

STOP: C0000135 The program can't start because %hs is missing


12 replies to this topic

#1 syrushcw


Posted 27 February 2013 - 08:01 AM

From about the 100 sites I read, this is the place to be. Windows 7 Home x64, the usual, safe mode does not work, auto repair does not work. I've replaced the value in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SubSystems and

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager\SubSystems

to no avail. I restored from regbackup still same thing.

Computer does not have AVG. It is an ASUS laptop; from googling so much, it seems like 80% of this problem is on ASUS laptops.

Ran FRST64 here is the log.

 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 23-02-2013 01
Ran by SYSTEM at 26-02-2013 09:44:45
Running from F:\
Windows 7 Home Premium   (X64) OS Language: English(US) 
The current controlset is ControlSet001
 
==================== Registry (Whitelisted) ===================
 
HKLM\...\Run: [ETDWare] C:\Program Files\Elantech\ETDCtrl.exe [621440 2009-09-29] (ELAN Microelectronic Corp.)
HKLM\...\Run: [AmIcoSinglun64] C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe [324608 2010-01-18] (Alcor Micro Corp.)
HKLM\...\Run: [dlcxmon.exe] "C:\Program Files (x86)\Dell Photo AIO Printer 926\dlcxmon.exe" [292336 2007-01-12] ()
HKLM\...\Run: [MemoryCardManager] "C:\Program Files (x86)\Dell Photo AIO Printer 926\memcard.exe" [304008 2006-11-03] ()
HKLM\...\Run: [DLCXCATS] rundll32 C:\Windows\system32\spool\DRIVERS\x64\3\DLCXtime.dll,RunDLLEntry [31744 2006-10-15] ()
HKLM\...\Run: [MacDrive application] "C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe" [226392 2008-09-23] (Mediafour Corporation)
HKLM\...\Run: [Getting started with MacDrive] "C:\Program Files\Mediafour\MacDrive 7\MDGetStarted.exe" /auto [151040 2008-09-02] (Mediafour Corporation)
HKLM-x32\...\Run: [ATKOSD2] C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe [7350912 2010-02-04] (ASUS)
HKLM-x32\...\Run: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe [170624 2010-01-05] (ASUS)
HKLM-x32\...\Run: [HControlUser] C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe [105016 2009-06-19] (ASUS)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-11-28] (Apple Inc.)
HKLM-x32\...\Run: [FaxCenterServer] "C:\Program Files (x86)\Dell PC Fax\fm3032.exe" /s [312200 2006-11-03] ()
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Freecorder FLV Service] "C:\Program Files (x86)\Freecorder\FLVSrvc.exe" /run [167936 2011-03-23] (Applian Technologies, Inc.)
HKLM-x32\...\Run: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe"  -osboot [296056 2012-04-11] (RealNetworks, Inc.)
HKLM-x32\...\Run: [Aimersoft Helper Compact.exe] C:\Program Files (x86)\Common Files\Aimersoft\Aimersoft Helper Compact\ASHelper.exe [1667072 2012-02-28] (AimerSoft)
HKLM-x32\...\Run: [Iminent] C:\Program Files (x86)\Iminent\Iminent.exe /warmup "F77F87E5-A6BD-4922-A530-EDF63D7E9F8C" [445416 2011-12-23] (Iminent)
HKLM-x32\...\Run: [IminentMessenger] C:\Program Files (x86)\Iminent\Iminent.Messengers.exe /startup [881144 2011-12-23] (Iminent)
HKLM-x32\...\Run: []  [x]
HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [1561768 2012-05-04] (Ask)
HKLM-x32\...\Run: [Sendori Tray] "C:\Program Files (x86)\Sendori\SendoriTray.exe" [82792 2012-12-10] (Sendori, Inc.)
HKLM-x32\...\Run: [Wondershare Helper Compact.exe] C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe [x]
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [151952 2012-11-28] (Apple Inc.)
HKU\Michaela\...\Run: [GenieoUpdaterService] "C:\Users\Michaela\AppData\Roaming\Genieo\Application\Updater\bin\genupdater.exe" -wait 5 [290144 2012-11-26] ()
HKU\Michaela\...\Run: [GenieoSystemTray] "C:\Users\Michaela\AppData\Roaming\Genieo\Application\TrayUi\bin\gentray.exe" [526688 2012-11-26] ()
HKU\Michaela\...\Run: [ooVoo.exe] C:\Program Files (x86)\ooVoo\oovoo.exe /minimized [27040888 2012-08-20] (ooVoo LLC)
HKU\Michaela\...\Run: [Google Update] "C:\Users\Michaela\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2012-01-24] (Google Inc.)
HKU\Michaela\...\Run: [Spotify] "C:\Users\Michaela\AppData\Roaming\Spotify\Spotify.exe" /uri spotify:autostart [7880664 2012-10-28] (Spotify Ltd)
HKU\Michaela\...\Run: [Spotify Web Helper] "C:\Users\Michaela\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [1199576 2012-10-28] (Spotify Ltd)
HKU\Michaela\...\Run: [Browser Infrastructure Helper] C:\Users\Michaela\AppData\Local\Smartbar\Application\Smartbar.exe startup [19800 2012-11-05] (Smartbar)
HKU\Michaela\...\RunOnce: [Application Restart #0] C:\Users\Michaela\AppData\Local\Google\Chrome\Application\chrome.exe  --flag-switches-begin --flag-switches-end --restore-last-session [1242728 2012-11-27] (Google Inc.)
HKU\Michaela\...\RunOnce: [Application Restart #1] C:\Config.Msi\acdc9.rbf /restore [x]
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
AppInit_DLLs: C:\Windows\System32\nvinitx.dll
Tcpip\..\Interfaces\{A52902AD-8A14-41B8-91F8-1A89CB086F89}: [NameServer]8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{E289D750-00EA-4EFF-A2D5-6A24F2512348}: [NameServer]216.146.35.240,216.146.36.240,192.168.1.254
Tcpip\..\Interfaces\{E8AAD553-90F4-4284-98D6-4C83DA4340E0}: [NameServer]216.146.35.240,216.146.36.240,192.168.1.254
Startup: C:\ProgramData\Start Menu\Programs\Startup\FancyStart daemon.lnk
ShortcutTarget: FancyStart daemon.lnk -> C:\Windows\Installer\{2B81872B-A054-48DA-BE3B-FA5C164C303A}\_C4A2FC3E3722966204FDD8.exe ()
Startup: C:\ProgramData\Start Menu\Programs\Startup\SRS Premium Sound.lnk
ShortcutTarget: SRS Premium Sound.lnk -> C:\Windows\Installer\{E5CF6B9C-3ABE-43C9-9413-AD5FFC98F049}\NewShortcut5_21C7B668029A47458B27645FE6E4A715.exe (Acresso Software Inc.)
Startup: C:\Users\Michaela\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PdaNet Desktop.lnk
ShortcutTarget: PdaNet Desktop.lnk -> C:\Program Files (x86)\PdaNet for iPhone\PdaNetPC.exe ()
 
==================== Services (Whitelisted) ===================
 
2 Application Sendori; C:\Program Files (x86)\Sendori\SendoriSvc.exe [118632 2012-12-10] (Sendori, Inc.)
2 ATKGFNEXSrv; C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe [96896 2009-12-15] (ASUS)
2 BroadCamService; "C:\Program Files (x86)\NCH Software\BroadCam\broadcam.exe" -service [2469380 2012-04-20] (NCH Software)
2 dlcx_device; C:\Windows\system32\dlcxcoms.exe -service [561152 2006-10-11] ( )
2 dlcx_device; C:\Windows\SysWow64\dlcxcoms.exe -service [532480 2006-10-11] ( )
2 dldt_device; C:\Windows\system32\dldtcoms.exe -service [1044648 2009-07-09] ( )
2 Freemake Improver; "C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe" [100864 2012-06-06] (Freemake)
2 M4LIC; "C:\Program Files (x86)\Common Files\Mediafour\M4LIC.EXE" [205312 2008-12-03] (Mediafour Corporation)
2 MacDriveService; "C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe" [165376 2008-11-26] (Mediafour Corporation)
2 MBAMScheduler; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe" [399432 2012-09-07] (Malwarebytes Corporation)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [676936 2012-09-07] (Malwarebytes Corporation)
2 N360; "C:\Program Files (x86)\Norton 360 Premier Edition\Engine\6.4.0.9\ccSvcHst.exe" /s "N360" /m "C:\Program Files (x86)\Norton 360 Premier Edition\Engine\6.4.0.9\diMaster.dll" /prefetch:1 [309688 2012-04-12] (Symantec Corporation)
2 Service Sendori; C:\Program Files (x86)\Sendori\Sendori.Service.exe [14696 2012-12-10] (sendori)
2 sndappv2; C:\Program Files (x86)\Sendori\sndappv2.exe [0 2012-12-10] ()
2 Tether; C:\Program Files (x86)\Tether\TBService.exe [91584 2012-03-18] (Tether)
 
==================== Drivers (Whitelisted) =====================
 
1 BHDrvx64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.2.1.5\Definitions\BASHDefs\20121130.005\BHDrvx64.sys [1384608 2012-10-23] (Symantec Corporation)
1 ccSet_N360; C:\Windows\system32\drivers\N360x64\0604000.009\ccSetx64.sys [167072 2012-06-06] (Symantec Corporation)
1 eeCtrl; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2012-08-18] (Symantec Corporation)
3 EraserUtilRebootDrv; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138912 2012-10-29] (Symantec Corporation)
1 IDSVia64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.2.1.5\Definitions\IPSDefs\20121212.001\IDSvia64.sys [513184 2012-09-06] (Symantec Corporation)
3 kbfiltr; C:\Windows\System32\Drivers\kbfiltr.sys [15416 2009-07-20] ( )
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [25928 2012-09-07] (Malwarebytes Corporation)
0 MDFSYSNT; C:\Windows\System32\Drivers\MDFSYSNT.sys [344680 2008-12-17] (Mediafour Corporation)
0 MDPMGRNT; C:\Windows\System32\Drivers\MDPMGRNT.sys [28768 2008-12-17] (Mediafour Corporation)
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.2.1.5\Definitions\VirusDefs\20121212.006\ENG64.SYS [126112 2012-12-12] (Symantec Corporation)
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.2.1.5\Definitions\VirusDefs\20121212.006\EX64.SYS [2084000 2012-12-12] (Symantec Corporation)
3 SNP2UVC; C:\Windows\System32\Drivers\SNP2UVC.sys [1806400 2009-06-05] ()
1 SRTSP; C:\Windows\System32\Drivers\N360x64\0604000.009\SRTSP64.SYS [737952 2012-07-05] (Symantec Corporation)
1 SRTSPX; C:\Windows\system32\drivers\N360x64\0604000.009\SRTSPX64.SYS [37536 2012-07-05] (Symantec Corporation)
0 SymDS; C:\Windows\System32\drivers\N360x64\0604000.009\SYMDS64.SYS [451192 2012-03-28] (Symantec Corporation)
0 SymEFA; C:\Windows\System32\drivers\N360x64\0604000.009\SYMEFA64.SYS [1129120 2012-05-21] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [175736 2012-06-20] (Symantec Corporation)
1 SymIRON; C:\Windows\system32\drivers\N360x64\0604000.009\Ironx64.SYS [190072 2012-03-28] (Symantec Corporation)
1 SymNetS; C:\Windows\System32\Drivers\N360x64\0604000.009\SYMNETS.SYS [405624 2012-03-28] (Symantec Corporation)
3 catchme; \??\C:\CombbbbboFix\catchme.sys [x]
3 DIRECTIO; \??\UNC\15.0.0.5\burnin\DirectIo.sys [x]
3 tmlwf;  [x]
3 tmwfp;  [x]
 
==================== NetSvcs (Whitelisted) ====================
 
 
==================== One Month Created Files and Folders ========
 
 
 
==================== One Month Modified Files and Folders =======
 
2013-02-26 09:44 - 2013-02-26 09:44 - 00000000 ____D C:\FRST
 
==================== Known DLLs (Whitelisted) =================
 
C:\Windows\System32\kernel32.dll IS MISSING <==== ATTENTION!
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 14%
Total physical RAM: 3884.42 MB
Available physical RAM: 3302.92 MB
Total Pagefile: 3882.57 MB
Available Pagefile: 3289.24 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB
 
==================== Partitions =============================
 
1 Drive c: (OS) (Fixed) (Total:116.44 GB) (Free:3.83 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (DATA) (Fixed) (Total:337.6 GB) (Free:333.71 GB) NTFS
4 Drive f: (UNTITLED 1) (Removable) (Total:7.44 GB) (Free:7.42 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
 
  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          465 GB  1024 KB         
  Disk 1    Online         7633 MB      0 B         
 
Partitions of Disk 0:
===============
 
Disk ID: 9315A082
 
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary             11 GB  1024 KB
  Partition 2    Primary            116 GB    11 GB
  Partition 0    Extended           337 GB   128 GB
  Partition 3    Logical            337 GB   128 GB
 
==================================================================================
 
Disk: 0
Partition 1
Type  : 1C
Hidden: Yes
Active: No
 
There is no volume associated with this partition.
 
=========================================================
 
Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: Yes
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     C   OS           NTFS   Partition    116 GB  Healthy            
 
=========================================================
 
Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: No
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     D   DATA         NTFS   Partition    337 GB  Healthy            
 
=========================================================
 
Partitions of Disk 1:
===============
 
Disk ID: 00000000
 
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           7633 MB   1024 B
 
==================================================================================
 
Disk: 1
Partition 1
Type  : 0B
Hidden: No
Active: No
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     F   UNTITLED 1   FAT32  Removable   7633 MB  Healthy            
 
=========================================================
 
Last Boot: 2012-11-30 08:13
 
==================== End Of Log =============================

 

 

I see combofix in that log although I did not run it. Thanks for everything!




 


#2 JSntgRvr

  • Malware Response Team

Posted 27 February 2013 - 08:40 AM


Run FRST as you did before.

Type the following in the edit box on FRST, after "Search:".

kernel32.dll

It then should look like:

Search: kernel32.dll

Click Search button and post the log (Search.txt) it makes on the USB drive in your next reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 syrushcw


Posted 27 February 2013 - 09:03 AM

Farbar Recovery Scan Tool (x64) Version: 23-02-2013 01
Ran by SYSTEM at 2013-02-27 07:47:28
Running from F:\
 
================== Search: "kernel32.dll" ===================
 
C:\Windows\winsxs\wow64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.22125_none_fcb841e5ba70d1da\kernel32.dll
[2012-12-11 11:49] - [2012-10-04 08:36] - 1114112 ____A (Microsoft Corporation) 5FA395364EE727E4BEE6B1406C207F98
 
C:\Windows\winsxs\wow64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.22091_none_fc688f63baad32ee\kernel32.dll
[2012-10-09 18:32] - [2012-08-20 09:31] - 1114112 ____A (Microsoft Corporation) 305681B4B695D4A888B941965FFC2C17
 
C:\Windows\winsxs\wow64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.21772_none_fc7f5397ba9be6d3\kernel32.dll
[2012-01-24 15:43] - [2011-07-15 20:49] - 1114112 ____A (Microsoft Corporation) D3CB12854171DF61D117D7C2BF22C675
 
C:\Windows\winsxs\wow64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.17965_none_fc038d48a1736e92\kernel32.dll
[2012-12-11 11:49] - [2012-10-04 08:47] - 1114112 ____A (Microsoft Corporation) D4F3176082566CEFA633B4945802D4C4
 
C:\Windows\winsxs\wow64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.17932_none_fc20fc2ea15dceba\kernel32.dll
[2012-10-09 18:32] - [2012-08-20 09:37] - 1114112 ____A (Microsoft Corporation) 9B98D47916EAD4F69EF51B56B0C2323C
 
C:\Windows\winsxs\wow64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.17651_none_fc0a565aa16ef5d0\kernel32.dll
[2012-01-24 15:43] - [2011-07-15 20:24] - 1114112 ____A (Microsoft Corporation) 99C3F8E9CC59D95666EB8D8A8B4C2BEB
 
C:\Windows\winsxs\wow64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7600.21335_none_fac714f3bd5281df\kernel32.dll
[2012-12-11 11:49] - [2012-10-04 08:56] - 1114112 ____A (Microsoft Corporation) DE7A37CB1F48526A78A2D42786411578
 
C:\Windows\winsxs\wow64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7600.21306_none_fae88501bd394763\kernel32.dll
[2012-10-09 18:32] - [2012-08-20 09:51] - 1114112 ____A (Microsoft Corporation) 85660067ECD49B6E302347EFCC2F72A5
 
C:\Windows\winsxs\wow64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7600.21010_none_fad7ada7bd46d3d5\kernel32.dll
[2012-01-24 15:43] - [2011-07-15 20:21] - 1114112 ____A (Microsoft Corporation) 2113248DB2D1AF9CA790B09F3E6C6E85
 
C:\Windows\winsxs\wow64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7600.17135_none_fa3d7642a434e4ee\kernel32.dll
[2012-12-11 11:49] - [2012-10-04 08:54] - 1114112 ____A (Microsoft Corporation) A6778FC49011313995A4D718F624CC74
 
C:\Windows\winsxs\wow64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7600.17107_none_fa5fe69aa41ac3c9\kernel32.dll
[2012-10-09 18:32] - [2012-08-18 03:17] - 1114112 ____A (Microsoft Corporation) 33616DACC75C9E105DAE944120DB4274
 
C:\Windows\winsxs\wow64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7600.16850_none_fa22f90aa449708d\kernel32.dll
[2012-01-24 15:43] - [2011-07-15 20:30] - 1048576 ____A (Microsoft Corporation) 4EA99F1644627B1EBAD99D0B93CDEE1C
 
C:\Windows\winsxs\wow64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7600.16385_none_fa07813aa45d5150\kernel32.dll
[2009-07-13 15:16] - [2009-07-13 17:11] - 0836608 ____A (Microsoft Corporation) 606ECB76A424CC535407E7A24E2A34BC
 
C:\Windows\winsxs\amd64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.22125_none_f263979386100fdf\kernel32.dll
[2012-12-11 11:49] - [2012-10-04 09:37] - 1162240 ____A (Microsoft Corporation) F3C594D0DA3ACFA6C7B781A490AB4282
 
C:\Windows\winsxs\amd64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.22091_none_f213e511864c70f3\kernel32.dll
[2012-10-09 18:32] - [2012-08-20 10:24] - 1163264 ____A (Microsoft Corporation) 624B34180C79D67C470C155DB81FFB8E
 
C:\Windows\winsxs\amd64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.21772_none_f22aa945863b24d8\kernel32.dll
[2012-01-24 15:43] - [2011-07-15 21:28] - 1163264 ____A (Microsoft Corporation) 27AC02D8EE4C02E7648C41CB880151DA
 
C:\Windows\winsxs\amd64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.17965_none_f1aee2f66d12ac97\kernel32.dll
[2012-12-11 11:49] - [2012-10-04 09:41] - 1161216 ____A (Microsoft Corporation) 1DC3504CA4C57900F1557E9A3F01D272
 
C:\Windows\winsxs\amd64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.17932_none_f1cc51dc6cfd0cbf\kernel32.dll
[2012-10-09 18:32] - [2012-08-20 10:48] - 1162240 ____A (Microsoft Corporation) EAF41CFBA5281834CBC383C710AC7965
 
C:\Windows\winsxs\amd64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.17651_none_f1b5ac086d0e33d5\kernel32.dll
[2012-01-24 15:43] - [2011-07-15 21:37] - 1162752 ____A (Microsoft Corporation) B9B42A302325537D7B9DC52D47F33A73
 
C:\Windows\winsxs\amd64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7600.21335_none_f0726aa188f1bfe4\kernel32.dll
[2012-12-11 11:49] - [2012-10-04 09:29] - 1162752 ____A (Microsoft Corporation) 6EED0D77C20137948979EA47360A890B
 
C:\Windows\winsxs\amd64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7600.21306_none_f093daaf88d88568\kernel32.dll
[2012-10-09 18:32] - [2012-08-20 11:02] - 1163776 ____A (Microsoft Corporation) 1BDA5DB0C493B390C2DFD09139140DE1
 
C:\Windows\winsxs\amd64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7600.21010_none_f083035588e611da\kernel32.dll
[2012-01-24 15:43] - [2011-07-15 21:21] - 1162240 ____A (Microsoft Corporation) 06835B46D9676BEDD80AF25ACF6845FD
 
C:\Windows\winsxs\amd64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7600.17135_none_efe8cbf06fd422f3\kernel32.dll
[2012-12-11 11:49] - [2012-10-04 09:32] - 1161216 ____A (Microsoft Corporation) 1DDCACAB8DA5399E5521051923016B18
 
C:\Windows\winsxs\amd64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7600.17107_none_f00b3c486fba01ce\kernel32.dll
[2012-10-09 18:32] - [2012-08-18 07:37] - 1162240 ____A (Microsoft Corporation) 8E7F88A62E1AA28F15C0D6784E4C78B6
 
C:\Windows\winsxs\amd64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7600.16850_none_efce4eb86fe8ae92\kernel32.dll
[2012-01-24 15:43] - [2011-07-15 21:21] - 1162240 ____A (Microsoft Corporation) DDBD24DC04DA5FD0EDF45CF72B7C01E2
 
C:\Windows\winsxs\amd64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7600.16385_none_efb2d6e86ffc8f55\kernel32.dll
[2009-07-13 15:28] - [2009-07-13 17:41] - 1162240 ____A (Microsoft Corporation) 5B4B379AD10DEDA4EDA01B8C6961B193
 
C:\Windows\SysWOW64\kernel32.dll
[2012-12-11 11:49] - [2012-10-04 08:54] - 1114112 ____A (Microsoft Corporation) A6778FC49011313995A4D718F624CC74
 
C:\Windows\SoftwareDistribution\Download\488053cdbca3231eeb2c2af7236d09ed\wow64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.17514_none_fc389502a14bd4ea\kernel32.dll
[2012-01-25 16:46] - [2010-11-20 04:08] - 0837632 ____A (Microsoft Corporation) E80758CF485DB142FCA1EE03A34EAD05
 
C:\Windows\SoftwareDistribution\Download\488053cdbca3231eeb2c2af7236d09ed\amd64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.17514_none_f1e3eab06ceb12ef\kernel32.dll
[2012-01-25 16:47] - [2010-11-20 05:26] - 1161216 ____A (Microsoft Corporation) 7A6326D96D53048FDEC542DF23D875A0
 
C:\Windows\ERDNT\cache86\kernel32.dll
[2012-08-31 13:15] - [2011-07-15 20:30] - 1048576 ____A (Microsoft Corporation) 4EA99F1644627B1EBAD99D0B93CDEE1C
 
C:\Windows\ERDNT\cache64\kernel32.dll
[2012-08-31 13:15] - [2011-07-15 21:21] - 1162240 ____A (Microsoft Corporation) DDBD24DC04DA5FD0EDF45CF72B7C01E2
 
====== End Of Search ======
 
Thanks!


#4 JSntgRvr


Posted 27 February 2013 - 03:11 PM

Download the enclosed file.

Save it next to FRST64 in the flash drive.

Run FRST64 as you did before, except that this time around click on the Fix button and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Boot in Normal Mode. If successful, run Combofix as follows:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

-----------------------------------------------------------

  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link or this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" .
  • **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

    Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.



#5 syrushcw


Posted 27 February 2013 - 03:28 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 23-02-2013 01
Ran by SYSTEM at 2013-02-27 14:19:30 Run:1
Running from F:\
 
==============================================
 
Could not find C:\Windows\System32\kernel32.dll.
C:\Windows\winsxs\amd64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.22125_none_f263979386100fdf\kernel32.dll copied successfully to C:\Windows\System32\kernel32.dll
 
==== End of Fixlog ====
 
Still does not boot. Same BSOD
 
Thanks!


#6 JSntgRvr


Posted 27 February 2013 - 03:43 PM

From about the 100 sites I read, this is the place to be. Windows 7 Home x64, the usual, safe mode does not work, auto repair does not work. I've replaced the value in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SubSystems and

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager\SubSystems

to no avail. I restored from regbackup still same thing.

Where did you find this fix? Can you post the link or the fix itself?



Please run FRST64 once again and post its report.

Edited by JSntgRvr, 27 February 2013 - 03:47 PM.



#7 syrushcw


Posted 27 February 2013 - 04:19 PM

Here

http://blog.crosbydrive.com/?p=245

http://travis.sarbin.net/2011/11/28/stop-c0000135-the-program-cant-start-because-hs-is-missing-try-reinstalling-the-program-to-fix-this-problem/

http://superuser.com/questions/421277/stop-c0000135-the-program-cant-start-because-hs-is-missing

http://triplescomputers.com/blog/casestudies/stop-c0000135-the-program-can%E2%80%99t-start-because-consrv-is-missing-try-resintalling-the-program/

http://forums.whirlpool.net.au/archive/1856678

Probably about a dozen other places. It says it replaces a value in the string.

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

It changed winsrv to consrv.



#8 JSntgRvr


Posted 27 February 2013 - 07:09 PM

That fix can be used if infected with ZeroAccess, but it must be diagnosed first. I will take a look at that key and the Master Boot Record, as well as removing entries that may intervene in the startup process.

Download MBRFix from here.

Save and extract its contents to the working computer's desktop. There are three files in the MBRFix folder. From these, only copy the MBRFix64.exe to the USB drive.

Also download the enclosed file and save it in the USB drive, overwriting the existing one.

Insert the USB drive into the ailing computer.

Now please enter System Recovery Options and run FRST64 as you did before, except that this time around, press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt). It will also create a file labeled MBRDUMP.txt. Copy and Paste the contents of the Fixlog.txt in your next reply, but attach the MBRDUMP.txt as it is a hex file.

Please also scan with FRST64 once again and post the new FRST.txt file.

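One way to diagnose the SubSystems Windows value before applying the fix discussed in posts #7 and #8, as an added example that is not part of the original thread: it parses the ServerDll entries, compares the module names against the string quoted in post #7 (assumed here to be the stock Windows 7 value), and reports a value that is cut short as inconclusive rather than clean. The function names and the two altered sample strings are constructed for illustration.

```python
import re

# Baseline module names, taken from the Windows value quoted in post #7.
# Assumption: that string is the stock Windows 7 value; other Windows
# versions ship a different ServerDll list.
BASELINE_SERVER_DLLS = {"basesrv", "winsrv", "sxssrv"}
EXPECTED_IMAGE = r"%systemroot%\system32\csrss.exe"

SERVERDLL_RE = re.compile(r"ServerDll=(\S+)")
# A complete entry looks like  module[:InitRoutine],index
ENTRY_RE = re.compile(r"^([A-Za-z0-9_]+)(?::([A-Za-z0-9_]+))?,(\d+)$")


def parse_server_dlls(value):
    """Split the value into well-formed ServerDll entries and leftovers."""
    entries, malformed = [], []
    for raw in SERVERDLL_RE.findall(value):
        match = ENTRY_RE.match(raw)
        if match:
            entries.append({
                "module": match.group(1).lower(),
                "init": match.group(2),
                "index": int(match.group(3)),
            })
        else:
            malformed.append(raw)
    return entries, malformed


def audit_subsystems_windows(value):
    """Return a list of (kind, detail) findings for one Windows value."""
    findings = []
    image = value.split(" ", 1)[0] if value else ""
    if image.lower() != EXPECTED_IMAGE:
        findings.append(("unexpected-image", image))

    entries, malformed = parse_server_dlls(value)
    for raw in malformed:
        # Typical cause: the tool that printed the value cut it short.
        findings.append(("truncated-or-malformed", raw))

    seen = set()
    for entry in entries:
        seen.add(entry["module"])
        if entry["module"] not in BASELINE_SERVER_DLLS:
            findings.append(("unexpected-serverdll", entry["module"]))

    for module in sorted(BASELINE_SERVER_DLLS - seen):
        findings.append(("missing-serverdll", module))
    return findings


def verdict(findings):
    """Collapse findings into clean / modified / inconclusive."""
    kinds = {kind for kind, _ in findings}
    if kinds & {"unexpected-serverdll", "unexpected-image"}:
        return "modified"
    if "truncated-or-malformed" in kinds:
        # Cannot tell what the cut-off entries contained: re-read the full value.
        return "inconclusive"
    if "missing-serverdll" in kinds:
        return "modified"
    return "clean"


# The value exactly as quoted in post #7.
CLEAN = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    r"SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    r"ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    r"ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 "
    r"ProfileControl=Off MaxRequestThreads=16"
)
# Constructed sample: one winsrv entry replaced by consrv, the change post #7 mentions.
MODIFIED = CLEAN.replace("ServerDll=winsrv:ConServer", "ServerDll=consrv:ConServer")
# Constructed sample: the value cut off partway through an entry.
TRUNCATED = CLEAN.split("ServerDll=winsrv:ConServer")[0] + "ServerDll=w?"

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("modified", MODIFIED), ("truncated", TRUNCATED)):
        result = audit_subsystems_windows(sample)
        print(name, verdict(result), result)
```

Run it against the full string from both ControlSet001 and ControlSet002, since the thread edits both keys.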


#9 syrushcw


Posted 28 February 2013 - 08:02 AM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 23-02-2013 01
Ran by SYSTEM at 2013-02-28 06:59:12 Run:3
Running from F:\
 
==============================================
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs Value was restored successfully .
HKEY_USERS\Michaela\Software\Microsoft\Windows\CurrentVersion\RunOnce\\Application Restart #0 Value not found.
HKEY_USERS\Michaela\Software\Microsoft\Windows\CurrentVersion\RunOnce\\Application Restart #1 Value not found.
 
=========  Reg query "HKLM\SYSTEM\ControlSet001\Control\Session Manager\SubSystems" =========
 
 
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems
    Debug    REG_EXPAND_SZ    
    (Default)    REG_SZ    mnmsrvc
    Kmode    REG_EXPAND_SZ    \SystemRoot\System32\win32k.sys
    Optional    REG_MULTI_SZ    Posix
    Posix    REG_EXPAND_SZ    %SystemRoot%\system32\psxss.exe
    Required    REG_MULTI_SZ    Debug\0Windows
    Windows    REG_EXPAND_SZ    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=w?
 
 
========= End of Reg: =========
 
 
=========  bcdedit /enum all /v  =========
 
 
Windows Boot Manager
--------------------
identifier              {9dea862c-5cdd-4e70-acc1-f32b344d4795}
device                  partition=C:
description             Windows Boot Manager
locale                  en-US
inherit                 {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
default                 {8cb2d9b1-7c05-11de-842e-b4611d44fefa}
resumeobject            {8cb2d9b0-7c05-11de-842e-b4611d44fefa}
displayorder            {8cb2d9b1-7c05-11de-842e-b4611d44fefa}
toolsdisplayorder       {b2721d73-1db4-4c62-bf78-c548a880142d}
timeout                 30
 
Windows Boot Loader
-------------------
identifier              {572bcd56-ffa7-11d9-aae0-0007e994107d}
 
Windows Boot Loader
-------------------
identifier              {8cb2d9b1-7c05-11de-842e-b4611d44fefa}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  en-US
inherit                 {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
recoverysequence        {8cb2d9b4-7c05-11de-842e-b4611d44fefa}
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \Windows
resumeobject            {8cb2d9b0-7c05-11de-842e-b4611d44fefa}
nx                      OptIn
 
Windows Boot Loader
-------------------
identifier              {8cb2d9b4-7c05-11de-842e-b4611d44fefa}
device                  ramdisk=[C:]\Recovery\8cb2d9b4-7c05-11de-842e-b4611d44fefa\Winre.wim,{8cb2d9b5-7c05-11de-842e-b4611d44fefa}
path                    \windows\system32\winload.exe
description             Windows Recovery Environment
inherit                 {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
osdevice                ramdisk=[C:]\Recovery\8cb2d9b4-7c05-11de-842e-b4611d44fefa\Winre.wim,{8cb2d9b5-7c05-11de-842e-b4611d44fefa}
systemroot              \windows
nx                      OptIn
winpe                   Yes
custom:46000010         Yes
 
Resume from Hibernate
---------------------
identifier              {8cb2d9b0-7c05-11de-842e-b4611d44fefa}
device                  partition=C:
path                    \Windows\system32\winresume.exe
description             Windows Resume Application
locale                  en-US
inherit                 {1afa9c49-16ab-4a5c-901b-212802da9460}
filedevice              partition=C:
filepath                \hiberfil.sys
debugoptionenabled      No
 
Windows Memory Tester
---------------------
identifier              {b2721d73-1db4-4c62-bf78-c548a880142d}
device                  unknown
path                    \boot\memtest.exe
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
badmemoryaccess         Yes
 
EMS Settings
------------
identifier              {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
bootems                 Yes
 
Debugger Settings
-----------------
identifier              {4636856e-540f-4170-a130-a84776f4c654}
debugtype               Serial
debugport               1
baudrate                115200
 
RAM Defects
-----------
identifier              {5189b25c-5558-4bf2-bca4-289b11bd29e2}
 
Global Settings
---------------
identifier              {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
inherit                 {4636856e-540f-4170-a130-a84776f4c654}
                        {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
                        {5189b25c-5558-4bf2-bca4-289b11bd29e2}
 
Boot Loader Settings
--------------------
identifier              {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
inherit                 {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
                        {7ff607e0-4395-11db-b0de-0800200c9a66}
 
Hypervisor Settings
-------------------
identifier              {7ff607e0-4395-11db-b0de-0800200c9a66}
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200
 
Resume Loader Settings
----------------------
identifier              {1afa9c49-16ab-4a5c-901b-212802da9460}
inherit                 {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
 
Device options
--------------
identifier              {8cb2d9b5-7c05-11de-842e-b4611d44fefa}
description             Ramdisk Options
ramdisksdidevice        partition=C:
ramdisksdipath          \Recovery\8cb2d9b4-7c05-11de-842e-b4611d44fefa\boot.sdi
 
Device options
--------------
identifier              {ad6c7bc8-fa0f-11da-8ddf-0013200354d8}
description             Ramdisk Device Options
ramdisksdidevice        unknown
ramdisksdipath          \boot.sdi
 
========= End of CMD: =========
 
MBRDUMP.txt is made successfully.
 
==== End of Fixlog ====
 
 
Thanks


#10 JSntgRvr

Posted 28 February 2013 - 01:27 PM

Will post back in a bit.

No requests for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#11 JSntgRvr

Posted 28 February 2013 - 06:26 PM

I believe that entry is incomplete.

Download the enclosed file.

Save it next to FRST64 on the flash drive.

Run FRST64 as you did before, except that this time around click on the Fix button and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Boot in Normal Mode. If successful, run Combofix as suggested above.

No requests for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!
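
The check behind "I believe that entry is incomplete", as an added example that is not part of the thread or of FRST: it tokenises the `Windows` value printed by the reg query in the Fixlog above and reports `ServerDll=` tokens that do not parse, name a module outside a baseline, or are missing from it. The baseline set (basesrv, winsrv, sxssrv as the csrss.exe server DLLs on a stock Windows 7 install) and the function name are assumptions; compare against a known-good machine of the same build.

```python
import re

# The Windows value exactly as the Fixlog prints it, cut-off last token included.
FIXLOG_VALUE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    r"SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    r"ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    r"ServerDll=w?"
)

# Assumption: the server DLLs csrss.exe loads on a stock Windows 7 install.
BASELINE_MODULES = {"basesrv", "winsrv", "sxssrv"}

# Token shape: ServerDll=<module>[:<init routine>],<server id>
SERVERDLL_RE = re.compile(r"^(\w+)(?::(\w+))?,(\d+)$")


def audit_windows_value(value):
    """Parse a SubSystems 'Windows' command line; return (entries, findings)."""
    tokens = value.split()
    entries, findings = [], []
    if not tokens or not tokens[0].lower().endswith("\\csrss.exe"):
        findings.append("image is not csrss.exe: %r" % (tokens[:1],))
    for tok in tokens[1:]:
        key, _, arg = tok.partition("=")
        if key != "ServerDll":
            continue
        m = SERVERDLL_RE.match(arg)
        if m is None:
            # The token does not parse as module[:init],id
            findings.append("malformed or truncated ServerDll: %r" % tok)
            continue
        module = m.group(1).lower()
        entries.append((module, m.group(2), int(m.group(3))))
        if module not in BASELINE_MODULES:
            findings.append("ServerDll outside baseline: %r" % tok)
    loaded = {e[0] for e in entries}
    for module in sorted(BASELINE_MODULES - loaded):
        findings.append("baseline module missing: %s" % module)
    return entries, findings


if __name__ == "__main__":
    for line in audit_windows_value(FIXLOG_VALUE)[1]:
        print(line)
```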


#12 JSntgRvr

Posted 05 March 2013 - 11:29 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

No requests for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#13 JSntgRvr

Posted 06 March 2013 - 05:11 PM

This topic has been re-opened at the request of the person who originally posted.

No requests for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!




