
win 7 system recovery can not recovery


This topic is locked
49 replies to this topic

#1 Wichita (Members, 38 posts)

Posted 12 June 2012 - 10:49 AM

Hello. My system has crashed. Not sure where to post this, but maybe someone can help me. I had some malware/virus that I used mbytes on, which removed some fake alerts stuff. Then I installed McAfee (which I'm not big on, because antivirus programs slow computers down a lot) & it found & removed some things. After that I restarted my laptop and it started to load, flashed a blue screen briefly & started back over. Then it went to recovery mode and said Windows did not start. 2 options: start Windows normally or repair. Tried both, no result. Recovery says it can not repair. System Restore doesn't work & I ran chkdsk /r; it said it didn't find any errors but did move some things around (I believe is what it said). Also ran chkdsk /f ... it said no errors found. This is from the partition recovery. I haven't tried the system restore to factory because I wanted to get some files, pics, & software before doing that. Is there anything else I can try?

Edited by hamluis, 12 June 2012 - 12:04 PM.
Moved from Win 7 to Am I Infected - Hamluis.




#2 JSntgRvr (Master Surgeon General, Malware Response Team, 11,590 posts, Puerto Rico)

Posted 12 June 2012 - 10:16 PM

:welcome:

Let's give it a try. You will need a USB flash drive.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the flash drive. Please copy and paste it to your reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 Wichita (Topic Starter, Members, 38 posts)

Posted 12 June 2012 - 11:44 PM

Under Advanced Boot Options there is a Directory Services Restore Mode; other than that, just Safe Mode, Safe Mode with Networking, Safe Mode with Command Prompt.

Also, I tried a system recovery after using slako to recover my files & it failed. Now it keeps trying to load system recovery, I believe, but fails and says restart.

#4 JSntgRvr (Master Surgeon General, Malware Response Team, 11,590 posts, Puerto Rico)

Posted 13 June 2012 - 09:34 AM

How did you run CHKDSK?



#5 Wichita (Topic Starter, Members, 38 posts)

Posted 13 June 2012 - 10:05 AM

I ran it from the command prompt through system recovery, where Windows says repair computer or start Windows normally. After it could not repair it, it gave me options to system restore, command prompt, restore to factory. I ran System Restore; it said it can not restore. I also tried the Restore To Factory Settings saving some of my data, and it said it restored but had to restart. Then when it started back up it said it could not, try again & restart. Now it's in a system page that just runs & runs; sometimes it stops and says can not recover, restart.

#6 JSntgRvr (Master Surgeon General, Malware Response Team, 11,590 posts, Puerto Rico)

Posted 13 June 2012 - 10:26 AM

Are you able to reach the command prompt once again? I am assuming this is Windows 7.



#7 Wichita (Topic Starter, Members, 38 posts)

Posted 13 June 2012 - 10:27 AM

Windows 7, but not sure. I can try.

#8 JSntgRvr (Master Surgeon General, Malware Response Team, 11,590 posts, Puerto Rico)

Posted 13 June 2012 - 10:31 AM

Please do. If unsuccessful, do you have the Win 7 install CD or access to another Windows 7 machine?



#9 Wichita (Topic Starter, Members, 38 posts)

Posted 13 June 2012 - 10:40 AM

I can from Alt+F10, but in the recovery it doesn't have the options to recover, and it's not really a command prompt. It says "Edit boot options" at the top of the screen; under that it says Path: \windows\system32\winload.exe; under that it says partition: 3 hard disk 5504f881; under that [ /NOEXECUTE=Optin. When my computer starts it says (setup is starting services).

#10 Wichita (Topic Starter, Members, 38 posts)

Posted 13 June 2012 - 10:43 AM

Don't have the actual disk. I did make backup DVDs of the system & program files from the recovery center a few weeks back, about 4 disks. I have a Win 7 ISO file on a hard disk but it wouldn't fit on a regular DVD. I do have access to another Windows 7 computer.

#11 JSntgRvr (Master Surgeon General, Malware Response Team, 11,590 posts, Puerto Rico)

Posted 13 June 2012 - 10:46 AM

On a working computer, create a Windows 7 System Repair Disc

Note: the below can only be done if your machine has a type of CD/R or DVD/R optical drive installed. Also, depending on the exact type of OEM your machine has, you may be unable to actually create an SRD.

  • Click on Start(Windows 7 Orb) >> Run...(or the Windows key and R together) to bring up the Run box, then copy/paste the following command into the box and click on OK:

    recdisc.exe

  • Allow the UAC(User Account Control) prompt via selecting Yes.
  • You should now see the repair disc creation menu (screenshot omitted).
  • Put a blank rewritable CD/DVD in your optical (CD/DVD) drive and then click on Create disc.
  • Note: If an AutoPlay window pops up, just close it.
  • When the SRD has been created you will see a confirmation (screenshot omitted).

  • Now click on Close >> OK. Leave the disc in the drive as we will be using it shortly.
  • You now have a Windows 7 System Repair Disc.

Boot the ailing computer with that CD and follow the instructions above.



#12 Wichita (Topic Starter, Members, 38 posts)

Posted 13 June 2012 - 12:20 PM

OK, I am going to get that done. It will probably be tomorrow before I get back on here, but I should have that part done. Any other thing I can do after I make that repair disc? If I do get back on it will be late tonight. Thanks for your help.

#13 JSntgRvr (Master Surgeon General, Malware Response Team, 11,590 posts, Puerto Rico)

Posted 13 June 2012 - 12:23 PM

Let's try that first.



#14 Wichita (Topic Starter, Members, 38 posts)

Posted 15 June 2012 - 08:58 AM

Scan result of Farbar Recovery Scan Tool Version: 12-06-2012 02
Ran by SYSTEM at 14-06-2012 20:49:08
Running from H:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [11779176 2011-02-18] (Realtek Semiconductor)
HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-04-13] (Intel Corporation)
HKLM-x32\...\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [1465304 2010-02-03] (McAfee, Inc.)
HKLM-x32\...\Run: [SuiteTray] "C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe" [340336 2010-09-27] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisTecPMMUpdate] "C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe" [407920 2010-09-17] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisUpdate] "C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe" -d [201584 2010-09-17] (Egis Technology Inc.)
HKLM-x32\...\Run: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [1155928 2010-06-01] (Symantec Corporation)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [BackupManagerTray] "C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe" -h -k [297280 2011-02-15] (NTI Corporation)
HKU\Acer\...\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background [4240760 2010-11-10] (Microsoft Corporation)
HKU\Acer\...\Run: [Google Update] "C:\Users\Acer\AppData\Local\Google\Update\GoogleUpdate.exe" /c [x]
HKLM-x32\...\RunOnce: [IdentityCardFUB] C:\Windows\oem\IdentityCard\FUB.exe [227944 2010-12-05] ()
HKLM-x32\...\RunOnce: [InstallShieldSetup] C:\PROGRA~2\INSTAL~1\{0B61B~1\setup.exe /reboot /z [311296 2011-04-18] (NTI Corporation )

==================== Services (Whitelisted) ======

2 0192111303188371mcinstcleanup; C:\Users\ADMINI~1\AppData\Local\Temp\019211~1.EXE C:\PROGRA~2\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [8039 2011-04-18] ()
3 EgisTec Ticket Service; "C:\Program Files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe" [172912 2010-09-27] (Egis Technology Inc. )
3 GamesAppService; "C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe" [206072 2010-10-12] (WildTangent, Inc.)
2 GREGService; C:\Program Files (x86)\Acer\Registration\GREGsvc.exe [23584 2010-01-08] (Acer Incorporated)
2 Live Updater Service; C:\Program Files\Acer\Acer Updater\UpdaterService.exe [244624 2011-01-31] (Acer Incorporated)
2 McAfee SiteAdvisor Service; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [355440 2009-12-14] (McAfee, Inc.)
2 McMPFSvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [355440 2009-12-14] (McAfee, Inc.)
2 mcmscsvc; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [355440 2009-12-14] (McAfee, Inc.)
2 McNaiAnn; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [355440 2009-12-14] (McAfee, Inc.)
2 McNASvc; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [355440 2009-12-14] (McAfee, Inc.)
3 McODS; "C:\Program Files\mcafee\VirusScan\mcods.exe" [509416 2009-12-30] (McAfee, Inc.)
2 McOobeSv; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [355440 2009-12-14] (McAfee, Inc.)
2 McProxy; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [355440 2009-12-14] (McAfee, Inc.)
2 McShield; "C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe" [199032 2010-01-05] (McAfee, Inc.)
2 mfefire; "C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe" [244840 2010-01-05] (McAfee, Inc.)
2 mfevtp; "C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe" [148520 2010-01-05] (McAfee, Inc.)
2 MSK80Service; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [355440 2009-12-14] (McAfee, Inc.)
2 NOBU; "C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe" SERVICE [2804568 2010-06-01] (Symantec Corporation)
2 NTI IScheduleSvc; C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe [257344 2011-02-15] (NTI Corporation)
2 UNS; "C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe" [2320920 2010-03-17] (Intel Corporation)

========================== Drivers (Whitelisted) =============

3 cfwids; C:\Windows\System32\Drivers\cfwids.sys [62416 2010-01-05] (McAfee, Inc.)
3 mfeapfk; C:\Windows\System32\Drivers\mfeapfk.sys [121504 2010-01-05] (McAfee, Inc.)
3 mfeavfk; C:\Windows\System32\Drivers\mfeavfk.sys [189880 2010-01-05] (McAfee, Inc.)
3 mfefirek; C:\Windows\System32\Drivers\mfefirek.sys [440688 2010-01-05] (McAfee, Inc.)
0 mfehidk; C:\Windows\System32\Drivers\mfehidk.sys [528232 2010-01-05] (McAfee, Inc.)
1 mfenlfk; C:\Windows\System32\Drivers\mfenlfk.sys [75288 2010-01-05] (McAfee, Inc.)
3 mferkdet; C:\Windows\System32\Drivers\mferkdet.sys [93840 2010-01-05] (McAfee, Inc.)
0 mfewfpk; C:\Windows\System32\Drivers\mfewfpk.sys [279752 2010-01-05] (McAfee, Inc.)
3 NTIDrvr; C:\Windows\System32\Drivers\NTIDrvr.sys [18432 2009-05-05] (NewTech Infosystems, Inc.)
3 RSUSBSTOR; C:\Windows\System32\Drivers\RtsUStor.sys [243712 2010-09-21] (Realtek Semiconductor Corp.)
3 UBHelper; C:\Windows\System32\Drivers\UBHelper.sys [16896 2009-05-05] (NewTech Infosystems Corporation)

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-06-12 10:51 - 2012-06-12 10:49 - 00011453 ____A C:\Windows\ChangeLang_Done.tag
2012-06-12 10:25 - 2012-06-12 10:26 - 00000000 ____D C:\Backup
2012-06-12 10:23 - 2012-06-12 10:23 - 00000000 ____A C:\Recovery.txt
2012-06-12 10:20 - 2012-06-12 10:50 - 00209904 ____A C:\Windows\ntbtlog.txt
2012-06-12 09:57 - 2012-06-12 09:58 - 00005095 ____A C:\Windows\WindowsUpdate.log
2012-06-10 15:29 - 2012-06-10 15:29 - 00000000 ____D C:\Users\Acer\AppData\Local\EgisTec
2012-06-10 15:28 - 2012-06-10 15:28 - 00000000 ____D C:\Program Files (x86)\MSXML 4.0
2012-06-10 15:24 - 2012-06-12 06:52 - 00000000 ____D C:\Users\All Users\Sony Corporation
2012-06-10 15:24 - 2012-06-12 06:51 - 00000000 ____D C:\Program Files (x86)\Sony
2012-06-10 15:05 - 2012-06-10 15:05 - 00000000 ____D C:\Users\Acer\AppData\Local\{817B090E-EB77-477E-9419-354DB6AF422D}
2012-06-10 15:04 - 2012-06-10 15:05 - 00000000 ____D C:\Users\Acer\AppData\Local\{2AB1963F-47E5-4C35-995A-D2FBBA5B7493}
2012-06-10 11:45 - 2012-06-10 13:05 - 00000430 ____A C:\rkill.log
2012-06-10 08:48 - 2012-06-10 08:48 - 00000000 ____D C:\Users\Acer\AppData\Local\{D899E409-1042-4738-990F-E50AC8956B8A}
2012-06-05 04:17 - 2012-06-12 21:06 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2012-05-21 16:42 - 2012-05-21 16:42 - 00000000 ____D C:\Users\Acer\AppData\Roaming\Mozilla


============ 3 Months Modified Files and Folders =============

2012-06-12 21:06 - 2012-06-05 04:17 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2012-06-12 21:06 - 2011-11-26 15:21 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-06-12 21:06 - 2011-07-31 05:45 - 00000000 ____D C:\Users\All Users\clear.fi
2012-06-12 21:06 - 2011-07-30 21:11 - 00000000 ____D C:\users\Acer
2012-06-12 21:02 - 2012-03-11 08:05 - 00000000 ____D C:\Users\Acer\AppData\Local\Apps\2.0
2012-06-12 21:02 - 2011-07-30 21:12 - 00000000 ____D C:\Users\Acer\AppData\Local\Downloaded Installations
2012-06-12 10:51 - 2011-04-18 20:52 - 00003791 ____A C:\Windows\patch.log
2012-06-12 10:51 - 2009-03-12 01:30 - 00000000 ____D C:\Windows\LP
2012-06-12 10:50 - 2012-06-12 10:20 - 00209904 ____A C:\Windows\ntbtlog.txt
2012-06-12 10:49 - 2012-06-12 10:51 - 00011453 ____A C:\Windows\ChangeLang_Done.tag
2012-06-12 10:48 - 2011-04-18 21:04 - 00000000 ___HD C:\OEM
2012-06-12 10:47 - 2009-07-13 21:38 - 00025600 __ASH C:\Windows\System32\config\BCD-Template.LOG
2012-06-12 10:47 - 2009-07-13 21:32 - 00028672 ____A C:\Windows\System32\config\BCD-Template
2012-06-12 10:30 - 2011-09-20 20:29 - 00000000 ___HD C:\Users\Acer\AppData\Local\Nero
2012-06-12 10:30 - 2011-07-30 21:12 - 00000000 ____D C:\Users\Acer\AppData\Local\PowerCinema
2012-06-12 10:26 - 2012-06-12 10:25 - 00000000 ____D C:\Backup
2012-06-12 10:26 - 2012-05-04 18:36 - 00000000 ____D C:\Users\Acer\AppData\Local\DIRECTV Player
2012-06-12 10:23 - 2012-06-12 10:23 - 00000000 ____A C:\Recovery.txt
2012-06-12 10:23 - 2011-07-30 21:11 - 00000000 __SHD C:\Recovery
2012-06-12 09:58 - 2012-06-12 09:57 - 00005095 ____A C:\Windows\WindowsUpdate.log
2012-06-12 09:58 - 2009-07-13 20:51 - 00026333 ____A C:\Windows\setupact.log
2012-06-12 09:58 - 2009-07-13 20:45 - 00016752 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-06-12 09:58 - 2009-07-13 20:45 - 00016752 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-06-12 09:56 - 2011-04-18 20:13 - 00003652 ____A C:\Windows\TSSysprep.log
2012-06-12 09:55 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-06-12 09:55 - 2007-07-11 17:49 - 00000000 ____D C:\Windows\Panther
2012-06-12 09:54 - 2010-11-20 19:47 - 00006164 ____A C:\Windows\PFRO.log
2012-06-12 09:54 - 2009-07-13 20:45 - 00282960 ____A C:\Windows\System32\FNTCACHE.DAT
2012-06-12 06:52 - 2012-06-10 15:24 - 00000000 ____D C:\Users\All Users\Sony Corporation
2012-06-12 06:51 - 2012-06-10 15:24 - 00000000 ____D C:\Program Files (x86)\Sony
2012-06-10 15:29 - 2012-06-10 15:29 - 00000000 ____D C:\Users\Acer\AppData\Local\EgisTec
2012-06-10 15:28 - 2012-06-10 15:28 - 00000000 ____D C:\Program Files (x86)\MSXML 4.0
2012-06-10 15:12 - 2012-01-28 11:28 - 00000000 ___HD C:\Users\Acer\Tracing
2012-06-10 15:05 - 2012-06-10 15:05 - 00000000 ____D C:\Users\Acer\AppData\Local\{817B090E-EB77-477E-9419-354DB6AF422D}
2012-06-10 15:05 - 2012-06-10 15:04 - 00000000 ____D C:\Users\Acer\AppData\Local\{2AB1963F-47E5-4C35-995A-D2FBBA5B7493}
2012-06-10 13:05 - 2012-06-10 11:45 - 00000430 ____A C:\rkill.log
2012-06-10 08:48 - 2012-06-10 08:48 - 00000000 ____D C:\Users\Acer\AppData\Local\{D899E409-1042-4738-990F-E50AC8956B8A}
2012-06-05 04:17 - 2012-04-13 03:51 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-06-05 04:17 - 2012-03-11 08:05 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1514837988-118717949-931218195-1001UA.job
2012-06-05 04:17 - 2012-03-11 08:05 - 00000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1514837988-118717949-931218195-1001Core.job
2012-05-26 16:43 - 2011-08-06 10:44 - 00000000 ____D C:\Users\Acer\AppData\Roaming\SoftGrid Client
2012-05-21 16:42 - 2012-05-21 16:42 - 00000000 ____D C:\Users\Acer\AppData\Roaming\Mozilla
2012-05-09 21:43 - 2012-04-22 09:11 - 00000000 ____D C:\Users\Acer\Desktop\Prevail-Replenish-NEW-OCR
2012-05-09 21:43 - 2012-03-15 17:58 - 00000000 ____D C:\Windows\System32\Macromed
2012-05-09 21:43 - 2011-11-26 14:56 - 00000000 ____D C:\Users\Default\AppData\Local\PowerCinema
2012-05-09 21:43 - 2011-11-26 14:56 - 00000000 ____D C:\Users\Default User\AppData\Local\PowerCinema
2012-05-09 21:43 - 2011-09-20 20:30 - 00000000 ____D C:\Users\Acer\AppData\Local\Nero_AG
2012-05-09 21:43 - 2011-09-20 19:04 - 00000000 ____D C:\Users\Acer\AppData\Roaming\RipIt4Me
2012-05-09 21:43 - 2011-09-10 12:57 - 00000000 ____D C:\Users\Acer\Downloads\htc diag cri
2012-05-09 21:43 - 2011-09-07 20:19 - 00000000 ____D C:\Users\Acer\Downloads\HTCDiagDrivers (1)
2012-05-09 21:43 - 2011-09-07 19:56 - 00000000 ____D C:\Users\Acer\Downloads\htc diag
2012-05-09 21:43 - 2011-08-22 17:54 - 00000000 ____D C:\Users\All Users\Microsoft Help
2012-05-09 21:43 - 2011-08-02 07:15 - 00000000 ____D C:\Users\Acer\AppData\Roaming\MusE
2012-05-09 21:43 - 2011-07-31 05:45 - 00000000 ____D C:\Users\Acer\AppData\Roaming\PowerCinema
2012-05-09 21:43 - 2011-05-14 01:31 - 00000000 ____D C:\Windows\NAPP_Dism_Log
2012-05-09 21:43 - 2011-05-14 00:57 - 00000000 ____D C:\Users\All Users\CLSK
2012-05-09 21:43 - 2011-05-14 00:55 - 00000000 ____D C:\Users\All Users\CyberLink
2012-05-09 21:43 - 2011-05-14 00:50 - 00000000 ____D C:\Users\All Users\FLEXnet
2012-05-09 21:43 - 2011-05-14 00:45 - 00000000 ____D C:\Program Files\Elantech
2012-05-09 21:43 - 2011-05-14 00:36 - 00000000 ____D C:\Users\Default\AppData\Local\Downloaded Installations
2012-05-09 21:43 - 2011-05-14 00:36 - 00000000 ____D C:\Users\Default User\AppData\Local\Downloaded Installations
2012-05-09 21:42 - 2012-03-20 04:34 - 00000000 ____D C:\Program Files (x86)\7-Zip
2012-05-09 21:42 - 2012-01-12 20:44 - 00000000 ____D C:\Program Files (x86)\SystemRequirementsLab
2012-05-09 21:42 - 2011-11-21 20:20 - 00000000 ____D C:\Program Files (x86)\Xvid
2012-05-09 21:42 - 2011-11-21 20:19 - 00000000 ____D C:\Program Files (x86)\ffdshow
2012-05-09 21:42 - 2011-11-21 20:18 - 00000000 ____D C:\Program Files (x86)\Haali
2012-05-09 21:42 - 2011-11-21 20:17 - 00000000 ____D C:\Program Files (x86)\AviSynth 2.5
2012-05-09 21:42 - 2011-11-21 20:17 - 00000000 ____D C:\Program Files (x86)\AC3Filter
2012-05-09 21:42 - 2011-11-21 20:16 - 00000000 ____D C:\Program Files (x86)\Avi2Dvd
2012-05-09 21:42 - 2011-09-20 19:09 - 00000000 ____D C:\adjustment_bureau
2012-05-09 21:42 - 2011-09-20 19:04 - 00000000 ____D C:\Program Files (x86)\DVD Decrypter
2012-05-09 21:42 - 2011-09-20 19:03 - 00000000 ____D C:\Program Files (x86)\DVD Shrink
2012-05-09 21:42 - 2011-08-06 10:43 - 00000000 ____D C:\Program Files (x86)\Microsoft Application Virtualization Client
2012-05-09 21:42 - 2011-08-02 07:10 - 00000000 ____D C:\Program Files (x86)\MuseScore
2012-05-09 21:42 - 2011-07-30 21:51 - 00000000 ____D C:\Program Files (x86)\ZEN Entertainment
2012-05-09 21:42 - 2011-07-30 21:13 - 00000000 ____D C:\Program Files (x86)\Times Reader
2012-05-09 21:42 - 2011-05-14 00:56 - 00000000 ____D C:\Program Files (x86)\Cyberlink
2012-05-09 21:42 - 2011-05-14 00:44 - 00000000 ____D C:\Program Files (x86)\Launch Manager
2012-05-09 21:41 - 2012-05-06 20:38 - 00000000 ____D C:\Program Files (x86)\ImgBurn
2012-05-09 21:33 - 2012-04-22 17:37 - 00000000 ____D C:\Users\Acer\Desktop\phone
2012-05-09 21:33 - 2011-05-14 00:36 - 00000000 ____D C:\Users\Default\AppData\Roaming\Macromedia
2012-05-09 21:33 - 2011-05-14 00:36 - 00000000 ____D C:\Users\Default User\AppData\Roaming\Macromedia
2012-05-09 21:32 - 2011-07-30 21:12 - 00000000 ____D C:\Users\Acer\AppData\Roaming\Adobe
2012-05-09 21:32 - 2011-07-30 21:12 - 00000000 ____D C:\Users\Acer\AppData\LocalLow
2012-05-09 21:29 - 2012-03-11 08:05 - 00000000 ____D C:\Users\Acer\AppData\Local\Google
2012-05-09 21:29 - 2011-07-31 05:45 - 00000000 ____D C:\Users\Acer\AppData\Local\Cyberlink
2012-05-09 21:28 - 2011-11-26 15:21 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-05-09 21:28 - 2011-09-20 20:26 - 00000000 ____D C:\Users\All Users\Nero
2012-05-09 21:28 - 2011-07-30 21:13 - 00000000 ____D C:\Users\All Users\OEM_E471269A730D
2012-05-09 21:27 - 2012-04-22 16:32 - 00000000 ____D C:\Program Files\SAMSUNG
2012-05-09 21:27 - 2011-08-06 10:43 - 00000000 ____D C:\Program Files\Microsoft Office
2012-05-09 21:27 - 2011-05-14 00:41 - 00000000 ____D C:\Program Files\Common Files\Intel
2012-05-09 21:26 - 2011-07-30 21:13 - 00000000 ____D C:\Program Files (x86)\OEM
2012-05-09 21:25 - 2011-09-20 20:26 - 00000000 ____D C:\Program Files (x86)\Nero
2012-05-09 21:24 - 2011-08-22 20:27 - 00000000 ____D C:\Program Files (x86)\MSECache
2012-05-09 21:24 - 2011-05-14 00:50 - 00000000 ____D C:\Program Files (x86)\Microsoft Office
2012-05-09 21:23 - 2011-12-18 10:14 - 00000000 ____D C:\Program Files (x86)\DirecTV
2012-05-09 21:23 - 2011-12-04 21:05 - 00000000 ____D C:\Program Files (x86)\Java
2012-05-09 21:22 - 2011-05-14 01:00 - 00000000 ____D C:\Program Files (x86)\Barnes & Noble
2012-05-09 21:19 - 2011-08-06 13:11 - 00000000 __RHD C:\MSOCache
2012-05-09 20:45 - 2012-05-09 20:45 - 00000000 ____D C:\Users\Acer\AppData\Local\{A7A2834B-E9FF-4615-986D-FEE42409E7C0}
2012-05-09 20:45 - 2012-05-09 20:44 - 00000000 ____D C:\Users\Acer\AppData\Local\{6D7D58DA-398F-43A8-9472-9B17E5BE35FA}
2012-05-09 19:48 - 2011-08-24 18:53 - 57848688 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-05-09 18:52 - 2011-09-20 15:24 - 00002018 ____A C:\Users\Public\Desktop\Adobe Reader 9.lnk
2012-05-09 18:49 - 2012-05-09 18:49 - 00000000 ____D C:\Users\Acer\AppData\Local\{EF8C0581-7E0F-4031-B9C6-022EB4666DAC}
2012-05-09 18:49 - 2012-05-09 18:49 - 00000000 ____D C:\Users\Acer\AppData\Local\{8811C489-0203-4A04-B41D-477E3833A533}
2012-05-09 18:49 - 2012-04-13 03:51 - 00419488 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-05-09 18:49 - 2011-09-09 17:32 - 00070304 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-05-09 17:46 - 2012-05-09 17:46 - 00000000 ____D C:\Users\Acer\AppData\Local\{E90FDC08-9648-4613-AB66-858AF119BC2C}
2012-05-09 17:46 - 2012-05-09 17:46 - 00000000 ____D C:\Users\Acer\AppData\Local\{D63639A8-03DF-40A5-9F66-4405A56A98D4}
2012-05-09 16:24 - 2012-05-09 16:24 - 00000000 ____D C:\Users\Acer\AppData\Roaming\Malwarebytes
2012-05-09 16:06 - 2012-05-09 16:06 - 00000000 ____D C:\Program Files (x86)\ESET
2012-05-09 15:48 - 2012-05-09 15:48 - 00000000 ____D C:\Users\Acer\AppData\Local\{242346EF-52F7-46DE-B6D0-7882B2EEEBE8}
2012-05-09 15:44 - 2012-05-09 15:44 - 00000256 ___AH C:\Users\All Users\4LMtT0TTaFyaY1
2012-05-09 15:44 - 2012-05-09 15:44 - 00000000 ___AH C:\Users\All Users\-4LMtT0TTaFyaY1
2012-05-09 14:50 - 2012-05-09 14:50 - 00000162 ___AH C:\Users\Acer\Downloads\~$ the Book Thief.docx
2012-05-09 14:46 - 2012-05-09 14:46 - 00000162 ___AH C:\Users\Acer\Documents\~$ the Book Thief.docx
2012-05-09 14:37 - 2012-05-09 14:50 - 00026461 ___AH C:\Users\Acer\Downloads\In the Book Thief.docx
2012-05-09 14:37 - 2012-05-09 13:33 - 00026461 ___AH C:\Users\Acer\Documents\In the Book Thief.docx
2012-05-08 16:30 - 2011-08-23 19:29 - 00000000 ___HD C:\Users\Acer\AppData\Local\ElevatedDiagnostics
2012-05-06 21:07 - 2012-05-06 20:51 - 00000000 ___HD C:\Users\Acer\AppData\Roaming\ImgBurn
2012-05-06 20:51 - 2012-05-06 20:51 - 00008414 ____A C:\WIN_7_PROFESSIONAL.MDS
2012-05-06 20:51 - 2012-05-06 20:41 - 842606592 ____A C:\WIN_7_PROFESSIONAL.ISO
2012-05-06 20:47 - 2012-05-06 20:42 - 00000000 ___HD C:\Users\Acer\Desktop\win7
2012-05-06 20:46 - 2012-05-06 20:46 - 00000096 ___AH C:\Users\Acer\Documents\WIN7PRO.txt
2012-05-06 20:32 - 2012-05-06 20:31 - 01925731 ___AH (LIGHTNING UK!) C:\Users\Acer\Downloads\SetupImgBurn_2.5.7.0 (1).exe.yeyxz8a.partial
2012-04-30 18:32 - 2012-04-30 15:21 - 01534585 ___AH C:\Users\Acer\Documents\Be Prepared for Class.docx
2012-04-30 15:21 - 2012-04-30 15:21 - 00000162 ___AH C:\Users\Acer\Documents\~$ Prepared for Class.docx
2012-04-26 13:26 - 2012-04-25 16:05 - 00035328 ___AH C:\Users\Acer\Documents\final exam.doc
2012-04-25 16:05 - 2012-04-25 16:05 - 00000162 ___AH C:\Users\Acer\Documents\~$nal exam.doc
2012-04-22 16:31 - 2012-04-22 16:31 - 00000000 ___HD C:\Users\All Users\Samsung
2012-04-22 16:31 - 2012-04-22 16:30 - 24114392 ____A (SAMSUNG Electronics Co., Ltd.) C:\Users\Acer\Downloads\SAMSUNG_USB_Driver_for_Mobile_Phones_1.4.8.0.exe
2012-04-22 12:05 - 2011-07-30 21:51 - 00000000 ___HD C:\Users\Acer\AppData\Roaming\ZEN Entertainment
2012-04-22 09:31 - 2012-04-22 09:31 - 01676480 ____A (W3i, LLC) C:\Users\Acer\Downloads\wifihotspot2_1558.exe
2012-04-22 09:20 - 2011-07-30 21:12 - 00000000 ___HD C:\Users\Acer\AppData\Local\Windows Live
2012-04-22 09:16 - 2012-04-22 09:16 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_ssadadb_01005.Wdf
2012-04-22 09:06 - 2012-04-22 09:06 - 01138397 ____A C:\Users\Acer\Downloads\7z922 (1).exe
2012-04-15 10:42 - 2012-04-15 10:42 - 08766112 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2012-04-13 03:51 - 2012-04-13 03:51 - 00000000 ___HD C:\Users\Acer\AppData\Local\{5300D057-6C5F-46DB-9C2C-5C3EE215B39C}
2012-04-11 18:44 - 2012-04-11 09:23 - 00029184 ___AH C:\Users\Acer\Documents\Mid-Term (Part B).doc
2012-03-28 20:05 - 2012-03-28 20:02 - 22589470 ___AH C:\Users\Acer\Downloads\PC36IMG.zip
2012-03-20 04:35 - 2012-03-19 19:23 - 101524152 ___AH C:\Users\Acer\Downloads\M-8643.rar
2012-03-20 04:34 - 2012-03-20 04:34 - 01138397 ____A C:\Users\Acer\Downloads\7z922.exe
2012-03-20 04:33 - 2012-03-20 04:33 - 01720456 ____A (www.zipeg.com) C:\Users\Acer\Downloads\zipeg_win.exe
2012-03-19 15:07 - 2012-03-19 12:17 - 00017080 ___AH C:\Users\Acer\Documents\Rachel -Journal.docx


========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 16%
Total physical RAM: 3766.7 MB
Available physical RAM: 3131.5 MB
Total Pagefile: 3764.9 MB
Available Pagefile: 3124.31 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (Acer) (Fixed) (Total:449.65 GB) (Free:353.07 GB) NTFS
2 Drive e: (PQSERVICE) (Fixed) (Total:16 GB) (Free:5.29 GB) NTFS
3 Drive f: (Repair disc Windows 7 64-bit) (CDROM) (Total:0.24 GB) (Free:0 GB) UDF
5 Drive h: (USB20FD) (Removable) (Total:3.77 GB) (Free:3.76 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ###  Status    Size     Free   Dyn  Gpt
--------  --------  -------  -----  ---  ---
Disk 0    Online    465 GB   8 MB
Disk 1    No Media  0 B      0 B
Disk 2    Online    3864 MB  0 B

Partitions of Disk 0:
===============

Partition ###  Type      Size     Offset
-------------  --------  -------  -------
Partition 1    Recovery  16 GB    1024 KB
Partition 2    Primary   100 MB   16 GB
Partition 3    Primary   449 GB   16 GB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ###  Ltr  Label        Fs    Type       Size    Status   Info
----------  ---  -----------  ----  ---------  ------  -------  ------
* Volume 3  E    PQSERVICE    NTFS  Partition  16 GB   Healthy  Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ###  Ltr  Label        Fs    Type       Size    Status   Info
----------  ---  -----------  ----  ---------  ------  -------  ------
* Volume 1  Y    SYSTEM RESE  NTFS  Partition  100 MB  Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ###  Ltr  Label        Fs    Type       Size    Status   Info
----------  ---  -----------  ----  ---------  ------  -------  ------
* Volume 2  C    Acer         NTFS  Partition  449 GB  Healthy

======================================================================================================

Partitions of Disk 2:
===============

Partition ###  Type      Size     Offset
-------------  --------  -------  -------
Partition 1    Primary   3863 MB  31 KB

======================================================================================================

Disk: 2
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ###  Ltr  Label        Fs     Type       Size     Status   Info
----------  ---  -----------  -----  ---------  -------  -------  ------
* Volume 5  H    USB20FD      FAT32  Removable  3863 MB  Healthy

======================================================================================================

==========================================================

Last Boot: 2011-04-18 20:10

======================= End Of Log ==========================
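A log like the one above is read by the Malware Response Team line by line. As an added example (not part of this thread, and not FRST's own code), the Python below parses FRST's Registry, Services, Drivers, "Bamital & volsnap Check" and "EXE ASSOCIATION" sections and flags entries worth a second look: a file FRST marks with [x] (which, as I understand FRST's notation, means the file was not found), an executable launched from a Temp directory, an entry whose company-name field is empty, a system file whose MD5 FRST did not confirm, or a broken .exe association. SAMPLE_LOG is a constructed excerpt of the lines posted above. The flags are review prompts, not verdicts: the one Temp-path hit in this excerpt is McAfee's installer cleanup service, as its own command line says, and the [x] on Google Update only means the updater binary was absent at that path.

```python
"""Triage helper for a Farbar Recovery Scan Tool (FRST) log.

Added example for this thread: not FRST's own code and not from the
original posts.  SAMPLE_LOG is a constructed excerpt of the log posted
above.  Reading "[x]" as "file not found" follows FRST's notation as I
understand it; every finding is a prompt for review, not a verdict.
"""
import re
from typing import Dict, List, NamedTuple, Optional


class Entry(NamedTuple):
    section: str           # "autoruns", "services" or "drivers"
    name: str              # registry value name or service name
    path: str              # executable path, arguments stripped
    size: Optional[int]    # None when FRST printed [x] (file not found)
    vendor: Optional[str]  # None if no "(...)" suffix, "" if it was empty


class Finding(NamedTuple):
    reason: str
    name: str
    detail: str


class FrstReport(NamedTuple):
    autoruns: List[Entry]
    services: List[Entry]
    drivers: List[Entry]
    md5_ok: Dict[str, bool]    # Bamital & volsnap check: path -> hash confirmed
    exe_assoc: Dict[str, str]  # EXE ASSOCIATION: key -> verdict


SECTION_RE = re.compile(r"^=+ (?P<title>.+?) =+$")
AUTORUN_RE = re.compile(r"^(?P<hive>HK\S*?)\\\.\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<rest>.*)$")
SERVICE_RE = re.compile(r"^(?P<start>\d) (?P<name>[^;]+); (?P<rest>.*)$")
# trailing "[size yyyy-mm-dd] (vendor)" or "[x]" that FRST appends to each entry
TAIL_RE = re.compile(r"\[(?:(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})|x)\](?: \((?P<vendor>[^)]*)\))?$")
PATH_RE = re.compile(r"^(?P<path>.+?\.(?:exe|sys|dll|cpl|scr|bat|cmd))(?=\s|$)", re.IGNORECASE)
MD5_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => (?P<verdict>.+)$")
ASSOC_RE = re.compile(r"^(?P<key>HKLM\\.+?): (?P<value>.+) => (?P<verdict>\S+)$")

# Constructed excerpt of the log posted in this thread.
SAMPLE_LOG = r"""
========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [11779176 2011-02-18] (Realtek Semiconductor)
HKLM-x32\...\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [1465304 2010-02-03] (McAfee, Inc.)
HKU\Acer\...\Run: [Google Update] "C:\Users\Acer\AppData\Local\Google\Update\GoogleUpdate.exe" /c [x]
HKLM-x32\...\RunOnce: [IdentityCardFUB] C:\Windows\oem\IdentityCard\FUB.exe [227944 2010-12-05] ()

==================== Services (Whitelisted) ======

2 0192111303188371mcinstcleanup; C:\Users\ADMINI~1\AppData\Local\Temp\019211~1.EXE C:\PROGRA~2\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [8039 2011-04-18] ()
2 McShield; "C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe" [199032 2010-01-05] (McAfee, Inc.)

========================== Drivers (Whitelisted) =============

0 mfehidk; C:\Windows\System32\Drivers\mfehidk.sys [528232 2010-01-05] (McAfee, Inc.)

========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\open\command: "%1" %* => OK
"""


def extract_path(rest: str) -> str:
    """Executable path from the command part of an FRST line.  Unquoted paths
    may contain spaces, so fall back to the first token ending in an
    executable extension."""
    body = TAIL_RE.sub("", rest).rstrip()
    if body.startswith('"'):
        end = body.find('"', 1)
        if end > 0:
            return body[1:end]
    m = PATH_RE.match(body)
    return m.group("path") if m else body.split(" ", 1)[0]


def make_entry(section: str, name: str, rest: str) -> Entry:
    t = TAIL_RE.search(rest)
    size = int(t.group("size")) if t and t.group("size") else None
    vendor = t.group("vendor").strip() if t and t.group("vendor") is not None else None
    return Entry(section, name.strip(), extract_path(rest), size, vendor)


def parse_frst(text: str) -> FrstReport:
    """Walk the log section by section and collect the entries we can use."""
    report = FrstReport([], [], [], {}, {})
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("title").lower()
            continue
        if section.startswith("registry"):
            m = AUTORUN_RE.match(line)
            if m:
                report.autoruns.append(make_entry("autoruns", m.group("name"), m.group("rest")))
        elif section.startswith(("services", "drivers")):
            m = SERVICE_RE.match(line)
            if m:
                kind = "services" if section.startswith("services") else "drivers"
                getattr(report, kind).append(make_entry(kind, m.group("name"), m.group("rest")))
        elif section.startswith("bamital"):
            m = MD5_RE.match(line)
            if m:
                report.md5_ok[m.group("path")] = m.group("verdict") == "MD5 is legit"
        elif section.startswith("exe association"):
            m = ASSOC_RE.match(line)
            if m:
                report.exe_assoc[m.group("key")] = m.group("verdict")
    return report


def triage(text: str) -> List[Finding]:
    """Simple review heuristics; each finding is something to look at, not a verdict."""
    rep = parse_frst(text)
    findings: List[Finding] = []
    for e in rep.autoruns + rep.services + rep.drivers:
        if e.size is None:
            findings.append(Finding("missing_file", e.name, e.path))
        if re.search(r"\\temp\\", e.path, re.IGNORECASE):
            findings.append(Finding("temp_path", e.name, e.path))
        if e.vendor == "":
            findings.append(Finding("no_vendor", e.name, e.path))
    for path, ok in rep.md5_ok.items():
        if not ok:
            findings.append(Finding("md5_mismatch", path, "FRST did not confirm the hash"))
    for key, verdict in rep.exe_assoc.items():
        if verdict != "OK":
            findings.append(Finding("exe_association", key, verdict))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:16} {f.name}: {f.detail}")
```

To run it over the real log, read FRST.txt from the flash drive into a string and pass it to triage(); the regexes only depend on the line shapes shown above, so sections FRST prints that this script does not know (NetSvcs, Known DLLs, file listings) are simply skipped.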

#15 JSntgRvr (Master Surgeon General, Malware Response Team, 11,590 posts, Puerto Rico)

Posted 15 June 2012 - 01:22 PM

We need to check the Master Boot Record.

Download MBRFix from here.

Save and extract its contents to the working computer's desktop. There are three files in the MBRFix folder. From these, only copy the MBRFix64.exe to the USB drive.

Also download the enclosed file:

Save it next to FRST64. Use the same USB port you used to insert the USB drive. Run FRST64. This time around click on the Fix button and wait.

The tool will make a log on the flash drive (Fixlog.txt). It will also create a file labeled MBRDUMP.txt. Copy and paste the contents of the Fixlog.txt in your next reply, but attach the MBRDUMP.txt as it is a hex file.

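The next step in the thread is to dump and inspect the Master Boot Record. As an added example (not from this thread, FRST or MBRFix), the Python below parses a 512-byte MBR the way a reviewer would read MBRDUMP.txt by hand: it checks the 0x55AA boot signature, decodes the four partition-table entries, confirms that exactly one partition is active and that it is not a hidden type, checks for overlaps, and compares the boot-code area (bytes 0-439) with a SHA-256 taken from a known-good MBR of the same Windows version. The sample MBR is constructed to mirror the FRST partition listing above (hidden type 0x27 PQSERVICE partition at a 1024 KB offset, active 100 MB NTFS system partition, large NTFS C: partition) and the disk signature 5504f881 shown on the boot options screen in post #9; its boot code is filler, not real Windows code, and the partition sizes are approximate. The reference hash and the exact layout of MBRDUMP.txt are assumptions: hand check_mbr() the raw 512 bytes however you obtain them.

```python
"""Structural checks on a 512-byte Master Boot Record.

Added example for this thread; not code from FRST, MBRFix or the original
posts.  build_sample_mbr() is a constructed MBR that mirrors the FRST
partition listing above: its boot code is filler and sizes are approximate.
"""
import hashlib
import struct
from typing import List, NamedTuple, Optional

SECTOR = 512
TABLE_OFFSET = 446                 # four 16-byte partition entries start here
SIGNATURE = b"\x55\xaa"            # boot signature at bytes 510-511
HIDDEN_TYPES = {0x12, 0x17, 0x1b, 0x1c, 0x27}   # hidden / recovery partition IDs


class PartitionEntry(NamedTuple):
    slot: int          # 1-4
    bootable: bool     # status byte == 0x80
    status: int        # raw status byte (only 0x00 and 0x80 are valid)
    type_id: int       # e.g. 0x07 NTFS, 0x27 hidden recovery
    lba_start: int
    sectors: int


def parse_mbr(mbr: bytes) -> List[PartitionEntry]:
    """Return the non-empty entries of the DOS partition table."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(mbr)}")
    entries = []
    for slot in range(4):
        # status, CHS start (3 bytes, ignored), type, CHS end (ignored), LBA start, count
        status, type_id, lba, count = struct.unpack_from("<B3xB3xII", mbr, TABLE_OFFSET + 16 * slot)
        if type_id == 0:
            continue
        entries.append(PartitionEntry(slot + 1, status == 0x80, status, type_id, lba, count))
    return entries


def boot_code_sha256(mbr: bytes) -> str:
    """Hash of the boot-code area only; the disk signature and partition
    table vary per machine and are excluded so a clean reference is reusable."""
    return hashlib.sha256(mbr[:440]).hexdigest()


def check_mbr(mbr: bytes, reference_boot_sha256: Optional[str] = None) -> List[str]:
    """Human-readable problems found in the dump; empty means nothing suspicious."""
    if len(mbr) != SECTOR:
        return [f"dump is {len(mbr)} bytes, expected {SECTOR}"]
    problems: List[str] = []
    if mbr[510:512] != SIGNATURE:
        problems.append("boot signature 0x55AA missing")
    entries = parse_mbr(mbr)
    active = [e for e in entries if e.bootable]
    if len(active) != 1:
        problems.append(f"{len(active)} active partitions, expected exactly 1")
    for e in entries:
        if e.status not in (0x00, 0x80):
            problems.append(f"slot {e.slot}: invalid status byte 0x{e.status:02x}")
        if e.bootable and e.type_id in HIDDEN_TYPES:
            problems.append(f"slot {e.slot}: active partition has hidden type 0x{e.type_id:02x}")
        if e.sectors == 0:
            problems.append(f"slot {e.slot}: zero-length partition")
    ordered = sorted(entries, key=lambda e: e.lba_start)
    for a, b in zip(ordered, ordered[1:]):
        if a.lba_start + a.sectors > b.lba_start:
            problems.append(f"slots {a.slot} and {b.slot} overlap")
    if reference_boot_sha256 is not None and boot_code_sha256(mbr) != reference_boot_sha256:
        problems.append("boot code differs from the known-good reference")
    return problems


def build_sample_mbr() -> bytes:
    """Constructed MBR matching the FRST partition listing (sizes approximate)."""
    gib = 1024 ** 3 // SECTOR                               # sectors per GiB
    layout = [  # (status, type, lba_start, sectors)
        (0x00, 0x27, 2048, 16 * gib),                       # PQSERVICE, hidden, 1024 KB offset
        (0x80, 0x07, 2048 + 16 * gib, 204800),              # SYSTEM RESERVED, 100 MB, active
        (0x00, 0x07, 2048 + 16 * gib + 204800, 942_000_000),  # C: (Acer), ~449 GiB
    ]
    mbr = bytearray(b"\x90" * 440)                          # filler, not real boot code
    mbr += b"\x81\xf8\x04\x55" + b"\x00\x00"                # disk signature 5504f881 (LE) + reserved
    for status, type_id, lba, count in layout:
        mbr += struct.pack("<B3xB3xII", status, type_id, lba, count)
    mbr += bytes(16)                                        # empty fourth slot
    mbr += SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    sample = build_sample_mbr()
    for entry in parse_mbr(sample):
        print(entry)
    print("problems:", check_mbr(sample, boot_code_sha256(sample)))
```

On a real case, capture the reference hash from a machine with the same Windows release and OEM image before trusting it; a bootkit that rewrites the 440 bytes of boot code leaves the partition table intact, so the table checks alone will not catch it.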




