
STOP: C0000135 The program can't start because %hs is missing. Try reinstalling


  • This topic is locked
36 replies to this topic

#1 mccrisco

mccrisco

  • Members
  • 20 posts

Posted 09 April 2013 - 12:57 PM

I'm not sure if this is the right place to be posting this topic, but here's the situation. I was handed an HP EliteBook 8540w mobile workstation to try to get running again. The little bit of history I have for it is that it is not connected to the internet very often, it worked about a week ago and now will not boot into Windows. It starts to load Windows but then gives the error message in the subject line on the BSOD. I have tried all normal recovery methods, which have all failed. I still get the same error message when trying to boot into safe mode. The research I have done so far on this error seems to be pointing to a virus, which is hard to believe since it is not connected to the internet very often. But I guess anything is possible. I believe this system is running Windows 7 x64. Any help would be greatly appreciated! I'm running out of ideas!

 

~Nick




 


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts

Posted 10 April 2013 - 06:03 PM

Please do the following:

Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Then:
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press Scan button.
  • Type exit and reboot the computer normally.
  • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 mccrisco

mccrisco
  • Topic Starter

  • Members
  • 20 posts

Posted 11 April 2013 - 08:49 AM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 13-03-2013 (ATTENTION: FRST version is 29 days old)
Ran by SYSTEM at 11-04-2013 09:41:50
Running from H:\
Windows 7 Professional  Service Pack 1 (X64) OS Language: English(US) 
The current controlset is ControlSet001
 
==================== Registry (Whitelisted) ===================
 
HKLM\...\Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2010-04-05] (Intel Corporation)
HKLM\...\Run: [HPPowerAssistant] C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Main.exe /hidden [1690680 2009-11-19] (Hewlett-Packard)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2074408 2010-02-26] (Synaptics Incorporated)
HKLM\...\Run: [HPWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden [363064 2009-11-19] (Hewlett-Packard)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [487424 2010-01-28] (IDT, Inc.)
HKLM\...\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [112512 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet [1694016 2011-09-07] ()
HKLM-x32\...\Run: [QlbCtrl.exe] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start [287800 2010-02-25] ( Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [NUSB3MON] "c:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [106496 2009-11-20] (NEC Electronics Corporation)
HKLM-x32\...\Run: [IMSS] "C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [111640 2009-11-04] ()
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-02] (Adobe Systems Incorporated)
HKU\Administrator\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-05-26] (Google Inc.)
HKU\mappel\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-05-26] (Google Inc.)
HKU\mapvision\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-05-26] (Google Inc.)
HKLM\...\RunOnce: [*Restore] C:\windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,C:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe, [634192 2010-07-16] (DigitalPersona, Inc.)
Winlogon\Notify\ScCertProp: wlnotify.dll [X]
Lsa: [Notification Packages] DPPassFilter scecli
Startup: C:\ProgramData\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\ProgramData\Start Menu\Programs\Startup\SolidWorks 2013 Fast Start.lnk
ShortcutTarget: SolidWorks 2013 Fast Start.lnk -> C:\windows\Installer\{B6B5EA7E-B91F-443D-A958-B0062FB53804}\NewShortcut2_87EDF6C81D0A4B7B84F42FE0C6A9D608.exe (Flexera Software, Inc.)
Startup: C:\ProgramData\Start Menu\Programs\Startup\SolidWorks Background Downloader.lnk
ShortcutTarget: SolidWorks Background Downloader.lnk -> C:\Program Files (x86)\Common Files\SolidWorks Installation Manager\BackgroundDownloading\sldBgDwld.exe (Dassault Systèmes SolidWorks Corp.)
 
==================== Services (Whitelisted) ===================
 
2 AESTFilters; C:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_21dba265e7e67cda\AESTSr64.exe [89600 2009-03-03] (Andrea Electronics Corporation)
3 DEBridge; C:\Program Files\Hewlett-Packard\Drive Encryption\SbHpAuthenticatorService.exe [704512 2009-11-11] (McAfee, Inc.)
2 DpHost; C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpHostW.exe [462160 2010-07-16] (DigitalPersona, Inc.)
2 HP ProtectTools Service; "C:\Program Files (x86)\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe" [32768 2010-10-19] (Hewlett-Packard Development Company, L.P)
2 HpFkCryptService; "C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe" [277096 2009-11-11] (McAfee, Inc.)
2 LkCitadelServer; C:\windows\SysWOW64\lkcitdl.exe [695136 2007-03-21] (National Instruments, Inc.)
2 lkClassAds; C:\windows\SysWOW64\lkads.exe [40488 2007-07-16] (National Instruments Corporation)
2 lkTimeSync; C:\windows\SysWOW64\lktsrv.exe [50736 2007-07-16] (National Instruments Corporation)
2 NIDomainService; "C:\Program Files (x86)\National Instruments\Shared\Security\nidmsrv.exe" [213040 2007-07-16] (National Instruments Corporation)
2 niSvcLoc; C:\windows\SysWOW64\nisvcloc.exe -s [48704 2007-07-19] (National Instruments Corp.)
3 PrintNotify; C:\windows\system32\spool\DRIVERS\x64\3\PrintConfig.dll [2675200 2012-07-25] (Microsoft Corporation)
2 STacSV; C:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_21dba265e7e67cda\STacSV64.exe [244736 2010-01-28] (IDT, Inc.)
2 TeamViewer8; "C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe" [3467768 2012-12-14] (TeamViewer GmbH)
2 AgereModemAudio; C:\Program Files\LSI SoftModem\agr64svc.exe [x]
2 HPDayStarterService; "C:\Program Files\Hewlett-Packard\HP QuickLook\32-bit\HPDayStarterService.exe" [x]
3 WatAdminSvc; C:\Windows\System32\Wat\WatAdminSvc.exe [x]
 
==================== Drivers (Whitelisted) =====================
 
3 AX88772; C:\Windows\System32\Drivers\AX88772.sys [79360 2011-06-01] (ASIX Electronics Corp.)
3 nidimk; \??\C:\windows\system32\drivers\nidimkl.sys [11872 2007-07-12] (National Instruments Corporation)
3 niorbk; \??\C:\windows\system32\drivers\niorbkl.sys [11856 2007-07-12] (National Instruments Corporation)
3 nipalfwedl; C:\Windows\System32\Drivers\nipalfwedl.sys [12928 2007-07-18] (National Instruments Corporation)
0 NIPALK; C:\Windows\System32\Drivers\NIPALK.sys [538712 2007-07-18] (National Instruments Corporation)
3 nipalusbedl; C:\Windows\System32\Drivers\nipalusbedl.sys [12920 2007-07-18] (National Instruments Corporation)
0 nipbcfk; C:\Windows\System32\Drivers\nipbcfk.sys [16472 2007-07-10] (National Instruments Corporation)
3 NiViFWK; C:\Windows\System32\Drivers\NiViFWK.sys [17528 2007-07-19] (National Instruments Corporation)
3 NiViPciK; C:\Windows\System32\Drivers\NiViPciK.sys [62048 2007-07-19] (National Instruments Corporation)
2 NiViPxiK; C:\Windows\System32\Drivers\NiViPxiK.sys [22624 2007-07-19] (National Instruments Corporation)
2 PYNWAGNT; C:\Windows\System32\Drivers\PYNWAGNT.sys [56336 2009-03-11] (Basler AG)
3 PyNwFlt; C:\Windows\System32\Drivers\PyNwFlt.sys [59408 2009-02-03] (Basler AG)
3 rismcx64; C:\Windows\System32\Drivers\rismcx64.sys [59008 2009-07-20] (RICOH Company, Ltd.)
1 RsvLock; C:\Windows\System32\Drivers\RsvLock.sys [58184 2009-11-11] (McAfee, Inc.)
1 RsvLock; C:\Windows\SysWow64\Drivers\RsvLock.sys [40088 2009-11-11] (McAfee, Inc.)
0 SafeBoot; C:\Windows\System32\Drivers\SafeBoot.sys [56648 2009-11-11] (McAfee, Inc.)
0 SafeBoot; C:\Windows\SysWow64\Drivers\SafeBoot.sys [110520 2009-11-11] (McAfee, Inc.)
0 SbAlg; C:\Windows\System32\Drivers\SbAlg.sys [60160 2009-06-04] (McAfee, Inc.)
0 SbAlg; C:\Windows\SysWow64\Drivers\SbAlg.sys [51800 2009-11-11] (McAfee, Inc.)
0 SbFsLock; C:\Windows\System32\Drivers\SbFsLock.sys [15688 2009-11-11] (McAfee, Inc.)
0 SbFsLock; C:\Windows\SysWow64\Drivers\SbFsLock.sys [13256 2009-11-11] (McAfee, Inc.)
3 SNP2UVC; C:\Windows\System32\Drivers\SNP2UVC.sys [1803904 2010-06-03] ()
3 AgereSoftModem; C:\Windows\System32\DRIVERS\agrsm64.sys [x]
4 eabfiltr;  [x]
 
==================== NetSvcs (Whitelisted) ====================
 
 
==================== One Month Created Files and Folders ========
 
2013-04-11 09:41 - 2013-04-11 09:41 - 00000000 ____D C:\FRST
2013-04-08 11:10 - 2013-04-08 11:10 - 00000000 __SHD C:\found.000
 
==================== One Month Modified Files and Folders =======
 
2013-04-11 09:41 - 2013-04-11 09:41 - 00000000 ____D C:\FRST
2013-04-08 12:37 - 2009-07-13 19:20 - 00000000 __RHD C:\users\Default
2013-04-08 11:10 - 2013-04-08 11:10 - 00000000 __SHD C:\found.000
2013-04-01 06:28 - 2012-11-26 10:19 - 00458752 ____A C:\Windows\System32\Ikeext.etl
2013-04-01 06:28 - 2011-04-27 17:18 - 01969654 ____A C:\Windows\WindowsUpdate.log
2013-04-01 06:16 - 2011-05-26 11:33 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-04-01 05:39 - 2012-06-13 12:31 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-03-31 07:16 - 2011-05-26 11:32 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-03-29 03:16 - 2009-07-13 20:45 - 00020944 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-03-29 03:16 - 2009-07-13 20:45 - 00020944 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-03-29 03:13 - 2009-07-13 21:13 - 00779306 ____A C:\Windows\System32\PerfStringBackup.INI
2013-03-29 03:09 - 2010-09-20 11:04 - 00000000 ____D C:\ProgramData\HPQLOG
2013-03-29 03:08 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-03-29 03:08 - 2009-07-13 20:51 - 00066322 ____A C:\Windows\setupact.log
2013-03-28 11:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\tracing
 
==================== Known DLLs (Whitelisted) =================
 
C:\Windows\System32\LPK.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\LPK.dll IS MISSING <==== ATTENTION!
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
Restore point made on: 2013-02-08 05:32:16
Restore point made on: 2013-02-15 08:15:13
Restore point made on: 2013-02-15 11:50:06
Restore point made on: 2013-02-22 21:00:12
Restore point made on: 2013-03-02 21:00:14
Restore point made on: 2013-03-05 07:44:42
Restore point made on: 2013-03-05 17:55:03
Restore point made on: 2013-03-11 21:20:29
Restore point made on: 2013-03-29 03:54:10
 
==================== Memory info =========================== 
 
Percentage of memory in use: 16%
Total physical RAM: 4023.38 MB
Available physical RAM: 3353.07 MB
Total Pagefile: 4021.58 MB
Available Pagefile: 3346.12 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB
 
==================== Partitions =============================
 
1 Drive c: () (Fixed) (Total:448.46 GB) (Free:354.26 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive e: (HP_RECOVERY) (Fixed) (Total:15 GB) (Free:3.46 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive f: (HP_TOOLS) (Fixed) (Total:1.99 GB) (Free:1.45 GB) FAT32
4 Drive g: (GSP1RMCPRXFREO_EN_DVD) (CDROM) (Total:3.09 GB) (Free:0 GB) UDF
5 Drive h: () (Removable) (Total:1.87 GB) (Free:1.87 GB) FAT
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: (SYSTEM) (Fixed) (Total:0.29 GB) (Free:0.25 GB) NTFS ==>[System with boot components (obtained from reading drive)]
 
  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          465 GB      0 B         
  Disk 1    Online         1912 MB      0 B         
 
Partitions of Disk 0:
===============
 
Disk ID: BEDE5D5F
 
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            300 MB  1024 KB
  Partition 2    Primary            448 GB   301 MB
  Partition 3    Primary             15 GB   448 GB
  Partition 4    Primary           2043 MB   463 GB
 
==================================================================================
 
Disk: 0
Partition 1
Type  : 07
Hidden: No
Active: Yes
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     Y   SYSTEM       NTFS   Partition    300 MB  Healthy            
 
=========================================================
 
Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: No
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C                NTFS   Partition    448 GB  Healthy            
 
=========================================================
 
Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: No
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     E   HP_RECOVERY  NTFS   Partition     15 GB  Healthy            
 
=========================================================
 
Disk: 0
Partition 4
Type  : 0C
Hidden: No
Active: No
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4     F   HP_TOOLS     FAT32  Partition   2043 MB  Healthy            
 
=========================================================
 
Partitions of Disk 1:
===============
 
Disk ID: 3D0508C7
 
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           1911 MB    31 KB
 
==================================================================================
 
Disk: 1
Partition 1
Type  : 06
Hidden: No
Active: Yes
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 5     H                FAT    Removable   1911 MB  Healthy            
 
=========================================================
============================== MBR Partition Table ==================
 
==============================
Partitions of Disk 0:
===============
Disk ID: BEDE5D5F
 
Partition 1:
=========
Hex: 80202100075E38260008000000600900
Active: YES
Type: 07 (NTFS)
Size: 300 MB
 
Partition 2:
=========
Hex: 005E392607FEFFFF0068090000E00E38
Active: NO
Type: 07 (NTFS)
Size: 448 GB
 
Partition 3:
=========
Hex: 00FEFFFF07FEFFFF004818380000E001
Active: NO
Type: 07 (NTFS)
Size: 15 GB
 
Partition 4:
=========
Hex: 00FEFFFF0CFEFFFF0048F83900D83F00
Active: NO
Type: 0C
Size: 2 GB
 
==============================
Partitions of Disk 1:
===============
Disk ID: 3D0508C7
 
Partition 1:
=========
Hex: 8001010006FE3FF23F000000C1BF3B00
Active: YES
Type: 06
Size: 2 GB
 
 
Last Boot: 2013-03-29 03:47
 
==================== End Of Log =============================


#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts

Posted 11 April 2013 - 12:55 PM

The system appears to be missing a couple of files, which may be causing the non-boot issue:

C:\Windows\System32\LPK.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\LPK.dll IS MISSING <==== ATTENTION!

We need to look for replacements.

Please boot into the recovery environment and re-run FRST as you did before.

Instead of scanning, you need to use the Search button.

First, type the following in the edit box after "Search:".

LPK.dll

It then should look like:

Search: LPK.dll

Click the Search button and post the log it makes (Search.txt) in your reply.
 


Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 mccrisco

mccrisco
  • Topic Starter

  • Members
  • 20 posts

Posted 11 April 2013 - 01:16 PM

Farbar Recovery Scan Tool (x64) Version: 13-03-2013
Ran by SYSTEM at 2013-04-11 14:09:26
Running from H:\
 
================== Search: "LPK.dll" ===================
 
C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.22195_none_1281c5a8bee46a0f\lpk.dll
[2009-07-13 15:25] - [2009-07-13 17:11] - 0000000 ____A () 
 
C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.21664_none_12a15568beccd507\lpk.dll
[2009-07-13 15:25] - [2009-07-13 17:11] - 0000000 ____A () 
 
C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.18032_none_12360787a598d69a\lpk.dll
[2009-07-13 15:25] - [2009-07-13 17:11] - 0000000 ____A () 
 
C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.17563_none_1216b853a5b01be6\lpk.dll
[2009-07-13 15:25] - [2009-07-13 17:11] - 0000000 ____A () 
 
C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.17514_none_124dc839a586a988\lpk.dll
[2009-07-13 15:25] - [2009-07-13 17:11] - 0000000 ____A () 
 
C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.21402_none_10f9b8f6c177b3cc\lpk.dll
[2013-01-15 10:39] - [2012-12-16 08:34] - 0025600 ____A (Microsoft Corporation) BF6CDA72E4112DAC01E2ED8911C3FD74
 
C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.20905_none_10fcda1ac174d7f3\lpk.dll
[2009-07-13 15:25] - [2009-07-13 17:11] - 0000000 ____A () 
 
C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.17194_none_1010c9a7a8a147db\lpk.dll
[2009-07-13 15:25] - [2009-07-13 17:11] - 0000000 ____A () 
 
C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.16763_none_10305b4da889affa\lpk.dll
[2009-07-13 15:25] - [2009-07-13 17:11] - 0000000 ____A () 
 
C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.22195_none_082d1b568a83a814\lpk.dll
[2009-07-13 15:38] - [2009-07-13 17:41] - 0000000 ____A () 
 
C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.21664_none_084cab168a6c130c\lpk.dll
[2009-07-13 15:38] - [2009-07-13 17:41] - 0000000 ____A () 
 
C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.18032_none_07e15d357138149f\lpk.dll
[2009-07-13 15:38] - [2009-07-13 17:41] - 0000000 ____A () 
 
C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.17563_none_07c20e01714f59eb\lpk.dll
[2009-07-13 15:38] - [2009-07-13 17:41] - 0000000 ____A () 
 
C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.17514_none_07f91de77125e78d\lpk.dll
[2009-07-13 15:38] - [2009-07-13 17:41] - 0000000 ____A () 
 
C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.21402_none_06a50ea48d16f1d1\lpk.dll
[2013-01-15 10:39] - [2012-12-16 09:19] - 0041472 ____A (Microsoft Corporation) 838BF2634A38B344B27AC080D76B28C2
 
C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.20905_none_06a82fc88d1415f8\lpk.dll
[2009-07-13 15:38] - [2009-07-13 17:41] - 0000000 ____A () 
 
C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.17194_none_05bc1f55744085e0\lpk.dll
[2009-07-13 15:38] - [2009-07-13 17:41] - 0000000 ____A () 
 
C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.16763_none_05dbb0fb7428edff\lpk.dll
[2009-07-13 15:38] - [2009-07-13 17:41] - 0000000 ____A () 
 
====== End Of Search ======


#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts

Posted 11 April 2013 - 03:59 PM

That .dll belongs to a language pack, so it may not have anything to do with the boot issue, but we should replace it anyway and see what happens:

Please do the following:

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste.) Save it on the flash drive as fixlist.txt.
start
HKLM\...\RunOnce: [*Restore] C:\windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
replace: C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.21402_none_06a50ea48d16f1d1\lpk.dll C:\Windows\SysWOW64\LPK.dll
replace: C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.21402_none_10f9b8f6c177b3cc\lpk.dll C:\Windows\System32\LPK.dll 
end
NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64-bit version) and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Reboot Normally.


If the machine still will not boot, then please run a fresh scan with FRST and post the new log

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
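As an added example (not part of the original thread and not FRST's own code), this Python sketch parses Search.txt entries in the format shown in post #5, drops the zero-byte entries that carry no hash, and checks each `replace:` line of a fixlist against the architecture named in the WinSxS folder. It assumes that on 64-bit Windows `amd64_` components belong in System32 and `wow64_` components in SysWOW64; the function names are hypothetical.

```python
import re
from typing import NamedTuple, Optional

# Excerpts of the Search.txt (post #5) and fixlist.txt (post #6) shown on this page.
SEARCH_TXT = r"""
C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.17514_none_124dc839a586a988\lpk.dll
[2009-07-13 15:25] - [2009-07-13 17:11] - 0000000 ____A ()

C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.21402_none_10f9b8f6c177b3cc\lpk.dll
[2013-01-15 10:39] - [2012-12-16 08:34] - 0025600 ____A (Microsoft Corporation) BF6CDA72E4112DAC01E2ED8911C3FD74

C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.17514_none_07f91de77125e78d\lpk.dll
[2009-07-13 15:38] - [2009-07-13 17:41] - 0000000 ____A ()

C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.21402_none_06a50ea48d16f1d1\lpk.dll
[2013-01-15 10:39] - [2012-12-16 09:19] - 0041472 ____A (Microsoft Corporation) 838BF2634A38B344B27AC080D76B28C2
"""

FIXLIST = r"""
start
replace: C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.21402_none_06a50ea48d16f1d1\lpk.dll C:\Windows\SysWOW64\LPK.dll
replace: C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.21402_none_10f9b8f6c177b3cc\lpk.dll C:\Windows\System32\LPK.dll
end
"""

# Assumption (not stated on the page): native 64-bit files live in System32,
# 32-bit WOW64 files in SysWOW64.
EXPECTED_DIR = {"amd64": r"C:\Windows\System32", "wow64": r"C:\Windows\SysWOW64"}

PATH_RE = re.compile(
    r"\\winsxs\\(?P<arch>[a-z0-9]+)_.+?_(?P<build>\d+(?:\.\d+){3})_none_[0-9a-f]+\\", re.I)
DETAIL_RE = re.compile(
    r"\[.+?\] - \[.+?\] - (?P<size>\d+) \S+ \((?P<vendor>.*?)\)\s*(?P<md5>[0-9A-Fa-f]{32})?")
REPLACE_RE = re.compile(
    r"^replace:\s*(?P<src>.+?)\s+(?P<dst>[A-Za-z]:\\.*\S)\s*$", re.I)


class Candidate(NamedTuple):
    path: str
    arch: str           # prefix of the WinSxS component folder
    build: str          # component version, e.g. 6.1.7600.21402
    size: int
    vendor: str
    md5: Optional[str]  # None when the log line carries no hash


class Verdict(NamedTuple):
    src: str
    dst: str
    expected_dir: Optional[str]
    ok: bool


def parse_search(text):
    """Pair each path line with the detail line that follows it."""
    found, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = PATH_RE.search(line)
        if m:
            pending = (line, m["arch"].lower(), m["build"])
            continue
        d = DETAIL_RE.match(line)
        if d and pending:
            found.append(Candidate(*pending, int(d["size"]), d["vendor"].strip(), d["md5"]))
            pending = None
    return found


def best_candidates(cands):
    """Newest build per architecture among entries that have content and a hash."""
    best = {}
    for c in cands:
        if c.size == 0 or c.md5 is None:
            continue  # zero-byte, unhashed entry: nothing to restore from
        key = tuple(int(p) for p in c.build.split("."))
        if c.arch not in best or key > best[c.arch][0]:
            best[c.arch] = (key, c)
    return {arch: c for arch, (_, c) in best.items()}


def check_replace(line):
    """Compare the source component's architecture with the destination directory."""
    m = REPLACE_RE.match(line.strip())
    arch = PATH_RE.search(m["src"]) if m else None
    if not arch:
        return None  # not a replace: line with a WinSxS source
    expected = EXPECTED_DIR.get(arch["arch"].lower())
    actual = m["dst"].rsplit("\\", 1)[0]
    ok = expected is not None and actual.lower() == expected.lower()
    return Verdict(m["src"], m["dst"], expected, ok)


def review_fixlist(text):
    return [v for v in map(check_replace, text.splitlines()) if v is not None]


if __name__ == "__main__":
    for arch, c in best_candidates(parse_search(SEARCH_TXT)).items():
        print(arch, c.build, c.size, c.md5)
    for v in review_fixlist(FIXLIST):
        print("OK      " if v.ok else "MISMATCH", v.dst, "expected under", v.expected_dir)
```

Run over the fixlist in post #6, the check reports both `replace:` lines as mismatches, because each pairs a component folder of one architecture with the other architecture's system directory.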


#7 mccrisco

mccrisco
  • Topic Starter

  • Members
  • 20 posts

Posted 12 April 2013 - 06:14 AM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-03-2013
Ran by SYSTEM at 2013-04-12 06:52:21 Run:1
Running from H:\
 
==============================================
 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\\*Restore Value deleted successfully.
Could not find C:\Windows\SysWOW64\LPK.dll.
C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.21402_none_06a50ea48d16f1d1\lpk.dll copied successfully to C:\Windows\SysWOW64\LPK.dll
Could not find C:\Windows\System32\LPK.dll .
C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.21402_none_10f9b8f6c177b3cc\lpk.dll copied successfully to C:\Windows\System32\LPK.dll 
 
==== End of Fixlog ====


#8 mccrisco

mccrisco
  • Topic Starter

  • Members
  • 20 posts

Posted 12 April 2013 - 06:17 AM

Computer still will not boot into Windows. The log from the FRST scan is below:
 
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 13-03-2013 (ATTENTION: FRST version is 30 days old)
Ran by SYSTEM at 12-04-2013 07:08:44
Running from H:\
Windows 7 Professional  Service Pack 1 (X64) OS Language: English(US) 
The current controlset is ControlSet001
 
==================== Registry (Whitelisted) ===================
 
HKLM\...\Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2010-04-05] (Intel Corporation)
HKLM\...\Run: [HPPowerAssistant] C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Main.exe /hidden [1690680 2009-11-19] (Hewlett-Packard)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2074408 2010-02-26] (Synaptics Incorporated)
HKLM\...\Run: [HPWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden [363064 2009-11-19] (Hewlett-Packard)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [487424 2010-01-28] (IDT, Inc.)
HKLM\...\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [112512 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet [1694016 2011-09-07] ()
HKLM-x32\...\Run: [QlbCtrl.exe] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start [287800 2010-02-25] ( Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [NUSB3MON] "c:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [106496 2009-11-20] (NEC Electronics Corporation)
HKLM-x32\...\Run: [IMSS] "C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [111640 2009-11-04] ()
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-02] (Adobe Systems Incorporated)
HKU\Administrator\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-05-26] (Google Inc.)
HKU\mappel\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-05-26] (Google Inc.)
HKU\mapvision\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-05-26] (Google Inc.)
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,C:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe, [634192 2010-07-16] (DigitalPersona, Inc.)
Winlogon\Notify\ScCertProp: wlnotify.dll [X]
Lsa: [Notification Packages] DPPassFilter scecli
Startup: C:\ProgramData\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\ProgramData\Start Menu\Programs\Startup\SolidWorks 2013 Fast Start.lnk
ShortcutTarget: SolidWorks 2013 Fast Start.lnk -> C:\windows\Installer\{B6B5EA7E-B91F-443D-A958-B0062FB53804}\NewShortcut2_87EDF6C81D0A4B7B84F42FE0C6A9D608.exe (Flexera Software, Inc.)
Startup: C:\ProgramData\Start Menu\Programs\Startup\SolidWorks Background Downloader.lnk
ShortcutTarget: SolidWorks Background Downloader.lnk -> C:\Program Files (x86)\Common Files\SolidWorks Installation Manager\BackgroundDownloading\sldBgDwld.exe (Dassault Systèmes SolidWorks Corp.)
 
==================== Services (Whitelisted) ===================
 
2 AESTFilters; C:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_21dba265e7e67cda\AESTSr64.exe [89600 2009-03-03] (Andrea Electronics Corporation)
3 DEBridge; C:\Program Files\Hewlett-Packard\Drive Encryption\SbHpAuthenticatorService.exe [704512 2009-11-11] (McAfee, Inc.)
2 DpHost; C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpHostW.exe [462160 2010-07-16] (DigitalPersona, Inc.)
2 HP ProtectTools Service; "C:\Program Files (x86)\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe" [32768 2010-10-19] (Hewlett-Packard Development Company, L.P)
2 HpFkCryptService; "C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe" [277096 2009-11-11] (McAfee, Inc.)
2 LkCitadelServer; C:\windows\SysWOW64\lkcitdl.exe [695136 2007-03-21] (National Instruments, Inc.)
2 lkClassAds; C:\windows\SysWOW64\lkads.exe [40488 2007-07-16] (National Instruments Corporation)
2 lkTimeSync; C:\windows\SysWOW64\lktsrv.exe [50736 2007-07-16] (National Instruments Corporation)
2 NIDomainService; "C:\Program Files (x86)\National Instruments\Shared\Security\nidmsrv.exe" [213040 2007-07-16] (National Instruments Corporation)
2 niSvcLoc; C:\windows\SysWOW64\nisvcloc.exe -s [48704 2007-07-19] (National Instruments Corp.)
3 PrintNotify; C:\windows\system32\spool\DRIVERS\x64\3\PrintConfig.dll [2675200 2012-07-25] (Microsoft Corporation)
2 STacSV; C:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_21dba265e7e67cda\STacSV64.exe [244736 2010-01-28] (IDT, Inc.)
2 TeamViewer8; "C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe" [3467768 2012-12-14] (TeamViewer GmbH)
2 AgereModemAudio; C:\Program Files\LSI SoftModem\agr64svc.exe [x]
2 HPDayStarterService; "C:\Program Files\Hewlett-Packard\HP QuickLook\32-bit\HPDayStarterService.exe" [x]
3 WatAdminSvc; C:\Windows\System32\Wat\WatAdminSvc.exe [x]
 
==================== Drivers (Whitelisted) =====================
 
3 AX88772; C:\Windows\System32\Drivers\AX88772.sys [79360 2011-06-01] (ASIX Electronics Corp.)
3 nidimk; \??\C:\windows\system32\drivers\nidimkl.sys [11872 2007-07-12] (National Instruments Corporation)
3 niorbk; \??\C:\windows\system32\drivers\niorbkl.sys [11856 2007-07-12] (National Instruments Corporation)
3 nipalfwedl; C:\Windows\System32\Drivers\nipalfwedl.sys [12928 2007-07-18] (National Instruments Corporation)
0 NIPALK; C:\Windows\System32\Drivers\NIPALK.sys [538712 2007-07-18] (National Instruments Corporation)
3 nipalusbedl; C:\Windows\System32\Drivers\nipalusbedl.sys [12920 2007-07-18] (National Instruments Corporation)
0 nipbcfk; C:\Windows\System32\Drivers\nipbcfk.sys [16472 2007-07-10] (National Instruments Corporation)
3 NiViFWK; C:\Windows\System32\Drivers\NiViFWK.sys [17528 2007-07-19] (National Instruments Corporation)
3 NiViPciK; C:\Windows\System32\Drivers\NiViPciK.sys [62048 2007-07-19] (National Instruments Corporation)
2 NiViPxiK; C:\Windows\System32\Drivers\NiViPxiK.sys [22624 2007-07-19] (National Instruments Corporation)
2 PYNWAGNT; C:\Windows\System32\Drivers\PYNWAGNT.sys [56336 2009-03-11] (Basler AG)
3 PyNwFlt; C:\Windows\System32\Drivers\PyNwFlt.sys [59408 2009-02-03] (Basler AG)
3 rismcx64; C:\Windows\System32\Drivers\rismcx64.sys [59008 2009-07-20] (RICOH Company, Ltd.)
1 RsvLock; C:\Windows\System32\Drivers\RsvLock.sys [58184 2009-11-11] (McAfee, Inc.)
1 RsvLock; C:\Windows\SysWow64\Drivers\RsvLock.sys [40088 2009-11-11] (McAfee, Inc.)
0 SafeBoot; C:\Windows\System32\Drivers\SafeBoot.sys [56648 2009-11-11] (McAfee, Inc.)
0 SafeBoot; C:\Windows\SysWow64\Drivers\SafeBoot.sys [110520 2009-11-11] (McAfee, Inc.)
0 SbAlg; C:\Windows\System32\Drivers\SbAlg.sys [60160 2009-06-04] (McAfee, Inc.)
0 SbAlg; C:\Windows\SysWow64\Drivers\SbAlg.sys [51800 2009-11-11] (McAfee, Inc.)
0 SbFsLock; C:\Windows\System32\Drivers\SbFsLock.sys [15688 2009-11-11] (McAfee, Inc.)
0 SbFsLock; C:\Windows\SysWow64\Drivers\SbFsLock.sys [13256 2009-11-11] (McAfee, Inc.)
3 SNP2UVC; C:\Windows\System32\Drivers\SNP2UVC.sys [1803904 2010-06-03] ()
3 AgereSoftModem; C:\Windows\System32\DRIVERS\agrsm64.sys [x]
4 eabfiltr;  [x]
 
==================== NetSvcs (Whitelisted) ====================
 
 
==================== One Month Created Files and Folders ========
 
2013-04-12 06:52 - 2012-12-16 09:19 - 00041472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\LPK.dll
2013-04-12 06:52 - 2012-12-16 08:34 - 00025600 ____A (Microsoft Corporation) C:\Windows\System32\LPK.dll
2013-04-11 09:41 - 2013-04-11 09:41 - 00000000 ____D C:\FRST
2013-04-08 11:10 - 2013-04-08 11:10 - 00000000 __SHD C:\found.000
 
==================== One Month Modified Files and Folders =======
 
2013-04-11 09:41 - 2013-04-11 09:41 - 00000000 ____D C:\FRST
2013-04-08 12:37 - 2009-07-13 19:20 - 00000000 __RHD C:\users\Default
2013-04-08 11:10 - 2013-04-08 11:10 - 00000000 __SHD C:\found.000
2013-04-01 06:28 - 2012-11-26 10:19 - 00458752 ____A C:\Windows\System32\Ikeext.etl
2013-04-01 06:28 - 2011-04-27 17:18 - 01969654 ____A C:\Windows\WindowsUpdate.log
2013-04-01 06:16 - 2011-05-26 11:33 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-04-01 05:39 - 2012-06-13 12:31 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-03-31 07:16 - 2011-05-26 11:32 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-03-29 03:16 - 2009-07-13 20:45 - 00020944 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-03-29 03:16 - 2009-07-13 20:45 - 00020944 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-03-29 03:13 - 2009-07-13 21:13 - 00779306 ____A C:\Windows\System32\PerfStringBackup.INI
2013-03-29 03:09 - 2010-09-20 11:04 - 00000000 ____D C:\ProgramData\HPQLOG
2013-03-29 03:08 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-03-29 03:08 - 2009-07-13 20:51 - 00066322 ____A C:\Windows\setupact.log
2013-03-28 11:00 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\tracing
 
==================== Known DLLs (Whitelisted) =================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
Restore point made on: 2013-02-08 05:32:16
Restore point made on: 2013-02-15 08:15:13
Restore point made on: 2013-02-15 11:50:06
Restore point made on: 2013-02-22 21:00:12
Restore point made on: 2013-03-02 21:00:14
Restore point made on: 2013-03-05 07:44:42
Restore point made on: 2013-03-05 17:55:03
Restore point made on: 2013-03-11 21:20:29
Restore point made on: 2013-03-29 03:54:10
 
==================== Memory info =========================== 
 
Percentage of memory in use: 16%
Total physical RAM: 4023.38 MB
Available physical RAM: 3345.29 MB
Total Pagefile: 4021.58 MB
Available Pagefile: 3330.91 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB
 
==================== Partitions =============================
 
1 Drive c: () (Fixed) (Total:448.46 GB) (Free:354.26 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive e: (HP_RECOVERY) (Fixed) (Total:15 GB) (Free:3.46 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive f: (HP_TOOLS) (Fixed) (Total:1.99 GB) (Free:1.45 GB) FAT32
4 Drive g: (GSP1RMCPRXFREO_EN_DVD) (CDROM) (Total:3.09 GB) (Free:0 GB) UDF
5 Drive h: () (Removable) (Total:1.87 GB) (Free:1.87 GB) FAT
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: (SYSTEM) (Fixed) (Total:0.29 GB) (Free:0.25 GB) NTFS ==>[System with boot components (obtained from reading drive)]
 
  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          465 GB      0 B         
  Disk 1    Online         1912 MB      0 B         
 
Partitions of Disk 0:
===============
 
Disk ID: BEDE5D5F
 
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            300 MB  1024 KB
  Partition 2    Primary            448 GB   301 MB
  Partition 3    Primary             15 GB   448 GB
  Partition 4    Primary           2043 MB   463 GB
 
==================================================================================
 
Disk: 0
Partition 1
Type  : 07
Hidden: No
Active: Yes
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     Y   SYSTEM       NTFS   Partition    300 MB  Healthy            
 
=========================================================
 
Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: No
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C                NTFS   Partition    448 GB  Healthy            
 
=========================================================
 
Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: No
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     E   HP_RECOVERY  NTFS   Partition     15 GB  Healthy            
 
=========================================================
 
Disk: 0
Partition 4
Type  : 0C
Hidden: No
Active: No
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4     F   HP_TOOLS     FAT32  Partition   2043 MB  Healthy            
 
=========================================================
 
Partitions of Disk 1:
===============
 
Disk ID: 3D0508C7
 
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           1911 MB    31 KB
 
==================================================================================
 
Disk: 1
Partition 1
Type  : 06
Hidden: No
Active: Yes
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 5     H                FAT    Removable   1911 MB  Healthy            
 
=========================================================
============================== MBR Partition Table ==================
 
==============================
Partitions of Disk 0:
===============
Disk ID: BEDE5D5F
 
Partition 1:
=========
Hex: 80202100075E38260008000000600900
Active: YES
Type: 07 (NTFS)
Size: 300 MB
 
Partition 2:
=========
Hex: 005E392607FEFFFF0068090000E00E38
Active: NO
Type: 07 (NTFS)
Size: 448 GB
 
Partition 3:
=========
Hex: 00FEFFFF07FEFFFF004818380000E001
Active: NO
Type: 07 (NTFS)
Size: 15 GB
 
Partition 4:
=========
Hex: 00FEFFFF0CFEFFFF0048F83900D83F00
Active: NO
Type: 0C
Size: 2 GB
 
==============================
Partitions of Disk 1:
===============
Disk ID: 3D0508C7
 
Partition 1:
=========
Hex: 8001010006FE3FF23F000000C1BF3B00
Active: YES
Type: 06
Size: 2 GB
 
 
Last Boot: 2013-03-29 03:47
 
==================== End Of Log =============================


#9 mccrisco

Posted 12 April 2013 - 06:22 AM

When I try to boot into Windows the new BSOD error message is:

 

STOP: c000007b {Bad Image}

winsrv is either not designed to run on windows or it contains an error. Try installing the program again using the original media or contact your system administrator or the software vendor for support.



#10 CatByte

Posted 12 April 2013 - 08:07 AM

please try this

Please do the following:

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt
start
SubSystems: [Windows] ==> ZeroAccess
C:\Windows\System32\consrv.dll
end
NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Reboot Normally.


If it still doesn't boot, then run ListParts while in the Recovery Environment and post the new log
  • Download ListParts64 to a USB flash drive.
  • Plug the USB drive into the infected machine.
  • Boot your computer into Recovery Environment
  • Type h:\listparts64.exe and hit Enter
  • ListParts will start to run.
  • Press the Scan button.
  • When finished scanning it will make a log Result.txt on the flash drive.
  • Close the command window.
  • post me the Result.txt log please.

Edited by CatByte, 12 April 2013 - 08:08 AM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 mccrisco

Posted 12 April 2013 - 08:24 AM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-03-2013
Ran by SYSTEM at 2013-04-12 09:13:45 Run:2
Running from H:\
 
==============================================
 
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
C:\Windows\System32\consrv.dll not found.
 
==== End of Fixlog ====


Still not booting.

 

 

ListParts by Farbar Version: 10-03-2013
Ran by SYSTEM (administrator) on 12-04-2013 at 09:19:38
Windows 7 (X64)
Running From: H:\
Language: 0409
************************************************************
 
========================= Memory info ====================== 
 
Percentage of memory in use: 13%
Total physical RAM: 4023.38 MB
Available physical RAM: 3498.18 MB
Total Pagefile: 4021.58 MB
Available Pagefile: 3476.75 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB
 
======================= Partitions =========================
 
1 Drive c: (SYSTEM) (Fixed) (Total:0.29 GB) (Free:0.25 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: () (Fixed) (Total:448.46 GB) (Free:354.26 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive e: (HP_RECOVERY) (Fixed) (Total:15 GB) (Free:3.46 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive f: (HP_TOOLS) (Fixed) (Total:1.99 GB) (Free:1.45 GB) FAT32
5 Drive g: (GSP1RMCPRXFREO_EN_DVD) (CDROM) (Total:3.09 GB) (Free:0 GB) UDF
6 Drive h: () (Removable) (Total:1.87 GB) (Free:1.86 GB) FAT
7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
 
  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          465 GB      0 B         
  Disk 1    Online         1912 MB      0 B         
 
Partitions of Disk 0:
===============
 
Disk ID: BEDE5D5F
 
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            300 MB  1024 KB
  Partition 2    Primary            448 GB   301 MB
  Partition 3    Primary             15 GB   448 GB
  Partition 4    Primary           2043 MB   463 GB
 
======================================================================================================
 
Disk: 0
Partition 1
Type  : 07
Hidden: No
Active: Yes
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     C   SYSTEM       NTFS   Partition    300 MB  Healthy            
 
======================================================================================================
 
Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: No
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     D                NTFS   Partition    448 GB  Healthy            
 
======================================================================================================
 
Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: No
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     E   HP_RECOVERY  NTFS   Partition     15 GB  Healthy            
 
======================================================================================================
 
Disk: 0
Partition 4
Type  : 0C
Hidden: No
Active: No
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4     F   HP_TOOLS     FAT32  Partition   2043 MB  Healthy            
 
======================================================================================================
 
Partitions of Disk 1:
===============
 
Disk ID: 3D0508C7
 
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           1911 MB    31 KB
 
======================================================================================================
 
Disk: 1
Partition 1
Type  : 06
Hidden: No
Active: Yes
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 5     H                FAT    Removable   1911 MB  Healthy            
 
======================================================================================================
============================== MBR Partition Table ==================
 
==============================
Partitions of Disk 0:
===============
Disk ID: BEDE5D5F
 
Partition 1:
===========
Hex: 80202100075E38260008000000600900
Active: YES
Type: 07 (NTFS)
Size: 300 MB
 
Partition 2:
===========
Hex: 005E392607FEFFFF0068090000E00E38
Active: NO
Type: 07 (NTFS)
Size: 448 GB
 
Partition 3:
===========
Hex: 00FEFFFF07FEFFFF004818380000E001
Active: NO
Type: 07 (NTFS)
Size: 15 GB
 
Partition 4:
===========
Hex: 00FEFFFF0CFEFFFF0048F83900D83F00
Active: NO
Type: 0C
Size: 2 GB
 
==============================
Partitions of Disk 1:
===============
Disk ID: 3D0508C7
 
Partition 1:
===========
Hex: 8001010006FE3FF23F000000C1BF3B00
Active: YES
Type: 06
Size: 2 GB
 
 
****** End Of Log ****** 


#12 CatByte

Posted 12 April 2013 - 08:36 AM

Can I ask what efforts you took to try and repair this issue prior to posting here?

Please try the following:



Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt
start
Last Boot: 2013-03-29 03:47
end
NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Reboot Normally.

Edited by CatByte, 12 April 2013 - 08:37 AM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 mccrisco

Posted 12 April 2013 - 08:54 AM

Before posting here, I tried recovering from a couple of different restore points, which all failed. I then ran some hardware tests just to make sure no hardware failure was causing the problems, but all those tests came out ok. Then I tried using the Windows startup repair tool to automatically fix the problems, but that did not work either.

 

Here's the log file after the last fix:

 

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-03-2013
Ran by SYSTEM at 2013-04-12 09:44:02 Run:3
Running from H:\
 
==============================================
 
DEFAULT hive was successfully copied to System32\config\HiveBackup
DEFAULT hive was successfully restored from registry back up.
SAM hive was successfully copied to System32\config\HiveBackup
SAM hive was successfully restored from registry back up.
SECURITY hive was successfully copied to System32\config\HiveBackup
SECURITY hive was successfully restored from registry back up.
SOFTWARE hive was successfully copied to System32\config\HiveBackup
SOFTWARE hive was successfully restored from registry back up.
SYSTEM hive was successfully copied to System32\config\HiveBackup
SYSTEM hive was successfully restored from registry back up.
 
==== End of Fixlog ====


#14 CatByte

Posted 12 April 2013 - 09:03 AM

any change?

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 mccrisco

Posted 12 April 2013 - 09:10 AM

No, I still cannot boot into windows. I get the BSOD message:

 

 

STOP: c000007b {Bad Image}

winsrv is either not designed to run on windows or it contains an error. Try installing the program again using the original media or contact your system administrator or the software vendor for support.





