# Search.nu virus won't go away =(

## yellosnosid (Dec 28, 2012)

Hi
So I have tried full scans from the following programs:
**MalwareBytes** (had to do 2 scans in "normal", so not Safe Mode, to find things called Win 32 Toolbar)
Did **ESET, Bitdefender & Kaspersky** full online scans
**Microsoft Safety Scanner**
**SUPERantispyware** scans (about 3 full scans; 1 scan found & deleted mainly tracking cookies but some other things with names I forget, sorry!)
**HouseCall Scan**
Went to each individual browser & deleted the toolbar, changed back my homepage. It worked, but I had to do it twice for Chrome, & when I open a new tab, even in Safe Mode, I get the annoying search.nu on the new tabs.

All scans find nothing at the moment, but it must still be there if a new tab opened in Safe Mode has that search.nu coming up.
My antivirus is AVG (used to have McAfee).
I have Windows 7 64-bit.
Thanks in advance for any help!

Log Files:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 23:20:43, on 28/12/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16457)
Boot mode: Safe mode with network support

Running processes:
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Users\Marion\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acer.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acer.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://acer.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20110829125357.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll" (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll" (file missing)
O3 - Toolbar: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll
O4 - HKLM\..\Run: [SuiteTray] "C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe"
O4 - HKLM\..\Run: [EgisTecPMMUpdate] "C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe"
O4 - HKLM\..\Run: [EgisUpdate] "C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe" -d
O4 - HKLM\..\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
O4 - HKLM\..\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe"
O4 - HKLM\..\Run: [ROC_roc_dec12] "C:\Program Files (x86)\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
O4 - HKLM\..\Run: [ROC_ROC_JULY_P1] "C:\Program Files (x86)\AVG Secure Search\ROC_ROC_JULY_P1.exe" / /PROMPT /CMPID=ROC_JULY_P1
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
O4 - HKCU\..\Run: [Spotify Web Helper] "C:\Users\Marion\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [IsMyWinLockerReboot] msiexec.exe /qn /x{voidguid} (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [IsMyWinLockerReboot] msiexec.exe /qn /x{voidguid} (User 'Default user')
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O17 - HKLM\System\CCS\Services\Tcpip\..\{29A05272-79DB-4A28-9BF2-ECE5B87B5F70}: NameServer = 195.67.199.27 195.67.199.28
O17 - HKLM\System\CCS\Services\Tcpip\..\{C98AFA9A-4194-4279-AF1F-D4687BA24BAD}: NameServer = 195.67.199.27 195.67.199.28
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\13.2.0\ViProtocol.dll
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O18 - Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~2\mcafee\msc\mcsniepl.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AVG Firewall (avgfws) - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG2012\avgfws.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
O23 - Service: Tele2 Connect AT Service (CTATSvc) - Tele2 - C:\Program Files (x86)\Tele2 Connect\ATService.exe
O23 - Service: Tele2 Connect Monitor (CTConnect) - Columbitech - C:\Program Files (x86)\Tele2 Connect\Connect.exe
O23 - Service: DCService.exe - Unknown owner - C:\ProgramData\DatacardService\DCService.exe
O23 - Service: Dritek WMI Service (DsiWMIService) - Dritek System Inc. - C:\Program Files (x86)\Launch Manager\dsiwmis.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: EgisTec Ticket Service - Egis Technology Inc. - C:\Program Files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe
O23 - Service: Acer ePower Service (ePowerSvc) - Acer Incorporated - C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GREGService - Acer Incorporated - C:\Program Files (x86)\Acer\Registration\GREGsvc.exe
O23 - Service: Tjänsten Google Update (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Tjänsten Google Update (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Live Updater Service - Acer Incorporated - C:\Program Files\Acer\Acer Updater\UpdaterService.exe
O23 - Service: Intel(R) Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Personal Firewall (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\mcafee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NTI IScheduleSvc - NTI Corporation - C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Intel(R) Management and Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: vToolbarUpdater13.2.0 - Unknown owner - C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 15871 bytes

DDS (Ver_2012-11-20.01) - NTFS_AMD64 NETWORK
Internet Explorer: 9.0.8112.16457 BrowserJavaVersion: 10.9.2
Run by Marion at 23:22:48 on 2012-12-28
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.46.1033.18.3947.2950 [GMT 1:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
FW: AVG Firewall *Disabled* {621CC794-9486-F902-D092-0484E8EA828B}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Windows\helppane.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\System32\svchost.exe -k secsvcs
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Users\Marion\Desktop\HijackThis.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = hxxp://acer.msn.com
mStart Page = hxxp://acer.msn.com
mDefault_Page_URL = hxxp://acer.msn.com
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\mcafee\msk\mskapbho.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\mcafee\SystemCore\ScriptSn.20110829125357.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - 
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: <No Name>: {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - LocalServer32 - <no file>
TB: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - 
TB: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll
uRun: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
uRun: [Spotify Web Helper] "C:\Users\Marion\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
mRun: [SuiteTray] "C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe"
mRun: [EgisTecPMMUpdate] "C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe"
mRun: [EgisUpdate] "C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe" -d
mRun: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
mRun: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
mRun: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe"
mRun: [ROC_roc_dec12] "C:\Program Files (x86)\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
mRun: [ROC_ROC_JULY_P1] "C:\Program Files (x86)\AVG Secure Search\ROC_ROC_JULY_P1.exe" / /PROMPT /CMPID=ROC_JULY_P1
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
dRunOnce: [IsMyWinLockerReboot] msiexec.exe /qn /x{voidguid}
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: NameServer = 83.255.245.11 193.150.193.150
TCP: Interfaces\{29A05272-79DB-4A28-9BF2-ECE5B87B5F70} : NameServer = 195.67.199.27 195.67.199.28
TCP: Interfaces\{42BA6F8F-CBAA-4C63-9723-BC44ECE1B59A} : DHCPNameServer = 83.255.245.11 193.150.193.150
TCP: Interfaces\{A279D623-E6BE-44D8-B8B9-A5EC6E3604DF} : DHCPNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{A279D623-E6BE-44D8-B8B9-A5EC6E3604DF}\B49727B6F6B616E637C6965647D27457563747 : DHCPNameServer = 172.30.25.1
TCP: Interfaces\{A279D623-E6BE-44D8-B8B9-A5EC6E3604DF}\C696E6B6379737 : DHCPNameServer = 130.244.127.161 130.244.127.169
TCP: Interfaces\{C98AFA9A-4194-4279-AF1F-D4687BA24BAD} : NameServer = 195.67.199.27 195.67.199.28
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\msc\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\13.2.0\ViProtocol.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
x64-mStart Page = hxxp://acer.msn.com
x64-mDefault_Page_URL = hxxp://acer.msn.com
x64-BHO: McAfee Phishing Filter: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\mcafee\msk\MSKAPB~1.DLL
x64-BHO: AVG Do Not Track: {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiea.dll
x64-BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssiea.dll
x64-BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\mcafee\SystemCore\ScriptSn.20110829125359.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll
x64-TB: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /FORPCEE4 
x64-Run: [Power Management] C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
x64-IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files (x86)\AVG\AVG2012\avgdtiea.dll
x64-Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\mcafee\msc\McSnIePl64.dll
x64-Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll
x64-Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgppa.dll
x64-Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - <orphaned>
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Marion\AppData\Roaming\Mozilla\Firefox\Profiles\es57jbpy.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxps://www.google.ie/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\progra~2\mcafee\msc\npMcSnFFPl.dll
FF - plugin: C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\13.2.0\npsitesafety.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\McAfee\SiteAdvisor\NPMcFFPlg32.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprpplugin.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_135.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
FF - ExtSQL: 2012-12-20 21:46; {1FD91A9C-410C-4090-BBCC-55D3450EF433}; C:\Program Files (x86)\Search Results Toolbar\Datamngr\FirefoxExtension
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHA;AVGIDSHA;C:\Windows\System32\drivers\avgidsha.sys [2012-4-19 28480]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2012-1-31 36944]
R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\System32\drivers\mfehidk.sys [2010-1-6 639216]
R0 mfewfpk;McAfee Inc. mfewfpk;C:\Windows\System32\drivers\mfewfpk.sys [2010-1-6 281928]
R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2012-8-24 384352]
R1 avgtp;avgtp;C:\Windows\System32\drivers\avgtpx64.sys [2012-9-4 30568]
R1 mfenlfk;McAfee NDIS Light Filter;C:\Windows\System32\drivers\mfenlfk.sys [2010-1-6 75672]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2012-7-11 140672]
R2 McMPFSvc;McAfee Personal Firewall;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2011-8-29 249936]
R2 mfefire;McAfee Firewall Core Service;C:\Program Files\Common Files\mcafee\systemcore\mfefire.exe [2011-5-9 208272]
R2 mfevtp;McAfee Validation Trust Protection Service;C:\Program Files\Common Files\mcafee\systemcore\mfevtps.exe [2011-5-9 158832]
R3 huawei_enumerator;huawei_enumerator;C:\Windows\System32\drivers\ew_jubusenum.sys [2012-7-17 86016]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\System32\drivers\L1C62x64.sys [2011-5-9 77424]
R3 mfefirek;McAfee Inc. mfefirek;C:\Windows\System32\drivers\mfefirek.sys [2010-1-6 481376]
S1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2012-7-26 291680]
S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2011-12-23 47696]
S1 mwlPSDFilter;mwlPSDFilter;C:\Windows\System32\drivers\mwlPSDFilter.sys [2011-5-9 22912]
S1 mwlPSDNServ;mwlPSDNServ;C:\Windows\System32\drivers\mwlPSDNserv.sys [2011-5-9 20328]
S1 mwlPSDVDisk;mwlPSDVDisk;C:\Windows\System32\drivers\mwlPSDVDisk.sys [2011-5-9 62584]
S1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
S1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
S2 avgfws;AVG Firewall;C:\Program Files (x86)\AVG\AVG2012\avgfws.exe [2011-8-19 2399560]
S2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe [2012-8-13 5167736]
S2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-2-14 193288]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 CTATSvc;Tele2 Connect AT Service;C:\Program Files (x86)\Tele2 Connect\ATService.exe [2010-3-16 574784]
S2 CTConnect;Tele2 Connect Monitor;C:\Program Files (x86)\Tele2 Connect\Connect.exe [2010-3-16 1780544]
S2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]
S2 DCService.exe;DCService.exe;C:\ProgramData\DatacardService\DCService.exe [2010-8-19 229376]
S2 DsiWMIService;Dritek WMI Service;C:\Program Files (x86)\Launch Manager\dsiwmis.exe [2011-5-9 352336]
S2 ePowerSvc;Acer ePower Service;C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe [2011-6-16 873064]
S2 GREGService;GREGService;C:\Program Files (x86)\Acer\Registration\GREGsvc.exe [2010-1-8 23584]
S2 Live Updater Service;Live Updater Service;C:\Program Files\Acer\Acer Updater\UpdaterService.exe [2012-5-19 255376]
S2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-9-14 398184]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-9-14 682344]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2011-8-29 249936]
S2 McNaiAnn;McAfee VirusScan Announcer;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2011-8-29 249936]
S2 McProxy;McAfee Proxy Service;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2011-8-29 249936]
S2 McShield;McAfee McShield;C:\Program Files\Common Files\mcafee\systemcore\mcshield.exe [2011-5-9 197960]
S2 NTI IScheduleSvc;NTI IScheduleSvc;C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe [2011-2-15 257344]
S2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-1 508776]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-11-9 160944]
S2 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-5-9 2656280]
S2 vToolbarUpdater13.2.0;vToolbarUpdater13.2.0;C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe [2012-11-9 711112]
S3 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\avgidsdrivera.sys [2011-12-23 124496]
S3 AVGIDSFilter;AVGIDSFilter;C:\Windows\System32\drivers\avgidsfiltera.sys [2011-12-23 29776]
S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-3-2 183560]
S3 cfwids;McAfee Inc. cfwids;C:\Windows\System32\drivers\cfwids.sys [2010-1-6 65128]
S3 EgisTec Ticket Service;EgisTec Ticket Service;C:\Program Files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe [2010-9-28 172912]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;C:\Windows\System32\drivers\ew_hwusbdev.sys [2012-7-17 117248]
S3 ew_usbenumfilter;huawei_CompositeFilter;C:\Windows\System32\drivers\ew_usbenumfilter.sys [2012-7-17 13952]
S3 ewusbnet;HUAWEI USB-NDIS miniport;C:\Windows\System32\drivers\ewusbnet.sys [2012-7-17 256000]
S3 IntcDAud;Intel(R) Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2011-5-9 317440]
S3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2011-7-13 24176]
S3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\System32\drivers\mfeavfk.sys [2010-1-6 227856]
S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\System32\drivers\mferkdet.sys [2010-1-6 98728]
S3 RSPCIESTOR;Realtek PCIE CardReader Driver;C:\Windows\System32\drivers\RtsPStor.sys [2011-5-9 326760]
S3 Sftfs;Sftfs;C:\Windows\System32\drivers\Sftfslh.sys [2011-10-1 764264]
S3 Sftplay;Sftplay;C:\Windows\System32\drivers\Sftplaylh.sys [2011-10-1 268648]
S3 Sftredir;Sftredir;C:\Windows\System32\drivers\Sftredirlh.sys [2011-10-1 25960]
S3 Sftvol;Sftvol;C:\Windows\System32\drivers\Sftvollh.sys [2011-10-1 22376]
S3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-1 219496]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-21 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-21 31232]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-7-15 1255736]
S4 McOobeSv;McAfee OOBE Service;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2011-8-29 249936]
S4 NOBU;Norton Online Backup;C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2010-6-1 2804568]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-23 57184]
.
=============== Created Last 30 ================
.
2012-12-28 15:34:27	9125352	----a-w-	C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{2E746CA7-AB3E-4DE9-A982-A154A849C2E2}\mpengine.dll
2012-12-28 02:15:10	--------	d-----w-	C:\Users\Marion\AppData\Local\Programs
2012-12-27 22:25:38	--------	d-----w-	C:\Users\Marion\AppData\Roaming\QuickScan
2012-12-27 21:09:50	--------	d-----w-	C:\Users\Marion\AppData\Roaming\SUPERAntiSpyware.com
2012-12-27 21:09:14	--------	d-----w-	C:\ProgramData\SUPERAntiSpyware.com
2012-12-27 21:09:14	--------	d-----w-	C:\Program Files\SUPERAntiSpyware
2012-12-27 21:05:10	--------	d-----w-	C:\ProgramData\Kaspersky Lab
2012-12-22 10:01:43	46080	----a-w-	C:\Windows\System32\atmlib.dll
2012-12-22 10:01:43	34304	----a-w-	C:\Windows\SysWow64\atmlib.dll
2012-12-22 10:01:42	367616	----a-w-	C:\Windows\System32\atmfd.dll
2012-12-22 10:01:40	295424	----a-w-	C:\Windows\SysWow64\atmfd.dll
2012-12-21 22:32:13	--------	d-----w-	C:\Users\Marion\AppData\Local\{2FC86FC4-162B-4DC0-81F2-D4133982F526}
2012-12-20 23:32:10	--------	d-----w-	C:\ProgramData\Browser Manager
2012-12-20 20:48:18	773968	----a-w-	C:\Windows\System32\msvcr100.dll
2012-12-20 20:47:44	--------	d-----w-	C:\ProgramData\Wincert
2012-12-20 20:45:14	--------	d-----w-	C:\ProgramData\boost_interprocess
2012-12-20 20:43:50	--------	d-----w-	C:\Program Files (x86)\Search Results Toolbar
2012-12-14 12:49:38	--------	d-----w-	C:\Users\Marion\AppData\Local\{DD05BFD6-F6E1-4445-A6D7-FC8B70F62950}
2012-12-13 10:33:44	--------	d-----w-	C:\Users\Marion\AppData\Local\{99F3EFE6-D33E-470F-B073-575B90158C86}
2012-12-12 07:38:45	2048	----a-w-	C:\Windows\SysWow64\tzres.dll
2012-12-12 07:38:45	2048	----a-w-	C:\Windows\System32\tzres.dll
2012-12-12 07:36:59	2048	----a-w-	C:\Windows\SysWow64\user.exe
2012-12-11 15:27:48	--------	d-----w-	C:\Users\Marion\AppData\Local\{49B83808-0BE8-4E90-8248-DD06EC74B4A6}
2012-12-07 14:59:56	--------	d-----w-	C:\Users\Marion\AppData\Local\{BF42A35F-408E-46C2-9F17-0F7A973EC1B7}
2012-12-07 02:59:07	--------	d-----w-	C:\Users\Marion\AppData\Local\{08EE889D-B716-442B-889A-4C94A5942037}
2012-12-06 07:09:21	--------	d-----w-	C:\Users\Marion\AppData\Local\{954C7967-36DB-4C7C-8278-CA9362912A36}
2012-12-03 10:46:07	--------	d-----w-	C:\Users\Marion\AppData\Local\{89CB498C-A6FE-43D2-8716-0B5EC86F2DCF}
2012-12-02 03:35:34	--------	d-----w-	C:\Users\Marion\AppData\Local\{6F1B1215-B940-4290-A4F4-D3DADA94F1A1}
2012-11-30 14:20:36	--------	d-----w-	C:\Users\Marion\AppData\Local\{FB3E49B7-E639-4EE0-8EFD-B4CDC7EC4CDD}
2012-11-29 08:51:07	--------	d-----w-	C:\Users\Marion\AppData\Local\{822D5D51-1E0C-4186-8273-F90695E9A855}
.
==================== Find3M ====================
.
2012-12-14 15:49:28	24176	----a-w-	C:\Windows\System32\drivers\mbam.sys
2012-12-12 14:17:51	73656	----a-w-	C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-12-12 14:17:51	697272	----a-w-	C:\Windows\SysWow64\FlashPlayerApp.exe
2012-11-22 03:26:40	3149824	----a-w-	C:\Windows\System32\win32k.sys
2012-11-17 04:40:51	95208	----a-w-	C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2012-11-17 04:40:34	821736	----a-w-	C:\Windows\SysWow64\npDeployJava1.dll
2012-11-17 04:40:32	746984	----a-w-	C:\Windows\SysWow64\deployJava1.dll
2012-11-14 06:11:44	2312704	----a-w-	C:\Windows\System32\jscript9.dll
2012-11-14 06:04:11	1392128	----a-w-	C:\Windows\System32\wininet.dll
2012-11-14 06:02:49	1494528	----a-w-	C:\Windows\System32\inetcpl.cpl
2012-11-14 05:57:46	599040	----a-w-	C:\Windows\System32\vbscript.dll
2012-11-14 05:57:35	173056	----a-w-	C:\Windows\System32\ieUnatt.exe
2012-11-14 05:52:40	2382848	----a-w-	C:\Windows\System32\mshtml.tlb
2012-11-14 02:09:22	1800704	----a-w-	C:\Windows\SysWow64\jscript9.dll
2012-11-14 01:58:15	1427968	----a-w-	C:\Windows\SysWow64\inetcpl.cpl
2012-11-14 01:57:37	1129472	----a-w-	C:\Windows\SysWow64\wininet.dll
2012-11-14 01:49:25	142848	----a-w-	C:\Windows\SysWow64\ieUnatt.exe
2012-11-14 01:48:27	420864	----a-w-	C:\Windows\SysWow64\vbscript.dll
2012-11-14 01:44:42	2382848	----a-w-	C:\Windows\SysWow64\mshtml.tlb
2012-11-09 17:48:33	30568	----a-w-	C:\Windows\System32\drivers\avgtpx64.sys
2012-11-02 05:59:11	478208	----a-w-	C:\Windows\System32\dpnet.dll
2012-11-02 05:11:31	376832	----a-w-	C:\Windows\SysWow64\dpnet.dll
2012-10-16 08:38:37	135168	----a-w-	C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
2012-10-16 08:38:34	350208	----a-w-	C:\Windows\apppatch\AppPatch64\AcLayers.dll
2012-10-16 07:39:52	561664	----a-w-	C:\Windows\apppatch\AcLayers.dll
2012-10-14 08:00:27	499712	----a-w-	C:\Windows\SysWow64\msvcp71.dll
2012-10-14 08:00:27	348160	----a-w-	C:\Windows\SysWow64\msvcr71.dll
2012-10-09 18:17:13	55296	----a-w-	C:\Windows\System32\dhcpcsvc6.dll
2012-10-09 18:17:13	226816	----a-w-	C:\Windows\System32\dhcpcore6.dll
2012-10-09 17:40:31	44032	----a-w-	C:\Windows\SysWow64\dhcpcsvc6.dll
2012-10-09 17:40:31	193536	----a-w-	C:\Windows\SysWow64\dhcpcore6.dll
2012-10-04 17:46:16	362496	----a-w-	C:\Windows\System32\wow64win.dll
2012-10-04 17:46:15	243200	----a-w-	C:\Windows\System32\wow64.dll
2012-10-04 17:46:15	13312	----a-w-	C:\Windows\System32\wow64cpu.dll
2012-10-04 17:45:55	215040	----a-w-	C:\Windows\System32\winsrv.dll
2012-10-04 17:43:28	16384	----a-w-	C:\Windows\System32\ntvdm64.dll
2012-10-04 17:41:16	424960	----a-w-	C:\Windows\System32\KernelBase.dll
2012-10-04 16:47:41	5120	----a-w-	C:\Windows\SysWow64\wow32.dll
2012-10-04 16:47:41	274944	----a-w-	C:\Windows\SysWow64\KernelBase.dll
2012-10-04 15:21:55	338432	----a-w-	C:\Windows\System32\conhost.exe
2012-10-04 14:46:46	7680	----a-w-	C:\Windows\SysWow64\instnm.exe
2012-10-04 14:46:46	25600	----a-w-	C:\Windows\SysWow64\setup16.exe
2012-10-04 14:46:44	14336	----a-w-	C:\Windows\SysWow64\ntvdm64.dll
2012-10-04 14:41:50	6144	---ha-w-	C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2012-10-04 14:41:50	4608	---ha-w-	C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2012-10-04 14:41:50	3584	---ha-w-	C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2012-10-04 14:41:50	3072	---ha-w-	C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2012-10-03 17:56:54	1914248	----a-w-	C:\Windows\System32\drivers\tcpip.sys
2012-10-03 17:44:21	70656	----a-w-	C:\Windows\System32\nlaapi.dll
2012-10-03 17:44:21	303104	----a-w-	C:\Windows\System32\nlasvc.dll
2012-10-03 17:44:17	246272	----a-w-	C:\Windows\System32\netcorehc.dll
2012-10-03 17:44:17	18944	----a-w-	C:\Windows\System32\netevent.dll
2012-10-03 17:44:16	216576	----a-w-	C:\Windows\System32\ncsi.dll
2012-10-03 17:42:16	569344	----a-w-	C:\Windows\System32\iphlpsvc.dll
2012-10-03 16:42:24	18944	----a-w-	C:\Windows\SysWow64\netevent.dll
2012-10-03 16:42:24	175104	----a-w-	C:\Windows\SysWow64\netcorehc.dll
2012-10-03 16:42:23	156672	----a-w-	C:\Windows\SysWow64\ncsi.dll
2012-10-03 16:07:26	45568	----a-w-	C:\Windows\System32\drivers\tcpipreg.sys
.
============= FINISH: 23:24:19.37 ===============


----------



## yellosnosid (Dec 28, 2012)

My computer will no longer let me access the desktop after I put it in hibernate, started it up & it goes into system recovery. I press F8 & tried almost all options except for putting it back to factory settings. It says startup repair could not detect a problem, your computer was unable to start. Startup repair could not repair this computer automatically. Will I lose all my files? Can this be fixed or do I have to go to a repair shop?
Thanks in advance


----------



## CatByte (Feb 24, 2009)

Please do the following:

Download the appropriate version for your system of the *Farbar Recovery Scan Tool* and save it to a flash drive. (Choose the correct version depending on which architecture of operating system you are using, 32-bit (x86) or 64-bit (x64).)

Plug the flash drive into the infected PC.

Enter *System Recovery Options*.

*To enter System Recovery Options from the Advanced Boot Options:*

1. Restart the computer.
2. As soon as the BIOS is loaded, begin tapping the *F8* key until Advanced Boot Options appears.
3. Use the arrow keys to select the *Repair your computer* menu item.
4. Choose your language settings, and then click *Next*.
5. Select the operating system you want to repair, and then click *Next*.
6. Select your user account and click *Next*.

*To enter System Recovery Options by using the Windows installation disc:*

1. Insert the installation disc.
2. Restart your computer.
3. If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
4. Click *Repair your computer*.
5. Choose your language settings, and then click *Next*.
6. Select the operating system you want to repair, and then click *Next*.
7. Select your user account and click *Next*.

*On the System Recovery Options menu you will get the following options:*

*Startup Repair*
*System Restore*
*Windows Complete PC Restore*
*Windows Memory Diagnostic Tool*
*Command Prompt*

1. Select *Command Prompt*.
2. In the command window type *notepad* and press *Enter*.
3. Notepad opens. Under the File menu select *Open*.
4. Select "Computer", find your flash drive letter, and close Notepad.
5. In the command window type *e:\frst.exe* (for the x64 version type *e:\frst64*) and press *Enter*.
   *Note:* Replace the letter e with the drive letter of your flash drive.
6. The tool will start to run. When the tool opens, click *Yes* to the disclaimer.
7. Place a check next to List Drivers MD5 as well as the default check marks that are already there.
8. Press the *Scan* button.
9. FRST will let you know when the scan is complete and has written FRST.txt to a file. Close this message, then type the following into the search box:
   *services.exe*
10. Now press the *Search* button.
11. When the search is complete, Search.txt will also be written to your USB.
12. Type exit and reboot the computer normally.
13. Please copy and paste both logs in your reply (FRST.txt and Search.txt).


----------
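
As an added example (not part of this thread, and not something FRST itself provides): once FRST.txt is back, the lines worth a second look in its Registry, Services and Drivers sections are the ones that end in `[x]` (FRST could not find the file the entry points to, so the autorun, service or driver entry is dangling) or in an empty `()` (the binary carries no company name in its version resource). The Python below parses those sections on that assumption about FRST's line format and flags both cases, plus anything launched from a user-writable location such as ProgramData or AppData. The sample lines are copied from the FRST log posted later in this thread; the flags are review hints for a human reading the log, not malware verdicts.

```python
"""Triage the Registry/Services/Drivers sections of an FRST log.

Added example, not part of the original thread or of FRST itself.  It assumes
the entry format FRST uses in its "Registry (Whitelisted)", "Services
(Whitelisted)" and "Drivers (Whitelisted)" sections: each line ends either in
"[<size> <yyyy-mm-dd>] (<publisher>)" when the file exists, or in "[x]" when
FRST could not find the file on disk.  An empty "()" means the binary has no
company name in its version resource.  Flags are review hints, not verdicts.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Tail of an entry whose file exists, e.g. "[997320 2012-11-09] (AVG Technologies CZ, s.r.o. )"
PRESENT_RE = re.compile(r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<publisher>[^)]*)\)\s*$")
# Tail of an entry whose file FRST could not find on disk
MISSING_RE = re.compile(r"\[x\]\s*$")
# First drive-letter path on the line, quoted or bare, ending in exe/sys/dll
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"\[]*?\.(?:exe|sys|dll))"?', re.IGNORECASE)
# Locations a standard user can write to; autoruns here deserve a closer look
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\users\\public\\", "\\temp\\")


@dataclass
class Entry:
    raw: str
    path: Optional[str]
    present: bool
    publisher: Optional[str]
    flags: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one autorun/service/driver line; return None for lines of another shape."""
    line = line.rstrip()
    m_present = PRESENT_RE.search(line)
    m_missing = MISSING_RE.search(line)
    if not (m_present or m_missing):
        return None
    m_path = PATH_RE.search(line)
    path = m_path.group("path") if m_path else None
    publisher = m_present.group("publisher").strip() if m_present else None
    entry = Entry(raw=line, path=path, present=bool(m_present), publisher=publisher)
    if not entry.present:
        entry.flags.append("file missing: stale autorun/service/driver pointing at a deleted binary")
    elif entry.publisher == "":
        entry.flags.append("no publisher in version info: verify hash/signature before trusting")
    if path and any(marker in path.lower() for marker in USER_WRITABLE):
        entry.flags.append("runs from a user-writable location")
    return entry


def triage(log_text: str) -> List[Entry]:
    """Return only the entries that raised at least one flag, in log order."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry and entry.flags:
            hits.append(entry)
    return hits


# Sample input: lines copied from the FRST log posted later in this thread.
SAMPLE_LOG = r"""
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2531624 2010-12-16] (Synaptics Incorporated)
HKLM-x32\...\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe" [997320 2012-11-09] ()
HKLM-x32\...\Run: [ROC_roc_dec12] "C:\Program Files (x86)\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12 [x]
HKU\Username\...\Run: [Spotify Web Helper] "C:\Users\Username\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [1199576 2012-10-24] (Spotify Ltd)
2 DCService.exe; C:\ProgramData\DatacardService\DCService.exe [229376 2010-08-19] ()
3 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [124496 2011-12-23] (AVG Technologies CZ, s.r.o. )
3 hwusbdev; C:\Windows\System32\DRIVERS\ewusbdev.sys [x]
3 mfeavfk01; [x]
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit.path or "<no path>")
        for flag in hit.flags:
            print("   -", flag)
```

Run it as a script to list the flagged sample entries, or call `triage()` on the text of a real FRST.txt. Expect benign hits as well (Spotify's helper living in AppData is one): the heuristics only shorten the list of lines a helper has to eyeball, and an entry that ends in `[x]` still has to be checked against what was deliberately uninstalled before anyone treats it as leftover from an infection.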



## yellosnosid (Dec 28, 2012)

Thank you very much for your reply. I have a few questions:
1) Do logs reveal personal information stored on my computer? I'm not really at ease with posting them where anybody can access them.
2) Can the virus transfer to & infect my memory stick? What are the chances of it happening?
I was unable to do a system restore when I was in the advanced boot options as it says there are no restore points. Will it be possible to get some of my files back?
I cannot save the Farbar tool as the library computers won't allow me to, but I will try another computer asap.


----------



## CatByte (Feb 24, 2009)

> 1)Do logs reveal personal information stored on my computer,as I'm not really at ease with posting them where anybody can access them.


It may reveal your user name if you have set up your computer with your real name, but you can edit that name out before posting if you wish. It doesn't reveal passwords or serial numbers, just the files and programs on your computer, which are usually very generic.


> 2) Can the virus transfer & infect my memory stick? what are the chances of it happening...


Some infections have the capability of doing this, but all you are doing is copying back and forth the text files and tools that I have asked you to run, so unless you transfer an infected file to the USB, it shouldn't get infected. You can use a utility to protect the USB:

Panda USB Drive Vaccination

Download Panda USB Drive Vaccine from here and save it to your desktop.
Double-click the file to run it, making sure your USB is already inserted.



> I was unable to do a system restore when I was in the advanced boot options as it says there are no restore points,will it be possible to get some of my files back?


I am hoping to restore your computer with the FRST tool so that it will be fully functional again. Obviously I can't guarantee that I can do that, as I don't know what is causing this issue at the moment. If we cannot restore the computer, there are many Linux/Ubuntu-based rescue disks out there that will allow access to your files so that you can copy them off the machine.



> I cannot save the farbar tool as the library computers won't allow me to but will try another computer asap


OK, good.


----------



## yellosnosid (Dec 28, 2012)

CatByte said:


> it may reveal your user name if you have set up your computer with your real name, but you can edit that name out before posting if you wish. It doesn't reveal passwords or serial numbers, just the files and programs on your computer which are usually very generic.
> some infections have the capabilities of doing this, but all you are doing is copying text files back and forth that I have asked you to run, so unless you transfer an infected file to the USB, it shouldn't get infected, you can use a utility to protect the USB
> 
> Panda USB drive vaccination
> ...


Super thanks =D, I'll get Panda when I use another computer.


----------



## CatByte (Feb 24, 2009)

:up:


----------



## yellosnosid (Dec 28, 2012)

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 09-01-2013
Ran by SYSTEM at 12-01-2013 20:29:14
Running from G:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US) 
The current controlset is ControlSet001
==================== Registry (Whitelisted) ===================
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2531624 2010-12-16] (Synaptics Incorporated)
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [11775592 2011-01-12] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /FORPCEE4 [2186856 2011-01-09] (Realtek Semiconductor)
HKLM\...\Run: [Power Management] C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe [1796200 2011-02-22] (Acer Incorporated)
HKLM-x32\...\Run: [SuiteTray] "C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe" [340336 2010-09-27] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisTecPMMUpdate] "C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe" [407920 2010-09-17] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisUpdate] "C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe" -d [201584 2010-09-17] (Egis Technology Inc.)
HKLM-x32\...\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe [1081424 2011-03-14] (Dritek System Inc.)
HKLM-x32\...\Run: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe" [2596984 2012-07-30] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe" [997320 2012-11-09] ()
HKLM-x32\...\Run: [ROC_roc_dec12] "C:\Program Files (x86)\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12 [x]
HKLM-x32\...\Run: [ROC_ROC_JULY_P1] "C:\Program Files (x86)\AVG Secure Search\ROC_ROC_JULY_P1.exe" / /PROMPT /CMPID=ROC_JULY_P1 [1022048 2012-09-03] ()
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKU\Default\...\RunOnce: [ScrSav] C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe /default [154144 2010-07-29] ()
HKU\Default User\...\RunOnce: [ScrSav] C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe /default [154144 2010-07-29] ()
HKU\Username\...\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKU\Username\...\Run: [Spotify Web Helper] "C:\Users\Username\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [1199576 2012-10-24] (Spotify Ltd)
HKU\Username\...\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [5629312 2012-11-01] (SUPERAntiSpyware.com)
Tcpip\Parameters: [DhcpNameServer] 83.255.245.11 193.150.193.150
Tcpip\..\Interfaces\{29A05272-79DB-4A28-9BF2-ECE5B87B5F70}: [NameServer]195.67.199.27 195.67.199.28
Tcpip\..\Interfaces\{C98AFA9A-4194-4279-AF1F-D4687BA24BAD}: [NameServer]195.67.199.27 195.67.199.28
==================== Services (Whitelisted) ===================
2 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE" [140672 2012-07-11] (SUPERAntiSpyware.com)
2 avgfws; "C:\Program Files (x86)\AVG\AVG2012\avgfws.exe" [2399560 2011-08-18] (AVG Technologies CZ, s.r.o.)
2 AVGIDSAgent; "C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe" [5167736 2012-08-12] (AVG Technologies CZ, s.r.o.)
2 avgwd; "C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe" [193288 2012-02-13] (AVG Technologies CZ, s.r.o.)
2 CTATSvc; "C:\Program Files (x86)\Tele2 Connect\ATService.exe" [574784 2010-03-16] (Tele2)
2 CTConnect; "C:\Program Files (x86)\Tele2 Connect\Connect.exe" [1780544 2010-03-16] (Columbitech)
2 DCService.exe; C:\ProgramData\DatacardService\DCService.exe [229376 2010-08-19] ()
2 MBAMScheduler; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe" [398184 2012-12-14] (Malwarebytes Corporation)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [682344 2012-12-14] (Malwarebytes Corporation)
2 McAfee SiteAdvisor Service; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
2 McMPFSvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
2 mcmscsvc; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
2 McNaiAnn; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
2 McNASvc; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
3 McODS; "C:\Program Files\mcafee\VirusScan\mcods.exe" [501768 2011-06-23] (McAfee, Inc.)
4 McOobeSv; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
2 McProxy; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
2 McShield; "C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe" [197960 2011-03-13] (McAfee, Inc.)
2 mfefire; "C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe" [208272 2011-03-13] (McAfee, Inc.)
2 mfevtp; "C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe" [158832 2011-03-13] (McAfee, Inc.)
2 MSK80Service; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
4 NOBU; "C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe" SERVICE [2804568 2010-06-01] (Symantec Corporation)
2 NTI IScheduleSvc; C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe [257344 2011-02-15] (NTI Corporation)
2 vToolbarUpdater13.2.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe [711112 2012-11-09] ()
==================== Drivers (Whitelisted) =====================
3 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [124496 2011-12-23] (AVG Technologies CZ, s.r.o. )
3 AVGIDSFilter; C:\Windows\System32\DRIVERS\avgidsfiltera.sys [29776 2011-12-23] (AVG Technologies CZ, s.r.o. )
0 AVGIDSHA; C:\Windows\System32\Drivers\AVGIDSHA.sys [28480 2012-04-18] (AVG Technologies CZ, s.r.o. )
1 Avgldx64; C:\Windows\System32\Drivers\Avgldx64.sys [291680 2012-07-25] (AVG Technologies CZ, s.r.o.)
1 Avgmfx64; C:\Windows\System32\Drivers\Avgmfx64.sys [47696 2011-12-23] (AVG Technologies CZ, s.r.o.)
0 Avgrkx64; C:\Windows\System32\Drivers\Avgrkx64.sys [36944 2012-01-30] (AVG Technologies CZ, s.r.o.)
1 Avgtdia; C:\Windows\System32\Drivers\Avgtdia.sys [384352 2012-08-24] (AVG Technologies CZ, s.r.o.)
1 avgtp; \??\C:\Windows\system32\drivers\avgtpx64.sys [30568 2012-11-09] (AVG Technologies)
3 cfwids; C:\Windows\System32\Drivers\cfwids.sys [65128 2011-03-13] (McAfee, Inc.)
3 ewusbnet; C:\Windows\System32\Drivers\ewusbnet.sys [256000 2010-08-31] (Huawei Technologies Co., Ltd.)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24176 2012-12-14] (Malwarebytes Corporation)
3 mfeapfk; C:\Windows\System32\Drivers\mfeapfk.sys [156792 2011-03-13] (McAfee, Inc.)
3 mfeavfk; C:\Windows\System32\Drivers\mfeavfk.sys [227856 2011-03-13] (McAfee, Inc.)
3 mfefirek; C:\Windows\System32\Drivers\mfefirek.sys [481376 2011-03-13] (McAfee, Inc.)
0 mfehidk; C:\Windows\System32\Drivers\mfehidk.sys [639216 2011-03-13] (McAfee, Inc.)
1 mfenlfk; C:\Windows\System32\Drivers\mfenlfk.sys [75672 2011-03-13] (McAfee, Inc.)
3 mferkdet; C:\Windows\System32\Drivers\mferkdet.sys [98728 2011-03-13] (McAfee, Inc.)
0 mfewfpk; C:\Windows\System32\Drivers\mfewfpk.sys [281928 2011-03-13] (McAfee, Inc.)
1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
3 hwusbdev; C:\Windows\System32\DRIVERS\ewusbdev.sys [x]
3 mfeavfk01; [x]
==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========
2013-01-12 20:06 - 2013-01-12 20:06 - 00000000 ____D C:\FRST
2012-12-28 16:01 - 2012-12-28 16:22 - 00000000 ____D C:\Program Files (x86)\Panda Security
2012-12-28 14:24 - 2012-12-28 14:24 - 00027405 ____A C:\Users\Username\Desktop\dds.txt
2012-12-28 14:24 - 2012-12-28 14:24 - 00013899 ____A C:\Users\Username\Desktop\attach.txt
2012-12-28 14:20 - 2012-12-28 14:46 - 00016094 ____A C:\Users\Username\Desktop\hijackthis.log
2012-12-28 14:18 - 2012-12-28 14:18 - 00688992 ____R (Swearware) C:\Users\Username\Desktop\dds.scr
2012-12-28 14:17 - 2012-12-28 14:17 - 00388608 ____A (Trend Micro Inc.) C:\Users\Username\Desktop\HijackThis.exe
2012-12-28 13:33 - 2012-12-28 13:33 - 02617648 ____A (VS Revo Group Ltd.) C:\Users\Username\Downloads\revosetup.exe
2012-12-28 12:17 - 2012-12-28 12:17 - 00847609 ____A C:\Users\Username\AppData\Local\census.cache
2012-12-28 12:16 - 2012-12-28 12:16 - 00108667 ____A C:\Users\Username\AppData\Local\ars.cache
2012-12-28 12:02 - 2012-12-28 12:02 - 00000036 ____A C:\Users\Username\AppData\Local\housecall.guid.cache
2012-12-28 12:01 - 2012-12-28 12:02 - 02406064 ____A (Trend Micro Inc.) C:\Users\Username\Downloads\HousecallLauncher64.exe
2012-12-28 11:37 - 2012-12-28 11:39 - 05014093 ____A (Swearware) C:\Users\Username\Downloads\ComboFix.exe
2012-12-27 18:14 - 2012-12-27 18:15 - 10156344 ____A (Malwarebytes Corporation ) C:\Users\Username\Downloads\mbam-setup-1.70.0.1100.exe
2012-12-27 15:36 - 2012-12-27 15:38 - 81364032 ____A (Microsoft Corporation) C:\Users\Username\Downloads\msert.exe
2012-12-27 14:25 - 2012-12-27 14:27 - 00000000 ____D C:\Users\Username\AppData\Roaming\QuickScan
2012-12-27 13:09 - 2012-12-27 13:09 - 00001812 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2012-12-27 13:09 - 2012-12-27 13:09 - 00000000 ____D C:\Users\Username\AppData\Roaming\SUPERAntiSpyware.com
2012-12-27 13:09 - 2012-12-27 13:09 - 00000000 ____D C:\Users\All Users\SUPERAntiSpyware.com
2012-12-27 13:09 - 2012-12-27 13:09 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2012-12-27 13:06 - 2012-12-27 13:06 - 22877440 ____A (SUPERAntiSpyware.com) C:\Users\Username\Downloads\SUPERAntiSpyware.exe
2012-12-27 13:05 - 2012-12-27 13:05 - 00000000 ____D C:\Users\All Users\Kaspersky Lab
2012-12-27 12:48 - 2012-12-27 12:48 - 00002120 ____A C:\scu.dat
2012-12-27 12:35 - 2012-12-27 12:38 - 149807200 ____A C:\Users\Username\Downloads\setup_11.0.0.1245.x01_2012_12_27_23_16.exe
2012-12-22 02:01 - 2012-12-16 09:11 - 00046080 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll
2012-12-22 02:01 - 2012-12-16 06:45 - 00367616 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll
2012-12-22 02:01 - 2012-12-16 06:13 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2012-12-22 02:01 - 2012-12-16 06:13 - 00034304 ____A (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2012-12-21 14:32 - 2012-12-23 15:07 - 00000000 ____D C:\Users\Username\AppData\Local\{2FC86FC4-162B-4DC0-81F2-D4133982F526}
2012-12-20 15:32 - 2012-12-20 15:32 - 00000000 ____D C:\Users\All Users\Browser Manager
2012-12-20 12:48 - 2012-06-27 11:26 - 00773968 ____A (Microsoft Corporation) C:\Windows\System32\msvcr100.dll
2012-12-20 12:47 - 2012-12-25 13:12 - 00000000 ____D C:\Users\All Users\Wincert
2012-12-20 12:45 - 2012-12-24 03:25 - 00000000 ____D C:\Users\All Users\boost_interprocess
2012-12-20 12:43 - 2012-12-25 13:11 - 00000000 ____D C:\Program Files (x86)\Search Results Toolbar
2012-12-20 12:38 - 2012-12-20 12:39 - 00000041 ____A C:\Users\Username\AppData\Roaming\mbam.context.scan
2012-12-14 04:49 - 2012-12-14 04:50 - 00000000 ____D C:\Users\Username\AppData\Local\{DD05BFD6-F6E1-4445-A6D7-FC8B70F62950}
2012-12-13 02:33 - 2012-12-13 02:34 - 00000000 ____D C:\Users\Username\AppData\Local\{99F3EFE6-D33E-470F-B073-575B90158C86}
==================== One Month Modified Files and Folders =======
2013-01-12 20:06 - 2013-01-12 20:06 - 00000000 ____D C:\FRST
2012-12-28 17:01 - 2011-08-24 18:46 - 00000994 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-12-28 16:22 - 2012-12-28 16:01 - 00000000 ____D C:\Program Files (x86)\Panda Security
2012-12-28 16:17 - 2012-04-12 13:50 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-12-28 15:05 - 2009-07-13 20:45 - 00016976 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-12-28 15:05 - 2009-07-13 20:45 - 00016976 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-12-28 15:02 - 2011-06-15 19:08 - 01833144 ____A C:\Windows\WindowsUpdate.log
2012-12-28 15:00 - 2011-07-12 09:48 - 00000000 ____D C:\Users\All Users\clear.fi
2012-12-28 14:59 - 2011-08-24 18:46 - 00000990 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-12-28 14:58 - 2011-09-15 15:30 - 00042856 ____A C:\Windows\setupact.log
2012-12-28 14:58 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-12-28 14:46 - 2012-12-28 14:20 - 00016094 ____A C:\Users\Username\Desktop\hijackthis.log
2012-12-28 14:24 - 2012-12-28 14:24 - 00027405 ____A C:\Users\Username\Desktop\dds.txt
2012-12-28 14:24 - 2012-12-28 14:24 - 00013899 ____A C:\Users\Username\Desktop\attach.txt
2012-12-28 14:18 - 2012-12-28 14:18 - 00688992 ____R (Swearware) C:\Users\Username\Desktop\dds.scr
2012-12-28 14:17 - 2012-12-28 14:17 - 00388608 ____A (Trend Micro Inc.) C:\Users\Username\Desktop\HijackThis.exe
2012-12-28 13:33 - 2012-12-28 13:33 - 02617648 ____A (VS Revo Group Ltd.) C:\Users\Username\Downloads\revosetup.exe
2012-12-28 12:17 - 2012-12-28 12:17 - 00847609 ____A C:\Users\Username\AppData\Local\census.cache
2012-12-28 12:16 - 2012-12-28 12:16 - 00108667 ____A C:\Users\Username\AppData\Local\ars.cache
2012-12-28 12:02 - 2012-12-28 12:02 - 00000036 ____A C:\Users\Username\AppData\Local\housecall.guid.cache
2012-12-28 12:02 - 2012-12-28 12:01 - 02406064 ____A (Trend Micro Inc.) C:\Users\Username\Downloads\HousecallLauncher64.exe
2012-12-28 11:39 - 2012-12-28 11:37 - 05014093 ____A (Swearware) C:\Users\Username\Downloads\ComboFix.exe
2012-12-28 08:49 - 2011-09-10 14:23 - 00000000 ____D C:\Windows\System32\Drivers\AVG
2012-12-28 08:49 - 2011-09-10 14:17 - 00000000 ____D C:\Users\All Users\MFAData
2012-12-27 20:08 - 2011-09-24 08:16 - 00159326 ____A C:\Windows\PFRO.log
2012-12-27 20:08 - 2011-07-13 12:51 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-12-27 19:43 - 2011-09-24 08:29 - 10000014 ____A C:\ATsvcLog.txt.old
2012-12-27 18:23 - 2011-12-28 13:30 - 00001113 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-12-27 18:15 - 2012-12-27 18:14 - 10156344 ____A (Malwarebytes Corporation ) C:\Users\Username\Downloads\mbam-setup-1.70.0.1100.exe
2012-12-27 15:38 - 2012-12-27 15:36 - 81364032 ____A (Microsoft Corporation) C:\Users\Username\Downloads\msert.exe
2012-12-27 14:27 - 2012-12-27 14:25 - 00000000 ____D C:\Users\Username\AppData\Roaming\QuickScan
2012-12-27 13:09 - 2012-12-27 13:09 - 00001812 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2012-12-27 13:09 - 2012-12-27 13:09 - 00000000 ____D C:\Users\Username\AppData\Roaming\SUPERAntiSpyware.com
2012-12-27 13:09 - 2012-12-27 13:09 - 00000000 ____D C:\Users\All Users\SUPERAntiSpyware.com
2012-12-27 13:09 - 2012-12-27 13:09 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2012-12-27 13:06 - 2012-12-27 13:06 - 22877440 ____A (SUPERAntiSpyware.com) C:\Users\Username\Downloads\SUPERAntiSpyware.exe
2012-12-27 13:05 - 2012-12-27 13:05 - 00000000 ____D C:\Users\All Users\Kaspersky Lab
2012-12-27 12:48 - 2012-12-27 12:48 - 00002120 ____A C:\scu.dat
2012-12-27 12:38 - 2012-12-27 12:35 - 149807200 ____A C:\Users\Username\Downloads\setup_11.0.0.1245.x01_2012_12_27_23_16.exe
2012-12-25 13:12 - 2012-12-20 12:47 - 00000000 ____D C:\Users\All Users\Wincert
2012-12-25 13:11 - 2012-12-20 12:43 - 00000000 ____D C:\Program Files (x86)\Search Results Toolbar
2012-12-25 03:37 - 2012-05-20 08:04 - 00000000 ____D C:\Users\Username\AppData\Local\Spotify
2012-12-25 03:37 - 2012-05-20 08:03 - 00000000 ____D C:\Users\Username\AppData\Roaming\Spotify
2012-12-24 03:25 - 2012-12-20 12:45 - 00000000 ____D C:\Users\All Users\boost_interprocess
2012-12-23 17:18 - 2009-07-13 20:45 - 00288712 ____A C:\Windows\System32\FNTCACHE.DAT
2012-12-23 17:12 - 2011-08-30 00:38 - 00000000 ____D C:\Users\Username\AppData\Roaming\SoftGrid Client
2012-12-23 15:07 - 2012-12-21 14:32 - 00000000 ____D C:\Users\Username\AppData\Local\{2FC86FC4-162B-4DC0-81F2-D4133982F526}
2012-12-20 15:32 - 2012-12-20 15:32 - 00000000 ____D C:\Users\All Users\Browser Manager
2012-12-20 12:39 - 2012-12-20 12:38 - 00000041 ____A C:\Users\Username\AppData\Roaming\mbam.context.scan
2012-12-18 11:01 - 2011-07-13 07:01 - 00000000 ____D C:\Users\Username\AppData\Roaming\Skype
2012-12-16 09:11 - 2012-12-22 02:01 - 00046080 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll
2012-12-16 06:45 - 2012-12-22 02:01 - 00367616 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll
2012-12-16 06:13 - 2012-12-22 02:01 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2012-12-16 06:13 - 2012-12-22 02:01 - 00034304 ____A (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2012-12-14 07:49 - 2011-07-13 12:51 - 00024176 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-12-14 04:50 - 2012-12-14 04:49 - 00000000 ____D C:\Users\Username\AppData\Local\{DD05BFD6-F6E1-4445-A6D7-FC8B70F62950}
2012-12-13 23:52 - 2011-08-24 18:47 - 00002378 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2012-12-13 02:34 - 2012-12-13 02:33 - 00000000 ____D C:\Users\Username\AppData\Local\{99F3EFE6-D33E-470F-B073-575B90158C86}
2012-12-13 00:26 - 2009-07-13 21:08 - 00032646 ____A C:\Windows\Tasks\SCHEDLGU.TXT

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
==================== Restore Points =========================

==================== Memory info =========================== 
Percentage of memory in use: 20%
Total physical RAM: 3946.73 MB
Available physical RAM: 3145.13 MB
Total Pagefile: 3944.93 MB
Available Pagefile: 3217.3 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB
==================== Partitions =============================
1 Drive c: (Acer) (Fixed) (Total:450.66 GB) (Free:362.15 GB) NTFS
2 Drive e: (PQSERVICE) (Fixed) (Total:15 GB) (Free:1.43 GB) NTFS
4 Drive g: () (Removable) (Total:29.8 GB) (Free:29.75 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B 
Disk 1 Online 29 GB 0 B 
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 15 GB 1024 KB
Partition 2 Primary 100 MB 15 GB
Partition 3 Primary 450 GB 15 GB
==================================================================================
Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E PQSERVICE NTFS Partition 15 GB Healthy Hidden 
=========================================================
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM RESE NTFS Partition 100 MB Healthy 
=========================================================
Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C Acer NTFS Partition 450 GB Healthy 
=========================================================
Partitions of Disk 1:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 29 GB 16 KB
==================================================================================
Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G FAT32 Removable 29 GB Healthy 
=========================================================
Last Boot: 2012-12-25 07:25
==================== End Of Log =============================


----------
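The listing in the log above is the raw material of this thread: each line carries a modification time, a creation time, a size, an attribute field, an optional publisher and a path, and the toolbar the OP found (Search Results Toolbar, created 2012-12-20 12:43) shares its creation window with the Wincert, boost_interprocess and Browser Manager folders. The Python below is an added example, not part of the original post or of FRST: it parses that line format and lists everything created within a configurable window of a chosen path, so the artifacts dropped together can be reviewed as a set. The sample lines are copied from the log above, the 3-hour window is an assumption, and the result is a shortlist for review rather than a verdict; it also pulls in the Malwarebytes context-scan marker created five minutes earlier.

```python
"""Parse an FRST 'One Month ...' file listing and cluster entries by creation time."""
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional

# One listing line: <date1> - <date2> - <size> <attrs> [(Company)] <path>
# In the "Modified" section date1 is the modification time and date2 the creation
# time; the "Created" section reverses the two (handled by created_first below).
LINE = re.compile(
    r"^(?P<d1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<d2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>[A-Za-z]:\\.*)$"
)

# Constructed sample: lines copied from the FRST "One Month Modified" listing above.
SAMPLE = r"""
==================== One Month Modified Files and Folders =======
2012-12-27 18:15 - 2012-12-27 18:14 - 10156344 ____A (Malwarebytes Corporation ) C:\Users\Username\Downloads\mbam-setup-1.70.0.1100.exe
2012-12-25 13:12 - 2012-12-20 12:47 - 00000000 ____D C:\Users\All Users\Wincert
2012-12-25 13:11 - 2012-12-20 12:43 - 00000000 ____D C:\Program Files (x86)\Search Results Toolbar
2012-12-24 03:25 - 2012-12-20 12:45 - 00000000 ____D C:\Users\All Users\boost_interprocess
2012-12-20 15:32 - 2012-12-20 15:32 - 00000000 ____D C:\Users\All Users\Browser Manager
2012-12-20 12:39 - 2012-12-20 12:38 - 00000041 ____A C:\Users\Username\AppData\Roaming\mbam.context.scan
2012-12-14 07:49 - 2011-07-13 12:51 - 00024176 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-12-13 23:52 - 2011-08-24 18:47 - 00002378 ____A C:\Users\Public\Desktop\Google Chrome.lnk
"""


class Entry(NamedTuple):
    modified: datetime
    created: datetime
    size: int
    attrs: str              # FRST attribute field: ____D directory, ___AH archive+hidden, ...
    company: Optional[str]  # publisher from version info; None when FRST printed none
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_listing(text: str, created_first: bool = False) -> List[Entry]:
    """Turn listing lines into Entry records; headers and separators are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        d1 = datetime.strptime(m["d1"], "%Y-%m-%d %H:%M")
        d2 = datetime.strptime(m["d2"], "%Y-%m-%d %H:%M")
        created, modified = (d1, d2) if created_first else (d2, d1)
        company = (m["company"] or "").strip() or None
        entries.append(Entry(modified, created, int(m["size"]), m["attrs"], company, m["path"]))
    return entries


def created_near(entries: List[Entry], anchor_path: str,
                 window: timedelta = timedelta(hours=3)) -> List[Entry]:
    """Entries created within +/- window of anchor_path's creation time, oldest first.
    Installers drop their components within minutes of each other, so the cluster
    around a known-bad path is the shortlist of what else to examine."""
    anchor = next((e for e in entries if e.path.lower() == anchor_path.lower()), None)
    if anchor is None:
        raise KeyError(anchor_path)
    lo, hi = anchor.created - window, anchor.created + window
    return sorted((e for e in entries if lo <= e.created <= hi), key=lambda e: e.created)


if __name__ == "__main__":
    listing = parse_listing(SAMPLE)
    for e in created_near(listing, r"C:\Program Files (x86)\Search Results Toolbar"):
        kind = "dir " if e.is_dir else "file"
        print(f"{e.created:%Y-%m-%d %H:%M}  {kind}  {e.company or '-':<26}  {e.path}")
```

Run it against a saved FRST.txt by replacing SAMPLE with the file's contents; the anchor path is whatever the scan already identified as unwanted, and widening or narrowing the window trades recall for noise.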



## yellosnosid (Dec 28, 2012)

Farbar Recovery Scan Tool (x64) Version: 09-01-2013
Ran by SYSTEM at 2013-01-12 20:12:02
Running from G:\
================== Search: "services.exe" ===================
C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
====== End Of Search ======


*How can I edit/remove my 1st post?*
*Thanks =D*


----------



## CatByte (Feb 24, 2009)

you will need to make a request to an Admin to edit the first post

Please run the following:

Refer to the *ComboFix User's Guide*


 Download ComboFix from the following location:

*Link *

*IMPORTANT !!! Place ComboFix.exe on your Desktop*

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
You can get help on disabling your protection programs *here*

Double click on ComboFix.exe & follow the prompts.
Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
 When finished, it shall produce a log for you. Post that log in your next reply

*Note: 
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.*

---------------------------------------------------------------------------------------------

Ensure your AntiVirus and AntiSpyware applications are re-enabled.

---------------------------------------------------------------------------------------------

NOTE: If you encounter a message *"illegal operation attempted on registry key that has been marked for deletion"* and no programs will run - please just reboot and that will resolve that error.


----------



## yellosnosid (Dec 28, 2012)

Thanks for your speedy reply =)
I think my computer when I start it will be like the other times where it goes into startup repair & I don't know how to get CFix on the desktop when it is in this limited mode. I don't think I will be able to access the System Tray icon either. I haven't turned it back on since I ran the last tool you asked for... I will check & let you know what it does. But I have saved CFix onto a memory stick (without saving it to the desktop 1st)


How do I make a request to an Admin ?


----------



## CatByte (Feb 24, 2009)

are you able to send a PM to Cookiegal?

ComboFix should run from the USB stick


----------



## yellosnosid (Dec 28, 2012)

CatByte said:


> are you able to send a PM to Cookiegal?
> 
> ComboFix should run from the USB stick


Done,thanks.

I'll try to run it from the USB like I ran the other scan from, but I'm still unsure about how I'll manage to disable AV & Anti Spyware because my computer is still automatically going into startup repair when turned on.


----------



## yellosnosid (Dec 28, 2012)

Cookiegal said 

"If you continue to edit your posts then CatByte will not be able to post fixes for you to run."


----------



## CatByte (Feb 24, 2009)

ok, I thought it was something in particular that you wanted to remove from the first post?

Editing posts does make it more difficult for me

Were you able to run ComboFix from the USB?


----------



## Cookiegal (Aug 27, 2003)

Forgive me for posting here but I thought it would be easier since I haven't heard back from yellosnosid. I only see a first name as the username and don't see any reason to edit that out as it's not a full name, unless I'm missing something. But it's part of the path needed to files or folders that may have to be deleted in the clean up process.


----------



## CatByte (Feb 24, 2009)

yes, thank-you Cookiegal

I misunderstood what the user was asking for


----------



## Cookiegal (Aug 27, 2003)

CatByte said:


> yes, thank-you Cookiegal
> 
> I misunderstood what the user was asking for


You're welcome CatByte. :up:


----------



## yellosnosid (Dec 28, 2012)

CatByte said:


> ok, I thought it was something in particular that you wanted to remove from the first post?
> 
> Editing posts does make it more difficult for me
> 
> Were you able to run ComboFix from the USB?


ok no problem, I tried G:\ComboFix but I got this message:

_*The subsystem needed to support the image type is not present*_

What do I do now?
Thanks


----------



## yellosnosid (Dec 28, 2012)

Cookiegal said:


> Forgive me for posting here but I thought it would be easier since I haven't heard back from yellosnosid. I only see a first name as the username and don't see any reason to edit that out as it's not a full name, unless I'm missing something. But it's part of the path needed to files or folders that may have to be deleted in the clean up process.


ok,thanks anyway


----------



## Cookiegal (Aug 27, 2003)

yellosnosid said:


> ok,thanks anyway


:up:


----------



## CatByte (Feb 24, 2009)

Please try the following:

Please create a new system restore point before running *Malwarebytes Anti-Rootkit* if you can.

*MBAR tutorial*

Download *Malwarebytes Anti-Rootkit* from HERE
Unzip the contents to a folder in a convenient location.
Open the folder where the contents were unzipped and run *mbar.exe*
Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
Click on the *Cleanup button* to remove any threats and reboot if prompted to do so.
Wait while the system shuts down and the cleanup process is performed.
Perform another scan with *Malwarebytes Anti-Rootkit* to verify that no threats remain. If they do, then click *Cleanup* once more and repeat the process.
When done, please post the two logs produced they will be in the *MBAR* folder..... mbar-log.txt and system-log.txt

~~~~~~~~~~~~~~~~~~~~~~~

*Note:*
If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:
_Internet access
Windows Update
Windows Firewall_
If there are additional problems with your system, such as any of those listed above or other system issues, then run the *fixdamage tool* included with Malwarebytes Anti-Rootkit and reboot.
Verify that your system is now functioning normally.


----------



## yellosnosid (Dec 28, 2012)

Will try it, thanks


----------



## yellosnosid (Dec 28, 2012)

tried it, it says not recognised as an internal/external command, tried different versions G:\mbar-1.01.0.1016\mbar & all other combinations I could think of.
(.exe, mbar64 ...)
When I click on the icon it says the subsystem needed to support the image type is not present
Will any of these tools delete files on the computer?


PS:I have unzipped the file


----------



## CatByte (Feb 24, 2009)

> Will any of these tools delete files on the computer?


 only infected ones, if they are required system files, then they will not be deleted

so basically, none of the tools we have tried other than FRST have run?

have you tried to run the tools in safe mode?

To Enter Safemode 

Go to *Start> Shut off your Computer> Restart*
As the computer starts to boot-up, Tap the *F8 KEY* repeatedly,
this will bring up a *menu.*
Use the *Up and Down Arrow Keys* to scroll up to *Safemode *
Then press the *Enter Key* on your Keyboard 
go into your usual account

please try the following:

Download *OTL* to your Desktop

Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
Select *All Users*
Under the Custom Scan box paste this in
*netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
services.exe
/md5stop
%systemroot%\*. /rp /s
%systemdrive%\$Recycle.Bin|@;true;true;true /fp 
DRIVES
CREATERESTOREPOINT*
Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open two notepad windows. *OTL.Txt* and *Extras.Txt*. These are saved in the same location as OTL.
Post both logs


----------



## yellosnosid (Dec 28, 2012)

CatByte said:


> only infected ones, if they are required system files, then they will not be deleted
> 
> so basically, non of the tools we have tried other than FRST have run?
> 
> ...


That's correct & getting into safe mode will sometimes not work, as when the F8 key is pressed it still goes into the startup repair. Will try OTL, thanks


----------



## yellosnosid (Dec 28, 2012)

I didn't manage to go into any safe mode at all, tried 3 (SM with networking, command prompt, just SM)
It says windows is loading files then goes directly into a grey screen Startup repair & that says Startup Repair cannot repair the computer automatically & recommends you to send information about the problem as 1 of the options, then you can restart or shut down & it mentions removing any device like a USB connected to the computer, which I hadn't put in; nothing was connected other than the battery charger.
What should I do now?
Thanks in advance.


----------



## CatByte (Feb 24, 2009)

Please do the following:

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as *fixlist.txt*


```
start
Last Boot: 2012-12-25 07:25
end
```
*NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system*

Now please enter *System Recovery Options* then select *Command Prompt*

Run *FRST* (or FRST64 if you have the 64bit version) and press the *Fix* button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Reboot Normally.

If this fix allows you to boot normally again, then please try running ComboFix

give it lots of time to complete


----------



## yellosnosid (Dec 28, 2012)

Thanks, the computer went into startup repair again
I got the latest Farbar tool & followed your instructions (I didn't do a scan before pressing fix)

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 21-01-2013 02
Ran by SYSTEM at 2013-01-25 15:20:08 Run:1
Running from G:\

==============================================

DEFAULT hive was successfully copied to System32\config\HiveBackup
DEFAULT hive was successfully restored from registry back up.
SAM hive was successfully copied to System32\config\HiveBackup
SAM hive was successfully restored from registry back up.
SECURITY hive was successfully copied to System32\config\HiveBackup
SECURITY hive was successfully restored from registry back up.
SOFTWARE hive was successfully copied to System32\config\HiveBackup
SOFTWARE hive was successfully restored from registry back up.
SYSTEM hive was successfully copied to System32\config\HiveBackup
SYSTEM hive was successfully restored from registry back up.

==== End of Fixlog ====


----------



## CatByte (Feb 24, 2009)

can you please explain the status of the machine in more detail

are you able to boot into normal mode?

are you able to boot into safe mode?

did the start up repair complete?


----------



## yellosnosid (Dec 28, 2012)

to put it simply nothing has changed, no normal/sleep mode, just goes into startup repair which doesn't complete, just like before it says "windows cannot repair this computer automatically" just like before


----------



## CatByte (Feb 24, 2009)

*Download* *ListParts64* to a USB flash drive.
Plug the USB drive into the infected machine.

*Boot your computer into Recovery Environment*


Restart the computer and press *F8* repeatedly until the *Advanced Options Menu* appears.
Select *Repair your computer*.
Select Language and click *Next*
Enter password (if necessary) and click *OK*, you should now see the screen below ...

Select the *Command Prompt* option.
A command window will open.
Type *notepad* then hit *Enter*.
Notepad will open.
Click *File > Open* then select *Computer*.
Note down the drive letter for your *USB Drive*.
Close Notepad.


Back in the command window ....
Type *e:\listparts64.exe* and hit *Enter* (where *e:* is replaced by the drive letter for your USB drive)
*ListParts* will start to run.
Press the *Scan* button.
When finished scanning it will make a log *Result.txt* on the flash drive.


Close the command window.
Boot back into normal mode and post me the *Result.txt* log please.


----------



## yellosnosid (Dec 28, 2012)

*Thanks
When I pressed F8 it started beeping a lot, was loading files & went straight into startup repair. I pressed advanced options & selected the keyboard; language I couldn't change, then password, then reached the image you posted above.

I did not tick the List BCD box*
ListParts by Farbar Version: 16-01-2013
Ran by SYSTEM (administrator) on 27-01-2013 at 12:28:16
Windows 7 (X64)
Running From: G:\
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 13%
Total physical RAM: 3946.73 MB
Available physical RAM: 3403.05 MB
Total Pagefile: 3944.93 MB
Available Pagefile: 3379.33 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (Acer) (Fixed) (Total:450.66 GB) (Free:362.06 GB) NTFS
3 Drive e: (PQSERVICE) (Fixed) (Total:15 GB) (Free:1.43 GB) NTFS
5 Drive g: () (Removable) (Total:29.8 GB) (Free:29.69 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B 
Disk 1 Online 29 GB 0 B

Partitions of Disk 0:
===============

Disk ID: CF566CB4

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 15 GB 1024 KB
Partition 2 Primary 100 MB 15 GB
Partition 3 Primary 450 GB 15 GB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E PQSERVICE NTFS Partition 15 GB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C SYSTEM RESE NTFS Partition 100 MB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D Acer NTFS Partition 450 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Disk ID: 00000000

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 29 GB 16 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G FAT32 Removable 29 GB Healthy

======================================================================================================

****** End Of Log ******


----------



## CatByte (Feb 24, 2009)

Please re-run List Parts and press the BCD box this time

there isn't anything obvious in the logs as to what is causing these issues, so let's have a look at more details

the log will be long this time


----------



## yellosnosid (Dec 28, 2012)

*ok,thanks =)*

ListParts by Farbar Version: 16-01-2013
Ran by SYSTEM (administrator) on 27-01-2013 at 16:21:04
Windows 7 (X64)
Running From: G:\
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 14%
Total physical RAM: 3946.73 MB
Available physical RAM: 3372.32 MB
Total Pagefile: 3944.93 MB
Available Pagefile: 3352.8 MB
Total Virtual: 8192 MB
Available Virtual: 8191.92 MB

======================= Partitions =========================

1 Drive c: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (Acer) (Fixed) (Total:450.66 GB) (Free:362.06 GB) NTFS
3 Drive e: (PQSERVICE) (Fixed) (Total:15 GB) (Free:1.43 GB) NTFS
5 Drive g: () (Removable) (Total:29.8 GB) (Free:29.69 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B 
Disk 1 Online 29 GB 0 B

Partitions of Disk 0:
===============

Disk ID: CF566CB4

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 15 GB 1024 KB
Partition 2 Primary 100 MB 15 GB
Partition 3 Primary 450 GB 15 GB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E PQSERVICE NTFS Partition 15 GB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C SYSTEM RESE NTFS Partition 100 MB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D Acer NTFS Partition 450 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Disk ID: 00000000

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 29 GB 16 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G FAT32 Removable 29 GB Healthy

======================================================================================================

Windows Boot Manager
--------------------
identifier {bootmgr}
device partition=C:
description Windows Boot Manager
locale en-US
inherit {globalsettings}
default {default}
resumeobject {f25c44c0-97c8-11e0-b5ed-ac679eb60ab0}
displayorder {default}
toolsdisplayorder {memdiag}
timeout 3

Windows Boot Loader
-------------------
identifier {default}
device partition=D:
path \Windows\system32\winload.exe
description Windows 7
locale en-US
inherit {bootloadersettings}
recoverysequence {current}
recoveryenabled Yes
osdevice partition=D:
systemroot \Windows
resumeobject {f25c44c0-97c8-11e0-b5ed-ac679eb60ab0}
nx OptOut
usefirmwarepcisettings No

Windows Boot Loader
-------------------
identifier {current}
device ramdisk=[D:]\Recovery\f25c44c2-97c8-11e0-b5ed-ac679eb60ab0\Winre.wim,{f25c44c3-97c8-11e0-b5ed-ac679eb60ab0}
path \windows\system32\winload.exe
description Windows Recovery Environment
inherit {bootloadersettings}
osdevice ramdisk=[D:]\Recovery\f25c44c2-97c8-11e0-b5ed-ac679eb60ab0\Winre.wim,{f25c44c3-97c8-11e0-b5ed-ac679eb60ab0}
systemroot \windows
nx OptIn
winpe Yes

Resume from Hibernate
---------------------
identifier {f25c44c0-97c8-11e0-b5ed-ac679eb60ab0}
device partition=D:
path \Windows\system32\winresume.exe
description Windows Resume Application
locale en-US
inherit {resumeloadersettings}
filedevice partition=D:
filepath \hiberfil.sys
debugoptionenabled No

Windows Memory Tester
---------------------
identifier {memdiag}
device partition=C:
path \boot\memtest.exe
description Windows Memory Diagnostic
locale en-US
inherit {globalsettings}
badmemoryaccess Yes

EMS Settings
------------
identifier {emssettings}
bootems Yes

Debugger Settings
-----------------
identifier {dbgsettings}
debugtype Serial
debugport 1
baudrate 115200

RAM Defects
-----------
identifier {badmemory}

Global Settings
---------------
identifier {globalsettings}
inherit {dbgsettings}
{emssettings}
{badmemory}

Boot Loader Settings
--------------------
identifier {bootloadersettings}
inherit {globalsettings}
{hypervisorsettings}

Hypervisor Settings
-------------------
identifier {hypervisorsettings}
hypervisordebugtype Serial
hypervisordebugport 1
hypervisorbaudrate 115200

Resume Loader Settings
----------------------
identifier {resumeloadersettings}
inherit {globalsettings}

Device options
--------------
identifier {f25c44c3-97c8-11e0-b5ed-ac679eb60ab0}
description Ramdisk Options
ramdisksdidevice partition=D:
ramdisksdipath \Recovery\f25c44c2-97c8-11e0-b5ed-ac679eb60ab0\boot.sdi

****** End Of Log ******


----------



## yellosnosid (Dec 28, 2012)

There's a file I want to access on my laptop, is there any way I can retrieve it? Will I have many more scans to do? Any information would be greatly appreciated, thanks


----------



## CatByte (Feb 24, 2009)

I need to consult with my expert colleagues as I do not see why you are having boot issues

please be patient with me until I can find an answer

thank-you


----------



## yellosnosid (Dec 28, 2012)

CatByte said:


> I need to consult with my expert colleagues as I do not see why you are having boot issues
> 
> please be patient with me until I can find an answer
> 
> thank-you


ok,thanks


----------



## CatByte (Feb 24, 2009)

thank-you for your patience

I have some input from one of my expert colleagues, we need to run a fresh scan with FRST and get a dump of the MBR

Please do the following:

Download *MBRFix*. Save and extract its contents to the desktop. Once extracted, there will be three files in the folder. Copy just the MBRFix64 application to the USB drive.

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as *fixlist.txt*


```
start

SaveMbr: Drive=0

end
```
Now please enter *System Recovery Options* and select "Command Prompt".

Run *FRST64* and press the *Fix* button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

The tool will make a log on the flashdrive (*Fixlog.txt*) please post its contents in your reply. It will also produce another file, *MBRDUMP.txt*, on the flash drive that although it may look a text file, it is a hex file. You must attach this report on your reply instead of posting its contents.

NEXT, please run a scan with FRST as you did before and post the new log

Also restart, let the computer boot normally and in case it didn't boot tell me exactly what you see on the screen from the moment you start the computer


----------
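CatByte's fixlist asks FRST to save the MBR of disk 0 so it can be compared with the partition layout ListParts already reported (disk ID CF566CB4; a hidden type-0x27 recovery partition at 1024 KB, the active 100 MB System Reserved partition, then the 450 GB Windows partition). The Python below is an added example and not part of the original post, of FRST or of MBRFix: it parses a 512-byte MBR, checks the 0x55AA signature and the disk signature, that exactly one partition is marked active, that partitions do not overlap, and whether the boot code still carries the three error strings of the stock Windows 7 MBR, which replacement boot code often drops (their absence is a cue for closer inspection, not proof of tampering). The MBR bytes are constructed here to mirror the ListParts layout; the assumption that MBRDUMP.txt is either raw bytes or plain hex text is the example's own, and the expected disk ID must come from the ListParts log, as it does here.

```python
"""Sanity-check a 512-byte MBR dump against the partition layout reported by ListParts."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

SECTOR = 512
# Partition type IDs seen in the ListParts output above, plus a few common ones.
PARTITION_TYPES = {
    0x00: "empty", 0x05: "extended", 0x07: "NTFS/exFAT",
    0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)",
    0x27: "hidden NTFS recovery (WinRE/OEM)",
}
# Error strings carried by the stock Windows Vista/7 MBR boot code. A boot sector
# that lacks them is not necessarily malicious, but it is not the stock one.
STOCK_STRINGS = (b"Invalid partition table", b"Error loading operating system",
                 b"Missing operating system")


@dataclass
class Partition:
    index: int          # 1-based slot in the 4-entry table
    bootable: bool      # status byte 0x80
    type_id: int
    lba_start: int      # first sector
    sectors: int        # length in sectors

    @property
    def lba_end(self) -> int:
        return self.lba_start + self.sectors - 1

    def size_gb(self) -> float:
        return self.sectors * SECTOR / 2 ** 30


def mbr_from_dump(blob: bytes) -> bytes:
    """Accept a raw 512-byte dump or the same bytes written as hex text
    (assumption about the dump format, not something FRST documents here)."""
    if len(blob) == 512:
        return blob
    return bytes.fromhex(blob.decode("ascii"))


def parse_mbr(data: bytes) -> Tuple[int, List[Partition]]:
    """Return (disk signature, non-empty partition entries) or raise on a malformed sector."""
    if len(data) != 512:
        raise ValueError(f"MBR must be 512 bytes, got {len(data)}")
    if data[510:512] != b"\x55\xAA":
        raise ValueError("boot signature 0x55AA missing")
    disk_id = struct.unpack_from("<I", data, 0x1B8)[0]
    parts: List[Partition] = []
    for i in range(4):
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, type_id, lba, count = struct.unpack_from("<B3xB3xII", data, 0x1BE + 16 * i)
        if type_id == 0x00 and count == 0:
            continue
        if status not in (0x00, 0x80):
            raise ValueError(f"slot {i + 1}: invalid status byte {status:#04x}")
        parts.append(Partition(i + 1, status == 0x80, type_id, lba, count))
    return disk_id, parts


def check_mbr(data: bytes, expected_disk_id: Optional[int] = None) -> List[str]:
    """Return a list of findings; an empty list means nothing looked off."""
    findings: List[str] = []
    disk_id, parts = parse_mbr(data)
    if expected_disk_id is not None and disk_id != expected_disk_id:
        findings.append(f"disk signature {disk_id:08X} != expected {expected_disk_id:08X}")
    bootable = [p.index for p in parts if p.bootable]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable (expected exactly 1)")
    for p in parts:
        if p.type_id not in PARTITION_TYPES:
            findings.append(f"partition {p.index}: unfamiliar type {p.type_id:#04x}")
        if p.lba_start == 0:
            findings.append(f"partition {p.index}: starts at sector 0 (overlaps the MBR)")
    ordered = sorted(parts, key=lambda p: p.lba_start)
    for a, b in zip(ordered, ordered[1:]):
        if b.lba_start <= a.lba_end:
            findings.append(f"partitions {a.index} and {b.index} overlap")
    missing = [s.decode() for s in STOCK_STRINGS if s not in data[:440]]
    if missing:
        findings.append("boot code lacks stock strings: " + ", ".join(missing))
    return findings


def build_sample_mbr() -> bytes:
    """Constructed MBR mirroring the ListParts layout above (not a real dump)."""
    code = bytearray(440)
    code[:7] = b"\x33\xC0\x8E\xD0\xBC\x00\x7C"     # xor ax,ax / mov ss,ax / mov sp,7C00h
    tail = b"\x00".join(STOCK_STRINGS) + b"\x00"
    code[440 - len(tail):] = tail
    gb = 2 ** 30 // SECTOR                            # sectors per GiB
    mb100 = 100 * 2 ** 20 // SECTOR
    layout = ((0x00, 0x27, 2048, 15 * gb),            # hidden recovery, 1024 KB offset
              (0x80, 0x07, 2048 + 15 * gb, mb100),    # active System Reserved
              (0x00, 0x07, 2048 + 15 * gb + mb100, 450 * gb))
    table = b"".join(struct.pack("<B3sB3sII", s, b"\x20\x21\x00", t, b"\xFE\xFF\xFF", lba, n)
                     for s, t, lba, n in layout) + bytes(16)
    return bytes(code) + struct.pack("<I", 0xCF566CB4) + b"\x00\x00" + table + b"\x55\xAA"


if __name__ == "__main__":
    sample = build_sample_mbr()
    disk_id, parts = parse_mbr(sample)
    print(f"Disk ID: {disk_id:08X}")
    for p in parts:
        flag = "*" if p.bootable else " "
        print(f" {flag} {p.index}: type {p.type_id:#04x} ({PARTITION_TYPES.get(p.type_id, '?')})"
              f" LBA {p.lba_start} size {p.size_gb():.2f} GB")
    print("Findings:", check_mbr(sample, 0xCF566CB4) or "none")
```

To use it on a real dump, read MBRDUMP.txt in binary mode, pass it through mbr_from_dump, and hand check_mbr the disk ID ListParts printed; a clean check says only that the table and strings look stock, so a suspicious boot sector still needs its 440 bytes of code disassembled or hashed against a known-good copy.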



## yellosnosid (Dec 28, 2012)

*Great, so I got the new version of FRST64 & then pressed fix where all the boxes were ticked already. Then I pressed restart & my screen login is like it was before the virus!!!!*

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 28-01-2013 02
Ran by SYSTEM at 2013-01-30 16:14:34 Run:2
Running from G:\

==============================================

MBRDUMP.txt is made successfully.

==== End of Fixlog ====

I will run the FRST scan now


----------



## yellosnosid (Dec 28, 2012)

*It took a while to let me log in, was quite slow letting me get to the FRST on the memory stick... then it said "not responding"
when I could click on FRST64, then I tried to close the windows, it said the application might respond if I wait, then the screen went to the screensaver before I could click end process. I could move & see the mouse arrow but the start button at the left hand corner had disappeared & clicking on it did nothing (the USB was still in at this time), then the screen went back to normal with the icons... & I ran the FRST64 scan & shut the computer down
Can I start using my files etc... doing updates on AV & Malwarebytes, Windows updates... when I connect to the internet?
Should I run the scan in Safe Mode?
Thanks*

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 28-01-2013 02
Ran by Marion at 30-01-2013 16:42:55
Running from E:\
Service Pack 1 (X64) OS Language: English(US) 
Attention: Could not load system hive.
ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.

==================== One Month Created Files and Folders ========

2013-01-13 05:06 - 2013-01-30 16:42 - 00000000 ____D C:\FRST

==================== One Month Modified Files and Folders =======

2013-01-30 16:42 - 2013-01-13 05:06 - 00000000 ____D C:\FRST
2013-01-30 16:40 - 2011-07-12 18:48 - 00000000 ____D C:\Users\All Users\clear.fi
2013-01-30 16:22 - 2011-09-16 00:30 - 00043583 ____A C:\Windows\setupact.log
2013-01-30 16:20 - 2011-09-10 23:17 - 00000000 ____D C:\Users\All Users\MFAData
2013-01-30 16:20 - 2011-08-25 03:46 - 00000990 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-01-30 16:17 - 2012-04-12 22:50 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-01-30 16:16 - 2012-12-20 21:47 - 00000000 ____D C:\Users\All Users\Wincert
2013-01-30 16:16 - 2011-09-24 17:16 - 00160386 ____A C:\Windows\PFRO.log
2013-01-30 16:16 - 2009-07-14 06:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-01-26 00:20 - 2013-01-26 00:20 - 00000000 ____D C:\Windows\System32\config\HiveBackup

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points =========================

==================== Memory info ===========================

Percentage of memory in use: 47%
Total physical RAM: 3946.73 MB
Available physical RAM: 2074.23 MB
Total Pagefile: 7891.66 MB
Available Pagefile: 5856.63 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

==================== Partitions =============================

1 Drive c: (Acer) (Fixed) (Total:450.66 GB) (Free:362.11 GB) NTFS
3 Drive e: () (Removable) (Total:29.8 GB) (Free:29.66 GB) FAT32

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B 
Disk 1 Online 29 GB 0 B

Partitions of Disk 0:
===============

Disk ID: CF566CB4

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 15 GB 1024 KB
Partition 2 Primary 100 MB 15 GB
Partition 3 Primary 450 GB 15 GB

==================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 PQSERVICE NTFS Partition 15 GB Healthy Hidden

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 SYSTEM RESE NTFS Partition 100 MB Healthy System (partition with boot components)

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C Acer NTFS Partition 450 GB Healthy Boot

=========================================================

Partitions of Disk 1:
===============

Disk ID: 00000000

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 29 GB 16 KB

==================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 E FAT32 Removable 29 GB Healthy

=========================================================

Last Boot: 2012-12-25 16:25

==================== End Of Log =============================


----------



## CatByte (Feb 24, 2009)

Let's stay in normal mode and make sure the machine is stable. I would take this opportunity to back up all your important documents now, just in case the machine becomes unbootable again.

Update Malwarebytes and your antivirus and post the results.

Hold off on the Windows updates until we are sure the machine is clear of malware and the machine remains stable.

The FRST scan needed to be run from the Recovery Environment or it won't show any hidden infections on your machine.


----------



## yellosnosid (Dec 28, 2012)

*What do you mean the results, do you want me to do scans with them when updated?
How do I go into the recovery environment? I went into the command prompt, nothing else.

I started the PC, it said Windows is loading files which took a while, then the screen stayed black after a quick view of the Windows symbol with the bar below it that has these green rectangles that move across, except they didn't have time to show because it moved into the black screen so quickly, then it went into startup repair: "Your computer was unable to start. Startup repair is checking your system for problems... If problems are found Startup Repair will fix them automatically....." It was "attempting repairs" for a long while. It said that thing again about if you recently had put in a USB.... so I clicked finish to shut down & took out the USB & restarted the PC but startup repair came back just like before =( I went into command prompt & did the scan. How can I get the screen back into "normal" mode so I can copy my files? Thanks*

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 28-01-2013 02
Ran by SYSTEM at 31-01-2013 08:26:00
Running from G:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US) 
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2531624 2010-12-16] (Synaptics Incorporated)
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [11775592 2011-01-12] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /FORPCEE4 [2186856 2011-01-09] (Realtek Semiconductor)
HKLM\...\Run: [Power Management] C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe [1796200 2011-02-22] (Acer Incorporated)
HKLM-x32\...\Run: [SuiteTray] "C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe" [340336 2010-09-27] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisTecPMMUpdate] "C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe" [407920 2010-09-17] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisUpdate] "C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe" -d [201584 2010-09-17] (Egis Technology Inc.)
HKLM-x32\...\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe [1081424 2011-03-14] (Dritek System Inc.)
HKLM-x32\...\Run: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe" [2596984 2012-07-30] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe" [997320 2012-11-09] ()
HKLM-x32\...\Run: [ROC_roc_dec12] "C:\Program Files (x86)\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12 [x]
HKLM-x32\...\Run: [ROC_ROC_JULY_P1] "C:\Program Files (x86)\AVG Secure Search\ROC_ROC_JULY_P1.exe" / /PROMPT /CMPID=ROC_JULY_P1 [1022048 2012-09-03] ()
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [DATAMNGR] C:\PROGRA~2\SEARCH~1\Datamngr\DATAMN~1.EXE [x]
HKU\Default\...\RunOnce: [ScrSav] C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe /default [154144 2010-07-29] ()
HKU\Default User\...\RunOnce: [ScrSav] C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe /default [154144 2010-07-29] ()
HKU\Marion\...\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKU\Marion\...\Run: [Spotify Web Helper] "C:\Users\Marion\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [1199576 2012-10-24] (Spotify Ltd)
HKU\Marion\...\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [5629312 2012-11-01] (SUPERAntiSpyware.com)
Tcpip\Parameters: [DhcpNameServer] 83.255.245.11 193.150.193.150
AppInit_DLLs: C:\PROGRA~3\Wincert\WIN64C~1.DLL C:\PROGRA~2\SEARCH~1\Datamngr\x64\datamngr.dll C:\PROGRA~2\SEARCH~1\Datamngr\x64\IEBHO.dll 
Tcpip\..\Interfaces\{29A05272-79DB-4A28-9BF2-ECE5B87B5F70}: [NameServer]195.67.199.27 195.67.199.28
Tcpip\..\Interfaces\{C98AFA9A-4194-4279-AF1F-D4687BA24BAD}: [NameServer]195.67.199.27 195.67.199.28

==================== Services (Whitelisted) ===================

2 avgfws; "C:\Program Files (x86)\AVG\AVG2012\avgfws.exe" [2399560 2011-08-18] (AVG Technologies CZ, s.r.o.)
2 AVGIDSAgent; "C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe" [5167736 2012-08-12] (AVG Technologies CZ, s.r.o.)
2 avgwd; "C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe" [193288 2012-02-13] (AVG Technologies CZ, s.r.o.)
2 CTATSvc; "C:\Program Files (x86)\Tele2 Connect\ATService.exe" [574784 2010-03-16] (Tele2)
2 CTConnect; "C:\Program Files (x86)\Tele2 Connect\Connect.exe" [1780544 2010-03-16] (Columbitech)
2 DCService.exe; C:\ProgramData\DatacardService\DCService.exe [229376 2010-08-19] ()
2 MBAMScheduler; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe" [398184 2012-12-14] (Malwarebytes Corporation)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [682344 2012-12-14] (Malwarebytes Corporation)
2 McAfee SiteAdvisor Service; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
2 McMPFSvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
2 mcmscsvc; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
2 McNaiAnn; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
2 McNASvc; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
3 McODS; "C:\Program Files\mcafee\VirusScan\mcods.exe" [501768 2011-06-23] (McAfee, Inc.)
4 McOobeSv; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
2 McProxy; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
2 McShield; "C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe" [197960 2011-03-13] (McAfee, Inc.)
2 mfefire; "C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe" [208272 2011-03-13] (McAfee, Inc.)
2 mfevtp; "C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe" [158832 2011-03-13] (McAfee, Inc.)
2 MSK80Service; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
4 NOBU; "C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe" SERVICE [2804568 2010-06-01] (Symantec Corporation)
2 NTI IScheduleSvc; C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe [257344 2011-02-15] (NTI Corporation)
2 vToolbarUpdater13.2.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe [711112 2012-11-09] ()

==================== Drivers (Whitelisted) =====================

3 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [124496 2011-12-23] (AVG Technologies CZ, s.r.o. )
3 AVGIDSFilter; C:\Windows\System32\DRIVERS\avgidsfiltera.sys [29776 2011-12-23] (AVG Technologies CZ, s.r.o. )
0 AVGIDSHA; C:\Windows\System32\Drivers\AVGIDSHA.sys [28480 2012-04-18] (AVG Technologies CZ, s.r.o. )
1 Avgldx64; C:\Windows\System32\Drivers\Avgldx64.sys [291680 2012-07-25] (AVG Technologies CZ, s.r.o.)
1 Avgmfx64; C:\Windows\System32\Drivers\Avgmfx64.sys [47696 2011-12-23] (AVG Technologies CZ, s.r.o.)
0 Avgrkx64; C:\Windows\System32\Drivers\Avgrkx64.sys [36944 2012-01-30] (AVG Technologies CZ, s.r.o.)
1 Avgtdia; C:\Windows\System32\Drivers\Avgtdia.sys [384352 2012-08-24] (AVG Technologies CZ, s.r.o.)
1 avgtp; \??\C:\Windows\system32\drivers\avgtpx64.sys [30568 2012-11-09] (AVG Technologies)
3 cfwids; C:\Windows\System32\Drivers\cfwids.sys [65128 2011-03-13] (McAfee, Inc.)
3 ewusbnet; C:\Windows\System32\Drivers\ewusbnet.sys [256000 2010-08-31] (Huawei Technologies Co., Ltd.)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24176 2012-12-14] (Malwarebytes Corporation)
3 mfeapfk; C:\Windows\System32\Drivers\mfeapfk.sys [156792 2011-03-13] (McAfee, Inc.)
3 mfeavfk; C:\Windows\System32\Drivers\mfeavfk.sys [227856 2011-03-13] (McAfee, Inc.)
3 mfefirek; C:\Windows\System32\Drivers\mfefirek.sys [481376 2011-03-13] (McAfee, Inc.)
0 mfehidk; C:\Windows\System32\Drivers\mfehidk.sys [639216 2011-03-13] (McAfee, Inc.)
1 mfenlfk; C:\Windows\System32\Drivers\mfenlfk.sys [75672 2011-03-13] (McAfee, Inc.)
3 mferkdet; C:\Windows\System32\Drivers\mferkdet.sys [98728 2011-03-13] (McAfee, Inc.)
0 mfewfpk; C:\Windows\System32\Drivers\mfewfpk.sys [281928 2011-03-13] (McAfee, Inc.)
3 hwusbdev; C:\Windows\System32\DRIVERS\ewusbdev.sys [x]
3 mfeavfk01; [x]

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2013-01-25 15:20 - 2013-01-25 15:20 - 00000000 ____D C:\Windows\System32\config\HiveBackup
2013-01-12 20:06 - 2013-01-30 07:42 - 00000000 ____D C:\FRST

==================== One Month Modified Files and Folders =======

2013-01-30 07:52 - 2011-06-15 19:08 - 01838377 ____A C:\Windows\WindowsUpdate.log
2013-01-30 07:42 - 2013-01-12 20:06 - 00000000 ____D C:\FRST
2013-01-30 07:40 - 2011-07-12 09:48 - 00000000 ____D C:\Users\All Users\clear.fi
2013-01-30 07:22 - 2011-09-15 15:30 - 00043583 ____A C:\Windows\setupact.log
2013-01-30 07:20 - 2011-09-10 14:17 - 00000000 ____D C:\Users\All Users\MFAData
2013-01-30 07:20 - 2011-08-24 18:46 - 00000990 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-01-30 07:17 - 2012-04-12 13:50 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-01-30 07:16 - 2012-12-20 12:47 - 00000000 ____D C:\Users\All Users\Wincert
2013-01-30 07:16 - 2011-09-24 08:16 - 00160386 ____A C:\Windows\PFRO.log
2013-01-30 07:16 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-01-25 15:20 - 2013-01-25 15:20 - 00000000 ____D C:\Windows\System32\config\HiveBackup

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

==================== Memory info ===========================

Percentage of memory in use: 17%
Total physical RAM: 3946.73 MB
Available physical RAM: 3250.06 MB
Total Pagefile: 3944.93 MB
Available Pagefile: 3238.25 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

==================== Partitions =============================

1 Drive c: (Acer) (Fixed) (Total:450.66 GB) (Free:362.13 GB) NTFS
2 Drive e: (PQSERVICE) (Fixed) (Total:15 GB) (Free:1.43 GB) NTFS
4 Drive g: () (Removable) (Total:29.8 GB) (Free:29.66 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B 
Disk 1 Online 29 GB 0 B

Partitions of Disk 0:
===============

Disk ID: CF566CB4

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 15 GB 1024 KB
Partition 2 Primary 100 MB 15 GB
Partition 3 Primary 450 GB 15 GB

==================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E PQSERVICE NTFS Partition 15 GB Healthy Hidden

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM RESE NTFS Partition 100 MB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C Acer NTFS Partition 450 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Disk ID: 00000000

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 29 GB 16 KB

==================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G FAT32 Removable 29 GB Healthy

=========================================================

Last Boot: 2012-12-25 07:25

==================== End Of Log =============================


----------
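The FRST log above is the kind of output an analyst reads by eye for autorun entries, AppInit_DLLs and third-party services and drivers. The following Python triage script is an added example, not part of this thread or of FRST itself: it parses those line formats from a constructed sample modelled on the log and flags the orphaned DATAMNGR entry, the AppInit_DLLs paths and the overlapping security vendors (the vendor lookup table is an assumption).

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) log lines.

Added example, not part of this thread and not FRST's own code. It parses the
Run/RunOnce autorun lines, the AppInit_DLLs line and the "<start type> <name>;"
service/driver lines seen in the logs above and flags: entries whose file is gone
([x], e.g. the DATAMNGR search-toolbar leftover), every AppInit_DLLs path (loaded
into processes that load user32.dll, which is how the Datamngr/Wincert components
persist), and more than one security vendor with live drivers/services (the
"more than one AV" conflict raised in the thread). The vendor table and the
sample log are constructed for this example.
"""
import re
from collections import Counter

AUTORUN_RE = re.compile(r"^(HK.+?)\\\.\.\.\\(Run|RunOnce): \[([^\]]+)\] (.*)$")
SERVICE_RE = re.compile(r"^([0-4]) (.+?); (.*)$")  # "<start type> <name>; <path> [size date] (publisher)"
APPINIT_RE = re.compile(r"^AppInit_DLLs: (.*)$")
TAIL_RE = re.compile(r"\[(\d+) (\d{4}-\d{2}-\d{2})\] \((.*)\)\s*$")  # "[size date] (publisher)"
MISSING_RE = re.compile(r"\[x\]\s*$")  # FRST marks an entry whose file does not exist with [x]

SECURITY_VENDORS = {  # constructed mapping of publisher substrings to vendors (assumption)
    "AVG Technologies": "AVG",
    "McAfee": "McAfee",
    "Symantec": "Symantec",
    "Malwarebytes": "Malwarebytes",
    "SUPERAntiSpyware": "SUPERAntiSpyware",
}

# Constructed sample in the FRST line format, modelled on the log posted above.
SAMPLE_LOG = r"""
HKLM-x32\...\Run: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe" [2596984 2012-07-30] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [DATAMNGR] C:\PROGRA~2\SEARCH~1\Datamngr\DATAMN~1.EXE [x]
AppInit_DLLs: C:\PROGRA~3\Wincert\WIN64C~1.DLL C:\PROGRA~2\SEARCH~1\Datamngr\x64\datamngr.dll
2 avgwd; "C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe" [193288 2012-02-13] (AVG Technologies CZ, s.r.o.)
2 McShield; "C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe" [197960 2011-03-13] (McAfee, Inc.)
1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
3 mfeavfk01; [x]
"""

def _split_tail(tail):
    """Split the text after the entry name into (path, size, date, publisher, missing)."""
    if MISSING_RE.search(tail):
        return tail[: tail.rfind("[x]")].strip(), None, None, None, True
    m = TAIL_RE.search(tail)
    if not m:
        return tail.strip(), None, None, None, False
    return tail[: m.start()].strip(), int(m.group(1)), m.group(2), m.group(3).strip(), False

def parse_frst(text):
    """Collect autorun entries, services/drivers and AppInit_DLLs paths from FRST output."""
    entries = {"autoruns": [], "services": [], "appinit": []}
    for line in text.splitlines():
        line = line.rstrip()
        m = AUTORUN_RE.match(line)
        if m:
            path, _size, _date, publisher, missing = _split_tail(m.group(4))
            entries["autoruns"].append({"hive": m.group(1), "key": m.group(2), "name": m.group(3),
                                        "path": path, "publisher": publisher, "missing": missing})
            continue
        m = APPINIT_RE.match(line)
        if m:
            # The AppInit_DLLs paths in the log above are 8.3 short names without spaces,
            # so whitespace splitting is safe for them (an assumption for other logs).
            entries["appinit"].extend(m.group(1).split())
            continue
        m = SERVICE_RE.match(line)
        if m:
            path, _size, _date, publisher, missing = _split_tail(m.group(3))
            entries["services"].append({"start": int(m.group(1)), "name": m.group(2),
                                        "path": path, "publisher": publisher, "missing": missing})
    return entries

def security_vendors(entries):
    """Count services/drivers whose file still exists, per security vendor."""
    counts = Counter()
    for svc in entries["services"]:
        if svc["missing"] or not svc["publisher"]:
            continue
        for needle, vendor in SECURITY_VENDORS.items():
            if needle in svc["publisher"]:
                counts[vendor] += 1
    return counts

def triage(text):
    """Return (kind, detail) findings that deserve a human look."""
    entries = parse_frst(text)
    findings = [("missing-file", e["name"])
                for e in entries["autoruns"] + entries["services"] if e["missing"]]
    findings += [("appinit-dll", dll) for dll in entries["appinit"]]
    vendors = security_vendors(entries)
    if len(vendors) > 1:
        findings.append(("multiple-security-vendors", ", ".join(sorted(vendors))))
    return findings

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:27} {detail}")
```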



## CatByte (Feb 24, 2009)

> Then I pressed restart & my screen login is like it was before the virus!!!!


what do you mean by this?

I took this to mean that you could log on normally?

What is the status of your machine > normal mode and safe mode?


----------



## yellosnosid (Dec 28, 2012)

CatByte said:


> what do you mean by this?
> 
> I took this to mean that you could log on normally?
> 
> What is the status of your machine > normal mode and safe mode?


Yes, it was a positive thing. Like this http://www.google.ie/imgres?imgurl=http://www.thoosje.com/Windows-7-logonscreen-editor/Thoosje_Windows_7_Logon_Editor.jpg&imgrefurl=http://www.thoosje.com/windows-7-logon-screen-editor.html&h=600&w=767&sz=59&tbnid=6HRFuG2MW6ea5M:&tbnh=90&tbnw=115&prev=/search%3Fq%3Dwindows%2B7%2Blogon%2Bscreen%26tbm%3Disch%26tbo%3Du&zoom=1&q=windows+7+logon+screen&usg=__9PXklS_6fr4bGpe5DyimEhfpLTE=&docid=eq9BqPZxXKuQ3M&hl=sv&sa=X&ei=1aQLUeywI8qxtAamnYHQCg&ved=0CC0Q9QEwAQ&dur=0
The Windows login was normal with the blue Windows background & the little picture you get to choose above the login boxes for name & password, then I could see the desktop etc... like a normal PC. Now it's all gone back to startup repair all the time, how do I get it back please? As I can't get it into safe mode, only startup repair options such as command prompt.
I didn't get to back up & I can't anymore due to startup repair. How do I get it back into "normal" mode? Do I do that thing with the code you gave me last time, which made it work again?

```
start
SaveMbr: Drive=0
end
```

Thanks


----------



## CatByte (Feb 24, 2009)

actually all that did was save a copy of your MBR so I could see if it was infected (which it doesn't appear to be)

it would seem that there may be a hard drive issue

try running chkdsk from the recovery environment

Run a disk check for errors.

Use F8 at startup or your to get to Advanced Boot Options.
Select *"Repair your computer"*.
On the *system recovery options* select *command prompt*. 
Type the following and press *Enter*:

*chkdsk c: /f*

(note spaces between *chkdsk* and */f* and *c:*)

Please wait until the check is done.

let me know if that helps


----------



## yellosnosid (Dec 28, 2012)

it said the type of file system is NTFS
volume label is SYSTEM RESERVED.
In stage 1 & 2 there are all 0s except for 330 indexed
Stage 3 says: 256 file SDs/SIDs processed
38 data files processed
Windows has checked file system & found no problems

Then there's a lot more numbers but 0 KB in bad sectors
Failed to transfer logged messages to the even log with status 50
*I shut it down now & there's no change, it was loading files then went straight into startup repair.

Yesterday there was a problem where the blue light of the computer was still on after shut down & the screen was stuck on loading Windows (startup Microsoft Corporation logo) so I had to press the on/off button to shut it down =S
What should I do next? What is wrong with the hard drive, is it serious? Thanks in advance*


----------



## CatByte (Feb 24, 2009)

Let's try this:

Please do the following:

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as *fixlist.txt*


```
start
cmd: bootrec /fixmbr
cmd: bootrec /fixboot
TDL4: custom:26000022
end
```
*NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system*

Now please enter *System Recovery Options* then select *Command Prompt*

Run *FRST* (or FRST64 if you have the 64bit version) and press the *Fix* button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

See if you can now boot Normally.


----------



## yellosnosid (Dec 28, 2012)

*it went back to startup repair*
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 28-01-2013 02
Ran by SYSTEM at 2013-02-02 20:25:04 Run:3
Running from G:\

==============================================

========= bootrec /fixmbr =========

The operation completed successfully.

========= End of CMD: =========

========= bootrec /fixboot =========

The operation completed successfully.

========= End of CMD: =========

An error occurred while attempting to delete the specified data element.
Element not found.
The operation completed successfully.

==== End of Fixlog ====


----------



## CatByte (Feb 24, 2009)

when it takes you to "system repair"

choose "System Restore" choose the earliest restore point that is available prior to you becoming infected

allow windows to restore to the earlier time


If there are no restore points available, then choose the "startup repair" option and let me know what happens


----------



## yellosnosid (Dec 28, 2012)

No restore points have been created on your computer's system drive. To create a restore point....
Startup repair as usual says "SR cannot repair this computer automatically. Sending more information can help Microsoft...."
So no changes at all =(


----------



## CatByte (Feb 24, 2009)

what happens when you choose the "start up repair" option


----------



## yellosnosid (Dec 28, 2012)

CatByte said:


> what happens when you choose the "start up repair" option


Startup repair as usual says "SR cannot repair this computer automatically. Sending more information can help Microsoft...."
So no changes at all =(


----------



## yellosnosid (Dec 28, 2012)

Then it has that thing it always says after you send the information to Microsoft: if you have recently attached a device to your computer... remove it & restart, but I haven't had anything plugged in for a few hours now, & then you click finish to shut down.


----------



## yellosnosid (Dec 28, 2012)

Do you need the Startup Repair log details?
It has made 14 repair attempts & the last successful boot time was 1/30/2013.
If that helps =S I can copy the whole thing if it's of any use.


----------



## CatByte (Feb 24, 2009)

Please do the following:

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as *fixlist.txt*


```
start
Last Boot: 2012-12-25 16:25
end
```
*NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system*

Now please enter *System Recovery Options* then select *Command Prompt*

Run *FRST* (or FRST64 if you have the 64bit version) and press the *Fix* button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Reboot Normally.


----------



## yellosnosid (Dec 28, 2012)

*all boxes were ticked when I pressed fix*

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 28-01-2013 02
Ran by SYSTEM at 2013-02-02 22:57:35 Run:4
Running from G:\

==============================================

DEFAULT hive was successfully copied to System32\config\HiveBackup
DEFAULT hive was successfully restored from registry back up.
SAM hive was successfully copied to System32\config\HiveBackup
SAM hive was successfully restored from registry back up.
SECURITY hive was successfully copied to System32\config\HiveBackup
SECURITY hive was successfully restored from registry back up.
SOFTWARE hive was successfully copied to System32\config\HiveBackup
SOFTWARE hive was successfully restored from registry back up.
SYSTEM hive was successfully copied to System32\config\HiveBackup
SYSTEM hive was successfully restored from registry back up.

==== End of Fixlog ====

*Restarted computer & it went into startup repair again,no changes*


----------



## CatByte (Feb 24, 2009)

It seems the installation itself is corrupt; this can be caused by any number of reasons: bad RAM, a failing hard drive, a bad driver.

You need an installation disk to try a repair install or reformat (providing the hard drive is ok)

can you get your hands on one?


----------



## yellosnosid (Dec 28, 2012)

it came with the PC?
Will my files be deleted?


----------



## CatByte (Feb 24, 2009)

no, not if you perform a repair install

http://www.sevenforums.com/tutorials/3413-repair-install.html


----------



## yellosnosid (Dec 28, 2012)

thanks,is there any way that i can backup files before doing this repair install?
Is it ok if I use a USB instead of an installation disk?
What do I have to type in command prompt to get the program to open?
Thanks


----------



## CatByte (Feb 24, 2009)

> Is it ok if I use a USB instead of an installation disk?


 You will need the installation disk that came with your PC


> is there any way that i can backup files before doing this repair install?


 if you use a boot disk such as puppy linux or ubuntu, then you would be able to access your files


> What do I have to type in command prompt to get the program to open?


what are you referring to here?

read the link I gave you carefully as to how to perform a repair install

you don't want to reformat unless there is no other option

http://www.sevenforums.com/tutorials/3413-repair-install.html


----------



## yellosnosid (Dec 28, 2012)

CatByte said:


> what are you referring to here?


I am referring to the way that the computer doesn't boot normally & to get a program to run I usually go to the command prompt & type in something along the lines of G:\FRST64.
I can't just open the autoplay window, do I type setup.exe?
Do I absolutely have to buy a boot disk to get my files back? When the computer booted normally once, is there no other way that I can get it to boot normally again, or was the last time it worked pure luck?
Thanks in advance


----------



## CatByte (Feb 24, 2009)

there may be a conflict between having more than one AV installed,

let's give this a try

Please do the following:

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as *fixlist.txt*


```
start
HKLM-x32\...\Run: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe" [2596984 2012-07-30] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe" [997320 2012-11-09] ()
HKLM-x32\...\Run: [ROC_roc_dec12] "C:\Program Files (x86)\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12 [x]
HKLM-x32\...\Run: [ROC_ROC_JULY_P1] "C:\Program Files (x86)\AVG Secure Search\ROC_ROC_JULY_P1.exe" / /PROMPT /CMPID=ROC_JULY_P1 [1022048 2012-09-03] ()
2 avgfws; "C:\Program Files (x86)\AVG\AVG2012\avgfws.exe" [2399560 2011-08-18] (AVG Technologies CZ, s.r.o.)
2 AVGIDSAgent; "C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe" [5167736 2012-08-12] (AVG Technologies CZ, s.r.o.)
2 avgwd; "C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe" [193288 2012-02-13] (AVG Technologies CZ, s.r.o.)
2 McAfee SiteAdvisor Service; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
2 McMPFSvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
2 mcmscsvc; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
2 McNaiAnn; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
2 McNASvc; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
3 McODS; "C:\Program Files\mcafee\VirusScan\mcods.exe" [501768 2011-06-23] (McAfee, Inc.)
4 McOobeSv; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
2 McProxy; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
2 McShield; "C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe" [197960 2011-03-13] (McAfee, Inc.)
2 mfefire; "C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe" [208272 2011-03-13] (McAfee, Inc.)
2 mfevtp; "C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe" [158832 2011-03-13] (McAfee, Inc.)
2 MSK80Service; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
4 NOBU; "C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe" SERVICE [2804568 2010-06-01] (Symantec Corporation)
2 vToolbarUpdater13.2.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe [711112 2012-11-09] ()
3 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [124496 2011-12-23] (AVG Technologies CZ, s.r.o. )
3 AVGIDSFilter; C:\Windows\System32\DRIVERS\avgidsfiltera.sys [29776 2011-12-23] (AVG Technologies CZ, s.r.o. )
0 AVGIDSHA; C:\Windows\System32\Drivers\AVGIDSHA.sys [28480 2012-04-18] (AVG Technologies CZ, s.r.o. )
1 Avgldx64; C:\Windows\System32\Drivers\Avgldx64.sys [291680 2012-07-25] (AVG Technologies CZ, s.r.o.)
1 Avgmfx64; C:\Windows\System32\Drivers\Avgmfx64.sys [47696 2011-12-23] (AVG Technologies CZ, s.r.o.)
0 Avgrkx64; C:\Windows\System32\Drivers\Avgrkx64.sys [36944 2012-01-30] (AVG Technologies CZ, s.r.o.)
1 Avgtdia; C:\Windows\System32\Drivers\Avgtdia.sys [384352 2012-08-24] (AVG Technologies CZ, s.r.o.)
1 avgtp; \??\C:\Windows\system32\drivers\avgtpx64.sys [30568 2012-11-09] (AVG Technologies)
3 cfwids; C:\Windows\System32\Drivers\cfwids.sys [65128 2011-03-13] (McAfee, Inc.)
3 mfeapfk; C:\Windows\System32\Drivers\mfeapfk.sys [156792 2011-03-13] (McAfee, Inc.)
3 mfeavfk; C:\Windows\System32\Drivers\mfeavfk.sys [227856 2011-03-13] (McAfee, Inc.)
3 mfefirek; C:\Windows\System32\Drivers\mfefirek.sys [481376 2011-03-13] (McAfee, Inc.)
0 mfehidk; C:\Windows\System32\Drivers\mfehidk.sys [639216 2011-03-13] (McAfee, Inc.)
1 mfenlfk; C:\Windows\System32\Drivers\mfenlfk.sys [75672 2011-03-13] (McAfee, Inc.)
3 mferkdet; C:\Windows\System32\Drivers\mferkdet.sys [98728 2011-03-13] (McAfee, Inc.)
0 mfewfpk; C:\Windows\System32\Drivers\mfewfpk.sys [281928 2011-03-13] (McAfee, Inc.)
1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
3 mfeavfk01; [x]
HKU\Username\...\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [5629312 2012-11-01] (SUPERAntiSpyware.com)
2 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE" [140672 2012-07-11] (SUPERAntiSpyware.com)
3 hwusbdev; C:\Windows\System32\DRIVERS\ewusbdev.sys [x]
2012-12-28 16:01 - 2012-12-28 16:22 - 00000000 ____D C:\Program Files (x86)\Panda Security
2012-12-27 13:09 - 2012-12-27 13:09 - 00001812 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2012-12-27 13:09 - 2012-12-27 13:09 - 00000000 ____D C:\Users\Username\AppData\Roaming\SUPERAntiSpyware.com
2012-12-27 13:09 - 2012-12-27 13:09 - 00000000 ____D C:\Users\All Users\SUPERAntiSpyware.com
2012-12-27 13:09 - 2012-12-27 13:09 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2012-12-27 13:06 - 2012-12-27 13:06 - 22877440 ____A (SUPERAntiSpyware.com) C:\Users\Username\Downloads\SUPERAntiSpyware.exe
HKLM-x32\...\Run: [DATAMNGR] C:\PROGRA~2\SEARCH~1\Datamngr\DATAMN~1.EXE [x]
AppInit_DLLs: C:\PROGRA~3\Wincert\WIN64C~1.DLL C:\PROGRA~2\SEARCH~1\Datamngr\x64\datamngr.dll C:\PROGRA~2\SEARCH~1\Datamngr\x64\IEBHO.dll 
C:\PROGRA~2\SEARCH~1\Datamngr\x64\datamngr.dll 
end
```
*NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system*

Now please enter *System Recovery Options* then select *Command Prompt*

Run *FRST* (or FRST64 if you have the 64bit version) and press the *Fix* button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Reboot Normally.

If that gets you back booting normally

then remove all traces of AVG and McAfee using their removal tools:

Download and run the *McAfee Removal Tool*

http://www.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe

let me know how that goes


----------
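The fix list above is a set of FRST log entries pasted back to the tool, and each entry has a fixed layout: the autostart or service/driver name, the image path, then `[size date]` and the company name FRST read from the file's version resource, or `[x]` when the file no longer exists. The following Python script is an added example, not part of this thread and not FRST's own code: it parses that layout and flags the patterns a responder would check first in exactly this kind of log, namely orphaned entries marked `[x]`, images whose company string is the empty `()`, 8.3 short paths that hide the real folder name, and anything registered in AppInit_DLLs, the mechanism the Datamngr and Wincert DLLs in the fix above use. The sample input is copied from the log lines quoted in this thread with FRST's own section headers around them; the finding names and the rules themselves are this example's choice.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the FRST fixlist and scan output quoted
# in this thread, wrapped in FRST's own section headers so the parser can tell
# services from drivers.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ===================
HKLM-x32\...\Run: [DATAMNGR] C:\PROGRA~2\SEARCH~1\Datamngr\DATAMN~1.EXE [x]
HKU\Marion\...\Run: [Spotify Web Helper] "C:\Users\Marion\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [1199576 2012-10-24] (Spotify Ltd)
HKU\Marion\...\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [x]
AppInit_DLLs: C:\PROGRA~3\Wincert\WIN64C~1.DLL C:\PROGRA~2\SEARCH~1\Datamngr\x64\datamngr.dll C:\PROGRA~2\SEARCH~1\Datamngr\x64\IEBHO.dll
==================== Services (Whitelisted) ===================
2 vToolbarUpdater13.2.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe [711112 2012-11-09] ()
2 McShield; "C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe" [197960 2011-03-13] (McAfee, Inc.)
==================== Drivers (Whitelisted) =====================
3 mfeavfk01; [x]
3 hwusbdev; C:\Windows\System32\DRIVERS\ewusbdev.sys [x]
"""

SECTION_RE = re.compile(r"^=+ (?P<title>.+?) =+$")
RUN_RE = re.compile(r"^(?P<hive>HK.+?)\\\.\.\.\\(?P<key>RunOnce|Run): \[(?P<name>[^\]]+)\] (?P<rest>.*)$")
SVC_RE = re.compile(r"^(?P<start>\d) (?P<name>[^;]+); ?(?P<rest>.*)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (?P<rest>.*)$")
# FRST appends "[size date] (company name from the file's version info)" to each image.
DETAIL_RE = re.compile(r"^(?P<image>.*?) ?\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<company>[^)]*)\)$")
IMAGE_RE = re.compile(r'^"([^"]+)"|^(\S.*?\.(?:exe|dll|sys))(?:\s|$)', re.IGNORECASE)
SHORT_RE = re.compile(r"~\d+[\\.]")  # 8.3 component such as PROGRA~2\ or DATAMN~1.EXE


@dataclass
class Entry:
    kind: str                # run, service, driver or appinit
    name: str
    image: str               # path with quotes and arguments stripped
    missing: bool            # FRST printed [x]: the file no longer exists
    company: Optional[str]   # "" when FRST printed (), None when not reported


@dataclass
class Finding:
    kind: str
    name: str
    image: str
    why: str


def _image_path(s: str) -> str:
    m = IMAGE_RE.match(s)
    return (m.group(1) or m.group(2)) if m else s


def _entry(kind: str, name: str, rest: str) -> Entry:
    if rest == "[x]" or rest.endswith(" [x]"):
        return Entry(kind, name, _image_path(rest[:-3].strip()), True, None)
    m = DETAIL_RE.match(rest)
    if not m:
        return Entry(kind, name, _image_path(rest), False, None)
    return Entry(kind, name, _image_path(m.group("image")), False, m.group("company"))


def parse_frst(text: str) -> List[Entry]:
    entries, section = [], "registry"
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if m := SECTION_RE.match(line):
            title = m.group("title").lower()
            section = "driver" if title.startswith("drivers") else "service" if title.startswith("services") else "registry"
        elif m := APPINIT_RE.match(line):
            # The value is space separated, which is why the entries are 8.3 short names.
            for dll in m.group("rest").split():
                entries.append(Entry("appinit", dll.rsplit("\\", 1)[-1], dll, False, None))
        elif m := RUN_RE.match(line):
            entries.append(_entry("run", m.group("name"), m.group("rest")))
        elif (m := SVC_RE.match(line)) and section != "registry":
            entries.append(_entry(section, m.group("name"), m.group("rest")))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    out = []
    for e in entries:
        if e.kind == "appinit":
            out.append(Finding("APPINIT_DLL", e.name, e.image,
                               "loaded into every process that maps user32.dll; rarely legitimate"))
        if e.missing:
            out.append(Finding("MISSING_IMAGE", e.name, e.image,
                               "autostart points at a file that is gone; remove the entry"))
        elif e.company == "":
            out.append(Finding("NO_COMPANY", e.name, e.image,
                               "no company name in version info; check signature and hash"))
        if SHORT_RE.search(e.image):
            out.append(Finding("SHORT_PATH", e.name, e.image,
                               "8.3 short name hides the real folder; expand it with dir /x"))
    return out


if __name__ == "__main__":
    for f in triage(parse_frst(SAMPLE_LOG)):
        print(f"{f.kind:<14}{f.name:<24}{f.image}  -- {f.why}")
```

Run against the sample, the script reports the two orphaned Run entries and two orphaned drivers, the AVG toolbar updater service with no company name, and the three AppInit DLLs, all of which are also the entries the fix above removes; the signed McAfee and Spotify lines produce nothing. On a full log the same rules give a short worklist rather than a verdict, since an empty company string or a short path is a reason to look, not proof of malware.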



## yellosnosid (Dec 28, 2012)

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-02-2013 02
Ran by SYSTEM at 2013-02-03 18:16:02 Run:5
Running from G:\

==============================================

HKEY_LOCAL_MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\AVG_TRAY Value deleted successfully.
HKEY_LOCAL_MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\vProt Value deleted successfully.
HKEY_LOCAL_MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ROC_roc_dec12 Value deleted successfully.
HKEY_LOCAL_MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ROC_ROC_JULY_P1 Value deleted successfully.
avgfws service deleted successfully.
AVGIDSAgent service deleted successfully.
avgwd service deleted successfully.
McAfee SiteAdvisor Service service deleted successfully.
McMPFSvc service deleted successfully.
mcmscsvc service deleted successfully.
McNaiAnn service deleted successfully.
McNASvc service deleted successfully.
McODS service deleted successfully.
McOobeSv service deleted successfully.
McProxy service deleted successfully.
McShield service deleted successfully.
mfefire service deleted successfully.
mfevtp service deleted successfully.
MSK80Service service deleted successfully.
NOBU service deleted successfully.
vToolbarUpdater13.2.0 service deleted successfully.
AVGIDSDriver service deleted successfully.
AVGIDSFilter service deleted successfully.
AVGIDSHA service deleted successfully.
Avgldx64 service deleted successfully.
Avgmfx64 service deleted successfully.
Avgrkx64 service deleted successfully.
Avgtdia service deleted successfully.
avgtp service deleted successfully.
cfwids service deleted successfully.
mfeapfk service deleted successfully.
mfeavfk service deleted successfully.
mfefirek service deleted successfully.
mfehidk service deleted successfully.
mfenlfk service deleted successfully.
mferkdet service deleted successfully.
mfewfpk service deleted successfully.
SASDIFSV service not found.
SASKUTIL service not found.
mfeavfk01 service deleted successfully.
HKEY_USERS\Username\Software\Microsoft\Windows\CurrentVersion\Run\\SUPERAntiSpyware Value not found.
!SASCORE service not found.
hwusbdev service deleted successfully.
C:\Program Files (x86)\Panda Security moved successfully.
C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk moved successfully.
C:\Users\Username\AppData\Roaming\SUPERAntiSpyware.com not found.
C:\Users\All Users\SUPERAntiSpyware.com moved successfully.
C:\Program Files\SUPERAntiSpyware moved successfully.
C:\Users\Username\Downloads\SUPERAntiSpyware.exe not found.
HKEY_LOCAL_MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\DATAMNGR Value deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs Value was restored successfully .
C:\PROGRA~2\SEARCH~1\Datamngr\x64\datamngr.dll moved successfully.

==== End of Fixlog ====

*Did not boot normally*


----------



## CatByte (Feb 24, 2009)

reboot again

advise how far it gets into the boot process,

try it a couple of times

if it still won't boot, then boot into the Recovery Environment and run a fresh scan with FRST, post the new log


----------



## yellosnosid (Dec 28, 2012)

CatByte said:


> reboot again
> 
> advise how far it gets into the boot process,
> 
> ...


Booted it twice now, still goes into Startup Repair.


----------



## yellosnosid (Dec 28, 2012)

Will post new scan log in 3 mins, not sure what you mean by "advise how far it gets into the boot process".


----------



## yellosnosid (Dec 28, 2012)

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 02-02-2013 02
Ran by SYSTEM at 03-02-2013 18:34:22
Running from G:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US) 
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2531624 2010-12-16] (Synaptics Incorporated)
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [11775592 2011-01-12] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /FORPCEE4 [2186856 2011-01-09] (Realtek Semiconductor)
HKLM\...\Run: [Power Management] C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe [1796200 2011-02-22] (Acer Incorporated)
HKLM-x32\...\Run: [SuiteTray] "C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe" [340336 2010-09-27] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisTecPMMUpdate] "C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe" [407920 2010-09-17] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisUpdate] "C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe" -d [201584 2010-09-17] (Egis Technology Inc.)
HKLM-x32\...\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe [1081424 2011-03-14] (Dritek System Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKU\Default\...\RunOnce: [ScrSav] C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe /default [154144 2010-07-29] ()
HKU\Default User\...\RunOnce: [ScrSav] C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe /default [154144 2010-07-29] ()
HKU\Marion\...\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKU\Marion\...\Run: [Spotify Web Helper] "C:\Users\Marion\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [1199576 2012-10-24] (Spotify Ltd)
HKU\Marion\...\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [x]
Tcpip\Parameters: [DhcpNameServer] 83.255.245.11 193.150.193.150
Tcpip\..\Interfaces\{29A05272-79DB-4A28-9BF2-ECE5B87B5F70}: [NameServer]195.67.199.27 195.67.199.28
Tcpip\..\Interfaces\{C98AFA9A-4194-4279-AF1F-D4687BA24BAD}: [NameServer]195.67.199.27 195.67.199.28

==================== Services (Whitelisted) ===================

2 CTATSvc; "C:\Program Files (x86)\Tele2 Connect\ATService.exe" [574784 2010-03-16] (Tele2)
2 CTConnect; "C:\Program Files (x86)\Tele2 Connect\Connect.exe" [1780544 2010-03-16] (Columbitech)
2 DCService.exe; C:\ProgramData\DatacardService\DCService.exe [229376 2010-08-19] ()
2 MBAMScheduler; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe" [398184 2012-12-14] (Malwarebytes Corporation)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [682344 2012-12-14] (Malwarebytes Corporation)
2 NTI IScheduleSvc; C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe [257344 2011-02-15] (NTI Corporation)

==================== Drivers (Whitelisted) =====================

3 ewusbnet; C:\Windows\System32\Drivers\ewusbnet.sys [256000 2010-08-31] (Huawei Technologies Co., Ltd.)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24176 2012-12-14] (Malwarebytes Corporation)

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2013-01-25 15:20 - 2013-02-02 22:57 - 00000000 ____D C:\Windows\System32\config\HiveBackup
2013-01-12 20:06 - 2013-01-30 07:42 - 00000000 ____D C:\FRST

==================== One Month Modified Files and Folders =======

2013-02-02 22:57 - 2013-01-25 15:20 - 00000000 ____D C:\Windows\System32\config\HiveBackup
2013-01-30 07:52 - 2011-06-15 19:08 - 01838377 ____A C:\Windows\WindowsUpdate.log
2013-01-30 07:42 - 2013-01-12 20:06 - 00000000 ____D C:\FRST
2013-01-30 07:40 - 2011-07-12 09:48 - 00000000 ____D C:\Users\All Users\clear.fi
2013-01-30 07:22 - 2011-09-15 15:30 - 00043583 ____A C:\Windows\setupact.log
2013-01-30 07:20 - 2011-09-10 14:17 - 00000000 ____D C:\Users\All Users\MFAData
2013-01-30 07:20 - 2011-08-24 18:46 - 00000990 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-01-30 07:17 - 2012-04-12 13:50 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-01-30 07:16 - 2012-12-20 12:47 - 00000000 ____D C:\Users\All Users\Wincert
2013-01-30 07:16 - 2011-09-24 08:16 - 00160386 ____A C:\Windows\PFRO.log
2013-01-30 07:16 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

==================== Memory info ===========================

Percentage of memory in use: 17%
Total physical RAM: 3946.73 MB
Available physical RAM: 3249.81 MB
Total Pagefile: 3944.93 MB
Available Pagefile: 3238.77 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

==================== Partitions =============================

1 Drive c: (Acer) (Fixed) (Total:450.66 GB) (Free:362.13 GB) NTFS
2 Drive e: (PQSERVICE) (Fixed) (Total:15 GB) (Free:1.43 GB) NTFS
4 Drive g: () (Removable) (Total:29.8 GB) (Free:29.66 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B 
Disk 1 Online 29 GB 0 B

Partitions of Disk 0:
===============

Disk ID: CF566CB4

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 15 GB 1024 KB
Partition 2 Primary 100 MB 15 GB
Partition 3 Primary 450 GB 15 GB

==================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E PQSERVICE NTFS Partition 15 GB Healthy Hidden

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM RESE NTFS Partition 100 MB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C Acer NTFS Partition 450 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Disk ID: 00000000

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 29 GB 16 KB

==================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G FAT32 Removable 29 GB Healthy

=========================================================

Last Boot: 2012-12-25 07:25

==================== End Of Log =============================


----------



## CatByte (Feb 24, 2009)

please run this script

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as *fixlist.txt*


```
start
testsigning on:
nointegritychecks on:
end
```
*NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system*

Now please enter *System Recovery Options* then select *Command Prompt*

Run *FRST* (or FRST64 if you have the 64bit version) and press the *Fix* button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

If the machine boots,

use the opportunity to rescue and back up all your important documents, as the machine will be unstable and will need to be reformatted


----------



## yellosnosid (Dec 28, 2012)

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-02-2013 02
Ran by SYSTEM at 2013-02-04 09:43:54 Run:6
Running from G:\

==============================================

The operation completed successfully.

The operation completed successfully.

==== End of Fixlog ====
*I pressed restart & it did not boot normally, went straight into startup repair*


----------



## CatByte (Feb 24, 2009)

let's see if you are able to run the System File Checker from the recovery environment

There may be some file system corruption

please run the following:

Boot into the recovery environment as you did to run FRST and ListParts

this time choose the Command Prompt

your OS should be D:\, run the following command from the command prompt

*sfc /scannow /offbootdir=D:\ /offwindir=D:\Windows*

(copy the command exactly as you see it, take note of the spaces)

when it has completed, run this next command, again from the command prompt in the Recovery Environment:

*chkdsk /r D:*

Once the check disk has completed, try rebooting normally, if it boots successfully, immediately try running ComboFix from the USB drive (don't reboot beforehand)

If it goes back to start up repair, then yes, please post the log details

let me know how it goes and how far each process completes


----------



## yellosnosid (Dec 28, 2012)

1st red code I entered: "no repair operations performed"
"For offline repair specify the location of the offline window d" (cuts off, can't get it to show the rest of the word)
"For offline repair specify the location of the offline boot dire"
It seems to be stuck on 4% complete of Chkdsk stage 1 of 5 (NTFS file), maybe it's a bit slow


----------



## CatByte (Feb 24, 2009)

the chkdsk may take a while to run, let it finish first

then please verify the correct drive letter

when you first boot into the Recovery environment and select the command prompt

type *notepad.exe* at the command prompt

a notepad will open

click File > save as > look for the operating system drive and verify what letter is assigned to it


----------



## yellosnosid (Dec 28, 2012)

Thanks, my USB is usually G if that's what you mean, I have it plugged in now in case something had to be saved
Its on 6% now


----------



## CatByte (Feb 24, 2009)

no I mean the operating system, not the USB


----------



## yellosnosid (Dec 28, 2012)

Ok, sorry. Thanks for clarifying that.


----------



## yellosnosid (Dec 28, 2012)

Oops, the computer went dead because I forgot to plug it in. I took the opportunity when I switched it on (went into startup repair as usual) to check drives:
Drives: system reserved C:
Acer D:
Boot X:
PQSERVICE E:
CD DRIVE F:

Re-did ScanNow & am doing chkdsk now as you outlined in Post #72


----------



## yellosnosid (Dec 28, 2012)

About 9 hours into the scan I am still on Stage 1 of 5 at 6%. There is a long list of "File record segment.........is unreadable"


----------



## yellosnosid (Dec 28, 2012)

12 hours later with about 50 unreadable file record segments & I'm still at 6%, should I let the scan continue? This might take a few days. I think it's still in stage 1 of 5 but I can't read the start anymore, it won't scroll up that far =S


----------



## yellosnosid (Dec 28, 2012)

Am on 8% now, should I let it continue?


----------



## CatByte (Feb 24, 2009)

yes please let it continue, but it is looking more and more like some major corruption has occurred and you will need to reformat


----------



## yellosnosid (Dec 28, 2012)

ok,thanks


----------



## yellosnosid (Dec 28, 2012)

It is now on 10%, saying it's deleting various index entries, index verification complete. Failed to transfer logged msgs to the event log with status 50.
X:\windows\system32>ch
was the major corruption because of the virus? Will I get to retrieve any files at all?
Thanks


----------



## CatByte (Feb 24, 2009)

hopefully the chkdsk and sfc will be able to make enough repairs so that the machine will boot.

If not, you may be able to access files (if they are intact) through a Puppy Linux boot disk.

Quite likely the infection was the culprit, but in your second post the machine failed to boot, so the hard drive may have failed prior to getting the infection, unless you have been infected for a while.

when did you first notice the trouble?


----------



## yellosnosid (Dec 28, 2012)

Thanks
I noticed the problem with the Search.nu page coming up about a day or 2 before I posted online, but at the time I had taken it off manually from Chrome & IE & Firefox, thinking it was mostly gone but unsure, because my computer was running pretty normally & I had read online it was quite a vicious infection, so wanted to be sure it was completely gone. Then if I remember correctly some scans were coming up with a lot of infections & things they couldn't fix I think =S

I can buy a Puppy Linux boot disk at a normal PC shop, right?
It seems to be stuck on X:\windows\system32>ch for a few hours now, like 6 hrs, should I let it continue?


----------



## CatByte (Feb 24, 2009)

it's free

You will need a blank CD or flash drive, as well as software to burn .iso images, such as *FreeISOBurner* or *BurnCDCC.*

Download PuppyLinux from *here* and save it to your Desktop.

Open *FreeISOBurner.* Configure it as follows:

Click *Open* and navigate to *puppy-4.2-k2.6.25.16-seamonkey.iso* on your *Desktop.*
Change the *Drive* to reflect the drive letter of your *CD* or *USB* drive.
Change the *Burn Speed* to *as slow as possible* (4x or lower preferred).
Click *Burn*

When it finishes, *eject the CD* and put it in the computer that will not boot.

If not already done so, configure that computer to *boot from CD or USB first.*

To do so, restart your computer. Carefully read what appears on the screen to see which key need to be pressed to enter *Setup.*

From there, navigate using the keyboard to the *Boot* section, then use the Page Up and Page Down keys to move the *CDROM or USB* option first. Afterward, press *F10* to save and exit setup.

When the computer restarts, it will boot from your CD or USB drive instead of the damaged hard drive, and you will be presented with PuppyLinux.

It will say Linux will boot automatically in 8 seconds. Let it. It will proceed to "boot the kernel."

You will be presented with a number of options. Select the *default option for everything* and you will see an interface with several icons on it.

Click (only once) on *mount* and the *Pmount Puppy Drive Mounter* menu will open.

Click *MOUNT* next to the hard drive that contains your Windows installation. Also mount any removable media you have inserted to transfer your data to.

A window will open titled */mnt/sda1* (or something similar).

You will now have access to all of your files in a familiar folder format.

you should be able to copy them to a USB


----------



## yellosnosid (Dec 28, 2012)

Great! Thanks, but my flash drive is in the computer at the moment, it's got 32 GB, do you think that will be enough? Do I continue the scan, because it seems a little stuck!


----------



## CatByte (Feb 24, 2009)

I would try and let it finish unless you need to retrieve something urgently

hard shutting down of the computer while it is in the middle of something can be the cause of corruption


----------



## yellosnosid (Dec 28, 2012)

Ok, I guess I'll let it keep running for a couple more days then! Thanks =)


----------



## yellosnosid (Dec 28, 2012)

CatByte said:


> I would try and let it finish unless you need to retrieve something urgently
> 
> hard shutting down of the computer while it is in the middle of something can be the cause of corruption


Can I take out the USB? I don't want to destroy it, the light being on for days. It doesn't seem to overheat, but I just want to be on the safe side...it's the only 1 I've got


----------



## yellosnosid (Dec 28, 2012)

CatByte said:


> Click *MOUNT* next to the hard drive that contains your Windows installation. Also mount any removable media you have inserted to transfer your data to.


Do you mean Acer D: or another?
I'm not sure what you mean by removable media?
Can I use 1 USB for everything?
Thanks in advance


----------



## CatByte (Feb 24, 2009)

your hard drive will either show up as C:\ or D:\

the removable media is your USB drive


----------



## yellosnosid (Dec 28, 2012)

CatByte said:


> your hard drive will either show up as C:\ or D:\
> 
> the removable media is your USB drive


Thanks, the computer has been stuck since yesterday on that X:\windows\systems code I posted before. Can I remove the USB or is it a bad idea?
Thanks


----------



## yellosnosid (Dec 28, 2012)

*I don't know the name of the log I'm supposed to post, so here are the ones with the latest dates. The computer finished the scan when I was asleep; when I woke up I just saw the startup repair page with the option to send information (recommended) & I shut it down, it did not boot normally.*
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-02-2013 02
Ran by SYSTEM at 2013-02-04 09:43:54 Run:6
Running from G:\

==============================================

The operation completed successfully.

The operation completed successfully.

==== End of Fixlog ====


----------



## yellosnosid (Dec 28, 2012)

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 02-02-2013 02
Ran by SYSTEM at 03-02-2013 18:34:22
Running from G:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US) 
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2531624 2010-12-16] (Synaptics Incorporated)
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [11775592 2011-01-12] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /FORPCEE4 [2186856 2011-01-09] (Realtek Semiconductor)
HKLM\...\Run: [Power Management] C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe [1796200 2011-02-22] (Acer Incorporated)
HKLM-x32\...\Run: [SuiteTray] "C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe" [340336 2010-09-27] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisTecPMMUpdate] "C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe" [407920 2010-09-17] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisUpdate] "C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe" -d [201584 2010-09-17] (Egis Technology Inc.)
HKLM-x32\...\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe [1081424 2011-03-14] (Dritek System Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKU\Default\...\RunOnce: [ScrSav] C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe /default [154144 2010-07-29] ()
HKU\Default User\...\RunOnce: [ScrSav] C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe /default [154144 2010-07-29] ()
HKU\Marion\...\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKU\Marion\...\Run: [Spotify Web Helper] "C:\Users\Marion\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [1199576 2012-10-24] (Spotify Ltd)
HKU\Marion\...\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [x]
Tcpip\Parameters: [DhcpNameServer] 83.255.245.11 193.150.193.150
Tcpip\..\Interfaces\{29A05272-79DB-4A28-9BF2-ECE5B87B5F70}: [NameServer]195.67.199.27 195.67.199.28
Tcpip\..\Interfaces\{C98AFA9A-4194-4279-AF1F-D4687BA24BAD}: [NameServer]195.67.199.27 195.67.199.28

==================== Services (Whitelisted) ===================

2 CTATSvc; "C:\Program Files (x86)\Tele2 Connect\ATService.exe" [574784 2010-03-16] (Tele2)
2 CTConnect; "C:\Program Files (x86)\Tele2 Connect\Connect.exe" [1780544 2010-03-16] (Columbitech)
2 DCService.exe; C:\ProgramData\DatacardService\DCService.exe [229376 2010-08-19] ()
2 MBAMScheduler; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe" [398184 2012-12-14] (Malwarebytes Corporation)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [682344 2012-12-14] (Malwarebytes Corporation)
2 NTI IScheduleSvc; C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe [257344 2011-02-15] (NTI Corporation)

==================== Drivers (Whitelisted) =====================

3 ewusbnet; C:\Windows\System32\Drivers\ewusbnet.sys [256000 2010-08-31] (Huawei Technologies Co., Ltd.)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24176 2012-12-14] (Malwarebytes Corporation)

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2013-01-25 15:20 - 2013-02-02 22:57 - 00000000 ____D C:\Windows\System32\config\HiveBackup
2013-01-12 20:06 - 2013-01-30 07:42 - 00000000 ____D C:\FRST

==================== One Month Modified Files and Folders =======

2013-02-02 22:57 - 2013-01-25 15:20 - 00000000 ____D C:\Windows\System32\config\HiveBackup
2013-01-30 07:52 - 2011-06-15 19:08 - 01838377 ____A C:\Windows\WindowsUpdate.log
2013-01-30 07:42 - 2013-01-12 20:06 - 00000000 ____D C:\FRST
2013-01-30 07:40 - 2011-07-12 09:48 - 00000000 ____D C:\Users\All Users\clear.fi
2013-01-30 07:22 - 2011-09-15 15:30 - 00043583 ____A C:\Windows\setupact.log
2013-01-30 07:20 - 2011-09-10 14:17 - 00000000 ____D C:\Users\All Users\MFAData
2013-01-30 07:20 - 2011-08-24 18:46 - 00000990 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-01-30 07:17 - 2012-04-12 13:50 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-01-30 07:16 - 2012-12-20 12:47 - 00000000 ____D C:\Users\All Users\Wincert
2013-01-30 07:16 - 2011-09-24 08:16 - 00160386 ____A C:\Windows\PFRO.log
2013-01-30 07:16 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

==================== Memory info ===========================

Percentage of memory in use: 17%
Total physical RAM: 3946.73 MB
Available physical RAM: 3249.81 MB
Total Pagefile: 3944.93 MB
Available Pagefile: 3238.77 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

==================== Partitions =============================

1 Drive c: (Acer) (Fixed) (Total:450.66 GB) (Free:362.13 GB) NTFS
2 Drive e: (PQSERVICE) (Fixed) (Total:15 GB) (Free:1.43 GB) NTFS
4 Drive g: () (Removable) (Total:29.8 GB) (Free:29.66 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B 
Disk 1 Online 29 GB 0 B

Partitions of Disk 0:
===============

Disk ID: CF566CB4

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 15 GB 1024 KB
Partition 2 Primary 100 MB 15 GB
Partition 3 Primary 450 GB 15 GB

==================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E PQSERVICE NTFS Partition 15 GB Healthy Hidden

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM RESE NTFS Partition 100 MB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C Acer NTFS Partition 450 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Disk ID: 00000000

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 29 GB 16 KB

==================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G FAT32 Removable 29 GB Healthy

=========================================================

Last Boot: 2012-12-25 07:25

==================== End Of Log =============================


----------



## yellosnosid (Dec 28, 2012)

ListParts by Farbar Version: 16-01-2013
Ran by SYSTEM (administrator) on 27-01-2013 at 16:21:04
Windows 7 (X64)
Running From: G:\
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 14%
Total physical RAM: 3946.73 MB
Available physical RAM: 3372.32 MB
Total Pagefile: 3944.93 MB
Available Pagefile: 3352.8 MB
Total Virtual: 8192 MB
Available Virtual: 8191.92 MB

======================= Partitions =========================

1 Drive c: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (Acer) (Fixed) (Total:450.66 GB) (Free:362.06 GB) NTFS
3 Drive e: (PQSERVICE) (Fixed) (Total:15 GB) (Free:1.43 GB) NTFS
5 Drive g: () (Removable) (Total:29.8 GB) (Free:29.69 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B 
Disk 1 Online 29 GB 0 B

Partitions of Disk 0:
===============

Disk ID: CF566CB4

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 15 GB 1024 KB
Partition 2 Primary 100 MB 15 GB
Partition 3 Primary 450 GB 15 GB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E PQSERVICE NTFS Partition 15 GB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C SYSTEM RESE NTFS Partition 100 MB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D Acer NTFS Partition 450 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Disk ID: 00000000

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 29 GB 16 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G FAT32 Removable 29 GB Healthy

======================================================================================================

Windows Boot Manager
--------------------
identifier {bootmgr}
device partition=C:
description Windows Boot Manager
locale en-US
inherit {globalsettings}
default {default}
resumeobject {f25c44c0-97c8-11e0-b5ed-ac679eb60ab0}
displayorder {default}
toolsdisplayorder {memdiag}
timeout 3

Windows Boot Loader
-------------------
identifier {default}
device partition=D:
path \Windows\system32\winload.exe
description Windows 7
locale en-US
inherit {bootloadersettings}
recoverysequence {current}
recoveryenabled Yes
osdevice partition=D:
systemroot \Windows
resumeobject {f25c44c0-97c8-11e0-b5ed-ac679eb60ab0}
nx OptOut
usefirmwarepcisettings No

Windows Boot Loader
-------------------
identifier {current}
device ramdisk=[D:]\Recovery\f25c44c2-97c8-11e0-b5ed-ac679eb60ab0\Winre.wim,{f25c44c3-97c8-11e0-b5ed-ac679eb60ab0}
path \windows\system32\winload.exe
description Windows Recovery Environment
inherit {bootloadersettings}
osdevice ramdisk=[D:]\Recovery\f25c44c2-97c8-11e0-b5ed-ac679eb60ab0\Winre.wim,{f25c44c3-97c8-11e0-b5ed-ac679eb60ab0}
systemroot \windows
nx OptIn
winpe Yes

Resume from Hibernate
---------------------
identifier {f25c44c0-97c8-11e0-b5ed-ac679eb60ab0}
device partition=D:
path \Windows\system32\winresume.exe
description Windows Resume Application
locale en-US
inherit {resumeloadersettings}
filedevice partition=D:
filepath \hiberfil.sys
debugoptionenabled No

Windows Memory Tester
---------------------
identifier {memdiag}
device partition=C:
path \boot\memtest.exe
description Windows Memory Diagnostic
locale en-US
inherit {globalsettings}
badmemoryaccess Yes

EMS Settings
------------
identifier {emssettings}
bootems Yes

Debugger Settings
-----------------
identifier {dbgsettings}
debugtype Serial
debugport 1
baudrate 115200

RAM Defects
-----------
identifier {badmemory}

Global Settings
---------------
identifier {globalsettings}
inherit {dbgsettings}
{emssettings}
{badmemory}

Boot Loader Settings
--------------------
identifier {bootloadersettings}
inherit {globalsettings}
{hypervisorsettings}

Hypervisor Settings
-------------------
identifier {hypervisorsettings}
hypervisordebugtype Serial
hypervisordebugport 1
hypervisorbaudrate 115200

Resume Loader Settings
----------------------
identifier {resumeloadersettings}
inherit {globalsettings}

Device options
--------------
identifier {f25c44c3-97c8-11e0-b5ed-ac679eb60ab0}
description Ramdisk Options
ramdisksdidevice partition=D:
ramdisksdipath \Recovery\f25c44c2-97c8-11e0-b5ed-ac679eb60ab0\boot.sdi

****** End Of Log ******


----------



## yellosnosid (Dec 28, 2012)

*I don't have a blank USB, but I have 29.6 GB free; the rest is just the programs & logs that you told me to do/get.
The computer I'm using won't allow me to select the USB drive, just E:
I don't know how to change it.
I tried BurnCDCC but that had the same problem*


----------



## CatByte (Feb 24, 2009)

try this:


When you boot your machine, press F8 to list the startup options, exactly as you would if you were trying to enter Safe Mode.

Select "Disable Automatic Restart on System Failure", as shown here:

Restart the computer and see if it gives an error code before it goes into Startup Repair; write down the STOP error code, as well as any written-out error message, and report them back here.
The STOP error should always appear, but the message may not.

You are looking for this:

Have you also tried choosing "Last Known Good Configuration" when you tap F8?

If not, try it.


----------



## yellosnosid (Dec 28, 2012)

CatByte said:


> Have you also tried choosing "Last Known Good Configuration" when you tap F8 if not, try it


Tried both, it just went back into Startup Repair automatically, unfortunately.


----------



## yellosnosid (Dec 28, 2012)

I don't seem to have a disc, but it says I have Acer eRecovery Management, which allows you to create a recovery disc & to restore/reinstall applications & drivers. Is that any good?


----------



## CatByte (Feb 24, 2009)

Your system seems to have too much corruption to be able to recover any of your files, but anything is worth a try.


> I have Acer eRecovery Management which allows you to create a recovery disc


try it and see what happens
If you are unable to get your hands on another computer to make a boot disk, you should probably use the restore partition to do the factory reset


----------



## yellosnosid (Dec 28, 2012)

CatByte said:


> your system seems to have too much corruption to be able to recover any of your files, but anything is worth a try,
> try it and see what happens
> If you are unable to get your hands on another computer to make a boot disk, you should probably use the restore partition to do the factory reset


There's another computer I can access on Monday & maybe tomorrow.
*I'm not sure how to get into eRecovery Management on my computer; it says to run the program from the Acer program group in the Start menu, which I can't do...* Thanks in advance

http://acer.custhelp.com/app/answers/detail/a_id/12866/kw/restore operating system

_Note: If your computer will not load into the Windows Operating System, you can access the eRecovery environment before Windows starts. For more information on this process, please visit our How do I restore my computer using the eRecovery Management program outside of Windows? answer.

In the eRecovery Management program you have the option to restore your computer. Clicking restore will present you with 3 options.

The first option is Completely Restore System to Factory Defaults, which will completely erase your computer and reinstall Windows returning it to the same state it was when you turned your computer on for the first time.
The second option is Restore Operating System and Retain User Data, which is essentially the same process but the information stored in your user account folder will be saved. Acer still recommends backing up all other data if you choose to use this option.

The third option, Reinstall Drivers or Applications, is discussed in further detail below.

Note: Keep in mind that Windows recovery or an anti-virus program may solve an issue you're having without having to completely reinstall Windows._ http://acer.custhelp.com/app/answers/detail/a_id/12869/kw/eRecovery/sno/1
*The computer I tried to download the ISO burner from is a Windows Vista machine, if that helps; I have Windows 7*


----------



## CatByte (Feb 24, 2009)

> In the eRecovery Management program you have the option to restore your computer. Clicking restore will present you with 3 options.
> 
> The first option is Completely Restore System to Factory Defaults, which will completely erase your computer and reinstall Windows returning it to the same state it was when you turned your computer on for the first time.
> The second option is Restore Operating System and Retain User Data, which is essentially the same process but the information stored in your user account folder will be saved. Acer still recommends backing up all other data if you choose to use this option.


Try the second option


----------



## yellosnosid (Dec 28, 2012)

I figured out how to do it by using Alt and F10
It does warn that it will NOT get rid of persistent viruses or malware. It says it will only save files in my user account folder but won't save files anywhere else on the drive or installed programs, which I want to avoid, since there was a video I had saved but saved only in WLMM format, which I can't get to play on another computer. I'm not sure what the user account folder means & if it includes documents, downloads, Adobe Reader PDFs, music etc...
I think I'll wait & get the ISO software tomorrow/Monday unless you think this eRecovery thing is the best thing to do.
Thanks,hope you enjoy the rest of your weekend =)


----------



## CatByte (Feb 24, 2009)

Might as well wait until tomorrow to see if the Linux boot CD will allow you to copy all the files you want to save onto a USB.

If not, then use the eRecovery.

the user account folder usually contains:

Downloads
My Documents
My Music
My Pictures
My Videos


It wouldn't save any programs; you would have to reinstall any 3rd-party software.


----------



## yellosnosid (Dec 28, 2012)

ok,thanks


----------



## yellosnosid (Dec 28, 2012)

I'll try it on another computer; it didn't work on this one. If there isn't another ISO burner program I can try... I just tried the ISO burner and forgot to try the other CDCC thing. I guess I can try both tomorrow on another computer (Windows 7), but I already tried it on 1 Vista & 1 Windows 7 (today).


----------



## yellosnosid (Dec 28, 2012)

CatByte said:


> might as well wait until tomorrow to see if the linux boot CD will allow you to copy all the files you want to save onto a USB
> 
> if not, then use the erecovery
> 
> ...


It didn't work on this computer =( Is there any other method I can try before the Acer eRecovery?


----------



## CatByte (Feb 24, 2009)

What was it that didn't work specifically?

What did you try and do?


----------



## yellosnosid (Dec 28, 2012)

CatByte said:


> what was it that didn't work specifically
> 
> what did you try and do?


I tried to select it to save to the USB but couldn't change the letter to select the letter of the USB (just like before on a previous computer). Could you please send me instructions for *BurnCDCC* like you did for Free ISO Burner? Thanks, sorry it took me so long to answer; things have been a bit crazy here.


----------



## CatByte (Feb 24, 2009)

Here are instructions

*Using BurnCDCC*

If you don't have BurnCDCC, you can download it here.

1) Open BurnCDCC. You do not need to install this program, it runs by itself.

2) Click on the "Browse" button and navigate to the *.iso* file you wish to burn, then click *Open*.

3) Insert your blank disc and ensure the correct drive is selected under "Device".

4) Ensure the "Finalize" box is *checked*.

5) Using the slider bar under "Speed", I recommend you slow it down to around 8x or 10x - too fast can cause errors

6) BurnCDCC will finish and eject the disc for you. Label it appropriately.

*How to Check your Image Burnt Successfully*

1) Insert your disc into the drive.

2) Navigate to the drive from *My Computer*

If you didn't burn the file properly, all you will see is a *.iso* file in the folder.

If you did burn the file properly, you should see files and folders as was intended.

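As an added example (not part of CatByte's instructions and not BurnCDCC's own tooling), here is a PowerShell script for the working second Windows machine that wraps the two checks around the burn step: before burning, it confirms the downloaded .iso matches the checksum the download page publishes, so a corrupted or tampered download never reaches the disc; after burning, it confirms the disc root contains the image's files and folders rather than a lone .iso file, which is the check described above. It assumes PowerShell 4.0 or newer for Get-FileHash (Windows 7 gets it with WMF 4.0); $IsoPath and $ExpectedHash are placeholders, and D: is the drive letter the burner showed later in this thread.

```powershell
# Added example, not from the thread or from BurnCDCC: two checks a practitioner
# runs on the working (second) Windows machine around the burn step.
#   1. Before burning: the downloaded .iso matches the checksum the download
#      page publishes, so a corrupt or tampered download is not burned.
#   2. After burning: the disc root holds the image's files and folders, not a
#      single .iso file (a data burn of the image, which will not boot).
# Assumes PowerShell 4.0 or newer for Get-FileHash (Windows 7 needs WMF 4.0).
# $IsoPath and $ExpectedHash are placeholders; 'D:' is the drive letter the
# burner showed in the thread (TSSTcorp CDDVDW).

param(
    [string]$IsoPath      = 'C:\Users\Public\Downloads\rescue.iso',  # placeholder
    [string]$ExpectedHash = '<checksum from the download page>',     # placeholder
    [string]$Algorithm    = 'SHA256',   # use 'MD5' if that is what the page publishes
    [string]$DiscDrive    = 'D:'
)

function Test-IsoChecksum {
    param([string]$Path, [string]$Expected, [string]$Algorithm)
    if (-not (Test-Path -LiteralPath $Path)) { throw "ISO not found: $Path" }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm $Algorithm).Hash
    # Hex digests compare case-insensitively; trim stray whitespace from a pasted value.
    [pscustomobject]@{
        Path     = $Path
        Expected = $Expected.Trim()
        Actual   = $actual
        Match    = ($actual -ieq $Expected.Trim())
    }
}

function Test-BurnedDisc {
    param([string]$Drive)
    $root = $Drive.TrimEnd('\') + '\'
    if (-not (Test-Path -LiteralPath $root)) { throw "Drive $Drive is not readable; is a disc inserted?" }
    # Force an array so .Count and [0] behave even when the root holds one item.
    $items   = @(Get-ChildItem -LiteralPath $root -Force)
    $isoOnly = ($items.Count -eq 1 -and $items[0].Extension -ieq '.iso')
    [pscustomobject]@{
        Drive         = $Drive
        ItemCount     = $items.Count
        FolderCount   = @($items | Where-Object { $_.PSIsContainer }).Count
        ImageExpanded = (-not $isoOnly -and $items.Count -gt 0)
    }
}

$hash = Test-IsoChecksum -Path $IsoPath -Expected $ExpectedHash -Algorithm $Algorithm
$hash | Format-List
if (-not $hash.Match) {
    Write-Warning 'Checksum mismatch: do not burn this file; download it again from the project site.'
}

$disc = Test-BurnedDisc -Drive $DiscDrive
$disc | Format-List
if (-not $disc.ImageExpanded) {
    Write-Warning 'The disc holds only the .iso file (or nothing): re-burn it as an image, not as a data disc.'
}
```

Run the checksum half before step 1 of the burn and the disc half after the disc has been ejected and reinserted. A mismatch on the checksum means the file should be downloaded again from the project's own site, not burned; an ImageExpanded of False after the burn is exactly the "only a .iso file in the folder" symptom described above and means the image was written as a data file rather than as a disc image.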

----------



## yellosnosid (Dec 28, 2012)

CatByte said:


> Here are instructions
> 
> *Using BurnCDCC*
> 
> ...


thanks but can I use a USB instead of a blank disc?


----------



## CatByte (Feb 24, 2009)

BurnCDCC is only for making CDs or DVDs.

Sorry for the late reply, I was away.

What is the status of the machine at the moment? Will it not boot in any mode at all (Safe Mode, Safe Mode with Networking)?

What happens when you try "Last Known Good Configuration" (option from the F8 menu)?

Have you been able to create a boot disk on another machine successfully?

Have you tried a different USB stick to see if it can be recognized in the recovery environment?

Have you tried the factory reset option?


----------



## yellosnosid (Dec 28, 2012)

CatByte said:


> BurnCDCC is only for making CDs or DVDs.
> 
> sorry for the late reply, I was away.
> 
> ...


I'll try a different USB & the different modes & get back to you/buy a disc...
Thanks for the reply


----------



## CatByte (Feb 24, 2009)

How are things now?


----------



## yellosnosid (Dec 28, 2012)

CatByte said:


> How are things now?


Tried SM, SM with networking & with command prompt; last known good configuration just goes into the usual Startup Repair.
It wouldn't work on a different USB, I'm going to get a DVD and try BurnCDCC.
I'm not sure what you mean by a boot disc.
If BurnCDCC fails I will try Acer eRecovery, then do a factory reset to make sure the virus/other problems are completely gone.


----------



## CatByte (Feb 24, 2009)

ok, let me know how it goes


----------



## yellosnosid (Dec 28, 2012)

CatByte said:


> ok, let me know how it goes


Will do, how many GB DVD/CD do I need?


----------



## CatByte (Feb 24, 2009)

you have lost me, sorry. Is your plan to create a boot disc so you can access your files and copy them to USB?

or do you need the DVD to write your files to?

the average size of a DVD is 4.7 GB, which should suffice


----------



## yellosnosid (Dec 28, 2012)

CatByte said:


> you have lost me, sorry. Is your plan to create a boot disc so you can access your files and copy them to USB?
> 
> or do you need the DVD to write your files to?
> 
> the average size of DVD is 4.7gb which should suffice


I plan to try out the CDCC you talked about here http://forums.techguy.org/8607827-post87.html and here http://forums.techguy.org/8619811-post112.html


----------



## CatByte (Feb 24, 2009)

ok good,

you should then be able to locate your files and copy them to a USB


----------



## yellosnosid (Dec 28, 2012)

CatByte said:


> ok good,
> 
> you should then be able to locate your files and copy them to a USB


I wanted to get a CD pack but they are all 700 MB & I guess that isn't enough


----------



## CatByte (Feb 24, 2009)

From the Puppy website:

puppypy-4.2-k2.6.25.16-seamonkey.iso
File size: *104,855,552 Bytes*

so the 700 MB will be plenty big enough


----------



## yellosnosid (Dec 28, 2012)

CatByte said:


> from the puppy web site
> 
> puppypy-4.2-k2.6.25.16-seamonkey.iso
> File size: *104,855,552 Bytes*
> ...


Thanks, I guess I'll try both the Puppy ISO & BurnCDCC to see which one I can get on the disc


----------



## yellosnosid (Dec 28, 2012)

CatByte said:


> from the puppy web site
> 
> puppypy-4.2-k2.6.25.16-seamonkey.iso
> File size: *104,855,552 Bytes*
> ...


I've finally got a CD, is it a good idea to vaccinate it?
& will I be able to re-use it as a boot CD for another computer/my PC in the future (CD is non-re-writable)?
Thanks


----------



## CatByte (Feb 24, 2009)

It shouldn't need vaccination, and yes, if you create a Puppy Linux boot CD, then you should be able to use it for any other PC you need it for.


----------



## yellosnosid (Dec 28, 2012)

CatByte said:


> It shouldn't need vaccination, and yes, if you create a Puppy Linux boot CD, then you should be able to use it for any other PC you need it for.


Super, thanks for that very speedy reply! =) gonna try it now


----------



## CatByte (Feb 24, 2009)

> super thanks for that very speedy reply!


I'm actually home sick unfortunately, but just happened to be sitting at the computer.



> gonna try it now


Let's hope this gets you into the computer :up:


----------



## yellosnosid (Dec 28, 2012)

CatByte said:


> I'm actually home sick unfortunately, but just happened to be sitting at the computer
> 
> Let's hope this gets you into the computer :up:


aww =( hope you get well soon!
fingers crossed!


----------



## yellosnosid (Dec 28, 2012)

Free ISO Burner & BurnCDCC say D: TSSTcorp CDDVDW TS-H653N HB01

It's the only one I can select, is that any good?
The computer won't detect the CD but will detect USB, weird =S


----------



## CatByte (Feb 24, 2009)

yes, that's your CD/DVD drive


----------



## yellosnosid (Dec 28, 2012)

CatByte said:


> yes, that's your CD/DVD drive


Not sure what you mean by:

Click *MOUNT* next to the hard drive that contains your Windows installation. Also mount any removable media you have inserted to transfer your data to.


How will I know which one it is? Also mount any removable media, you mean insert USB?


----------



## CatByte (Feb 24, 2009)

> Also mount any removable media, you mean insert USB?


Yes, insert the USB and mount that drive.

you should be able to tell which is your hard drive.

One will be the recovery partition, so it will not have any of your programs and files

the other will be the partition where your operating system is installed with all your programs and files


----------



## yellosnosid (Dec 28, 2012)

CatByte said:


> yes, insert the USB and mount that drive
> 
> you should be able to tell which is your hard drive.
> 
> ...


Thanks =) hope you're feeling better


----------



## CatByte (Feb 24, 2009)

a little bit yes, thanks

let me know how it goes


----------



## yellosnosid (Dec 28, 2012)

CatByte said:


> a little bit yes, thanks
> 
> let me know how it goes


will do,I plan to try it tonight


----------



## yellosnosid (Dec 28, 2012)

CatByte said:


> a little bit yes, thanks
> 
> let me know how it goes


So... it didn't work.
Tried it twice.
Pressed F2 boot, then F10, black screen with "starting windows" then Windows loading files with the moving white bar at the bottom of the screen, then straight into Startup Repair!
Should I move to eRecovery from Acer or is there another program to create another boot disc?
Thanks in advance


----------



## CatByte (Feb 24, 2009)

When you entered the BIOS (F2), were you able to change the boot order to CD/DVD first?

Does the machine appear to be trying to boot from the CD/DVD?

It might be time to cut your losses and reformat

the only other way might be to remove the HD and slave it to another computer and recover your files from it that way

(you would likely need to take it to a shop for that)


----------



## yellosnosid (Dec 28, 2012)

CatByte said:


> when you entered the BIOS (F2) were you able to change the boot order to CD/DVD first?
> 
> does the machine appear to be trying to boot from the CD/DVD?
> 
> It might be time to cut your losses and reformat


I didn't move the boot order, I just selected it so that it became white (the Enter key didn't work), then I pressed F10 to save. I can hear the CD "moving inside", yes.
I'll try putting the boot from CD/DVD as the 1st on the list, see if it helps.


----------



## CatByte (Feb 24, 2009)

:up:


----------



## yellosnosid (Dec 28, 2012)

CatByte said:


> :up:


Tried re-arranging it but it still did not work even though the CD was turning round; time for eRecovery then a reformat I think


----------



## CatByte (Feb 24, 2009)

sounds like that's the only option 

too bad it wouldn't work


----------



## yellosnosid (Dec 28, 2012)

I'm wondering: after I do the eRecovery thing & get whatever files I can access, then I do a factory reset to make sure all viruses are gone, there won't be an antivirus anymore I guess. Should I continue with AVG & if so what are safe sites to download my programs again...
Is it a good idea to vaccinate the PC with the Panda vaccinate program?
Thanks


----------



## CatByte (Feb 24, 2009)

I would use Microsoft Security Essentials

http://www.microsoft.com/security_essentials/

it's excellent and free

as for where to download programs, it's best to download directly from the authors/owners/company site if you can

If not, somewhere like File Hippo should be fine (be wary of any additional add-ons that you should opt out of when installing). Make sure you don't use torrents.

I've never used Panda Vaccine, so can't really comment on its effectiveness.


----------



## yellosnosid (Dec 28, 2012)

CatByte said:


> I would use Microsoft Security Essentials
> 
> http://www.microsoft.com/security_essentials/
> 
> ...


Super, thanks. Any more tips on how to go online for the 1st time when you don't have an antivirus?


----------



## CatByte (Feb 24, 2009)

just be careful where you browse to, you should be fine just going to the Microsoft download page


----------



## yellosnosid (Dec 28, 2012)

CatByte said:


> just be careful where you browse to, you should be fine just going to the Microsoft download page


THANKS
McAfee came with my PC when I bought it; if it reinstalls after eRecovery, how do I disable it after getting Microsoft Security Essentials?


----------



## CatByte (Feb 24, 2009)

You should be able to uninstall it via Programs and Features; also, McAfee makes a removal tool to remove all the leftovers.

Download and run the *McAfee Removal Tool*


----------



## yellosnosid (Dec 28, 2012)

CatByte said:


> You should be able to uninstall it via Programs and Features; also, McAfee makes a removal tool to remove all the leftovers.
> 
> Download and run the *McAfee Removal Tool*


Super, thanks :up:


----------



## yellosnosid (Dec 28, 2012)

CatByte said:


> You should be able to uninstall it via Programs and Features; also, McAfee makes a removal tool to remove all the leftovers.
> 
> Download and run the *McAfee Removal Tool*


Would starting in Safe Mode help when downloading the new antivirus (Microsoft)?
Thanks & Happy Easter !


----------



## CatByte (Feb 24, 2009)

no, you shouldn't need to use safe mode to download it

you will be fine connecting to the download in normal mode, just make sure you don't surf until you install it


----------



## yellosnosid (Dec 28, 2012)

CatByte said:


> no, you shouldn't need to use safe mode to download it
> 
> you will be fine connecting to the download in normal mode, just make sure you don't surf until you install it


Hi
I hope you had a nice Easter.
Tried eRecovery & I got this message:
Restore failed - Error code = 0x45d
(WIM Apply Image cannot apply image: the request could not be performed because of an I/O device error.) Restore unsuccessful. Please try "Restore Operating System to Factory Defaults".

Is there any way I can access my files by solving this I/O device error? Thanks


----------



## CatByte (Feb 24, 2009)

From various research, that error would indicate either the restore image is corrupt, the hard drive is going bad, or both.

I would suggest the best way of accessing that drive at this point is to remove it and slave it to another machine, so you may need to take it to a shop to do that. I really suspect your hard drive has failed, as the machine hasn't been able to boot properly since about your second post and won't boot to a rescue disk, so unfortunately it's not good news.


----------

