
Userinit.exe Application error


  • This topic is locked
70 replies to this topic

#1 k263749

  • Members
  • 47 posts
  • Gender:Male
  • Location:Melbourne, Victoria, Australia

Posted 16 April 2013 - 02:34 AM

When starting up and after the Welcome screen a window pops up with the following.

Userinit.exe - Application error
The application was unable to start correctly (0xc000007b). Click OK to close the application.

After I click OK I just have a blank screen with only the mouse pointer working - nothing else works.

I am currently using our iPad to communicate!


#2 Broni

    The Coolest BC Computer

  • BC Advisor
  • 42,716 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 16 April 2013 - 10:51 AM

I'll report this topic to appropriate helpers.

Hold on...


Edited by Broni, 16 April 2013 - 10:52 AM.



#3 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,693 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 19 April 2013 - 01:07 PM

Hi and Welcome.

 

Which Operating System is installed?


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#4 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,428 posts
  • Gender:Male
  • Location:NJ USA

Posted 19 April 2013 - 01:22 PM

Hello, just letting you know I moved this to the Virus, Trojan, Spyware, and Malware Removal Logs forum, where it will stay.

How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#5 k263749

  • Topic Starter
  • Members
  • 47 posts
  • Gender:Male
  • Location:Melbourne, Victoria, Australia

Posted 19 April 2013 - 06:40 PM

Hi - thanks for your response, I was starting to get desperate. My OS is Windows 7. Last night I tried to see if I could look at an old email using safe mode but even safe mode crashed!

Unfortunately I'm unavailable between 10am - 6pm (Australian eastern time) both today and tomorrow but expect to be able to respond in the evenings.

Cheers Ken

#6 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,693 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 19 April 2013 - 08:59 PM

  • Please download Farbar Recovery Scan Tool and save it to a flash drive.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

    Plug the flash drive into the infected PC.
  • If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    Note: In case you can not enter System Recovery Options by using F8 method, you can use Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
    To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html



    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:
    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
    Select Command Prompt.

    Once in the Command Prompt:
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.



#7 k263749

  • Topic Starter
  • Members
  • 47 posts
  • Gender:Male
  • Location:Melbourne, Victoria, Australia

Posted 20 April 2013 - 07:29 AM

I'll need to get to another PC tomorrow to do this download to a USB flash drive as I only have an iPad to communicate with at the moment & don't have any way to download it.

Hopefully I'll be able to report my progress around this time tomorrow so please just hang in there.

Regards Ken

#8 k263749

  • Topic Starter
  • Members
  • 47 posts
  • Gender:Male
  • Location:Melbourne, Victoria, Australia

Posted 20 April 2013 - 08:18 AM

I have just re-read your email and it reminded me that I have previously created a Windows 7 System Repair Disk (32-bit). Also I have 3 Acer Recovery disks which I created just after I purchased this PC in Jan 2010. I have also been doing weekly backups of my PC onto a separate TB drive which I only leave connected to the PC for the duration of backup and then remove. I think this backup did a System Image as well as backing up my Data so if I lose the data on my PC I should be able to manage with the data from last Friday week which was backed up before I started having any problems and would lose only a few minor things.

I have tried the Acer Recovery disk up to the point where it asks me to select a restore type
1. Completely Restore System to Factory Defaults
2. Restore Operating System and Retain User Data. (This option will not remove persistent viruses or malware.)

Maybe this information may alter your recommendation on which way I should proceed.

I'm off to bed now - I'll check to see if you have replied in about 10 hours before I need to leave.

Regards. Ken

#9 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,693 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 20 April 2013 - 10:53 AM

I have just re-read your email and it reminded me that I have previously created a Windows7 System Repair Disk (32-bit).

 

You should be able to run FRST with this CD.




#10 k263749

  • Topic Starter
  • Members
  • 47 posts
  • Gender:Male
  • Location:Melbourne, Victoria, Australia

Posted 21 April 2013 - 03:15 AM

Contents of text file:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 21-04-2013 02
Ran by SYSTEM on 21-04-2013 17:17:15
Running from K:\
Windows 7 Home Premium (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
The current controlset is ControlSet001

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [947152 2013-01-26] (Microsoft Corporation)
HKLM\...\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot [404712 2013-01-04] (BillP Studios)
HKLM\...\Winlogon: [System]
HKU\Default\...\RunOnce: [ScrSav] C:\Program Files\Acer\Screensaver\run_Acer.exe /default [ 2009-07-21] ()
HKU\Default User\...\RunOnce: [ScrSav] C:\Program Files\Acer\Screensaver\run_Acer.exe /default [ 2009-07-21] ()
Startup: C:ProgramData\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Users\Ken\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office Outlook 2007.lnk
ShortcutTarget: Microsoft Office Outlook 2007.lnk -> C:\Windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\outicon.exe ()
Startup: C:\Users\Ken\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Live Mail.lnk
ShortcutTarget: Windows Live Mail.lnk -> C:\Program Files\Windows Live\Mail\wlmail.exe (Microsoft Corporation)

========================== Services (Whitelisted) =================

S4 Greg_Service; C:\Program Files\Acer\Registration\GregHSRW.exe [1150496 2009-06-04] (Acer Incorporated)
S2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-03] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-03] (Malwarebytes Corporation)
S2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [20456 2013-01-26] (Microsoft Corporation)
S4 MWLService; C:\Program Files\EgisTec\MyWinLocker 3\x86\\MWLService.exe [311592 2009-08-06] (Egis Technology Inc.)
S3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [295232 2013-01-26] (Microsoft Corporation)
S3 NTI IScheduleSvc; C:\Program Files\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe [62208 2009-08-12] (NewTech Infosystems, Inc.)
S3 Roxio UPnP Renderer 9; C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe [57344 2006-08-09] (Sonic Solutions)
S2 Roxio Upnp Server 9; C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe [294912 2006-08-09] (Sonic Solutions)
S4 AMD External Events Utility; %SystemRoot%\system32\atiesrxx.exe [x]
S2 BITS; %SystemRoot%\System32\qmgr.dll [x]
S4 ForceWare Intelligent Application Manager (IAM); C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe [x]
S3 gusvc; "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe" [x]
S3 hpqcxs08; C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll [x]
S3 idsvc; "%systemroot%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe" [x]
S2 iphlpsvc; %SystemRoot%\System32\iphlpsvc.dll [x]
S3 iPod Service; "C:\Program Files\iPod\bin\iPodService.exe" [x]
S3 KtmRm; %systemroot%\system32\msdtckrm.dll [x]
S3 MozillaMaintenance; "C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe" [x]
S4 NetTcpPortSharing; "%systemroot%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" [x]
S4 nSvcIp; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe [x]
S3 ose; "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" [x]
S3 PolicyAgent; %SystemRoot%\System32\ipsecsvc.dll [x]
S3 RoxMediaDB9; "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe" [x]
S3 SDRSVC; %Systemroot%\System32\SDRSVC.dll [x]
S3 SessionEnv; %SystemRoot%\system32\sessenv.dll [x]
S4 TrkWks; %SystemRoot%\System32\trkwks.dll [x]
S3 TrustedInstaller; %SystemRoot%\servicing\TrustedInstaller.exe [x]
S4 Updater Service; C:\Program Files\Acer\Acer Updater\UpdaterService.exe [x]
S3 WinDefend; %ProgramFiles%\Windows Defender\mpsvc.dll [x]
S3 WinRM; %SystemRoot%\system32\WsmSvc.dll [x]
S4 WMPNetworkSvc; "%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe" [x]
S2 wuauserv; %systemroot%\system32\wuaueng.dll [x]

==================== Drivers (Whitelisted) ====================

S3 athur; C:\Windows\System32\DRIVERS\athur.sys [1500160 2010-01-04] (Atheros Communications, Inc.)
S0 IFP300; C:\Windows\System32\DRIVERS\ifp300.sys [13543 2003-03-05] (iRiver, Inc.)
S0 Lbd; C:\Windows\System32\DRIVERS\Lbd.sys [64288 2010-07-12] (Lavasoft AB)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [22856 2013-04-03] (Malwarebytes Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [195296 2013-01-19] (Microsoft Corporation)
S1 mwlPSDFilter; C:\Windows\System32\DRIVERS\mwlPSDFilter.sys [18992 2009-06-02] (Egis Technology Inc.)
S1 mwlPSDNServ; C:\Windows\System32\DRIVERS\mwlPSDNServ.sys [16432 2009-06-02] (Egis Technology Inc.)
S1 mwlPSDVDisk; C:\Windows\System32\DRIVERS\mwlPSDVDisk.sys [60976 2009-06-02] (Egis Technology Inc.)
S4 RxFilter; C:\Windows\System32\DRIVERS\RxFilter.sys [50688 2006-08-08] (Sonic Solutions)
S2 supersafer; C:\Windows\system32\drivers\supersafer.sys [354176 2010-02-04] (TrueCrypt Foundation)
S3 srv2; System32\DRIVERS\srv2.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-04-21 17:17 - 2013-04-21 17:17 - 00000000 ____D C:\FRST
2013-04-11 20:07 - 2013-03-01 21:07 - 01212264 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2013-04-11 15:51 - 2013-02-21 20:05 - 12324352 ____N (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-04-11 15:51 - 2013-02-21 19:47 - 09738752 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-04-11 15:51 - 2013-02-21 19:46 - 01800704 ____N (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-04-11 15:51 - 2013-02-21 19:38 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-04-11 15:51 - 2013-02-21 19:38 - 01104384 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-04-11 15:51 - 2013-02-21 19:37 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-04-11 15:51 - 2013-02-21 19:36 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-04-11 15:51 - 2013-02-21 19:35 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-04-11 15:51 - 2013-02-21 19:34 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-04-11 15:51 - 2013-02-21 19:34 - 00420864 ____N (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-04-11 15:51 - 2013-02-21 19:34 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-04-11 15:51 - 2013-02-21 19:33 - 00607744 ____N (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-04-11 15:51 - 2013-02-21 19:32 - 01796096 ____N (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-04-11 15:51 - 2013-02-21 19:31 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-04-11 15:51 - 2013-02-21 19:31 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-04-11 15:49 - 2013-03-18 21:04 - 03968856 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2013-04-11 15:49 - 2013-03-18 21:04 - 03913560 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-04-11 15:49 - 2013-03-18 20:48 - 00038912 ____A (Microsoft Corporation) C:\Windows\System32\csrsrv.dll
2013-04-11 15:49 - 2013-03-18 18:49 - 00069632 ____A (Microsoft Corporation) C:\Windows\System32\smss.exe
2013-04-11 15:49 - 2013-02-28 19:09 - 02347008 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-04-11 15:49 - 2013-01-23 20:47 - 00196328 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fvevol.sys
2013-03-29 12:44 - 2013-04-20 04:39 - 00002408 ____A C:\Windows\setupact.log
2013-03-29 12:44 - 2013-03-29 12:44 - 00000000 ____A C:\Windows\setuperr.log
2013-03-28 15:36 - 2013-03-28 15:40 - 03276440 ____A (Piriform Ltd) C:\Users\Ken\Downloads\ccsetup400_pro.exe
2013-03-25 12:39 - 2013-03-25 12:39 - 04546560 ____A (Google Inc.) C:\Windows\System32\GPhotos.scr

==================== One Month Modified Files and Folders ========

2013-04-21 17:17 - 2013-04-21 17:17 - 00000000 ____D C:\FRST
2013-04-20 04:39 - 2013-03-29 12:44 - 00002408 ____A C:\Windows\setupact.log
2013-04-18 23:35 - 2010-08-22 17:28 - 00000876 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-04-18 23:34 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-04-15 23:28 - 2010-08-22 17:28 - 00000880 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-04-15 23:11 - 2009-07-13 20:34 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-04-15 23:11 - 2009-07-13 20:34 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-04-15 15:40 - 2013-01-04 18:40 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-04-15 14:58 - 2011-08-11 20:30 - 00000000 ____D C:\Program Files\iTunes
2013-04-15 14:58 - 2009-08-17 18:19 - 00000000 ____D C:\Program Files\Microsoft Works
2013-04-15 14:45 - 2013-01-14 22:23 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2013-04-15 14:45 - 2009-07-13 20:52 - 00000000 ____D C:\Program Files\Windows Photo Viewer
2013-04-15 14:45 - 2009-07-13 20:52 - 00000000 ____D C:\Program Files\Windows Defender
2013-04-15 04:44 - 2006-10-10 11:52 - 02088682 ____A C:\Windows\WindowsUpdate.log
2013-04-15 04:43 - 2009-12-29 23:21 - 00000000 ____D C:\Users\Ken\Documents\PowerPoint
2013-04-14 13:52 - 2009-08-17 18:15 - 00743922 ____A C:\Windows\System32\PerfStringBackup.INI
2013-04-11 20:09 - 2009-07-13 20:53 - 00032552 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-04-11 16:10 - 2009-07-13 20:33 - 00464864 ____A C:\Windows\System32\FNTCACHE.DAT
2013-04-11 15:52 - 2009-08-17 18:18 - 00000000 ____D C:ProgramData\Microsoft Help
2013-04-11 15:49 - 2009-12-29 18:50 - 70490256 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-04-09 23:00 - 2010-07-24 04:19 - 00000000 ____D C:\Users\Ken\My Photos
2013-04-08 15:01 - 2009-12-30 15:03 - 00000000 ____D C:ProgramData\Roxio
2013-04-03 20:50 - 2013-01-04 18:40 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-04-02 02:33 - 2009-12-29 19:21 - 00237088 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2013-04-01 20:26 - 2009-12-30 15:33 - 00000000 ____D C:\Users\Ken\AppData\Local\CrashDumps
2013-03-31 17:17 - 2009-12-29 23:18 - 00000000 ___RD C:\Users\Ken\Documents\Adobe Files
2013-03-31 17:15 - 2010-07-29 15:54 - 00000000 ____D C:\Users\Ken\Documents\Winword
2013-03-29 12:44 - 2013-03-29 12:44 - 00000000 ____A C:\Windows\setuperr.log
2013-03-29 04:15 - 2009-12-29 23:18 - 00000000 ___RD C:\Users\Ken\Documents\Access
2013-03-28 15:46 - 2013-01-04 18:31 - 00000000 ____D C:\Program Files\CCleaner
2013-03-28 15:40 - 2013-03-28 15:36 - 03276440 ____A (Piriform Ltd) C:\Users\Ken\Downloads\ccsetup400_pro.exe
2013-03-25 12:39 - 2013-03-25 12:39 - 04546560 ____A (Google Inc.) C:\Windows\System32\GPhotos.scr

==================== Known DLLs (ALL) =========================

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-03-25 19:01:29
Restore point made on: 2013-03-28 15:00:27
Restore point made on: 2013-03-31 13:49:48
Restore point made on: 2013-04-03 17:02:49
Restore point made on: 2013-04-04 20:46:29
Restore point made on: 2013-04-07 14:08:46
Restore point made on: 2013-04-10 18:27:41
Restore point made on: 2013-04-11 15:49:42
Restore point made on: 2013-04-11 16:00:17
Restore point made on: 2013-04-11 20:07:34
Restore point made on: 2013-04-11 20:16:03
Restore point made on: 2013-04-15 04:36:11

==================== Memory info ===========================

Percentage of memory in use: 21%
Total physical RAM: 2047.24 MB
Available physical RAM: 1602.82 MB
Total Pagefile: 2047.24 MB
Available Pagefile: 1608.73 MB
Total Virtual: 2047.88 MB
Available Virtual: 1940.7 MB

==================== Drives ================================

Drive c: (Acer) (Fixed) (Total:342.92 GB) (Free:231.62 GB) NTFS
Drive e: (DATA) (Fixed) (Total:342.92 GB) (Free:342.82 GB) NTFS
Drive f: (PQSERVICE) (Fixed) (Total:12.7 GB) (Free:12.61 GB) NTFS
Drive g: (Repair disc Windows 7 32-bit) (CDROM) (Total:0.14 GB) (Free:0 GB) UDF
Drive k: () (Removable) (Total:3.74 GB) (Free:3.74 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          698 GB      0 B        
  Disk 1    No Media           0 B      0 B        
  Disk 2    No Media           0 B      0 B        
  Disk 3    No Media           0 B      0 B        
  Disk 4    Online         3835 MB      0 B        

Partitions of Disk 0:
===============

Disk ID: 06AB1A18

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Recovery            12 GB  1024 KB
  Partition 2    Primary            100 MB    12 GB
  Partition 3    Primary            342 GB    12 GB
  Partition 4    Primary            342 GB   355 GB

==================================================================================

Disk: 0
Partition 1
Type  : 27
Hidden: Yes
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4     F   PQSERVICE    NTFS   Partition     12 GB  Healthy    Hidden 

=========================================================

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     Y   SYSTEM RESE  NTFS   Partition    100 MB  Healthy           

=========================================================

Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C   Acer         NTFS   Partition    342 GB  Healthy           

=========================================================

Disk: 0
Partition 4
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     E   DATA         NTFS   Partition    342 GB  Healthy           

=========================================================

Partitions of Disk 4:
===============

Disk ID: 00000000

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           3827 MB    19 KB

==================================================================================

Disk: 4
Partition 1
Type  : 0B
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 8     K                FAT32  Removable   3827 MB  Healthy           

=========================================================
============================== MBR & Partition Table ==================

====================================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 699 GB) (Disk ID: 06AB1A18)

Partition 1: (Not Active) - (Size=13 GB) - (Type=27)

Partition 2: (Active) - (Size=100 MB) - (Type=07) (NTFS)

Partition 3: (Not Active) - (Size=343 GB) - (Type=07) (NTFS)

Partition 4: (Not Active) - (Size=343 GB) - (Type=07) (NTFS)

====================================================================
Disk: 4 (Size: 4 GB) (Disk ID: 00000000)

Partition 1: (Not Active) - (Size=4 GB) - (Type=0B)

Last Boot: 2013-04-13 14:25

==================== End Of Log ============================
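The FRST.txt above is the main evidence in this thread, and the parts worth reading first for a userinit.exe that will not start are the Winlogon entries, the services and drivers marked [x] (FRST writes that when it cannot find the image file at the recorded path), and the "Bamital & volsnap Check" hash results. The following is an added example, not Farbar's code (FRST has no parsing API), that splits such a log into its sections and pulls those items out. SAMPLE_LOG is a constructed subset of the lines posted above; the section banners and line layouts are copied from that log.

```python
r"""Section-aware reader for a Farbar Recovery Scan Tool (FRST.txt) log.
Added example for this thread, not Farbar's code (FRST has no parsing API).
SAMPLE_LOG is a constructed subset of the lines posted above.
"""
import re

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+\s*$")          # '==== Name ====' banners
# 'S2 BITS; %SystemRoot%\System32\qmgr.dll [x]'; [x] means the image file was not found
SERVICE_RE = re.compile(r"^([SRU]\d)\s+(.+?);\s+(.+?)\s+\[(.*?)\](?:\s+\((.*?)\))?\s*$")
MD5_RE = re.compile(r"^(.+?)\s+=>\s+(.+?)\s*$")            # 'path => MD5 is legit'

SAMPLE_LOG = r"""
Boot Mode: Recovery

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [947152 2013-01-26] (Microsoft Corporation)
HKLM\...\Winlogon: [System]

========================== Services (Whitelisted) =================

S2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-03] (Malwarebytes Corporation)
S2 BITS; %SystemRoot%\System32\qmgr.dll [x]
S3 gusvc; "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe" [x]

==================== Drivers (Whitelisted) ====================

S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [195296 2013-01-19] (Microsoft Corporation)
S3 srv2; System32\DRIVERS\srv2.sys [x]

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================
"""

def split_sections(text):
    """Map each '==== Name ====' banner to the non-blank lines beneath it."""
    sections = {"Header": []}
    current = "Header"
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            name = m.group(1).strip("= ")
            if name:                      # a bare '=====' rule is a separator, not a banner
                current = name
                sections.setdefault(current, [])
            continue
        if line.strip():
            sections[current].append(line.rstrip())
    return sections

def parse_image_entries(lines):
    """Service/driver lines as dicts; 'file_found' is False for the [x] entries."""
    entries = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if m:
            start, name, image, meta, vendor = m.groups()
            entries.append({"start": start, "name": name, "image": image.strip('"'),
                            "file_found": meta != "x", "vendor": vendor})
    return entries

def missing_images(sections):
    """Names of services and drivers whose image file was not found."""
    names = []
    for key in ("Services (Whitelisted)", "Drivers (Whitelisted)"):
        names += [e["name"] for e in parse_image_entries(sections.get(key, []))
                  if not e["file_found"]]
    return names

def integrity_failures(sections):
    """(path, status) for every hash-check line that does not say 'MD5 is legit'."""
    failures = []
    for line in sections.get("Bamital & volsnap Check", []):
        m = MD5_RE.match(line)
        if m and m.group(2) != "MD5 is legit":
            failures.append((m.group(1), m.group(2)))
    return failures

def winlogon_entries(sections):
    """Registry lines under the Winlogon key (Userinit and Shell are values of that key)."""
    return [line for line in sections.get("Registry (Whitelisted)", []) if "Winlogon" in line]

def analyze(text):
    """Everything a first look at a FRST.txt needs, as one dict."""
    sections = split_sections(text)
    boot_mode = next((line.split(":", 1)[1].strip()
                      for line in sections["Header"] if line.startswith("Boot Mode:")), None)
    return {"boot_mode": boot_mode,
            "winlogon": winlogon_entries(sections),
            "missing_images": missing_images(sections),
            "integrity_failures": integrity_failures(sections)}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Run it as a script for the embedded sample, or call analyze() on the contents of a real FRST.txt. The [x] list is a review queue, not a verdict: in the log above almost every [x] entry is a %SystemRoot% path from a recovery-mode scan, and none of them is evidence of infection on its own. The useful negative result is the hash check, where userinit.exe, winlogon.exe and the other core binaries all report "MD5 is legit", which points away from a replaced binary and toward the registry, which is what the hive restore in the next reply addresses.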

 



#11 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,693 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 21 April 2013 - 11:12 AM

Download the enclosed file. [attachment=137015:fixlist.txt]

 

Save it next to FRST in the USB drive.

 

Run FRST as you did before, except that this time around, click on the Fix button and wait.

 

The tool will make a log in the flash drive (Fixlog.txt); please post it in your next reply.
 

 




#12 k263749

  • Topic Starter
  • Members
  • 47 posts
  • Gender:Male
  • Location:Melbourne, Victoria, Australia

Posted 21 April 2013 - 04:51 PM

Contents of Fixlog text file:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 21-04-2013 02
Ran by SYSTEM at 2013-04-22 07:47:26 Run:1
Running from K:\
Boot Mode: Recovery

==============================================

DEFAULT hive was successfully copied to System32\config\HiveBackup
DEFAULT hive was successfully restored from registry back up.
SAM hive was successfully copied to System32\config\HiveBackup
SAM hive was successfully restored from registry back up.
SECURITY hive was successfully copied to System32\config\HiveBackup
SECURITY hive was successfully restored from registry back up.
SOFTWARE hive was successfully copied to System32\config\HiveBackup
SOFTWARE hive was successfully restored from registry back up.
SYSTEM hive was successfully copied to System32\config\HiveBackup
SYSTEM hive was successfully restored from registry back up.

=========  bcdedit /enum all /v  =========

Windows Boot Manager
--------------------
identifier              {9dea862c-5cdd-4e70-acc1-f32b344d4795}
device                  partition=Y:
path                    \bootmgr
description             Windows Boot Manager
locale                  en-US
inherit                 {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
default                 {089b9826-58a0-11db-9a84-fcd97f8a9438}
resumeobject            {eb7ea4f2-9d0f-11df-b7de-806e6f6e6963}
displayorder            {089b9826-58a0-11db-9a84-fcd97f8a9438}
toolsdisplayorder       {b2721d73-1db4-4c62-bf78-c548a880142d}
timeout                 30

Windows Boot Loader
-------------------
identifier              {089b9821-58a0-11db-9a84-fcd97f8a9438}
device                  boot
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  en-US
inherit                 {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
recoverysequence        {089b9822-58a0-11db-9a84-fcd97f8a9438}
recoveryenabled         Yes
osdevice                boot
systemroot              \Windows
resumeobject            {089b9820-58a0-11db-9a84-fcd97f8a9438}
nx                      OptIn

Windows Boot Loader
-------------------
identifier              {089b9822-58a0-11db-9a84-fcd97f8a9438}
device                  ramdisk=[C:]\Recovery\089b9822-58a0-11db-9a84-fcd97f8a9438\Winre.wim,{089b9823-58a0-11db-9a84-fcd97f8a9438}
path                    \windows\system32\winload.exe
description             Windows Recovery Environment
inherit                 {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
osdevice                ramdisk=[C:]\Recovery\089b9822-58a0-11db-9a84-fcd97f8a9438\Winre.wim,{089b9823-58a0-11db-9a84-fcd97f8a9438}
systemroot              \windows
nx                      OptIn
winpe                   Yes
custom:46000010         Yes

Windows Boot Loader
-------------------
identifier              {089b9824-58a0-11db-9a84-fcd97f8a9438}
device                  boot
path                    \Windows\system32\winload.exe
description             Windows 7 Home Premium (recovered)
locale                  en-US
recoverysequence        {089b9822-58a0-11db-9a84-fcd97f8a9438}
recoveryenabled         Yes
osdevice                boot
systemroot              \Windows
resumeobject            {a234c10f-031f-11df-913f-806e6f6e6963}

Windows Boot Loader
-------------------
identifier              {089b9825-58a0-11db-9a84-fcd97f8a9438}
device                  boot
path                    \Windows\system32\winload.exe
description             Windows 7 Home Premium (recovered)
locale                  en-US
recoverysequence        {089b9822-58a0-11db-9a84-fcd97f8a9438}
recoveryenabled         Yes
osdevice                boot
systemroot              \Windows
resumeobject            {e671eb92-2657-11df-a84b-806e6f6e6963}

Windows Boot Loader
-------------------
identifier              {089b9826-58a0-11db-9a84-fcd97f8a9438}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7 Home Premium (recovered)
locale                  en-US
recoverysequence        {089b9822-58a0-11db-9a84-fcd97f8a9438}
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \Windows
resumeobject            {eb7ea4f2-9d0f-11df-b7de-806e6f6e6963}

Resume from Hibernate
---------------------
identifier              {089b9820-58a0-11db-9a84-fcd97f8a9438}
device                  partition=C:
path                    \Windows\system32\winresume.exe
description             Windows Resume Application
locale                  en-US
inherit                 {1afa9c49-16ab-4a5c-901b-212802da9460}
filedevice              partition=C:
filepath                \hiberfil.sys
pae                     Yes
debugoptionenabled      No

Resume from Hibernate
---------------------
identifier              {a234c10f-031f-11df-913f-806e6f6e6963}
device                  partition=C:
path                    \Windows\system32\winresume.exe
description             Windows 7 Home Premium (recovered)
locale                  en-US
inherit                 {1afa9c49-16ab-4a5c-901b-212802da9460}
filedevice              partition=C:
filepath                \hiberfil.sys
pae                     Yes
debugoptionenabled      No

Resume from Hibernate
---------------------
identifier              {e671eb92-2657-11df-a84b-806e6f6e6963}
device                  partition=C:
path                    \Windows\system32\winresume.exe
description             Windows 7 Home Premium (recovered)
locale                  en-US
inherit                 {1afa9c49-16ab-4a5c-901b-212802da9460}
filedevice              partition=C:
filepath                \hiberfil.sys
pae                     Yes
debugoptionenabled      No

Resume from Hibernate
---------------------
identifier              {eb7ea4f2-9d0f-11df-b7de-806e6f6e6963}
device                  partition=C:
path                    \Windows\system32\winresume.exe
description             Windows 7 Home Premium (recovered)
locale                  en-US
inherit                 {1afa9c49-16ab-4a5c-901b-212802da9460}
filedevice              partition=C:
filepath                \hiberfil.sys
pae                     Yes
debugoptionenabled      No

Windows Memory Tester
---------------------
identifier              {b2721d73-1db4-4c62-bf78-c548a880142d}
device                  partition=Y:
path                    \boot\memtest.exe
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
badmemoryaccess         Yes

EMS Settings
------------
identifier              {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
bootems                 Yes

Debugger Settings
-----------------
identifier              {4636856e-540f-4170-a130-a84776f4c654}
debugtype               Serial
debugport               1
baudrate                115200

RAM Defects
-----------
identifier              {5189b25c-5558-4bf2-bca4-289b11bd29e2}

Global Settings
---------------
identifier              {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
inherit                 {4636856e-540f-4170-a130-a84776f4c654}
                        {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
                        {5189b25c-5558-4bf2-bca4-289b11bd29e2}

Boot Loader Settings
--------------------
identifier              {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
inherit                 {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
                        {7ff607e0-4395-11db-b0de-0800200c9a66}

Hypervisor Settings
-------------------
identifier              {7ff607e0-4395-11db-b0de-0800200c9a66}
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200

Resume Loader Settings
----------------------
identifier              {1afa9c49-16ab-4a5c-901b-212802da9460}
inherit                 {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

Device options
--------------
identifier              {089b9823-58a0-11db-9a84-fcd97f8a9438}
description             Ramdisk Options
ramdisksdidevice        partition=C:
ramdisksdipath          \Recovery\089b9822-58a0-11db-9a84-fcd97f8a9438\boot.sdi

========= End of CMD: =========

==== End of Fixlog ====


#13 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,693 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:04:52 PM

Posted 21 April 2013 - 07:47 PM

Until now, only missing files are noted.

Boot to a command prompt. At the prompt type the following and press Enter:

sfc /scannow /offbootdir=y:\ /offwindir=c:\windows

Hint:

Copy these instructions into Notepad and save a text document with this information on the USB drive. You can access this document in the Repair Console. Copy and paste the command at the prompt and press Enter.

Edited by JSntgRvr, 21 April 2013 - 07:48 PM.

No request for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#14 k263749

k263749
  • Topic Starter

  • Members
  • 47 posts
  • Gender:Male
  • Location:Melbourne, Victoria, Australia
  • Local time:06:52 AM

Posted 21 April 2013 - 09:37 PM

Before I received your message we had a short mains power failure; the infected PC restarted and tried to power up normally. I restarted it, went to the command prompt and tried to scan twice but it failed.

I restarted the PC and retried doing your process from the beginning and after doing the scan it returned the following:

X:\windows\system32>k:\frst

X:\windows\system32>notepad

X:\windows\system32>sfc /scannow /offbootdir=y:\ /offwindir=c:\windows

Beginning system scan.  This process will take some time.

Windows Resource Protection found corrupt files but was unable to fix some of them.
Details are included in the CBS.Log windir\Logs\CBS\CBS.log. For example
C:\Windows\Logs\CBS\CBS.log

X:\windows\system32>

Hopefully I did the correct thing.

#15 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,693 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:04:52 PM

Posted 22 April 2013 - 11:52 AM

Boot to a command prompt. If your USB drive is on drive K, at the command prompt type the following and press Enter:

Copy C:\Windows\Logs\CBS\CBS.log K:\

That should copy the log to the USB drive. Open this log with Notepad and post its contents in a reply.


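A full CBS.log is usually many megabytes, and nearly all of it is unrelated servicing chatter; the part an offline sfc /scannow writes is the set of lines tagged [SR]. The script below is an added example for this thread, not code from either poster or from Microsoft. It pulls the [SR] entries out of a CBS.log, lists the files Windows Resource Protection could not repair together with the reason it logged (hash mismatch, file is missing), lists the files it did replace from the component store, and restates the console verdict. The line layout it parses (timestamp, level, CSI, hex sequence number, [SR], message) is the one Windows 7's sfc.exe writes; the sample log embedded in the script is constructed for the demo and is not taken from the poster's machine.

```python
"""Pull the [SR] entries out of a Windows CBS.log and summarize the SFC verdict.

Added example for this thread, not code from the original posts or from
Microsoft. It assumes the line layout Windows 7's sfc.exe writes to CBS.log
(timestamp, level, "CSI", hex sequence number, "[SR]", message). The sample
lines below are constructed for the demo, not taken from the poster's PC.
"""
import re
import sys

# One [SR] line of CBS.log (other CBS/CSI chatter does not carry the [SR] tag).
SR_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d), (?P<level>\w+)\s+CSI\s+"
    r"(?P<seq>[0-9a-f]+) \[SR\] (?P<msg>.*)$"
)
# 'Cannot repair member file [l:24{12}]"userinit.exe" of Microsoft-Windows-Userinit, Version = 6.1.7601.17514, ...'
MEMBER = re.compile(
    r'member file \[[^\]]*\]"(?P<name>[^"]+)" of (?P<component>[^,]+), Version = (?P<version>[^,]+)'
)
# 'Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:24{12}]"userinit.exe" from store'
REPAIRED = re.compile(
    r'corrupted file \[[^\]]*\]"\\\?\?\\(?P<dir>[^"]+)"\\\[[^\]]*\]"(?P<name>[^"]+)"'
)

# Constructed sample, modelled on the CBS.log format; not the poster's log.
SAMPLE_CBS_LOG = r"""
2013-04-21 21:30:02, Info                  CBS    Starting TrustedInstaller initialization.
2013-04-21 21:30:15, Info                  CSI    000000a3 [SR] Verifying 100 (0x0000000000000064) components
2013-04-21 21:30:15, Info                  CSI    000000a4 [SR] Beginning Verify and Repair transaction
2013-04-21 21:30:16, Info                  CSI    000000a5 [SR] Cannot repair member file [l:24{12}]"userinit.exe" of Microsoft-Windows-Userinit, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2013-04-21 21:30:16, Info                  CSI    000000a6 [SR] Cannot repair member file [l:24{12}]"winlogon.exe" of Microsoft-Windows-Winlogon, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
2013-04-21 21:30:17, Info                  CSI    000000a7 [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:18{9}]"ntdll.dll" from store
2013-04-21 21:30:18, Info                  CSI    000000a8 [SR] Repair complete
"""


def parse_sr_entries(text):
    """Return the [SR] lines as dicts (ts, level, seq, msg); everything else is skipped."""
    return [m.groupdict() for m in map(SR_LINE.match, text.splitlines()) if m]


def summarize(entries):
    """Bucket the [SR] messages into what a reviewer of the scan needs to know."""
    summary = {
        "verified_components": None,  # from "Verifying N (0x...) components"
        "repaired": [],               # files SFC replaced from the component store
        "unrepairable": [],           # files SFC could not fix, with the reason it logged
        "repair_complete": False,     # True once "[SR] Repair complete" is seen
    }
    for entry in entries:
        msg = entry["msg"]
        if msg.startswith("Verifying ") and msg.endswith("components"):
            summary["verified_components"] = int(msg.split()[1])
        elif msg.startswith("Cannot repair member file"):
            m = MEMBER.search(msg)
            # The reason is the final comma-separated clause: "hash mismatch", "file is missing", ...
            reason = msg.rsplit(",", 1)[-1].strip()
            summary["unrepairable"].append({
                "name": m["name"] if m else "?",
                "component": m["component"] if m else "?",
                "version": m["version"] if m else "?",
                "reason": reason,
                "ts": entry["ts"],
            })
        elif msg.startswith("Repairing corrupted file"):
            m = REPAIRED.search(msg)
            if m:
                summary["repaired"].append(m["dir"] + "\\" + m["name"])
        elif msg == "Repair complete":
            summary["repair_complete"] = True
    return summary


def verdict(summary):
    """One-line verdict in the wording sfc.exe itself prints on the console."""
    if summary["unrepairable"]:
        return "Windows Resource Protection found corrupt files but was unable to fix some of them."
    if summary["repaired"]:
        return "Windows Resource Protection found corrupt files and successfully repaired them."
    return "Windows Resource Protection did not find any integrity violations."


def report(text):
    """Short text block suitable for pasting into a reply instead of the whole log."""
    s = summarize(parse_sr_entries(text))
    lines = [verdict(s), f"components verified: {s['verified_components']}"]
    for f in s["unrepairable"]:
        lines.append(f"  cannot repair: {f['name']} ({f['component']} {f['version']}): {f['reason']}")
    for path in s["repaired"]:
        lines.append(f"  repaired from store: {path}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python sfc_sr_summary.py K:\CBS.log   (no argument: run on the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(report(fh.read()))
    else:
        print(report(SAMPLE_CBS_LOG))
```

Run it from any machine that can read the USB drive (python sfc_sr_summary.py K:\CBS.log). The "cannot repair" lines are the ones that matter for a boot failure like the userinit.exe error in this thread: a hash mismatch means the file on disk does not match the signed copy Windows expects, and "file is missing" with no usable copy in the store means SFC cannot put it back on its own.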