after spybot scan, laptop boot up with black screen


  • This topic is locked
35 replies to this topic

#1 zeotrex

zeotrex

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:09:36 PM

Posted 15 June 2018 - 04:32 AM

I googled for help and read a few posts here which are similar to my situation. Please help...

 

My friend's laptop was last scanned with Spybot and after the reboot it just came up with a black screen... power is on... and I tried several solutions which were not helpful. Here is the situation...

 

The laptop screen is always black. I plugged in an external LCD and it works on the monitor. Windows was directed to auto repair, which did not help. I tried F8, but cannot boot into any safe mode nor last good startup..

 

On the repair screen, I tried the restore points; there are 3 restore points: 1. the last day when it crashed, 2. and 3. are Windows critical updates. All 3 restore points are not working; when they restore halfway, they just fail.

 

Please help

 

Oops... Win 7 it is


Edited by zeotrex, 15 June 2018 - 06:53 AM.




#2 hamluis

hamluis

    Moderator


  • Moderator
  • 56,298 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:08:36 AM

Posted 15 June 2018 - 06:01 AM

Which version of Windows, please?

 

Louis



#3 zeotrex

zeotrex
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:09:36 PM

Posted 15 June 2018 - 07:50 AM

I tried to run frst.exe, but was prompted "the subsystem needed to support the image type is not present."



#4 zeotrex

zeotrex
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:09:36 PM

Posted 16 June 2018 - 07:27 AM

Any help please.......



#5 polskamachina

polskamachina

  • Malware Response Team
  • 4,040 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:36 AM

Posted 18 June 2018 - 12:47 PM

Hi zeotrex :)
My name is polskamachina and I would like to :welcome: you to the Malware Removal Forum. I will be helping you with your malware issues.

What follows below are some ground rules for this forum.
 
I will reply as soon as possible (typically within 24-48 hours). In turn, I ask that you please respond within 72 hours. If you know you will be away longer than that, please let me know. I am in California at GMT-7 hours. If I do not respond to you within 48 hours, feel free to send me a private message.

Some points for you to keep in mind:

  • Do NOT run any tools unless instructed to do so.
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine. Running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Do not attach logs or use code boxes, just copy and paste the text into your replies to me.
  • I cannot see your computer. Periodically update me on the condition of your computer, and provide as much detail as you can in every post.
  • Once things seem to be working again, please do not abandon the thread. I will give an "all-clean" message at the very end.
  • NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a flash drive, anywhere except on the computer.
  • NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. Please remember to copy the entire post so you do not miss any instructions.

Let's begin:
 
Please read all of the instructions carefully before proceeding:

  • On a clean machine, please download Farbar Recovery Scan Tool and save it to a flash drive.
    Note: You need to download the version compatible with your machine. FRST.exe is for 32-bit. FRST64.exe is for 64-bit. If you are not sure which version you have, you may try both of them. Only one version will work.
  • Once you have downloaded FRST onto the clean machine, remove the flash drive and plug it into the infected PC

Next:

  • On your infected machine, enter the System Recovery Environment Command Prompt:  The directions are here. If you do not have an installation or recovery DVD, then click the next link for an alternate method to get to the command prompt and begin at Step 3.
  • Once in the Command Prompt:
    • In the command window, type notepad and press Enter
    • Notepad opens. Under the File menu, select Open
    • Select Computer, find your flash drive letter and close Notepad
    • In the command window, type e:\frst (for the x64 version, type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • A log will be created named FRST.txt and copied to your flash drive.
    • Turn off your infected computer
    • Put the flash drive back into your working computer
    • Copy and paste FRST.txt from your flash drive into your next reply to me

In summary I will need from you:

  • FRST.txt

Let me know if you have any questions.
 
polskamachina



#6 zeotrex

zeotrex
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:09:36 PM

Posted 18 June 2018 - 02:44 PM

I can't run the frst.exe...

I am prompted "the subsystem needed to support the image type is not present."



#7 polskamachina

polskamachina

  • Malware Response Team
  • 4,040 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:36 AM

Posted 18 June 2018 - 04:26 PM

Hi zeotrex :)

 

Did you try running the 64-bit version, FRST64.exe?

 

polskamachina



#8 zeotrex

zeotrex
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:09:36 PM

Posted 18 June 2018 - 09:35 PM

Oh... it works with FRST64.exe.... I thought the Windows was 32-bit...

 

let me get back to you on the log shortly



#9 zeotrex

zeotrex
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:09:36 PM

Posted 18 June 2018 - 09:38 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 06.06.2018 01
Ran by SYSTEM on MININT-7L1I4BS (19-06-2018 09:48:19)
Running from G:\
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery
Default: ControlSet002
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SmartAudio] => C:\Program Files\CONEXANT\SAII\SAIICpl.exe [307768 2010-04-27] ()
HKLM\...\Run: [Energy Management] => C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe [9768352 2012-12-16] (Lenovo (Beijing) Limited)
HKLM\...\Run: [EnergyUtility] => C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe [5940128 2012-12-16] (Lenovo(beijing) Limited)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2741544 2011-04-07] (Synaptics Incorporated)
HKLM\...\Run: [Qpost_Pro] => C:\Program Files (x86)\QPostPro\QplusPhoneSeller.exe [2520160 2014-03-02] (Giosis)
HKLM\...\Run: [AVGUI.exe] => C:\Program Files (x86)\AVG\Antivirus\AvLaunch.exe [291056 2018-04-17] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [298296 2018-04-07] (Apple Inc.)
HKLM-x32\...\Run: [YouCam Mirage] => C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe [136488 2010-12-04] (CyberLink)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2011-01-24] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [NSCSysTrayUI_XEROX] => C:\Program Files (x86)\XEROX\NetworkScan\NSCSysUI_XEROX.exe [266240 2009-01-13] (XEROX)
HKLM-x32\...\Run: [Qpost_Pro] => C:\Program Files (x86)\QPostPro\QplusPhoneSeller.exe [2520160 2014-03-02] (Giosis)
HKLM-x32\...\Run: [vProt] => C:\Program Files (x86)\AVG Web TuneUp\vprot.exe [2162760 2016-07-21] ()
HKLM-x32\...\Run: [AvgUi] => "C:\Program Files (x86)\AVG\Framework\Common\avguirna.exe" /lps=fmw
HKLM-x32\...\Run: [Dropbox] => C:\Program Files (x86)\Dropbox\Client\Dropbox.exe [3642688 2018-04-23] (Dropbox, Inc.)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [6788032 2018-04-19] (Safer-Networking Ltd.)
HKLM\...\RunOnce: [*Restore] => C:\Windows\system32\rstrui.exe [296960 2018-03-30] (Microsoft Corporation)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\Account\...\Run: [swg] => C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2012-12-18] (Google Inc.)
HKU\Account\...\Run: [AVG-Secure-Search-Update_0913b] => C:\Users\Account\AppData\Roaming\AVG 0913b Campaign\AVG-Secure-Search-Update-0913b.exe /PROMPT --mid 0acb8a3543b547d0b5e04149084ca970-8871f940fff3c513c87493a6713fb2facccaf989 --CMPID 0913b
HKU\Account\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [30877280 2014-12-10] (Skype Technologies S.A.)
HKU\Account\...\Run: [GoogleDriveSync] => C:\Program Files (x86)\Google\Drive\googledrivesync.exe [25638872 2018-04-22] (Google)
HKU\Account\...\Run: [hdacc] => C:\Program Files (x86)\JJPlayer\hdacc.exe [339640 2015-02-26] (jjvod.com)
BootExecute: autocheck autochk * sdnclean64.exe

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-06-19 09:45 - 2018-06-19 09:48 - 000000000 ____D C:\FRST

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-06-17 18:01 - 2018-05-07 02:06 - 000000000 ____D C:\Windows\pss
2018-06-17 18:01 - 2018-05-07 01:56 - 000000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2018-06-17 18:01 - 2018-05-03 06:06 - 000000000 ____D C:\Program Files\iPod
2018-06-17 18:01 - 2018-05-03 06:05 - 000000000 ____D C:\Program Files\iTunes
2018-06-17 18:01 - 2018-04-05 19:45 - 000000000 ____D C:\ProgramData\McAfee Security Scan
2018-06-17 18:01 - 2018-03-05 07:26 - 000000000 ____D C:\ProgramData\Apple Computer
2018-06-17 18:01 - 2018-01-28 06:15 - 000000000 ____D C:\Windows\System32\Tasks\AVG
2018-06-17 18:01 - 2018-01-28 06:15 - 000000000 ____D C:\Program Files\Common Files\AVG
2018-06-17 18:01 - 2016-02-02 06:33 - 000000000 ____D C:\users\TEMP
2018-06-17 18:01 - 2015-08-31 03:54 - 000000000 ____D C:\Program Files (x86)\TaobaoProtect
2018-06-17 18:01 - 2015-08-23 05:15 - 000000000 ____D C:\ProgramData\JJPlayer
2018-06-17 18:01 - 2015-05-06 06:04 - 000000000 ____D C:\Program Files (x86)\AVG Web TuneUp
2018-06-17 18:01 - 2014-12-11 03:52 - 000000000 ____D C:\Windows\System32\appraiser
2018-06-17 18:01 - 2014-06-30 17:59 - 000000000 ____D C:\Users\Account\AppData\Roaming\TaobaoProtect
2018-06-17 18:01 - 2014-04-30 06:44 - 000000000 ___SD C:\Windows\System32\CompatTel
2018-06-17 18:01 - 2013-03-16 06:32 - 000000000 ____D C:\Users\Public\Documents\ppstream
2018-06-17 18:01 - 2012-12-29 23:48 - 000000000 ____D C:\Users\Account\AppData\Roaming\PPStream
2018-06-17 18:01 - 2012-12-19 20:52 - 000000000 ____D C:\Program Files (x86)\AliWangWang
2018-06-17 18:01 - 2012-12-18 17:36 - 000000000 ____D C:\ProgramData\QvodPlayer
2018-06-17 18:01 - 2012-12-18 15:31 - 000000000 ____D C:\Windows\SysWOW64\Macromed
2018-06-17 18:01 - 2012-12-18 15:31 - 000000000 ____D C:\Windows\System32\Macromed
2018-06-17 18:01 - 2012-12-16 18:38 - 000000000 ____D C:\users\Account
2018-06-17 18:01 - 2009-07-13 19:20 - 000000000 ____D C:\Windows\rescache
2018-06-17 18:01 - 2009-07-13 19:20 - 000000000 ____D C:\Windows\inf
2018-06-17 18:01 - 2009-07-13 19:20 - 000000000 ____D C:\Program Files\Common Files\Microsoft Shared
2018-06-17 18:00 - 2009-07-13 19:20 - 000000000 ____D C:\Windows\registration
2018-06-17 17:59 - 2018-05-07 01:56 - 000000000 ____D C:\Windows\System32\Tasks\Safer-Networking
2018-06-17 17:57 - 2014-03-12 06:49 - 000000000 ____D C:\ProgramData\Real
2018-06-17 17:56 - 2016-06-05 06:23 - 000000000 ____D C:\Program Files (x86)\Dropbox
2018-06-17 17:55 - 2012-12-18 15:04 - 000000000 __RHD C:\MSOCache

Some files in TEMP:
====================
2015-10-25 06:41 - 2015-10-25 06:41 - 002892128 _____ (AVG Technologies) C:\Users\Account\AppData\Local\Temp\avg-9b037361-8333-4226-882d-164f984c737c.exe
2016-07-27 05:42 - 2016-06-21 02:49 - 000186640 _____ (AVG Technologies CZ, s.r.o.) C:\Users\Account\AppData\Local\Temp\avguirn_081364122381.exe
2016-06-01 05:11 - 2016-04-21 18:01 - 000186640 _____ (AVG Technologies CZ, s.r.o.) C:\Users\Account\AppData\Local\Temp\avguirn_081514327446.exe
2016-08-24 05:22 - 2016-07-19 22:01 - 000186640 _____ (AVG Technologies CZ, s.r.o.) C:\Users\Account\AppData\Local\Temp\avguirn_081984633679.exe
2016-04-18 05:33 - 2016-03-23 00:57 - 000186640 _____ (AVG Technologies CZ, s.r.o.) C:\Users\Account\AppData\Local\Temp\avguirn_08520692735.exe
2016-06-26 04:55 - 2016-05-17 21:03 - 000186640 _____ (AVG Technologies CZ, s.r.o.) C:\Users\Account\AppData\Local\Temp\avguirn_08691155186.exe
2016-04-07 05:37 - 2016-02-17 20:09 - 000179624 _____ (AVG Technologies CZ, s.r.o.) C:\Users\Account\AppData\Local\Temp\avguirn_0878470979.exe
2015-12-13 04:32 - 2015-12-13 04:32 - 000071168 _____ () C:\Users\Account\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpcwrzni.dll
2013-04-03 07:57 - 2013-04-03 07:57 - 000110472 _____ (TODO: <Company name>) C:\Users\Account\AppData\Local\Temp\fwupnp.dll
2016-04-20 05:30 - 2016-05-19 05:46 - 000076168 _____ (Tencent) C:\Users\Account\AppData\Local\Temp\gjdatareport.dll
2015-08-07 00:39 - 2015-08-07 00:39 - 000000000 _____ () C:\Users\Account\AppData\Local\Temp\GURBC5B.exe
2013-04-03 07:56 - 2013-04-03 07:56 - 000287240 _____ () C:\Users\Account\AppData\Local\Temp\hotchannel.exe
2013-01-12 13:09 - 2013-01-12 13:09 - 000896424 _____ (Oracle Corporation) C:\Users\Account\AppData\Local\Temp\jre-7u11-windows-i586-iftw.exe
2013-01-30 15:58 - 2013-01-30 15:58 - 000897448 _____ (Oracle Corporation) C:\Users\Account\AppData\Local\Temp\jre-7u13-windows-i586-iftw.exe
2013-03-01 12:00 - 2013-03-01 12:00 - 000897448 _____ (Oracle Corporation) C:\Users\Account\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe
2013-06-13 07:36 - 2013-06-13 07:36 - 000903592 _____ (Oracle Corporation) C:\Users\Account\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe
2013-10-08 10:27 - 2013-10-08 10:27 - 000915368 _____ (Oracle Corporation) C:\Users\Account\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
2013-12-19 09:06 - 2013-12-19 09:06 - 000921512 _____ (Oracle Corporation) C:\Users\Account\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
2014-04-15 12:50 - 2014-04-15 12:50 - 000921512 _____ (Oracle Corporation) C:\Users\Account\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
2014-07-14 11:01 - 2014-07-14 11:01 - 000918952 _____ (Oracle Corporation) C:\Users\Account\AppData\Local\Temp\jre-7u65-windows-i586-iftw.exe
2014-07-27 21:15 - 2014-07-27 21:15 - 000918440 _____ (Oracle Corporation) C:\Users\Account\AppData\Local\Temp\jre-7u67-windows-i586-iftw.exe
2013-04-03 07:57 - 2013-04-03 07:57 - 000085896 _____ (TODO: <Company name>) C:\Users\Account\AppData\Local\Temp\logclient.dll
2014-03-12 06:49 - 2018-02-22 20:33 - 000186688 _____ (RealNetworks, Inc.) C:\Users\Account\AppData\Local\Temp\lowproc.exe
2011-03-14 04:31 - 2011-03-14 04:31 - 000149352 ____R (Microsoft Corporation) C:\Users\Account\AppData\Local\Temp\ose00000.exe
2013-04-07 19:38 - 2015-08-22 20:09 - 002635088 _____ (PPTV) C:\Users\Account\AppData\Local\Temp\peer.dll
2014-01-12 23:48 - 2014-05-12 01:18 - 032099416 _____ (PPLive Corporation) C:\Users\Account\AppData\Local\Temp\PPTV_Update.exe
2013-10-29 01:46 - 2013-10-29 01:46 - 001071128 _____ (Tencent) C:\Users\Account\AppData\Local\Temp\QQPCDetector.exe
2014-07-17 19:36 - 2014-06-29 04:37 - 000031096 _____ (Tencent) C:\Users\Account\AppData\Local\Temp\qqsafeud.exe
2012-12-18 17:34 - 2012-12-18 17:34 - 033206456 _____ (Shenzhen Qvod Technology Co.,Ltd) C:\Users\Account\AppData\Local\Temp\QvodSetup5.6.123.20121213.exe
2014-10-20 01:07 - 2018-02-15 23:48 - 023903360 _____ (Shenzhen QVOD Technology Co.,Ltd) C:\Users\Account\AppData\Local\Temp\QvodSetupIOS.exe
2014-08-29 21:54 - 2014-08-29 21:54 - 000347704 _____ (Tencent) C:\Users\Account\AppData\Local\Temp\QzoneMusic.exe
2016-12-18 06:14 - 2016-12-18 06:14 - 001191856 _____ (RealNetworks, Inc.) C:\Users\Account\AppData\Local\Temp\rnsetup0.exe
2013-04-03 07:56 - 2013-04-03 07:56 - 000422280 _____ (PPLive Corporation) C:\Users\Account\AppData\Local\Temp\siteoptimize.exe
2013-06-17 22:04 - 2013-07-17 07:30 - 031954536 _____ (Skype Technologies S.A.) C:\Users\Account\AppData\Local\Temp\SkypeSetup.exe
2014-03-12 06:49 - 2017-09-04 22:52 - 000096440 _____ (RealNetworks, Inc.) C:\Users\Account\AppData\Local\Temp\stubhelper.dll
2013-04-03 07:58 - 2014-05-12 00:38 - 000350032 _____ (PPTV) C:\Users\Account\AppData\Local\Temp\tipsbubble.dll
2013-04-03 07:58 - 2015-08-22 20:09 - 000522656 _____ () C:\Users\Account\AppData\Local\Temp\tipsclient.dll
2013-04-03 07:57 - 2014-01-12 23:29 - 000108960 _____ () C:\Users\Account\AppData\Local\Temp\tipsdone.dll
2014-01-12 23:29 - 2014-01-12 23:29 - 000180560 _____ () C:\Users\Account\AppData\Local\Temp\tipsflash.dll
2013-07-22 19:49 - 2013-07-22 19:49 - 003147912 _____ (百度) C:\Users\Account\AppData\Local\Temp\TTPlayer.exe
2016-08-07 07:12 - 2016-08-07 07:12 - 001072063 _____ (Dropbox, Inc.) C:\Users\Account\AppData\Local\Temp\{3FEBEAFA-2F9F-4EE5-B54F-0CFB79050FDD}-DropboxClient_7.4.30.exe
2016-03-07 20:29 - 2016-03-07 20:29 - 007749208 _____ (Google Inc.) C:\Users\Account\AppData\Local\Temp\{AB956F80-2ACE-4045-B5A6-82F0383836F3}-49.0.2623.87_48.0.2564.116_chrome_updater.exe

==================== Known DLLs (Whitelisted) =========================


==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe
[2018-01-05 05:52] - [2017-12-31 17:50] - 000455680 _____ (Microsoft Corporation) 11D6A262B617130F7C16E308C12E0D41

C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2018-01-05 05:52] - [2017-12-31 18:18] - 000512000 _____ (Microsoft Corporation) BA6C9EE518A11DA4AD061B223EBED3D3

C:\Windows\System32\dnsapi.dll => MD5 is legit
C:\Windows\SysWOW64\dnsapi.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Association (Whitelisted) =============


==================== Restore Points  =========================

Restore point date: 2018-05-07 03:31
Restore point date: 2018-06-17 02:15

==================== Memory info ===========================

Percentage of memory in use: 10%
Total physical RAM: 8173.86 MB
Available physical RAM: 7333.08 MB
Total Virtual: 8172.06 MB
Available Virtual: 7327.81 MB

==================== Drives ================================

Drive c: (Win 7) (Fixed) (Total:307.91 GB) (Free:134.19 GB) NTFS
Drive e: (Storage) (Fixed) (Total:390.62 GB) (Free:382.78 GB) NTFS
Drive g: () (Removable) (Total:3.73 GB) (Free:3.68 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[system with boot components (obtained from drive)]


==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 698.6 GB) (Disk ID: 07D4C1E0)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=307.9 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=390.6 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Protective MBR) (Size: 3.7 GB) (Disk ID: 00000000)

Partition: GPT.

LastRegBack: 2018-05-07 03:23

==================== End of FRST.txt ============================
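A small triage helper for the FRST.txt above, added here as an example; it is not FRST's, Farbar's or BleepingComputer's code. It parses the file and autorun line shapes that appear in the log and flags what a reviewer looks at first: executables under a user's AppData/Temp tree, files with an empty or placeholder publisher, and autorun entries FRST printed without size/date (target not resolved on disk). The `Entry` class and the flag wording are my own; the sample lines are copied from the log above.

```python
"""Triage helper for FRST.txt entries (added example, not FRST's or BleepingComputer's code).

Parses the two line shapes seen in the log and applies first-pass reviewer checks
before anything goes into a fixlist.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# "<created> - <modified> - <size> <attrs> [(<company>)] <path>"
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{9}) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?(?P<path>.+)$"
)
# "HKLM-x32\...\Run: [Name] => <command> [<size> <date>] (<company>)"
RUN_RE = re.compile(r"^(?P<key>HK[^\[]*?\\Run(?:Once)?): \[(?P<name>[^\]]*)\] => (?P<cmd>.+)$")
# Metadata FRST appends only when it could resolve the autorun target on disk.
META_RE = re.compile(r" \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<company>[^)]*)\)$")

USER_TREE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\")
EXEC_EXT = (".exe", ".dll", ".scr", ".com")


@dataclass
class Entry:
    kind: str                 # "file" or "autorun"
    path: str                 # file path, or the full autorun command line
    company: str = ""
    verified: bool = True     # False when FRST printed no size/date for an autorun target
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a file or autorun line, None for headers and other text."""
    m = FILE_RE.match(line.rstrip())
    if m:
        return Entry("file", m["path"], m["company"] or "")
    m = RUN_RE.match(line.rstrip())
    if m:
        cmd = m["cmd"]
        meta = META_RE.search(cmd)
        if meta:
            return Entry("autorun", cmd[: meta.start()], meta["company"])
        return Entry("autorun", cmd, "", verified=False)
    return None


def triage(entry: Entry) -> Entry:
    """Attach review flags to one parsed entry (mutates and returns it)."""
    lower = entry.path.strip('"').lower()      # drop quoting on command lines
    in_user_tree = bool(USER_TREE_RE.match(lower))
    if entry.kind == "file" and lower.endswith(EXEC_EXT):
        if in_user_tree:
            entry.flags.append("executable in user AppData/Temp")
        if not entry.company or entry.company.startswith("TODO"):
            entry.flags.append("empty or placeholder publisher")
    elif entry.kind == "autorun":
        if not entry.verified:
            entry.flags.append("autorun target not resolved by FRST (no size/date)")
        if in_user_tree:
            entry.flags.append("autorun from user profile")
    return entry


def review(log_text: str) -> List[Entry]:
    """Parse every line of an FRST.txt fragment and return only the flagged entries."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and triage(entry).flags:
            flagged.append(entry)
    return flagged


# Sample input: seven lines copied verbatim from the FRST.txt above.
SAMPLE_LOG = r"""
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2741544 2011-04-07] (Synaptics Incorporated)
HKLM-x32\...\Run: [AvgUi] => "C:\Program Files (x86)\AVG\Framework\Common\avguirna.exe" /lps=fmw
HKU\Account\...\Run: [AVG-Secure-Search-Update_0913b] => C:\Users\Account\AppData\Roaming\AVG 0913b Campaign\AVG-Secure-Search-Update-0913b.exe /PROMPT --mid 0acb8a3543b547d0b5e04149084ca970-8871f940fff3c513c87493a6713fb2facccaf989 --CMPID 0913b
2018-06-17 18:01 - 2018-05-07 02:06 - 000000000 ____D C:\Windows\pss
2013-04-03 07:57 - 2013-04-03 07:57 - 000110472 _____ (TODO: <Company name>) C:\Users\Account\AppData\Local\Temp\fwupnp.dll
2015-08-07 00:39 - 2015-08-07 00:39 - 000000000 _____ () C:\Users\Account\AppData\Local\Temp\GURBC5B.exe
2013-01-12 13:09 - 2013-01-12 13:09 - 000896424 _____ (Oracle Corporation) C:\Users\Account\AppData\Local\Temp\jre-7u11-windows-i586-iftw.exe
"""

if __name__ == "__main__":
    for e in review(SAMPLE_LOG):
        print(f"{e.kind:8} {e.path}\n         -> {'; '.join(e.flags)}")
```

The flags are a starting point for a human reviewer, not a verdict: a signed installer left in Temp (the Oracle line) is flagged for location only, while the `[X]`-style Winlogon entry in the log is a different line shape that this parser deliberately ignores.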



#10 zeotrex

zeotrex
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:09:36 PM

Posted 18 June 2018 - 09:44 PM

Here's the log, polskamachina. Hope you could help to solve the problem. My friend needs the laptop without reformatting the system.

 

The last thing that happened was she downloaded Spybot and ran a scan. When Spybot rebooted Windows, it ended in a black screen.



#11 polskamachina

polskamachina

  • Malware Response Team
  • 4,040 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:36 AM

Posted 19 June 2018 - 11:42 AM

Hi zeotrex,
 
Good job with the FRST64 scan. :thumbup2:

 

Let's try this:

  • Put your flash drive into your clean computer
  • Download the attached file, fixlist.txt, to the same folder as FRST64.exe (on your flash drive)
  • Eject your flash drive from your working computer and put it into your nonworking computer
  • Follow the same procedure you performed previously to boot to the command prompt window
  • Run FRST64.exe from the command prompt window
  • This time, click on Fix
  • When the Fix has completed, a log will be written to your flash drive named Fixlog.txt
  • Restart your computer and let me know if it boots successfully to your desktop or you still get the black screen
  • Either way, please copy and paste Fixlog.txt into your next reply to me

In summary I will need from you:

  • Fixlog.txt
  • Was your computer able to boot to your desktop?

Let me know if you have any questions.

 

polskamachina




#12 zeotrex

zeotrex
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:09:36 PM

Posted 20 June 2018 - 03:12 AM

Hi Polskamachina,

 

Here's what happened after the system fix and restart.

 

1. The laptop's screen is still black, but it works on the external LCD monitor.

2. Windows took a while to load but failed with a blue screen.

3. However, after the blue screen, it rebooted and reached the safe mode startup screen. I tried safe mode and this time it managed to load the safe mode Windows successfully.

 

Shall I try the restore point from safe mode or uninstall Spybot?? Waiting for your instructions before doing anything..

 

Below is the new log....



#13 zeotrex

zeotrex
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:09:36 PM

Posted 20 June 2018 - 03:13 AM

Fix result of Farbar Recovery Scan Tool (x64) Version: 06.06.2018 01
Ran by SYSTEM (20-06-2018 15:55:58) Run:1
Running from G:\
Boot Mode: Recovery
==============================================

fixlist content:
*****************
2015-10-25 06:41 - 2015-10-25 06:41 - 002892128 _____ (AVG Technologies) C:\Users\Account\AppData\Local\Temp\avg-9b037361-8333-4226-882d-164f984c737c.exe
2016-07-27 05:42 - 2016-06-21 02:49 - 000186640 _____ (AVG Technologies CZ, s.r.o.) C:\Users\Account\AppData\Local\Temp\avguirn_081364122381.exe
2016-06-01 05:11 - 2016-04-21 18:01 - 000186640 _____ (AVG Technologies CZ, s.r.o.) C:\Users\Account\AppData\Local\Temp\avguirn_081514327446.exe
2016-08-24 05:22 - 2016-07-19 22:01 - 000186640 _____ (AVG Technologies CZ, s.r.o.) C:\Users\Account\AppData\Local\Temp\avguirn_081984633679.exe
2016-04-18 05:33 - 2016-03-23 00:57 - 000186640 _____ (AVG Technologies CZ, s.r.o.) C:\Users\Account\AppData\Local\Temp\avguirn_08520692735.exe
2016-06-26 04:55 - 2016-05-17 21:03 - 000186640 _____ (AVG Technologies CZ, s.r.o.) C:\Users\Account\AppData\Local\Temp\avguirn_08691155186.exe
2016-04-07 05:37 - 2016-02-17 20:09 - 000179624 _____ (AVG Technologies CZ, s.r.o.) C:\Users\Account\AppData\Local\Temp\avguirn_0878470979.exe
2015-12-13 04:32 - 2015-12-13 04:32 - 000071168 _____ () C:\Users\Account\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpcwrzni.dll
2013-04-03 07:57 - 2013-04-03 07:57 - 000110472 _____ (TODO: <Company name>) C:\Users\Account\AppData\Local\Temp\fwupnp.dll
2016-04-20 05:30 - 2016-05-19 05:46 - 000076168 _____ (Tencent) C:\Users\Account\AppData\Local\Temp\gjdatareport.dll
2015-08-07 00:39 - 2015-08-07 00:39 - 000000000 _____ () C:\Users\Account\AppData\Local\Temp\GURBC5B.exe
2013-04-03 07:56 - 2013-04-03 07:56 - 000287240 _____ () C:\Users\Account\AppData\Local\Temp\hotchannel.exe
2013-01-12 13:09 - 2013-01-12 13:09 - 000896424 _____ (Oracle Corporation) C:\Users\Account\AppData\Local\Temp\jre-7u11-windows-i586-iftw.exe
2013-01-30 15:58 - 2013-01-30 15:58 - 000897448 _____ (Oracle Corporation) C:\Users\Account\AppData\Local\Temp\jre-7u13-windows-i586-iftw.exe
2013-03-01 12:00 - 2013-03-01 12:00 - 000897448 _____ (Oracle Corporation) C:\Users\Account\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe
2013-06-13 07:36 - 2013-06-13 07:36 - 000903592 _____ (Oracle Corporation) C:\Users\Account\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe
2013-10-08 10:27 - 2013-10-08 10:27 - 000915368 _____ (Oracle Corporation) C:\Users\Account\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
2013-12-19 09:06 - 2013-12-19 09:06 - 000921512 _____ (Oracle Corporation) C:\Users\Account\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
2014-04-15 12:50 - 2014-04-15 12:50 - 000921512 _____ (Oracle Corporation) C:\Users\Account\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
2014-07-14 11:01 - 2014-07-14 11:01 - 000918952 _____ (Oracle Corporation) C:\Users\Account\AppData\Local\Temp\jre-7u65-windows-i586-iftw.exe
2014-07-27 21:15 - 2014-07-27 21:15 - 000918440 _____ (Oracle Corporation) C:\Users\Account\AppData\Local\Temp\jre-7u67-windows-i586-iftw.exe
2013-04-03 07:57 - 2013-04-03 07:57 - 000085896 _____ (TODO: <Company name>) C:\Users\Account\AppData\Local\Temp\logclient.dll
2014-03-12 06:49 - 2018-02-22 20:33 - 000186688 _____ (RealNetworks, Inc.) C:\Users\Account\AppData\Local\Temp\lowproc.exe
2011-03-14 04:31 - 2011-03-14 04:31 - 000149352 ____R (Microsoft Corporation) C:\Users\Account\AppData\Local\Temp\ose00000.exe
2013-04-07 19:38 - 2015-08-22 20:09 - 002635088 _____ (PPTV) C:\Users\Account\AppData\Local\Temp\peer.dll
2014-01-12 23:48 - 2014-05-12 01:18 - 032099416 _____ (PPLive Corporation) C:\Users\Account\AppData\Local\Temp\PPTV_Update.exe
2013-10-29 01:46 - 2013-10-29 01:46 - 001071128 _____ (Tencent) C:\Users\Account\AppData\Local\Temp\QQPCDetector.exe
2014-07-17 19:36 - 2014-06-29 04:37 - 000031096 _____ (Tencent) C:\Users\Account\AppData\Local\Temp\qqsafeud.exe
2012-12-18 17:34 - 2012-12-18 17:34 - 033206456 _____ (Shenzhen Qvod Technology Co.,Ltd) C:\Users\Account\AppData\Local\Temp\QvodSetup5.6.123.20121213.exe
2014-10-20 01:07 - 2018-02-15 23:48 - 023903360 _____ (Shenzhen QVOD Technology Co.,Ltd) C:\Users\Account\AppData\Local\Temp\QvodSetupIOS.exe
2014-08-29 21:54 - 2014-08-29 21:54 - 000347704 _____ (Tencent) C:\Users\Account\AppData\Local\Temp\QzoneMusic.exe
2016-12-18 06:14 - 2016-12-18 06:14 - 001191856 _____ (RealNetworks, Inc.) C:\Users\Account\AppData\Local\Temp\rnsetup0.exe
2013-04-03 07:56 - 2013-04-03 07:56 - 000422280 _____ (PPLive Corporation) C:\Users\Account\AppData\Local\Temp\siteoptimize.exe
2013-06-17 22:04 - 2013-07-17 07:30 - 031954536 _____ (Skype Technologies S.A.) C:\Users\Account\AppData\Local\Temp\SkypeSetup.exe
2014-03-12 06:49 - 2017-09-04 22:52 - 000096440 _____ (RealNetworks, Inc.) C:\Users\Account\AppData\Local\Temp\stubhelper.dll
2013-04-03 07:58 - 2014-05-12 00:38 - 000350032 _____ (PPTV) C:\Users\Account\AppData\Local\Temp\tipsbubble.dll
2013-04-03 07:58 - 2015-08-22 20:09 - 000522656 _____ () C:\Users\Account\AppData\Local\Temp\tipsclient.dll
2013-04-03 07:57 - 2014-01-12 23:29 - 000108960 _____ () C:\Users\Account\AppData\Local\Temp\tipsdone.dll
2014-01-12 23:29 - 2014-01-12 23:29 - 000180560 _____ () C:\Users\Account\AppData\Local\Temp\tipsflash.dll
2013-07-22 19:49 - 2013-07-22 19:49 - 003147912 _____ (百度) C:\Users\Account\AppData\Local\Temp\TTPlayer.exe
2016-08-07 07:12 - 2016-08-07 07:12 - 001072063 _____ (Dropbox, Inc.) C:\Users\Account\AppData\Local\Temp\{3FEBEAFA-2F9F-4EE5-B54F-0CFB79050FDD}-DropboxClient_7.4.30.exe
2016-03-07 20:29 - 2016-03-07 20:29 - 007749208 _____ (Google Inc.) C:\Users\Account\AppData\Local\Temp\{AB956F80-2ACE-4045-B5A6-82F0383836F3}-49.0.2623.87_48.0.2564.116_chrome_updater.exe
LastRegBack: 2018-05-07 03:23

*****************

C:\Users\Account\AppData\Local\Temp\avg-9b037361-8333-4226-882d-164f984c737c.exe => moved successfully
C:\Users\Account\AppData\Local\Temp\avguirn_081364122381.exe => moved successfully
C:\Users\Account\AppData\Local\Temp\avguirn_081514327446.exe => moved successfully
C:\Users\Account\AppData\Local\Temp\avguirn_081984633679.exe => moved successfully
C:\Users\Account\AppData\Local\Temp\avguirn_08520692735.exe => moved successfully
C:\Users\Account\AppData\Local\Temp\avguirn_08691155186.exe => moved successfully
C:\Users\Account\AppData\Local\Temp\avguirn_0878470979.exe => moved successfully
C:\Users\Account\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpcwrzni.dll => moved successfully
C:\Users\Account\AppData\Local\Temp\fwupnp.dll => moved successfully
C:\Users\Account\AppData\Local\Temp\gjdatareport.dll => moved successfully
C:\Users\Account\AppData\Local\Temp\GURBC5B.exe => moved successfully
C:\Users\Account\AppData\Local\Temp\hotchannel.exe => moved successfully
C:\Users\Account\AppData\Local\Temp\jre-7u11-windows-i586-iftw.exe => moved successfully
C:\Users\Account\AppData\Local\Temp\jre-7u13-windows-i586-iftw.exe => moved successfully
C:\Users\Account\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe => moved successfully
C:\Users\Account\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe => moved successfully
C:\Users\Account\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe => moved successfully
C:\Users\Account\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe => moved successfully
C:\Users\Account\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe => moved successfully
C:\Users\Account\AppData\Local\Temp\jre-7u65-windows-i586-iftw.exe => moved successfully
C:\Users\Account\AppData\Local\Temp\jre-7u67-windows-i586-iftw.exe => moved successfully
C:\Users\Account\AppData\Local\Temp\logclient.dll => moved successfully
C:\Users\Account\AppData\Local\Temp\lowproc.exe => moved successfully
C:\Users\Account\AppData\Local\Temp\ose00000.exe => moved successfully
C:\Users\Account\AppData\Local\Temp\peer.dll => moved successfully
C:\Users\Account\AppData\Local\Temp\PPTV_Update.exe => moved successfully
C:\Users\Account\AppData\Local\Temp\QQPCDetector.exe => moved successfully
C:\Users\Account\AppData\Local\Temp\qqsafeud.exe => moved successfully
C:\Users\Account\AppData\Local\Temp\QvodSetup5.6.123.20121213.exe => moved successfully
C:\Users\Account\AppData\Local\Temp\QvodSetupIOS.exe => moved successfully
C:\Users\Account\AppData\Local\Temp\QzoneMusic.exe => moved successfully
C:\Users\Account\AppData\Local\Temp\rnsetup0.exe => moved successfully
C:\Users\Account\AppData\Local\Temp\siteoptimize.exe => moved successfully
C:\Users\Account\AppData\Local\Temp\SkypeSetup.exe => moved successfully
C:\Users\Account\AppData\Local\Temp\stubhelper.dll => moved successfully
C:\Users\Account\AppData\Local\Temp\tipsbubble.dll => moved successfully
C:\Users\Account\AppData\Local\Temp\tipsclient.dll => moved successfully
C:\Users\Account\AppData\Local\Temp\tipsdone.dll => moved successfully
C:\Users\Account\AppData\Local\Temp\tipsflash.dll => moved successfully
C:\Users\Account\AppData\Local\Temp\TTPlayer.exe => moved successfully
C:\Users\Account\AppData\Local\Temp\{3FEBEAFA-2F9F-4EE5-B54F-0CFB79050FDD}-DropboxClient_7.4.30.exe => moved successfully
C:\Users\Account\AppData\Local\Temp\{AB956F80-2ACE-4045-B5A6-82F0383836F3}-49.0.2623.87_48.0.2564.116_chrome_updater.exe => moved successfully
DEFAULT => copied successfully to System32\config\HiveBackup
DEFAULT => restored successfully from registry back up
SAM => copied successfully to System32\config\HiveBackup
SAM => restored successfully from registry back up
SECURITY => copied successfully to System32\config\HiveBackup
SECURITY => restored successfully from registry back up
SOFTWARE => copied successfully to System32\config\HiveBackup
SOFTWARE => restored successfully from registry back up
SYSTEM => copied successfully to System32\config\HiveBackup
SYSTEM => restored successfully from registry back up

==== End of Fixlog 15:56:07 ====



#14 polskamachina

polskamachina

  • Malware Response Team
  • 4,040 posts
  • Gender:Male

Posted 20 June 2018 - 11:46 AM

Hi zeotrex,

Looks like we've made some good progress. :)

You said:

1. The laptop's screen is still black. But it works on the external LCD monitor.

2. Windows took a while to load but failed with a blue screen.

3. However, after the blue screen it rebooted and reached the Safe Mode startup screen. I tried Safe Mode and this time it managed to load Safe Mode Windows successfully.

Shall I try the restore point from Safe Mode or uninstall Spybot? I will wait for your instructions before doing anything.

If your computer is a laptop, there probably is a special function key for redirecting the video output to the external video port. Look at the function keys at the top of the keyboard and see if you can find a key with a crude graphic picture of a monitor. It may be easier to find this key by the process of elimination: look at all of the function keys and eliminate the ones which have an obvious function such as volume adjust, brightness adjust, etc. If you're still unsure, the best way to figure this out is to look on the bottom of your laptop and write down the model number. Then, using your favorite search engine, search for the owner's manual and download it. Or, you can tell me the model number and I'll find it for you.

 

When the blue screen appeared, did any messages appear? If it happens again, please take note of these messages and let me know what they are.

 

Did you try rebooting again after making it to safe mode to see if you had the option to boot to Normal mode?

 

Regarding uninstalling Spybot, the method we used to get your computer working again was to restore the last working copy of the registry. Since that registry snapshot was most likely created before you installed Spybot, you probably won't see it in your programs listing. If you do see it listed, please let me know.

 

For now, please do the following and nothing else:

  • Run FRST64 again either in Safe mode with Networking or Normal mode if you are able to get that far
  • Click on Scan
  • When the scan has completed, please copy and paste the two logs, Addition.txt and FRST.txt, into your next reply to me

In summary I will need from you:

  • Did you get another blue screen? If so, were there any messages?
  • FRST.txt
  • Addition.txt
  • Were you able to boot to Normal mode?

Let me know if you have any questions.

 

polskamachina



#15 zeotrex

zeotrex
  • Topic Starter

  • Members
  • 24 posts

Posted 20 June 2018 - 10:24 PM

Hi polskamachina, thanks for the reply.

Yes, I am aware of the Fn key on the laptop. Fn+F2 turns off the laptop's screen and Fn+F3 swaps between the laptop's own LCD and the external monitor. The laptop's screen is always black.

I include the blue screen photo here. Every time I boot Windows normally, it ends with the blue screen and restarts.

Yes, in Safe Mode with Networking, Spybot is still in the Control Panel program list.
