Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Can't boot, apparent Norton Power Eraser issue


  • This topic is locked This topic is locked
9 replies to this topic

#1 Richard Carnes

Richard Carnes

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:04 AM

Posted 23 December 2012 - 11:00 AM

In following another thread, I ran the FRST64 and am attaching the resulting .txt file. I'm having the same issue as others, in that after my son ran the Norton Power Eraser to clean out a virus, he cannot reboot at all. No system restore will work, no CHKDSK finds anything wrong, etc. Looking forward to a response, and Merry Christmas everyone.

BC AdBot (Login to Remove)

 


#2 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:11:04 PM

Posted 23 December 2012 - 03:54 PM

Hello and Welcome -
This is not unusual, if you did not fully read all of the given information with the tool -

Because Norton Power Eraser uses aggressive methods to detect threats, there is a risk that it can select some legitimate programs for removal. You should use this tool very carefully. If you accidently remove a legitimate program, you can run Norton Power Eraser to review past repair sessions and undo them.
Norton Power Eraser For more information about using Norton Power Eraser, Fully read all of the tutorial

Thank You -

#3 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:04 AM

Posted 23 December 2012 - 06:05 PM

I do not see the FRST64 report - but I would go ahead and post that report in the malware room and one of us there might be able to get it working again


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#4 Richard Carnes

Richard Carnes
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:04 AM

Posted 24 December 2012 - 12:13 AM

Sorry, I attached as opposed to copy and pasting, my bad...

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 22-12-2012
Ran by SYSTEM at 22-12-2012 11:44:41
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2096424 2010-05-27] (Synaptics Incorporated)
HKLM\...\Run: [AmIcoSinglun64] C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe [324096 2010-06-25] (Alcor Micro Corp.)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [487424 2010-06-17] (IDT, Inc.)
HKLM\...\Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray [1928976 2010-03-05] (Intel® Corporation)
HKLM\...\Run: [SmartMenu] C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe /background [611896 2010-01-20] ()
HKLM\...\Run: [HPWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe 120 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden [363064 2010-06-18] (Hewlett-Packard Company)
HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
HKLM-x32\...\Run: [EgisTecPMMUpdate] "C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe" [401192 2009-12-24] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisUpdate] "C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe" -d [201512 2009-12-24] (Egis Technology Inc.)
HKLM-x32\...\Run: [VitaKeyTSR] C:\Program Files (x86)\Hewlett-Packard\HP SimplePass Identity Protection\EgisTSR.exe /run [380272 2010-06-08] (Egis Technology Inc. )
HKLM-x32\...\Run: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [602168 2010-06-29] (Hewlett-Packard Company)
HKLM-x32\...\Run: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [1155928 2010-06-01] (Symantec Corporation)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [948672 2009-12-11] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35760 2009-12-22] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-08-27] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-09-09] (Apple Inc.)
HKU\Default\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe [1712184 2010-02-09] ()
HKU\Owner\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe [1712184 2010-02-09] ()
HKU\Owner\...\Run: [Spotify] "C:\Users\Owner\AppData\Roaming\Spotify\Spotify.exe" /uri spotify:autostart [7880664 2012-10-28] (Spotify Ltd)
HKU\Owner\...\Run: [Spotify Web Helper] "C:\Users\Owner\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [1199576 2012-10-28] (Spotify Ltd)
HKU\Owner\...\Run: [Adobe] rundll32.exe "C:\Users\Owner\AppData\Local\Apple Computer\Adobe\kxrdwb.dll",DllRegisterServerW [454656 2012-11-07] ()
HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [296960 2009-07-13] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 75.75.76.76 75.75.75.75
Lsa: [Notification Packages] EgisPwdFilter EgisDSPwdFilter

==================== Services (Whitelisted) ===================

2 DvmMDES; "C:\SwSetup\HPQWMM\QuickWeb\QW.SYS\config\DVMExportService.exe" [338168 2010-06-25] (DeviceVM, Inc.)
2 EgisTec Service; "C:\Program Files (x86)\Hewlett-Packard\HP SimplePass Identity Protection\EgisService.exe" [697712 2010-06-08] (Egis Technology Inc. )
2 HPWMISVC; C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [27192 2010-06-29] ()
3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2010-03-05] ()
2 NIS; "C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe" /s "NIS" /m "C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\diMaster.dll" /prefetch:1 [262584 2011-03-31] (Symantec Corporation)
2 NOBU; "C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe" SERVICE [2804568 2010-06-01] (Symantec Corporation)

==================== Drivers (Whitelisted) =====================

1 BHDrvx64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\BASHDefs\20121030.002\BHDrvx64.sys [1385632 2012-10-05] (Symantec Corporation)
1 DVMIO; C:\Windows\System32\Drivers\DVMIO.sys [20056 2009-11-11] (DeviceVM, Inc.)
1 eeCtrl; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2012-10-15] (Symantec Corporation)
3 EraserUtilRebootDrv; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138912 2012-10-15] (Symantec Corporation)
1 IDSVia64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\IPSDefs\20121109.001\IDSvia64.sys [513184 2012-10-13] (Symantec Corporation)
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\VirusDefs\20121112.016\ENG64.SYS [126112 2012-10-15] (Symantec Corporation)
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\VirusDefs\20121112.016\EX64.SYS [2084000 2012-10-15] (Symantec Corporation)
0 SMR311; C:\Windows\System32\Drivers\SMR311.sys [95392 2012-11-12] (Symantec Corporation)
3 SRTSP; C:\Windows\System32\Drivers\NISx64\1207020.003\SRTSP64.SYS [744568 2011-03-30] (Symantec Corporation)
1 SRTSPX; C:\Windows\system32\drivers\NISx64\1207020.003\SRTSPX64.SYS [40568 2011-03-30] (Symantec Corporation)
0 SymDS; C:\Windows\System32\drivers\NISx64\1207020.003\SYMDS64.SYS [450680 2011-01-26] (Symantec Corporation)
0 SymEFA; C:\Windows\System32\drivers\NISx64\1207020.003\SYMEFA64.SYS [912504 2011-03-14] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [174200 2012-10-15] (Symantec Corporation)
1 SymIRON; C:\Windows\system32\drivers\NISx64\1207020.003\Ironx64.SYS [171128 2011-01-26] (Symantec Corporation)
1 SymNetS; C:\Windows\System32\Drivers\NISx64\1207020.003\SYMNETS.SYS [386168 2011-04-20] (Symantec Corporation)

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========



==================== One Month Modified Files and Folders =======

2012-12-22 11:44 - 2012-12-22 11:44 - 00000000 ____D C:\FRST
2012-12-22 11:38 - 2012-10-31 16:08 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Juniper Networks
2012-12-22 11:38 - 2012-10-24 15:49 - 00000000 ____D C:\Users\Owner\AppData\Local\Apple Computer
2012-12-22 11:38 - 2012-10-10 23:38 - 00000000 ____D C:\users\Owner
2012-12-22 11:38 - 2011-12-14 16:30 - 00000000 ____D C:\Intel
2012-12-22 11:38 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2012-12-22 11:38 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat
2012-12-22 11:36 - 2012-11-05 22:48 - 00000000 ____D C:\Users\Owner\AppData\Local\Microsoft Games
2012-12-22 11:36 - 2012-10-23 14:39 - 00000000 ____D C:\Users\Owner\AppData\Roaming\SoftGrid Client
2012-12-22 11:36 - 2012-10-15 14:19 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Adobe
2012-12-22 11:36 - 2012-10-10 23:38 - 00000000 ____D C:\Users\Owner\AppData\Local\VirtualStore
2012-12-22 11:35 - 2012-10-31 16:28 - 00000000 ____D C:\Program Files (x86)\Juniper Networks
2012-12-22 11:35 - 2012-10-23 14:44 - 00000000 __RHD C:\MSOCache

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION!

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-10-31 09:38:28
Restore point made on: 2012-11-06 09:14:34
Restore point made on: 2012-11-12 19:36:42

==================== Memory info ===========================

Percentage of memory in use: 18%
Total physical RAM: 3893.86 MB
Available physical RAM: 3158.61 MB
Total Pagefile: 3892.01 MB
Available Pagefile: 3154.57 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:442.34 GB) (Free:355.18 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive e: (RECOVERY) (Fixed) (Total:23.11 GB) (Free:3.38 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive g: () (Removable) (Total:7.47 GB) (Free:7.35 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]
ATTENTION: Malware custom entry on BCD on drive y: detected. Check for MBR/Partition infection.

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 121 MB
Disk 1 Online 7663 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 199 MB 1024 KB
Partition 2 Primary 442 GB 200 MB
Partition 3 Primary 23 GB 442 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM NTFS Partition 199 MB Healthy

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 442 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E RECOVERY NTFS Partition 23 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7655 MB 22 KB

==================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G FAT32 Removable 7655 MB Healthy

=========================================================

Last Boot: 2012-11-15 11:43

==================== End Of Log =============================

#5 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,821 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:09:04 AM

Posted 24 December 2012 - 07:04 AM

:welcome:

Download MBRFix from here.

Save and extract its contents to the working computer's desktop. There are three files in the MBRFix folder. From these, only copy the MBRFix64.exe to the USB drive.

Also download the enclosed file and save it in the USB drive.

Insert the USB drive into the ailing computer.

Now please enter System Recovery Options and run FRST64 as you did before, except that this time around, press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt). It will also create a file labeled MBRDUMP.txt. Copy and Paste the contents of the Fixlog.txt in your next reply, but attach the MBRDUMP.txt as it is a hex file.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#6 Richard Carnes

Richard Carnes
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:04 AM

Posted 24 December 2012 - 11:40 AM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 22-12-2012
Ran by SYSTEM at 2012-12-24 06:30:26 Run:1
Running from G:\

==============================================

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\\*Restore Value deleted successfully.

The operation completed successfully.
The operation completed successfully.
MBRDUMP.txt is made successfully.

==== End of Fixlog ====

Thank you, and I hope you're having a good Christmas Eve (even though you're dealing with this crap...)

Attached Files



#7 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,821 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:09:04 AM

Posted 24 December 2012 - 02:24 PM

Are you able to boot in Normal Mode now?

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#8 Richard Carnes

Richard Carnes
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:04 AM

Posted 24 December 2012 - 06:02 PM

YES! Thank you so very much. Have a great Christmas and a Happy New Year!!

#9 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,821 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:09:04 AM

Posted 25 December 2012 - 10:34 AM

I would suggest you scan the computer for remnants:

Lets try Combofix.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link or this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" .
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#10 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,821 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:09:04 AM

Posted 06 January 2013 - 12:59 PM

Due to the lack of feedback this Topic is closed. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users