
noahdfear
Trusted Malware Techs
  • Content Count: 336
  • Joined
  • Last visited

Everything posted by noahdfear

  1. I must again apologize - I forgot about you (one of the reasons I seldom work topics anymore). Despite reporting that the sfc results were written to the cbs.log, they were not, meaning they are of no help. I did some testing with a number of files to see if I could reproduce the behavior you're experiencing, and the closest I came, albeit slightly different, was in not allowing userinit.exe to load. That said, let's see if replacing yours will help. Repeat the procedure in Post #50 using the replace.txt file attached to this post (delete the one from before). If there's no change after reboot, the only other thing I can suggest is to attempt a repair install. Since your system is a Win7 upgrade, I'm assuming you have a Win7 upgrade DVD. To perform a repair installation you boot with the DVD and choose the Upgrade option at the setup screen. This option will only be available, in my experience, if a previous operating system is detected (although everything I've read, even in the link above, says it is only available from within Windows). If the option is not available to you, you cannot re-install Windows 7 without overwriting all of your existing files, e.g., all of your personal files, pictures, etc. would be gone. If you have an external USB drive that you could copy files to, I would suggest seeing if you can back up your data via xPUD before attempting any repairs.
     Attachment: replace.txt
  2. Let's see if that log reveals anything helpful. You'll need the driver.sh script from here on your flash drive.
     Boot into xPUD and navigate to the flash drive, then click Tool>Open Terminal.
     Type the following command, then press Enter.
     bash driver.sh -f
     When prompted for the filename to search for, type cbs.log and press Enter.
     If any copies are found it should show the location on the screen, as well as echo the results to a log named filefind.txt on the flash drive. I expect the cbs.log file to be located in /mnt/sda3/windows/logs - if so, please copy it to your flash drive, then attach it to a reply here. If it is too big to attach you can zip it up and upload the zip to my submissions site.
  3. My apologies for the delay in a response. I've been banging my head trying to figure out a cause for your situation, and quite frankly, I'm just not finding anything. Let's run the system file checker from the Recovery Environment and see if that produces a positive result.
     Start your computer and tap F8 to enable the Advanced startup menu, then select Repair your computer.
     When the System Recovery Options screen comes up, select Command Prompt.
     Type in the following bolded command, replacing the red underscores with spaces, then press Enter.
     sfc_/scannow_/offbootdir=c:\_/offwindir=c:\windows
     When the scan completes, restart and see if the computer will boot and load normally.
  4. Start the computer, pressing F8 to enable the Advanced Start menu.
     Select Repair your computer.
     If Startup Repair starts automatically, when it completes click the link View advanced options for system recovery and support to open the System Recovery Options menu.
     Select System Restore, then click Next.
     If any restore points are available they will be listed. If none are listed with a date prior to the current problem, check the box Show more restore points.
     Click to select a date just prior to the current problem, then click Next.
     Click Finish to confirm - your computer will restart and attempt to restore the system to its previous state.
     Let us know the outcome.
  5. Hi Steve, I have studied and re-studied everything you've submitted and I still do not see anything that could be blamed for the behavior of your computer. On the off chance that explorer.exe is corrupted, let's replace it with another copy on your drive.
     Please download the attached replace.txt file and save it to your flash drive. Make sure that the driver.sh script you downloaded previously is still on the flash drive as well.
     Boot into xPUD and navigate to the flash drive (sdb1), then click Tool>Open Terminal.
     Type the following bolded command, then press Enter.
     bash driver.sh -r
     Close the Terminal window when the script completes and restart the computer, allowing it to start normally. Let me know if there's any change.
     Please post the contents of the report created on the flash drive named filerep.txt.
     Attachment: replace.txt
  6. Please save xPUDtd to your flash drive.
     Boot to xPUD with the flash drive attached, navigate to the flash drive, then double click xPUDtd to run it.
     At the first screen, leave [Create] selected and press Enter.
     The next screen will show your disk drives; generally the hard drive will be first, USB second. You should be able to verify by the size.
     Select the hard drive, select [Proceed] and press Enter.
     At the next screen select [intel] and press Enter.
     Now at the actions option screen, arrow down to [Advanced] and press Enter.
     Select [boot] and press Enter - you may have to arrow up/down to select a different partition to get the [boot] option to show.
     Select [Dump] and press Enter.
     At this screen, use the page down button (or press Enter on the [Next] option repeatedly) to view the entire boot sector, which may be about 4 screens full and ends at approximately the 01F8 sector in the left column.
     Now press Q three times, which should return you to the actions option screen.
     Select [Analyse] and press Enter.
     Select [Quick Search] and press Enter.
     If prompted to search for partitions created under Vista, type Y.
     The next screen will show the current partition structure. Press Enter to continue.
     Now press Q repeatedly until TestDisk exits.
     There will be a log created on the flash drive named testdisk.log. Either zip and upload that log or open it (should open with notepad by default) and copy/paste its contents in a reply here.
  7. Let's do it this way then. First, zip up the bcd.txt file (right click>Send To>Compressed (zipped) folder). Go to my submissions site and upload the bcd.zip and mbr.zip files. http://noahdfear.net/max/upload.php
  8. You will need to type something into the reply text box - I don't think the forum software will allow you to post a blank reply.
  9. Click Add Reply then on the Replying to Blank Screen page click the Browse button located below the reply textbox. Select your file and click Open. Click Attach this file. Finally, click Add Reply.
  10. Right click on the link and select Save Target As
  11. Hi Steve, I've looked over your registry hives, and the bcd, and frankly I don't see a problem with any of them. That said, I cannot get true results from your bcd - true results can only come from the machine on which the bcd lives. So, let's see if we can get an export from your bcd.
     Plug in your flash drive and start the computer, pressing F8 to enable the Advanced Start menu.
     Select Repair your computer.
     If Startup Repair starts automatically, when it completes click the link View advanced options for system recovery and support to open the System Recovery Options menu.
     Select Command prompt.
     Type diskpart and press Enter.
     When the diskpart> command prompt appears, type list volume and press Enter.
     Jot down the drive letters assigned and their corresponding label - I'll want that information in your reply. Identify which drive letter is assigned to your flash drive (you should know by the size).
     Type exit and press Enter to quit the diskpart tool.
     Now type the following command, replacing the red x with the drive letter that corresponds to your flash drive, then press Enter.
     bcdedit /enum all>x:\bcd.txt
     *Please note that there is a space between bcdedit and /enum, and another between /enum and all.
     *If for some reason your flash drive does not show up in diskpart, use one of the drive letters shown there in place of the red x and we can retrieve the export in xPUD.
     Close the command window and shut down the machine.
     I would also like to get a dump of the hard drive's MBR (Master Boot Record). We'll use xPUD for that.
     Download dumpit and save it to your flash drive.
     Boot into xPUD with the flash drive attached, click the File icon, then navigate to your flash drive (mnt>sdb1).
     Double click dumpit to execute it. When it completes, press Enter to exit the Terminal window.
     If you were unsuccessful exporting the bcd to the flash drive, click each mnt>sda folder to locate the bcd.txt file - when you find it, right click and select Cut, then navigate back to the flash drive, right click and select Paste.
     Shut down and remove the flash drive, then on your working computer attach the mbr.zip and bcd.txt files on the flash drive to a reply here. Please remember to also post the drive letter and label information obtained in the Recovery Environment.
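The boot-sector dump in post 6 and the MBR dump requested in post 11 are raw 512-byte sectors; the reader still has to locate the partition table and the boot signature by hand. The script below is an added example (written for this page, not the dumpit or TestDisk tooling the posts use) that parses such a dump: it checks the 0x55AA signature, decodes the four 16-byte partition entries at offset 446, flags overlapping or multiply-bootable entries, and hashes the bootstrap code (bytes 0-439) so a dump can be compared byte-for-byte against one taken from a known-good machine. The sample MBR is constructed inline and is not a real dump; its layout (a bootable 100 MiB NTFS partition at LBA 2048 followed by a second NTFS partition) is an assumption chosen to look like a typical Windows 7 install.

```python
"""Parse a 512-byte MBR image: signature, partition table, boot-code hash."""
import hashlib
import struct
from dataclasses import dataclass
from typing import List

MBR_SIZE = 512
PART_TABLE_OFFSET = 446   # four 16-byte entries live at 446..509
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511, little-endian 0xAA55
BOOTCODE_LEN = 440        # bytes 440..445 hold the disk signature + reserved word

# Common partition type IDs (not exhaustive; unknown IDs print as hex)
TYPE_NAMES = {
    0x05: "Extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
    0x0F: "Extended LBA", 0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective",
}


@dataclass
class PartitionEntry:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int

    @property
    def size_mib(self) -> float:
        return self.sector_count * 512 / (1024 * 1024)


def parse_partition_table(mbr: bytes) -> List[PartitionEntry]:
    """Return the non-empty partition entries; raise if the sector is not an MBR."""
    if len(mbr) < MBR_SIZE:
        raise ValueError(f"expected at least {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not a valid MBR")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue  # empty slot
        entries.append(PartitionEntry(i, status == 0x80, ptype, lba_start, count))
    return entries


def table_warnings(entries: List[PartitionEntry]) -> List[str]:
    """Sanity checks a reviewer would apply before trusting the table."""
    warnings = []
    if sum(e.bootable for e in entries) > 1:
        warnings.append("more than one partition flagged bootable")
    ordered = sorted(entries, key=lambda e: e.lba_start)
    for prev, cur in zip(ordered, ordered[1:]):
        if prev.lba_start + prev.sector_count > cur.lba_start:
            warnings.append(f"partition {prev.index} overlaps partition {cur.index}")
    return warnings


def bootcode_sha256(mbr: bytes) -> str:
    """Hash of the bootstrap code only, for comparison against a clean machine's MBR."""
    return hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest()


def describe(mbr: bytes) -> str:
    entries = parse_partition_table(mbr)
    lines = [f"boot code sha256: {bootcode_sha256(mbr)}"]
    for e in entries:
        name = TYPE_NAMES.get(e.type_id, f"0x{e.type_id:02X}")
        flag = "*" if e.bootable else " "
        lines.append(f"{flag} #{e.index} {name:<14} start={e.lba_start:<10} "
                     f"sectors={e.sector_count:<10} ({e.size_mib:.0f} MiB)")
    lines.extend("WARNING: " + w for w in table_warnings(entries))
    return "\n".join(lines)


def build_sample_mbr() -> bytes:
    """Constructed sample, not a real dump: fake boot code plus two NTFS partitions."""
    mbr = bytearray(MBR_SIZE)
    mbr[0:3] = b"\x33\xC0\x8E"  # arbitrary stand-in for bootstrap code bytes
    struct.pack_into("<I", mbr, 440, 0x1234ABCD)  # disk signature
    # entry 0: bootable, NTFS, LBA 2048, 204800 sectors (100 MiB "System Reserved")
    struct.pack_into("<B3xB3xII", mbr, PART_TABLE_OFFSET, 0x80, 0x07, 2048, 204800)
    # entry 1: not bootable, NTFS, immediately after entry 0
    struct.pack_into("<B3xB3xII", mbr, PART_TABLE_OFFSET + 16, 0x00, 0x07, 206848, 1000000)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    print(describe(build_sample_mbr()))
```

To use it on a real dump, read the first 512 bytes of the file produced by dumpit (or TestDisk's boot-sector dump) and pass them to describe(). The boot-code hash is only meaningful relative to a reference: hash the MBR from a clean install of the same Windows version and compare, since a bootkit that patches the bootstrap code leaves the partition table intact and will pass every other check here.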
  12. Nothing of concern in that log. Please download Process Explorer from Microsoft Sysinternals.
     Extract the contents of the zip file to their own folder, open the folder and run procexp.exe.
     Click the entry System once to select it.
     Click View on the menu, then make sure Show Lower Pane is checked. You should have a split window with upper and lower panes.
     Click View>Lower Pane View and select DLLs. The lower pane will populate.
     When the System process is consuming a lot of CPU cycles, click File>Save As in Process Explorer. Save it to a convenient location (it will default to the name System.txt).
     Now click View>Lower Pane View and select Handles.
     When the lower pane populates, and with the System process at high CPU usage, save another log and name it System1.txt.
     Attach both logs in an email to me for review. Put RE:PCP logs in the Subject line.
  13. Your logs appear clean. Let's run one more tool now. This tool tends to be quite aggressive, so please be sure to configure it exactly as listed below. I only want to see a Report of what it finds.
     Download Dr.Web CureIt to the desktop: ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
     Double-click the drweb-cureit.exe file and click 'Start' to run the express scan. This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
     Once the short scan has finished, we need to change the default settings. In the Menu Bar at the top, click 'Settings'>Change Settings.
     Click on the Actions tab.
     Using the drop down menus, change each item under Objects and Malware to Report.
     Next, 'tick' Complete Scan.
     Click the green arrow at the right, and the scan will start. Click 'No to All' if it asks if you want to cure/move the file.
     After the scan has completed, in the Dr.Web CureIt menu on top, click File and choose Save Report List. Save the report to your desktop. The report will be called DrWeb.csv.
     Close Dr.Web CureIt.
     Post the contents of the log from Dr.Web you saved previously in your next reply.
     Look again in the Task Manager for the process consuming CPU cycles and get the exact process name for me please. Should be something with an exe extension.
  14. You are quite welcome. Glad I could help.
  15. Copy the bolded line below.
     sc stop RoxLiveShare9
     Click Start>Run, then paste the command in the Run dialog and hit Enter.
     Now, do the same with this next command.
     sc delete RoxLiveShare9
     That should remove the service, and you can delete that entire Roxio Shared folder.
  16. No sign of infection there. Looks like you got it all.
  17. Hi tonyc1075, let's get a rootkit scan just to make sure it's gone, since I don't see the actual driver removed in any of the logs.
     Download GMER Rootkit Scanner from here. Extract the contents of the zipped file to desktop.
     Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
     If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
     In the right panel, you will see several boxes that have been checked. Uncheck the following:
     Sections
     IAT/EAT
     Drives/Partition other than Systemdrive (typically C:\)
     Show All (don't miss this one)
     Then click the Scan button & wait for it to finish.
     Once done click on the [save..] button, and in the File name area, type in ark.txt. Save it where you can easily find it, such as your desktop, then post the contents here.
     **Caution** Rootkit scans often produce false positives. Do NOT take action on any <---- ROOTKIT entries.
  18. Hi foreverking, we need a bit more comprehensive look at things.
     Please download DDS and save it to your desktop.
     Disable any script blocking protection.
     Double click dds.scr to run the tool.
     When done, DDS will open two (2) logs: DDS.txt and Attach.txt. Save both reports to your desktop.
     Please include the contents of both logs in your next reply. The scan will instruct you to post the attach log as an attachment. No need for that though ..... just post it as you would any other log.
  19. Welcome to The Pit Maple, CLView.exe is the Microsoft Office Help Client Viewer. Nothing apparent in the HijackThis log, so I'd like to get a couple more logs that give us a more comprehensive look at things.
     Please download DDS and save it to your desktop.
     Disable any script blocking protection.
     Double click dds.scr to run the tool.
     When done, DDS will open two (2) logs: DDS.txt and Attach.txt. Save both reports to your desktop.
     Please include the contents of both logs in your next reply. The scan will instruct you to post the attach log as an attachment. No need for that though ..... just post it as you would any other log.
     Additionally, download GMER Rootkit Scanner from here. Extract the contents of the zipped file to desktop.
     Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
     If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
     In the right panel, you will see several boxes that have been checked. Uncheck the following:
     Sections
     IAT/EAT
     Drives/Partition other than Systemdrive (typically C:\)
     Show All (don't miss this one)
     Then click the Scan button & wait for it to finish.
     Once done click on the [save..] button, and in the File name area, type in ark.txt. Save it where you can easily find it, such as your desktop, then post the contents here.
     **Caution** Rootkit scans often produce false positives. Do NOT take action on any <---- ROOTKIT entries.
  20. I'm happy to hear that resolved the problem. You're very welcome for the help. Happy New Year to you too! Surf safe!!
  21. Good news! The infected files are all in ComboFix's quarantine folder, and the recycle bin. I don't know when you ran ComboFix, but had it been properly uninstalled you would not have that folder. Let's clean that up.
     If you still have ComboFix.exe, delete it. Download a fresh copy from here, saving the file to your desktop. ComboFix.exe must be on the Desktop for this to work!
     Highlight and copy the following bolded command.
     "%userprofile%\desktop\combofix.exe" /u
     Click Start then Run and paste the command in the Run dialog, then hit Enter.
     ComboFix will run and uninstall itself, removing the files it has quarantined. This action will also reset the System Restore points, removing any infected files there as well. Verify the C:\Qoobox and C:\ComboFix folders were removed.
     Download ATF Cleaner by Atribune and save it to your Desktop. Double click ATF-Cleaner.exe to run the program.
     Check the boxes to the left of:
     Windows Temp
     Current User Temp
     All Users Temp
     Temporary Internet Files
     Prefetch
     Java Cache
     Recycle bin
     The rest are optional - if you want it to remove everything check "Select All".
     Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.
     If you use Firefox and/or Opera I recommend you select that option(s) and clean at least the cache.
     Reboot when complete. That should make SpySweeper happy.
  22. Hi Madger and welcome to The Pit. Please visit the following webpage for instructions for downloading and running ComboFix: How to use ComboFix
     Download ComboFix by sUBs from here, saving the file to your desktop.
     Disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.
     Close all open programs and windows.
     Double click ComboFix.exe and follow the prompts. It may reboot your computer and resume running when you logon. Wait for it to complete.
     When finished, it will open a log for you. Post that log in your next reply.
     Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
  23. Recommend you do a full scan with SpySweeper and see if you can get details.
  24. I suspect SubInACL is compatible with Vista, though I have not tested it, so I rescind that recommendation. Since you are no longer receiving the errors, no need to do anything else.