OnPay virus cleanup



#1 mlkuhn07 (Members, 4 posts)

Posted 09 April 2013 - 02:56 AM

Subject: OnPay Inc Virus infection - and steps performed following advice provided to other persons on this site.

Help Needed: "un-obfuscate (C:)"

 

I found a post on this site....

http://www.bleepingcomputer.com/forums/t/466692/on-pay-inc-us/

 

This provided a lot of insight and steps to begin performing:

 

After doing all the steps below - I believe there is Obfuscation still ongoing - as the C: contents and MS IE favorites are not visible.

 

Please provide feedback on next steps that may be performed - as I do not believe that a reformat is required.

 

 

Here is a log of the steps I performed... (and logs of processes run).

 

Use:

1. RKill 

Results:  Successful, removed a running process and removed some registry entries.

And reset registry associations for .EXE, .COM and .BAT.

 

2.  Tried to download and run  TDSSKILLER:

Results:  downloaded and placed on Desktop.  Fails to run - even when downloaded the Windows 7 version.

 

3. Malwarebytes-anti-malware

Results: Downloaded and placed on desktop (copied from USB). 

----Fails on attempting to install the "uninstall" portion of the application.

 

4.  Did Download and run the MS Safety scan tool.

Results: found Alureon virus ---BELOW

 

MS Safety Scanner  (msert.exe)  3-24-13   downloaded and ran:

Results:

  • 1. Removed: Trojan: Win32/FakeSysdef
  • 2. Trojan: DOS/Alureon.L -- Partially removed -- Manual steps remain (MS...KB...

 

 

THEN - I FOUND THIS on Bleepingcomputer...

 

This page is from Bleeping computer for Downloader.generic13.CAM

Posted 08 October 2012 - 05:10 PM

Greetings jcheck99 and :welcome:to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary. If you would allow me to call you by your first name I would prefer to do that.

 

 

================================

I was able to get Rkill to run:  here is the log:

 

Rkill 2.4.7 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 03/23/2013 08:43:38 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\ProgramData\YIqeljvLcEYEi.exe (PID: 2780) [AU-HEUR]

1 proccess terminated!

Checking Registry for malware related settings:

 * System Policy Removed:  DisableTaskMgr [HKCU]
 * Explorer Policy Removed:  NoActiveDesktopChanges [HKLM]

Backup Registry file created at:
 C:\Users\Owner\Desktop\rkill\rkill-03-23-2013-08-43-55.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
  * HKCU\SOFTWARE\Classes\.exe "@" exists and is set to exefile!
  * HKCU\SOFTWARE\Classes\.exe has been deleted!
  * HKCU\SOFTWARE\Classes\exefile has been deleted!


Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

 * Windows Firewall Disabled

   [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   "EnableFirewall" = dword:00000000

 * SMTMP folder detected. Please see this link for more information: http://www.bleepingcomputer.com/forums/topic405109.html

Checking Windows Service Integrity:

 * WinDefend [Missing ImagePath]
 * wscsvc [Missing ImagePath]

 * FontCache => %SystemRoot%\system32\svchost.exe -k LocalService [Incorrect ImagePath]

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 03/23/2013 08:45:39 PM
Execution time: 0 hours(s), 2 minute(s), and 1 seconds(s)

 

 

mlkuhn07]   I have not read the SMTMP link --- just noticed it again.

                  There were changes made by Rkill --- Was this OK?? or...

 

==========================================================

Anyway next -- I downloaded AVG and ran it several  times on 25-27th.

Results of AVG efforts are listed below:

 

4-8-13

Scan found no infections.

Previous scans that found infections are listed below.

3-27 was the previous date with a found infection, and twice on the 26th following the initial scan on 25th-26th (with 19 FINDINGS).

 

"";"Trojan horse Downloader.Generic13.CAM, C:\Windows\System32\svchost.exe (1636):\memory_00120000";"Infected";"File or Directory";"3/27/2013, 10:41:47 AM"

"";"Trojan horse Downloader.Generic13.CAM, C:\Windows\System32\svchost.exe (1636)";"Deleted";"Process";"3/27/2013, 10:41:47 AM"

 

"";"Trojan horse Downloader.Generic13.CAM, C:\Windows\System32\svchost.exe (1636):\memory_00120000";"Healed";"File or Directory";"3/26/2013, 8:42:13 PM"

"";"Trojan horse Downloader.Generic13.CAM, C:\Windows\System32\svchost.exe (1636)";"Healed";"Process";"3/26/2013, 8:42:13 PM"

 

"";"Trojan horse Downloader.Generic13.CAM, C:\Windows\System32\svchost.exe (1636):\memory_00120000";"Healed";"File or Directory";"3/26/2013, 8:39:00 PM"

"";"Trojan horse Downloader.Generic13.CAM, C:\Windows\System32\svchost.exe (1636)";"Healed";"Process";"3/26/2013, 8:39:00 PM"

 

19 Infections [3-26-13]:  18 Deleted and moved to Virus Vault:  1 removed

 

 

"";"Corrupted executable file, C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VirtualBox-4.2.6-82870-Win[1].exe";"Deleted, Moved to Virus Vault";"File or Directory";"3/26/2013, 3:33:54 PM"

 

"";"Virus found JS/Obfuscated, C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IM7NFZ9A\q[1].htm";"Deleted, Moved to Virus Vault";"File or Directory";"3/26/2013, 10:20:07 AM"

 

"";"Trojan horse Dropper.Generic7.BJOV, C:\Users\Owner\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\53cc9345-619fc616";"Deleted, Moved to Virus Vault";"File or Directory";"3/26/2013, 3:05:58 PM"

 

"";"Trojan horse Dropper.Generic6.AGYO, C:\$Recycle.Bin\S-1-5-21-592982947-1044143337-4051690927-1000\$R0OTMDO\HomePage\UpThis\Adobe Acrobat X Pro 10.1.3 (English - French - German) Incl Keygen.exe";"Moved to Virus Vault"

 

"";"Trojan horse Dropper.Generic6.AGYO, C:\Users\Owner\AppData\Local\Temp\7zO3BD5.tmp\Adobe Acrobat X Pro 10.1.3 Multilanguage (keygen-CORE).exe";"Moved to Virus Vault"

 

"";"Trojan horse Dropper.Generic6.AGYO, C:\Users\Owner\AppData\Local\Temp\7zODE2D.tmp\Adobe Acrobat X Pro 10.1.3 Multilanguage (keygen-CORE).exe";"Moved to Virus Vault"

 

"";"Trojan horse Dropper.Generic6.AGYO, C:\Users\Owner\AppData\Local\Temp\7zO4EFC.tmp\Adobe Acrobat X Pro 10.1.3 Multilanguage (keygen-CORE).exe";"Moved to Virus Vault"

 

"";"Trojan horse Dropper.Generic6.AGYO, C:\Users\Owner\AppData\Local\Temp\7zO6AE.tmp\Adobe Acrobat X Pro 10.1.3 Multilanguage (keygen-CORE).exe";"Moved to Virus Vault"

 

"";"Trojan horse Dropper.Generic6.AGYO, C:\Users\Owner\AppData\Local\Temp\7zOD15.tmp\Adobe Acrobat X Pro 10.1.3 Multilanguage (keygen-CORE).exe";"Moved to Virus Vault"

 

"";"Trojan horse Dropper.Generic6.AGYO, C:\Users\Owner\AppData\Local\Temp\7zO256A.tmp\Adobe Acrobat X Pro 10.1.3 Multilanguage (keygen-CORE).exe";"Moved to Virus Vault"

 

"";"Trojan horse Dropper.Generic6.AGYO, C:\Users\Owner\AppData\Local\Temp\7zO2C7D.tmp\Adobe Acrobat X Pro 10.1.3 Multilanguage (keygen-CORE).exe";"Moved to Virus Vault"

 

"";"Trojan horse Dropper.Generic6.AGYO, C:\Users\Owner\AppData\Local\Temp\7zO1A31.tmp\Adobe Acrobat X Pro 10.1.3 Multilanguage (keygen-CORE).exe";"Moved to Virus Vault"

 

"";"Trojan horse Dropper.Generic6.AGYO, C:\Users\Owner\AppData\Local\Temp\7zO138B.tmp\Adobe Acrobat X Pro 10.1.3 Multilanguage (keygen-CORE).exe";"Moved to Virus Vault"

 

"";"Trojan horse Dropper.Generic6.AGYO, C:\Users\Owner\AppData\Local\Temp\7zO2CB8.tmp\Adobe Acrobat X Pro 10.1.3 Multilanguage (keygen-CORE).exe";"Moved to Virus Vault"

 

"";"Trojan horse Dropper.Generic6.AGYO, C:\Users\Owner\AppData\Local\Temp\7zO3035.tmp\Adobe Acrobat X Pro 10.1.3 Multilanguage (keygen-CORE).exe";"Moved to Virus Vault"

 

"";"Trojan horse Dropper.Generic6.AGYO, C:\Users\Owner\AppData\Local\Temp\7zO37E0.tmp\Adobe Acrobat X Pro 10.1.3 Multilanguage (keygen-CORE).exe";"Deleted, Moved to Virus Vault";"File or Directory";"3/26/2013, 3:12:19 PM"

 

"";"Trojan horse Dropper.Generic6.AGYO, C:\Users\Owner\AppData\Local\Temp\7zOB52C.tmp\Adobe Acrobat X Pro 10.1.3 Multilanguage (keygen-CORE).exe";"Deleted, Moved to Virus Vault";"File or Directory";"3/26/2013, 3:12:34 PM"

 

"";"Trojan horse Dropper.Generic6.AGYO, C:\Users\Owner\AppData\Local\Temp\7zOB0B8.tmp\Adobe Acrobat X Pro 10.1.3 Multilanguage (keygen-CORE).exe";"Deleted, Moved to Virus Vault";"File or Directory";"3/26/2013, 3:12:39 PM"

 

"";"Trojan horse Downloader.Generic13.CAM, C:\Windows\System32\svchost.exe (1636)";"Healed";"Process";"3/25/2013, 9:50:20 PM"

 

AVG removed/vaulted many instances of the:

trojan Dropper Generic6.AGYO

trojan Downloader.Generic13.CAM

JS/Obfuscated

 

and few others.

 

THE ONE THAT CONCERNS ME IS THE "JS/Obfuscated " because - I believe that the contents of the C drive are OBFUSCATED -from sight, and are not visible.

 

NEXT: after removing these trojans, I was able to run MalwareBytes:

 

=============================================

I followed this with MalwareBytes --- here is the log:

 

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.03.28.13

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Owner :: OWNER-HP [administrator]

3/28/2013 10:51:24 PM
mbam-log-2013-03-28 (22-51-24).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 765267
Time elapsed: 4 hour(s), 51 minute(s), 15 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 5
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{61E0EF7A-9BC0-45EA-9B2F-F3E9F02692BD} (PUP.PlayBryte) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{61E0EF7A-9BC0-45EA-9B2F-F3E9F02692BD} (PUP.PlayBryte) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\INSTALLEDBROWSEREXTENSIONS\215 APPS (PUP.CrossFire.SA) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Google\Chrome\Extensions\mpfapcdfbbledbojijcbcclmlieaoogk (PUP.GamesPlayLab) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\mpfapcdfbbledbojijcbcclmlieaoogk (PUP.GamesPlayLab) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\Software\InstalledBrowserExtensions\215 Apps|2258 (PUP.CrossFire.SA) -> Data: I Want This -> Quarantined and deleted successfully.

Registry Data Items Detected: 8
HKCU\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\Owner\AppData\Local\Temp\is1373634743\PricePeepInstaller.exe (Adware.Shopper) -> Quarantined and deleted successfully.

(end)

=================================

I was able to run "aswMBR"

 

Here is the log:

 

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-03-29 23:57:48
-----------------------------
23:57:48.736    OS Version: Windows x64 6.1.7601 Service Pack 1
23:57:48.736    Number of processors: 4 586 0x2505
23:57:48.736    ComputerName: OWNER-HP  UserName: Owner
23:57:52.090    Initialize success
23:58:05.740    AVAST engine defs: 13032901
23:58:19.031    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
23:58:19.031    Disk 0 Vendor: WDC_WD32 02.0 Size: 305245MB BusType: 3
23:58:20.045    Disk 0 MBR read successfully
23:58:20.061    Disk 0 MBR scan
23:58:20.061    Disk 0 Windows XP default MBR code
23:58:20.061    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          199 MB offset 2048
23:58:20.077    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       271190 MB offset 409600
23:58:20.123    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS        33751 MB offset 555806720
23:58:20.170    Disk 0 Partition 4 00     0C    FAT32 LBA MSDOS5.0      103 MB offset 624928768
23:58:20.685    Disk 0 scanning C:\Windows\system32\drivers
23:59:12.493    Service scanning
00:00:09.651    Modules scanning
00:00:09.667    Disk 0 trace - called modules:
00:00:10.213    ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys iaStor.sys hal.dll
00:00:10.213    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800529c060]
00:00:10.228    3 CLASSPNP.SYS[fffff88001a0143f] -> nt!IofCallDriver -> [0xfffffa8005140a50]
00:00:10.244    5 hpdskflt.sys[fffff88001ba2289] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004fbf050]
00:00:11.367    AVAST engine scan C:\Windows
00:00:36.639    AVAST engine scan C:\Windows\system32
00:20:08.954    AVAST engine scan C:\Windows\system32\drivers
00:20:58.135    AVAST engine scan C:\Users\Owner
07:10:27.653    AVAST engine scan C:\ProgramData
07:13:47.975    Scan finished successfully
08:15:45.016    Disk 0 MBR has been saved successfully to "C:\Users\Owner\Documents\MBR.dat"
08:15:45.016    The log file has been saved successfully to "C:\Users\Owner\Documents\aswMBR.txt"
08:19:38.299    Disk 0 MBR has been saved successfully to "F:\!PC Security SW\MBR.dat"
08:19:38.314    The log file has been saved successfully to "F:\!PC Security SW\aswMBR_3-30-2013.txt"


===========

mlkuhn07]  This took about 7 hrs to run --- successfully....but did it clean anything? Not clear to me from the log.

 

 

 ===============================================

I was able to run TDSSKILLER - on 3-29-13:  Log is attached 

 

 


 

 

 =============================================

 

And I was able to run ListParts.exe --- here are 2 logs (3-30-13 and 4-9-13):

 

ListParts by Farbar Version: 10-03-2013
Ran by Owner (administrator) on 30-03-2013 at 08:43:13
Windows 7 (X64)
Running From: C:\Users\Owner\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 70%
Total physical RAM: 3893.86 MB
Available physical RAM: 1156.55 MB
Total Pagefile: 7785.91 MB
Available Pagefile: 3922.32 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:264.83 GB) (Free:63.53 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (RECOVERY) (Fixed) (Total:32.96 GB) (Free:4.85 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive f: () (Removable) (Total:3.74 GB) (Free:0.52 GB) FAT32

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          298 GB      0 B        
  Disk 1    Online         3835 MB      0 B        

Partitions of Disk 0:
===============

Disk ID: 6EB6D97E

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            199 MB  1024 KB
  Partition 2    Primary            264 GB   200 MB
  Partition 3    Primary             32 GB   265 GB
  Partition 4    Primary            103 MB   297 GB

======================================================================================================

Disk: 0
Partition 1
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1         SYSTEM       NTFS   Partition    199 MB  Healthy    System (partition with boot components) 

======================================================================================================

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C                NTFS   Partition    264 GB  Healthy    Boot   

======================================================================================================

Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     D   RECOVERY     NTFS   Partition     32 GB  Healthy           

======================================================================================================

Disk: 0
Partition 4
Type  : 0C
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4         HP_TOOLS     FAT32  Partition    103 MB  Healthy           

======================================================================================================

Partitions of Disk 1:
===============

Disk ID: 00000000

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           3827 MB    19 KB

======================================================================================================

Disk: 1
Partition 1
Type  : 0B
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 5     F                FAT32  Removable   3827 MB  Healthy           

======================================================================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: 6EB6D97E

Partition 1:
===========
Hex: 80202100077E25190008000000380600
Active: YES
Type: 07 (NTFS)
Size: 199 MB

Partition 2:
===========
Hex: 007E261907FEFFFF0040060000B01A21
Active: NO
Type: 07 (NTFS)
Size: 265 GB

Partition 3:
===========
Hex: 00FEFFFF07FEFFFF00F0202100B81E04
Active: NO
Type: 07 (NTFS)
Size: 33 GB

Partition 4:
===========
Hex: 00FEFFFF0CFEFFFF00A83F25B03A0300
Active: NO
Type: 0C
Size: 103 MB

==============================
Partitions of Disk 1:
===============
Disk ID: 00000000

Partition 1:
===========
Hex: 000027000BFE7FE726000000C29F7700
Active: NO
Type: 0B
Size: 4 GB


Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
extendedinput           Yes
default                 {current}
resumeobject            {c279be75-9b51-11de-9b93-a29d207e6d0e}
displayorder            {current}
toolsdisplayorder       {memdiag}
timeout                 30
customactions           0x1000085000001
                        0x5400000f
custom:5400000f         {bf43b54f-52df-11e0-99b0-c3630413caf9}

Windows Boot Loader
-------------------
identifier              {572bcd60-ffa7-11d9-aae0-0007e994107d}
device                  ramdisk=[boot]\sources\boot.wim,{ramdiskoptions}
path                    \windows\system32\boot\winload.exe
description             Microsoft Windows PE 2.0
osdevice                ramdisk=[boot]\sources\boot.wim,{ramdiskoptions}
systemroot              \windows
detecthal               Yes
winpe                   Yes
ems                     Yes

Windows Boot Loader
-------------------
identifier              {bf43b54f-52df-11e0-99b0-c3630413caf9}
device                  ramdisk=[D:]\Recovery\WindowsRE\Winre.wim,{bf43b550-52df-11e0-99b0-c3630413caf9}
path                    \windows\system32\winload.exe
description             Windows Recovery Environment
inherit                 {bootloadersettings}
osdevice                ramdisk=[D:]\Recovery\WindowsRE\Winre.wim,{bf43b550-52df-11e0-99b0-c3630413caf9}
systemroot              \windows
nx                      OptIn
winpe                   Yes

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {bf43b54f-52df-11e0-99b0-c3630413caf9}
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \Windows
resumeobject            {c279be75-9b51-11de-9b93-a29d207e6d0e}
nx                      OptIn

Resume from Hibernate
---------------------
identifier              {c279be75-9b51-11de-9b93-a29d207e6d0e}
device                  partition=C:
path                    \Windows\system32\winresume.exe
description             Windows Resume Application
locale                  en-US
inherit                 {resumeloadersettings}
filedevice              partition=C:
filepath                \hiberfil.sys
debugoptionenabled      No

Windows Memory Tester
---------------------
identifier              {memdiag}
device                  partition=\Device\HarddiskVolume1
path                    \boot\memtest.exe
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {globalsettings}
badmemoryaccess         Yes

EMS Settings
------------
identifier              {emssettings}
bootems                 Yes

Debugger Settings
-----------------
identifier              {dbgsettings}
debugtype               Serial
debugport               1
baudrate                115200

RAM Defects
-----------
identifier              {badmemory}

Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}

Boot Loader Settings
--------------------
identifier              {bootloadersettings}
inherit                 {globalsettings}
                        {hypervisorsettings}

Hypervisor Settings
-------------------
identifier              {hypervisorsettings}
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200

Resume Loader Settings
----------------------
identifier              {resumeloadersettings}
inherit                 {globalsettings}

Setup Ramdisk Options
---------------------
identifier              {ramdiskoptions}
description             Ramdisk Options
ramdisksdidevice        boot
ramdisksdipath          \boot\boot.sdi

Device options
--------------
identifier              {bf43b550-52df-11e0-99b0-c3630413caf9}
description             Ramdisk Options
ramdisksdidevice        partition=D:
ramdisksdipath          \Recovery\WindowsRE\boot.sdi


****** End Of Log ******

 

==============================================

LOG file from 4-9-13

 

ListParts by Farbar Version: 10-03-2013
Ran by Owner (administrator) on 09-04-2013 at 00:26:34
Windows 7 (X64)
Running From: C:\Users\Owner\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 45%
Total physical RAM: 3893.86 MB
Available physical RAM: 2137.75 MB
Total Pagefile: 7785.91 MB
Available Pagefile: 5604.69 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:264.83 GB) (Free:73.2 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (RECOVERY) (Fixed) (Total:32.96 GB) (Free:4.85 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive f: () (Removable) (Total:3.74 GB) (Free:0.5 GB) FAT32

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          298 GB      0 B        
  Disk 1    Online         3835 MB      0 B        

Partitions of Disk 0:
===============

Disk ID: 6EB6D97E

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            199 MB  1024 KB
  Partition 2    Primary            264 GB   200 MB
  Partition 3    Primary             32 GB   265 GB
  Partition 4    Primary            103 MB   297 GB

======================================================================================================

Disk: 0
Partition 1
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1         SYSTEM       NTFS   Partition    199 MB  Healthy    System (partition with boot components) 

======================================================================================================

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C                NTFS   Partition    264 GB  Healthy    Boot   

======================================================================================================

Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     D   RECOVERY     NTFS   Partition     32 GB  Healthy           

======================================================================================================

Disk: 0
Partition 4
Type  : 0C
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4         HP_TOOLS     FAT32  Partition    103 MB  Healthy           

======================================================================================================

Partitions of Disk 1:
===============

Disk ID: 00000000

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           3827 MB    19 KB

======================================================================================================

Disk: 1
Partition 1
Type  : 0B
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 5     F                FAT32  Removable   3827 MB  Healthy           

======================================================================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: 6EB6D97E

Partition 1:
===========
Hex: 80202100077E25190008000000380600
Active: YES
Type: 07 (NTFS)
Size: 199 MB

Partition 2:
===========
Hex: 007E261907FEFFFF0040060000B01A21
Active: NO
Type: 07 (NTFS)
Size: 265 GB

Partition 3:
===========
Hex: 00FEFFFF07FEFFFF00F0202100B81E04
Active: NO
Type: 07 (NTFS)
Size: 33 GB

Partition 4:
===========
Hex: 00FEFFFF0CFEFFFF00A83F25B03A0300
Active: NO
Type: 0C
Size: 103 MB

==============================
Partitions of Disk 1:
===============
Disk ID: 00000000

Partition 1:
===========
Hex: 000027000BFE7FE726000000C29F7700
Active: NO
Type: 0B
Size: 4 GB


Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
extendedinput           Yes
default                 {current}
resumeobject            {c279be75-9b51-11de-9b93-a29d207e6d0e}
displayorder            {current}
toolsdisplayorder       {memdiag}
timeout                 30
customactions           0x1000085000001
                        0x5400000f
custom:5400000f         {bf43b54f-52df-11e0-99b0-c3630413caf9}

Windows Boot Loader
-------------------
identifier              {572bcd60-ffa7-11d9-aae0-0007e994107d}
device                  ramdisk=[boot]\sources\boot.wim,{ramdiskoptions}
path                    \windows\system32\boot\winload.exe
description             Microsoft Windows PE 2.0
osdevice                ramdisk=[boot]\sources\boot.wim,{ramdiskoptions}
systemroot              \windows
detecthal               Yes
winpe                   Yes
ems                     Yes

Windows Boot Loader
-------------------
identifier              {bf43b54f-52df-11e0-99b0-c3630413caf9}
device                  ramdisk=[D:]\Recovery\WindowsRE\Winre.wim,{bf43b550-52df-11e0-99b0-c3630413caf9}
path                    \windows\system32\winload.exe
description             Windows Recovery Environment
inherit                 {bootloadersettings}
osdevice                ramdisk=[D:]\Recovery\WindowsRE\Winre.wim,{bf43b550-52df-11e0-99b0-c3630413caf9}
systemroot              \windows
nx                      OptIn
winpe                   Yes

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {bf43b54f-52df-11e0-99b0-c3630413caf9}
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \Windows
resumeobject            {c279be75-9b51-11de-9b93-a29d207e6d0e}
nx                      OptIn

Resume from Hibernate
---------------------
identifier              {c279be75-9b51-11de-9b93-a29d207e6d0e}
device                  partition=C:
path                    \Windows\system32\winresume.exe
description             Windows Resume Application
locale                  en-US
inherit                 {resumeloadersettings}
filedevice              partition=C:
filepath                \hiberfil.sys
debugoptionenabled      No

Windows Memory Tester
---------------------
identifier              {memdiag}
device                  partition=\Device\HarddiskVolume1
path                    \boot\memtest.exe
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {globalsettings}
badmemoryaccess         Yes

EMS Settings
------------
identifier              {emssettings}
bootems                 Yes

Debugger Settings
-----------------
identifier              {dbgsettings}
debugtype               Serial
debugport               1
baudrate                115200

RAM Defects
-----------
identifier              {badmemory}

Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}

Boot Loader Settings
--------------------
identifier              {bootloadersettings}
inherit                 {globalsettings}
                        {hypervisorsettings}

Hypervisor Settings
-------------------
identifier              {hypervisorsettings}
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200

Resume Loader Settings
----------------------
identifier              {resumeloadersettings}
inherit                 {globalsettings}

Setup Ramdisk Options
---------------------
identifier              {ramdiskoptions}
description             Ramdisk Options
ramdisksdidevice        boot
ramdisksdipath          \boot\boot.sdi

Device options
--------------
identifier              {bf43b550-52df-11e0-99b0-c3630413caf9}
description             Ramdisk Options
ramdisksdidevice        partition=D:
ramdisksdipath          \Recovery\WindowsRE\boot.sdi


****** End Of Log ******

 

==========================================================================

Finally-

Currently, Windows Explorer shows (C:), Libraries, Favorites, as empty. 

 

This needs fixing.

 

Thank you for assisting.

 

-mkuhn07



Edited by Elise, 09 April 2013 - 05:17 AM.
Topic moved from Windows 7 to AII forum
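As an added illustration (not the poster's own code, not part of the original thread, and not code from Farbar's ListParts or AVAST's aswMBR): the 16-byte "Hex:" entries that ListParts prints under "MBR Partition Table" can be decoded directly, which lets a reader verify that the sizes and offsets ListParts and aswMBR report for this disk agree with the raw table, and flags the things a reviewer of such a log would want checked (bad status bytes, more or fewer than one active entry, overlapping entries, unknown type IDs). The script assumes 512-byte logical sectors (an assumption; the logs do not state it) and uses the four Disk 0 entries and the one Disk 1 entry copied from the post.

```python
import struct

# Assumption: 512-byte logical sectors. The logs above do not state the
# sector size; 512 is the norm for a SATA disk of this era.
SECTOR_BYTES = 512

# The "Hex:" lines from the ListParts "MBR Partition Table" section of the
# post, copied verbatim. Disk 0 is the internal drive, Disk 1 the USB stick.
LISTPARTS_DISK0_HEX = [
    "80202100077E25190008000000380600",
    "007E261907FEFFFF0040060000B01A21",
    "00FEFFFF07FEFFFF00F0202100B81E04",
    "00FEFFFF0CFEFFFF00A83F25B03A0300",
]
LISTPARTS_DISK1_HEX = ["000027000BFE7FE726000000C29F7700"]

# Partition type IDs seen in the post's logs plus a few common ones.
PARTITION_TYPES = {
    0x05: "Extended", 0x07: "NTFS/HPFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
    0x0F: "Extended LBA", 0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective",
}


def parse_mbr_entry(hex_entry):
    """Decode one 16-byte MBR partition table entry given as 32 hex digits.

    Layout (little-endian): status byte, 3-byte CHS start, type byte,
    3-byte CHS end, 32-bit starting LBA, 32-bit sector count. The CHS
    fields are skipped; aswMBR and ListParts both report the LBA values.
    """
    raw = bytes.fromhex(hex_entry)
    if len(raw) != 16:
        raise ValueError("an MBR partition entry is exactly 16 bytes")
    status, type_id, lba_start, sectors = struct.unpack("<B3xB3xII", raw)
    size_bytes = sectors * SECTOR_BYTES
    return {
        "status": status,
        "active": status == 0x80,
        "type_id": type_id,
        "type_name": PARTITION_TYPES.get(type_id, "unknown"),
        "lba_start": lba_start,                  # aswMBR prints this as "offset N"
        "sectors": sectors,
        "size_mb": size_bytes // (1024 * 1024),  # ListParts truncates to whole MB
        "empty": type_id == 0 and sectors == 0,
    }


def check_partition_table(hex_entries):
    """Parse a whole table and return (entries, findings).

    findings lists the consistency problems worth flagging when reading such
    a log: a status byte that is neither 0x00 nor 0x80, a number of active
    (bootable) entries other than one, overlapping entries, and unknown types.
    """
    entries = [parse_mbr_entry(h) for h in hex_entries]
    used = [e for e in entries if not e["empty"]]
    findings = []
    for i, e in enumerate(used, start=1):
        if e["status"] not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte 0x{e['status']:02X}")
        if e["type_name"] == "unknown":
            findings.append(f"partition {i}: unrecognised type 0x{e['type_id']:02X}")
    active = sum(1 for e in used if e["active"])
    if active != 1:
        findings.append(f"{active} active partitions (expected exactly 1)")
    ordered = sorted(used, key=lambda e: e["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"overlap: entry at LBA {a['lba_start']} runs into entry at LBA {b['lba_start']}")
    return entries, findings


if __name__ == "__main__":
    entries, findings = check_partition_table(LISTPARTS_DISK0_HEX)
    for n, e in enumerate(entries, start=1):
        print(f"Partition {n}: active={e['active']!s:5} type=0x{e['type_id']:02X} "
              f"({e['type_name']}) offset={e['lba_start']} sectors={e['sectors']} "
              f"size={e['size_mb']} MB")
    print("findings:", findings or "none")
```

Run as a script it prints offsets 2048, 409600, 555806720 and 624928768 and sizes 199, 271190, 33751 and 103 MB for Disk 0, which are exactly the values in the aswMBR log above, with no findings; the three Disk 0 NTFS entries are also exactly contiguous, which is what a factory HP layout looks like. Nothing in the decoded table points at the MBR as the source of the poster's hidden-files symptom.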



 


#2 mlkuhn07 (Topic Starter, Members, 4 posts)

Posted 09 April 2013 - 11:09 PM

I found that I needed to post this issue to the "Virus, Trojan, Spyware, Malware Removal Logs" forum.

I did post this to that forum at 10pm on Apr 9th.

 

Thank you,

mlkuhn07





