Black screen with cursor, frst64 repeatedly says winlogon userinit.exe

Black screen frst64 winlogon

#1
keithclem

    New Member

  • Member
  • 9 posts

A friend used the computer for web browsing (perhaps introducing a virus) and possibly badly shutdown system during update. Since then system boots to black screen with cursor, occasional blue circle if some key is pressed. Cursor moves across extended screen. Same when booting to safe mode. Boots to 'repair' OK where I ran FRST64. I think this found a virus 'zero???' but removed it, although I cannot find the log of that. It also replaced some group policy (G:\FRST\Quarantine\C\Windows\System32\GroupPolicy). After a number of iterations removing/replacing unwanted registry, service and driver entries, FRST64 now does not seem to replace the userinit entry in the winlogon key, although it does say it has and regedit says it is OK. Since this is precisely the area of error I suspect there is something wrong.

 

Note that trying to repair computer finds nothing wrong and restore system back-up fails after a lengthy restore with 0x80070002 error. The system has dual boot and the other Win7 system is good. Chkdsk and virus scan from this system are OK.

 

Find latest fixlog and scanlog below. The Winlogon restoration has been repeatedly tried but does not clear when rescanned. Note that to get to this stage many FRST fix runs were done, a few other 'fixes' were tried. I have tried copying (by export and import) the good winlogon key from the dual boot system but do not think this worked as it does not put it into the correct control set. I might have to resort to doing it manually. But as I said it looks OK when viewed with regedit, just FRST64 is saying it is wrong.

 

Fix result of Farbar Recovery Scan Tool (x64) Version:29-12-2015
Ran by SYSTEM (2015-12-30 19:59:32) Run:13
Running from F:\
Boot Mode: Recovery
==============================================

fixlist content:
*****************
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,
*****************

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit => value restored successfully

==== End of Fixlog 19:59:32 ====

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:29-12-2015
Ran by SYSTEM on MININT-544NOFG (30-12-2015 19:56:47)
Running from F:\
Platform: Windows 7 Ultimate (X64) Language: English (United States)
Internet Explorer Version 10
Boot Mode: Recovery
Default: ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Winlogon: [Userinit] G:\Windows\system32\userinit.exe,

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-12-20 11:25 - 2015-12-30 19:56 - 00000000 ____D C:\FRST

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-12-30 19:21 - 2009-07-13 21:32 - 00000000 ____D C:\Windows\Downloaded Program Files
2015-12-30 19:20 - 2009-07-13 23:46 - 00000000 __SHD C:\Windows\BitLockerDiscoveryVolumeContents
2015-12-30 19:20 - 2009-07-13 23:46 - 00000000 ____D C:\Windows\ShellNew
2015-12-30 19:20 - 2009-07-13 23:46 - 00000000 ____D C:\Program Files\Windows Journal
2015-12-30 19:20 - 2009-07-13 21:32 - 00000000 ____D C:\Windows\System32\WinBioPlugIns
2015-12-30 19:20 - 2009-07-13 21:32 - 00000000 ____D C:\Windows\Offline Web Pages
2015-12-30 19:20 - 2009-07-13 21:32 - 00000000 ____D C:\Windows\addins
2015-12-30 19:20 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Sidebar
2015-12-30 19:20 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Portable Devices
2015-12-30 19:20 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Photo Viewer
2015-12-30 19:20 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Defender
2015-12-30 19:20 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\DVD Maker
2015-12-30 19:20 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Sidebar
2015-12-30 19:20 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Portable Devices
2015-12-30 19:20 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Photo Viewer
2015-12-30 19:20 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Defender
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 __RSD C:\Windows\Media
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\TAPI
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\Setup
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\ras
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\oobe
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\migwiz
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\manifeststore
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\lv-LV
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\lt-LT
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\InstallShield
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\icsxml
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\et-EE
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\Dism
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\com
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\catroot2.bak
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\AdvancedInstallers
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\sysprep
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\Setup
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\ras
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\oobe
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\migwiz
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\manifeststore
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\lv-LV
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\lt-LT
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\icsxml
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\ias
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\et-EE
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\Dism
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\com
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\AdvancedInstallers
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\servicing
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\PolicyDefinitions
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\L2Schemas
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\IME
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\Cursors
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\System
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Services
2015-12-30 19:17 - 2012-05-31 13:19 - 00000000 ____D C:\Windows\en
2015-12-30 19:17 - 2011-12-16 03:15 - 00000000 ____D C:\Windows\rescache
2015-12-30 19:17 - 2011-11-19 14:48 - 00000000 ____D C:\Windows\System32\Macromed
2015-12-30 19:17 - 2011-10-18 14:41 - 00000000 ____D C:\Windows\System32\SPReview
2015-12-30 19:17 - 2011-09-21 05:18 - 00000000 ____D C:\Windows\pss
2015-12-30 19:17 - 2011-05-04 11:40 - 00000000 ____D C:\Windows\Minidump
2015-12-30 19:17 - 2011-03-16 11:43 - 00000000 ____D C:\Windows\CheckSur
2015-12-30 19:17 - 2011-03-16 11:26 - 00000000 ____D C:\Windows\System32\EventProviders
2015-12-30 19:17 - 2010-07-19 03:44 - 00000000 ____D C:\Windows\SysWOW64\SPOOL
2015-12-30 19:17 - 2010-07-13 00:41 - 00000000 ____D C:\Windows\Downloaded Installations
2015-12-30 19:17 - 2010-07-04 11:06 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2015-12-30 19:17 - 2010-06-15 12:46 - 00000000 ____D C:\Windows\SysWOW64\1033
2015-12-30 19:17 - 2010-06-15 12:46 - 00000000 ____D C:\Windows\System32\1033
2015-12-30 19:17 - 2010-06-15 12:25 - 00000000 ____D C:\Windows\System32\Tasks\OfficeSoftwareProtectionPlatform
2015-12-30 19:17 - 2010-02-25 23:56 - 00000000 ____D C:\Windows\SoftwareDistributionold
2015-12-30 19:17 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\SysWOW64\winrm
2015-12-30 19:17 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\SysWOW64\WCN
2015-12-30 19:17 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\SysWOW64\slmgr
2015-12-30 19:17 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\SysWOW64\Printing_Admin_Scripts
2015-12-30 19:17 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\System32\winrm
2015-12-30 19:17 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\System32\WCN
2015-12-30 19:17 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\System32\slmgr
2015-12-30 19:17 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\System32\Printing_Admin_Scripts
2015-12-30 19:17 - 2009-07-13 21:32 - 00000000 ____D C:\Windows\Performance
2015-12-30 19:17 - 2009-07-13 21:09 - 00000000 ____D C:\Windows\System32\Tasks\WPD
2015-12-30 19:17 - 2009-07-13 20:45 - 00000000 ____D C:\Windows\Setup
2015-12-30 19:17 - 2009-07-13 19:20 - 00000000 ___HD C:\Windows\System32\GroupPolicy
2015-12-30 19:17 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\MUI
2015-12-30 19:17 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\Msdtc
2015-12-30 19:17 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\IME
2015-12-30 19:17 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\spool
2015-12-30 19:17 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\SMI
2015-12-30 19:17 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
2015-12-30 19:17 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\MUI
2015-12-30 19:17 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\IME
2015-12-30 19:17 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\security
2015-12-30 19:17 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\schemas
2015-12-30 19:17 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\Resources
2015-12-30 19:17 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\PLA
2015-12-30 19:17 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\Help
2015-12-30 19:17 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\Globalization
2015-12-30 19:17 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\Branding
2015-12-30 19:16 - 2012-10-14 03:57 - 00000000 ____D C:\Program Files (x86)\Ask.com
2015-12-30 19:16 - 2012-05-17 14:37 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2015-12-30 19:16 - 2012-05-17 14:37 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2015-12-30 19:16 - 2012-05-01 03:57 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2015-12-30 19:16 - 2011-10-19 02:13 - 00000000 ____D C:\Program Files\Microsoft Security Client
2015-12-30 19:16 - 2011-10-17 13:49 - 00000000 ____D C:\Program Files (x86)\HP
2015-12-30 19:16 - 2011-10-17 13:42 - 00000000 ____D C:\ProgramData\HP
2015-12-30 19:16 - 2011-06-06 07:53 - 00000000 ____D C:\Program Files\Java
2015-12-30 19:16 - 2010-07-02 08:13 - 00000000 ___RD C:\Users\Keith\Virtual Machines
2015-12-30 19:16 - 2010-06-22 02:20 - 00000000 ____D C:\Program Files (x86)\Adobe
2015-12-30 19:16 - 2010-06-17 13:51 - 00000000 ____D C:\Program Files (x86)\Java
2015-12-30 19:16 - 2010-06-15 12:23 - 00000000 ____D C:\ProgramData\Microsoft Help
2015-12-30 19:16 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\MSBuild
2015-12-30 19:16 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat
2015-12-30 19:16 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2015-12-30 19:12 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2015-12-30 18:59 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\Web
2015-12-30 18:59 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\Vss
2015-12-30 18:56 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\Msdtc
2015-12-30 18:52 - 2009-07-13 20:45 - 00000000 ____D C:\Windows\ServiceProfiles
2015-12-30 18:47 - 2011-12-27 14:16 - 00000000 ____D C:\Windows\Hewlett-Packard
2015-12-30 18:45 - 2012-08-02 01:13 - 00000000 ____D C:\Users\Keith\AppData\Roaming\TomTom
2015-12-30 18:45 - 2011-05-25 07:11 - 00000000 ____D C:\Users\Keith\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2015-12-30 18:45 - 2010-06-22 02:20 - 00000000 ____D C:\Users\Keith\AppData\Roaming\Macromedia
2015-12-30 18:45 - 2010-06-22 02:20 - 00000000 ____D C:\Users\Keith\AppData\Roaming\Adobe
2015-12-30 18:45 - 2010-06-17 13:51 - 00000000 ____D C:\Users\Keith\AppData\LocalLow\Sun
2015-12-30 18:45 - 2010-06-15 15:38 - 00000000 ____D C:\users\Keith
2015-12-30 18:44 - 2010-06-22 02:20 - 00000000 ____D C:\ProgramData\Adobe
2015-12-30 18:43 - 2012-09-22 11:26 - 00000000 __SHD C:\found.000
2015-12-30 18:43 - 2011-01-24 11:29 - 00000000 ____D C:\Program Files (x86)\Google
2015-12-30 18:43 - 2010-06-15 12:23 - 00000000 __RHD C:\MSOCache
2015-12-30 18:43 - 2010-06-15 12:23 - 00000000 ____D C:\Program Files (x86)\Microsoft Office
2015-12-30 11:26 - 2009-07-13 21:13 - 00870974 _____ C:\Windows\System32\PerfStringBackup.INI
2015-12-30 11:26 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\inf
2015-12-30 11:25 - 2012-06-15 02:56 - 00000896 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-12-30 11:24 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-12-19 08:52 - 2014-01-29 02:45 - 00000000 ____D C:\Program Files (x86)\7-Zip
2015-12-19 08:51 - 2015-10-09 08:55 - 00000000 ____D C:\Program Files (x86)\WinMerge
2015-12-19 08:51 - 2015-09-15 04:34 - 00000000 ___RD C:\Users\jowettguest\Virtual Machines
2015-12-19 08:51 - 2015-09-15 04:33 - 00000000 ____D C:\users\jowettguest
2015-12-19 08:51 - 2015-05-14 11:59 - 00000000 ____D C:\Program Files (x86)\cwRsync
2015-12-19 08:51 - 2015-04-29 08:16 - 00000000 ____D C:\Program Files (x86)\Gallery Remote
2015-12-19 08:51 - 2015-02-12 00:24 - 00000000 ____D C:\Program Files (x86)\QuickTime
2015-12-19 08:51 - 2014-07-22 04:15 - 00000000 ___RD C:\Program Files (x86)\Skype
2015-12-19 08:51 - 2014-07-22 04:15 - 00000000 ____D C:\ProgramData\Skype
2015-12-19 08:51 - 2014-07-11 01:43 - 00000000 ____D C:\Program Files (x86)\Wondershare
2015-12-19 08:51 - 2014-02-22 05:19 - 00000000 ____D C:\Program Files (x86)\Apple Software Update
2015-12-19 08:51 - 2014-01-29 09:06 - 00000000 ____D C:\Program Files (x86)\Replay Telecorder for Skype
2015-12-19 08:51 - 2014-01-29 09:05 - 00000000 ____D C:\Program Files (x86)\Replay Media Splitter
2015-12-19 08:51 - 2014-01-29 09:04 - 00000000 ____D C:\Program Files (x86)\Replay Converter 4
2015-12-19 08:51 - 2014-01-29 08:55 - 00000000 ____D C:\Program Files (x86)\Replay Music 6
2015-12-19 08:51 - 2014-01-29 07:16 - 00000000 ____D C:\Program Files (x86)\Replay Video Capture 7
2015-12-19 08:51 - 2014-01-29 07:12 - 00000000 ____D C:\Program Files (x86)\WinPcap
2015-12-19 08:51 - 2014-01-29 07:10 - 00000000 ____D C:\Windows\Applian Director
2015-12-19 08:51 - 2013-11-05 15:02 - 00000000 ____D C:\Program Files (x86)\ImageMagick-6.8.7-Q16
2015-12-19 08:51 - 2013-05-01 02:40 - 00000000 ____D C:\Program Files (x86)\ImgBurn
2015-12-19 08:50 - 2015-04-05 00:59 - 00000000 ___SD C:\Windows\SysWOW64\GWX
2015-12-19 08:50 - 2015-04-05 00:59 - 00000000 ___SD C:\Windows\System32\GWX
2015-12-19 08:50 - 2014-05-07 22:59 - 00000000 ___SD C:\Windows\System32\CompatTel
2015-12-19 08:50 - 2011-11-07 09:22 - 00000000 ____D C:\Windows\System32\Tasks\Event Viewer Tasks
2015-12-17 06:46 - 2012-08-06 01:55 - 00000000 ____D C:\Users\Keith\Documents\Outlook Files
2015-12-09 19:35 - 2013-07-15 15:55 - 00000000 ____D C:\Windows\System32\MRT
2015-12-08 05:14 - 2015-03-24 01:29 - 00000000 ____D C:\ProgramData\Oracle

==================== Known DLLs (Whitelisted) =========================

C:\Windows\SysWOW64\LPK.dll IS MISSING <==== ATTENTION

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\dnsapi.dll => MD5 is legit
C:\Windows\SysWOW64\dnsapi.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE Association (Whitelisted) =============

==================== Restore Points =========================

Restore point date: 2015-12-30 11:26

==================== Memory info ===========================

Percentage of memory in use: 12%
Total physical RAM: 6141.46 MB
Available physical RAM: 5371.24 MB
Total Virtual: 6139.61 MB
Available Virtual: 5378.43 MB

==================== Drives ================================

Drive c: (w7-os) (Fixed) (Total:244.14 GB) (Free:189.35 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive e: (InboardFiles) (Fixed) (Total:931.51 GB) (Free:719.37 GB) NTFS
Drive f: (newback) (Fixed) (Total:931.51 GB) (Free:616.91 GB) NTFS
Drive g: (OtherBackup) (Fixed) (Total:931.51 GB) (Free:4.72 GB) NTFS
Drive h: (edit) (Fixed) (Total:146.48 GB) (Free:114.03 GB) NTFS
Drive i: (2-OS) (Fixed) (Total:48.83 GB) (Free:47.27 GB) NTFS
Drive j: (vhd) (Fixed) (Total:472.51 GB) (Free:172.33 GB) NTFS
Drive k: (pagefile) (Fixed) (Total:19.53 GB) (Free:10.03 GB) NTFS
Drive l: (GB1CULXFRER_EN_DVD) (CDROM) (Total:3.2 GB) (Free:0 GB) UDF
Drive m: (SystemBackUp) (Fixed) (Total:931.51 GB) (Free:0 GB) NTFS
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (OnboardRAID) (Fixed) (Total:931.51 GB) (Free:574.51 GB) NTFS ==>[system with boot components (obtained from drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: A906E018)
Partition 1: (Active) - (Size=931.5 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 628E907E)
Partition 1: (Not Active) - (Size=19.5 GB) - (Type=07 NTFS)
Partition 2: (Active) - (Size=244.1 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=667.8 GB) - (Type=OF Extended)

========================================================
Disk: 2 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 628E907F)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)

========================================================
Disk: 3 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: A6BA6F9E)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)

========================================================
Disk: 4 (MBR Code: Windows XP) (Size: 931.5 GB) (Disk ID: C6C7B88F)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)

========================================================
Disk: 5 (Size: 931.5 GB) (Disk ID: 08632CC2)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)

LastRegBack: 2015-12-30 17:48

==================== End of FRST.txt ============================


  • 0


#2
RKinner

    Malware Expert

  • Expert
  • 20,887 posts
  • MVP

I wouldn't worry about the userinit entry - not everything that shows up in FRST needs to be fixed.

 

Looks to me like you may have had some hard drive damage:

 

2015-12-30 18:43 - 2012-09-22 11:26 - 00000000 __SHD C:\found.000

 

found.000 is a folder where disk check puts the files it recovers from bad sectors.  You might look in the folder.  Sometimes you can tell what files they were.

 

Also you need to fix:

 

C:\Windows\SysWOW64\LPK.dll IS MISSING <==== ATTENTION

 

Which you can't do with a fixlist.  Do you have a copy of lpk.dll on your other boot?  I can upload one from my 64bit Windows 7 if you need it just let me know.

 

Do you see any logs in C:\FRST\logs?  It would be helpful to know what has been done to the system.


  • 0

#3
keithclem

    New Member

  • Topic Starter
  • Member
  • 9 posts

Thanks,

I had replaced the LPK.dll previously from the dual boot system that works.  Not quite sure why it showed up again in that FRST run.  Maybe the restoration I tried yesterday took it out again.

The found.000 contains Dirooo0.chk which has about 50 files and three directories that all look to be intact and part of the abobe system dating back to 2011. I could try to restore them to the system if I can find the parent directory. An initial search of the dual boot system did not find where they should lie. The image directory shows a modified date a couple of days ago although no files are later than 2011. 

 

Found.0001 is also on the drive but dates to 2014 and contains authcab.cab. I suspect this may be from a previous hard shutdown but did not seem to cause problems.

 

I still am suspicious of the userinit.exe 'error' as this seems to be exactly from where the symptom could emanate. It does not occur when running FRST on the working dual boot system.

 

Notice above I changed the drive from which userinit.exe was loaded to C: from G: just to see if that made a difference. It did not.

Is the double \ after winlogon normal in the fixlog line below?

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit => value restored successfully

 

I have attached the other logs and scans.


  • 0

#4
keithclem

    New Member

  • Topic Starter
  • Member
  • 9 posts

I have replaced the lpk.dll again and rebooted. There is no change with the system going to the black screen with cursor after loading the pnp driver in safe mode.

Could it be that the user profile links have been lost and userinit.exe cannot find the profiles? Or could it be that some other flag such as one to complete system initialisation after an update has not been cleared? There is usually a pause where the screen goes black with cursor before displaying the logon screen, especially after a system update. The system seems to be hung in this state although other background processes are operating with a lot of initial disk activity.

 

Is there anything I can try to pinpoint where the system is hung? The system seems to respond to keystrokes. What sequence could be used to bring about a soft shutdown from this state?  The keyboard sleep button works by the way but this just brings the system back to the same state on wake up.


  • 0

#5
RKinner

    Malware Expert

  • Expert
  • 20,887 posts
  • MVP

The double \\ indicates that it is a value below HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon and not a subkey.    

 

Looks like this in mine:

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

    ReportBootOk    REG_SZ    1
    Shell    REG_SZ    explorer.exe
    PreCreateKnownFolders    REG_SZ    {A520A1A4-1780-4FF6-BD18-167343C5AF16}
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
    VMApplet    REG_SZ    SystemPropertiesPerformance.exe /pagefile
    AutoRestartShell    REG_DWORD    0x1
    Background    REG_SZ    0 0 0
    CachedLogonsCount    REG_SZ    10
    DebugServerCommand    REG_SZ    no
    ForceUnlockLogon    REG_DWORD    0x0
    LegalNoticeCaption    REG_SZ    
    LegalNoticeText    REG_SZ    
    PasswordExpiryWarning    REG_DWORD    0x5
    PowerdownAfterShutdown    REG_SZ    0
    ShutdownWithoutLogon    REG_SZ    0
    WinStationsDisabled    REG_SZ    0
    DisableCAD    REG_DWORD    0x1
    scremoveoption    REG_SZ    0
    ShutdownFlags    REG_DWORD    0x27
 
I see you have just added something so will post this and then read what you just added.

  • 0
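A check of the two Winlogon values that decide what runs at logon (`Userinit` and `Shell`), written against the listing format shown in the post above. This is an added example, not part of the thread or of FRST; the function names, the `system_drive` parameter and the constructed listings (including the `C:\Users\Public\example.exe` entry) are assumptions for illustration. The drive is a parameter because the letters seen from a recovery environment can differ from those the installed system assigns.

```python
import re

# Defaults as they appear in the reference listing in this thread (Windows 7).
EXPECTED_USERINIT = r"\windows\system32\userinit.exe"
EXPECTED_SHELL = "explorer.exe"

# "    <value name>    REG_<TYPE>    <data>" as printed in the listing above.
VALUE_LINE = re.compile(r"^\s+(.+?)\s{2,}(REG_[A-Z_]+)\s*(.*)$")

# Subset of the reference listing posted in the thread.
REFERENCE_LISTING = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    ReportBootOk    REG_SZ    1
    Shell    REG_SZ    explorer.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
    LegalNoticeCaption    REG_SZ
    AutoRestartShell    REG_DWORD    0x1
"""

# Constructed: the same key carrying the G: value that the recovery-mode scan reported.
RECOVERY_LISTING = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe
    Userinit    REG_SZ    G:\Windows\system32\userinit.exe,
"""

# Constructed: a second program appended after userinit.exe (hypothetical path).
TAMPERED_LISTING = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,C:\Users\Public\example.exe
"""


def parse_reg_values(listing):
    """Parse the listing into {value name (lowercase): (type, data)}."""
    values = {}
    for line in listing.splitlines():
        m = VALUE_LINE.match(line.rstrip())
        if m:  # key-name lines have no leading whitespace and are skipped
            name, reg_type, data = m.groups()
            values[name.lower()] = (reg_type, data)
    return values


def audit_winlogon(values, system_drive="C:"):
    """Return a list of (code, detail) findings; an empty list means defaults."""
    findings = []
    want = (system_drive + EXPECTED_USERINIT).lower()

    # Userinit is a comma-separated list; every entry is started at logon.
    data = values.get("userinit", ("", ""))[1]
    entries = [e.strip() for e in data.split(",") if e.strip()]
    if not entries:
        findings.append(("USERINIT_MISSING", "no Userinit entry present"))
    for entry in entries:
        low = entry.lower()
        if low == want:
            continue
        if low[1:2] == ":" and low[2:] == EXPECTED_USERINIT:
            # Right file, unexpected drive letter: the case flagged in this thread.
            findings.append(("USERINIT_DRIVE", entry))
        else:
            findings.append(("USERINIT_EXTRA", entry))

    shell = values.get("shell", ("", ""))[1].strip()
    if shell.lower() != EXPECTED_SHELL:
        findings.append(("SHELL_CHANGED", shell or "<missing>"))
    return findings


def audit_listing(listing, system_drive="C:"):
    """Convenience wrapper: parse a listing and return only the finding codes."""
    return [code for code, _ in audit_winlogon(parse_reg_values(listing), system_drive)]


if __name__ == "__main__":
    for label, text in (("reference", REFERENCE_LISTING),
                        ("recovery scan", RECOVERY_LISTING),
                        ("tampered", TAMPERED_LISTING)):
        print(label, audit_winlogon(parse_reg_values(text)))
```
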

#6
RKinner

    Malware Expert

  • Expert
  • 20,887 posts
  • MVP

Since you have a second system, turn on boot logging (MSCONFIG, then Boot, and you can check the boot log box) on the second system and reboot into Safe mode. Then look at \windows\ntbtlog.txt; it should be essentially what you see when you boot into Safe Mode, and it lists the drivers as it starts them. How far does yours get and what is the next driver?

 

This is from a regular boot on my 32 bit system

 

 Service Pack 1 10 26 2015 16:36:14.109
Loaded driver \SystemRoot\system32\ntkrnlpa.exe
Loaded driver \SystemRoot\system32\halmacpi.dll
Loaded driver \SystemRoot\system32\kdcom.dll
Loaded driver \SystemRoot\system32\mcupdate_AuthenticAMD.dll
Loaded driver \SystemRoot\system32\PSHED.dll
Loaded driver \SystemRoot\system32\BOOTVID.dll
Loaded driver \SystemRoot\system32\CLFS.SYS
Loaded driver \SystemRoot\system32\CI.dll
Loaded driver \SystemRoot\system32\drivers\Wdf01000.sys
Loaded driver \SystemRoot\system32\drivers\WDFLDR.SYS
Loaded driver \SystemRoot\system32\drivers\ACPI.sys
Loaded driver \SystemRoot\system32\drivers\WMILIB.SYS
Loaded driver \SystemRoot\system32\drivers\msisadrv.sys
Loaded driver \SystemRoot\system32\drivers\pci.sys
Loaded driver \SystemRoot\system32\drivers\vdrvroot.sys
Loaded driver \SystemRoot\System32\drivers\partmgr.sys
Loaded driver \SystemRoot\system32\drivers\volmgr.sys
Loaded driver \SystemRoot\System32\drivers\volmgrx.sys
Loaded driver \SystemRoot\System32\drivers\mountmgr.sys
Loaded driver \SystemRoot\system32\drivers\atapi.sys
Loaded driver \SystemRoot\system32\drivers\ataport.SYS
Loaded driver \SystemRoot\system32\drivers\msahci.sys
Loaded driver \SystemRoot\system32\drivers\PCIIDEX.SYS
Loaded driver \SystemRoot\system32\DRIVERS\amd_sata.sys
Loaded driver \SystemRoot\system32\DRIVERS\storport.sys
Loaded driver \SystemRoot\system32\DRIVERS\amd_xata.sys
Loaded driver \SystemRoot\system32\drivers\amdxata.sys
Loaded driver \SystemRoot\system32\drivers\fltmgr.sys
Loaded driver \SystemRoot\system32\drivers\fileinfo.sys
Loaded driver \SystemRoot\System32\Drivers\Ntfs.sys
Loaded driver \SystemRoot\System32\Drivers\msrpc.sys
Loaded driver \SystemRoot\System32\Drivers\ksecdd.sys
Loaded driver \SystemRoot\System32\Drivers\cng.sys
Loaded driver \SystemRoot\System32\drivers\pcw.sys
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.sys
Loaded driver \SystemRoot\system32\drivers\ndis.sys
Loaded driver \SystemRoot\system32\drivers\NETIO.SYS
Loaded driver \SystemRoot\System32\Drivers\ksecpkg.sys
Loaded driver \SystemRoot\System32\drivers\tcpip.sys
Loaded driver \SystemRoot\System32\drivers\fwpkclnt.sys
Loaded driver \SystemRoot\system32\drivers\volsnap.sys
Loaded driver \SystemRoot\System32\Drivers\spldr.sys
Loaded driver \SystemRoot\System32\drivers\rdyboost.sys
Loaded driver \SystemRoot\System32\Drivers\ngvss.sys
Loaded driver \SystemRoot\System32\Drivers\mup.sys
Loaded driver \SystemRoot\System32\drivers\hwpolicy.sys
Loaded driver \SystemRoot\System32\DRIVERS\fvevol.sys
Loaded driver \SystemRoot\system32\drivers\disk.sys
Loaded driver \SystemRoot\system32\drivers\CLASSPNP.SYS
Loaded driver \SystemRoot\System32\Drivers\aswVmm.sys
Loaded driver \SystemRoot\System32\Drivers\aswRvrt.sys
Loaded driver \SystemRoot\system32\DRIVERS\cdrom.sys
Loaded driver \SystemRoot\system32\drivers\aswSnx.sys
Loaded driver \SystemRoot\system32\drivers\aswSP.sys
Loaded driver \SystemRoot\System32\Drivers\Null.SYS
Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
Loaded driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys
Loaded driver \SystemRoot\system32\drivers\rdpencdd.sys
Loaded driver \SystemRoot\system32\drivers\rdprefmp.sys
Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
Loaded driver \SystemRoot\system32\DRIVERS\tdx.sys
Loaded driver \SystemRoot\system32\drivers\afd.sys
Loaded driver \SystemRoot\system32\drivers\aswRdr2.sys
Loaded driver \SystemRoot\System32\DRIVERS\netbt.sys
Loaded driver \SystemRoot\system32\DRIVERS\wfplwf.sys
Loaded driver \SystemRoot\system32\DRIVERS\pacer.sys
Loaded driver \SystemRoot\system32\DRIVERS\nbdrv.sys
Loaded driver \SystemRoot\system32\DRIVERS\netbios.sys
Loaded driver \SystemRoot\system32\DRIVERS\serial.sys
Loaded driver \SystemRoot\system32\DRIVERS\wanarp.sys
Loaded driver \SystemRoot\system32\DRIVERS\termdd.sys
Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys
Loaded driver \SystemRoot\system32\drivers\nsiproxy.sys
Loaded driver \SystemRoot\system32\DRIVERS\mssmbios.sys
Loaded driver \SystemRoot\System32\drivers\discache.sys
Loaded driver \SystemRoot\System32\Drivers\dfsc.sys
Loaded driver \SystemRoot\system32\DRIVERS\blbdrive.sys
Loaded driver \SystemRoot\system32\DRIVERS\tunnel.sys
Loaded driver \SystemRoot\system32\DRIVERS\atikmdag.sys
Loaded driver \SystemRoot\System32\drivers\dxgkrnl.sys
Loaded driver \SystemRoot\system32\DRIVERS\atikmpag.sys
Loaded driver \SystemRoot\system32\DRIVERS\HDAudBus.sys
Loaded driver \SystemRoot\system32\DRIVERS\Rt86win7.sys
Loaded driver \SystemRoot\system32\DRIVERS\xhcdrv.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbfilter.sys
Loaded driver \SystemRoot\system32\DRIVERS\amdxhc.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbohci.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbehci.sys
Loaded driver \SystemRoot\system32\DRIVERS\serenum.sys
Loaded driver \SystemRoot\system32\DRIVERS\amdppm.sys
Loaded driver \SystemRoot\system32\DRIVERS\wmiacpi.sys
Loaded driver \SystemRoot\system32\DRIVERS\CompositeBus.sys
Loaded driver \SystemRoot\system32\DRIVERS\AgileVpn.sys
Loaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndistapi.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndiswan.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspppoe.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspptp.sys
Loaded driver \SystemRoot\system32\DRIVERS\rassstp.sys
Loaded driver \SystemRoot\system32\DRIVERS\kbdclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\mouclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\swenum.sys
Loaded driver \SystemRoot\system32\DRIVERS\umbus.sys
Did not load driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\system32\DRIVERS\ViaHub3.sys
Loaded driver \SystemRoot\system32\DRIVERS\amdhub30.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\system32\drivers\AtihdW73.sys
Loaded driver \SystemRoot\system32\drivers\RTKVHDA.sys
Loaded driver \SystemRoot\system32\drivers\hidusb.sys
Loaded driver \SystemRoot\system32\DRIVERS\mouhid.sys
Loaded driver \SystemRoot\system32\DRIVERS\monitor.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbccgp.sys
Loaded driver \SystemRoot\system32\DRIVERS\kbdhid.sys
Loaded driver \SystemRoot\system32\drivers\luafv.sys
Loaded driver \SystemRoot\system32\drivers\aswMonFlt.sys
Loaded driver \SystemRoot\system32\drivers\aswStm.sys
Loaded driver \SystemRoot\system32\DRIVERS\lltdio.sys
Loaded driver \SystemRoot\system32\DRIVERS\rspndr.sys
Loaded driver \SystemRoot\system32\drivers\HTTP.sys
Loaded driver \SystemRoot\system32\DRIVERS\bowser.sys
Loaded driver \SystemRoot\System32\drivers\mpsdrv.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb10.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb20.sys
Did not load driver \SystemRoot\system32\drivers\parport.sys
Loaded driver \??\C:\Program Files\ATI Technologies\ATI.ACE\Fuel\i386\AODDriver2.sys
Loaded driver \SystemRoot\system32\drivers\aswHwid.sys
Loaded driver \??\C:\Windows\system32\giveio.sys
Loaded driver \??\C:\Windows\system32\drivers\npf.sys
Loaded driver \SystemRoot\system32\drivers\peauth.sys
Loaded driver \??\C:\Windows\system32\speedfan.sys
Loaded driver \SystemRoot\System32\DRIVERS\srvnet.sys
Loaded driver \SystemRoot\System32\drivers\tcpipreg.sys
Loaded driver \??\C:\Program Files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys
Loaded driver \SystemRoot\System32\DRIVERS\srv2.sys
Loaded driver \SystemRoot\System32\DRIVERS\srv.sys
Did not load driver \SystemRoot\System32\DRIVERS\srv.sys
Loaded driver \SystemRoot\system32\DRIVERS\asyncmac.sys
 
Got to go.  Wife says Dinner's ready.

  • 0

#7
keithclem


    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts

See attached ntbtlog file.

 

Seems as though it is not loading a lot of drivers. Any idea why?

 

What are @nettun.inf etc?

 

Thanks for the help.



  • 0

#8
keithclem


    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts

I have looked for solutions to this and all suggest repairing the system which I have already tried and it errors. I would be happy to try again though.

Interestingly the log says it cannot load the video driver ATI Radeon HD 4600 Series. So can I help the system repair that? I do have a working dual boot.


  • 0

#9
RKinner


    Malware Expert

  • Expert
  • 20,887 posts
  • MVP

Normally when I see a ntbtlog like this I would say you are missing the intel chipset utility, network driver and video driver.  Not sure how to add these when it won't boot tho.

Look in \windows\inf and you should find the cpu.inf, netrasa.inf and other files mentioned in the ntbtlog.inf.  These refer to .sys files that usually wind up in \windows\system32\drivers but a few may go to \windows\sysWOW64\drivers and some in \windows\system32 and \windows\sysWOW64

 

These eventually have entries in the registry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ and sometimes also HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root (with LEGACY_ )

 

Looking at my CPU.inf, which is different from yours since I have an AMD CPU, I see under [SourceDisksFiles] 4 files:

 

processr.sys = 3426
intelppm.sys = 3426
viac7.sys = 3426
amdk8.sys = 3426
amdppm.sys = 3426
 
All four are present in \windows\system32\drivers
 
 
Example:
 
and show up in  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\
 
Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\AmdK8]
"Start"=dword:00000003
"Type"=dword:00000001
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,72,\
  00,69,00,76,00,65,00,72,00,73,00,5c,00,61,00,6d,00,64,00,6b,00,38,00,2e,00,\
  73,00,79,00,73,00,00,00
"DisplayName"="AMD K8 Processor Driver"
"Group"="Extended Base"
"DriverPackageId"="cpu.inf_x86_neutral_729b871528391032"
 
(Image Path looks like this in regedit:
 
\SystemRoot\system32\drivers\amdk8.sys
 
but when you export it comes out in hex)
 
I don't see it in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
 
One other thing I should mention.  Each .inf file has a corresponding .pnf file which is a compiled version of the .inf file.  You can delete the pnf file and windows will create a new one.
 
Also in each .inf file that comes from Microsoft and is thus a standard part of windows will be a header that looks like this:
 
; NETRASA.INF -- WAN Miniports and wrappers
;
; Copyright © Microsoft Corporation.  All rights reserved.
 
[Version]
Signature   = "$Windows NT$"
Class       = Net
ClassGUID   = {4d36e972-e325-11ce-bfc1-08002be10318}
Provider    = %Msft%
DriverVer=06/21/2006,6.1.7601.17514
 
So netrasa.inf is a windows file.  Not a good thing that it doesn't load.
 
It just has a single file:
 
[SourceDisksFiles]
rasirda.sys = 3426
 
But it's not in drivers or the registry (at least on mine)  so we have to look further in the .inf file.
 
We see a [Services] section, and under it we find it adds 11 services with addservice
 
These will be the names in the registry.
 
Further down you see it is mainly concerned with the files:
 
%systemroot%\system32\rascfg.dll
 
and
 
ndistapi.sys
 
 
 
 

  • 0

#10
keithclem


    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts

After having a look at the first failure of nettun.inf and not discovering anything amiss-

 

I deleted all the .pnf files.

I copied all files present in my dual boot system that works (but not present in the failing system) across to the failing drive from windows system32 and syswow64 except for the config and boot directories. There seems to be no difference in the ntbtlog or black screen symptom!

I will see if I can understand what the nettun.inf file is trying to do and why the ISATAP adapter is not loading.

 

Also a little confused by

'Did not load driver @hal.inf,%acpi_amd64.devicedesc%;ACPI x64-based PC'

since I am on an Intel PC. It seems that the system has a few goes at doing the same thing, e.g. loading the ATI driver. What script drives this loading and is it this that is screwed?


  • 0

#11
RKinner


    Malware Expert

  • Expert
  • 20,887 posts
  • MVP

I assume that the hal.inf file is the source of the '%acpi_amd64.devicedesc%;ACPI x64-based PC'

 

I don't have an intel machine but this is my hal.inf from the 64 bit AMD Win 7

 

 
[Version]
Signature="$WINDOWS NT$"
Class=Computer
ClassGuid={4D36E966-E325-11CE-BFC1-08002BE10318}
Provider=%MSFT%
DriverVer=06/21/2006,6.1.7600.16385
 
[rp_tags_addreg]
HKR,,ResourcePickerTags,0x00000000,"HAL"
 
[SourceDisksNames]
3426=windows cd
 
[SourceDisksFiles]
ntkrnlmp.exe = 3426
hal.dll     = 3426
 
[DestinationDirs]
DefaultDestDir = 11
 
[ControlFlags]
BasicDriverOk=*
 
[Manufacturer]
%GENDEV_MFG%=GENDEV_SYS,NTamd64
 
[GENDEV_SYS.NTamd64]
%ACPI_AMD64.DeviceDesc%   = ACPI_AMD64_HAL, ACPIAPIC
 
 
;****************************************************
; Standard AMD64 HAL.  Although there is only one HAL, we have two install
; sections so that we can move from the UP kernel to the MP kernel when
; processors are added to the machine.
 
[ACPI_AMD64_HAL]
AddReg = rp_tags_addreg
Reboot
 
 
[Strings]
;Non-localizable
MSFT              = "Microsoft"
;Localizable
;*******************************************
;device descriptions
 
GENDEV_MFG = "(Standard computers)"
 
ACPI_AMD64.DeviceDesc     = "ACPI x64-based PC"
 
;Non-localizable
REG_EXPAND_SZ                = 0x00020000
REG_DWORD                    = 0x00010001
 
 
The other thing that can get messed up is the permissions on the files.
 
Right click on the file and select Properties then Security.  System and Administrators should have Full Control on some of them, and on others Trusted Installer is the only one with Full Control.  System & Admin only can Read & Execute and Read.
 
Are you sure ntbtlog.txt is getting new info each boot?

  • 0

#12
keithclem


    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts

NTBTLOG has current date timestamp so think it is being updated.

My hal.inf is the same on both dual boot systems and is AMD and is the same as yours, so even more confused as I have an INTEL machine so why is it loading an amd hal?

 

What file is driving the driver load?

 

I did get some permissions issues when trying to copy files so I need to open those files up from just being Trusted Installer.

I wonder if a virus has changed permissions....

I will try an icacls on the windows directory to see if I can clear.


  • 0

#13
keithclem


    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts

I have done an ntbtlog on the working system and it has none of the 'inf' file loading.

Compare the two attached. The Service Pack 1 is the one that is working; the Service pack 111 is the one that is not.

 

I suspect a reinstall is necessary unless you can think of anything to try.



  • 0
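The comparison of the two boot logs described in the post above, as an added example that is not part of the original thread: this Python sketch separates drivers that never loaded from those already logged as loaded earlier in the same boot, keeps the `@...inf` entries apart, and lists what fails only on the bad system. The log text is constructed from lines quoted in this thread, not taken from the attached files, and the function names are this example's own.

```python
# Constructed samples built from lines quoted in this thread; not the attached logs.
BAD_LOG = r"""Loaded driver \SystemRoot\system32\DRIVERS\umbus.sys
Did not load driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\system32\drivers\parport.sys
Loaded driver \??\C:\Windows\system32\giveio.sys
Loaded driver \SystemRoot\System32\DRIVERS\srv.sys
Did not load driver \SystemRoot\System32\DRIVERS\srv.sys
Did not load driver @hal.inf,%acpi_amd64.devicedesc%;ACPI x64-based PC
"""
GOOD_LOG = r"""Loaded driver \SystemRoot\system32\DRIVERS\umbus.sys
Loaded driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\system32\drivers\parport.sys
"""

def parse_ntbtlog(text):
    """Return {driver: {"loaded": n, "failed": n}}, keyed by lower-cased entry."""
    stats = {}
    for line in map(str.strip, text.splitlines()):
        for prefix, field in (("Did not load driver ", "failed"),
                              ("Loaded driver ", "loaded")):
            if line.startswith(prefix):
                key = line[len(prefix):].lower()
                stats.setdefault(key, {"loaded": 0, "failed": 0})[field] += 1
    return stats

def classify(stats):
    """Split 'Did not load' entries into three groups, in log order."""
    out = {"never_loaded": [], "loaded_then_repeated": [], "inf_entries": []}
    for drv, count in stats.items():
        if not count["failed"]:
            continue
        if drv.startswith("@"):            # device entries named via an .inf
            out["inf_entries"].append(drv)
        elif count["loaded"]:              # also logged as loaded in this boot
            out["loaded_then_repeated"].append(drv)
        else:
            out["never_loaded"].append(drv)
    return out

def regressions(bad_text, good_text):
    """Drivers that never loaded in the bad log but did load in the good one."""
    bad, good = parse_ntbtlog(bad_text), parse_ntbtlog(good_text)
    return [d for d in classify(bad)["never_loaded"]
            if good.get(d, {}).get("loaded", 0) > 0]
```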

#14
RKinner


    Malware Expert

  • Expert
  • 20,887 posts
  • MVP

Not sure what guides it. A reinstall is probably the quickest solution.

 

It's odd that it looks good up until it loads CLASSPNP.SYS then it goes off into did not load a bunch of stuff.

 

The only thing I can think to do is to look at the good boot with Process Monitor.  It may give you an idea of the proper sequencing and where it looks in the registry.

 

 
 
Right click on it and run as admin then Options, Enable boot logging and restart
 
When you run Process Monitor again it will tell you you have a boot log and ask if you want to see it.
 
It's pretty detailed so may be too much info.

  • 0





