Trusted Malware Techs

About noahdfear

  • Rank
    Advanced Member
  • Birthday 04/08/1965

Profile Information

  • Location
    New Bremen, OH. USA
  1. I must again apologize - I forgot about you (one of the reasons I seldom work topics anymore). Despite reporting that the sfc results were written to the cbs.log, they were not, meaning they are of no help. I did some testing with a number of files to see if I could reproduce the behavior you're experiencing and the closest I came, albeit slightly different, was in not allowing userinit.exe to load. That said, let's see if replacing yours will help.
     Repeat the procedure in Post #50 using the replace.txt file attached to this post (delete the one from before). If there's no change after reboot, the only other thing I can suggest is to attempt a repair install. Since your system is a Win7 upgrade, I'm assuming you have a Win7 upgrade DVD. To perform a repair installation you boot with the DVD and choose the Upgrade option at the setup screen. This option will only be available, in my experience, if a previous operating system is detected (although everything I've read, even in the link above, says it is only available from within Windows). If the option is not available to you, you cannot re-install Windows 7 without overwriting all of your existing files, e.g. all of your personal files, pictures, etc. would be gone. If you have an external USB drive that you could copy files to, I would suggest seeing if you can back up your data via xPUD before attempting any repairs.
     Attachment: replace.txt
  2. Let's see if that log reveals anything helpful. You'll need the driver.sh script from here on your flash drive. Boot into xPUD and navigate to the flash drive, then click Tool>Open Terminal. Type the following command, then press Enter:
     bash driver.sh -f
     When prompted for the filename to search for, type cbs.log and press Enter. If any copies are found it should show the location on the screen, as well as echo the results to a log named filefind.txt on the flash drive. I expect the cbs.log file to be located in /mnt/sda3/windows/logs - if so, please copy it to your flash drive, then attach it to a reply here. If it is too big to attach you can zip it up and upload the zip to my submissions site.
  3. My apologies for the delay in a response. I've been banging my head trying to figure out a cause for your situation, and quite frankly, I'm just not finding anything. Let's run the System File Checker from the Recovery Environment and see if that produces a positive result.
     Start your computer and tap F8 to enable the Advanced startup menu, then select Repair your computer. When the System Recovery Options screen comes up, select Command Prompt. Type in the following bolded command, replacing the red underscores with spaces, then press Enter.
     sfc_/scannow_/offbootdir=c:\_/offwindir=c:\windows
     When the scan completes, restart and see if the computer will boot and load normally.
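Posts 1 through 3 above turn on whether CBS.log actually carries the results of an sfc run. The script below is an added example for pulling those results out of a copied CBS.log; it is not part of noahdfear's posts or of the driver.sh script. It assumes the line layout Microsoft documents for sfc entries (timestamp, level, the CSI component, a hex sequence number and an "[SR]" tag) and the message texts "Beginning Verify and Repair transaction", "Verify complete", "Cannot repair member file" and "Repairing corrupted file". The sample log lines are constructed in that layout; the component and file names in them are illustrative only.

```python
"""Summarise the System File Checker ([SR]) entries in a CBS.log.

Added example; not part of the post above or of the driver.sh script.
Assumes the documented sfc line layout:
  <date> <time>, <Level>   CSI   <hex sequence> [SR] <message>
"""
import re
import sys

SR_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d), (?P<level>\w+)\s+CSI\s+[0-9a-f]+ \[SR\] (?P<msg>.*)$"
)
QUOTED = re.compile(r'"([^"]+)"')   # file names appear in double quotes inside the message

# Constructed sample (not a real log); component and file names are illustrative only.
SAMPLE_CBS_LOG = r"""2011-03-10 09:15:01, Info                  CBS    Loaded Servicing Stack v6.1.7601.17514
2011-03-10 09:15:02, Info                  CSI    00000004 [SR] Verifying 100 (0x0000000000000064) components
2011-03-10 09:15:02, Info                  CSI    00000005 [SR] Beginning Verify and Repair transaction
2011-03-10 09:15:09, Info                  CSI    00000006 [SR] Cannot repair member file [l:24{12}]"userinit.exe" of Microsoft-Windows-Userinit, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2011-03-10 09:15:11, Info                  CSI    00000007 [SR] Repairing corrupted file [ml:520{260},l:66{33}]"\??\C:\Windows\System32"\[l:24{12}]"explorer.exe" from store
2011-03-10 09:15:12, Info                  CSI    00000008 [SR] Verify complete
2011-03-10 09:15:12, Info                  CBS    Exec: Processing complete.
"""


def sfc_entries(lines):
    """Yield (timestamp, level, message) for every [SR] line; everything else is ignored."""
    for line in lines:
        m = SR_LINE.match(line.rstrip("\r\n"))
        if m:
            yield m.group("ts"), m.group("level"), m.group("msg")


def summarize_sfc(lines):
    """Count sfc sessions and collect the files sfc repaired or could not repair."""
    summary = {"sr_lines": 0, "sessions": 0, "completed": 0, "unrepairable": [], "repaired": []}
    for ts, _level, msg in sfc_entries(lines):
        summary["sr_lines"] += 1
        if msg.startswith("Beginning Verify and Repair transaction"):
            summary["sessions"] += 1
        elif msg.startswith("Verify complete"):
            summary["completed"] += 1
        elif msg.startswith("Cannot repair member file"):
            names = QUOTED.findall(msg)          # first quoted token is the member file name
            summary["unrepairable"].append((ts, names[0] if names else msg))
        elif msg.startswith("Repairing corrupted file"):
            names = QUOTED.findall(msg)          # last quoted token is the file name, earlier one is the directory
            summary["repaired"].append((ts, names[-1] if names else msg))
    return summary


def format_report(summary):
    """Turn a summary into the lines a helper would paste into a reply."""
    if summary["sr_lines"] == 0:
        return ["no [SR] entries: this CBS.log does not contain an sfc run"]
    lines = [f"sfc sessions started: {summary['sessions']}, completed: {summary['completed']}"]
    lines += [f"{ts} repaired {name}" for ts, name in summary["repaired"]]
    lines += [f"{ts} could NOT repair {name}" for ts, name in summary["unrepairable"]]
    return lines


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            log_lines = fh.readlines()
    else:
        log_lines = SAMPLE_CBS_LOG.splitlines()
    print("\n".join(format_report(summarize_sfc(log_lines))))
```

Run it against the copied log (`python sfc_summary.py cbs.log`); with no argument it runs over the constructed sample. A report of "no [SR] entries" is the situation post 1 describes: the log never received the scan results, so it cannot say whether any protected file failed verification.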
  4. Start the computer, pressing F8 to enable the Advanced Start menu.
     Select Repair your computer.
     If Startup Repair starts automatically, when it completes click the link View advanced options for system recovery and support to open the System Recovery Options menu.
     Select System Restore, then click Next.
     If any restore points are available they will be listed. If none are listed with a date prior to the current problem, check the box Show more restore points.
     Click to select a date just prior to the current problem, then click Next.
     Click Finish to confirm - your computer will restart and attempt to restore the system to its previous state.
     Let us know the outcome.
  5. Hi Steve, I have studied and re-studied everything you've submitted and I still do not see anything that could be blamed for the behavior of your computer. On the off chance that explorer.exe is corrupted, let's replace it with another copy on your drive.
     Please download the attached replace.txt file and save it to your flash drive. Make sure that the driver.sh script you downloaded previously is still on the flash drive as well.
     Boot into xPUD and navigate to the flash drive (sdb1), then click Tool>Open Terminal. Type the following bolded command, then press Enter.
     bash driver.sh -r
     Close the Terminal window when the script completes and restart the computer, allowing it to start normally. Let me know if there's any change. Please post the contents of the report created on the flash drive named filerep.txt.
     Attachment: replace.txt
  6. Please save xPUDtd to your flash drive. Boot to xPUD with the flash drive attached, navigate to the flash drive, then double click xPUDtd to run it.
     At the first screen, leave [Create] selected and press Enter.
     The next screen will show your disk drives; generally the hard drive will be first, USB second. You should be able to verify by the size. Select the hard drive, select [Proceed] and press Enter.
     At the next screen select [intel] and press Enter.
     Now at the actions option screen, arrow down to [Advanced] and press Enter.
     Select [boot] and press Enter - you may have to arrow up/down to select a different partition to get the [boot] option to show.
     Select [Dump] and press Enter.
     At this screen, use the page down button (or press Enter on the [Next] option repeatedly) to view the entire boot sector, which may be about 4 screens full and ends at approximately the 01F8 sector in the left column.
     Now press Q three times, which should return you to the actions option screen.
     Select [Analyse] and press Enter.
     Select [Quick Search] and press Enter. If prompted to search for partitions created under Vista, type Y.
     The next screen will show the current partition structure. Press Enter to continue.
     Now press Q repeatedly until TestDisk exits.
     There will be a log created on the flash drive named testdisk.log. Either zip and upload that log or open it (should open with notepad by default) and copy/paste its contents in a reply here.
  7. Let's do it this way then. First, zip up the bcd.txt file (right click>Send To>Compressed (zipped) folder). Go to my submissions site and upload the bcd.zip and mbr.zip files.
     http://noahdfear.net/max/upload.php
  8. You will need to type something into the reply text box - I don't think the forum software will allow you to post a blank reply.
  9. Click Add Reply then on the Replying to Blank Screen page click the Browse button located below the reply textbox. Select your file and click Open. Click Attach this file. Finally, click Add Reply.
  10. Right click on the link and select Save Target As
  11. Hi Steve, I've looked over your registry hives, and the bcd, and frankly I don't see a problem with any of them. That said, I cannot get true results from your bcd - true results can only come from the machine on which the bcd lives. So, let's see if we can get an export from your bcd.
      Plug in your flash drive and start the computer, pressing F8 to enable the Advanced Start menu.
      Select Repair your computer.
      If Startup Repair starts automatically, when it completes click the link View advanced options for system recovery and support to open the System Recovery Options menu.
      Select Command prompt.
      Type diskpart and press Enter.
      When the diskpart> command prompt appears, type list volume and press Enter.
      Jot down the drive letters assigned and their corresponding label - I'll want that information in your reply. Identify which drive letter is assigned to your flash drive (you should know by the size).
      Type exit and press Enter to quit the diskpart tool.
      Now type the following command, replacing the red x with the drive letter that corresponds to your flash drive, then press Enter.
      bcdedit /enum all>x:\bcd.txt
      *Please note that there is a space between bcdedit and /enum, and another between /enum and all.
      *If for some reason your flash drive does not show up in diskpart, use one of the drive letters shown there in place of the red x and we can retrieve the export in xPUD.
      Close the command window and shut down the machine.
      I would also like to get a dump of the hard drive's MBR (Master Boot Record). We'll use xPUD for that.
      Download dumpit and save it to your flash drive.
      Boot into xPUD with the flash drive attached, click the File icon, then navigate to your flash drive (mnt>sdb1).
      Double click dumpit to execute it. When it completes press Enter to exit the Terminal window.
      If you were unsuccessful exporting the bcd to the flash drive, click each mnt>sda folder to locate the bcd.txt file - when you find it, right click and select Cut, then navigate back to the flash drive, right click and select Paste.
      Shut down and remove the flash drive, then on your working computer attach the mbr.zip and bcd.txt files on the flash drive to a reply here. Please remember to also post the drive letter and label information obtained in the Recovery Environment.
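Post 6 (the TestDisk boot sector dump and Analyse step) and post 11 (the dumpit MBR dump) both end with the helper reading sector 0 of the disk by eye. The script below is an added example of the checks a reviewer would run over such a dump; it is not the dumpit script, TestDisk's logic, or anything from noahdfear's posts. It assumes a raw 512-byte sector-0 dump (for instance from dd if=/dev/sda bs=512 count=1) in the classic MBR layout: 440 bytes of bootstrap code, the 4-byte disk signature at offset 440 (the value Windows stores in the BCD to identify the boot device), four 16-byte partition entries at offset 446 and the 0x55AA signature at the end. The test for stock Windows boot code looks for the English error strings the Windows MBR carries; that is an assumption, as is the constructed sample disk (a Windows 7 style System Reserved plus Windows partition).

```python
"""Parse and sanity-check a 512-byte MBR dump.

Added example; not the dumpit script, TestDisk, or code from the post above.
Assumes a raw sector-0 dump in the classic MBR layout.
"""
import struct
import sys

MBR_SIZE = 512
DISK_SIG_OFFSET = 440
PART_TABLE_OFFSET = 446
BOOT_SIG = b"\x55\xaa"
# One entry: status, CHS start (3 bytes, ignored), type, CHS end (3 bytes, ignored), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"
# Error strings carried by the stock Windows MBR boot code (assumption: English-language strings).
WINDOWS_MBR_STRINGS = (b"Invalid partition table", b"Error loading operating system", b"Missing operating system")


def parse_mbr(data):
    """Return the fields a helper wants to see from a sector-0 dump."""
    if len(data) < MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(data)}")
    partitions = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, data, PART_TABLE_OFFSET + 16 * i)
        if ptype != 0:                      # type 0 marks an unused slot
            partitions.append({"index": i + 1, "status": status, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {
        "boot_signature_ok": data[510:512] == BOOT_SIG,
        "disk_signature": struct.unpack_from("<I", data, DISK_SIG_OFFSET)[0],
        "windows_bootcode": all(s in data[:DISK_SIG_OFFSET] for s in WINDOWS_MBR_STRINGS),
        "partitions": partitions,
    }


def check_mbr(info):
    """Return the problems that would stop a BIOS/Windows MBR boot, or [] if none."""
    warnings = []
    if not info["boot_signature_ok"]:
        warnings.append("missing 0x55AA boot signature; the BIOS will not boot this disk")
    if not info["windows_bootcode"]:
        warnings.append("bootstrap code is not a stock Windows MBR (other loader, vendor tool or bootkit)")
    parts = info["partitions"]
    if not parts:
        warnings.append("partition table is empty")
    active = [p for p in parts if p["status"] == 0x80]
    if parts and not active:
        warnings.append("no partition is flagged active (0x80); the MBR code has nothing to chain to")
    if len(active) > 1:
        warnings.append("more than one active partition")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            warnings.append(f"entry {p['index']}: invalid status byte 0x{p['status']:02x}")
        if p["sectors"] == 0:
            warnings.append(f"entry {p['index']}: zero-length partition")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"]) for p in parts)
    for (_, end_a, ia), (start_b, _, ib) in zip(spans, spans[1:]):
        if start_b < end_a:
            warnings.append(f"entries {ia} and {ib} overlap")
    return warnings


def build_sample_mbr(active=True):
    """Constructed sample: stock-looking boot code, System Reserved (100 MB) + Windows partition, both NTFS (0x07)."""
    code = bytearray(DISK_SIG_OFFSET)
    offset = 0x100
    for s in WINDOWS_MBR_STRINGS:               # plant the message strings where real code keeps them
        code[offset:offset + len(s)] = s
        offset += len(s) + 1
    disk_sig = struct.pack("<I", 0x1A2B3C4D) + b"\x00\x00"   # signature + 2 reserved bytes
    table = struct.pack(ENTRY_FMT, 0x80 if active else 0x00, 0x07, 2048, 204800)
    table += struct.pack(ENTRY_FMT, 0x00, 0x07, 206848, 488392704)
    table += bytes(32)                          # two unused slots
    return bytes(code) + disk_sig + table + BOOT_SIG


def describe(info):
    """Lines a helper would paste into a reply."""
    lines = [f"disk signature 0x{info['disk_signature']:08X}, "
             f"boot signature {'ok' if info['boot_signature_ok'] else 'MISSING'}"]
    for p in info["partitions"]:
        flag = "active" if p["status"] == 0x80 else "      "
        lines.append(f"  #{p['index']} {flag} type 0x{p['type']:02X} "
                     f"start {p['lba_start']:>10} sectors {p['sectors']:>10}")
    lines.extend("  WARNING: " + w for w in check_mbr(info))
    return lines


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read(MBR_SIZE) if len(sys.argv) > 1 else build_sample_mbr()
    print("\n".join(describe(parse_mbr(data))))
```

Run it as `python mbr_check.py mbr.bin` on the unzipped dump; with no argument it runs over the constructed sample. The disk signature it prints is the value to compare against the device entries in the bcd.txt export, since a changed signature (after cloning, imaging or a partition tool rewriting sector 0) leaves the BCD pointing at a device Windows can no longer find.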
  12. Nothing of concern in that log. Please download Process Explorer from Microsoft Sysinternals. Extract the contents of the zip file to their own folder, open the folder and run procexp.exe.
      Click the entry System once to select it.
      Click View on the menu, then make sure Show Lower Pane is checked. You should have a split window with upper and lower panes.
      Click View>Lower Pane View and select DLLs. The lower pane will populate.
      When the System process is consuming a lot of CPU cycles, click File>Save As in Process Explorer. Save it to a convenient location (it will default to the name System.txt).
      Now click View>Lower Pane View and select Handles. When the lower pane populates, and with the System process at high CPU usage, save another log and name it System1.txt.
      Attach both logs in an email to me for review. Put RE:PCP logs in the Subject line.
  13. Your logs appear clean. Let's run 1 more tool now. This tool tends to be quite aggressive, so please be sure to configure it exactly as listed below. I only want to see a Report of what it finds.
      Download Dr.Web CureIt to the desktop: ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
      Double-click the drweb-cureit.exe file and click 'Start' to run the express scan. This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
      Once the short scan has finished, we need to change the default settings. In the Menu Bar at the top, click 'Setting'>Change Settings. Click on the Actions tab. Using the drop down menus, change each item under Objects and Malware to Report.
      Next, 'tick' Complete Scan. Click the green arrow at the right, and the scan will start. Click 'No to All' if it asks if you want to cure/move the file.
      After the scan has completed, in the Dr.Web CureIt menu on top, click File and choose Save Report List. Save the report to your desktop. The report will be called DrWeb.csv. Close Dr.Web CureIt.
      Post the contents of the log from Dr.Web you saved previously in your next reply.
      Look again in the Task Manager for the process consuming CPU cycles and get the exact process name for me please. Should be something with an exe extension.
  14. You are quite welcome. Glad I could help.
  15. Copy the bolded line below.
      sc stop RoxLiveShare9
      Click Start>Run, then paste the command in the Run dialog and hit Enter. Now, do the same with this next command.
      sc delete RoxLiveShare9
      That should remove the service, and you can delete that entire Roxio Shared folder.