
win7 boots to black screen w/cursor


This topic is locked
45 replies to this topic

#1 Netghost56

  • Members
  • 973 posts
  • Gender:Male
  • Location:Texas

Posted 15 August 2014 - 10:38 AM

Original topic is here for more info: http://www.bleepingcomputer.com/forums/t/544324/need-help-fixing-boot-issue/

 

Here's the Farbar scan:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 31-10-2013 (ATTENTION: ====> FRST version is 95 days old and could be outdated)
Ran by SYSTEM on MININT-SJQ8JNL on 03-02-2014 09:58:03
Running from F:\
Windows 7 Professional Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1602856 2010-01-07] (Synaptics Incorporated)
HKLM\...\Run: [SysTrayApp] - C:\Program Files\IDT\WDM\sttray.exe [495708 2010-04-06] (IDT, Inc.)
HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [QuickSet] - C:\Program Files\Dell\QuickSet\quickset.exe [3873648 2010-01-15] (Dell Inc.)
HKLM\...\Run: [FreeFallProtection] - C:\Program Files\STMicroelectronics\AccelerometerP11\FF_Protection.exe [726640 2010-08-02] ()
HKLM\...\Run: [Broadcom Wireless Manager UI] - C:\Program Files\Dell\DW WLAN Card\WLTRAY.EXE [5249024 2010-12-14] (Dell Inc.)
HKLM\...\Run: [Dell Webcam Central] - C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe [409744 2009-06-24] (Creative Technology Ltd)
HKLM\...\Run: [AVG_UI] - C:\Program Files\AVG\AVG2014\avgui.exe [4956176 2013-11-07] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKU\Paul Snyder\...\Run: [swg] - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [ 2011-04-14] (Google Inc.)

========================== Services (Whitelisted) =================

S2 AVGIDSAgent; C:\Program Files\AVG\AVG2014\avgidsagent.exe [3478544 2013-11-11] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files\AVG\AVG2014\avgwdsvc.exe [348008 2013-09-23] (AVG Technologies CZ, s.r.o.)
S2 ptumlcmsvc; C:\Windows\system32\ptumlcmsvc.exe [143360 2012-09-21] (DEVGURU Co., LTD)
S3 TMBMServer; c:\Program Files\Trend Micro\BM\TMBMSRV.exe [345352 2009-12-01] (Trend Micro Inc.)
S2 wltrysvc; C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe [4539392 2010-12-14] (Dell Inc.)

==================== Drivers (Whitelisted) ====================

S3 Acceler; C:\Windows\System32\DRIVERS\Accelern.sys [43888 2010-07-09] (ST Microelectronics)
S1 Avgdiskx; C:\Windows\System32\DRIVERS\avgdiskx.sys [120600 2013-11-05] (AVG Technologies CZ, s.r.o.)
S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [209176 2013-11-04] (AVG Technologies CZ, s.r.o.)
S0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [147768 2013-10-24] (AVG Technologies CZ, s.r.o.)
S1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [22840 2013-09-16] (AVG Technologies CZ, s.r.o.)
S1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [176952 2013-10-31] (AVG Technologies CZ, s.r.o.)
S0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [222520 2013-10-31] (AVG Technologies CZ, s.r.o.)
S0 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [102712 2013-09-30] (AVG Technologies CZ, s.r.o.)
S0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [27448 2013-09-09] (AVG Technologies CZ, s.r.o.)
S1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [193848 2013-08-01] (AVG Technologies CZ, s.r.o.)
S3 BCM42RLY; C:\Windows\System32\drivers\BCM42RLY.sys [18424 2010-12-14] (Broadcom Corporation)
S3 CtAudDrv; C:\Windows\system32\Drivers\CtAudDrv.sys [134144 2009-05-28] (Creative Technology Ltd.)
S3 PTUMLBUS; C:\Windows\System32\DRIVERS\PTUMLBUS.sys [88632 2012-09-21] (DEVGURU Co., LTD.)
S3 PTUMLCVsp; C:\Windows\System32\DRIVERS\PTUMLCVsp.sys [169016 2012-09-21] (DEVGURU Co., LTD.(www.devguru.co.kr))
S3 PTUMLMBMP; C:\Windows\System32\DRIVERS\PTUMLMBMP.sys [279864 2012-09-21] (DEVGURU Co., LTD.)
S3 PTUMLMdm; C:\Windows\System32\DRIVERS\PTUMLMdm.sys [169016 2012-09-21] (DEVGURU Co., LTD.(www.devguru.co.kr))
S3 PTUMLNVsp; C:\Windows\System32\DRIVERS\PTUMLNVsp.sys [169656 2012-09-21] (DEVGURU Co., LTD.(www.devguru.co.kr))
S3 PTUMLRMNET; C:\Windows\System32\DRIVERS\PTUMLRMNET.sys [59704 2012-09-21] (DEVGURU Co., LTD.)
S3 PTUMLVsp; C:\Windows\System32\DRIVERS\PTUMLVsp.sys [169016 2012-09-21] (DEVGURU Co., LTD.(www.devguru.co.kr))
S0 stdcfltn; C:\Windows\System32\DRIVERS\stdcfltn.sys [17648 2010-07-09] (ST Microelectronics)
S3 tmactmon; C:\Windows\System32\DRIVERS\tmactmon.sys [59472 2010-07-19] (Trend Micro Inc.)
S2 tmcomm; C:\Windows\System32\DRIVERS\tmcomm.sys [163408 2010-07-19] (Trend Micro Inc.)
S3 tmevtmgr; C:\Windows\System32\DRIVERS\tmevtmgr.sys [51792 2010-07-19] (Trend Micro Inc.)
S1 tmlwf; C:\Windows\System32\DRIVERS\tmlwf.sys [146448 2009-07-15] (Trend Micro Inc.)
S1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [89872 2009-07-15] (Trend Micro Inc.)
S2 tmwfp; C:\Windows\System32\DRIVERS\tmwfp.sys [283152 2009-07-15] (Trend Micro Inc.)
S3 PTUMLNET61; system32\DRIVERS\PTUMLNET61.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-01-31 11:56 - 2014-01-31 11:56 - 00000000 ____D C:\FRST
2014-01-30 15:04 - 2013-11-07 13:32 - 04121952 _____ (Kaspersky Lab ZAO) C:\Users\Paul Snyder\Desktop\tdsskiller.exe
2014-01-30 14:32 - 2014-01-30 15:14 - 00000000 ____D C:\AdwCleaner
2014-01-30 14:23 - 2013-07-31 11:08 - 00661184 _____ (Sysinternals - www.sysinternals.com) C:\Users\Paul Snyder\Desktop\autoruns.exe
2014-01-21 09:17 - 2014-01-21 09:17 - 00000000 ____D C:\ProgramData\Verizon Wireless
2014-01-21 09:16 - 2014-01-21 09:16 - 00001248 _____ C:\Users\Public\Desktop\VZAccess Manager.lnk
2014-01-21 09:13 - 2014-01-21 09:13 - 00000000 ____D C:\Users\Paul Snyder\AppData\Roaming\hpqLog
2014-01-21 09:13 - 2014-01-21 09:13 - 00000000 ____D C:\Program Files\PANTECH
2014-01-21 09:13 - 2012-09-21 00:13 - 00279864 _____ (DEVGURU Co., LTD.) C:\Windows\System32\Drivers\PTUMLMBMP.sys
2014-01-21 09:13 - 2012-09-21 00:13 - 00169656 _____ (DEVGURU Co., LTD.(www.devguru.co.kr)) C:\Windows\System32\Drivers\PTUMLNVsp.sys
2014-01-21 09:13 - 2012-09-21 00:13 - 00169016 _____ (DEVGURU Co., LTD.(www.devguru.co.kr)) C:\Windows\System32\Drivers\PTUMLVsp.sys
2014-01-21 09:13 - 2012-09-21 00:13 - 00169016 _____ (DEVGURU Co., LTD.(www.devguru.co.kr)) C:\Windows\System32\Drivers\PTUMLMdm.sys
2014-01-21 09:13 - 2012-09-21 00:13 - 00169016 _____ (DEVGURU Co., LTD.(www.devguru.co.kr)) C:\Windows\System32\Drivers\PTUMLCVsp.sys
2014-01-21 09:13 - 2012-09-21 00:13 - 00088632 _____ (DEVGURU Co., LTD.) C:\Windows\System32\Drivers\PTUMLBUS.sys
2014-01-21 09:13 - 2012-09-21 00:13 - 00059704 _____ (DEVGURU Co., LTD.) C:\Windows\System32\Drivers\PTUMLRMNET.sys
2014-01-21 09:12 - 2014-01-21 09:13 - 00115312 _____ C:\Windows\System32\PTUMLsetup_20140121.log

==================== One Month Modified Files and Folders =======

2014-01-31 14:34 - 2013-12-05 08:49 - 00000000 ____D C:\ProgramData\MFAData
2014-01-31 11:56 - 2014-01-31 11:56 - 00000000 ____D C:\FRST
2014-01-31 10:16 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\LogFiles
2014-01-31 10:16 - 2009-07-13 18:03 - 48234496 _____ C:\Windows\System32\config\software.bak
2014-01-31 08:40 - 2009-07-13 18:03 - 15990784 _____ C:\Windows\System32\config\system.bak
2014-01-31 07:36 - 2009-07-13 18:03 - 00524288 _____ C:\Windows\System32\config\default.bak
2014-01-31 07:36 - 2009-07-13 18:03 - 00262144 _____ C:\Windows\System32\config\security.bak
2014-01-31 07:20 - 2009-07-13 18:03 - 00262144 _____ C:\Windows\System32\config\sam.bak
2014-01-31 07:19 - 2009-07-13 20:55 - 01932734 _____ C:\Windows\WindowsUpdate.log
2014-01-31 07:00 - 2009-07-13 20:34 - 00014256 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-01-31 07:00 - 2009-07-13 20:34 - 00014256 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-01-31 06:18 - 2010-12-14 08:14 - 00745000 _____ C:\Windows\System32\PerfStringBackup.INI
2014-01-31 06:14 - 2009-07-13 20:39 - 00089570 _____ C:\Windows\setupact.log
2014-01-30 15:14 - 2014-01-30 14:32 - 00000000 ____D C:\AdwCleaner
2014-01-30 14:57 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\NDF
2014-01-30 14:44 - 2014-01-03 09:38 - 00000089 _____ C:\Windows\System32\imvmw.jxk
2014-01-30 11:52 - 2011-03-24 13:21 - 00000000 ____D C:\Users\Paul Snyder\Documents\Outlook Files
2014-01-30 11:29 - 2013-10-23 08:12 - 00000000 ____D C:\Users\Paul Snyder\Desktop\Cossatot Submittals
2014-01-23 07:23 - 2013-12-04 08:50 - 00000000 ____D C:\Users\Paul Snyder\AppData\Local\Windows Live
2014-01-21 09:17 - 2014-01-21 09:17 - 00000000 ____D C:\ProgramData\Verizon Wireless
2014-01-21 09:16 - 2014-01-21 09:16 - 00001248 _____ C:\Users\Public\Desktop\VZAccess Manager.lnk
2014-01-21 09:16 - 2011-03-24 12:43 - 00000000 ____D C:\Program Files\Verizon Wireless
2014-01-21 09:13 - 2014-01-21 09:13 - 00000000 ____D C:\Users\Paul Snyder\AppData\Roaming\hpqLog
2014-01-21 09:13 - 2014-01-21 09:13 - 00000000 ____D C:\Program Files\PANTECH
2014-01-21 09:13 - 2014-01-21 09:12 - 00115312 _____ C:\Windows\System32\PTUMLsetup_20140121.log
2014-01-21 08:54 - 2011-04-14 05:13 - 00000000 ____D C:\Program Files\Common Files\Adobe
2014-01-20 11:41 - 2013-12-09 11:36 - 00000000 ____D C:\Users\Paul Snyder\AppData\Local\CrashDumps
2014-01-15 07:06 - 2013-07-21 14:32 - 00000000 ____D C:\Windows\System32\MRT
2014-01-15 07:05 - 2012-09-06 05:35 - 83425928 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe

Some content of TEMP:
====================
C:\Users\Paul Snyder\AppData\Local\Temp\ntdll_dump.dll
C:\Users\Paul Snyder\AppData\Local\Temp\Quarantine.exe


==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================


==================== Memory info ===========================

Percentage of memory in use: 15%
Total physical RAM: 2934.68 MB
Available physical RAM: 2473.62 MB
Total Pagefile: 2932.96 MB
Available Pagefile: 2486.42 MB
Total Virtual: 2047.88 MB
Available Virtual: 1939.75 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:218.2 GB) (Free:185.32 GB) NTFS
Drive e: (GSP1RMCHPFRER_EN_DVD) (CDROM) (Total:2.39 GB) (Free:0 GB) UDF
Drive f: (SCHMIDT) (Removable) (Total:3.72 GB) (Free:2.28 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:9.89 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 233 GB) (Disk ID: 61D41571)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=15 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=218 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 4 GB) (Disk ID: 0BC30785)
Partition 1: (Not Active) - (Size=4 GB) - (Type=0B)


LastRegBack: 2014-01-30 08:09

==================== End Of Log ============================




#2 SleepyDude

  • Malware Response Team
  • 2,932 posts
  • Gender:Male
  • Location:Portugal

Posted 15 August 2014 - 11:19 AM

Hi,

 

Please download a fresh copy of FRST to your flash drive and run it like you did before, then post the new log.

The tool is updated almost daily to cover new infections and to include extra features; that's why I need to see a report generated by the most current version.


• Please do not PM me asking for support. Post on the forums instead; it will increase the chances of getting help for your problem from one of us.
• Posts in the Malware section that are not replied to within 4 days will be closed. PM me or a moderator to reactivate.
• Please post your final results, good or bad. We like to know! Thank you!

 
Proud graduate of GeekU and member of UNITE
___
Rui

 
 


#3 Netghost56
  • Topic Starter

  • Members
  • 973 posts
  • Gender:Male
  • Location:Texas

Posted 15 August 2014 - 11:28 AM

OK, here you go. Funny how the last version of FRST I used showed Win7 as an x86 install, but this one shows x64.

I haven't had to use FRST very often, which is why I haven't updated it. It's a full-time job trying to keep all the apps updated!

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 15-08-2014
Ran by SYSTEM on MININT-GPJTCOT on 15-08-2014 11:25:27
Running from F:\
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.


The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [cAudioFilterAgent] => C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [564352 2011-12-15] (Conexant Systems, Inc.)
HKLM\...\Run: [SmartAudio] => C:\Program Files\CONEXANT\SAII\SAIICpl.exe [310912 2011-06-24] (Conexant Systems, Inc.)
HKLM\...\Run: [CDAServer] => C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe [462712 2012-03-09] ()
HKLM-x32\...\Run: [TkBellExe] => C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe [295512 2013-09-05] (RealNetworks, Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [{9374fbe5-87bd-281e-06f8-b8decc93ee20}] => C:\ProgramData\Microsoft\{9374fbe5-87bd-281e-06f8-b8decc93ee20}\{9374fbe5-87bd-281e-06f8-b8decc93ee20}.exe [211513 2014-04-03] ()
HKLM-x32\...\Run: [Shelll] => C:\Users\Meineke\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d.exe [11776 2014-07-10] ()
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer\Run: [{9374fbe5-87bd-281e-06f8-b8decc93ee20}] => C:\ProgramData\Microsoft\{9374fbe5-87bd-281e-06f8-b8decc93ee20}\{9374fbe5-87bd-281e-06f8-b8decc93ee20}.exe [211513 2014-04-03] ( ())
HKU\Meineke\...\Run: [EEDSpeedLauncher] => rundll32.exe C:\Windows\system32\eed_ec.dll,SpeedLauncher
HKU\Meineke\...\Run: [Shelll] => C:\Users\Meineke\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d.exe [11776 2014-07-10] ()
HKU\Meineke\...\Run: [Emyx] => C:\Users\Meineke\AppData\Local\Temp\Exot\emyx.exe [385536 2012-10-11] (CHENGDU WEISHU TECHNOLOGY CO., LTD.) <===== ATTENTION
Startup: C:\Users\Meineke\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d.exe ()
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [161560 2012-02-28] (Intel Corporation)
S2 RealNetworks Downloader Resolver Service; C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-08-14] ()

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)


==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-08-15 09:22 - 2014-08-15 11:25 - 00000000 ____D () C:\FRST
2014-08-13 05:43 - 2014-08-12 04:12 - 01310720 _____ () C:\Windows\System32\config\DEFAULT.old
2014-08-13 05:43 - 2014-08-11 18:03 - 00262144 _____ () C:\Windows\System32\config\SECURITY.old
2014-08-13 05:43 - 2013-01-31 06:32 - 00262144 _____ () C:\Windows\System32\config\SAM.old
2014-08-11 11:18 - 2013-03-05 03:00 - 00306819 _____ (Maskiseft Corporatien) C:\Windows\SysWOW64\sexyerab(17).exe
2014-07-23 15:33 - 2014-07-24 03:50 - 00003336 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-2825841727-344447983-2286369605-1000
2014-07-23 15:33 - 2014-07-24 03:50 - 00003206 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-2825841727-344447983-2286369605-1000

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-08-15 11:25 - 2014-08-15 09:22 - 00000000 ____D () C:\FRST
2014-08-15 06:32 - 2010-11-20 19:47 - 00427472 _____ () C:\Windows\PFRO.log
2014-08-14 14:30 - 2009-07-13 18:34 - 50855936 _____ () C:\Windows\System32\config\SOFTWARE.old
2014-08-14 12:01 - 2009-07-13 18:34 - 19922944 _____ () C:\Windows\System32\config\SYSTEM.old
2014-08-12 04:12 - 2014-08-13 05:43 - 01310720 _____ () C:\Windows\System32\config\DEFAULT.old
2014-08-12 03:19 - 2012-10-10 03:23 - 00000000 ____D () C:\users\Meineke
2014-08-12 03:18 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\System32\NDF
2014-08-12 03:18 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\AppCompat
2014-08-11 18:30 - 2013-09-05 07:39 - 00000000 ____D () C:\ProgramData\Real
2014-08-11 18:06 - 2009-07-13 20:45 - 00025680 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-08-11 18:06 - 2009-07-13 20:45 - 00025680 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-08-11 18:03 - 2014-08-13 05:43 - 00262144 _____ () C:\Windows\System32\config\SECURITY.old
2014-08-11 17:53 - 2014-04-07 13:47 - 00000099 _____ () C:\Users\Public\LMDebug.log
2014-08-11 14:40 - 2013-08-28 04:25 - 00061578 _____ () C:\SwatchIT.txt
2014-08-09 06:22 - 2013-09-18 07:21 - 00001653 _____ () C:\PartOrderResp.xml
2014-08-09 06:22 - 2013-09-18 07:21 - 00001550 _____ () C:\PartOrderReq.xml
2014-08-09 06:22 - 2013-09-18 07:21 - 00001479 _____ () C:\PartInqResp.xml
2014-08-09 06:22 - 2013-09-18 07:21 - 00001393 _____ () C:\PartInqReq.xml
2014-07-24 12:33 - 2013-11-20 05:44 - 00000900 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-07-24 12:09 - 2012-08-27 21:58 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-07-24 04:33 - 2013-11-20 05:44 - 00000896 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-07-24 04:25 - 2012-08-27 21:56 - 01202420 _____ () C:\Windows\WindowsUpdate.log
2014-07-24 03:50 - 2014-07-23 15:33 - 00003336 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-2825841727-344447983-2286369605-1000
2014-07-24 03:50 - 2014-07-23 15:33 - 00003206 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-2825841727-344447983-2286369605-1000
2014-07-24 03:50 - 2014-07-11 04:20 - 00000000 _____ () C:\ProgramData\rdpclip.exe
2014-07-24 03:49 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-07-24 03:49 - 2009-07-13 20:51 - 00049543 _____ () C:\Windows\setupact.log
2014-07-18 09:45 - 2013-11-20 05:45 - 00002185 _____ () C:\Users\Public\Desktop\Google Chrome.lnk

Files to move or delete:
====================
C:\Users\Meineke\AppData\Local\Temp\Exot\emyx.exe
C:\ProgramData\rdpclip.exe


Some content of TEMP:
====================
C:\Users\Meineke\AppData\Local\Temp\0048.dll
C:\Users\Meineke\AppData\Local\Temp\0189.dll
C:\Users\Meineke\AppData\Local\Temp\0249.dll
C:\Users\Meineke\AppData\Local\Temp\0346.dll
C:\Users\Meineke\AppData\Local\Temp\0529.dll
C:\Users\Meineke\AppData\Local\Temp\0928.dll
C:\Users\Meineke\AppData\Local\Temp\71258B4049.exe
C:\Users\Meineke\AppData\Local\Temp\avs.dll
C:\Users\Meineke\AppData\Local\Temp\Command.exe
C:\Users\Meineke\AppData\Local\Temp\dmkoq.dll
C:\Users\Meineke\AppData\Local\Temp\e.dll
C:\Users\Meineke\AppData\Local\Temp\knwk.dll
C:\Users\Meineke\AppData\Local\Temp\kqmln.dll
C:\Users\Meineke\AppData\Local\Temp\kvccy.dll
C:\Users\Meineke\AppData\Local\Temp\Ms_Cleaner.exe
C:\Users\Meineke\AppData\Local\Temp\OptimizerPro.exe
C:\Users\Meineke\AppData\Local\Temp\Svchost.exe
C:\Users\Meineke\AppData\Local\Temp\Sys_Drive.exe
C:\Users\Meineke\AppData\Local\Temp\Sys_Drivepp.exe
C:\Users\Meineke\AppData\Local\Temp\User32.exe
C:\Users\Meineke\AppData\Local\Temp\wcrash.exe
C:\Users\Meineke\AppData\Local\Temp\WiFi-Cfg.exe
C:\Users\Meineke\AppData\Local\Temp\xrksg.dll


==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points  =========================


==================== Memory info ===========================

Percentage of memory in use: 17%
Total physical RAM: 3998.08 MB
Available physical RAM: 3310.04 MB
Total Pagefile: 3996.28 MB
Available Pagefile: 3402.13 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:464.99 GB) (Free:172.47 GB) NTFS
Drive e: (GRMCHPXFRER_EN_DVD) (CDROM) (Total:3.09 GB) (Free:0 GB) UDF
Drive f: (USB30BLACK) (Removable) (Total:29.06 GB) (Free:18.83 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (RECOVERY) (Fixed) (Total:0.74 GB) (Free:0.51 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 932 GB) (Disk ID: 6324C508)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=753 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=465 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 29 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=29 GB) - (Type=0C)


LastRegBack: 2014-07-29 05:32

==================== End Of Log ============================



#4 SleepyDude

  • Malware Response Team
  • 2,932 posts
  • Gender:Male
  • Location:Portugal

Posted 15 August 2014 - 12:19 PM

Hi,

The new log shows some malware not listed in the older one...

Let's see if, after the following steps, the system can boot normally.


Step 1 - FRST Fix

!!! WARNING !!! The following fix is only relevant for this system and no other, running the script on another computer will not work and may cause problems...

  • Attached File: fixlist.txt (2.43KB)
  • Download the file above and save it to the flash drive as fixlist.txt
    (It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work!)
  • Now boot from the DVD and access the System Recovery Options and the Command Prompt like you did before.
    [image: FRST_Fix.png]
  • Run FRST64, press the Fix button just once and wait.
  • The tool will make a log on the flash drive (Fixlog.txt); please post it in your next reply.
  • Restart the computer and let me know if you can access the Desktop normally.

 

 

Things I would like to see in your next reply:

  • The Fixlog.txt log
  • Can you access the Desktop now?

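As an added example (not code from this thread, from FRST, or from the helper), here is how the triage SleepyDude did by hand on the second log can be applied to FRST's Registry "Run" lines: each entry is parsed and flagged when it sits in an autostart location that legitimate software rarely uses. The sample lines are constructed from the second log above; the heuristics are assumptions of this example, not FRST rules.

```python
"""Parse FRST 'Run' autostart lines and flag the ones worth a closer look."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in FRST's Registry-section format, modelled on the second
# log in this thread: one benign OEM entry, one rundll32 entry, and the four
# entries the helper's fixlist later removed.
SAMPLE_LOG = r"""
HKLM\...\Run: [cAudioFilterAgent] => C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [564352 2011-12-15] (Conexant Systems, Inc.)
HKLM-x32\...\Run: [{9374fbe5-87bd-281e-06f8-b8decc93ee20}] => C:\ProgramData\Microsoft\{9374fbe5-87bd-281e-06f8-b8decc93ee20}\{9374fbe5-87bd-281e-06f8-b8decc93ee20}.exe [211513 2014-04-03] ()
HKLM-x32\...\Run: [Shelll] => C:\Users\Meineke\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d.exe [11776 2014-07-10] ()
HKLM\...\Policies\Explorer\Run: [{9374fbe5-87bd-281e-06f8-b8decc93ee20}] => C:\ProgramData\Microsoft\{9374fbe5-87bd-281e-06f8-b8decc93ee20}\{9374fbe5-87bd-281e-06f8-b8decc93ee20}.exe [211513 2014-04-03] ( ())
HKU\Meineke\...\Run: [EEDSpeedLauncher] => rundll32.exe C:\Windows\system32\eed_ec.dll,SpeedLauncher
HKU\Meineke\...\Run: [Emyx] => C:\Users\Meineke\AppData\Local\Temp\Exot\emyx.exe [385536 2012-10-11] (CHENGDU WEISHU TECHNOLOGY CO., LTD.) <===== ATTENTION
"""

# Shape: 'HKLM-x32\...\Run: [Name] => command [size date] (Publisher) <===== ATTENTION'
RUN_LINE = re.compile(
    r"^(?P<hive>HK(?:LM|U)(?:-x32)?(?:\\[^\\]+)?)\\\.\.\.\\(?P<key>.+?): "
    r"\[(?P<name>[^\]]+)\] => (?P<rest>.+)$"
)
DETAILS = re.compile(
    r"^(?P<cmd>.*?)(?: \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\])?"
    r"(?: \((?P<pub>.*?)\))?(?P<attn> <=+ ATTENTION)?$"
)
GUID = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)

# Assumed heuristics: autostart directories that rarely hold legitimate software.
RISKY_DIRS = {
    "\\appdata\\local\\temp\\": "runs from the user's Temp folder",
    "\\start menu\\programs\\startup\\": "runs from the Startup folder",
    "\\programdata\\": "runs from ProgramData rather than Program Files",
}


@dataclass
class RunEntry:
    hive: str
    key: str
    name: str
    command: str
    size: Optional[int]
    date: Optional[str]
    publisher: str
    attention: bool
    reasons: List[str]


def triage(e: "RunEntry") -> List[str]:
    """Return the (assumed) reasons an entry deserves a closer look."""
    reasons = []
    cmd = e.command.lower()
    for fragment, why in RISKY_DIRS.items():
        if fragment in cmd:
            reasons.append(why)
    if GUID.match(e.name):
        reasons.append("value name is a bare GUID")
    if "policies\\explorer\\run" in e.key.lower():
        reasons.append("uses the Policies\\Explorer\\Run key")
    # FRST prints size/date only when it could read the file; a readable file
    # with no publisher string is unusual for installed software.
    if e.size is not None and not e.publisher:
        reasons.append("file has no publisher/version information")
    if e.attention:
        reasons.append("FRST itself marked the line ATTENTION")
    return reasons


def parse_run_line(line: str) -> Optional[RunEntry]:
    """Parse one FRST Run line; returns None for lines of any other kind."""
    m = RUN_LINE.match(line.strip())
    if not m:
        return None
    d = DETAILS.match(m["rest"])
    publisher = (d["pub"] or "").strip()
    if publisher == "()":  # FRST shows '( ())' when the version block is empty
        publisher = ""
    entry = RunEntry(m["hive"], m["key"], m["name"], d["cmd"],
                     int(d["size"]) if d["size"] else None, d["date"],
                     publisher, bool(d["attn"]), [])
    entry.reasons = triage(entry)
    return entry


def flagged_entries(log_text: str) -> List[RunEntry]:
    """All Run entries in the log text that collected at least one reason."""
    entries = [parse_run_line(ln) for ln in log_text.strip().splitlines()]
    return [e for e in entries if e is not None and e.reasons]


if __name__ == "__main__":
    for e in flagged_entries(SAMPLE_LOG):
        print(f"{e.hive}\\...\\{e.key} [{e.name}] -> {e.command}")
        for r in e.reasons:
            print("    -", r)
```

Run against the constructed sample it flags exactly the four entries the fixlist removed and leaves the Conexant and rundll32 entries alone; a real log's other sections (Services, Drivers) would need their own patterns.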

 
 


#5 Netghost56
  • Topic Starter

  • Members
  • 973 posts
  • Gender:Male
  • Location:Texas

Posted 15 August 2014 - 12:29 PM

Here's the fixlog. Still no change, in Normal or Safe mode.

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 15-08-2014
Ran by SYSTEM at 2014-08-15 12:25:12 Run:1
Running from F:\
Boot Mode: Recovery
==============================================

Content of fixlist:
*****************
HKLM-x32\...\Run: [{9374fbe5-87bd-281e-06f8-b8decc93ee20}] => C:\ProgramData\Microsoft\{9374fbe5-87bd-281e-06f8-b8decc93ee20}\{9374fbe5-87bd-281e-06f8-b8decc93ee20}.exe [211513 2014-04-03] ()
HKLM-x32\...\Run: [Shelll] => C:\Users\Meineke\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d.exe [11776 2014-07-10] ()
HKLM\...\Policies\Explorer\Run: [{9374fbe5-87bd-281e-06f8-b8decc93ee20}] => C:\ProgramData\Microsoft\{9374fbe5-87bd-281e-06f8-b8decc93ee20}\{9374fbe5-87bd-281e-06f8-b8decc93ee20}.exe [211513 2014-04-03] ( ())
HKU\Meineke\...\Run: [Shelll] => C:\Users\Meineke\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d.exe [11776 2014-07-10] ()
HKU\Meineke\...\Run: [Emyx] => C:\Users\Meineke\AppData\Local\Temp\Exot\emyx.exe [385536 2012-10-11] (CHENGDU WEISHU TECHNOLOGY CO., LTD.) <===== ATTENTION
Startup: C:\Users\Meineke\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d.exe ()
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
C:\ProgramData\Microsoft\{9374fbe5-87bd-281e-06f8-b8decc93ee20}
C:\Users\Meineke\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d.exe
C:\Users\Meineke\AppData\Local\Temp\Exot
2014-08-11 11:18 - 2013-03-05 03:00 - 00306819 _____ (Maskiseft Corporatien) C:\Windows\SysWOW64\sexyerab(17).exe
C:\Users\Meineke\AppData\Local\Temp\Exot\emyx.exe
C:\ProgramData\rdpclip.exe
C:\Users\Meineke\AppData\Local\Temp\0048.dll
C:\Users\Meineke\AppData\Local\Temp\0189.dll
C:\Users\Meineke\AppData\Local\Temp\0249.dll
C:\Users\Meineke\AppData\Local\Temp\0346.dll
C:\Users\Meineke\AppData\Local\Temp\0529.dll
C:\Users\Meineke\AppData\Local\Temp\0928.dll
C:\Users\Meineke\AppData\Local\Temp\71258B4049.exe
C:\Users\Meineke\AppData\Local\Temp\avs.dll
C:\Users\Meineke\AppData\Local\Temp\Command.exe
C:\Users\Meineke\AppData\Local\Temp\dmkoq.dll
C:\Users\Meineke\AppData\Local\Temp\e.dll
C:\Users\Meineke\AppData\Local\Temp\knwk.dll
C:\Users\Meineke\AppData\Local\Temp\kqmln.dll
C:\Users\Meineke\AppData\Local\Temp\kvccy.dll
C:\Users\Meineke\AppData\Local\Temp\Ms_Cleaner.exe
C:\Users\Meineke\AppData\Local\Temp\OptimizerPro.exe
C:\Users\Meineke\AppData\Local\Temp\Svchost.exe
C:\Users\Meineke\AppData\Local\Temp\Sys_Drive.exe
C:\Users\Meineke\AppData\Local\Temp\Sys_Drivepp.exe
C:\Users\Meineke\AppData\Local\Temp\User32.exe
C:\Users\Meineke\AppData\Local\Temp\wcrash.exe
C:\Users\Meineke\AppData\Local\Temp\WiFi-Cfg.exe
C:\Users\Meineke\AppData\Local\Temp\xrksg.dll

*****************

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\{9374fbe5-87bd-281e-06f8-b8decc93ee20} => value deleted successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Shelll => value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\{9374fbe5-87bd-281e-06f8-b8decc93ee20} => value deleted successfully.
HKU\Meineke\Software\Microsoft\Windows\CurrentVersion\Run\\Shelll => value deleted successfully.
HKU\Meineke\Software\Microsoft\Windows\CurrentVersion\Run\\Emyx => value deleted successfully.
C:\Users\Meineke\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d.exe => Moved successfully.
C:\Windows\System32\GroupPolicy\Machine => Moved successfully.
C:\Windows\System32\GroupPolicy\GPT.ini => Moved successfully.
C:\ProgramData\Microsoft\{9374fbe5-87bd-281e-06f8-b8decc93ee20} => Moved successfully.
"C:\Users\Meineke\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d.exe" => File/Directory not found.
C:\Users\Meineke\AppData\Local\Temp\Exot => Moved successfully.
C:\Windows\SysWOW64\sexyerab(17).exe => Moved successfully.
"C:\Users\Meineke\AppData\Local\Temp\Exot\emyx.exe" => File/Directory not found.
C:\ProgramData\rdpclip.exe => Moved successfully.
C:\Users\Meineke\AppData\Local\Temp\0048.dll => Moved successfully.
C:\Users\Meineke\AppData\Local\Temp\0189.dll => Moved successfully.
C:\Users\Meineke\AppData\Local\Temp\0249.dll => Moved successfully.
C:\Users\Meineke\AppData\Local\Temp\0346.dll => Moved successfully.
C:\Users\Meineke\AppData\Local\Temp\0529.dll => Moved successfully.
C:\Users\Meineke\AppData\Local\Temp\0928.dll => Moved successfully.
C:\Users\Meineke\AppData\Local\Temp\71258B4049.exe => Moved successfully.
C:\Users\Meineke\AppData\Local\Temp\avs.dll => Moved successfully.
C:\Users\Meineke\AppData\Local\Temp\Command.exe => Moved successfully.
C:\Users\Meineke\AppData\Local\Temp\dmkoq.dll => Moved successfully.
C:\Users\Meineke\AppData\Local\Temp\e.dll => Moved successfully.
C:\Users\Meineke\AppData\Local\Temp\knwk.dll => Moved successfully.
C:\Users\Meineke\AppData\Local\Temp\kqmln.dll => Moved successfully.
C:\Users\Meineke\AppData\Local\Temp\kvccy.dll => Moved successfully.
C:\Users\Meineke\AppData\Local\Temp\Ms_Cleaner.exe => Moved successfully.
C:\Users\Meineke\AppData\Local\Temp\OptimizerPro.exe => Moved successfully.
C:\Users\Meineke\AppData\Local\Temp\Svchost.exe => Moved successfully.
C:\Users\Meineke\AppData\Local\Temp\Sys_Drive.exe => Moved successfully.
C:\Users\Meineke\AppData\Local\Temp\Sys_Drivepp.exe => Moved successfully.
C:\Users\Meineke\AppData\Local\Temp\User32.exe => Moved successfully.
C:\Users\Meineke\AppData\Local\Temp\wcrash.exe => Moved successfully.
C:\Users\Meineke\AppData\Local\Temp\WiFi-Cfg.exe => Moved successfully.
C:\Users\Meineke\AppData\Local\Temp\xrksg.dll => Moved successfully.

==== End of Fixlog ====
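The Fixlog above records the persistence points that were cleaned: Run values under HKLM (including the WOW6432Node and Policies\Explorer\Run keys) and under the user's hive, a d.exe dropped in the Startup folder, a planted local Group Policy (GroupPolicy\Machine and GPT.ini), and executables parked in Temp and ProgramData under names that mimic Windows binaries (rdpclip.exe, Svchost.exe, User32.exe). The PowerShell script below is an added example; it is not part of the thread and not FRST's code. Run in an elevated PowerShell on a system that boots, it walks the same autostart locations and flags entries that launch from user-writable folders, reuse a system binary's name outside System32/SysWOW64, or point at a file that no longer exists, and it notes whether a local machine policy is present. It only reports; it deletes nothing. The folder list and the lookalike-name list are assumptions chosen from what the Fixlog shows, not an exhaustive set.

```powershell
# Added example, not from the thread or from FRST: audit the autostart
# locations the Fixlog shows being cleaned and report suspicious entries.
# Reporting only; nothing is modified. Run elevated on a bootable system.

# Registry Run keys FRST cleaned (HKU\<user> in the Fixlog is HKCU here).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumed heuristics: folders a legitimate autostart rarely launches from, and
# Windows binary names the Fixlog shows copied outside the system directories.
$userWritableDirs = @('\AppData\Local\Temp\', '\AppData\Roaming\', '\ProgramData\', '\Windows\Temp\')
$lookalikeNames   = @('rdpclip.exe', 'svchost.exe', 'user32.exe', 'explorer.exe', 'csrss.exe')
$systemDirs       = @("$env:SystemRoot\System32\", "$env:SystemRoot\SysWOW64\")

function Get-ImagePath {
    # Pull the executable out of a Run value such as  "C:\x\a.exe" /arg  or  C:\x y\a.exe /arg
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"')          { return $Matches[1] }
    if ($Command -match '^\s*(.+?\.exe)(\s|$)')   { return $Matches[1] }
    return $Command.Trim()
}

function Test-Suspicious {
    # Returns the reasons an image path looks wrong (nothing when it looks clean)
    param([string]$Path)
    $reasons = @()
    foreach ($d in $userWritableDirs) {
        if ($Path -like "*$d*") { $reasons += "launches from user-writable folder $d" }
    }
    $leaf = $Path.Split('\')[-1].ToLowerInvariant()
    if ($lookalikeNames -contains $leaf) {
        $inSystemDir = $false
        foreach ($s in $systemDirs) { if ($Path -like "$s*") { $inSystemDir = $true } }
        if (-not $inSystemDir) { $reasons += "system binary name '$leaf' outside System32/SysWOW64" }
    }
    # Bare names (no directory part) resolve through PATH, so only absolute paths are checked
    if ($Path -match '\\' -and -not (Test-Path -LiteralPath $Path)) {
        $reasons += 'target file missing (dangling autostart entry)'
    }
    return $reasons
}

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($name)
        $why = @(Test-Suspicious (Get-ImagePath $cmd))
        if ($why.Count -gt 0) {
            $findings += [pscustomobject]@{ Location = $key; Name = $name; Command = $cmd; Reason = ($why -join '; ') }
        }
    }
}

# Startup folders (current user and all users); d.exe in the Fixlog sat in the first one
foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    foreach ($f in Get-ChildItem -LiteralPath $dir -File) {
        if ($f.Extension -in @('.exe', '.dll', '.scr', '.bat', '.cmd', '.vbs', '.js')) {
            $findings += [pscustomobject]@{ Location = $dir; Name = $f.Name; Command = $f.FullName; Reason = 'executable dropped directly into Startup folder' }
        }
    }
}

# The Fixlog also removed a local Group Policy the malware had planted; a Registry.pol
# or a startup-script folder under GroupPolicy\Machine should be explained by an admin.
$gpoMachine = Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine'
foreach ($p in @('Registry.pol', 'Scripts\Startup')) {
    $full = Join-Path $gpoMachine $p
    if (Test-Path -LiteralPath $full) {
        $findings += [pscustomobject]@{ Location = 'Local GPO'; Name = $p; Command = $full; Reason = 'local machine policy present; confirm an administrator created it' }
    }
}

if ($findings.Count -eq 0) { 'No suspicious autostart entries found.' }
else { $findings | Sort-Object Location | Format-Table -AutoSize -Wrap }
```

A hit from this script is a lead, not a verdict: vendors do occasionally launch updaters from ProgramData, and an administrator may have set a local policy on purpose. The value is in the combination the Fixlog shows, a system binary's name plus a user-writable folder plus a policy nobody remembers creating, which is what to look for before deciding anything is malicious.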



#6 SleepyDude (Malware Response Team)

Posted 15 August 2014 - 02:43 PM

Hi,

 

I have another fixlist.txt below for you; please repeat the steps you did before.

After running the Fix you should see an MBRDUMP.txt file on your flash drive. Please attach this file to your next reply.

 

Note: The fix will not change anything; it's only to collect more information from the system.

 

Attached file: fixlist.txt (16 bytes)

 


• Please do not PM me asking for support. Post on the forums instead; it will increase the chances of getting help for your problem by one of us.
• Posts in the Malware section that are not replied to within 4 days will be closed. PM me or a moderator to reactivate.
• Please post your final results, good or bad. We like to know! Thank you!

 
Proud graduate of GeekU and member of UNITE
___
Rui

 
 


#7 Netghost56 (Topic Starter)

Posted 15 August 2014 - 03:07 PM

Here's the file. Hope it helps!

Attached Files



#8 SleepyDude (Malware Response Team)

Posted 15 August 2014 - 03:41 PM

Hi,
 
If you boot from the Windows 7 Professional Service Pack 1 (X64) DVD, access the System Recovery Options and from there select System Restore, does Windows show you a restore point created on 2014-07-29?

 

If you see that please try to restore to that date.



 
 


#9 Netghost56 (Topic Starter)

Posted 15 August 2014 - 03:45 PM

I get "There was an unexpected error: The system cannot find the file specified." Error 0x80070002

"Please close System Restore and try again".

 

Before, I would get "There are no restore points available."

 

System Image Recovery states there isn't an image file available.



#10 SleepyDude (Malware Response Team)

Posted 15 August 2014 - 03:50 PM

> I get "There was an unexpected error: The system cannot find the file specified." Error 0x80070002
>
> "Please close System Restore and try again".
>
> Before, I would get "There are no restore points available."
>
> System Image Recovery states there isn't an image file available.

 

OK, in that case we will use FRST to restore the registry and see what happens.

 

New fix for you attached. Please apply it just like before.

 

Attached file: fixlist.txt (29 bytes)

 

Let me know if it boots after this.



 
 


#11 Netghost56 (Topic Starter)

Posted 15 August 2014 - 03:59 PM

Still no change.

 

I feel I should point out that when using Startup Repair and telling the system to Reboot, I still get the Boot Menu (with options for Safe Mode, etc.) without hitting F8, as if I have done a hard shutdown.



#12 SleepyDude (Malware Response Team)

Posted 15 August 2014 - 04:04 PM

> Still no change.
>
> I feel I should point out that when using Startup Repair and telling the system to Reboot, I still get the Boot Menu (with options for Safe Mode, etc.) without hitting F8, as if I have done a hard shutdown.

 
If you have the option to Launch Startup Repair, select that, and do this 3 times.



 
 


#13 Netghost56 (Topic Starter)

Posted 15 August 2014 - 04:15 PM

Booting from disc, ran Startup Repair 3 times. Each time it took 3 seconds and could not detect a problem.

 

The first time I ever ran it, during the initial diagnosis, it found problems. The 2nd time, before it even ran, it detected a problem in boot and supposedly fixed that. But since the last time I ran a chkdsk it hasn't found a problem.



#14 Netghost56 (Topic Starter)

Posted 15 August 2014 - 04:27 PM

I'm curious if removing the drivers will help...I notice that when I'm at the black screen with the cursor, when I press the power button to initiate shutdown, the cursor fades away, as if going into sleep mode.



#15 SleepyDude (Malware Response Team)

Posted 16 August 2014 - 05:42 AM

Hi,

 

Please post the last fixlog.txt and a new FRST scan log (FRST.txt) to check the actual system state.

