
Unable to boot - FRST logs included


This topic is locked. 1 reply to this topic.

#1 elmaga

Posted 13 January 2015 - 08:42 PM

Hi everyone, I've been unable to boot since today.

Safe mode is not working either. I recently did a complete scan with both McAfee and Malwarebytes before getting stuck in a boot loop, and I'm suspecting some kind of ransomware.

 

I can access startup recovery, so I did an FRST scan. I'll post the log.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-01-2015 02
Ran by SYSTEM on MININT-J9M3C82 on 14-01-2015 01:52:44
Running from f:\
Platform: Windows 7 Ultimate (X86) OS Language: Italiano (Italia)
Internet Explorer Version 11
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [] => [X]
HKLM\...\Run: [HP Software Update] => C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM\...\Run: [mcpltui_exe] => C:\Program Files\Common Files\McAfee\Platform\mcuicnt.exe [499352 2014-09-17] (McAfee, Inc.)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [507776 2014-10-07] (Oracle Corporation)
HKLM\...\RunOnce: [*Restore] => C:\Windows\system32\rstrui.exe [262656 2010-11-20] (Microsoft Corporation)
HKU\Administrator\...\Run: [Facebook Update] => C:\Users\Administrator\AppData\Local\Facebook\Update\FacebookUpdate.exe [138096 2014-03-17] (Facebook Inc.)
HKU\Administrator\...\Run: [YcPack] => regsvr32.exe C:\Users\Administrator\AppData\Local\YcPack\dvWINt5.dll <===== ATTENTION
HKU\Administrator\...\Run: [Ajworks] => C:\Windows\System32\regsvr32.exe C:\Users\Administrator\AppData\Local\YTZPack\BluetoothCommsCtrl.dll
HKU\Administrator\...\Run: [Spotify Web Helper] => "C:\Users\Administrator\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
HKU\Administrator\...\Policies\Explorer: [NoFolderOptions] 0
HKU\Administrator\...\Policies\Explorer: [NoControlPanel] 0
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 AgereModemAudio; C:\Program Files\LSI SoftModem\agrsmsvc.exe [26112 2009-12-03] (LSI Corporation)
S2 HomeNetSvc; C:\Program Files\Common Files\Mcafee\Platform\McSvcHost\McSvHost.exe [286672 2014-10-31] (McAfee, Inc.)
S2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [529216 2014-10-06] (McAfee, Inc.)
S3 McAWFwk; c:\Program Files\Common Files\McAfee\ActWiz\McAWFwk.exe [287728 2013-04-09] (McAfee, Inc.)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [235696 2014-04-09] (McAfee, Inc.)
S2 mccspsvc; C:\Program Files\Common Files\McAfee\CSP\1.3.336.0\McCSPServiceHost.exe [338160 2014-11-21] (McAfee, Inc.)
S2 McMPFSvc; C:\Program Files\Common Files\Mcafee\Platform\McSvcHost\McSvHost.exe [286672 2014-10-31] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [286672 2014-10-31] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [471560 2014-12-03] (McAfee, Inc.)
S4 McOobeSv2; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [286672 2014-10-31] (McAfee, Inc.)
S2 mcpltsvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [286672 2014-10-31] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [286672 2014-10-31] (McAfee, Inc.)
S2 mfecore; C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe [661088 2014-11-06] (McAfee, Inc.)
S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [171368 2014-10-01] (McAfee, Inc.)
S2 mfevtp; C:\Windows\system32\mfevtps.exe [179608 2014-10-01] (McAfee, Inc.)
S2 MSK80Service; C:\Program Files\Common Files\Mcafee\Platform\McSvcHost\McSvHost.exe [286672 2014-10-31] (McAfee, Inc.)
S3 COMSysApp; %SystemRoot%\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [62840 2014-10-01] (McAfee, Inc.)
S3 e1express; C:\Windows\System32\DRIVERS\e1e6232.sys [219352 2009-06-05] (Intel Corporation)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [147912 2013-09-23] (McAfee, Inc.)
S3 hxctlflt; C:\Windows\System32\DRIVERS\hxctlflt.sys [99968 2009-02-09] (Guillemot Corporation)
S3 KORGUMDS; C:\Windows\System32\Drivers\KORGUMDS.SYS [24096 2012-10-05] (KORG INC.)
S2 McPvDrv; C:\Windows\system32\drivers\McPvDrv.sys [67800 2014-09-11] (McAfee, Inc.)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [135880 2014-10-01] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [238312 2014-10-01] (McAfee, Inc.)
S3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [67824 2014-10-01] (McAfee, Inc.)
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [371712 2014-10-01] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [575992 2014-10-01] (McAfee, Inc.)
S3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [352360 2014-09-19] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [81304 2014-09-19] (McAfee, Inc.)
S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [217232 2014-10-01] (McAfee, Inc.)
S3 SNPSTD3; C:\Windows\System32\DRIVERS\snpstd3.sys [10371072 2007-07-17] (Sonix Co. Ltd.)
S0 sptd; C:\Windows\System32\Drivers\sptd.sys [320120 2014-03-17] (Duplex Secure Ltd.)
S4 eabfiltr; No ImagePath
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-14 01:52 - 2015-01-14 01:52 - 00000000 ____D () C:\FRST
2015-01-13 20:53 - 2015-01-13 20:53 - 05309348 _____ () C:\Users\Administrator\Desktop\autotune.wav
2015-01-13 19:51 - 2015-01-13 19:51 - 00071184 _____ () C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2015-01-13 19:42 - 2015-01-13 20:17 - 00000000 ____D () C:\Program Files\Antares Audio Technologies
2015-01-13 19:42 - 2015-01-13 19:42 - 00000000 ____D () C:\ProgramData\PACE
2015-01-13 19:42 - 2015-01-13 19:42 - 00000000 ____D () C:\Program Files\Common Files\VST3
2015-01-13 19:19 - 2015-01-13 19:19 - 00034393 _____ () C:\ComboFix.txt
2015-01-13 18:40 - 2015-01-13 21:56 - 00000000 ____D () C:\Windows\erdnt
2015-01-13 18:40 - 2015-01-13 19:19 - 00000000 ____D () C:\Qoobox
2015-01-08 13:26 - 2015-01-14 00:55 - 00000000 ____D () C:\Users\Administrator\AppData\Local\YTZPack
2015-01-08 13:26 - 2015-01-14 00:55 - 00000000 ____D () C:\Users\Administrator\AppData\Local\YcPack
2015-01-08 13:15 - 2015-01-08 13:15 - 00000000 ___DC () C:\ProgramData\{957E0013-BE0F-48C1-BF3F-B4B6CC7B6D3B}
2015-01-08 12:50 - 2015-01-08 12:50 - 00000000 __HDC () C:\ProgramData\{8248E23A-B811-474B-951C-5AD780E7F743}
2015-01-08 00:03 - 2015-01-08 12:18 - 00000000 ____D () C:\Users\Administrator\Desktop\3DMGAME-Football.Manager.2015.v15.1.3.Cracked-3DM
2015-01-07 22:45 - 2015-01-07 22:45 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\NCH Software
2015-01-07 22:44 - 2015-01-07 22:59 - 00000000 ____D () C:\Program Files\NCH Software
2015-01-07 22:44 - 2015-01-07 22:44 - 00001086 _____ () C:\Users\Public\Desktop\WavePad Sound Editor.lnk
2015-01-07 22:44 - 2015-01-07 22:44 - 00000000 ____D () C:\ProgramData\NCH Software
2015-01-07 01:27 - 2015-01-07 01:28 - 00000000 ____D () C:\Users\Administrator\Documents\AirDroid
2015-01-06 01:18 - 2015-01-06 01:19 - 00000000 ____D () C:\Users\Administrator\Desktop\Tor Browser_
2015-01-05 23:44 - 2015-01-13 00:02 - 00000000 ____D () C:\Users\Administrator\Desktop\BLACK LITHIUM
2014-12-22 16:10 - 2014-12-13 04:33 - 00115712 _____ (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-14 00:55 - 2014-12-09 18:40 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2015-01-14 00:55 - 2014-05-26 02:00 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2015-01-14 00:55 - 2014-03-18 02:18 - 00000000 ____D () C:\Program Files\CCleaner
2015-01-14 00:47 - 2014-03-17 14:30 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\uTorrent
2015-01-14 00:47 - 2014-03-15 20:20 - 00000000 __RSD () C:\Users\Administrator\Documents\Archivi protetti McAfee
2015-01-14 00:47 - 2009-07-14 03:37 - 00000000 ____D () C:\Windows\System32\it-IT
2015-01-14 00:46 - 2014-03-15 11:39 - 00000000 ____D () C:\users\Administrator
2015-01-14 00:46 - 2009-07-14 03:37 - 00000000 ____D () C:\Windows\registration
2015-01-14 00:44 - 2014-10-17 00:53 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Mozilla
2015-01-13 21:54 - 2014-07-28 21:52 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Samsung
2015-01-13 21:49 - 2009-07-14 03:37 - 00000000 ____D () C:\Windows\System32\LogFiles
2015-01-09 09:54 - 2014-03-15 11:40 - 01658888 _____ () C:\Windows\System32\PerfStringBackup.INI
2015-01-09 09:54 - 2009-07-14 09:21 - 00740896 _____ () C:\Windows\System32\perfh010.dat
2015-01-09 09:54 - 2009-07-14 09:21 - 00146918 _____ () C:\Windows\System32\perfc010.dat
2015-01-08 21:40 - 2014-09-20 01:44 - 00000000 ____D () C:\Users\Administrator\Desktop\Progetti FL
2015-01-08 21:00 - 2014-11-02 18:54 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\vlc
2015-01-08 20:56 - 2014-03-17 22:14 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Spotify
2015-01-08 15:07 - 2014-03-17 16:11 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Adobe
2015-01-07 21:36 - 2014-03-17 22:15 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Spotify
2015-01-05 22:34 - 2014-09-20 01:45 - 00000000 ____D () C:\Users\Administrator\Desktop\Guitar Pro
2015-01-05 15:47 - 2014-04-29 20:32 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Audacity
2015-01-02 17:41 - 2014-03-15 20:16 - 00000000 ____D () C:\Program Files\McAfee
2014-12-17 00:44 - 2014-03-15 20:14 - 00000000 ____D () C:\Program Files\Common Files\McAfee
2014-12-17 00:43 - 2014-03-15 20:14 - 00000000 ____D () C:\ProgramData\McAfee
 
Some content of TEMP:
====================
C:\Users\Administrator\AppData\Local\Temp\mp3el.exe
 
 
==================== Known DLLs (Whitelisted) ============
 
C:\Windows\System32\user32.dll IS MISSING <==== ATTENTION!.
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe
[2014-10-15 00:37] - [2014-07-17 02:39] - 0304128 ____A (Microsoft Corporation) 52449FD429D6053B78AE564DEF303870
 
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll IS MISSING <==== ATTENTION!.
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== Restore Points  =========================
 
Restore point made on: 2015-01-11 21:30:41
Restore point made on: 2015-01-13 19:41:07
 
==================== Memory info =========================== 
 
Percentage of memory in use: 21%
Total physical RAM: 2039.3 MB
Available physical RAM: 1609.67 MB
Total Pagefile: 2039.3 MB
Available Pagefile: 1607.88 MB
Total Virtual: 2047.88 MB
Available Virtual: 1952.46 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:148.95 GB) (Free:85.38 GB) NTFS
Drive f: () (Removable) (Total:7.45 GB) (Free:7.44 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (Riservato per il sistema) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 149.1 GB) (Disk ID: CB64FC8A)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=149 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 7.5 GB) (Disk ID: 70707573)
No partition Table on disk 1.
 
 
LastRegBack: 2014-03-15 12:25
 
==================== End Of Log ============================
 
 
 
 
 
 
This is the search log for the missing DLL
 
Farbar Recovery Scan Tool (x86) Version: 12-01-2015 02
Ran by SYSTEM at 2015-01-14 01:58:10
Running from f:\
Boot Mode: Recovery
 
================== Search: "user32.dll" ===================
 
C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.20496_none_cd8e8f8de7d4e9b5\user32.dll
[2009-09-15 04:37][2009-09-15 04:37] 0811520 ____A (Microsoft Corporation) AE2B4D47934D3798C984D51B1694A490
 
C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16400_none_cd604238ce73b38f\user32.dll
[2009-09-15 04:37][2009-09-15 04:37] 0811520 ____A (Microsoft Corporation) C7B21BEF09EC7249556BEE19F9D314CB
 
C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll
[2009-07-14 00:24][2009-07-14 02:16] 0811520 ____A (Microsoft Corporation) 34B7E222E81FAFA885F0C5F2CFA56861
 
X:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll
[2009-07-14 00:24][2009-07-14 02:16] 0811520 ____A (Microsoft Corporation) 34B7E222E81FAFA885F0C5F2CFA56861
 
X:\Windows\System32\user32.dll
[2009-07-14 00:24][2009-07-14 02:16] 0811520 ____A (Microsoft Corporation) 34B7E222E81FAFA885F0C5F2CFA56861
 
X:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll
[2009-07-14 00:24][2009-07-14 02:16] 0811520 ____A (Microsoft Corporation) 34B7E222E81FAFA885F0C5F2CFA56861
 
X:\Windows\System32\user32.dll
[2009-07-14 00:24][2009-07-14 02:16] 0811520 ____A (Microsoft Corporation) 34B7E222E81FAFA885F0C5F2CFA56861
 
=== End Of Search ===


Thanks in advance for your help.
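The two things a responder would pull out of the log above are the HKU Run entries that load DLLs from under AppData\Local through regsvr32.exe (YcPack\dvWINt5.dll, which FRST itself flags, and YTZPack\BluetoothCommsCtrl.dll, which it does not), and the "IS MISSING" verdict on C:\Windows\System32\user32.dll, which on its own accounts for a boot loop that Safe Mode cannot get past. The search output then lists the copies that still exist, each with its winsxs assembly version and MD5. The script below is an added example, not part of the original post and not FRST's code: it runs over lines excerpted from the log above (embedded inline so it works offline) and automates exactly those two reads. The "newest winsxs copy" helper is only a starting point for choosing a replacement: which version belongs in System32 depends on the machine's servicing history, which the log does not show, so a responder would still compare it against the installed update level before restoring anything.

```python
import re
from collections import namedtuple

# Lines excerpted from the FRST log posted above, embedded so this runs offline.
FRST_EXCERPT = r"""
HKLM\...\Run: [HP Software Update] => C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKU\Administrator\...\Run: [YcPack] => regsvr32.exe C:\Users\Administrator\AppData\Local\YcPack\dvWINt5.dll <===== ATTENTION
HKU\Administrator\...\Run: [Ajworks] => C:\Windows\System32\regsvr32.exe C:\Users\Administrator\AppData\Local\YTZPack\BluetoothCommsCtrl.dll
HKU\Administrator\...\Run: [Spotify Web Helper] => "C:\Users\Administrator\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
C:\Windows\System32\user32.dll IS MISSING <==== ATTENTION!.
C:\Windows\explorer.exe => MD5 is legit
"""

# Lines excerpted from the FRST "Search: user32.dll" output posted above.
SEARCH_EXCERPT = r"""
C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.20496_none_cd8e8f8de7d4e9b5\user32.dll
[2009-09-15 04:37][2009-09-15 04:37] 0811520 ____A (Microsoft Corporation) AE2B4D47934D3798C984D51B1694A490

C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll
[2009-07-14 00:24][2009-07-14 02:16] 0811520 ____A (Microsoft Corporation) 34B7E222E81FAFA885F0C5F2CFA56861

X:\Windows\System32\user32.dll
[2009-07-14 00:24][2009-07-14 02:16] 0811520 ____A (Microsoft Corporation) 34B7E222E81FAFA885F0C5F2CFA56861
"""

# FRST Run/RunOnce entry: "<hive>\...\Run: [<name>] => <command>"
RUN_RE = re.compile(r"^(HK(?:LM|U)\\[^:]*Run(?:Once)?): \[(?P<name>[^\]]*)\] => (?P<cmd>.*)$")
# regsvr32 loading a DLL from a user profile: the persistence pattern seen in the log.
USER_PROFILE_DLL = re.compile(
    r'regsvr32(?:\.exe)?\s+"?(?P<dll>[A-Za-z]:\\Users\\[^"\s]+\.dll)', re.IGNORECASE)

Finding = namedtuple("Finding", "kind name detail")


def triage_frst(text):
    """Return the findings a responder acts on first: regsvr32 persistence from a
    user profile, entries FRST itself marked ATTENTION, and missing known DLLs."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            cmd = m.group("cmd")
            d = USER_PROFILE_DLL.search(cmd)
            if d:
                findings.append(Finding("regsvr32-userprofile-dll", m.group("name"), d.group("dll")))
            elif "<===== ATTENTION" in cmd:
                findings.append(Finding("frst-attention", m.group("name"), cmd))
            continue
        if " IS MISSING" in line:
            path = line.split(" IS MISSING")[0]
            findings.append(Finding("missing-known-dll", path,
                                    "core system DLL absent; sufficient to explain a boot loop"))
    return findings


# A search hit is a path line followed by "[created][modified] size attrs (signer) MD5".
META_RE = re.compile(r"^\[(?P<created>[^\]]+)\]\[(?P<modified>[^\]]+)\]\s+(?P<size>\d+)\s+\S+"
                     r"\s+\((?P<signer>[^)]*)\)\s+(?P<md5>[0-9A-Fa-f]{32})$")
# Version embedded in the winsxs assembly folder name, e.g. "_6.1.7600.20496_none_".
VERSION_RE = re.compile(r"_(?P<ver>\d+\.\d+\.\d+\.\d+)_none_")

Candidate = namedtuple("Candidate", "path version size md5")


def parse_search(text, filename="user32.dll"):
    """Parse FRST Search output into (path, version tuple or None, size, MD5)."""
    lines = [l.strip() for l in text.splitlines()]
    cands = []
    for i, line in enumerate(lines):
        if not line.lower().endswith("\\" + filename.lower()) or i + 1 >= len(lines):
            continue
        m = META_RE.match(lines[i + 1])
        if not m:
            continue
        v = VERSION_RE.search(line)
        version = tuple(int(x) for x in v.group("ver").split(".")) if v else None
        cands.append(Candidate(line, version, int(m.group("size")), m.group("md5")))
    return cands


def newest_winsxs(cands):
    """Highest-versioned winsxs copy on the system drive. This is a starting point only:
    the copy that belongs in System32 depends on the machine's servicing history."""
    winsxs = [c for c in cands if "\\winsxs\\" in c.path.lower() and c.version]
    return max(winsxs, key=lambda c: c.version) if winsxs else None


if __name__ == "__main__":
    for f in triage_frst(FRST_EXCERPT):
        print(f"{f.kind:26} {f.name:32} {f.detail}")
    for c in parse_search(SEARCH_EXCERPT):
        print(c.version, c.md5, c.path)
    print("newest winsxs copy:", newest_winsxs(parse_search(SEARCH_EXCERPT)).path)
```

Both persistence entries are caught by the regsvr32-from-user-profile rule rather than by FRST's own "ATTENTION" marker, which is the point: the second entry (Ajworks) uses the full System32 path to regsvr32.exe and a plausible-looking DLL name, so a triage that relies only on the marker misses it. The search parser keys on the MD5 so that identical files in different locations (the RTM copy on C: winsxs and on the X: recovery image share one hash) are recognisable as the same bytes.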

 



#2 TB-Psychotic (Malware Response Team)

Posted 14 January 2015 - 03:52 AM

You're being helped on another forum already...

