
Startup Repair Loop


18 replies to this topic

#1 hic-lock

  • Members
  • 12 posts

Posted 05 March 2014 - 06:46 PM

Hello, my son’s computer seems to be in a Startup Repair Loop that I haven’t been able to find a resolution for.

 

The Lap Top is a Dell Inspiron, 64bit, with Windows 7. He was apparently watching youtube vids one evening, shut down and in the morning it wouldn’t boot past the Startup Repair window.

 

I have run FRST64 several times, tried restore points (there weren’t many and they are VERY old) and tried booting in safe mode with no success.

 

He cannot find his discs to do a full restore. I have made a windows 7 repair disk (I hope properly) from my PC…

 

I ran FRST64 again and have attached the results for your review

 



#2 nasdaq

  • Malware Response Team
  • 38,747 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 06 March 2014 - 10:04 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.

start
HKLM-x32\...\Run: [DATAMNGR] - C:\Program Files (x86)\Searchcore Toolbar\Datamngr\datamngrUI.exe [1693120 2012-03-04] (Discordia, LTD)
HKLM-x32\...\Run: [] - [X]
HKLM-x32\...\Run: [ApnUpdater] - C:\Program Files (x86)\Ask.com\Updater\Updater.exe [1561768 2012-05-04] (Ask)
AppInit_DLLs: C:\PROGRA~2\SEARCH~1\Datamngr\x64\datamngr.dll => C:\Program Files (x86)\Searchcore Toolbar\Datamngr\x64\datamngr.dll [1778584 2012-03-04] (Discordia, LTD)
AppInit_DLLs: C:\PROGRA~2\SEARCH~1\Datamngr\x64\IEBHO.dll => C:\Program Files (x86)\Searchcore Toolbar\Datamngr\x64\IEBHO.dll [1791384 2012-03-04] (Discordia, LTD)
AppInit_DLLs-x32: C:\PROGRA~2\SEARCH~1\Datamngr\datamngr.dll => C:\Program Files (x86)\Searchcore Toolbar\Datamngr\datamngr.dll [1234880 2012-03-04] (Discordia, LTD)
AppInit_DLLs-x32: C:\PROGRA~2\SEARCH~1\Datamngr\IEBHO.dll => C:\Program Files (x86)\Searchcore Toolbar\Datamngr\IEBHO.dll [1233816 2012-03-04] (Discordia, LTD)
C:\Users\eric\AppData\Local\Temp\.exe
C:\Users\eric\AppData\Local\Temp\ApnStub.exe
C:\Users\eric\AppData\Local\Temp\GoogleToolbarInstaller_en32_signed.exe
C:\Users\eric\AppData\Local\Temp\installhelper.dll
C:\Users\eric\AppData\Local\Temp\pcp_bandoo_bundle.exe
C:\Users\eric\AppData\Local\Temp\SRAssetsHelper.dll
C:\Users\eric\AppData\Local\Temp\_isAD1F.exe
C:\Users\eric\AppData\Local\Temp\_isE178.exe

end

Save the files as fixlist.txt in to the same folder as FRST
Run FRST and click Fix only once and wait
The tool will create a log (Fixlog.txt) please post it to your reply.
===

Continue and do what you can to run these tools.

--RogueKiller--
  • Download & SAVE to your Desktop For 32bit system or For 64bit system
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller+
=======


Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
===
Please paste the logs in your next reply DO NOT ATTACH THEM unless specified.

Let me know what problem persists.
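As an added example (not code from this thread, from nasdaq, or from Farbar's FRST), here is a small Python triage script for the two FRST line shapes the fixlist above targets: HKLM/HKU Run values and AppInit_DLLs entries, in both the native and -x32 (WOW6432Node) views. The sample log is constructed from entries quoted in this thread; the review list of path fragments is built from what was removed here and is an assumption, not a general adware signature set. It shows why those lines were chosen (a DLL listed in AppInit_DLLs is loaded into every process that loads user32.dll, which is why adware favours it for persistence, and a Run value with an empty name and an [X] target is an orphaned value) and how a fixlist is formed: FRST expects the log lines copied verbatim between start and end.

```python
"""Triage FRST Run / AppInit_DLLs lines and build a fixlist (constructed example)."""
import re
from dataclasses import dataclass

# Constructed sample: line shapes mirror those quoted in the thread's FRST logs.
SAMPLE_LOG = r"""
HKLM-x32\...\Run: [DATAMNGR] - C:\Program Files (x86)\Searchcore Toolbar\Datamngr\datamngrUI.exe [1693120 2012-03-04] (Discordia, LTD)
HKLM-x32\...\Run: [] - [X]
HKLM\...\Run: [SysTrayApp] - C:\Program Files\IDT\WDM\sttray64.exe [525312 2011-01-24] (IDT, Inc.)
AppInit_DLLs: C:\PROGRA~2\SEARCH~1\Datamngr\x64\datamngr.dll => C:\Program Files (x86)\Searchcore Toolbar\Datamngr\x64\datamngr.dll [1778584 2012-03-04] (Discordia, LTD)
AppInit_DLLs-x32: C:\PROGRA~2\SEARCH~1\Datamngr\IEBHO.dll => C:\Program Files (x86)\Searchcore Toolbar\Datamngr\IEBHO.dll [1233816 2012-03-04] (Discordia, LTD)
HKU\eric\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2012-05-02] (Google Inc.)
"""

# "HKLM-x32\...\Run: [name] - target" / "HKU\user\...\Run: [name] - target"
RUN_RE = re.compile(
    r"^(?P<hive>HKLM|HKU\\[^\\]+)(?P<wow>-x32)?\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] - (?P<rest>.*)$"
)
# "AppInit_DLLs[-x32]: <8.3 short path> => <resolved path> [size date] (publisher)"
APPINIT_RE = re.compile(r"^AppInit_DLLs(?P<wow>-x32)?: (?P<short>\S+) => (?P<rest>.*)$")
# Target part shared by both shapes: path, then [size yyyy-mm-dd], then (publisher)
TARGET_RE = re.compile(
    r"^(?P<path>.+?) \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<publisher>[^)]*)\)$"
)

# Assumption: path fragments of items the thread's helper chose to remove,
# used only as a "worth a second look" list for this example.
REVIEW_FRAGMENTS = ("searchcore toolbar", "ask.com", "\\appdata\\local\\temp\\")


@dataclass
class Entry:
    raw: str          # the log line exactly as FRST printed it
    kind: str         # "run" or "appinit"
    wow64: bool       # True for the -x32 (WOW6432Node) view on a 64-bit host
    name: str         # Run value name ("" if empty); "-" for AppInit_DLLs
    path: str         # resolved target path, "" when the target is missing
    publisher: str    # text inside the trailing parentheses, "" if none
    reasons: list     # why the entry was flagged; empty means not flagged


def suspicion_reasons(entry, rest):
    """Explain why a parsed entry deserves review (heuristics are this example's own)."""
    reasons = []
    if entry.kind == "appinit":
        reasons.append("AppInit_DLLs entry: injected into every process that loads user32.dll")
    if entry.kind == "run" and rest.strip() == "[X]":
        reasons.append("Run value whose target is missing ([X])")
    if entry.kind == "run" and entry.name == "":
        reasons.append("Run value with an empty name")
    low = entry.path.lower()
    reasons.extend(f"target path contains '{frag}'" for frag in REVIEW_FRAGMENTS if frag in low)
    return reasons


def parse_line(line):
    """Return an Entry for a Run or AppInit_DLLs line, None for any other line."""
    line = line.rstrip()
    m = RUN_RE.match(line)
    if m:
        kind, name, rest = "run", m.group("name"), m.group("rest")
    else:
        m = APPINIT_RE.match(line)
        if not m:
            return None
        kind, name, rest = "appinit", "-", m.group("rest")
    t = TARGET_RE.match(rest)
    entry = Entry(
        raw=line, kind=kind, wow64=m.group("wow") is not None, name=name,
        path=t.group("path") if t else "", publisher=t.group("publisher") if t else "",
        reasons=[],
    )
    entry.reasons = suspicion_reasons(entry, rest)
    return entry


def triage(log_text):
    """Parse every recognised line of an FRST log into Entry objects."""
    return [e for e in (parse_line(l) for l in log_text.splitlines()) if e is not None]


def build_fixlist(entries):
    """FRST fixlist format: the flagged log lines, verbatim, between 'start' and 'end'."""
    return "\n".join(["start", *[e.raw for e in entries if e.reasons], "end"])


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for e in found:
        print(f"{'FLAG' if e.reasons else 'ok  '} {e.kind:7} wow64={e.wow64!s:5} {e.name!r:14} {e.path}")
        for r in e.reasons:
            print(f"       - {r}")
    print()
    print(build_fixlist(found))
```

Run it as-is to see the six sample lines classified and a fixlist containing the four flagged ones; to triage a real log, read FRST.txt and pass its text to triage(). The script only decides what to review and writes the list; it never touches the registry itself, which is what the Fix button in FRST does once a human has checked the list.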

#3 hic-lock


Posted 06 March 2014 - 06:40 PM

FIXLOG:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 16-02-2014
Ran by SYSTEM at 2014-03-06 11:20:37 Run:4
Running from G:\
Boot Mode: Recovery
==============================================

Content of fixlist:
*****************
start
HKLM-x32\...\Run: [DATAMNGR] - C:\Program Files (x86)\Searchcore Toolbar\Datamngr\datamngrUI.exe [1693120 2012-03-04] (Discordia, LTD)
HKLM-x32\...\Run: [] - [X]
HKLM-x32\...\Run: [ApnUpdater] - C:\Program Files (x86)\Ask.com\Updater\Updater.exe [1561768 2012-05-04] (Ask)
AppInit_DLLs: C:\PROGRA~2\SEARCH~1\Datamngr\x64\datamngr.dll => C:\Program Files (x86)\Searchcore Toolbar\Datamngr\x64\datamngr.dll [1778584 2012-03-04] (Discordia, LTD)
AppInit_DLLs: C:\PROGRA~2\SEARCH~1\Datamngr\x64\IEBHO.dll => C:\Program Files (x86)\Searchcore Toolbar\Datamngr\x64\IEBHO.dll [1791384 2012-03-04] (Discordia, LTD)
AppInit_DLLs-x32: C:\PROGRA~2\SEARCH~1\Datamngr\datamngr.dll => C:\Program Files (x86)\Searchcore Toolbar\Datamngr\datamngr.dll [1234880 2012-03-04] (Discordia, LTD)
AppInit_DLLs-x32: C:\PROGRA~2\SEARCH~1\Datamngr\IEBHO.dll => C:\Program Files (x86)\Searchcore Toolbar\Datamngr\IEBHO.dll [1233816 2012-03-04] (Discordia, LTD)
C:\Users\eric\AppData\Local\Temp\.exe
C:\Users\eric\AppData\Local\Temp\ApnStub.exe
C:\Users\eric\AppData\Local\Temp\GoogleToolbarInstaller_en32_signed.exe
C:\Users\eric\AppData\Local\Temp\installhelper.dll
C:\Users\eric\AppData\Local\Temp\pcp_bandoo_bundle.exe
C:\Users\eric\AppData\Local\Temp\SRAssetsHelper.dll
C:\Users\eric\AppData\Local\Temp\_isAD1F.exe
C:\Users\eric\AppData\Local\Temp\_isE178.exe

end
*****************

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\DATAMNGR => Value deleted successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => Value deleted successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ApnUpdater => Value deleted successfully.
"C:\\PROGRA~2\\SEARCH~1\\Datamngr\\x64\\datamngr.dll" => Value Data removed successfully.
"C:\\PROGRA~2\\SEARCH~1\\Datamngr\\x64\\IEBHO.dll" => Value Data removed successfully.
"C:\\PROGRA~2\\SEARCH~1\\Datamngr\\datamngr.dll" => Value Data removed successfully.
"C:\\PROGRA~2\\SEARCH~1\\Datamngr\\IEBHO.dll" => Value Data removed successfully.
C:\Users\eric\AppData\Local\Temp\.exe => Moved successfully.
C:\Users\eric\AppData\Local\Temp\ApnStub.exe => Moved successfully.
C:\Users\eric\AppData\Local\Temp\GoogleToolbarInstaller_en32_signed.exe => Moved successfully.
C:\Users\eric\AppData\Local\Temp\installhelper.dll => Moved successfully.
C:\Users\eric\AppData\Local\Temp\pcp_bandoo_bundle.exe => Moved successfully.
C:\Users\eric\AppData\Local\Temp\SRAssetsHelper.dll => Moved successfully.
C:\Users\eric\AppData\Local\Temp\_isAD1F.exe => Moved successfully.
C:\Users\eric\AppData\Local\Temp\_isE178.exe => Moved successfully.

==== End of Fixlog ====



#4 hic-lock


Posted 06 March 2014 - 06:43 PM

I am in the process of running the other programs through the command prompt window as I cannot run them in the normal windows mode



#5 hic-lock


Posted 06 March 2014 - 08:36 PM

ROGUEKILLER:

 

RogueKiller V8.8.10 _x64_ [Feb 28 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : SYSTEM [Admin rights]
Mode : Remove -- Date : 03/06/2014 17:42:06
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤
-> C:\windows\system32\config\SYSTEM | DRVINFO [Drv - C:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
-> C:\windows\system32\config\SOFTWARE | DRVINFO [Drv - C:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
-> C:\windows\system32\config\SECURITY | DRVINFO [Drv - C:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
-> C:\windows\system32\config\SAM | DRVINFO [Drv - C:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
-> C:\windows\system32\config\DEFAULT | DRVINFO [Drv - C:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
-> C:\Users\Default\NTUSER.DAT | DRVINFO [Drv - C:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> C:\Users\eric\NTUSER.DAT | DRVINFO [Drv - C:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
-> C:\Documents and Settings\Default\NTUSER.DAT | DRVINFO [Drv - C:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> C:\Documents and Settings\eric\NTUSER.DAT | DRVINFO [Drv - C:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

 

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE)  +++++
--- User ---
[MBR] 0a34cfb3249ed8960cf6cf3c5d377232
[BSP] 536f9f5db694367957b483236d6f8da2 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 610378 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_D_03062014_174206.txt >>
RKreport[0]_S_03062014_174129.txt



#6 hic-lock


Posted 06 March 2014 - 10:35 PM

I’ve tried running AdwCleaner and Junkware Removal Tool with no success. I had to run it through the Windows repair command prompt after copying to the C drive. I couldn’t run the specific directions due to the fact I can’t get to Windows directly.

The error “the subsystem needed to support the image type is not present” appeared after attempting to run through the C: drive

After completing what I could, the laptop still goes to the Startup Repair screen.



#7 nasdaq


Posted 07 March 2014 - 08:39 AM


Run these tools if you can.

Read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application.
  • Click Change parameters
  • Check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK
  • Click on the Start Scan button to begin the scan and wait for it to finish.
    NOTE: Do not use the computer during the scan!
  • During the scan it will look similar to the image below:
  • When it finishes, you will either see a report that no threats were found like below:
    If no threats are found at this point, just click the Report selection on the top right of the form to generate a log. A log file report will pop up which you can just close since the report file is already saved.
  • If any infection or suspected items are found, you will see a window similar to below:
    • If you have files that are shown to fail signature check do not take any action on these. Make sure you select Skip. I will tell you what to do with these later. They may not be issues at all.
    • If Suspicious objects are detected, the default action will be Skip. Leave the default set to Skip.
    • If Malicious objects are detected, they will show in the Scan results. TDSSKiller automatically selects an action (Cure or Delete) for malicious objects
    • Make sure that Cure is selected. Important! - If Cure is not available, please choose Skip instead. Do not choose Delete unless instructed to do so.
  • Click Continue to apply selected actions.
  • A reboot may be required to complete disinfection. A window like the below will appear:
    Reboot immediately if TDSSKiller states that one is needed.
  • Whether an infection is found or not, a log file should have already been created on your C: drive (or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run.
  • Paste the log to your next reply, DO NOT ATTACH IT.
===

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.
  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please paste the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.
===

#8 hic-lock


Posted 07 March 2014 - 05:50 PM

I cannot run files, the same error occurs…



#9 nasdaq


Posted 08 March 2014 - 08:40 AM

Try this one.

Download the correct version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
===

#10 hic-lock


Posted 10 March 2014 - 08:20 AM

thank you nasdaq, i will run this



#11 hic-lock


Posted 10 March 2014 - 03:51 PM

Nasdaq, I have run FRST64 and copied the log here…

 

I am noticing that my drive letters are changing, from D: to C: for example…

System Reserved (C:)
Local Disk (D:)
Removable Disk (F:)
Removable Disk (G:)
Boot (X:)

to….

Local Disk (C:)
CD Drive (E:)
Removable Disk (F:)
Removable Disk (G:)
Boot (X:)
System Reserved (Y:)

---

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 10-03-2014 01
Ran by SYSTEM on MININT-E7N3DT4 on 10-03-2014 14:08:03
Running from C:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SysTrayApp] - C:\Program Files\IDT\WDM\sttray64.exe [525312 2011-01-24] (IDT, Inc.)
HKLM\...\Run: [IntelPAN] - C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe [1935120 2011-09-15] (Intel® Corporation)
HKLM\...\Run: [BTMTrayAgent] - C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll [10365952 2011-05-19] (Intel Corporation)
HKLM\...\Run: [Logitech Download Assistant] - C:\Windows\System32\LogiLDA.dll [1580368 2010-11-03] (Logitech, Inc.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\eric\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2012-05-02] (Google Inc.)
HKU\eric\...\Run: [Facebook Update] - C:\Users\eric\AppData\Local\Facebook\Update\FacebookUpdate.exe [138096 2012-07-11] (Facebook Inc.)
HKU\eric\...\Run: [ooVoo.exe] - C:\Program Files (x86)\ooVoo\oovoo.exe [25249400 2012-05-29] (ooVoo LLC)
HKU\eric\...\Run: [Skype] - C:\Program Files (x86)\Skype\Phone\Skype.exe [17425072 2012-06-07] (Skype Technologies S.A.)
Startup: C:\Users\eric\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip ()

==================== Services (Whitelisted) =================

S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2011-09-15] ()

==================== Drivers (Whitelisted) ====================

S3 kbdclass; C:\Windows\System32\DRIVERS\kbdclass.sys [50768 2009-07-13] ()
S2 lltdio; C:\Windows\System32\DRIVERS\lltdio.sys [60928 2009-07-13] ()
S3 monitor; C:\Windows\System32\DRIVERS\monitor.sys [30208 2009-07-13] ()
S3 mouclass; C:\Windows\System32\DRIVERS\mouclass.sys [49216 2009-07-13] ()
S1 mssmbios; C:\Windows\System32\DRIVERS\mssmbios.sys [32320 2009-07-13] ()

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-03-10 14:08 - 2014-03-10 14:08 - 00000000 _____ () C:\FRST.txt
2014-03-10 14:06 - 2014-03-10 16:29 - 02157056 _____ (Farbar) C:\FRST64.exe
2014-03-07 17:22 - 2014-03-07 17:21 - 02237968 _____ (Kaspersky Lab ZAO) C:\tdsskiller.exe
2014-03-07 16:20 - 2014-03-07 17:45 - 04745728 _____ (AVAST Software) C:\aswMBR.exe
2014-03-06 17:56 - 2014-03-06 12:49 - 01037734 _____ (Thisisu) C:\JRT.exe
2014-03-06 17:49 - 2014-03-06 12:49 - 01244192 _____ () C:\adwcleaner.exe
2014-03-06 17:42 - 2014-03-06 17:46 - 00002750 _____ () C:\RKreport[0]_D_03062014_174206.txt
2014-03-06 17:41 - 2014-03-06 17:41 - 00002701 _____ () C:\RKreport[0]_S_03062014_174129.txt
2014-03-06 17:27 - 2014-03-06 17:42 - 00000000 ____D () C:\RK_Quarantine
2014-03-06 17:24 - 2014-03-06 12:48 - 04413952 _____ () C:\RogueKillerX64.exe
2014-03-01 17:54 - 2014-03-01 17:56 - 00000000 ____D () C:\Windows\System32\config\mybackup
2014-02-17 18:47 - 2014-03-10 14:08 - 00000000 ____D () C:\FRST

==================== One Month Modified Files and Folders =======

2014-03-10 16:29 - 2014-03-10 14:06 - 02157056 _____ (Farbar) C:\FRST64.exe
2014-03-10 14:08 - 2014-03-10 14:08 - 00000000 _____ () C:\FRST.txt
2014-03-10 14:08 - 2014-02-17 18:47 - 00000000 ____D () C:\FRST
2014-03-07 17:45 - 2014-03-07 16:20 - 04745728 _____ (AVAST Software) C:\aswMBR.exe
2014-03-07 17:21 - 2014-03-07 17:22 - 02237968 _____ (Kaspersky Lab ZAO) C:\tdsskiller.exe
2014-03-06 17:46 - 2014-03-06 17:42 - 00002750 _____ () C:\RKreport[0]_D_03062014_174206.txt
2014-03-06 17:42 - 2014-03-06 17:27 - 00000000 ____D () C:\RK_Quarantine
2014-03-06 17:41 - 2014-03-06 17:41 - 00002701 _____ () C:\RKreport[0]_S_03062014_174129.txt
2014-03-06 12:49 - 2014-03-06 17:56 - 01037734 _____ (Thisisu) C:\JRT.exe
2014-03-06 12:49 - 2014-03-06 17:49 - 01244192 _____ () C:\adwcleaner.exe
2014-03-06 12:48 - 2014-03-06 17:24 - 04413952 _____ () C:\RogueKillerX64.exe
2014-03-01 17:56 - 2014-03-01 17:54 - 00000000 ____D () C:\Windows\System32\config\mybackup
2014-02-27 07:18 - 2012-06-30 19:20 - 00000000 ____D () C:\ProgramData\Skype
2014-02-27 07:18 - 2012-05-02 17:27 - 00000000 ____D () C:\Program Files (x86)\World of Warcraft
2014-02-27 07:18 - 2012-05-01 20:14 - 00000000 ____D () C:\Windows\SysWOW64\Macromed
2014-02-27 07:18 - 2012-05-01 20:14 - 00000000 ____D () C:\Windows\System32\Macromed
2014-02-27 07:18 - 2012-04-24 16:21 - 00000000 ____D () C:\users\eric
2014-02-27 07:18 - 2009-07-13 19:20 - 00000000 __RSD () C:\Windows\Media
2014-02-27 07:18 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\System32\NDF
2014-02-27 07:18 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\registration
2014-02-27 07:18 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\AppCompat

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2012-07-11 19:17:31
Restore point made on: 2012-07-12 07:06:23
Restore point made on: 2012-07-17 15:29:12
Restore point made on: 2012-07-20 17:05:28
Restore point made on: 2012-07-24 05:52:47
Restore point made on: 2012-07-27 06:28:24
Restore point made on: 2012-07-31 08:03:59
Restore point made on: 2012-08-03 15:45:00

==================== Memory info ===========================

Percentage of memory in use: 13%
Total physical RAM: 6051.18 MB
Available physical RAM: 5244 MB
Total Pagefile: 6049.38 MB
Available Pagefile: 5229.41 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:596.07 GB) (Free:540.51 GB) NTFS
Drive g: () (Removable) (Total:0.96 GB) (Free:0.92 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 596 GB) (Disk ID: DA2BD2DC)

Partition: GPT Partition Type.

========================================================
Disk: 2 (Size: 994 MB) (Disk ID: 91F72D24)
Partition 1: (Active) - (Size=984 MB) - (Type=06)

LastRegBack: 2012-08-01 16:40

==================== End Of Log ============================



#12 nasdaq


Posted 11 March 2014 - 08:26 AM


How to use the System File Checker tool to troubleshoot missing or corrupted system files on Windows Vista or on Windows 7
http://support.microsoft.com/kb/929833

If you can restart the computer normally when completed.
===

Then execute this if you can.
The following steps involve registry editing. Please create a new restore point before proceeding!!!
How to:
XP - http://support.microsoft.com/kb/948247
Vista and Seven - http://windows.microsoft.com/en-gb/windows7/create-a-restore-point
Windows 8 - http://www.eightforums.com/tutorials/4690-restore-point-create-windows-8-a.html

Download this program to your desktop.
Tweaking.com - Windows Repair
http://www.bleepingcomputer.com/download/windows-repair-all-in-one-portable/


Extract and launch the Repair_Windows.exe file

Click on Start repairs tab-click on Start

check mark following options alone

Reset Registry Permissions
Reset File Permissions
Register System Files
Repair WMI
Repair Windows Firewall
Repair Internet Explorer
Repair MDAC & MS Jet
Repair Hosts File
Remove Policies Set By Infections
Repair Icons
Repair Winsock & DNS Cache
Remove Temp Files
Repair Proxy Settings
Unhide Non System Files
Repair Windows Updates
Repair CD/DVD Missing/Not Working
  • Checkmark Restart System When Finished option
  • click the Start button
  • System should restart after repair


#13 hic-lock


Posted 11 March 2014 - 06:15 PM

When I run sfc /scannow through the command prompt, this is how it goes….

 

“Beginning system scan. This process will take some time.

 

There is a system repair pending which requires reboot to complete. Restart Windows and run sfc again.”

 

I reboot as required and run sfc again and I get the prompt to restart again. This is as far as I can get…



#14 nasdaq


Posted 12 March 2014 - 08:45 AM

Open the DOS command
Start button > run box > type CMD and hit the OK button.

From the command prompt execute this:

chkdsk /f C:

Instructions on this page.
http://technet.microsoft.com/en-us/magazine/ee872425.aspx

When completed restart the computer normally.

Run the sfc /scannow command.

If it fails run the Windows Repair tool.

Keep me posted.

#15 hic-lock


Posted 12 March 2014 - 05:17 PM

Ok nasdaq, I ran chkdsk /f c: and no problems were found, nothing to fix… I restarted the system and it goes right back to the repair setup window.





