ransomware makes unable to boot in safe mode


rojon

I am posting from a different computer as my main computer is infected with the (FBI) ransomware virus. I am unable to get into safe mode as it fails, all other such methods have failed. I have been able to boot in by the Hiren's boot cd and it allows me to run and update malwarebytes, which does locate and removes viruses, but then once I reboot the computer, I still get the ransom screen. 


When you use the Hiren's boot CD, can you get to a USB flash drive?

If so, download FRST to a USB flash drive, boot up the computer using Hiren's and navigate to the flash drive:

FRST <--- direct download

Now double click on FRST and click scan

When the scan completes it will place the log on the flash drive

Copy and paste it back here.

MrC


Boot back up as before with the usb flash drive

Run FRST and in the Search Box

Type the following in the edit box after "Search:".

user32.dll

It then should look like:

Search: user32.dll

Click Search button and post the log (Search.txt) it makes to your reply.

MrC


Thanks, if I did this right then this is the log.

---

Farbar Recovery Scan Tool (x86) Version:17-08-2014 01
Ran by SYSTEM at 2014-08-18 16:58:58
Running from G:\
Boot Mode: Recovery
 
================== Search: "user32.dll" ===================
 
C:\WINDOWS\system32\user32.dll
[2006-02-28 12:00][2009-03-21 14:18] 0616960 ____A (Microsoft Corporation) c1c683966d6d6d2d3bb17b41987224db     
 
C:\WINDOWS\system32\dllcache\user32.dll
[2006-02-28 12:00][2009-03-21 14:18] 0616960 ____A (Microsoft Corporation) f531d909f7e978dd07ed82b438aa1f58     
 
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\user32.dll
[2008-08-05 00:47][2008-04-14 00:12] 0578560 ____A (Microsoft Corporation) b26b135ff1b9f60c9388b4a7d16f600b     
 
C:\WINDOWS\$NtUninstallKB925902$\user32.dll
[2007-11-08 22:31][2005-03-02 18:09] 0577024 ____C (Microsoft Corporation) de2db164bbb35db061af0997e4499054     
 
C:\WINDOWS\$NtUninstallKB890859$\user32.dll
[2007-11-08 22:27][2006-02-28 12:00] 0577024 ____C (Microsoft Corporation) c72661f8552ace7c5c85e16a3cf505c4     
 
C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
[2007-03-08 15:48][2007-03-08 15:48] 0578048 ____A (Microsoft Corporation) 7aa4f6c00405dfc4b70ed4214e7d687b     
 
C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
[2005-03-02 18:19][2005-03-02 18:19] 0577024 ____A (Microsoft Corporation) 1800f293bccc8ede8a70e12b88d80036     
 
X:\I386\System32\user32.dll
[2012-11-07 00:00][2012-11-07 00:00] 0457728 ____A (Microsoft Corporation) 196ccb3fd6885eea9bfbe5badc62074c     
 
=== End Of Search ===

Download the attached fixlist.txt to the flash drive (only FRST and the fixlist.txt should be on there, delete anything else).

Boot up as before > run FRST > click Fix once and wait > When finished FRST will generate a log on the Flash drive (Fixlog.txt) > post it back here and see if the computer boots now

MrC


Below are the results after clicking Fix. (Also, I have not run Malwarebytes during or after any of these steps, which I assume you intended.) When I rebooted after all this, I got a blue screen with the following message: STOP: c0000139 {entry point not found} The procedure entry point GdiGetBitmapBitsSize could not be located in the dynamic link library GDI32.dll

---

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:17-08-2014 01
Ran by SYSTEM at 2014-08-18 18:01:06 Run:1
Running from G:\
Boot Mode: Recovery

==============================================

Content of fixlist:
*****************
HKLM\...99B7938DA9E4}\LocalServer32: [Default-wmiprvse]
C:\Documents and Settings\Shannon\Local Settings\Temp\First15.exe
C:\Documents and Settings\Shannon\Local Settings\Temp\VP6Install.exe
C:\Documents and Settings\Shannon\Local Settings\Temp\VP6VFW.dll
C:\Windows\Installer\{166ac00e-a9b6-dca3-2d7c-90a787ddce67}
C:\Windows\Installer\{166ac00e-a9b6-dca3-2d7c-90a787ddce67}\@
C:\RECYCLER\S-1-5-18\$166ac00ea9b6dca32d7c90a787ddce67
C:\RECYCLER\S-1-5-21-1409082233-602609370-839522115-1004\$166ac00ea9b6dca32d7c90a787ddce67
C:\Documents and Settings\Jon\Local Settings\Application Data\{166ac00e-a9b6-dca3-2d7c-90a787ddce67}
C:\Documents and Settings\Jon\Local Settings\Application Data\{166ac00e-a9b6-dca3-2d7c-90a787ddce67}\@
C:\Documents and Settings\Shannon\jagex_runescape_preferences.dat
Startup: C:\Documents and Settings\Jon\Start Menu\Programs\Startup\w7heodrj.lnk
ShortcutTarget: w7heodrj.lnk -> C:\DOCUME~1\Jon\LOCALS~1\Temp\jrdoeh7w.cpp (No File)
Replace: C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\user32.dll C:\WINDOWS\system32\user32.dll
Replace: C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\user32.dll C:\WINDOWS\system32\dllcache\user32.dll
*****************

HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\\Default => Value was restored successfully.
C:\Documents and Settings\Shannon\Local Settings\Temp\First15.exe => Moved successfully.
C:\Documents and Settings\Shannon\Local Settings\Temp\VP6Install.exe => Moved successfully.
C:\Documents and Settings\Shannon\Local Settings\Temp\VP6VFW.dll => Moved successfully.
C:\Windows\Installer\{166ac00e-a9b6-dca3-2d7c-90a787ddce67} => Moved successfully.
"C:\Windows\Installer\{166ac00e-a9b6-dca3-2d7c-90a787ddce67}\@" => File/Directory not found.
C:\RECYCLER\S-1-5-18\$166ac00ea9b6dca32d7c90a787ddce67 => Moved successfully.
C:\RECYCLER\S-1-5-21-1409082233-602609370-839522115-1004\$166ac00ea9b6dca32d7c90a787ddce67 => Moved successfully.
C:\Documents and Settings\Jon\Local Settings\Application Data\{166ac00e-a9b6-dca3-2d7c-90a787ddce67} => Moved successfully.
"C:\Documents and Settings\Jon\Local Settings\Application Data\{166ac00e-a9b6-dca3-2d7c-90a787ddce67}\@" => File/Directory not found.
C:\Documents and Settings\Shannon\jagex_runescape_preferences.dat => Moved successfully.
C:\Documents and Settings\Jon\Start Menu\Programs\Startup\w7heodrj.lnk => Moved successfully.
C:\DOCUME~1\Jon\LOCALS~1\Temp\jrdoeh7w.cpp not found.
C:\WINDOWS\system32\user32.dll => Moved successfully.
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\user32.dll copied successfully to C:\WINDOWS\system32\user32.dll
C:\WINDOWS\system32\dllcache\user32.dll => Moved successfully.
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\user32.dll copied successfully to C:\WINDOWS\system32\dllcache\user32.dll

==== End of Fixlog ====


Well, oddly enough, now it no longer will boot with the Hiren's. Now, even with the boot CD, it starts by saying it is booting from CD but then just goes back to the blue screen with the exact same message as above:

STOP: c0000139 {entry point not found} The procedure entry point GdiGetBitmapBitsSize could not be located in the dynamic link library GDI32.dll

 

I can't seem to get anything else now.


Sorry, strike the above, slight update... it did boot to Hiren's after a full powerdown. (I never had to do that before; it would always boot better on restart, but anyway...) Here is the search log:

Farbar Recovery Scan Tool (x86) Version:17-08-2014 01
Ran by SYSTEM at 2014-08-18 18:50:18
Running from G:\
Boot Mode: Recovery
 
================== Search: "gdi32.dll" ===================
 
C:\WINDOWS\system32\gdi32.dll
[2006-02-28 12:00][2008-10-23 13:01] 0283648 ____A (Microsoft Corporation) 0c07b16769e579f78c541773d0a2e7e0     
 
C:\WINDOWS\system32\dllcache\gdi32.dll
[2006-02-28 12:00][2008-10-23 13:01] 0283648 ___AC (Microsoft Corporation) 0c07b16769e579f78c541773d0a2e7e0     
 
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\gdi32.dll
[2008-08-05 00:45][2008-04-14 00:11] 0285184 ____A (Microsoft Corporation) b015b9134dad7e29e7d2d6b5f5c8c2fc     
 
C:\WINDOWS\$NtUninstallKB956802$\gdi32.dll
[2008-12-11 08:02][2008-02-20 06:51] 0282624 ____C (Microsoft Corporation) 011fc443e31e3d51b238564bc499b9b1     
 
C:\WINDOWS\$NtUninstallKB948590$\gdi32.dll
[2008-04-09 07:02][2007-06-19 13:31] 0282112 ____C (Microsoft Corporation) 3a0d35e8fb2ab3273558adaf92fc2f90     
 
C:\WINDOWS\$NtUninstallKB938829$\gdi32.dll
[2007-11-08 22:32][2007-03-08 15:36] 0281600 ____C (Microsoft Corporation) 9da47be6d59fd06a922dcba6739bdd2e     
 
C:\WINDOWS\$NtUninstallKB925902$\gdi32.dll
[2007-11-08 22:31][2006-02-28 12:00] 0278016 ____C (Microsoft Corporation) f5aee133bf44521852819c2202d82453     
 
C:\WINDOWS\$hf_mig$\KB956802\SP3QFE\gdi32.dll
[2008-10-23 12:43][2008-10-23 12:43] 0286720 ____A (Microsoft Corporation) 1c0d6c10f3e6b8ec4938ecf2aba862ed     
 
C:\WINDOWS\$hf_mig$\KB956802\SP3GDR\gdi32.dll
[2008-10-23 12:36][2008-10-23 12:36] 0286720 ____A (Microsoft Corporation) 8b1f3320aebb536e021a5014409862de     
 
C:\WINDOWS\$hf_mig$\KB956802\SP2QFE\gdi32.dll
[2008-10-23 12:51][2008-10-23 12:51] 0284160 ____A (Microsoft Corporation) 6052410cb57d5522574e8ddaefbc9d87     
 
C:\WINDOWS\$hf_mig$\KB948590\SP2QFE\gdi32.dll
[2008-02-20 06:52][2008-02-20 06:52] 0282624 ____A (Microsoft Corporation) 8da53c92956db86c6fb3ec87a25ba013     
 
C:\WINDOWS\$hf_mig$\KB938829\SP2QFE\gdi32.dll
[2007-06-19 13:37][2007-06-19 13:37] 0282112 ____A (Microsoft Corporation) b05ce14f2aa6c22a5807f1df2524fcb1     
 
C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\gdi32.dll
[2007-03-08 15:48][2007-03-08 15:48] 0282112 ____A (Microsoft Corporation) 40da54425e8857195e2e68c7fe67cc6e     
 
X:\I386\System32\gdi32.dll
[2012-11-07 00:00][2012-11-07 00:00] 0285184 ____A (Microsoft Corporation) b015b9134dad7e29e7d2d6b5f5c8c2fc     
 
=== End Of Search ===
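The two Search.txt listings above (user32.dll and gdi32.dll) and the "Replace:" directive in the fixlist are the kind of data a helper reads by eye. As an added example, not part of the thread and not FRST's own code, the following Python script parses FRST "Search:" output and applies two checks worth making before writing a "Replace:" line: whether the live system32 copy of a DLL still matches its dllcache protected copy by MD5 (in the user32.dll listing above they disagree, in the gdi32.dll listing they match), and whether a proposed replacement source is the same build as the file it overwrites, judged by size and modification timestamp (the SoftwareDistribution copy of user32.dll is a different size and date from the system32 copy it replaced). The sample log is constructed from the entries quoted in this thread; reading the two bracketed fields as creation and modification timestamps, and using the modification timestamp as a build proxy for Microsoft system files, are assumptions of this example.

```python
"""Sanity checks over FRST 'Search:' output before issuing a 'Replace:' directive.

Added example, not FRST code. The sample log below is constructed from the
entries quoted in this thread. Assumptions: the two bracketed fields are the
creation and modification timestamps, and the modification timestamp is used
as a proxy for the build of a Microsoft system file.
"""
import re
from dataclasses import dataclass

# Constructed sample: entries copied from the user32.dll and gdi32.dll searches.
SEARCH_LOG = r"""
================== Search: "user32.dll" ===================

C:\WINDOWS\system32\user32.dll
[2006-02-28 12:00][2009-03-21 14:18] 0616960 ____A (Microsoft Corporation) c1c683966d6d6d2d3bb17b41987224db

C:\WINDOWS\system32\dllcache\user32.dll
[2006-02-28 12:00][2009-03-21 14:18] 0616960 ____A (Microsoft Corporation) f531d909f7e978dd07ed82b438aa1f58

C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\user32.dll
[2008-08-05 00:47][2008-04-14 00:12] 0578560 ____A (Microsoft Corporation) b26b135ff1b9f60c9388b4a7d16f600b

================== Search: "gdi32.dll" ===================

C:\WINDOWS\system32\gdi32.dll
[2006-02-28 12:00][2008-10-23 13:01] 0283648 ____A (Microsoft Corporation) 0c07b16769e579f78c541773d0a2e7e0

C:\WINDOWS\system32\dllcache\gdi32.dll
[2006-02-28 12:00][2008-10-23 13:01] 0283648 ___AC (Microsoft Corporation) 0c07b16769e579f78c541773d0a2e7e0

=== End Of Search ===
"""

# "[created][modified] size attrs (company) md5", as FRST prints it.
DETAIL_RE = re.compile(
    r"^\[(?P<created>\S+ \S+)\]\[(?P<modified>\S+ \S+)\]\s+(?P<size>\d+)\s+"
    r"(?P<attrs>\S+)\s+\((?P<company>[^)]*)\)\s+(?P<md5>[0-9a-fA-F]{32})\s*$"
)
PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass(frozen=True)
class Entry:
    path: str
    created: str
    modified: str
    size: int
    attrs: str
    company: str
    md5: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_search_log(text: str) -> list:
    """Pair each path line with the detail line that follows it."""
    entries, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            pending = None            # blank or section banner ends any pending path
            continue
        m = DETAIL_RE.match(line)
        if m and pending:
            entries.append(Entry(pending, m["created"], m["modified"], int(m["size"]),
                                 m["attrs"], m["company"], m["md5"].lower()))
            pending = None
        elif PATH_RE.match(line):
            pending = line
    return entries


def dllcache_mismatches(entries: list, windir: str = r"C:\WINDOWS") -> dict:
    """Map DLL name -> True if the live system32 copy's MD5 differs from the dllcache copy.

    A live file that differs from its protected copy with identical size and timestamps
    is the classic footprint of an in-place patch rather than an update.
    """
    by_path = {e.path.lower(): e for e in entries}
    findings = {}
    for name in sorted({e.name for e in entries}):
        live = by_path.get(f"{windir}\\system32\\{name}".lower())
        cache = by_path.get(f"{windir}\\system32\\dllcache\\{name}".lower())
        if live and cache:
            findings[name] = live.md5 != cache.md5
    return findings


def replacement_report(entries: list, source_path: str, target_path: str) -> dict:
    """Describe what 'Replace: source target' would do.

    A source with a different size or modification timestamp is a different build,
    not a clean copy of the same build; the other DLLs left in system32 were not
    built against it, so its imports and exports may not line up with theirs.
    """
    by_path = {e.path.lower(): e for e in entries}
    src, dst = by_path[source_path.lower()], by_path[target_path.lower()]
    same_build = src.size == dst.size and src.modified == dst.modified
    warning = None if same_build else (
        f"{src.name}: source build {src.modified} ({src.size} bytes) differs from "
        f"target build {dst.modified} ({dst.size} bytes); check sibling DLLs first"
    )
    return {"source_md5": src.md5, "target_md5": dst.md5,
            "same_build": same_build, "warning": warning}


if __name__ == "__main__":
    found = parse_search_log(SEARCH_LOG)
    for dll, differs in dllcache_mismatches(found).items():
        print(f"{dll}: system32 vs dllcache MD5 {'DIFFER' if differs else 'match'}")
    report = replacement_report(
        found,
        r"C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\user32.dll",
        r"C:\WINDOWS\system32\user32.dll",
    )
    print(report["warning"] or "replacement is the same build as the target")
```

Run it against a real Search.txt by reading the file into SEARCH_LOG; the dllcache check only fires when both the live and the protected copy appear in the same search, so search for the bare file name rather than a full path.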

OK, new scan:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:17-08-2014 01
Ran by SYSTEM on MiniXP on 18-08-2014 19:44:23
Running from G:\
Platform: Microsoft Windows XP (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Recovery
 
The current controlset is ControlSet013
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.
 
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...99B7938DA9E4}\LocalServer32: [Default-wmiprvse]  <==== ATTENTION!
HKU\Administrator\...\RunOnce: [NeroHomeFirstStart] => C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe [10752 2006-12-23] (Nero AG)
HKU\Cindy\...\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] => C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [143360 2006-12-23] (Nero AG)
HKU\Cindy\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\qttask.exe [421888 2013-05-01] (Apple Inc.)
HKU\Default User\...\RunOnce: [NeroHomeFirstStart] => C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe [10752 2006-12-23] (Nero AG)
HKU\Guest\...\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] => C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [143360 2006-12-23] (Nero AG)
HKU\Guest\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\qttask.exe [421888 2013-05-01] (Apple Inc.)
HKU\Jon\...\Run: [swg] => C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2011-03-17] (Google Inc.)
HKU\Shannon\...\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] => C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [143360 2006-12-23] (Nero AG)
HKU\Shannon\...\Run: [DAEMON Tools Lite] => C:\Program Files\DAEMON Tools Lite\daemon.exe [486856 2008-01-17] (DT Soft Ltd)
HKU\Shannon\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\qttask.exe [421888 2013-05-01] (Apple Inc.)
HKU\Shannon\...\Run: [swg] => C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2011-03-17] (Google Inc.)
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 AffinegyService; C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe [566688 2011-02-25] (Affinegy, Inc.)
S4 LexBceS; C:\WINDOWS\system32\LEXBCES.EXE [311296 2004-05-24] (Lexmark International, Inc.)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.0.313\McCHSvc.exe [234776 2012-10-26] (McAfee, Inc.)
S2 N360; C:\Program Files\Norton Security Suite\Engine\20.5.0.28\ccSvcHst.exe [144368 2013-05-21] (Symantec Corporation)
S3 usprserv; C:\Windows\System32\svchost.exe [14336 2006-02-28] (Microsoft Corporation)
S2 Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [24652 2007-01-04] (Viewpoint Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 AFGSp50; C:\Windows\System32\Drivers\AFGSp50.sys [27072 2011-02-15] (Printing Communications Assoc., Inc. (PCAUSA))
S3 AnyDVD; C:\Windows\System32\Drivers\AnyDVD.sys [97216 2008-03-07] (SlySoft, Inc.)
S1 BHDrvx86; C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\BASHDefs\20140718.001\BHDrvx86.sys [1101616 2014-05-10] (Symantec Corporation)
S1 ccSet_N360; C:\Windows\system32\drivers\N360\1405000.01C\ccSetx86.sys [134744 2013-04-16] (Symantec Corporation)
S1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [377648 2014-07-09] (Symantec Corporation)
S1 ElbyCDIO; C:\Windows\System32\Drivers\ElbyCDIO.sys [25160 2007-08-07] (Elaborate Bytes AG)
S3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [109872 2014-06-11] (Symantec Corporation)
S3 IDSxpx86; C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\IPSDefs\20140728.001\IDSxpx86.sys [383120 2014-03-26] (Symantec Corporation)
S3 irsir; C:\Windows\System32\DRIVERS\irsir.sys [18688 2001-08-17] (Microsoft Corporation)
S3 L6UX1; C:\Windows\System32\Drivers\L6UX1.sys [571008 2010-03-25] (Line 6)
S3 NAVENG; C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20140729.004\NAVENG.SYS [93272 2014-07-09] (Symantec Corporation)
S3 NAVEX15; C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\VirusDefs\20140729.004\NAVEX15.SYS [1612376 2014-07-09] (Symantec Corporation)
S3 NCHSSVAD; C:\Windows\System32\drivers\nchssvad.sys [27136 2008-12-04] (NCH Swift Sound)
S3 P17; C:\Windows\System32\drivers\P17.sys [1389056 2005-07-07] (Creative Technology Ltd.)
S3 Rasirda; C:\Windows\System32\DRIVERS\rasirda.sys [19584 2001-08-17] (Microsoft Corporation)
S3 rtl8139; C:\Windows\System32\DRIVERS\RTL8139.SYS [20992 2004-08-03] (Realtek Semiconductor Corporation)
S0 sptd; C:\Windows\System32\Drivers\sptd.sys [716272 2008-01-24] (Duplex Secure Ltd.)
S3 SRTSP; C:\Windows\System32\Drivers\N360\1405000.01C\SRTSP.SYS [603224 2013-05-16] (Symantec Corporation)
S1 SRTSPX; C:\Windows\system32\drivers\N360\1405000.01C\SRTSPX.SYS [32344 2013-03-05] (Symantec Corporation)
S0 SymDS; C:\Windows\System32\drivers\N360\1405000.01C\SYMDS.SYS [367704 2013-05-21] (Symantec Corporation)
S0 SymEFA; C:\Windows\System32\drivers\N360\1405000.01C\SYMEFA.SYS [934488 2013-05-23] (Symantec Corporation)
S3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT.SYS [142496 2013-07-16] (Symantec Corporation)
S1 SymIRON; C:\Windows\system32\drivers\N360\1405000.01C\Ironx86.SYS [175264 2012-07-28] (Symantec Corporation)
S1 SYMTDI; C:\Windows\System32\Drivers\N360\1405000.01C\SYMTDI.SYS [396760 2013-04-25] (Symantec Corporation)
S0 videX32; C:\Windows\System32\DRIVERS\videX32.sys [9728 2006-02-23] (VIA Technologies, Inc.)
S0 xfilt; C:\Windows\System32\DRIVERS\xfilt.sys [11264 2006-02-23] (VIA Technologies,Inc)
S3 YMIDUSBW; C:\Windows\System32\drivers\ymidusbw.sys [36040 2011-11-01] (Yamaha Corporation)
S3 AFGMp50; System32\Drivers\AFGMp50.sys [X]
S3 EagleNT; \??\C:\WINDOWS\system32\drivers\EagleNT.sys [X]
S3 FXDrv32; \??\D:\FXDrv32.sys [X]
S4 IntelIde; No ImagePath
S2 npkcrypt; \??\C:\Nexon\MapleStory\npkcrypt.sys [X]
S1 WS2IFSL; 
S3 XDva273; \??\C:\WINDOWS\system32\XDva273.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-08-18 15:45 - 2014-08-18 18:44 - 00000000 ____D () C:\FRST
2014-08-01 15:28 - 2004-08-04 04:56 - 00021504 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\hidserv.dll
2014-08-01 15:28 - 2004-08-04 04:56 - 00021504 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\hidserv.dll
2014-08-01 15:28 - 2004-08-04 04:56 - 00021504 _____ (Microsoft Corporation) C:\Windows\System32\hidserv.dll
2014-08-01 15:27 - 2004-08-04 02:58 - 00014848 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\kbdhid.sys
2014-08-01 15:27 - 2004-08-04 02:58 - 00014848 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\kbdhid.sys
2014-08-01 15:27 - 2004-08-04 02:58 - 00014848 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\kbdhid.sys
2014-07-21 13:01 - 2014-07-21 13:02 - 01677928 _____ (Skype Technologies S.A.) C:\Documents and Settings\Jon\Desktop\SkypeSetup.exe
2014-07-21 12:18 - 2014-07-21 12:18 - 00000000 ____D () C:\Program Files\Common Files\Skype
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-08-18 19:44 - 2014-08-18 15:45 - 00000000 ____D () C:\FRST
2014-08-18 19:38 - 2007-11-08 14:34 - 00000049 _____ () C:\Windows\wiaservc.log
2014-08-18 19:38 - 2006-02-28 12:00 - 00002422 _____ () C:\Windows\System32\wpa.dbl
2014-08-18 18:01 - 2007-11-10 07:28 - 00000000 ____D () C:\Documents and Settings\Shannon\Local Settings\Temp
2014-08-01 23:44 - 2007-12-12 08:00 - 00002368 _____ () C:\Windows\setupact.log
2014-08-01 23:44 - 2007-11-21 22:25 - 00455626 _____ () C:\Windows\setupapi.log
2014-08-01 23:44 - 2007-11-08 20:19 - 00088723 _____ () C:\Windows\System32\nvapps.xml
2014-08-01 23:43 - 2007-11-08 14:34 - 00000159 _____ () C:\Windows\wiadebug.log
2014-08-01 22:18 - 2007-11-08 20:03 - 00000178 ___SH () C:\Documents and Settings\Jon\ntuser.ini
2014-08-01 22:18 - 2007-11-08 19:55 - 00032552 _____ () C:\Windows\SchedLgU.Txt
2014-08-01 22:18 - 2007-11-08 19:50 - 01331409 _____ () C:\Windows\WindowsUpdate.log
2014-08-01 22:17 - 2007-11-08 20:03 - 00000000 ____D () C:\Documents and Settings\Jon\Local Settings\Temp
2014-07-29 17:40 - 2010-04-17 06:18 - 00000000 ____D () C:\Documents and Settings\Shannon\Local Settings\Application Data\Google
2014-07-26 18:35 - 2010-03-23 03:09 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Norton
2014-07-26 15:05 - 2008-02-08 15:21 - 00000000 _____ () C:\Windows\COOLSYS.INI
2014-07-26 15:05 - 2008-02-08 15:19 - 00000000 ____D () C:\Program Files\Cool2000
2014-07-26 15:05 - 2008-02-07 23:03 - 00010677 _____ () C:\Windows\coolkb2k.ini
2014-07-26 15:05 - 2008-02-07 23:02 - 00023037 _____ () C:\Windows\COOL.INI
2014-07-26 14:57 - 2009-12-21 06:11 - 00000027 _____ () C:\Windows\winzip32.ini
2014-07-26 14:57 - 2006-02-28 12:00 - 00000536 _____ () C:\Windows\win.ini
2014-07-26 14:50 - 2007-12-01 03:13 - 00111404 _____ () C:\Windows\wmsetup.log
2014-07-25 11:59 - 2014-06-17 17:53 - 00001813 _____ () C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
2014-07-22 19:22 - 2013-08-25 05:57 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Skype
2014-07-21 20:00 - 2007-11-14 18:50 - 00000000 ____D () C:\Documents and Settings\Jon\Application Data\BitTorrent
2014-07-21 13:02 - 2014-07-21 13:01 - 01677928 _____ (Skype Technologies S.A.) C:\Documents and Settings\Jon\Desktop\SkypeSetup.exe
2014-07-21 12:18 - 2014-07-21 12:18 - 00000000 ____D () C:\Program Files\Common Files\Skype
2014-07-21 12:18 - 2013-08-25 06:16 - 00000000 ___RD () C:\Program Files\Skype
2014-07-21 12:17 - 2013-08-25 06:17 - 00000000 ____D () C:\Documents and Settings\Jon\Application Data\Skype
 
==================== Known DLLs (Whitelisted) ============
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe
[2006-02-28 12:00] - [2007-06-13 10:23] - 1033216 ____A (Microsoft Corporation) 97bd6515465659ff8f3b7be375b2ea87     
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2006-02-28 12:00] - [2009-02-09 10:20] - 0399360 ____A (Microsoft Corporation) 01095febf33beea00c2a0730b9b3ec28     
 
 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== Restore Points (XP) =====================
 
RP: -> 2014-07-29 00:38 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2203
RP: -> 2014-07-27 15:13 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2202
RP: -> 2014-07-25 03:38 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2200
RP: -> 2014-07-22 20:19 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2198
RP: -> 2014-07-21 19:01 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2197
RP: -> 2014-07-20 15:38 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2196
RP: -> 2014-07-19 15:03 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2195
RP: -> 2014-07-16 17:35 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2194
RP: -> 2014-07-15 14:46 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2193
RP: -> 2014-07-13 17:52 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2192
RP: -> 2014-07-12 14:37 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2191
RP: -> 2014-07-11 02:32 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2190
RP: -> 2014-07-09 12:24 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2189
RP: -> 2014-07-07 23:18 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2188
RP: -> 2014-07-06 22:10 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2187
RP: -> 2014-07-05 21:11 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2186
RP: -> 2014-07-04 17:41 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2185
RP: -> 2014-07-03 17:17 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2184
RP: -> 2014-07-02 15:08 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2183
RP: -> 2014-07-01 05:32 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2182
RP: -> 2014-06-30 03:49 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2181
RP: -> 2014-06-28 20:50 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2180
RP: -> 2014-06-27 17:31 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2179
RP: -> 2014-06-26 15:41 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2178
RP: -> 2014-06-25 14:50 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2177
RP: -> 2014-06-24 14:49 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2176
RP: -> 2014-06-22 20:55 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2175
RP: -> 2014-06-21 19:40 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2174
RP: -> 2014-06-20 12:06 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2173
RP: -> 2014-06-22 00:34 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2172
RP: -> 2014-06-20 21:08 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2171
RP: -> 2014-06-17 20:00 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2170
RP: -> 2014-06-15 16:53 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2169
RP: -> 2014-06-14 16:27 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2168
RP: -> 2014-06-12 00:47 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2167
RP: -> 2014-06-10 15:12 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2166
RP: -> 2014-06-08 17:45 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2165
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 29%
Total physical RAM: 1022.43 MB
Available physical RAM: 720.77 MB
Total Pagefile: 847.18 MB
Available Pagefile: 503.26 MB
Total Virtual: 2047.88 MB
Available Virtual: 2007.47 MB
 
==================== Drives ================================
 
Drive b: (RamDrive) (Fixed) (Total:0.25 GB) (Free:0.25 GB) NTFS
Drive c: () (Fixed) (Total:149.04 GB) (Free:36.62 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive d: () (Fixed) (Total:38.33 GB) (Free:13.25 GB) NTFS
Drive e: (HBCD 15.2) (CDROM) (Total:0.58 GB) (Free:0 GB) CDFS
Drive g: (HP v165w) (Fixed) (Total:3.73 GB) (Free:3.73 GB) FAT32
Drive x: (Mini Xp) (Fixed) (Total:0.23 GB) (Free:0.23 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 149.1 GB) (Disk ID: BFCABFCA)
Partition 1: (Active) - (Size=149 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 38.3 GB) (Disk ID: 83048304)
Partition 1: (Not Active) - (Size=38.3 GB) - (Type=07 NTFS)
 
========================================================
Disk: 2 (MBR Code: Windows XP) (Size: 3.7 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=3.7 GB) - (Type=0C)
 
==================== End Of Log ============================

This one is back or never got fixed, let's try it again:

HKLM\...99B7938DA9E4}\LocalServer32: [Default-wmiprvse]  <==== ATTENTION!

Delete the other fixlist.txt off the flash drive and use the attached one as before to run the fix.

Post back the log.

Let me know, MrC


OK, the log after running the new fixlist. You previously had asked me to reboot after running the fix, so I did that also this time... still get the blue screen with the same message about the gdi32.dll.

--

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:17-08-2014 01
Ran by SYSTEM at 2014-08-18 20:29:58 Run:2
Running from G:\
Boot Mode: Recovery
 
==============================================
 
Content of fixlist:
*****************
HKLM\...99B7938DA9E4}\LocalServer32: [Default-wmiprvse]  <==== ATTENTION!
 
*****************
 
HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\\Default => Value was restored successfully.
 
==== End of Fixlog ====

Same result, same blue screen, same message after boot, new fixlog info. And just to reiterate, I updated that computer to Service Pack 2 but not to Service Pack 3.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:17-08-2014 01
Ran by SYSTEM at 2014-08-18 21:27:01 Run:3
Running from G:\
Boot Mode: Recovery
 
==============================================
 
Content of fixlist:
*****************
Replace: C:\WINDOWS\ServicePackFiles\i386\gdi32.dll C:\WINDOWS\system32\gdi32.dll
*****************
 
Could not find C:\WINDOWS\ServicePackFiles\i386\gdi32.dll
 
==== End of Fixlog ====

These are your system restore points.

The last one was on 2014-07-29

We can try and use one of the earlier ones, like the 27th or 25th or even the 22nd.

It won't do a complete system restore if it works but only restore the registry to that date.

Hopefully after that the computer will boot.

Let me know...MrC

 

RP: -> 2014-07-29 00:38 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2203
RP: -> 2014-07-27 15:13 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2202
RP: -> 2014-07-25 03:38 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2200
RP: -> 2014-07-22 20:19 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2198
RP: -> 2014-07-21 19:01 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2197
RP: -> 2014-07-20 15:38 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2196
RP: -> 2014-07-19 15:03 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2195
RP: -> 2014-07-16 17:35 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2194
RP: -> 2014-07-15 14:46 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2193
RP: -> 2014-07-13 17:52 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2192
RP: -> 2014-07-12 14:37 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2191
RP: -> 2014-07-11 02:32 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2190
RP: -> 2014-07-09 12:24 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2189
RP: -> 2014-07-07 23:18 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2188
RP: -> 2014-07-06 22:10 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2187
RP: -> 2014-07-05 21:11 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2186
RP: -> 2014-07-04 17:41 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2185
RP: -> 2014-07-03 17:17 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2184
RP: -> 2014-07-02 15:08 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2183
RP: -> 2014-07-01 05:32 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2182
RP: -> 2014-06-30 03:49 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2181
RP: -> 2014-06-28 20:50 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2180
RP: -> 2014-06-27 17:31 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2179
RP: -> 2014-06-26 15:41 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2178
RP: -> 2014-06-25 14:50 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2177
RP: -> 2014-06-24 14:49 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2176
RP: -> 2014-06-22 20:55 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2175
RP: -> 2014-06-21 19:40 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2174
RP: -> 2014-06-20 12:06 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2173
RP: -> 2014-06-22 00:34 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2172
RP: -> 2014-06-20 21:08 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2171
RP: -> 2014-06-17 20:00 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2170
RP: -> 2014-06-15 16:53 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2169
RP: -> 2014-06-14 16:27 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2168
RP: -> 2014-06-12 00:47 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2167
RP: -> 2014-06-10 15:12 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2166
RP: -> 2014-06-08 17:45 - 028672 _restore{560D211B-82B8-4AE9-AF55-179851E8FE4A}\RP2165


I am unsure how to restore using your suggested dates. F8 does get me to the screen with Safe Mode, and I tried the Last Known Good Configuration option, but that option doesn't allow me to pick dates and just sent me back to the screen that says, "STOP: c0000139 {entry point not found} The procedure entry point GdiGetBitmapBitsSize could not be located in the dynamic link library GDI32.dll"
