Black Screen with Mouse cursor only in both normal and safe mode


16 replies to this topic

#1 pain995

Posted 30 January 2014 - 03:44 PM

I have been going crazy with these types of issues. Windows 7 boots to a black screen with a mouse cursor that I can move. However, I cannot boot into Windows normally or in safe mode. Things I have tried that have been unsuccessful are:

 

  • System repair from OS disk
  • System restore (no restore points)
  • ChkDsk
  • Virus scans from Hiren's boot disk
  • FixBoot and FixMBR
  • Last Known Good Configuration
  • Command prompt from OS disk and checked HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon: Shell value = Explorer.exe and Userinit value = C:\WINDOWS\system32\userinit.exe
  • Malwarebytes PE boot disk

I'm sure I'm missing other things I have tried. The only time I have been able to resolve these without reimaging is when there was a restore point. I really need to figure out what I'm not doing before I end up losing it haha.

 

Thanks for any help you can provide.

 




#2 boopme

Posted 30 January 2014 - 08:51 PM

I will ask another that handles these non-booters to look here.

#3 Elise

Posted 31 January 2014 - 03:10 AM

Hi pain995
  • Please download Farbar Recovery Scan Tool and save it to a flash drive.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

    Plug the flashdrive into the infected PC.
  • If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    Note: In case you can not enter System Recovery Options by using F8 method, you can use Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
    To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html



    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt


    Select Command Prompt
  • Once in the Command Prompt:
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#4 pain995

Posted 31 January 2014 - 08:32 AM

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 29-01-2014 01
Ran by SYSTEM on MININT-6IM89P3 on 31-01-2014 08:29:23
Running from F:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
 
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [1266912 2013-10-23] (Microsoft Corporation)
HKLM-x32\...\Run: [IAStorIcon] - C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-06-08] (Intel Corporation)
HKLM-x32\...\Run: [Dell Webcam Central] - C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe [409744 2009-06-24] (Creative Technology Ltd)
HKLM-x32\...\Run: [] - [x]
HKLM-x32\...\Run: [GrooveMonitor] - C:\Program Files (x86)\Microsoft Office 2007\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254696 2011-06-09] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [DATAMNGR] - C:\Program Files (x86)\Search Results Toolbar\Datamngr\datamngrUI.exe [1683608 2012-12-26] (Bandoo Media Inc)
HKLM-x32\...\Run: [Sophos AutoUpdate Monitor] - C:\Program Files (x86)\Sophos\AutoUpdate\almon.exe [439536 2010-09-21] (Sophos Plc)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [843712 2012-04-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-08-27] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [421776 2012-09-09] (Apple Inc.)
HKLM-x32\...\Run: [InboxToolbar] - "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /STARTUP
HKLM\...\RunOnce: [*WerKernelReporting] - %SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq [415232 2009-07-13] (Microsoft Corporation)
HKLM\...\RunOnce: [*Restore] - C:\Windows\system32\rstrui.exe /RUNONCE [296960 2009-07-13] (Microsoft Corporation)
HKLM-x32\...\RunOnce: [Launcher] - C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe [163040 2010-08-11] (Softthinks)
HKLM-x32\...\RunOnce: [DSUpdateLauncher] - "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe" /NOCONSOLE /D="C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate" /RUNAS "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe" [161088 2010-07-21] ()
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\Katie\...\Run: [Skype] - C:\Program Files (x86)\Skype\Phone\Skype.exe [17418928 2012-07-13] (Skype Technologies S.A.)
HKU\Katie\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2011-02-15] (Google Inc.)
HKU\Katie\...\Run: [Facebook Update] - C:\Users\Katie\AppData\Local\Facebook\Update\FacebookUpdate.exe [138096 2012-07-11] (Facebook Inc.)
HKU\Katie\...\Run: [Spotify Web Helper] - C:\Users\Katie\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1168896 2013-12-04] (Spotify Ltd)
HKU\Katie\...\Run: [Spotify] - C:\Users\Katie\AppData\Roaming\Spotify\Spotify.exe [5951488 2013-12-04] (Spotify Ltd)
HKU\Katie\...\Run: [AGupdate] - C:\Program Files (x86)\AppGraffiti\AGupdate.exe [894048 2013-03-19] (Omega Partners Ltd)
AppInit_DLLs: C:\PROGRA~3\Wincert\WIN64C~1.DLL => C:\ProgramData\Wincert\win64cert.dll [8704 2012-12-20] ()
AppInit_DLLs: C:\PROGRA~2\SEARCH~2\Datamngr\x64\datamngr.dll => C:\Program Files (x86)\Search Results Toolbar\Datamngr\x64\datamngr.dll [2018824 2012-12-26] (Bandoo Media Inc)
AppInit_DLLs: C:\PROGRA~2\SEARCH~2\Datamngr\x64\IEBHO.dll => C:\Program Files (x86)\Search Results Toolbar\Datamngr\x64\IEBHO.dll [1531400 2012-12-26] (Bandoo Media Inc)
AppInit_DLLs: C:\PROGRA~2\SEARCH~1\SEARCH~1\x64\datamngr.dll => C:\Program Files (x86)\SearchCore for Browsers\SearchCore for Browsers\x64\datamngr.dll [1778584 2011-09-27] (Bandoo Media, inc)
AppInit_DLLs: C:\PROGRA~2\SEARCH~1\SEARCH~1\x64\IEBHO.dll => C:\Program Files (x86)\SearchCore for Browsers\SearchCore for Browsers\x64\IEBHO.dll [1790872 2011-09-27] (Bandoo Media, inc)
AppInit_DLLs: C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~2.DLL => C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sophos_detoured_x64.dll [241136 2011-10-13] (Sophos Plc)
AppInit_DLLs-x32: C:\PROGRA~3\Wincert\WIN32C~1.DLL => C:\ProgramData\Wincert\win32cert.dll [7168 2012-12-20] ()
AppInit_DLLs-x32: C:\PROGRA~2\SEARCH~2\Datamngr\datamngr.dll => C:\Program Files (x86)\Search Results Toolbar\Datamngr\datamngr.dll [1540248 2012-12-26] (Bandoo Media Inc)
AppInit_DLLs-x32: C:\PROGRA~2\SEARCH~2\Datamngr\IEBHO.dll => C:\Program Files (x86)\Search Results Toolbar\Datamngr\IEBHO.dll [1189384 2012-12-26] (Bandoo Media Inc)
AppInit_DLLs-x32: C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~1.DLL => C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sophos_detoured.dll [234408 2011-10-13] (Sophos Plc)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
 
==================== Services (Whitelisted) =================
 
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.130\McCHSvc.exe [288776 2013-09-06] (McAfee, Inc.)
S3 Microsoft Office Groove Audit Service; C:\Program Files (x86)\Microsoft Office 2007\Office12\GrooveAuditService.exe [64856 2009-02-26] (Microsoft Corporation)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2013-10-23] (Microsoft Corporation)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2010-03-05] ()
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [348376 2013-10-23] (Microsoft Corporation)
S2 SAVAdminService; C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe [163056 2010-10-08] (Sophos Plc)
S2 SAVService; C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe [97520 2010-06-04] (Sophos Plc)
S2 Sophos AutoUpdate Service; C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe [232472 2012-04-11] (Sophos Plc)
S2 swi_service; C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [1543704 2012-02-21] (Sophos Plc)
 
==================== Drivers (Whitelisted) ====================
 
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [248240 2013-09-27] (Microsoft Corporation)
S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [134944 2013-09-27] (Microsoft Corporation)
S1 SAVOnAccess; C:\Windows\System32\DRIVERS\savonaccess.sys [142328 2010-10-08] (Sophos Plc)
S4 SophosBootDriver; C:\Windows\System32\DRIVERS\SophosBootDriver.sys [25608 2009-02-09] (Sophos Plc)
S2 {1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7}; C:\Program Files (x86)\CyberLink\PowerDVD DX\000.fcl [146928 2009-12-29] (CyberLink Corp.)
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-01-31 08:28 - 2014-01-31 08:29 - 00000000 ____D C:\FRST
2014-01-30 07:05 - 2014-01-30 07:05 - 05177551 ____R (Swearware) C:\ComboFix.exe
2014-01-26 09:55 - 2014-01-26 09:55 - 00460104 _____ C:\Windows\Minidump\012614-29000-01.dmp
2014-01-25 15:15 - 2014-01-25 15:15 - 00460096 _____ C:\Windows\Minidump\012514-29702-01.dmp
2014-01-24 12:20 - 2014-01-24 12:20 - 00460096 _____ C:\Windows\Minidump\012414-29702-01.dmp
2014-01-21 15:22 - 2014-01-21 15:22 - 00460096 _____ C:\Windows\Minidump\012114-30279-01.dmp
2014-01-21 10:22 - 2014-01-21 10:22 - 00460112 _____ C:\Windows\Minidump\012114-29468-01.dmp
2014-01-20 10:35 - 2014-01-20 10:35 - 00460096 _____ C:\Windows\Minidump\012014-28875-01.dmp
2014-01-20 09:53 - 2014-01-20 09:53 - 00279616 _____ C:\Windows\Minidump\012014-28953-01.dmp
2014-01-16 12:42 - 2014-01-16 12:43 - 00020400 _____ C:\Users\Katie\Desktop\Lilly4_2.htm
2014-01-02 08:40 - 2014-01-02 08:40 - 00037376 _____ C:\Windows\System32\kgctciw.iuo
2014-01-02 08:30 - 2014-01-19 10:09 - 00000085 _____ C:\Windows\System32\qqlnul.rip
2014-01-02 08:19 - 2014-01-02 08:40 - 00000102 _____ C:\Windows\System32\ojvsmv.ewk
2014-01-02 08:19 - 2014-01-02 08:19 - 00000064 _____ C:\Windows\System32\yrto.mzy
2014-01-02 08:03 - 2014-01-02 08:03 - 00219314 ____S C:\Windows\System32\hipcir.rno
2014-01-02 00:01 - 2014-01-02 00:01 - 00000000 ____D C:\Windows\System32\SPReview
 
==================== One Month Modified Files and Folders =======
 
2014-01-31 08:29 - 2014-01-31 08:28 - 00000000 ____D C:\FRST
2014-01-30 07:05 - 2014-01-30 07:05 - 05177551 ____R (Swearware) C:\ComboFix.exe
2014-01-29 00:04 - 2013-06-18 15:11 - 00000000 ____D C:\Program Files (x86)\Inbox Toolbar
2014-01-29 00:04 - 2013-01-13 18:06 - 00000000 ____D C:\Program Files (x86)\Shopping Sidekick Plugin
2014-01-26 09:55 - 2014-01-26 09:55 - 00460104 _____ C:\Windows\Minidump\012614-29000-01.dmp
2014-01-26 09:54 - 2013-02-16 14:00 - 321249252 _____ C:\Windows\MEMORY.DMP
2014-01-25 15:15 - 2014-01-25 15:15 - 00460096 _____ C:\Windows\Minidump\012514-29702-01.dmp
2014-01-24 12:20 - 2014-01-24 12:20 - 00460096 _____ C:\Windows\Minidump\012414-29702-01.dmp
2014-01-21 15:22 - 2014-01-21 15:22 - 00460096 _____ C:\Windows\Minidump\012114-30279-01.dmp
2014-01-21 10:22 - 2014-01-21 10:22 - 00460112 _____ C:\Windows\Minidump\012114-29468-01.dmp
2014-01-20 10:35 - 2014-01-20 10:35 - 00460096 _____ C:\Windows\Minidump\012014-28875-01.dmp
2014-01-20 09:53 - 2014-01-20 09:53 - 00279616 _____ C:\Windows\Minidump\012014-28953-01.dmp
2014-01-20 08:53 - 2012-10-31 07:03 - 00000000 ____D C:\Users\Katie\AppData\Roaming\Spotify
2014-01-20 08:51 - 2011-02-15 16:39 - 00000892 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-01-20 08:51 - 2011-02-14 16:12 - 00000000 ____D C:\Users\Katie\AppData\Local\SoftThinks
2014-01-20 08:51 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2014-01-20 08:51 - 2009-07-13 20:51 - 00063872 _____ C:\Windows\setupact.log
2014-01-20 08:49 - 2012-10-31 07:05 - 00000000 ____D C:\Users\Katie\AppData\Local\Spotify
2014-01-19 10:14 - 2012-08-20 02:56 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-01-19 10:13 - 2011-02-15 16:39 - 00000896 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-01-19 10:09 - 2014-01-02 08:30 - 00000085 _____ C:\Windows\System32\qqlnul.rip
2014-01-19 09:59 - 2010-12-01 08:15 - 01086845 _____ C:\Windows\WindowsUpdate.log
2014-01-19 09:34 - 2011-08-28 09:56 - 00000928 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-970929299-2235386031-768270542-1000UA.job
2014-01-19 00:32 - 2012-02-11 19:18 - 00000452 ____H C:\Windows\Tasks\Norton Security Scan for Katie.job
2014-01-19 00:14 - 2011-08-28 09:56 - 00000906 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-970929299-2235386031-768270542-1000Core.job
2014-01-19 00:04 - 2011-02-15 10:08 - 00000000 ____D C:\ProgramData\Microsoft Help
2014-01-18 09:35 - 2011-07-05 13:22 - 00002145 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2014-01-18 09:33 - 2009-07-13 21:13 - 00732638 _____ C:\Windows\System32\PerfStringBackup.INI
2014-01-17 07:29 - 2010-12-01 09:21 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup
2014-01-16 12:43 - 2014-01-16 12:42 - 00020400 _____ C:\Users\Katie\Desktop\Lilly4_2.htm
2014-01-16 12:28 - 2009-07-13 20:45 - 00013872 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-01-16 12:28 - 2009-07-13 20:45 - 00013872 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-01-06 07:56 - 2011-02-15 16:34 - 00000000 ____D C:\Users\Katie\AppData\Roaming\Skype
2014-01-02 08:40 - 2014-01-02 08:40 - 00037376 _____ C:\Windows\System32\kgctciw.iuo
2014-01-02 08:40 - 2014-01-02 08:19 - 00000102 _____ C:\Windows\System32\ojvsmv.ewk
2014-01-02 08:19 - 2014-01-02 08:19 - 00000064 _____ C:\Windows\System32\yrto.mzy
2014-01-02 08:03 - 2014-01-02 08:03 - 00219314 ____S C:\Windows\System32\hipcir.rno
2014-01-02 08:03 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\sysprep
2014-01-02 00:01 - 2014-01-02 00:01 - 00000000 ____D C:\Windows\System32\SPReview
 
Some content of TEMP:
====================
C:\Users\Katie\AppData\Local\Temp\21802_updater.exe
C:\Users\Katie\AppData\Local\Temp\BundleSweetIMSetup.exe
C:\Users\Katie\AppData\Local\Temp\contentDATs.exe
C:\Users\Katie\AppData\Local\Temp\GoogleToolbarInstaller.exe
C:\Users\Katie\AppData\Local\Temp\installhelper.dll
C:\Users\Katie\AppData\Local\Temp\MybabylonTB.exe
C:\Users\Katie\AppData\Local\Temp\propsys.dll
C:\Users\Katie\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Katie\AppData\Local\Temp\SRAssetsHelper.dll
C:\Users\Katie\AppData\Local\Temp\{A3317D84-72A0-45A8-9F44-7D17FFA75466}-27.0.1453.110_27.0.1453.94_chrome_updater.exe
 
 
==================== Known DLLs (Whitelisted) ================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
Restore point made on: 2014-01-02 00:01:34
Restore point made on: 2014-01-06 08:03:13
Restore point made on: 2014-01-16 12:25:17
Restore point made on: 2014-01-19 00:02:13
 
==================== Memory info =========================== 
 
Percentage of memory in use: 16%
Total physical RAM: 3894.68 MB
Available physical RAM: 3247.66 MB
Total Pagefile: 3892.88 MB
Available Pagefile: 3240.8 MB
Total Virtual: 8192 MB
Available Virtual: 8191.87 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:581.42 GB) (Free:520.31 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive e: (GRMCENXVOL_EN_DVD) (CDROM) (Total:2.96 GB) (Free:0 GB) UDF
Drive f: (8GB) (Removable) (Total:7.26 GB) (Free:6.81 GB) NTFS
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (Recovery) (Fixed) (Total:14.65 GB) (Free:7.85 GB) NTFS ==>[System with boot components (obtained from reading drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 596 GB) (Disk ID: 344822FE)
Partition 1: (Not Active) - (Size=100 MB) - (Type=DE)
Partition 2: (Active) - (Size=15 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=581 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 7 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=7 GB) - (Type=07 NTFS)
 
 
LastRegBack: 2014-01-19 00:19
 
==================== End Of Log ============================
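A triage pass over the "Registry (Whitelisted)" section of a log like the one above, added here as an example; it is not part of FRST, nor code from anyone in this thread. The sample lines are constructed in FRST's line format from entries in the posted log, and the flags it raises (dangling target marked [x], AppInit_DLLs and Winlogon\Notify load points, no company name in the file's version info, no size/date/publisher recorded) are this script's own review heuristics, not FRST's verdicts. Something surfaced here means "look at it", not "malicious".

```python
import re

# Constructed sample input: lines in the format FRST writes to its
# "Registry (Whitelisted)" section, assembled from entries in the log posted
# in this thread (not a verbatim copy of the whole log).
SAMPLE_LOG = r"""
HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [1266912 2013-10-23] (Microsoft Corporation)
HKLM-x32\...\Run: [] - [x]
HKLM-x32\...\Run: [DATAMNGR] - C:\Program Files (x86)\Search Results Toolbar\Datamngr\datamngrUI.exe [1683608 2012-12-26] (Bandoo Media Inc)
HKLM-x32\...\Run: [InboxToolbar] - "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /STARTUP
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
AppInit_DLLs: C:\PROGRA~3\Wincert\WIN64C~1.DLL => C:\ProgramData\Wincert\win64cert.dll [8704 2012-12-20] ()
AppInit_DLLs-x32: C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~1.DLL => C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sophos_detoured.dll [234408 2011-10-13] (Sophos Plc)
HKU\Katie\...\Run: [AGupdate] - C:\Program Files (x86)\AppGraffiti\AGupdate.exe [894048 2013-03-19] (Omega Partners Ltd)
"""

# "[size date] (publisher)" suffix FRST appends when it could read the file.
_FILEINFO = re.compile(r"\[(\d+) (\d{4}-\d{2}-\d{2})\] \(([^()]*)\)\s*$")
# "[name] - " prefix used by Run/RunOnce entries.
_NAME = re.compile(r"^\[([^\]]*)\] - ")


def parse_line(line):
    """Split one FRST registry line into location, entry name, target, publisher, missing."""
    location, _, rest = line.partition(": ")
    name = None
    m = _NAME.match(rest)
    if m:
        name = m.group(1)
        rest = rest[m.end():]
    # FRST marks a target that does not exist on disk with "[x]" / "[X]".
    missing = rest.strip().lower().endswith("[x]")
    info = _FILEINFO.search(rest)
    publisher = info.group(3) if info else None   # "" = version info had no company
    target = _FILEINFO.sub("", rest).strip()
    if missing:
        target = target[:-3].strip()               # drop the "[x]" marker
    # AppInit_DLLs lines read "8.3 short name => long name"; keep the long name.
    if " => " in target:
        target = target.split(" => ", 1)[1]
    return {"location": location, "name": name, "target": target,
            "publisher": publisher, "missing": missing}


def triage(log_text):
    """Return (location, label, reason) for every entry worth a responder's look."""
    findings = []
    for line in log_text.strip().splitlines():
        e = parse_line(line)
        label = e["name"] or e["target"] or "(unnamed)"
        reasons = []
        if e["missing"]:
            reasons.append("target no longer exists on disk (dangling entry, "
                           "e.g. left behind after a removal)")
        if e["location"].startswith("AppInit_DLLs"):
            reasons.append("AppInit_DLLs: DLL is loaded into every process that "
                           "loads user32.dll")
        if e["location"].startswith(r"Winlogon\Notify"):
            reasons.append("Winlogon notification package: DLL loaded by winlogon")
        if e["publisher"] == "":
            reasons.append("file has no company name in its version info")
        elif e["publisher"] is None and not e["missing"]:
            reasons.append("FRST recorded no size/date/publisher for this target")
        for reason in reasons:
            findings.append((e["location"], label, reason))
    return findings


if __name__ == "__main__":
    for location, label, reason in triage(SAMPLE_LOG):
        print(f"{location:32} {label:40} {reason}")
```

Run it with the whole registry section of a real FRST log pasted into `SAMPLE_LOG` (or read from a file) and the dangling entries stand out immediately; in a thread like this one, where a scanner removed files but left their autorun entries behind, those are the first lines to reconcile with what the scanner reported.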


#5 pain995

Posted 31 January 2014 - 08:38 AM

I also just noticed I had a typo in my initial post. There are restore points on the system, but they do not work because of missing files that appear to have been removed by offline scanners.



#6 Elise

Posted 31 January 2014 - 12:06 PM

Hi, do you have an XP installation on this computer, or did you upgrade from XP to Windows 7 at some point?


regards, Elise


#7 pain995

Posted 31 January 2014 - 12:25 PM

No Windows XP; it came with Windows 7.



#8 Elise

Posted 31 January 2014 - 01:27 PM

What scanner did you use to remove malware, and do you have any idea what files were removed?


regards, Elise


#9 pain995

Posted 31 January 2014 - 01:33 PM

I ran Malwarebytes, and when I tried to do a system restore afterwards I believe it referred to Babylon Toolbar not being found, and the system restore would fail. I'm not sure if the user had run any other scanners prior to me receiving it.



#10 Elise

Posted 31 January 2014 - 01:48 PM

At the black screen with mouse pointer does Alt-Ctrl-Del do anything?


regards, Elise


#11 pain995

Posted 31 January 2014 - 02:02 PM

Nope, tried Ctrl-Alt-Esc also, with no success.



#12 Elise

Posted 31 January 2014 - 03:04 PM

It also looks like you ran ComboFix. Do you know if the system rebooted normally after ComboFix was run, or did the problem occur immediately after running ComboFix?


regards, Elise


#13 pain995

Posted 31 January 2014 - 03:27 PM

No, this problem was happening beforehand. I attempted to run ComboFix from a Hiren's boot CD and it would not run. I then downloaded ComboFix to the HDD and tried running it from the HDD while booted to the Hiren's boot disk; however, it would not run because of rootkit activity. So I tried, but was never able to run ComboFix successfully.



#14 Elise

Posted 01 February 2014 - 09:02 AM

Do you have a Windows 7 installation disk?


regards, Elise


#15 pain995

Posted 01 February 2014 - 10:57 AM

Yes, I do.





