Cyber Tech Help Support Forums (https://www.cybertechhelp.com/index.php)

ToKoYaMi December 12th, 2012 11:40 AM

Startup Repair pops up on Windows 7 Ultimate PC and then system restore fails...??
 
So my mom opened up her laptop one day and it appeared to be starting up normally, however when it got to the "starting windows" page, the logo didn't pop up.......and then after a short while, this appeared:

Then this:

So after pressing "Don't Send", this appeared:

I clicked the second option, "view advanced....", and this appears:

I selected System Restore, and restored it to the point where she got it, and this appeared:

then finally this:

However when I press restart, after loading normally at first the windows logo again does appear above "starting windows", and then the first image appears again.

Soooo, I'm thinking a critical system file has gone corrupt or is missing, or perhaps Malware.......does anyone know of any fix I can do to resolve the problem, or am I going to have to ask the person who gave this laptop to my mom to give me a new OS disk so that I can reinstall windows from scratch?

Thanks a ton for any help!! xD

schrauber December 12th, 2012 02:10 PM

Hello, ToKoYaMi
Welcome to the CyberTechHelp Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.

Please use black color for your text instead of red.


  1. Please download Farbar Recovery Scan Tool and save it to a flash drive.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

    Plug the flash drive into the infected PC.
  2. If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
    To make a repair disc on Windows 7 consult: http://www.sevenforums.com/tutorials...sc-create.html

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
  3. On the System Recovery Options menu you will get the following options:
      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt

    Select Command Prompt.

    Once in the Command Prompt:
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under the File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for the x64 bit version type e:\frst64) and press Enter.
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to the disclaimer.
    • Press the Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

ToKoYaMi December 12th, 2012 11:22 PM

Thanks man.

Here ya go:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-12-2012
Ran by SYSTEM at 12-12-2012 17:14:40
Running from F:\
Windows 7 Ultimate (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [262656 2009-07-13] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

==================== Services (Whitelisted) ===================

3 AeLookupSvc; C:\Windows\System32\svchost.exe -k netsvcs [20992 2009-07-13] (Microsoft Corporation)
2 DcomLaunch; C:\Windows\System32\svchost.exe -k DcomLaunch [20992 2009-07-13] (Microsoft Corporation)
3 FontCache; C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation [20992 2009-07-13] (Microsoft Corporation)
3 hidserv; C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
3 IPBusEnum; C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
3 KtmRm; C:\Windows\System32\svchost.exe -k NetworkServiceAndNoImpersonation [20992 2009-07-13] (Microsoft Corporation)
2 MMCSS; C:\Windows\System32\svchost.exe -k netsvcs [20992 2009-07-13] (Microsoft Corporation)
3 MSiSCSI; C:\Windows\System32\svchost.exe -k netsvcs [20992 2009-07-13] (Microsoft Corporation)
3 pla; C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork [20992 2009-07-13] (Microsoft Corporation)
2 RpcEptMapper; C:\Windows\System32\svchost.exe -k RPCSS [20992 2009-07-13] (Microsoft Corporation)
2 RpcSs; C:\Windows\System32\svchost.exe -k rpcss [20992 2009-07-13] (Microsoft Corporation)
3 SCardSvr; C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation [20992 2009-07-13] (Microsoft Corporation)
2 Schedule; C:\Windows\System32\svchost.exe -k netsvcs [20992 2009-07-13] (Microsoft Corporation)
3 SCPolicySvc; C:\Windows\System32\svchost.exe -k netsvcs [20992 2009-07-13] (Microsoft Corporation)
3 seclogon; C:\Windows\system32\svchost.exe -k netsvcs [20992 2009-07-13] (Microsoft Corporation)
3 sppuinotify; C:\Windows\System32\svchost.exe -k LocalService [20992 2009-07-13] (Microsoft Corporation)
3 SstpSvc; C:\Windows\System32\svchost.exe -k LocalService [20992 2009-07-13] (Microsoft Corporation)
3 TBS; C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation [20992 2009-07-13] (Microsoft Corporation)
3 W32Time; C:\Windows\System32\svchost.exe -k LocalService [20992 2009-07-13] (Microsoft Corporation)
3 WerSvc; C:\Windows\System32\svchost.exe -k WerSvcGroup [20992 2009-07-13] (Microsoft Corporation)
3 WinHttpAutoProxySvc; C:\Windows\System32\svchost.exe -k LocalService [20992 2009-07-13] (Microsoft Corporation)
2 wuauserv; C:\Windows\System32\svchost.exe -k netsvcs [20992 2009-07-13] (Microsoft Corporation)
3 wudfsvc; C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

1 AFD; C:\Windows\system32\drivers\afd.sys [338944 2009-07-13] ()
3 athr; C:\Windows\System32\DRIVERS\athr.sys [1096704 2009-07-13] ()

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2012-12-12 17:14 - 2012-12-12 17:14 - 00000000 ____D C:\FRST
2012-11-26 10:59 - 2012-11-26 13:01 - 00000000 __SHD C:\found.000
2012-11-26 07:02 - 2012-11-26 07:02 - 00000000 ____D C:\Users\Admin\AppData\Local\bdch
2012-11-26 07:01 - 2012-11-26 07:01 - 00000000 ____D C:\Users\All Users\bdch

==================== One Month Modified Files and Folders ========

2012-12-12 17:14 - 2012-12-12 17:14 - 00000000 ____D C:\FRST
2012-12-10 17:58 - 2012-09-03 06:55 - 00000000 ____D C:\users\Admin
2012-12-10 17:58 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\wfp
2012-12-10 17:58 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\DriverStore
2012-12-10 17:57 - 2012-09-03 11:50 - 00000000 ____D C:\Users\Admin\AppData\Roaming\IMVUClient
2012-12-10 17:57 - 2012-09-03 09:15 - 00000000 ____D C:\Program Files\Microsoft Visual Studio 8
2012-12-10 17:57 - 2012-09-03 09:14 - 00000000 ____D C:\Users\All Users\Microsoft Help
2012-12-10 17:57 - 2012-09-03 07:36 - 00000000 ____D C:\Program Files\WinRAR
2012-12-10 17:57 - 2012-09-03 07:23 - 00000000 ____D C:\Program Files\Mozilla Firefox
2012-12-10 17:57 - 2012-09-03 07:16 - 00000000 ____D C:\Program Files\Realtek
2012-12-10 17:57 - 2009-07-13 23:48 - 00000000 ___RD C:\Users\Public\Recorded TV
2012-12-10 17:57 - 2009-07-13 18:37 - 00000000 __RHD C:\Users\Public\Libraries
2012-12-10 17:57 - 2009-07-13 18:37 - 00000000 ___RD C:\users\Public
2012-12-10 17:57 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\de-DE
2012-12-10 17:57 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\com
2012-12-10 17:57 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\bg-BG
2012-12-10 17:57 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\ar-SA
2012-12-10 17:57 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\AdvancedInstallers
2012-12-10 17:57 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\rescache
2012-12-10 17:57 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\AppCompat
2012-12-10 17:56 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\registration
2012-12-10 17:54 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Microsoft.NET
2012-12-10 17:54 - 2009-07-13 18:37 - 00000000 ____D C:\Program Files\Common Files\System
2012-11-26 13:47 - 2012-09-03 13:49 - 00000000 ____D C:\Program Files\Zune
2012-11-26 13:01 - 2012-11-26 10:59 - 00000000 __SHD C:\found.000
2012-11-26 13:00 - 2012-09-03 15:46 - 00000000 ___RD C:\Program Files\Skype
2012-11-26 13:00 - 2012-09-03 15:46 - 00000000 ____D C:\Users\All Users\Skype
2012-11-26 13:00 - 2012-09-03 15:46 - 00000000 ____D C:\Users\Admin\AppData\Roaming\Skype
2012-11-26 07:02 - 2012-11-26 07:02 - 00000000 ____D C:\Users\Admin\AppData\Local\bdch
2012-11-26 07:01 - 2012-11-26 07:01 - 00000000 ____D C:\Users\All Users\bdch

==================== Known DLLs (Whitelisted) =================

[2009-07-13 15:38] - [2009-07-13 17:16] - 0268800 ____A () C:\Windows\System32\WLDAP32.dll

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-08-13 15:33:34
Restore point made on: 2012-09-03 07:05:35
Restore point made on: 2012-09-03 07:11:41
Restore point made on: 2012-09-03 07:17:23
Restore point made on: 2012-09-03 07:18:11
Restore point made on: 2012-09-03 07:18:26
Restore point made on: 2012-09-03 07:18:57
Restore point made on: 2012-09-03 09:13:51
Restore point made on: 2012-09-03 13:48:22
Restore point made on: 2012-09-03 13:48:54
Restore point made on: 2012-09-13 16:58:32
Restore point made on: 2012-09-21 16:21:36
Restore point made on: 2012-09-28 20:00:14
Restore point made on: 2012-10-28 10:07:03
Restore point made on: 2012-11-12 10:28:37

==================== Memory info ===========================

Percentage of memory in use: 10%
Total physical RAM: 3834.9 MB
Available physical RAM: 3419.61 MB
Total Pagefile: 3833.18 MB
Available Pagefile: 3415.64 MB
Total Virtual: 2047.88 MB
Available Virtual: 1951.55 MB

==================== Partitions =============================

1 Drive c: (320GBSEAGATE) (Fixed) (Total:298.09 GB) (Free:127.95 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive f: () (Removable) (Total:0.93 GB) (Free:0.01 GB) FAT
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 Online 955 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 298 GB 1024 KB

================================================== =======

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C 320GBSEAGAT NTFS Partition 298 GB Healthy

================================================== =======

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 955 MB 64 KB

================================================== =======

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 F FAT Removable 955 MB Healthy

================================================== =======

Last Boot: 2012-11-24 21:35

==================== End Of Log ============================
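
As an added example (not part of this thread and not FRST's own code): a small Python parser for the section layout of the FRST log above, pulling out any file that failed the Bamital & volsnap MD5 check and any entry created under a user profile in the last month, which is the kind of triage a helper does when reading such a log. The sample log text and the wording of a failing MD5 line are constructed here; FRST's real wording for a failure may differ, so the code only tests for the exact "MD5 is legit" verdict.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the section layout of the FRST log in this thread.
# The "not legit" line is an assumed failure wording, not real FRST output.
SAMPLE_LOG = """\
==================== One Month Created Files and Folders ========

2012-12-12 17:14 - 2012-12-12 17:14 - 00000000 ____D C:\\FRST
2012-11-26 07:02 - 2012-11-26 07:02 - 00000000 ____D C:\\Users\\Admin\\AppData\\Local\\bdch
2012-11-26 07:01 - 2012-11-26 07:01 - 00000000 ____D C:\\Users\\All Users\\bdch

==================== Bamital & volsnap Check =================

C:\\Windows\\explorer.exe => MD5 is legit
C:\\Windows\\System32\\Drivers\\volsnap.sys => MD5 is not legit
"""

# Section headers look like "==================== Name ====="
SECTION_RE = re.compile(r"^=+ (.+?) =+$")
# File entries: created - modified - size attributes path (path may contain spaces)
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d{8}) (\S+) (.+)$")


def parse_sections(text):
    """Split the log into {section name: [non-empty lines]}."""
    sections = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1).strip()
            continue
        if current and line.strip():
            sections[current].append(line.rstrip())
    return sections


def failed_md5_checks(sections):
    """Paths in the Bamital & volsnap section whose verdict is not the exact 'MD5 is legit'."""
    failed = []
    for line in sections.get("Bamital & volsnap Check", []):
        path, _, verdict = line.partition(" => ")
        if verdict.strip() != "MD5 is legit":
            failed.append(path)
    return failed


def created_under_user_profiles(sections):
    """(created timestamp, path) for recent entries under C:\\Users; a triage hint, not a verdict."""
    hits = []
    for line in sections.get("One Month Created Files and Folders", []):
        m = ENTRY_RE.match(line)
        if m and m.group(5).lower().startswith("c:\\users\\"):
            hits.append((m.group(1), m.group(5)))
    return hits
```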

schrauber December 13th, 2012 08:43 AM

Do you have your windows DVD handy?

ToKoYaMi December 13th, 2012 09:35 PM

No, that's why I'm asking if there's anything I can do without a DVD, or if I should ask the person who gave the laptop to my mum if he has the OS disk....and just reinstall Windows.

schrauber December 14th, 2012 07:28 AM

It would be good to have a dvd, or borrow one so we can do some repairs.

ToKoYaMi December 16th, 2012 12:37 AM

Okay so the OS my mum's laptop is using is Windows 7 Ultimate. I know to do a repair installation I'd have to use a Windows 7 Ultimate disk, but if I did a clean reinstall I could use a Home or Professional disk, right?? (There's not anything on her HDD she's worried about losing.)

schrauber December 16th, 2012 07:12 AM

Yes, you can install whatever you want.



Copyright © Cyber Tech Help. All rights reserved. All other trademarks are the property of their respective owners.