Computer Won't Boot - Malware Related [Solved]

PC won't boot - MBAMSwissArmy

This topic is locked

#46 Tom1178 (Member, Topic Starter, 28 posts)

I ran FRST with fixlist and the results are below.

Fix result of Farbar Recovery Scan Tool (x86) Version: 23-11-2016
Ran by SYSTEM (04-12-2016 15:16:56) Run:4
Running from F:\
Boot Mode: Recovery

==============================================

fixlist content:
*****************
replace: C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.19061_none_cf068ea4cbca196c\user32.dll C:\Windows\System32\User32.dll
*****************

C:\Windows\System32\User32.dll => moved successfully
C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.19061_none_cf068ea4cbca196c\user32.dll copied successfully to C:\Windows\System32\User32.dll

==== End of Fixlog 15:16:56 ====

It still won't boot. On boot it wants to run Startup Repair (recommended). Earlier, when I tried to run sfc, it wouldn't run and there was a notification that there was a repair pending. I assume that there is an instruction in a file somewhere which causes it to behave that way. Do we know where that file/instruction is, and can we get around it?

Thanks,

Tom


#47 emeraldnzl (GeekU Instructor, GeekU Moderator, 19,990 posts)

Do we know where that file/instruction is, and can we get around it?

Well, my understanding is that repair pending means a reboot is required and then run Startup Repair. As with so much of Microsoft's systems though, there are other approaches. We have already tried Startup Repair without success, but no harm in trying it again.

I do think we need to address the corruption problem to see if we can get your machine to boot up, but we must first check the User32.dll situation because that alone will prevent the machine booting up, i.e. even if there was no corruption the machine wouldn't boot if there is a problem with the User32.dll.

The fix seems to have worked but you still can't boot up, so I think that we need to run FRST again to see whether there is still a problem with User32.dll even so.


#48 Tom1178 (Member, Topic Starter, 28 posts)

OK, I ran FRST/Scan again. FRST.txt follows:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 23-11-2016
Ran by SYSTEM on MININT-61JK398 (04-12-2016 17:39:39)
Running from F:\
Platform: Windows 7 Home Premium Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery
Default: ControlSet004
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [HP Software Update] => C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM\...\Run: [EvtMgr6] => C:\Program Files\Logitech\SetPointP\SetPoint.exe [2303256 2014-05-19] (Logitech, Inc.)
HKLM\...\Run: [CmPCIaudio] => RunDll32 CMICNFG3.cpl,CMICtrlWnd
HKLM\...\Run: [ACPW09EN] => C:\Program Files\ACD Systems\ACDSee Pro\9.0\acdIDInTouch2.exe [1731016 2016-07-14] (ACD Systems)
HKLM\...\Run: [ShadowPlay] => "C:\Windows\system32\rundll32.exe" C:\Windows\system32\nvspcap.dll,ShadowPlayOnSystemStart
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [587288 2016-09-22] (Oracle Corporation)
Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll [2014-03-24] (Logitech, Inc.)

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 HPSupportSolutionsFrameworkService; C:\Program Files\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe [29728 2016-08-14] (HP Inc.)
S4 lxdp_device; C:\Windows\system32\lxdpcoms.exe [589824 2007-11-19] ( )
S2 NvContainerLocalSystem; C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [420920 2016-10-25] (NVIDIA Corporation)
S3 NvContainerNetworkService; C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [420920 2016-10-25] (NVIDIA Corporation)
S2 NVIDIA Wireless Controller Service; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\nvwirelesscontroller.exe [931896 2016-10-25] (NVIDIA Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-26] (Microsoft Corporation)
S2 WsAppService; C:\Program Files\Wondershare\WAF\2.3.0.5\WsAppService.exe [415232 2016-08-09] (Wondershare)
S3 WsDrvInst; C:\Program Files\Wondershare\Dr.Fone for Android (CPC)\DriverInstall.exe [115856 2016-09-21] (Wondershare)
S2 avast! Antivirus; "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 Btcsrusb; C:\Windows\System32\Drivers\btcusb.sys [47504 2016-08-25] (IVT Corporation.)
S3 cmuda3; C:\Windows\System32\drivers\cmudax3.sys [1872192 2009-11-30] (C-Media Inc)
S3 DCamUSBEMPIA; C:\Windows\System32\DRIVERS\emDevice.sys [185472 2013-04-16] (eMPIA Technology Corp.)
S3 dg_ssudbus; C:\Windows\System32\DRIVERS\ssudbus.sys [108032 2016-10-25] (Samsung Electronics Co., Ltd.)
S3 DualCoreCenter; C:\Program Files\MSI\DualCoreCenter\NTGLM7X.sys [36152 2010-02-08] (MICRO-STAR INT'L CO., LTD.)
S3 emAudio; C:\Windows\System32\drivers\emAudio.sys [26112 2013-07-04] (eMPIA Technology Corp.)
S3 FiltUSBEMPIA; C:\Windows\System32\DRIVERS\emFilter.sys [5632 2013-04-16] (eMPIA Technology Corp.)
S1 HWiNFO32; C:\Windows\system32\drivers\HWiNFO32.SYS [23840 2016-08-25] (REALiX™)
S3 LEqdUsb; C:\Windows\System32\Drivers\LEqdUsb.Sys [42264 2014-03-18] (Logitech, Inc.)
S3 LHidEqd; C:\Windows\System32\Drivers\LHidEqd.Sys [10136 2014-03-18] (Logitech, Inc.)
S2 mi2c; C:\Windows\system32\drivers\mi2c.sys [18224 2016-01-28] (Nicomsoft Ltd.)
S3 NVR0Dev; C:\Windows\nvoclock.sys [6912 2006-10-13] (NVidia Corp.)
S3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [27704 2016-10-25] (NVIDIA Corporation)
S3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad32v.sys [42040 2016-10-25] (NVIDIA Corporation)
S3 RushTopDevice2; C:\Program Files\MSI\DualCoreCenter\RushTop.sys [55296 2009-03-18] (Your Corporation)
S3 ScanUSBEMPIA; C:\Windows\System32\DRIVERS\emScan.sys [6144 2013-04-16] (eMPIA Technology Corp.)
S3 ssudmdm; C:\Windows\System32\DRIVERS\ssudmdm.sys [147072 2016-09-05] (Samsung Electronics Co., Ltd.)
S3 aswHwid; \SystemRoot\system32\drivers\aswHwid.sys [X]
S1 aswKbd; \SystemRoot\system32\drivers\aswKbd.sys [X]
S2 aswMonFlt; \SystemRoot\system32\drivers\aswMonFlt.sys [X]
S1 aswRdr; \SystemRoot\system32\drivers\aswRdr2.sys [X]
S0 aswRvrt; no ImagePath
S1 aswSnx; \SystemRoot\system32\drivers\aswSnx.sys [X]
S1 aswSP; \SystemRoot\system32\drivers\aswSP.sys [X]
S2 aswStm; \SystemRoot\system32\drivers\aswStm.sys [X]
S0 aswVmm; no ImagePath
S0 MBAMSwissArmy; system32\drivers\MBAMSwissArmy.sys [X]
S3 MSICDSetup; \??\E:\CDriver.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-11-26 07:43 - 2016-12-04 17:39 - 00000000 ____D C:\FRST
2016-11-18 07:18 - 2016-11-18 08:44 - 00000000 ____D C:\Users\TK\AppData\LocalLow\Mozilla
2016-11-18 06:16 - 2016-11-18 06:16 - 00003288 ____N C:\bootsqm.dat
2016-11-09 12:11 - 2016-11-09 12:11 - 00074635 _____ C:\Users\TK\Documents\H6LLWJ.pdf
2016-11-08 09:56 - 2016-11-08 09:56 - 04629193 _____ C:\Users\TK\Downloads\TomTom-ONEv5-XLv2-en-GB.pdf
2016-11-07 11:13 - 2016-10-25 12:21 - 00095800 _____ (NVIDIA Corporation) C:\Windows\System32\nvaudcap32v.dll
2016-11-07 11:13 - 2016-10-25 12:21 - 00042040 _____ (NVIDIA Corporation) C:\Windows\System32\Drivers\nvvad32v.sys
2016-11-07 07:12 - 2016-11-07 07:12 - 00011895 _____ C:\Users\TK\Documents\Flash GN.xlsx

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-11-30 03:58 - 2016-08-21 04:10 - 00775920 _____ C:\Windows\ntbtlog.txt
2016-11-27 17:07 - 2015-04-06 16:04 - 00000000 ____D C:\ProgramData\NVIDIA
2016-11-27 16:58 - 2016-09-24 04:21 - 00000000 ____D C:\Program Files\Mozilla Firefox
2016-11-27 16:58 - 2015-04-06 20:59 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2016-11-18 06:23 - 2009-07-13 20:34 - 00028720 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-11-18 06:23 - 2009-07-13 20:34 - 00028720 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-11-18 05:50 - 2015-04-06 10:31 - 00000000 ____D C:\users\TK
2016-11-16 16:14 - 2010-11-20 13:01 - 00006206 _____ C:\Windows\System32\PerfStringBackup.INI
2016-11-09 12:13 - 2015-04-22 08:09 - 00223744 ___SH C:\Users\TK\Documents\Thumbs.db
2016-11-08 08:22 - 2016-01-28 11:15 - 00182784 ___SH C:\Users\TK\Downloads\Thumbs.db
2016-11-08 07:36 - 2015-04-14 05:16 - 00000000 ____D C:\Users\TK\AppData\Roaming\NVIDIA
2016-11-07 12:29 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\inf
2016-11-07 11:14 - 2016-10-08 00:38 - 00001374 _____ C:\Users\Public\Desktop\GeForce Experience.lnk
2016-11-07 11:14 - 2015-04-06 16:02 - 00000000 ____D C:\ProgramData\NVIDIA Corporation
2016-11-07 11:13 - 2015-04-06 16:01 - 00000000 ____D C:\Program Files\NVIDIA Corporation
2016-11-06 10:43 - 2015-05-05 07:23 - 00001259 _____ C:\Users\TK\Desktop\BillPay.txt
2016-11-05 07:12 - 2015-04-13 04:37 - 00000000 ____D C:\Users\TK\AppData\Local\Microsoft Help

==================== Known DLLs (Whitelisted) =========================

[2016-09-22 08:43] - [2015-11-10 10:39] - 0811520 ____A () C:\Windows\System32\user32.dll

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll
[2016-09-22 08:43] - [2015-11-10 10:39] - 0811520 ____A () 2587CB3072AC5D41985B75833C765D2A

C:\Windows\System32\User32.dll => no Company Name <===== ATTENTION

C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\dnsapi.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Association (Whitelisted) =============

==================== Restore Points  =========================


==================== Memory info ===========================

Percentage of memory in use: 12%
Total physical RAM: 4095.37 MB
Available physical RAM: 3596.41 MB
Total Virtual: 4093.65 MB
Available Virtual: 3593.62 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:456.77 GB) (Free:384.24 GB) NTFS ==>[drive with boot components (obtained from BCD)]
Drive d: (DISK 1 PART 2) (Fixed) (Total:8.99 GB) (Free:5.61 GB) NTFS
Drive f: (TRAVELDRIVE) (Removable) (Total:3.73 GB) (Free:1.36 GB) FAT32
Drive g: (TOSHIBA EXT) (Fixed) (Total:298.01 GB) (Free:158.97 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: ED50ED50)
Partition 1: (Active) - (Size=456.8 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=9 GB) - (Type=05)

========================================================
Disk: 1 (Size: 3.7 GB) (Disk ID: 28032449)
Partition 1: (Not Active) - (Size=3.7 GB) - (Type=0B)

========================================================
Disk: 2 (MBR Code: Windows 7 or Vista) (Size: 298.1 GB) (Disk ID: C27C4F8F)
Partition 1: (Not Active) - (Size=298.1 GB) - (Type=0C)


LastRegBack: 2016-11-05 08:53

==================== End of FRST.txt ============================

Thanks,

Tom

#49 emeraldnzl (GeekU Instructor, GeekU Moderator, 19,990 posts)

That log still shows a corrupt User32.dll. In fact there appears to be no change at all even though FRST reported a successful fix.

I don't know why that is happening. Time to consult again.

Might be a while but I will come back as soon as I can. :)
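A small triage script for FRST.txt logs like the one Tom posted, added here as an example (it is not part of this thread and not FRST's own code): it splits the log at the section banners, lists the services and drivers whose image file is missing ([X]) or that have no ImagePath, which is what the avast and MBAMSwissArmy entries above show, and pulls out the Bamital & volsnap lines FRST marks with ATTENTION, such as the User32.dll one. The embedded input is a constructed excerpt of that log.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the FRST.txt posted above (same line formats,
# cut down to a few entries). Raw string: the backslashes are literal.
SAMPLE_LOG = r"""
==================== Services (Whitelisted) ====================
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-26] (Microsoft Corporation)
S2 avast! Antivirus; "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" [X]
===================== Drivers (Whitelisted) ======================
S3 cmuda3; C:\Windows\System32\drivers\cmudax3.sys [1872192 2009-11-30] (C-Media Inc)
S1 aswSP; \SystemRoot\system32\drivers\aswSP.sys [X]
S0 aswRvrt; no ImagePath
S0 MBAMSwissArmy; system32\drivers\MBAMSwissArmy.sys [X]
==================== Bamital & volsnap ======================
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\User32.dll => no Company Name <===== ATTENTION
C:\Windows\System32\userinit.exe => MD5 is legit
"""

# "==== Section name ====" banners; the name needs one non-'=' character, so the
# all-'=' separator lines of the MBR section are not mistaken for headers.
SECTION_RE = re.compile(r"^=+\s*([^=].*?)\s*=+$")
# Service/driver entry: start type (S0..S4, R0..R4, U), name, then the image part.
ENTRY_RE = re.compile(r"^([SRU]\d?)\s+([^;]+);\s*(.*)$")

def split_sections(text: str) -> Dict[str, List[str]]:
    """Group the non-empty lines of an FRST log under their section banner."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
        elif current is not None and line:
            sections[current].append(line)
    return sections

def missing_image_entries(lines: List[str]) -> List[Tuple[str, str]]:
    """Registry service/driver entries whose image file FRST could not find ([X])
    or which carry no ImagePath: leftovers of removed software, or damaged entries."""
    findings = []
    for line in lines:
        m = ENTRY_RE.match(line)
        if not m:
            continue
        _start, name, image = m.groups()
        if image.endswith("[X]"):
            findings.append((name, "image file missing"))
        elif image == "no ImagePath":
            findings.append((name, "no ImagePath"))
    return findings

def triage(text: str) -> Dict[str, list]:
    """Orphaned service/driver entries plus the Bamital & volsnap lines FRST marks ATTENTION."""
    report: Dict[str, list] = {"missing_images": [], "attention": []}
    for name, lines in split_sections(text).items():
        if name.startswith(("Services", "Drivers")):
            report["missing_images"].extend(missing_image_entries(lines))
        elif name.startswith("Bamital"):
            report["attention"].extend(ln for ln in lines if "<===== ATTENTION" in ln)
    return report
```

Run `triage(open("FRST.txt", encoding="utf-8", errors="replace").read())` on a full log; entries such as MSICDSetup pointing at a removable drive letter will also show up as missing, which is expected when that media is not present.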


#50 emeraldnzl (GeekU Instructor, GeekU Moderator, 19,990 posts)

Hi Tom,

Just an update to let you know I haven't forgotten you.

A number of people are looking at this.

What we have is something not seen before. That is, the FRST fixes appearing to be successful but on further examination (FRST scan) are seen to not have worked or only partially worked.

There is definitely corruption there which might or might not be at the root of it.

In any event another colleague suggests we attempt a different fix.

Now

Open notepad.

Please copy the contents of the code box below.

To do this highlight the contents of the box and right click on it. Paste this into the open notepad.

Save it on the flashdrive as fixlist.txt

Start
CMD: wevtutil el | Foreach-Object {Write-Host "Clearing $_"; wevtutil cl "$_"}
Replace: C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.23528_none_cfc274bde4c0ef6f\user32.dll C:\WINDOWS\System32\user32.dll
End

This script is specifically written for the infection on this person's computer. It should NOT be used on another machine. It may cause serious damage even to the point of rendering the computer unusable.

Please enter System Recovery Options, as we've done previously.
Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

Try a reboot. If that doesn't work, run another FRST scan and post back.


#51 Tom1178 (Member, Topic Starter, 28 posts)

Hi emeraldnzl,

First of all, I never thought you had forgotten me and I want to take this opportunity to thank you, and your associates, for taking the time to help me.

Now, I ran the fix script and the log is below. Based on the result shown in the log, I didn't try a restart. I believe that a space may be needed in the first line of the script as follows:

"Foreach-Object" should read "For each-Object". I admit I may be overreaching, and, if I am, I apologize.

Fix result of Farbar Recovery Scan Tool (x86) Version: 23-11-2016
Ran by SYSTEM (05-12-2016 21:04:56) Run:5
Running from F:\
Boot Mode: Recovery

==============================================

fixlist content:
*****************
Start
CMD: wevtutil el | Foreach-Object {Write-Host "Clearing $_"; wevtutil cl "$_"}
Replace: C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.23528_none_cfc274bde4c0ef6f\user32.dll C:\WINDOWS\System32\user32.dll
End
*****************

========= wevtutil el | Foreach-Object {Write-Host "Clearing $_"; wevtutil cl "$_"} =========

'Foreach-Object' is not recognized as an internal or external command,
operable program or batch file.

========= End of CMD: =========

C:\WINDOWS\System32\user32.dll => moved successfully
C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.23528_none_cfc274bde4c0ef6f\user32.dll copied successfully to C:\WINDOWS\System32\user32.dll

==== End of Fixlog 21:04:56 ====

Thanks again for your help.

Tom

Edit to add:

After I submitted my last post, I thought better of it and I tried a restart. The computer sat at the 'Starting Windows' splash screen for quite a while and went nowhere.

T.


Edited by Tom1178, 05 December 2016 - 08:23 PM.

#52 emeraldnzl (GeekU Instructor, GeekU Moderator, 19,990 posts)

I believe that a space may be needed in the first line of the script as follows:

No, the line is correct, but looking again I think we may have been asking too much. I believe it's a PowerShell command, which wouldn't normally work in the Recovery Environment. An outside chance that didn't come off lol.

Moving on

Let's try Chkdsk again but from a different approach.

On the System Recovery Options menu you will get the following options:

        Startup Repair
        System Restore
        Windows Complete PC Restore
        Windows Memory Diagnostic Tool
        Command Prompt

  • Select Command Prompt
  • Type in the following and press Enter

bcdedit | find "osdevice"

Take note of the osdevice partition letter, then type

CHKDSK X: /r  (Note the space... it should be there)

Where X is the osdevice letter, and press Enter

  • Allow chkdsk to perform all 5 stages. This may take some time, so please be patient.
  • When complete, close the Command Prompt window, and click on the Restart button to restart your computer.

#53 Tom1178 (Member, Topic Starter, 28 posts)

OK, ran the bcdedit | find "osdevice" instruction. Result: os device     partition=C:. Then ran chkdsk c: /r. Result below.

[Attachment: Chkdsk4.JPG (screenshot of the chkdsk result)]

Thanks,

Tom

PS. Forgot to mention that I copied the Windows Event Logs from the last start (11/28/2016). I have System, Application, and Microsoft-Windows-Kernel-EventTracing%4Admin.evtx, so they are available if needed.

T.


Edited by Tom1178, 06 December 2016 - 08:38 AM.

#54 emeraldnzl (GeekU Instructor, GeekU Moderator, 19,990 posts)

Insufficient disk space to fix volume bitmap. chkdsk aborted.


This confirms again that there is a problem with your hard drive. I think that corruption is why our fixes are not working.

You might be interested in this thread from Windows 7 forums.

https://windowsforum...iskspace.75328/

I guess you could try a format and reinstallation. That might work if the hard drive itself is okay but if it is failing the best solution is to replace it.

I don't have any other solutions I am afraid. :(


#55 Tom1178 (Member, Topic Starter, 28 posts)

emeraldnzl,

I needed some time to consider my options. I've come to the conclusion that I'll buy a new drive and do a clean install of Win 7. I dislike ambiguity and that's where we are. I ran SeaTools again and the drive checks out OK, and SMART shows no issues. On the other hand, we can't complete a chkdsk.

I would like to take this opportunity to thank you, and your associates, for all the work you put in. I really appreciate it.

Thanks again,

Tom


#56 emeraldnzl (GeekU Instructor, GeekU Moderator, 19,990 posts)

I've come to the conclusion that I'll buy a new drive and do a clean install of Win 7.

That is the way I would go if it happened to one of my machines. :)

I would like to take this opportunity to thank you, and your associates, for all the work you put in. I really appreciate it.

You are very welcome. :happy:


#57 emeraldnzl (GeekU Instructor, GeekU Moderator, 19,990 posts)

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

