Unable to boot - winsrv.dll missing



#1 SlurpyCello

Posted 25 February 2016 - 03:33 AM

Hi,

I have a Gateway PC running Windows 7 Home Premium (64 bit) and last week it failed to boot. Also unable to boot to Safe Mode. Tried running Startup Repair and booting from last known good configuration but that didn't help. Also tried CHKDSK but didn't seem to find anything.
Next step was to try the Farbar Recovery Scan Tool, which said that the winsrv.dll was missing from C:\Windows\System32 folder.
I retrieved the latest version of winsrv.dll I could find from the C:\Windows\WinSxS folder and copied that into the System32 folder but am now getting a BSOD with message:
"STOP: c0000142 {DLL initialization failed} Initialization of the dynamic link library winsrv failed. The process is terminating abnormally"
Have re-tried Startup Repair and ran sfc /scannow from the command prompt to see if that helps but no luck.

Any ideas where to go from here?

Thanks in advance.



 


#2 blueelvis

Posted 28 February 2016 - 03:17 AM

Hi SlurpyCello,


It seems like you copied the wrong version of the DLL file. The WinSXS folder keeps multiple copies of the important files so that they could be restored in case of problems.

Are you able to find other versions of the file?


-Pranav

Member of the Bleeping Computer A.I.I. early response team!


In case I have been helping you and you haven't received a reply from me in 48 hours, please feel free to PM me. Anything else? Still feel free to PM me :)

Did you read this? http://omgdebugging.com/5-tips-for-getting-the-best-bang-for-the-buck-at-fast-food-joints/

#3 Orange Blossom

Posted 28 February 2016 - 02:55 PM

Hello SlurpyCello,

Since you state that you've used FRST and since your respondent knows how to use that tool, I'm going to move this topic to the forum where those tools can be used. The topic link remains the same which is: http://www.bleepingcomputer.com/forums/t/606380/

~ OB :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#4 SlurpyCello

Posted 28 February 2016 - 03:43 PM

Thanks OB, and thanks Pranav for the advice. I checked and there are several other versions of the DLL in the WinSXS folder so I'll work my way through those and let you know if I have any success.



#5 Oh My!

Posted 28 February 2016 - 09:30 PM

Greetings SlurpyCello and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Replytopic.jpg button instead.
  • In the upper right hand corner of the topic you will see the Followtopic.jpg button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far.

Please do this.

===================================================

Farbar's Recovery Scan Tool

--------------------

For this step you will need a USB flash drive and start on a clean computer.
  • From a working computer please download Farbar Recovery Scan Tool and save it to a flash drive. You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Plug the flash drive into the infected PC and follow the 2 step process below to enter the System Recovery Options using one of the three options listed, then running Farbar's Recovery Scan Tool.
----------

Entering into the System Recovery Options

Option #1

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key (possibly another key) until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
Option #2

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next
----------

Running Farbar's Recovery Scan Tool in System Recovery
  • Once you are in the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in Notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select Computer and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    • Note: Replace letter e with the drive letter of your flash drive.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:
  • FRST.txt

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#6 SlurpyCello

Posted 29 February 2016 - 03:40 AM

Okay, I found 25 different versions of winsrv.dll in the WinSXS folder, tried copying each one into the system32 folder and rebooting but still had the same problem each time :angry:

 

Anyway, thanks for your reply Gary, here's the contents of the FRST.txt when I ran frst64.exe without any version of winsrv.dll in the system32 folder (which was how it was when this all started).

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:07-02-2016
Ran by SYSTEM on MINWINPC (29-02-2016 21:06:23)
Running from I:\
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 9
Boot Mode: Recovery
Default: ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [IAAnotif] => C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-10-13] (Intel Corporation)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [10060320 2010-02-09] (Realtek Semiconductor)
HKLM\...\Run: [RunDLLEntry_THXCfg] => C:\Windows\system32\RunDLL32.exe C:\Windows\system32\THXCfg64.dll,RunDLLEntry THXCfg64
HKLM\...\Run: [BitDefender Antiphishing Helper 32] => C:\Program Files\BitDefender\BitDefender 2010\Antispam32\IEShow.exe [71152 2009-10-18] (BitDefender S.R.L.)
HKLM\...\Run: [BitDefender Antiphishing Helper] => C:\Program Files\BitDefender\BitDefender 2010\IEShow.exe [76296 2009-10-19] (BitDefender S.R.L.)
HKLM\...\Run: [BDAgent] => C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe [1704568 2012-11-02] (BitDefender S.R.L.)
HKLM-x32\...\Run: [BackupManagerTray] => C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe [244480 2009-11-17] (NewTech Infosystems, Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Hotkey Utility] => C:\Program Files (x86)\Gateway\Hotkey Utility\HotkeyUtility.exe [563744 2010-03-25] ()
HKLM-x32\...\Run: [GrooveMonitor] => C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-25] (Microsoft Corporation)
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-18] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS5ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe [402432 2010-07-22] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe [642664 2013-05-07] (Adobe Systems Inc.)
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe [44128 2013-05-07] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [EEventManager] => C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe [976832 2009-12-16] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [SunJavaUpdateSched] => "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
HKLM-x32\...\Run: [Fitbit Connect] => C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe [4377256 2015-09-03] (Fitbit, Inc.)
HKLM-x32\...\Run: [BrStsMon00] => C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe [3076096 2012-06-05] (Brother Industries, Ltd.)
HKU\Default\...\RunOnce: [ScrSav] => C:\Program Files (x86)\Gateway\Screensaver\run_Gateway.exe [162336 2009-07-21] ()
HKU\Default\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\Gateway.scr [425984 2009-08-04] ()
HKU\Default User\...\RunOnce: [ScrSav] => C:\Program Files (x86)\Gateway\Screensaver\run_Gateway.exe [162336 2009-07-21] ()
HKU\Default User\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\Gateway.scr [425984 2009-08-04] ()
HKU\Gateway\...\Run: [Google Update] => C:\Users\Gateway\AppData\Local\Google\Update\GoogleUpdate.exe [144200 2015-08-30] (Google Inc.)
HKU\Gateway\...\Run: [AdobeBridge] => [X]
HKU\Gateway\...\Run: [GoogleDriveSync] => C:\Program Files (x86)\Google\Drive\googledrivesync.exe [23499656 2016-01-14] (Google)
HKU\Gateway\...\Run: [Dropbox Update] => C:\Users\Gateway\AppData\Local\Dropbox\Update\DropboxUpdate.exe [134512 2015-06-20] (Dropbox, Inc.)
HKU\Gateway\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8418584 2015-07-17] (Piriform Ltd)
HKU\Gateway\...\Run: [Fitbit Connect] => C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe [4377256 2015-09-03] (Fitbit, Inc.)
HKU\Gateway\...\Run: [ISUSPM] => C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe [222496 2009-05-04] (Acresso Corporation)
HKU\Gateway\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\WLXPGSS.SCR [306544 2009-07-10] (Microsoft Corporation)
HKU\UpdatusUser\...\RunOnce: [ScrSav] => C:\Program Files (x86)\Gateway\Screensaver\run_Gateway.exe [162336 2009-07-21] ()
HKU\UpdatusUser\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\Gateway.scr [425984 2009-08-04] ()
Startup: C:\Users\Gateway\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2015-12-10]
ShortcutTarget: Dropbox.lnk ->  (No File)
Startup: C:\Users\Gateway\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EvernoteClipper.lnk [2013-11-07]
ShortcutTarget: EvernoteClipper.lnk -> C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
Startup: C:\Users\Gateway\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk [2010-06-22]
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 ABBYY.Licensing.FineReader.Sprint.9.0; C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [759048 2009-05-13] (ABBYY)
S2 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-17] (ArcSoft Inc.)
S3 Arrakis3; C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe [278224 2009-10-19] (BitDefender S.R.L. hxxp://www.bitdefender.com)
S2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1433216 2016-01-07] (Microsoft Corporation)
S2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1773696 2016-01-07] (Microsoft Corporation)
S2 Fitbit Connect; C:\Program Files (x86)\Fitbit Connect\FitbitConnectService.exe [5750440 2015-09-03] (Fitbit, Inc.)
S2 LIVESRV; C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe [409672 2011-03-07] (BitDefender S.R.L.)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-17] (Malwarebytes Corporation)
S2 MotoHelper; C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe [227184 2011-08-10] ()
S2 PDFProFiltSrvPP; C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [145256 2011-08-01] (Nuance Communications, Inc.)
S2 ReflectService.exe; C:\Program Files\Macrium\Reflect\ReflectService.exe [302200 2013-01-09] ()
S3 scan; C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\scan.dll [393728 2010-03-11] (S.C. BitDefender S.R.L)
S2 USBS3S4Detection; C:\OEM\USBDECTION\USBS3S4Detection.exe [76320 2009-12-09] ()
S2 VSSERV; C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe [2299656 2010-03-23] (BitDefender S.R.L.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)
S2 WTabletServiceCon; C:\Program Files\Tablet\Pen\WTabletServiceCon.exe [627992 2013-12-16] (Wacom Technology, Corp.)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 BDFM; C:\Windows\System32\DRIVERS\bdfm.sys [163936 2010-01-28] (BitDefender S.R.L. Bucharest, ROMANIA)
S1 BdfNdisf; C:\Windows\System32\DRIVERS\BdfNdisf6.sys [88144 2010-06-19] (BitDefender LLC)
S0 bdfsfltr; C:\Windows\System32\DRIVERS\bdfsfltr.sys [347336 2010-02-21] (BitDefender)
S1 bdfwfpf; C:\Program Files\Common Files\BitDefender\BitDefender Firewall\bdfwfpf.sys [89680 2010-06-19] (BitDefender LLC)
S2 BDVEDISK; C:\Program Files\BitDefender\BitDefender 2010\bdvedisk.sys [103944 2010-01-18] (BitDefender)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-06-17] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-06-17] (Malwarebytes Corporation)
S0 phylock; C:\Windows\System32\drivers\phylock.sys [32904 2012-10-14] (TeraByte, Inc.)
S0 SmartDefragDriver; C:\Windows\System32\Drivers\SmartDefragDriver.sys [21184 2014-06-03] (IObit)
S3 TBIMount; C:\Windows\System32\drivers\tbimount.sys [371848 2012-09-29] (TeraByte, Inc.)
S3 libusb0; system32\DRIVERS\libusb0.sys [X]
S3 motusbdevice; system32\DRIVERS\motusbdevice.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-02-27 17:19 - 2016-02-27 17:19 - 00000000 _____ C:\Recovery.txt
2016-02-22 13:51 - 2016-02-22 14:00 - 00000000 ____D C:\RescueCD Logs
2016-02-19 12:41 - 2016-02-11 23:47 - 01161216 _____ (Microsoft Corporation) C:\Windows\System32\kernel32.dll
2016-02-19 12:41 - 2011-11-16 22:41 - 01731920 _____ (Microsoft Corporation) C:\Windows\System32\ntdll.dll
2016-02-19 12:41 - 2011-10-25 21:21 - 00043520 _____ (Microsoft Corporation) C:\Windows\System32\csrsrv.dll
2016-02-19 12:41 - 2010-11-20 05:26 - 00403968 _____ (Microsoft Corporation) C:\Windows\System32\gdi32.dll
2016-02-19 12:26 - 2010-11-20 05:27 - 01008128 _____ (Microsoft Corporation) C:\Windows\System32\user32.dll
2016-02-19 12:26 - 2009-07-13 17:40 - 00052736 _____ (Microsoft Corporation) C:\Windows\System32\basesrv.dll
2016-02-16 20:57 - 2016-02-16 21:12 - 00000000 ____D C:\MyRegBack
2016-02-14 15:18 - 2016-02-14 15:18 - 00008192 _____ C:\lsnc.isk20160214231809071.isk
2016-02-14 15:18 - 2016-02-14 15:18 - 00000435 _____ C:\lsmc.isk20160214231808822.isk
2016-02-14 15:18 - 2016-02-09 23:39 - 78295040 _____ C:\Windows\System32\config\SOFTWARE.SAV
2016-02-14 15:18 - 2016-02-09 23:39 - 22429696 _____ C:\Windows\System32\config\SYSTEM.SAV
2016-02-14 15:18 - 2016-02-09 23:39 - 00483328 _____ C:\Windows\System32\config\DEFAULT.SAV
2016-02-14 15:18 - 2016-02-09 23:39 - 00028672 _____ C:\Windows\System32\config\SAM.SAV
2016-02-14 15:18 - 2016-02-09 23:38 - 00032768 _____ C:\Windows\System32\config\SECURITY.SAV
2016-02-14 12:59 - 2016-02-29 21:06 - 00000000 ____D C:\FRST
2016-02-11 23:54 - 2016-02-11 23:54 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2016-02-11 23:54 - 2016-02-11 23:54 - 00274944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2016-02-11 23:47 - 2016-02-11 23:47 - 00424448 _____ (Microsoft Corporation) C:\Windows\System32\KernelBase.dll
2016-02-11 21:22 - 2016-02-11 21:22 - 00000000 __SHD C:\found.000
2016-02-11 11:35 - 2016-02-20 16:43 - 00855320 _____ C:\Windows\ntbtlog.txt
2016-02-08 12:26 - 2016-02-10 10:41 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-02-02 23:16 - 2016-02-02 23:16 - 00234870 _____ C:\Users\Gateway\Downloads\hello-life-combo-3.jpeg
2016-02-02 23:16 - 2016-02-02 23:16 - 00159946 _____ C:\Users\Gateway\Downloads\hello-life-combo-1.jpeg
2016-02-02 23:16 - 2016-02-02 23:16 - 00111025 _____ C:\Users\Gateway\Downloads\hello-life-combo-2.jpeg
2016-02-01 22:01 - 2016-02-01 22:01 - 00135955 _____ C:\Users\Gateway\Downloads\STMNT-002656.pdf

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-02-22 23:59 - 2010-06-13 10:52 - 00000000 ____D C:\E-Other
2016-02-17 14:48 - 2011-01-23 02:01 - 00000000 ____D C:\Temp
2016-02-11 23:55 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\AdvancedInstallers
2016-02-10 21:37 - 2015-06-20 17:24 - 00000926 _____ C:\Windows\Tasks\DropboxUpdateTaskUserS-1-5-21-817619117-1185775497-3052143766-1000UA.job
2016-02-10 21:31 - 2011-06-29 00:59 - 00000916 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-817619117-1185775497-3052143766-1000UA.job
2016-02-10 21:30 - 2012-08-28 04:20 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-02-10 21:25 - 2012-02-05 01:26 - 00000288 _____ C:\Windows\Tasks\my-books Communicator.job
2016-02-10 21:23 - 2010-06-12 23:49 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-02-10 17:36 - 2015-06-20 17:24 - 00000874 _____ C:\Windows\Tasks\DropboxUpdateTaskUserS-1-5-21-817619117-1185775497-3052143766-1000Core.job
2016-02-10 13:23 - 2010-06-12 23:49 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-02-10 11:40 - 2011-06-29 00:59 - 00002384 _____ C:\Users\Gateway\Desktop\Google Chrome.lnk
2016-02-10 10:50 - 2009-07-13 20:45 - 00009920 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-02-10 10:50 - 2009-07-13 20:45 - 00009920 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-02-10 10:45 - 2013-05-13 00:51 - 00000000 ___RD C:\Users\Gateway\Google Drive
2016-02-10 10:44 - 2013-08-08 00:43 - 00000000 ___RD C:\Users\Gateway\Dropbox
2016-02-10 10:43 - 2013-08-08 00:40 - 00000000 ____D C:\Users\Gateway\AppData\Roaming\Dropbox
2016-02-10 10:41 - 2012-04-26 22:35 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-02-10 10:41 - 2010-08-21 22:54 - 00000328 _____ C:\Windows\Tasks\GlaryInitialize.job
2016-02-10 10:41 - 2010-05-11 11:28 - 00000000 ____D C:\ProgramData\NVIDIA
2016-02-10 10:41 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-02-10 00:32 - 2012-08-28 04:20 - 00796864 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-02-10 00:32 - 2012-08-28 04:20 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2016-02-10 00:32 - 2011-10-15 13:09 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-02-09 22:31 - 2011-06-29 00:59 - 00000864 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-817619117-1185775497-3052143766-1000Core.job
2016-02-09 21:14 - 2009-07-13 21:13 - 00739728 _____ C:\Windows\System32\PerfStringBackup.INI
2016-02-09 21:14 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\inf
2016-02-09 10:37 - 2013-08-08 00:41 - 00006373 _____ C:\Windows\wininit.ini
2016-02-07 23:58 - 2010-06-19 15:30 - 00000376 _____ C:\Users\Gateway\AppData\Roamingprivacy.xml
2016-02-02 11:23 - 2010-06-18 15:20 - 00000000 ____D C:\Users\Gateway\AppData\Local\CrashDumps
2016-02-01 13:18 - 2010-06-12 23:49 - 00003894 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2016-02-01 13:18 - 2010-06-12 23:49 - 00003642 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore

Some files in TEMP:
====================
C:\Users\Gateway\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp5vh07h.dll
C:\Users\Gateway\AppData\Local\Temp\SetupUtil.exe
C:\Users\Gateway\AppData\Local\Temp\_is1A44.exe


==================== Known DLLs (Whitelisted) =========================


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\dnsapi.dll => MD5 is legit
C:\Windows\SysWOW64\dnsapi.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Windows\System32\winsrv.dll IS MISSING <==== ATTENTION

==================== EXE Association (Whitelisted) =============


==================== Restore Points =========================


==================== Memory info ===========================

Percentage of memory in use: 10%
Total physical RAM: 8183.11 MB
Available physical RAM: 7312.21 MB
Total Virtual: 8181.31 MB
Available Virtual: 7328.31 MB

==================== Drives ================================

Drive c: (Gateway) (Fixed) (Total:1843.82 GB) (Free:899.81 GB) NTFS
Drive d: (SYSTEM RESERVED) (Fixed) (Total:0.2 GB) (Free:0.13 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive g: (PQSERVICE) (Fixed) (Total:19 GB) (Free:7.73 GB) NTFS
Drive h: (Photos) (Fixed) (Total:1863.01 GB) (Free:441.63 GB) NTFS
Drive i: (Lexar) (Removable) (Total:14.91 GB) (Free:3.66 GB) NTFS
Drive k: (LAZESOFT) (Removable) (Total:7.19 GB) (Free:7.01 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================


LastRegBack: 2016-02-09 23:39

==================== End of FRST.txt ============================
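
Added example, not part of the original posts and not FRST's own code: a short Python triage of an FRST.txt like the one above. It pulls out the files the verification section reports as missing and the files sitting directly in System32 or SysWOW64 whose creation stamp is much newer than their modification stamp; copied-in or replaced files often look like this, but so can legitimately serviced ones, so hits are leads to review. The function names and the 30-day threshold are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Excerpt copied from the FRST.txt in the post above, trimmed to a few lines
# so the example runs offline.
SAMPLE_LOG = r"""
==================== One Month Created files and folders ========
2016-02-19 12:41 - 2016-02-11 23:47 - 01161216 _____ (Microsoft Corporation) C:\Windows\System32\kernel32.dll
2016-02-19 12:41 - 2011-11-16 22:41 - 01731920 _____ (Microsoft Corporation) C:\Windows\System32\ntdll.dll
2016-02-19 12:41 - 2011-10-25 21:21 - 00043520 _____ (Microsoft Corporation) C:\Windows\System32\csrsrv.dll
2016-02-19 12:26 - 2009-07-13 17:40 - 00052736 _____ (Microsoft Corporation) C:\Windows\System32\basesrv.dll
2016-02-11 23:47 - 2016-02-11 23:47 - 00424448 _____ (Microsoft Corporation) C:\Windows\System32\KernelBase.dll
2016-02-08 12:26 - 2016-02-10 10:41 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
==================== Bamital & volsnap =================
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\winsrv.dll IS MISSING <==== ATTENTION
"""

STAMP = "%Y-%m-%d %H:%M"
# created - modified - size attributes [(company)] path
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(\d+) (\S{5}) (?:\((.*?)\) )?([A-Za-z]:\\.*)$"
)
# Lines of the file-verification section: "<path> => MD5 is legit" or "<path> IS MISSING"
VERIFY_RE = re.compile(r"^([A-Za-z]:\\.+?) (IS MISSING|=> MD5 is legit)")
# Files located directly in the two system directories (no subfolders)
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\windows\\(?:system32|syswow64)\\[^\\]+$")


@dataclass
class FileEntry:
    created: datetime
    modified: datetime
    size: int
    attrs: str
    company: str
    path: str


def parse_file_entries(log_text):
    """Parse the 'One Month Created/Modified' style lines of an FRST log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # section headers, notes and other line types
        created, modified, size, attrs, company, path = m.groups()
        entries.append(FileEntry(
            created=datetime.strptime(created, STAMP),
            modified=datetime.strptime(modified, STAMP),
            size=int(size),
            attrs=attrs,
            company=company or "",
            path=path,
        ))
    return entries


def missing_files(log_text):
    """Paths the verification section reports as missing."""
    found = []
    for line in log_text.splitlines():
        m = VERIFY_RE.match(line.strip())
        if m and m.group(2) == "IS MISSING":
            found.append(m.group(1))
    return found


def backdated_system_files(entries, min_gap=timedelta(days=30)):
    """System-directory files created at least min_gap after they were last modified."""
    hits = []
    for e in entries:
        if "D" in e.attrs:  # directory attribute, not a file
            continue
        if not SYSTEM_DIR_RE.match(e.path.lower()):
            continue
        if e.created - e.modified >= min_gap:
            hits.append(e)
    return hits


def triage(log_text):
    """Collect both checks into one summary keyed by check name."""
    entries = parse_file_entries(log_text)
    return {
        "missing": missing_files(log_text),
        "backdated": [e.path for e in backdated_system_files(entries)],
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for path in summary["missing"]:
        print("MISSING   ", path)
    for path in summary["backdated"]:
        print("BACKDATED ", path)
```
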



#7 Oh My!

Posted 29 February 2016 - 11:05 AM

Greetings and welcome.

I wouldn't recommend the hit and miss attempts to resolve the issue. If we could stick to just the instructions I provide we can track together to make sure we are clear on things. In addition, if you would like to continue with assistance here you will need to abandon the topic at Geekstogo.

Do these look familiar to you?

C:\lsnc.isk20160214231809071.isk
C:\lsmc.isk20160214231808822.isk
C:\E-Other


Please do this.

===================================================

Farbar's Recovery Scan Tool - Run Fix

--------------------
  • From a clean computer press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter
  • Click Format then check Word Wrap
  • Please copy and paste the contents of the below code box into the open notepad and save it on the flashdrive as fixlist.txt
HKU\Gateway\...\Run: [AdobeBridge] => [X]
ShortcutTarget: Dropbox.lnk ->  (No File)
S3 libusb0; system32\DRIVERS\libusb0.sys [X]
S3 motusbdevice; system32\DRIVERS\motusbdevice.sys [X]
C:\Users\Gateway\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp5vh07h.dll
C:\Users\Gateway\AppData\Local\Temp\SetupUtil.exe
C:\Users\Gateway\AppData\Local\Temp\_is1A44.ex
  • Insert the USB device into your infected computer
  • Enter the System Recovery Options (press F8 during boot up), select Repair Your Computer, then select Command Prompt.
  • Run FRST as you did the first time and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a Fixlog.txt document on your USB device. Copy and paste that information in your reply.
  • Type the following in the Search Field
winsrv.dll
  • Click Search File(s) button
  • A Search.txt document will be saved to your USB device
  • Copy and paste the contents of that document into your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Recognize entries?
  • Fixlog
  • Search log

Gary
 

#8 SlurpyCello

Posted 29 February 2016 - 02:18 PM

Thanks Gary.

 

I don't recognize the files C:\lsnc.isk20160214231809071.isk or C:\lsmc.isk20160214231808822.isk

C:\E-Other is just a folder containing various items and subfolders.

 

Fixlog.txt:

 

Fix result of Farbar Recovery Scan Tool (x64) Version:27-02-2016
Ran by SYSTEM (2016-03-01 07:57:38) Run:2
Running from M:\
Boot Mode: Recovery
==============================================
 
fixlist content:
*****************
HKU\Gateway\...\Run: [AdobeBridge] => [X]
ShortcutTarget: Dropbox.lnk ->  (No File)
S3 libusb0; system32\DRIVERS\libusb0.sys [X]
S3 motusbdevice; system32\DRIVERS\motusbdevice.sys [X]
C:\Users\Gateway\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp5vh07h.dll
C:\Users\Gateway\AppData\Local\Temp\SetupUtil.exe
C:\Users\Gateway\AppData\Local\Temp\_is1A44.ex
*****************
 
HKU\Gateway\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge => value removed successfully
ShortcutTarget: Dropbox.lnk ->  (No File) => not found.
libusb0 => service removed successfully
motusbdevice => service removed successfully
C:\Users\Gateway\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp5vh07h.dll => moved successfully
C:\Users\Gateway\AppData\Local\Temp\SetupUtil.exe => moved successfully
"C:\Users\Gateway\AppData\Local\Temp\_is1A44.ex" => not found.
 
==== End of Fixlog 07:57:40 ====
 
Search.txt:
 
Farbar Recovery Scan Tool (x64) Version:27-02-2016
Ran by SYSTEM (2016-03-01 07:58:51)
Running from M:\
Boot Mode: Recovery
 
================== Search Files: "winsrv.dll" =============
 
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.22177_none_14f039eccc407b3f\winsrv.dll
[2016-02-24 16:05][2012-11-29 21:55] 0215040 ____A (Microsoft Corporation) C2B1F6196C7FE1EA1BF827312B095D06
 
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.22125_none_152448f4cc19bcdc\winsrv.dll
[2012-12-12 07:31][2012-10-04 09:43] 0215040 ____A (Microsoft Corporation) CC44EBC3E04E76AABE19EB4A16663E4A
 
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.22091_none_14d49672cc561df0\winsrv.dll
[2012-10-09 23:31][2012-08-20 10:27] 0215040 ____A (Microsoft Corporation) 111AFE35DD2D423EE8E176CA7B2BBDC7
 
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.21756_none_1504fba6cc30ff4f\winsrv.dll
[2011-08-10 00:46][2011-06-23 21:27] 0214528 ____A (Microsoft Corporation) C13D05A015346DED3D722BE285814495
 
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.21738_none_151c9c12cc1efa1b\winsrv.dll
[2011-07-15 11:57][2011-06-02 23:01] 0214528 ____A (Microsoft Corporation) 5AA1C7B5F471C4657BE38447BC397665
 
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.21728_none_15276bfecc16de2a\winsrv.dll
[2011-07-16 12:17][2011-05-13 23:11] 0214528 ____A (Microsoft Corporation) 1A589228B6DC007120F877DBBD6CB79D
 
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.21624_none_152368f0cc1a7ba7\winsrv.dll
[2011-02-09 20:04][2010-12-18 00:52] 0214016 ____A (Microsoft Corporation) A199CC08A13EEB667412423F712FE817
 
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.18015_none_14a57c15b2f40121\winsrv.dll
[2016-02-24 15:57][2012-11-29 21:45] 0215040 ____A (Microsoft Corporation) 9E479C2B605C25DA4971ABA36250FAEF
 
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17965_none_146f9457b31c5994\winsrv.dll
[2012-12-12 07:31][2012-10-04 09:45] 0215040 ____A (Microsoft Corporation) 72CC564BBC70DE268784BCE91EB8A28F
 
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17932_none_148d033db306b9bc\winsrv.dll
[2012-10-09 23:31][2012-08-20 10:48] 0215040 ____A (Microsoft Corporation) F46BBAAC1C4980F4D0DD463F190A42D3
 
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17641_none_14812d55b30fc4e1\winsrv.dll
[2011-08-10 00:46][2011-06-23 21:34] 0214528 ____A (Microsoft Corporation) EB6A48CC998E1090E44E8E7F1009A640
 
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17625_none_149ace55b2fbf25b\winsrv.dll
[2011-07-15 11:57][2011-06-02 22:57] 0214528 ____A (Microsoft Corporation) 9F761CE1C6C013120B2F0DB27D48C06F
 
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17617_none_14a79ed5b2f20918\winsrv.dll
[2011-07-16 12:17][2011-05-13 23:24] 0214528 ____A (Microsoft Corporation) 3A8135A7DED2FA0DAD3BDE1B14865A8A
 
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17527_none_149ccd03b2fa27e2\winsrv.dll
[2011-02-09 20:04][2010-12-17 03:42] 0214016 ____A (Microsoft Corporation) 15822E7206C7A0A893395CB07A63C7E1
 
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17514_none_14a49c11b2f4bfec\winsrv.dll
[2011-06-01 22:28][2010-11-20 05:27] 0214016 ____A (Microsoft Corporation) E0406AEF04B088D1C49FC78D0546F689
 
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.21386_none_12fe0cb0cf2311ed\winsrv.dll
[2016-02-24 16:00][2012-11-29 21:43] 0215040 ____A (Microsoft Corporation) B0F0F844BB3BA4C25837310FD0909BFD
 
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.21335_none_13331c02cefb6ce1\winsrv.dll
[2012-12-12 07:31][2012-10-04 09:35] 0215040 ____A (Microsoft Corporation) 7C17C4AACC79E619E6A4131F51588ED3
 
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.21306_none_13548c10cee23265\winsrv.dll
[2012-10-09 23:31][2012-08-20 11:06] 0215040 ____A (Microsoft Corporation) 0E83424D4CEC0665A3A916AD6B261E53
 
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.20995_none_12f25ea6cf2be9d0\winsrv.dll
[2011-08-10 00:46][2011-06-23 21:26] 0214528 ____A (Microsoft Corporation) 6D408ABD60A995A2DAB4BAAE38BCA04F
 
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.20978_none_130aff5ccf18fdf3\winsrv.dll
[2011-07-15 11:57][2011-06-02 22:59] 0214528 ____A (Microsoft Corporation) 55917E3ABDDC20D0AAEAC49F5CE67462
 
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.20864_none_1311cc3acf147f7f\winsrv.dll
[2011-02-09 20:04][2010-12-21 23:15] 0214016 ____A (Microsoft Corporation) 571543B93AE0319185970848024C9E04
 
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.17179_none_12823ec9b5faa510\winsrv.dll
[2016-02-24 15:55][2012-11-29 21:49] 0215040 ____A (Microsoft Corporation) C4C551E6AB333C0EB812A3A4672E89DB
 
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.17135_none_12a97d51b5ddcff0\winsrv.dll
[2012-12-12 07:31][2012-10-04 09:38] 0215040 ____A (Microsoft Corporation) 4343295C52C8B1ADD906F1A37B940AA1
 
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.17107_none_12cbeda9b5c3aecb\winsrv.dll
[2012-10-09 23:31][2012-08-18 07:42] 0215040 ____A (Microsoft Corporation) 79CDA06F75AD5373DD447F57575C4400
 
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.16850_none_128f0019b5f25b8f\winsrv.dll
[2011-08-10 00:46][2011-07-15 21:26] 0214528 ____A (Microsoft Corporation) 0CB6EBF4B461A6043353C570BD72A1E1
 
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.16823_none_12b270bbb5d753c1\winsrv.dll
[2011-07-15 11:57][2011-06-01 22:44] 0214528 ____A (Microsoft Corporation) DE09FA38A6544829F012B9531C18454F
 
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.16816_none_12c04185b5cc83d5\winsrv.dll
[2011-07-16 12:17][2011-05-13 23:41] 0214528 ____A (Microsoft Corporation) 3739AA2F57FE492EA976E20C56CDF2F4
 
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.16723_none_12b26ed5b5d7569a\winsrv.dll
[2011-02-09 20:04][2010-12-20 22:16] 0214016 ____A (Microsoft Corporation) B200DECA2186858595A97FBE63E896CC
 
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.16385_none_12738849b6063c52\winsrv.dll
[2009-07-13 15:38][2009-07-13 17:41] 0214016 ____A (Microsoft Corporation) 457B44AB6D502E55F64A867D4F35C76C
 
C:\Temp\winsrv.dll
[2016-02-14 15:54][2010-11-20 05:27] 0214016 ____A (Microsoft Corporation) E0406AEF04B088D1C49FC78D0546F689
 
C:\E-Other\winsrv.dll
[2016-02-19 12:41][2012-10-04 09:43] 0215040 ____A (Microsoft Corporation) CC44EBC3E04E76AABE19EB4A16663E4A
 
X:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.16385_none_12738849b6063c52\winsrv.dll
[2009-07-13 15:38][2009-07-13 17:41] 0214016 ____A (Microsoft Corporation) 457B44AB6D502E55F64A867D4F35C76C
 
X:\Windows\System32\winsrv.dll
[2009-07-13 15:38][2009-07-13 17:41] 0214016 ____A (Microsoft Corporation) 457B44AB6D502E55F64A867D4F35C76C
 
====== End of Search ======
 
Many thanks for your help, much appreciated.
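
Added example, not part of the original posts: a small Python parser for the Search.txt layout shown in this post, which matches each loose copy of winsrv.dll (C:\Temp, C:\E-Other) to the WinSxS component version with the same size and MD5. The sample input is an excerpt copied from the log above; the function names, the field names and the reading of the two bracketed fields as timestamps are assumptions.

```python
import re
from collections import defaultdict

# Excerpt of the Search.txt above (paths, sizes and MD5 values copied from the log).
SEARCH_TXT = r"""
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.22125_none_152448f4cc19bcdc\winsrv.dll
[2012-12-12 07:31][2012-10-04 09:43] 0215040 ____A (Microsoft Corporation) CC44EBC3E04E76AABE19EB4A16663E4A

C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17514_none_14a49c11b2f4bfec\winsrv.dll
[2011-06-01 22:28][2010-11-20 05:27] 0214016 ____A (Microsoft Corporation) E0406AEF04B088D1C49FC78D0546F689

C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.17179_none_12823ec9b5faa510\winsrv.dll
[2016-02-24 15:55][2012-11-29 21:49] 0215040 ____A (Microsoft Corporation) C4C551E6AB333C0EB812A3A4672E89DB

C:\Temp\winsrv.dll
[2016-02-14 15:54][2010-11-20 05:27] 0214016 ____A (Microsoft Corporation) E0406AEF04B088D1C49FC78D0546F689

C:\E-Other\winsrv.dll
[2016-02-19 12:41][2012-10-04 09:43] 0215040 ____A (Microsoft Corporation) CC44EBC3E04E76AABE19EB4A16663E4A
"""

# "[stamp][stamp] size attributes (company) MD5" -- layout as it appears in the log.
META = re.compile(r"^\[([^\]]+)\]\[([^\]]+)\] (\d+) (\S+) \((.*)\) ([0-9A-Fa-f]{32})$")
# Component version embedded in a WinSxS folder name, e.g. "_6.1.7601.17514_none_".
VERSION = re.compile(r"_(\d+\.\d+\.\d+\.\d+)_none_")
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")


def parse_search(text):
    """Return one dict per file: a path line followed by its metadata line."""
    entries, path = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if DRIVE_PATH.match(line):
            path = line
            continue
        m = META.match(line)
        if m and path:
            ver = VERSION.search(path)
            entries.append({
                "path": path,
                "stamps": (m.group(1), m.group(2)),
                "size": int(m.group(3)),
                "company": m.group(5),
                "md5": m.group(6).upper(),
                "in_winsxs": "\\winsxs\\" in path.lower(),
                "version": ver.group(1) if ver else None,
            })
            path = None  # a metadata line closes the current entry
    return entries


def trace_loose_copies(entries):
    """Map each file outside WinSxS to the component versions it is identical to."""
    by_content = defaultdict(list)
    for e in entries:
        if e["in_winsxs"] and e["version"]:
            by_content[(e["md5"], e["size"])].append(e["version"])
    return {e["path"]: sorted(by_content.get((e["md5"], e["size"]), []))
            for e in entries if not e["in_winsxs"]}


if __name__ == "__main__":
    for path, versions in trace_loose_copies(parse_search(SEARCH_TXT)).items():
        print(path, "->", versions or "no matching WinSxS component")
```

An empty list for a loose copy means no WinSxS component in the parsed log has the same size and MD5.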
 
 


#9 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,499 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:02:04 PM

Posted 29 February 2016 - 02:28 PM

Greetings,
 

C:\E-Other is just a folder containing various items and subfolders.

I am assuming these are entries you are aware of?

Please do this.

===================================================

Farbar's Recovery Scan Tool - Run Fix

--------------------
  • From a clean computer press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter
  • Click Format then check Word Wrap
  • Please copy and paste the contents of the below code box into the open notepad and save it on the flashdrive as fixlist.txt
C:\lsnc.isk20160214231809071.isk
C:\lsmc.isk20160214231808822.isk
cmd: copy /y C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.17179_none_12823ec9b5faa510\winsrv.dll C:\Windows\System32
  • Insert the USB device into your infected computer
  • Enter the System Recovery Options (press F8 during boot up), select Repair Your Computer, then select Command Prompt.
  • Run FRST as you did the first time and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a Fixlog.txt document on your USB device. Copy and paste that information in your reply.
  • Please attempt to boot your computer into Normal Mode or, if not, Safe Mode
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Recognize entries?
  • Fixlist
  • Can you boot into Normal or Safe Mode?

Gary
 

#10 SlurpyCello


Posted 29 February 2016 - 02:47 PM

Yes, I recognize the entries in C:\E-Other.

 

Fixlog.txt:

 

Fix result of Farbar Recovery Scan Tool (x64) Version:27-02-2016
Ran by SYSTEM (2016-03-01 08:41:18) Run:3
Running from M:\
Boot Mode: Recovery
==============================================
 
fixlist content:
*****************
C:\lsnc.isk20160214231809071.isk
C:\lsmc.isk20160214231808822.isk
cmd: copy /y C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.17179_none_12823ec9b5faa510\winsrv.dll C:\Windows\System32
*****************
 
C:\lsnc.isk20160214231809071.isk => moved successfully
C:\lsmc.isk20160214231808822.isk => moved successfully
 
=========  copy /y C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.17179_none_12823ec9b5faa510\winsrv.dll C:\Windows\System32 =========
 
        1 file(s) copied.
 
========= End of CMD: =========
 
 
==== End of Fixlog 08:41:20 ====
 
Sadly not able to boot into normal or safe mode. In normal mode I get the Windows logo up for a few seconds then it goes back to the beginning of the process.


#11 Oh My!


Posted 29 February 2016 - 04:06 PM

OK thanks, please do this.

===================================================

Farbar's Recovery Scan Tool - Run Fix

--------------------
  • From a clean computer press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter
  • Click Format then check Word Wrap
  • Please copy and paste the contents of the below code box into the open notepad and save it on the flashdrive as fixlist.txt
LastRegBack: 2016-02-09 23:39
  • Insert the USB device into your infected computer
  • Enter the System Recovery Options (press F8 during boot up), select Repair Your Computer, then select Command Prompt.
  • Run FRST as you did the first time and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a Fixlog.txt document on your USB device. Copy and paste that information in your reply.
  • Please attempt to boot your computer into Normal Mode or, if not, Safe Mode
  • If you cannot boot, complete the next step
===================================================

Diagnose Blue Screen of Death (BSOD) Errors by Disabling Automatic Restart

--------------------
  • When you boot your machine, press F8 to list the startup options, exactly as you would if you were trying to enter Safe Mode
  • Select Disable Automatic Restart on System Failure, as shown here:

[image: advancedoptions.png]

  • When your system BSODs, write down the STOP error code, as well as any written out error message back here. The STOP error will always appear, but the message may not.

[image: bsod_c.jpg]

  • Please include this information in your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Fixlist
  • Can you boot?
  • Blue Screen information, if applicable

Gary
 

#12 SlurpyCello


Posted 01 March 2016 - 12:54 AM

Fixlog:

 

Fix result of Farbar Recovery Scan Tool (x64) Version:27-02-2016
Ran by SYSTEM (2016-03-01 18:45:42) Run:4
Running from M:\
Boot Mode: Recovery
==============================================
 
fixlist content:
*****************
LastRegBack: 2016-02-09 23:39
*****************
 
DEFAULT => copied successfully to System32\config\HiveBackup
DEFAULT => restored successfully from registry back up
SAM => copied successfully to System32\config\HiveBackup
SAM => restored successfully from registry back up
SECURITY => copied successfully to System32\config\HiveBackup
SECURITY => restored successfully from registry back up
SOFTWARE => copied successfully to System32\config\HiveBackup
SOFTWARE => restored successfully from registry back up
SYSTEM => copied successfully to System32\config\HiveBackup
SYSTEM => restored successfully from registry back up
 
==== End of Fixlog 18:45:49 ====
 
 
Unable to boot (either normal or safe mode)
 
 
Blue screen info:
STOP: C0000142 {DLL initialization failure}
Initialization of the dynamic link library winsrv failed. The process is terminating abnormally.


#13 Oh My!


Posted 01 March 2016 - 01:11 PM

Greetings,

A few things.

I would recommend you back up your data files if you haven't done so already as we may not be able to overcome this without more drastic measures. I would like to know your files are safe.

-----

Do you know the date when this symptom started?

-----

If you have any USB devices attached please remove them and try to boot.

-----

Boot into the Recovery Environment and copy the following file onto your USB device. Copy and paste the information in your reply

C:\Windows\System32\LogFiles\Srt\SrtTrail.txt

-----

Please do these things.

===================================================

Running chkdsk /r from Recovery Environment in Windows 7

--------------------
  • Boot your computer into the Recovery Environment (tap F8)
  • Select Command Prompt
  • Type c: and Enter
  • Type chkdsk /r and Enter
  • If you receive a message about unmounting the volume check Yes
  • If the program doesn't start automatically repeat the chkdsk /r command
  • Once the process is finished please write down any information provided on the screen
  • Attempt to reboot your computer into Normal Mode.
  • If you receive a Blue Screen of Death (BSOD) please provide that information in your post.
Note: This process may take a while to complete. You may also notice the progress bar jumping back and forth. This is normal. Please be patient.

===================================================

Running sfc /scannow in Windows 7/Vista Recovery Environment

-----------------
  • Restart the computer
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears
  • Use the arrow keys to select the Repair your computer menu item
  • Select English as the keyboard language settings, and then click Next
  • For Windows 8 hit the Windows Key + I at the same time, click the Power button, then hold down the Shift Key while clicking Restart
  • Once you are in the System Recovery Options menu you will get the following options

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • Type the following (there is a space before each "/") after the Command Prompt and hit Enter (if you receive an error replace /OFFBOOTDIR=C:\ with /OFFBOOTDIR=D:\)

SFC /SCANNOW /OFFBOOTDIR=C:\ /OFFWINDIR=C:\WINDOWS

  • Allow the process to complete
  • Attempt to boot your computer into Normal Mode and check the performance
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Symptom start date
  • SrtTrail.txt
  • Did chkdsk run?
  • Did sfc run?
  • Are you able to boot?

Gary
 

#14 SlurpyCello


Posted 01 March 2016 - 02:46 PM

Thanks Gary, I've already backed up my data files from that drive.

 

The problem started on the morning of Friday 12th February when I tried to restart the PC. Prior to this I had probably restarted it on around Wednesday 10th February with no problems.

 

I'll start on your other tasks shortly but just have a quick question - when I go to the command prompt, and do a DIR C:, it says the volume in drive C is SYSTEM RESERVED and there are no files to view. My normal C: drive (where the OS is installed) is actually E. So for the commands above should I be replacing C: with E: (so run chkdsk /r from the E drive etc.)?



#15 Oh My!


Posted 01 March 2016 - 03:39 PM

Yes, use the E drive.

Do you recall doing any Windows Updates just before this happened? There are reports this is sometimes caused by an update.
Gary
 



