Inactive-A BSoD Error c000021a on Startup

Discussion in 'Malware and Virus Removal' started by mia4sanne, 2016/04/09.

Thread Status:
Not open for further replies.
  1. 2016/04/09
    mia4sanne

    mia4sanne New Member Thread Starter


    I haven't updated any software or drivers on my laptop but now I am getting the BSoD error:

    STOP: c000021a fatal system error
    The initial session process or system process

    I have tried the following with the same issue:
    startup repair
    windows memory diagnostic
    windows normal startup
    safe mode
    last known good configuration

    Problem signature:
    Problem Event Name: StartupRepairOffline
    Problem Signature 01: 6.1.7600.16385
    Problem Signature 02: 6.1.7600.16385
    Problem Signature 03: unknown
    Problem Signature 04: -1
    Problem Signature 05: AutoFailover
    Problem Signature 06: 14
    Problem Signature 07: NoRootCause
    OS Version: 6.1.7600.2.0.0.256.1
    Locale ID: 1033

    Read our privacy statement online:
    http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

    If the online privacy statement is not available, please read our privacy statement offline:
    X:\windows\system32\en-US\erofflps.txt


    I read a previous thread that refers to the same error and so installed FRST.

    This is the log:

    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:05-03-2016 01
    Ran by SYSTEM on MININT-321CD6I (10-04-2016 15:32:27)
    Running from F:\
    Platform: WIN_7 (X86) Language: English (United States)
    Boot Mode: Recovery
    Default: ControlSet001
    ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

    ==================== Registry (Whitelisted) ===========================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Winlogon: [Userinit]
    HKLM\...\Winlogon: [Shell] [x ] () <=== ATTENTION
    HKLM\...\InprocServer32: [Default-wbemess] <==== ATTENTION
    HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] <==== ATTENTION
    HKU\my name\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [6825888 2016-02-29] (SUPERAntiSpyware)
    HKU\my name\...\Run: [Dropbox Update] => C:\Users\my name\AppData\Local\Dropbox\Update\DropboxUpdate.exe [134512 2015-06-21] (Dropbox, Inc.)
    HKU\my name\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [6667992 2016-03-11] (Piriform Ltd)
    HKU\my name\...\Run: [uTorrent] => C:\Users\my name\AppData\Roaming\uTorrent\uTorrent.exe [1959424 2016-04-06] (BitTorrent Inc.)
    HKU\User\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [6667992 2016-03-11] (Piriform Ltd)

    ==================== Services (Whitelisted) ========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    S2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [142648 2014-07-22] (SUPERAntiSpyware.com)
    S2 AgereModemAudio; C:\Program Files\LSI SoftModem\agrsmsvc.exe [14336 2009-03-27] (LSI Corporation)
    S2 ATService; C:\Program Files\Fingerprint Sensor\AtService.exe [1819968 2009-12-17] (AuthenTec, Inc.)
    S3 AvgAMPS; C:\Program Files\AVG\Av\avgamps.exe [604144 2016-03-01] (AVG Technologies CZ, s.r.o.)
    S2 AVGIDSAgent; C:\Program Files\AVG\Av\avgidsagent.exe [3934184 2016-03-01] (AVG Technologies CZ, s.r.o.)
    S2 avgsvc; C:\Program Files\AVG\Framework\Common\avgsvcx.exe [886032 2016-03-22] (AVG Technologies CZ, s.r.o.)
    S2 avgwd; C:\Program Files\AVG\Av\avgwdsvcx.exe [561104 2016-03-01] (AVG Technologies CZ, s.r.o.)
    S2 cfWiMAXService; C:\Program Files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe [185712 2009-10-27] (TOSHIBA CORPORATION)
    S2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX86\OfficeClickToRun.exe [1916656 2016-02-08] (Microsoft Corporation)
    S2 ConfigFree Service; C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe [46448 2009-03-10] (TOSHIBA CORPORATION)
    S4 MSSQLServerADHelper; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [44384 2010-12-09] (Microsoft Corporation)
    S2 MYOB AccountRight Library; C:\Program Files\MYOB\AccountRight\Servers\Huxley.Library.WindowsService.exe [17752 2014-03-23] (MYOB Technology Pty Ltd)
    S2 MYOB AccountRight Server 2014.1; C:\Program Files\MYOB\AccountRight\2014.1\NZ\Huxley.Server.WindowsService.exe [15192 2014-03-23] (MYOB Technology Pty Ltd)
    S2 MYOB AccountRight Server Locator; C:\Program Files\MYOB\AccountRight\Servers\Huxley.ServerLocator.WindowsService.exe [16216 2014-03-23] (MYOB Technology Pty Ltd)
    S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [211216 2010-01-18] ()
    S2 RSELSVC; C:\Program Files\TOSHIBA\RSelect\RSelSvc.exe [62832 2009-07-07] (TOSHIBA Corporation)
    S3 TMachInfo; C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [51512 2009-10-06] (TOSHIBA Corporation)
    S2 TOSHIBA eco Utility Service; C:\Program Files\TOSHIBA\TECO\TecoService.exe [238960 2009-12-22] (TOSHIBA Corporation)
    S3 TOSHIBA HDD SSD Alert Service; C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [111960 2009-12-24] (TOSHIBA Corporation)
    S3 TPCHSrv; C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe [677232 2009-12-24] (TOSHIBA Corporation)
    S2 TTPDSrv; C:\windows\System32\TTPDSRV.exe [73728 2007-11-07] (TOSHIBA Corporation)
    S2 TTService; C:\Program Files\TorrentsTime Media Player\bin\TTService.exe [3543576 2016-02-15] (TorrentsTime)
    S2 vToolbarUpdater40.2.8; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\40.2.8\ToolbarUpdater.exe [1957448 2016-03-24] (AVG Secure Search)
    S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-26] (Microsoft Corporation)
    S2 WtuSystemSupport; C:\Program Files\AVG Web TuneUp\WtuSystemSupport.exe [1216584 2016-03-24] ()

    ===================== Drivers (Whitelisted) ==========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    S1 Avgdiskx; C:\Windows\System32\DRIVERS\avgdiskx.sys [149936 2015-11-05] (AVG Technologies CZ, s.r.o.)
    S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [256432 2016-01-25] (AVG Technologies CZ, s.r.o.)
    S0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [207792 2016-01-25] (AVG Technologies CZ, s.r.o.)
    S1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [31664 2015-11-19] (AVG Technologies CZ, s.r.o.)
    S1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [229296 2015-10-20] (AVG Technologies CZ, s.r.o.)
    S0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [297904 2016-02-02] (AVG Technologies CZ, s.r.o.)
    S0 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [205744 2016-03-01] (AVG Technologies CZ, s.r.o.)
    S0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [37296 2015-12-03] (AVG Technologies CZ, s.r.o.)
    S1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [231856 2015-10-07] (AVG Technologies CZ, s.r.o.)
    S0 Avgunivx; C:\Windows\System32\DRIVERS\avgunivx.sys [23472 2016-01-07] (AVG Technologies CZ, s.r.o.)
    S3 PGEffect; C:\Windows\System32\DRIVERS\pgeffect.sys [24064 2009-06-22] (TOSHIBA Corporation)
    S2 risdpcie; C:\Windows\System32\DRIVERS\risdpe86.sys [49152 2009-07-28] (REDC)
    S2 rixdpcie; C:\Windows\System32\DRIVERS\rixdpe86.sys [45056 2011-04-25] (REDC)
    S1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
    S1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
    S2 TVALZFL; C:\Windows\System32\DRIVERS\TVALZFL.sys [12920 2009-06-19] (TOSHIBA Corporation)
    S3 wisdpen; C:\Windows\System32\DRIVERS\wisdpen.sys [37232 2011-01-03] (Wacom Technology)
    S3 lmimirr; system32\DRIVERS\lmimirr.sys [X]

    ==================== NetSvcs (Whitelisted) ===================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


    ==================== One Month Created files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2016-04-10 14:56 - 2016-04-10 15:32 - 00000000 ____D C:\FRST
    2016-04-09 18:53 - 2016-04-09 19:14 - 00527914 _____ C:\Windows\ntbtlog.txt
    2016-04-07 15:13 - 2016-04-09 04:23 - 00000000 ____D C:\Users\my name\AppData\LocalLow\uTorrent
    2016-04-06 21:54 - 2016-04-06 21:54 - 00000000 __RHD C:\MSOCache
    2016-04-01 11:15 - 2016-04-01 11:15 - 00000000 ____D C:\Users\Test\Documents\Custom Office Templates
    2016-04-01 11:15 - 2016-04-01 11:15 - 00000000 ____D C:\Users\Test\AppData\Roaming\TFPU
    2016-04-01 11:14 - 2016-04-01 11:14 - 00113080 _____ C:\Users\Test\AppData\Local\GDIPFONTCACHEV1.DAT
    2016-04-01 11:14 - 2016-04-01 11:14 - 00000000 ____D C:\Users\Test\AppData\Roaming\Intel Corporation
    2016-04-01 11:14 - 2016-04-01 11:14 - 00000000 ____D C:\Users\Test\AppData\Roaming\Intel
    2016-04-01 11:14 - 2016-04-01 11:14 - 00000000 ____D C:\Users\Test\AppData\Roaming\AVG
    2016-04-01 11:14 - 2016-04-01 11:14 - 00000000 ____D C:\Users\Test\AppData\Local\Google
    2016-04-01 11:14 - 2016-04-01 11:14 - 00000000 ____D C:\Users\Test\AppData\Local\AVG Web TuneUp
    2016-04-01 11:14 - 2016-04-01 11:14 - 00000000 ____D C:\Users\Test\AppData\Local\Avg
    2016-04-01 11:13 - 2016-04-01 11:14 - 00000000 ____D C:\users\Test
    2016-04-01 11:13 - 2016-04-01 11:13 - 00000020 ___SH C:\Users\Test\ntuser.ini
    2016-04-01 11:13 - 2016-04-01 11:13 - 00000000 _SHDL C:\Users\Test\My Documents
    2016-04-01 11:13 - 2016-04-01 11:13 - 00000000 _SHDL C:\Users\Test\Documents\My Videos
    2016-04-01 11:13 - 2016-04-01 11:13 - 00000000 _SHDL C:\Users\Test\Documents\My Pictures
    2016-04-01 11:13 - 2016-04-01 11:13 - 00000000 _SHDL C:\Users\Test\Documents\My Music
    2016-04-01 11:13 - 2016-04-01 11:13 - 00000000 ____D C:\Users\Test\AppData\Roaming\Adobe
    2016-04-01 11:13 - 2016-04-01 11:13 - 00000000 ____D C:\Users\Test\AppData\Local\VirtualStore
    2016-04-01 11:13 - 2014-08-11 13:57 - 00000000 ____D C:\Users\Test\AppData\Local\Microsoft Help
    2016-04-01 11:13 - 2014-03-31 20:31 - 00000000 ____D C:\Users\Test\AppData\Roaming\TuneUp Software
    2016-04-01 11:13 - 2009-07-13 23:49 - 00000000 ____D C:\Users\Test\AppData\Roaming\Media Center Programs
    2016-04-01 10:54 - 2016-04-01 10:54 - 00000000 ____D C:\Program Files\Common Files\DESIGNER
    2016-04-01 03:38 - 2016-04-01 10:56 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
    2016-04-01 03:38 - 2016-04-01 03:38 - 00000000 ____D C:\Program Files\Microsoft Office
    2016-04-01 03:34 - 2016-04-01 03:35 - 00000000 ____D C:\Program Files\Microsoft Office 15
    2016-04-01 00:03 - 2016-04-01 00:03 - 00000000 __SHD C:\found.004
    2016-03-31 17:44 - 2016-03-31 17:44 - 00000000 ___DC C:\Users\my name\AppData\Local\MigWiz
    2016-03-30 17:45 - 2016-03-30 17:45 - 00000000 __SHD C:\found.003
    2016-03-27 16:01 - 2016-03-27 16:01 - 00001022 _____ C:\Users\Public\Desktop\EPUB File Reader.lnk
    2016-03-27 16:01 - 2016-03-27 16:01 - 00000000 ____D C:\Program Files\EPUB File Reader
    2016-03-16 00:36 - 2016-04-02 01:51 - 00000000 ____D C:\Users\my name\AppData\Roaming\dvdcss
    2016-03-14 11:15 - 2016-03-14 11:16 - 00000000 ____D C:\ProgramData\Avg_Update_0316tb


    ==================== One Month Modified files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2016-04-10 15:03 - 2014-11-05 14:24 - 00000000 ____D C:\Program Files\AVG Web TuneUp
    2016-04-10 15:03 - 2014-06-08 02:08 - 00000000 ____D C:\Users\User\AppData\OICE_15_974FA576_32C1D314_1E77
    2016-04-10 15:03 - 2014-06-08 02:06 - 00000000 ____D C:\Users\User\AppData\OICE_15_974FA576_32C1D314_3D1E
    2016-04-10 15:03 - 2014-05-04 00:48 - 00000000 ____D C:\Users\User\AppData\OICE_15_974FA576_32C1D314_1E6B
    2016-04-09 05:08 - 2014-08-31 02:07 - 00000000 ____D C:\Users\my name\AppData\Roaming\uTorrent
    2016-04-09 04:46 - 2015-07-17 18:25 - 00000000 ____D C:\Users\my name\Downloads\Movies
    2016-04-09 04:34 - 2015-03-16 03:22 - 00000000 ____D C:\Users\my name\AppData\Roaming\vlc
    2016-04-09 04:31 - 2009-07-13 20:34 - 00022208 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2016-04-09 04:31 - 2009-07-13 20:34 - 00022208 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2016-04-09 04:30 - 2010-01-14 05:23 - 00006388 _____ C:\Windows\System32\PerfStringBackup.INI
    2016-04-09 04:17 - 2014-07-15 15:39 - 00000000 ___RD C:\Users\my name\Dropbox
    2016-04-09 04:06 - 2010-09-12 05:33 - 00000000 ____D C:\ProgramData\MFAData
    2016-04-08 20:57 - 2014-06-24 12:10 - 00000000 ____D C:\Users\my name\Documents\Outlook Files
    2016-04-08 16:01 - 2014-07-20 12:21 - 00797376 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2016-04-08 16:01 - 2014-07-20 12:21 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2016-04-07 20:05 - 2014-08-30 19:28 - 00311740 _____ C:\Users\my name\Documents\Learning taking place signs.pptx
    2016-04-07 18:48 - 2015-06-05 04:02 - 00000000 ____D C:\Users\my name\Documents\Word files
    2016-04-05 04:30 - 2014-06-24 12:08 - 00000000 ____D C:\users\my name
    2016-04-03 23:18 - 2014-11-24 12:55 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
    2016-04-02 10:57 - 2014-09-11 18:37 - 00000000 ____D C:\Users\my name\AppData\Local\CrashDumps
    2016-04-02 01:54 - 2009-07-13 20:33 - 00434240 _____ C:\Windows\System32\FNTCACHE.DAT
    2016-04-01 11:08 - 2014-08-16 20:00 - 00000000 ____D C:\Users\my name\AppData\Local\ElevatedDiagnostics
    2016-04-01 10:55 - 2009-07-13 18:37 - 00000000 ____D C:\Program Files\Common Files\microsoft shared
    2016-04-01 03:23 - 2009-07-13 20:52 - 00000000 ____D C:\Windows\System32\FxsTmp
    2016-03-31 17:46 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\registration
    2016-03-30 16:05 - 2015-07-17 17:27 - 00002100 _____ C:\Users\Public\Desktop\Google Chrome.lnk
    2016-03-28 13:09 - 2014-11-06 13:07 - 00000000 ____D C:\Users\my name\AppData\Local\CutePDF Writer
    2016-03-28 12:47 - 2016-02-01 01:27 - 00000000 ____D C:\Users\my name\Documents\IR Letter
    2016-03-26 02:54 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\inf
    2016-03-26 02:35 - 2015-03-15 17:45 - 00000936 _____ C:\Users\Public\Desktop\CCleaner.lnk
    2016-03-24 21:15 - 2014-11-05 14:24 - 00000000 ____D C:\ProgramData\AVG Web TuneUp
    2016-03-24 11:08 - 2015-04-04 06:00 - 00000000 ___SD C:\Windows\System32\GWX
    2016-03-20 23:54 - 2014-07-15 15:36 - 00000000 ____D C:\Users\my name\AppData\Roaming\Dropbox
    2016-03-15 13:08 - 2015-10-24 00:40 - 00000877 _____ C:\Users\Public\Desktop\AVG Protection.lnk
    2016-03-15 03:21 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\rescache


    ==================== Known DLLs (Whitelisted) =========================


    ==================== Bamital & volsnap =================

    (There is no automatic fix for files that do not pass verification.)

    C:\Windows\explorer.exe
    [2016-02-09 17:21] - [2016-01-21 21:12] - 2973184 ____A (Microsoft Corporation) 2A156D5EBF221EF2A6AE7CE452324DAC

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe
    [2015-05-12 13:09] - [2015-04-12 19:19] - 0259072 ____A (Microsoft Corporation) 0780A42DBD7D9969F9BF4A19AA4285B5

    C:\Windows\System32\User32.dll
    [2015-12-08 19:43] - [2015-11-10 10:39] - 0811520 ____A (Microsoft Corporation) 4C5A23AE4F5157F579C89736EA5D42CE

    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit
    C:\Windows\System32\dnsapi.dll => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE Association (Whitelisted) =============



    HKLM\...\.exe: => <===== ATTENTION
    HKLM\...\exefile\DefaultIcon: <===== ATTENTION
    HKLM\...\exefile\open\command: <===== ATTENTION

    ==================== Restore Points =========================


    ==================== Memory info ===========================

    Percentage of memory in use: 13%
    Total physical RAM: 3824.43 MB
    Available physical RAM: 3314.56 MB
    Total Virtual: 3822.7 MB
    Available Virtual: 3318.49 MB

    ==================== Drives ================================

    Drive c: (S3A9101D001) (Fixed) (Total:107.67 GB) (Free:7.06 GB) NTFS ==>[system with boot components (obtained from drive)]
    Drive d: (System) (Fixed) (Total:1.46 GB) (Free:1.29 GB) NTFS ==>[system with boot components (obtained from drive)]
    Drive f: () (Removable) (Total:7.45 GB) (Free:7.45 GB) FAT32
    Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 119.2 GB) (Disk ID: 5FD58A2C)
    Partition 1: (Active) - (Size=1.5 GB) - (Type=27)
    Partition 2: (Not Active) - (Size=107.7 GB) - (Type=07 NTFS)
    Partition 3: (Not Active) - (Size=10.1 GB) - (Type=17)

    ========================================================
    Disk: 1 (Size: 7.5 GB) (Disk ID: 00000000)

    Partition: GPT.


    LastRegBack: 2016-04-09 00:41

    ==================== End of FRST.txt ============================
     
  2. 2016/04/10
    lj50 Lifetime Subscription

    lj50 SuperGeek WindowsBBS Team Member

    Try reading: This first. Then have your machine checked by broni.
     
    Last edited: 2016/04/10

  4. 2016/04/10
    mia4sanne

    mia4sanne New Member Thread Starter

    Hi lj50 - thanks for the suggestions.

    I've completed the steps as suggested in the thread provided. The results are below:

    X:\sources\recovery\Tools>c:

    C:\>Bcdedit /export C:\BCD_Backup
    The operation completed successfully.

    C:\>ren c:\boot\bcd bcd.old
    The system cannot find the file specified.

    C:\>ren c:\boot\bcd bcd.old
    The system cannot find the file specified.

    C:\>Bootrec.exe /rebuildbcd
    Scanning all disks for Windows installations.

    Please wait, since this may take a while...

    Successfully scanned Windows installations.
    Total identified Windows installations: 0
    The operation completed successfully.

    C:\>Bootrec.exe /fixmbr
    The operation completed successfully.

    C:\>
    C:\>Bootrec.exe /fixboot
    The volume does not contain a recognized file system.
    Please make sure that all required file system drivers are loaded an
    olume is not corrupted.

    C:\>sfc /scannow /offbootdir=c:\ /offwindir=c:\windows

    Beginning system scan. This process will take some time.


    Windows Resource Protection could not perform the requested operatio

    C:\>chkdsk c: /r
    The type of the file system is NTFS.
    Cannot lock current drive.

    Chkdsk cannot run because the volume is in use by another
    process. Chkdsk may run if this volume is dismounted first.
    ALL OPENED HANDLES TO THIS VOLUME WOULD THEN BE INVALID.
    Would you like to force a dismount on this volume? (Y/N) n

    Chkdsk cannot run because the volume is in use by another
    process. Would you like to schedule this volume to be
    checked the next time the system restarts? (Y/N) y

    This volume will be checked the next time the system restarts.

    C:\>chkdsk /r
    The type of the file system is NTFS.
    Cannot lock current drive.

    Chkdsk cannot run because the volume is in use by another
    process. Chkdsk may run if this volume is dismounted first.
    ALL OPENED HANDLES TO THIS VOLUME WOULD THEN BE INVALID.
    Would you like to force a dismount on this volume? (Y/N) y
    Volume dismounted. All opened handles to this volume are now invali
    Volume label is S3A9101D001.

    CHKDSK is verifying files (stage 1 of 5)...
    207360 file records processed.
    File verification completed.
    1508 large file records processed.
    0 bad file records processed.
    2 EA records processed.
    79 reparse records processed.
    CHKDSK is verifying indexes (stage 2 of 5)...
    267756 index entries processed.
    Index verification completed.
    0 unindexed files scanned.
    0 unindexed files recovered.
    CHKDSK is verifying security descriptors (stage 3 of 5)...
    207360 file SDs/SIDs processed.
    Security descriptor verification completed.
    30199 data files processed.
    CHKDSK is verifying Usn Journal...
    36152248 USN bytes processed.
    Usn Journal verification completed.
    CHKDSK is verifying file data (stage 4 of 5)...
    41 percent complete. (48984 of 207344 files processed)
    Windows replaced bad clusters in file 49087
    of name \Users\SALARO~1\AppData\Local\MigWiz\debug.log.
    Windows replaced bad clusters in file 49101
    of name \Users\SALARO~1\AppData\Local\MigWiz\setupact.log.
    207344 files processed.
    File data verification completed.
    CHKDSK is verifying free space (stage 5 of 5)...
    1852617 free clusters processed.
    Free space verification is complete.
    CHKDSK discovered free space marked as allocated in the volume bitma
    Windows has made corrections to the file system.

    112905215 KB total disk space.
    105078964 KB in 149952 files.
    99228 KB in 30200 indexes.
    0 KB in bad sectors.
    316555 KB in use by the system.
    65536 KB occupied by the log file.
    7410468 KB available on disk.

    4096 bytes in each allocation unit.
    28226303 total allocation units on disk.
    1852617 allocation units available on disk.
    Failed to transfer logged messages to the event log with status 50.

    I exited the command prompt and restarted ... same c000021a error.

    Ran the same FRST and following results:

    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:05-03-2016 01
    Ran by SYSTEM on MININT-VG0L7SG (11-04-2016 10:42:59)
    Running from F:\
    Platform: WIN_7 (X86) Language: English (United States)
    Boot Mode: Recovery
    Default: ControlSet001
    ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

    ==================== Registry (Whitelisted) ===========================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Winlogon: [Userinit]
    HKLM\...\Winlogon: [Shell] [x ] () <=== ATTENTION
    HKLM\...\InprocServer32: [Default-wbemess] <==== ATTENTION
    HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] <==== ATTENTION
    HKU\my username\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [6825888 2016-02-29] (SUPERAntiSpyware)
    HKU\my username\...\Run: [Dropbox Update] => C:\Users\my username\AppData\Local\Dropbox\Update\DropboxUpdate.exe [134512 2015-06-21] (Dropbox, Inc.)
    HKU\my username\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [6667992 2016-03-11] (Piriform Ltd)
    HKU\my username\...\Run: [uTorrent] => C:\Users\my username\AppData\Roaming\uTorrent\uTorrent.exe [1959424 2016-04-06] (BitTorrent Inc.)
    HKU\User\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [6667992 2016-03-11] (Piriform Ltd)

    ==================== Services (Whitelisted) ========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    S2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [142648 2014-07-22] (SUPERAntiSpyware.com)
    S2 AgereModemAudio; C:\Program Files\LSI SoftModem\agrsmsvc.exe [14336 2009-03-27] (LSI Corporation)
    S2 ATService; C:\Program Files\Fingerprint Sensor\AtService.exe [1819968 2009-12-17] (AuthenTec, Inc.)
    S3 AvgAMPS; C:\Program Files\AVG\Av\avgamps.exe [604144 2016-03-01] (AVG Technologies CZ, s.r.o.)
    S2 AVGIDSAgent; C:\Program Files\AVG\Av\avgidsagent.exe [3934184 2016-03-01] (AVG Technologies CZ, s.r.o.)
    S2 avgsvc; C:\Program Files\AVG\Framework\Common\avgsvcx.exe [886032 2016-03-22] (AVG Technologies CZ, s.r.o.)
    S2 avgwd; C:\Program Files\AVG\Av\avgwdsvcx.exe [561104 2016-03-01] (AVG Technologies CZ, s.r.o.)
    S2 cfWiMAXService; C:\Program Files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe [185712 2009-10-27] (TOSHIBA CORPORATION)
    S2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX86\OfficeClickToRun.exe [1916656 2016-02-08] (Microsoft Corporation)
    S2 ConfigFree Service; C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe [46448 2009-03-10] (TOSHIBA CORPORATION)
    S4 MSSQLServerADHelper; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [44384 2010-12-09] (Microsoft Corporation)
    S2 MYOB AccountRight Library; C:\Program Files\MYOB\AccountRight\Servers\Huxley.Library.WindowsService.exe [17752 2014-03-23] (MYOB Technology Pty Ltd)
    S2 MYOB AccountRight Server 2014.1; C:\Program Files\MYOB\AccountRight\2014.1\NZ\Huxley.Server.WindowsService.exe [15192 2014-03-23] (MYOB Technology Pty Ltd)
    S2 MYOB AccountRight Server Locator; C:\Program Files\MYOB\AccountRight\Servers\Huxley.ServerLocator.WindowsService.exe [16216 2014-03-23] (MYOB Technology Pty Ltd)
    S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [211216 2010-01-18] ()
    S2 RSELSVC; C:\Program Files\TOSHIBA\RSelect\RSelSvc.exe [62832 2009-07-07] (TOSHIBA Corporation)
    S3 TMachInfo; C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [51512 2009-10-06] (TOSHIBA Corporation)
    S2 TOSHIBA eco Utility Service; C:\Program Files\TOSHIBA\TECO\TecoService.exe [238960 2009-12-22] (TOSHIBA Corporation)
    S3 TOSHIBA HDD SSD Alert Service; C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [111960 2009-12-24] (TOSHIBA Corporation)
    S3 TPCHSrv; C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe [677232 2009-12-24] (TOSHIBA Corporation)
    S2 TTPDSrv; C:\windows\System32\TTPDSRV.exe [73728 2007-11-07] (TOSHIBA Corporation)
    S2 TTService; C:\Program Files\TorrentsTime Media Player\bin\TTService.exe [3543576 2016-02-15] (TorrentsTime)
    S2 vToolbarUpdater40.2.8; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\40.2.8\ToolbarUpdater.exe [1957448 2016-03-24] (AVG Secure Search)
    S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-26] (Microsoft Corporation)
    S2 WtuSystemSupport; C:\Program Files\AVG Web TuneUp\WtuSystemSupport.exe [1216584 2016-03-24] ()

    ===================== Drivers (Whitelisted) ==========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    S1 Avgdiskx; C:\Windows\System32\DRIVERS\avgdiskx.sys [149936 2015-11-05] (AVG Technologies CZ, s.r.o.)
    S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [256432 2016-01-25] (AVG Technologies CZ, s.r.o.)
    S0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [207792 2016-01-25] (AVG Technologies CZ, s.r.o.)
    S1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [31664 2015-11-19] (AVG Technologies CZ, s.r.o.)
    S1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [229296 2015-10-20] (AVG Technologies CZ, s.r.o.)
    S0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [297904 2016-02-02] (AVG Technologies CZ, s.r.o.)
    S0 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [205744 2016-03-01] (AVG Technologies CZ, s.r.o.)
    S0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [37296 2015-12-03] (AVG Technologies CZ, s.r.o.)
    S1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [231856 2015-10-07] (AVG Technologies CZ, s.r.o.)
    S0 Avgunivx; C:\Windows\System32\DRIVERS\avgunivx.sys [23472 2016-01-07] (AVG Technologies CZ, s.r.o.)
    S3 PGEffect; C:\Windows\System32\DRIVERS\pgeffect.sys [24064 2009-06-22] (TOSHIBA Corporation)
    S2 risdpcie; C:\Windows\System32\DRIVERS\risdpe86.sys [49152 2009-07-28] (REDC)
    S2 rixdpcie; C:\Windows\System32\DRIVERS\rixdpe86.sys [45056 2011-04-25] (REDC)
    S1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
    S1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
    S2 TVALZFL; C:\Windows\System32\DRIVERS\TVALZFL.sys [12920 2009-06-19] (TOSHIBA Corporation)
    S3 wisdpen; C:\Windows\System32\DRIVERS\wisdpen.sys [37232 2011-01-03] (Wacom Technology)
    S3 lmimirr; system32\DRIVERS\lmimirr.sys [X]

    ==================== NetSvcs (Whitelisted) ===================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


    ==================== One Month Created files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2016-04-11 09:59 - 2016-04-11 10:11 - 00028672 _____ C:\BCD_Backup
    2016-04-10 14:56 - 2016-04-11 10:42 - 00000000 ____D C:\FRST
    2016-04-09 18:53 - 2016-04-09 19:14 - 00527914 _____ C:\Windows\ntbtlog.txt
    2016-04-08 21:42 - 2016-04-08 22:44 - 00011443 _____ C:\Users\my username\Documents\What I want specifically.xlsx
    2016-04-08 21:42 - 2016-04-08 21:42 - 00000165 ____H C:\Users\my username\Documents\~$What I want specifically.xlsx
    2016-04-07 22:29 - 2016-04-07 22:29 - 00181160 _____ C:\Users\my username\Documents\Rolani resignation letters.pdf
    2016-04-07 21:27 - 2016-04-07 21:27 - 00634269 _____ C:\Users\my username\Documents\printer output 'confiden_001.pdf
    2016-04-07 18:57 - 2016-04-07 18:57 - 00017815 _____ C:\Users\my username\Documents\Vetting result request as at 8Apr16.xlsx
    2016-04-07 18:41 - 2016-04-07 18:41 - 00104173 _____ C:\Users\my username\Documents\IF DD Cancellation 8Apr16.pdf
    2016-04-07 16:02 - 2016-04-07 16:02 - 00034759 _____ C:\Users\my username\Documents\Final pay report Tilly.pdf
    2016-04-07 16:01 - 2016-04-07 16:01 - 00038633 _____ C:\Users\my username\Documents\Final pay report Agnes 0403.16.pdf
    2016-04-07 16:01 - 2016-04-07 16:01 - 00036369 _____ C:\Users\my username\Documents\Final pay report Rolani 04.03.16.pdf
    2016-04-07 16:01 - 2016-04-07 16:01 - 00030236 _____ C:\Users\my username\Documents\Final pay report Layne.pdf
    2016-04-07 15:13 - 2016-04-09 04:23 - 00000000 ____D C:\Users\my username\AppData\LocalLow\uTorrent
    2016-04-06 21:54 - 2016-04-06 21:54 - 00000000 __RHD C:\MSOCache
    2016-04-05 21:17 - 2016-04-05 21:19 - 00104246 _____ C:\Users\my username\Documents\Leave Form 6Apr16.xlsx
    2016-04-04 03:07 - 2016-04-04 03:09 - 00011863 _____ C:\Users\my username\Documents\Master Work Task List.xlsx
    2016-04-03 22:02 - 2016-04-04 12:22 - 00011139 _____ C:\Users\my username\Documents\What do I want from the Sedona Method.xlsx
    2016-04-03 22:02 - 2016-04-03 22:02 - 00000165 ____H C:\Users\my username\Documents\~$What do I want from the Sedona Method.xlsx
    2016-04-03 02:58 - 2016-04-03 02:58 - 00059728 _____ C:\Users\my username\Documents\Police Vet and file notes M Lulu.pdf
    2016-04-03 02:57 - 2016-04-03 02:57 - 00150769 _____ C:\Users\my username\Documents\Police Vet reports.pdf
    2016-04-03 02:27 - 2016-04-03 02:27 - 00552102 _____ C:\Users\my username\Documents\46372 VT progress report.pdf
    2016-04-03 02:21 - 2016-04-03 02:21 - 00233477 _____ C:\Users\my username\Documents\Management Mentor Teachers and Network Leaders Meeting 29th March 2016.pdf
    2016-04-03 00:48 - 2016-04-03 00:48 - 00955839 _____ C:\Users\my username\Documents\mataese info_001.pdf
    2016-04-03 00:47 - 2016-04-03 00:47 - 00847859 _____ C:\Users\my username\Documents\leise info_001.pdf
    2016-04-02 20:44 - 2016-04-02 20:49 - 00011705 _____ C:\Users\my username\Documents\Completing.xlsx
    2016-04-02 10:57 - 2016-04-03 21:55 - 00001074 _____ C:\Users\my username\Documents\Daily affirmation.txt
    2016-04-01 11:15 - 2016-04-01 11:15 - 00000000 ____D C:\Users\Test\Documents\Custom Office Templates
    2016-04-01 11:15 - 2016-04-01 11:15 - 00000000 ____D C:\Users\Test\AppData\Roaming\TFPU
    2016-04-01 11:14 - 2016-04-01 11:14 - 00113080 _____ C:\Users\Test\AppData\Local\GDIPFONTCACHEV1.DAT
    2016-04-01 11:14 - 2016-04-01 11:14 - 00000000 ____D C:\Users\Test\AppData\Roaming\Intel Corporation
    2016-04-01 11:14 - 2016-04-01 11:14 - 00000000 ____D C:\Users\Test\AppData\Roaming\Intel
    2016-04-01 11:14 - 2016-04-01 11:14 - 00000000 ____D C:\Users\Test\AppData\Roaming\AVG
    2016-04-01 11:14 - 2016-04-01 11:14 - 00000000 ____D C:\Users\Test\AppData\Local\Google
    2016-04-01 11:14 - 2016-04-01 11:14 - 00000000 ____D C:\Users\Test\AppData\Local\AVG Web TuneUp
    2016-04-01 11:14 - 2016-04-01 11:14 - 00000000 ____D C:\Users\Test\AppData\Local\Avg
    2016-04-01 11:13 - 2016-04-01 11:14 - 00000000 ____D C:\users\Test
    2016-04-01 11:13 - 2016-04-01 11:13 - 00000020 ___SH C:\Users\Test\ntuser.ini
    2016-04-01 11:13 - 2016-04-01 11:13 - 00000000 _SHDL C:\Users\Test\My Documents
    2016-04-01 11:13 - 2016-04-01 11:13 - 00000000 _SHDL C:\Users\Test\Documents\My Videos
    2016-04-01 11:13 - 2016-04-01 11:13 - 00000000 _SHDL C:\Users\Test\Documents\My Pictures
    2016-04-01 11:13 - 2016-04-01 11:13 - 00000000 _SHDL C:\Users\Test\Documents\My Music
    2016-04-01 11:13 - 2016-04-01 11:13 - 00000000 ____D C:\Users\Test\AppData\Roaming\Adobe
    2016-04-01 11:13 - 2016-04-01 11:13 - 00000000 ____D C:\Users\Test\AppData\Local\VirtualStore
    2016-04-01 11:13 - 2014-08-11 13:57 - 00000000 ____D C:\Users\Test\AppData\Local\Microsoft Help
    2016-04-01 11:13 - 2014-03-31 20:31 - 00000000 ____D C:\Users\Test\AppData\Roaming\TuneUp Software
    2016-04-01 11:13 - 2009-07-13 23:49 - 00000000 ____D C:\Users\Test\AppData\Roaming\Media Center Programs
    2016-04-01 10:54 - 2016-04-01 10:54 - 00000000 ____D C:\Program Files\Common Files\DESIGNER
    2016-04-01 03:38 - 2016-04-01 10:56 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
    2016-04-01 03:38 - 2016-04-01 03:38 - 00000000 ____D C:\Program Files\Microsoft Office
    2016-04-01 03:34 - 2016-04-01 03:35 - 00000000 ____D C:\Program Files\Microsoft Office 15
    2016-04-01 03:02 - 2016-04-01 03:02 - 00390464 _____ C:\Users\my username\Documents\MoE Appendices 1Apr16.pdf
    2016-04-01 00:45 - 2016-04-01 00:45 - 00049845 ____H C:\Users\my username\Documents\~WRL0487.tmp
    2016-04-01 00:42 - 2016-04-01 00:42 - 00264457 _____ C:\Users\my username\Documents\HS22FirstAidQual Puafiti Fetoai 1Apr16.pdf
    2016-04-01 00:03 - 2016-04-01 00:03 - 00000000 __SHD C:\found.004
    2016-03-31 23:16 - 2016-04-07 19:53 - 00000000 ____D C:\Users\my username\Documents\Facebook pics
    2016-03-31 17:44 - 2016-03-31 17:44 - 00000000 ___DC C:\Users\my username\AppData\Local\MigWiz
    2016-03-31 16:06 - 2016-03-31 16:06 - 00591067 _____ C:\Users\my username\Documents\Code of Conduct HNZ.pdf
    2016-03-31 11:54 - 2016-03-31 11:54 - 00000874 _____ C:\Users\my username\Documents\Clarity is power.txt
    2016-03-30 22:22 - 2016-03-30 22:22 - 00089696 _____ C:\Users\my username\Documents\19 December 2014 Mo Tatou - Measina docx 1.pdf
    2016-03-30 17:45 - 2016-03-30 17:45 - 00000000 __SHD C:\found.003
    2016-03-29 19:35 - 2016-03-29 19:35 - 00077650 _____ C:\Users\my username\Documents\Sign in sheet process 30Mar16.pptx
    2016-03-28 23:11 - 2016-03-28 23:11 - 04943309 _____ C:\Users\my username\Documents\Sign in sheet sample.pdf
    2016-03-28 13:09 - 2016-03-28 13:09 - 00245284 _____ C:\Users\my username\Documents\Primary - Kiwibank Internet Banking.pdf
    2016-03-27 17:12 - 2016-03-27 17:14 - 00000574 _____ C:\Users\my username\Documents\to do list.txt
    2016-03-27 16:01 - 2016-03-27 16:01 - 00001022 _____ C:\Users\Public\Desktop\EPUB File Reader.lnk
    2016-03-27 16:01 - 2016-03-27 16:01 - 00000000 ____D C:\Program Files\EPUB File Reader
    2016-03-27 02:00 - 2016-04-02 20:03 - 00024079 _____ C:\Users\my username\Documents\Life Purpose exercise Roseanne.xlsx
    2016-03-27 02:00 - 2016-03-27 02:00 - 00000165 ____H C:\Users\my username\Documents\~$Life Purpose exercise Roseanne.xlsx
    2016-03-26 00:05 - 2016-04-04 12:19 - 00014555 _____ C:\Users\my username\Documents\Success is a learned behaviour Roseanne.xlsx
    2016-03-25 13:22 - 2016-03-25 13:22 - 02941439 _____ C:\Users\my username\Documents\tuivaiti ex 1 26mar16.wma
    2016-03-25 13:03 - 2016-03-25 13:03 - 00013530 _____ C:\Users\my username\Desktop\TSP30DayJourney - Shortcut.lnk
    2016-03-24 23:29 - 2016-03-24 23:29 - 00106136 _____ C:\Users\my username\Documents\Tina Manase Final Payslip.pdf
    2016-03-24 23:28 - 2016-03-24 23:28 - 00047939 _____ C:\Users\my username\Documents\Final Payslip Tina Manase.pdf
    2016-03-24 22:55 - 2016-03-24 22:55 - 00024330 _____ C:\Users\my username\Documents\Tina Manase leave report.pdf
    2016-03-23 17:02 - 2016-03-23 17:02 - 00072585 _____ C:\Users\my username\Documents\Final Pay details Rolani Moasegi.pdf
    2016-03-23 17:02 - 2016-03-23 17:02 - 00027377 _____ C:\Users\my username\Documents\Annual leave report prior to adjustments.pdf
    2016-03-23 17:01 - 2016-03-23 17:01 - 00221629 _____ C:\Users\my username\Documents\Rolani Moasegi recalculations and adjustments.pdf
    2016-03-23 17:01 - 2016-03-23 17:01 - 00193042 _____ C:\Users\my username\Documents\Rolani Moasegi timesheets.pdf
    2016-03-23 17:01 - 2016-03-23 17:01 - 00114743 _____ C:\Users\my username\Documents\Rolani Moasegi Payslips prior to resignation.pdf
    2016-03-23 17:00 - 2016-03-23 17:00 - 00035124 _____ C:\Users\my username\Documents\Payment Summary Rolani Moasegi.pdf
    2016-03-23 16:29 - 2016-03-23 16:29 - 00204380 _____ C:\Users\my username\Documents\Payment summaries for Resigned Auckland Staff.pdf
    2016-03-23 16:28 - 2016-03-23 16:28 - 00010101 _____ C:\Users\my username\Documents\PaySlips20160103Rolani.pdf
    2016-03-23 16:28 - 2016-03-23 16:28 - 00009932 _____ C:\Users\my username\Documents\PaySummary20160103Rolan.pdf
    2016-03-23 14:47 - 2016-03-23 14:47 - 00196795 _____ C:\Users\my username\Documents\NZ Print Invoice.pdf
    2016-03-22 15:35 - 2016-03-22 15:35 - 00076774 _____ C:\Users\my username\Documents\Flow Chart for becoming an Educator 23Mar16.pptx
    2016-03-21 16:30 - 2016-03-21 16:30 - 00235031 _____ C:\Users\my username\Documents\Tilly Sa wage records.pdf
    2016-03-21 16:21 - 2016-03-21 16:21 - 00063158 _____ C:\Users\my username\Documents\payrollDetailedReport.pdf
    2016-03-21 16:18 - 2016-03-21 16:18 - 00177740 _____ C:\Users\my username\Documents\Agnes Kapisi Sevi Pay History.pdf
    2016-03-21 13:17 - 2016-03-21 13:17 - 00146581 _____ C:\Users\my username\Documents\Ministry of Education EC20 outcome.pdf
    2016-03-19 17:54 - 2016-03-19 17:54 - 00346970 _____ C:\Users\my username\Documents\APIA CENTRAL HOTEL SAMOA _ ROOMS 20Mar16.pdf
    2016-03-16 11:58 - 2016-03-16 11:58 - 00009963 _____ C:\Users\my username\Documents\Vaosefa Lesa reimbursement 2Mar16.pdf
    2016-03-16 11:22 - 2016-03-16 11:22 - 00099605 _____ C:\Users\my username\Documents\46494 EC20.pdf
    2016-03-16 00:36 - 2016-04-02 01:51 - 00000000 ____D C:\Users\my username\AppData\Roaming\dvdcss
    2016-03-14 22:19 - 2016-03-14 22:19 - 00017358 _____ C:\Users\my username\Documents\Malaeola Reimbursements due 16MAR16.xlsb
    2016-03-14 18:25 - 2016-03-14 18:25 - 00010248 _____ C:\Users\my username\Documents\Payroll 15Mar16.xlsx
    2016-03-14 11:15 - 2016-03-14 11:16 - 00000000 ____D C:\ProgramData\Avg_Update_0316tb
    2016-03-14 00:47 - 2016-03-14 00:47 - 00000282 _____ C:\Users\my username\Documents\Children to transfer from Nafoaga to Maninoa.txt
    2016-03-13 19:04 - 2016-03-13 19:06 - 00000000 ____D C:\Users\my username\Desktop\46494 EC20
    2016-03-13 18:43 - 2016-03-13 18:43 - 00301501 _____ C:\Users\my username\Documents\Attendance Hours 46494.pdf
    2016-03-13 16:04 - 2016-03-13 16:04 - 00082870 _____ C:\Users\my username\Updated 12Mar16 Consolidated Children list.xlsx
    2016-03-13 13:13 - 2016-03-13 14:40 - 00011353 _____ C:\Users\my username\Documents\Staff contact details 14Mar16.xlsx
    2016-03-13 12:18 - 2016-03-13 12:19 - 00020906 _____ C:\Users\my username\Malaeola Attendance 2016-01-25 to 2016-02-01.xlsx
    2016-03-13 02:42 - 2016-03-13 02:42 - 00189074 _____ C:\Users\my username\Documents\Le Manumea Internet Access.pptx
    2016-03-12 13:42 - 2016-03-14 00:47 - 00000863 _____ C:\Users\my username\Documents\APT for EC20 process.txt
    2016-03-12 00:21 - 2016-03-28 15:14 - 00001895 _____ C:\Users\my username\Documents\letter to Rob and Zechariah.txt
    2016-03-12 00:07 - 2016-03-12 00:07 - 172407050 _____ C:\Users\my username\Documents\Remote Desktop Redirected Printer Doc.pdf

    ==================== One Month Modified files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2016-04-11 09:58 - 2015-07-17 18:25 - 00000000 ____D C:\Users\my username\Downloads\Movies
    2016-04-10 15:03 - 2014-11-05 14:24 - 00000000 ____D C:\Program Files\AVG Web TuneUp
    2016-04-10 15:03 - 2014-06-08 02:08 - 00000000 ____D C:\Users\User\AppData\OICE_15_974FA576_32C1D314_1E77
    2016-04-10 15:03 - 2014-06-08 02:06 - 00000000 ____D C:\Users\User\AppData\OICE_15_974FA576_32C1D314_3D1E
    2016-04-10 15:03 - 2014-05-04 00:48 - 00000000 ____D C:\Users\User\AppData\OICE_15_974FA576_32C1D314_1E6B
    2016-04-09 05:08 - 2014-08-31 02:07 - 00000000 ____D C:\Users\my username\AppData\Roaming\uTorrent
    2016-04-09 04:34 - 2015-03-16 03:22 - 00000000 ____D C:\Users\my username\AppData\Roaming\vlc
    2016-04-09 04:31 - 2009-07-13 20:34 - 00022208 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2016-04-09 04:31 - 2009-07-13 20:34 - 00022208 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2016-04-09 04:30 - 2010-01-14 05:23 - 00006388 _____ C:\Windows\System32\PerfStringBackup.INI
    2016-04-09 04:17 - 2014-07-15 15:39 - 00000000 ___RD C:\Users\my username\Dropbox
    2016-04-09 04:06 - 2010-09-12 05:33 - 00000000 ____D C:\ProgramData\MFAData
    2016-04-08 20:57 - 2014-06-24 12:10 - 00000000 ____D C:\Users\my username\Documents\Outlook Files
    2016-04-08 16:01 - 2014-07-20 12:21 - 00797376 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2016-04-08 16:01 - 2014-07-20 12:21 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2016-04-07 20:05 - 2014-08-30 19:28 - 00311740 _____ C:\Users\my username\Documents\Learning taking place signs.pptx
    2016-04-07 18:48 - 2015-06-05 04:02 - 00000000 ____D C:\Users\my username\Documents\Word files
    2016-04-05 04:30 - 2014-06-24 12:08 - 00000000 ____D C:\users\my username
    2016-04-03 23:18 - 2014-11-24 12:55 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
    2016-04-02 10:57 - 2014-09-11 18:37 - 00000000 ____D C:\Users\my username\AppData\Local\CrashDumps
    2016-04-02 01:54 - 2009-07-13 20:33 - 00434240 _____ C:\Windows\System32\FNTCACHE.DAT
    2016-04-01 11:08 - 2014-08-16 20:00 - 00000000 ____D C:\Users\my username\AppData\Local\ElevatedDiagnostics
    2016-04-01 10:55 - 2009-07-13 18:37 - 00000000 ____D C:\Program Files\Common Files\microsoft shared
    2016-04-01 03:23 - 2009-07-13 20:52 - 00000000 ____D C:\Windows\System32\FxsTmp
    2016-03-31 17:46 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\registration
    2016-03-30 16:05 - 2015-07-17 17:27 - 00002100 _____ C:\Users\Public\Desktop\Google Chrome.lnk
    2016-03-28 13:09 - 2014-11-06 13:07 - 00000000 ____D C:\Users\my username\AppData\Local\CutePDF Writer
    2016-03-28 12:47 - 2016-02-01 01:27 - 00000000 ____D C:\Users\my username\Documents\IR Letter
    2016-03-26 02:54 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\inf
    2016-03-26 02:35 - 2015-03-15 17:45 - 00000936 _____ C:\Users\Public\Desktop\CCleaner.lnk
    2016-03-24 21:15 - 2014-11-05 14:24 - 00000000 ____D C:\ProgramData\AVG Web TuneUp
    2016-03-24 11:08 - 2015-04-04 06:00 - 00000000 ___SD C:\Windows\System32\GWX
    2016-03-20 23:54 - 2014-07-15 15:36 - 00000000 ____D C:\Users\my username\AppData\Roaming\Dropbox
    2016-03-20 17:54 - 2014-09-08 15:48 - 00137364 _____ C:\Users\my username\Documents\Learning taking place signs Ia Taaui Measina.pptx
    2016-03-16 12:55 - 2015-12-10 11:31 - 00000000 ____D C:\Users\my username\Documents\Finance docs
    2016-03-16 12:23 - 2016-02-16 10:48 - 00000000 ____D C:\Users\my username\Desktop\Auckland 17Feb16
    2016-03-15 13:08 - 2015-10-24 00:40 - 00000877 _____ C:\Users\Public\Desktop\AVG Protection.lnk
    2016-03-15 03:21 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\rescache
    2016-03-15 02:03 - 2016-03-10 02:00 - 00011485 _____ C:\Users\my username\Documents\Nafoaga reimbursements due 16Mar16.xlsb
    2016-03-15 01:55 - 2016-03-10 02:01 - 00011486 _____ C:\Users\my username\Documents\Maninoa reimbursements due 16Mar16.xlsb
    2016-03-13 18:37 - 2016-03-11 13:51 - 00095783 _____ C:\Users\my username\12Mar16 Consolidated Children list.xlsx
    2016-03-13 02:52 - 2015-12-07 12:13 - 00016276 _____ C:\Users\my username\Documents\Staff timesheet as at 8Dec2015.xlsx

    ==================== Known DLLs (Whitelisted) =========================


    ==================== Bamital & volsnap =================

    (There is no automatic fix for files that do not pass verification.)

    C:\Windows\explorer.exe
    [2016-02-09 17:21] - [2016-01-21 21:12] - 2973184 ____A (Microsoft Corporation) 2A156D5EBF221EF2A6AE7CE452324DAC

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe
    [2015-05-12 13:09] - [2015-04-12 19:19] - 0259072 ____A (Microsoft Corporation) 0780A42DBD7D9969F9BF4A19AA4285B5

    C:\Windows\System32\User32.dll
    [2015-12-08 19:43] - [2015-11-10 10:39] - 0811520 ____A (Microsoft Corporation) 4C5A23AE4F5157F579C89736EA5D42CE

    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit
    C:\Windows\System32\dnsapi.dll => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE Association (Whitelisted) =============



    HKLM\...\.exe: => <===== ATTENTION
    HKLM\...\exefile\DefaultIcon: <===== ATTENTION
    HKLM\...\exefile\open\command: <===== ATTENTION

    ==================== Restore Points =========================


    ==================== Memory info ===========================

    Percentage of memory in use: 13%
    Total physical RAM: 3824.43 MB
    Available physical RAM: 3316.42 MB
    Total Virtual: 3822.7 MB
    Available Virtual: 3320.11 MB

    ==================== Drives ================================

    Drive c: (S3A9101D001) (Fixed) (Total:107.67 GB) (Free:7.06 GB) NTFS
    Drive d: (System) (Fixed) (Total:1.46 GB) (Free:1.29 GB) NTFS ==>[system with boot components (obtained from drive)]
    Drive f: () (Removable) (Total:7.45 GB) (Free:2.55 GB) FAT32
    Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (MBR Code: Windows 7 or 8) (Size: 119.2 GB) (Disk ID: 5FD58A2C)
    Partition 1: (Active) - (Size=1.5 GB) - (Type=27)
    Partition 2: (Not Active) - (Size=107.7 GB) - (Type=07 NTFS)
    Partition 3: (Not Active) - (Size=10.1 GB) - (Type=17)

    ========================================================
    Disk: 1 (Size: 7.5 GB) (Disk ID: 00000000)

    Partition: GPT.


    LastRegBack: 2016-04-09 00:41

    ==================== End of FRST.txt ============================

    I couldn't execute the remaining instructions as broni had indicated they were specific to that user.
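
As an added example (not part of the original thread and not FRST's own code), the script below triages the "Bamital & volsnap" and "EXE Association" sections of the log posted above: it collects the lines FRST flagged with ATTENTION and separates system files marked `MD5 is legit` from those printed with their properties instead. The function and field names are this example's own, and reading every file without the marker as "verify by hand" is an assumption about how to interpret that section.

```python
import re

# Excerpt of the FRST.txt lines posted above, embedded so the script runs offline.
SAMPLE_LOG = r"""
==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe
[2016-02-09 17:21] - [2016-01-21 21:12] - 2973184 ____A (Microsoft Corporation) 2A156D5EBF221EF2A6AE7CE452324DAC

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe
[2015-05-12 13:09] - [2015-04-12 19:19] - 0259072 ____A (Microsoft Corporation) 0780A42DBD7D9969F9BF4A19AA4285B5

C:\Windows\System32\User32.dll
[2015-12-08 19:43] - [2015-11-10 10:39] - 0811520 ____A (Microsoft Corporation) 4C5A23AE4F5157F579C89736EA5D42CE

C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\dnsapi.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE Association (Whitelisted) =============

HKLM\...\.exe: => <===== ATTENTION
HKLM\...\exefile\DefaultIcon: <===== ATTENTION
HKLM\...\exefile\open\command: <===== ATTENTION

==================== Restore Points =========================
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")        # "===== Name ====="
ATTENTION_RE = re.compile(r"\s*<=+\s*ATTENTION\s*$")  # flag appended by the tool
LEGIT_SUFFIX = "=> MD5 is legit"
# "[created] - [modified] - size attrs (company) MD5", printed under a file path
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"\S+ (?:\((?P<company>[^)]*)\) )?(?P<md5>[0-9A-Fa-f]{32})$"
)


def triage(log_text):
    """Return ATTENTION entries plus verified/unverified system files."""
    report = {"attention": [], "verified": [], "unverified": []}
    section = None
    pending = None  # path seen without the "MD5 is legit" marker

    def flush(detail=None):
        # Record the pending path, with its properties when a detail line followed.
        nonlocal pending
        if pending:
            entry = {"path": pending, "md5": None, "size": None, "company": None}
            if detail:
                entry.update(md5=detail["md5"].upper(), size=int(detail["size"]),
                             company=detail["company"])
            report["unverified"].append(entry)
        pending = None

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            flush()
            section = header.group(1) or section
            continue
        if ATTENTION_RE.search(line):
            report["attention"].append((section, ATTENTION_RE.sub("", line)))
            continue
        # Only the Bamital section lists files; skip its parenthesised note.
        if not (section or "").startswith("Bamital") or line.startswith("("):
            continue
        if line.endswith(LEGIT_SUFFIX):
            flush()
            report["verified"].append(line[: -len(LEGIT_SUFFIX)].strip())
            continue
        detail = DETAIL_RE.match(line)
        if detail:
            flush(detail)
        else:
            flush()          # a path with no detail line is still reported
            pending = line
    flush()
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for section, entry in result["attention"]:
        print(f"ATTENTION [{section}] {entry}")
    for item in result["unverified"]:
        print(f"VERIFY BY HAND {item['path']} md5={item['md5']} size={item['size']}")
    print(f"{len(result['verified'])} files reported as 'MD5 is legit'")
```

An entry under "verify by hand" means only that the log printed no `MD5 is legit` marker for it; compare the hash with a known-good copy of the same file version before drawing conclusions.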
     
  5. 2016/04/11
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ===========================

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    On Vista or Windows 7/8: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the OTLPE CD.
    Run FRST (FRST64) and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    See if you can boot normally.
     


  6. 2016/04/12
    mia4sanne

    mia4sanne New Member Thread Starter

    Hi Broni

    Thank you for your help. I followed the directions as provided:

    Downloaded the attached fixlist.txt file and saved it to my USB.
    Entered System Recovery Options.
    Ran FRST and pressed the Fix button just once.
    The fixlog.txt was displayed on completion and saved to the USB.

    I then tried to boot normally - same error: C000021a.

    Please find fixlog.txt details below:

    Fix result of Farbar Recovery Scan Tool (x86) Version:05-03-2016 01
    Ran by SYSTEM (2016-04-12 17:17:39) Run:1
    Running from F:\
    Boot Mode: Recovery

    ==============================================

    fixlist content:
    *****************
    HKLM\...\Winlogon: [Shell] [x ] () <=== ATTENTION
    HKLM\...\InprocServer32: [Default-wbemess] <==== ATTENTION
    HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] <==== ATTENTION
    S3 lmimirr; system32\DRIVERS\lmimirr.sys [X]
    HKLM\...\.exe: => <===== ATTENTION
    HKLM\...\exefile\DefaultIcon: <===== ATTENTION
    HKLM\...\exefile\open\command: <===== ATTENTION

    *****************

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value restored successfully
    HKLM\Software\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32\\Default => value restored successfully
    HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => value restored successfully
    lmimirr => service removed successfully.
    HKLM\Software\Classes\.exe\\Default => value restored successfully
    HKLM\Software\Classes\exefile\DefaultIcon\\Default => value restored successfully
    HKLM\Software\Classes\exefile\shell\open\command\\Default => value restored successfully

    ==== End of Fixlog 17:17:39 ====
     
  7. 2016/04/12
    broni

    broni Moderator Malware Analyst

    Please post fresh FRST log.
     
  8. 2016/04/12
    broni

    broni Moderator Malware Analyst

    In your new log I don't see anything malicious so let's try one more fix...

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    On Vista or Windows 7/8: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the OTLPE CD.
    Run FRST (FRST64) and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    See if you can boot normally.
     


  9. 2016/04/12
    mia4sanne

    mia4sanne New Member Thread Starter

    Yay! You're an absolute gem Broni ... I'm logged into my laptop and everything is still there.

    Is there anything further I need to do?

    Fix result of Farbar Recovery Scan Tool (x86) Version:05-03-2016 01
    Ran by SYSTEM (2016-04-13 12:03:05) Run:2
    Running from F:\
    Boot Mode: Recovery

    ==============================================

    fixlist content:
    *****************
    LastRegBack: 2016-04-09 00:41
    *****************

    DEFAULT => copied successfully to System32\config\HiveBackup
    DEFAULT => restored successfully from registry back up
    SAM => copied successfully to System32\config\HiveBackup
    SAM => restored successfully from registry back up
    SECURITY => copied successfully to System32\config\HiveBackup
    SECURITY => restored successfully from registry back up
    SOFTWARE => copied successfully to System32\config\HiveBackup
    SOFTWARE => restored successfully from registry back up
    SYSTEM => copied successfully to System32\config\HiveBackup
    SYSTEM => restored successfully from registry back up

    ==== End of Fixlog 12:03:08 ====
     
  10. 2016/04/12
    broni

    broni Moderator Malware Analyst

    Great news :)

    Let's run some more scans just to make sure...

    Download RogueKiller from one of the following links and save it to your Desktop:

    Link 1
    Link 2
    • Close all the running programs
    • Windows Vista/7/8 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few more times. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.
    Please download Malwarebytes Anti-Malware (MBAM) to your desktop.
    NOTE. If you already have MBAM 2.0 installed scroll down.
    • Double-click mbam-setup-2.0.0.1000.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
    • Click Finish.
    • On the Dashboard, click the 'Update Now >>' link
    • After the update completes, click the 'Scan Now >>' button.
    • Or, on the Dashboard, click the Scan Now >> button.
    • If an update is available, click the Update Now button.
    • A Threat Scan will begin.
    • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
    • In most cases, a restart will be required.
    • Wait for the prompt to restart the computer to appear, then click on Yes.
    If you already have MBAM 2.0 installed:
    • On the Dashboard, click the 'Update Now >>' link
    • After the update completes, click the 'Scan Now >>' button.
    • Or, on the Dashboard, click the Scan Now >> button.
    • If an update is available, click the Update Now button.
    • A Threat Scan will begin.
    • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
    • In most cases, a restart will be required.
    • Wait for the prompt to restart the computer to appear, then click on Yes.
    How to get logs:
    (Export log to save as txt)
    • After the restart once you are back at your desktop, open MBAM once more.
    • Click on the History tab > Application Logs.
    • Double click on the Scan Log which shows the Date and time of the scan just performed.
    • Click 'Export'.
    • Click 'Text file (*.txt)'
    • In the Save File dialog box which appears, click on Desktop.
    • In the File name: box type a name for your scan log.
    • A message box named 'File Saved' should appear stating "Your file has been successfully exported".
    • Click Ok
    • Attach that saved log to your next reply.
    (Copy to clipboard for pasting into forum replies or tickets)
    • After the restart once you are back at your desktop, open MBAM once more.
    • Click on the History tab > Application Logs.
    • Double click on the Scan Log which shows the Date and time of the scan just performed.
    • Click 'Copy to Clipboard'
    • Paste the contents of the clipboard into your reply.
    Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on Scan button.
    • When the scan has finished click on Clean button.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the contents of that logfile with your next reply.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.
    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.
     
  11. 2016/04/13
    broni

    broni Moderator Malware Analyst

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Very Important! Temporarily disable your anti-virus and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
      If the connection is not there use restore point you created prior to running Combofix.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following...

    Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    Restart computer in safe mode

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Windows Vista, 7 or 8 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    When the scan is done Notepad will open with rKill.txt log.
    NOTE. rKill.txt log will also be present on your desktop.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
     
  12. 2016/04/18
    broni

    broni Moderator Malware Analyst

    Still with me?
     
  13. 2016/04/23
    broni

    broni Moderator Malware Analyst

    This topic is marked as abandoned and closed due to inactivity.

    This member will NOT be eligible to receive any more help in malware removal forum.
     