Ran Hitman Pro 64 to remove malware = PC won't Boot


  • This topic is locked
214 replies to this topic

#1 BataTester
  • Members
  • 111 posts
  • Gender:Male

Posted 17 March 2017 - 03:02 AM

I ran HitmanPro 64 on a Dell laptop Windows 10 machine.
It apparently deleted part of the MBR,
now my machine will not boot.

It goes straight to the repair screen,
and the repair will not work.

I do not have any restore points, so I can't even try restore.

 

I ran across this thread.

https://www.bleepingcomputer.com/forums/t/482827/ran-hitman-pro-64-to-remove-malware-pc-wont-boot/

 

I ran the Farbar Recovery Scan tool and have a log saved.

 

FRST.txt

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 27-02-2017 01
Ran by SYSTEM on MININT-BIEJ0IK (16-03-2017 22:55:29)
Running from F:\
Platform: Windows 10 Home Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery
Default: ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8512760 2015-12-27] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1411320 2015-12-27] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_PushButton] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1411320 2015-12-27] (Realtek Semiconductor)
HKLM\...\Run: [QuickSet] => c:\Program Files\Dell\QuickSet\QuickSet.exe [5762408 2013-03-05] (Dell Inc.)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [3952832 2016-08-18] (Synaptics Incorporated)
HKLM\...\Run: [WindowsDefender] => C:\Program Files\Windows Defender\MSASCuiL.exe [631808 2016-10-01] (Microsoft Corporation)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [176440 2016-11-01] (Apple Inc.)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [285240 2012-11-19] (Intel Corporation)
HKLM-x32\...\Run: [IndexSearch] => C:\Program Files (x86)\Nuance\PaperPort\IndexSearch.exe [46952 2011-08-02] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PaperPort PTD] => C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe [30568 2011-08-02] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
Winlogon\Notify\igfxcui: igfxdev.dll [X]
HKLM\...\Policies\Explorer\Run: [BtvStack] => C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe
Startup: C:\Users\Larry\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DishAnywherePlayerShortcut.lnk [2016-10-31]
ShortcutTarget: DishAnywherePlayerShortcut.lnk -> C:\Program Files (x86)\DishAnywhereDesktop\DishAnywherePlayer.exe (Sling Media Inc.)
GroupPolicy: Restriction - Chrome <======= ATTENTION

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 ABBYY.Licensing.PDFTransformer.Classic.4.0; C:\Program Files (x86)\ABBYY PDF Transformer+\NetworkLicenseServer.exe [965848 2015-06-22] (ABBYY Production LLC)
S2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2016-09-22] (Apple Inc.)
S2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [337888 2016-05-03] (Intel Corporation)
S2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [165760 2012-07-17] (Intel Corporation)
S2 PDFProFiltSrvPP; C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [145256 2011-08-02] (Nuance Communications, Inc.)
S2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [312056 2015-12-27] (Realtek Semiconductor)
S2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [10351856 2016-12-15] (TeamViewer GmbH)
S2 Update service; C:\Program Files (x86)\Popcorn Time\Updater.exe [339968 2016-08-26] (Popcorn Time)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347328 2016-07-16] (Microsoft Corporation)
S2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103720 2016-07-16] (Microsoft Corporation)
S2 ZAtheros Wlan Agent; C:\Program Files (x86)\Dell Wireless\Ath_WlanAgent.exe [81536 2012-12-26] (Atheros)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 dtlitescsibus; C:\Windows\System32\drivers\dtlitescsibus.sys [30264 2016-01-31] (Disc Soft Ltd)
S3 dtliteusbbus; C:\Windows\System32\drivers\dtliteusbbus.sys [47672 2016-01-31] (Disc Soft Ltd)
S3 hitmanpro37; C:\WINDOWS\system32\drivers\hitmanpro37.sys [32512 2017-02-26] ()
S3 mbamchameleon; C:\WINDOWS\system32\drivers\mbamchameleon.sys [140672 2016-03-10] (Malwarebytes)
S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [192216 2017-02-21] (Malwarebytes)
S3 NetAdapterCx; C:\Windows\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
S3 rt640x64; C:\Windows\System32\drivers\rt640x64.sys [896744 2015-12-27] (Realtek)
S3 RTSUER; C:\Windows\system32\Drivers\RtsUer.sys [402960 2015-05-14] (Realsil Semiconductor Corporation)
S3 SmbDrv; C:\Windows\System32\drivers\Smb_driver_AMDASF.sys [28040 2012-12-20] (Synaptics Incorporated)
S3 SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [51392 2016-08-18] (Synaptics Incorporated)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
S0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-16 14:09 - 2017-03-16 15:50 - 00000000 _____ C:\Recovery.txt
2017-02-28 12:15 - 2017-02-28 15:29 - 00000000 ____D C:\FRST
2017-02-28 09:55 - 2017-02-28 09:57 - 00000000 ____D C:\Windows\System32\config\MyBackUp
2017-02-26 19:54 - 2017-03-16 00:33 - 288618412 _____ C:\Windows\MEMORY.DMP
2017-02-26 19:51 - 2017-02-26 19:51 - 00012872 _____ (SurfRight B.V.) C:\Windows\System32\bootdelete.exe
2017-02-26 19:10 - 2014-09-03 14:36 - 11194928 _____ (SurfRight B.V.) C:\Users\Larry\Desktop\HitmanPro_x64.exe.BAK
2017-02-26 18:41 - 2017-02-26 18:41 - 00000687 _____ C:\Users\Larry\Desktop\JRT.txt
2017-02-22 18:38 - 2017-02-22 18:39 - 09261616 _____ (Piriform Ltd) C:\Users\Larry\Downloads\ccsetup527(2).exe
2017-02-21 19:56 - 2017-02-21 19:56 - 04015056 _____ C:\Users\Larry\Desktop\adwcleaner_6.043.exe
2017-02-20 17:52 - 2017-02-20 17:52 - 09261616 _____ (Piriform Ltd) C:\Users\Larry\Downloads\ccsetup527(1).exe
2017-02-20 17:48 - 2017-02-20 17:49 - 09261616 _____ (Piriform Ltd) C:\Users\Larry\Downloads\ccsetup527.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-16 15:32 - 2016-07-16 03:47 - 00028672 _____ C:\Windows\System32\config\BCD-Template
2017-03-16 15:15 - 2016-10-20 11:05 - 00000000 ____D C:\Windows\Microsoft Antimalware
2017-02-26 19:53 - 2016-07-15 22:04 - 01572864 _____ C:\Windows\System32\config\BBI
2017-02-26 19:52 - 2016-10-01 17:36 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-02-26 19:51 - 2015-06-04 20:41 - 00010534 _____ C:\Windows\System32\.crusader
2017-02-26 19:39 - 2016-10-01 16:55 - 00000000 ____D C:\Windows\System32\SleepStudy
2017-02-26 19:10 - 2015-06-07 18:24 - 00032512 _____ C:\Windows\System32\Drivers\hitmanpro37.sys
2017-02-26 18:40 - 2016-11-19 10:59 - 00000000 ____D C:\Users\Larry\AppData\LocalLow\Mozilla
2017-02-26 17:00 - 2015-06-04 14:51 - 00000000 ____D C:\Program Files (x86)\TeamViewer
2017-02-26 16:04 - 2015-06-07 17:50 - 00000000 __SHD C:\Users\Larry\IntelGraphicsProfiles
2017-02-26 13:52 - 2016-11-30 14:36 - 00000000 ____D C:\Users\Christy\AppData\LocalLow\Mozilla
2017-02-26 13:50 - 2016-07-16 03:47 - 00000000 ___HD C:\Program Files\WindowsApps
2017-02-26 13:50 - 2016-07-16 03:47 - 00000000 ____D C:\Windows\AppReadiness
2017-02-26 13:44 - 2015-06-08 20:09 - 00000000 __SHD C:\Users\Christy\IntelGraphicsProfiles
2017-02-22 20:45 - 2014-03-18 16:31 - 00000000 ____D C:\Windows\System32\MRT
2017-02-22 20:38 - 2014-03-18 16:31 - 138020592 ____C (Microsoft Corporation) C:\Windows\System32\MRT.exe
2017-02-22 19:11 - 2014-11-06 09:41 - 00000000 ____D C:\Users\Larry\AppData\Local\ElevatedDiagnostics
2017-02-22 19:10 - 2016-07-16 03:47 - 00000000 ____D C:\Windows\System32\NDF
2017-02-22 19:06 - 2016-10-01 17:35 - 00002858 _____ C:\Windows\System32\Tasks\CCleanerSkipUAC
2017-02-22 18:39 - 2015-06-03 10:33 - 00000865 _____ C:\Users\Public\Desktop\CCleaner.lnk
2017-02-21 17:46 - 2016-07-16 03:36 - 00000000 ____D C:\Windows\CbsTemp
2017-02-21 08:14 - 2014-04-06 19:15 - 00192216 _____ (Malwarebytes) C:\Windows\System32\Drivers\MBAMSwissArmy.sys
2017-02-20 22:33 - 2016-07-16 03:45 - 00000000 ____D C:\Windows\INF
2017-02-20 18:08 - 2016-01-18 04:59 - 01291332 _____ C:\Windows\System32\PerfStringBackup.INI
2017-02-20 17:31 - 2016-11-19 08:48 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-02-20 17:31 - 2014-04-06 15:36 - 00000936 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4153170585-3532641655-1280828286-1001UA.job
2017-02-20 17:31 - 2014-04-06 15:36 - 00000884 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4153170585-3532641655-1280828286-1001Core.job
2017-02-20 17:31 - 2014-03-20 07:33 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2017-02-20 17:31 - 2014-03-17 14:40 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-02-20 17:27 - 2016-07-16 03:47 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2017-02-20 17:27 - 2016-07-16 03:47 - 00000000 ____D C:\Windows\System32\Macromed
2017-02-20 17:27 - 2014-06-29 18:16 - 00000000 ____D C:\Users\Larry\AppData\Local\Adobe

==================== Known DLLs (Whitelisted) =========================

[2017-01-07 18:14] - [2016-12-09 02:10] - 1461200 ____A () C:\Windows\System32\user32.dll

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe
[2017-01-10 14:39] - [2016-12-13 20:24] - 0673792 ____A (Microsoft Corporation) 917F081E2AB667C44F7D96DE1D16DFAE

C:\Windows\System32\wininit.exe
[2016-07-16 03:42] - [2016-07-16 03:42] - 0304240 ____A (Microsoft Corporation) 99A19C9A74E2F9820E501DCE77F84F70

C:\Windows\explorer.exe
[2016-12-10 12:26] - [2016-11-11 01:56] - 4673304 ____A (Microsoft Corporation) 4E10FB1A015B49AC68F76C1A3F4D9C0F

C:\Windows\SysWOW64\explorer.exe
[2016-12-10 12:40] - [2016-11-10 23:41] - 4311736 ____A (Microsoft Corporation) AF46710DDB8B0E304AA4FD2B940CABD8

C:\Windows\System32\svchost.exe
[2016-07-16 03:42] - [2016-07-16 03:42] - 0044496 ____A (Microsoft Corporation) 36F670D89040709013F6A460176767EC

C:\Windows\SysWOW64\svchost.exe
[2016-07-16 03:42] - [2016-07-16 03:42] - 0038792 ____A (Microsoft Corporation) 1F8434DD4907C832E6E90D6298EAB85B

C:\Windows\System32\services.exe
[2016-12-10 12:29] - [2016-11-11 01:51] - 0454592 ____A (Microsoft Corporation) 3C69CC28665854F1AAB4B4005005FA31

C:\Windows\System32\User32.dll
[2017-01-07 18:14] - [2016-12-09 02:10] - 1461200 ____A () 691B0B0B7BD595354A96EC073A7E11EC

C:\Windows\System32\User32.dll => no Company Name <===== ATTENTION

C:\Windows\SysWOW64\User32.dll
[2017-01-07 18:20] - [2016-12-09 01:52] - 1435896 ____A (Microsoft Corporation) 4BEC594A3D4AEAFAC400D88F7E328C7B

C:\Windows\System32\userinit.exe
[2016-07-16 03:42] - [2016-07-16 03:42] - 0033280 ____A (Microsoft Corporation) C1B1FFC800BE2F31EB2CF8CB40629C69

C:\Windows\SysWOW64\userinit.exe
[2016-07-16 03:42] - [2016-07-16 03:42] - 0027648 ____A (Microsoft Corporation) FA900E6CCCF0A429D5B720C6F0E2274B

C:\Windows\System32\rpcss.dll
[2016-07-16 03:42] - [2016-07-16 03:42] - 0888320 ____A (Microsoft Corporation) 7BD259FC59CF9C2AE1B979564B374CC6

C:\Windows\System32\dnsapi.dll
[2016-10-05 18:17] - [2016-09-15 09:30] - 0646136 ____A (Microsoft Corporation) 96B8A433F6407DE34850927C96C6CE9B

C:\Windows\SysWOW64\dnsapi.dll
[2016-10-05 18:27] - [2016-09-15 09:37] - 0496872 ____A (Microsoft Corporation) 227CFE3EDA82029AAC1C088A16297CD7

C:\Windows\System32\Drivers\volsnap.sys
[2016-07-16 03:42] - [2016-07-16 03:42] - 0391520 ____A (Microsoft Corporation) BF2546583BB75F01DDA60A7921DFB230


==================== Association (Whitelisted) =============


==================== Restore Points =========================


==================== Memory info ===========================

Percentage of memory in use: 18%
Total physical RAM: 3983.35 MB
Available physical RAM: 3256.74 MB
Total Virtual: 3983.35 MB
Available Virtual: 3303.8 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:284.38 GB) (Free:185.16 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive d: (ESD-ISO) (Removable) (Total:29.75 GB) (Free:19.75 GB) NTFS
Drive e: (Repair disc Windows 10 64-bit) (CDROM) (Total:0.33 GB) (Free:0 GB) UDF
Drive f: (WDO_MEDIA64) (Removable) (Total:0.97 GB) (Free:0.97 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.5 GB) (Free:0.49 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298.1 GB) (Disk ID: 2DCEEA90)

Partition: GPT.

========================================================
Disk: 1 (Size: 29.8 GB) (Disk ID: 0B4790E4)
Partition 1: (Active) - (Size=29.7 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (MBR Code: Windows 7 or 8) (Size: 1000 MB) (Disk ID: 00000000)

Partition: GPT.

LastRegBack: 2017-02-20 18:44

==================== End of FRST.txt ============================

 

Search.txt

 

Farbar Recovery Scan Tool (x64) Version: 27-02-2017 01
Ran by SYSTEM (16-03-2017 23:41:09)
Running from F:\
Boot Mode: Recovery

================== Search Files: "srevices.exe" =============

====== End of Search ======


That is where I am now... any help is appreciated.

I would strongly prefer fixing this over reformatting.

Thank You

IF THIS IS THE WRONG FORUM, PLEASE LET ME KNOW.


Edited by BataTester, 17 March 2017 - 09:24 PM.
Moved from Crashes/BSODs to Malware Removal Logs - Hamluis.




#2 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,398 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 18 March 2017 - 07:42 PM

It does not look like an MBR issue.

 

Open FRST as you did before.

Type the following in the edit box on FRST, after "Search:".

User32.dll

It then should look like:

Search: User32.dll

Click Search Files button and post the log (Search.txt) it makes on the USB drive in your next reply.


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 BataTester
  • Topic Starter
  • Members
  • 111 posts
  • Gender:Male

Posted 19 March 2017 - 10:59 PM

Farbar Recovery Scan Tool (x64) Version: 27-02-2017 01
Ran by SYSTEM (19-03-2017 20:27:01)
Running from E:\
Boot Mode: Recovery

================== Search Files: "User32.dll" =============

C:\Windows\WinSxS\wow64_microsoft-windows-user32_31bf3856ad364e35_10.0.14393.576_none_1145a9e43fbf1684\user32.dll
[2017-01-07 18:20][2016-12-09 01:52] 1435896 ____A (Microsoft Corporation) 4BEC594A3D4AEAFAC400D88F7E328C7B

C:\Windows\WinSxS\wow64_microsoft-windows-user32_31bf3856ad364e35_10.0.14393.0_none_0501820eb86fe594\user32.dll
[2016-07-16 03:42][2017-01-17 18:32] 0029582 ____A () 13D6E985D707841BEBC08EB17087E0C1

C:\Windows\WinSxS\amd64_microsoft-windows-user32_31bf3856ad364e35_10.0.14393.0_none_faacd7bc840f2399\user32.dll
[2016-07-16 03:42][2017-01-16 10:38] 0020417 ____A () D89E8D6801A5B151B0316614A15C34F8

C:\Windows\SysWOW64\user32.dll
[2017-01-07 18:20][2016-12-09 01:52] 1435896 ____A (Microsoft Corporation) 4BEC594A3D4AEAFAC400D88F7E328C7B

C:\Windows\System32\user32.dll
[2017-01-07 18:14][2016-12-09 02:10] 1461200 ____A () 691B0B0B7BD595354A96EC073A7E11EC

C:\Windows\softwaredistribution.bak6\Download\1a946a1a7028fc73f13d3f0d25a4dc97\wow64_microsoft-windows-user32_31bf3856ad364e35_6.3.9600.17415_none_c898117a757ab429\user32.dll
[2015-03-05 07:50][2014-10-28 17:04] 1376256 ____A (Microsoft Corporation) 76C5CF09F53A3B089B5581B9938F8CAE

C:\Windows\softwaredistribution.bak6\Download\1a946a1a7028fc73f13d3f0d25a4dc97\amd64_microsoft-windows-user32_31bf3856ad364e35_6.3.9600.17415_none_be4367284119f22e\user32.dll
[2015-03-05 07:50][2014-10-28 20:00] 1540696 ____A (Microsoft Corporation) 25026E350BC3BE37631634EC72B10BD5

X:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_10.0.14393.351_none_07019a2c0b52a3a6\user32.dll
[2016-11-20 12:22][2016-11-20 12:22] 1461200 ____A (Microsoft Corporation) 5757459686554B784F3CCE8C3BAF6D8B

X:\windows\system32\user32.dll
[2016-11-20 12:22][2016-11-20 12:22] 1461200 ____A (Microsoft Corporation) 5757459686554B784F3CCE8C3BAF6D8B

====== End of Search ======
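
The search above lists every copy of user32.dll FRST could find, and the next step in the thread picks one of them by hand. As an added example (my own code, not FRST's and not anything posted in the thread), the following PowerShell script audits such candidates before any Replace: for each copy it checks that the file is a 64-bit PE, that its version resource names Microsoft as the company (the FRST log flags the live System32 copy for having none), that its major.minor.build matches the kernel of the offline installation, and that it is not implausibly small, and it prints the SHA256 so the copy can be compared against a known-good one. Assumed and not taken from the thread: the offline Windows volume is mounted as C:, the session has PowerShell available (a full Windows system with the disk attached, or WinPE with the PowerShell optional components added), and the 200 KB size floor and the script name Audit-SystemDll.ps1 are my choices.

```powershell
# Added example (not from the thread or from FRST): audit candidate copies of a
# system DLL before copying one over C:\Windows\System32\<dll>.
# Assumptions (hypothetical): the offline Windows volume is mounted as C:, and
# this runs where PowerShell is available (full Windows with the disk attached,
# or WinPE with the PowerShell optional components).
param(
    [string]$OfflineWindows = 'C:\Windows',
    [string]$DllName        = 'user32.dll'
)

# Reference build taken from the offline kernel, e.g. 10.0.14393.693.
$kernelVer = (Get-Item "$OfflineWindows\System32\ntoskrnl.exe").VersionInfo.FileVersionRaw

function Get-PeMachine([string]$Path) {
    # Read IMAGE_FILE_HEADER.Machine straight from the file: 0x8664 = x64, 0x014c = x86.
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $br = New-Object System.IO.BinaryReader($fs)
        if ($fs.Length -lt 0x40) { return 'not-PE' }
        $fs.Seek(0x3C, 'Begin') | Out-Null
        $peOffset = $br.ReadInt32()
        if ($peOffset -le 0 -or ($peOffset + 6) -gt $fs.Length) { return 'not-PE' }
        $fs.Seek($peOffset, 'Begin') | Out-Null
        if ($br.ReadUInt32() -ne 0x00004550) { return 'not-PE' }       # "PE\0\0"
        switch ($br.ReadUInt16()) { 0x8664 { 'x64' } 0x014c { 'x86' } default { 'other' } }
    } finally { $fs.Dispose() }
}

# Candidates: the live copy, the 32-bit copy (listed only so its mismatch is
# visible), and every copy in the WinSxS component store.
$paths = @("$OfflineWindows\System32\$DllName", "$OfflineWindows\SysWOW64\$DllName") +
         @(Get-ChildItem "$OfflineWindows\WinSxS" -Recurse -Filter $DllName -ErrorAction SilentlyContinue |
           ForEach-Object FullName)

$report = foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    $f   = Get-Item -LiteralPath $p
    $vi  = $f.VersionInfo
    $ver = $vi.FileVersionRaw
    $why = @()
    if ((Get-PeMachine $p) -ne 'x64')                { $why += 'not a 64-bit PE' }
    if ($vi.CompanyName -ne 'Microsoft Corporation') { $why += 'no Microsoft company name' }
    # user32.dll must match the win32k/win32u of the same build; a 6.3.9600
    # (Windows 8.1) copy or a different Windows 10 build number is not a drop-in.
    if ($ver.Major -ne $kernelVer.Major -or $ver.Minor -ne $kernelVer.Minor -or
        $ver.Build -ne $kernelVer.Build)              { $why += "build $ver vs kernel $kernelVer" }
    if ($f.Length -lt 200KB)                         { $why += "only $($f.Length) bytes" }  # assumed floor
    [pscustomobject]@{
        Usable  = ($why.Count -eq 0)
        Version = "$ver"
        Size    = $f.Length
        SHA256  = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        Reason  = ($why -join '; ')
        Path    = $p
    }
}

$report | Sort-Object Usable -Descending | Format-Table -AutoSize -Wrap
```

Run it as `.\Audit-SystemDll.ps1 -OfflineWindows C:\Windows -DllName user32.dll`. The script deliberately does not call Get-AuthenticodeSignature: Windows 10 system binaries are catalog-signed rather than embedded-signed, and the catalogs of an offline volume are not in the host's catalog database, so a legitimate file would come back as NotSigned. A build-matched copy from the same machine's WinSxS store, or the supported route `sfc /scannow /offbootdir=C:\ /offwindir=C:\Windows` from the recovery command prompt, is a safer source than a copy taken from another Windows version's update cache.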



#4 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,398 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 20 March 2017 - 10:35 AM

Download the attached file [attachment=191758:Fixlist.txt] and save it in the same directory FRST64 is saved.

  • Start FRST64 with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply.

 

Try to restart in Normal Mode and let me know the outcome.




#5 BataTester
  • Topic Starter
  • Members
  • 111 posts
  • Gender:Male

Posted 20 March 2017 - 10:44 AM

Fix result of Farbar Recovery Scan Tool (x64) Version: 27-02-2017 01
Ran by SYSTEM (20-03-2017 08:42:35) Run:2
Running from E:\
Boot Mode: Recovery
==============================================

fixlist content:
*****************
Replace: C:\Windows\softwaredistribution.bak6\Download\1a946a1a7028fc73f13d3f0d25a4dc97\amd64_microsoft-windows-user32_31bf3856ad364e35_6.3.9600.17415_none_be4367284119f22e\user32.dll C:\Windows\System32\user32.dll
CMD: bcdedit /enum all /v
*****************

C:\Windows\System32\user32.dll => moved successfully
C:\Windows\softwaredistribution.bak6\Download\1a946a1a7028fc73f13d3f0d25a4dc97\amd64_microsoft-windows-user32_31bf3856ad364e35_6.3.9600.17415_none_be4367284119f22e\user32.dll copied successfully to C:\Windows\System32\user32.dll

========= bcdedit /enum all /v =========

The boot configuration data store could not be opened.
The requested system device cannot be found.

========= End of CMD: =========


==== End of Fixlog 08:42:36 ====



#6 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,398 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 20 March 2017 - 11:33 AM

Restart the computer to the RE command prompt. At the prompt type

bootrec /rebuildbcd

Press enter and follow the prompts to select your OS.

Keep me posted



#7 BataTester
  • Topic Starter
  • Members
  • 111 posts
  • Gender:Male

Posted 20 March 2017 - 12:06 PM

It identified 1 installation: [1] c:\windows

I entered Y

The requested system device could not be found.



#8 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,398 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 20 March 2017 - 01:21 PM

Please download Listparts to a flash drive.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

Plug the flashdrive into the infected PC.

From an Off position, start the computer and enter the System Recovery Options.

To enter the System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\ListParts.exe (for x64 bit version type e:\ListParts64.exe) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Put check mark on List BCD.
  • Press Scan button.
  • It will make a log (Result.txt) in the flash drive. Please copy and paste it to your reply.



#9 BataTester
  • Topic Starter
  • Members
  • 111 posts
  • Gender:Male

Posted 20 March 2017 - 01:57 PM

This is windows 10

I put in a command to be able to use F8 to get into safe mode, but any selection takes me to {computer was not able to start, we will restart for you}. Then it reboots and goes into a Windows Defender Offline loop. I set the BIOS to load from the USB Windows 10 setup/repair to go to the repair command prompt so I did not have to hit F12 every time. The only way to get to a command prompt is from USB or DVD. I hope this makes sense. Thanks



#10 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,398 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 20 March 2017 - 02:01 PM

How did you run FRST? Follow the same process as FRST. Boot with the DVD or USB.


Edited by JSntgRvr, 20 March 2017 - 02:03 PM.



#11 BataTester
  • Topic Starter
  • Members
  • 111 posts
  • Gender:Male

Posted 20 March 2017 - 02:04 PM

When I run listparts.exe it says {'listparts.exe' is not recognized as an internal or external command, operable program or batch file.}



#12 BataTester
  • Topic Starter
  • Members
  • 111 posts
  • Gender:Male

Posted 20 March 2017 - 02:10 PM

I am back on track. When I rebooted, it changed drive letters on me.



#13 BataTester
  • Topic Starter
  • Members
  • 111 posts
  • Gender:Male

Posted 20 March 2017 - 02:11 PM

ListParts by Farbar Version: 31-07-2014
Ran by SYSTEM (administrator) on 20-03-2017 at 12:08:50
WIN_81 (X64)
Running From: F:\
Language: English (United States)
************************************************************

========================= Memory info ======================

Percentage of memory in use: 13%
Total physical RAM: 3983.35 MB
Available physical RAM: 3426.02 MB
Total Pagefile: 3983.35 MB
Available Pagefile: 3462.38 MB
Total Virtual: 131072 MB
Available Virtual: 131071.89 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:284.38 GB) (Free:185.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (ESD-ISO) (Removable) (Total:29.75 GB) (Free:19.75 GB) NTFS
4 Drive f: (WDO_MEDIA64) (Removable) (Total:0.97 GB) (Free:0.91 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.5 GB) (Free:0.5 GB) NTFS


  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          298 GB      0 B        *
  Disk 1    Online           29 GB      0 B         
  Disk 2    Online         1000 MB      0 B         

Partitions of Disk 0:
===============


Disk ID: {7C4ED532-4EE7-4DC3-8EC9-F52E39E95D90}

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    System (partition with boot components)             500 MB  1024 KB
  Partition 2    OEM                 40 MB   501 MB
  Partition 3    Reserved           128 MB   541 MB
  Partition 4    Recovery           490 MB   669 MB
  Partition 5    Primary            284 GB  1159 MB
  Partition 6    Recovery           450 MB   285 GB
  Partition 7    Recovery            12 GB   285 GB

======================================================================================================

Disk: 0
Partition 1
Type    : c12a7328-f81f-11d2-ba4b-00a0c93ec93b
Hidden  : Yes
Required: No
Attrib  : 0X8000000000000000

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2         ESP          FAT32  Partition    500 MB  Healthy    Hidden  

======================================================================================================

Disk: 0
Partition 2
Type    : 796badd3-6bbf-4d9f-b631-466eb71a4965
Hidden  : Yes
Required: Yes
Attrib  : 0X8000000000000001

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 8         DIAGS        FAT32  Partition     40 MB  Healthy    Hidden  

======================================================================================================

Disk: 0
Partition 3
Type    : e3c9e316-0b5c-4db8-817d-f92df00215ae
Hidden  : Yes
Required: No
Attrib  : 0X8000000000000000

There is no volume associated with this partition.

======================================================================================================

Disk: 0
Partition 4
Type    : de94bba4-06d1-4d40-a16a-bfd50179d6ac
Hidden  : Yes
Required: Yes
Attrib  : 0X8000000000000001

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3         WINRETOOLS   NTFS   Partition    490 MB  Healthy    Hidden  

======================================================================================================

Disk: 0
Partition 5
Type    : ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
Hidden  : No
Required: No
Attrib  : 0000000000000000

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     C   OS           NTFS   Partition    284 GB  Healthy            

======================================================================================================

Disk: 0
Partition 6
Type    : de94bba4-06d1-4d40-a16a-bfd50179d6ac
Hidden  : Yes
Required: Yes
Attrib  : 0X8000000000000001

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4                      NTFS   Partition    450 MB  Healthy    Hidden  

======================================================================================================

Disk: 0
Partition 7
Type    : de94bba4-06d1-4d40-a16a-bfd50179d6ac
Hidden  : Yes
Required: Yes
Attrib  : 0X8000000000000001

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 5         PBR Image    NTFS   Partition     12 GB  Healthy    Hidden  

======================================================================================================

Partitions of Disk 1:
===============


Disk ID: 0B4790E4

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary             29 GB  1024 KB

======================================================================================================

Disk: 1
Partition 1
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 6     D   ESD-ISO      NTFS   Removable     29 GB  Healthy            

======================================================================================================

Partitions of Disk 2:
===============


Disk ID: 00000000

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            998 MB    31 KB

======================================================================================================

Disk: 2
Partition 1
Type  : 0B
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 7     F   WDO_MEDIA64  FAT32  Removable    998 MB  Healthy            

======================================================================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: 2DCEEA90

Partition : GPT Partition Type
==============================
Partitions of Disk 1:
===============
Disk ID: 0B4790E4
Partition 1: (Active) - (Size=30 GB) - (Type=07 NTFS)

==============================
Partitions of Disk 2:
===============
Disk ID: 00000000

Partition: GPT Partition Type.

The boot configuration data store could not be opened.
The requested system device cannot be found.


****** End Of Log ******



#14 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,398 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:04 PM

Posted 20 March 2017 - 02:44 PM

Seems that the partition with the boot components is not active. Let's try to fix that.

 

Download the enclosed file:  [attachment=191773:fix.txt]
 
Save it in the same location Listparts is saved.

  • From an Off position (you must run this fix after turning the computer off; that is very important), run ListParts as you did before, except that:
  • This time around, press the Fix button and wait.
  • When it is done, close the notification pop-up. Click Scan (make sure there is a check mark on List BCD), then copy and paste the log (Result.txt) it will produce in your next reply.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.


No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#15 BataTester

BataTester
  • Topic Starter

  • Members
  • 111 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:04 AM

Posted 20 March 2017 - 02:52 PM

ListParts by Farbar Version: 31-07-2014
Ran by SYSTEM (administrator) on 20-03-2017 at 12:50:27
WIN_81 (X64)
Running From: E:\
Language: English (United States)
************************************************************

========================= Memory info ======================

Percentage of memory in use: 15%
Total physical RAM: 3983.35 MB
Available physical RAM: 3383.64 MB
Total Pagefile: 3983.35 MB
Available Pagefile: 3424.33 MB
Total Virtual: 131072 MB
Available Virtual: 131071.88 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:284.38 GB) (Free:185.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (ESD-ISO) (Removable) (Total:29.75 GB) (Free:19.75 GB) NTFS
3 Drive e: (WDO_MEDIA64) (Removable) (Total:0.97 GB) (Free:0.91 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.5 GB) (Free:0.49 GB) NTFS


  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          298 GB      0 B        *
  Disk 1    Online           29 GB      0 B         
  Disk 2    Online         1000 MB      0 B         

Partitions of Disk 0:
===============


Disk ID: {7C4ED532-4EE7-4DC3-8EC9-F52E39E95D90}

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    System (partition with boot components)             500 MB  1024 KB
  Partition 2    OEM                 40 MB   501 MB
  Partition 3    Reserved           128 MB   541 MB
  Partition 4    Recovery           490 MB   669 MB
  Partition 5    Primary            284 GB  1159 MB
  Partition 6    Recovery           450 MB   285 GB
  Partition 7    Recovery            12 GB   285 GB

======================================================================================================

Disk: 0
Partition 1
Type    : c12a7328-f81f-11d2-ba4b-00a0c93ec93b
Hidden  : Yes
Required: No
Attrib  : 0X8000000000000000

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2         ESP          FAT32  Partition    500 MB  Healthy    Hidden  

======================================================================================================

Disk: 0
Partition 2
Type    : 796badd3-6bbf-4d9f-b631-466eb71a4965
Hidden  : Yes
Required: Yes
Attrib  : 0X8000000000000001

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 8         DIAGS        FAT32  Partition     40 MB  Healthy    Hidden  

======================================================================================================

Disk: 0
Partition 3
Type    : e3c9e316-0b5c-4db8-817d-f92df00215ae
Hidden  : Yes
Required: No
Attrib  : 0X8000000000000000

There is no volume associated with this partition.

======================================================================================================

Disk: 0
Partition 4
Type    : de94bba4-06d1-4d40-a16a-bfd50179d6ac
Hidden  : Yes
Required: Yes
Attrib  : 0X8000000000000001

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3         WINRETOOLS   NTFS   Partition    490 MB  Healthy    Hidden  

======================================================================================================

Disk: 0
Partition 5
Type    : ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
Hidden  : No
Required: No
Attrib  : 0000000000000000

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     C   OS           NTFS   Partition    284 GB  Healthy            

======================================================================================================

Disk: 0
Partition 6
Type    : de94bba4-06d1-4d40-a16a-bfd50179d6ac
Hidden  : Yes
Required: Yes
Attrib  : 0X8000000000000001

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4                      NTFS   Partition    450 MB  Healthy    Hidden  

======================================================================================================

Disk: 0
Partition 7
Type    : de94bba4-06d1-4d40-a16a-bfd50179d6ac
Hidden  : Yes
Required: Yes
Attrib  : 0X8000000000000001

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 5         PBR Image    NTFS   Partition     12 GB  Healthy    Hidden  

======================================================================================================

Partitions of Disk 1:
===============


Disk ID: 0B4790E4

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary             29 GB  1024 KB

======================================================================================================

Disk: 1
Partition 1
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 6     D   ESD-ISO      NTFS   Removable     29 GB  Healthy            

======================================================================================================

Partitions of Disk 2:
===============


Disk ID: 00000000

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            998 MB    31 KB

======================================================================================================

Disk: 2
Partition 1
Type  : 0B
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 7     E   WDO_MEDIA64  FAT32  Removable    998 MB  Healthy            

======================================================================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: 2DCEEA90

Partition : GPT Partition Type
==============================
Partitions of Disk 1:
===============
Disk ID: 0B4790E4
Partition 1: (Active) - (Size=30 GB) - (Type=07 NTFS)

==============================
Partitions of Disk 2:
===============
Disk ID: 00000000

Partition: GPT Partition Type.

The boot configuration data store could not be opened.
The system cannot find the file specified.


****** End Of Log ******
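To make the GPT entries in the ListParts logs above readable, here is an added Python example (not part of this thread and not Farbar's code) that parses a constructed excerpt in the same layout, maps the partition type GUIDs to their standard meanings, and decodes the attribute bits that ListParts reports as "Required". The parser, its field names and the `GPT_TYPES` table are my own; the OEM GUID from the log is vendor-specific and is deliberately left unmapped.

```python
import re
# Standard GPT partition type GUIDs; the OEM GUID seen in the log is vendor-specific and stays unmapped.
GPT_TYPES = {
    "c12a7328-f81f-11d2-ba4b-00a0c93ec93b": "EFI System Partition (boot components)",
    "e3c9e316-0b5c-4db8-817d-f92df00215ae": "Microsoft Reserved",
    "ebd0a0a2-b9e5-4433-87c0-68b6b72699c7": "Basic data",
    "de94bba4-06d1-4d40-a16a-bfd50179d6ac": "Windows Recovery Environment",
}
PLATFORM_REQUIRED = 1 << 0   # GPT attribute bit 0, what ListParts prints as "Required"
NO_DRIVE_LETTER = 1 << 63    # Windows attribute bit 63: the volume gets no drive letter
# Constructed excerpt in the ListParts layout used in this thread (values copied from the log above).
LISTPARTS_LOG = """Disk: 0
Partition 1
Type    : c12a7328-f81f-11d2-ba4b-00a0c93ec93b
Hidden  : Yes
Required: No
Attrib  : 0X8000000000000000

Disk: 0
Partition 5
Type    : ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
Hidden  : No
Required: No
Attrib  : 0000000000000000

Disk: 0
Partition 6
Type    : de94bba4-06d1-4d40-a16a-bfd50179d6ac
Hidden  : Yes
Required: Yes
Attrib  : 0X8000000000000001
"""
BLOCK = re.compile(r"Disk: (\d+)\nPartition (\d+)\nType\s*: ([0-9a-f-]{36})\n.*?Attrib\s*: (\w+)", re.S)

def parse_listparts(text):
    """Return one dict per GPT partition block, with type name and decoded attribute bits."""
    parts = []
    for disk, num, guid, attrib in BLOCK.findall(text):
        attr = int(attrib, 16)               # accepts both "0X8000..." and bare "0000..."
        parts.append({
            "disk": int(disk), "partition": int(num),
            "type": GPT_TYPES.get(guid, "unknown/OEM"),
            "required": bool(attr & PLATFORM_REQUIRED),
            "no_letter": bool(attr & NO_DRIVE_LETTER),
        })
    return parts

def find_esp(parts):
    """UEFI firmware locates boot components by the ESP type GUID, not by an MBR 'Active' flag."""
    return [p for p in parts if p["type"].startswith("EFI System")]
```

Running `parse_listparts(LISTPARTS_LOG)` shows the ESP as not platform-required with no drive letter, the OS volume with no attribute bits set, and the recovery partition with bit 0 set, matching the "Required" column ListParts printed.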





