Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Windows 7 Black screen with cursor - rpcss.dll


  • This topic is locked This topic is locked
28 replies to this topic

#1 vpuleo

vpuleo

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:07:26 PM

Posted 01 July 2014 - 06:46 PM

Hi - I'm hoping someone can assist with a fixlist based on the below log and search. Thanks!
 
Vin

Attached Files


Edited by Queen-Evie, 01 July 2014 - 07:07 PM.
moved from Windows 7 to Malware Removal Logs. FRST logs are allowed only in MRL


BC AdBot (Login to Remove)

 


#2 vpuleo

vpuleo
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:07:26 PM

Posted 01 July 2014 - 07:10 PM

I'm not able to boot into Safe Mode. I can get to CMD from the System Recovery Option, but SFC isn't able to run -- "There is a system repair pending which requires reboot...."


Edited by vpuleo, 01 July 2014 - 07:12 PM.


#3 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,455 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:26 PM

Posted 01 July 2014 - 08:04 PM

Download the enclosed file. 

 

Save it in the same location FRST is saved

 

Run FRST as you did before, except that this time around, click on the Fix button and wait.

 

The tool will make a log in the same location FRST is saved (Fixlog.txt), Please post it to your reply.
 
Attempt to boot in Normal or Safe Mode. Let me know the outcome.
 

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#4 vpuleo

vpuleo
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:07:26 PM

Posted 01 July 2014 - 08:32 PM

logging in now but it still seems to be going to the black screen with the cursor, DOH! Thanks your your help..... here's the log, I may need to run it again to confirm the rpcss is still there (?).

 

 

 

Could not find C:\Windows\System32\rpcss.dll.
Could not find C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll.
 

Attached Files



#5 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,455 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:26 PM

Posted 01 July 2014 - 08:38 PM

Please search for the rpcss.dll once again and post its report.


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#6 vpuleo

vpuleo
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:07:26 PM

Posted 01 July 2014 - 08:44 PM

Here it is

Attached Files



#7 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,455 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:26 PM

Posted 01 July 2014 - 08:47 PM

Download the enclosed file. 

 

Save it in the same location FRST is saved

 

Run FRST as you did before, except that this time around, click on the Fix button and wait.

 

The tool will make a log in the same location FRST is saved (Fixlog.txt), Please post it to your reply.
 
Attempt to boot in Normal or Safe Mode. Let me know the outcome.
 

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#8 vpuleo

vpuleo
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:07:26 PM

Posted 01 July 2014 - 08:55 PM

normal boot had the same problem, trying safe mode now.

Attached Files



#9 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,455 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:26 PM

Posted 01 July 2014 - 09:04 PM

Did you attempted any fixes on your own that are not included here?

 

Please re-scan with FRST and post its report.


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#10 vpuleo

vpuleo
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:07:26 PM

Posted 01 July 2014 - 09:23 PM

here it is!

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 01-07-2014
Ran by SYSTEM on MININT-CDS8FUA on 01-07-2014 22:19:31
Running from C:\
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery
 
The current controlset is ControlSet006
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.
 
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13307496 2011-10-16] (Realtek Semiconductor)
HKLM\...\Run: [VIRTU_MVP_AUTORUN] => %ProgramFiles%\Lucidlogix Technologies\VIRTU MVP\MVPControlPanel.Exe /hide
HKLM\...\Run: [XFast LAN] => C:\Program Files\ASRock\XFast LAN\cFosSpeed.exe [1441152 2011-10-19] (cFos Software GmbH)
HKLM\...\Run: [THXCfg64] => C:\Windows\system32\THXCfg64.dll [26624 2011-05-13] (Creative Technology Ltd.)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284440 2011-11-29] (Intel Corporation)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-01-26] (Intel Corporation)
HKLM-x32\...\Run: [XFastUSB] => C:\Program Files (x86)\XFastUSB\XFastUsb.exe [5019360 2013-02-01] (FNet Co., Ltd.)
HKLM-x32\...\Run: [THX TruStudio NB Settings] => C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe [909824 2011-05-19] (Creative Technology Ltd)
HKLM-x32\...\Run: [UpdReg] => C:\Windows\UpdReg.EXE [90112 2000-05-10] (Creative Technology Ltd.)
HKLM-x32\...\Run: [avast] => C:\Program Files\AVAST Software\Avast\avastUI.exe [4297136 2012-10-30] (AVAST Software)
HKLM-x32\...\Run: [VirtualCloneDrive] => C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe [89456 2011-03-07] (Elaborate Bytes AG)
HKLM-x32\...\Run: [ControlCenter4] => C:\Program Files (x86)\ControlCenter4\BrCcBoot.exe [143360 2012-09-06] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [BrStsMon00] => C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe [3076096 2012-06-06] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [642808 2012-12-19] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [946352 2012-12-18] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-10-23] (Apple Inc.)
HKLM-x32\...\Run: [LifeCam] => C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe [119152 2010-05-20] (Microsoft Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\Puleo\...\RunOnce: [FlashPlayerUpdate] - C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_9_900_170_ActiveX.exe [839560 2014-01-03] (Adobe Systems Incorporated)
ShellIconOverlayIdentifiers: 00avast -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll (AVAST Software)
ShellIconOverlayIdentifiers-x32: EnhancedStorageShell -> {D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D} =>  No File
ShellIconOverlayIdentifiers-x32: SharingPrivate -> {08244EE6-92F0-47f2-9FC9-929BAA2E7235} =>  No File
 
==================== Services (Whitelisted) =================
 
S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [44808 2012-10-30] (AVAST Software)
S2 cFosSpeedS; C:\Program Files\ASRock\XFast LAN\spd.exe [395136 2011-10-19] (cFos Software GmbH)
S2 ISCTAgent; C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTAgent.exe [133632 2012-02-09] ()
S2 WlanWpsSvc; C:\Program Files (x86)\NETGEAR\WNA1000M\WlanWpsSvc.exe [167936 2011-06-30] ()
 
==================== Drivers (Whitelisted) ====================
 
S0 asahci64; C:\Windows\System32\DRIVERS\asahci64.sys [49760 2011-09-21] (Asmedia Technology)
S0 AsrRamDisk; C:\Windows\System32\DRIVERS\AsrRamDisk.sys [31016 2012-01-13] (ASRock Inc.)
S2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [25232 2012-10-30] (AVAST Software)
S2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [71600 2012-10-30] (AVAST Software)
S1 aswRdr; C:\Windows\System32\Drivers\aswrdr2.sys [54072 2012-10-15] (AVAST Software)
S1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [984144 2012-10-30] (AVAST Software)
S1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [370288 2012-10-30] (AVAST Software)
S1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [59728 2012-10-30] (AVAST Software)
S3 FNETTBOH_305; C:\Windows\System32\drivers\FNETTBOH_305.SYS [32320 2013-11-26] (FNet Co., Ltd.)
S1 FNETURPX; C:\Windows\System32\drivers\FNETURPX.SYS [15936 2013-02-01] (FNet Co., Ltd.)
S5 GEARAspiWDM; C:\Windows\System32\Drivers\GEARAspiWDM.sys [33240 2012-08-21] (GEAR Software Inc.)
S3 ikbevent; C:\Windows\System32\DRIVERS\ikbevent.sys [25536 2012-02-09] ()
S3 imsevent; C:\Windows\System32\DRIVERS\imsevent.sys [25536 2012-02-09] ()
S3 ISCT; C:\Windows\System32\DRIVERS\ISCTD64.sys [44992 2012-02-09] ()
S3 RTL8192cu; C:\Windows\System32\DRIVERS\WNA1000M.sys [855144 2011-01-31] (Realtek Semiconductor Corporation                           )
S0 vsock; C:\Windows\System32\drivers\vsock.sys [70296 2012-10-24] (VMware, Inc.)
S3 WPRO_41_2001; C:\Windows\System32\drivers\WPRO_41_2001.sys [34752 2014-07-01] ()
 
========================== Drivers MD5 =======================
 
C:\Windows\system32\drivers\1394ohci.sys ==> MD5 is legit
C:\Windows\System32\drivers\ACPI.sys ==> MD5 is legit
C:\Windows\system32\drivers\acpipmi.sys ==> MD5 is legit
C:\Windows\system32\drivers\adp94xx.sys ==> MD5 is legit
C:\Windows\system32\drivers\adpahci.sys ==> MD5 is legit
C:\Windows\system32\drivers\adpu320.sys ==> MD5 is legit
C:\Windows\system32\drivers\afd.sys 79059559E89D06E8B80CE2944BE20228
C:\Windows\system32\drivers\agp440.sys ==> MD5 is legit
C:\Windows\system32\drivers\aliide.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdide.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdk8.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\atikmdag.sys 22A14DF59FB8D0BE918C597988AF4296
C:\Windows\System32\DRIVERS\atikmpag.sys EE22D3ED6D55A855E709F811CCCA97ED
C:\Windows\system32\drivers\amdppm.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdsata.sys D4121AE6D0C0E7E13AA221AA57EF2D49
C:\Windows\system32\drivers\amdsbs.sys ==> MD5 is legit
C:\Windows\System32\drivers\amdxata.sys 540DAF1CEA6094886D72126FD7C33048
C:\Windows\system32\drivers\appid.sys ==> MD5 is legit
C:\Windows\system32\drivers\arc.sys ==> MD5 is legit
C:\Windows\system32\drivers\arcsas.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\asahci64.sys 4DFF4312661F54EE87DC9A13CAEE60E0
C:\Windows\System32\DRIVERS\AsrAppCharger.sys E1AFEE1584C74050DE0DD16DE2A54BF3
C:\Windows\System32\DRIVERS\AsrRamDisk.sys 0C3F9E39C0B10D351026D580D9FF6F86
C:\Windows\System32\Drivers\aswFsBlk.sys 4FCAEF0C5BE7629AEB878998E0FE959B
C:\Windows\system32\drivers\aswMonFlt.sys B50CDD87772D6A11CB90924AAD399DF8
C:\Windows\System32\Drivers\aswrdr2.sys 57768C7DB4681F2510F247F82EF31D4F
C:\Windows\System32\Drivers\aswSnx.sys E71D826A1F3CE9C9DE3E77F2D02AFFBF
C:\Windows\System32\Drivers\aswSP.sys 538A32E2C99BF073D4CA76C30BEDAA60
C:\Windows\System32\Drivers\aswTdi.sys 6EDC79D73745FD44C41B55B2D13D0B70
C:\Windows\System32\DRIVERS\asyncmac.sys ==> MD5 is legit
C:\Windows\System32\drivers\atapi.sys ==> MD5 is legit
C:\Windows\System32\drivers\AtihdW76.sys 437F55435623D4D54D36197F5AD8B435
C:\Windows\system32\drivers\bxvbda.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\b57nd60a.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Beep.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\blbdrive.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\bowser.sys ==> MD5 is legit
C:\Windows\system32\drivers\BrFiltLo.sys ==> MD5 is legit
C:\Windows\system32\drivers\BrFiltUp.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Brserid.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BrSerWdm.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BrUsbMdm.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BrUsbSer.sys ==> MD5 is legit
C:\Windows\system32\drivers\bthmodem.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\cdfs.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\cdrom.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\cfosspeed6.sys 33B82CF69E41B38A2EC0C3CABDE80D6E
C:\Windows\system32\drivers\circlass.sys ==> MD5 is legit
C:\Windows\System32\CLFS.sys ==> MD5 is legit
C:\Windows\system32\drivers\CmBatt.sys ==> MD5 is legit
C:\Windows\system32\drivers\cmdide.sys ==> MD5 is legit
C:\Windows\System32\Drivers\cng.sys EBF28856F69CF094A902F884CF989706
C:\Windows\system32\drivers\compbatt.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\CompositeBus.sys ==> MD5 is legit
C:\Windows\system32\drivers\crcdisk.sys ==> MD5 is legit
C:\Windows\System32\Drivers\dfsc.sys ==> MD5 is legit
C:\Windows\System32\drivers\discache.sys ==> MD5 is legit
C:\Windows\System32\drivers\disk.sys ==> MD5 is legit
C:\Windows\system32\drivers\drmkaud.sys ==> MD5 is legit
C:\Windows\System32\drivers\dxgkrnl.sys 88612F1CE3BF42256913BF6E61C70D52
C:\Windows\system32\drivers\evbda.sys ==> MD5 is legit
C:\Windows\System32\Drivers\ElbyCDIO.sys A05FC7ECA0966EBB70E4D17B855A853B
C:\Windows\system32\drivers\elxstor.sys ==> MD5 is legit
C:\Windows\system32\drivers\errdev.sys ==> MD5 is legit
C:\Windows\System32\Drivers\exfat.sys ==> MD5 is legit
C:\Windows\System32\Drivers\fastfat.sys ==> MD5 is legit
C:\Windows\system32\drivers\fdc.sys ==> MD5 is legit
C:\Windows\System32\drivers\fileinfo.sys ==> MD5 is legit
C:\Windows\System32\drivers\filetrace.sys ==> MD5 is legit
C:\Windows\system32\drivers\flpydisk.sys ==> MD5 is legit
C:\Windows\System32\drivers\fltmgr.sys ==> MD5 is legit
C:\Windows\System32\drivers\FNETTBOH_305.SYS 508401A63E6B1CBF0B9C9A011498731F
C:\Windows\System32\drivers\FNETURPX.SYS 7C3C4B4C951EC1BDFD4F769D05E2CC68
C:\Windows\System32\drivers\FsDepends.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Fs_Rec.sys 6BD9295CC032DD3077C671FCCF579A7B
C:\Windows\System32\DRIVERS\fvevol.sys 8F6322049018354F45F05A2FD2D4E5E0
C:\Windows\system32\drivers\gagp30kx.sys ==> MD5 is legit
C:\Windows\system32\drivers\hcmon.sys 3CC07DAD48FA53193AE2F85DD8200B5E
C:\Windows\system32\drivers\hcw85cir.sys ==> MD5 is legit
C:\Windows\System32\drivers\HdAudio.sys 975761C778E33CD22498059B91E7373A
C:\Windows\System32\DRIVERS\HDAudBus.sys ==> MD5 is legit
C:\Windows\system32\drivers\HidBatt.sys ==> MD5 is legit
C:\Windows\system32\drivers\hidbth.sys ==> MD5 is legit
C:\Windows\system32\drivers\hidir.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\hidusb.sys ==> MD5 is legit
C:\Windows\system32\drivers\HpSAMD.sys ==> MD5 is legit
C:\Windows\System32\drivers\HTTP.sys ==> MD5 is legit
C:\Windows\System32\drivers\hwpolicy.sys ==> MD5 is legit
C:\Windows\system32\drivers\i8042prt.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\iaStor.sys C224331A54571C8C9162F7714400BBBD
C:\Windows\system32\drivers\iaStorV.sys AAAF44DB3BD0B9D1FB6969B23ECC8366
C:\Windows\System32\DRIVERS\igdkmd64.sys 54E37A4E66B2CA1C38E9728FAD5F9822
C:\Windows\system32\drivers\iirsp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ikbevent.sys 67999A9D34A0B2479381E7A61AFC37AB
C:\Windows\System32\DRIVERS\imsevent.sys DDAE90DD5BDAC53C8C5CD5B82FC1F1B4
C:\Windows\System32\drivers\RTKVHD64.sys F2744FD54BE1580BE05916D1C755C92A
C:\Windows\System32\DRIVERS\IntcDAud.sys 6C9FFFECA9FED31347D211C5D1FFBD2D
C:\Windows\system32\drivers\intelide.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\intelppm.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ipfltdrv.sys ==> MD5 is legit
C:\Windows\system32\drivers\IPMIDrv.sys ==> MD5 is legit
C:\Windows\System32\drivers\ipnat.sys ==> MD5 is legit
C:\Windows\System32\drivers\irenum.sys ==> MD5 is legit
C:\Windows\system32\drivers\isapnp.sys ==> MD5 is legit
C:\Windows\system32\drivers\msiscsi.sys 96BB922A0981BC7432C8CF52B5410FE6
C:\Windows\System32\DRIVERS\ISCTD64.sys 970995B7C36F4408ED31C3BF204FE1F5
C:\Windows\System32\DRIVERS\iusb3hcs.sys 6BCEF45131C8B8E1C558BE540B190B3C
C:\Windows\System32\DRIVERS\iusb3hub.sys F080EADA8715F811B58BD35BB774F2F9
C:\Windows\System32\DRIVERS\iusb3xhc.sys 0F1756D9396740F053221FA6260FCE66
C:\Windows\System32\DRIVERS\kbdclass.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\kbdhid.sys ==> MD5 is legit
C:\Windows\System32\Drivers\ksecdd.sys 8F489706472F7E9A06BAAA198703FA64
C:\Windows\System32\Drivers\ksecpkg.sys 868A2CAAB12EFC7A021682BCA0EEC54C
C:\Windows\system32\drivers\ksthunk.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\lltdio.sys ==> MD5 is legit
C:\Windows\system32\drivers\lsi_fc.sys ==> MD5 is legit
C:\Windows\system32\drivers\lsi_sas.sys ==> MD5 is legit
C:\Windows\system32\drivers\lsi_sas2.sys ==> MD5 is legit
C:\Windows\system32\drivers\lsi_scsi.sys ==> MD5 is legit
C:\Windows\system32\drivers\luafv.sys ==> MD5 is legit
C:\Windows\System32\drivers\MBfilt64.sys 8FF2D95CBA49B405C5DE27039FF0BF35
C:\Windows\system32\drivers\megasas.sys ==> MD5 is legit
C:\Windows\system32\drivers\MegaSR.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\HECIx64.sys 772A1DEEDFDBC244183B5C805D1B7D85
C:\Windows\System32\drivers\modem.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\monitor.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\mouclass.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\mouhid.sys ==> MD5 is legit
C:\Windows\System32\drivers\mountmgr.sys ==> MD5 is legit
C:\Windows\system32\drivers\mpio.sys ==> MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys ==> MD5 is legit
C:\Windows\system32\drivers\mrxdav.sys 1A4F75E63C9FB84B85DFFC6B63FD5404
C:\Windows\System32\DRIVERS\mrxsmb.sys A5D9106A73DC88564C825D317CAC68AC
C:\Windows\System32\DRIVERS\mrxsmb10.sys D711B3C1D5F42C0C2415687BE09FC163
C:\Windows\System32\DRIVERS\mrxsmb20.sys 9423E9D355C8D303E76B8CFBD8A5C30C
C:\Windows\System32\drivers\msahci.sys ==> MD5 is legit
C:\Windows\system32\drivers\msdsm.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Msfs.sys ==> MD5 is legit
C:\Windows\System32\drivers\mshidkmdf.sys ==> MD5 is legit
C:\Windows\System32\drivers\msisadrv.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSKSSRV.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSPCLOCK.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSPQM.sys ==> MD5 is legit
C:\Windows\System32\Drivers\MsRPC.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\mssmbios.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSTEE.sys ==> MD5 is legit
C:\Windows\system32\drivers\MTConfig.sys ==> MD5 is legit
C:\Windows\System32\Drivers\mup.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\nwifi.sys ==> MD5 is legit
C:\Windows\System32\drivers\ndis.sys 760E38053BF56E501D562B70AD796B88
C:\Windows\System32\DRIVERS\ndiscap.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndistapi.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndisuio.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndiswan.sys ==> MD5 is legit
C:\Windows\System32\Drivers\NDProxy.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\netbios.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\netbt.sys ==> MD5 is legit
C:\Windows\system32\drivers\nfrd960.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Npfs.sys ==> MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Ntfs.sys 1A29A59A4C5BA6F8C85062A613B7E2B2
C:\Windows\System32\Drivers\Null.sys ==> MD5 is legit
C:\Windows\system32\drivers\nvraid.sys 0A92CB65770442ED0DC44834632F66AD
C:\Windows\system32\drivers\nvstor.sys DAB0E87525C10052BF65F06152F37E4A
C:\Windows\system32\drivers\nv_agp.sys ==> MD5 is legit
C:\Windows\system32\drivers\ohci1394.sys ==> MD5 is legit
C:\Windows\system32\drivers\parport.sys ==> MD5 is legit
C:\Windows\System32\drivers\partmgr.sys E9766131EEADE40A27DC27D2D68FBA9C
C:\Windows\System32\drivers\pci.sys ==> MD5 is legit
C:\Windows\system32\drivers\pciide.sys ==> MD5 is legit
C:\Windows\system32\drivers\pcmcia.sys ==> MD5 is legit
C:\Windows\System32\drivers\pcw.sys ==> MD5 is legit
C:\Windows\System32\drivers\peauth.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\raspptp.sys ==> MD5 is legit
C:\Windows\system32\drivers\processr.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\pacer.sys ==> MD5 is legit
C:\Windows\system32\drivers\ql2300.sys ==> MD5 is legit
C:\Windows\system32\drivers\ql40xx.sys ==> MD5 is legit
C:\Windows\system32\drivers\qwavedrv.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rasacd.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\AgileVpn.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rasl2tp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\raspppoe.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rassstp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rdbss.sys ==> MD5 is legit
C:\Windows\system32\drivers\rdpbus.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\RDPCDD.sys ==> MD5 is legit
C:\Windows\System32\drivers\rdpencdd.sys ==> MD5 is legit
C:\Windows\System32\drivers\rdprefmp.sys ==> MD5 is legit
C:\Windows\System32\Drivers\RDPWD.sys E61608AA35E98999AF9AAEEEA6114B0A
C:\Windows\System32\drivers\rdyboost.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rspndr.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\Rt64win7.sys 9140DB0911DE035FED0A9A77A2D156EA
C:\Windows\System32\DRIVERS\WNA1000M.sys C897D07E2C2E89BA638A1B9419660460
C:\Windows\system32\drivers\sbp2port.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\scfilter.sys ==> MD5 is legit
C:\Windows\System32\Drivers\secdrv.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\serenum.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\serial.sys ==> MD5 is legit
C:\Windows\system32\drivers\sermouse.sys ==> MD5 is legit
C:\Windows\system32\drivers\sffdisk.sys ==> MD5 is legit
C:\Windows\system32\drivers\sffp_mmc.sys ==> MD5 is legit
C:\Windows\system32\drivers\sffp_sd.sys ==> MD5 is legit
C:\Windows\system32\drivers\sfloppy.sys ==> MD5 is legit
C:\Windows\system32\drivers\SiSRaid2.sys ==> MD5 is legit
C:\Windows\system32\drivers\sisraid4.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\smb.sys ==> MD5 is legit
C:\Windows\System32\Drivers\spldr.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\srv.sys 441FBA48BFF01FDB9D5969EBC1838F0B
C:\Windows\System32\DRIVERS\srv2.sys B4ADEBBF5E3677CCE9651E0F01F7CC28
C:\Windows\System32\DRIVERS\srvnet.sys 27E461F0BE5BFF5FC737328F749538C3
C:\Windows\system32\drivers\stexstor.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\serscan.sys DECACB6921DED1A38642642685D77DAC
C:\Windows\System32\DRIVERS\swenum.sys ==> MD5 is legit
C:\Windows\System32\drivers\tcpip.sys 40AF23633D197905F03AB5628C558C51
C:\Windows\System32\DRIVERS\tcpip.sys 40AF23633D197905F03AB5628C558C51
C:\Windows\System32\drivers\tcpipreg.sys 1B16D0BD9841794A6E0CDE0CEF744ABC
C:\Windows\System32\drivers\tdpipe.sys ==> MD5 is legit
C:\Windows\System32\drivers\tdtcp.sys 51C5ECEB1CDEE2468A1748BE550CFBC8
C:\Windows\System32\DRIVERS\tdx.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\termdd.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\tssecsrv.sys 4CE278FC9671BA81A138D70823FCAA09
C:\Windows\System32\drivers\tsusbflt.sys ==> MD5 is legit
C:\Windows\system32\drivers\TsUsbGD.sys 9CC2CCAE8A84820EAECB886D477CBCB8
C:\Windows\System32\DRIVERS\tunnel.sys ==> MD5 is legit
C:\Windows\system32\drivers\uagp35.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\udfs.sys ==> MD5 is legit
C:\Windows\system32\drivers\uliagpkx.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\umbus.sys ==> MD5 is legit
C:\Windows\system32\drivers\umpass.sys ==> MD5 is legit
C:\Windows\System32\Drivers\usbaapl64.sys C9E9D59C0099A9FF51697E9306A44240
C:\Windows\System32\drivers\usbaudio.sys B0435098C81D04CAFFF80DDB746CD3A2
C:\Windows\System32\DRIVERS\usbccgp.sys DCA68B0943D6FA415F0C56C92158A83A
C:\Windows\system32\drivers\usbcir.sys 80B0F7D5CCF86CEB5D402EAAF61FEC31
C:\Windows\system32\drivers\usbehci.sys 18A85013A3E0F7E1755365D287443965
C:\Windows\System32\DRIVERS\usbhub.sys 8D1196CFBB223621F2C67D45710F25BA
C:\Windows\system32\drivers\usbohci.sys 765A92D428A8DB88B960DA5A8D6089DC
C:\Windows\system32\drivers\usbprint.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\USBSTOR.SYS FED648B01349A3C8395A5169DB5FB7D6
C:\Windows\system32\drivers\usbuhci.sys DD253AFC3BC6CBA412342DE60C3647F3
C:\Windows\System32\Drivers\usbvideo.sys 1F775DA4CF1A3A1834207E975A72E9D7
C:\Windows\System32\DRIVERS\VClone.sys FD911873C0BB6945FA38C16E9A2B58F9
C:\Windows\System32\drivers\vdrvroot.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\vgapnp.sys ==> MD5 is legit
C:\Windows\System32\drivers\vga.sys ==> MD5 is legit
C:\Windows\system32\drivers\vhdmp.sys ==> MD5 is legit
C:\Windows\system32\drivers\viaide.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\vmci.sys 6203C901DEFF10631AAD919B3BD1489B
C:\Windows\system32\drivers\VMkbd.sys E75DDD0A4768CF509C80E76B8428A644
C:\Windows\System32\DRIVERS\vmnetadapter.sys AEF53B47E960F227BF7638A6A1A9D5C6
C:\Windows\System32\DRIVERS\vmnetbridge.sys C234A1DC2F06A15B9210787F54253810
C:\Windows\system32\drivers\vmnetuserif.sys 25FBBC8C168AEE1753C330352EA6D009
C:\Windows\System32\Drivers\vmusb.sys 415B167695C4B5960A13098622EF3D80
C:\Windows\system32\drivers\vmx86.sys D37CB37BF3FB6612BCA19D81EFA16122
C:\Windows\System32\drivers\volmgr.sys ==> MD5 is legit
C:\Windows\System32\drivers\volmgrx.sys ==> MD5 is legit
C:\Windows\System32\drivers\volsnap.sys ==> MD5 is legit
C:\Windows\system32\drivers\vsmraid.sys ==> MD5 is legit
C:\Windows\System32\drivers\vsock.sys EF1E48D431223F670CFFD6169B1A136F
C:\Windows\System32\DRIVERS\vwifibus.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\vwififlt.sys ==> MD5 is legit
C:\Windows\system32\drivers\wacompen.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\wanarp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\wanarp.sys ==> MD5 is legit
C:\Windows\system32\drivers\wd.sys ==> MD5 is legit
C:\Windows\System32\drivers\Wdf01000.sys E2C933EDBC389386EBE6D2BA953F43D8
C:\Windows\System32\DRIVERS\wfplwf.sys ==> MD5 is legit
C:\Windows\System32\drivers\wimmount.sys ==> MD5 is legit
C:\Windows\SysWOW64\drivers\wimmount.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\WinUsb.sys FE88B288356E7B47B74B13372ADD906D
C:\Windows\system32\drivers\wmiacpi.sys ==> MD5 is legit
C:\Windows\System32\drivers\WPRO_41_2001.sys 7CA09731EB7FC99B910C7F239E57720F
C:\Windows\system32\drivers\ws2ifsl.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\WSDPrint.sys 8D918B1DB190A4D9B1753A66FA8C96E8
C:\Windows\System32\drivers\WudfPf.sys AB886378EEB55C6C75B4F2D14B6C869F
C:\Windows\System32\DRIVERS\WUDFRd.sys DDA4CAF29D8C0A297F886BFE561E6659
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-07-01 21:50 - 2010-11-20 05:27 - 00512000 _____ (Microsoft Corporation) C:\Windows\System32\rpcss.dll
2014-07-01 18:59 - 2014-07-01 21:39 - 00000600 _____ () C:\Search.txt
2014-07-01 18:08 - 2014-07-01 22:19 - 00000000 _____ () C:\FRST.txt
2014-07-01 17:57 - 2014-07-01 22:19 - 00000000 ____D () C:\FRST
2014-07-01 13:47 - 2014-07-01 13:47 - 02083840 _____ (Farbar) C:\FRST64.exe
2014-06-10 16:26 - 2014-06-29 12:56 - 00000000 ____D () C:\Windows\SysWOW64\20-20 Technologies
 
==================== One Month Modified Files and Folders =======
 
2014-07-01 22:19 - 2014-07-01 18:08 - 00000000 _____ () C:\FRST.txt
2014-07-01 22:19 - 2014-07-01 17:57 - 00000000 ____D () C:\FRST
2014-07-01 21:39 - 2014-07-01 18:59 - 00000600 _____ () C:\Search.txt
2014-07-01 18:16 - 2010-11-20 19:47 - 00986074 _____ () C:\Windows\PFRO.log
2014-07-01 18:15 - 2013-05-17 05:54 - 00000000 ____D () C:\ProgramData\VMware
2014-07-01 18:15 - 2013-02-01 14:22 - 00034752 _____ () C:\Windows\System32\Drivers\WPRO_41_2001.sys
2014-07-01 13:47 - 2014-07-01 13:47 - 02083840 _____ (Farbar) C:\FRST64.exe
2014-06-29 12:56 - 2014-06-10 16:26 - 00000000 ____D () C:\Windows\SysWOW64\20-20 Technologies
2014-06-29 12:56 - 2013-01-21 17:02 - 00000000 ____D () C:\users\Puleo
2014-06-29 12:56 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\System32\NDF
2014-06-29 12:55 - 2013-07-12 04:24 - 00000000 ____D () C:\ProgramData\pdf995
2014-06-29 12:55 - 2013-05-29 15:00 - 00000000 ____D () C:\Users\Puleo\AppData\Local\Google
2014-06-29 12:55 - 2013-02-01 15:35 - 00000000 ____D () C:\Users\Puleo\AppData\Roaming\Mozilla
2014-06-29 12:55 - 2013-02-01 14:45 - 00000000 ____D () C:\ProgramData\FNET
2014-06-29 12:55 - 2013-02-01 14:15 - 00000000 ____D () C:\ProgramData\Intel
2014-06-29 12:55 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\registration
2014-06-29 12:55 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\AppCompat
2014-06-21 11:09 - 2013-07-17 23:01 - 00000000 ____D () C:\Windows\System32\MRT
2014-06-20 17:14 - 2013-05-29 15:00 - 00000896 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-06-20 17:00 - 2009-07-13 20:45 - 00022080 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-06-20 17:00 - 2009-07-13 20:45 - 00022080 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-06-20 16:57 - 2013-01-21 17:02 - 01766028 _____ () C:\Windows\WindowsUpdate.log
2014-06-20 16:54 - 2009-07-13 20:51 - 00123939 _____ () C:\Windows\setupact.log
2014-06-20 16:53 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-06-19 18:52 - 2014-04-23 17:24 - 00000069 _____ () C:\Windows\System32\gehj.zxu
2014-06-19 18:14 - 2013-05-29 15:00 - 00000892 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-06-19 18:09 - 2013-05-29 15:00 - 00003892 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-06-19 18:09 - 2013-05-29 15:00 - 00003640 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-06-16 15:18 - 2013-05-29 15:01 - 00002183 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-06-10 15:00 - 2009-07-13 21:13 - 00786766 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-06-01 07:12 - 2013-02-01 18:05 - 00475136 ___SH () C:\Users\Puleo\Documents\Thumbs.db
2014-06-01 07:02 - 2013-02-01 14:38 - 00000000 ____D () C:\Users\Puleo\AppData\Roaming\BitTorrent
 
==================== Known DLLs (Whitelisted) ================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== Restore Points  =========================
 
Restore point made on: 2014-06-01 07:03:51
Restore point made on: 2014-06-20 17:29:48
Restore point made on: 2014-06-21 11:07:51
 
==================== BCD ================================
 
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=Y:
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {default}
resumeobject            {216fef91-7d03-11e1-968c-f073b35dc48b}
displayorder            {default}
toolsdisplayorder       {memdiag}
timeout                 30
 
Windows Boot Loader
-------------------
identifier              {default}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {current}
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \Windows
resumeobject            {216fef91-7d03-11e1-968c-f073b35dc48b}
nx                      OptIn
 
Windows Boot Loader
-------------------
identifier              {current}
device                  ramdisk=[C:]\Recovery\216fef93-7d03-11e1-968c-f073b35dc48b\Winre.wim,{216fef94-7d03-11e1-968c-f073b35dc48b}
path                    \windows\system32\winload.exe
description             Windows Recovery Environment
inherit                 {bootloadersettings}
osdevice                ramdisk=[C:]\Recovery\216fef93-7d03-11e1-968c-f073b35dc48b\Winre.wim,{216fef94-7d03-11e1-968c-f073b35dc48b}
systemroot              \windows
nx                      OptIn
winpe                   Yes
 
Resume from Hibernate
---------------------
identifier              {216fef91-7d03-11e1-968c-f073b35dc48b}
device                  partition=C:
path                    \Windows\system32\winresume.exe
description             Windows Resume Application
locale                  en-US
inherit                 {resumeloadersettings}
filedevice              partition=C:
filepath                \hiberfil.sys
debugoptionenabled      No
 
Windows Memory Tester
---------------------
identifier              {memdiag}
device                  partition=Y:
path                    \boot\memtest.exe
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {globalsettings}
badmemoryaccess         Yes
 
EMS Settings
------------
identifier              {emssettings}
bootems                 Yes
 
Debugger Settings
-----------------
identifier              {dbgsettings}
debugtype               Serial
debugport               1
baudrate                115200
 
RAM Defects
-----------
identifier              {badmemory}
 
Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}
 
Boot Loader Settings
--------------------
identifier              {bootloadersettings}
inherit                 {globalsettings}
                        {hypervisorsettings}
 
Hypervisor Settings
-------------------
identifier              {hypervisorsettings}
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200
 
Resume Loader Settings
----------------------
identifier              {resumeloadersettings}
inherit                 {globalsettings}
 
Device options
--------------
identifier              {216fef94-7d03-11e1-968c-f073b35dc48b}
description             Ramdisk Options
ramdisksdidevice        partition=C:
ramdisksdipath          \Recovery\216fef93-7d03-11e1-968c-f073b35dc48b\boot.sdi
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 10%
Total physical RAM: 8085.43 MB
Available physical RAM: 7267.99 MB
Total Pagefile: 8083.63 MB
Available Pagefile: 7260.58 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:319.28 GB) (Free:69.91 GB) NTFS
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: 71A3309E)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=146 GB) - (Type=06)
Partition 3: (Not Active) - (Size=319 GB) - (Type=07 NTFS)
 
 
LastRegBack: 2014-06-20 17:22
 
==================== End Of Log ============================

Attached Files

  • Attached File  FRST.txt   32.09KB   6 downloads

Edited by JSntgRvr, 02 July 2014 - 06:53 PM.


#11 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,455 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:26 PM

Posted 01 July 2014 - 09:30 PM

Lets check the disk partitions:

 

Please download  Listparts to a flash drive.
 
Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
 
Shut down and plug the flashdrive into the infected PC.
 
From an Off position, start the computer and enter the System Recovery Options. (Very important that you start from an Off position when running this tool)
 
To enter the System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on  Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
 
On the System Recovery Options menu you will get the following options:
 

Startup Repair

System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool

Command Prompt

 

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\ListParts.exe (for x64 bit version type e:\ListParts64.exe)  and press Enter
Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Put check mark on List BCD.
  • Press Scan button.
  • It will make a log (Result.txt) in the flash drive. Please copy and paste it to your reply.
 

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#12 vpuleo

vpuleo
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:07:26 PM

Posted 02 July 2014 - 05:33 AM

Here is the log. Thanks again for all your help!

 

ListParts by Farbar Version: 17-04-2014
Ran by SYSTEM (administrator) on 02-07-2014 at 06:31:19
Windows 7 (X64)
Running From: G:\
Language: 0409
************************************************************
 
========================= Memory info ====================== 
 
Percentage of memory in use: 7%
Total physical RAM: 8085.43 MB
Available physical RAM: 7454.35 MB
Total Pagefile: 8083.63 MB
Available Pagefile: 7434.49 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB
 
======================= Partitions =========================
 
1 Drive c: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive e: () (Fixed) (Total:319.28 GB) (Free:69.91 GB) NTFS
5 Drive g: (USB DRIVE) (Removable) (Total:0.06 GB) (Free:0.01 GB) FAT
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
 
  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          465 GB      0 B         
  Disk 1    Online           61 MB      0 B         
 
Partitions of Disk 0:
===============
 
Disk ID: 71A3309E
 
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            100 MB  1024 KB
  Partition 2    Primary            146 GB   101 MB
  Partition 3    Primary            319 GB   146 GB
 
======================================================================================================
 
Disk: 0
Partition 1
Type  : 07
Hidden: No
Active: Yes
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     C   System Rese  NTFS   Partition    100 MB  Healthy            
 
======================================================================================================
 
Disk: 0
Partition 2
Type  : 06
Hidden: No
Active: No
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     D                RAW    Partition    146 GB  Healthy            
 
======================================================================================================
 
Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: No
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     E                NTFS   Partition    319 GB  Healthy            
 
======================================================================================================
 
Partitions of Disk 1:
===============
 
Disk ID: 7D4EF775
 
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary             61 MB    16 KB
 
======================================================================================================
 
Disk: 1
Partition 1
Type  : 06
Hidden: No
Active: Yes
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4     G   USB DRIVE    FAT    Removable     61 MB  Healthy            
 
======================================================================================================
============================== MBR Partition Table ==================
 
==============================
Partitions of Disk 0:
===============
Disk ID: 71A3309E
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=146 GB) - (Type=06)
Partition 3: (Not Active) - (Size=319 GB) - (Type=07 NTFS)
 
==============================
Partitions of Disk 1:
===============
Disk ID: 7D4EF775
Partition 1: (Active) - (Size=61 MB) - (Type=06)
 
 
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=C:
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {default}
resumeobject            {216fef91-7d03-11e1-968c-f073b35dc48b}
displayorder            {default}
toolsdisplayorder       {memdiag}
timeout                 30
 
Windows Boot Loader
-------------------
identifier              {default}
device                  partition=E:
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {current}
recoveryenabled         Yes
osdevice                partition=E:
systemroot              \Windows
resumeobject            {216fef91-7d03-11e1-968c-f073b35dc48b}
nx                      OptIn
 
Windows Boot Loader
-------------------
identifier              {current}
device                  ramdisk=[E:]\Recovery\216fef93-7d03-11e1-968c-f073b35dc48b\Winre.wim,{216fef94-7d03-11e1-968c-f073b35dc48b}
path                    \windows\system32\winload.exe
description             Windows Recovery Environment
inherit                 {bootloadersettings}
osdevice                ramdisk=[E:]\Recovery\216fef93-7d03-11e1-968c-f073b35dc48b\Winre.wim,{216fef94-7d03-11e1-968c-f073b35dc48b}
systemroot              \windows
nx                      OptIn
winpe                   Yes
 
Resume from Hibernate
---------------------
identifier              {216fef91-7d03-11e1-968c-f073b35dc48b}
device                  partition=E:
path                    \Windows\system32\winresume.exe
description             Windows Resume Application
locale                  en-US
inherit                 {resumeloadersettings}
filedevice              partition=E:
filepath                \hiberfil.sys
debugoptionenabled      No
 
Windows Memory Tester
---------------------
identifier              {memdiag}
device                  partition=C:
path                    \boot\memtest.exe
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {globalsettings}
badmemoryaccess         Yes
 
EMS Settings
------------
identifier              {emssettings}
bootems                 Yes
 
Debugger Settings
-----------------
identifier              {dbgsettings}
debugtype               Serial
debugport               1
baudrate                115200
 
RAM Defects
-----------
identifier              {badmemory}
 
Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}
 
Boot Loader Settings
--------------------
identifier              {bootloadersettings}
inherit                 {globalsettings}
                        {hypervisorsettings}
 
Hypervisor Settings
-------------------
identifier              {hypervisorsettings}
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200
 
Resume Loader Settings
----------------------
identifier              {resumeloadersettings}
inherit                 {globalsettings}
 
Device options
--------------
identifier              {216fef94-7d03-11e1-968c-f073b35dc48b}
description             Ramdisk Options
ramdisksdidevice        partition=E:
ramdisksdipath          \Recovery\216fef93-7d03-11e1-968c-f073b35dc48b\boot.sdi
 
 
****** End Of Log ****** 

Attached Files


Edited by JSntgRvr, 02 July 2014 - 10:55 AM.


#13 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,455 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:26 PM

Posted 02 July 2014 - 11:03 AM

Save these instructions to a notepad document and save it in the flashdrive, so you can have access to it while at the prompt.

 

Boot to the Recovery Command prompt.

 

At the prompt type the following and press Enter:

 

SFC /ScanNow /offbootdir=c:\ /offwindir=e:\

 

Let me know the outcome.


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#14 vpuleo

vpuleo
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:07:26 PM

Posted 02 July 2014 - 11:14 AM

Hi - I had tried this before and SFC wouldn't run... I got the "system repair pending that requires a reboot to coomplete" message. I won't be able to try it again for few hours, but will let you know the outcome. Thanks!!!



#15 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,455 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:26 PM

Posted 02 July 2014 - 11:17 AM

Try it, as now we have the correct offbootdir and offwindir switches.


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users