pceu virus [Solved]


  • This topic is locked
25 replies to this topic

#1 robmiller

Posted 12 January 2014 - 01:21 PM

Please forgive me if this has been dealt with before, but I'm completely stuck and need help.



#2 Satchfan

Posted 12 January 2014 - 02:45 PM

Hello robmiller and welcome to the WTT forum.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:

  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested


Run RogueKiller

IMPORTANT: Please remove any usb or external drives from the computer before you run this scan!

Close all running programs.


Download one of these to your desktop:

for a 32-bit system download this version.
for 64-bit use this one
  • close all running programs
  • for Windows Vista/Seven, right click -> run as administrator, for XP simply double-click on RogueKiller.exe
  • when the pre-scan is finished, click on Scan
  • click on Report and copy/paste the content in your next post
  • NOTE: DO NOT attempt to remove anything that the scan detects – everything that is reported is not necessarily bad

If the program is blocked, continue to try it several times. If it still doesn’t work, (it could happen), rename it to winlogon.exe.

Please post the contents of the RKreport.txt in your next reply.

Satchfan
 


NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

#3 robmiller

Posted 12 January 2014 - 04:10 PM

Thank you for your reply. Unfortunately I'm on my wife's laptop, as my PC, the one that's infected, will not start in safe mode and has a blue screen now on main start up. I desperately need to rescue my pictures from my PC. I have tried removing the hard drive from the PC and slaving it on a PC I've borrowed, but my documents folder is blocked. I've tried Farbar but that doesn't bring up the repair option on reboot.

I'm not a complete PC newbie but have limited knowledge. It's an old PC, 3200 processor, running XP.

thank you for your help



#4 Satchfan

Posted 12 January 2014 - 05:24 PM

Do you have a Windows XP startup disk or Windows XP CD?


#5 robmiller

Posted 12 January 2014 - 05:28 PM

Yes, I have an XP CD.



#6 Satchfan

Posted 13 January 2014 - 02:36 AM

This infection locks you out of your computer and we need to try a couple of ways to gain access.

Hopefully we'll be able to get your pictures back but I need a bit more information before deciding on how to deal with this.

When you tried using Farbar Recovery Scan Tool, please tell me how you tried it and what happened.


#7 robmiller

Posted 13 January 2014 - 01:37 PM

Went to bleepingcomputer.com, downloaded the 32-bit version on a PC I have borrowed from work, and copied the file onto a USB stick.

Booted up the infected PC, signed in at log on. Waited for the hard disk to stop accessing files, inserted the USB stick, waited for the green light to blink steadily. Turned off the PC by the front power button as I can't get to the start bar. Restarted, pressed F8 after first boot; the repair option is not on the available list of options (e.g. safe mode, command prompt, etc.). Did manage to get to Notepad once by going in on debugging mode, but had absolutely no idea what to type in so closed down. Hope this is of help.



#8 Satchfan

Posted 13 January 2014 - 03:52 PM

Using the computer that works, download Farbar Recovery Scan Tool from one of the following links and save it to a flash drive.

 

Note: You need to run the version compatible with your system.

32-bit
64-bit

  • next, download OTLPENet.exe to your Desktop
  • make sure that you have a blank CD in the drive
  • double click OTLPENet.exe and this will then open ImgBurn to burn the file to CD
  • boot your infected computer using the boot CD you just created.

If Windows starts normally, you’ll have to change a BIOS setting to boot from CD: how to do this varies between different computer models but usually it's written on the first screen displayed after power on, e.g. "Press Del to Enter Setup", "F12 = Boot order" (you can follow the steps here).

  • your system should now display a Reatogo desktop.
  • insert the flash drive with FRST on it
  • open My Computer to locate the flash drive and run FRST
  • when the tool starts to run, click Yes to the disclaimer
  • press the Scan button
  • when it has finished, it will create a log, (FRST.txt), on the flash drive
  • move the flash drive to a working computer and open the log file in Notepad.

Please copy and paste it to your reply.

 

Satchfan
 

 


#9 robmiller

Posted 14 January 2014 - 12:45 PM

Have done as requested: infected PC booted to Reatogo, ran Farbar, created log file, copied, unable to paste?



#10 Satchfan

Posted 14 January 2014 - 03:25 PM

For some reason there is a problem pasting in Internet Explorer.

 

Please use either Firefox or Chrome as your browser and try again.


#11 robmiller

Posted 14 January 2014 - 04:08 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-01-2014 01
Ran by SYSTEM on REATOGO on 14-01-2014 18:22:54
Running from H:\
Microsoft Windows XP (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Recovery
 
The current controlset is ControlSet002
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
 
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [BluetoothAuthenticationAgent] - rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [AvastUI.exe] - C:\Program Files\AVAST Software\Avast\AvastUI.exe [3764024 2014-01-10] (AVAST Software)
HKLM\...\Winlogon: [Shell] Explorer.exe [x ] ()
HKU\rmiller\...\Run: [swg] - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [ 2012-02-23] (Google Inc.)
HKU\rmiller\...\Run: [NBJ] - C:\Program Files\Ahead\Nero BackItUp\NBJ.exe [ 2004-09-07] (Ahead Software AG)
Startup: C:\Documents and Settings\rmiller\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> B:\Documents and Settings\Default User\Application Data\Dropbox\bin\Dropbox.exe (No File)
Startup: C:\Documents and Settings\rmiller\Start Menu\Programs\Startup\lodll7r.lnk
ShortcutTarget: lodll7r.lnk -> C:\Documents and Settings\All Users\Application Data\r7lldol.jss (http://tortoisesvn.net)
Startup: C:\Documents and Settings\rmiller\Start Menu\Programs\Startup\v7trj9jl.lnk
ShortcutTarget: v7trj9jl.lnk -> C:\Documents and Settings\All Users\Application Data\lj9jrt7v.jss (http://tortoisesvn.net)
 
========================== Services (Whitelisted) =================
 
S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-01-10] (AVAST Software)
S2 InCDsrv; C:\Program Files\Ahead\InCD\InCDsrv.exe [1192050 2004-09-13] (Ahead Software AG)
S2 InCDsrvR; C:\Program Files\Ahead\InCD\InCDsrv.exe [1192050 2004-09-13] (Ahead Software AG)
S2 winmgmt; C:\Documents and Settings\All Users\Application Data\lj9jrt7v.jss [307712 2013-12-27] (http://tortoisesvn.net)
 
==================== Drivers (Whitelisted) ====================
 
S1 aswKbd; C:\Windows\System32\Drivers\aswKbd.sys [24408 2012-03-06] (AVAST Software)
S2 aswMonFlt; C:\WINDOWS\system32\drivers\aswMonFlt.sys [67824 2014-01-10] (AVAST Software)
S1 aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [54832 2014-01-10] (AVAST Software)
S0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [49944 2013-11-29] ()
S1 aswSnx; C:\WINDOWS\system32\drivers\aswSnx.sys [775952 2014-01-10] (AVAST Software)
S1 aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [410528 2014-01-10] (AVAST Software)
S1 aswTdi; C:\WINDOWS\system32\drivers\aswTdi.sys [57672 2014-01-10] (AVAST Software)
S0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [180248 2014-01-10] ()
S3 ds1; C:\Windows\System32\drivers\ds1wdm.sys [334208 2001-08-17] (Yamaha Corp.)
S3 gameenum; C:\Windows\System32\drivers\gameenum.sys [10624 2008-04-13] (Microsoft Corporation)
S3 HPZid412; C:\Windows\System32\DRIVERS\HPZid412.sys [49920 2007-10-29] (HP)
S3 HPZipr12; C:\Windows\System32\DRIVERS\HPZipr12.sys [16496 2007-10-29] (HP)
S3 HPZius12; C:\Windows\System32\DRIVERS\HPZius12.sys [21568 2007-10-29] (HP)
S4 InCDfs; C:\Windows\System32\Drivers\InCDfs.sys [93440 2004-09-13] (Ahead Software AG)
S1 InCDPass; C:\Windows\System32\DRIVERS\InCDPass.sys [28672 2004-09-13] (Ahead Software AG)
S1 InCDrec; C:\Windows\System32\Drivers\InCDrec.sys [7680 2004-09-13] (Ahead Software AG)
S1 incdrm; C:\Windows\System32\Drivers\incdrm.sys [27648 2004-09-13] (Ahead Software AG)
S3 rtl8139; C:\Windows\System32\DRIVERS\RTL8139.SYS [20992 2004-08-04] (Realtek Semiconductor Corporation)
S4 hpt3xx; No ImagePath
S4 IntelIde; No ImagePath
S5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-01-14 18:22 - 2014-01-14 18:22 - 00000000 ____D C:\FRST
2014-01-09 13:25 - 2014-01-09 13:28 - 00000000 ____D C:\41d2e2aa28665d3d0e56
2013-12-27 18:56 - 2013-12-27 18:56 - 00000393 _____ C:\Documents and Settings\All Users\Application Data\v7trj9jl.reg
2013-12-27 18:56 - 2013-12-27 18:56 - 00000387 _____ C:\Documents and Settings\All Users\Application Data\lodll7r.reg
2013-12-27 18:54 - 2014-01-10 13:56 - 95025368 ____T C:\Documents and Settings\All Users\Application Data\v7trj9jl.fee
2013-12-27 18:54 - 2014-01-10 13:55 - 00000000 _____ C:\Documents and Settings\All Users\Application Data\v7trj9jl.odd
2013-12-27 18:54 - 2014-01-10 13:42 - 95025368 ____T C:\Documents and Settings\All Users\Application Data\lodll7r.fee
2013-12-27 18:54 - 2014-01-10 13:37 - 00000000 _____ C:\Documents and Settings\All Users\Application Data\lodll7r.odd
2013-12-27 18:54 - 2013-12-27 18:54 - 00307712 _____ (http://tortoisesvn.net) C:\Documents and Settings\All Users\Application Data\r7lldol.jss
2013-12-27 18:54 - 2013-12-27 18:54 - 00307712 _____ (http://tortoisesvn.net) C:\Documents and Settings\All Users\Application Data\lj9jrt7v.jss
 
==================== One Month Modified Files and Folders =======
 
2014-01-14 18:22 - 2014-01-14 18:22 - 00000000 ____D C:\FRST
2014-01-14 13:14 - 2011-05-22 15:10 - 01769332 _____ C:\Windows\WindowsUpdate.log
2014-01-14 13:14 - 2011-05-22 15:08 - 00032420 _____ C:\Windows\SchedLgU.Txt
2014-01-14 13:14 - 2011-05-22 14:04 - 00000216 _____ C:\Windows\wiadebug.log
2014-01-14 13:14 - 2011-05-22 14:04 - 00000049 _____ C:\Windows\wiaservc.log
2014-01-14 13:11 - 2011-05-22 15:10 - 00000178 ___SH C:\Documents and Settings\rmiller\ntuser.ini
2014-01-14 13:09 - 2001-08-23 07:00 - 00002206 _____ C:\Windows\System32\wpa.dbl
2014-01-12 11:42 - 2011-05-22 14:02 - 00473015 _____ C:\Windows\setupapi.log
2014-01-10 17:56 - 2013-03-16 12:59 - 00180248 _____ C:\Windows\System32\Drivers\aswVmm.sys
2014-01-10 17:56 - 2013-03-16 12:59 - 00067824 _____ (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
2014-01-10 17:56 - 2012-05-13 15:52 - 00001733 _____ C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
2014-01-10 17:56 - 2011-05-22 16:34 - 00775952 _____ (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
2014-01-10 17:56 - 2011-05-22 16:34 - 00410528 _____ (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
2014-01-10 17:56 - 2011-05-22 16:34 - 00270240 _____ (AVAST Software) C:\Windows\System32\aswBoot.exe
2014-01-10 17:56 - 2011-05-22 16:34 - 00057672 _____ (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
2014-01-10 17:56 - 2011-05-22 16:34 - 00054832 _____ (AVAST Software) C:\Windows\System32\Drivers\aswRdr.sys
2014-01-10 17:56 - 2011-05-22 16:34 - 00043152 _____ (AVAST Software) C:\Windows\avastSS.scr
2014-01-10 13:56 - 2013-12-27 18:54 - 95025368 ____T C:\Documents and Settings\All Users\Application Data\v7trj9jl.fee
2014-01-10 13:55 - 2013-12-27 18:54 - 00000000 _____ C:\Documents and Settings\All Users\Application Data\v7trj9jl.odd
2014-01-10 13:42 - 2013-12-27 18:54 - 95025368 ____T C:\Documents and Settings\All Users\Application Data\lodll7r.fee
2014-01-10 13:41 - 2013-03-04 12:45 - 00001020 _____ C:\Documents and Settings\rmiller\Desktop\Dropbox.lnk
2014-01-10 13:41 - 2013-03-04 12:45 - 00000000 ___RD C:\Documents and Settings\rmiller\My Documents\Dropbox
2014-01-10 13:41 - 2013-03-04 12:41 - 00000000 ____D C:\Documents and Settings\rmiller\Application Data\Dropbox
2014-01-10 13:37 - 2013-12-27 18:54 - 00000000 _____ C:\Documents and Settings\All Users\Application Data\lodll7r.odd
2014-01-09 13:28 - 2014-01-09 13:25 - 00000000 ____D C:\41d2e2aa28665d3d0e56
2013-12-27 18:56 - 2013-12-27 18:56 - 00000393 _____ C:\Documents and Settings\All Users\Application Data\v7trj9jl.reg
2013-12-27 18:56 - 2013-12-27 18:56 - 00000387 _____ C:\Documents and Settings\All Users\Application Data\lodll7r.reg
2013-12-27 18:54 - 2013-12-27 18:54 - 00307712 _____ (http://tortoisesvn.net) C:\Documents and Settings\All Users\Application Data\r7lldol.jss
2013-12-27 18:54 - 2013-12-27 18:54 - 00307712 _____ (http://tortoisesvn.net) C:\Documents and Settings\All Users\Application Data\lj9jrt7v.jss
2013-12-27 18:46 - 2011-05-22 16:42 - 00000664 _____ C:\Windows\System32\d3d9caps.dat
 
Some content of TEMP:
====================
C:\Documents and Settings\rmiller\Local Settings\Temp\avguidx.dll
C:\Documents and Settings\rmiller\Local Settings\Temp\CommonInstaller.exe
C:\Documents and Settings\rmiller\Local Settings\Temp\GoogleToolbarInstaller_en32_signed.exe
C:\Documents and Settings\rmiller\Local Settings\Temp\hat.dll
C:\Documents and Settings\rmiller\Local Settings\Temp\iGearedHelper.dll
C:\Documents and Settings\rmiller\Local Settings\Temp\MachineIdCreator.exe
C:\Documents and Settings\rmiller\Local Settings\Temp\ose00000.exe
C:\Documents and Settings\rmiller\Local Settings\Temp\qCtO.dll
C:\Documents and Settings\rmiller\Local Settings\Temp\ToolbarInstaller.exe
C:\Documents and Settings\rmiller\Local Settings\Temp\UNINSTALL.exe
 
 
==================== Known DLLs (Whitelisted) ============
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points (XP) =====================
 
RP: -> 2013-12-05 13:14 - 024576 _restore{0E6E6536-902F-4A16-8F6F-E361F7D073F7}\RP99 
 
RP: -> 2013-11-30 18:32 - 024576 _restore{0E6E6536-902F-4A16-8F6F-E361F7D073F7}\RP98 
 
RP: -> 2013-11-29 16:41 - 024576 _restore{0E6E6536-902F-4A16-8F6F-E361F7D073F7}\RP97 
 
RP: -> 2013-11-23 18:14 - 024576 _restore{0E6E6536-902F-4A16-8F6F-E361F7D073F7}\RP96 
 
RP: -> 2013-11-16 09:32 - 024576 _restore{0E6E6536-902F-4A16-8F6F-E361F7D073F7}\RP95 
 
RP: -> 2013-11-09 19:04 - 024576 _restore{0E6E6536-902F-4A16-8F6F-E361F7D073F7}\RP94 
 
RP: -> 2013-11-02 18:32 - 024576 _restore{0E6E6536-902F-4A16-8F6F-E361F7D073F7}\RP93 
 
RP: -> 2013-10-26 06:32 - 024576 _restore{0E6E6536-902F-4A16-8F6F-E361F7D073F7}\RP92 
 
RP: -> 2014-01-10 17:54 - 024576 _restore{0E6E6536-902F-4A16-8F6F-E361F7D073F7}\RP106 
 
RP: -> 2014-01-10 13:40 - 024576 _restore{0E6E6536-902F-4A16-8F6F-E361F7D073F7}\RP105 
 
RP: -> 2013-12-30 07:27 - 024576 _restore{0E6E6536-902F-4A16-8F6F-E361F7D073F7}\RP104 
 
RP: -> 2013-12-28 15:47 - 024576 _restore{0E6E6536-902F-4A16-8F6F-E361F7D073F7}\RP103 
 
RP: -> 2013-12-21 13:26 - 024576 _restore{0E6E6536-902F-4A16-8F6F-E361F7D073F7}\RP102 
 
RP: -> 2013-12-14 18:21 - 024576 _restore{0E6E6536-902F-4A16-8F6F-E361F7D073F7}\RP101 
 
RP: -> 2013-12-11 12:05 - 024576 _restore{0E6E6536-902F-4A16-8F6F-E361F7D073F7}\RP100 
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 17%
Total physical RAM: 1470.48 MB
Available physical RAM: 1214.78 MB
Total Pagefile: 1304.51 MB
Available Pagefile: 1230.71 MB
Total Virtual: 2047.88 MB
Available Virtual: 2000.15 MB
 
==================== Drives ================================
 
Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
Drive c: () (Fixed) (Total:127.99 GB) (Free:109.98 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive h: (DISGO) (Removable) (Total:0.11 GB) (Free:0.11 GB) FAT
Drive x: (ReatogoPE) (CDROM) (Total:0.43 GB) (Free:0 GB) CDFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 149 GB) (Disk ID: 1549F232)
Partition 1: (Active) - (Size=128 GB) - (Type=07 NTFS)
 
========================================================
Disk: 5 (Size: 117 MB) (Disk ID: 2B9F264E)
Partition 1: (Active) - (Size=117 MB) - (Type=06)
 
==================== End Of Log ============================
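
An added example, not part of the original posts and not FRST's own logic: a small triage script that reads FRST log text and flags the persistence entries a helper would look at first in the log above. The heuristics (which extensions count as loadable, which directories count as user-writable) and the function names are assumptions made for this illustration; the sample lines are excerpted from the log above.

```python
import ntpath
import re
from collections import defaultdict

# Lines excerpted from the FRST log posted above (a subset, not the full log).
SAMPLE_LOG = r"""
HKLM\...\Run: [AvastUI.exe] - C:\Program Files\AVAST Software\Avast\AvastUI.exe [3764024 2014-01-10] (AVAST Software)
ShortcutTarget: Dropbox.lnk -> B:\Documents and Settings\Default User\Application Data\Dropbox\bin\Dropbox.exe (No File)
ShortcutTarget: lodll7r.lnk -> C:\Documents and Settings\All Users\Application Data\r7lldol.jss (http://tortoisesvn.net)
ShortcutTarget: v7trj9jl.lnk -> C:\Documents and Settings\All Users\Application Data\lj9jrt7v.jss (http://tortoisesvn.net)
S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-01-10] (AVAST Software)
S2 winmgmt; C:\Documents and Settings\All Users\Application Data\lj9jrt7v.jss [307712 2013-12-27] (http://tortoisesvn.net)
S1 aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [410528 2014-01-10] (AVAST Software)
S4 hpt3xx; No ImagePath
C:\Windows\explorer.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\winlogon.exe => MD5 is legit
"""

SERVICE_RE = re.compile(
    r"^[SR]\d (?P<name>[^;]+); (?P<path>[A-Za-z]:\\.+) \[\d+ \d{4}-\d{2}-\d{2}\]")
SHORTCUT_RE = re.compile(
    r"^ShortcutTarget: (?P<name>.+?) -> (?P<path>[A-Za-z]:\\.+) \([^()]*\)\s*$")
ATTENTION_MARK = "<==== ATTENTION"

# Heuristics chosen for this example (assumptions, not FRST's own rules).
LOADABLE_EXT = {".exe", ".dll", ".sys"}
USER_WRITABLE = ("\\application data\\", "\\local settings\\temp\\")


def reasons_for(path, check_location):
    """Return the list of reasons a persistence target looks out of place."""
    reasons = []
    ext = ntpath.splitext(path)[1].lower()
    if ext not in LOADABLE_EXT:
        reasons.append("unusual extension " + ext)
    if check_location and any(d in path.lower() for d in USER_WRITABLE):
        reasons.append("runs from a user-writable data directory")
    return reasons


def triage(log_text):
    """Scan FRST log text and return findings as (kind, name, path, reasons)."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if ATTENTION_MARK in line:
            path = line.split(" IS MISSING")[0].split(" <====")[0]
            findings.append(("attention", ntpath.basename(path), path, [line]))
            continue
        m = SERVICE_RE.match(line)
        if m:
            # Services and drivers: location matters as well as file type.
            why = reasons_for(m["path"], check_location=True)
            if why:
                findings.append(("service", m["name"], m["path"], why))
            continue
        m = SHORTCUT_RE.match(line)
        if m:
            # Startup shortcuts: user software often lives under Application
            # Data, so only the file type is checked here.
            why = reasons_for(m["path"], check_location=False)
            if why:
                findings.append(("shortcut", m["name"], m["path"], why))
    return findings


def shared_targets(findings):
    """Map each file referenced by more than one persistence entry to them."""
    refs = defaultdict(list)
    for kind, name, path, _ in findings:
        if kind != "attention":
            refs[path.lower()].append(kind + ":" + name)
    return {p: r for p, r in refs.items() if len(r) > 1}


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for kind, name, path, why in results:
        print(f"[{kind}] {name}: {path} ({'; '.join(why)})")
    for path, refs in shared_targets(results).items():
        print("shared target:", path, "<-", ", ".join(refs))
```

On the excerpt, the Dropbox shortcut and the Avast entries pass, while the two .jss shortcut targets, the winmgmt service and the missing explorer.exe are reported; lj9jrt7v.jss is listed as a file reached by both a startup shortcut and a service.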


#12 Satchfan

Posted 14 January 2014 - 04:28 PM

Hi

 

Glad you got that to paste OK. We're making progress as I can see the problem and hopefully we can deal with it.

 

I have a very early start in the morning so will have to reply tomorrow, (10.30 GMT here now).

 

Satchfan


#13 Satchfan

Posted 15 January 2014 - 03:04 AM

I have a few minutes before I leave so thought I'd leave you with instructions to be getting on with until later. :)

 

 

Using the same CD, please boot into the PE (Preinstallation Environment) and run FRST again. Type the following in the edit box after "Search:".

explorer.exe

Click the Search button and post the log in your reply, (the log Search.txt can be found in the same place as the previous log you sent).

 

Thanks

 

Satchfan


#14 robmiller

Posted 15 January 2014 - 12:19 PM

Farbar Recovery Scan Tool (x86) Version: 12-01-2014 01
Ran by SYSTEM at 2014-01-15 18:02:53
Running from H:\
Boot Mode: Recovery
 
================== Search: "explorer.exe" ===================
 
C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2004-08-04 02:56] - [2008-04-13 19:12] - 1033728 ____N (Microsoft Corporation) 12896823fb95bfb3dc9b46bcaedc9923 
 
C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
[2011-06-12 13:08] - [2004-08-04 02:56] - 1032192 ____C (Microsoft Corporation) a0732187050030ae399b241436565e64 
 
X:\I386\EXPLORER.EXE
[2004-08-03 20:07] - [2004-08-03 20:07] - 1032192 ____R (Microsoft Corporation) a0732187050030ae399b241436565e64 
 
=== End Of Search ===


#15 Satchfan

Posted 15 January 2014 - 04:58 PM

We need to fix an entry that FRST found.

  • click Start
  • type notepad.exe in the search programs and files box and click Enter
  • a blank Notepad page should open
  • copy/paste the contents of the code box below into Notepad.

Replace:C:\WINDOWS\ServicePackFiles\i386\explorer.exe C:\Windows\explorer.exe

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.


  • save it to your USB flashdrive as fixlist.txt
  • boot into the PE (Preinstallation Environment)
  • start FRST as you did when you ran a scan earlier, but this time when it opens press the Fix button once and wait
  • when finished, it will produce a log fixlog.txt on your USB flashdrive
  • exit the Recovery Environment and post the log.

Please also try to boot to Windows and tell me how it goes.

Thanks

Satchfan

 

