Computer freezes on boot up


This topic is locked
34 replies to this topic

#1 MID1991
  • Members
  • 52 posts

Posted 30 June 2013 - 09:36 AM

Hi Folks

 

A Windows Vista Ultimate machine.  Recently went through a power outage due to weather moving through the area.  When I started it up after the outage, it took a very long time to reach the select user and login page, and when it got there it freezes and does not let me pick a user.  The one time it did let me pick a user, it froze and would not let me enter a password.

Started in Safe Mode; it spent about 10 minutes before continuing after loading the crcdisk.sys driver.  It allowed me to choose a user and log in in a normal time period.  However, when I tried to restart, it has now been on the shutting down page for the last 15 minutes.

Not sure where to go from here.  Any suggestions welcomed.

 

Rgds

 

Tom


Edited by hamluis, 30 June 2013 - 03:27 PM.
Moved from Vista to Malware Removal Logs - Hamluis.



#2 dc3
    Bleeping Treehugger
  • Members
  • 30,608 posts
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.

Posted 30 June 2013 - 10:40 AM

Applications that are running at the time of a hard shutdown, such as a power outage, can be damaged.

If you can boot back into Safe Mode, run sfc /scannow.  This scans all protected system files and replaces corrupted and incorrect versions with correct Microsoft versions.

Click on the Start orb, then type cmd in the Search programs and files box.

cmd will appear in Programs above; right click on it, then click on Run as administrator.

If you are prompted for an administrator password or for a confirmation, enter the password, or click Allow.

A command prompt window will open.

Type in sfc /scannow and then press Enter to start the scan.

If the scan finds no problem in the first portion of the scan it may stop; if it does not restart within five minutes, type in exit and press Enter to stop the scan.

Edited by dc3, 30 June 2013 - 10:41 AM.

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.
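The post above stops at starting the scan. Its verdict is written to %windir%\Logs\CBS\CBS.log as lines tagged [SR], and the documented way to pull them out is findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log >"%userprofile%\Desktop\sfcdetails.txt". The script below is an added example, not part of this thread and not Microsoft's code: it parses those [SR] lines and reports how many components were verified, which files sfc repaired from the component store, and which it could not repair and why. SAMPLE_LOG is constructed to mimic the CBS.log format; Sample-Component, sample.dll and other.dll are placeholders, not files from the poster's machine.

```python
"""Summarise the [SR] lines that sfc /scannow writes to %windir%\\Logs\\CBS\\CBS.log.

Added example for this thread, not Microsoft's or dc3's code.  SAMPLE_LOG below is
constructed to mimic the CBS.log format; its component and file names are placeholders.
"""
import re
from typing import Dict, Iterable, List

# One CBS.log line: "<date> <time>, <level>   CSI   <hex seq> [SR] <message>"
SR_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d), (?P<level>\w+)\s+CSI\s+(?P<seq>[0-9a-f]+) \[SR\] (?P<msg>.*)$")
VERIFYING = re.compile(r"^Verifying (?P<n>\d+) \(0x[0-9a-fA-F]+\) components")
CANNOT_REPAIR = re.compile(r'^Cannot repair member file \[l:\d+\{\d+\}\]"(?P<file>[^"]+)" of (?P<component>[^,]+),')
REPAIRING = re.compile(r'^Repairing corrupted file .*\[l:\d+\{\d+\}\]"(?P<file>[^"]+)" from store$')

# Constructed sample: the shape of real CBS.log [SR] output, with placeholder names.
SAMPLE_LOG = r"""
2013-06-30 10:45:12, Info                  CSI    0000005a [SR] Verifying 100 (0x0000000000000064) components
2013-06-30 10:45:12, Info                  CSI    0000005b [SR] Beginning Verify and Repair transaction
2013-06-30 10:45:14, Info                  CSI    0000005c [SR] Cannot repair member file [l:20{10}]"sample.dll" of Sample-Component, Version = 6.0.6002.18005, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2013-06-30 10:45:15, Info                  CSI    0000005d [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:20{10}]"other.dll" from store
2013-06-30 10:45:16, Info                  CSI    0000005e [SR] Verify complete
2013-06-30 10:45:20, Info                  CSI    0000005f [SR] Verifying 100 (0x0000000000000064) components
2013-06-30 10:45:21, Info                  CSI    00000060 [SR] Verify complete
"""


def summarize_sr(lines: Iterable[str]) -> Dict[str, object]:
    """Fold the [SR] lines into counts and file lists.  Lines without the [SR] tag are ignored."""
    verified = 0
    unrepairable: Dict[str, str] = {}   # file name -> reason CSI gave (text after the last comma)
    repaired: List[str] = []
    for line in lines:
        m = SR_LINE.match(line.rstrip())
        if not m:
            continue
        msg = m.group("msg")
        v = VERIFYING.match(msg)
        if v:
            verified += int(v.group("n"))
            continue
        c = CANNOT_REPAIR.match(msg)
        if c:
            unrepairable[c.group("file")] = msg.rsplit(", ", 1)[-1]
            continue
        r = REPAIRING.match(msg)
        if r:
            repaired.append(r.group("file"))
    return {
        "verified": verified,
        "repaired": repaired,
        "unrepairable": unrepairable,
        "needs_attention": bool(unrepairable),   # sfc could not fix these on its own
    }


def summarize_cbs_log(path: str = r"C:\Windows\Logs\CBS\CBS.log") -> Dict[str, object]:
    """Read a real CBS.log; the file is large, so only [SR] lines are handed to the parser."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return summarize_sr(line for line in fh if "[SR]" in line)


if __name__ == "__main__":
    s = summarize_sr(SAMPLE_LOG.splitlines())
    print(f"components verified: {s['verified']}")
    print(f"repaired from store: {s['repaired']}")
    for name, reason in s["unrepairable"].items():
        print(f"could not repair {name}: {reason}")
```

Run it against the real log with summarize_cbs_log() after an sfc pass; an empty "unrepairable" map is the outcome the post is hoping for, while entries with "hash mismatch" or "file is missing" are the files sfc needs another source for.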

 

 

 

 


#3 MID1991
  • Topic Starter
  • Members
  • 52 posts

Posted 30 June 2013 - 11:25 AM

It will not let me boot in Safe Mode anymore.  It goes right to Startup Repair.  It is "attempting to repair", "Repairing disk errors, this may take more than an hour to complete".

 

Will let you know what happens



#4 MID1991
  • Topic Starter
  • Members
  • 52 posts

Posted 30 June 2013 - 11:40 AM

Wasn't watching when the "repair" ended.  Not sure if it found or fixed anything.  Prompted me for language and account to log in with and returned me to the Startup Repair menu.  What should I do?



#5 dc3
    Bleeping Treehugger
  • Members
  • 30,608 posts
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.

Posted 30 June 2013 - 12:17 PM

Reboot the computer and see what happens.

 

Do you have the installation disc for your operating system?

 

If not, you can make a recovery disc with the information at this website.  There are full instructions for making the disc and using the recovery console.



 

 

 

 


#6 MID1991
  • Topic Starter
  • Members
  • 52 posts

Posted 30 June 2013 - 12:29 PM

After reboot, goes back into system repair



#7 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,635 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 30 June 2013 - 01:32 PM

Hi and welcome back. Let's give it a try.

Please download Farbar Recovery Scan Tool and save it to a flash drive.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

Plug the flash drive into the infected PC.

If you are using Windows 8, consult How to use the Windows 8 System Recovery Environment Command Prompt to enter the System Recovery Command Prompt.

If you are using Vista or Windows 7, enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language setting, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
To make a repair disc on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

To enter System Recovery Options by using a Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language setting, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
Select Command Prompt.

Once in the Command Prompt:
  • In the command window type in notepad and press Enter.
  • Notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter, and close Notepad.
  • In the command window type e:\frst (for the x64 version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.

 


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#8 MID1991
  • Topic Starter
  • Members
  • 52 posts

Posted 30 June 2013 - 02:20 PM

Hi and Thanks

 

Here are the results

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 30-06-2013 02
Ran by SYSTEM on 30-06-2013 14:12:14
Running from J:\
WIN_VISTA (X86) OS Language: English(US)
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.

==================== Registry (Whitelisted) ==================

ATTENTION: Software hive is not loaded.

HKU\Default\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [ 2007-03-15] (Gteko Ltd.)
HKU\Default User\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [ 2007-03-15] (Gteko Ltd.)
HKU\Mary\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [ 2007-03-15] (Gteko Ltd.)
HKU\Mary\...\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter [x]
HKU\Mary\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [ 2008-01-18] (Microsoft Corporation)
HKU\Mary\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [x]
HKU\Tom\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [ 2007-03-15] (Gteko Ltd.)
HKU\Tom\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [ 2008-01-18] (Microsoft Corporation)
HKU\Tom\...\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter [x]
HKU\Tom\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [x]
HKU\Tom\...\Run: [TivoServer] C:\Program Files\TiVo\Desktop\TiVoServer.exe /service /registry /auto:TivoServer [ 2010-08-24] (TiVo Inc.)
HKU\Tom\...\Run: [TivoTransfer] C:\Program Files\TiVo\Desktop\TiVoTransfer.exe [ 2010-08-24] (TiVo Inc.)
HKU\Tom\...\Run: [TivoNotify] C:\Program Files\TiVo\Desktop\TiVoNotify.exe /service /registry /auto:TivoNotify [ 2010-08-24] (TiVo Inc.)
HKU\Tom\...\Run: [TranscodingService] C:\Program Files\TiVo\Desktop\Plus\\TranscodingService.exe [ 2010-08-24] (TiVo Inc.)
HKU\UpdatusUser\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [ 2007-03-15] (Gteko Ltd.)
Startup: C:\ProgramData\Start Menu\Programs\Startup\APC UPS Status.lnk
ShortcutTarget: APC UPS Status.lnk -> C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe (American Power Conversion Corporation)
Startup: C:\ProgramData\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\hp\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Users\Mary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Event Planner Reminder.lnk
ShortcutTarget: Event Planner Reminder.lnk -> C:\Program Files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe (Creative Home)

========================== Services (Whitelisted) =================

S3 123MediaStreamer; C:\Program Files\123CopyDVDPlatinum 2012\MediaStreamerService.exe [48128 2012-10-24] (Microsoft)
S2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269; C:\Program Files\Roxio\BackOnTrack\App\SaibSVC.exe [457200 2009-06-02] ()
S2 AlertService; C:\Program Files\Intel\IntelDH\CCU\AlertService.exe [195032 2006-11-18] (Intel® Corporation)
S2 APC UPS Service; C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe [689672 2007-02-27] (American Power Conversion Corporation)
S2 BOT4Service; C:\Program Files\Roxio\BackOnTrack\App\BService.exe [39408 2010-09-13] ()
S2 Creative Labs Licensing Service; C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe [72704 2007-08-28] (Creative Labs)
S2 Creative Service for CDROM Access; C:\Windows\system32\CTsvcCDA.exe [44032 1999-12-13] (Creative Technology Ltd)
S2 DQLWinService; C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [208896 2006-10-29] ()
S3 DSBrokerService; C:\Program Files\DellSupport\brkrsvc.exe [70656 2007-03-19] ()
S3 GoogleDesktopManager-093009-130223; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [30192 2009-11-02] (Google)
S2 ISSM; C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe [81880 2006-11-18] (Intel® Corporation)
S2 M1 Server; C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe [32216 2006-11-18] ()
S2 MCLServiceATL; C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe [174552 2006-11-18] (Intel® Corporation)
S3 MSSQL$MSSMLBIZ; c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [29293408 2010-12-10] (Microsoft Corporation)
S2 N360; C:\Program Files\Norton 360\Engine\20.4.0.40\diMaster.dll [556336 2013-05-29] (Symantec Corporation)
S2 pcServiceHost; C:\Program Files\Common Files\Motive\pcServiceHost.exe [342528 2013-02-25] (Alcatel-Lucent)
S2 Remote UI Service; C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe [550872 2006-11-18] (Intel® Corporation)
S3 RoxMediaDB13; C:\Program Files\Common Files\Roxio Shared\13.0\SharedCOM\RoxMediaDB13.exe [1099248 2010-07-16] (Sonic Solutions)
S2 RoxWatch12; C:\Program Files\Common Files\Roxio Shared\13.0\SharedCOM\RoxWatch13.exe [354288 2010-07-16] (Sonic Solutions)
S2 STacSV; C:\Windows\system32\STacSV.exe [94208 2007-07-09] (SigmaTel, Inc.)
S4 TivoBeacon2; C:\Program Files\TiVo\Desktop\TiVoBeacon.exe [1104656 2010-08-24] (TiVo Inc.)
S4 clr_optimization_v2.0.50727_32; %systemroot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [x]
S2 sprtsvc_dellsupportcenter; C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service /p dellsupportcenter [x]

==================== Drivers (Whitelisted) ====================

S1 BHDrvx86; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.1.22\Definitions\BASHDefs\20130620.001\BHDrvx86.sys [1002072 2013-05-31] (Symantec Corporation)
S1 ccSet_N360; C:\Windows\system32\drivers\N360\1404000.028\ccSetx86.sys [134744 2013-04-15] (Symantec Corporation)
S3 DSproct; C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys [4736 2006-10-05] (Gteko Ltd.)
S1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2012-08-08] (Symantec Corporation)
S3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106656 2012-08-08] (Symantec Corporation)
S1 IDSVix86; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.1.22\Definitions\IPSDefs\20130625.001\IDSvix86.sys [386720 2013-06-05] (Symantec Corporation)
S3 IntelDH; C:\Windows\System32\Drivers\IntelDH.sys [5504 2007-08-28] (Intel Corporation)
S3 MREMP50; C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [21248 2013-02-25] (Printing Communications Assoc., Inc. (PCAUSA))
S3 MRESP50; C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [20096 2013-02-25] (Printing Communications Assoc., Inc. (PCAUSA))
S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.1.22\Definitions\VirusDefs\20130626.002\NAVENG.SYS [93272 2013-06-06] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.3.1.22\Definitions\VirusDefs\20130626.002\NAVEX15.SYS [1611992 2013-06-06] (Symantec Corporation)
S3 NetgearUDSMBus; C:\Windows\System32\drivers\NetgearUDSMBus.sys [92032 2012-08-10] (Windows ® Codename Longhorn DDK provider)
S3 NetgearUDSTcpBus; C:\Windows\System32\drivers\NetgearUDSTcpBus.sys [153600 2012-08-10] (Windows ® Codename Longhorn DDK provider)
S2 nmsgopro; C:\Windows\System32\DRIVERS\nmsgopro.sys [28672 2006-09-27] (Gteko Ltd.)
S2 nmsunidr; C:\Windows\System32\DRIVERS\nmsunidr.sys [7424 2006-10-19] (Gteko Ltd.)
S3 SRTSP; C:\Windows\System32\Drivers\N360\1404000.028\SRTSP.SYS [603224 2013-05-15] (Symantec Corporation)
S1 SRTSPX; C:\Windows\system32\drivers\N360\1404000.028\SRTSPX.SYS [32344 2013-03-04] (Symantec Corporation)
S3 STHDA; C:\Windows\System32\drivers\stwrt.sys [326656 2007-07-09] (SigmaTel, Inc.)
S0 SymDS; C:\Windows\System32\drivers\N360\1404000.028\SYMDS.SYS [367704 2013-05-20] (Symantec Corporation)
S0 SymEFA; C:\Windows\System32\drivers\N360\1404000.028\SYMEFA.SYS [934488 2013-05-22] (Symantec Corporation)
S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [142496 2013-06-17] (Symantec Corporation)
S1 SymIRON; C:\Windows\system32\drivers\N360\1404000.028\Ironx86.SYS [175264 2013-03-04] (Symantec Corporation)
S1 SYMTDIv; C:\Windows\System32\Drivers\N360\1404000.028\SYMTDIV.SYS [352344 2013-04-24] (Symantec Corporation)
S3 TSHWMDTCP; C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.sys [18904 2006-11-18] ()
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [x]
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [x]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [x]
S3 Ntfs; No ImagePath
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
S3 SDDMI2; \??\C:\Windows\system32\DDMI2.sys [x]
S3 SYMFW; \SystemRoot\System32\Drivers\N360\0308000.029\SYMFW.SYS [x]
S3 SYMNDISV; \SystemRoot\System32\Drivers\N360\0308000.029\SYMNDISV.SYS [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-06-30 14:12 - 2013-06-30 14:12 - 00000000 ____D C:\FRST
2013-06-29 19:12 - 2013-06-29 19:12 - 00000000 ____D C:\Windows\LastGood
2013-06-29 17:01 - 2013-06-29 17:01 - 00000000 ____D C:\Windows\LastGood.Tmp
2013-06-13 14:27 - 2013-06-13 14:27 - 00000908 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-06-13 14:27 - 2013-06-13 14:27 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-06-13 14:27 - 2013-04-04 11:50 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-06-13 00:17 - 2013-05-16 15:08 - 12329984 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-06-13 00:17 - 2013-05-16 14:49 - 09738752 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-06-13 00:17 - 2013-05-16 14:39 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-06-13 00:17 - 2013-05-16 14:28 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-06-13 00:17 - 2013-05-16 14:28 - 01104384 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-06-13 00:17 - 2013-05-16 14:27 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-06-13 00:17 - 2013-05-16 14:26 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-06-13 00:17 - 2013-05-16 14:23 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-06-13 00:17 - 2013-05-16 14:21 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-06-13 00:17 - 2013-05-16 14:21 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-06-13 00:17 - 2013-05-16 14:20 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-06-13 00:17 - 2013-05-16 14:19 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-06-13 00:17 - 2013-05-16 14:17 - 01796096 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-06-13 00:17 - 2013-05-16 14:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-06-13 00:17 - 2013-05-16 14:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-06-13 00:17 - 2013-05-16 14:12 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-06-12 04:51 - 2013-05-07 20:37 - 00905576 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-06-12 04:51 - 2013-05-02 14:03 - 03603832 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2013-06-12 04:51 - 2013-05-02 14:03 - 03551096 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-06-12 04:51 - 2013-05-01 20:04 - 00443904 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2013-06-12 04:51 - 2013-05-01 20:03 - 00037376 ____A (Microsoft Corporation) C:\Windows\System32\printcom.dll
2013-06-12 04:51 - 2013-04-23 20:00 - 00985600 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2013-06-12 04:51 - 2013-04-23 20:00 - 00133120 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2013-06-12 04:51 - 2013-04-23 20:00 - 00098304 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2013-06-12 04:51 - 2013-04-23 20:00 - 00041984 ____A (Microsoft Corporation) C:\Windows\System32\certenc.dll
2013-06-12 04:51 - 2013-04-23 17:46 - 00812544 ____A (Microsoft Corporation) C:\Windows\System32\certutil.exe
2013-06-12 04:51 - 2013-04-17 04:30 - 00024576 ____A (Microsoft Corporation) C:\Windows\System32\cryptdlg.dll
2013-06-11 13:50 - 2013-06-11 13:50 - 00000000 ____D C:\Program Files\NETGEAR
2013-06-10 06:25 - 2013-06-10 06:25 - 00101107 ____A C:\Users\Tom\Desktop\xfer.xps
2013-06-08 09:52 - 2013-06-08 09:52 - 09108001 ____A C:\Users\Tom\Desktop\R6300-V1.0.2.38_1.0.33.zip
2013-06-08 09:38 - 2013-06-08 09:38 - 00065560 ____A C:\Users\Tom\Desktop\NETGEAR_R6300.cfg
2013-06-06 11:18 - 2013-06-06 11:19 - 00000000 ____D C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-06-06 11:18 - 2013-06-06 11:19 - 00000000 ____D C:\Program Files\iTunes
2013-06-06 10:10 - 2013-03-04 18:14 - 00036512 ___RA (Symantec Corporation) C:\Windows\System32\Drivers\SymIMV.sys
2013-06-02 19:41 - 2013-06-02 19:42 - 00000000 ____D C:\Program Files\QuickTime

==================== One Month Modified Files and Folders ========

2013-06-30 14:12 - 2013-06-30 14:12 - 00000000 ____D C:\FRST
2013-06-30 07:02 - 2007-08-28 14:42 - 00000000 ____D C:\ProgramData\Sonic
2013-06-30 07:02 - 2006-11-02 05:00 - 00032638 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-06-30 07:01 - 2007-09-13 16:59 - 00000000 ____D C:\ProgramData\NVIDIA
2013-06-30 07:01 - 2006-11-02 05:00 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-30 07:01 - 2006-11-02 04:46 - 00003552 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-06-30 07:01 - 2006-11-02 04:46 - 00003552 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-06-29 19:55 - 2012-10-07 09:46 - 00002061 ____A C:\Users\Public\Desktop\Norton 360.lnk
2013-06-29 19:12 - 2013-06-29 19:12 - 00000000 ____D C:\Windows\LastGood
2013-06-29 17:01 - 2013-06-29 17:01 - 00000000 ____D C:\Windows\LastGood.Tmp
2013-06-29 16:59 - 2006-11-02 04:59 - 00681822 ____A C:\Windows\PFRO.log
2013-06-26 06:02 - 2007-08-28 14:26 - 01243707 ____A C:\Windows\WindowsUpdate.log
2013-06-25 23:27 - 2008-11-02 14:19 - 00000680 ____A C:\Users\Tom\AppData\Local\d3d9caps.dat
2013-06-25 13:03 - 2005-08-28 16:56 - 00000000 ____D C:\Users\Tom\Documents\mail
2013-06-23 15:35 - 2012-04-07 04:08 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-06-23 15:21 - 2009-11-07 19:43 - 00000880 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-06-23 08:40 - 2009-03-25 12:53 - 00000868 ____A C:\Windows\Tasks\Google Software Updater.job
2013-06-22 20:21 - 2009-11-07 19:43 - 00000876 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-06-21 16:43 - 2011-01-28 17:43 - 00001070 ____A C:\Windows\Tasks\Roxio PhotoShow Updater.job
2013-06-18 18:03 - 2009-08-22 08:31 - 00000000 ____D C:\Users\Tom\AppData\Roaming\HpUpdate
2013-06-18 17:03 - 2011-12-28 17:09 - 00000000 ____D C:\Users\Tom\Desktop\Discover
2013-06-18 02:10 - 2006-11-02 02:33 - 00827398 ____A C:\Windows\System32\PerfStringBackup.INI
2013-06-17 14:33 - 2010-02-21 13:19 - 00142496 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT.SYS
2013-06-17 14:33 - 2010-02-21 13:19 - 00007611 ____A C:\Windows\System32\Drivers\SYMEVENT.CAT
2013-06-15 18:31 - 2010-02-21 13:17 - 00000000 ____D C:\Windows\System32\Drivers\N360
2013-06-13 14:27 - 2013-06-13 14:27 - 00000908 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-06-13 14:27 - 2013-06-13 14:27 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-06-13 00:59 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\rescache
2013-06-13 00:21 - 2007-08-28 14:46 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-06-13 00:11 - 2006-11-02 02:24 - 73381792 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2013-06-11 13:51 - 2007-09-03 09:43 - 00000000 ____D C:\users\Tom
2013-06-11 13:50 - 2013-06-11 13:50 - 00000000 ____D C:\Program Files\NETGEAR
2013-06-11 13:50 - 2013-01-05 11:47 - 00002005 ____A C:\Users\Public\Desktop\NETGEAR USB Control Center.lnk
2013-06-11 13:35 - 2012-04-07 04:08 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2013-06-11 13:35 - 2011-05-15 08:32 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2013-06-10 06:25 - 2013-06-10 06:25 - 00101107 ____A C:\Users\Tom\Desktop\xfer.xps
2013-06-08 09:59 - 2012-09-07 13:32 - 00000000 ____D C:\Users\Tom\Desktop\Chase Visa
2013-06-08 09:56 - 2010-07-05 14:02 - 00000000 ____D C:\Users\Tom\Desktop\Amex Optima
2013-06-08 09:52 - 2013-06-08 09:52 - 09108001 ____A C:\Users\Tom\Desktop\R6300-V1.0.2.38_1.0.33.zip
2013-06-08 09:38 - 2013-06-08 09:38 - 00065560 ____A C:\Users\Tom\Desktop\NETGEAR_R6300.cfg
2013-06-06 11:19 - 2013-06-06 11:18 - 00000000 ____D C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-06-06 11:19 - 2013-06-06 11:18 - 00000000 ____D C:\Program Files\iTunes
2013-06-06 11:19 - 2012-09-15 08:11 - 00001666 ____A C:\Users\Public\Desktop\iTunes.lnk
2013-06-06 11:18 - 2007-09-18 17:56 - 00000000 ____D C:\Program Files\Common Files\Apple
2013-06-06 11:18 - 2007-09-18 17:37 - 00000000 ____D C:\Program Files\iPod
2013-06-06 10:15 - 2010-02-21 13:17 - 00000000 ____D C:\ProgramData\Norton
2013-06-06 10:02 - 2010-02-21 13:18 - 00000000 ____D C:\Program Files\Symantec
2013-06-02 19:42 - 2013-06-02 19:41 - 00000000 ____D C:\Program Files\QuickTime

==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: <===== ATTENTION!
HKLM\...\exefile\DefaultIcon:  <===== ATTENTION!
HKLM\...\exefile\open\command:  <===== ATTENTION!

==================== Restore Points  =========================

==================== Memory info ===========================

Percentage of memory in use: 22%
Total physical RAM: 4029.14 MB
Available physical RAM: 3140.69 MB
Total Pagefile: 3898.63 MB
Available Pagefile: 3125.66 MB
Total Virtual: 2047.88 MB
Available Virtual: 1972.51 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:455.71 GB) (Free:94.78 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive j: () (Removable) (Total:7.49 GB) (Free:7.33 GB) FAT32
Drive x: (RECOVERY) (Fixed) (Total:10 GB) (Free:5.45 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 466 GB) (Disk ID: 38000000)
Partition 1: (Not Active) - (Size=55 MB) - (Type=DE)
Partition 2: (Not Active) - (Size=10 GB) - (Type=07 NTFS)
Partition 3: (Active) - (Size=456 GB) - (Type=07 NTFS)

========================================================
Disk: 5 (Size: 8 GB) (Disk ID: 00000000)
Partition 1: (Active) - (Size=8 GB) - (Type=0B)

LastRegBack: 2013-06-25 23:20

==================== End Of Log ============================



#9 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,635 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 30 June 2013 - 04:49 PM

Seems that the software hive of the registry is not loading. Let's replace the registry with its backup.

Download the enclosed file.

Save it next to FRST. Run FRST as you did before, except that this time around click on the Fix button and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Attempt to boot in Normal Mode and let me know the outcome.

 




#10 MID1991
  • Topic Starter
  • Members
  • 52 posts

Posted 30 June 2013 - 05:16 PM

Normal boot returned me to Startup Repair.

 

here is the log

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 30-06-2013 02
Ran by SYSTEM at 2013-06-30 17:12:33 Run:1
Running from J:\
Boot Mode: Recovery

==============================================

DEFAULT hive was successfully copied to System32\config\HiveBackup
DEFAULT hive was successfully restored from registry back up.
SAM hive was successfully copied to System32\config\HiveBackup
SAM hive was successfully restored from registry back up.
SECURITY hive was successfully copied to System32\config\HiveBackup
SECURITY hive was successfully restored from registry back up.
Could not copy SOFTWARE hive.
Could not restore SOFTWARE hive from registry back up.
SYSTEM hive was successfully copied to System32\config\HiveBackup
SYSTEM hive was successfully restored from registry back up.

==== End of Fixlog ====



#11 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,635 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 30 June 2013 - 06:01 PM

Let's try that again.

Download the enclosed file.

Save it next to FRST. Run FRST as you did before, except that this time around click on the Fix button and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Attempt to boot in Normal Mode and let me know the outcome.

 

 




#12 MID1991
  • Topic Starter
  • Members
  • 52 posts

Posted 30 June 2013 - 06:16 PM

Normal boot again returned me to Startup Repair.

 

here is the log

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 30-06-2013 02
Ran by SYSTEM at 2013-06-30 18:12:45 Run:2
Running from J:\
Boot Mode: Recovery

==============================================

permissions for "C:\WINDOWS\System32\config\software" were reset successfully
DEFAULT hive was successfully copied to System32\config\HiveBackup
DEFAULT hive was successfully restored from registry back up.
SAM hive was successfully copied to System32\config\HiveBackup
SAM hive was successfully restored from registry back up.
SECURITY hive was successfully copied to System32\config\HiveBackup
SECURITY hive was successfully restored from registry back up.
Could not copy SOFTWARE hive.
Could not restore SOFTWARE hive from registry back up.
SYSTEM hive was successfully copied to System32\config\HiveBackup
SYSTEM hive was successfully restored from registry back up.

==== End of Fixlog ====



#13 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,635 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 30 June 2013 - 06:24 PM

Run FRST as you did before.

Type the following in the edit box on FRST, after "Search:".

software

It then should look like:

Search: software

Click the Search button and post the log (Search.txt) it makes on the USB drive in your next reply.




#14 MID1991
  • Topic Starter
  • Members
  • 52 posts

Posted 30 June 2013 - 06:40 PM

Here you go

 

Farbar Recovery Scan Tool (x86) Version: 30-06-2013 02
Ran by SYSTEM at 2013-06-30 18:31:22
Running from D:\
Boot Mode: Recovery

================== Search: "software" ===================

C:\Windows\System32\config\software
[2006-11-02 02:22] - [2013-06-30 18:24] - 70254592 ____A () D41D8CD98F00B204E9800998ECF8427E

C:\Windows\System32\config\RegBack\SOFTWARE
[2006-11-02 04:46] - [2013-06-25 23:20] - 69877760 ____A () 2E5B5E4A21B91C1C0DAAF76D03074380

=== End Of Search ===
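A closer look at the search result in the post above, as an added note and example rather than anything posted in the thread: D41D8CD98F00B204E9800998ECF8427E is the MD5 of zero bytes, so whatever FRST managed to read from the live C:\Windows\System32\config\software hashed as nothing at all even though the listing reports it as 70,254,592 bytes, which fits the two Fixlogs that could neither copy nor restore the SOFTWARE hive, while the RegBack copy from 2013-06-25 hashes normally. The script below, which is not FRST's code, checks hive files offline (from a recovery command prompt or a mounted image): it hashes each file, flags the empty-file hash, and validates the 'regf' base block, whose primary and secondary sequence numbers are equal only when the last write completed and whose checksum at offset 508 is the XOR of the preceding 127 DWORDs. A hive left dirty by a power cut, the scenario in the first post, fails the sequence-number check. The hives built by make_sample_hive() are constructed data; HIVE_NAMES and the config\RegBack\ layout are taken from the paths in this thread.

```python
"""Offline sanity check for Windows registry hive files (SOFTWARE, SYSTEM, ...).

Added example for this thread, not FRST's code.  The base-block layout follows the
public 'regf' format: 'regf' at offset 0, primary/secondary sequence numbers at 4
and 8, file type at 0x1C, XOR-32 checksum of the first 508 bytes at offset 508.
"""
import hashlib
import struct
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List, Tuple

EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"  # MD5 of zero bytes, the value FRST showed
BASE_BLOCK = 4096                               # the base block is the first 4 KiB of a hive
HIVE_NAMES = ("DEFAULT", "SAM", "SECURITY", "SOFTWARE", "SYSTEM")


@dataclass
class HiveReport:
    path: str
    size: int
    md5: str
    findings: List[str] = field(default_factory=list)  # empty means the base block looks sound

    @property
    def ok(self) -> bool:
        return not self.findings


def regf_checksum(base_block: bytes) -> int:
    """XOR-32 of the 127 little-endian DWORDs that precede the checksum field at offset 508.
    Windows remaps the two reserved results: 0xFFFFFFFF -> 0xFFFFFFFE and 0 -> 1."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:508]):
        x ^= dword
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return x or 1


def check_hive(data: bytes, path: str = "<bytes>") -> HiveReport:
    """Validate the base block of one hive image and hash the whole file."""
    report = HiveReport(path, len(data), hashlib.md5(data).hexdigest())
    if not data:
        report.findings.append("no data read: the MD5 is the hash of zero bytes")
        return report
    if len(data) < BASE_BLOCK:
        report.findings.append(f"only {len(data)} bytes, shorter than the 4096-byte base block")
        return report
    hdr = data[:BASE_BLOCK]
    if hdr[:4] != b"regf":
        report.findings.append("missing 'regf' signature at offset 0")
        return report
    primary, secondary = struct.unpack_from("<II", hdr, 4)
    if primary != secondary:
        report.findings.append(
            f"dirty hive: primary sequence {primary} != secondary sequence {secondary} "
            "(the last write never completed; recover from the transaction log or RegBack)")
    stored = struct.unpack_from("<I", hdr, 508)[0]
    expected = regf_checksum(hdr)
    if stored != expected:
        report.findings.append(f"base block checksum 0x{stored:08x} != computed 0x{expected:08x}")
    file_type = struct.unpack_from("<I", hdr, 0x1C)[0]
    if file_type != 0:
        report.findings.append(f"file type {file_type} is not a primary hive file (0)")
    return report


def check_hive_file(path) -> HiveReport:
    """Like check_hive(), but an unreadable file is itself reported as a finding."""
    p = Path(path)
    try:
        data = p.read_bytes()
    except OSError as exc:
        return HiveReport(str(p), -1, EMPTY_MD5, [f"cannot read: {exc}"])
    return check_hive(data, str(p))


def compare_with_regback(config_dir) -> Dict[str, Tuple[HiveReport, HiveReport]]:
    """Check each live hive in config\\ next to its copy in config\\RegBack\\,
    the layout FRST's search showed on this machine."""
    config_dir = Path(config_dir)
    return {name: (check_hive_file(config_dir / name),
                   check_hive_file(config_dir / "RegBack" / name))
            for name in HIVE_NAMES}


def make_sample_hive(primary: int, secondary: int, *, bad_checksum: bool = False) -> bytes:
    """Constructed sample data: a minimal base block plus one empty 4 KiB hive bin.
    Only the fields check_hive() inspects are realistic."""
    hdr = bytearray(BASE_BLOCK)
    hdr[0:4] = b"regf"
    struct.pack_into("<II", hdr, 4, primary, secondary)
    struct.pack_into("<IIII", hdr, 0x14, 1, 3, 0, 1)      # major 1, minor 3, primary file, direct format
    struct.pack_into("<III", hdr, 0x24, 0x20, 0x1000, 1)  # root cell offset, hbin data size, clustering
    name = "\\System32\\Config\\SOFTWARE".encode("utf-16-le")
    hdr[0x30:0x70] = name[:64].ljust(64, b"\0")
    cs = regf_checksum(hdr)
    struct.pack_into("<I", hdr, 508, cs ^ 0xDEADBEEF if bad_checksum else cs)
    hbin = bytearray(0x1000)
    hbin[0:4] = b"hbin"
    struct.pack_into("<II", hbin, 4, 0, 0x1000)            # offset of this bin, size of this bin
    return bytes(hdr + hbin)


if __name__ == "__main__":
    samples = {
        "clean": make_sample_hive(7, 7),
        "dirty": make_sample_hive(8, 7),
        "badsum": make_sample_hive(7, 7, bad_checksum=True),
        "unreadable": b"",
    }
    for label, blob in samples.items():
        r = check_hive(blob, label)
        print(f"{label:10s} size={r.size:5d} md5={r.md5}  {'OK' if r.ok else '; '.join(r.findings)}")
```

On a real system, point compare_with_regback() at the offline Windows\System32\config directory (for example from a Linux live CD or a second Windows install; Windows holds the live hives open, so the checks must run with the OS that owns them shut down). A live hive that cannot be read or fails the base-block checks while its RegBack copy passes is exactly the case where swapping the backup in is the right call.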



#15 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,635 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 30 June 2013 - 06:48 PM

Let me attempt to rename that file first.

 

Download the enclosed file.

 

Save it next to FRST. Run FRST as you did before, except that this time around click on the Fix button and wait.

 

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

 

 

 

 






