Solved Error during startup: Stop: c000021a (Fatal System Error)

Discussion in 'Malware and Virus Removal Archive' started by jharry, 2015/02/07.

  1. 2015/02/07, jharry (Thread Starter)
    [Solved] Error during startup: Stop: c000021a (Fatal System Error)

    My laptop failed to start up. Following is a list of the screens (messages) encountered during startup of Windows 7.

    Screen 1:
    Stop: c000021a (Fatal System Error)
    The initial session process or system process terminated unexpectedly with a status of 0x00000000 (0xc0000001 0x000106c8).
    The system has been shut down.

    Screen 2: (after Startup Repair ran for several minutes)
    Startup Repair cannot repair this computer automatically
    Sending more information can help Microsoft create solutions.
    -> Send information about this problem (recommended)
    -> Don't send
    view problem details

    I selected the "send information" option, but the information was probably not sent, because due to the system error there was no internet connection.

    Screen 3: (after selecting "view problem details")
    Problem signatures:
    Problem Event Name: StartupRepairOffline
    Problem Signature 01: 6.1.7600.16385
    Problem Signature 02: 6.1.7600.16385
    Problem Signature 03: unknown
    Problem Signature 04: -1
    Problem Signature 05: Auto Failover
    Problem Signature 06: 9
    Problem Signature 07: NoRootCause
    OS Version: 6.1.7600.2.0.0.256.1
    Locale ID: 1033

    Screen 4:
    Windows cannot repair this computer automatically
    view diagnostic and repair details.
    view advanced options for system recovery and support.

    Screen 5: (after selecting "view diagnostic and repair details")
    Startup Repair diagnosis and repair log
    --------------------------------------
    Last successful boot time: 2/4/2015 6:00:11 AM (GMT)
    Number of repair attempts: 9

    Session details
    ---------------
    System Disk = \Device\Harddisk0
    Windows directory = D:\Windows
    AutoChkRun = 0
    Number of root causes = 1

    Test Performed:
    ---------------
    Name: Check for updates
    Result: Completed successfully. Error code = 0x0
    Time taken = 16 ms

    Test Performed:
    ---------------
    Name: System disk test
    Result: Completed successfully. Error code = 0x0
    Time taken = 0 ms

    Test Performed:
    ---------------
    Name: Disk failure analysis
    Result: Completed successfully. Error code = 0x0
    Time taken = 172 ms

    Test Performed:
    ---------------
    Name: Disk metadata test
    Result: Completed successfully. Error code = 0x0
    Time taken = 62 ms

    Test Performed:
    ---------------
    Name: Target OS test
    Result: Completed successfully. Error code = 0x0
    Time taken = 156 ms

    Test Performed:
    ---------------
    Name: Volume content check
    Result: Completed successfully. Error code = 0x0
    Time taken = 1373 ms

    Test Performed:
    ---------------
    Name: Boot manager diagnosis
    Result: Completed successfully. Error code = 0x0
    Time taken = 0 ms

    Test Performed:
    ---------------
    Name: System boot log diagnosis
    Result: Completed successfully. Error code = 0x0
    Time taken = 0 ms

    Test Performed:
    ---------------
    Name: Event log diagnosis
    Result: Completed successfully. Error code = 0x0
    Time taken = 156 ms

    Test Performed:
    ---------------
    Name: Internal state check
    Result: Completed successfully. Error code = 0x0
    Time taken = 93 ms

    Root cause found
    ----------------
    Startup Repair has tried several times but still cannot determine the cause of the problem.

    (... followed by a similar list of tests performed in the previous repair attempt)

    Screen 6: (after selecting "view advanced options for system recovery and support")
    To access recovery options log on as a local user.
    To access the command prompt as well, log on using an administrator account.

    I logged on as "owner".

    Screen 7:
    Choose a recovery tool
    Startup Repair
    System Restore
    System Image Recovery
    Windows Memory Diagnostic
    Command Prompt
    Recovery Management (restore system from factory default)

    I tried "Startup Repair" several times. It took me back to Screen 2 and a repetition of Startup Repair with the same results.

    I tried "System Restore" several times with different restore points. After choosing a restore point, the following screen appeared:
    You must always restore the drive that contains Windows. Restoring other drives is optional.
    Drive
    (a check box) Local Drive (C:)(System) You must enable System Protection on this drive.

    I was unable to check the check box next to "Local Drive", and was therefore unable to perform a system restore.

    I did not try "System Image Recovery", because I did not have a system image.

    I tried "Windows Memory Diagnostic"; no problems were found.

    "Command Prompt" was accessible, but I did not know what to do in Command Prompt.

    I did not try "Recovery Management".

    I also tried several options in the "Boot Menu". None of them (including "Last good start configuration") worked. Most options brought me to the same Fatal System Error screen mentioned above.
     
  2. 2015/02/08, Admin. (Administrator, Staff)

  4. 2015/02/08, jharry (Thread Starter)
    Can't download

    Hi:
    Since my laptop crashes before successful startup, I cannot download anything.
    In the command prompt, the C: drive is "System Reserved"; I cannot access its contents. One support source recommends trying the dism command:
    dism /image:C:\ /cleanup-image /revertpendingactions
    But when I execute this command, I get the following response:
    Unable to access the image. Make sure that the image path and the Windows directory for the image exists and you have read permissions on the folder.

    I later found that in the command prompt, C: drive is actually D:. But I also found that dism doesn't have an option called /cleanup-image. There is an option /cleanup-Wim, but there is no option /revertpendingactions. So the advice from the support source may be outdated.

    Some suggested using Dr Watson (drwtsn32.exe), but I couldn't find it on my laptop.
     
    Last edited: 2015/02/08
  5. 2015/02/10, jharry (Thread Starter)
    Hi Arie:
    My previous post described the results of following your first link "http://www.windowsbbs.com/windows-7/108848-fatal-system-error.html". I then tried your link to Microsoft "http://support2.microsoft.com/default.aspx?scid=kb;EN-US;314103". It showed a page that "applies to a version of Windows other than the one you are using...", and goes on to describe how to get a dump in Windows XP. But the instructions only apply to the case where Windows at least started and the user can go to the Control Panel to modify some settings. In my case, the fatal error occurred during startup (after the Windows logo swirled and came to a halt). So I don't have the opportunity to carry out the relevant instructions. I tried the option "create a boot log" in the boot menu, but couldn't find a boot log, presumably because the computer restarted right after the fatal error message. I'm in a dilemma. I can choose the "command prompt" option in the "System Recovery Options" window. But I don't know what to do in "command prompt". Will the "dism" command help? If so, which options should I use?
     
  6. 2015/02/20, jharry (Thread Starter)
    Hi:
    I tried using the sfc command: sfc /scannow, and got the following message:
    "There is a system repair pending which requires reboot to complete. Restart Windows and run sfc again."
    Restarting Windows brought me to the same "Fatal System Error" mentioned in my first post.
    Is there some way in "Command Prompt" to address the issues I mentioned in my previous posts, i.e.:
    1. Enable "system protection" so that I can restore the system to a previous restore point.
    2. Disable the "system repair pending", so that I can execute the sfc command.
    3. Use the dism command to fix the startup fatal error.
    Any other suggestions are also appreciated.
     
  7. 2015/02/20, Evan Omo (Computer Support Technician, Staff)
    Hi jharry. Follow these steps:

    1. Enter the advanced recovery options.
    2. Choose the Command Prompt option in the System Recovery Options window.
    3. When the Command Prompt window opens type the following commands, exactly as written below, in the order in which they are presented, and press enter after entering each command:

    • Bcdedit /export C:\BCD_Backup
    • ren c:\boot\bcd bcd.old
    • Bootrec.exe /rebuildbcd
    • BootRec.exe /fixmbr
    • BootRec.exe /fixboot
    • sfc /scannow /offbootdir=c:\ /offwindir=c:\windows
    • chkdsk c: /r
    • exit
    4. If you receive any warnings or notifications asking if you are sure, press Y to confirm.
    5. After exiting the Command Prompt window, reboot the computer and see if you can boot into Windows 7 successfully.
     
  8. 2015/02/23, jharry (Thread Starter)
    I ran the recommended commands. Following are the commands and the corresponding responses.
    Bcdedit /export C:\BCD_Backup
    The operation completed successfully
    ren c:\boot\bcd bcd.old
    The system cannot find the file specified
    Bootrec.exe /rebuildbcd
    Successfully scanned windows installations.
    Total identified windows installations: 0
    The operation completed successfully.
    BootRec.exe /fixmbr
    The operation completed successfully.
    BootRec.exe /fixboot
    The operation completed successfully.
    sfc /scannow /offbootdir=c:\ /offwindir=c:\windows
    Windows Resource Protection could not start the repair service.
    chkdsk c: /r
    chkdsk cannot run because the volume is in use by another process. Chkdsk may run if this volume is dismounted first…. Would you like to force a dismount on this volume? (Y/N) y
    Volume label is SYSTEM RESERVED.
    Windows has checked the file system and found no problems.
    102399 Total disk space.
    …….
    Failed to transfer logged messages to the event log with status 50


    In this command prompt, the main volume is on Drive D:. I switched to drive D: and performed the same commands as above. The responses were the same except for some slight differences in wording as follows:
    sfc /scannow /offbootdir=d:\ /offwindir=d:\windows
    Windows Resource Protection could not perform the requested operation.
    chkdsk d: /r
    chkdsk cannot run because the volume is in use by another process. Chkdsk may run if this volume is dismounted first…. Would you like to force a dismount on this volume? (Y/N) y
    Volume label is Gateway.
    Windows has checked the file system and found no problems.
    475994135 Total disk space

    Rebooting resulted in the same fatal error message at the start of this thread.
     
  9. 2015/02/23, Evan Omo (Computer Support Technician, Staff)
    Do you have a Windows 7 DVD available that you can use to repair the Windows installation? Have you backed up all the important data on the hard drive?
     
  10. 2015/02/23, jharry (Thread Starter)
    I don't have a Windows 7 DVD. I have backed up all important data on my hard drive.
     
  11. 2015/02/25, Evan Omo (Computer Support Technician, Staff)
  12. 2015/02/26, jharry (Thread Starter)
    Hi Omo:

    I received the following error when attempting to access your recommended link http://www.microsoft.com/en-us/software-recovery.

    502 - Web server received an invalid response while acting as a gateway or proxy server.
    There is a problem with the page you are looking for, and it cannot be displayed. When the Web server (while acting as a gateway or proxy) contacted the upstream content server, it received an invalid response from the content server.
     
  13. 2015/02/26, Evan Omo (Computer Support Technician, Staff)
    Did you try a different Internet browser? The link works fine for me.
     
  14. 2015/02/26, jharry (Thread Starter)
    Hi Omo:

    I was able to access the link using Internet Explorer. After searching for the topic "Create Windows 7 DVD", the only answer close enough was how to create a Startup Repair Disc. The solution requires access to a computer running Windows 7. Since my laptop running Windows 7 can't even start up, the suggested solution is not available to me (my only other computer runs on Windows XP). On my malfunctioning laptop, I was able to access the command prompt and run regedit, trying to make the computer create a dump file, but the newly edited keys disappeared after I exited regedit. It seems the command prompt (or regedit) does not recognize "owner" as having administrator permissions, although when I first bought the laptop and set up user accounts, I assigned "owner" administrator privileges (I'm the only user of this laptop).
     
  15. 2015/02/26, broni (Moderator, Malware Analyst)
    Windows 7 repair can be done only from within Windows so it won't work in this case.

    Let's see if we can find out a little bit more about your issue.

    NOTE 1. Use another working computer to download Farbar Recovery Scan Tool. Use a USB flash drive to transfer it from the good computer to the bad one.
    NOTE 2. Install Panda USB Vaccine, or BitDefender's USB Immunizer, on the GOOD computer to protect it from any infected USB device.

    For 32-bit (x86) systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
    For 64-bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

    Plug the flash drive into the infected PC.

    If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using the Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for the 64-bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
     
  16. 2015/02/27, jharry (Thread Starter)
    Here is the content of frst.txt
    Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 25-02-2015 01
    Ran by SYSTEM on MININT-F5MV7RK on 26-02-2015 21:57:58
    Running from H:\
    Platform: WIN_7 (X64) OS Language: English (United States)
    Internet Explorer Version 10
    Boot Mode: Recovery

    The current controlset is ControlSet002
    ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

    ==================== Registry (Whitelisted) ==================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Run: [IAAnotif] => C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)
    HKLM\...\Run: [cAudioFilterAgent] => C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [508472 2009-10-09] (Conexant Systems, Inc.)
    HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1842472 2009-09-17] (Synaptics Incorporated)
    HKLM\...\Run: [Acer ePower Management] => C:\Program Files\Gateway\Gateway Power Management\ePowerTray.exe [823840 2009-09-30] (Acer Incorporated)
    HKLM\...\Run: [Microsoft Pinyin IME Migration] => C:\Program Files\Common Files\Microsoft Shared\IME12\IMESC\IMSCMIG.EXE [59248 2011-05-25] (Microsoft Corporation)
    HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [169768 2015-01-27] (Apple Inc.)
    HKLM\...\Winlogon: [Userinit]
    HKLM-x32\...\Winlogon: [Userinit] [X]
    HKLM\...\Winlogon: [Shell] [0 ] () <=== ATTENTION
    HKLM-x32\...\Winlogon: [Shell] [0 ] () <=== ATTENTION
    HKLM\...\Policies\Explorer: [EnableShellExecuteHooks] 1
    HKU\Default\...\RunOnce: [ScrSav] => C:\Program Files (x86)\Gateway\Screensaver\run_Gateway.exe [162336 2009-07-21] ()
    HKU\Default User\...\RunOnce: [ScrSav] => C:\Program Files (x86)\Gateway\Screensaver\run_Gateway.exe [162336 2009-07-21] ()
    HKU\fbwuser\...\RunOnce: [ScrSav] => C:\Program Files (x86)\Gateway\Screensaver\run_Gateway.exe [162336 2009-07-21] ()
    HKU\owner\...\Run: [Google Update] => C:\Users\owner\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2012-12-10] (Google Inc.)
    HKU\owner\...\Run: [BRS] => C:\Program Files (x86)\WSE_Astromenda\BRS\brs.exe [1072128 2014-08-15] ()

    ==================== Services (Whitelisted) =================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    S2 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
    S2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77128 2015-01-19] (Apple Inc.)
    S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-07-08] (AVAST Software)
    S2 CAJ Service Host; C:\Program Files (x86)\TTKN\CAJVD\CAJSHost.exe [69040 2012-05-29] (Tongfang Knowledge Network Technology(Beijing) Co., Ltd.)
    S2 Capture Device Service; C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe [198168 2007-03-05] (InterVideo Inc.)
    S2 DeviceHealth; C:\Program Files (x86)\Microsoft Device Health\DhMachineSvc.exe [97432 2014-11-20] ()
    S4 FoxitCloudUpdateService; C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe [263232 2014-01-09] ()
    S4 hshld; C:\Program Files (x86)\Hotspot Shield\bin\cmw_srv.exe [919040 2014-05-16] (AnchorFree Inc.)
    S3 HssTrayService; C:\Program Files (x86)\Hotspot Shield\bin\HssTrayService.EXE [78512 2014-05-16] ()
    S4 HssWd; C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe [430344 2014-05-16] ()
    S2 KMService; C:\Windows\SysWOW64\srvany.exe [8192 2003-04-18] ()
    S4 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
    S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
    S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] ()
    S4 ngSlotD; C:\Program Files (x86)\ngsrv\ngslotd.exe [181624 2012-06-13] (Feitian)
    S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [379360 2013-01-27] ()
    S2 NitroReaderDriverReadSpool; C:\Program Files\Common Files\Nitro PDF\Reader\1.0\NitroPDFReaderDriverServicex64.exe [341296 2011-01-28] (Nitro PDF Software)
    S4 pcas; C:\Program Files (x86)\alipay\aliedit\5.0.0.3597\pcas.exe [581920 2014-12-03] (Alipay.com Inc. )
    S2 PSI_SVC_2; c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe [277360 2013-09-13] (arvato digital services llc)
    S2 RealNetworks Downloader Resolver Service; C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [39568 2014-04-06] ()
    S2 RealPlayer Cloud Service; c:\program files (x86)\real\realplayer\RPDS\Bin\rpdsvc.exe [1141848 2014-04-15] (RealNetworks, Inc.)
    S2 RealPlayerUpdateSvc; C:\Program Files (x86)\Real\UpdateService\RealPlayerUpdateSvc.exe [23552 2014-04-06] ()
    S3 rpcapd; C:\Program Files (x86)\WinPcap\rpcapd.exe [117264 2010-06-25] (CACE Technologies, Inc.)
    S4 secbizsrv; C:\Program Files (x86)\alipay\aliedit\5.0.0.3597\secbizsrv.exe [590112 2014-12-03] (Alipay.com Inc. )
    S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)
    S2 70e6ca8c; "C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\Optimizer Pro\OptProCrash.dll ",SVC
    S2 RealtekUSB; C:\Program Files (x86)\Realtek\RTL8187 Wireless LAN Utility\RtlService.exe [X]

    ==================== Drivers (Whitelisted) ====================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    S2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2014-07-08] ()
    S2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [79184 2014-07-08] (AVAST Software)
    S1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93568 2014-07-08] (AVAST Software)
    S0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2014-07-08] ()
    S1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1041168 2014-11-21] (AVAST Software)
    S1 aswSP; C:\Windows\system32\drivers\aswSP.sys [427360 2014-07-08] (AVAST Software)
    S2 aswStm; C:\Windows\system32\drivers\aswStm.sys [92008 2014-07-08] (AVAST Software)
    S0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [224896 2014-07-08] ()
    S3 CXIR; C:\Windows\System32\drivers\cxcir.sys [43520 2011-02-15] (Conexant Systems, Inc.)
    S3 CXPOLARIS; C:\Windows\System32\drivers\GTATSC.sys [231808 2011-02-13] (Geniatech Systems, Inc.)
    S3 ewusbnet; C:\Windows\System32\DRIVERS\ewusbnet.sys [243200 2009-10-21] (Huawei Technologies Co., Ltd.)
    S3 hitmanpro35; No ImagePath
    S1 HssDRV6; C:\Windows\System32\DRIVERS\hssdrv6.sys [44744 2014-05-16] (AnchorFree Inc.)
    S3 hwusbdev; C:\Windows\System32\DRIVERS\ewusbdev.sys [114304 2009-10-12] (Huawei Technologies Co., Ltd.)
    S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-11-21] (Malwarebytes Corporation)
    S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-11-21] (Malwarebytes Corporation)
    S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)
    S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)
    S3 NPF; C:\Windows\System32\drivers\npf.sys [35344 2010-06-25] (CACE Technologies, Inc.)
    S2 PECKbdProtector; C:\Windows\system32\drivers\PECKP_x64.SYS [53088 2014-12-13] (CSII)
    S3 ProtectorA; C:\Windows\system32\drivers\ProtectorA.sys [22672 2012-01-11] (www.ISRA.org.cn)
    S3 ProtectorA; C:\Windows\SysWOW64\drivers\ProtectorA.sys [20112 2010-12-16] (www.ISRA.org.cn)
    S3 R6BaseSmc; C:\Windows\System32\DRIVERS\smccarda.sys [24360 2012-06-13] (OEM)
    S3 R6BaseSmc; C:\Windows\SysWOW64\DRIVERS\smccarda.sys [14464 2011-05-28] (OEM)
    S2 ROCKEYNT; C:\Windows\SysWOW64\drivers\Rockeynt.sys [18223 2012-12-31] (FeiTian Tech Co.,Ltd)
    S3 taphss6; C:\Windows\System32\DRIVERS\taphss6.sys [42184 2014-05-16] (Anchorfree Inc.)

    ==================== NetSvcs (Whitelisted) ===================

    (If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


    ==================== One Month Created Files and Folders ========

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2015-02-26 21:57 - 2015-02-26 21:57 - 00000000 ____D () C:\FRST
    2015-02-22 22:57 - 2015-02-22 22:57 - 00024576 _____ () C:\BCD_Backup
    2015-02-22 22:57 - 2015-02-22 22:57 - 00021504 ___SH () C:\BCD_Backup.LOG
    2015-02-01 12:40 - 2015-02-01 12:40 - 00001720 _____ () C:\Users\Public\Desktop\iTunes.lnk
    2015-02-01 12:39 - 2015-02-01 12:40 - 00000000 ____D () C:\ProgramData\E1864A66-75E3-486a-BD95-D1B7D99A84A7
    2015-02-01 12:39 - 2015-02-01 12:40 - 00000000 ____D () C:\Program Files\iTunes
    2015-02-01 12:39 - 2015-02-01 12:39 - 00000000 ____D () C:\Program Files\iPod
    2015-02-01 12:39 - 2015-02-01 12:39 - 00000000 ____D () C:\Program Files (x86)\iTunes
    2015-01-30 17:15 - 2015-01-30 17:15 - 00000000 _____ () C:\Windows\WindowsUpdate.log
    2015-01-29 19:17 - 2015-02-03 22:00 - 00000672 _____ () C:\Windows\setupact.log
    2015-01-29 19:17 - 2015-01-29 19:17 - 00000000 _____ () C:\Windows\setuperr.log
    2015-01-29 19:16 - 2015-01-29 19:16 - 00000376 _____ () C:\Windows\PFRO.log
    2015-01-29 16:24 - 2015-01-29 22:42 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\MBAMSwissArmy.sys
    2015-01-29 16:24 - 2015-01-29 16:24 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
    2015-01-29 16:24 - 2014-11-21 06:14 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamchameleon.sys
    2015-01-29 16:24 - 2014-11-21 06:14 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mwac.sys

    ==================== One Month Modified Files and Folders =======

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2015-02-03 22:37 - 2012-12-10 21:54 - 00003878 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-669636167-3881197016-1759864487-1000UA
    2015-02-03 22:37 - 2012-12-10 21:54 - 00003482 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-669636167-3881197016-1759864487-1000Core
    2015-02-03 22:37 - 2012-12-10 21:54 - 00000908 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-669636167-3881197016-1759864487-1000UA.job
    2015-02-03 22:37 - 2012-12-10 21:54 - 00000856 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-669636167-3881197016-1759864487-1000Core.job
    2015-02-03 22:27 - 2014-08-15 13:27 - 00000292 _____ () C:\Windows\Tasks\WSE_Astromenda.job
    2015-02-03 22:15 - 2014-12-05 18:38 - 00000456 _____ () C:\Windows\Tasks\微软设备健康助手自动更新.job
    2015-02-03 22:14 - 2012-04-07 06:57 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
    2015-02-03 22:08 - 2009-07-13 20:45 - 00025840 _____ () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2015-02-03 22:08 - 2009-07-13 20:45 - 00025840 _____ () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2015-02-03 22:04 - 2009-07-13 21:13 - 00726270 _____ () C:\Windows\System32\PerfStringBackup.INI
    2015-02-03 22:00 - 2014-12-08 18:20 - 00000440 _____ () C:\Windows\Tasks\微软设备健康助手开机检测.job
    2015-02-03 22:00 - 2013-09-12 16:15 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2015-02-03 22:00 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
    2015-02-03 18:00 - 2010-02-28 16:47 - 00000466 _____ () C:\Windows\Tasks\ParetoLogic Registration.job
    2015-02-03 17:54 - 2010-01-06 21:22 - 00008456 ___SH () C:\ProgramData\KGyGaAvL.sys
    2015-02-03 17:46 - 2013-09-12 16:15 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2015-02-03 17:42 - 2010-03-07 11:32 - 00000000 ____D () C:\Users\owner\AppData\Roaming\HaoZip
    2015-02-03 17:38 - 2011-04-22 00:15 - 00000000 ____D () C:\Users\owner\AppData\Roaming\vlc
    2015-02-03 16:53 - 2014-12-21 22:45 - 00003370 _____ () C:\Windows\System32\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-669636167-3881197016-1759864487-1000
    2015-02-03 16:53 - 2014-12-21 22:45 - 00003236 _____ () C:\Windows\System32\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-669636167-3881197016-1759864487-1000
    2015-02-03 16:37 - 2009-12-18 16:43 - 00000000 ____D () C:\Users\owner\AppData\Roaming\Mozilla
    2015-02-03 16:11 - 2013-07-09 20:06 - 00004182 _____ () C:\Windows\System32\Tasks\avast! Emergency Update
    2015-02-02 18:49 - 2012-02-20 15:19 - 00000000 ____D () C:\Users\owner\Documents\temp
    2015-02-02 18:47 - 2014-06-08 10:16 - 00003214 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-669636167-3881197016-1759864487-1000
    2015-02-02 18:47 - 2014-04-21 18:35 - 00003348 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-669636167-3881197016-1759864487-1000
    2015-02-01 12:56 - 2010-09-21 20:47 - 00000000 ____D () C:\Users\owner\AppData\Roaming\FreeVideoConverter
    2015-02-01 12:55 - 2010-09-21 20:47 - 00001108 _____ () C:\Users\owner\Desktop\Free Video Converter.lnk
    2015-02-01 12:55 - 2010-09-21 20:47 - 00000000 ____D () C:\Program Files (x86)\Free Video Converter
    2015-02-01 12:39 - 2010-10-15 06:23 - 00000000 ____D () C:\Program Files\Common Files\Apple
    2015-02-01 10:54 - 2010-06-25 07:27 - 00000000 ____D () C:\Users\owner\AppData\Roaming\Ulead Systems
    2015-02-01 10:52 - 2010-06-02 06:08 - 00000000 ____D () C:\Users\owner\AppData\Roaming\dvdcss
    2015-01-30 17:10 - 2011-10-18 00:50 - 00000000 ____D () C:\Users\owner\Documents\accounts
    2015-01-29 19:18 - 2009-12-18 14:55 - 00133024 _____ () C:\Users\owner\AppData\Local\GDIPFONTCACHEV1.DAT
    2015-01-29 19:17 - 2009-07-13 20:45 - 00501024 _____ () C:\Windows\System32\FNTCACHE.DAT
    2015-01-29 16:24 - 2013-07-09 14:08 - 00001069 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2015-01-29 16:24 - 2012-05-22 22:20 - 00000000 ____D () C:\Users\owner\AppData\Roaming\Malwarebytes
    2015-01-29 16:24 - 2012-05-22 22:20 - 00000000 ____D () C:\ProgramData\Malwarebytes
    2015-01-29 16:24 - 2012-05-22 22:20 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2015-01-29 09:36 - 2011-10-15 04:04 - 00000000 ____D () C:\Users\owner\Documents\wusimei
    2015-01-29 00:27 - 2014-08-28 13:56 - 00000191 _____ () C:\Users\owner\AppData\Roaming\WB.CFG
    2015-01-29 00:26 - 2010-02-28 16:47 - 00000440 _____ () C:\Windows\Tasks\ParetoLogic Update Version2.job
    2015-01-28 16:32 - 2011-10-12 15:58 - 00000000 ____D () C:\Users\owner\Documents\worldschool
    2015-01-27 18:27 - 2013-11-10 18:39 - 00000000 ____D () C:\Users\owner\Documents\zhouzhongyi
    2015-01-27 18:16 - 2009-12-19 21:11 - 00000000 ____D () C:\Users\owner\AppData\Roaming\Skype
    2015-01-27 16:14 - 2011-09-07 20:42 - 00005120 _____ () C:\Users\owner\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2015-01-27 15:15 - 2014-03-16 19:13 - 00002697 _____ () C:\Users\Public\Desktop\Skype.lnk
    2015-01-27 15:15 - 2013-03-23 18:08 - 00000000 ___RD () C:\Program Files (x86)\Skype
    2015-01-27 15:15 - 2009-12-19 21:11 - 00000000 ____D () C:\ProgramData\Skype
    2015-01-27 11:06 - 2010-11-26 16:10 - 00000000 ____D () C:\Users\owner\Documents\sundaya
    2015-01-27 08:58 - 2015-01-26 09:02 - 00000000 ____D () C:\Users\owner\Documents\passport
    2015-01-27 08:57 - 2015-01-24 16:50 - 00000000 ____D () C:\Users\owner\Documents\yhtu
    2015-01-27 08:57 - 2014-03-18 19:00 - 00000000 ____D () C:\Users\owner\Documents\tax

    ZeroAccess:
    C:\$Recycle.Bin\S-1-5-21-669636167-3881197016-1759864487-1000\$b3badc8d50bb3c066fde46b3919fda5d

    ZeroAccess:
    C:\$Recycle.Bin\S-1-5-18\$b3badc8d50bb3c066fde46b3919fda5d

    ==================== Known DLLs (Whitelisted) ================


    ==================== Bamital & volsnap Check =================

    (There is no automatic fix for files that do not pass verification.)

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
    ATTENTION: ====> ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client

    ==================== Restore Points =========================

    Restore point made on: 2014-12-05 21:09:20
    Restore point made on: 2014-12-19 20:23:47
    Restore point made on: 2015-01-19 17:48:37
    Restore point made on: 2015-01-19 17:49:14
    Restore point made on: 2015-01-19 18:09:57

    ==================== Memory info ===========================

    Percentage of memory in use: 18%
    Total physical RAM: 4024.93 MB
    Available physical RAM: 3261.79 MB
    Total Pagefile: 4023.08 MB
    Available Pagefile: 3257.58 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.89 MB

    ==================== Drives ================================

    Drive c: (Gateway) (Fixed) (Total:453.94 GB) (Free:27.13 GB) NTFS
    Drive e: (PQSERVICE) (Fixed) (Total:11.72 GB) (Free:2.57 GB) NTFS
    Drive h: (KINGSTON U3) (Removable) (Total:1.9 GB) (Free:1.41 GB) FAT32
    Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 52D952D9)
    Partition 1: (Not Active) - (Size=11.7 GB) - (Type=27)
    Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
    Partition 3: (Not Active) - (Size=453.9 GB) - (Type=07 NTFS)

    ========================================================
    Disk: 1 (Size: 1.9 GB) (Disk ID: 9B9E7A1B)
    Partition 1: (Active) - (Size=1.9 GB) - (Type=0B)


    LastRegBack: 2014-12-19 20:16

    ==================== End Of Log ============================
     
  17. 2015/02/27
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You're infected with ZeroAccess rootkit.

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    On Vista or Windows 7/8: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the OTLPE CD.
Run FRST (FRST64) and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    See if you can start your computer normally.
     


  18. 2015/02/27
    jharry

    jharry Inactive Thread Starter

    Joined:
    2008/12/07
    Messages:
    106
    Likes Received:
    1
    Dear Broni:
    I followed your instructions. My computer still ended with the same startup error.
    Here are the contents of Fixlog.txt:
    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 25-02-2015 01
    Ran by SYSTEM at 2015-02-27 19:02:43 Run:1
    Running from H:\
    Boot Mode: Recovery
    ==============================================

    Content of fixlist:
    *****************
    HKLM-x32\...\Winlogon: [Userinit] [X]
    HKLM\...\Winlogon: [Shell] [0 ] () <=== ATTENTION
    HKLM-x32\...\Winlogon: [Shell] [0 ] () <=== ATTENTION
    HKU\owner\...\Run: [BRS] => C:\Program Files (x86)\WSE_Astromenda\BRS\brs.exe [1072128 2014-08-15] ()
    C:\Program Files (x86)\WSE_Astromenda
    S2 DeviceHealth; C:\Program Files (x86)\Microsoft Device Health\DhMachineSvc.exe [97432 2014-11-20] ()
    C:\Program Files (x86)\Microsoft Device Health
    S2 70e6ca8c; "C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\Optimizer Pro\OptProCrash.dll ",SVC
    S2 RealtekUSB; C:\Program Files (x86)\Realtek\RTL8187 Wireless LAN Utility\RtlService.exe [X]
    c:\Program Files (x86)\Optimizer Pro
    S3 hitmanpro35; No ImagePath
    2015-02-03 22:27 - 2014-08-15 13:27 - 00000292 _____ () C:\Windows\Tasks\WSE_Astromenda.job
    C:\$Recycle.Bin\S-1-5-21-669636167-3881197016-1759864487-1000\$b3badc8d50bb3c066fde46b3919fda5d
    C:\$Recycle.Bin\S-1-5-18\$b3badc8d50bb3c066fde46b3919fda5d
    DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client

    *****************

    HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit => Value was restored successfully.
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value was restored successfully.
    HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value was restored successfully.
    HKU\owner\Software\Microsoft\Windows\CurrentVersion\Run\\BRS => value deleted successfully.
    C:\Program Files (x86)\WSE_Astromenda => Moved successfully.
    DeviceHealth => Service deleted successfully.
    C:\Program Files (x86)\Microsoft Device Health => Moved successfully.
    70e6ca8c => Service deleted successfully.
    RealtekUSB => Service deleted successfully.
    c:\Program Files (x86)\Optimizer Pro => Moved successfully.
    hitmanpro35 => Service deleted successfully.
    C:\Windows\Tasks\WSE_Astromenda.job => Moved successfully.
    C:\$Recycle.Bin\S-1-5-21-669636167-3881197016-1759864487-1000\$b3badc8d50bb3c066fde46b3919fda5d => Moved successfully.
    C:\$Recycle.Bin\S-1-5-18\$b3badc8d50bb3c066fde46b3919fda5d => Moved successfully.
    "C:\Program Files\Microsoft Security Client" => Deleting reparse point and unlocking started.
    "C:\Program Files\Microsoft Security Client\Backup" => Deleting reparse point and unlocking done.
    "C:\Program Files\Microsoft Security Client\DbgHelp.dll" => Deleting reparse point and unlocking done.
    "C:\Program Files\Microsoft Security Client\Drivers" => Deleting reparse point and unlocking done.
    "C:\Program Files\Microsoft Security Client\en-us" => Deleting reparse point and unlocking done.
    "C:\Program Files\Microsoft Security Client\EppManifest.dll" => Deleting reparse point and unlocking done.
    "C:\Program Files\Microsoft Security Client\MpAsDesc.dll" => Deleting reparse point and unlocking done.
    "C:\Program Files\Microsoft Security Client\MpClient.dll" => Deleting reparse point and unlocking done.
    "C:\Program Files\Microsoft Security Client\MpCmdRun.exe" => Deleting reparse point and unlocking done.
    "C:\Program Files\Microsoft Security Client\MpCommu.dll" => Deleting reparse point and unlocking done.
    "C:\Program Files\Microsoft Security Client\mpevmsg.dll" => Deleting reparse point and unlocking done.
    "C:\Program Files\Microsoft Security Client\MpOAv.dll" => Deleting reparse point and unlocking done.
    "C:\Program Files\Microsoft Security Client\MpRTP.dll" => Deleting reparse point and unlocking done.
    "C:\Program Files\Microsoft Security Client\MpSvc.dll" => Deleting reparse point and unlocking done.
    "C:\Program Files\Microsoft Security Client\MSESysprep.dll" => Deleting reparse point and unlocking done.
    "C:\Program Files\Microsoft Security Client\MsMpCom.dll" => Deleting reparse point and unlocking done.
    "C:\Program Files\Microsoft Security Client\MsMpEng.exe" => Deleting reparse point and unlocking done.
    "C:\Program Files\Microsoft Security Client\MsMpLics.dll" => Deleting reparse point and unlocking done.
    "C:\Program Files\Microsoft Security Client\MsMpRes.dll" => Deleting reparse point and unlocking done.
    "C:\Program Files\Microsoft Security Client\msseces.exe" => Deleting reparse point and unlocking done.
    "C:\Program Files\Microsoft Security Client\msseoobe.exe" => Deleting reparse point and unlocking done.
    "C:\Program Files\Microsoft Security Client\msseooberes.dll" => Deleting reparse point and unlocking done.
    "C:\Program Files\Microsoft Security Client\MsseWat.dll" => Deleting reparse point and unlocking done.
    "C:\Program Files\Microsoft Security Client\NisIpsPlugin.dll" => Deleting reparse point and unlocking done.
    "C:\Program Files\Microsoft Security Client\NisLog.dll" => Deleting reparse point and unlocking done.
    "C:\Program Files\Microsoft Security Client\NisSrv.exe" => Deleting reparse point and unlocking done.
    "C:\Program Files\Microsoft Security Client\NisWFP.dll" => Deleting reparse point and unlocking done.
    "C:\Program Files\Microsoft Security Client\Setup.exe" => Deleting reparse point and unlocking done.
    "C:\Program Files\Microsoft Security Client\SetupRes.dll" => Deleting reparse point and unlocking done.
    "C:\Program Files\Microsoft Security Client\shellext.dll" => Deleting reparse point and unlocking done.
    "C:\Program Files\Microsoft Security Client\sqmapi.dll" => Deleting reparse point and unlocking done.
    "C:\Program Files\Microsoft Security Client\SymSrv.dll" => Deleting reparse point and unlocking done.
    "C:\Program Files\Microsoft Security Client\SymSrv.yes" => Deleting reparse point and unlocking done.
    "C:\Program Files\Microsoft Security Client" => Deleting reparse point and unlocking completed.

    ==== End of Fixlog 19:02:48 ====
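The indicators broni acted on in post 17, and that the fixlog above shows being cleaned up (the Winlogon Shell and Userinit values, the hash-named `$` folders under `$Recycle.Bin` for both the user SID and S-1-5-18, the reparse points planted over the Microsoft Security Client folder), can be picked out of an FRST log mechanically. The following is an added example and not code from the thread or from FRST itself; the log lines it scans are constructed to mirror the ones posted here, and the Winlogon defaults it compares against are assumed for a 64-bit Windows 7 install.

```python
"""Triage FRST log lines for ZeroAccess-style indicators (added example)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample modelled on the FRST / Fixlog lines posted in this thread.
SAMPLE_LOG = r"""
HKLM\...\Winlogon: [Shell] [0 ] () <=== ATTENTION
HKLM-x32\...\Winlogon: [Userinit] [X]
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [169768 2015-01-27] (Apple Inc.)
C:\$Recycle.Bin\S-1-5-21-669636167-3881197016-1759864487-1000\$b3badc8d50bb3c066fde46b3919fda5d
C:\$Recycle.Bin\S-1-5-18\$b3badc8d50bb3c066fde46b3919fda5d
ATTENTION: ====> ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client
C:\Windows\System32\winlogon.exe => MD5 is legit
"""

# Line shapes keyed to the FRST output seen in this thread.
WINLOGON_RE = re.compile(r"Winlogon: \[(Shell|Userinit)\](?: \[(.*?)\])?")
RECYCLE_RE = re.compile(r"\\\$Recycle\.Bin\\(S-1-5-[0-9-]+)\\\$([0-9a-f]{32})\b", re.I)
JUNCTION_RE = re.compile(r"ZeroAccess\. Use DeleteJunctionsIndirectory: (.+?)\s*$")

# Assumed clean Windows 7 values. FRST normally omits these entries when they
# are at the default, so any Winlogon Shell/Userinit line is already worth a look;
# a Shell of "0" is exactly what produces the c000021a stop at logon.
WINLOGON_DEFAULTS = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
}


@dataclass(frozen=True)
class Finding:
    kind: str    # "winlogon", "recyclebin" or "junction"
    detail: str  # the value or path that triggered the rule
    line: str    # the original log line, for the report


def scan_frst(text: str) -> list[Finding]:
    """Return one Finding per log line that matches an indicator rule."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = WINLOGON_RE.search(line)
        if m:
            key, value = m.group(1), (m.group(2) or "").strip()
            if value != WINLOGON_DEFAULTS[key]:
                findings.append(Finding("winlogon", f"{key}={value!r}", line))
            continue
        m = RECYCLE_RE.search(line)
        if m:
            findings.append(Finding("recyclebin", f"{m.group(1)}:{m.group(2).lower()}", line))
            continue
        m = JUNCTION_RE.search(line)
        if m:
            findings.append(Finding("junction", m.group(1), line))
    return findings


def shared_recyclebin_payloads(findings: list[Finding]) -> dict[str, set[str]]:
    """Map each $Recycle.Bin hash folder to the SIDs it appears under.

    The same hash-named folder under the user's SID and under S-1-5-18
    (SYSTEM), as in this thread's log, is the corroborating ZeroAccess tell;
    a lone hash under one SID is reported by scan_frst but not here.
    """
    by_hash: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        if f.kind == "recyclebin":
            sid, digest = f.detail.split(":", 1)
            by_hash[digest].add(sid)
    return {h: sids for h, sids in by_hash.items() if len(sids) > 1}


if __name__ == "__main__":
    hits = scan_frst(SAMPLE_LOG)
    for h in hits:
        print(f"[{h.kind:10}] {h.detail}")
    for digest, sids in shared_recyclebin_payloads(hits).items():
        print(f"same payload folder ${digest} under {len(sids)} SIDs: {sorted(sids)}")
```

Run it against a saved FRST.txt by replacing SAMPLE_LOG with the file's contents. It does not fix anything; like FRST's own "Bamital & volsnap Check", the output is a list for a human to confirm before writing a fixlist.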
     
  19. 2015/02/27
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Re-run FRST scan and give me fresh log.
     
  20. 2015/02/27
    jharry

    jharry Inactive Thread Starter

    Joined:
    2008/12/07
    Messages:
    106
    Likes Received:
    1
Here is the fresh log after running FRST64:
    Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 25-02-2015 01
    Ran by SYSTEM on MININT-HR4ALGK on 27-02-2015 20:07:18
    Running from H:\
    Platform: WIN_7 (X64) OS Language: English (United States)
    Internet Explorer Version 10
    Boot Mode: Recovery

    The current controlset is ControlSet002
    ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

    ==================== Registry (Whitelisted) ==================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Run: [IAAnotif] => C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)
    HKLM\...\Run: [cAudioFilterAgent] => C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [508472 2009-10-09] (Conexant Systems, Inc.)
    HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1842472 2009-09-17] (Synaptics Incorporated)
    HKLM\...\Run: [Acer ePower Management] => C:\Program Files\Gateway\Gateway Power Management\ePowerTray.exe [823840 2009-09-30] (Acer Incorporated)
    HKLM\...\Run: [Microsoft Pinyin IME Migration] => C:\Program Files\Common Files\Microsoft Shared\IME12\IMESC\IMSCMIG.EXE [59248 2011-05-25] (Microsoft Corporation)
    HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [169768 2015-01-27] (Apple Inc.)
    HKLM\...\Winlogon: [Userinit]
    HKLM\...\Policies\Explorer: [EnableShellExecuteHooks] 1
    HKU\Default\...\RunOnce: [ScrSav] => C:\Program Files (x86)\Gateway\Screensaver\run_Gateway.exe [162336 2009-07-21] ()
    HKU\Default User\...\RunOnce: [ScrSav] => C:\Program Files (x86)\Gateway\Screensaver\run_Gateway.exe [162336 2009-07-21] ()
    HKU\fbwuser\...\RunOnce: [ScrSav] => C:\Program Files (x86)\Gateway\Screensaver\run_Gateway.exe [162336 2009-07-21] ()
    HKU\owner\...\Run: [Google Update] => C:\Users\owner\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2012-12-10] (Google Inc.)

    ==================== Services (Whitelisted) =================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    S2 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
    S2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77128 2015-01-19] (Apple Inc.)
    S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-07-08] (AVAST Software)
    S2 CAJ Service Host; C:\Program Files (x86)\TTKN\CAJVD\CAJSHost.exe [69040 2012-05-29] (Tongfang Knowledge Network Technology(Beijing) Co., Ltd.)
    S2 Capture Device Service; C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe [198168 2007-03-05] (InterVideo Inc.)
    S4 FoxitCloudUpdateService; C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe [263232 2014-01-09] ()
    S4 hshld; C:\Program Files (x86)\Hotspot Shield\bin\cmw_srv.exe [919040 2014-05-16] (AnchorFree Inc.)
    S3 HssTrayService; C:\Program Files (x86)\Hotspot Shield\bin\HssTrayService.EXE [78512 2014-05-16] ()
    S4 HssWd; C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe [430344 2014-05-16] ()
    S2 KMService; C:\Windows\SysWOW64\srvany.exe [8192 2003-04-18] ()
    S4 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
    S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
    S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] (Microsoft Corporation)
    S4 ngSlotD; C:\Program Files (x86)\ngsrv\ngslotd.exe [181624 2012-06-13] (Feitian)
    S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [379360 2013-01-27] (Microsoft Corporation)
    S2 NitroReaderDriverReadSpool; C:\Program Files\Common Files\Nitro PDF\Reader\1.0\NitroPDFReaderDriverServicex64.exe [341296 2011-01-28] (Nitro PDF Software)
    S4 pcas; C:\Program Files (x86)\alipay\aliedit\5.0.0.3597\pcas.exe [581920 2014-12-03] (Alipay.com Inc. )
    S2 PSI_SVC_2; c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe [277360 2013-09-13] (arvato digital services llc)
    S2 RealNetworks Downloader Resolver Service; C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [39568 2014-04-06] ()
    S2 RealPlayer Cloud Service; c:\program files (x86)\real\realplayer\RPDS\Bin\rpdsvc.exe [1141848 2014-04-15] (RealNetworks, Inc.)
    S2 RealPlayerUpdateSvc; C:\Program Files (x86)\Real\UpdateService\RealPlayerUpdateSvc.exe [23552 2014-04-06] ()
    S3 rpcapd; C:\Program Files (x86)\WinPcap\rpcapd.exe [117264 2010-06-25] (CACE Technologies, Inc.)
    S4 secbizsrv; C:\Program Files (x86)\alipay\aliedit\5.0.0.3597\secbizsrv.exe [590112 2014-12-03] (Alipay.com Inc. )
    S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)

    ==================== Drivers (Whitelisted) ====================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    S2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2014-07-08] ()
    S2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [79184 2014-07-08] (AVAST Software)
    S1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93568 2014-07-08] (AVAST Software)
    S0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2014-07-08] ()
    S1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1041168 2014-11-21] (AVAST Software)
    S1 aswSP; C:\Windows\system32\drivers\aswSP.sys [427360 2014-07-08] (AVAST Software)
    S2 aswStm; C:\Windows\system32\drivers\aswStm.sys [92008 2014-07-08] (AVAST Software)
    S0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [224896 2014-07-08] ()
    S3 CXIR; C:\Windows\System32\drivers\cxcir.sys [43520 2011-02-15] (Conexant Systems, Inc.)
    S3 CXPOLARIS; C:\Windows\System32\drivers\GTATSC.sys [231808 2011-02-13] (Geniatech Systems, Inc.)
    S3 ewusbnet; C:\Windows\System32\DRIVERS\ewusbnet.sys [243200 2009-10-21] (Huawei Technologies Co., Ltd.)
    S1 HssDRV6; C:\Windows\System32\DRIVERS\hssdrv6.sys [44744 2014-05-16] (AnchorFree Inc.)
    S3 hwusbdev; C:\Windows\System32\DRIVERS\ewusbdev.sys [114304 2009-10-12] (Huawei Technologies Co., Ltd.)
    S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-11-21] (Malwarebytes Corporation)
    S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-11-21] (Malwarebytes Corporation)
    S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)
    S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)
    S3 NPF; C:\Windows\System32\drivers\npf.sys [35344 2010-06-25] (CACE Technologies, Inc.)
    S2 PECKbdProtector; C:\Windows\system32\drivers\PECKP_x64.SYS [53088 2014-12-13] (CSII)
    S3 ProtectorA; C:\Windows\system32\drivers\ProtectorA.sys [22672 2012-01-11] (www.ISRA.org.cn)
    S3 ProtectorA; C:\Windows\SysWOW64\drivers\ProtectorA.sys [20112 2010-12-16] (www.ISRA.org.cn)
    S3 R6BaseSmc; C:\Windows\System32\DRIVERS\smccarda.sys [24360 2012-06-13] (OEM)
    S3 R6BaseSmc; C:\Windows\SysWOW64\DRIVERS\smccarda.sys [14464 2011-05-28] (OEM)
    S2 ROCKEYNT; C:\Windows\SysWOW64\drivers\Rockeynt.sys [18223 2012-12-31] (FeiTian Tech Co.,Ltd)
    S3 taphss6; C:\Windows\System32\DRIVERS\taphss6.sys [42184 2014-05-16] (Anchorfree Inc.)

    ==================== NetSvcs (Whitelisted) ===================

    (If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


    ==================== One Month Created Files and Folders ========

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2015-02-26 21:57 - 2015-02-27 20:07 - 00000000 ____D () C:\FRST
    2015-02-22 22:57 - 2015-02-22 22:57 - 00024576 _____ () C:\BCD_Backup
    2015-02-22 22:57 - 2015-02-22 22:57 - 00021504 ___SH () C:\BCD_Backup.LOG
    2015-02-01 12:40 - 2015-02-01 12:40 - 00001720 _____ () C:\Users\Public\Desktop\iTunes.lnk
    2015-02-01 12:39 - 2015-02-01 12:40 - 00000000 ____D () C:\ProgramData\E1864A66-75E3-486a-BD95-D1B7D99A84A7
    2015-02-01 12:39 - 2015-02-01 12:40 - 00000000 ____D () C:\Program Files\iTunes
    2015-02-01 12:39 - 2015-02-01 12:39 - 00000000 ____D () C:\Program Files\iPod
    2015-02-01 12:39 - 2015-02-01 12:39 - 00000000 ____D () C:\Program Files (x86)\iTunes
    2015-01-30 17:15 - 2015-01-30 17:15 - 00000000 _____ () C:\Windows\WindowsUpdate.log
    2015-01-29 19:17 - 2015-02-03 22:00 - 00000672 _____ () C:\Windows\setupact.log
    2015-01-29 19:17 - 2015-01-29 19:17 - 00000000 _____ () C:\Windows\setuperr.log
    2015-01-29 19:16 - 2015-01-29 19:16 - 00000376 _____ () C:\Windows\PFRO.log
    2015-01-29 16:24 - 2015-01-29 22:42 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\MBAMSwissArmy.sys
    2015-01-29 16:24 - 2015-01-29 16:24 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
    2015-01-29 16:24 - 2014-11-21 06:14 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamchameleon.sys
    2015-01-29 16:24 - 2014-11-21 06:14 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mwac.sys

    ==================== One Month Modified Files and Folders =======

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2015-02-03 22:37 - 2012-12-10 21:54 - 00003878 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-669636167-3881197016-1759864487-1000UA
    2015-02-03 22:37 - 2012-12-10 21:54 - 00003482 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-669636167-3881197016-1759864487-1000Core
    2015-02-03 22:37 - 2012-12-10 21:54 - 00000908 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-669636167-3881197016-1759864487-1000UA.job
    2015-02-03 22:37 - 2012-12-10 21:54 - 00000856 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-669636167-3881197016-1759864487-1000Core.job
    2015-02-03 22:15 - 2014-12-05 18:38 - 00000456 _____ () C:\Windows\Tasks\微软设备健康助手自动更新.job
    2015-02-03 22:14 - 2012-04-07 06:57 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
    2015-02-03 22:08 - 2009-07-13 20:45 - 00025840 _____ () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2015-02-03 22:08 - 2009-07-13 20:45 - 00025840 _____ () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2015-02-03 22:04 - 2009-07-13 21:13 - 00726270 _____ () C:\Windows\System32\PerfStringBackup.INI
    2015-02-03 22:00 - 2014-12-08 18:20 - 00000440 _____ () C:\Windows\Tasks\微软设备健康助手开机检测.job
    2015-02-03 22:00 - 2013-09-12 16:15 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2015-02-03 22:00 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
    2015-02-03 18:00 - 2010-02-28 16:47 - 00000466 _____ () C:\Windows\Tasks\ParetoLogic Registration.job
    2015-02-03 17:54 - 2010-01-06 21:22 - 00008456 ___SH () C:\ProgramData\KGyGaAvL.sys
    2015-02-03 17:46 - 2013-09-12 16:15 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2015-02-03 17:42 - 2010-03-07 11:32 - 00000000 ____D () C:\Users\owner\AppData\Roaming\HaoZip
    2015-02-03 17:38 - 2011-04-22 00:15 - 00000000 ____D () C:\Users\owner\AppData\Roaming\vlc
    2015-02-03 16:53 - 2014-12-21 22:45 - 00003370 _____ () C:\Windows\System32\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-669636167-3881197016-1759864487-1000
    2015-02-03 16:53 - 2014-12-21 22:45 - 00003236 _____ () C:\Windows\System32\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-669636167-3881197016-1759864487-1000
    2015-02-03 16:37 - 2009-12-18 16:43 - 00000000 ____D () C:\Users\owner\AppData\Roaming\Mozilla
    2015-02-03 16:11 - 2013-07-09 20:06 - 00004182 _____ () C:\Windows\System32\Tasks\avast! Emergency Update
    2015-02-02 18:49 - 2012-02-20 15:19 - 00000000 ____D () C:\Users\owner\Documents\temp
    2015-02-02 18:47 - 2014-06-08 10:16 - 00003214 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-669636167-3881197016-1759864487-1000
    2015-02-02 18:47 - 2014-04-21 18:35 - 00003348 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-669636167-3881197016-1759864487-1000
    2015-02-01 12:56 - 2010-09-21 20:47 - 00000000 ____D () C:\Users\owner\AppData\Roaming\FreeVideoConverter
    2015-02-01 12:55 - 2010-09-21 20:47 - 00001108 _____ () C:\Users\owner\Desktop\Free Video Converter.lnk
    2015-02-01 12:55 - 2010-09-21 20:47 - 00000000 ____D () C:\Program Files (x86)\Free Video Converter
    2015-02-01 12:39 - 2010-10-15 06:23 - 00000000 ____D () C:\Program Files\Common Files\Apple
    2015-02-01 10:54 - 2010-06-25 07:27 - 00000000 ____D () C:\Users\owner\AppData\Roaming\Ulead Systems
    2015-02-01 10:52 - 2010-06-02 06:08 - 00000000 ____D () C:\Users\owner\AppData\Roaming\dvdcss
    2015-01-30 17:10 - 2011-10-18 00:50 - 00000000 ____D () C:\Users\owner\Documents\accounts
    2015-01-29 19:18 - 2009-12-18 14:55 - 00133024 _____ () C:\Users\owner\AppData\Local\GDIPFONTCACHEV1.DAT
    2015-01-29 19:17 - 2009-07-13 20:45 - 00501024 _____ () C:\Windows\System32\FNTCACHE.DAT
    2015-01-29 16:24 - 2013-07-09 14:08 - 00001069 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2015-01-29 16:24 - 2012-05-22 22:20 - 00000000 ____D () C:\Users\owner\AppData\Roaming\Malwarebytes
    2015-01-29 16:24 - 2012-05-22 22:20 - 00000000 ____D () C:\ProgramData\Malwarebytes
    2015-01-29 16:24 - 2012-05-22 22:20 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2015-01-29 09:36 - 2011-10-15 04:04 - 00000000 ____D () C:\Users\owner\Documents\wusimei
    2015-01-29 00:27 - 2014-08-28 13:56 - 00000191 _____ () C:\Users\owner\AppData\Roaming\WB.CFG
    2015-01-29 00:26 - 2010-02-28 16:47 - 00000440 _____ () C:\Windows\Tasks\ParetoLogic Update Version2.job
    2015-01-28 16:32 - 2011-10-12 15:58 - 00000000 ____D () C:\Users\owner\Documents\worldschool

    ==================== Known DLLs (Whitelisted) ================


    ==================== Bamital & volsnap Check =================

    (There is no automatic fix for files that do not pass verification.)

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== Restore Points =========================

    Restore point made on: 2014-12-05 21:09:20
    Restore point made on: 2014-12-19 20:23:47
    Restore point made on: 2015-01-19 17:48:37
    Restore point made on: 2015-01-19 17:49:14
    Restore point made on: 2015-01-19 18:09:57

    ==================== Memory info ===========================

    Percentage of memory in use: 18%
    Total physical RAM: 4024.93 MB
    Available physical RAM: 3262.48 MB
    Total Pagefile: 4023.08 MB
    Available Pagefile: 3257.87 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.9 MB

    ==================== Drives ================================

    Drive c: (Gateway) (Fixed) (Total:453.94 GB) (Free:27.13 GB) NTFS
    Drive e: (PQSERVICE) (Fixed) (Total:11.72 GB) (Free:2.57 GB) NTFS
    Drive h: (KINGSTON U3) (Removable) (Total:1.9 GB) (Free:1.39 GB) FAT32
    Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 52D952D9)
    Partition 1: (Not Active) - (Size=11.7 GB) - (Type=27)
    Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
    Partition 3: (Not Active) - (Size=453.9 GB) - (Type=07 NTFS)

    ========================================================
    Disk: 1 (Size: 1.9 GB) (Disk ID: 9B9E7A1B)
    Partition 1: (Active) - (Size=1.9 GB) - (Type=0B)


    LastRegBack: 2014-12-19 20:16

    ==================== End Of Log ============================
     
  21. 2015/02/27
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    The infection is gone.
    Let's try one more fix.

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    On Vista or Windows 7/8: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the OTLPE CD.
Run FRST (FRST64) and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.
     

