Can't get into Windows [Solved]

#1 RedSuedePump (Member, 163 posts)

Hi,

My daughter uses my old desktop to use skype and play Minecraft and other online games (mostly Roblox) and has done so without any trouble for the last year or so.

However, now, when she tries to start the computer up, it goes into automatic repair mode and we are then told it can't be repaired, so we can either turn it off or reset it.

The reset has two options, you either lose all of your files or you keep them. We tried the option where you get to keep them and it was unsuccessful, so it looks like we are going to have to reset Windows and lose all of her data. It's not a massive loss, all she'll lose is all of her Minecraft worlds, her Roblox log-in and her Minecraft mods (which we could download again). That said, I'd like to see if there are any other options open to us, before we abandon the data.

I can also go into advanced options where there are various other repair options which end unsuccessfully, but it also gives me the chance to open the Command prompt, which does open up.

Is there anything that can be done in the Command prompt mode that would enable us to get back into Windows to save her files?

Obviously, I haven't attached an FRST file, as I can't get into Windows and run it.

Thanks in advance for any help.

RSP




#2 dbreeze (Trusted Helper, Malware Removal, 2,213 posts)
Since this is the same as an "un-bootable Windows system", you can use these steps in this link: http://www.geekstogo...l/#entry2151691

This will get a log that can help us see what is happening on this system. Thank you.

#3 RedSuedePump (Topic Starter, Member, 163 posts)

Hi,

Sorry for the delay in replying. The link that you posted is for VISTA and Windows 7. The problem PC runs on Windows 10 and doesn't seem to work with those instructions. Pressing F8 doesn't get me anything during boot-up.

Is there a similar tutorial for Windows 10?

TIA

RSP



#4 dbreeze (Trusted Helper, Malware Removal, 2,213 posts)

If you get to the Command Prompt, what happens if you type notepad.exe and press Enter? Does the Notepad program open up?



#5 RedSuedePump (Topic Starter, Member, 163 posts)

Hi,

I've tried that and the notepad opened up.

Does that mean we can use the command prompt to run FRST?

Regards

RSP



#6 dbreeze (Trusted Helper, Malware Removal, 2,213 posts)
Yes, it does; let's use the following steps to do that ....

On a clean working computer >

First, we need to use McShield to make sure the computer is clean and then make sure the USB drive (stick) is also clean >>>

Download MCShield to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control centre select scanner and tick unhide items on flash drives

Plug in the drive and McShield will start a scan
Let McShield clean whatever it finds (if anything)
Select logs and then copy/paste it to your next post

Second, copy FRST to the USB drive

Please download Farbar Recovery Scan Tool 32bit and save it to your USB.
Please download Farbar Recovery Scan Tool 64bit and save it to your USB.
(Note: Only one of these will run on the problem system; you can delete the other one. I would suggest you try the FRST64.exe file first as most newer systems are 64 bit.)

Remove the USB drive from the working PC and plug it into the problem system.

Start the Command Prompt on the problem system as you did before and start Notepad.exe.

Under File menu select Open
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst64.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive. Also, if FRST64.exe does not run, then try e:\frst.exe next.
The tool will start to run.
When the tool opens click Yes to disclaimer.

Press the Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

#7 RedSuedePump (Topic Starter, Member, 163 posts)

Hi,

I think I've managed that. I think the stick was clean, as indicated by the MC report:

>>> MCShield AllScans.txt <<<

-----------------------------




MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<


21/08/2017 12:56:01 > Drive C: - scan started (no label ~465 GB, NTFS HDD )...



=> The drive is clean.


21/08/2017 12:56:02 > Drive D: - scan started (EDWARD ~14872 MB, FAT32 flash drive )...



=> The drive is clean.


21/08/2017 12:56:02 > Drive H: - scan started (Iomega_HDD ~932 GB, NTFS HDD )...



=> The drive is clean.





MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<


21/08/2017 13:01:58 > Drive D: - scan started (EDWARD ~14872 MB, FAT32 flash drive )...



=> The drive is clean.

I then ran FRST64 from the stick and got this report:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15-06-2017 01 (ATTENTION: ====> FRSTversion is 67 days old and could be outdated)
Ran by SYSTEM on MININT-DK8QGAI (21-08-2017 13:15:32)
Running from g:\
Platform: WIN_10 (X64) Language: English (United Kingdom)
Boot Mode: Recovery
Default: ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Winlogon: [Userinit]
HKLM\...\Winlogon: [Shell]  [0 ] () <=== ATTENTION
HKLM-x32\...\Winlogon: [Shell]  [0 ] () <=== ATTENTION
HKLM\...\InprocServer32: [Default-wbemess]  <==== ATTENTION
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  <==== ATTENTION
GroupPolicy: Restriction <======= ATTENTION

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

"ȡ" => service could not be unlocked. <===== ATTENTION

S3 CertPropSvc; C:\Windows\system32\svchost.exe [47664 2017-03-18] (Microsoft Corporation)
S3 CertPropSvc; C:\Windows\SysWOW64\svchost.exe [40904 2017-03-18] (Microsoft Corporation)
S3 DevQueryBroker; C:\Windows\system32\svchost.exe [47664 2017-03-18] (Microsoft Corporation)
S3 DevQueryBroker; C:\Windows\SysWOW64\svchost.exe [40904 2017-03-18] (Microsoft Corporation)
S3 IpxlatCfgSvc; C:\Windows\System32\svchost.exe [47664 2017-03-18] (Microsoft Corporation)
S3 IpxlatCfgSvc; C:\Windows\SysWOW64\svchost.exe [40904 2017-03-18] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S5 acpitime; C:\Windows\System32\Drivers\acpitime.sys [14336 2017-03-18] (Microsoft Corporation)
S2 Bonjour Service; no ImagePath
S5 ȡ;  <===== ATTENTION: Locked Service

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-08-21 13:15 - 2017-08-21 13:15 - 00000000 ____D C:\FRST
2017-08-04 13:44 - 2017-08-04 13:44 - 00000000 ___HD C:\$SysReset
2017-08-04 11:47 - 2017-08-04 11:47 - 00000000 __SHD C:\found.000
2017-08-02 08:18 - 2017-08-02 08:18 - 00171192 _____ (BullGuard Ltd.) C:\Windows\System32\BgGamingMonitor.dll
2017-08-02 08:18 - 2017-08-02 08:18 - 00152640 _____ (BullGuard Ltd.) C:\Windows\SysWOW64\BgGamingMonitor.dll
2017-08-02 08:18 - 2017-08-02 08:18 - 00076568 _____ (BullGuard Ltd.) C:\Windows\System32\BGLsp.dll
2017-08-02 08:18 - 2017-08-02 08:18 - 00061720 _____ (BullGuard Ltd.) C:\Windows\SysWOW64\BGLsp.dll
2017-07-27 17:13 - 2017-07-27 17:13 - 00003364 _____ C:\Windows\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-2882271800-3895786522-2728777584-1001
2017-07-25 12:56 - 2017-07-25 12:56 - 03404723 _____ C:\Users\Edward\Downloads\forge-1.7.10-10.13.4.1558-1.7.10-installer-win.exe
2017-07-25 12:38 - 2017-07-25 12:40 - 00000000 ____D C:\Users\Edward\Desktop\Mod Store
2017-07-22 09:08 - 2017-07-22 09:08 - 00000000 ____D C:\Users\Edward\AppData\Local\DBG

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-08-04 08:04 - 2017-07-14 06:58 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-08-04 08:04 - 2017-07-14 06:42 - 00000000 ____D C:\users\Edward
2017-08-04 08:04 - 2017-03-18 11:40 - 01310720 _____ C:\Windows\System32\config\BBI
2017-08-04 08:04 - 2016-11-16 15:50 - 00000000 ____D C:\Users\Edward\AppData\LocalLow\Mozilla
2017-08-04 08:02 - 2014-12-17 00:47 - 00000000 ____D C:\ProgramData\BullGuard
2017-08-04 07:51 - 2017-07-14 06:58 - 00004562 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2017-08-04 07:41 - 2016-06-29 16:03 - 00001434 _____ C:\Users\Edward\Desktop\ROBLOX Player.lnk
2017-08-04 07:41 - 2016-06-29 16:02 - 00001249 _____ C:\Users\Edward\Desktop\ROBLOX Studio.lnk
2017-08-04 07:36 - 2017-07-14 06:36 - 00000000 ____D C:\Windows\System32\SleepStudy
2017-08-04 07:35 - 2017-03-18 21:03 - 00000000 ____D C:\Windows\LiveKernelReports
2017-08-02 06:03 - 2017-07-14 06:41 - 00000180 _____ C:\Windows\System32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2017-08-02 06:03 - 2014-12-17 00:42 - 00000000 __SHD C:\Users\Edward\IntelGraphicsProfiles
2017-08-01 14:55 - 2017-03-18 21:03 - 00000000 ___HD C:\Program Files\WindowsApps
2017-08-01 14:55 - 2017-03-18 21:03 - 00000000 ____D C:\Windows\AppReadiness
2017-07-31 17:01 - 2017-03-18 21:01 - 00000000 ____D C:\Windows\INF
2017-07-28 14:46 - 2016-06-29 16:02 - 00000000 ____D C:\Users\Edward\AppData\Local\Roblox
2017-07-27 17:23 - 2017-03-18 21:03 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2017-07-27 17:23 - 2014-12-18 17:48 - 00000000 ____D C:\Program Files\Microsoft Office 15
2017-07-27 17:12 - 2014-12-18 17:57 - 00000000 ___RD C:\Users\Edward\OneDrive
2017-07-26 18:57 - 2016-06-19 17:01 - 00001274 _____ C:\Users\Edward\Desktop\nativelog.txt
2017-07-26 18:41 - 2016-06-19 16:34 - 00000000 ____D C:\Users\Edward\AppData\Roaming\.minecraft
2017-07-26 16:12 - 2017-07-14 06:59 - 00869770 _____ C:\Windows\System32\PerfStringBackup.INI
2017-07-25 13:51 - 2015-02-24 19:09 - 00000000 ____D C:\Users\Edward\AppData\Roaming\Skype
2017-07-25 10:13 - 2014-12-17 00:48 - 00000258 __RSH C:\ProgramData\ntuser.pol
2017-07-25 10:12 - 2017-07-14 06:36 - 00256568 _____ C:\Windows\System32\FNTCACHE.DAT

==================== Known DLLs (Whitelisted) =========================


==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe
[2017-07-14 07:28] - [2017-07-14 07:28] - 0706560 _____ (Microsoft Corporation) 31E3287EF6D97C5864A301CEA75BBBA1

C:\Windows\System32\wininit.exe
[2017-07-14 07:28] - [2017-07-14 07:28] - 0318232 _____ (Microsoft Corporation) B2DB5876B6F68D32E470F691C7088F3F

C:\Windows\explorer.exe
[2017-07-14 07:28] - [2017-07-14 07:28] - 4847424 _____ (Microsoft Corporation) CA3BF0F15BA4F24D511BFEE725CC89BD

C:\Windows\SysWOW64\explorer.exe
[2017-07-14 07:28] - [2017-07-14 07:28] - 4469840 _____ (Microsoft Corporation) FC1145751AC6E4FF1656381BB09A5AA3

C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2017-07-14 07:18] - [2017-07-14 07:18] - 1085440 _____ (Microsoft Corporation) 0E79A4C76CAAA0CFE9CA42C13E5AA086

C:\Windows\System32\dnsapi.dll => MD5 is legit
C:\Windows\SysWOW64\dnsapi.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys
[2017-03-18 20:57] - [2017-03-18 20:57] - 0397216 _____ (Microsoft Corporation) E3429DBBEA3965BB96E24B16EF4A2551


==================== Association (Whitelisted) =============

HKLM\...\.exe:  =>  <===== ATTENTION
HKLM\...\exefile\DefaultIcon:  <===== ATTENTION
HKLM\...\exefile\shell\open\command:  <===== ATTENTION

==================== Restore Points =========================


==================== Memory info ===========================

Percentage of memory in use: 17%
Total physical RAM: 3972.53 MB
Available physical RAM: 3269.46 MB
Total Virtual: 3972.53 MB
Available Virtual: 3298.06 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:148.27 GB) (Free:121.27 GB) NTFS
Drive e: () (Fixed) (Total:0.44 GB) (Free:0.07 GB) NTFS
Drive g: (EDWARD) (Removable) (Total:14.52 GB) (Free:14.52 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.5 GB) (Free:0.49 GB) NTFS
Drive y: (System Reserved) (Fixed) (Total:0.34 GB) (Free:0.09 GB) NTFS ==>[system with boot components (obtained from drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 149.1 GB) (Disk ID: 9EB79EB7)
Partition 1: (Active) - (Size=350 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=148.3 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=450 MB) - (Type=27)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 14.5 GB) (Disk ID: C4B5D987)
Partition 1: (Active) - (Size=14.5 GB) - (Type=0C)

LastRegBack: 2017-07-29 11:33

==================== End of FRST.txt ============================

 

When I've used FRST before, there's always been an 'Addition' report, but that didn't happen this time.

Regards

RSP



#8 dbreeze (Trusted Helper, Malware Removal, 2,213 posts)
Yes, this time there is only the one log, as FRST is running in the Recovery Environment, not a normally loaded OS.

Open notepad by pressing the Windows Key + R Key, typing in Notepad in the Run dialog and then pressing Enter. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy. Paste this into the open notepad. Save it to your desktop as fixlist.txt

HKLM\...\Winlogon: [Shell]  [0 ] () <=== ATTENTION
HKLM-x32\...\Winlogon: [Shell]  [0 ] () <=== ATTENTION
HKLM\...\InprocServer32: [Default-wbemess]  <==== ATTENTION
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  <==== ATTENTION
GroupPolicy: Restriction <======= ATTENTION
HKLM\...\.exe:  =>  <===== ATTENTION
HKLM\...\exefile\DefaultIcon:  <===== ATTENTION
HKLM\...\exefile\shell\open\command:  <===== ATTENTION

NOTE. It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work. Therefore, copy this Fixlist.txt file onto the RUFUS USB drive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 as you did to make the scan log, but this time you will press the Fix button instead of the Scan button.

(image: Press_the_FIX_button.png)

When finished FRST will generate a log on the USB drive (Fixlog.txt). Please post it to your reply.

After the log has been saved, please remove the USB drive from the system and restart the computer. Does it boot up now?

#9 RedSuedePump (Topic Starter, Member, 163 posts)

Hi,

Here's the fixlog:

fixlist content:
*****************
HKLM\...\Winlogon: [Shell]  [0 ] () <=== ATTENTION
HKLM-x32\...\Winlogon: [Shell]  [0 ] () <=== ATTENTION
HKLM\...\InprocServer32: [Default-wbemess]  <==== ATTENTION
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  <==== ATTENTION
GroupPolicy: Restriction <======= ATTENTION
HKLM\...\.exe:  =>  <===== ATTENTION
HKLM\...\exefile\DefaultIcon:  <===== ATTENTION
HKLM\...\exefile\shell\open\command:  <===== ATTENTION
*****************

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value restored successfully
HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value restored successfully
HKLM\Software\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32\\Default => value restored successfully
HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => value restored successfully
C:\Windows\System32\GroupPolicy\Machine => moved successfully
C:\Windows\System32\GroupPolicy\GPT.ini => moved successfully
HKLM\Software\Classes\.exe\\Default => value restored successfully
HKLM\Software\Classes\exefile\DefaultIcon\\Default => value restored successfully
HKLM\Software\Classes\exefile\shell\open\command\\Default => value restored successfully

==== End of Fixlog 12:29:30 ====

 

Unfortunately, when I restart the computer, nothing has changed. It goes through the automatic repair and diagnose processes but doesn't progress to Windows and I'm left with either turning it off or the other options I listed originally.

Regards

RSP



#10 RedSuedePump (Topic Starter, Member, 163 posts)

By the way, just in case it's useful, I also ran an FRST scan after the fixlist, to see if any problems remain.

Here's the scan log:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15-06-2017 01 (ATTENTION: ====> FRSTversion is 68 days old and could be outdated)
Ran by SYSTEM on MININT-P1NG9UD (22-08-2017 13:05:29)
Running from g:\
Platform: WIN_10 (X64) Language: English (United Kingdom)
Boot Mode: Recovery
Default: ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Winlogon: [Userinit]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

"ȡ" => service could not be unlocked. <===== ATTENTION

S3 CertPropSvc; C:\Windows\system32\svchost.exe [47664 2017-03-18] (Microsoft Corporation)
S3 CertPropSvc; C:\Windows\SysWOW64\svchost.exe [40904 2017-03-18] (Microsoft Corporation)
S3 DevQueryBroker; C:\Windows\system32\svchost.exe [47664 2017-03-18] (Microsoft Corporation)
S3 DevQueryBroker; C:\Windows\SysWOW64\svchost.exe [40904 2017-03-18] (Microsoft Corporation)
S3 IpxlatCfgSvc; C:\Windows\System32\svchost.exe [47664 2017-03-18] (Microsoft Corporation)
S3 IpxlatCfgSvc; C:\Windows\SysWOW64\svchost.exe [40904 2017-03-18] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S5 acpitime; C:\Windows\System32\Drivers\acpitime.sys [14336 2017-03-18] (Microsoft Corporation)
S2 Bonjour Service; no ImagePath
S5 ȡ;  <===== ATTENTION: Locked Service

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-08-21 13:15 - 2017-08-22 12:29 - 00000000 ____D C:\FRST
2017-08-04 13:44 - 2017-08-04 13:44 - 00000000 ___HD C:\$SysReset
2017-08-04 11:47 - 2017-08-04 11:47 - 00000000 __SHD C:\found.000
2017-08-02 08:18 - 2017-08-02 08:18 - 00171192 _____ (BullGuard Ltd.) C:\Windows\System32\BgGamingMonitor.dll
2017-08-02 08:18 - 2017-08-02 08:18 - 00152640 _____ (BullGuard Ltd.) C:\Windows\SysWOW64\BgGamingMonitor.dll
2017-08-02 08:18 - 2017-08-02 08:18 - 00076568 _____ (BullGuard Ltd.) C:\Windows\System32\BGLsp.dll
2017-08-02 08:18 - 2017-08-02 08:18 - 00061720 _____ (BullGuard Ltd.) C:\Windows\SysWOW64\BGLsp.dll
2017-07-27 17:13 - 2017-07-27 17:13 - 00003364 _____ C:\Windows\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-2882271800-3895786522-2728777584-1001
2017-07-25 12:56 - 2017-07-25 12:56 - 03404723 _____ C:\Users\Edward\Downloads\forge-1.7.10-10.13.4.1558-1.7.10-installer-win.exe
2017-07-25 12:38 - 2017-07-25 12:40 - 00000000 ____D C:\Users\Edward\Desktop\Mod Store

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-08-22 12:29 - 2013-08-22 15:36 - 00000000 ___HD C:\Windows\System32\GroupPolicy
2017-08-04 08:04 - 2017-07-14 06:58 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-08-04 08:04 - 2017-07-14 06:42 - 00000000 ____D C:\users\Edward
2017-08-04 08:04 - 2017-03-18 11:40 - 01310720 _____ C:\Windows\System32\config\BBI
2017-08-04 08:04 - 2016-11-16 15:50 - 00000000 ____D C:\Users\Edward\AppData\LocalLow\Mozilla
2017-08-04 08:02 - 2014-12-17 00:47 - 00000000 ____D C:\ProgramData\BullGuard
2017-08-04 07:51 - 2017-07-14 06:58 - 00004562 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2017-08-04 07:41 - 2016-06-29 16:03 - 00001434 _____ C:\Users\Edward\Desktop\ROBLOX Player.lnk
2017-08-04 07:41 - 2016-06-29 16:02 - 00001249 _____ C:\Users\Edward\Desktop\ROBLOX Studio.lnk
2017-08-04 07:36 - 2017-07-14 06:36 - 00000000 ____D C:\Windows\System32\SleepStudy
2017-08-04 07:35 - 2017-03-18 21:03 - 00000000 ____D C:\Windows\LiveKernelReports
2017-08-02 06:03 - 2017-07-14 06:41 - 00000180 _____ C:\Windows\System32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2017-08-02 06:03 - 2014-12-17 00:42 - 00000000 __SHD C:\Users\Edward\IntelGraphicsProfiles
2017-08-01 14:55 - 2017-03-18 21:03 - 00000000 ___HD C:\Program Files\WindowsApps
2017-08-01 14:55 - 2017-03-18 21:03 - 00000000 ____D C:\Windows\AppReadiness
2017-07-31 17:01 - 2017-03-18 21:01 - 00000000 ____D C:\Windows\INF
2017-07-28 14:46 - 2016-06-29 16:02 - 00000000 ____D C:\Users\Edward\AppData\Local\Roblox
2017-07-27 17:23 - 2017-03-18 21:03 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2017-07-27 17:23 - 2014-12-18 17:48 - 00000000 ____D C:\Program Files\Microsoft Office 15
2017-07-27 17:12 - 2014-12-18 17:57 - 00000000 ___RD C:\Users\Edward\OneDrive
2017-07-26 18:57 - 2016-06-19 17:01 - 00001274 _____ C:\Users\Edward\Desktop\nativelog.txt
2017-07-26 18:41 - 2016-06-19 16:34 - 00000000 ____D C:\Users\Edward\AppData\Roaming\.minecraft
2017-07-26 16:12 - 2017-07-14 06:59 - 00869770 _____ C:\Windows\System32\PerfStringBackup.INI
2017-07-25 13:51 - 2015-02-24 19:09 - 00000000 ____D C:\Users\Edward\AppData\Roaming\Skype
2017-07-25 10:13 - 2014-12-17 00:48 - 00000258 __RSH C:\ProgramData\ntuser.pol
2017-07-25 10:12 - 2017-07-14 06:36 - 00256568 _____ C:\Windows\System32\FNTCACHE.DAT

==================== Known DLLs (Whitelisted) =========================


==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe
[2017-07-14 07:28] - [2017-07-14 07:28] - 0706560 _____ (Microsoft Corporation) 31E3287EF6D97C5864A301CEA75BBBA1

C:\Windows\System32\wininit.exe
[2017-07-14 07:28] - [2017-07-14 07:28] - 0318232 _____ (Microsoft Corporation) B2DB5876B6F68D32E470F691C7088F3F

C:\Windows\explorer.exe
[2017-07-14 07:28] - [2017-07-14 07:28] - 4847424 _____ (Microsoft Corporation) CA3BF0F15BA4F24D511BFEE725CC89BD

C:\Windows\SysWOW64\explorer.exe
[2017-07-14 07:28] - [2017-07-14 07:28] - 4469840 _____ (Microsoft Corporation) FC1145751AC6E4FF1656381BB09A5AA3

C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2017-07-14 07:18] - [2017-07-14 07:18] - 1085440 _____ (Microsoft Corporation) 0E79A4C76CAAA0CFE9CA42C13E5AA086

C:\Windows\System32\dnsapi.dll => MD5 is legit
C:\Windows\SysWOW64\dnsapi.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys
[2017-03-18 20:57] - [2017-03-18 20:57] - 0397216 _____ (Microsoft Corporation) E3429DBBEA3965BB96E24B16EF4A2551


==================== Association (Whitelisted) =============


==================== Restore Points =========================


==================== Memory info ===========================

Percentage of memory in use: 17%
Total physical RAM: 3972.53 MB
Available physical RAM: 3266.84 MB
Total Virtual: 3972.53 MB
Available Virtual: 3296 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:148.27 GB) (Free:121.27 GB) NTFS
Drive e: () (Fixed) (Total:0.44 GB) (Free:0.07 GB) NTFS
Drive g: (EDWARD) (Removable) (Total:14.52 GB) (Free:14.52 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.5 GB) (Free:0.49 GB) NTFS
Drive y: (System Reserved) (Fixed) (Total:0.34 GB) (Free:0.09 GB) NTFS ==>[system with boot components (obtained from drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 149.1 GB) (Disk ID: 9EB79EB7)
Partition 1: (Active) - (Size=350 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=148.3 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=450 MB) - (Type=27)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 14.5 GB) (Disk ID: C4B5D987)
Partition 1: (Active) - (Size=14.5 GB) - (Type=0C)

LastRegBack: 2017-07-29 11:33

==================== End of FRST.txt ============================

 

Regards

RSP




#11 dbreeze (Trusted Helper, Malware Removal, 2,213 posts)

In examining both logs, it looks like the locked service is the cause of the problem.

Please delete the Fixlist.txt file from the Rufus USB drive (if the file is still there).

Download the attached Fixlist.txt file from this post directly to the Rufus USB drive. The attached file has the proper code format (I hope) so that FRST can disable the locked service.

Plug the USB drive into the infected system and run this Fixlist. Let me know if that allows the system to boot better.

Attached Files: Fixlist.txt



#12 RedSuedePump (Topic Starter, Member, 163 posts)

Hi,

I followed your instructions, but unfortunately, I still can't get into Windows.

Here's the fixlog:

Fix result of Farbar Recovery Scan Tool (x64) Version: 15-06-2017 01
Ran by SYSTEM (23-08-2017 07:48:15) Run:2
Running from g:\
Boot Mode: Recovery
==============================================

fixlist content:
*****************

DisableService: ȡ

*****************

ȡ => not found.

==== End of Fixlog 07:48:15 ====

 

Regards

RSP



#13 dbreeze (Trusted Helper, Malware Removal, 2,213 posts)

Sorry about this but the last Fixlog confirmed my fears; I don't believe we will be able to get this manually. The key part of the malware has locked itself by making a service / driver combination that has non-standard characters in its identification tags. This effectively hides the service / driver from manual script removal.

It may be possible for a stand-alone (boots to its own OS, not the PC's system) scanner to find and remove this service / driver. If you want to try one last burn and scan, please follow the steps in the first post here (http://www.geekstogo...stem-tutorial/) and make an AVG Rescue CD.

I know you mentioned trying to save what was on the system, but the other option of doing a Factory Reset (format and restore to factory "Out of Box Experience") would be the best way to ensure removal of any lingering malware. The choice is up to you and your daughter.
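The two things the helper did by hand in this thread, collecting the lines FRST marks with ATTENTION into a fixlist.txt (post #8) and noticing that the remaining service / driver name is made of non-standard characters (post #13), can be scripted for triage. The following Python script is an added example and is not part of the thread, dbreeze's instructions, or the FRST tool itself. It assumes the thread's convention that flagged lines are pasted verbatim into fixlist.txt, and the log excerpt it parses is constructed from the log format shown in the thread.

```python
"""Triage helper for FRST.txt logs (added example, not from the thread or FRST).

It gathers the lines FRST flags with "ATTENTION" into fixlist.txt content,
sets aside flagged Services/Drivers entries for a human look (they need a
specific directive rather than a verbatim copy), and reports service or
driver names containing non-standard characters, the hiding trick that
defeated the manual fixlist in this thread.
"""
import re
from typing import Dict, List

# Constructed FRST.txt excerpt in the thread's log format (sample input).
SAMPLE_FRST_LOG = r"""
==================== Registry (Whitelisted) ====================

HKLM\...\Winlogon: [Userinit]
HKLM\...\Winlogon: [Shell]  [0 ] () <=== ATTENTION
GroupPolicy: Restriction <======= ATTENTION

==================== Services (Whitelisted) ====================

"ȡ" => service could not be unlocked. <===== ATTENTION

S3 CertPropSvc; C:\Windows\system32\svchost.exe [47664 2017-03-18] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

S5 acpitime; C:\Windows\System32\Drivers\acpitime.sys [14336 2017-03-18] (Microsoft Corporation)
S2 Bonjour Service; no ImagePath
S5 ȡ;  <===== ATTENTION: Locked Service

==================== Association (Whitelisted) =============

HKLM\...\.exe:  =>  <===== ATTENTION
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")      # "==== Section name ===="
ATTENTION_RE = re.compile(r"<=+\s*ATTENTION")       # FRST's flag marker
SERVICE_RE = re.compile(r"^([SR]\d)\s+([^;]*);")    # "S5 name; image path ..."


def split_sections(log_text: str) -> Dict[str, List[str]]:
    """Group non-empty log lines under the FRST section header they follow."""
    current = "Header"
    sections: Dict[str, List[str]] = {current: []}
    for line in log_text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif line.strip():
            sections[current].append(line)
    return sections


def build_fixlist(log_text: str) -> Dict[str, List[str]]:
    """Split flagged lines into fixlist.txt content (copied verbatim, as in the
    thread) and Services/Drivers entries that need manual review first."""
    fixlist: List[str] = []
    needs_review: List[str] = []
    for name, lines in split_sections(log_text).items():
        for line in lines:
            if not ATTENTION_RE.search(line):
                continue
            if name.startswith(("Services", "Drivers")):
                needs_review.append(line)
            else:
                fixlist.append(line)
    return {"fixlist": fixlist, "needs_review": needs_review}


def is_nonstandard_name(name: str) -> bool:
    """True if the name contains any character outside printable ASCII."""
    return any(not 32 <= ord(ch) <= 126 for ch in name)


def odd_service_names(log_text: str) -> List[str]:
    """Service/driver names in the log made of non-standard characters."""
    found: List[str] = []
    for name, lines in split_sections(log_text).items():
        if not name.startswith(("Services", "Drivers")):
            continue
        for line in lines:
            m = SERVICE_RE.match(line)
            if not m:
                continue
            svc = m.group(2).strip()
            if is_nonstandard_name(svc) and svc not in found:
                found.append(svc)
    return found


if __name__ == "__main__":
    result = build_fixlist(SAMPLE_FRST_LOG)
    print("fixlist.txt:")
    print("\n".join(result["fixlist"]))
    print("\nneeds manual review:")
    print("\n".join(result["needs_review"]))
    print("\nnon-standard service/driver names:", odd_service_names(SAMPLE_FRST_LOG))
```

Run against the constructed excerpt, the script puts the three registry and association lines into the fixlist, holds back the two locked-service lines for review, and reports the single-character service name; on the thread's own log the same name is the one the verbatim fixlist could not reach.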

#14 RedSuedePump (Topic Starter, Member, 163 posts)

Hi,

I tried to do a factory reset and it couldn't do that either. Nothing has changed in the options available to me on boot up, so I'll give the AVG rescue cd a go tomorrow.

Will let you know how I get on.

RSP



#15 RedSuedePump (Topic Starter, Member, 163 posts)

Hi,

I managed to set up an AVG rescue CD and ran it in the infected computer.

I have to say that some of the screens/options were not as set out in the instructions, so maybe the software has changed since that tutorial?

Anyway, I ran it, but couldn't configure it for internet access, so it's not the latest version.

When I ran the scan, it reported 1,311 infections, 1 warning and 4 errors.

When I pressed enter to continue (step 13 in the tutorial), I arrived at a screen that says 'Select files' at the top and then at the bottom I can select Action, Select All, Deselect All or Return. I can't see how I can do step 14 from here. There are 1,306 files listed in the screen.

My comments are:

1) The infected computer accesses the internet via a wifi stick. If I was to hard wire it to the router, do you think the AVG software would update successfully?

2) There seem to be a vast number of files to repair. Should I attempt this, or is there an easier way? Or should I just give up and get a factory reset?

3) The guy at the local computer shop says he can do a factory reset for me for £65. I don't have the cds (Windows 10) to do this myself and the infected computer can't access the internet at the moment. Do I have any options other than giving up and paying £65?

I sense that I am not that far from a solution, but my lack of knowledge leaves a long way between it and me!

I'd appreciate any guidance you can offer.

RSP

