
Problem I've Never Seen Before - X:\windows\system32> - Boot Loop


25 replies to this topic

#1 dafoneguy


Posted 31 December 2015 - 03:50 PM

I've built my own PCs for home and my business for over 20 years (not an expert though), and this past week I ran across a problem with my Mom's computer that I've never seen before. I just built her computer about a year ago with her budget in mind.
 
Computer Specs:
ASUS P97-K Socket 1150
Intel Haswell Core i3 4150 CPU
Cooler Master Hyper TX3 CPU Cooler
8GB Corsair XMS DDR3 1333 Memory
Intel 530 SSD
OS: Windows 7 Professional
 
At first my Mom told me she possibly had a power surge from recent thunderstorms that passed through. She told me this based on the storms and what came up on the screen when she tried to reboot:
 
"Power Supply Surges Detected During the Previous Power On.
 ASUS Anti-Surge was triggered to protect the system from unstable power supply unit!
 Press F1 to Run SETUP"
 
When you power the system down using the switch on the power supply and power back on, the message goes away and I can hit delete and go into the BIOS.
 
I checked the Power Supply with my power supply tester and it checks fine. All green lights, no burnt smell, etc. I removed the SSD Boot Hard Drive and tested it on my PC and there are no issues that I can see, the SSD hard drive seems fine. I ran a memory test using MemTest86 and the memory passes with flying colors. As far as I can tell the CPU is good, but I haven't yet removed it to try in another motherboard.
 
When I try to boot into Windows, it stops and goes to a black screen and into a boot loop.
 
When I try to boot into Windows repair from the SSD or from a Windows Repair disk in the DVD Rom Drive it doesn't see the C: Drive.
 
Startup Repair says "Your computer was unable to start.  Startup Repair is checking your system for problems...."
 
Then I get "Do you want to restore your computer using System Restore?" When I choose Restore it starts "Attempting repairs....."
After the Repair Attempt this is what I get: "Startup Repair cannot repair this computer automatically"
 
Problem signature:
Problem Signature 01:    6.1.7600.16385
Problem Signature 02:    6.1.7600.16835
Problem Signature 03:    unknown
Problem Signature 04:    21198981
Problem Signature 05:    AutoFailover
Problem Signature 06:    23
Problem Signature 07:    NoRootCause
OS Version:                     6.1.7600.2.0.0.256.1
Local ID:                         1033
 
In startup repair when I click View Advanced Repair Options for System Recovery and Support and open the Command Prompt this is what I see:
 
X:\windows\system32>
 
From what I can tell, the computer is not seeing the C: Drive and I'm thinking it's possible that it could be a virus and not a hardware issue.
 
I downloaded and ran FRST64.exe from USB Flash Drive
 
Here's my log:
 

 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:31-12-2015
Ran by SYSTEM on MININT-9KOQEER (31-12-2015 11:56:07)
Running from F:\
Platform: Windows 7 Professional (X64) Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery
Default: ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7611608 2014-05-27] (Realtek Semiconductor)
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [287592 2014-05-28] (Intel Corporation)
HKLM\...\Run: [ISCT Tray] => C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTsysTray8.exe [5860656 2014-06-18] (Intel Corporation)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [292848 2014-02-20] (Intel Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [334896 2015-06-08] (Oracle Corporation)
HKLM-x32\...\Run: [QHSafeTray] => C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe [1032312 2015-09-20] ()
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM-x32\...\Run: [WebStorage] => C:\Program Files (x86)\ASUS\WebStorage\2.0.1.213\AsusWSPanel.exe [5099840 2013-06-26] (ASUS Cloud Corporation)
HKLM-x32\...\Run: [EaseUS TB Tray Agent] => C:\Program Files (x86)\EaseUS\TrayPopup\TrayTipAgent.exe [253992 2014-12-14] ()
HKLM\...\RunOnce: [*Restore] => C:\Windows\system32\rstrui.exe [296960 2015-07-22] (Microsoft Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\Betty\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
HKU\Betty\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\Bubbles.scr [899584 2010-11-20] (Microsoft Corporation)
BootExecute: PDBoot.exeautocheck autochk *

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 asComSvc; C:\Program Files (x86)\ASUS\AXSP\1.02.00\atkexComSvc.exe [936728 2014-01-27] ()
S2 asHmComSvc; C:\Program Files (x86)\ASUS\AAHM\1.00.22\aaHMSvc.exe [954648 2014-01-27] (ASUSTeK Computer Inc.)
S2 AsusFanControlService; C:\Program Files (x86)\ASUS\AsusFanControlService\1.05.08\AsusFanControlService.exe [387896 2014-04-06] (ASUSTeK Computer Inc.)
S2 EaseUS Agent; C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe [37416 2015-06-22] (CHENGDU YIWO Tech Development Co., Ltd)
S2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [16232 2014-05-28] (Intel Corporation)
S2 ISCTAgent; C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTAgent.exe [209712 2014-06-18] ()
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1513784 2015-10-05] (Malwarebytes)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
S2 QHActiveDefense; C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe [858744 2015-09-20] (QIHU 360 SOFTWARE CO. LIMITED)
S2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
S2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
S2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
S2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [5495056 2015-06-18] (TeamViewer GmbH)
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S1 360AntiHacker; C:\Windows\System32\Drivers\360AntiHacker64.sys [137296 2015-07-28] (360.cn)
S3 360AvFlt; C:\Windows\System32\DRIVERS\360AvFlt.sys [77904 2015-09-20] (360.cn)
S1 360Box64; C:\Windows\System32\DRIVERS\360Box64.sys [319568 2015-09-20] (360.cn)
S3 360Camera; C:\Windows\System32\Drivers\360Camera64.sys [40520 2015-05-31] (360.cn)
S1 360FsFlt; C:\Windows\System32\DRIVERS\360FsFlt.sys [363088 2015-07-28] (360.cn)
S1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [15232 2014-01-27] ()
S1 AsUpIO; C:\Windows\SysWow64\drivers\AsUpIO.sys [14464 2014-02-24] ()
S3 ASUSFILTER; C:\Windows\SysWow64\drivers\ASUSFILTER.sys [46152 2011-09-19] (MCCI Corporation)
S1 BAPIDRV; C:\Windows\System32\DRIVERS\BAPIDRV64.sys [178768 2015-08-14] (360.cn)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S0 EUBKMON; C:\Windows\System32\drivers\EUBKMON.sys [48168 2014-12-14] ()
S0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [28008 2014-05-28] (Intel Corporation)
S3 ikbevent; C:\Windows\System32\DRIVERS\ikbevent.sys [22216 2014-05-27] ()
S3 imsevent; C:\Windows\System32\DRIVERS\imsevent.sys [22728 2014-05-27] ()
S3 INETMON; C:\Windows\System32\Drivers\INETMON.sys [25800 2014-05-27] ()
S4 IOMap; C:\Windows\system32\drivers\IOMap64.sys [24824 2014-04-06] (ASUSTeK Computer Inc.)
S3 ISCT; C:\Windows\System32\DRIVERS\ISCTD.sys [44744 2014-02-03] ()
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2015-12-15] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-10-05] (Malwarebytes Corporation)
S3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [129312 2014-09-30] (Intel Corporation)
S3 RTTEAMPT; C:\Windows\System32\DRIVERS\RtTeam620.sys [58512 2012-07-03] (Realtek Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-12-31 11:55 - 2015-12-31 11:56 - 00000000 ____D C:\FRST
2015-12-14 15:59 - 2015-12-14 15:59 - 00489897 _____ C:\Users\Betty\Downloads\Mod3TopicFcreatures.pdf
2015-12-14 15:40 - 2015-12-14 15:40 - 00191134 _____ C:\Users\Betty\Downloads\Mod3TopicE-part1-Les14-17-Test.pdf
2015-12-13 13:48 - 2015-12-13 13:48 - 00551999 _____ C:\Users\Betty\Desktop\is-that-divisible-game.pdf
2015-12-13 12:54 - 2015-12-13 12:54 - 04955144 _____ C:\Users\Betty\Downloads\math-g5-m2-topic-h-lessons-28-29.zip
2015-12-13 12:54 - 2015-12-13 12:54 - 04955144 _____ C:\Users\Betty\Downloads\math-g5-m2-topic-h-lessons-28-29 (1).zip
2015-12-12 17:38 - 2015-12-12 17:38 - 00073586 _____ C:\Users\Betty\Downloads\export.pdf
2015-12-12 17:18 - 2015-12-12 17:18 - 14428626 _____ C:\Users\Betty\Downloads\math-g5-m3-full-module (2).pdf
2015-12-12 17:18 - 2015-12-12 17:18 - 14428626 _____ C:\Users\Betty\Downloads\math-g5-m3-full-module (1).pdf
2015-12-12 17:04 - 2015-12-12 17:05 - 14428626 _____ C:\Users\Betty\Downloads\math-g5-m3-full-module.pdf
2015-12-12 07:56 - 2015-12-12 07:56 - 12789488 _____ (ASUS Cloud Corporation) C:\Users\Betty\Downloads\ASUSWebStorageSyncAgent2.2.4.537 (1).exe
2015-12-10 14:38 - 2015-12-10 14:38 - 00401969 _____ C:\Users\Betty\Downloads\Mod3-TopicHtest.pdf
2015-12-10 14:37 - 2015-12-10 14:37 - 00200310 _____ C:\Users\Betty\Downloads\Mod3TopicCtest.pdf
2015-12-10 14:20 - 2015-12-10 14:20 - 00063306 _____ C:\Users\Betty\Downloads\Mod 2 Topic G (2).pdf
2015-12-10 14:17 - 2015-12-10 14:17 - 00404322 _____ C:\Users\Betty\Downloads\Mod 2 Topic F Quiz (5).flipchart
2015-12-10 14:17 - 2015-12-10 14:17 - 00404322 _____ C:\Users\Betty\Downloads\Mod 2 Topic F Quiz (4).flipchart
2015-12-10 14:17 - 2015-12-10 14:17 - 00404322 _____ C:\Users\Betty\Downloads\Mod 2 Topic F Quiz (3).flipchart
2015-12-09 17:25 - 2015-12-09 17:26 - 22830016 _____ C:\Users\Betty\Downloads\math-g5-m2-topic-g-lessons-24-27.zip
2015-12-09 17:24 - 2015-12-09 17:24 - 21063302 _____ C:\Users\Betty\Downloads\math-g5-m2-topic-f-lessons-19-23 (1).zip
2015-12-09 17:23 - 2015-12-09 17:24 - 21063302 _____ C:\Users\Betty\Downloads\math-g5-m2-topic-f-lessons-19-23.zip
2015-12-09 16:37 - 2015-12-09 16:37 - 00180848 _____ C:\Users\Betty\Downloads\DivisibilityRules.pdf
2015-12-09 16:36 - 2015-12-09 16:36 - 00874539 _____ C:\Users\Betty\Downloads\DivisibilityRulesposter.pdf
2015-12-09 16:31 - 2015-12-09 16:31 - 00042579 _____ C:\Users\Betty\Downloads\HundredsChart.pdf
2015-12-08 16:40 - 2015-12-08 16:40 - 00004880 _____ C:\Users\Betty\Downloads\plain (5).pdf
2015-12-08 16:39 - 2015-12-08 16:39 - 00005038 _____ C:\Users\Betty\Downloads\plain (3).pdf
2015-12-08 16:39 - 2015-12-08 16:39 - 00004717 _____ C:\Users\Betty\Downloads\plain (4).pdf
2015-12-08 16:38 - 2015-12-08 16:38 - 00004886 _____ C:\Users\Betty\Downloads\plain (2).pdf
2015-12-06 10:31 - 2015-12-06 14:36 - 00201473 _____ C:\Users\Betty\Desktop\class attendance record15-164A.pdf
2015-12-05 18:13 - 2015-12-13 17:20 - 00199927 _____ C:\Users\Betty\Desktop\class attendance record15-165A.pdf
2015-12-05 17:53 - 2015-12-13 17:20 - 00203958 _____ C:\Users\Betty\Desktop\class attendance record15-164B.pdf
2015-12-05 17:37 - 2015-12-06 14:41 - 00200570 _____ C:\Users\Betty\Desktop\class attendance record15-16 5B.pdf
2015-12-03 15:20 - 2015-12-03 15:20 - 00095709 _____ C:\Users\Betty\Desktop\Mod 2 Topic F (1).pdf
2015-12-03 15:01 - 2015-12-03 15:01 - 00095769 _____ C:\Users\Betty\Downloads\Mod 2 Topic F (1).pdf
2015-12-01 15:17 - 2015-12-01 15:17 - 00010149 _____ C:\Users\Betty\Desktop\Multiplication Tables_ 1-12. No Answers..html

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-12-27 14:42 - 2015-07-27 07:02 - 00000000 __RHD C:\MSOCache
2015-12-27 14:42 - 2015-07-27 05:33 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2015-12-27 14:42 - 2015-07-26 13:24 - 00000000 ____D C:\users\Betty
2015-12-27 14:42 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2015-12-27 14:42 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\inf
2015-12-27 14:42 - 2009-07-13 19:20 - 00000000 ____D C:\Windows
2015-12-25 18:22 - 2009-07-13 23:45 - 00000000 ___RD C:\Users\Public\Recorded TV
2015-12-24 14:13 - 2015-07-29 13:34 - 00000000 ____D C:\Users\Betty\Documents\Outlook Files
2015-12-15 06:51 - 2015-07-26 15:00 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-12-15 06:45 - 2015-07-27 06:55 - 00192216 _____ (Malwarebytes) C:\Windows\System32\Drivers\MBAMSwissArmy.sys
2015-12-15 06:35 - 2015-07-26 15:01 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-12-15 05:35 - 2015-07-26 15:01 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-12-14 04:06 - 2015-07-28 06:37 - 00000000 ____D C:\Program Files (x86)\TeamViewer
2015-12-13 13:18 - 2009-07-13 21:13 - 00783114 _____ C:\Windows\System32\PerfStringBackup.INI
2015-12-13 12:52 - 2015-08-15 05:36 - 00000000 ____D C:\Users\Betty\Desktop\Miscellaneous
2015-12-13 12:49 - 2015-11-24 14:23 - 00000000 ____D C:\Users\Betty\Desktop\Daily Absentees and Behavior
2015-12-09 15:37 - 2015-11-27 17:33 - 00002183 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-12-09 08:51 - 2015-10-13 21:51 - 08879808 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2015-12-09 08:51 - 2015-07-26 15:00 - 00796864 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-12-09 08:51 - 2015-07-26 15:00 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-12-09 08:51 - 2015-07-26 15:00 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-12-07 16:49 - 2015-11-24 14:20 - 00000000 ____D C:\Users\Betty\Desktop\5th Grade Math
2015-12-02 11:18 - 2015-07-26 13:44 - 00301728 _____ (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2015-12-02 05:30 - 2015-07-26 15:01 - 00003894 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-12-02 05:30 - 2015-07-26 15:01 - 00003642 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore

==================== Known DLLs (Whitelisted) =========================


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\dnsapi.dll => MD5 is legit
C:\Windows\SysWOW64\dnsapi.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE Association (Whitelisted) =============


==================== Restore Points =========================

Restore point date: 2015-12-01 05:28
Restore point date: 2015-12-08 06:46
Restore point date: 2015-12-15 07:34
Restore point date: 2015-12-18 19:18
Restore point date: 2015-12-22 06:45
Restore point date: 2015-12-27 18:34

==================== Memory info ===========================

Percentage of memory in use: 10%
Total physical RAM: 8068 MB
Available physical RAM: 7234.3 MB
Total Virtual: 8066.14 MB
Available Virtual: 7241.48 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:111.69 GB) (Free:49.37 GB) NTFS
Drive e: (Repair disc Windows 7 64-bit) (CDROM) (Total:0.16 GB) (Free:0 GB) UDF
Drive f: (KINGSTON) (Removable) (Total:0.93 GB) (Free:0.92 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[system with boot components (obtained from drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 111.8 GB) (Disk ID: D26E36C0)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=111.7 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 953.5 MB) (Disk ID: 04030201)
Partition 1: (Active) - (Size=953 MB) - (Type=0B)


LastRegBack: 2015-07-26 14:10

==================== End of FRST.txt ============================

 
Any assistance would be greatly appreciated!

Edited by Oh My!, 11 January 2016 - 04:36 PM.



 


#2 dafoneguy


Posted 01 January 2016 - 02:42 PM

Bump



#3 HelpBot


Posted 05 January 2016 - 03:55 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/600961 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 HelpBot


Posted 10 January 2016 - 04:00 PM

Hello again!

I haven't heard from you in 5 days. Therefore, I am going to assume that you no longer need our help, and close this topic.

If you do still need help, please send a Private Message to any Moderator within the next five days. Be sure to include a link to your topic in your Private Message.

Thank you for using Bleeping Computer, and have a great day!

#5 Oh My!


Posted 11 January 2016 - 04:31 PM

This topic has been re-opened at the request of the person who originally posted.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

#6 Oh My!


Posted 11 January 2016 - 04:47 PM

Greetings dafoneguy and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Replytopic.jpg button instead.
  • In the upper right hand corner of the topic you will see the Followtopic.jpg button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far.

Please do this.

===================================================

Obtaining BCD Information From the Recovery Environment

--------------------
  • Insert a USB device into your compromised computer
  • Please boot back into the Recovery Environment Command Prompt. Type these, pressing Enter after each line:

bcdedit /enum
diskpart
list volume

  • Click on the very small black box in the upper left corner of the command screen
  • Click Edit, then Select All
  • Click Edit, then Copy
  • At the Command Prompt type Exit and hit Enter
  • At the Command Prompt type Notepad and hit Enter
  • Right click inside the Notepad document and select Paste
  • Click File, Save As.., and save the document on your USB drive as bcd.txt
  • Copy and paste the results in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • bcd.txt

Edited by Oh My!, 11 January 2016 - 10:03 PM.
Changes instructions

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

#7 dafoneguy


Posted 12 January 2016 - 11:44 AM

Below is the bcd.txt information you asked for:

 

Microsoft Windows [Version 6.1.7600]

 

X:\windows\system32>bcdedit /enum

Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=C:
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {default}
resumeobject            {d5582836-3460-11e5-b79f-ba40b141391c}
displayorder            {default}
toolsdisplayorder       {memdiag}
timeout                 30

Windows Boot Loader
-------------------
identifier              {default}
device                  partition=D:
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {d5582838-3460-11e5-b79f-ba40b141391c}
recoveryenabled         Yes
osdevice                partition=D:
systemroot              \Windows
resumeobject            {d5582836-3460-11e5-b79f-ba40b141391c}
nx                      OptIn

X:\windows\system32>diskpart

Microsoft DiskPart version 6.1.7600
Copyright © 1999-2008 Microsoft Corporation.
On computer: MININT-0K6C6I8

DISKPART> list volume

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0     E   Repair disc  UDF    DVD-ROM      165 MB  Healthy
  Volume 1     C   System Rese  NTFS   Partition    100 MB  Healthy
  Volume 2     D                NTFS   Partition    111 GB  Healthy
  Volume 3     F   KINGSTON     FAT32  Removable    953 MB  Healthy

DISKPART>


Edited by dafoneguy, 12 January 2016 - 11:45 AM.


#8 Oh My!


Posted 12 January 2016 - 05:06 PM

Thank you Tim.

Please attempt this.

===================================================

Running sfc /scannow in Windows 7/Vista Recovery Environment

-----------------
  • Restart the computer
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears
  • Use the arrow keys to select the Repair your computer menu item
  • Select English as the keyboard language settings, and then click Next
  • Once you are in the System Recovery Options menu you will get the following options

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • Type the following (there is a space before each "/") after the Command Prompt and hit Enter (if you receive an error replace C:\ with D:\)

SFC /SCANNOW /OFFBOOTDIR=C:\ /OFFWINDIR=D:\WINDOWS

  • Attempt to boot your computer into Normal Mode and check the performance
===================================================

Running chkdsk /r from Recovery Environment in Windows 7

--------------------
  • Boot your computer into the Recovery Environment (tap F8)
  • Select Command Prompt
  • Type c: and Enter
  • Type chkdsk /r and Enter
  • If you receive a message about unmounting the volume check Yes
  • If the program doesn't start automatically repeat the chkdsk /r command
  • Once the process is finished please write down any information provided on the screen
  • Attempt to reboot your computer into Normal Mode.
  • If you receive a Blue Screen of Death (BSOD) please provide that information in your post.
Note: This process may take a while to complete. You may also notice the progress bar jumping back and forth. This is normal. Please be patient.

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Did sfc /scannow run?
  • Did chkdsk run?
  • Update on computer condition

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

#9 dafoneguy

  • Topic Starter


Posted 12 January 2016 - 05:38 PM

I have a Windows Repair Disk in Drive D: which is the DVD Burner/Reader. The OS is on Drive C:

When I go to command prompt this is what I see in the DOS Window:

X:\windows\system32>

I typed in SFC /SCANNOW /OFFBOOTDIR=C:\ /OFFWINDIR=D:\WINDOWS and this is what I got:

Beginning system scan. This process will take some time.

Windows Resource Protection found corrupt files but was unable to fix some of them.

Details are included in the CBS.log windir\logs\CBS\CBS.log. For example C:\Windows\Logs\CBS\CBS.log

X:\windows\system32>

When I tried to start Windows normally, it stopped at the windows logo and went back to boot loop.

chkdsk ran and this is what I got:

 

Microsoft Windows [Version 6.1.7600]


X:\windows\system32>C:

C:\>chkdsk /r
The type of the file system is NTFS.
Cannot lock current drive.

Chkdsk cannot run because the volume is in use by another
process.  Chkdsk may run if this volume is dismounted first.
ALL OPENED HANDLES TO THIS VOLUME WOULD THEN BE INVALID.
Would you like to force a dismount on this volume? (Y/N) y
Volume dismounted.  All opened handles to this volume are now invalid.
Volume label is System Reserved.

CHKDSK is verifying files (stage 1 of 5)...
  256 file records processed.
File verification completed.
  0 large file records processed.
  0 bad file records processed.
  0 EA records processed.
  0 reparse records processed.
CHKDSK is verifying indexes (stage 2 of 5)...
  332 index entries processed.
Index verification completed.
  0 unindexed files scanned.
  0 unindexed files recovered.
CHKDSK is verifying security descriptors (stage 3 of 5)...
  256 file SDs/SIDs processed.
Security descriptor verification completed.
  39 data files processed.
CHKDSK is verifying Usn Journal...
  174648 USN bytes processed.
Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
  240 files processed.
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
  19220 free clusters processed.
Free space verification is complete.
Windows has checked the file system and found no problems.

    102399 KB total disk space.
     22200 KB in 49 files.
        20 KB in 40 indexes.
         0 KB in bad sectors.
      3299 KB in use by the system.
      2048 KB occupied by the log file.
     76880 KB available on disk.

      4096 bytes in each allocation unit.
     25599 total allocation units on disk.
     19220 allocation units available on disk.
Failed to transfer logged messages to the event log with status 50.

C:\>

 

Windows will NOT start normally. Still in boot loop.

Computer is not seeing the C: Drive

In DOS Window it shows: X:\windows\system32>

X: should be C:

Is this a hardware issue with the motherboard? Or could a virus cause the PC not to see the C: Drive and boot into windows?

Thanks for your help!


Edited by dafoneguy, 12 January 2016 - 05:58 PM.
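
Added example, not part of the original thread: the diskpart listing and the chkdsk output above (volume label System Reserved, 102399 KB) show that inside the Recovery Environment C: is the 100 MB System Reserved partition, while the Windows folder is on D:. The batch file below finds both letters before building the sfc and chkdsk commands; the file name findwin.cmd and its /run switch are made up for this example, and it assumes a BIOS/MBR Windows 7 install in a top-level \Windows folder.

```batch
@echo off
rem Added example, not from the thread. Run at the Recovery Environment prompt.
rem Assumption: BIOS/MBR Windows 7 installed in a top-level \Windows folder.
setlocal
set "WINVOL="
set "BOOTVOL="

rem X: is the RAM disk the Recovery Environment runs from, so it is skipped.
rem The SYSTEM registry hive marks the volume that holds the installed Windows.
rem \Boot\BCD marks the volume the PC boots from, System Reserved on this PC.
rem The first match in letter order wins, so check the output if a bootable
rem USB stick or disc is attached, since those can carry \Boot\BCD as well.
for %%L in (C D E F G H I J K L M N O P Q R S T U V W Y Z) do (
    if not defined WINVOL if exist "%%L:\Windows\System32\config\SYSTEM" set "WINVOL=%%L:"
    if not defined BOOTVOL if exist "%%L:\Boot\BCD" set "BOOTVOL=%%L:"
)

if not defined WINVOL (
    echo No offline Windows folder found on any lettered volume.
    echo Check "list volume" in diskpart: the partition may have no letter.
    exit /b 1
)

rem Without a separate System Reserved partition the boot files share the
rem Windows volume, so fall back to it.
if not defined BOOTVOL set "BOOTVOL=%WINVOL%"

echo Windows volume : %WINVOL%
echo Boot volume    : %BOOTVOL%
echo.
echo Commands for this machine:
echo   sfc /scannow /offbootdir=%BOOTVOL%\ /offwindir=%WINVOL%\Windows
echo   chkdsk %WINVOL% /r

rem Report only by default. "findwin.cmd /run" executes the two commands.
if /i not "%~1"=="/run" exit /b 0
sfc /scannow /offbootdir=%BOOTVOL%\ /offwindir=%WINVOL%\Windows
chkdsk %WINVOL% /r
```

On the volume layout posted in this thread it would report D: as the Windows volume and C: as the boot volume, so chkdsk would be pointed at the 111 GB partition rather than System Reserved.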


#10 Oh My!


Posted 12 January 2016 - 06:02 PM

The X: is correct in the Recovery Environment.

Have you attempted to boot into Safe Mode? Can you at least get to that screen to see the Safe Mode option (if it doesn't work)?

Edited by Oh My!, 12 January 2016 - 06:03 PM.

Gary
 

#11 dafoneguy


Posted 12 January 2016 - 06:05 PM

Yes, I have tried booting into Safe Mode, no go. Cannot get to Safe Mode option.

I get system recovery option and "start windows normally"


Edited by dafoneguy, 12 January 2016 - 06:08 PM.


#12 Oh My!


Posted 12 January 2016 - 06:30 PM

Please attempt this.

===================================================

Obtaining Minidump Files in the Recovery Environment

--------------------
  • Insert a USB device into your compromised computer
  • Boot your computer into the Recovery Environment
  • Select Command Prompt
  • Type Notepad and hit Enter
  • Click File, then Open
  • Navigate to the following folder:

D:\WINDOWS\Minidump (may be a different drive letter)

  • Right click on the folder and select Send to
  • Send the folder to your USB drive
  • Zip and upload the folder here.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Uploaded Minidump folder

Gary
 

#13 dafoneguy


Posted 12 January 2016 - 06:57 PM

I cannot find the file you are asking for.

I also tried this:

 

D:\>wmic RECOVEROS set DebugFilePath = Minidump
Updating property(s) of '\\MININT-QCJ5RAH\ROOT\CIMV2:Win32_OSRecoveryConfigurati
on.Name="|X:\\windows|"'
Property(s) update successful.

D:\>Notepad

D:\>X:

X:\Windows\System32>wmic RECOVEROS set DebugFilePath = Minidump
Updating property(s) of '\\MININT-QCJ5RAH\ROOT\CIMV2:Win32_OSRecoveryConfigurati
on.Name="|X:\\windows|"'
Property(s) update successful.

 

 

When I open Notepad in DOS Window, I see (3) Hard Drives, but there is only (1) Intel SSD installed in PC.

These are the (3) Drives that show in Notepad when I save a file:

System Reserved (C:)         Local Disk (D:)

Boot (X:)

And I was wrong earlier, the Windows Repair Disk in the DVD Drive is CD Drive (E:)

X:\Windows\System32>


Edited by dafoneguy, 12 January 2016 - 07:01 PM.


#14 Oh My!


Posted 12 January 2016 - 07:02 PM

Thanks for your patience and your efforts. I am trying to work through some less intrusive steps before addressing the Registry.

Please do this.

===================================================

Farbar's Recovery Scan Tool - Run Fix

--------------------
  • From a clean computer press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Click Format then check Word Wrap
  • Please copy and paste the contents of the below code box into the open notepad and save it on the flashdrive as fixlist.txt
FindFolder: Minidump
  • Insert the USB device into your infected computer
  • Enter the System Recovery Options (press F8 during boot up), select Repair Your Computer, then select Command Prompt.
  • Run FRST as you did the first time and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a Fixlog.txt document on your USB device. Copy and paste that information in your reply.
  • Please attempt to boot your computer into Normal Mode or, if not, Safe Mode
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Fixlog

Edited by Oh My!, 12 January 2016 - 08:38 PM.

Gary
 

#15 dafoneguy


Posted 12 January 2016 - 07:25 PM

Here is the fixlog.txt:

 

Fix result of Farbar Recovery Scan Tool (x64) Version:31-12-2015
Ran by SYSTEM (2016-01-12 16:22:40) Run:1
Running from f:\
Boot Mode: Recovery
==============================================

fixlist content:
*****************
FindFolder:
Minidump
*****************

================== FindFolder: "FindFolder:" ===================

No File

=== End of FindFolder ===
Minidump => Error: No automatic fix found for this entry.

==== End of Fixlog 16:22:40 ====





