noahdfear

Trusted Malware Techs
  • Content Count: 336
Everything posted by noahdfear

  1. I must again apologize - I forgot about you (one of the reasons I seldom work topics anymore). Despite reporting that the sfc results were written to the cbs.log, they were not, meaning they are of no help. I did some testing with a number of files to see if I could reproduce the behavior you're experiencing and the closest I came, albeit slightly different, was in not allowing userinit.exe to load. That said, let's see if replacing yours will help. Repeat the procedure in Post #50 using the replace.txt file attached to this post (delete the one from before). If there's no change aft
  2. Let's see if that log reveals anything helpful. You'll need the driver.sh script from here on your flash drive. Boot into xPUD and navigate to the flash drive then click Tool>Open Terminal. Type the following command then press Enter. bash driver.sh -f When prompted for the filename to search for type cbs.log and press Enter. If any copies are found it should show the location on the screen, as well as echo the results to a log named filefind.txt on the flash drive. I expect the cbs.log file to be located in /mnt/sda3/windows/logs - if so, please copy it to your flash drive the
  3. My apologies for the delay in a response. I've been banging my head trying to figure out a cause for your situation, and quite frankly, I'm just not finding anything. Let's run the system file checker from the Recovery Environment and see if that produces a positive result. Start your computer and tap F8 to enable the Advanced startup menu then select Repair your computer. When the System Recovery Options screen comes up select Command Prompt. Type in the following bolded command, replacing the red underscores with spaces, then press Enter. sfc_/scannow_/offbootdir=c:\_/offwindir=c:\win
  4. Start the computer, pressing F8 to enable the Advanced Start menu. Select Repair your computer. If Startup Repair starts automatically, when it completes click the link View advanced options for system recovery and support to open the System Recovery Options menu. Select System Restore then click Next. If any restore points are available they will be listed. If none are listed with a date prior to the current problem, check the box Show more restore points. Click to select a date just prior to the current problem then click Next. Click Finish to confirm - your computer will restart and att
  5. Hi Steve, I have studied and re-studied everything you've submitted and I still do not see anything that could be blamed for the behavior of your computer. On the off chance that explorer.exe is corrupted, let's replace it with another copy on your drive. Please download the attached replace.txt file and save it to your flash drive. Make sure that the driver.sh script you downloaded previously is still on the flash drive as well. Boot into xPUD and navigate to the flash drive (sdb1) then click Tool>Open Terminal. Type the following bolded command then press Enter. bash driver.sh
  6. Please save xPUDtd to your flash drive. Boot to xPUD with the flash drive attached, navigate to the flash drive then double click xPUDtd to run it. At the first screen, leave [Create] selected and press Enter. The next screen will show your disk drives, generally the hard drive will be first, usb second. You should be able to verify by the size. Select the hard drive, select [Proceed] and press Enter. At the next screen select [intel] and press Enter. Now at the actions option screen, arrow down to [Advanced] and press Enter. Select [boot] and press Enter - you may have to arrow up/down to s
  7. Let's do it this way then. First, zip up the bcd.txt file (right click>Send To>Compressed (zipped) folder) Go to my submissions site and upload the bcd.zip and mbr.zip files. http://noahdfear.net/max/upload.php
  8. You will need to type something into the reply text box - I don't think the forum software will allow you to post a blank reply.
  9. Click Add Reply then on the Replying to Blank Screen page click the Browse button located below the reply textbox. Select your file and click Open. Click Attach this file. Finally, click Add Reply.
  10. Right click on the link and select Save Target As
  11. Hi Steve, I've looked over your registry hives, and the bcd, and frankly I don't see a problem with any of them. That said, I cannot get true results from your bcd - true results can only come from the machine on which the bcd lives. So, let's see if we can get an export from your bcd. Plug in your flash drive and start the computer, pressing F8 to enable the Advanced Start menu. Select Repair your computer. If Startup Repair starts automatically, when it completes click the link View advanced options for system recovery and support to open the System Recovery Options menu. Select Comma
  12. Nothing of concern in that log. Please download Process Explorer from Microsoft Sysinternals. Extract the contents of the zip file to their own folder, open the folder and run procexp.exe. Click the entry System once to select it. Click View on the menu, then make sure Show Lower Pane is checked. You should have a split window with upper and lower panes. Click View>Lower Pane View and select DLLs. The lower pane will populate. When the System process is consuming a lot of CPU cycles, click File>Save As in Process Explorer. Save it to a convenient l
  13. Your logs appear clean. Let's run 1 more tool now. This tool tends to be quite aggressive, so please be sure to configure it exactly as listed below. I only want to see a Report of what it finds. Download Dr.Web CureIt to the desktop: ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe Double-click the drweb-cureit.exe file and click 'Start' to run the express scan. This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan. Once the short scan has finished, we need to chan
  14. Copy the bolded line below. sc stop RoxLiveShare9 Click Start>Run then paste the command in the Run dialog and hit Enter. Now, do the same with this next command. sc delete RoxLiveShare9 That should remove the service, and you can delete that entire Roxio Shared folder.
  15. No sign of infection there. Looks like you got it all.
  16. Hi tonyc1075, Let's get a rootkit scan just to make sure it's gone, since I don't see the actual driver removed in any of the logs. Download GMER Rootkit Scanner from here. Extract the contents of the zipped file to desktop. Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent. If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO. In the right panel, you will see several boxes that have been checked. Uncheck the following ...Sections IAT/EAT Drives/Partition other than Systemdrive (typically C:\) Show All (don't m
  17. Hi foreverking, We need a bit more comprehensive look at things. Please download DDS and save it to your desktop. Disable any script blocking protection. Double click dds.scr to run the tool. When done, DDS will open two (2) logs: DDS.txt and Attach.txt. Save both reports to your desktop. Please include the contents of both logs in your next reply. The scan will instruct you to post the attach log as an attachment. No need for that though ..... just post it as you would any other log.
  18. Welcome to The Pit Maple, CLView.exe is the Microsoft Office Help Client Viewer. Nothing apparent in the HijackThis log, so I'd like to get a couple more logs that give us a more comprehensive look at things. Please download DDS and save it to your desktop. Disable any script blocking protection. Double click dds.scr to run the tool. When done, DDS will open two (2) logs: DDS.txt and Attach.txt. Save both reports to your desktop. Please include the contents of both logs in your next reply. The scan will instruct you to post the attach log as an attachment. No need for that though ...
  19. I'm happy to hear that resolved the problem. You're very welcome for the help. Happy New Year to you too! Surf safe!!
  20. Good news! The infected files are all in ComboFix's quarantine folder, and the recycle bin. I don't know when you ran ComboFix, but had it been properly uninstalled you would not have that folder. Let's clean that up. If you still have ComboFix.exe delete it. Download a fresh copy from here, saving the file to your desktop. ComboFix.exe must be on the Desktop for this to work! Highlight and copy the following bolded command. "%userprofile%\desktop\combofix.exe" /u Click Start then Run and paste the command in the Run dialog, then hit Enter. ComboFix will run and uninstall itself rem
  21. Hi Madger and welcome to The Pit, Please visit the following webpage for instructions for downloading and running ComboFix How to use ComboFix Download ComboFix by sUBs from here, saving the file to your desktop. Disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs. Close all open programs and windows. Double click ComboFix.exe and follow the prompts. It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log i
  22. Recommend you do a full scan with SpySweeper and see if you can get details.
  23. I suspect SubInACL is compatible with Vista, though I have not tested so rescind that recommendation. Since you are no longer receiving the errors, no need to do anything else.