
Farbar Recovery Scan Tool Not Compatible


  • This topic is locked
26 replies to this topic

#1 eternalliving

  • Members
  • 13 posts

Posted 11 April 2012 - 02:20 AM

Hi,
My computer started crashing on load and during safemode boot up after running ComboFix to remove a rootkit... At the time I wasn't able to run TDSSKiller for an unknown reason and after ComboFix looked like it was successful, the computer ended up not starting. I've run everything under the sun to try and fix this problem then I heard of Farbar's Recovery Scan Tool... Loaded it on a flash drive, whipped it over to the laptop, and lo and behold....

This version of C:\FRST64.exe is not compatible with the version of Windows you're running. Check your computer's system information to see whether you need a ..................

Anyway, it is a 64bit operating system that is installed and I had tried the 32bit program and neither worked... I attempted to download it again without success....

The system looks like it reboots just as it blinks from the starting windows screen to the logon screen...

Any help would be great.
Thank you



#2 narenxp

  • BC Advisor
  • 16,371 posts

Posted 11 April 2012 - 06:44 AM

Hi,

Let me ask someone to help you

good luck

#3 dnthns87

  • Members
  • 27 posts

Posted 11 April 2012 - 07:10 AM

If formatting isn't an option and you had a windows disk you could boot into recovery mode and see if sfc works in recovery console.

SFC System file checker will scan protected files and replace them if they are corrupt.

1) Load recovery console
2) Open the command line
3) type SFC /verifyonly

If files are found to be corrupt then step 4
4) type SFC /scannow

Make sure you have the windows dvd and don't turn off the power.

If you can't get sfc to work in recovery mode then you can log in to the system user. (I'm assuming you're using Windows 7)

1) Load recovery console
2) CD to Windows\system32 directory
3) rename magnify.exe to magnify2.exe and create a copy of cmd.exe and name it magnify.exe
4) restart the machine and at the user login screen look at the bottom left and ease of access then select the magnifier and click apply.
5) cmd.exe will open up instead and inside of it type SFC /verifyonly
Again if that doesn't work then log in as the system user step 6:
6) type explorer.exe and you will be logged in as the system user.

Hope this helps, and from recovery console you should also run chkdsk.
1) Open command line
2) type chkdsk /f
3) wait for it to complete

#4 hamluis

  • Moderator
  • 44,254 posts

Posted 11 April 2012 - 07:57 AM

Both FRST and ComboFix are malware tools...problems with or after use of malware tools are not the province of this forum since this is not a malware forum.

Your topic has been placed on the BC Unbootable (due to malware) List and someone with expertise in malware should be assisting you shortly.

I suggest that you do nothing until one of the BC malware personnel respond to this topic.

Louis

#5 Elise

  • Malware Study Hall Admin
  • 53,919 posts

Posted 13 April 2012 - 04:13 AM

Hello,

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-latest.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download http://noahdfear.net/downloads/xPUD_userinit_fix to your USB (without a file extension, you may have to right click on the link and click on Save Target As, and make sure that "All Files" is selected)
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 right as the computer is initially starting up, and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your hard drive
  • sdb1 is likely your USB
  • Click on sdb1 (this is your USB drive)
  • Confirm that you see xPUD_userinit_fix on your USB drive (sdb1)
  • Double click on xPUD_userinit_fix
  • After it has finished a report will be located on your USB drive named UserinitReport.txt
  • Click on the Home tab, click on Power Off, and then click on Turn Off
  • Remove the USB drive and insert back in your working computer and navigate to UserinitReport.txt

    Please note - all text entries are case sensitive
Please copy and paste the UserinitReport.txt for my review.
regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."




#6 eternalliving


Posted 14 April 2012 - 02:00 PM

Hi,

I downloaded xPud and attempted to run on the sick computer. It comes up with the language select screen and after selecting English it comes up with loading boot/xpud........... and has a lot of dots, then it moves onto the next screen but never comes on. The screen stays blank... Nothing comes up? I tried it several times.

Is there another version of Linux live that I could use? Or a way to make this one work?

I have an HP Pavilion dv4 2010 model...

Thanks

#7 Elise


Posted 14 April 2012 - 02:05 PM

Have you tried to run a startup repair (from the recovery environment)?
regards, Elise


#8 eternalliving


Posted 14 April 2012 - 02:13 PM

Yes, I have tried system repair, chkdsk, bootrec /fix and all that... I've also done sfc /scannow and browsed through the ntbtlog.log without success.. There are errors in the ntbtlog loading about 5 files, but I've checked and none of them are corrupt, at least sfc says so.

Thanks

#9 Elise


Posted 14 April 2012 - 02:24 PM

Can you post me the ntbtlog.txt file?

Did startup repair successfully complete?
regards, Elise


#10 eternalliving


Posted 14 April 2012 - 02:38 PM

Yes, the Startup repair did make it all the way through. It did take its time on the chkdsk, and did not show any errors at the end.
Attached is the ntbtlog.... There's a few safemode startups and a few normal attempts.


#11 Elise


Posted 14 April 2012 - 03:12 PM

Hi again,

In the recovery environment open a command prompt and type notepad and press enter.

Click File > Open. Manually look for c:\windows\system32\drivers\serial.sys
Is this file present?
regards, Elise


#12 eternalliving


Posted 14 April 2012 - 03:31 PM

Yes, all the ones that came up with errors are present in the drivers folder. I have replaced the serial.sys with the one found on the X: drive (winRE) partition to no avail. Thanks

#13 Elise


Posted 14 April 2012 - 03:37 PM

At the command prompt type regedit and press enter.

Highlight the HKEY_LOCAL_MACHINE hive in the left panel and click File > Load Hive. Navigate to c:\windows\system32\config\system and click Open. Give the hive the name TEST.

You will now see TEST under HKEY_LOCAL_MACHINE. Expand it and highlight the Select key. Let me know what value is present after Current. If you're not sure which value I mean, just list everything present in the Select key (you'll see its values in the right panel when you highlight Select in the left panel).

When done, highlight the TEST hive again, and click File > Unload hive (it is very important you do this!).
regards, Elise


#14 eternalliving


Posted 14 April 2012 - 03:39 PM

Current (1)
Default (1)
Failed (0)
LastKnownGood (2)

#15 Elise


Posted 15 April 2012 - 02:43 AM

Please repeat these steps:

At the command prompt type regedit and press enter.

Highlight the HKEY_LOCAL_MACHINE hive in the left panel and click File > Load Hive. Navigate to c:\windows\system32\config\system and click Open. Give the hive the name TEST.

You will now see TEST under HKEY_LOCAL_MACHINE.

Under TEST select ControlSet001.
Under ControlSet001 select Services. Look in the services list for Serial and let me know if it is there.

If you shut down the computer, please be sure to unload the TEST hive as indicated!
regards, Elise
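
The offline-hive checks from posts #11, #13 and #15, as an added batch example that is not part of the thread and not a BleepingComputer tool. It assumes the offline Windows volume is C: as in the posts, reuses the TEST mount name, and resolves the control set from Select\Current (1 in this thread, so ControlSet001) instead of hard-coding it.

```batch
@echo off
setlocal EnableExtensions
rem Added example, not from the thread. Run from the recovery-environment
rem command prompt. Assumption: the offline Windows volume is C:, as in the
rem posts; TEST is the mount name the posts use.
set "WIN=C:\Windows"
set "MOUNT=HKLM\TEST"

reg load "%MOUNT%" "%WIN%\System32\config\SYSTEM" >nul
if errorlevel 1 (
    echo Could not load the SYSTEM hive from %WIN%
    exit /b 1
)

rem Select\Current is a REG_DWORD that reg.exe prints in hex, e.g. 0x1.
set "CUR="
for /f "tokens=1-3" %%A in ('reg query "%MOUNT%\Select" /v Current 2^>nul') do (
    if /i "%%B"=="REG_DWORD" set "CUR=%%C"
)
if not defined CUR (
    echo Select\Current not found
    goto unload
)

rem Map the number to its key name: 0x1 -> 1 -> ControlSet001.
set /a "NUM=%CUR%"
set "PAD=00%NUM%"
set "CS=ControlSet%PAD:~-3%"
echo Current = %CUR%, so the control set in use is %CS%

rem Is the Serial service registered in that control set, and how does it start?
reg query "%MOUNT%\%CS%\Services\Serial" >nul 2>&1
if errorlevel 1 (
    echo Services\Serial is missing from %CS%
) else (
    echo Services\Serial is present in %CS%
    reg query "%MOUNT%\%CS%\Services\Serial" /v Start
)

rem The driver file itself, as checked earlier in the thread.
if exist "%WIN%\System32\drivers\serial.sys" (echo serial.sys is on disk) else (echo serial.sys is NOT on disk)

:unload
rem Always unload the hive when done, as the posts stress.
reg unload "%MOUNT%" >nul
endlocal
```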




