
Start up Repair Virus Removed


This topic is locked
25 replies to this topic

#1 nightowl_80

  • Members
  • 16 posts
  • OFFLINE
  • Local time:04:45 AM

Posted 25 August 2012 - 10:53 AM

I have googled that fix and I found this site and someone had the same problem as me. I read the first step and I did it and attached the log. I hope that someone has time to look at my log and reply with what I need to do next.

#2 Farbar

    Just Curious

  • Security Developer
  • 21,716 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:45 PM

Posted 26 August 2012 - 01:07 PM

Hello nightowl_80,

Welcome to the forum.

How did it happen?

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Please download the attached file fixlist.txt.
Save it to your flash drive.
Boot to System Recovery Options and select "Command Prompt".

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Also restart, let it boot normally and tell me how it went.

#3 Farbar

Posted 26 August 2012 - 01:09 PM

BTW: Please copy and paste the logs instead of attaching them unless it is requested otherwise.

#4 nightowl_80

Posted 26 August 2012 - 11:33 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 25-08-2012
Ran by SYSTEM at 2012-08-26 13:45:32 Run:1
Running from F:\

==============================================

DEFAULT hive was successfully copied to System32\config\HiveBackup
DEFAULT hive was successfully restored from registry back up.
SAM hive was successfully copied to System32\config\HiveBackup
SAM hive was successfully restored from registry back up.
SECURITY hive was successfully copied to System32\config\HiveBackup
SECURITY hive was successfully restored from registry back up.
Could not move SOFTWARE hive.
Could not restore SOFTWARE hive from registry back up.
Could not move SYSTEM hive.
Could not restore SYSTEM hive from registry back up.

==== End of Fixlog ====

I am unaware of how it happened. Also, it still made me do a system repair after rebooting it.

#5 Farbar

Posted 27 August 2012 - 12:51 AM

Please tell me in detail what happens when you start the system and how far it goes. Also, please post a fresh FRST scan log.

#6 nightowl_80

Posted 27 August 2012 - 01:19 AM

I power it on, then it asks me to launch system repair (recommended) or start Windows normally; I click start Windows normally. The next page says loading Windows files, then it goes to Startup Repair.

Scan result of Farbar Recovery Scan Tool Version: 25-08-2012
Ran by SYSTEM at 27-08-2012 01:10:30
Running from F:\
(X64) OS Language: English(US)
Attention: Could not load system hive.ERROR: The request could not be performed because of an I/O device error.

Attention: System hive is missing.

========================== Registry (Whitelisted) =============

Attention: Software hive is missing.

HKU\jenni\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-04-04] (Google Inc.)
HKU\jenni\...\Run: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\Messenger\YahooMessenger.exe" -quiet [5252408 2010-06-01] (Yahoo! Inc.)
HKU\jenni\...\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2988928 2011-06-30] (SUPERAntiSpyware.com)
HKU\jenni\...\Run: [Google Update] "C:\Users\jenni\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-05-16] (Google Inc.)
HKLM\...\Winlogon: [Userinit]
HKLM-x32\...\Winlogon: [Userinit] [x]
HKLM\...\Winlogon: [Shell] [x ] ()
HKLM-x32\...\Winlogon: [Shell] [x ] ()

==================== Services (Whitelisted) ======


========================== Drivers (Whitelisted) =============


========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============



============ 3 Months Modified Files ========================

2012-07-25 22:14 - 2011-05-18 16:52 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-25 22:11 - 2011-05-12 10:01 - 01780746 ____A C:\Windows\WindowsUpdate.log
2012-07-25 22:02 - 2011-05-16 17:15 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3577412162-1554625798-3647938917-1001UA.job
2012-07-25 21:42 - 2012-04-27 11:36 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-07-25 21:32 - 2009-07-13 20:45 - 00015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-25 21:32 - 2009-07-13 20:45 - 00015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-25 21:23 - 2012-05-02 09:53 - 00000374 ____A C:\Windows\System32\Drivers\etc\hosts.ics
2012-07-25 21:23 - 2011-05-18 16:52 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-25 21:22 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-25 21:22 - 2009-07-13 20:51 - 00064720 ____A C:\Windows\setupact.log
2012-07-25 13:20 - 2012-07-25 13:20 - 01272776 ____A C:\Users\jenni\Downloads\ArcadeCandyGames (1).exe
2012-07-25 13:19 - 2012-07-25 13:19 - 01272776 ____A C:\Users\jenni\Downloads\ArcadeCandyGames.exe
2012-07-22 04:02 - 2011-05-16 17:15 - 00000856 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3577412162-1554625798-3647938917-1001Core.job
2012-07-12 23:05 - 2011-05-16 17:16 - 00002413 ____A C:\Users\jenni\Desktop\Google Chrome.lnk
2012-07-12 10:43 - 2012-04-27 11:36 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-07-12 10:43 - 2011-06-16 11:07 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-07-11 11:39 - 2009-07-13 20:45 - 00343552 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-11 03:58 - 2011-05-25 15:03 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-05 10:47 - 2012-07-05 10:47 - 00001927 ____A C:\Users\Public\Desktop\PC Checkup.lnk
2012-06-25 21:44 - 2010-04-04 13:07 - 00028374 ____A C:\Windows\PFRO.log
2012-06-16 07:38 - 2009-07-13 21:13 - 00740814 ____A C:\Windows\System32\PerfStringBackup.INI
2012-06-11 19:08 - 2012-07-11 10:17 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 21:43 - 2012-07-10 21:46 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 20:41 - 2012-07-10 21:46 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-06-05 22:06 - 2012-07-10 21:46 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 22:06 - 2012-07-10 21:46 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 22:02 - 2012-07-10 21:46 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-05 21:05 - 2012-07-10 21:46 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-06-05 21:05 - 2012-07-10 21:46 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-06-05 21:03 - 2012-07-10 21:46 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
2012-06-02 14:19 - 2012-06-22 10:05 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-22 10:05 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-22 10:05 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-22 10:04 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 14:15 - 2012-06-22 10:05 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-22 10:04 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 04:49 - 2012-07-11 03:57 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 04:17 - 2012-07-11 03:57 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 04:12 - 2012-07-11 03:57 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 04:05 - 2012-07-11 03:57 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 04:05 - 2012-07-11 03:57 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 04:04 - 2012-07-11 03:57 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 04:04 - 2012-07-11 03:57 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 04:03 - 2012-07-11 03:57 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 04:01 - 2012-07-11 03:57 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 04:00 - 2012-07-11 03:57 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 03:59 - 2012-07-11 03:57 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 03:57 - 2012-07-11 03:57 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 03:57 - 2012-07-11 03:57 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 03:54 - 2012-07-11 03:57 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-02 01:07 - 2012-07-11 03:57 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-02 00:43 - 2012-07-11 03:57 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-02 00:33 - 2012-07-11 03:57 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-02 00:26 - 2012-07-11 03:57 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-02 00:25 - 2012-07-11 03:57 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-02 00:25 - 2012-07-11 03:57 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-02 00:23 - 2012-07-11 03:57 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-02 00:21 - 2012-07-11 03:57 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-02 00:20 - 2012-07-11 03:57 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-02 00:19 - 2012-07-11 03:57 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-02 00:19 - 2012-07-11 03:57 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-02 00:17 - 2012-07-11 03:57 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-02 00:16 - 2012-07-11 03:57 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-02 00:14 - 2012-07-11 03:57 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-01 21:50 - 2012-07-10 21:46 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 21:48 - 2012-07-10 21:46 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 21:48 - 2012-07-10 21:46 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 21:45 - 2012-07-10 21:46 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 21:44 - 2012-07-10 21:46 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-06-01 20:40 - 2012-07-10 21:46 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-06-01 20:40 - 2012-07-10 21:46 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-06-01 20:39 - 2012-07-10 21:46 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-06-01 20:34 - 2012-07-10 21:46 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2012-05-31 11:25 - 2011-06-15 21:44 - 00279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: <===== ATTENTION!
HKLM\...\exefile\DefaultIcon: <===== ATTENTION!
HKLM\...\exefile\open\command: <===== ATTENTION!

==================== Restore Points =========================

Restore point made on: -> 2012-06-08 15:16:16
Restore point made on: -> 2012-06-14 20:27:13
Restore point made on: -> 2012-06-15 21:06:16
Restore point made on: -> 2012-06-20 13:49:39
Restore point made on: -> 2012-06-22 10:04:12
Restore point made on: -> 2012-06-26 13:10:28
Restore point made on: -> 2012-06-29 21:35:14
Restore point made on: -> 2012-07-03 10:02:42
Restore point made on: -> 2012-07-10 21:46:32
Restore point made on: -> 2012-07-11 03:54:43
Restore point made on: -> 2012-07-11 10:15:51
Restore point made on: -> 2012-07-17 23:03:06
Restore point made on: -> 2012-07-24 21:29:00

===================== Memory info ==========================

Percentage of memory in use: 19%
Total physical RAM: 1786.9 MB
Available physical RAM: 1435.46 MB
Total Pagefile: 1786.9 MB
Available Pagefile: 1423.09 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

===================== Partitions ===========================

1 Drive c: (TI105846W0F) (Fixed) (Total:287.63 GB) (Free:240.02 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (System) (Fixed) (Total:1.46 GB) (Free:1.27 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive f: (DANE-ELEC) (Removable) (Total:0.12 GB) (Free:0.04 GB) FAT
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ###  Status         Size     Free     Dyn  Gpt
--------  -------------  -------  -------  ---  ---
Disk 0    Online         298 GB   0 B
Disk 1    Online         119 MB   0 B
Disk 2    No Media       0 B      0 B

Partitions of Disk 0:
===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    Recovery          1500 MB  1024 KB
Partition 2    Primary           287 GB   1501 MB
Partition 3    Primary           8 GB     289 GB

==================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: Yes

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2  D    System       NTFS   Partition   1500 MB  Healthy    Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1  C    TI105846W0F  NTFS   Partition   287 GB   Healthy

==================================================================================

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No

There is no volume associated with this partition.

==================================================================================

Partitions of Disk 1:
===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    Primary           119 MB   16 KB

==================================================================================

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: Yes

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3  F    DANE-ELEC    FAT    Removable   119 MB   Healthy

==================================================================================

Last Boot: 2012-07-05 10:41

======================= End Of Log ==========================
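The scan log above is what the helper reads to decide what went wrong, and a few lines carry most of the signal: the "Attention:" hive warnings, the Winlogon Userinit/Shell values that are empty, the "<===== ATTENTION!" markers under EXE ASSOCIATION, the Bamital/volsnap MD5 results and the partition FRST marks as "Suspicious Type". The following Python script is an added example for this thread, not FRST's own code and not written by Farbar; it pulls exactly those lines out of FRST scan-log text so a reader can triage a log of this shape quickly. The sample input is an abbreviated excerpt of the log posted above with one constructed verdict line for explorer.exe (the real log reports "MD5 is legit" for every file) so the mismatch branch is exercised; the function and class names are hypothetical.

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) scan-log text.

Added example for this thread; it is not part of FRST and not Farbar's
code.  It extracts the lines an analyst reads first: hive warnings,
empty Winlogon Userinit/Shell values, EXE-association ATTENTION markers,
Bamital/volsnap MD5 results and partitions flagged "Suspicious Type".
Function and class names are hypothetical.
"""
import re
from dataclasses import dataclass, field

# Abbreviated excerpt of the scan log posted in this thread.  The
# explorer.exe verdict line is constructed (the real log says
# "MD5 is legit" for every file) so the mismatch branch is exercised.
SAMPLE_LOG = r"""
Scan result of Farbar Recovery Scan Tool Version: 25-08-2012
Attention: Could not load system hive.ERROR: The request could not be performed because of an I/O device error.
Attention: System hive is missing.
========================== Registry (Whitelisted) =============
Attention: Software hive is missing.
HKLM\...\Winlogon: [Userinit]
HKLM-x32\...\Winlogon: [Userinit] [x]
HKLM\...\Winlogon: [Shell] [x ] ()
HKLM-x32\...\Winlogon: [Shell] [x ] ()
========================= Bamital & volsnap Check ============
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 mismatch (constructed line)
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: <===== ATTENTION!
HKLM\...\exefile\open\command: <===== ATTENTION!
===================== Partitions ===========================
Disk: 0
Partition 2
Type : 07
Hidden: No
Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
======================= End Of Log ==========================
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# Matches the Winlogon Userinit/Shell lines; group 1 is the key, group 2 the value part.
WINLOGON_RE = re.compile(r"^(HKLM(?:-x32)?\\\.\.\.\\Winlogon: \[(?:Userinit|Shell)\])(.*)$")
PARTITION_RE = re.compile(r"^Partition (\d+)$")
TYPE_RE = re.compile(r"^Type\s*:\s*(\w+)")


@dataclass
class Triage:
    hive_problems: list = field(default_factory=list)       # "Attention:" lines
    empty_winlogon: list = field(default_factory=list)      # Userinit/Shell with no value
    md5_mismatch: list = field(default_factory=list)        # Bamital/volsnap check failures
    exe_association: list = field(default_factory=list)     # keys marked <===== ATTENTION!
    suspicious_partitions: list = field(default_factory=list)  # (disk, partition, type)

    @property
    def has_findings(self) -> bool:
        return any([self.hive_problems, self.empty_winlogon, self.md5_mismatch,
                    self.exe_association, self.suspicious_partitions])


def triage_frst_log(text: str) -> Triage:
    """Walk the log once, tracking the current section and partition context."""
    result = Triage()
    section = ""
    disk = partition = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            if sec.group(1):            # an all-'=' separator keeps the current section
                section = sec.group(1)
            continue
        if line.startswith("Attention:"):
            result.hive_problems.append(line[len("Attention:"):].strip())
            continue
        if "<===== ATTENTION!" in line:
            result.exe_association.append(line.split(":", 1)[0])
            continue
        wl = WINLOGON_RE.match(line)
        if wl:
            # "[x]" and "()" are FRST's placeholders for a missing value, not a value.
            rest = re.sub(r"\[x\s*\]|\(\)", "", wl.group(2)).strip()
            if not rest:
                result.empty_winlogon.append(wl.group(1))
            continue
        if "volsnap" in section and "=>" in line:
            path, _, verdict = line.partition("=>")
            if verdict.strip() != "MD5 is legit":   # anything else is worth a look
                result.md5_mismatch.append(path.strip())
            continue
        if line.startswith("Disk:"):
            disk = line.split(":", 1)[1].strip()
            continue
        part = PARTITION_RE.match(line)
        if part:
            partition = part.group(1)
            continue
        typ = TYPE_RE.match(line)
        if typ and "(Suspicious Type)" in line:
            result.suspicious_partitions.append((disk, partition, typ.group(1)))
    return result


def summarize(result: Triage) -> list:
    """One human-readable line per finding, in the order an analyst would act on them."""
    lines = [f"HIVE       {p}" for p in result.hive_problems]
    lines += [f"WINLOGON   {k} has no value" for k in result.empty_winlogon]
    lines += [f"MD5        {p} failed the Bamital/volsnap check" for p in result.md5_mismatch]
    lines += [f"EXEASSOC   {k} is not the default" for k in result.exe_association]
    lines += [f"PARTITION  disk {d} partition {p} has suspicious type {t}"
              for d, p, t in result.suspicious_partitions]
    return lines


if __name__ == "__main__":
    for entry in summarize(triage_frst_log(SAMPLE_LOG)):
        print(entry)
```

On the log in this thread the script reports the two missing hives, the four empty Winlogon values, the three EXE-association keys and the hidden type-17 partition, which is the same set of facts Farbar acts on in the next posts; the MD5 check only fires here because of the constructed line.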

#7 Farbar

Posted 27 August 2012 - 01:58 AM

It seems the System and Software hives are missing from the whole system.

Please boot to System Recovery Options. This time select "System Restore". Select the system restore made on 2012-07-24, confirm any prompt and tell me how it went.

#8 nightowl_80

Posted 27 August 2012 - 02:24 AM

It says "The disk C:\ has errors." Then I clicked on "Check the disk for errors" and it won't let me.

#9 Farbar

Posted 27 August 2012 - 03:00 AM

From the command prompt please type the following and press Enter: chkdsk /r C:
Note that there is a space between chkdsk and /r, and between /r and C:

If an error occurs, please note down the error.

#10 nightowl_80

Posted 27 August 2012 - 03:16 AM

It is just staying 2 for 5 and 10% complete

#11 Farbar

Posted 27 August 2012 - 03:17 AM

Please wait; sometimes it seems that it hangs, but it does not.

#12 nightowl_80

Posted 27 August 2012 - 02:20 PM

It says "Failed to transfer logged messages to the event log with status 50". I will try to reboot and see what it does. It has the Windows logo when it says Starting Windows now. It looks like everything is repaired.

#13 Farbar

Posted 27 August 2012 - 02:29 PM

Did it boot to Windows fully?

#14 nightowl_80

Posted 27 August 2012 - 03:09 PM

Yes, when I ran malware halfway I get the blue screen.

#15 Farbar

Posted 27 August 2012 - 03:19 PM

I didn't ask to run anything. Please refrain from doing anything on your own unless you decide it is time to close the topic. Do you agree?
