
I might have a Rootkit


  • This topic is locked
78 replies to this topic

#1 docfxit

docfxit

  • Members
  • 135 posts
  • OFFLINE
  •  
  • Local time:11:31 PM

Posted 10 May 2017 - 02:54 PM

Is there a way to run FRST on a drive connected via USB?

 

I have a Win7 install on which I am getting a stop 0x7b BSOD. I have a thread in the BSOD forum and they were not able to figure out the problem. I have performed many things to resolve it. I'd like to try to discover if the Win7 install has a Virus, Trojan, Spyware or Malware that is stopping it from booting. I have removed the drive from PC #1 and connected it to PC #2 via USB. When I run FRST I don't see a way to point it to the USB G: drive.

 

I have run Bitdefender and the Malwarebytes Rootkit scan from PC #2 on the G: drive.

   NOTE: I realize these programs can't analyze the registry of the Win7 installed on the G: drive, but they can search the files.

 

How can I diagnose the G: drive for infections?

 

Thank you,

 

Docfxit


Edited by docfxit, 10 May 2017 - 03:01 PM.



#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,760 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:31 AM

Posted 15 May 2017 - 02:55 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> https://www.bleepingcomputer.com/logreply/646306 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was follow the previous instructions and tell me so. You can skip the rest of this post. If you do need help, please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 docfxit

docfxit
  • Topic Starter

  • Members
  • 135 posts
  • OFFLINE
  •  
  • Local time:11:31 PM

Posted 16 May 2017 - 09:54 AM

Thank you for looking at this problem for me.

I can't boot into normal or safe mode.  When I do I get a BSOD 0x7b.

I do have a Win7 install CD 32bit.

Even though it's not in the instructions for running FRST, I figured out that FRST can be run from the recovery console.

This output has been run from the recovery console.  It didn't produce the file Addition.txt so I can't attach it.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 14-05-2017
Ran by SYSTEM on MININT-2F7B0GI (16-05-2017 08:45:26)
Running from C:\Users\Gary\Desktop\SpywareRemovers
Platform: Windows 7 Professional Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery
Default: ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [UnlockerAssistant] => C:\Programs\Unlocker\UnlockerAssistant.exe [17408 2017-02-12] ()
HKLM\...\Run: [Power Manager Startup Utility] => C:\Program Files\Lenovo\PowerMgr\DPMHost.exe [26880 2017-02-12] ()
HKLM\...\Run: [IconSaver] => C:\Programs\IconSaver\IconSaver.exe [110592 2017-02-12] ()
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [287592 2017-02-12] (Intel Corporation)
HKLM\...\Run: [EvtMgr6] => C:\Program Files\Logitech\SetPointP\SetPoint.exe [2312824 2017-02-12] (Logitech, Inc.)
HKLM\...\Run: [ClipX] => C:\Programs\ClipX\clipx.exe [199168 2017-02-12] ()
HKLM\...\Run: [Client Access Service] => C:\Programs\Client Access\cwbsvstr.exe [14848 2017-02-12] (IBM Corporation)
HKLM\...\Run: [Bitvise SSH Server Activation State Checker] => C:\Programs\BitviseSSHServer\BssActStateCheck.exe [253288 2017-02-12] (Bitvise Limited)
HKLM\...\Run: [Bdagent] => C:\Programs\Bitdefender\Bitdefender 2016\bdagent.exe [1850008 2017-02-12] (Bitdefender)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [508128 2017-02-12] (Adobe Systems Incorporated)
HKLM\...\Run: [MyBackupPC] => C:\Programs\MyBackupPC\mybackuppc.exe [170791 2017-02-12] (Rerware LLC)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [10889832 2017-02-12] (Realtek Semiconductor)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [587288 2017-02-12] (Oracle Corporation)
HKLM\...\Policies\Explorer: [NoCDBurning] 0
Lsa: [Authentication Packages] msv1_0 BvLsa
Startup: C:\Users\Gary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AS400SignOn.lnk [2017-02-12]
ShortcutTarget: AS400SignOn.lnk ->  (No File)
Startup: C:\Users\Gary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk [2017-02-12]
ShortcutTarget: ERUNT AutoBackup.lnk -> C:\Programs\ERUNT\AUTOBACK.EXE ()
Startup: C:\Users\Gary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Launch K9.lnk [2017-02-12]
ShortcutTarget: Launch K9.lnk -> C:\Programs\K9\K9.exe (KeirNet)
Startup: C:\Users\Gary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Spell Catcher Plus.LNK [2017-02-12]
ShortcutTarget: Spell Catcher Plus.LNK -> C:\Programs\Spell Catcher Plus\Spell Catcher.exe (Rainmaker Research, Inc.)
GroupPolicyScripts: Restriction <======= ATTENTION
GroupPolicyScripts\User: Restriction <======= ATTENTION

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 AGSService; C:\Program Files\Common Files\Adobe\AdobeGCClient\AGSService.exe [2021056 2017-02-12] (Adobe Systems, Incorporated)
S2 atashost; C:\Windows\system32\atashost.exe [149752 2017-02-12] (Cisco WebEx LLC)
S2 BvSshServer; C:\Programs\BitviseSSHServer\BvSshServer.exe [7882648 2017-02-12] (Bitvise Limited)
S2 Cerberus FTP Server; C:\Programs\FTP Cerberus Server\CerberusGUI.exe [9802504 2017-02-12] (Cerberus, LLC)
S3 cphs; C:\Windows\system32\IntelCpHeciSvc.exe [280696 2017-02-12] (Intel Corporation)
S3 Cwbrxd; C:\Windows\cwbrxd.exe [94208 2017-02-12] (IBM Corporation)
S2 FirebirdGuardianDefaultInstance; C:\Program Files\Firebird\Firebird_2_5\bin\fbguard.exe [98304 2017-02-12] (Firebird Project)
S3 FirebirdServerDefaultInstance; C:\Program Files\Firebird\Firebird_2_5\bin\fbserver.exe [3784704 2017-02-12] (Firebird Project)
S3 Garmin Device Interaction Service; C:\Programs\Garmin\Device Interaction Service\GarminService.exe [965136 2017-02-12] (Garmin Ltd. or its subsidiaries)
S2 HPSupportSolutionsFrameworkService; C:\Program Files\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe [28736 2017-02-12] (Hewlett-Packard Company)
S3 ICCS; C:\Program Files\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe [169752 2017-02-12] (Intel Corporation)
S2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [274040 2017-02-12] (Intel Corporation)
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [686552 2017-02-12] (Intel® Corporation)
S2 jhi_service; C:\Program Files\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [158496 2017-02-12] (Intel Corporation)
S2 LBAEvent; C:\Program Files\Lenovo\LBAI\LBAEvent.exe [15520 2017-02-12] (Lenovo)
S3 Media Center 22 Service; C:\Programs\JRiver\Media Center 22\JRService.exe [399608 2017-02-12] (JRiver, Inc.)
S2 Mezzmo; C:\Programs\Mezzmo\MezzmoMediaServer.exe [7636840 2017-02-12] (Conceiva Pty. Ltd.)
S2 MsDepSvc; C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe [84624 2017-02-12] (Microsoft Corporation)
S2 MySQL55; C:\Programs\MySQL\MySQL Server 5.5\my.ini [9499 2017-02-12] ()
S2 PDQInventory; C:\Program Files\Admin Arsenal\PDQ Inventory\PDQInventoryService.exe [106336 2017-02-12] (Admin Arsenal)
S3 Power Manager DBC Service; C:\Program Files\Lenovo\PowerMgr\PWMDBSVC.EXE [61696 2017-02-12] (Lenovo)
S2 ProductAgentService; C:\Program Files\Bitdefender Agent\ProductAgentService.exe [1100392 2017-02-12] (Bitdefender)
S2 ReflectService.exe; C:\Program Files\Macrium\Reflect\ReflectService.exe [2613200 2017-02-12] (Paramount Software UK Ltd)
S2 RetroInstScanService; C:\Program Files\Retrospect\InstantScan\retroisarun.exe [11776 2017-02-12] ()
S2 RetroLauncher; C:\Program Files\Retrospect\Retrospect 11.0\retrorun.exe [107872 2017-02-12] (Retrospect, Inc)
S2 Retrospect Helper; C:\Program Files\Retrospect\Retrospect 11.0\rthlpsvc.exe [179040 2017-02-12] ()
S2 rpm; C:\Programs\RPM\rpmsrv.exe [5965632 2017-02-12] (Brooks Internet Software, Inc.)
S3 salive; C:\Programs\ServersAlive\serversalive.exe [721184 2017-02-12] (Woodstone bvba)
S2 SbieSvc; C:\Programs\Sandboxie\SbieSvc.exe [154768 2017-02-12] (Sandboxie Holdings, LLC)
S2 stunnel; C:\Programs\stunnel\stunnel.exe [117248 2017-02-12] (Michal Trojnara)
S2 TeamViewer; C:\Program Files\TeamViewer\TeamViewer_Service.exe [7500048 2017-02-12] (TeamViewer GmbH)
S2 UPDATESRV; C:\Programs\Bitdefender\Bitdefender 2016\updatesrv.exe [121112 2017-02-12] (Bitdefender)
S2 uvnc_service; C:\Programs\UltraVNC\WinVNC.exe [2011440 2017-02-12] (UltraVNC)
S2 VSSERV; C:\Programs\Bitdefender\Bitdefender 2016\vsserv.exe [1415736 2017-02-12] (Bitdefender)
S4 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2017-02-12] (Microsoft Corporation)
S3 rpcapd; "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S0 amdkmafd; C:\Windows\System32\DRIVERS\amdkmafd.sys [15968 2017-02-12] (Advanced Micro Devices, Inc.)
S0 avc3; C:\Windows\System32\DRIVERS\avc3.sys [1285360 2017-02-12] (BitDefender)
S3 avckf; C:\Windows\System32\DRIVERS\avckf.sys [718488 2017-02-12] (BitDefender)
S1 bdfwfpf; C:\Program Files\Common Files\Bitdefender\Bitdefender Firewall\bdfwfpf.sys [105568 2017-02-12] (BitDefender LLC)
S4 BDVEDISK; C:\Windows\System32\DRIVERS\bdvedisk.sys [83824 2017-02-12] (BitDefender)
S3 cpudrv; C:\Program Files\SystemRequirementsLab\cpudrv.sys [11336 2017-02-12] ()
S3 dg_ksudbus; C:\Windows\System32\DRIVERS\ksudbus.sys [75776 2017-02-12] (Microsoft Corporation)
S3 dtlitescsibus; C:\Windows\System32\DRIVERS\dtlitescsibus.sys [26168 2017-02-12] (Disc Soft Ltd)
S3 dtliteusbbus; C:\Windows\System32\DRIVERS\dtliteusbbus.sys [40504 2017-02-12] (Disc Soft Ltd)
S3 e1cexpress; C:\Windows\System32\DRIVERS\e1c6232.sys [380408 2017-02-12] (Intel Corporation)
S2 giveio; C:\Windows\system32\giveio.sys [5248 2017-02-12] ()
S0 gzflt; C:\Windows\System32\DRIVERS\gzflt.sys [196008 2017-02-12] (BitDefender LLC)
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [32384 2017-02-12] ()
S3 HSFHWBS2; C:\Windows\System32\DRIVERS\HSF_HWB2.sys [251904 2017-02-12] (Conexant Systems, Inc.)
S3 HtcVCom32; C:\Windows\System32\DRIVERS\HtcVComV32.sys [105984 2017-02-12] (QUALCOMM Incorporated)
S1 HWiNFO32; C:\Windows\system32\drivers\HWiNFO32.SYS [23840 2017-02-12] (REALiX™)
S0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [24424 2017-02-12] (Intel Corporation)
S0 iusb3hcs; C:\Windows\System32\DRIVERS\iusb3hcs.sys [16880 2017-02-12] (Intel Corporation)
S3 iusb3hub; C:\Windows\System32\DRIVERS\iusb3hub.sys [352752 2017-02-12] (Intel Corporation)
S3 iusb3xhc; C:\Windows\System32\DRIVERS\iusb3xhc.sys [801776 2017-02-12] (Intel Corporation)
S3 LBAI; C:\Windows\System32\Drivers\LBAI.sys [8192 2017-02-12] (Lenovo)
S3 LEqdUsb; C:\Windows\System32\Drivers\LEqdUsb.Sys [52368 2017-02-12] (Logitech, Inc.)
S3 LHidEqd; C:\Windows\System32\Drivers\LHidEqd.Sys [20240 2017-02-12] (Logitech, Inc.)
S3 libusb0; C:\Windows\System32\DRIVERS\libusb0.sys [35776 2017-02-12] (hxxp://libusb-win32.sourceforge.net)
S3 MEI; C:\Windows\System32\DRIVERS\TeeDriver.sys [111904 2017-02-12] (Intel Corporation)
S3 MonitorFunction; C:\Windows\System32\DRIVERS\TVMonitor.sys [13304 2017-02-12] (TeamViewer GmbH)
S3 mv2; C:\Windows\System32\DRIVERS\mv2.sys [12472 2017-02-12] (Windows ® Win 7 DDK provider)
S0 MxEFUF; C:\Windows\System32\DRIVERS\MxEFUF32.sys [102728 2017-02-12] (Matrox Graphics Inc.)
S3 NAL; C:\Windows\system32\Drivers\iqvw32.sys [30368 2017-02-12] (Intel Corporation )
S1 nm3; C:\Windows\System32\DRIVERS\nm3.sys [39736 2017-02-12] (Microsoft Corporation)
S2 NPF; C:\Windows\System32\drivers\npf.sys [36600 2017-02-12] (Riverbed Technology, Inc.)
S3 pikbd; C:\Windows\System32\DRIVERS\pikbd.sys [21528 2017-02-12] (Christian Gulden)
S3 PSMounterEx; C:\Windows\system32\drivers\psmounterex.sys [156048 2017-02-12] (Windows ® Win 7 DDK provider)
S0 pssnap; C:\Windows\System32\DRIVERS\pssnap.sys [16016 2017-02-12] (Windows ® Win 7 DDK provider)
S3 PSVolAcc; C:\Windows\System32\Drivers\PSVolAcc.sys [11728 2017-02-12] (Paramount Software UK Ltd)
S3 pwdrvio; C:\Windows\system32\pwdrvio.sys [17160 2017-02-12] ()
S3 pwdspio; C:\Windows\system32\pwdspio.sys [13064 2017-02-12] ()
S3 SbieDrv; C:\Programs\Sandboxie\SbieDrv.sys [177808 2017-02-12] (Sandboxie Holdings, LLC)
S3 SmbDrvI; C:\Windows\System32\DRIVERS\Smb_driver_Intel.sys [28656 2017-02-12] (Synaptics Incorporated)
S2 speedfan; C:\Windows\system32\speedfan.sys [24184 2017-02-12] (Almico Software)
S0 SscRdBus; C:\Windows\System32\DRIVERS\SscRdBus.sys [92840 2017-02-12] (SuperSpeed LLC)
S0 SscRdCls; C:\Windows\System32\DRIVERS\SscRdCls.sys [40984 2017-02-12] (SuperSpeed LLC)
S3 teamviewervpn; C:\Windows\System32\DRIVERS\teamviewervpn.sys [25088 2017-02-12] (TeamViewer GmbH)
S3 udsstub; C:\Windows\System32\DRIVERS\udsstub.sys [16000 2017-02-12] (SysNucleus)
S1 VBoxNetAdp; C:\Windows\System32\DRIVERS\VBoxNetAdp6.sys [104568 2017-02-12] (Oracle Corporation)
S1 VBoxNetLwf; C:\Windows\System32\DRIVERS\VBoxNetLwf.sys [169016 2017-02-12] (Oracle Corporation)
S1 VD_FileDisk; C:\Windows\System32\Drivers\VD_FileDisk.sys [24680 2017-02-12] (CaptainFlint Software)
S3 vpcbus; C:\Windows\System32\DRIVERS\vpchbus.sys [172416 2017-02-12] (Microsoft Corporation)
S1 vpcnfltr; C:\Windows\System32\DRIVERS\vpcnfltr.sys [48128 2017-02-12] (Microsoft Corporation)
S3 vpcusb; C:\Windows\System32\DRIVERS\vpcusb.sys [78336 2017-02-12] (Microsoft Corporation)
S1 vpcvmm; C:\Windows\System32\drivers\vpcvmm.sys [296064 2017-02-12] (Microsoft Corporation)
S3 debutfilter; system32\DRIVERS\debutfilterx86.sys [X]
S0 fltsrv; system32\DRIVERS\fltsrv.sys [X]
S0 iaStorA; system32\DRIVERS\iaStorA.sys [X]
S3 igfx; system32\DRIVERS\igdkmd32.sys [X]
S3 IntcAzAudAddService; system32\drivers\RTKVHDA.sys [X]
S3 NLNdisMP; system32\DRIVERS\nlndis.sys [X]
S3 NLNdisPT; system32\DRIVERS\nlndis.sys [X]
S3 PcdrNdisuio; system32\DRIVERS\pcdrndisuio.sys [X]
S0 snapman; system32\DRIVERS\snapman.sys [X]
S3 taphss6; system32\DRIVERS\taphss6.sys [X]
S5 UnlockerDriver5; C:\Programs\Unlocker\UnlockerDriver5.sys [4096 2017-02-12] ()
S3 VBoxNetFlt; system32\DRIVERS\VBoxNetFlt.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-05-16 08:32 - 2017-05-16 08:45 - 00000000 ____D C:\Users\Gary\Desktop\SpywareRemovers
2017-05-13 09:27 - 2017-05-16 08:45 - 00000000 ____D C:\FRST
2017-04-25 10:46 - 2010-11-20 13:29 - 00194432 _____ (Microsoft Corporation) C:\Windows\System32\halmacpi.dll
2017-04-25 10:44 - 2010-11-20 13:29 - 00137088 _____ (Microsoft Corporation) C:\Windows\System32\halacpi.dll
2017-04-25 09:20 - 2017-04-25 09:20 - 00000073 _____ C:\Windows\{97cfa917-3844-4a7a-ac31-a6f1f232767b}
2017-04-25 09:20 - 2017-02-12 05:45 - 00399860 __RSH C:\bootmgr

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-05-10 19:40 - 2017-02-24 10:21 - 00000000 ____D C:\Windows\Tmp
2017-05-09 13:00 - 2009-07-13 20:52 - 00032768 _____ C:\Windows\System32\config\BCD-Template
2017-05-07 19:02 - 2017-02-20 06:33 - 00000000 ____D C:\BCD_Backup
2017-04-25 10:47 - 2012-08-10 22:36 - 00000000 ____D C:\Temp

==================== Known DLLs (Whitelisted) =========================


==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\dnsapi.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Association (Whitelisted) =============


==================== Restore Points  =========================


==================== Memory info ===========================

Percentage of memory in use: 7%
Total physical RAM: 8077.12 MB
Available physical RAM: 7458.46 MB
Total Virtual: 8075.41 MB
Available Virtual: 7481.55 MB

==================== Drives ================================

Drive c: (Windows7_OS) (Fixed) (Total:44.2 GB) (Free:2.85 GB) NTFS ==>[drive with boot components (obtained from BCD)]
Drive e: (DocfxitXP) (Fixed) (Total:179.17 GB) (Free:30.77 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive f: (GSP1RMCULFRER_EN_DVD) (CDROM) (Total:2.39 GB) (Free:0 GB) UDF
Drive g: (MULTIBOOT) (Removable) (Total:0.95 GB) (Free:0.07 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SecurityPartition) (Fixed) (Total:0.2 GB) (Free:0.16 GB) NTFS ==>[system with boot components (obtained from drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 223.6 GB) (Disk ID: 44942579)
Partition 1: (Active) - (Size=203 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=44.2 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=179.2 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 977.5 MB) (Disk ID: 06547C13)
Partition 1: (Active) - (Size=976 MB) - (Type=0C)

LastRegBack: 2017-02-12 05:19

==================== End of FRST.txt ============================

 

Thank you,

 

Docfxit
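The question in post #1 (how to check an install that is mounted as a data drive when a scanner cannot read its registry) and the `[X]` entries in the FRST log above come down to the same offline triage: load the offline SYSTEM and SOFTWARE hives, walk the services and Run keys the way FRST does, and check whether each referenced file is present and signed. The PowerShell below is an added example, not part of the thread and not FRST's code. It assumes an elevated PowerShell on the working PC and that the offline install is mounted at `G:\Windows` (the G: letter from post #1); the `OfflineSYSTEM`/`OfflineSOFTWARE` mount names are arbitrary choices made here.

```powershell
# Offline triage of a Windows install mounted as a data drive (added example, not FRST).
# Assumes an elevated PowerShell on the working PC and the offline install at G:\Windows.
param([string]$OfflineWindows = 'G:\Windows')

$offlineRoot = Split-Path -Qualifier $OfflineWindows          # "G:"
$config      = Join-Path $OfflineWindows 'System32\config'
$sysKey      = 'HKLM\OfflineSYSTEM'                           # mount names for the hives
$swKey       = 'HKLM\OfflineSOFTWARE'                         # (arbitrary, chosen here)

# Turn a path as stored in the offline registry into a path on the mounted drive.
function Resolve-OfflinePath([string]$raw) {
    $p = $raw.Trim()
    if     ($p -match '^"([^"]+)"')              { $p = $Matches[1] }   # quoted path + arguments
    elseif ($p -match '^(.*?\.(?:exe|sys|dll))') { $p = $Matches[1] }   # unquoted path + arguments
    $p = $p -replace '^\\\?\?\\', ''                                    # \??\C:\... prefix
    $p = $p -replace '^(\\SystemRoot|%SystemRoot%)', $OfflineWindows
    $p = $p -replace '^%ProgramFiles%', "$offlineRoot\Program Files"
    if     ($p -match '^[A-Za-z]:\\')            { $p = $offlineRoot + $p.Substring(2) }      # C:\ -> G:\
    elseif ($p -match '^(system32|syswow64)\\')  { $p = Join-Path $OfflineWindows $p }         # system32\DRIVERS\x.sys
    elseif ($p -notmatch '^[A-Za-z]:')           { $p = Join-Path $OfflineWindows "System32\$p" }  # bare name
    return $p
}

# Load the same hive files FRST read while it ran from the recovery console.
foreach ($pair in @(@($sysKey, 'SYSTEM'), @($swKey, 'SOFTWARE'))) {
    & reg.exe load $pair[0] (Join-Path $config $pair[1]) | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "could not load $($pair[1]) hive from $config" }
}

try {
    # FRST reported "Default: ControlSet001"; read the same Select\Default value the kernel uses.
    $csNum  = (Get-ItemProperty "HKLM:\OfflineSYSTEM\Select").Default
    $csName = 'ControlSet{0:D3}' -f $csNum

    $services = foreach ($svc in Get-ChildItem "HKLM:\OfflineSYSTEM\$csName\Services") {
        $props = Get-ItemProperty -LiteralPath $svc.PSPath
        if (-not $props.ImagePath) { continue }
        $file   = Resolve-OfflinePath $props.ImagePath
        $exists = Test-Path -LiteralPath $file
        # Catalog-signed Windows files show as NotSigned when checked offline (the offline drive's
        # catalogs are not consulted), so NotSigned means "hash it against a known-good copy",
        # not "malicious"; a Valid embedded signature from an unexpected signer is what to review.
        $status = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $file).Status } else { 'n/a' }
        [pscustomobject]@{
            Service   = $svc.PSChildName
            Start     = $props.Start          # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            File      = $file
            Missing   = -not $exists
            Signature = $status
        }
    }

    # HKLM Run/RunOnce; per-user Run keys live in each profile's NTUSER.DAT (not loaded here).
    $runKeys  = 'HKLM:\OfflineSOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                'HKLM:\OfflineSOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    $autoruns = foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $vals = Get-ItemProperty -LiteralPath $key
        foreach ($name in ($vals.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' })) {
            $file = Resolve-OfflinePath ([string]$vals.$name)
            [pscustomobject]@{ Name = $name; File = $file; Missing = -not (Test-Path -LiteralPath $file) }
        }
    }

    "== Boot/system-start services whose file is missing (a stop 0x7B candidate when it is a storage driver) =="
    $services | Where-Object { $_.Missing -and $_.Start -ne $null -and $_.Start -le 1 } | Format-Table -AutoSize
    "== Services whose file is present but carries no valid embedded signature (review, then hash against known-good) =="
    $services | Where-Object { -not $_.Missing -and "$($_.Signature)" -ne 'Valid' } | Format-Table -AutoSize
    "== HKLM Run/RunOnce entries =="
    $autoruns | Format-Table -AutoSize
}
finally {
    [gc]::Collect()                                          # drop provider handles before unloading
    & reg.exe unload $sysKey 2>&1 | Out-Null
    & reg.exe unload $swKey  2>&1 | Out-Null
}
```

Run it as `.\Offline-Triage.ps1 -OfflineWindows 'G:\Windows'` from an elevated prompt; `reg.exe load` needs administrator rights, and the `finally` block unloads the hives even if a check throws. The first table is the one that matters for a stop 0x7B: a boot-start (`Start 0`) storage driver such as the `iaStorA.sys` entry marked `[X]` in the log above is exactly the kind of missing file that stops Windows from mounting its boot volume, which is a configuration problem rather than evidence of a rootkit.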



#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,821 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:31 AM

Posted 19 May 2017 - 07:03 PM

Welcome :)

 

 

We will need more information.

  • Download the enclosed file. Save it in the same location FRST is saved
  • Run FRST as you did before and click on the Fix button
  • It should produce a log in the same location FRST is saved, Fixlog.txt.
  • Please post it in your next reply

 

Open FRST as you did before.
Type the following in the edit box on FRST, after "Search:".

iaStorA.sys;snapman.sys

It then should look like:

Search: iaStorA.sys;snapman.sys

Click the Search Files button and post the log (Search.txt) it makes in the same location FRST is saved in your next reply.
 


No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 docfxit

docfxit
  • Topic Starter

  • Members
  • 135 posts
  • OFFLINE
  •  
  • Local time:11:31 PM

Posted 21 May 2017 - 06:02 PM

Thank you for working on this.

 

Here are the files you requested:

Attached File  Fixlog.txt   781bytes   6 downloads

Attached File  Search.txt   238bytes   7 downloads

 

For other people that might read this:

When you can't boot Win7, you can run FRST from Windows Repair Console. 

My Win7 showed in Windows Repair Console that it was on drive D: (yours may be different)

I copied the program FRST to the desktop of drive D:. When it's run from there, it won't find the Fixlist.txt file even though it's in the same folder.

I put FRST.exe and Fixlist.txt on a thumb drive and ran it from the thumb drive within the repair console, and it found Fixlist.txt.

 

When you run FRST.exe and you have more than one OS on the drive, FRST.exe will ask you which OS you want it to report on.

 

Thank you,

Docfxit



#6 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,821 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:31 AM

Posted 21 May 2017 - 06:14 PM

We will need more information.

  • Download the enclosed file. Save it in the same location FRST is saved
  • Run FRST as you did before and click on the Fix button
  • It should produce a log in the same location FRST is saved, Fixlog.txt.
  • Please post it in your next reply

 

Open FRST as you did before.
Type the following in the edit box on FRST, after "Search:".

iaStorA.sys;snapman.sys (note there is a semicolon between files)

It then should look like:

Search: iaStorA.sys;snapman.sys  (note there is a semicolon between files)

Click the Search Files button and post the log (Search.txt) it makes in the same location FRST is saved in your next reply.




#7 docfxit

docfxit
  • Topic Starter

  • Members
  • 135 posts
  • OFFLINE
  •  
  • Local time:11:31 PM

Posted 21 May 2017 - 09:40 PM

Thank you for the reply...

 

Here are the files you requested:

 

Attached File  Fixlog.txt   5.41KB   7 downloads

 

Attached File  Search.txt   238bytes   7 downloads

 

Thank you,

 

Docfxit



#8 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,821 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:31 AM

Posted 22 May 2017 - 12:04 PM

Your computer has critical files missing. I would suggest you boot with the Installation CD and perform a Startup Repair and see if that solves the issue. If not, the Startup Repair will produce a report. Post it here.

 

See here for instructions.




#9 docfxit

docfxit
  • Topic Starter

  • Members
  • 135 posts
  • OFFLINE
  •  
  • Local time:11:31 PM

Posted 22 May 2017 - 10:08 PM

I couldn't find the instructions on where to find the report in the link you provided.

I did find a log at:

%WINDIR%\System32\LogFiles\Srt\SrtTrail.txt.

 

Attached File  SrtTrail.txt   16KB   4 downloads

 

Thank you,

 

Docfxit



#10 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,821 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:31 AM

Posted 22 May 2017 - 10:28 PM

Re-run FRST. This time around, click on List BCD. Post the new log.



#11 docfxit

docfxit
  • Topic Starter

  • Members
  • 135 posts
  • OFFLINE
  •  
  • Local time:11:31 PM

Posted 22 May 2017 - 11:34 PM

This report will include the BCD:

 

Attached File  FRST.txt   17.6KB   10 downloads

 

Thank you very much for your time,

 

Docfxit



#12 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,821 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:31 AM

Posted 22 May 2017 - 11:53 PM

Did you attempt a dual boot with XP?



#13 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,821 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:31 AM

Posted 22 May 2017 - 11:54 PM

Will review this in the am.



#14 docfxit

docfxit
  • Topic Starter

  • Members
  • 135 posts
  • OFFLINE
  •  
  • Local time:11:31 PM

Posted 23 May 2017 - 10:45 AM

Did you attempt a dual boot with XP?

 

Yes.



#15 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,821 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:31 AM

Posted 23 May 2017 - 11:21 AM

 

Did you attempt a dual boot with XP?

 

Yes.

 

I believe the setting is wrong: XP does not have a Winload path but a boot order to an NTLDR.

 

Let's try this fix.

  • Download the enclosed file. Save it in the same location FRST is saved
  • Run FRST as you did before and click on the Fix button
  • It should produce a log in the same location FRST is saved, Fixlog.txt.
  • Please post it in your next reply

Attempt to boot to Windows 7.


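Post #15 reasons from the BCD: a Windows 7 entry is a "Windows Boot Loader" object that boots through winload.exe, while an XP entry has to be a "Windows Legacy OS Loader" object pointing at NTLDR, and an entry whose boot file is not on the partition it names cannot boot. The PowerShell below is an added example (not from the thread, FRST, or Microsoft) that dumps an offline BCD store with `bcdedit /store ... /enum all` and checks each entry's boot file. It assumes an elevated prompt, English bcdedit output, that the store is at `$Store` (the small active partition normally holds `\Boot\BCD`; `S:` is an assumed mount letter), and that the offline C: is now mounted as G: (edit `$DriveMap`).

```powershell
# Added example: list the loader entries of an offline BCD store and check that each entry's
# boot file is actually present. Assumes elevation and English bcdedit output.
param([string]$Store = 'S:\Boot\BCD')       # assumption: the boot partition is mounted as S:
# "partition=C:" inside the BCD names letters as the offline system saw them; map them to where
# those partitions are mounted now (assumption: the offline C: is G: on this PC).
$DriveMap = @{ 'C:' = 'G:' }

function Get-BcdEntries([string]$StorePath) {
    $lines = & bcdedit.exe /store $StorePath /enum all
    if ($LASTEXITCODE -ne 0) { throw "bcdedit could not open $StorePath" }
    $entries = @(); $cur = $null
    foreach ($line in $lines) {
        if ($line -match '^\s*$') {                       # a blank line ends an entry
            if ($cur) { $entries += [pscustomobject]$cur; $cur = $null }
            continue
        }
        if ($line -match '^-+$') { continue }             # underline beneath the entry type
        if (-not $cur) { $cur = [ordered]@{ Type = $line.Trim() }; continue }
        if ($line -match '^(\S+)\s+(.*)$') { $cur[$Matches[1]] = $Matches[2].Trim() }
        # continuation lines (extra inherit/displayorder values) start with spaces and are skipped
    }
    if ($cur) { $entries += [pscustomobject]$cur }
    return $entries
}

function Test-BcdEntries([string]$StorePath, [hashtable]$Map) {
    foreach ($e in Get-BcdEntries $StorePath) {
        if (-not $e.path) { continue }                   # settings-only objects carry no boot file
        $dev  = if ($e.device -match '^partition=([A-Za-z]:)') { $Matches[1] } else { $null }
        $now  = if ($dev -and $Map.ContainsKey($dev)) { $Map[$dev] } else { $dev }
        $file = if ($now) { $now + $e.path } else { $null }
        [pscustomobject]@{
            Identifier  = $e.identifier
            Type        = $e.Type          # "Windows Boot Loader" (winload) vs "Windows Legacy OS Loader" (ntldr)
            Device      = $e.device
            Path        = $e.path
            CheckedFile = $file
            Present     = if ($file) { Test-Path -LiteralPath $file } else { 'unknown device' }
        }
    }
}

Test-BcdEntries -StorePath $Store -Map $DriveMap | Format-Table -AutoSize
```

Read the table the way post #15 does: an entry of type "Windows Boot Loader" whose device holds the XP install will show `Path \Windows\system32\winload.exe` with `Present False`, because XP has no winload and must instead be reached through a "Windows Legacy OS Loader" entry with `Path \ntldr`. Devices the BCD records as `partition=\Device\HarddiskVolumeN` or `unknown` cannot be mapped to a letter from outside the offline system and are reported as `unknown device` rather than guessed.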




