[Jasmyne]

Don't shoot me...The link for the file that I gave you was to make the bootable USB was for Windows 7. I am so sorry.

So let's change game the game plan a bit. Since you have recovery console on your computer already we can access it like we did yesterday to get you booting for this part, I'll have to double check for other later. So...

• Restart you computer (without the USB) and press F8 to enter Advanced Boot Options.
• Select Repair my computer
• Choose command prompt (just like yesterday)
• Insert your USB drive into the computer.
• At the command prompt type the following:
  notepad and press Enter.
• The notepad opens.
• Under File menu select Open.
• Select "Computer" and find your flash drive letter and close the notepad.
• In the command window type e:\Listparts.exe and press Enter
  Note: Replace letter e with the drive letter of your flash drive.
• The tool will start to run.

• Press Scan button.
• It will make a log (results.txt) on the flash drive. Please copy and paste it to your reply.

[Advertisements]

In step 9: response is " the system cannot execute the specified program"
Just stays on at the command prompt screen..

[Monvishi]

In step 9: response is " the system cannot execute the specified program"
Just stays on at the command prompt screen..

[Jasmyne]

Just to double-check, you were able to find the drive letter for the USB and changed the "e" to that drive letter?

[Monvishi]

Yes. In my case it is F:
I can see Listparts when I open the F: under All Files. But this file is not getting executed on the command prompt.

[Jasmyne]

There are two versions of ListParts, let's try the other.

You'll have to boot back normally, download the other version here and replace the one on the USB drive with the new download. Then see if it will work.

[Monvishi]

😰

[Monvishi]

Can we might as well change the windows7 boot to windows vista?

[Jasmyne]

That would required going through the USB creation process again, at this point you can format the USB and just add the new listparts to it. If we absolutely have to have a bootable USB for the fix we can worry about it then

[Monvishi]

ListParts by Farbar Version: 10-05-2013
Ran by SYSTEM (administrator) on 20-07-2013 at 12:48:31
Windows Vista (X64)
Running From: F:\
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 11%
Total physical RAM: 3900.26 MB
Available physical RAM: 3451.07 MB
Total Pagefile: 3629.06 MB
Available Pagefile: 3419.23 MB
Total Virtual: 8192 MB
Available Virtual: 8191.92 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:455.93 GB) (Free:159.71 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive e: (Recovery) (Fixed) (Total:9.83 GB) (Free:0.84 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive f: () (Removable) (Total:1.99 GB) (Free:1.81 GB) NTFS
5 Drive x: (Boot) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 466 GB 0 B
Disk 1 Online 2037 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 10 GB 1024 KB
Partition 2 Primary 456 GB 10 GB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E Recovery NTFS Partition 10 GB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 456 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 2037 MB 32 KB

======================================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 F NTFS Removable 2037 MB Healthy

======================================================================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: 8A6043CE
Partition 1: (Not Active) - (Size=10 GB) - (Type=27)
Partition 2: (Active) - (Size=456 GB) - (Type=07 NTFS)

==============================
Partitions of Disk 1:
===============
Disk ID: 00DEAB1C
Partition 1: (Active) - (Size=2 GB) - (Type=07 NTFS)


Windows Boot Manager
--------------------
identifier {bootmgr}
device partition=C:
description Windows Boot Manager
locale en-US
inherit {globalsettings}
default {default}
resumeobject {8b0f86b9-6a3e-11dd-ba01-001a80a64cb7}
displayorder {default}
toolsdisplayorder {memdiag}
timeout 30
resume No

Windows Boot Loader
-------------------
identifier {current}
device ramdisk=[E:]\sources\boot.wim,{ramdiskoptions}
path \windows\system32\boot\winload.exe
description Windows Recovery Environment
osdevice ramdisk=[E:]\sources\boot.wim,{ramdiskoptions}
systemroot \windows
nx OptIn
detecthal Yes
winpe Yes

Windows Boot Loader
-------------------
identifier {default}
device partition=C:
path \Windows\system32\winload.exe
description Microsoft Windows Vista
locale en-US
inherit {bootloadersettings}
recoverysequence {current}
recoveryenabled Yes
osdevice partition=C:
systemroot \Windows
resumeobject {8b0f86b9-6a3e-11dd-ba01-001a80a64cb7}
nx OptIn

Resume from Hibernate
---------------------
identifier {8b0f86b9-6a3e-11dd-ba01-001a80a64cb7}
device partition=C:
path \Windows\system32\winresume.exe
description Windows Resume Application
locale en-US
inherit {resumeloadersettings}
filedevice partition=C:
filepath \hiberfil.sys
debugoptionenabled No

Windows Memory Tester
---------------------
identifier {memdiag}
device partition=C:
path \boot\memtest.exe
description Windows Memory Diagnostic
locale en-US
inherit {globalsettings}
badmemoryaccess Yes

Windows Legacy OS Loader
------------------------
identifier {ntldr}
device unknown
path \ntldr
description Earlier Version of Windows

EMS Settings
------------
identifier {emssettings}
bootems Yes

Debugger Settings
-----------------
identifier {dbgsettings}
debugtype Serial
debugport 1
baudrate 115200

RAM Defects
-----------
identifier {badmemory}

Global Settings
---------------
identifier {globalsettings}
inherit {dbgsettings}
{emssettings}
{badmemory}

Boot Loader Settings
--------------------
identifier {bootloadersettings}
inherit {globalsettings}

Resume Loader Settings
----------------------
identifier {resumeloadersettings}
inherit {globalsettings}

Setup Ramdisk Options
---------------------
identifier {ramdiskoptions}
description Ramdisk options
ramdisksdidevice partition=E:
ramdisksdipath \boot\boot.sdi


****** End Of Log ******

[Jasmyne]

We're still looking at things so I need you to boot into normal mode and run this scan and post these logs.

• Download RogueKiller and save it on your desktop.
  If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.com
  
  NOTE: If using IE8 or better Smartscreen Filter will need to be disabled
  
• Quit all programs
• Start RogueKiller.exe.
• Wait until Prescan has finished ...
• Click on Scan

• Wait for the end of the scan.
• The report has been created on the desktop.
• Click on the Delete button.

• The report has been created on the desktop.

• Next click on the ShortcutsFix

• The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

[Monvishi]

RogueKiller V8.6.3 [Jul 17 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.co...es/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 64 bits version
Started in : Normal mode
User : Fry's Electronics [Admin rights]
Mode : Scan -- Date : 07/20/2013 13:51:40
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] RTKAUDIOSERVICE.EXE -- C:\Windows\RTKAUDIOSERVICE.EXE [-] -> KILLED [TermProc]

¤¤¤ Registry Entries : 7 ¤¤¤
[HJ POL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ POL] HKLM\[...]\Wow6432Node\[...]\System : EnableLUA (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1 localhost
::1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD5000AAJS-55A8B0 ATA Device +++++
--- User ---
[MBR] 4b68bcbc820ed1a69a6468c10d62f613
[BSP] 8a6a6c5c83df0a4ecc3c1efbdd6e04bc : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 10064 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 20613120 | Size: 466874 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 5c3bc0ec3251614229189dab321552f7
[BSP] 483fec193e3022e6e5f949f3355ba2f8 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 10064 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 20613120 | Size: 466874 Mo

Finished : << RKreport[0]_S_07202013_135140.txt >>

[Monvishi]

RogueKiller V8.6.3 [Jul 17 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.co...es/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 64 bits version
Started in : Normal mode
User : Fry's Electronics [Admin rights]
Mode : Remove -- Date : 07/20/2013 13:52:03
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] RTKAUDIOSERVICE.EXE -- C:\Windows\RTKAUDIOSERVICE.EXE [-] -> KILLED [TermProc]

¤¤¤ Registry Entries : 7 ¤¤¤
[HJ POL] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
[HJ POL] HKLM\[...]\System : EnableLUA (0) -> [0x5] Access is denied.
[HJ POL] HKLM\[...]\Wow6432Node\[...]\System : EnableLUA (0) -> [0x5] Access is denied.
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1 localhost
::1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD5000AAJS-55A8B0 ATA Device +++++
--- User ---
[MBR] 4b68bcbc820ed1a69a6468c10d62f613
[BSP] 8a6a6c5c83df0a4ecc3c1efbdd6e04bc : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 10064 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 20613120 | Size: 466874 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 5c3bc0ec3251614229189dab321552f7
[BSP] 483fec193e3022e6e5f949f3355ba2f8 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 10064 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 20613120 | Size: 466874 Mo

Finished : << RKreport[0]_D_07202013_135200.txt >>
RKreport[0]_S_07202013_135140.txt

[Monvishi]

RogueKiller V8.6.3 [Jul 17 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.co...es/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 64 bits version
Started in : Normal mode
User : Fry's Electronics [Admin rights]
Mode : Shortcuts HJfix -- Date : 07/20/2013 13:54:37
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] RTKAUDIOSERVICE.EXE -- C:\Windows\RTKAUDIOSERVICE.EXE [-] -> KILLED [TermProc]

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 0 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 0 / Fail 0
Start menu: Success 0 / Fail 0
User folder: Success 10 / Fail 0
My documents: Success 0 / Fail 0
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 8 / Fail 0
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[D:] \Device\HarddiskVolume3 -- 0x2 --> Restored
[E:] \Device\HarddiskVolume4 -- 0x2 --> Restored
[F:] \Device\CdRom0 -- 0x5 --> Skipped

¤¤¤ Infection : ¤¤¤

Finished : << RKreport[0]_SC_07202013_135437.txt >>
RKreport[0]_D_07202013_135200.txt;RKreport[0]_S_07202013_135140.txt

[Monvishi]

I am getting some error messages on screen now:

Host process for windows services has stopped working

Windows +COM has stopped working

The screen is blinking and images are getting a lil shaky..

Hope we are under control...

[Jasmyne]

Another scan to look at things.

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop ( it will be randomly named )

First we will run a virus scan
Select the cog to access scan areas


On the first tab select all elements down to OS C and then select start scan


Once it has finished select report and post that.

Now an analysis scan
Select the Manual Disinfection tab
Press the Gather System Information button



Once it has completed then click Step 2 Report sending


Click avptool.sysinfo.zip
And you will be taken to the zip file that needs to be attached