[TangentMedia]

Good morning. I will get back to you in a few minutes.

[Advertisements]

Yes, Windows will boot normally. Can't generate a Parted.log (we never solved that) but i am uploading a screen shot. And the testdisk.log is pasted below. Also attaching a picture of the screen after i hit the P key in testdisk. What's next?



Sat Dec 31 12:11:36 2011
Command line: TestDisk

TestDisk 6.13, Data Recovery Utility, November 2011
Christophe GRENIER <[email protected]>
http://www.cgsecurity.org
OS: Linux, kernel 2.6.31.2 (#5 SMP Mon Dec 7 11:56:35 UTC 2009) i686
Compiler: GCC 4.4
Compilation date: 2011-11-15T02:42:19
ext2fs lib: 1.41.9, ntfs lib: libntfs-3g, reiserfs lib: 0.3.1-rc8, ewf lib: 20100226
/dev/sda: LBA, HPA, LBA48, DCO support
/dev/sda: size 2930277168 sectors
/dev/sda: user_max 2930277168 sectors
/dev/sda: native_max 2930277168 sectors
/dev/sda: dco 2930277168 sectors
/dev/sdb: LBA, HPA, LBA48, DCO support
/dev/sdb: size 1953525168 sectors
/dev/sdb: user_max 1953525168 sectors
/dev/sdb: native_max 1953525168 sectors
/dev/sdb: dco 1953525168 sectors
Warning: can't get size for Disk /dev/mapper/control - 0 B - CHS 1 1 1, sector size=512
/dev/sr0 is not an ATA disk
Hard disk list
Disk /dev/sda - 1500 GB / 1397 GiB - CHS 182401 255 63, sector size=512 - WDC WD1502FAEX-007BA0, S/N:WD-WMAY02625035, FW:05.01D05
Disk /dev/sdb - 1000 GB / 931 GiB - CHS 121601 255 63, sector size=512 - ST31000528AS, S/N:6VPAF29M, FW:CC3E
Disk /dev/sr0 - 67 MB / 64 MiB - CHS 32770 1 1 (RO), sector size=2048 - HL-DT-ST DVDRAM GH40N, S/N:K4299890743, FW:NM02

Partition table type (auto): Intel
Disk /dev/sda - 1500 GB / 1397 GiB - WDC WD1502FAEX-007BA0
Partition table type: Intel

Analyse Disk /dev/sda - 1500 GB / 1397 GiB - CHS 182401 255 63
Geometry from i386 MBR: head=255 sector=63


test_FAT()
1 P FAT32 0 1 1 1305 254 63 20980827
sector_size 512
cluster_size 2
reserved 8
fats 1
dir_entries 1024
sectors 0
media F8
fat_length 0
secs_track 17
heads 4
hidden 1
total_sect 2097152
check_part_i386 failed for partition type 0B
NTFS at 1306/0/1
NTFS at 49947/0/1
get_geometry_from_list_part_aux head=255 nbr=5
get_geometry_from_list_part_aux head=8 nbr=1
get_geometry_from_list_part_aux head=16 nbr=1
get_geometry_from_list_part_aux head=32 nbr=1
get_geometry_from_list_part_aux head=64 nbr=1
get_geometry_from_list_part_aux head=128 nbr=1
get_geometry_from_list_part_aux head=240 nbr=1
get_geometry_from_list_part_aux head=255 nbr=5
Current partition structure:
Invalid FAT boot sector
1 P FAT32 0 1 1 1305 254 63 20980827
1 P FAT32 0 1 1 1305 254 63 20980827
2 * HPFS - NTFS 1306 0 1 49946 254 63 781417665 [WIN7]
3 P HPFS - NTFS 49947 0 1 182401 10 10 2127874150 [DATA]
Ask the user for vista mode
Computes LBA from CHS for Disk /dev/sda - 1500 GB / 1397 GiB - CHS 182402 255 63
Allow partial last cylinder : Yes
search_vista_part: 1

search_part()
Disk /dev/sda - 1500 GB / 1397 GiB - CHS 182402 255 63
NTFS at 1306/0/1
filesystem size 781417665
sectors_per_cluster 8
mft_lcn 786432
mftmirr_lcn 2
clusters_per_mft_record -10
clusters_per_index_record 1
HPFS - NTFS 1306 0 1 49946 254 63 781417665 [WIN7]
NTFS, 400 GB / 372 GiB
NTFS at 49947/0/1
filesystem size 2127874150
sectors_per_cluster 8
mft_lcn 786432
mftmirr_lcn 2
clusters_per_mft_record -10
clusters_per_index_record 1
HPFS - NTFS 49947 0 1 182401 10 10 2127874150 [DATA]
NTFS, 1089 GB / 1014 GiB
get_geometry_from_list_part_aux head=255 nbr=3
get_geometry_from_list_part_aux head=255 nbr=3

Results
* HPFS - NTFS 1306 0 1 49946 254 63 781417665 [WIN7]
NTFS, 400 GB / 372 GiB
P HPFS - NTFS 49947 0 1 182401 254 63 2127889575 [DATA]
NTFS, 1089 GB / 1014 GiB
ntfs_device_testdisk_io_ioctl() unimplemented
ntfs_ucstoutf8: iconv_open failed


dir_partition inode=5
* HPFS - NTFS 1306 0 1 49946 254 63 781417665 [WIN7]
NTFS, 400 GB / 372 GiB
Directory /
5 dr-xr-xr-x 0 0 0 27-Dec-2011 22:22 .
5 -r--r--r-- 0 0 1107 27-Dec-2011 22:22 .:3bdNtO8xvWVeLJO0j966nhs8A
5 -r--r--r-- 0 0 1197 27-Dec-2011 22:22 .:OAIB0yyRTqetf3vHe5nnAd
5 -r--r--r-- 0 0 1170 27-Dec-2011 22:22 .:rM2mu3yBjz7e4MkA7vC3uVs
5 -r--r--r-- 0 0 1182 27-Dec-2011 22:22 .:YGssNBO7SRZQMFGmF3N1
5 dr-xr-xr-x 0 0 0 27-Dec-2011 22:22 ..
5 -r--r--r-- 0 0 1107 27-Dec-2011 22:22 ..:3bdNtO8xvWVeLJO0j966nhs8A
5 -r--r--r-- 0 0 1197 27-Dec-2011 22:22 ..:OAIB0yyRTqetf3vHe5nnAd
5 -r--r--r-- 0 0 1170 27-Dec-2011 22:22 ..:rM2mu3yBjz7e4MkA7vC3uVs
5 -r--r--r-- 0 0 1182 27-Dec-2011 22:22 ..:YGssNBO7SRZQMFGmF3N1
63 dr-xr-xr-x 0 0 0 10-Oct-2009 05:13 MSOCache
35 dr-xr-xr-x 0 0 0 25-Nov-2010 16:37 $Recycle.Bin
18697 dr-xr-xr-x 0 0 0 15-Aug-2011 21:29 32788R22FWJFW
65982 dr-xr-xr-x 0 0 0 1-Jun-2011 22:38 Autodesk
13138 dr-xr-xr-x 0 0 0 24-Jan-2010 05:32 BigFishGamesCache
36 dr-xr-xr-x 0 0 0 27-Apr-2011 19:14 Boot
5868 -r--r--r-- 0 0 383786 20-Nov-2010 12:40 bootmgr
30081 -r--r--r-- 0 0 8192 5-Aug-2009 18:13 BOOTSECT.BAK
14851 dr-xr-xr-x 0 0 0 11-Apr-2010 04:07 chop
224407 dr-xr-xr-x 0 0 0 20-Dec-2011 17:14 Config.Msi
32856 dr-xr-xr-x 0 0 0 23-Apr-2011 05:30 divx
30143 dr-xr-xr-x 0 0 0 14-Jul-2009 05:08 Documents and Settings
6779 dr-xr-xr-x 0 0 0 27-Dec-2011 22:32 FRST
62092 dr-xr-xr-x 0 0 0 9-Feb-2011 21:59 grt-psds
434226 dr-xr-xr-x 0 0 0 19-Oct-2011 02:30 IExp0.tmp
434230 dr-xr-xr-x 0 0 0 19-Oct-2011 02:30 IExp1.tmp
302367 dr-xr-xr-x 0 0 0 20-Oct-2011 09:45 IExp2.tmp
302428 dr-xr-xr-x 0 0 0 20-Oct-2011 09:45 IExp3.tmp
61 dr-xr-xr-x 0 0 0 10-Oct-2009 04:58 Intel
209119 dr-xr-xr-x 0 0 0 3-Apr-2011 22:35 iPod Stuff
9936 dr-xr-xr-x 0 0 0 8-May-2011 18:59 MoTemp
34038 dr-xr-xr-x 0 0 0 28-May-2010 16:28 Multimedia Files
201170 dr-xr-xr-x 0 0 0 28-Mar-2011 17:47 NVIDIA
444 -r--r--r-- 0 0 1073741824 18-Dec-2011 04:15 pagefile.sys
130 dr-xr-xr-x 0 0 0 14-Jul-2009 03:20 PerfLogs
132 dr-xr-xr-x 0 0 0 17-Dec-2011 21:33 Program Files
880 dr-xr-xr-x 0 0 0 23-Dec-2011 04:18 Program Files (x86)
1969 dr-xr-xr-x 0 0 0 27-Dec-2011 04:28 ProgramData
2113 dr-xr-xr-x 0 0 0 10-Oct-2009 05:05 RaidTool
2114 dr-xr-xr-x 0 0 0 16-Jan-2010 19:01 Recovery
57187 dr-xr-xr-x 0 0 0 26-Jun-2010 22:54 SmartSound Software
140242 dr-xr-xr-x 0 0 0 27-Dec-2011 04:21 System Volume Information
203187 dr-xr-xr-x 0 0 0 13-Aug-2011 18:13 temp
2115 dr-xr-xr-x 0 0 0 19-Oct-2011 19:07 Users
314185 -r--r--r-- 0 0 488484 12-Oct-2011 05:18 vcredist_x86.log
2295 dr-xr-xr-x 0 0 0 11-Dec-2011 05:01 Windows
SIGHUP detected! TestDisk has been killed.

Attached Thumbnails

• 
• 

[TangentMedia]

Yes, Windows will boot normally. Can't generate a Parted.log (we never solved that) but i am uploading a screen shot. And the testdisk.log is pasted below. Also attaching a picture of the screen after i hit the P key in testdisk. What's next?



Sat Dec 31 12:11:36 2011
Command line: TestDisk

TestDisk 6.13, Data Recovery Utility, November 2011
Christophe GRENIER <[email protected]>
http://www.cgsecurity.org
OS: Linux, kernel 2.6.31.2 (#5 SMP Mon Dec 7 11:56:35 UTC 2009) i686
Compiler: GCC 4.4
Compilation date: 2011-11-15T02:42:19
ext2fs lib: 1.41.9, ntfs lib: libntfs-3g, reiserfs lib: 0.3.1-rc8, ewf lib: 20100226
/dev/sda: LBA, HPA, LBA48, DCO support
/dev/sda: size 2930277168 sectors
/dev/sda: user_max 2930277168 sectors
/dev/sda: native_max 2930277168 sectors
/dev/sda: dco 2930277168 sectors
/dev/sdb: LBA, HPA, LBA48, DCO support
/dev/sdb: size 1953525168 sectors
/dev/sdb: user_max 1953525168 sectors
/dev/sdb: native_max 1953525168 sectors
/dev/sdb: dco 1953525168 sectors
Warning: can't get size for Disk /dev/mapper/control - 0 B - CHS 1 1 1, sector size=512
/dev/sr0 is not an ATA disk
Hard disk list
Disk /dev/sda - 1500 GB / 1397 GiB - CHS 182401 255 63, sector size=512 - WDC WD1502FAEX-007BA0, S/N:WD-WMAY02625035, FW:05.01D05
Disk /dev/sdb - 1000 GB / 931 GiB - CHS 121601 255 63, sector size=512 - ST31000528AS, S/N:6VPAF29M, FW:CC3E
Disk /dev/sr0 - 67 MB / 64 MiB - CHS 32770 1 1 (RO), sector size=2048 - HL-DT-ST DVDRAM GH40N, S/N:K4299890743, FW:NM02

Partition table type (auto): Intel
Disk /dev/sda - 1500 GB / 1397 GiB - WDC WD1502FAEX-007BA0
Partition table type: Intel

Analyse Disk /dev/sda - 1500 GB / 1397 GiB - CHS 182401 255 63
Geometry from i386 MBR: head=255 sector=63


test_FAT()
1 P FAT32 0 1 1 1305 254 63 20980827
sector_size 512
cluster_size 2
reserved 8
fats 1
dir_entries 1024
sectors 0
media F8
fat_length 0
secs_track 17
heads 4
hidden 1
total_sect 2097152
check_part_i386 failed for partition type 0B
NTFS at 1306/0/1
NTFS at 49947/0/1
get_geometry_from_list_part_aux head=255 nbr=5
get_geometry_from_list_part_aux head=8 nbr=1
get_geometry_from_list_part_aux head=16 nbr=1
get_geometry_from_list_part_aux head=32 nbr=1
get_geometry_from_list_part_aux head=64 nbr=1
get_geometry_from_list_part_aux head=128 nbr=1
get_geometry_from_list_part_aux head=240 nbr=1
get_geometry_from_list_part_aux head=255 nbr=5
Current partition structure:
Invalid FAT boot sector
1 P FAT32 0 1 1 1305 254 63 20980827
1 P FAT32 0 1 1 1305 254 63 20980827
2 * HPFS - NTFS 1306 0 1 49946 254 63 781417665 [WIN7]
3 P HPFS - NTFS 49947 0 1 182401 10 10 2127874150 [DATA]
Ask the user for vista mode
Computes LBA from CHS for Disk /dev/sda - 1500 GB / 1397 GiB - CHS 182402 255 63
Allow partial last cylinder : Yes
search_vista_part: 1

search_part()
Disk /dev/sda - 1500 GB / 1397 GiB - CHS 182402 255 63
NTFS at 1306/0/1
filesystem size 781417665
sectors_per_cluster 8
mft_lcn 786432
mftmirr_lcn 2
clusters_per_mft_record -10
clusters_per_index_record 1
HPFS - NTFS 1306 0 1 49946 254 63 781417665 [WIN7]
NTFS, 400 GB / 372 GiB
NTFS at 49947/0/1
filesystem size 2127874150
sectors_per_cluster 8
mft_lcn 786432
mftmirr_lcn 2
clusters_per_mft_record -10
clusters_per_index_record 1
HPFS - NTFS 49947 0 1 182401 10 10 2127874150 [DATA]
NTFS, 1089 GB / 1014 GiB
get_geometry_from_list_part_aux head=255 nbr=3
get_geometry_from_list_part_aux head=255 nbr=3

Results
* HPFS - NTFS 1306 0 1 49946 254 63 781417665 [WIN7]
NTFS, 400 GB / 372 GiB
P HPFS - NTFS 49947 0 1 182401 254 63 2127889575 [DATA]
NTFS, 1089 GB / 1014 GiB
ntfs_device_testdisk_io_ioctl() unimplemented
ntfs_ucstoutf8: iconv_open failed


dir_partition inode=5
* HPFS - NTFS 1306 0 1 49946 254 63 781417665 [WIN7]
NTFS, 400 GB / 372 GiB
Directory /
5 dr-xr-xr-x 0 0 0 27-Dec-2011 22:22 .
5 -r--r--r-- 0 0 1107 27-Dec-2011 22:22 .:3bdNtO8xvWVeLJO0j966nhs8A
5 -r--r--r-- 0 0 1197 27-Dec-2011 22:22 .:OAIB0yyRTqetf3vHe5nnAd
5 -r--r--r-- 0 0 1170 27-Dec-2011 22:22 .:rM2mu3yBjz7e4MkA7vC3uVs
5 -r--r--r-- 0 0 1182 27-Dec-2011 22:22 .:YGssNBO7SRZQMFGmF3N1
5 dr-xr-xr-x 0 0 0 27-Dec-2011 22:22 ..
5 -r--r--r-- 0 0 1107 27-Dec-2011 22:22 ..:3bdNtO8xvWVeLJO0j966nhs8A
5 -r--r--r-- 0 0 1197 27-Dec-2011 22:22 ..:OAIB0yyRTqetf3vHe5nnAd
5 -r--r--r-- 0 0 1170 27-Dec-2011 22:22 ..:rM2mu3yBjz7e4MkA7vC3uVs
5 -r--r--r-- 0 0 1182 27-Dec-2011 22:22 ..:YGssNBO7SRZQMFGmF3N1
63 dr-xr-xr-x 0 0 0 10-Oct-2009 05:13 MSOCache
35 dr-xr-xr-x 0 0 0 25-Nov-2010 16:37 $Recycle.Bin
18697 dr-xr-xr-x 0 0 0 15-Aug-2011 21:29 32788R22FWJFW
65982 dr-xr-xr-x 0 0 0 1-Jun-2011 22:38 Autodesk
13138 dr-xr-xr-x 0 0 0 24-Jan-2010 05:32 BigFishGamesCache
36 dr-xr-xr-x 0 0 0 27-Apr-2011 19:14 Boot
5868 -r--r--r-- 0 0 383786 20-Nov-2010 12:40 bootmgr
30081 -r--r--r-- 0 0 8192 5-Aug-2009 18:13 BOOTSECT.BAK
14851 dr-xr-xr-x 0 0 0 11-Apr-2010 04:07 chop
224407 dr-xr-xr-x 0 0 0 20-Dec-2011 17:14 Config.Msi
32856 dr-xr-xr-x 0 0 0 23-Apr-2011 05:30 divx
30143 dr-xr-xr-x 0 0 0 14-Jul-2009 05:08 Documents and Settings
6779 dr-xr-xr-x 0 0 0 27-Dec-2011 22:32 FRST
62092 dr-xr-xr-x 0 0 0 9-Feb-2011 21:59 grt-psds
434226 dr-xr-xr-x 0 0 0 19-Oct-2011 02:30 IExp0.tmp
434230 dr-xr-xr-x 0 0 0 19-Oct-2011 02:30 IExp1.tmp
302367 dr-xr-xr-x 0 0 0 20-Oct-2011 09:45 IExp2.tmp
302428 dr-xr-xr-x 0 0 0 20-Oct-2011 09:45 IExp3.tmp
61 dr-xr-xr-x 0 0 0 10-Oct-2009 04:58 Intel
209119 dr-xr-xr-x 0 0 0 3-Apr-2011 22:35 iPod Stuff
9936 dr-xr-xr-x 0 0 0 8-May-2011 18:59 MoTemp
34038 dr-xr-xr-x 0 0 0 28-May-2010 16:28 Multimedia Files
201170 dr-xr-xr-x 0 0 0 28-Mar-2011 17:47 NVIDIA
444 -r--r--r-- 0 0 1073741824 18-Dec-2011 04:15 pagefile.sys
130 dr-xr-xr-x 0 0 0 14-Jul-2009 03:20 PerfLogs
132 dr-xr-xr-x 0 0 0 17-Dec-2011 21:33 Program Files
880 dr-xr-xr-x 0 0 0 23-Dec-2011 04:18 Program Files (x86)
1969 dr-xr-xr-x 0 0 0 27-Dec-2011 04:28 ProgramData
2113 dr-xr-xr-x 0 0 0 10-Oct-2009 05:05 RaidTool
2114 dr-xr-xr-x 0 0 0 16-Jan-2010 19:01 Recovery
57187 dr-xr-xr-x 0 0 0 26-Jun-2010 22:54 SmartSound Software
140242 dr-xr-xr-x 0 0 0 27-Dec-2011 04:21 System Volume Information
203187 dr-xr-xr-x 0 0 0 13-Aug-2011 18:13 temp
2115 dr-xr-xr-x 0 0 0 19-Oct-2011 19:07 Users
314185 -r--r--r-- 0 0 488484 12-Oct-2011 05:18 vcredist_x86.log
2295 dr-xr-xr-x 0 0 0 11-Dec-2011 05:01 Windows
SIGHUP detected! TestDisk has been killed.

Attached Thumbnails

• 
• 

[JSntgRvr]

You should have told me last night your computer was able to boot back in Normal Mode.

Was there an option in Testdisk to press P (List files in the FAT32) partition?

1 P FAT32 0 1 1 1305 254 63 20980827
1 P FAT32 0 1 1 1305 254 63 20980827
2 * HPFS - NTFS 1306 0 1 49946 254 63 781417665 [WIN7]
3 P HPFS - NTFS 49947 0 1 182401 10 10 2127874150 [DATA]

Lets scan the computer.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

• Please, never rename Combofix unless instructed.
• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  

  -----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link or this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    
    If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If any of these applications will not uninstall, it is first recommended to uninstall it with AppRemover by Opswat. http://www.appremove...ed-applications. Do not use AppRemover on Norton
    
    

    -----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

  -----------------------------------------------------------

• Double click on combofix.exe & follow the prompts.
• Install the Recovery Console if prompted.
• When finished, it will produce a report for you.
• Please post the "C:\ComboFix.txt" .

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

[TangentMedia]

I didn't know I could boot normally into windows. I never tried until you asked me to today.

No, i don't think there was an option in Testdisk to press P (List files in the FAT32) partition? I can send you the screen i get right before I do the testdisk P command. Maybe that will help.

And meanwhile, i will work on the combo disk stuff.

-chris

[TangentMedia]

Should I do the testdisk stuff again? I am not sure that it is created new partitions like you have depicted in your Quote. I only had 2 and 3, not 1 and 1. So I am not sure that i am ready for the combofix step.



Quote
1 P FAT32 0 1 1 1305 254 63 20980827
1 P FAT32 0 1 1 1305 254 63 20980827
2 * HPFS - NTFS 1306 0 1 49946 254 63 781417665 [WIN7]
3 P HPFS - NTFS 49947 0 1 182401 10 10 2127874150 [DATA]

[JSntgRvr]

If there was no option to obtain the list of files of the FAT32 partition, no. Continue with Combofix.

[TangentMedia]

[*]Select [Analyse] and press Enter, then press Enter again to run a [Quick Search], select yes

Attached art pictures of what happens at this step. The FAT partitions show up after Clicking Analyse. Then I click Quick Search. Am asked a question and click Y (since you said select Yes in your instructions above). Then it scans and returns the last screen attached which does NOT have the FAT partitions. So I cannot select the FAT partition and click P. Should I select NO after Quick Search instead of Yes?

Attached Thumbnails

• 
• 
• 
• 

[JSntgRvr]

Is not been shown in the right screen, thanks. Lets continue.

[TangentMedia]

Actually, answering NO after the QuickSearch produced the same results; no FAT partitions in the list. So I am moving on to the ComboFix instructions.

[TangentMedia]

Does ComboFix require an internet connection? I have my LAN cable unplugged right now and ComboFix on the desktop ready to run. I having connected that machine to the LAN since the problem occurred; thought it would be safer.

Does ComboFix require an internet connection?

[JSntgRvr]

[TangentMedia]

Also, the only anti-virus i have on that machine is Microsoft Security Essentials. Should I disable that?

[TangentMedia]

Yep. MSE is on the list. Will diable.

FYI, when i logged into Windows 7 I got 4 official looking Anti Virus windows (which i closed). Should that have happened?

[JSntgRvr]

Official looking Anti Virus windows? What is official?

[TangentMedia]

Very official looking pop ups. I don't recall ever installing Windows AntiSpyware 2012. I assume this is fake. But I thought I should not use ComboFix if the computer is still under attack. Please advise.

Attached Thumbnails

•