Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Windows 7 Blue screen - can't restore Image

blue screen malware restore doesnt work

  • Please log in to reply

#1
Kova

Kova

    New Member

  • Member
  • Pip
  • 8 posts

Hello,

my name is Tommy.

 

I must admit I found other forum first, there I posted my question, they moved it from Windows 7 to malware section, but nobody replied. 

I hope somebody could help me here.

 

Thanks in advance. I'm not sure is this malware, I can't find it :(

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 24-04-2014
Ran by SYSTEM on MININT-HFUVASU on 24-04-2014 13:42:44
Running from G:\
Windows 7 Ultimate Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet001
[b]ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.[/b]


The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/ 
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/ 
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [112512 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1842472 2009-09-17] (Synaptics Incorporated)
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1281512 2013-01-27] (Microsoft Corporation)
HKLM\...\Run: [PLFSetI] => C:\Windows\PLFSetI.exe [200704 2008-07-29] ()
HKLM-x32\...\Run: [VirtualCloneDrive] => C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe [89456 2011-03-07] (Elaborate Bytes AG)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-08-15] (Apple Inc.)
HKLM-x32\...\Run: [CancelAutoPlay] => C:\Program Files (x86)\Vip mobilni internet\CancelAutoPlay.exe [414544 2012-03-12] ()
HKLM-x32\...\Run: [UIExec] => C:\Program Files (x86)\Vip mobilni internet\UIExec.exe [156448 2012-05-11] ()
HKU\Admin\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [20924576 2014-02-10] (Skype Technologies S.A.)

==================== Services (Whitelisted) =================

S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [398184 2012-12-14] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [682344 2012-12-14] (Malwarebytes Corporation)
S2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] (Microsoft Corporation)
S3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [379360 2013-01-27] (Microsoft Corporation)
S2 UI Assistant Service; C:\Program Files (x86)\Vip mobilni internet\AssistantServices.exe [274760 2012-07-18] ()

==================== Drivers (Whitelisted) ====================

S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [24176 2012-12-14] (Malwarebytes Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)
S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)
S3 nuvotoncir; C:\Windows\System32\DRIVERS\nuvotoncir.sys [48128 2009-06-24] (Nuvoton Technology Corporation)
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S3 ZTEusbnet; system32\DRIVERS\ZTEusbnet.sys [X]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-04-24 13:29 - 2014-04-24 13:42 - 00000000 ____D () C:\FRST

==================== One Month Modified Files and Folders =======

2014-04-24 13:42 - 2014-04-24 13:29 - 00000000 ____D () C:\FRST
2014-04-24 11:56 - 2014-02-23 07:55 - 00000000 ____D () C:\Program Files (x86)\Vip mobilni internet
2014-04-24 11:56 - 2013-04-04 07:52 - 00000000 ____D () C:\users\Admin
2014-04-24 11:56 - 2010-11-20 23:16 - 00000000 ___RD () C:\Users\Public\Recorded TV
2014-04-24 11:56 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\registration
2014-04-24 11:55 - 2013-04-25 12:53 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Skype
2014-04-24 02:31 - 2013-04-24 03:53 - 00000000 ____D () C:\Users\Admin\Desktop\New Folder
2014-04-06 10:47 - 2013-04-04 07:49 - 01785016 _____ () C:\Windows\WindowsUpdate.log
2014-04-06 10:46 - 2009-07-13 21:13 - 00713888 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-04-06 10:43 - 2009-07-13 20:45 - 00021472 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-04-06 10:43 - 2009-07-13 20:45 - 00021472 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-04-06 10:36 - 2013-04-24 03:43 - 00000942 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-04-06 10:36 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-04-06 10:36 - 2009-07-13 20:51 - 00068248 _____ () C:\Windows\setupact.log
2014-04-04 23:33 - 2013-04-24 03:43 - 00000946 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-04-04 23:31 - 2013-04-12 03:33 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-04-02 13:28 - 2013-04-24 03:43 - 00003942 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-04-02 13:28 - 2013-04-24 03:43 - 00003690 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore

Some content of TEMP:
====================
C:\Users\Admin\AppData\Local\Temp\ose00000.exe
C:\Users\Admin\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Admin\AppData\Local\Temp\Uninstaller.exe


==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION!.

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2014-02-23 07:41:54
Restore point made on: 2014-02-23 07:53:14
Restore point made on: 2014-03-02 09:35:53
Restore point made on: 2014-03-06 08:42:53
Restore point made on: 2014-03-16 11:43:14
Restore point made on: 2014-03-20 14:20:44
Restore point made on: 2014-03-24 04:16:42
Restore point made on: 2014-03-28 10:10:15
Restore point made on: 2014-04-01 10:43:45
Restore point made on: 2014-04-06 10:47:36

==================== Memory info =========================== 

Percentage of memory in use: 17%
Total physical RAM: 3070.43 MB
Available physical RAM: 2526.38 MB
Total Pagefile: 3068.63 MB
Available Pagefile: 2512.72 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:97.56 GB) (Free:65.56 GB) NTFS
Drive e: (New Volume) (Fixed) (Total:200.43 GB) (Free:193.32 GB) NTFS
Drive g: (GRMCULXFRER) (Removable) (Total:30.22 GB) (Free:30.22 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: 400427B8)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=98 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=200 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 30 GB) (Disk ID: 000A0D74)
Partition 4: (Active) - (Size=30 GB) - (Type=0C)


LastRegBack: 2014-03-30 12:45

==================== End Of Log ============================

  • 0

Advertisements


#2
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,008 posts

Hello Tommy,

 

Welcome to Geekstogo.

 

I see you had a thread at Bleeping Computers, is that still going?

 

You should only be receiving help from one source. :)

 

Looking at your log I am not sure we can solve your problem but let's have a go.

 

Please download the attached fixlist.txt file to your flashdrive .

NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

 

After that see if you can boot up normally. Come back and tell me how it went.


  • 1

#3
Kova

Kova

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts

True I have there, but nobody repied, and it is kinda urgent, thank you very much for your reply I will try it and report.


  • 0

#4
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,008 posts

:thumbsup:


  • 0

#5
Kova

Kova

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts

Nope, I can't boot normally, still blue screen :(

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 24-04-2014
Ran by SYSTEM at 2014-04-29 22:29:40 Run:2
Running from G:\
Boot Mode: Recovery
==============================================

Content of fixlist:
*****************
LastRegBack: 2014-03-30 12:45

*****************

DEFAULT hive was successfully copied to System32\config\HiveBackup
DEFAULT hive was successfully restored from registry back up.
SAM hive was successfully copied to System32\config\HiveBackup
SAM hive was successfully restored from registry back up.
SECURITY hive was successfully copied to System32\config\HiveBackup
SECURITY hive was successfully restored from registry back up.
SOFTWARE hive was successfully copied to System32\config\HiveBackup
SOFTWARE hive was successfully restored from registry back up.
SYSTEM hive was successfully copied to System32\config\HiveBackup
SYSTEM hive was successfully restored from registry back up.

==== End of Fixlog ====


  • 0

#6
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,008 posts

Okay, that was an outside chance anyway.

There is an error showing in the FRST scan - C:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION!.

I have found similar problems where copying the codeintegrity\Bootcat.cache file from another Win 7 machine with the same version OS has got machines to boot up but the BSOD problem persists at every restart. That is, copying the boot cache is only a temporary solution.

I think the boot cache error is an indication i.e. a symptom, not the cause.

A colleague has pointed out that it may be something to do with corruption in one of the catroot folders. I also wonder whether a security program is/was involved, I have found reports saying that there are known issues with AVs corrupting System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}.

 

If necessary we can create a boot disc and access data on the machine if you need to back up anything before a reinstallation but for now, let's do this:

Please download the attached fixlist.txt file to your flashdrive .

NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.
 


  • 0

#7
Kova

Kova

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts

Emeral, I made that, I found one post on forum where people said to delete that file, so I did, so I don't think that was cause or have anything to do with this issue, I deleted it afterwards, I will try this file right now and let you know.


  • 0

#8
Kova

Kova

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts

This time no fix-log, and it did finish all OK.

No luck, still blue screen :(

 

I made backup of the files, problem is they are not on normal place like Documents etc, they are on Desktop and all around. That is one of the reasons I try to repair it, cause I'm not 100% sure that I backed up all important stuff.


  • 0

#9
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,008 posts
I made that, I found one post on forum where people said to delete that file, so I did, so I don't think that was cause or have anything to do with this issue, I deleted it afterwards


Hmm... I wonder if there still might be a problem there though... let's leave it for now.
 

 

This time no fix-log, and it did finish all OK.


Something wrong there, I wonder, did you have the fix on the flash drive where the FRST tool is?

Let's try something different:

Please download the attached fixlist.txt file to your flashdrive .

NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

This should allow you to boot normally for now.

After that

Please run another FRST scan with the Addition.txt box ticked.

This time do not go into System Recovery Options... just run FRST from the flash drive or, if you like, download a new copy of FRST to your desktop and run it from there.

 and post back the two logs generated - FRST.txt and Addition.txt.


  • 0

#10
Kova

Kova

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts

Thank you very much, I really appreciate it.

 

On stick I have FRST64.exe and fixlist, I ran it:

Fixlog.txt made:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 24-04-2014
Ran by SYSTEM at 2014-05-01 04:11:52 Run:4
Running from G:\
Boot Mode: Recovery
==============================================

Content of fixlist:
*****************
nointegritychecks on:
*****************


The operation completed successfully.

==== End of Fixlog ====

 

Restarted...

 

After Starting Windows screen with Windows Logo, blue screen ...

 

I have issue with your After that tutorial, how can I run it from stick if not going to Recovery Options? Or Desktop? When I can't get to Boot.

I Ran scan with Addition.txt checked:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 24-04-2014
Ran by SYSTEM on MININT-44IC39P on 01-05-2014 04:12:22
Running from G:\
Windows 7 Ultimate Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet001
[b]ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.[/b]


The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/ 
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/ 
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [112512 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1842472 2009-09-17] (Synaptics Incorporated)
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1281512 2013-01-27] (Microsoft Corporation)
HKLM\...\Run: [PLFSetI] => C:\Windows\PLFSetI.exe [200704 2008-07-29] ()
HKLM-x32\...\Run: [VirtualCloneDrive] => C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe [89456 2011-03-07] (Elaborate Bytes AG)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-08-15] (Apple Inc.)
HKLM-x32\...\Run: [CancelAutoPlay] => C:\Program Files (x86)\Vip mobilni internet\CancelAutoPlay.exe [414544 2012-03-12] ()
HKLM-x32\...\Run: [UIExec] => C:\Program Files (x86)\Vip mobilni internet\UIExec.exe [156448 2012-05-11] ()
HKU\Admin\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [20587168 2013-11-18] (Skype Technologies S.A.)

==================== Services (Whitelisted) =================

S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [398184 2012-12-14] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [682344 2012-12-14] (Malwarebytes Corporation)
S2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] (Microsoft Corporation)
S3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [379360 2013-01-27] (Microsoft Corporation)
S2 UI Assistant Service; C:\Program Files (x86)\Vip mobilni internet\AssistantServices.exe [274760 2012-07-18] ()

==================== Drivers (Whitelisted) ====================

S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [24176 2012-12-14] (Malwarebytes Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)
S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)
S3 nuvotoncir; C:\Windows\System32\DRIVERS\nuvotoncir.sys [48128 2009-06-24] (Nuvoton Technology Corporation)
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S3 ZTEusbnet; system32\DRIVERS\ZTEusbnet.sys [X]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-04-29 22:29 - 2014-04-29 22:29 - 00000000 ____D () C:\Windows\System32\config\HiveBackup
2014-04-24 13:29 - 2014-05-01 04:12 - 00000000 ____D () C:\FRST

==================== One Month Modified Files and Folders =======

2014-05-01 04:12 - 2014-04-24 13:29 - 00000000 ____D () C:\FRST
2014-04-29 22:29 - 2014-04-29 22:29 - 00000000 ____D () C:\Windows\System32\config\HiveBackup
2014-04-24 14:31 - 2014-02-23 07:55 - 00000000 ____D () C:\Program Files (x86)\Vip mobilni internet
2014-04-24 14:31 - 2013-04-25 12:53 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Skype
2014-04-24 14:31 - 2013-04-25 12:52 - 00000000 ___RD () C:\Program Files (x86)\Skype
2014-04-24 14:31 - 2013-04-24 03:53 - 00000000 ____D () C:\Users\Admin\Desktop\New Folder
2014-04-24 14:31 - 2013-04-12 03:32 - 00000000 ____D () C:\Windows\System32\Macromed
2014-04-24 14:31 - 2013-04-04 07:52 - 00000000 ____D () C:\users\Admin
2014-04-24 14:31 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\registration
2014-04-24 14:31 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\AppCompat
2014-04-24 14:30 - 2013-05-25 04:57 - 00000000 ____D () C:\Users\Admin\AppData\Local\Microsoft Games
2014-04-24 14:30 - 2013-04-25 12:52 - 00000000 ____D () C:\ProgramData\Skype
2014-04-24 14:30 - 2013-04-24 03:42 - 00000000 ____D () C:\Users\Admin\AppData\Local\Google
2014-04-24 14:21 - 2014-03-18 12:41 - 00000000 ____D () C:\Users\Admin\AppData\Local\Skype
2014-04-24 11:56 - 2010-11-20 23:16 - 00000000 ___RD () C:\Users\Public\Recorded TV

Some content of TEMP:
====================
C:\Users\Admin\AppData\Local\Temp\ose00000.exe
C:\Users\Admin\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Admin\AppData\Local\Temp\Uninstaller.exe


==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


nointegritychecks: ==> Integrity Checks is disabled <===== ATTENTION!

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2014-02-23 07:41:54
Restore point made on: 2014-02-23 07:53:14
Restore point made on: 2014-03-02 09:35:53
Restore point made on: 2014-03-06 08:42:53
Restore point made on: 2014-03-16 11:43:14
Restore point made on: 2014-03-20 14:20:44
Restore point made on: 2014-03-24 04:16:42
Restore point made on: 2014-03-28 10:10:15
Restore point made on: 2014-04-01 10:43:45
Restore point made on: 2014-04-06 10:47:36

==================== Memory info =========================== 

Percentage of memory in use: 18%
Total physical RAM: 3070.43 MB
Available physical RAM: 2512.96 MB
Total Pagefile: 3068.63 MB
Available Pagefile: 2500.27 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:97.56 GB) (Free:65.61 GB) NTFS
Drive e: (New Volume) (Fixed) (Total:200.43 GB) (Free:193.32 GB) NTFS
Drive g: (GRMCULXFRER) (Removable) (Total:30.22 GB) (Free:30.22 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: 400427B8)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=98 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=200 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 30 GB) (Disk ID: 000A0D74)
Partition 4: (Active) - (Size=30 GB) - (Type=0C)


LastRegBack: 2014-03-30 12:45

==================== End Of Log ============================

This could be something hardware ha?


Edited by Kova, 30 April 2014 - 06:15 PM.

  • 0

#11
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,008 posts

I have issue with your After that tutorial, how can I run it from stick if not going to Recovery Options? Or Desktop? When I can't get to Boot.


That was only if you were able to boot normally.

What this tells me is that it confirms your statement that you didn't think it was the codeintegrity\Bootcat.cache problem.

 

 

This could be something hardware ha?

 

 

 

I think that is quite likely.

 

Moving on

 

Now to try something else:

This is a way to access your computer using a disk we will create.

Before starting you might like to print these instruction out so that you know what you are doing. The instructions need to be followed exactly.
 

  • Download OTLPE.iso and save it somewhere you can get it.
  • Insert a writable blank CD/DVD in your CD drive and click on the OTPLE.iso to burn a CD.
  • Reboot your infected system using the boot CD you just created.

Your computer should boot up by inserting the CD in the CD/DVD drive and starting your computer physically by pressing the start button. Some computers though are not, for whatever reason, set to boot first from the CD. In that case see the next line.
Note : If you do not know how to set your computer to boot from CD follow the steps here

  • The CD needs to detect your hardware and load the operating system...can take a bit of time, just be patient  :)
  • Your system should now display a Reatogo desktop.
    Note : as you are running from CD it is not exactly speedy
  • Double-click on the OTLPE icon.
  • Select the Windows folder of the infected drive if it asks for a location
  • If asked "Do you wish to load the remote registry", select Yes
  • If asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Press Run Scan to start the scan.
  • When finished, the file will be saved  in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system.
  • Right click the file and select send to : select the USB drive.  
  • Confirm that it has copied to the USB drive by selecting it
  • You can backup any files that you wish from this OS
  • Please post the contents of the C:\OTL.txt file in your reply.

  • 0

#12
Kova

Kova

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
OTL logfile created on: 5/1/2014 5:57:23 AM - Run 
OTLPE by OldTimer - Version 3.1.48.0     Folder = X:\Programs\OTLPE
64bit-Windows 7 Ultimate Service Pack 1 (Version = 6.1.7601) - Type = System
Internet Explorer (Version = 9.0.8112.16421)
Locale: 0000041a | Country: Hrvatska | Language: HRV | Date Format: d.M.yyyy.
 
3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 91.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 98.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = D: | %SystemRoot% = D:\Windows | %ProgramFiles% = D:\Program Files (x86)
Drive C: | 100.00 Mb Total Space | 73.89 Mb Free Space | 73.89% Space Free | Partition Type: NTFS
Drive D: | 97.56 Gb Total Space | 65.61 Gb Free Space | 67.25% Space Free | Partition Type: NTFS
Drive E: | 200.43 Gb Total Space | 193.33 Gb Free Space | 96.46% Space Free | Partition Type: NTFS
Drive X: | 284.12 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
 
Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001
 
[color=#E56717]========== Win32 Services (SafeList) ==========[/color]
 
SRV:[b]64bit:[/b] - [2013/05/27 01:50:47 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand] -- D:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:[b]64bit:[/b] - [2013/01/27 05:34:32 | 000,379,360 | ---- | M] (Microsoft Corporation) [On_Demand] -- D:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV:[b]64bit:[/b] - [2013/01/27 05:34:32 | 000,022,056 | ---- | M] (Microsoft Corporation) [Auto] -- D:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV:[b]64bit:[/b] - [2009/08/17 20:36:20 | 000,203,264 | ---- | M] (AMD) [Auto] -- D:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
SRV:[b]64bit:[/b] - [2009/07/13 21:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand] -- D:\Windows\System32\appmgmts.dll -- (AppMgmt)
SRV:[b]64bit:[/b] - [2009/07/01 12:54:02 | 000,864,032 | ---- | M] (Broadcom Corporation.) [Auto] -- D:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe -- (btwdins)
SRV - [2014/03/16 15:31:58 | 000,257,928 | ---- | M] (Adobe Systems Incorporated) [On_Demand] -- D:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/09/05 05:34:30 | 000,171,680 | R--- | M] (Skype Technologies) [Auto] -- D:\Program Files (x86)\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2013/05/14 08:26:12 | 003,289,208 | ---- | M] (Skype Technologies S.A.) [Auto] -- D:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe -- (Skype C2C Service)
SRV - [2012/12/14 10:49:28 | 000,682,344 | ---- | M] (Malwarebytes Corporation) [Auto] -- D:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/12/14 10:49:28 | 000,398,184 | ---- | M] (Malwarebytes Corporation) [Auto] -- D:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2012/07/18 11:05:22 | 000,274,760 | ---- | M] () [Auto] -- D:\Program Files (x86)\Vip mobilni internet\AssistantServices.exe -- (UI Assistant Service)
SRV - [2009/06/10 17:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [On_Demand] -- D:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
 
 
[color=#E56717]========== Driver Services (SafeList) ==========[/color]
 
DRV:[b]64bit:[/b] - [2013/01/20 09:59:04 | 000,130,008 | ---- | M] (Microsoft Corporation) [Kernel | Auto] -- D:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV:[b]64bit:[/b] - [2012/12/14 10:49:28 | 000,024,176 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand] -- D:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV:[b]64bit:[/b] - [2012/12/13 07:50:36 | 000,054,784 | ---- | M] (Apple, Inc.) [Kernel | On_Demand] -- D:\Windows\System32\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:[b]64bit:[/b] - [2012/08/23 10:12:16 | 000,029,696 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- D:\Windows\system32\drivers\terminpt.sys -- (terminpt)
DRV:[b]64bit:[/b] - [2012/08/23 10:10:20 | 000,019,456 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV:[b]64bit:[/b] - [2012/08/23 10:08:26 | 000,030,208 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- D:\Windows\system32\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:[b]64bit:[/b] - [2012/08/23 10:07:35 | 000,057,856 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:[b]64bit:[/b] - [2012/02/06 04:55:48 | 000,011,776 | ---- | M] (MBB Incorporated) [Kernel | On_Demand] -- D:\Windows\System32\drivers\massfilter.sys -- (massfilter)
DRV:[b]64bit:[/b] - [2010/12/07 06:06:30 | 000,123,520 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand] -- D:\Windows\System32\drivers\ZTEusbser6k.sys -- (ZTEusbser6k)
DRV:[b]64bit:[/b] - [2010/12/07 06:06:30 | 000,123,520 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand] -- D:\Windows\System32\drivers\ZTEusbnmea.sys -- (ZTEusbnmea)
DRV:[b]64bit:[/b] - [2010/12/07 06:06:30 | 000,123,520 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand] -- D:\Windows\System32\drivers\ZTEusbmdm6k.sys -- (ZTEusbmdm6k)
DRV:[b]64bit:[/b] - [2010/11/20 23:23:48 | 000,117,248 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\tsusbhub.sys -- (tsusbhub)
DRV:[b]64bit:[/b] - [2010/11/20 23:23:48 | 000,088,960 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\Synth3dVsc.sys -- (Synth3dVsc)
DRV:[b]64bit:[/b] - [2010/11/20 23:23:48 | 000,071,168 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- D:\Windows\system32\drivers\dmvsc.sys -- (dmvsc)
DRV:[b]64bit:[/b] - [2010/11/20 23:23:47 | 000,109,056 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\sdbus.sys -- (sdbus)
DRV:[b]64bit:[/b] - [2009/08/17 21:48:48 | 006,037,504 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- D:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV:[b]64bit:[/b] - [2009/06/25 11:04:20 | 000,067,584 | ---- | M] (REDC) [Kernel | Auto] -- D:\Windows\System32\drivers\rimmpx64.sys -- (rimmptsk)
DRV:[b]64bit:[/b] - [2009/06/25 10:38:52 | 000,057,856 | ---- | M] (REDC) [Kernel | Auto] -- D:\Windows\System32\drivers\rixdpx64.sys -- (rismxdp)
DRV:[b]64bit:[/b] - [2009/06/25 10:13:44 | 000,055,296 | ---- | M] (REDC) [Kernel | Auto] -- D:\Windows\System32\drivers\rimspx64.sys -- (rimsptsk)
DRV:[b]64bit:[/b] - [2009/06/24 08:03:24 | 000,048,128 | ---- | M] (Nuvoton Technology Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\nuvotoncir.sys -- (nuvotoncir)
DRV:[b]64bit:[/b] - [2009/06/10 17:01:11 | 001,485,312 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- D:\Windows\System32\drivers\VSTDPV6.SYS -- (SrvHsfV92)
DRV:[b]64bit:[/b] - [2009/06/10 17:01:11 | 000,740,864 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- D:\Windows\System32\drivers\VSTCNXT6.SYS -- (SrvHsfWinac)
DRV:[b]64bit:[/b] - [2009/06/10 17:01:11 | 000,292,864 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- D:\Windows\System32\drivers\VSTAZL6.SYS -- (SrvHsfHDA)
DRV:[b]64bit:[/b] - [2009/06/10 16:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand] -- D:\Windows\System32\wbem\ntfs.mof -- (Ntfs)
DRV:[b]64bit:[/b] - [2009/06/10 16:35:28 | 005,434,368 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\netw5v64.sys -- (netw5v64) Intel(R)
DRV:[b]64bit:[/b] - [2009/06/10 16:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- D:\Windows\system32\drivers\evbda.sys -- (ebdrv)
DRV:[b]64bit:[/b] - [2009/06/10 16:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- D:\Windows\system32\drivers\bxvbda.sys -- (b06bdrv)
DRV:[b]64bit:[/b] - [2009/06/10 16:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\b57nd60a.sys -- (b57nd60a)
 
[color=#E56717]========== Standard Registry (SafeList) ==========[/color]
 
 
[color=#E56717]========== Internet Explorer ==========[/color]
 
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\Admin_ON_D\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
 
FF:[b]64bit:[/b] - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: D:\Windows\System32\Macromed\Flash\NPSWF64_12_0_0_77.dll ()
FF:[b]64bit:[/b] - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE:  File not found
FF:[b]64bit:[/b] - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: D:\Program Files\Microsoft Office\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@adobe.com/FlashPlayer: D:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_77.dll ()
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@Apple.com/iTunes,version=:  
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@Apple.com/iTunes,version=1.0: D:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE:  File not found
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: D:\Program Files (x86)\Microsoft Office\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: D:\Program Files (x86)\Microsoft Office\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3: D:\Program Files (x86)\Google\Update\1.3.22.5\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9: D:\Program Files (x86)\Google\Update\1.3.22.5\npGoogleUpdate3.dll (Google Inc.)
 
 
 
O1 HOSTS File: ([2009/06/10 17:00:26 | 000,000,824 | ---- | M]) - D:\Windows\System32\drivers\etc\hosts
O2:[b]64bit:[/b] - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - D:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - D:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O4:[b]64bit:[/b] - HKLM..\Run: [MSC] D:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4:[b]64bit:[/b] - HKLM..\Run: [PLFSetI] D:\Windows\PLFSetI.exe ()
O4 - HKLM..\Run: [APSDaemon] D:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [CancelAutoPlay] D:\Program Files (x86)\Vip mobilni internet\CancelAutoPlay.exe ()
O4 - HKLM..\Run: [UIExec] D:\Program Files (x86)\Vip mobilni internet\UIExec.exe ()
O4 - HKU\LocalService_ON_D..\Run: [Sidebar] D:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\NetworkService_ON_D..\Run: [Sidebar] D:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\LocalService_ON_D..\RunOnce: [mctadmin]  File not found
O4 - HKU\NetworkService_ON_D..\RunOnce: [mctadmin]  File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8:[b]64bit:[/b] - Extra context menu item: Send image to &Bluetooth Device... - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8:[b]64bit:[/b] - Extra context menu item: Send page to &Bluetooth Device... - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O8 - Extra context menu item: Send image to &Bluetooth Device... - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send page to &Bluetooth Device... - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9:[b]64bit:[/b] - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - D:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
O9:[b]64bit:[/b] - Extra Button: @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9:[b]64bit:[/b] - Extra 'Tools' menuitem : @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - D:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Send To Bluetooth - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : Send to &Bluetooth Device... - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O10:[b]64bit:[/b] - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - D:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - D:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O13:[b]64bit:[/b] - gopher Prefix: missing
O13 - gopher Prefix: missing
O18:[b]64bit:[/b] - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found
O18:[b]64bit:[/b] - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - D:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
O20:[b]64bit:[/b] - HKLM Winlogon: Shell - (explorer.exe) - D:\Windows\explorer.exe (Microsoft Corporation)
O20:[b]64bit:[/b] - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - D:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:[b]64bit:[/b] - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - D:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O21:[b]64bit:[/b] - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\{6c9f85e0-a54f-11e3-bfd8-001e681351e0}\Shell - "" = AutoRun
O33 - MountPoints2\{6c9f85e0-a54f-11e3-bfd8-001e681351e0}\Shell\AutoRun\command - "" = F:\Autorun.exe
O33 - MountPoints2\{88cdc2d2-9c9c-11e3-9350-00a0c6000000}\Shell - "" = AutoRun
O33 - MountPoints2\{88cdc2d2-9c9c-11e3-9350-00a0c6000000}\Shell\AutoRun\command - "" = F:\Autorun.exe
O33 - MountPoints2\{acacd94b-a548-11e3-84f4-001e681351e0}\Shell - "" = AutoRun
O33 - MountPoints2\{acacd94b-a548-11e3-84f4-001e681351e0}\Shell\AutoRun\command - "" = F:\Autorun.exe
O33 - MountPoints2\{dec8872f-dcae-11e2-87b5-00a0c6000000}\Shell - "" = AutoRun
O33 - MountPoints2\{dec8872f-dcae-11e2-87b5-00a0c6000000}\Shell\AutoRun\command - "" = F:\Autorun.exe
O33 - MountPoints2\{e24a29f5-acc8-11e2-8093-001e681351e0}\Shell - "" = AutoRun
O33 - MountPoints2\{e24a29f5-acc8-11e2-8093-001e681351e0}\Shell\AutoRun\command - "" = F:\Autorun.exe
O33 - MountPoints2\{e24a2a0a-acc8-11e2-8093-001e681351e0}\Shell - "" = AutoRun
O33 - MountPoints2\{e24a2a0a-acc8-11e2-8093-001e681351e0}\Shell\AutoRun\command - "" = H:\Autorun.exe
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\Autorun.exe
O33 - MountPoints2\H\Shell - "" = AutoRun
O33 - MountPoints2\H\Shell\AutoRun\command - "" = H:\Autorun.exe
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
[b]64bit:[/b] O35 - HKLM\..comfile [open] -- "%1" %* File not found
[b]64bit:[/b] O35 - HKLM\..exefile [open] -- "%1" %* File not found
O37:[b]64bit:[/b] - HKLM\...com [@ = comfile] -- "%1" %*
O37:[b]64bit:[/b] - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
[color=#E56717]========== Files/Folders - Created Within 30 Days ==========[/color]
 
[2014/04/24 17:29:07 | 000,000,000 | ---D | C] -- D:\FRST
 
[color=#E56717]========== Files - Modified Within 30 Days ==========[/color]
 
[2014/05/01 08:10:57 | 000,067,584 | --S- | M] () -- D:\Windows\bootstat.dat
[2014/04/24 18:31:20 | 000,000,000 | ---D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
[2014/04/24 18:31:20 | 000,000,000 | ---D | M] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
[2014/04/08 09:54:55 | 2414,682,112 | -HS- | M] () -- D:\hiberfil.sys
 
[color=#E56717]========== Files Created - No Company Name ==========[/color]
 
[2014/02/23 11:53:03 | 000,003,676 | ---- | C] () -- D:\Windows\SysWow64\Language.ini
[2013/04/08 14:35:36 | 000,626,688 | ---- | C] () -- D:\Windows\Image.dll
[2013/04/08 14:35:36 | 000,200,704 | ---- | C] () -- D:\Windows\PLFSetI.exe
[2013/04/08 14:35:36 | 000,020,480 | ---- | C] () -- D:\Windows\USB_VIDEO_REG.exe
[2013/04/08 14:35:36 | 000,000,323 | ---- | C] () -- D:\Windows\PidList.ini
[2013/04/04 11:48:26 | 000,000,000 | ---- | C] () -- D:\Windows\ativpsrm.bin
[2010/11/20 23:24:49 | 000,252,928 | ---- | C] () -- D:\Windows\SysWow64\DShowRdpFilter.dll
[2009/07/14 01:38:36 | 000,067,584 | --S- | C] () -- D:\Windows\bootstat.dat
[2009/07/13 22:35:51 | 000,000,741 | ---- | C] () -- D:\Windows\SysWow64\NOISE.DAT
[2009/07/13 22:34:42 | 000,215,943 | ---- | C] () -- D:\Windows\SysWow64\dssec.dat
[2009/07/13 20:10:29 | 000,043,131 | ---- | C] () -- D:\Windows\mib.bin
[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- D:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 18:25:04 | 000,197,632 | ---- | C] () -- D:\Windows\SysWow64\ir32_32.dll
[2009/07/13 17:03:59 | 000,364,544 | ---- | C] () -- D:\Windows\SysWow64\msjetoledb40.dll
[2009/06/10 17:26:10 | 000,673,088 | ---- | C] () -- D:\Windows\SysWow64\mlang.dat
 
[color=#E56717]========== LOP Check ==========[/color]
 
[2013/09/02 11:15:58 | 000,000,000 | ---D | M] -- D:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
[2009/07/14 01:08:56 | 000,000,000 | -HSD | M] -- D:\ProgramData\Application Data
[2009/07/14 01:08:56 | 000,000,000 | -HSD | M] -- D:\ProgramData\Desktop
[2009/07/14 01:08:56 | 000,000,000 | -HSD | M] -- D:\ProgramData\Documents
[2013/05/09 08:49:01 | 000,000,000 | ---D | M] -- D:\ProgramData\EPSON
[2009/07/14 01:08:56 | 000,000,000 | -HSD | M] -- D:\ProgramData\Favorites
[2009/07/14 01:08:56 | 000,000,000 | -HSD | M] -- D:\ProgramData\Start Menu
[2009/07/14 01:08:56 | 000,000,000 | -HSD | M] -- D:\ProgramData\Templates
[2014/01/19 12:53:57 | 000,032,630 | ---- | M] () -- D:\Windows\Tasks\SCHEDLGU.TXT
 
[color=#E56717]========== Purity Check ==========[/color]
 
 
< End of report >


  • 0

#13
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,008 posts

Hello again Tommy,

 

Nothing in the way of malware leaping out at me there.

 

Have you tried running System File Checker and chkdsk?  If not then let's see if we can run System File Checker through OTLPE

 

Please run OTLPE

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Files
    sfc /scannow /offbootdir=y:\ /offwindir=c:\windows /c
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Post the log that is produced
  • Attempt to reboot normally into Windows

  • 0

#14
Kova

Kova

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts

Thanks, I'll try it right now, I can't find log created, but I know what was written:

 

d:\cmd.bat deleted successfully 

d:\cmd.txt deleted successfully 

 

Thats all.

 

Trying chkdsk from Reatogo X PE

No errors found

 

No go, still Blue screen, guys, don't bother anymore, I will just format it, I had enough of it, don't want to bother you anymore. 


Edited by Kova, 01 May 2014 - 04:19 AM.

  • 0

#15
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,008 posts

Yes I think we have run out of options.

 

You can use Reatgo X PE to access your data and copy it to a back up disc or some such and after that re-format and reinstall.

 

I wish you the best of luck. :)


  • 0






Similar Topics


Also tagged with one or more of these keywords: blue screen, malware, restore doesnt work

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP