Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Redirector removal Help [Closed]

Started by ohio_dutchman , Feb 24 2012 05:18 AM

This topic is locked

#1
ohio_dutchman

Posted 24 February 2012 - 05:18 AM

Member

Member
12 posts

I am redirected everytime I perform a search - Google, Bing, Geekstogo, etc. I have tried TDDSKIller -it won't run. I ran Malwarebytes and Super Antispyware. I have installed MS Security Essentials. I removed the hosts file and I flushed the dns. I am at the end of possibilities. I read several of your posts on removing the redirector but none seem to help. I see your fixes but have never found an explanation as to why you picked the particular fix. Perhaps adding (pinpointing) the error along with the fix, may reduce your work load as many people have the problem and search you site for solutions.

Here is the OTL output.

OTL logfile created on: 2/24/2012 6:01:09 AM - Run 2
OTL by OldTimer - Version 3.2.33.2 Folder = C:\Users\Ryan\Downloads
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.96 Gb Total Physical Memory | 1.55 Gb Available Physical Memory | 52.45% Memory free
5.92 Gb Paging File | 4.41 Gb Available in Paging File | 74.51% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 218.20 Gb Total Space | 178.20 Gb Free Space | 81.67% Space Free | Partition Type: NTFS

Computer Name: RYAN-PC | User Name: Ryan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/02/24 05:59:41 | 000,583,680 | ---- | M] (OldTimer Tools) -- C:\Users\Ryan\Downloads\OTL.exe
PRC - [2011/08/24 19:29:04 | 000,137,536 | ---- | M] (Facebook Inc.) -- C:\Users\Ryan\AppData\Local\Facebook\Update\FacebookUpdate.exe
PRC - [2009/12/02 02:03:00 | 000,611,624 | ---- | M] (Juniper Networks) -- C:\Program Files (x86)\Juniper Networks\Common Files\dsNcService.exe
PRC - [2009/08/17 09:29:00 | 000,656,624 | ---- | M] (SoftThinks) -- C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe
PRC - [2009/05/21 08:59:08 | 000,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe
PRC - [2008/12/18 14:05:28 | 000,155,648 | ---- | M] (Stardock Corporation) -- C:\Program Files\Dell\DellDock\DockLogin.exe

========== Modules (No Company Name) ==========

MOD - [2011/11/01 23:26:32 | 000,087,912 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/11/01 23:26:12 | 001,242,472 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll

========== Win32 Services (SafeList) ==========

SRV:64bit: - [2011/08/11 18:38:04 | 000,140,672 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE -- (!SASCORE)
SRV:64bit: - [2011/04/27 17:21:18 | 000,288,272 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe -- (NisSrv)
SRV:64bit: - [2011/04/27 17:21:18 | 000,012,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV:64bit: - [2009/07/16 20:06:22 | 000,033,280 | ---- | M] () [Auto | Running] -- C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRYSVC.EXE -- (wltrysvc)
SRV:64bit: - [2009/07/13 20:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/06/28 23:44:38 | 000,240,128 | ---- | M] (IDT, Inc.) [Auto | Running] -- C:\Windows\SysNative\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\stacsv64.exe -- (STacSV)
SRV:64bit: - [2009/03/02 00:42:58 | 000,089,600 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\SysNative\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\AESTSr64.exe -- (AESTFilters)
SRV:64bit: - [2008/12/18 14:05:28 | 000,155,648 | ---- | M] (Stardock Corporation) [Auto | Running] -- C:\Program Files\Dell\DellDock\DockLogin.exe -- (DockLoginService)
SRV - [2010/03/18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/12/02 02:03:00 | 000,611,624 | ---- | M] (Juniper Networks) [Auto | Running] -- C:\Program Files (x86)\Juniper Networks\Common Files\dsNcService.exe -- (dsNcService)
SRV - [2009/10/30 08:39:24 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Citrix\GoToAssist\514\g2aservice.exe -- (GoToAssist)
SRV - [2009/08/17 09:29:00 | 000,656,624 | ---- | M] (SoftThinks) [Auto | Running] -- C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE -- (SftService)
SRV - [2009/06/10 16:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2009/05/21 08:59:08 | 000,206,064 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_DellSupportCenter) SupportSoft Sprocket Service (DellSupportCenter)

========== Driver Services (SafeList) ==========

DRV:64bit: - [2011/07/22 11:26:56 | 000,014,928 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys -- (SASDIFSV)
DRV:64bit: - [2011/07/12 16:55:18 | 000,012,368 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\saskutil64.sys -- (SASKUTIL)
DRV:64bit: - [2011/06/10 06:34:52 | 000,539,240 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2011/05/12 14:03:12 | 000,006,144 | ---- | M] (Sophos Plc) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\1122.tmp -- (MEMSWEEP2)
DRV:64bit: - [2011/04/27 15:25:24 | 000,084,864 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
DRV:64bit: - [2011/03/11 01:22:41 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/11 01:22:40 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2011/02/11 19:16:38 | 010,628,640 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)
DRV:64bit: - [2009/12/02 01:31:52 | 000,034,600 | ---- | M] (Juniper Networks) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\dsNcAdpt.sys -- (dsNcAdpt)
DRV:64bit: - [2009/08/28 20:42:52 | 000,049,152 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2009/07/16 20:06:20 | 000,022,520 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\bcm42rly.sys -- (BCM42RLY)
DRV:64bit: - [2009/07/16 20:06:18 | 002,769,400 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\BCMWL664.SYS -- (BCM43XX)
DRV:64bit: - [2009/07/13 20:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 20:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 20:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/07/13 20:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/09 05:00:00 | 000,055,280 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\PxHlpa64.sys -- (PxHlpa64)
DRV:64bit: - [2009/06/28 23:44:38 | 000,487,424 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\stwrt64.sys -- (STHDA)
DRV:64bit: - [2009/06/15 13:06:42 | 000,172,704 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CtClsFlt.sys -- (CtClsFlt)
DRV:64bit: - [2009/06/10 15:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 15:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 15:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 15:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/05/18 15:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2009/05/08 03:15:18 | 000,215,552 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RtsUStor.sys -- (RSUSBSTOR)
DRV:64bit: - [2009/03/25 01:28:56 | 000,230,960 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Apfiltr.sys -- (ApfiltrService)
DRV:64bit: - [2006/11/01 12:51:00 | 000,151,656 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WimFltr.sys -- (WimFltr)
DRV - [2012/02/24 05:26:52 | 000,035,664 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{F4BF663B-E79E-48B4-BF4F-34A69376195A}\MpKsl59f9543d.sys -- (MpKsl59f9543d)
DRV - [2009/07/13 20:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://broadband.zoomtown.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = Preserve
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://portal.zoomtown.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8081.0709: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@Skype Limited.com/Facebook Video Calling Plugin: C:\Users\Ryan\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)
FF - HKCU\Software\MozillaPlugins\@sony.com/Some: C:\Program Files (x86)\Sony\Bloggie Software\npsome.dll (Sony)

========== Chrome ==========

Hosts file not found
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4:64bit: - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4:64bit: - HKLM..\Run: [Broadcom Wireless Manager UI] C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRAY.EXE (Dell Inc.)
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe (IDT, Inc.)
O4 - HKLM..\Run: [Dell Webcam Central] C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe (Creative Technology Ltd)
O4 - HKCU..\Run: [Facebook Update] C:\Users\Ryan\AppData\Local\Facebook\Update\FacebookUpdate.exe (Facebook Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://juniper.net/...SetupClient.cab (JuniperSetupClientControl Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{01BED82E-2E02-4BA3-8876-376DA159744B}: DhcpNameServer = 192.168.200.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2687C7F6-EF9B-4BDD-A74B-3DA5A9A9BAAB}: DhcpNameServer = 209.18.47.61 209.18.47.62
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\ms-itss - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20:64bit: - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll) - File not found
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{861d285a-f7f4-11de-a06a-0025646ab76f}\Shell - "" = AutoRun
O33 - MountPoints2\{861d285a-f7f4-11de-a06a-0025646ab76f}\Shell\AutoRun\command - "" = "E:\WD SmartWare.exe" autoplay=true
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/02/24 05:47:24 | 000,000,000 | ---D | C] -- C:\Users\Ryan\Desktop\GooredFix Backups
[2012/02/23 16:06:15 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Sophos
[2012/02/23 13:31:06 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET
[2012/02/23 07:13:36 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2012/02/23 07:13:09 | 000,000,000 | ---D | C] -- C:\Users\Ryan\Documents\Simply Super Software
[2012/02/22 15:28:04 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\SPReview
[2012/02/22 11:22:53 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Roaming\SUPERAntiSpyware.com
[2012/02/22 11:22:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
[2012/02/22 11:22:27 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2012/02/22 11:22:27 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2012/02/21 21:38:01 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2012/02/21 16:30:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab
[2012/02/21 05:54:34 | 000,000,000 | ---D | C] -- C:\Windows\CheckSur
[2012/02/20 20:52:17 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Security Client
[2012/02/20 20:52:05 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2012/02/20 20:39:33 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\EventProviders
[2012/02/20 20:08:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2012/02/20 20:08:24 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2012/02/20 20:08:24 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\iTunes
[2012/02/20 20:08:24 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2012/02/20 20:08:24 | 000,000,000 | ---D | C] -- C:\ProgramData\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
[2012/02/20 20:06:29 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2012/02/20 20:06:29 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Bonjour
[2012/02/20 20:04:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
[2012/02/20 20:04:42 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\QuickTime
[2012/02/20 18:50:03 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Apple Software Update
[2012/02/20 16:40:33 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2012/02/20 15:58:43 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2012/02/20 15:56:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
[2012/02/20 15:56:03 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
[1 C:\Users\Ryan\Desktop\*.tmp files -> C:\Users\Ryan\Desktop\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/02/24 05:47:31 | 000,729,880 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012/02/24 05:47:31 | 000,626,540 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012/02/24 05:47:31 | 000,107,784 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012/02/24 05:34:05 | 000,000,924 | ---- | M] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-984648990-498005856-3672418924-1001UA.job
[2012/02/24 05:17:51 | 000,014,240 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/02/24 05:17:51 | 000,014,240 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/02/24 05:10:29 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/02/24 05:10:24 | 2386,317,312 | -HS- | M] () -- C:\hiberfil.sys
[2012/02/24 05:08:21 | 000,000,902 | ---- | M] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-984648990-498005856-3672418924-1001Core.job
[2012/02/23 08:13:51 | 000,343,552 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012/02/21 21:38:11 | 000,000,640 | ---- | M] () -- C:\Users\Public\Desktop\Internet Security.lnk
[2012/02/21 09:31:25 | 000,001,399 | ---- | M] () -- C:\Users\Ryan\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/02/21 08:46:47 | 000,072,822 | ---- | M] () -- C:\Windows\SysWow64\ieuinit.inf
[2012/02/21 08:46:41 | 000,072,822 | ---- | M] () -- C:\Windows\SysNative\ieuinit.inf
[2012/02/20 20:52:25 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[2012/02/20 20:52:19 | 000,744,030 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012/02/20 20:08:58 | 000,001,745 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2012/02/20 20:04:47 | 000,001,807 | ---- | M] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2012/02/20 16:00:22 | 000,004,998 | ---- | M] () -- C:\Users\Ryan\Documents\cc_20120220_160019.reg
[2012/02/20 16:00:04 | 000,134,134 | ---- | M] () -- C:\Users\Ryan\Documents\cc_20120220_155957.reg
[2 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
[1 C:\Users\Ryan\Desktop\*.tmp files -> C:\Users\Ryan\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/02/23 08:13:31 | 000,343,552 | ---- | C] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012/02/21 21:38:11 | 000,000,640 | ---- | C] () -- C:\Users\Public\Desktop\Internet Security.lnk
[2012/02/21 08:46:47 | 000,072,822 | ---- | C] () -- C:\Windows\SysWow64\ieuinit.inf
[2012/02/21 08:46:41 | 000,072,822 | ---- | C] () -- C:\Windows\SysNative\ieuinit.inf
[2012/02/20 20:52:25 | 000,001,945 | ---- | C] () -- C:\Windows\epplauncher.mif
[2012/02/20 20:52:19 | 000,744,030 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012/02/20 20:52:07 | 000,001,899 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2012/02/20 20:08:58 | 000,001,745 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2012/02/20 20:04:47 | 000,001,807 | ---- | C] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2012/02/20 18:14:02 | 000,002,173 | ---- | C] () -- C:\Users\Public\Desktop\Amazon Cloud Player.lnk
[2012/02/20 18:14:02 | 000,002,134 | ---- | C] () -- C:\Users\Public\Desktop\ZoomTown.lnk
[2012/02/20 18:14:02 | 000,001,913 | ---- | C] () -- C:\Users\Public\Desktop\AIM.lnk
[2012/02/20 18:14:02 | 000,001,087 | R--- | C] () -- C:\Users\Public\Desktop\Bloggie Software.lnk
[2012/02/20 18:13:57 | 000,002,557 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office PowerPoint Viewer 2007.lnk
[2012/02/20 18:13:57 | 000,002,519 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk
[2012/02/20 18:13:57 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader 9.lnk
[2012/02/20 18:13:57 | 000,002,260 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VZAccess Manager.lnk
[2012/02/20 18:13:57 | 000,002,080 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerDVD DX.lnk
[2012/02/20 18:13:57 | 000,001,975 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dell Help Documentation.lnk
[2012/02/20 18:13:57 | 000,001,547 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
[2012/02/20 18:13:57 | 000,001,352 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Anytime Upgrade.lnk
[2012/02/20 18:13:57 | 000,001,345 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
[2012/02/20 18:13:57 | 000,001,330 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk
[2012/02/20 18:13:57 | 000,001,326 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk
[2012/02/20 18:13:57 | 000,001,246 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk
[2012/02/20 18:13:57 | 000,001,210 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
[2012/02/20 18:13:57 | 000,001,149 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Works Task Launcher.lnk
[2012/02/20 18:13:57 | 000,001,009 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat_com.lnk
[2012/02/20 16:00:21 | 000,004,998 | ---- | C] () -- C:\Users\Ryan\Documents\cc_20120220_160019.reg
[2012/02/20 16:00:00 | 000,134,134 | ---- | C] () -- C:\Users\Ryan\Documents\cc_20120220_155957.reg
[2011/12/14 18:25:13 | 000,000,296 | ---- | C] () -- C:\ProgramData\~YQpvL045igJ5Pg
[2011/12/14 18:25:13 | 000,000,200 | ---- | C] () -- C:\ProgramData\~YQpvL045igJ5Pgr
[2011/12/14 18:25:11 | 000,000,448 | ---- | C] () -- C:\ProgramData\YQpvL045igJ5Pg
[2010/07/28 20:08:46 | 000,439,308 | ---- | C] () -- C:\Windows\SysWow64\igcompkrng500.bin
[2010/07/28 20:08:44 | 000,092,356 | ---- | C] () -- C:\Windows\SysWow64\igfcg500m.bin
[2010/07/28 20:08:42 | 000,982,240 | ---- | C] () -- C:\Windows\SysWow64\igkrng500.bin
[2010/03/28 20:50:20 | 000,002,560 | ---- | C] () -- C:\Windows\_MSRSTRT.EXE

========== LOP Check ==========

[2010/01/05 18:45:50 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\acccore
[2011/09/09 08:55:17 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\Amazon
[2012/02/22 22:34:14 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\FrostWire
[2010/03/08 18:45:17 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\Juniper Networks
[2010/05/30 14:54:54 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\Template
[2012/02/24 05:08:21 | 000,000,902 | ---- | M] () -- C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-984648990-498005856-3672418924-1001Core.job
[2012/02/24 05:34:05 | 000,000,924 | ---- | M] () -- C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-984648990-498005856-3672418924-1001UA.job
[2010/10/11 09:04:10 | 000,032,622 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 164 bytes -> C:\Users\Ryan\Desktop\paycheck.jpeg:3or4kl4x13tuuug3Byamue2s4b
@Alternate Data Stream - 164 bytes -> C:\Users\Ryan\Desktop\direct tv.jpeg:3or4kl4x13tuuug3Byamue2s4b
@Alternate Data Stream - 149 bytes -> C:\ProgramData\TEMP:CB0AACC9

< End of report >

Thanks for you service and your time. I have worked with computers for 46 years and know it is a thankless job.

#2
Render

Posted 29 February 2012 - 12:30 PM

Trusted Helper

Malware Removal
4,195 posts

Hi and welcome to GeeksToGo! Please make sure you read all of the instructions and fixes thoroughly before continuing with them. If you have any queries or you are unsure about anything, just say and I'll help you out

It may well be worth you printing/saving the instructions throughout the fix, so you have them to hand just in case you are unable to access this site.

Please note:

Remember to post your logs, not attach them. So, any logs from any programs we run, should be just 'copied & pasted' into your reply.
Please only run the tools that I request. I know malware can be frustrating but running other tools in the meantime and between posts, only makes it harder for us to analyse and fix your PC in the long run.
Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
Please reply within 3 days to be fair to other people asking for help.
Please tell me if you have your original Windows CD/DVD available
When in doubt, please stop and ask first. There's no harm in asking questions!

If you have since resolved the original problem you were having, I would appreciate you letting me know. If not please perform the following steps below so I can have a look at the current condition of your machine.

Please download aswMBR.exe to your desktop.
Double click the aswMBR.exe to run it.
When asked if you want to download Avast's virus definitions please select Yes.
Click the Scan button to start scan.
On completion of the scan click Save log, save it to your desktop and post in your next reply.
Also on Desktop there should be a file called MBR.dat after that, zip it and then attach it here

How to add an attachment to a new topic or reply

#3
ohio_dutchman

Posted 29 February 2012 - 01:25 PM

Member

Topic Starter
Member
12 posts

I am on another PC to reply.

I downloaded aswMBR and saved it to the desktop I double clicked the icon. I was asked it I wnated to continue. I responded yes. The prompt went away and nothing happened. I opened the task manager and watched the processes and the applications. Nothing in the process and aswMBR didn't appear in the processes.

I retarted in safe mode, ran rkill, tried aswMBR again. Same thing. Then I downloaded aswMBR again and changed the name before saving. Still nothing in task manager.

However, I noticed in task manager in the processes a process labeled searchfilter. It eventually went away.

The aswMBR will not run.

Looking for next steps.

#4
Render

Posted 29 February 2012 - 01:56 PM

Trusted Helper

Malware Removal
4,195 posts

OK. Are you able to reach this site (GeeksToGo) on your infected computer?

Try with this:

Download RogueKiller to your desktop

Quit all running programs
For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
When prompted, type 1 and validate
The RKreport.txt shall be generated next to the executable.
If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.

#5
ohio_dutchman

Posted 29 February 2012 - 02:34 PM

Member

Topic Starter
Member
12 posts

IT RAN

RogueKiller V7.2.1 [02/29/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User: Ryan [Admin rights]
Mode: Scan -- Date: 02/29/2012 15:29:33

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 5 ¤¤¤
[WallPP] HKCU\[...]\Desktop : Wallpaper () -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD2500BEVT-75ZCT2 ATA Device +++++
--- User ---
[MBR] 2dbc9862d931294e7119278110e1b0c1
[BSP] f2554e82efed46df96eec1d04c45713e : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 15000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30801920 | Size: 223434 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 765d85cb46da4be5db0d0c594ff10e16
[BSP] f2554e82efed46df96eec1d04c45713e : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 15000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30801920 | Size: 223434 Mo
3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 488395120 | Size: 0 Mo

Finished : << RKreport[1].txt >>
RKreport[1].txt

I forgot the last time - no I do not have the original disc

If it will help, I have another machine I could slve the drive if necessary.

Thanks!

#6
Render

Posted 29 February 2012 - 02:56 PM

Trusted Helper

Malware Removal
4,195 posts

Hi,

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

You will need a USB memory stick and blank CD-R disk.

Download GETxPUD.exe to the desktop of your clean computer

Run GETxPUD.exe
A new folder will appear on the desktop.
Open the GETxPUD folder and click on the get&burn.bat
The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
Click on Start and follow the prompts to burn the image to a CD.
Remove the USB & CD and insert it in the sick computer
Boot the Sick computer with the CD you just burned
The computer must be set to boot from the CD
Gently tap F12 and choose to boot from the CD
Follow the prompts
A Welcome to xPUD screen will appear
Press File
Expand mnt
sda1,2...usually corresponds to your HDD
sdb1 is likely your USB
Click on the folder that represents your USB drive (sdb1 ?)
Press Tool at the top
Choose Open Terminal
Type the following and press enter:

dd if=/dev/sda of=mbr.bin bs=512 count=1
Press Enter
After it has finished a file will be located on your USB drive named mbr.bin
Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.

This will allow me to have a look at the MasterBootRecord of your drive and see if it is infected.

How to add an attachment to a new topic or reply

#7
ohio_dutchman

Posted 29 February 2012 - 03:54 PM

Member

Topic Starter
Member
12 posts

I was able to do all except finding the USB drive.

I used 2 different USB drives and all I ever got in the mnt folder was sda1, sda2, sda3, and sda4 I picked sda4 and it wrote the mbr.bin to it but it was not the USB drive.

Be away from the PC f or a while I will check in the morning.

Thanks!

#8
Render

Posted 29 February 2012 - 04:39 PM

Trusted Helper

Malware Removal
4,195 posts

Well... It should be there if you see it.You don't see any sdb1, sdb2... ?

#9
ohio_dutchman

Posted 01 March 2012 - 05:59 AM

Member

Topic Starter
Member
12 posts

Success!

This morning, I tried rebooting and moving things around. The successful sequence was move the mouse to a different port and plug the USB into the port where the mouse was. Then I changed the actual boot sequence on the PC to boot first from the Cd not over-ride with f12. Then I did a cold boot. Then took the USB drive to another PC and formatted the USB drive. On third try this way, I got a file I could use.

I am attaching the mbr.zip

Thanks! For you help and assistance!

Thanks to you and to your cohorts for this service!

Attached Files

mbr.zip 622bytes 87 downloads

#10
Render

Posted 01 March 2012 - 01:30 PM

Trusted Helper

Malware Removal
4,195 posts

Please delete your version of TDSSKiller and try to run it again like this:

Download the latest version of TDSSKiller from here and save it to your Desktop.

Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK button.
Click the Start Scan button.
If a suspicious object is detected, the default action will be Skip, click on Continue.
If malicious objects are found, they will show in the Scan results and offer three (3) options.
Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt".
Please copy and paste its contents on your next reply.

#11
ohio_dutchman

Posted 02 March 2012 - 06:36 AM

Member

Topic Starter
Member
12 posts

New (?) problem, it will not boot! It hangs on the initial boot. Have tried the following.

1. Normal Windows 7 boot. It shows the black screen with "starting Windows" at bottom and does nothing more.

2. Repair Window. Shows the black screen with "Loading windows files" and stops.

3. Safe mode boot. Shows the black screen with "Loading windows files" at top and lists 3 lines (below) and stops

Loaded: \windows\system32\config\system
Loaded: \windows\system32\ntoskrnl.exe
Loaded: \windows\system32\hal.dll

Shows "please wait" at bottom

4. Edit Boot Option Screen (not familier with this)

Edit windows boot options for: Windows 7

Path: \windows\system32\winload.exe

Partition: 3
Hard Disk: 86f8f0b

[/NOEXECUTE=OPTIN IN/MINT
]

At bottom 2 options
ENTER=Submit
ESC=Cancel
(Did NOT hit ENTER) Waiting for you to say yea or nay on this option.

Since it hangs on the hal.dll load does that mean the hal.dll file is corrupt? I can get a copy of that file from my daughters machine if it will help.

Will run TDSSKiller as soon as we figure how to get the boot to work.

#12
Render

Posted 02 March 2012 - 06:44 AM

Trusted Helper

Malware Removal
4,195 posts

Please don't copy hal.dll as it is not the problem. Try this first:

Please do the following:

Download tdl_fix.sh and save it to the USB flash drive.
Boot into xPUD then click the File tab.
Press File
Expand mnt
Click on the folder under mnt that represents your USB drive (sdb1 ?)
You should see the tdl_fix.sh file in the main window.
Select Tool from the Menu
Choose Open Terminal
Type bash tdl_fix.sh then press Enter.
Read the warning then type y and press Enter to continue.
Type sda then press Enter when prompted.
You will be shown a list of partitions to choose marking active.
Type 2 then press Enter.
If you are presented with a warning about no bootloader files, type n then press Enter to choose another. If this happens, type 3 to select partition 3 then press Enter.
When you receive no warning about bootloader files but are presented with another view of the partition structure and asked if it looks correct, type y then press Enter.
The script will complete and prompt you to reboot the computer.
Close the Terminal window and restart back into Windows.
Post the contents of the tdl_fix.txt file that was created on your flash drive and let me know how the computer is behaving.

**NOTE: - in the event there is a problem booting the computer normally after running the script, run the tdl_fix.sh script again using the following command.

bash tdl_fix.sh -restore

Make sure to leave a space to either side of tdl_fix.sh in the command.
This will prompt you to use the file tdl_mbr_sda.bin on drive sda.
Click OK, and then reboot the computer.
This is a backup of the original mbr and will restore it to it's current state.

#13
ohio_dutchman

Posted 02 March 2012 - 08:50 AM

Member

Topic Starter
Member
12 posts

I ran the tdl_fix

Here are the contents of the tdl_fix.txt

2012-03-02-09:14:27

The following drives were found
sda
sdb
User has chosen drive sda
backing up mbr to tdl_mbr_sda.bin

Disk /dev/sda: 250.0 GB, 250059350016 bytes
255 heads, 63 sectors/track, 30401 cylinders, total 488397168 sectors
Units = sectors of 1 * 512 = 512 bytes

Device Boot Start End Blocks Id System
/dev/sda1 63 80324 40131 de Unknown
/dev/sda2 81920 30801919 15360000 7 HPFS/NTFS
/dev/sda3 30801920 488395119 228796600 7 HPFS/NTFS
/dev/sda4 * 488395120 488397151 1016 17 Hidden HPFS/NTFS

Model: ATA WDC WD2500BEVT-7 (scsi)
Disk /dev/sda: 250GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number Start End Size Type File system Flags
1 32.3kB 41.1MB 41.1MB primary fat16
2 41.9MB 15.8GB 15.7GB primary ntfs
3 15.8GB 250GB 234GB primary ntfs
4 250GB 250GB 1040kB primary ntfs boot, hidden

User has chosen to make partition 2 active

Model: ATA WDC WD2500BEVT-7 (scsi)
Disk /dev/sda: 250GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number Start End Size Type File system Flags
1 32.3kB 41.1MB 41.1MB primary fat16
2 41.9MB 15.8GB 15.7GB primary ntfs boot
3 15.8GB 250GB 234GB primary ntfs
4 250GB 250GB 1040kB primary ntfs hidden

User has accepted changes

However, on the reboot, I got a blue screen with a 0000007b error code.

Maybe I jumped ahead but I read the message to run the retore if it did not boot properly so I ran the restore. I am back to the black "Starting Windows" screen.

Sorry for the agravation!

Thanks for your patience!

I will be offline till late this evening.

#14
Render

Posted 02 March 2012 - 10:10 AM

Trusted Helper

Malware Removal
4,195 posts

Try this please:

Please restart your system and tap F10 repeatedly, until the "Edit Boot Options" screen appears.
In last line you should see this:
```
[ /NOEXECUTE=OPTIN /MININT ]
```
Delete /MININT from that entry so that now you have:
```
[ /NOEXECUTE=OPTIN ]
```
Press Enter key
Once back in Windows go to Start and type cmd in the search box.
In the results, right click CMD.exe and click on Run as Administrator.
Copy and paste the below command to the command prompt window and press enter: (to paste into a command window, right click in the command window and then click paste on the menu).
```
bcdedit /set {current} winpe no
```
Restart. Windows should start normally.