Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Black screen with cursor, frst64 repeatedly says winlogon userinit.exe

Started by keithclem , Dec 31 2015 04:22 AM

Black screen frst64 winlogon

Please log in to reply

#1
keithclem

Posted 31 December 2015 - 04:22 AM

New Member

Member
9 posts

A friend used the computer for web browsing (perhaps introducing a virus) and possibly badly shutdown system during update. Since then system boots to black screen with cursor, occasional blue circle if some key is pressed. Cursor moves across extended screen. Same when booting to safe mode. Boots to 'repair' OK where I ran FRST64. I think this found a virus 'zero???' but removed it, altrhough I cannot find the log of that. It also replaced some group policy (G:\FRST\Quarantine\C\Windows\System32\GroupPolicy). After a number of iterations removing/replacing unwanted registry, service and driver entries, FRST64 now does not seem to replace the userinit entry in the winlogon key, although it does say it has and regedit says it is OK. Since this is precisely the area of error I suspect there is something wrong.

Note that trying to repair computer finds nothing wrong and restore system back-up fails after a lengthy restore with 0x80070002 error. The system has dual boot and the other Win7 system is good. Chkdsk and virus scan from this system are OK.

Find latest fixlog and scanlog below. The Winlogon restoration has been repeatedly tried but does not clear when rescanned. Note that to get to this stage many FRST fix runs were done , a few other 'fixes' were tried. I have tried copying (by export and import) the good winlogon key from the dual boot system but do not think this worked as it does not put it into the correct control set. I might have to resort to doing it manually. But as I said it looks OK when viewed with regeit , just FRST64 is saying it is wrong.

Fix result of Farbar Recovery Scan Tool (x64) Version:29-12-2015
Ran by SYSTEM (2015-12-30 19:59:32) Run:13
Running from F:\
Boot Mode: Recovery
==============================================

fixlist content:
*****************
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,
*****************

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit => value restored successfully

==== End of Fixlog 19:59:32 ====

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:29-12-2015
Ran by SYSTEM on MININT-544NOFG (30-12-2015 19:56:47)
Running from F:\
Platform: Windows 7 Ultimate (X64) Language: English (United States)
Internet Explorer Version 10
Boot Mode: Recovery
Default: ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Winlogon: [Userinit] G:\Windows\system32\userinit.exe,

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-12-20 11:25 - 2015-12-30 19:56 - 00000000 ____D C:\FRST

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-12-30 19:21 - 2009-07-13 21:32 - 00000000 ____D C:\Windows\Downloaded Program Files
2015-12-30 19:20 - 2009-07-13 23:46 - 00000000 __SHD C:\Windows\BitLockerDiscoveryVolumeContents
2015-12-30 19:20 - 2009-07-13 23:46 - 00000000 ____D C:\Windows\ShellNew
2015-12-30 19:20 - 2009-07-13 23:46 - 00000000 ____D C:\Program Files\Windows Journal
2015-12-30 19:20 - 2009-07-13 21:32 - 00000000 ____D C:\Windows\System32\WinBioPlugIns
2015-12-30 19:20 - 2009-07-13 21:32 - 00000000 ____D C:\Windows\Offline Web Pages
2015-12-30 19:20 - 2009-07-13 21:32 - 00000000 ____D C:\Windows\addins
2015-12-30 19:20 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Sidebar
2015-12-30 19:20 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Portable Devices
2015-12-30 19:20 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Photo Viewer
2015-12-30 19:20 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Defender
2015-12-30 19:20 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\DVD Maker
2015-12-30 19:20 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Sidebar
2015-12-30 19:20 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Portable Devices
2015-12-30 19:20 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Photo Viewer
2015-12-30 19:20 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Defender
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 __RSD C:\Windows\Media
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\TAPI
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\Setup
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\ras
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\oobe
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\migwiz
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\manifeststore
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\lv-LV
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\lt-LT
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\InstallShield
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\icsxml
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\et-EE
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\Dism
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\com
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\catroot2.bak
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\AdvancedInstallers
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\sysprep
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\Setup
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\ras
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\oobe
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\migwiz
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\manifeststore
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\lv-LV
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\lt-LT
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\icsxml
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\ias
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\et-EE
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\Dism
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\com
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\AdvancedInstallers
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\servicing
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\PolicyDefinitions
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\L2Schemas
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\IME
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\Cursors
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\System
2015-12-30 19:20 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Services
2015-12-30 19:17 - 2012-05-31 13:19 - 00000000 ____D C:\Windows\en
2015-12-30 19:17 - 2011-12-16 03:15 - 00000000 ____D C:\Windows\rescache
2015-12-30 19:17 - 2011-11-19 14:48 - 00000000 ____D C:\Windows\System32\Macromed
2015-12-30 19:17 - 2011-10-18 14:41 - 00000000 ____D C:\Windows\System32\SPReview
2015-12-30 19:17 - 2011-09-21 05:18 - 00000000 ____D C:\Windows\pss
2015-12-30 19:17 - 2011-05-04 11:40 - 00000000 ____D C:\Windows\Minidump
2015-12-30 19:17 - 2011-03-16 11:43 - 00000000 ____D C:\Windows\CheckSur
2015-12-30 19:17 - 2011-03-16 11:26 - 00000000 ____D C:\Windows\System32\EventProviders
2015-12-30 19:17 - 2010-07-19 03:44 - 00000000 ____D C:\Windows\SysWOW64\SPOOL
2015-12-30 19:17 - 2010-07-13 00:41 - 00000000 ____D C:\Windows\Downloaded Installations
2015-12-30 19:17 - 2010-07-04 11:06 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2015-12-30 19:17 - 2010-06-15 12:46 - 00000000 ____D C:\Windows\SysWOW64\1033
2015-12-30 19:17 - 2010-06-15 12:46 - 00000000 ____D C:\Windows\System32\1033
2015-12-30 19:17 - 2010-06-15 12:25 - 00000000 ____D C:\Windows\System32\Tasks\OfficeSoftwareProtectionPlatform
2015-12-30 19:17 - 2010-02-25 23:56 - 00000000 ____D C:\Windows\SoftwareDistributionold
2015-12-30 19:17 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\SysWOW64\winrm
2015-12-30 19:17 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\SysWOW64\WCN
2015-12-30 19:17 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\SysWOW64\slmgr
2015-12-30 19:17 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\SysWOW64\Printing_Admin_Scripts
2015-12-30 19:17 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\System32\winrm
2015-12-30 19:17 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\System32\WCN
2015-12-30 19:17 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\System32\slmgr
2015-12-30 19:17 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\System32\Printing_Admin_Scripts
2015-12-30 19:17 - 2009-07-13 21:32 - 00000000 ____D C:\Windows\Performance
2015-12-30 19:17 - 2009-07-13 21:09 - 00000000 ____D C:\Windows\System32\Tasks\WPD
2015-12-30 19:17 - 2009-07-13 20:45 - 00000000 ____D C:\Windows\Setup
2015-12-30 19:17 - 2009-07-13 19:20 - 00000000 ___HD C:\Windows\System32\GroupPolicy
2015-12-30 19:17 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\MUI
2015-12-30 19:17 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\Msdtc
2015-12-30 19:17 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\SysWOW64\IME
2015-12-30 19:17 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\spool
2015-12-30 19:17 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\SMI
2015-12-30 19:17 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
2015-12-30 19:17 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\MUI
2015-12-30 19:17 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\IME
2015-12-30 19:17 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\security
2015-12-30 19:17 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\schemas
2015-12-30 19:17 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\Resources
2015-12-30 19:17 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\PLA
2015-12-30 19:17 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\Help
2015-12-30 19:17 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\Globalization
2015-12-30 19:17 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\Branding
2015-12-30 19:16 - 2012-10-14 03:57 - 00000000 ____D C:\Program Files (x86)\Ask.com
2015-12-30 19:16 - 2012-05-17 14:37 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2015-12-30 19:16 - 2012-05-17 14:37 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2015-12-30 19:16 - 2012-05-01 03:57 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2015-12-30 19:16 - 2011-10-19 02:13 - 00000000 ____D C:\Program Files\Microsoft Security Client
2015-12-30 19:16 - 2011-10-17 13:49 - 00000000 ____D C:\Program Files (x86)\HP
2015-12-30 19:16 - 2011-10-17 13:42 - 00000000 ____D C:\ProgramData\HP
2015-12-30 19:16 - 2011-06-06 07:53 - 00000000 ____D C:\Program Files\Java
2015-12-30 19:16 - 2010-07-02 08:13 - 00000000 ___RD C:\Users\Keith\Virtual Machines
2015-12-30 19:16 - 2010-06-22 02:20 - 00000000 ____D C:\Program Files (x86)\Adobe
2015-12-30 19:16 - 2010-06-17 13:51 - 00000000 ____D C:\Program Files (x86)\Java
2015-12-30 19:16 - 2010-06-15 12:23 - 00000000 ____D C:\ProgramData\Microsoft Help
2015-12-30 19:16 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\MSBuild
2015-12-30 19:16 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat
2015-12-30 19:16 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2015-12-30 19:12 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2015-12-30 18:59 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\Web
2015-12-30 18:59 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\Vss
2015-12-30 18:56 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\Msdtc
2015-12-30 18:52 - 2009-07-13 20:45 - 00000000 ____D C:\Windows\ServiceProfiles
2015-12-30 18:47 - 2011-12-27 14:16 - 00000000 ____D C:\Windows\Hewlett-Packard
2015-12-30 18:45 - 2012-08-02 01:13 - 00000000 ____D C:\Users\Keith\AppData\Roaming\TomTom
2015-12-30 18:45 - 2011-05-25 07:11 - 00000000 ____D C:\Users\Keith\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2015-12-30 18:45 - 2010-06-22 02:20 - 00000000 ____D C:\Users\Keith\AppData\Roaming\Macromedia
2015-12-30 18:45 - 2010-06-22 02:20 - 00000000 ____D C:\Users\Keith\AppData\Roaming\Adobe
2015-12-30 18:45 - 2010-06-17 13:51 - 00000000 ____D C:\Users\Keith\AppData\LocalLow\Sun
2015-12-30 18:45 - 2010-06-15 15:38 - 00000000 ____D C:\users\Keith
2015-12-30 18:44 - 2010-06-22 02:20 - 00000000 ____D C:\ProgramData\Adobe
2015-12-30 18:43 - 2012-09-22 11:26 - 00000000 __SHD C:\found.000
2015-12-30 18:43 - 2011-01-24 11:29 - 00000000 ____D C:\Program Files (x86)\Google
2015-12-30 18:43 - 2010-06-15 12:23 - 00000000 __RHD C:\MSOCache
2015-12-30 18:43 - 2010-06-15 12:23 - 00000000 ____D C:\Program Files (x86)\Microsoft Office
2015-12-30 11:26 - 2009-07-13 21:13 - 00870974 _____ C:\Windows\System32\PerfStringBackup.INI
2015-12-30 11:26 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\inf
2015-12-30 11:25 - 2012-06-15 02:56 - 00000896 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-12-30 11:24 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-12-19 08:52 - 2014-01-29 02:45 - 00000000 ____D C:\Program Files (x86)\7-Zip
2015-12-19 08:51 - 2015-10-09 08:55 - 00000000 ____D C:\Program Files (x86)\WinMerge
2015-12-19 08:51 - 2015-09-15 04:34 - 00000000 ___RD C:\Users\jowettguest\Virtual Machines
2015-12-19 08:51 - 2015-09-15 04:33 - 00000000 ____D C:\users\jowettguest
2015-12-19 08:51 - 2015-05-14 11:59 - 00000000 ____D C:\Program Files (x86)\cwRsync
2015-12-19 08:51 - 2015-04-29 08:16 - 00000000 ____D C:\Program Files (x86)\Gallery Remote
2015-12-19 08:51 - 2015-02-12 00:24 - 00000000 ____D C:\Program Files (x86)\QuickTime
2015-12-19 08:51 - 2014-07-22 04:15 - 00000000 ___RD C:\Program Files (x86)\Skype
2015-12-19 08:51 - 2014-07-22 04:15 - 00000000 ____D C:\ProgramData\Skype
2015-12-19 08:51 - 2014-07-11 01:43 - 00000000 ____D C:\Program Files (x86)\Wondershare
2015-12-19 08:51 - 2014-02-22 05:19 - 00000000 ____D C:\Program Files (x86)\Apple Software Update
2015-12-19 08:51 - 2014-01-29 09:06 - 00000000 ____D C:\Program Files (x86)\Replay Telecorder for Skype
2015-12-19 08:51 - 2014-01-29 09:05 - 00000000 ____D C:\Program Files (x86)\Replay Media Splitter
2015-12-19 08:51 - 2014-01-29 09:04 - 00000000 ____D C:\Program Files (x86)\Replay Converter 4
2015-12-19 08:51 - 2014-01-29 08:55 - 00000000 ____D C:\Program Files (x86)\Replay Music 6
2015-12-19 08:51 - 2014-01-29 07:16 - 00000000 ____D C:\Program Files (x86)\Replay Video Capture 7
2015-12-19 08:51 - 2014-01-29 07:12 - 00000000 ____D C:\Program Files (x86)\WinPcap
2015-12-19 08:51 - 2014-01-29 07:10 - 00000000 ____D C:\Windows\Applian Director
2015-12-19 08:51 - 2013-11-05 15:02 - 00000000 ____D C:\Program Files (x86)\ImageMagick-6.8.7-Q16
2015-12-19 08:51 - 2013-05-01 02:40 - 00000000 ____D C:\Program Files (x86)\ImgBurn
2015-12-19 08:50 - 2015-04-05 00:59 - 00000000 ___SD C:\Windows\SysWOW64\GWX
2015-12-19 08:50 - 2015-04-05 00:59 - 00000000 ___SD C:\Windows\System32\GWX
2015-12-19 08:50 - 2014-05-07 22:59 - 00000000 ___SD C:\Windows\System32\CompatTel
2015-12-19 08:50 - 2011-11-07 09:22 - 00000000 ____D C:\Windows\System32\Tasks\Event Viewer Tasks
2015-12-17 06:46 - 2012-08-06 01:55 - 00000000 ____D C:\Users\Keith\Documents\Outlook Files
2015-12-09 19:35 - 2013-07-15 15:55 - 00000000 ____D C:\Windows\System32\MRT
2015-12-08 05:14 - 2015-03-24 01:29 - 00000000 ____D C:\ProgramData\Oracle

==================== Known DLLs (Whitelisted) =========================

C:\Windows\SysWOW64\LPK.dll IS MISSING <==== ATTENTION

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\dnsapi.dll => MD5 is legit
C:\Windows\SysWOW64\dnsapi.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE Association (Whitelisted) =============

==================== Restore Points =========================

Restore point date: 2015-12-30 11:26

==================== Memory info ===========================

Percentage of memory in use: 12%
Total physical RAM: 6141.46 MB
Available physical RAM: 5371.24 MB
Total Virtual: 6139.61 MB
Available Virtual: 5378.43 MB

==================== Drives ================================

Drive c: (w7-os) (Fixed) (Total:244.14 GB) (Free:189.35 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive e: (InboardFiles) (Fixed) (Total:931.51 GB) (Free:719.37 GB) NTFS
Drive f: (newback) (Fixed) (Total:931.51 GB) (Free:616.91 GB) NTFS
Drive g: (OtherBackup) (Fixed) (Total:931.51 GB) (Free:4.72 GB) NTFS
Drive h: (edit) (Fixed) (Total:146.48 GB) (Free:114.03 GB) NTFS
Drive i: (2-OS) (Fixed) (Total:48.83 GB) (Free:47.27 GB) NTFS
Drive j: (vhd) (Fixed) (Total:472.51 GB) (Free:172.33 GB) NTFS
Drive k: (pagefile) (Fixed) (Total:19.53 GB) (Free:10.03 GB) NTFS
Drive l: (GB1CULXFRER_EN_DVD) (CDROM) (Total:3.2 GB) (Free:0 GB) UDF
Drive m: (SystemBackUp) (Fixed) (Total:931.51 GB) (Free:0 GB) NTFS
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (OnboardRAID) (Fixed) (Total:931.51 GB) (Free:574.51 GB) NTFS ==>[system with boot components (obtained from drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: A906E018)
Partition 1: (Active) - (Size=931.5 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 628E907E)
Partition 1: (Not Active) - (Size=19.5 GB) - (Type=07 NTFS)
Partition 2: (Active) - (Size=244.1 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=667.8 GB) - (Type=OF Extended)

========================================================
Disk: 2 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 628E907F)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)

========================================================
Disk: 3 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: A6BA6F9E)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)

========================================================
Disk: 4 (MBR Code: Windows XP) (Size: 931.5 GB) (Disk ID: C6C7B88F)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)

========================================================
Disk: 5 (Size: 931.5 GB) (Disk ID: 08632CC2)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)

LastRegBack: 2015-12-30 17:48

==================== End of FRST.txt ============================

#2
RKinner

Posted 31 December 2015 - 08:29 AM

Malware Expert

Expert
24,624 posts

I wouldn't worry about the userinit entry - not everything that shows up in FRST needs to be fixed.

. Looks to me like you may have had some hard drive damage:

2015-12-30 18:43 - 2012-09-22 11:26 - 00000000 __SHD C:\found.000

found.000 is a folder where disk check puts the files it recovers from bad sectors. You might look in the folder. Sometimes you can tell what files they were.

Also you need to fix:

C:\Windows\SysWOW64\LPK.dll IS MISSING <==== ATTENTION

Which you can't do with a fixlist. Do you have a copy of lpk.dll on your other boot? I can upload one from my 64bit Windows 7 if you need it just let me know.

Do you see any logs in C:\FRST\logs? It would be helpful to know what has been done to the system.

#3
keithclem

Posted 01 January 2016 - 05:11 PM

New Member

Topic Starter
Member
9 posts

Thanks,

I had replaced the LPK.dll previously from the dual boot system that works. Not quite sure why it showed up again in that FRST run. Maybe the restoration I tried yesterday took it out again.

The found.000 contains Dirooo0.chk which has about 50 files and three directories that all look to be intact and part of the abobe system dating back to 2011. I could try to restore them to the system if I can find the parent directory. An initial search of the dual boot system did not find where they should lie. The image directory shows a modified date a couple of days ago although no files are later than 2011.

Found.0001 is also on the drive but dates to 2014 and contains authcab.cab. I suspect this may be from a previous hard shutdown but did not seem to cause problems.

I still am suspicious of the userinit.exe 'error' as this seems to be exactly from where the symptom could emanate . It does not occur when running FRST on the working dual boot system.

Notice above I changed the drive from which userinit.exe was loaded to C: from G: just to see if that made a difference. It did not.

Is the double \ after winlogon normal in the fixlog line below?

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit => value restored successfully

I have attached the other logs and scans.

Attached Files

Fixlog_30-12-2015_16-06-55.txt 4.93KB 591 downloads
Fixlog_30-12-2015_16-09-59.txt 5.71KB 592 downloads
Fixlog_30-12-2015_16-12-11.txt 2.85KB 604 downloads
Fixlog_30-12-2015_16-58-52.txt 905bytes 556 downloads
Fixlog_30-12-2015_18-24-58.txt 1.2KB 575 downloads
Fixlog_30-12-2015_18-29-31.txt 54.95KB 588 downloads
Fixlog_30-12-2015_18-32-13.txt 456bytes 590 downloads
Fixlog_30-12-2015_19-35-47.txt 3.93KB 647 downloads
Fixlog_30-12-2015_19-37-39.txt 5.28KB 586 downloads
Fixlog_30-12-2015_19-38-47.txt 2.41KB 644 downloads
Fixlog_30-12-2015_19-46-08.txt 2.25KB 621 downloads
Fixlog_30-12-2015_19-48-10.txt 457bytes 592 downloads
Fixlog_30-12-2015_19-59-32.txt 457bytes 590 downloads
FRST_20-12-2015_11-26-19.txt 21.6KB 580 downloads
FRST_30-12-2015_12-29-22.txt 22.12KB 557 downloads
FRST_30-12-2015_13-04-16.txt 38.51KB 573 downloads
FRST_30-12-2015_16-14-54.txt 15.54KB 571 downloads
FRST_30-12-2015_16-54-37.txt 15.41KB 573 downloads
FRST_30-12-2015_16-57-21.txt 15.54KB 565 downloads
FRST_30-12-2015_16-59-55.txt 15.54KB 562 downloads
FRST_30-12-2015_17-51-39.txt 15.56KB 559 downloads
FRST_30-12-2015_18-20-40.txt 15.41KB 543 downloads
FRST_30-12-2015_18-22-30.txt 59.55KB 569 downloads
FRST_30-12-2015_18-26-17.txt 59.48KB 571 downloads
FRST_30-12-2015_18-30-24.txt 15.49KB 556 downloads
FRST_30-12-2015_18-32-56.txt 15.49KB 564 downloads
FRST_30-12-2015_19-31-39.txt 24.85KB 551 downloads
FRST_30-12-2015_19-47-03.txt 18.49KB 559 downloads
FRST_30-12-2015_19-49-02.txt 18.49KB 562 downloads
FRST_30-12-2015_19-57-02.txt 18.49KB 554 downloads

#4
keithclem

Posted 01 January 2016 - 05:37 PM

New Member

Topic Starter
Member
9 posts

I have replaced the lpk.dll again and rebooted. There is no change with the system going to the black screen with cursor after loading the pnp driver in safe mode.

Could it be that the user profile links have been lost and userinit.exe cannot find the profiles? Or could it be that some other flag such as one to complete system initialisation after an update has not been cleared. There is usually a pause where the screen goes black with cursor before displaying the logon screen, especially after a system update . The system seems to be hung in this state although other background prcesses are operating with a lot of initial disk activity.

Is there anything I can try to pinpoint where the system is hung? The system seems to respond to keystrokes. What sequence could be used to bring about a soft shutdown from this state? The keyboard sleep button works by the way but this just brings the system back to the same state on wake up.

#5
RKinner

Posted 01 January 2016 - 05:39 PM

Malware Expert

Expert
24,624 posts

The double \\ indicates that it is a value below HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon and not a subkey.

Looks like this in mine:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

ReportBootOk REG_SZ 1

Shell REG_SZ explorer.exe

PreCreateKnownFolders REG_SZ {A520A1A4-1780-4FF6-BD18-167343C5AF16}

Userinit REG_SZ C:\Windows\system32\userinit.exe,

VMApplet REG_SZ SystemPropertiesPerformance.exe /pagefile

AutoRestartShell REG_DWORD 0x1

Background REG_SZ 0 0 0

CachedLogonsCount REG_SZ 10

DebugServerCommand REG_SZ no

ForceUnlockLogon REG_DWORD 0x0

LegalNoticeCaption REG_SZ

LegalNoticeText REG_SZ

PasswordExpiryWarning REG_DWORD 0x5

PowerdownAfterShutdown REG_SZ 0

ShutdownWithoutLogon REG_SZ 0

WinStationsDisabled REG_SZ 0

DisableCAD REG_DWORD 0x1

scremoveoption REG_SZ 0

ShutdownFlags REG_DWORD 0x27

I see you have just added something so will post this and then read what you just added

#6
RKinner

Posted 01 January 2016 - 06:21 PM

Malware Expert

Expert
24,624 posts

Since you have a second system turn on boot logging (MSCONFIG then Boot and you can check the boot log box)on the second system and reboot into Safe mode. Then look at \windows\ntbtlog.txt it should be essentially what you see when you boot into Safe Mode and it lists the drivers as it starts them. How far does yours get and what is the next driver?

This is from a regular boot on my 32 bit system

Service Pack 110 26 2015 16:36:14.109

Loaded driver \SystemRoot\system32\ntkrnlpa.exe

Loaded driver \SystemRoot\system32\halmacpi.dll

Loaded driver \SystemRoot\system32\kdcom.dll

Loaded driver \SystemRoot\system32\mcupdate_AuthenticAMD.dll

Loaded driver \SystemRoot\system32\PSHED.dll

Loaded driver \SystemRoot\system32\BOOTVID.dll

Loaded driver \SystemRoot\system32\CLFS.SYS

Loaded driver \SystemRoot\system32\CI.dll

Loaded driver \SystemRoot\system32\drivers\Wdf01000.sys

Loaded driver \SystemRoot\system32\drivers\WDFLDR.SYS

Loaded driver \SystemRoot\system32\drivers\ACPI.sys

Loaded driver \SystemRoot\system32\drivers\WMILIB.SYS

Loaded driver \SystemRoot\system32\drivers\msisadrv.sys

Loaded driver \SystemRoot\system32\drivers\pci.sys

Loaded driver \SystemRoot\system32\drivers\vdrvroot.sys

Loaded driver \SystemRoot\System32\drivers\partmgr.sys

Loaded driver \SystemRoot\system32\drivers\volmgr.sys

Loaded driver \SystemRoot\System32\drivers\volmgrx.sys

Loaded driver \SystemRoot\System32\drivers\mountmgr.sys

Loaded driver \SystemRoot\system32\drivers\atapi.sys

Loaded driver \SystemRoot\system32\drivers\ataport.SYS

Loaded driver \SystemRoot\system32\drivers\msahci.sys

Loaded driver \SystemRoot\system32\drivers\PCIIDEX.SYS

Loaded driver \SystemRoot\system32\DRIVERS\amd_sata.sys

Loaded driver \SystemRoot\system32\DRIVERS\storport.sys

Loaded driver \SystemRoot\system32\DRIVERS\amd_xata.sys

Loaded driver \SystemRoot\system32\drivers\amdxata.sys

Loaded driver \SystemRoot\system32\drivers\fltmgr.sys

Loaded driver \SystemRoot\system32\drivers\fileinfo.sys

Loaded driver \SystemRoot\System32\Drivers\Ntfs.sys

Loaded driver \SystemRoot\System32\Drivers\msrpc.sys

Loaded driver \SystemRoot\System32\Drivers\ksecdd.sys

Loaded driver \SystemRoot\System32\Drivers\cng.sys

Loaded driver \SystemRoot\System32\drivers\pcw.sys

Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.sys

Loaded driver \SystemRoot\system32\drivers\ndis.sys

Loaded driver \SystemRoot\system32\drivers\NETIO.SYS

Loaded driver \SystemRoot\System32\Drivers\ksecpkg.sys

Loaded driver \SystemRoot\System32\drivers\tcpip.sys

Loaded driver \SystemRoot\System32\drivers\fwpkclnt.sys

Loaded driver \SystemRoot\system32\drivers\volsnap.sys

Loaded driver \SystemRoot\System32\Drivers\spldr.sys

Loaded driver \SystemRoot\System32\drivers\rdyboost.sys

Loaded driver \SystemRoot\System32\Drivers\ngvss.sys

Loaded driver \SystemRoot\System32\Drivers\mup.sys

Loaded driver \SystemRoot\System32\drivers\hwpolicy.sys

Loaded driver \SystemRoot\System32\DRIVERS\fvevol.sys

Loaded driver \SystemRoot\system32\drivers\disk.sys

Loaded driver \SystemRoot\system32\drivers\CLASSPNP.SYS

Loaded driver \SystemRoot\System32\Drivers\aswVmm.sys

Loaded driver \SystemRoot\System32\Drivers\aswRvrt.sys

Loaded driver \SystemRoot\system32\DRIVERS\cdrom.sys

Loaded driver \SystemRoot\system32\drivers\aswSnx.sys

Loaded driver \SystemRoot\system32\drivers\aswSP.sys

Loaded driver \SystemRoot\System32\Drivers\Null.SYS

Loaded driver \SystemRoot\System32\Drivers\Beep.SYS

Loaded driver \SystemRoot\System32\drivers\vga.sys

Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys

Loaded driver \SystemRoot\system32\drivers\rdpencdd.sys

Loaded driver \SystemRoot\system32\drivers\rdprefmp.sys

Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS

Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS

Loaded driver \SystemRoot\system32\DRIVERS\tdx.sys

Loaded driver \SystemRoot\system32\drivers\afd.sys

Loaded driver \SystemRoot\system32\drivers\aswRdr2.sys

Loaded driver \SystemRoot\System32\DRIVERS\netbt.sys

Loaded driver \SystemRoot\system32\DRIVERS\wfplwf.sys

Loaded driver \SystemRoot\system32\DRIVERS\pacer.sys

Loaded driver \SystemRoot\system32\DRIVERS\nbdrv.sys

Loaded driver \SystemRoot\system32\DRIVERS\netbios.sys

Loaded driver \SystemRoot\system32\DRIVERS\serial.sys

Loaded driver \SystemRoot\system32\DRIVERS\wanarp.sys

Loaded driver \SystemRoot\system32\DRIVERS\termdd.sys

Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys

Loaded driver \SystemRoot\system32\drivers\nsiproxy.sys

Loaded driver \SystemRoot\system32\DRIVERS\mssmbios.sys

Loaded driver \SystemRoot\System32\drivers\discache.sys

Loaded driver \SystemRoot\System32\Drivers\dfsc.sys

Loaded driver \SystemRoot\system32\DRIVERS\blbdrive.sys

Loaded driver \SystemRoot\system32\DRIVERS\tunnel.sys

Loaded driver \SystemRoot\system32\DRIVERS\atikmdag.sys

Loaded driver \SystemRoot\System32\drivers\dxgkrnl.sys

Loaded driver \SystemRoot\system32\DRIVERS\atikmpag.sys

Loaded driver \SystemRoot\system32\DRIVERS\HDAudBus.sys

Loaded driver \SystemRoot\system32\DRIVERS\Rt86win7.sys

Loaded driver \SystemRoot\system32\DRIVERS\xhcdrv.sys

Loaded driver \SystemRoot\system32\DRIVERS\usbfilter.sys

Loaded driver \SystemRoot\system32\DRIVERS\amdxhc.sys

Loaded driver \SystemRoot\system32\DRIVERS\usbohci.sys

Loaded driver \SystemRoot\system32\DRIVERS\usbehci.sys

Loaded driver \SystemRoot\system32\DRIVERS\serenum.sys

Loaded driver \SystemRoot\system32\DRIVERS\amdppm.sys

Loaded driver \SystemRoot\system32\DRIVERS\wmiacpi.sys

Loaded driver \SystemRoot\system32\DRIVERS\CompositeBus.sys

Loaded driver \SystemRoot\system32\DRIVERS\AgileVpn.sys

Loaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sys

Loaded driver \SystemRoot\system32\DRIVERS\ndistapi.sys

Loaded driver \SystemRoot\system32\DRIVERS\ndiswan.sys

Loaded driver \SystemRoot\system32\DRIVERS\raspppoe.sys

Loaded driver \SystemRoot\system32\DRIVERS\raspptp.sys

Loaded driver \SystemRoot\system32\DRIVERS\rassstp.sys

Loaded driver \SystemRoot\system32\DRIVERS\kbdclass.sys

Loaded driver \SystemRoot\system32\DRIVERS\mouclass.sys

Loaded driver \SystemRoot\system32\DRIVERS\swenum.sys

Loaded driver \SystemRoot\system32\DRIVERS\umbus.sys

Did not load driver \SystemRoot\System32\drivers\vga.sys

Loaded driver \SystemRoot\system32\DRIVERS\ViaHub3.sys

Loaded driver \SystemRoot\system32\DRIVERS\amdhub30.sys

Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys

Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS

Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS

Loaded driver \SystemRoot\system32\drivers\AtihdW73.sys

Loaded driver \SystemRoot\system32\drivers\RTKVHDA.sys

Loaded driver \SystemRoot\system32\drivers\hidusb.sys

Loaded driver \SystemRoot\system32\DRIVERS\mouhid.sys

Loaded driver \SystemRoot\system32\DRIVERS\monitor.sys

Loaded driver \SystemRoot\system32\DRIVERS\usbccgp.sys

Loaded driver \SystemRoot\system32\DRIVERS\kbdhid.sys

Loaded driver \SystemRoot\system32\drivers\luafv.sys

Loaded driver \SystemRoot\system32\drivers\aswMonFlt.sys

Loaded driver \SystemRoot\system32\drivers\aswStm.sys

Loaded driver \SystemRoot\system32\DRIVERS\lltdio.sys

Loaded driver \SystemRoot\system32\DRIVERS\rspndr.sys

Loaded driver \SystemRoot\system32\drivers\HTTP.sys

Loaded driver \SystemRoot\system32\DRIVERS\bowser.sys

Loaded driver \SystemRoot\System32\drivers\mpsdrv.sys

Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys

Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb10.sys

Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb20.sys

Did not load driver \SystemRoot\system32\drivers\parport.sys

Loaded driver \??\C:\Program Files\ATI Technologies\ATI.ACE\Fuel\i386\AODDriver2.sys

Loaded driver \SystemRoot\system32\drivers\aswHwid.sys

Loaded driver \??\C:\Windows\system32\giveio.sys

Loaded driver \??\C:\Windows\system32\drivers\npf.sys

Loaded driver \SystemRoot\system32\drivers\peauth.sys

Loaded driver \??\C:\Windows\system32\speedfan.sys

Loaded driver \SystemRoot\System32\DRIVERS\srvnet.sys

Loaded driver \SystemRoot\System32\drivers\tcpipreg.sys

Loaded driver \??\C:\Program Files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys

Loaded driver \SystemRoot\System32\DRIVERS\srv2.sys

Loaded driver \SystemRoot\System32\DRIVERS\srv.sys

Did not load driver \SystemRoot\System32\DRIVERS\srv.sys

Loaded driver \SystemRoot\system32\DRIVERS\asyncmac.sys

Got to go. Wife says Dinner's ready.

#7
keithclem

Posted 02 January 2016 - 06:42 AM

New Member

Topic Starter
Member
9 posts

See attached ntblog file .

Seems as though it is not loading a lot of drivers. Any idea why?

What are @nettun.inf etc?

Thanks for the help.

Attached Files

ntbtlog.txt 784.53KB 612 downloads

#8
keithclem

Posted 02 January 2016 - 06:54 AM

New Member

Topic Starter
Member
9 posts

I have looked for solutions to this and all suggest repairing the system which I have already tried and it errors. I would be happy to try again though.

Interestingly the log says it cannot load the video driver ATI Radeon HD 4600 Series. So can I help the system repair that? I do have a working dual boot.

#9
RKinner

Posted 02 January 2016 - 07:45 AM

Malware Expert

Expert
24,624 posts

Normally when I see a ntbtlog like this I would say you are missing the intel chipset utility, network driver and video driver. Not sure how to add these when it won't boot tho. Look in \windows\inf

and you should find the cpu.inf, netrasa.inf and other files mentioned in the ntbtlog.inf. These refer to .sys files that usually wind up in \windows\system32\drivers but a few may go to \windows\sysWOW64\drivers and some in \windows\system32 and \windows\sysWOW64

These eventually have entries in the registry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ and sometimes also HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root (with LEGACY_ )

Looking at my CPU.inf which is different from yours since I have an AMD CPU I see under

[SourceDisksFiles]

4 files:

processr.sys = 3426

intelppm.sys = 3426

viac7.sys = 3426

amdk8.sys = 3426

amdppm.sys = 3426

All four are present in \windows\system32\drivers

Example:

and show up in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\AmdK8]

"Start"=dword:00000003

"Type"=dword:00000001

"ErrorControl"=dword:00000001

"ImagePath"=hex(2):5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,72,\

00,69,00,76,00,65,00,72,00,73,00,5c,00,61,00,6d,00,64,00,6b,00,38,00,2e,00,\

73,00,79,00,73,00,00,00

"DisplayName"="AMD K8 Processor Driver"

"Group"="Extended Base"

"DriverPackageId"="cpu.inf_x86_neutral_729b871528391032"

(Image Path looks like this in regedit:

\SystemRoot\system32\drivers\amdk8.sys

but when you export it comes out in hex)

I don't see it in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root

One other thing I should mention. Each .inf file has a corresponding .pnf file which is a compiled version of the .inf file. You can delete the pnf file and windows will create a new one.

Also in each .inf file that comes from Microsoft and is thus a standard part of windows will be

A header that looks like this:

; NETRASA.INF -- WAN Miniports and wrappers

;

[Version]

Signature = "$Windows NT$"

Class = Net

ClassGUID = {4d36e972-e325-11ce-bfc1-08002be10318}

Provider = %Msft%

DriverVer=06/21/2006,6.1.7601.17514

So netrasa.inf is a windows file. Not a good thing that it doesn't load.

It just has a single file:

[SourceDisksFiles]

rasirda.sys = 3426

But it's not in drivers or the registry (at least on mine) so we have to look further in the .inf file.

We see a [Services] sections. and under it we find it adds

11 services with addservice

These will be the names in the registry.

Further down you see it is mainly concerned with the files:

%systemroot%\system32\rascfg.dll

and

ndistapi.sys

#10
keithclem

Posted 03 January 2016 - 05:20 AM

New Member

Topic Starter
Member
9 posts

After having a look at the first failure of nettun.inf and not discovering anything amiss-

I deleted all the .pnf files.

I copied all files present in my dual boot system that works (but not present in the failing system) across to the failing drive from windows system32 and syswow64 except for the config and boot directories. There seems to be no difference in the ntblog or black screen symptom!

I will see if I can understand what the nettun.inf file is trying to do and why the ISATAP adapter is not loading.

Also a little confused by

'Did not load driver @hal.inf,%acpi_amd64.devicedesc%;ACPI x64-based PC'

since I am on an Intel PC. It seems that the system has a few goes at doing the same thing e.g loading the ATI driver. What script drives this loading and it is it this that is screwed?

#11
RKinner

Posted 03 January 2016 - 07:19 AM

Malware Expert

Expert
24,624 posts

I assume that the hal.inf file is the source of the .%acpi_amd64.devicedesc%;ACPI x64-based PC'

I don't have an intel machine but this is my hal.inf from the 64 bit AMD Win 7

[Version]

Signature="$WINDOWS NT$"

Class=Computer

ClassGuid={4D36E966-E325-11CE-BFC1-08002BE10318}

Provider=%MSFT%

DriverVer=06/21/2006,6.1.7600.16385

[rp_tags_addreg]

HKR,,ResourcePickerTags,0x00000000,"HAL"

[SourceDisksNames]

3426=windows cd

[SourceDisksFiles]

ntkrnlmp.exe = 3426

hal.dll = 3426

[DestinationDirs]

DefaultDestDir = 11

[ControlFlags]

BasicDriverOk=*

[Manufacturer]

%GENDEV_MFG%=GENDEV_SYS,NTamd64

[GENDEV_SYS.NTamd64]

%ACPI_AMD64.DeviceDesc% = ACPI_AMD64_HAL, ACPIAPIC

;****************************************************

; Standard AMD64 HAL. Although there is only one HAL, we have two install

; sections so that we can move from the UP kernel to the MP kernel when

; processors are added to the machine.

[ACPI_AMD64_HAL]

AddReg = rp_tags_addreg

Reboot

[Strings]

;Non-localizable

MSFT = "Microsoft"

;Localizable

;*******************************************

;device descriptions

GENDEV_MFG = "(Standard computers)"

ACPI_AMD64.DeviceDesc = "ACPI x64-based PC"

;Non-localizable

REG_EXPAND_SZ = 0x00020000

REG_DWORD = 0x00010001

The other thing that can get messed up is the permissions on the files.

Right click on the file and select Properties then Security. System and Administrators should have Full Control. on some of them and on others Trusted Installer is the only one with Full Control. System & Admin only can Read & Execute and Read

Are you sure ntbtlog.txt is getting new info each boot?

#12
keithclem

Posted 03 January 2016 - 08:07 AM

New Member

Topic Starter
Member
9 posts

NTBLOG has current date timestamp so think it is being updated.

My hal.inf is the same on both dual boot systems and is AMD and is the same as yours, so even more confused as I have an INTEL machine so why is it loading an amd hal?

What file is driving the driver load?

I did get some permissions issues when trying to copy files so I need to open those files up from just being Trusted Installer .

I wonder if a virus has changed permissions....

I will try an iacls on the windows directory to see if I can clear.

#13
keithclem

Posted 03 January 2016 - 08:30 AM

New Member

Topic Starter
Member
9 posts

I have done an ntblog on the working system and it has none of the 'inf' file loading

Compare the two attached . The Service Pack 1 is the one that is working the Service pack 111 is the one that is not.

I suspect a reinstall is necessary unless you can think of anything to try.

Attached Files

ntbtlog.txt 15.57KB 569 downloads
ntbtlog.txt 1.29MB 564 downloads

#14
RKinner

Posted 03 January 2016 - 08:56 AM

Malware Expert

Expert
24,624 posts

Not sure what guides it a reinstall is probably the quickest solution.

It's odd that it looks good up until it loads CLASSPNP.SYS then it goes off into did not load a bunch of stuff.

The only thing to I can think to do is to look at the good boot with Process Monitor. It may give you an idea of the proper sequencing and where it looks in the registry.

download Process Monitor http://live.sysinter...com/Procmon.exe

Right click on it and run as admin then Options, Enable boot logging and restart

When you run Process Monitor again it will tell you you have a boot log and ask if you want to see it.

It's pretty detailed so may be too much info.

Back to Computer Won't Boot - Malware Related · Next Unread Topic →

Also tagged with one or more of these keywords: Black screen, frst64, winlogon

Security → Virus, Spyware, Malware Removal → Windows automatic repair loop issue Started by CoffeeDonutMan123 , 27 Nov 2017 startup issue, black screen	0 replies 2,419 views	CoffeeDonutMan123 27 Nov 2017
Security → Virus, Spyware, Malware Removal → Computer Starts up Too Slow, Black Screen before loading Desktop Started by simon_grylls , 10 Feb 2017 Bootslow, Black Screen, Lag, Boot and 3 more...	Hot 14 replies 7,044 views	simon_grylls 12 Feb 2017
Hardware → Hardware, Components and Peripherals → Gigabyte R9 380 display issue Started by Bankabilla , 21 Oct 2016 GPU, Radeon, black screen	1 reply 4,008 views	phillpower2 21 Oct 2016
Retired Forums → Windows Vista and Windows 7 → screen goes black while watching movies Started by shaz , 08 Jul 2016 black screen, movies and 2 more...	1 reply 2,033 views	oliverpowell 13 Jul 2016
Retired Forums → Windows Vista and Windows 7 → Windows wont boot after install display driver Started by Amir Hamidovic , 03 Apr 2016 black screen, windows wont boot and 2 more...	5 replies 2,863 views	Amir Hamidovic 06 Jun 2016