
Black screen w/Cursor


  • This topic is locked
3 replies to this topic

#1 ryohanlon


Posted 15 January 2018 - 07:35 AM

I would appreciate any help with the appended FarBar FRST64 log file.

 

Original problem manifested itself as frozen Windows 7 64-bit operation requiring a 6-second reboot. Rebooting caused a blue screen.

The Microsoft Windows repair took 16 hours (1TB with 600 used); that led to booting to a black screen with a mouse cursor.

I created a recovery cd via recdisc on a desktop system that allowed me to backup my files (~30 GB) via DOS.

 

These are the steps I have taken to fix my 2-year-old Toshiba Satellite thus far:

- repair windows

  this took ~18 hours to complete and led to the black screen with mouse cursor

- there were no system restore points available and I had no image to restore

- chkdsk /x 

  didn't find any problems (but took >10 hours)

- ran memory test, 2 passes with no errors

- sfc /scannow followed by a reboot and running again led to same reboot request message

- sfc /scannow /offbootdir=c:\ /offwindir=c:\windows

  The above command resulted in something like Windows Resource Protection did not detect any integrity violations

- replaced HD

- cloned old HD to new hard drive (took 16 hours using Acronis 2013, ignored sector errors)

- chkdsk /x , took < 1 hour (new drive is ssd)

- repeated a bunch of the above steps a few times

- cloned new internal HD to external USB HD, took ~3 hours

 

I now have a Windows 7 system that boots quickly to a black screen with a cursor.

 

- ran FRST64

here are the results

(I see that maybe rpcss.dll is not 'legit', but didn't want to proceed without guidance)

 

 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 14.01.2018
Ran by SYSTEM on MININT-GVQ2IAA (15-01-2018 05:10:28)
Running from F:\farbar recovery tool
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery
Default: ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [] => [X]
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13667032 2014-02-24] (Realtek Semiconductor)
HKLM\...\Run: [TCrdMain] => C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe [2853968 2014-02-25] (TOSHIBA Corporation)
HKLM\...\Run: [TPwrMain] => C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE [595840 2012-03-02] ()
HKLM\...\Run: [BatteryManager] => C:\Program Files\TOSHIBA\Power Saver\TBatmgrTrayIcon.exe [287104 2014-02-25] (TOSHIBA Corporation)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2810608 2014-02-21] (Synaptics Incorporated)
HKLM\...\Run: [TSleepSrv] => C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe [1500240 2013-04-16] (TOSHIBA)
HKLM\...\Run: [Teco] => C:\Program Files\TOSHIBA\TECO\Teco.exe [1604168 2013-11-26] (TOSHIBA Corporation)
HKLM\...\Run: [TosSENotify] => C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [711040 2013-08-20] (TOSHIBA Corporation)
HKLM\...\Run: [TosVolRegulator] => C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [292848 2013-12-20] (Intel Corporation)
HKLM-x32\...\Run: [ToshibaServiceStation] => C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe [1298816 2011-07-11] (TOSHIBA Corporation)
HKLM-x32\...\Run: [UsbCipHelper] => C:\Program Files (x86)\Rockwell Automation\UsbCipDriver\UsbCipHelper\UsbCipHelper.exe [2846208 2016-02-18] (Rockwell Automation, Inc.)
HKLM-x32\...\Run: [ControlCenter3] => C:\Program Files (x86)\Brother\ControlCenter3\brctrcen.exe [114688 2008-12-24] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [BrStsMon00] => C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe [2629632 2012-09-25] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [Dropbox] => C:\Program Files (x86)\Dropbox\Client\Dropbox.exe [3567928 2017-12-04] (Dropbox, Inc.)
HKLM-x32\...\Run: [Intuit SyncManager] => C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe [3776824 2015-11-03] (Intuit Inc. All rights reserved.)
HKLM-x32\...\Run: [WRSVC] => C:\Program Files (x86)\Webroot\WRSA.exe [1061680 2017-11-07] (Webroot)
HKLM-x32\...\Run: [ActivationNotifier] => C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\Tools\ActivationNotifier.exe [113488 2014-09-09] (Rockwell Automation, Inc.)
HKLM-x32\...\Run: [FactoryTalk Directory Information] => C:\Program Files (x86)\Common Files\Rockwell\FTLoginLogout.exe [360664 2015-10-19] (Rockwell Automation, Inc.)
HKLM-x32\...\Run: [ITSecMng] => %ProgramFiles(x86)%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
HKLM-x32\...\Run: [SOPAS USB Listener] => C:\Program Files (x86)\SICK\SOPAS ET\SopasUSBListener.exe [245760 2015-05-08] ()
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2017-07-21] (Oracle Corporation)
HKLM-x32\...\Run: [Cisco AnyConnect Secure Mobility Agent for Windows] => C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe [975248 2015-07-24] (Cisco Systems, Inc.)
HKLM\...\RunOnce: [*WerKernelReporting] => C:\Windows\SYSTEM32\WerFault.exe [415232 2009-07-13] (Microsoft Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\PCANotify: C:\Windows\SysWOW64\PCANotify.dll [2007-04-27] (Symantec Corporation)
HKLM\...\Policies\Explorer: [NoViewOnDrive] 0
HKLM\...\Policies\Explorer: [DisableLocalMachineRun] 0
HKLM\...\Policies\Explorer: [DisableLocalMachineRunOnce] 0
HKLM\...\Policies\Explorer: [DisableCurrentUserRun] 0
HKLM\...\Policies\Explorer: [DisableCurrentUserRunOnce] 0
HKLM\...\Policies\Explorer: [NoViewContextMenu] 0
HKLM\...\Policies\Explorer: [NoShellSearchButton] 0
HKLM\...\Policies\Explorer: [NoFind] 0
HKLM\...\Policies\Explorer: [NoFile] 0
HKLM\...\Policies\Explorer: [HideClock] 0
HKLM\...\Policies\Explorer: [NoTrayContextMenu] 0
HKLM\...\Policies\Explorer: [NoTrayItemsDisplay] 0
HKLM\...\Policies\Explorer: [NoSetFolders] 0
HKLM\...\Policies\Explorer: [NoDevMgrUpdate] 0
HKLM\...\Policies\Explorer: [NoSetTaskbar] 0
HKLM\...\Policies\Explorer: [NoDeletePrinter] 0
HKLM\...\Policies\Explorer: [NoDFSTab] 0
HKLM\...\Policies\Explorer: [NoChangeStartMenu] 0
HKLM\...\Policies\Explorer: [NoLogoff] 0
HKLM\...\Policies\Explorer: [NoWindowsUpdate] 0
HKLM\...\Policies\Explorer: [NoEncryptOnMove] 0
HKLM\...\Policies\Explorer: [NoRunasInstallPrompt] 0
HKLM\...\Policies\Explorer: [NoResolveSearch] 0
HKLM\...\Policies\Explorer: [NoSaveSettings] 0
HKLM\...\Policies\Explorer: [NoHardwareTab] 0
HKLM\...\Policies\Explorer: [NoStartMenuSubFolders] 0
HKLM\...\Policies\Explorer: [NoDesktop] 0
HKU\Paul\...\Policies\system: [DisableCMD] 0
HKU\Paul\...\Policies\system: [NoDispAppearancePage] 0
HKU\Paul\...\Policies\system: [NoDispBackgroundPage] 0
HKU\Paul\...\Policies\system: [NoDispSettingsPage] 0
HKU\Paul\...\Policies\Explorer: [NoViewOnDrive] 0
HKU\Paul\...\Policies\Explorer: [DisableLocalMachineRun] 0
HKU\Paul\...\Policies\Explorer: [DisableLocalMachineRunOnce] 0
HKU\Paul\...\Policies\Explorer: [DisableCurrentUserRun] 0
HKU\Paul\...\Policies\Explorer: [DisableCurrentUserRunOnce] 0
HKU\Paul\...\Policies\Explorer: [NoViewContextMenu] 0
HKU\Paul\...\Policies\Explorer: [NoShellSearchButton] 0
HKU\Paul\...\Policies\Explorer: [NoFind] 0
HKU\Paul\...\Policies\Explorer: [NoFile] 0
HKU\Paul\...\Policies\Explorer: [HideClock] 0
HKU\Paul\...\Policies\Explorer: [NoTrayContextMenu] 0
HKU\Paul\...\Policies\Explorer: [NoTrayItemsDisplay] 0
HKU\Paul\...\Policies\Explorer: [NoSetFolders] 0
HKU\Paul\...\Policies\Explorer: [NoDevMgrUpdate] 0
HKU\Paul\...\Policies\Explorer: [NoSetTaskbar] 0
HKU\Paul\...\Policies\Explorer: [NoDeletePrinter] 0
HKU\Paul\...\Policies\Explorer: [NoDFSTab] 0
HKU\Paul\...\Policies\Explorer: [NoChangeStartMenu] 0
HKU\Paul\...\Policies\Explorer: [NoLogoff] 0
HKU\Paul\...\Policies\Explorer: [NoWindowsUpdate] 0
HKU\Paul\...\Policies\Explorer: [NoEncryptOnMove] 0
HKU\Paul\...\Policies\Explorer: [NoRunasInstallPrompt] 0
HKU\Paul\...\Policies\Explorer: [NoResolveSearch] 0
HKU\Paul\...\Policies\Explorer: [NoSaveSettings] 0
HKU\Paul\...\Policies\Explorer: [NoHardwareTab] 0
HKU\Paul\...\Policies\Explorer: [NoStartMenuSubFolders] 0
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 1784-PCIDS DeviceNet; C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\PcidsService.exe [109568 2012-06-05] (Rockwell Automation)
S2 awhost32; C:\Program Files (x86)\Symantec\pcAnywhere\awhost32.exe [136568 2008-09-05] (Symantec Corporation)
S4 Bonjour Service; C:\Program Files (x86)\Xamarin\Bonjour\mDNSResponder.exe [394752 2015-07-15] (Apple Inc.)
S2 chromoting; C:\Program Files (x86)\Google\Chrome Remote Desktop\63.0.3239.32\remoting_host.exe [71512 2017-11-02] (Google Inc.)
S2 dbupdate; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2016-08-25] (Dropbox, Inc.)
S3 dbupdatem; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2016-08-25] (Dropbox, Inc.)
S2 DbxSvc; C:\Windows\system32\DbxSvc.exe [51016 2017-12-04] (Dropbox, Inc.)
S3 deskPDF Studio XE; C:\Program Files\deskPDF Studio XE\ws.exe [2320848 2016-04-03] (LULU Software)
S3 deskPDF Studio XE CrashHandler; C:\Program Files\deskPDF Studio XE\crash-handler-ws.exe [920528 2016-04-03] (LULU Software)
S2 deskPDF Studio XE Creator; C:\Program Files\deskPDF Studio XE\creator-ws.exe [733136 2016-04-03] (LULU Software)
S2 dsNcService; C:\Program Files (x86)\Juniper Networks\Common Files\dsNcService.exe [673744 2017-02-16] (Pulse Secure, LLC)
S2 dts_apo_service; C:\Program Files (x86)\DTS, Inc\DTS Studio Sound\dts_apo_service.exe [21840 2014-03-04] ()
S3 EmuLogix 5868 Slot0; C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [1425408 2005-07-08] (Rockwell Automation)
S3 EmuLogix 5868 Slot1; C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [1425408 2005-07-08] (Rockwell Automation)
S3 EmuLogix 5868 Slot10; C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [1425408 2005-07-08] (Rockwell Automation)
S3 EmuLogix 5868 Slot11; C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [1425408 2005-07-08] (Rockwell Automation)
S3 EmuLogix 5868 Slot12; C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [1425408 2005-07-08] (Rockwell Automation)
S3 EmuLogix 5868 Slot13; C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [1425408 2005-07-08] (Rockwell Automation)
S3 EmuLogix 5868 Slot14; C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [1425408 2005-07-08] (Rockwell Automation)
S3 EmuLogix 5868 Slot15; C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [1425408 2005-07-08] (Rockwell Automation)
S3 EmuLogix 5868 Slot16; C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [1425408 2005-07-08] (Rockwell Automation)
S3 EmuLogix 5868 Slot2; C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [1425408 2005-07-08] (Rockwell Automation)
S3 EmuLogix 5868 Slot3; C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [1425408 2005-07-08] (Rockwell Automation)
S3 EmuLogix 5868 Slot4; C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [1425408 2005-07-08] (Rockwell Automation)
S3 EmuLogix 5868 Slot5; C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [1425408 2005-07-08] (Rockwell Automation)
S3 EmuLogix 5868 Slot6; C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [1425408 2005-07-08] (Rockwell Automation)
S3 EmuLogix 5868 Slot7; C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [1425408 2005-07-08] (Rockwell Automation)
S3 EmuLogix 5868 Slot8; C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [1425408 2005-07-08] (Rockwell Automation)
S3 EmuLogix 5868 Slot9; C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe [1425408 2005-07-08] (Rockwell Automation)
S2 FactoryTalk Activation Service; C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\lmgrd.exe [1443632 2013-06-19] (Flexera Software LLC)
S2 FactoryTalk Gateway; C:\Program Files (x86)\Rockwell Software\RSOPC Gateway\RSOPCGateway.exe [588136 2011-11-18] (Rockwell Automation, Inc.)
S2 FTActivationBoost; C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\Tools\FTActivationBoost.exe [149840 2014-09-09] (Rockwell Automation, Inc.)
S2 FTAE_Archiver; C:\Program Files (x86)\Common Files\Rockwell\FTAEArchiver.exe [72920 2015-10-21] (Rockwell Automation, Inc.)
S2 FTAE_HistServ; C:\Program Files (x86)\Common Files\Rockwell\FTAE_HistServ.exe [158936 2015-10-21] (Rockwell Automation, Inc.)
S2 FTSysDiagSvcHost; C:\Program Files (x86)\Common Files\Rockwell\FTSysDiagSvcHost.exe [76504 2015-07-06] (Rockwell Automation, Inc.)
S3 fussvc; C:\Program Files (x86)\Windows Kits\8.1\App Certification Kit\fussvc.exe [142336 2014-02-19] (Microsoft Corporation)
S3 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [227904 2014-02-25] (WildTangent)
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [828376 2013-08-27] (Intel® Corporation)
S2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [131544 2013-12-09] (Intel Corporation)
S2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-12-09] (Intel Corporation)
S3 LogReceiver; C:\Program Files (x86)\Rockwell Software\RSLinx Enterprise\LogReceiver.exe [82648 2015-10-25] (Rockwell Automation, Inc.)
S2 MSSQL$SQLEXPRESS; c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [29293408 2010-12-10] (Microsoft Corporation)
S4 msvsmon80; C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x64\msvsmon.exe [4476096 2005-09-23] (Microsoft Corporation)
S4 msvsmon90; C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x64\msvsmon.exe [4466688 2007-11-07] (Microsoft Corporation)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [268192 2015-03-19] ()
S2 PassThru Service; C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [166912 2013-10-17] ()
S2 radaq; C:\Program Files (x86)\Rockwell Software\Studio 5000\Common\V2\bin\daq.exe [5337576 2015-11-03] (Rockwell Automation, Inc.)
S2 ramkMsgKernelSvc; C:\Program Files (x86)\Rockwell Software\Studio 5000\Common\V2\bin\ramkMsgKernelSvc.exe [51176 2015-11-03] (Rockwell Automation, Inc.)
S2 raOSGi; C:\Program Files (x86)\Rockwell Software\Studio 5000\Common\V2\bin\raOSGi.exe [86528 2015-11-03] (Apache Software Foundation)
S2 RnaAeServer; C:\Program Files (x86)\Common Files\Rockwell\RnaAeServer.exe [165592 2015-10-21] (Rockwell Automation, Inc.)
S2 RnaAlarmMux; C:\Program Files (x86)\Common Files\Rockwell\RnaAlarmMux.exe [736472 2015-10-21] (Rockwell Automation, Inc.)
S3 RSLinx; C:\Program Files (x86)\Rockwell Software\RSLinx\RSLINX.EXE [3318968 2016-06-13] (Rockwell Automation, Inc.)
S2 RSLinxNG; C:\Program Files (x86)\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe [308440 2015-10-25] (Rockwell Automation, Inc.)
S3 SimModuleService; C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\SimModuleService.exe [95232 2012-06-05] ()
S2 SMITS; C:\windows\SysWOW64\SMITSC.exe [13312 2015-01-08] ()
S2 ss_conn_service; C:\Program Files\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe [754784 2016-07-21] (DEVGURU Co., LTD.)
S3 Te.Service; C:\Program Files (x86)\Windows Kits\8.1\Testing\Runtimes\TAEF\Wex.Services.exe [119808 2013-08-22] (Microsoft Corporation)
S3 Visual Studio Analyzer RPC bridge; C:\Program Files (x86)\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\varpc.exe [34036 1998-06-05] (Microsoft Corporation)
S3 VsEtwService120; C:\Program Files\Microsoft Visual Studio 12.0\Common7\Packages\Debugger\Services\VsEtwService.exe [87728 2013-10-04] (Microsoft Corporation)
S3 VSStandardCollectorService140; C:\Program Files (x86)\Microsoft Visual Studio 14.0\Team Tools\DiagnosticsHub\Collector\StandardCollector.Service.exe [52968 2015-07-06] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
S2 WRSVC; C:\Program Files (x86)\Webroot\WRSA.exe [1061680 2017-11-07] (Webroot)
S2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3820960 2015-03-19] (Intel® Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 akshasp; C:\Windows\System32\DRIVERS\akshasp.sys [87864 2017-02-10] (SafeNet, Inc.)
S3 aksusb; C:\Windows\System32\DRIVERS\aksusb.sys [332088 2017-02-10] (SafeNet, Inc.)
S1 awecho; C:\Windows\SysWow64\drivers\awechomd.sys [16696 2007-03-30] (Symantec Corporation)
S1 AW_HOST; C:\Windows\SysWow64\drivers\aw_host5.sys [23864 2007-03-30] (Symantec Corporation)
S2 config; C:\Windows\System32\DRIVERS\ibtfudrv.sys [120528 2014-04-14] (Intel Corporation)
S3 FTDIBUS; C:\Windows\System32\drivers\ftdibus.sys [118160 2016-10-04] (Future Technology Devices International Ltd.)
S3 FTSER2K; C:\Windows\System32\drivers\ftser2k.sys [88752 2016-10-04] ()
S2 Hardlock; C:\windows\system32\drivers\hardlock.sys [1287496 2017-02-10] (SafeNet, Inc.)
S0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [28008 2013-11-21] (Intel Corporation)
S3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [100312 2013-12-09] (Intel Corporation)
S3 NETwNs64; C:\Windows\System32\DRIVERS\Netwsw02.sys [3440408 2015-03-23] (Intel Corporation)
S0 PxHlpa64; C:\Windows\System32\drivers\PxHlpa64.sys [56336 2013-07-19] (Corel Corporation)
S3 qcusbser; C:\Windows\System32\DRIVERS\qcusbser.sys [254520 2017-03-15] (QUALCOMM Incorporated)
S3 RAUSBCIP; C:\Windows\System32\drivers\rausbcipwdf.sys [112032 2016-03-03] (Rockwell Automation, Inc.)
S3 RSP2STOR; C:\Windows\System32\DRIVERS\RtsP2Stor.sys [293592 2014-02-11] (Realtek Semiconductor Corp.)
S3 RSSERIAL; C:\Windows\SysWOW64\RSSERIAL.SYS [155440 1999-05-11] (Rockwell Software Inc.)
S3 SmbDrvI; C:\Windows\System32\DRIVERS\Smb_driver_Intel.sys [31472 2014-02-21] (Synaptics Incorporated)
S1 soldisk5; C:\windows\system32\drivers\soldisk5.sys [230592 2013-12-12] (EldoS Corporation)
S1 solfs5; C:\windows\system32\drivers\solfs5.sys [418496 2013-12-12] (EldoS Corporation)
S1 VirtualBackplane; C:\Windows\System32\Drivers\VirtualBackplane.sys [51200 2011-06-02] (Rockwell Automation)
S3 vpnva; C:\Windows\System32\DRIVERS\vpnva64-6.sys [52592 2015-07-24] (Cisco Systems, Inc.)
S3 WDC_SAM; C:\Windows\System32\DRIVERS\wdcsam64_prewin8.sys [23200 2016-04-19] (Western Digital Technologies)
S0 WRkrn; C:\Windows\System32\drivers\WRkrn.sys [143744 2017-10-10] (Webroot)
S3 wrUrlFlt; C:\windows\system32\DRIVERS\wrUrlFlt.sys [67024 2017-11-09] (Webroot)
S3 NAVENG; \??\C:\Program Files (x86)\Norton Security with Backup\NortonData\22.6.0.142\Definitions\SDSDefs\20160727.008\ENG64.SYS [X]
S3 NAVEX15; \??\C:\Program Files (x86)\Norton Security with Backup\NortonData\22.6.0.142\Definitions\SDSDefs\20160727.008\EX64.SYS [X]
S3 pcidnt; \SystemRoot\System32\Drivers\pcidnt.sys [X]
S0 SR; no ImagePath
S2 srservice; no ImagePath
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-01-15 05:10 - 2018-01-15 05:10 - 000000000 ____D C:\FRST
2018-01-14 16:23 - 2018-01-14 16:23 - 000719440 _____ C:\Windows\Minidump\011418-5928-01.dmp
2018-01-14 15:11 - 2018-01-14 15:11 - 000719440 _____ C:\Windows\Minidump\011418-5974-01.dmp
2018-01-11 13:57 - 2018-01-15 02:19 - 002643960 _____ C:\Windows\ntbtlog.txt
2018-01-10 13:24 - 2018-01-10 13:24 - 000000000 __SHD C:\found.000
2018-01-09 17:23 - 2018-01-09 17:23 - 000000000 ____D C:\Users\Paul\Documents\DataMan Images
2018-01-05 12:44 - 2018-01-05 12:44 - 000002357 _____ C:\Users\Public\Desktop\DataMan 5.7.0_sr2 Setup Tool.lnk
2018-01-05 12:44 - 2018-01-05 12:44 - 000002357 _____ C:\ProgramData\Desktop\DataMan 5.7.0_sr2 Setup Tool.lnk
2018-01-05 12:44 - 2018-01-05 12:44 - 000000000 ____D C:\Users\Paul\Documents\Cognex
2018-01-04 09:57 - 2018-01-04 09:58 - 000000004 ____H C:\ProgramData\cm-lock
2017-12-19 10:07 - 2017-12-19 10:07 - 000000000 ____D C:\Users\Paul\AppData\Local\GoToAssist Remote Support Customer
2017-12-19 10:07 - 2017-12-19 10:07 - 000000000 ____D C:\Users\Paul\AppData\Local\GoTo Opener
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-01-15 02:19 - 2017-10-10 10:10 - 000114672 _____ (Webroot) C:\Windows\System32\WRusr.dll
2018-01-15 02:19 - 2017-01-22 04:15 - 000182192 _____ (Webroot) C:\Windows\SysWOW64\WRusr.dll
2018-01-14 16:23 - 2017-03-09 21:13 - 684978122 _____ C:\Windows\MEMORY.DMP
2018-01-14 16:23 - 2017-03-09 21:13 - 000000000 ____D C:\Windows\Minidump
2018-01-14 12:51 - 2015-05-16 04:28 - 000000000 ____D C:\ProgramData\WRData
2018-01-13 14:32 - 2009-07-13 19:20 - 000000000 ____D C:\Windows\System32\winevt
2018-01-12 13:04 - 2017-01-26 11:15 - 000000000 ____D C:\Users\Paul\Desktop\install
2018-01-12 11:04 - 2017-01-21 19:33 - 000000000 ____D C:\Users\Paul\Desktop\IndustrySys
2018-01-10 02:23 - 2017-01-26 13:31 - 000000068 __RSH C:\Windows\System32\Drivers\WUDFRd.winsecurity
2018-01-10 01:53 - 2017-01-26 13:31 - 000000068 __RSH C:\Windows\System32\Drivers\vpcvmm.winsecurity
2018-01-10 01:39 - 2017-05-04 17:34 - 000000904 _____ C:\Windows\Tasks\DropboxUpdateTaskMachineUA.job
2018-01-10 01:30 - 2014-12-11 02:06 - 000000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2018-01-10 01:30 - 2009-07-13 20:45 - 000027568 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2018-01-10 01:30 - 2009-07-13 20:45 - 000027568 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2018-01-09 18:47 - 2017-05-04 17:34 - 000000900 _____ C:\Windows\Tasks\DropboxUpdateTaskMachineCore.job
2018-01-08 11:01 - 2017-10-19 07:08 - 000000000 ____D C:\Users\Paul\Desktop\Rice Lake
2018-01-05 12:44 - 2009-07-13 19:20 - 000000000 ____D C:\Windows\inf
2018-01-05 12:42 - 2014-12-11 02:13 - 000000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2018-01-05 12:35 - 2017-08-11 08:18 - 000000000 ____D C:\SerialPortTester
2018-01-04 21:02 - 2015-10-20 11:14 - 000016008 _____ C:\Users\Paul\Desktop\notestome.txt
2018-01-04 10:04 - 2009-07-13 21:13 - 000882980 _____ C:\Windows\System32\PerfStringBackup.INI
2018-01-04 09:55 - 2009-07-13 21:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2017-12-19 14:58 - 2016-05-14 16:22 - 000000000 ____D C:\Users\Paul\AppData\Local\CrashDumps
 
Some files in TEMP:
====================
2001-04-30 14:01 - 2001-04-30 14:01 - 000733344 _____ (Microsoft Corporation) C:\Users\Paul\AppData\Local\Temp\hhupd.exe
2017-08-07 07:57 - 2017-08-07 07:57 - 000740416 _____ (Oracle Corporation) C:\Users\Paul\AppData\Local\Temp\jre-8u144-windows-au.exe
2017-11-09 11:34 - 2017-11-09 11:34 - 002073168 _____ (Pulse Secure, LLC) C:\Users\Paul\AppData\Local\Temp\JuniperSetupClientInstaller.exe
2017-02-22 08:44 - 2017-11-09 11:34 - 002458096 _____ () C:\Users\Paul\AppData\Local\Temp\neoNCSetup64.exe
2017-01-26 12:21 - 2007-10-15 11:12 - 000145184 _____ (Microsoft Corporation) C:\Users\Paul\AppData\Local\Temp\ose00000.exe
2017-12-15 08:37 - 2017-12-15 08:37 - 000043520 ____N () C:\Users\Paul\AppData\Local\Temp\proxy_vole9168869582135008588.dll
2017-01-21 07:58 - 2006-05-24 09:10 - 000455600 _____ (Macrovision Corporation) C:\Users\Paul\AppData\Local\Temp\_isA6C9.exe
2017-10-20 06:56 - 2017-10-20 07:01 - 000000000 _____ () C:\Users\Paul\AppData\Local\Temp\{8718A85C-BBEE-4BEF-AABD-35CD76CC7631}-DropboxClient_37.4.29.exe
 
==================== Known DLLs (Whitelisted) =========================
 
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2017-05-25 08:04] - [2017-04-17 07:37] - 000512000 _____ (Microsoft Corporation) 5E9F8D029D9B03110D835CBFC058068B
 
C:\Windows\System32\dnsapi.dll => MD5 is legit
C:\Windows\SysWOW64\dnsapi.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== Association (Whitelisted) =============
 
 
==================== Restore Points  =========================
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 13%
Total physical RAM: 8108.17 MB
Available physical RAM: 7048.8 MB
Total Virtual: 8106.37 MB
Available Virtual: 7083.63 MB
 
==================== Drives ================================
 
Drive c: (TI10709000C) (Fixed) (Total:922.38 GB) (Free:395.47 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive d: (System) (Fixed) (Total:1.46 GB) (Free:1.24 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive e: (Repair disc Windows 7 64-bit) (CDROM) (Total:0.16 GB) (Free:0 GB) UDF
Drive f: () (Removable) (Total:0.94 GB) (Free:0.2 GB) FAT
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 953.9 GB) (Disk ID: D9E28589)
Partition 1: (Active) - (Size=1.5 GB) - (Type=27)
Partition 2: (Not Active) - (Size=922.4 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=30 GB) - (Type=17)
 
========================================================
Disk: 1 (Size: 962.2 MB) (Disk ID: A722C209)
Partition 1: (Active) - (Size=962 MB) - (Type=0E)
 
LastRegBack: 2016-04-08 05:57
 
==================== End of FRST.txt ============================

Edited by ryohanlon, 15 January 2018 - 12:52 PM.
Moved to Malware Removal Logs Forum. FRST log included.



#2 Oh My!

  • Malware Response Instructor
  • 37,398 posts

Posted 17 January 2018 - 09:13 PM

Greetings ryohanlon and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far.

The rpcss.dll file is legitimate.

While at the black screen with cursor hit ctrl + alt + del at the same time. Can you tell me if you have an option to select Task Manager?

Please do this.

===================================================

Farbar's Recovery Scan Tool - Run Fix

--------------------
  • From a clean computer press the at the same time
  • Type notepad and press Enter
  • Copy and paste the contents of the below code box into the open notepad and save it on the flashdrive as fixlist.txt
C:\ProgramData\cm-lock
2018-01-10 02:23 - 2017-01-26 13:31 - 000000068 __RSH C:\Windows\System32\Drivers\WUDFRd.winsecurity
2018-01-10 01:53 - 2017-01-26 13:31 - 000000068 __RSH C:\Windows\System32\Drivers\vpcvmm.winsecurity
C:\Users\Paul\AppData\Local\Temp\hhupd.exe
S3 pcidnt; \SystemRoot\System32\Drivers\pcidnt.sys [X]
S0 SR; no ImagePath
S2 srservice; no ImagePath
Replace: C:\Windows\Minidump\011418-5928-01.dmp F:\farbar recovery tool
Replace: C:\Windows\Minidump\011418-5974-01.dmp F:\farbar recovery tool
emptytemp:
  • Insert the USB device into your infected computer
  • Enter the Recovery Command Prompt as you previously did
  • Run FRST as you did the first time and press Fix
  • A Fixlog.txt document will be saved on your USB device
  • Copy and paste that information in your reply.
  • 2 .dmp files will be placed on your USB device. Please attach those files to your reply
  • Attempt to boot your computer into Normal Mode or, if not, Safe Mode
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Task Manager?
  • Fixlog
  • Attached .dmp files
  • Does your computer boot properly?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."
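Several entries in the fixlist above are exactly the ones FRST marked as orphaned (`[X]` or `no ImagePath`), and the one file in the Bamital & volsnap section without an "MD5 is legit" verdict is the rpcss.dll the original poster asked about. The following Python script is an added example, not part of this thread and not FRST's own code: it parses a few lines copied from the log above into sections, lists the orphaned service and driver entries, and pulls out the MD5 of any file FRST could not verify so an analyst can check it by hand against a known-good reference, which is what FRST's own note says must happen.

```python
import re

# Constructed sample made of lines copied from the FRST log posted above
SAMPLE_LOG = """\
==================== Services (Whitelisted) ====================
S2 WRSVC; C:\\Program Files (x86)\\Webroot\\WRSA.exe [1061680 2017-11-07] (Webroot)
==================== Drivers (Whitelisted) ======================
S3 aksusb; C:\\Windows\\System32\\DRIVERS\\aksusb.sys [332088 2017-02-10] (SafeNet, Inc.)
S3 pcidnt; \\SystemRoot\\System32\\Drivers\\pcidnt.sys [X]
S0 SR; no ImagePath
S2 srservice; no ImagePath
==================== Bamital & volsnap ======================
C:\\Windows\\System32\\winlogon.exe => MD5 is legit
C:\\Windows\\System32\\rpcss.dll
[2017-05-25 08:04] - [2017-04-17 07:37] - 000512000 _____ (Microsoft Corporation) 5E9F8D029D9B03110D835CBFC058068B
C:\\Windows\\System32\\dnsapi.dll => MD5 is legit
"""

# "==== Section name ====" banners; the spaces around the name keep a bare
# run of '=' (which FRST also prints) from being taken as a section header
SECTION_RE = re.compile(r"^=+\s+(.+?)\s+=+$")
# "S3 pcidnt; \SystemRoot\...\pcidnt.sys [X]" -> start type, name, target
SVC_RE = re.compile(r"^([SR]\d)\s+(.+?);\s*(.*)$")
# 32 hex digits at the end of FRST's version/hash detail line
MD5_RE = re.compile(r"\b([0-9A-Fa-f]{32})\s*$")


def split_sections(text):
    """Group non-empty log lines under the banner that precedes them."""
    sections, current = {}, "header"
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line.strip():
            sections.setdefault(current, []).append(line.rstrip())
    return sections


def orphaned_entries(lines):
    """Service/driver entries whose binary is missing or that have no ImagePath."""
    found = []
    for line in lines:
        m = SVC_RE.match(line)
        if not m:
            continue
        _start_type, name, target = m.groups()
        if target.endswith("[X]"):
            found.append((name, "file missing"))
        elif target == "no ImagePath":
            found.append((name, "no ImagePath"))
    return found


def unverified_files(lines):
    """Files in the Bamital & volsnap section not marked 'MD5 is legit'.

    FRST prints the path on one line and the version/hash details on the
    next, so each bare path is paired with the MD5 on the following line."""
    found = []
    for i, line in enumerate(lines):
        if "=> MD5 is legit" in line or not line.startswith(("C:\\", "\\")):
            continue
        md5 = None
        if i + 1 < len(lines):
            m = MD5_RE.search(lines[i + 1])
            md5 = m.group(1).upper() if m else None
        found.append((line.strip(), md5))
    return found


def triage(text):
    """Return the entries an analyst would review before writing a fixlist."""
    sections = split_sections(text)
    orphaned = []
    for name in ("Services (Whitelisted)", "Drivers (Whitelisted)"):
        orphaned += orphaned_entries(sections.get(name, []))
    return {
        "orphaned": orphaned,
        "unverified": unverified_files(sections.get("Bamital & volsnap", [])),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name, why in result["orphaned"]:
        print(f"orphaned entry: {name} ({why})")
    for path, md5 in result["unverified"]:
        print(f"verify by hand: {path} MD5={md5}")
```

Running it against the full FRST.txt from the thread instead of the embedded sample yields the same three orphaned entries and the single unverified rpcss.dll, which the reply above confirmed as legitimate.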

#3 Oh My!


Posted 20 January 2018 - 09:39 AM

Greetings,

===================================================

Do You Still Need Help?

It has been 3 days since my last post.
  • Do you still need help with this?
  • If you have not replied within 48 hours I will assume you have abandoned the Topic and it will be closed.

Gary

#4 Oh My!


Posted 22 January 2018 - 08:32 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
Gary
