
Black Screen with blinking cursor Please Help


  • This topic is locked
5 replies to this topic

#1 jmon4


Posted 26 May 2013 - 10:37 PM

My daughter's computer went to a black screen with a blinking cursor in the top left corner. It has been this way since January. I have tried everything with no results until I found another post in this forum for the same problem. I followed the steps and have a FRST file. But now I need the frstlist (I think and hope).

Thank you so much in advance.

Here is the readout from the frst

 

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 26-05-2013 04
Ran by SYSTEM on 26-05-2013 22:10:29
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [cAudioFilterAgent] C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [518784 2011-03-17] (Conexant Systems, Inc.)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2284328 2011-03-23] (Synaptics Incorporated)
HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
HKLM-x32\...\Run: [ISBMgr.exe] "C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe" [2757312 2011-02-15] (Sony Corporation)
HKLM-x32\...\Run: [PMBVolumeWatcher] c:\Program Files (x86)\Sony\PMB\PMBVolumeWatcher.exe [648032 2010-11-26] (Sony Corporation)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [1561768 2012-05-04] (Ask)
HKU\Alexis\...\Run: [ooVoo.exe] C:\Program Files (x86)\ooVoo\oovoo.exe /minimized [27040888 2012-08-20] (ooVoo LLC)
HKU\Alexis\...\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)

==================== Services (Whitelisted) =================

S3 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
S2 AMD FUEL Service; c:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [365568 2011-05-24] (Advanced Micro Devices, Inc.)
S2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\19.0.0.128\diMaster.dll [281016 2011-05-24] (Symantec Corporation)
S2 SampleCollector; C:\Program Files\Sony\VAIO Care\VCPerfService.exe [259192 2011-01-29] (Sony Corporation)
S2 uCamMonitor; C:\Program Files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [105024 2011-02-23] (ArcSoft, Inc.)

==================== Drivers (Whitelisted) ====================

S3 ArcSoftKsUFilter; C:\Windows\System32\DRIVERS\ArcSoftKsUFilter.sys [19968 2009-05-26] (ArcSoft, Inc.)
S1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\BASHDefs\20120823.005\BHDrvx64.sys [1385120 2012-08-10] (Symantec Corporation)
S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2012-08-09] (Symantec Corporation)
S3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138912 2012-08-09] (Symantec Corporation)
S1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\IPSDefs\20120825.001\IDSvia64.sys [512672 2012-08-21] (Symantec Corporation)
S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\VirusDefs\20120827.016\ENG64.SYS [125600 2012-08-27] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\VirusDefs\20120827.016\EX64.SYS [2084000 2012-08-27] (Symantec Corporation)
S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [174200 2012-07-28] (Symantec Corporation)
S1 ccSet_NIS; \SystemRoot\system32\drivers\NISx64\1300000.080\ccSetx64.sys [x]
S3 SRTSP; \SystemRoot\system32\drivers\NISx64\1300000.080\SRTSP64.SYS [x]
S1 SRTSPX; \SystemRoot\system32\drivers\NISx64\1300000.080\SRTSPX64.SYS [x]
S0 SymDS; system32\drivers\NISx64\1300000.080\SYMDS64.SYS [x]
S0 SymEFA; system32\drivers\NISx64\1300000.080\SYMEFA64.SYS [x]
S1 SymIRON; \SystemRoot\system32\drivers\NISx64\1300000.080\Ironx64.SYS [x]
S1 SymNetS; \SystemRoot\system32\drivers\NISx64\1300000.080\SYMNETS.SYS [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-05-26 22:10 - 2013-05-26 22:10 - 00000000 ____D C:\FRST

==================== One Month Modified Files and Folders =======

2013-05-26 22:10 - 2013-05-26 22:10 - 00000000 ____D C:\FRST
2013-05-26 22:04 - 2012-07-29 14:38 - 00000000 ____D C:\Users\Alexis\AppData\Roaming\ArcSoft
2013-05-26 22:04 - 2012-07-29 12:04 - 00000000 ____D C:\Windows\System32\Macromed
2013-05-26 22:04 - 2012-07-28 18:10 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2013-05-26 22:04 - 2012-07-28 16:29 - 00000000 ____D C:\users\Alexis
2013-05-26 22:04 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\sysprep
2013-05-26 22:04 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2013-05-26 22:04 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat
2013-05-26 22:03 - 2012-07-28 18:53 - 00000000 ____D C:\ProgramData\Norton
2013-05-26 22:03 - 2012-07-28 17:12 - 00000000 ____D C:\ProgramData\Sony Corporation
2013-05-26 22:03 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2013-05-26 22:00 - 2012-07-28 17:35 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2013-05-26 21:45 - 2011-07-12 18:58 - 00000000 ___RD C:\Users\Public\Recorded TV

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$0208babc657c9d257aa9ca686290b1ab

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-3283811092-646336626-2863397043-1007\$0208babc657c9d257aa9ca686290b1ab

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$0208babc657c9d257aa9ca686290b1ab

Other Malware:
===========
C:\Users\Alexis\GoToAssistDownloadHelper.exe

==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-12-03 18:37:51
Restore point made on: 2012-12-07 21:35:26
Restore point made on: 2012-12-12 17:27:25
Restore point made on: 2012-12-16 11:32:01
Restore point made on: 2012-12-20 06:36:22
Restore point made on: 2012-12-20 07:12:20
Restore point made on: 2012-12-25 20:41:40
Restore point made on: 2012-12-26 18:21:01
Restore point made on: 2013-01-04 20:48:12

==================== Memory info ===========================

Percentage of memory in use: 15%
Total physical RAM: 3690.9 MB
Available physical RAM: 3136.43 MB
Total Pagefile: 3689.05 MB
Available Pagefile: 3120.11 MB
Total Virtual: 8192 MB
Available Virtual: 8191.85 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:287.19 GB) (Free:236.23 GB) NTFS (Disk=0 Partition=3)
Drive e: (Recovery) (Fixed) (Total:10.8 GB) (Free:1.1 GB) NTFS (Disk=0 Partition=1) ==>[System with boot components (obtained from reading drive)]
Drive f: (RECOVERYDISC1) (CDROM) (Total:4.13 GB) (Free:0 GB) UDF
Drive g: () (Removable) (Total:0.24 GB) (Free:0 GB) FAT (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS (Disk=0 Partition=2) ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: DF9D0DD4)
Partition 00: (Active) - (Size=0) - (Type=00) ATTENTION ===> 0 byte partition bootkit.
Partition 1: (Not Active) - (Size=11 GB) - (Type=27)
Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=287 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 245 MB) (Disk ID: 00000000)
Partition 1: (Not Active) - (Size=245 MB) - (Type=06)


Last Boot: 2013-01-04 20:40

==================== End Of Log ============================


Edited by Orange Blossom, 27 May 2013 - 12:46 AM.
Moved to log forum. ~ OB



 


#2 jmon4


Posted 27 May 2013 - 12:15 PM

Please let me know if there is something else I should do. Really need to get her computer back up and running. Thanks again, and hope to hear from someone who can help soon. :)



#3 Farbar


Posted 28 May 2013 - 06:35 PM

Hi jmon4,

 

Welcome to the forum.

 

Please tell me if the issue is not resolved and you still need assistance.

 

 



#4 jmon4


Posted 29 May 2013 - 07:04 AM

Hello and thank you for responding. I was able to put in the "restore" disc and move her pictures and music off the computer (to an external hard drive). Then I just restored to factory. I'm in the process of installing the Windows updates (113 of them). It's taking a while but at least her computer is back up and running. But I do have a few questions that hopefully you can answer for me.

1. Will restoring to factory take care of the problem?

2. I'm assuming this was a virus. Is there a good free anti-virus program to use (evidently Norton does not work)?

3. Will moving the pictures and music to my external hard drive infect my ex HDD? Is there a program that will scan it?

4. My ex HDD is connected to my iMac; if it is infected, can it infect my iMac?

5. Is there anything else I should do?

 

Thank you so much for your help.



#5 Farbar


Posted 29 May 2013 - 11:52 AM

Answer to questions 3 and 4: This infection had created a partition and was running from there. This infection doesn't infect other files. So you don't need to worry about other files or your HDD and your iMac.

 

Answer to question 2: In my opinion Norton should perform better than any other free antivirus. Even a system with the best antivirus could be infected by this infection. But in case you opted to use a free antivirus, one of the following is an option:

Avira

Avast

 

To answer other questions I need a couple of logs:

  1. Please download Farbar Recovery Scan Tool and save it to your desktop.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

    • Double-click to run it. When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
    • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
  2. Please download TDSSKiller.zip and extract it.

    • Run TDSSKiller.exe.
    • Click Start scan.
    • When it is finished the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Leave the options as they are and click Continue.
    • Click on Report and post the contents of the text file that will open.

      Note: By default, the utility outputs the log into the system disk (it is usually the disk with the installed operating system, C:\) root folder. The log has a name like: TDSSKiller.Version_Date_Time_log.txt.

     



#6 Farbar


Posted 04 June 2013 - 08:15 AM

This thread will now be closed due to lack of activity.

If you should have a new issue, please start a new topic.

Everyone else should start a new topic.





