Windows 7 failed to load


This topic is locked
50 replies to this topic

#1 HerrBack


Posted 21 January 2017 - 07:06 PM

Hi everybody,

I have a similar problem to this user:
https://www.bleepingcomputer.com/forums/t/448339/windows-failed-to-start-system-repair-cant-discover-problem/
and this one
https://www.bleepingcomputer.com/forums/t/633720/windows-7-failed-to-load/

I am unable to boot the computer and the Windows Repair won't work. It displays an error like this:

The Windows Repair Problem Signature
Problem Event Name: Startup Repair Offline
Problem Signature 1: 6.1.7600.16385
Problem Signature 2: 6.1.7600.16385
...

I ran the FRST64 scan for more information about possible problems. Unfortunately I am not a computer expert so I can't decide if anything is wrong. The problems started before X-mas.

Please see log FRST64 log file below.

I would really appreciate some help as the computer is my father's and I am trying to help him fix it.

Greetings

Jon

 

LOG FILE BELOW
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 18-01-2017
Ran by SYSTEM on MININT-UC640HP (21-01-2017 22:28:48)
Running from G:\
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: Svenska (Sverige)
Internet Explorer Version 11
Boot Mode: Recovery
Default: ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [10038304 2010-01-29] (Realtek Semiconductor)
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1340192 2016-01-29] (Microsoft Corporation)
HKLM-x32\...\Run: [KeePass 2 PreLoad] => C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe [2117632 2014-07-06] (Dominik Reichl)
HKLM\...\RunOnce: [*WerKernelReporting] => C:\Windows\SYSTEM32\WerFault.exe [415232 2009-07-14] (Microsoft Corporation)
HKLM\...\RunOnce: [*Restore] => C:\Windows\system32\rstrui.exe [296960 2016-04-09] (Microsoft Corporation)
Startup: C:\Users\Ulf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2016-11-28]
ShortcutTarget: Dropbox.lnk ->  (No File)
Startup: C:\Users\Ulf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EvernoteClipper.lnk [2014-08-10]
ShortcutTarget: EvernoteClipper.lnk ->  (No File)
Startup: C:\Users\Ulf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EvernoteTray.lnk [2014-08-10]
ShortcutTarget: EvernoteTray.lnk ->  (No File)
Startup: C:\Users\Ulf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LibreOffice 3.5.lnk [2012-08-21]
ShortcutTarget: LibreOffice 3.5.lnk -> C:\Program Files (x86)\LibreOffice 3.5\program\quickstart.exe (No File)
GroupPolicy\User: Restriction <======= ATTENTION
GroupPolicyUsers\S-1-5-21-439633082-3305728546-597235088-1007\User: Restriction - Chrome <======= ATTENTION
GroupPolicyUsers\S-1-5-21-439633082-3305728546-597235088-1006\User: Restriction <======= ATTENTION
GroupPolicyUsers\S-1-5-21-439633082-3305728546-597235088-1003\User: Restriction <======= ATTENTION
GroupPolicyScripts: Restriction <======= ATTENTION

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
S2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2016-01-29] (Microsoft Corporation)
S3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [374344 2016-01-29] (Microsoft Corporation)
S2 NitroReaderDriverReadSpool3; C:\Program Files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe [230416 2013-07-26] (Nitro PDF Software)
S2 Secunia PSI Agent; C:\Program Files (x86)\Secunia\PSI\PSIA.exe [1328736 2012-09-24] (Secunia)
S2 Secunia Update Agent; C:\Program Files (x86)\Secunia\PSI\sua.exe [656480 2012-09-24] (Secunia)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 camdrv42; C:\Windows\System32\DRIVERS\camdrv42.sys [1533952 2007-05-04] ()
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-10-05] (Malwarebytes Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [289120 2015-11-13] (Microsoft Corporation)
S3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15416 2009-07-16] ()
S0 NDIS; C:\Windows\System32\drivers\ndis.sys [950720 2015-10-13] ()
S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [133816 2015-11-13] (Microsoft Corporation)
S3 Tdsshbecr; C:\Windows\System32\DRIVERS\shbecr.sys [50176 2008-09-22] (Todos Data System AB)
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S3 vmci; \SystemRoot\system32\DRIVERS\vmci.sys [X]
S3 VMnetAdapter; system32\DRIVERS\vmnetadapter.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-01-21 22:28 - 2017-01-21 22:28 - 00000000 ____D C:\FRST

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)


ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-439633082-3305728546-597235088-1003\$b6218d23f9e7bc15363a4b7e930f0c6e

Some files in TEMP:
====================
C:\Users\Ulf\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpj2rhno.dll
C:\Users\Ulf\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Ulf\AppData\Local\Temp\vlc-2.2.1-win32.exe


==================== Known DLLs (Whitelisted) =========================

[2016-04-10 10:18] - [2016-02-03 19:58] - 0862208 ____A () C:\Windows\System32\OLEAUT32.dll
[2016-07-19 12:52] - [2016-06-10 18:45] - 2392576 ____A () C:\Windows\SysWOW64\WININET.dll

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe
[2016-07-06 13:38] - [2016-04-09 06:53] - 3231232 ____A (Microsoft Corporation) 9DA3B83F80E205B6C601EEE1312FD0A0

C:\Windows\SysWOW64\explorer.exe
[2016-07-06 13:38] - [2016-04-09 06:44] - 2973184 ____A (Microsoft Corporation) 3DA48EA028AD771C5B71727F0C3984E9

C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\dnsapi.dll => MD5 is legit
C:\Windows\SysWOW64\dnsapi.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Association (Whitelisted) =============


==================== Restore Points =========================


==================== Memory info ===========================

Percentage of memory in use: 13%
Total physical RAM: 6135.12 MB
Available physical RAM: 5335.67 MB
Total Virtual: 6133.32 MB
Available Virtual: 5348.5 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:55.8 GB) (Free:8.92 GB) NTFS
Drive d: (Data) (Fixed) (Total:931.51 GB) (Free:813.47 GB) NTFS
Drive f: (GSP1RMCPRXFREO_SV_DVD) (CDROM) (Total:2.97 GB) (Free:0 GB) UDF
Drive g: () (Removable) (Total:14.31 GB) (Free:14.31 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (Reserverad av systemet) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 55.9 GB) (Disk ID: 5EEBD84B)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=55.8 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 931.5 GB) (Disk ID: 011AA696)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (Size: 14.3 GB) (Disk ID: 00000000)

Partition: GPT.

LastRegBack: 2016-08-06 12:42

==================== End of FRST.txt ============================

 




 


#2 JSntgRvr


Posted 21 January 2017 - 10:13 PM

Hi, and welcome.

Let's give it a try.

Download the attached file fixlist.txt and save it in the same directory FRST64 is saved (Desktop).
  • Start FRST64.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.
Please copy and paste its contents in your next reply.

Retry Normal Mode and let me know the outcome.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 HerrBack


Posted 22 January 2017 - 05:13 AM

Hello

Thx for the quick response. I ran the FRST64 with the Fixlist.txt. Unfortunately there was no change in the bootup process. Please see the Fixlog.txt below.

Regards
Jon

Fix result of Farbar Recovery Scan Tool (x64) Version: 18-01-2017
Ran by SYSTEM (22-01-2017 11:05:54) Run:1
Running from G:\
Boot Mode: Recovery
==============================================

fixlist content:
*****************
HKLM\...\RunOnce: [*WerKernelReporting] => C:\Windows\SYSTEM32\WerFault.exe [415232 2009-07-14] (Microsoft Corporation)
HKLM\...\RunOnce: [*Restore] => C:\Windows\system32\rstrui.exe [296960 2016-04-09] (Microsoft Corporation)
Startup: C:\Users\Ulf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2016-11-28]
ShortcutTarget: Dropbox.lnk ->  (No File)
Startup: C:\Users\Ulf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EvernoteClipper.lnk [2014-08-10]
ShortcutTarget: EvernoteClipper.lnk ->  (No File)
Startup: C:\Users\Ulf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EvernoteTray.lnk [2014-08-10]
ShortcutTarget: EvernoteTray.lnk ->  (No File)
Startup: C:\Users\Ulf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LibreOffice 3.5.lnk [2012-08-21]
ShortcutTarget: LibreOffice 3.5.lnk -> C:\Program Files (x86)\LibreOffice 3.5\program\quickstart.exe (No File)
GroupPolicy\User: Restriction <======= ATTENTION
GroupPolicyUsers\S-1-5-21-439633082-3305728546-597235088-1007\User: Restriction - Chrome <======= ATTENTION
GroupPolicyUsers\S-1-5-21-439633082-3305728546-597235088-1006\User: Restriction <======= ATTENTION
GroupPolicyUsers\S-1-5-21-439633082-3305728546-597235088-1003\User: Restriction <======= ATTENTION
GroupPolicyScripts: Restriction <======= ATTENTION
C:\$Recycle.Bin\S-1-5-21-439633082-3305728546-597235088-1003\$b6218d23f9e7bc15363a4b7e930f0c6e
C:\Users\Ulf\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpj2rhno.dll
C:\Users\Ulf\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Ulf\AppData\Local\Temp\vlc-2.2.1-win32.exe

*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\\*WerKernelReporting => value removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\\*Restore => value removed successfully
C:\Users\Ulf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk => moved successfully
ShortcutTarget: Dropbox.lnk ->  (No File) => not found.
C:\Users\Ulf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EvernoteClipper.lnk => moved successfully
ShortcutTarget: EvernoteClipper.lnk ->  (No File) => not found.
C:\Users\Ulf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EvernoteTray.lnk => moved successfully
ShortcutTarget: EvernoteTray.lnk ->  (No File) => not found.
C:\Users\Ulf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LibreOffice 3.5.lnk => moved successfully
C:\Program Files (x86)\LibreOffice 3.5\program\quickstart.exe => not found.
C:\Windows\System32\GroupPolicy\User => moved successfully
C:\Windows\System32\GroupPolicy\GPT.ini => moved successfully
C:\Windows\System32\GroupPolicyUsers\S-1-5-21-439633082-3305728546-597235088-1007\User => moved successfully
C:\Windows\System32\GroupPolicyUsers\S-1-5-21-439633082-3305728546-597235088-1006\User => moved successfully
C:\Windows\System32\GroupPolicyUsers\S-1-5-21-439633082-3305728546-597235088-1003\User => moved successfully
C:\Windows\System32\GroupPolicy\Machine => moved successfully
C:\$Recycle.Bin\S-1-5-21-439633082-3305728546-597235088-1003\$b6218d23f9e7bc15363a4b7e930f0c6e => moved successfully
C:\Users\Ulf\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpj2rhno.dll => moved successfully
C:\Users\Ulf\AppData\Local\Temp\SkypeSetup.exe => moved successfully
C:\Users\Ulf\AppData\Local\Temp\vlc-2.2.1-win32.exe => moved successfully

==== End of Fixlog 11:05:54 ====
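As an added example (not code from the thread or from the Farbar tools), the script below reads an FRST log and pulls out the same kinds of entries the fixlist in the Fixlog above targeted, producing a draft fixlist for a human to review. The sample log is constructed in FRST's line format; the shortcut Notes.lnk and its vendor are made up as benign entries that must not be picked up.

```python
"""Triage an FRST.txt log into a draft fixlist. Added example for this thread,
not code from FRST or from the posters: it pulls out the entry kinds the fixlist
above targeted (lines FRST flags with '<======= ATTENTION', pending RunOnce
values, Startup shortcuts whose target is '(No File)', paths under a
'ZeroAccess:' heading and files under 'Some files in TEMP:'). The result is a
draft for a human to check against the rest of the log, not input to run unread."""
from collections import Counter

# Constructed sample in FRST's line format. 'Notes.lnk' and its vendor are made up,
# as benign entries (valid shortcut target, a known service) that must not be picked up.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ====================

HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1340192 2016-01-29] (Microsoft Corporation)
HKLM\...\RunOnce: [*Restore] => C:\Windows\system32\rstrui.exe [296960 2016-04-09] (Microsoft Corporation)
Startup: C:\Users\Ulf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2016-11-28]
ShortcutTarget: Dropbox.lnk ->  (No File)
Startup: C:\Users\Ulf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notes.lnk [2016-11-28]
ShortcutTarget: Notes.lnk -> C:\Program Files\Notes\notes.exe (Example Vendor)
GroupPolicy\User: Restriction <======= ATTENTION
GroupPolicyScripts: Restriction <======= ATTENTION

==================== Services (Whitelisted) ====================

S2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2016-01-29] (Microsoft Corporation)

==================== One Month Modified files and folders ========

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-439633082-3305728546-597235088-1003\$b6218d23f9e7bc15363a4b7e930f0c6e

Some files in TEMP:
====================
C:\Users\Ulf\AppData\Local\Temp\SkypeSetup.exe

==================== Known DLLs (Whitelisted) =========================
"""

REASON_ATTENTION = 'policy restriction flagged by FRST'
REASON_RUNONCE = 'pending RunOnce value (runs at the next logon)'
REASON_ORPHAN_LNK = 'Startup shortcut whose target is missing'
REASON_ZEROACCESS = 'path under the ZeroAccess heading'
REASON_TEMP = 'file dropped in TEMP'


def triage_frst(log_text):
    """Return [(reason, log line)] for every line a reviewer should look at."""
    findings = []
    section = None                # 'zeroaccess' or 'temp' while inside those blocks
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        text = line.strip()
        if not text:
            section = None        # both blocks end at the first blank line
            continue
        if set(text) == {'='}:
            continue              # bare underline, e.g. below 'Some files in TEMP:'
        if text.startswith('===='):
            section = None        # a titled divider starts a new FRST section
            continue
        if text == 'ZeroAccess:':
            section = 'zeroaccess'
            continue
        if text == 'Some files in TEMP:':
            section = 'temp'
            continue
        if section == 'zeroaccess':
            findings.append((REASON_ZEROACCESS, text))
        elif section == 'temp':
            findings.append((REASON_TEMP, text))
        elif '<======= ATTENTION' in text:
            findings.append((REASON_ATTENTION, text))
        elif '\\RunOnce:' in text:
            findings.append((REASON_RUNONCE, text))
        elif text.startswith('ShortcutTarget:') and text.endswith('(No File)'):
            # FRST prints the Startup: line directly above its ShortcutTarget:
            # line, and the fixlist in the Fixlog above carries both.
            if i > 0 and lines[i - 1].strip().startswith('Startup:'):
                findings.append((REASON_ORPHAN_LNK, lines[i - 1].strip()))
            findings.append((REASON_ORPHAN_LNK, text))
    return findings


def draft_fixlist(findings):
    """Unique log lines in log order: the form the fixlist.txt in this thread took."""
    seen, out = set(), []
    for _, text in findings:
        if text not in seen:
            seen.add(text)
            out.append(text)
    return out


def count_by_reason(findings):
    return Counter(reason for reason, _ in findings)
```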



#4 JSntgRvr


Posted 22 January 2017 - 10:10 AM

Please download Listparts to a flash drive.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

Plug the flash drive into the infected PC.

From an Off position in the computer, enter the System Recovery Options. (You must start with your computer off.)

To enter the System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:


Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\ListParts.exe (for the 64-bit version type e:\ListParts64.exe) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Put a check mark on List BCD.
  • Press Scan button.
  • It will make a log (Result.txt) in the flash drive. Please copy and paste it to your reply.



#5 HerrBack


Posted 22 January 2017 - 10:53 AM

Hello again!

I ran the ListParts64 and here is the log - Result.txt

 

Thx
Jon

 

ListParts by Farbar Version: 31-07-2014
Ran by SYSTEM (administrator) on 22-01-2017 at 16:50:17
Windows 7 (X64)
Running From: G:\
Language: Svenska (Sverige)
************************************************************

========================= Memory info ======================

Percentage of memory in use: 10%
Total physical RAM: 6135.12 MB
Available physical RAM: 5505.25 MB
Total Pagefile: 6133.32 MB
Available Pagefile: 5479.3 MB
Total Virtual: 8192 MB
Available Virtual: 8191.93 MB

======================= Partitions =========================

1 Drive c: (Reserverad av systemet) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (Data) (Fixed) (Total:931.51 GB) (Free:813.32 GB) NTFS
3 Drive e: () (Fixed) (Total:55.8 GB) (Free:8.62 GB) NTFS
4 Drive f: (GSP1RMCPRXFREO_SV_DVD) (CDROM) (Total:2.97 GB) (Free:0 GB) UDF
5 Drive g: () (Removable) (Total:14.31 GB) (Free:14.31 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

  Disk nr   Status         Storlek  Ledigt   Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk nr 0    Online           55 G B      0 B         
  Disk nr 1    Online          931 G B      0 B         
  Disk nr 2    Online           14 G B      0 B         


Partitions of Disk 0:
===============

Disk 0 är nu den valda disken.

Disk-ID: 5EEBD84B

  Partitionsnr   Typ               Storlek  Start
  -------------  ----------------  -------  -------
  Partitionsnr 1    Primär             100 M   1024 K
  Partitionsnr 2    Primär              55 G    101 M

======================================================================================================

Disk: 0
Disk 0 är nu den valda disken.

Partition 1 är nu den valda partitionen.

Partition 1
Typ   : 07
Dold  : Nej
Aktiv : Ja
Offset i byte: 1048576

  Volymnr     Enh  Etikett      Fils.  Typ         Storlek  Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volymnr 1     C   Reserverad   NTFS   Partition    100 M   Felfri             

======================================================================================================

Disk: 0
Disk 0 är nu den valda disken.

Partition 2 är nu den valda partitionen.

Partition 2
Typ   : 07
Dold  : Nej
Aktiv : Nej
Offset i byte: 105906176

  Volymnr     Enh  Etikett      Fils.  Typ         Storlek  Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volymnr 2     E                NTFS   Partition     55 G   Felfri             

======================================================================================================

Partitions of Disk 1:
===============

Disk 1 är nu den valda disken.

Disk-ID: 011AA696

  Partitionsnr   Typ               Storlek  Start
  -------------  ----------------  -------  -------
  Partitionsnr 1    Primär             931 G     31 K

======================================================================================================

Disk: 1
Disk 1 är nu den valda disken.

Partition 1 är nu den valda partitionen.

Partition 1
Typ   : 07
Dold  : Nej
Aktiv : Nej
Offset i byte: 32256

  Volymnr     Enh  Etikett      Fils.  Typ         Storlek  Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volymnr 3     D   Data         NTFS   Partition    931 G   Felfri             

======================================================================================================

Partitions of Disk 2:
===============

Disk 2 är nu den valda disken.

Disk-ID: 00000000

  Partitionsnr   Typ               Storlek  Start
  -------------  ----------------  -------  -------
  Partitionsnr 1    Primär              14 G     16 K

======================================================================================================

Disk: 2
Disk 2 är nu den valda disken.

Partition 1 är nu den valda partitionen.

Partition 1
Typ   : 0C
Dold  : Nej
Aktiv : Nej
Offset i byte: 16384

  Volymnr     Enh  Etikett      Fils.  Typ         Storlek  Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volymnr 4     G                FAT32  Flyttbar      14 G   Felfri             

======================================================================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: 5EEBD84B
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=56 GB) - (Type=07 NTFS)

==============================
Partitions of Disk 1:
===============
Disk ID: 011AA696
Partition 1: (Not Active) - (Size=932 GB) - (Type=07 NTFS)

==============================
Partitions of Disk 2:
===============
Disk ID: 00000000

Partition: GPT Partition Type.


Starthanteraren
---------------
identifier              {bootmgr}
device                  partition=C:
description             Windows Boot Manager
locale                  sv-SE
inherit                 {globalsettings}
default                 {default}
resumeobject            {8aaff59d-1afe-11e0-a36e-bd6f474ff761}
displayorder            {default}
toolsdisplayorder       {memdiag}
timeout                 30

Startinläsaren
--------------
identifier              {default}
device                  partition=E:
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  sv-SE
inherit                 {bootloadersettings}
recoverysequence        {8aaff59f-1afe-11e0-a36e-bd6f474ff761}
recoveryenabled         Yes
osdevice                partition=E:
systemroot              \Windows
resumeobject            {8aaff59d-1afe-11e0-a36e-bd6f474ff761}
nx                      OptIn

Startinläsaren
--------------
identifier              {8aaff59f-1afe-11e0-a36e-bd6f474ff761}
device                  ramdisk=[E:]\Recovery\8aaff59f-1afe-11e0-a36e-bd6f474ff761\Winre.wim,{8aaff5a0-1afe-11e0-a36e-bd6f474ff761}
path                    \windows\system32\winload.exe
description             Windows Recovery Environment
inherit                 {bootloadersettings}
osdevice                ramdisk=[E:]\Recovery\8aaff59f-1afe-11e0-a36e-bd6f474ff761\Winre.wim,{8aaff5a0-1afe-11e0-a36e-bd6f474ff761}
systemroot              \windows
nx                      OptIn
winpe                   Yes

Start från viloläge
-------------------
identifier              {8aaff59d-1afe-11e0-a36e-bd6f474ff761}
device                  partition=E:
path                    \Windows\system32\winresume.exe
description             Windows Resume Application
locale                  sv-SE
inherit                 {resumeloadersettings}
filedevice              partition=E:
filepath                \hiberfil.sys
debugoptionenabled      No

Minnestestaren
--------------
identifier              {memdiag}
device                  partition=C:
path                    \boot\memtest.exe
description             Windows Minnesdiagnostik
locale                  sv-SE
inherit                 {globalsettings}
badmemoryaccess         Yes

EMS-inställningar
-----------------
identifier              {emssettings}
bootems                 Yes

Inställningar för felsökare
---------------------------
identifier              {dbgsettings}
debugtype               Serial
debugport               1
baudrate                115200

RAM-fel
-------
identifier              {badmemory}

Globala inställningar
---------------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}

Inställningar för Startinläsaren
------------------------------
identifier              {bootloadersettings}
inherit                 {globalsettings}
                        {hypervisorsettings}

Hypervisorinställningar
-------------------
identifier              {hypervisorsettings}
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200

Återställ inställningar för inläsaren
-------------------------------------
identifier              {resumeloadersettings}
inherit                 {globalsettings}

Enhetsalternativ
----------------
identifier              {8aaff5a0-1afe-11e0-a36e-bd6f474ff761}
description             Ramdisk Options
ramdisksdidevice        partition=E:
ramdisksdipath          \Recovery\8aaff59f-1afe-11e0-a36e-bd6f474ff761\boot.sdi


****** End Of Log ******



#6 HerrBack


Posted 22 January 2017 - 10:54 AM

By the way, I booted the computer from the Windows Repair Disc to get into the Recovery Console.



#7 JSntgRvr


Posted 22 January 2017 - 01:14 PM

From an Off position, bring the computer to a command prompt in the Recovery Environment. At the prompt type the following and press Enter:

CHKDSK /R E:

 

This will check the disk partition Windows is installed on. It will take some time. Let me know if repairs are done.

 

Once completed, type the following at the prompt and press Enter. (Use the correct syntax)

 

SFC /ScanNow /offbootdir=C:\ /offwindir=E:\Windows

 

This will check the integrity of the file system and perform any repairs needed.

 

 

Let me know the outcome.


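The SFC command in this post depends on the drive letters as seen from the recovery environment, where (per the ListParts BCD listing above) the 100 MB boot partition is C: and the Windows volume is E:. As an added example that is not code from the thread or from any Farbar tool, this Python parser reads a bcdedit-style listing (as that listing shows, only the section titles are translated; the keys are the same in every locale) and derives the /offbootdir and /offwindir arguments from the {bootmgr} device and the default loader's osdevice, rejecting a WinRE ramdisk entry. The sample listing is trimmed from that log; function names are my own.

```python
"""Derive the /offbootdir and /offwindir arguments for an offline SFC run from a
bcdedit-style BCD listing. Added example, not part of the thread or of any
Farbar tool: under the recovery environment the volumes carry different letters
from the installed system, so the letters are read off {bootmgr}'s device and
the default loader's osdevice instead of being assumed."""
import re

KEY_RE = re.compile(r'^([a-z]+)\s{2,}(.+?)\s*$')      # 'identifier   {bootmgr}'
PARTITION_RE = re.compile(r'^partition=([A-Za-z]):$')

# Trimmed from the ListParts BCD listing in the thread: Swedish section titles,
# locale-independent keys; only the keys used below are kept.
SAMPLE_BCD = r"""
Starthanteraren
---------------
identifier              {bootmgr}
device                  partition=C:
description             Windows Boot Manager
default                 {default}

Startinläsaren
--------------
identifier              {default}
device                  partition=E:
description             Windows 7
osdevice                partition=E:
systemroot              \Windows

Startinläsaren
--------------
identifier              {8aaff59f-1afe-11e0-a36e-bd6f474ff761}
device                  ramdisk=[E:]\Recovery\8aaff59f-1afe-11e0-a36e-bd6f474ff761\Winre.wim,{8aaff5a0-1afe-11e0-a36e-bd6f474ff761}
description             Windows Recovery Environment
osdevice                ramdisk=[E:]\Recovery\8aaff59f-1afe-11e0-a36e-bd6f474ff761\Winre.wim,{8aaff5a0-1afe-11e0-a36e-bd6f474ff761}
systemroot              \windows
winpe                   Yes

Globala inställningar
---------------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}
"""


def parse_bcd(text):
    """One dict per entry; '_title' keeps the localised heading, other keys are as printed."""
    entries = []
    for block in re.split(r'\n\s*\n', text.strip()):
        lines = block.splitlines()
        entry = {'_title': lines[0].strip()}
        last_key = None
        for line in lines[1:]:
            if not line.strip() or set(line.strip()) == {'-'}:
                continue                                   # underline below the heading
            m = KEY_RE.match(line)
            if m:
                last_key, value = m.groups()
                entry[last_key] = value
            elif last_key and line[:1].isspace():
                entry[last_key] += ' ' + line.strip()      # continuation of 'inherit'
        entries.append(entry)
    return entries


def by_identifier(entries, ident):
    for entry in entries:
        if entry.get('identifier') == ident:
            return entry
    raise ValueError('no BCD entry with identifier ' + ident)


def partition_letter(value):
    """'partition=E:' -> 'E'; ramdisk=, vhd= and the like give None."""
    m = PARTITION_RE.match(value or '')
    return m.group(1).upper() if m else None


def offline_sfc_args(entries):
    """Return {'offbootdir', 'offwindir'} for 'SFC /ScanNow' against an offline install."""
    bootmgr = by_identifier(entries, '{bootmgr}')
    boot_letter = partition_letter(bootmgr.get('device'))
    if boot_letter is None:
        raise ValueError('boot manager device is not a partition: %r' % bootmgr.get('device'))
    loader = by_identifier(entries, bootmgr.get('default', '{default}'))
    os_letter = partition_letter(loader.get('osdevice'))
    # A WinPE/WinRE loader or a ramdisk device is not an installed Windows to repair.
    if loader.get('winpe') == 'Yes' or os_letter is None:
        raise ValueError('default entry is not an installed Windows: %r' % loader.get('osdevice'))
    return {'offbootdir': boot_letter + ':\\',
            'offwindir': os_letter + ':' + loader.get('systemroot', '\\Windows')}


def sfc_command(args):
    return 'SFC /ScanNow /offbootdir=%s /offwindir=%s' % (args['offbootdir'], args['offwindir'])
```

Running sfc_command(offline_sfc_args(parse_bcd(SAMPLE_BCD))) reproduces the command given in this post.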


#8 HerrBack


Posted 22 January 2017 - 01:40 PM

Hello

 

I ran CHKDSK /R E: with repairs done (see below, some in Swedish)

X:\sources>CHKDSK /R E:
Filsystemet är av typen NTFS.

CHKDSK verifierar filer (steg 1 av 5)...
  253184 filposter har behandlats.
Filverifieringen är klar.
  1695 stora filposter har behandlats.
  0 skadade filposter har behandlats.
  4 EA-poster har behandlats.
  128 referensposter har behandlats.
CHKDSK verifierar index (steg 2 av 5)...
  325778 indexposter har behandlats.
Indexverifieringen är klar.
  0 oindexerade filer har genomsökts.
  0 oindexerade filer har återställts.
CHKDSK verifierar säkerhetsbeskrivare (steg 3 av 5)...
  253184 fil-SD/SID-poster har behandlats.
Verifieringen av säkerhetsbeskrivare är klar.
  36298 datafiler har behandlats.
CHKDSK verifierar USN-journalen...
  36564072 USN-byte har behandlats.
Verifieringen av USN-journalen är klar.
CHKDSK verifierar fildata (steg 4 av 5)...
41 procent klart. (66300 av 253168 filer har behandlats)
Windows ersatte skadade kluster i filen 66801
med namnet \PROGRA~3\MICROS~1\Windows\WER\REPORT~2\KE9C01~1\WER-11~1.XML.
43 procent klart. (116860 av 253168 filer har behandlats)
Windows ersatte skadade kluster i filen 116887
med namnet \PROGRA~3\MICROS~1\MICROS~2\Scans\MPCACH~1.79.
46 procent klart. (245175 av 253168 filer har behandlats)
Windows ersatte skadade kluster i filen 246596
med namnet \PROGRA~3\MICROS~1\Windows\WER\REPORT~1\NONCRI~4.190\Report.wer.
  253168 filer har behandlats.
Verifieringen av filinformationen är klar.
CHKDSK verifierar ledigt diskutrymme (steg 5 av 5)...
  2263092 lediga kluster har bearbetats.
Verifieringen av ledigt diskutrymme är klar.
CHKDSK hittade ledigt diskutrymme som markerats som
allokerat i MFT-bitmappen.
CHKDSK hittade ledigt diskutrymme markerat som allokerat i volymbitmappen.
Korrigeringar har gjorts i filsystemet.

  58510335 kB diskutrymme totalt.
  48973364 kB i 174651 filer.
    124616 kB i 36299 index.
         0 kB i skadade sektorer.
    359987 kB används av operativsystemet.
     65536 kB hårddisksutrymme används av loggfilen.
   9052368 kB ledigt utrymme.

      4096 byte i varje allokeringsenhet.
  14627583 allokeringsenheter finns totalt på disken.
   2263092 allokeringsenheter är tillgängliga på disken.
 

 

I also ran SFC /ScanNow /offbootdir=C:\ /offwindir=E:\Windows with no repairs or corrections.

Should I try and boot the computer?

Regards

 



#9 JSntgRvr


Posted 22 January 2017 - 05:00 PM

Yes.




#10 HerrBack


Posted 22 January 2017 - 05:23 PM

Unfortunately no luck. When booting, the computer goes into Automatic Repair as before and eventually fails. Any ideas of what to do next?
Regards
Jon



#11 JSntgRvr


Posted 22 January 2017 - 05:27 PM

Any error messages?

 

Run FRST once again and post the new FRST.txt log.




#12 HerrBack


Posted 22 January 2017 - 06:42 PM

Yes, after Automatic Repair fails you get this error description:

The Windows Repair Problem Signature
Problem Event Name: Startup Repair Offline
Problem Signature 1: 6.1.7600.16385
Problem Signature 2: 6.1.7600.16385
Problem Signature 3: Unknown
Problem Signature 4: 21200642
Problem Signature 5: AutoFailover
Problem Signature 6: 34
Problem Signature 7: BadDriver
OS Version: 6.1.7601.2.1.0.256.1
Locale ID: 1053

 

The FRST returned this log (with all the options included):

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 18-01-2017
Ran by SYSTEM on MININT-JBJLO3V (23-01-2017 00:37:01)
Running from G:\
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: Svenska (Sverige)
Internet Explorer Version 11
Boot Mode: Recovery
Default: ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [10038304 2010-01-29] (Realtek Semiconductor)
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1340192 2016-01-29] (Microsoft Corporation)
HKLM-x32\...\Run: [KeePass 2 PreLoad] => C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe [2117632 2014-07-06] (Dominik Reichl)

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
S2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2016-01-29] (Microsoft Corporation)
S3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [374344 2016-01-29] (Microsoft Corporation)
S2 NitroReaderDriverReadSpool3; C:\Program Files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe [230416 2013-07-26] (Nitro PDF Software)
S2 Secunia PSI Agent; C:\Program Files (x86)\Secunia\PSI\PSIA.exe [1328736 2012-09-24] (Secunia)
S2 Secunia Update Agent; C:\Program Files (x86)\Secunia\PSI\sua.exe [656480 2012-09-24] (Secunia)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 camdrv42; C:\Windows\System32\DRIVERS\camdrv42.sys [1533952 2007-05-04] ()
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-10-05] (Malwarebytes Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [289120 2015-11-13] (Microsoft Corporation)
S3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15416 2009-07-16] ()
S0 NDIS; C:\Windows\System32\drivers\ndis.sys [950720 2015-10-13] ()
S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [133816 2015-11-13] (Microsoft Corporation)
S3 Tdsshbecr; C:\Windows\System32\DRIVERS\shbecr.sys [50176 2008-09-22] (Todos Data System AB)
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S3 vmci; \SystemRoot\system32\DRIVERS\vmci.sys [X]
S3 VMnetAdapter; system32\DRIVERS\vmnetadapter.sys [X]

========================== Drivers MD5 =======================

C:\Windows\system32\drivers\1394ohci.sys ==> MD5 is legit
C:\Windows\System32\drivers\ACPI.sys ==> MD5 is legit
C:\Windows\system32\drivers\acpipmi.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\adp94xx.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\adpahci.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\adpu320.sys ==> MD5 is legit
C:\Windows\system32\drivers\afd.sys 9A4A1EEE802BF2F878EE8EAB407B21B7
C:\Windows\system32\drivers\agp440.sys ==> MD5 is legit
C:\Windows\system32\drivers\aliide.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdide.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\amdk8.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\amdppm.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdsata.sys D4121AE6D0C0E7E13AA221AA57EF2D49
C:\Windows\system32\DRIVERS\amdsbs.sys ==> MD5 is legit
C:\Windows\System32\drivers\amdxata.sys 540DAF1CEA6094886D72126FD7C33048
C:\Windows\system32\drivers\appid.sys 6474F8823C7188D2DA579F01FB6CED6B
C:\Windows\system32\DRIVERS\arc.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\arcsas.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\asyncmac.sys ==> MD5 is legit
C:\Windows\System32\drivers\atapi.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\bxvbda.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\b57nd60a.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Beep.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\blbdrive.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\bowser.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\BrFiltLo.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\BrFiltUp.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Brserid.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BrSerWdm.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BrUsbMdm.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BrUsbSer.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\bthmodem.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\camdrv42.sys 19C8E65DC74D8240C3C8BE0F8751B17E
C:\Windows\System32\DRIVERS\cdfs.sys ==> MD5 is legit
C:\Windows\system32\drivers\cdrom.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\circlass.sys ==> MD5 is legit
C:\Windows\System32\CLFS.sys 404B7DF9CA4D1CB675045AF220FF3285
C:\Windows\system32\DRIVERS\CmBatt.sys ==> MD5 is legit
C:\Windows\system32\drivers\cmdide.sys ==> MD5 is legit
C:\Windows\System32\Drivers\cng.sys 3323F76352B0AF14B2CDC4DFBF3E980A
C:\Windows\system32\DRIVERS\compbatt.sys ==> MD5 is legit
C:\Windows\system32\drivers\CompositeBus.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\crcdisk.sys ==> MD5 is legit
C:\Windows\System32\drivers\csc.sys ==> MD5 is legit
C:\Windows\System32\Drivers\dfsc.sys ==> MD5 is legit
C:\Windows\System32\drivers\discache.sys ==> MD5 is legit
C:\Windows\System32\drivers\disk.sys 616387BBD83372220B09DE95F4E67BBC
C:\Windows\system32\drivers\drmkaud.sys 26FE888505E5A945B0536AF9A2A27A6F
C:\Windows\System32\drivers\dxgkrnl.sys 723545858DF4B8485F09C85D8119B0C0
C:\Windows\system32\DRIVERS\evbda.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\elxstor.sys ==> MD5 is legit
C:\Windows\system32\drivers\errdev.sys ==> MD5 is legit
C:\Windows\System32\Drivers\exfat.sys ==> MD5 is legit
C:\Windows\System32\Drivers\fastfat.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\fdc.sys ==> MD5 is legit
C:\Windows\System32\drivers\fileinfo.sys ==> MD5 is legit
C:\Windows\System32\drivers\filetrace.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\flpydisk.sys ==> MD5 is legit
C:\Windows\System32\drivers\fltmgr.sys ==> MD5 is legit
C:\Windows\System32\drivers\FsDepends.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Fs_Rec.sys 6BD9295CC032DD3077C671FCCF579A7B
C:\Windows\System32\DRIVERS\fvevol.sys 8F6322049018354F45F05A2FD2D4E5E0
C:\Windows\system32\DRIVERS\gagp30kx.sys ==> MD5 is legit
C:\Windows\system32\drivers\hcw85cir.sys ==> MD5 is legit
C:\Windows\system32\drivers\HdAudio.sys 975761C778E33CD22498059B91E7373A
C:\Windows\system32\drivers\HDAudBus.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\HidBatt.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\hidbth.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\hidir.sys ==> MD5 is legit
C:\Windows\system32\drivers\hidusb.sys ==> MD5 is legit
C:\Windows\system32\drivers\HpSAMD.sys ==> MD5 is legit
C:\Windows\System32\drivers\HTTP.sys F61634BEC53F73702A10DE69F6DCAF57
C:\Windows\System32\drivers\hwpolicy.sys ==> MD5 is legit
C:\Windows\system32\drivers\i8042prt.sys ==> MD5 is legit
C:\Windows\system32\drivers\iaStorV.sys AAAF44DB3BD0B9D1FB6969B23ECC8366
C:\Windows\system32\DRIVERS\iirsp.sys ==> MD5 is legit
C:\Windows\System32\drivers\RTKVHD64.sys A3BCBD0F710580A07D1B929D787D36CE
C:\Windows\system32\drivers\intelide.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\intelppm.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ipfltdrv.sys ==> MD5 is legit
C:\Windows\system32\drivers\IPMIDrv.sys ==> MD5 is legit
C:\Windows\System32\drivers\ipnat.sys ==> MD5 is legit
C:\Windows\System32\drivers\irenum.sys ==> MD5 is legit
C:\Windows\system32\drivers\isapnp.sys ==> MD5 is legit
C:\Windows\system32\drivers\msiscsi.sys 96BB922A0981BC7432C8CF52B5410FE6
C:\Windows\System32\DRIVERS\jraid.sys A7D927151F9EC136863FC71B08C68B84
C:\Windows\system32\drivers\kbdclass.sys ==> MD5 is legit
C:\Windows\system32\drivers\kbdhid.sys ==> MD5 is legit
C:\Windows\System32\Drivers\ksecdd.sys 3974E5264A0481600370C5BEED061DDF
C:\Windows\System32\Drivers\ksecpkg.sys 6E85615A86FE86E76DAE49BF9F227483
C:\Windows\system32\drivers\ksthunk.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\lltdio.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\lsi_fc.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\lsi_sas.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\lsi_sas2.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\lsi_scsi.sys ==> MD5 is legit
C:\Windows\system32\drivers\luafv.sys ==> MD5 is legit
C:\Windows\system32\drivers\mbam.sys CFBC6C6D8A492697CABD1D353EE64933
C:\Windows\system32\drivers\mwac.sys D61070CFAD43038DC56AEAD9BFE9CE2A
C:\Windows\system32\DRIVERS\megasas.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\MegaSR.sys ==> MD5 is legit
C:\Windows\System32\drivers\modem.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\monitor.sys ==> MD5 is legit
C:\Windows\system32\drivers\mouclass.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\mouhid.sys ==> MD5 is legit
C:\Windows\System32\drivers\mountmgr.sys 67050452C0118BAF2883928E6FCCFE47
C:\Windows\System32\DRIVERS\MpFilter.sys DA0FAEE45D6F03D7647851A20977A7D0
C:\Windows\system32\drivers\mpio.sys ==> MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys ==> MD5 is legit
C:\Windows\system32\drivers\mrxdav.sys D7ADC2B83CA0B0381F75A98351F72CEE
C:\Windows\System32\DRIVERS\mrxsmb.sys 10112D850C844606419C79EE24EE6016
C:\Windows\System32\DRIVERS\mrxsmb10.sys DCC4343B422A13B42C7678998449CE8A
C:\Windows\System32\DRIVERS\mrxsmb20.sys 46C4F5BEE8D98BB1688752EAD0ABB7C0
C:\Windows\system32\drivers\msahci.sys ==> MD5 is legit
C:\Windows\system32\drivers\msdsm.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Msfs.sys ==> MD5 is legit
C:\Windows\System32\drivers\mshidkmdf.sys ==> MD5 is legit
C:\Windows\System32\drivers\msisadrv.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSKSSRV.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSPCLOCK.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSPQM.sys ==> MD5 is legit
C:\Windows\System32\Drivers\MsRPC.sys ==> MD5 is legit
C:\Windows\system32\drivers\mssmbios.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSTEE.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\MTConfig.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ASACPI.sys 19B006B181E3875FD254F7B67ACF1E7C
C:\Windows\System32\Drivers\mup.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\mv91xx.sys 8DB5861A8DB19ABAF430FCD001EF5E93
C:\Windows\System32\DRIVERS\nwifi.sys ==> MD5 is legit
C:\Windows\System32\drivers\ndis.sys 2D756AB696815EC0B790321C942BB862
C:\Windows\System32\DRIVERS\ndiscap.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndistapi.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndisuio.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndiswan.sys ==> MD5 is legit
C:\Windows\System32\Drivers\NDProxy.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\netbios.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\netbt.sys E47D571FEC2C76E867935109AB2A770C
C:\Windows\system32\DRIVERS\nfrd960.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\NisDrvWFP.sys 6D79C8CB73187FBEAAD1F680FADF98D3
C:\Windows\System32\Drivers\Npfs.sys ==> MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Ntfs.sys 47B2D0B31BDC3EBE6090228E2BA3764D
C:\Windows\System32\Drivers\Null.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\nusb3hub.sys 285ACEC1B13A15BA520AAE06BACB9CFF
C:\Windows\System32\DRIVERS\nusb3xhc.sys F6D625FF7B56BB6EA063F0D3A5BBC996
C:\Windows\System32\drivers\nvhda64v.sys 554964B900AE2954B8B589B6287034AC
C:\Windows\System32\DRIVERS\nvlddmkm.sys E71E299FF15390E585BACF2C18F55078
C:\Windows\system32\drivers\nvraid.sys 0A92CB65770442ED0DC44834632F66AD
C:\Windows\system32\drivers\nvstor.sys DAB0E87525C10052BF65F06152F37E4A
C:\Windows\system32\drivers\nv_agp.sys ==> MD5 is legit
C:\Windows\system32\drivers\ohci1394.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\parport.sys ==> MD5 is legit
C:\Windows\System32\drivers\partmgr.sys E9766131EEADE40A27DC27D2D68FBA9C
C:\Windows\System32\drivers\pci.sys ==> MD5 is legit
C:\Windows\System32\drivers\pciide.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\pcmcia.sys ==> MD5 is legit
C:\Windows\System32\drivers\pcw.sys ==> MD5 is legit
C:\Windows\System32\drivers\peauth.sys ED6E75158D28D33A2E2A020AC5B2B59D
C:\Windows\System32\DRIVERS\raspptp.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\processr.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\pacer.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\psi_mf.sys FB46E9A827A8799EBD7BFA9128C91F37
C:\Windows\system32\DRIVERS\ql2300.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\ql40xx.sys ==> MD5 is legit
C:\Windows\system32\drivers\qwavedrv.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rasacd.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\AgileVpn.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rasl2tp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\raspppoe.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rassstp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rdbss.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rdpbus.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\RDPCDD.sys ==> MD5 is legit
C:\Windows\System32\drivers\rdpdr.sys ==> MD5 is legit
C:\Windows\System32\drivers\rdpencdd.sys ==> MD5 is legit
C:\Windows\System32\drivers\rdprefmp.sys ==> MD5 is legit
C:\Windows\System32\drivers\rdpvideominiport.sys 313F68E1A3E6345A4F47A36B07062F34
C:\Windows\System32\Drivers\RDPWD.sys FE571E088C2D83619D2D48D4E961BF41
C:\Windows\System32\drivers\rdyboost.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rspndr.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\Rt64win7.sys EE082E06A82FF630351D1E0EBBD3D8D0
C:\Windows\system32\drivers\vms3cap.sys ==> MD5 is legit
C:\Windows\system32\drivers\sbp2port.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\scfilter.sys ==> MD5 is legit
C:\Windows\System32\Drivers\secdrv.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\serenum.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\serial.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\sermouse.sys ==> MD5 is legit
C:\Windows\system32\drivers\sffdisk.sys ==> MD5 is legit
C:\Windows\system32\drivers\sffp_mmc.sys ==> MD5 is legit
C:\Windows\system32\drivers\sffp_sd.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\sfloppy.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\SiSRaid2.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\sisraid4.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\smb.sys ==> MD5 is legit
C:\Windows\System32\Drivers\spldr.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\srv.sys F2F4B895296EE3ECCE781CC2A296A5D1
C:\Windows\System32\DRIVERS\srv2.sys FD0008BEDD2723170CCA7D61837DFD52
C:\Windows\System32\DRIVERS\srvnet.sys 63B5845D9379262083655D5C6AB8DFC5
C:\Windows\system32\DRIVERS\stexstor.sys ==> MD5 is legit
C:\Windows\System32\drivers\vmstorfl.sys ==> MD5 is legit
C:\Windows\system32\drivers\storvsc.sys ==> MD5 is legit
C:\Windows\system32\drivers\swenum.sys ==> MD5 is legit
C:\Windows\System32\drivers\tcpip.sys 04ADD18EE5CC9FBEDAEC1DD1CD0CB45E
C:\Windows\System32\DRIVERS\tcpip.sys 04ADD18EE5CC9FBEDAEC1DD1CD0CB45E
C:\Windows\System32\drivers\tcpipreg.sys 1B16D0BD9841794A6E0CDE0CEF744ABC
C:\Windows\System32\drivers\tdpipe.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\shbecr.sys 03E62CD83A62859F4F796434EE6C385E
C:\Windows\System32\drivers\tdtcp.sys 51C5ECEB1CDEE2468A1748BE550CFBC8
C:\Windows\System32\DRIVERS\tdx.sys AA77EB517D2F07A947294F260E3ACA83
C:\Windows\system32\drivers\termdd.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\tssecsrv.sys E232A3B43A894BB327FC161529BD9ED1
C:\Windows\System32\drivers\tsusbflt.sys 17C6B51CBCCDED95B3CC14E22791F85E
C:\Windows\System32\DRIVERS\tunnel.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\uagp35.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\udfs.sys ==> MD5 is legit
C:\Windows\system32\drivers\uliagpkx.sys ==> MD5 is legit
C:\Windows\system32\drivers\umbus.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\umpass.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\usbaudio.sys B0435098C81D04CAFFF80DDB746CD3A2
C:\Windows\System32\DRIVERS\usbccgp.sys DCA68B0943D6FA415F0C56C92158A83A
C:\Windows\system32\drivers\usbcir.sys 80B0F7D5CCF86CEB5D402EAAF61FEC31
C:\Windows\System32\DRIVERS\usbehci.sys 18A85013A3E0F7E1755365D287443965
C:\Windows\System32\DRIVERS\usbhub.sys 8D1196CFBB223621F2C67D45710F25BA
C:\Windows\system32\drivers\usbohci.sys 765A92D428A8DB88B960DA5A8D6089DC
C:\Windows\System32\DRIVERS\usbprint.sys ==> MD5 is legit
C:\Windows\system32\drivers\usbscan.sys 9661DA76B4531B2DA272ECCE25A8AF24
C:\Windows\System32\DRIVERS\USBSTOR.SYS D029DD09E22EB24318A8FC3D8138BA43
C:\Windows\System32\DRIVERS\usbuhci.sys DD253AFC3BC6CBA412342DE60C3647F3
C:\Windows\System32\drivers\vdrvroot.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\vgapnp.sys ==> MD5 is legit
C:\Windows\System32\drivers\vga.sys ==> MD5 is legit
C:\Windows\system32\drivers\vhdmp.sys ==> MD5 is legit
C:\Windows\system32\drivers\viaide.sys ==> MD5 is legit
C:\Windows\System32\drivers\vmbus.sys ==> MD5 is legit
C:\Windows\system32\drivers\VMBusHID.sys ==> MD5 is legit
C:\Windows\System32\drivers\volmgr.sys ==> MD5 is legit
C:\Windows\System32\drivers\volmgrx.sys ==> MD5 is legit
C:\Windows\System32\drivers\volsnap.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\vpchbus.sys B4A73CA4EF9A02B9738CEA9AD5FE5917
C:\Windows\System32\DRIVERS\vpcnfltr.sys E675FB2B48C54F09895482E2253B289C
C:\Windows\System32\DRIVERS\vpcusb.sys 5FB42082B0D19A0268705F1DD343DF20
C:\Windows\System32\drivers\vpcvmm.sys 207B6539799CC1C112661A9B620DD233
C:\Windows\system32\DRIVERS\vsmraid.sys ==> MD5 is legit
C:\Windows\System32\drivers\vwifibus.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\wacompen.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\wanarp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\wanarp.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\wd.sys ==> MD5 is legit
C:\Windows\System32\drivers\Wdf01000.sys E2C933EDBC389386EBE6D2BA953F43D8
C:\Windows\System32\DRIVERS\wfplwf.sys ==> MD5 is legit
C:\Windows\System32\drivers\wimmount.sys ==> MD5 is legit
C:\Windows\SysWOW64\drivers\wimmount.sys ==> MD5 is legit
C:\Windows\system32\drivers\WinUsb.sys FE88B288356E7B47B74B13372ADD906D
C:\Windows\system32\drivers\wmiacpi.sys ==> MD5 is legit
C:\Windows\system32\drivers\ws2ifsl.sys ==> MD5 is legit
C:\Windows\System32\drivers\WudfPf.sys AB886378EEB55C6C75B4F2D14B6C869F
C:\Windows\System32\DRIVERS\WUDFRd.sys DDA4CAF29D8C0A297F886BFE561E6659

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Three Months Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-01-23 01:20 - 2017-01-23 01:20 - 77365248 _____ C:\Windows\System32\config\SOFTWARE.bdkup
2017-01-23 01:20 - 2017-01-23 01:20 - 21233664 _____ C:\Windows\System32\config\SYSTEM.bdkup
2017-01-23 01:20 - 2017-01-23 01:20 - 00786432 _____ C:\Windows\System32\config\DEFAULT.bdkup
2017-01-23 00:28 - 2017-01-23 01:22 - 00000000 ____D C:\RescueCD Logs
2017-01-22 09:16 - 2017-01-22 09:16 - 00000000 ____D C:\Windows\Microsoft Antimalware
2017-01-22 00:45 - 2017-01-22 00:45 - 00000056 _____ C:\.directory
2017-01-21 22:28 - 2017-01-23 00:37 - 00000000 ____D C:\FRST
2016-11-02 23:53 - 2016-11-02 23:53 - 540493145 _____ C:\Windows\MEMORY.DMP
2016-11-02 23:53 - 2016-11-02 23:53 - 00669016 _____ C:\Windows\Minidump\110216-20077-01.dmp

==================== Three Months Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-01-23 01:20 - 2012-10-22 09:02 - 00000000 ____D C:\users\Besökare.Mickey_Finn
2017-01-23 01:20 - 2012-08-22 18:18 - 00000000 ____D C:\users\UpdatusUser
2017-01-23 01:20 - 2011-01-08 13:13 - 00000000 ____D C:\users\Ulf
2017-01-23 01:20 - 2011-01-08 02:17 - 00000000 ____D C:\users\Styrkonto
2017-01-22 11:05 - 2009-07-14 04:20 - 00000000 ___HD C:\Windows\System32\GroupPolicy

==================== Known DLLs (Whitelisted) =========================

[2016-04-10 10:18] - [2016-02-03 19:58] - 0862208 ____A () C:\Windows\System32\OLEAUT32.dll
[2016-07-19 12:52] - [2016-06-10 18:45] - 2392576 ____A () C:\Windows\SysWOW64\WININET.dll

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe
[2016-07-06 13:38] - [2016-04-09 06:53] - 3231232 ____A (Microsoft Corporation) 9DA3B83F80E205B6C601EEE1312FD0A0

C:\Windows\SysWOW64\explorer.exe
[2016-07-06 13:38] - [2016-04-09 06:44] - 2973184 ____A (Microsoft Corporation) 3DA48EA028AD771C5B71727F0C3984E9

C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\dnsapi.dll => MD5 is legit
C:\Windows\SysWOW64\dnsapi.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Association (Whitelisted) =============


==================== Restore Points =========================


==================== BCD ================================

Starthanteraren
---------------
identifier              {bootmgr}
device                  partition=Y:
description             Windows Boot Manager
locale                  sv-SE
inherit                 {globalsettings}
default                 {default}
resumeobject            {8aaff59d-1afe-11e0-a36e-bd6f474ff761}
displayorder            {default}
toolsdisplayorder       {memdiag}
timeout                 30

Startinläsaren
--------------
identifier              {default}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  sv-SE
inherit                 {bootloadersettings}
recoverysequence        {8aaff59f-1afe-11e0-a36e-bd6f474ff761}
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \Windows
resumeobject            {8aaff59d-1afe-11e0-a36e-bd6f474ff761}
nx                      OptIn

Startinläsaren
--------------
identifier              {8aaff59f-1afe-11e0-a36e-bd6f474ff761}
device                  ramdisk=[C:]\Recovery\8aaff59f-1afe-11e0-a36e-bd6f474ff761\Winre.wim,{8aaff5a0-1afe-11e0-a36e-bd6f474ff761}
path                    \windows\system32\winload.exe
description             Windows Recovery Environment
inherit                 {bootloadersettings}
osdevice                ramdisk=[C:]\Recovery\8aaff59f-1afe-11e0-a36e-bd6f474ff761\Winre.wim,{8aaff5a0-1afe-11e0-a36e-bd6f474ff761}
systemroot              \windows
nx                      OptIn
winpe                   Yes

Start från viloläge
-------------------
identifier              {8aaff59d-1afe-11e0-a36e-bd6f474ff761}
device                  partition=C:
path                    \Windows\system32\winresume.exe
description             Windows Resume Application
locale                  sv-SE
inherit                 {resumeloadersettings}
filedevice              partition=C:
filepath                \hiberfil.sys
debugoptionenabled      No

Minnestestaren
--------------
identifier              {memdiag}
device                  partition=Y:
path                    \boot\memtest.exe
description             Windows Minnesdiagnostik
locale                  sv-SE
inherit                 {globalsettings}
badmemoryaccess         Yes

EMS-inställningar
-----------------
identifier              {emssettings}
bootems                 Yes

Inställningar för felsökare
---------------------------
identifier              {dbgsettings}
debugtype               Serial
debugport               1
baudrate                115200

RAM-fel
-------
identifier              {badmemory}

Globala inställningar
---------------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}

Inställningar för Startinläsaren
------------------------------
identifier              {bootloadersettings}
inherit                 {globalsettings}
                        {hypervisorsettings}

Hypervisorinställningar
-------------------
identifier              {hypervisorsettings}
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200

Återställ inställningar för inläsaren
-------------------------------------
identifier              {resumeloadersettings}
inherit                 {globalsettings}

Enhetsalternativ
----------------
identifier              {8aaff5a0-1afe-11e0-a36e-bd6f474ff761}
description             Ramdisk Options
ramdisksdidevice        partition=C:
ramdisksdipath          \Recovery\8aaff59f-1afe-11e0-a36e-bd6f474ff761\boot.sdi


==================== Memory info ===========================

Percentage of memory in use: 12%
Total physical RAM: 6135.12 MB
Available physical RAM: 5350.38 MB
Total Virtual: 6133.32 MB
Available Virtual: 5337.74 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:55.8 GB) (Free:8.53 GB) NTFS
Drive d: (Data) (Fixed) (Total:931.51 GB) (Free:813.32 GB) NTFS
Drive f: (GSP1RMCPRXFREO_SV_DVD) (CDROM) (Total:2.97 GB) (Free:0 GB) UDF
Drive g: () (Removable) (Total:14.31 GB) (Free:14.31 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (Reserverad av systemet) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 55.9 GB) (Disk ID: 5EEBD84B)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=55.8 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 931.5 GB) (Disk ID: 011AA696)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (Size: 14.3 GB) (Disk ID: 00000000)

Partition: GPT.

LastRegBack: 2016-08-06 12:42

==================== End of FRST.txt ============================

 

 

Thx



#13 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:04:35 PM

Posted 22 January 2017 - 07:37 PM

Let's search for copies of important files that appear without a signature.

 

Open FRST as you did before.

Type the following in the edit box on FRST, after "Search:".

ASACPI.sys;ndis.sys;OLEAUT32.dll;WININET.dll;explorer.exe

It then should look like:

Search: ASACPI.sys;ndis.sys;OLEAUT32.dll;WININET.dll;explorer.exe

Click Search Files button and post the log (Search.txt) it makes on the USB drive in your next reply.
 


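The search JSntgRvr asks for above takes a semicolon-separated list of file names, finds every copy of each under the system, and reports their hashes and signature status so that a stray or tampered copy stands out. As an added example, not part of this thread and not FRST's own code, the script below does the hash-comparison half of that check on a constructed directory tree: it parses the same search line, walks a root for every copy of each name, and compares each copy's MD5 against a constructed known-good table. Authenticode signature checking is Windows-only and is left out; the sample files, their contents and the "known-good" hashes are all constructed here (derived from those sample contents, not from real Windows binaries), and a real reference table would come from trusted install media, not from the machine under investigation.

```python
"""Find copies of named critical files under a root and flag any whose hash
is not on a known-good list. Added example; nothing here is FRST code."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def parse_search_terms(search_line: str) -> list:
    """Split a semicolon-separated search line (the form typed into FRST's
    Search box on the page) into file names, dropping blanks and spaces."""
    return [term.strip() for term in search_line.split(";") if term.strip()]


def file_md5(path: Path) -> str:
    """MD5 of a file, uppercase hex, read in chunks so large files are fine.
    MD5 is used because that is what the log on the page reports; for a
    reference table you build yourself, prefer SHA-256."""
    digest = hashlib.md5()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest().upper()


def find_copies(root: Path, names: list) -> list:
    """Every file under root whose name matches one of the search terms,
    compared case-insensitively because Windows file names are."""
    wanted = {name.lower() for name in names}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            if filename.lower() in wanted:
                hits.append(Path(dirpath) / filename)
    return sorted(hits)


def classify_copies(root: Path, names: list, known_good: dict) -> list:
    """known_good maps a lowercase file name to a set of acceptable MD5 digests.
    Each copy found is reported as 'match', 'hash-mismatch' (a copy whose hash
    is not on the list: the case worth a closer look) or 'no-reference'."""
    report = []
    for path in find_copies(root, names):
        digest = file_md5(path)
        references = known_good.get(path.name.lower())
        if references is None:
            status = "no-reference"
        elif digest in references:
            status = "match"
        else:
            status = "hash-mismatch"
        report.append({"path": path.relative_to(root).as_posix(),
                       "md5": digest, "status": status})
    return report


# Constructed sample tree: two expected copies, one stray copy of ndis.sys in
# a user-writable folder, and an explorer.exe with no reference hash.
SAMPLE_FILES = {
    "Windows/System32/drivers/ndis.sys": b"constructed good ndis.sys",
    "Windows/System32/drivers/ASACPI.sys": b"constructed good ASACPI.sys",
    "Users/Public/Downloads/ndis.sys": b"constructed stray copy of ndis.sys",
    "Windows/explorer.exe": b"constructed explorer.exe",
}


def build_sample_tree() -> Path:
    """Write the constructed sample files into a fresh temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="file-search-example-"))
    for relative, data in SAMPLE_FILES.items():
        target = root / relative
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


def sample_known_good() -> dict:
    """Constructed reference table, derived from the sample contents above."""
    return {
        "ndis.sys": {hashlib.md5(b"constructed good ndis.sys").hexdigest().upper()},
        "asacpi.sys": {hashlib.md5(b"constructed good ASACPI.sys").hexdigest().upper()},
    }


def run_demo() -> list:
    """Build the sample tree, run the search from the page, clean up."""
    root = build_sample_tree()
    try:
        names = parse_search_terms("ASACPI.sys;ndis.sys;OLEAUT32.dll;WININET.dll;explorer.exe")
        return classify_copies(root, names, sample_known_good())
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for row in run_demo():
        print(f"{row['status']:14} {row['md5']}  {row['path']}")
```

On the sample tree the stray copy under Users/Public/Downloads is reported as hash-mismatch, the two copies in System32\drivers match, and explorer.exe is reported as no-reference; the names that have no copy at all (OLEAUT32.dll, WININET.dll in this constructed tree) simply produce no row.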


#14 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:04:35 PM

Posted 22 January 2017 - 07:57 PM

Just for the heck of it, have you tried tapping on F8 during startup to enter the advanced menu and select Safe Mode?




#15 HerrBack

HerrBack
  • Topic Starter

  • Members
  • 26 posts
  • Local time:09:35 PM

Posted 25 January 2017 - 04:32 PM

Hello again.
Will be in the far north for a few days with zero Internet.
I'll continue in a few days.
Regards
Jon





