
Inactive Windows unable to start

Discussion in 'Malware and Virus Removal Archive' started by rthompson, 2015/02/02.

  1. 2015/02/03
    rthompson

    rthompson Well-Known Member Thread Starter

    Joined:
    2009/12/22
    Messages:
    330
    Likes Received:
    1
    I haven't tried booting to safe mode. What happens is the start screen comes up and it looks as if the images are stretched out across the screen. It then shuts down and enters automatic repair mode.
     
  2. 2015/02/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Check safe mode please.
     


  4. 2015/02/03
    rthompson

    rthompson Well-Known Member Thread Starter

    Joined:
    2009/12/22
    Messages:
    330
    Likes Received:
    1
    Tried booting in safe mode, no joy. Error screen came up and it rebooted to automatic repair mode.
     
  5. 2015/02/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    At this point there is nothing malicious left on your computer, so there is a good chance that the infection seriously damaged the Windows installation.

    We can try one more thing but I wouldn't hold your breath.

    We searched for explorer.exe;User32.dll;volsnap.sys files, but they all look legit.
    There is a slight chance that one or more of those files are simply corrupted, so I uploaded all three files from my Windows 7 installation here: https://www.sendspace.com/file/0zpene
    Download the above file and unzip it.
    Inside you'll find explorer.exe;User32.dll;volsnap.sys files.
    Copy those 3 files to the root of your USB flash drive.

    Re-run the very same search as in my reply #18 so I can see that my files are in the right location.
    Post search log.
     
  6. 2015/02/03
    rthompson

    rthompson Well-Known Member Thread Starter

    Joined:
    2009/12/22
    Messages:
    330
    Likes Received:
    1
    search log

    Farbar Recovery Scan Tool (x64) Version: 01-02-2015
    Ran by SYSTEM at 2015-02-03 22:44:33
    Running from e:\
    Boot Mode: Recovery

    ================== Search Files: "explorer.exe;user32.dll;volsnap.sys" =============

    C:\Windows\explorer.exe
    [2014-11-15 15:26][2014-08-22 23:48] 2374784 ____A (Microsoft Corporation) ACDBE1ED38167C8B01B8F63161BB2CEA

    C:\Windows\WinSxS\wow64_microsoft-windows-user32_31bf3856ad364e35_6.3.9600.17347_none_c879a06475913d83\user32.dll
    [2014-11-15 15:43][2014-09-18 16:16] 1346048 ____A (Microsoft Corporation) 5F333FDBF392850373C89BDA31EBEC1B

    C:\Windows\WinSxS\wow64_microsoft-windows-user32_31bf3856ad364e35_6.3.9600.17238_none_c8856eb475883dc2\user32.dll
    [2014-11-22 17:13][2014-12-21 02:58] 0069789 ____A () 070D3596E11153FB60FD134C2A3BB599

    C:\Windows\WinSxS\wow64_microsoft-windows-user32_31bf3856ad364e35_6.3.9600.17031_none_c87e68e2758e9213\user32.dll
    [2014-08-08 15:56][2014-12-21 02:58] 0070247 ____A () 2AC315053FE3ECD1FAE8E5948537469B

    C:\Windows\WinSxS\wow64_microsoft-windows-user32_31bf3856ad364e35_6.3.9600.16441_none_c873b756759688ff\user32.dll
    [2014-08-05 04:54][2014-12-21 02:58] 0080858 ____A () E6825152A841EFF8C62655C52CFFFEDD

    C:\Windows\WinSxS\wow64_microsoft-windows-user32_31bf3856ad364e35_6.3.9600.16384_none_c84b769e75b447a1\user32.dll
    [2013-08-21 18:51][2014-12-21 02:58] 0082750 ____A () 7D7B79CE43DC3CEF0E0312A8B99B3939

    C:\Windows\WinSxS\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.3.9600.17284_none_4cc798c1821453a8\explorer.exe
    [2014-11-15 15:26][2014-08-22 23:13] 2084520 ____A (Microsoft Corporation) 195822ACCDAA2B4815DD01BAFC335595

    C:\Windows\WinSxS\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.3.9600.17238_none_4d01a98581e82d4f\explorer.exe
    [2014-11-22 17:22][2014-12-09 01:42] 0220250 ____A () 286928E00AD34E9F88EB5BFA52660A70

    C:\Windows\WinSxS\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.3.9600.17039_none_4d02a60381e74c58\explorer.exe
    [2014-08-08 16:09][2014-12-09 01:42] 0208662 ____A () C131BC6F12417306A9C8469CA49110B1

    C:\Windows\WinSxS\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.3.9600.17031_none_4cfaa3b381ee81a0\explorer.exe
    [2014-08-08 15:57][2014-11-15 11:21] 0015546 ____A () 347EFF7EC89C3EB4F72F2408E1C4E16D

    C:\Windows\WinSxS\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.3.9600.16441_none_4ceff22781f6788c\explorer.exe
    [2014-08-05 04:54][2014-11-15 11:20] 0238918 ____A () 5177BB4FECDDB9CDBCF10EF65916968D

    C:\Windows\WinSxS\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.3.9600.16408_none_4d2233dd81cfba29\explorer.exe
    [2014-08-05 05:01][2014-11-15 11:20] 0239123 ____A () 7B546CB045C2A84D26A8D2FE07F9F98C

    C:\Windows\WinSxS\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.3.9600.16384_none_4cc7b16f8214372e\explorer.exe
    [2013-08-21 18:06][2014-11-15 11:20] 0268164 ____A () 578A251C234E51BC6B9D684480EEB9DB

    C:\Windows\WinSxS\amd64_volume.inf_31bf3856ad364e35_6.3.9600.17215_none_06c1ae9bcfd2737b\volsnap.sys
    [2014-11-22 17:21][2014-06-18 18:13] 0310080 ___AC (Microsoft Corporation) 64CA2B4A49A8EAF495E435623ECCE7DB

    C:\Windows\WinSxS\amd64_volume.inf_31bf3856ad364e35_6.3.9600.17041_none_069d39e3cfee67a4\volsnap.sys
    [2014-08-28 02:17][2014-12-09 01:25] 0031490 ____A () 50C79EDB89463E12CA94E0840DFD0932

    C:\Windows\WinSxS\amd64_volume.inf_31bf3856ad364e35_6.3.9600.17031_none_06a809cfcfe64bb3\volsnap.sys
    [2014-08-08 15:56][2014-11-15 10:15] 0033436 ____A () A24CC4ADEC9998D129FB7F5A1D1BA606

    C:\Windows\WinSxS\amd64_volume.inf_31bf3856ad364e35_6.3.9600.16523_none_06b4fa95cfdc3a92\volsnap.sys
    [2014-08-05 04:48][2014-11-15 10:15] 0043446 ____A () 462507EFFF00135C173E059BF0AE287B

    C:\Windows\WinSxS\amd64_volume.inf_31bf3856ad364e35_6.3.9600.16384_none_0675178bd00c0141\volsnap.sys
    [2013-08-22 03:40][2014-11-15 10:15] 0043661 ____A () 0BEEEDD2D3CD2A33EDD3C32B89881486

    C:\Windows\WinSxS\amd64_microsoft-windows-user32_31bf3856ad364e35_6.3.9600.17347_none_be24f61241307b88\user32.dll
    [2014-11-15 15:43][2014-09-21 20:38] 1519488 ____A (Microsoft Corporation) F0A117D19873FCDF801F082F33BFBB6C

    C:\Windows\WinSxS\amd64_microsoft-windows-user32_31bf3856ad364e35_6.3.9600.17238_none_be30c46241277bc7\user32.dll
    [2014-11-22 17:21][2014-12-09 01:13] 0126009 ____A () AF8914D00B6E8CE87EBA8A245D43CB36

    C:\Windows\WinSxS\amd64_microsoft-windows-user32_31bf3856ad364e35_6.3.9600.17031_none_be29be90412dd018\user32.dll
    [2014-08-08 15:56][2014-12-09 01:13] 0124983 ____A () 31ADEF7B319B46AA8F3B5CA26234310F

    C:\Windows\WinSxS\amd64_microsoft-windows-user32_31bf3856ad364e35_6.3.9600.16441_none_be1f0d044135c704\user32.dll
    [2013-08-22 01:56][2014-11-15 09:34] 0114641 ____A () FE5A453CBC75DAEE1A8F1BC3C0EE4AC5

    C:\Windows\WinSxS\amd64_microsoft-windows-user32_31bf3856ad364e35_6.3.9600.16384_none_bdf6cc4c415385a6\user32.dll
    [2013-08-22 01:56][2014-11-15 09:34] 0114641 ____A () FE5A453CBC75DAEE1A8F1BC3C0EE4AC5

    C:\Windows\WinSxS\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.3.9600.17284_none_4272ee6f4db391ad\explorer.exe
    [2014-11-15 15:26][2014-08-22 23:48] 2374784 ____A (Microsoft Corporation) ACDBE1ED38167C8B01B8F63161BB2CEA

    C:\Windows\WinSxS\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.3.9600.17238_none_42acff334d876b54\explorer.exe
    [2014-11-22 17:22][2014-12-03 02:23] 0270774 ____A () 2195687491E604BA42961470EDA7660E

    C:\Windows\WinSxS\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.3.9600.17039_none_42adfbb14d868a5d\explorer.exe
    [2014-08-08 16:09][2014-12-03 02:23] 0271249 ____A () 667BC926C7CB889BF276A5FEA316CAEE

    C:\Windows\WinSxS\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.3.9600.17031_none_42a5f9614d8dbfa5\explorer.exe
    [2014-08-08 15:57][2014-09-16 01:31] 0169957 ____A () 6D919C26DCB567396CD2E119B8E4310E

    C:\Windows\WinSxS\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.3.9600.16441_none_429b47d54d95b691\explorer.exe
    [2014-08-05 04:54][2014-09-16 01:31] 0283735 ____A () FA98C5D746E7C9E0912E88AC44FF9926

    C:\Windows\WinSxS\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.3.9600.16408_none_42cd898b4d6ef82e\explorer.exe
    [2014-08-05 05:01][2014-08-23 23:27] 0133444 ____A () 3DDF61E1B538A1205612192A61CC2376

    C:\Windows\WinSxS\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.3.9600.16384_none_4273071d4db37533\explorer.exe
    [2013-08-22 01:01][2014-08-23 23:26] 0274077 ____A () 95F49CF19E3CA220190E7927773EE5B1

    C:\Windows\SysWOW64\explorer.exe
    [2014-11-15 15:26][2014-08-22 23:13] 2084520 ____A (Microsoft Corporation) 195822ACCDAA2B4815DD01BAFC335595

    C:\Windows\SysWOW64\user32.dll
    [2014-11-15 15:43][2014-09-18 16:16] 1346048 ____A (Microsoft Corporation) 5F333FDBF392850373C89BDA31EBEC1B

    C:\Windows\System32\user32.dll
    [2014-11-15 15:43][2014-09-21 20:38] 1519488 ____A (Microsoft Corporation) F0A117D19873FCDF801F082F33BFBB6C

    C:\Windows\System32\DriverStore\FileRepository\volume.inf_amd64_8687137d6e4faf5d\volsnap.sys
    [2014-11-22 17:21][2014-06-18 18:13] 0310080 ___AC (Microsoft Corporation) 64CA2B4A49A8EAF495E435623ECCE7DB

    C:\Windows\System32\drivers\volsnap.sys
    [2014-11-22 17:21][2014-06-18 18:13] 0310080 ___AC (Microsoft Corporation) 64CA2B4A49A8EAF495E435623ECCE7DB

    X:\Windows\WinSxS\amd64_volume.inf_31bf3856ad364e35_6.3.9600.16384_none_0675178bd00c0141\volsnap.sys
    [2013-08-22 05:45][2013-08-22 05:45] 0312160 ____A (Microsoft Corporation) 9F9CE33B50611A1C61A46B8911E0B30B

    X:\Windows\WinSxS\amd64_microsoft-windows-user32_31bf3856ad364e35_6.3.9600.16384_none_bdf6cc4c415385a6\user32.dll
    [2013-08-22 05:45][2013-08-22 05:45] 1517984 ____A (Microsoft Corporation) 1A811BAFA2114C2FC878507F9F86566C

    X:\Windows\System32\user32.dll
    [2013-08-22 05:45][2013-08-22 05:45] 1517984 ____A (Microsoft Corporation) 1A811BAFA2114C2FC878507F9F86566C

    X:\Windows\System32\DriverStore\FileRepository\volume.inf_amd64_50d690313539fa92\volsnap.sys
    [2013-08-22 05:45][2013-08-22 05:45] 0312160 ____A (Microsoft Corporation) 9F9CE33B50611A1C61A46B8911E0B30B

    X:\Windows\System32\drivers\volsnap.sys
    [2013-08-22 05:45][2013-08-22 05:45] 0312160 ____A (Microsoft Corporation) 9F9CE33B50611A1C61A46B8911E0B30B

    ====== End Of Search ======
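    An added example, not part of the original thread and not FRST's or the forum's own code, that automates the check broni applies above ("they all look legit"): each live copy of the searched files should carry Microsoft version info and hash to the same MD5 as a vendor-tagged copy in the WinSxS component store. It parses the FRST "Search Files" layout shown in this log; the sample input quotes the explorer.exe lines from the log above plus one constructed all-zero hash, and the OK/REVIEW verdict labels are assumptions of this example.

```python
import re
from collections import defaultdict
# Constructed sample in FRST log format: explorer.exe lines are quoted from the
# search log above; the volsnap.sys all-zero hash is made up to show a mismatch.
SAMPLE_LOG = r"""
C:\Windows\explorer.exe
[2014-11-15 15:26][2014-08-22 23:48] 2374784 ____A (Microsoft Corporation) ACDBE1ED38167C8B01B8F63161BB2CEA
C:\Windows\WinSxS\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.3.9600.17284_none_4272ee6f4db391ad\explorer.exe
[2014-11-15 15:26][2014-08-22 23:48] 2374784 ____A (Microsoft Corporation) ACDBE1ED38167C8B01B8F63161BB2CEA
C:\Windows\System32\drivers\volsnap.sys
[2014-11-22 17:21][2014-06-18 18:13] 0310080 ___AC (Microsoft Corporation) 00000000000000000000000000000000
====== End Of Search ======
"""
# Detail line layout: [created][modified] size attributes (vendor) MD5
DETAIL_RE = re.compile(
    r"^\[[^\]]+\]\[[^\]]+\] (?P<size>\d+) (?P<attrs>\S+) "
    r"\((?P<vendor>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)

def parse_search_log(text):
    """Return one dict per (path line, detail line) pair in the log."""
    entries, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("=", "Searching")):
            continue
        m = DETAIL_RE.match(line)
        if m and pending:
            d = m.groupdict()
            d.update(md5=d["md5"].upper(), path=pending, name=pending.rsplit("\\", 1)[-1].lower())
            entries.append(d)
            pending = None
        else:
            pending = line  # a path line; its detail line follows
    return entries

def check_live_files(entries, drive="C:"):
    """Map each live file on `drive` (outside WinSxS) to (verdict, reason)."""
    in_store = lambda e: "\\winsxs\\" in e["path"].lower()
    store = defaultdict(set)  # file name -> MD5s of vendor-tagged WinSxS copies
    for e in entries:
        if in_store(e) and e["vendor"]:
            store[e["name"]].add(e["md5"])
    verdicts = {}
    for e in entries:
        if in_store(e) or not e["path"].upper().startswith(drive):
            continue  # component-store copies and other drives (e.g. X:) are the reference, not the target
        if not e["vendor"]:
            verdicts[e["path"]] = ("REVIEW", "no version/vendor information")
        elif e["md5"] in store[e["name"]]:
            verdicts[e["path"]] = ("OK", "hash matches a component-store copy")
        else:
            verdicts[e["path"]] = ("REVIEW", "hash not found in component store")
    return verdicts
```

    Run over the full log above, it returns OK for the live explorer.exe, user32.dll and volsnap.sys copies, which is the same conclusion broni drew by eye; a REVIEW verdict only means the file needs a closer look, not that it is malicious.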
     
  7. 2015/02/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I don't see those three files on drive E (USB).
    What happened?
     
  8. 2015/02/03
    rthompson

    rthompson Well-Known Member Thread Starter

    Joined:
    2009/12/22
    Messages:
    330
    Likes Received:
    1
    They are there, I checked before I changed systems.
     
  9. 2015/02/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Put the USB drive back into your computer, open Windows Explorer and attach a screenshot of the USB drive directory.
     
  10. 2015/02/03
    rthompson

    rthompson Well-Known Member Thread Starter

    Joined:
    2009/12/22
    Messages:
    330
    Likes Received:
    1
    I have no screenshot software.
     
  11. 2015/02/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    OK....on YOUR computer...make sure USB flash drive is in....

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    64-bit users go HERE
    • Double-click SystemLook.exe to run it.
    • Vista users: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box and paste it into the main textfield:
    Code:
    :filefind
    explorer.exe
    User32.dll
    volsnap.sys
    
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  12. 2015/02/03
    rthompson

    rthompson Well-Known Member Thread Starter

    Joined:
    2009/12/22
    Messages:
    330
    Likes Received:
    1
    systemlook.txt

    SystemLook 30.07.11 by jpshortstuff
    Log created at 23:26 on 03/02/2015 by Owner
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "explorer.exe "
    C:\WINDOWS\explorer.exe --a---- 1033728 bytes [12:00 14/04/2008] [12:00 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
    C:\WINDOWS\erdnt\cache\explorer.exe --a---- 1033728 bytes [17:49 05/10/2012] [12:00 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
    C:\WINDOWS\system32\dllcache\explorer.exe --a--c- 1033728 bytes [12:00 14/04/2008] [12:00 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923

    Searching for "User32.dll "
    C:\WINDOWS\erdnt\cache\user32.dll --a---- 578560 bytes [17:48 05/10/2012] [12:00 14/04/2008] B26B135FF1B9F60C9388B4A7D16F600B
    C:\WINDOWS\system32\user32.dll --a---- 578560 bytes [12:00 14/04/2008] [12:00 14/04/2008] B26B135FF1B9F60C9388B4A7D16F600B
    C:\WINDOWS\system32\dllcache\user32.dll --a--c- 578560 bytes [12:00 14/04/2008] [12:00 14/04/2008] B26B135FF1B9F60C9388B4A7D16F600B

    Searching for "volsnap.sys "
    C:\WINDOWS\system32\dllcache\volsnap.sys --a--c- 52352 bytes [12:00 14/04/2008] [12:00 14/04/2008] 4C8FCB5CC53AAB716D810740FE59D025
    C:\WINDOWS\system32\drivers\volsnap.sys --a---- 52352 bytes [12:00 14/04/2008] [12:00 14/04/2008] 4C8FCB5CC53AAB716D810740FE59D025

    -= EOF =-
     
  13. 2015/02/03
    rthompson

    rthompson Well-Known Member Thread Starter

    Joined:
    2009/12/22
    Messages:
    330
    Likes Received:
    1
    I don't get it

    when I open e: the files are there
     
  14. 2015/02/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    How to create a screenshot...

    With the window open that you want to take the Screenshot of, press the Print Screen/SysRq Key (next to F12 on the keyboard).
    If you only want a screenshot of an active window within the main window press ALT+Print Screen/SysRq.

    Now open Microsoft Paint by pressing Start > All Programs > Accessories > Paint.

    This will open the Paint window.
    On the menu bar at the top left, click on Edit and select Paste. This will put your screenshot in the Paint window.

    Next, click File on the menu bar and click Save As.

    In the drop-down box that appears, where it shows File name replace the highlighted Untitled with a suitable name.
    In the Save as type box press the down arrow and select JPEG from the list of options.
    In the Save in box at the top press the down arrow and navigate to Desktop and select it then press Save at the bottom.

    Attach the file to your next reply.
     
  15. 2015/02/03
    rthompson

    rthompson Well-Known Member Thread Starter

    Joined:
    2009/12/22
    Messages:
    330
    Likes Received:
    1
    screenshot

    How do I attach the file?
     
  16. 2015/02/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Upload the file(s) here: http://www.sendspace.com/
    Click on Browse button and navigate to the file you want to upload.
    Click on Upload button.
    Click on FIRST Copy Link button and paste the link in your next reply.
     
  17. 2015/02/03
    rthompson

    rthompson Well-Known Member Thread Starter

    Joined:
    2009/12/22
    Messages:
    330
    Likes Received:
    1
  18. 2015/02/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    OK....

    Download the attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back into the bad computer.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    On Vista or Windows 7/8: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the OTLPE CD.
    Run FRST (FRST64) and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    See if you can boot.
     
  19. 2015/02/03
    rthompson

    rthompson Well-Known Member Thread Starter

    Joined:
    2009/12/22
    Messages:
    330
    Likes Received:
    1
    fixlog.txt

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 01-02-2015
    Ran by SYSTEM at 2015-02-04 00:22:58 Run:3
    Running from e:\
    Boot Mode: Recovery
    ==============================================

    Content of fixlist:
    *****************
    S2 SWUpdater; C:\Program Files (x86)\StormWatch\SWUpdaterSvc.exe [X]
    Replace: e:\explorer.exe C:\Windows\explorer.exe
    Replace: e:\user32.dll C:\Windows\System32\user32.dll
    Replace: e:\volsnap.sys C:\Windows\System32\drivers\volsnap.sys
    *****************

    SWUpdater => Service deleted successfully.
    C:\Windows\explorer.exe => Moved successfully.
    e:\explorer.exe copied successfully to C:\Windows\explorer.exe
    C:\Windows\System32\user32.dll => Moved successfully.
    e:\user32.dll copied successfully to C:\Windows\System32\user32.dll
    C:\Windows\System32\drivers\volsnap.sys => Moved successfully.
    e:\volsnap.sys copied successfully to C:\Windows\System32\drivers\volsnap.sys

    ==== End of Fixlog 00:22:59 ====

    No joy
     
  20. 2015/02/03
    rthompson

    rthompson Well-Known Member Thread Starter

    Joined:
    2009/12/22
    Messages:
    330
    Likes Received:
    1
    wrong directory

    They should have been copied to x:
     
  21. 2015/02/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Unfortunately at this point I'm out of options.
    You'll have to reinstall Windows.
     
