
Black Screen after PC Boot


  • This topic is locked
26 replies to this topic

#1 C0113c70r

  • Members
  • 53 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:08 AM

Posted 01 September 2016 - 06:12 AM

Problem: When attempting a normal startup, my laptop first shows the HP boot logo then a solid black screen with no mouse pointer and no blinking cursor. After less than a minute the depth of darkness in the black screen changes as if my computer is going into sleep or hibernation mode.

Right now, I am only able to log onto my computer in Safe Mode. However, a solid black screen also appears for about a minute before the password login screen when logging into Safe Mode.

The Backstory: On 29 Aug I clicked a link online that opened a video and created a pop-under. Using my mouse, I first closed the pop-under. I then stopped the video that was playing and closed that browser window. Immediately, my mouse icon disappeared. I figured that something nasty might be happening to my computer so I shut down the computer manually using the power button. When I turned my computer back on, a moment later, I began experiencing the black screen problem.

Additional Concerns:

(1) Since this black screen problem began, I have noticed a hidden file with a Chinese filename tucked away in my C:\Windows\ directory. The filename is 捉湯牗獫䤮䥎

(2) My system logs are showing a lot of errors associated with Bonjour Service since the black screen problem began. I did not knowingly install Bonjour Service and do not know what it is for.

What I have done so far (I believe this is the correct order in which I did things):

(1) Ran Automatic Repair [Startup Settings -> Troubleshoot -> Advanced Options -> Automatic Repair]. According to the SrtTrail.txt log file, all tests performed by Automatic Repair "Completed successfully. Error code = 0x0". The final section of the logfile states "Root cause found: Boot status indicates that the OS booted successfully." NOTE: I am still getting the black screen.

(2) Performed a System Restore to Restore Point dated 22 Aug 2016.

(3) Ran HijackThis and checked the log at the hijackthis(dot)de site which didn't return any nasties. NOTE: I noticed a couple of peculiar items listed in the HijackThis log, as follows:
O4 - HKUS\S-1-5-18\..\Run: [] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] (User 'Default user')

(4) Updated Windows Defender Sig files and ran Windows Defender scanner. No Infections Found.

(5) Updated Spybot S&D Sig files and ran Spybot S&D scanner. No Infections Found.

(6) Updated Malwarebytes Anti-Malware Sig files and ran the scanner. No Infections Found.

(7) Updated TrojanHunter 6.1 Sig files and ran the scanner. TWO infections detected: (1) Generic.TrojanDownloader.A; (2) LdPinch.1457. Cleaned/Deleted the infected files. NOTE: Both of these infected files were exe ebooks.

(8) Installed and ran CCleaner Pro (Trial Version). Analyzed and cleaned Internet Explorer, Windows Explorer and System using default settings in CCleaner.

(9) Installed AdwCleaner 6.0.1.0. After installing, I ran AdwCleaner and received the following error message: "Titlebar: AdwCleaner - v.6.010 - ToolsLib: AdwCleaner.exe - Application Error; Message: The instruction at 0x77779f03 referenced memory at 0x000000b6. The memory could not be read. Click on OK to terminate the program". NOTE: After rebooting my computer back into Safe Mode, I was able to successfully scan my computer with AdwCleaner. The second time that I ran the scanner it detected 1 folder, 1 file, and 2 registry entries. By this time I had requested help in the BC forum so I did not click the clean button.

(10) Installed and ran SUPERAntiSpyware. No potentially harmful items detected.

(11) Attempted to install Emsisoft AntiMalware 11.0.0.6054. Received the following error message - Titlebar: "Emsisoft Protection"; Message: "A major problem prevents application start. Emsisoft Security can't connect to the service application. Please restart your PC and try again or contact support if the problem remains." NOTE: This was probably because I was attempting to install the software in Safe Mode.

(12) See #9 above. This is where I ran AdwCleaner the second time.

-- END of what I have done so far --

FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 31-08-2016
Ran by C0113c70r (administrator) on BLUEAEGIS (01-09-2016 18:03:29)
Running from C:\Users\C0113c70r\Desktop\Security
Loaded Profiles: C0113c70r (Available Profiles: C0113c70r)
Platform: Windows 8.1 (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Safe Mode (with Networking)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7642328 2014-10-07] (Realtek Semiconductor)
HKLM\...\Run: [SimplePass] => C:\Program Files\Hewlett-Packard\SimplePass\ClientCore.exe [3962936 2014-03-29] (Hewlett-Packard)
HKLM\...\Run: [OPBHOBroker] => C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBroker.exe [415288 2014-03-29] (Hewlett-Packard)
HKLM\...\Run: [OPBHOBrokerDesktop] => C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBrokerDsktop.exe [415288 2014-03-29] (Hewlett-Packard)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2818800 2014-06-17] (Synaptics Incorporated)
HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [163520 2015-04-10] (IvoSoft)
HKLM-x32\...\Run: [AccelerometerSysTrayApplet] => C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerST.exe [126240 2014-04-02] (Hewlett-Packard Company)
HKLM-x32\...\Run: [HPMessageService] => C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPMSGSVC.exe [509192 2014-10-10] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-1403587705-295510217-1205112951-1001\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-29] (Safer-Networking Ltd.)
HKU\S-1-5-21-1403587705-295510217-1205112951-1001\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-18\...\Run: [] => 0
ShellIconOverlayIdentifiers: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer64.dll [2015-04-10] (IvoSoft)
ShellIconOverlayIdentifiers-x32: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer32.dll [2015-04-10] (IvoSoft)
Startup: C:\Users\C0113c70r\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk [2016-06-12]
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
BootExecute: autocheck autochk * sdnclean64.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{DE1D7ADD-AEA2-4EA5-81C3-636F4C8154E0}: [DhcpNameServer] 168.94.0.14 168.94.0.15
Tcpip\..\Interfaces\{F3BF8A9E-CB3A-4B06-93E0-913D395ABD7B}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp13.msn.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://hp13.msn.com
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp13.msn.com
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://hp13.msn.com
HKU\S-1-5-21-1403587705-295510217-1205112951-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://hp13.msn.com
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {AFA422D1-7ADC-43F1-AF6E-5DB54EB8CD49} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-1403587705-295510217-1205112951-1001 -> {AFA422D1-7ADC-43F1-AF6E-5DB54EB8CD49} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
BHO: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer64.dll [2015-04-10] (IvoSoft)
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll [2013-08-28] (Hewlett-Packard)
BHO: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_64.dll [2015-04-10] (IvoSoft)
BHO-x32: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer32.dll [2015-04-10] (IvoSoft)
BHO-x32: Evernote extension -> {92EF2EAD-A7CE-4424-B0DB-499CF856608E} -> C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll [2014-07-26] (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll [2013-08-28] (Hewlett-Packard)
BHO-x32: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_32.dll [2015-04-10] (IvoSoft)
Toolbar: HKLM - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer64.dll [2015-04-10] (IvoSoft)
Toolbar: HKLM-x32 - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll [2015-04-10] (IvoSoft)
Handler-x32: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files (x86)\Common Files\Microsoft Shared\Web Folders\pkmcdo.dll [2001-01-22] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\C0113c70r\AppData\Roaming\Mozilla\Firefox\Profiles\zsq10piz.default-1439955462752
FF NewTab: hxxp://www.google.com
FF DefaultSearchEngine.US: Google
FF Homepage: hxxps://www.google.com
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_22_0_0_209.dll [2016-07-14] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_22_0_0_209.dll [2016-07-14] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\windows\SysWOW64\Adobe\Director\np32dsw_1204144.dll [2013-09-05] (Adobe Systems, Inc.)
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [2014-06-20] ()
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [2014-06-20] ()
FF Plugin-x32: @glance.net/GlanceClient -> C:\Program Files (x86)\Glance29\npglance.dll [2014-09-16] (Glance Networks, Inc.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.56 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2014-09-04] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2014-09-04] (Intel Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-30] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-30] (Google Inc.)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll [2016-05-23] ()
FF Extension: (YesScript) - C:\Users\C0113c70r\AppData\Roaming\Mozilla\Firefox\Profiles\zsq10piz.default-1439955462752\extensions\yesscript@userstyles.org.xpi [2016-08-04]
FF Extension: (Free Visio Viewer (Mac, Windows, Linux)) - C:\Users\C0113c70r\AppData\Roaming\Mozilla\Firefox\Profiles\zsq10piz.default-1439955462752\Extensions\jid0-3uZ3BaNBn8N0eej5ThAAoBGd4SA@jetpack.xpi [2016-04-28]
FF Extension: (Invite All (for Facebook)) - C:\Users\C0113c70r\AppData\Roaming\Mozilla\Firefox\Profiles\zsq10piz.default-1439955462752\Extensions\jid0-zs24wecdcQo0Lp18D7QOV4WSZFo@jetpack.xpi [2016-04-28]
FF Extension: (Google Translator for Firefox) - C:\Users\C0113c70r\AppData\Roaming\Mozilla\Firefox\Profiles\zsq10piz.default-1439955462752\Extensions\translator@zoli.bod.xpi [2016-08-19]
FF Extension: (New Tab Homepage) - C:\Users\C0113c70r\AppData\Roaming\Mozilla\Firefox\Profiles\zsq10piz.default-1439955462752\Extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}.xpi [2015-10-03]
FF Extension: (Block site) - C:\Users\C0113c70r\AppData\Roaming\Mozilla\Firefox\Profiles\zsq10piz.default-1439955462752\Extensions\{dd3d7613-0246-469d-bc65-2a3cc1668adc} [2016-06-08]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-07-23] (SUPERAntiSpyware.com)
S2 a2AntiMalware; C:\Program Files\Emsisoft Anti-Malware\a2service.exe [10900888 2016-01-06] (Emsisoft Ltd)
S3 becldr3Service; C:\Program Files\BCL Technologies\easyConverter SDK 3\Common\becldr.exe [263168 2013-07-04] () [File not signed]
S2 cbVSCService11; C:\Program Files (x86)\Cobian Backup 11\cbVSCService11.exe [67584 2013-03-07] (CobianSoft, Luis Cobian) [File not signed]
S2 ftpqueue; C:\Program Files\WS_FTP Pro\ftpsched.exe [212992 2015-06-29] (Ipswitch, Inc., 81 Hartwell Ave, Lexington MA 02421) [File not signed]
S2 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [350064 2016-05-23] (WildTangent)
S2 HPWMISVC; C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe [569608 2014-10-10] (Hewlett-Packard Development Company, L.P.)
S2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [16232 2014-06-25] (Intel Corporation)
S2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [328296 2014-10-07] (Intel Corporation)
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [887256 2014-05-14] (Intel® Corporation)
S2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [131544 2014-09-04] (Intel Corporation)
S3 iumsvc; C:\Program Files (x86)\Intel\Intel® Update Manager\bin\iumsvc.exe [178312 2015-09-26] (Intel Corporation)
S2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [154584 2014-09-04] (Intel Corporation)
S3 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [221832 2014-10-02] (McAfee, Inc.)
R2 mfevtp; C:\Windows\system32\mfevtps.exe [189920 2014-10-02] (McAfee, Inc.)
S2 omniserv; C:\Program Files\Hewlett-Packard\SimplePass\OmniServ.exe [88064 2014-03-29] (Softex Inc.) [File not signed]
S2 RapportMgmtService; C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [2383344 2016-07-11] (IBM Corp.)
S2 RichVideo64; C:\Program Files\CyberLink\Shared files\RichVideo64.exe [389896 2014-04-15] ()
S2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [292568 2014-09-05] (Realtek Semiconductor)
S2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
S2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
S2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-26] (Safer-Networking Ltd.)
S2 SecureLine; C:\Program Files\AVAST Software\SecureLine\VpnSvc.exe [592392 2016-05-24] ()
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
S2 SynTPEnhService; C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe [191728 2014-06-17] (Synaptics Incorporated)
S3 vmicvss; C:\Windows\System32\ICSvc.dll [524800 2014-10-29] (Microsoft Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366520 2015-02-04] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2015-02-04] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [72136 2014-10-02] (McAfee, Inc.)
S1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [91912 2013-11-13] (CyberLink)
R0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
S1 epp; C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\epp.sys [123992 2015-10-23] (Emsisoft Ltd)
S1 glancedrv; C:\Windows\system32\DRIVERS\glancedrv.sys [36384 2009-05-13] (Glance Networks, Inc)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [126976 2014-09-04] (Intel Corporation)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [181584 2014-10-02] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [313680 2014-10-02] (McAfee, Inc.)
S0 mfeelamk; C:\Windows\System32\drivers\mfeelamk.sys [70608 2014-10-01] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [526360 2014-10-02] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [786304 2014-10-02] (McAfee, Inc.)
S3 mfencbdc; C:\Windows\system32\DRIVERS\mfencbdc.sys [447440 2014-09-19] (McAfee, Inc.)
S3 mfencrk; C:\Windows\system32\DRIVERS\mfencrk.sys [96600 2014-09-19] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [348560 2014-10-02] (McAfee, Inc.)
S1 RapportCerberus_1609042; C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus64_1609042.sys [1157960 2016-08-04] (IBM Corp.)
S1 RapportEI64; C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [544360 2016-07-11] (IBM Corp.)
S0 RapportHades64; C:\Windows\System32\Drivers\RapportHades64.sys [215560 2016-07-11] (IBM Corp.)
S0 RapportKE64; C:\Windows\System32\Drivers\RapportKE64.sys [470056 2016-07-11] (IBM Corp.)
S1 RapportPG64; C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [525992 2016-07-11] (IBM Corp.)
S3 RTSPER; C:\Windows\system32\DRIVERS\RtsPer.sys [506072 2014-06-21] (Realsil Semiconductor Corporation)
R3 RTWlanE; C:\Windows\system32\DRIVERS\rtwlane.sys [3593432 2014-10-08] (Realtek Semiconductor Corporation )
S1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-13] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 SmbDrv; C:\Windows\System32\drivers\Smb_driver_AMDASF.sys [30448 2014-06-17] (Synaptics Incorporated)
R3 SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [31472 2014-06-17] (Synaptics Incorporated)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44024 2015-02-04] (Microsoft Corporation)
S0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [264000 2015-02-04] (Microsoft Corporation)
S2 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2015-02-04] (Microsoft Corporation)
R3 WirelessButtonDriver; C:\Windows\System32\drivers\WirelessButtonDriver64.sys [20800 2013-07-23] (Hewlett-Packard Development Company, L.P.)
S1 MpKsl93049860; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\MpKsl93049860.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-08-31 16:42 - 2016-08-31 17:06 - 00000000 ____D C:\Users\C0113c70r\Downloads\Autoruns
2016-08-31 14:32 - 2016-08-31 21:46 - 00000000 ____D C:\Program Files\Emsisoft Anti-Malware
2016-08-31 14:32 - 2016-08-31 14:32 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Emsisoft Anti-Malware
2016-08-31 14:23 - 2016-08-31 14:31 - 00000000 ____D C:\Users\C0113c70r\Downloads\Emsisoft
2016-08-31 13:52 - 2016-08-31 13:52 - 00000000 ____D C:\Users\C0113c70r\AppData\Roaming\SUPERAntiSpyware.com
2016-08-31 13:52 - 2016-08-31 13:52 - 00000000 ____D C:\ProgramData\SUPERAntiSpyware.com
2016-08-31 13:52 - 2016-08-31 13:52 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
2016-08-31 13:52 - 2016-08-31 13:52 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2016-08-31 13:50 - 2016-08-31 13:50 - 00000000 ____D C:\Users\C0113c70r\Downloads\SuperAntiSpyware
2016-08-31 13:36 - 2016-08-31 21:28 - 00000000 ____D C:\AdwCleaner
2016-08-31 13:09 - 2016-08-31 13:09 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2016-08-31 13:09 - 2016-08-31 13:09 - 00000000 ____D C:\Program Files\CCleaner
2016-08-31 13:07 - 2016-08-31 13:07 - 00000000 ____D C:\Users\C0113c70r\Downloads\CCleaner Trial
2016-08-31 10:24 - 2016-08-31 10:24 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TrojanHunter
2016-08-31 09:22 - 2016-09-01 18:03 - 00000000 ___RD C:\Users\C0113c70r\Desktop\Security
2016-08-31 01:32 - 2016-08-31 01:32 - 00000000 ____D C:\Windows\LastGood
2016-08-30 18:56 - 2016-09-01 18:03 - 00000000 ____D C:\FRST
2016-08-30 18:50 - 2016-08-31 09:21 - 00000000 ____D C:\Users\C0113c70r\Downloads\FRST
2016-08-30 09:48 - 2016-08-30 09:48 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cobian Backup 11
2016-08-30 09:48 - 2016-08-30 09:48 - 00000000 ____D C:\Program Files (x86)\Cobian Backup 11
2016-08-30 09:47 - 2016-08-30 09:47 - 00000000 ____D C:\Users\C0113c70r\Downloads\Cobian Backup
2016-08-30 09:30 - 2016-08-30 09:31 - 00000000 ____D C:\Users\C0113c70r\Documents\BleepingComputer
2016-08-30 06:00 - 2016-08-30 06:00 - 00000000 _____ C:\Recovery.txt
2016-08-29 15:34 - 2016-08-29 15:35 - 135766800 ____N (Microsoft Corporation) C:\Users\C0113c70r\Downloads\msert.exe
2016-08-29 15:28 - 2016-08-29 15:28 - 00000000 ____D C:\Windows\LastGood.Tmp
2016-08-29 14:16 - 2016-08-29 14:16 - 00000000 ____D C:\Users\C0113c70r\Downloads\Norton
2016-08-20 19:33 - 2016-08-27 22:31 - 00000000 ____D C:\Users\C0113c70r\Documents\_Genealogy
2016-08-15 18:41 - 2016-08-15 18:41 - 00000000 ____D C:\Users\C0113c70r\Documents\Punch! Software
2016-08-15 18:31 - 2016-08-15 18:31 - 00000000 ____D C:\Users\C0113c70r\AppData\Roaming\Punch! Software
2016-08-15 18:31 - 2016-08-15 18:31 - 00000000 ____D C:\ProgramData\Punch! Software
2016-08-15 18:31 - 2016-08-15 18:31 - 00000000 ____D C:\Program Files (x86)\IMSI Design
2016-08-15 15:58 - 2016-08-15 18:26 - 00000000 ____D C:\Users\C0113c70r\Downloads\IMSI TurboFloorPlan 3D Home and Landscape Pro 2015 17.5
2016-08-12 22:46 - 2016-08-30 04:21 - 00000000 ____D C:\Program Files (x86)\Q3D
2016-08-08 23:22 - 2016-08-08 23:23 - 00000000 ____D C:\Users\C0113c70r\Downloads\InDesign Scripts
2016-08-08 18:25 - 2016-08-08 18:25 - 00000000 ____D C:\Users\C0113c70r\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2016-08-08 18:16 - 2016-08-08 18:16 - 00001218 _____ C:\Users\C0113c70r\Desktop\Adobe InDesign CS5.lnk
2016-08-08 17:26 - 2016-08-08 17:26 - 00003512 _____ C:\Windows\System32\Tasks\AdobeAAMUpdater-1.0-BlueAegis-C0113c70r
2016-08-08 17:21 - 2016-08-08 17:21 - 00000000 ____D C:\ProgramData\regid.1986-12.com.adobe
2016-08-08 17:15 - 2016-08-30 04:21 - 00000000 ____D C:\Program Files\Common Files\Adobe
2016-08-08 17:15 - 2016-08-30 04:02 - 00000000 ____D C:\Program Files\Adobe
2016-08-08 17:13 - 2016-08-30 04:21 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe
2016-08-08 17:13 - 2016-08-30 04:21 - 00000000 ____D C:\Program Files (x86)\Adobe Media Player
2016-08-08 17:07 - 2016-08-30 04:08 - 00000000 ____D C:\Users\Default\AppData\Roaming\Macromedia
2016-08-08 17:07 - 2016-08-30 04:08 - 00000000 ____D C:\Users\Default User\AppData\Roaming\Macromedia
2016-08-08 16:54 - 2016-08-30 04:08 - 00000000 ____D C:\Users\C0113c70r\Desktop\Adobe InDesign CS5
2016-08-07 19:48 - 2016-08-07 19:48 - 00000117 _____ C:\Windows\捉湯牗獫䤮䥎
2016-08-05 17:00 - 2016-08-05 17:00 - 00348160 _____ C:\Windows\SysWOW64\FM20.oca
2016-08-05 16:56 - 2016-08-05 16:56 - 00090624 _____ C:\Windows\SysWOW64\MSHFLXGD.oca
2016-08-05 16:56 - 2016-08-05 16:56 - 00069632 _____ C:\Windows\SysWOW64\MSDATLST.oca
2016-08-04 20:39 - 2016-08-09 20:48 - 00000000 ____D C:\Users\C0113c70r\Documents\Adobe InDesign Projects
2016-08-04 15:25 - 2016-08-30 04:08 - 00000000 ____D C:\Users\Default\AppData\Local\Trusteer
2016-08-04 15:25 - 2016-08-30 04:08 - 00000000 ____D C:\Users\Default User\AppData\Local\Trusteer
2016-08-03 14:14 - 2016-08-03 14:14 - 00001049 _____ C:\Users\C0113c70r\Desktop\Advanced PDF Tools v1.3.lnk
2016-08-03 14:14 - 2016-08-03 14:14 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced PDF Tools v1.3
2016-08-03 14:14 - 2016-08-03 14:14 - 00000000 ____D C:\Program Files (x86)\Advanced PDF Tools v1.3

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-09-01 17:16 - 2015-05-11 05:11 - 00000000 ____D C:\Users\C0113c70r\AppData\Local\ClassicShell
2016-09-01 08:12 - 2014-03-18 16:53 - 00958356 _____ C:\Windows\system32\PerfStringBackup.INI
2016-09-01 08:12 - 2013-08-22 20:36 - 00000000 ____D C:\Windows\Inf
2016-08-31 21:47 - 2013-08-22 21:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-08-31 13:11 - 2014-04-03 06:51 - 00000000 ____D C:\Windows\Panther
2016-08-31 12:43 - 2016-06-11 05:14 - 00000000 ____D C:\Program Files (x86)\Adobe
2016-08-31 10:24 - 2016-06-26 12:28 - 00000000 ____D C:\Program Files (x86)\TrojanHunter
2016-08-31 09:37 - 2015-07-08 11:30 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-08-30 20:07 - 2016-06-11 09:19 - 00000000 ____D C:\Users\C0113c70r\Documents\DeleteMe
2016-08-30 04:21 - 2016-07-15 23:22 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Trusteer Endpoint Protection
2016-08-30 04:21 - 2016-06-29 08:36 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-08-30 04:21 - 2016-06-12 13:46 - 00000000 ____D C:\ProgramData\FLEXnet
2016-08-30 04:21 - 2015-10-30 03:42 - 00000000 ____D C:\Users\C0113c70r\AppData\Local\III
2016-08-30 04:21 - 2015-05-15 13:01 - 00000000 ___SD C:\Windows\system32\GWX
2016-08-30 04:21 - 2015-05-11 10:03 - 00000000 ____D C:\Users\C0113c70r\AppData\Local\Microsoft Help
2016-08-30 04:21 - 2015-05-11 06:01 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-08-30 04:18 - 2013-08-22 22:36 - 00000000 ___HD C:\Program Files\WindowsApps
2016-08-30 04:09 - 2013-08-22 22:36 - 00000000 ____D C:\Windows\registration
2016-08-30 04:08 - 2016-05-31 22:03 - 00000000 ____D C:\Users\C0113c70r\Documents\VB Blue Aegis
2016-08-30 04:08 - 2015-05-22 22:43 - 00000000 ____D C:\Users\C0113c70r\Documents\Stock Market Investing
2016-08-30 04:08 - 2015-05-22 22:05 - 00000000 ____D C:\Users\C0113c70r\Documents\_Family Tree 2014
2016-08-30 04:08 - 2015-05-22 21:57 - 00000000 ____D C:\Users\C0113c70r\Documents\_Family Tree
2016-08-30 04:08 - 2015-05-11 04:44 - 00000000 ____D C:\Users\C0113c70r\AppData\Roaming\Macromedia
2016-08-30 04:08 - 2015-05-11 04:32 - 00000000 ____D C:\Users\C0113c70r\AppData\Roaming\Adobe
2016-08-30 04:06 - 2015-05-11 04:32 - 00000000 ____D C:\Users\C0113c70r\AppData\Local\VirtualStore
2016-08-30 04:05 - 2015-05-11 06:27 - 00000000 ____D C:\Users\C0113c70r\AppData\Local\Adobe
2016-08-30 04:03 - 2016-06-11 05:13 - 00000000 ____D C:\ProgramData\Adobe
2016-08-29 13:48 - 2013-08-22 20:25 - 00262144 ___SH C:\Windows\system32\config\BBI
2016-08-29 13:45 - 2015-05-11 04:32 - 00000000 ____D C:\Users\C0113c70r
2016-08-29 13:44 - 2013-08-22 21:44 - 07735200 _____ C:\Windows\system32\FNTCACHE.DAT
2016-08-29 09:09 - 2015-05-16 03:35 - 00000000 ____D C:\Users\C0113c70r\Documents\My PSP Files
2016-08-29 08:44 - 2013-08-22 22:36 - 00000000 ____D C:\Windows\AppReadiness
2016-08-29 08:37 - 2016-06-05 22:00 - 00000000 ____D C:\Users\C0113c70r\Documents\Youcam
2016-08-27 08:57 - 2016-07-18 23:54 - 00000000 ____D C:\Users\C0113c70r\Documents\Shipping
2016-08-26 13:43 - 2015-05-22 22:33 - 00000000 ____D C:\Users\C0113c70r\Documents\203 Dauphin Street
2016-08-25 12:23 - 2015-06-09 09:38 - 00000000 ____D C:\Users\C0113c70r\AppData\Local\ElevatedDiagnostics
2016-08-23 22:07 - 2015-05-22 22:33 - 00000000 ____D C:\Users\C0113c70r\Documents\C0113c70r
2016-08-15 15:58 - 2015-05-11 10:25 - 02494976 ___SH C:\Users\C0113c70r\Downloads\Thumbs.db
2016-08-13 18:27 - 2015-05-11 06:27 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-08-13 17:58 - 2015-10-10 22:29 - 00000926 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-08-13 17:01 - 2015-10-10 22:29 - 00000922 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-08-12 22:58 - 2015-05-11 04:38 - 00003598 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1403587705-295510217-1205112951-1001
2016-08-12 19:48 - 2015-06-02 01:48 - 00003190 _____ C:\Windows\System32\Tasks\HPCeeScheduleForC0113c70r
2016-08-12 19:48 - 2015-06-02 01:48 - 00000368 _____ C:\Windows\Tasks\HPCeeScheduleForC0113c70r.job
2016-08-12 07:06 - 2015-05-15 08:10 - 00000000 ____D C:\Users\C0113c70r\Documents\Family Tree Maker
2016-08-09 15:29 - 2016-01-04 12:23 - 00000039 _____ C:\Windows\vbaddin.ini
2016-08-09 07:39 - 2015-05-27 12:10 - 01161432 ____N C:\Users\C0113c70r\AppData\Local\GDIPFONTCACHEV1.DAT
2016-08-08 16:50 - 2014-03-18 16:38 - 00000000 ____D C:\Windows\ShellNew
2016-08-06 20:06 - 2016-06-24 10:38 - 00029184 _____ C:\Windows\SysWOW64\MSINET.oca
2016-08-05 17:00 - 2016-05-28 12:37 - 00035328 _____ C:\Windows\SysWOW64\COMCT332.oca
2016-08-05 16:45 - 2015-07-23 22:30 - 00064000 _____ C:\Windows\SysWOW64\RICHTX32.oca
2016-08-05 15:39 - 2016-05-30 03:26 - 00065536 _____ C:\Windows\SysWOW64\MSDATGRD.oca
2016-08-05 15:39 - 2016-05-28 12:37 - 00135168 _____ C:\Windows\SysWOW64\MSCOMCT2.oca
2016-08-05 15:38 - 2016-05-30 03:26 - 00035840 _____ C:\Windows\SysWOW64\MSADODC.oca
2016-08-04 15:08 - 2016-06-04 12:32 - 00069120 _____ C:\Windows\SysWOW64\DBLIST32.oca
2016-08-03 14:16 - 2015-07-12 11:42 - 00000000 ____D C:\Users\C0113c70r\Downloads\_INSTALLED

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-08-24 22:32

==================== End of FRST.txt ============================

Attached Files


If you didn't get the answer you wanted to hear,

you were probably asking the wrong question.



#2 polskamachina (Malware Response Team)

Posted 03 September 2016 - 06:03 PM

Hi C0113c70r :)

 

My name is polskamachina and I would like to welcome you to the Malware Removal Forum. I will be helping you with your malware issues.

What follows below are some ground rules for this forum.
 
I will reply as soon as possible (typically within 24-48 hours). In turn, I ask that you please respond within 72 hours. If you know you will be away longer than that, please let me know. I am in California at GMT-7 hours (Pacific Standard Time). If I do not respond to you within 48 hours, feel free to send me a private message.

Some points for you to keep in mind:

  • Do NOT run any tools unless instructed to do so.
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine. Running any additional tools may detect false positives, interfere with our tools, cause unforeseen damage, or system instability.
  • Do not attach logs or use code boxes, just copy and paste the text.
  • I cannot see your computer. Periodically update me on the condition of your computer, and provide as much detail as you can in every post.
  • Once things seem to be working again, please do not abandon the thread. I will give an "all-clean" message at the very end.
  • NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a flash drive, anywhere except on the computer.
  • NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. Please remember to copy the entire post so you do not miss any instructions.

Please give me some time to review your situation and I will get back to you with further instructions.
 
polskamachina



#3 C0113c70r (Topic Starter)

Posted 03 September 2016 - 08:21 PM

Thank you polskamachina. Feel free to call me Roy if it will be easier for you.

Ground rules read and understood. I am constantly monitoring my posts at BC and I typically respond within just a few hours. I am in Thailand at GMT+7 and am online and checking this forum until around midnight my time (noon your time).

On 30 Aug, after these problems started and before I began requesting BC assistance, I did download, install and run Cobian Backup. My important documents have been backed up to an external drive.

 

* Edited - Wrong date... should have been 30 Aug. Sorry for the wrong info.


Edited by C0113c70r, 04 September 2016 - 12:29 AM.



#4 polskamachina (Malware Response Team)

Posted 03 September 2016 - 10:06 PM

Hi Roy,

On 08 Aug, after these problems started and before I began requesting BC assistance, I did download, install and run Cobian Backup. My important documents have been backed up to an external drive.

:thumbup2:
 
polskamachina



#5 polskamachina (Malware Response Team)

Posted 04 September 2016 - 10:43 PM

Hi Roy :)
 
I noticed in your logs remnants of a McAfee software installation. We should remove it completely since it isn't really installed.
Please start your computer in Safe Mode with Networking mode.

  • Download the McAfee Consumer Products Removal Tool to your desktop (or other folder of your choosing)
  • Double-click the program and allow it to remove everything associated with the McAfee installation
  • If a restart is required, let the system restart

Next:
 
We need to run a fix with FRST64.

  • Copy and paste the text below in its entirety into an empty Notepad window
CloseProcesses:
HKU\S-1-5-18\...\Run: [] => 0
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
2016-08-07 19:48 - 2016-08-07 19:48 - 00000117 _____ C:\Windows\捉湯牗獫䤮䥎
S1 MpKsl93049860; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\MpKsl93049860.sys [X]
HKU\S-1-5-21-1403587705-295510217-1205112951-1001\...\Run: [AdobeBridge] => [X]
AlternateDataStreams: C:\ProgramData\Temp:0B4227B4 [127]
AlternateDataStreams: C:\ProgramData\Temp:C05ABBB5 [156]
  • Save the file as fixlist.txt to your \Desktop\Security folder. Note: FRST64 and fixlist.txt need to be in the same folder in order for the fix to work
  • Close Notepad
  • Run the FRST64 program
  • When the window opens, click on the Fix button
  • The fix should only take a few moments to run
  • After completion, a log named Fixlog.txt will be created in the same folder from which FRST64 was run
  • Please copy and paste that log into your next reply to me
  • Restart your computer in Normal mode and let me know if you notice any improvement

In summary I will need from you:

  • Fixlog.txt
  • Can you start your computer in Normal mode now?

Let me know if you have any questions.
 
polskamachina



#6 C0113c70r (Topic Starter)

Posted 04 September 2016 - 11:34 PM

I downloaded and ran the McAfee Consumer Products Removal Tool. A reboot was required at the end of removal. I allowed the PC to attempt to reboot in normal mode, but that did not work so I had to reboot into Safe Mode with Networking again.

Because of the Chinese characters for the one file in the fixlist, Notepad returns the following error when I try to save the fixlist.txt file -

"C:\Users\C0113c70r\Desktop\Security\fixlist.txt This file contains characters in Unicode format which will be lost if you save this file as an ANSI encoded text file. To keep the Unicode information, click Cancel below and then select one of the Unicode options from the Encoding drop down list. Continue? [OK][Cancel]"

I went ahead and clicked OK to save the file, BUT I did not run FRST64 on it at this point because of the error message. Instead, I re-opened the fixlist.txt file and noticed that the Chinese characters had all been changed in the filename to a string of question marks. That line looks as follows -

2016-08-07 19:48 - 2016-08-07 19:48 - 00000117 _____ C:\Windows\??????

What do you recommend that I do from here? Should I remove that line from the fixlist.txt before running FRST64?




#7 polskamachina (Malware Response Team)

Posted 05 September 2016 - 12:05 AM

Hi Roy :)

 

Sorry that you experienced a problem with the fixlist. You did the correct thing by saving it as an ANSI encoded file. Let me check for a solution. Please don't run any other tools or fixes until I get back to you.

 

polskamachina



#8 C0113c70r (Topic Starter)

Posted 05 September 2016 - 11:52 AM

Thanks polskamachina.

Regarding that Chinese filename... I have been scouring the internet for information on what this file could possibly be. I have found a couple of sites that say these types of files are "created as a result of Windows trying to load non-text data as Unicode plaintext."


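The two encoding problems in this thread (the "Chinese" file name in post #8, and Notepad turning it into question marks in post #6) can be reproduced with a few lines of Python. This is an added example by the editor, not part of the original posts or of FRST. It assumes the mechanism post #8 describes: a narrow, single-byte string handed to a wide-character Windows file API, so that each pair of ASCII bytes is stored as one UTF-16LE code unit. Read that way, the 12 bytes behind the six characters in the log are the ordinary ASCII name "IconWrks.INI". It also assumes that Notepad's "ANSI" option is Windows-1252 and its "Unicode" option is UTF-16LE with a byte-order mark. The names FILENAME, decode_as_narrow_bytes, encode_as_wide_name, ansi_roundtrip and unicode_fixlist_bytes are the example's own.

```python
# Added example; not code from the BleepingComputer thread or from FRST.
# Assumption: the odd file name came from a narrow (single-byte) string being
# passed to a wide-character Windows API, so each pair of ASCII bytes became one
# UTF-16LE code unit. Undoing that is a re-encode, not a translation.
from typing import Iterable, Optional

# The hidden file name as it appears in the thread's FRST log.
FILENAME = "捉湯牗獫䤮䥎"


def decode_as_narrow_bytes(name: str) -> Optional[str]:
    """Return the ASCII text whose raw bytes, read as UTF-16LE, produce `name`.

    Returns None when those bytes are not plain ASCII, i.e. the name is more
    likely genuine CJK text than a misinterpreted narrow string.
    """
    raw = name.encode("utf-16-le")
    try:
        return raw.decode("ascii")
    except UnicodeDecodeError:
        return None


def encode_as_wide_name(narrow: str) -> str:
    """The reverse direction: how an ASCII name looks once its bytes are taken
    as UTF-16LE code units. A NUL is appended if the byte count is odd so the
    bytes split into whole code units (a convention of this example only)."""
    raw = narrow.encode("ascii")
    if len(raw) % 2:
        raw += b"\x00"
    return raw.decode("utf-16-le")


def ansi_roundtrip(line: str, codepage: str = "cp1252") -> str:
    """What Notepad's 'ANSI' save does to a fixlist line (Windows-1252 assumed):
    every character outside the code page becomes '?', so the line no longer
    names the file FRST is being asked to move."""
    return line.encode(codepage, errors="replace").decode(codepage)


def unicode_fixlist_bytes(lines: Iterable[str]) -> bytes:
    """Bytes of a fixlist saved with Notepad's 'Unicode' option, assumed to be
    UTF-16LE with a byte-order mark and CRLF line endings. Non-ANSI characters
    survive this round trip unchanged."""
    text = "\r\n".join(lines) + "\r\n"
    return b"\xff\xfe" + text.encode("utf-16-le")


if __name__ == "__main__":
    print(decode_as_narrow_bytes(FILENAME))            # IconWrks.INI
    print(ansi_roundtrip("C:\\Windows\\" + FILENAME))  # C:\Windows\??????
    print(unicode_fixlist_bytes(["CloseProcesses:", "C:\\Windows\\" + FILENAME])[:16])
```

The check is cheap and reusable: before treating a CJK-looking name in a log as suspicious, run it through decode_as_narrow_bytes; if the result is a readable ASCII name, a narrow/wide string mix-up in some installed program is the likelier explanation than malware, and the bigger risk is a fixlist that silently stops matching the file because it was saved in the wrong encoding.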


#9 polskamachina (Malware Response Team)

Posted 05 September 2016 - 04:08 PM

Hi Roy :)
 
Let's try running the fix again in Safe Mode with Networking but this time:

  • Download the attached fixlist to the folder where your FRST64 program resides, C:\Users\C0113c70r\Desktop\Security.
  • Run the FRST64 program
  • When the window opens, click on the Fix button
  • The fix should only take a few moments to run
  • After completion, a log named Fixlog.txt will be created in the same folder from which FRST64 was run
  • Please copy and paste that log into your next reply to me
  • Restart your computer in Normal mode and let me know if you notice any improvement

In summary I will need from you:

  • Fixlog.txt
  • Can you start your computer in Normal mode now?

Let me know if you have any questions.
 
polskamachina
 



#10 C0113c70r (Topic Starter)

Posted 05 September 2016 - 07:29 PM

Something is wrong with the link. I clicked the link for the attachment and got a BC page saying "Sorry, you don't have permission for that! You do not have permission to view this attachment. Need help?
* Our help documentation
* Contact the community administrator

NOTE: I then clicked the link in my first post to download the Addition.txt file, just to see if I could download the attachments from this site, and that link worked just fine.

 

Edit -

Security measures may be in place at BC to keep members from downloading files named "fixlist.txt" to keep members from trying to use others' fixlists for their problems.

Maybe if the file was renamed to something like "myfile.txt" I might be able to download it and then rename it on my end.


Edited by C0113c70r, 05 September 2016 - 07:51 PM.



#11 C0113c70r (Topic Starter)

Posted 05 September 2016 - 08:26 PM

Okay... I read the FRST64 tutorial and it said to save the file in Unicode instead of ANSI when non-ANSI characters are used, so that is what I did. I then ran the fixlist.txt through FRST64.

I allowed my computer to attempt to reboot into Normal mode. It did not work. I still got the black screen.

I am still able to login in Safe Mode. The hidden file with the Chinese filename is no longer in my C:\Windows\ directory.

Here is the Fixlog.txt...

Fix result of Farbar Recovery Scan Tool (x64) Version: 31-08-2016
Ran by C0113c70r (06-09-2016 08:01:50) Run:1
Running from C:\Users\C0113c70r\Desktop\Security
Loaded Profiles: C0113c70r (Available Profiles: C0113c70r)
Boot Mode: Safe Mode (with Networking)
==============================================

fixlist content:
*****************
CloseProcesses:
HKU\S-1-5-18\...\Run: [] => 0
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
2016-08-07 19:48 - 2016-08-07 19:48 - 00000117 _____ C:\Windows\捉湯牗獫䤮䥎
S1 MpKsl93049860; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\MpKsl93049860.sys [X]
HKU\S-1-5-21-1403587705-295510217-1205112951-1001\...\Run: [AdobeBridge] => [X]
AlternateDataStreams: C:\ProgramData\Temp:0B4227B4 [127]
AlternateDataStreams: C:\ProgramData\Temp:C05ABBB5 [156]
*****************

Processes closed successfully.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
"HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDWinLogon" => key removed successfully
C:\Windows\捉湯牗獫䤮䥎 => moved successfully
MpKsl93049860 => service removed successfully
HKU\S-1-5-21-1403587705-295510217-1205112951-1001\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge => value removed successfully
C:\ProgramData\Temp => ":0B4227B4" ADS removed successfully.
C:\ProgramData\Temp => ":C05ABBB5" ADS removed successfully.


The system needed a reboot.

==== End of Fixlog 08:01:51 ====




#12 polskamachina (Malware Response Team)

Posted 06 September 2016 - 12:57 AM

Hi Roy :)
 
Nice job figuring out the fixlist message. That was entirely my fault for not uploading it correctly.
 
Now that we've eliminated those items as contributing to your unbootable system problem, I am going to recommend that you try this procedure. It's quick and easy and there's a chance it might help.
 
===================================================
Power Drain
--------------------

  • Shut down your computer
  • Remove the power cord
  • Remove the battery if your computer is a laptop
  • Hold down the power on button for 30 seconds
  • Replace the battery as necessary
  • Plug in the power cord
  • Boot your computer and test the performance

In the meantime, I'm going to consult with staff to see if we can get you up and running as quickly as possible.

 

polskamachina



#13 C0113c70r (Topic Starter)

Posted 06 September 2016 - 01:22 AM

The Power Drain trick did not work. After doing the Power Drain I tried to boot into normal mode and got the black screen. I waited for a couple of minutes before deciding to shut back down and boot up again in Safe Mode with Networking.

I am wondering... When I manually shut down right before the black screen problem started I was online... If Microsoft Windows was in the process of installing an update in the background, could my manual shutdown have corrupted the update and resulted in this problem? Is there any scan that can be done to find out?


Edited by C0113c70r, 06 September 2016 - 01:22 AM.



#14 polskamachina (Malware Response Team)

Posted 06 September 2016 - 12:37 PM

Hi Roy :)
 

If Microsoft Windows was in the process of installing an update in the background, could my manual shutdown have corrupted the update and resulted in this problem? Is there any scan that can be done to find out?

Yes, you are correct. A manual shutdown could cause a problem like that. I am working on a fix to remedy that. :busy:

 

polskamachina



#15 C0113c70r (Topic Starter)

Posted 06 September 2016 - 08:28 PM

Thank you polskamachina.






