HELP !!!!! URGENT HELP REQUIRED !

[karthik0812]

BLUE SCREEN windows & startup error:
STOP : c000021a {fatal system error}
the intial session process or systemprocess terminated with a status of 0x00000000 (0xc0000001 0x001005e8).
the system has been shut down.
on running system recovery it says can't repair, so i got FRST and scanned it, the log is as below:

---------------------------------scan log-------------------------------------------------------------------------------------------------

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:25-05-2016 01
Ran by SYSTEM on MININT-OF1S3GP (26-05-2016 15:57:57)
Running from H:\
Platform: WIN_7 (X64) Language: English (United States)
Internet Explorer Version 9
Boot Mode: Recovery
Default: ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.
==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [2264168 2011-07-12] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2785064 2011-05-05] (Synaptics Incorporated)
HKLM\...\Run: [SynAsusAcpi] => C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe [97064 2011-05-05] (Synaptics Incorporated)
HKLM\...\Run: [AtherosBtStack] => C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe [617120 2011-03-12] (Atheros Commnucations)
HKLM\...\Run: [AthBtTray] => C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe [379552 2011-03-12] (Atheros Commnucations)
HKLM\...\Run: [IntelTBRunOnce] => wscript.exe //b //nologo "C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs"
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [170256 2015-12-17] (Apple Inc.)
HKLM\...\Winlogon: [Userinit]
HKLM-x32\...\Winlogon: [Userinit]  [X]
HKLM\...\Winlogon: [Shell]  [0 ] () <=== ATTENTION
HKLM-x32\...\Winlogon: [Shell]  [0 ] () <=== ATTENTION
HKLM\...\InprocServer32: [Default-wbemess]  <==== ATTENTION
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  <==== ATTENTION
HKLM\...26dfa299cadb\InprocServer32: [Authentication UI Logon UI]  <==== ATTENTION
HKU\Default\Control Panel\Desktop\\SCRNSAVE.EXE ->
HKU\Default User\Control Panel\Desktop\\SCRNSAVE.EXE ->
HKU\karthik\...\Run: [PowerGramo] => C:\Program Files (x86)\Freebird\PowerGramo\PGStarter.exe [126976 2013-02-01] ()
HKU\karthik\...\Run: [NextLive] => C:\Windows\SysWOW64\rundll32.exe ",EntryPoint -m l
HKU\karthik\...\Run: [Spotify Web Helper] => C:\Users\karthik\AppData\Roaming\Spotify\SpotifyWebHelper.exe [1525360 2016-04-15] (Spotify Ltd)
HKU\karthik\...\Run: [iCloudServices] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [60688 2015-11-30] (Apple Inc.)
HKU\karthik\...\Run: [ApplePhotoStreams] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [61200 2015-11-30] (Apple Inc.)
HKU\karthik\Control Panel\Desktop\\SCRNSAVE.EXE ->
HKU\UpdatusUser\Control Panel\Desktop\\SCRNSAVE.EXE ->

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 AntiVirMailService; C:\Program Files (x86)\Avira\AntiVir Desktop\avmailc7.exe [955736 2016-03-08] (Avira Operations GmbH & Co. KG)
S2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [466504 2016-03-08] (Avira Operations GmbH & Co. KG)
S2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [466504 2016-03-08] (Avira Operations GmbH & Co. KG)
S4 AntiVirWebService; C:\Program Files (x86)\Avira\AntiVir Desktop\avwebg7.exe [1424880 2016-03-08] (Avira Operations GmbH & Co. KG)
S2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77104 2015-10-06] (Apple Inc.)
S2 Atheros Bt&Wlan Coex Agent; C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe [138400 2011-03-12] (Atheros)
S2 Avira.ServiceHost; C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe [280008 2016-04-24] (Avira Operations GmbH & Co. KG)
S3 Blackberry Device Manager; C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe [577536 2013-01-18] (Research In Motion Limited)
S2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1433216 2016-01-07] (Microsoft Corporation)
S2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1773696 2016-01-07] (Microsoft Corporation)
S2 i2p; C:\Program Files (x86)\i2p\I2Psvc.exe [389632 2014-09-19] (Tanuki Software, Ltd.)
S2 NitroDriverReadSpool8; C:\Program Files\Common Files\Nitro\Pro\8.0\NitroPDFDriverService8x64.exe [230408 2013-01-13] (Nitro PDF Software)
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)
S2 Change Modem Device Service; "C:\ProgramData\ChgService.exe" -service [X]
S2 UDisk Monitor; E:\Program Files\Reliance Netconnect+\bin\MonServiceUDisk.exe [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 androidusb; C:\Windows\System32\Drivers\wsadb.sys [40736 2013-10-24] (Google Inc)
S2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [154816 2016-03-08] (Avira Operations GmbH & Co. KG)
S1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [133168 2016-03-08] (Avira Operations GmbH & Co. KG)
S1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2014-07-22] (Avira Operations GmbH & Co. KG)
S2 avnetflt; C:\Windows\System32\DRIVERS\avnetflt.sys [69888 2016-03-08] (Avira Operations GmbH & Co. KG)
S3 BthMtpEnum; C:\Windows\System32\DRIVERS\BthMtpEnum.sys [64512 2009-07-13] (Microsoft Corporation)
S3 cmnsusbser; C:\Windows\System32\DRIVERS\cmnsusbser.sys [126080 2011-08-03] (QUALCOMM Incorporated)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S3 kbfiltr; C:\Windows\System32\DRIVERS\kbfiltr.sys [15416 2009-07-20] ( )
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [78336 2013-01-03] (Research In Motion Limited)
S3 RimVSerPort; C:\Windows\System32\DRIVERS\RimSerial_AMD64.sys [44544 2012-12-10] (Research in Motion Ltd)
S0 sptd; C:\Windows\System32\Drivers\sptd.sys [871408 2013-02-04] (Duplex Secure Ltd.)
S2 TurboB; C:\Windows\System32\DRIVERS\TurboB.sys [13832 2010-04-16] ()
S3 ztemtusbser; C:\Windows\System32\DRIVERS\CT_ZTEMT_U_USBSER.sys [120704 2010-11-03] (ZTEMT Incorporated)
S4 bdselfpr; no ImagePath
S2 BstHdDrv; \??\C:\Program Files (x86)\BlueStacks\HD-Hypervisor-amd64.sys [X]
S3 ew_hwusbdev; system32\DRIVERS\ew_hwusbdev.sys [X]
S3 huawei_enumerator; system32\DRIVERS\ew_jubusenum.sys [X]
S3 hwdatacard; system32\DRIVERS\ewusbmdm.sys [X]
S3 hwusbdev; system32\DRIVERS\ewusbdev.sys [X]
S3 iSafeKrnlBoot; system32\DRIVERS\iSafeKrnlBoot.sys [X]
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]
S4 vsserv; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-05-26 15:57 - 2016-05-26 15:57 - 00000000 ____D C:\FRST
2016-05-26 02:07 - 2016-05-26 02:07 - 00291256 _____ C:\Windows\ntbtlog.txt
2016-05-22 09:58 - 2016-05-22 09:58 - 00041549 _____ C:\Users\karthik\Downloads\63F5B1F1E420CE576443D3B29E6CF247ADF5080B.torrent
2016-05-21 12:38 - 2016-05-21 12:38 - 00109840 _____ C:\Users\karthik\AppData\Local\GDIPFONTCACHEV1.DAT
2016-05-21 10:37 - 2016-05-21 11:50 - 705592853 _____ C:\Users\karthik\Downloads\xart.15.12.07.lily.ivy.like.the.first.time.mp4
2016-05-21 10:36 - 2016-05-21 10:36 - 00054479 _____ C:\Users\karthik\Downloads\[kat.cr]x.art.2015.12.07.lily.ivy.like.the.first.time.mp4.1920x1080.torrent
2016-05-07 00:01 - 2016-05-07 00:01 - 00056836 _____ C:\Users\karthik\Downloads\[kat.cr]captain.america.civil.war.2016.english.700mb.hdcam.x264.downloadhub.torrent
2016-05-06 12:30 - 2016-05-06 12:30 - 00037014 _____ C:\Users\karthik\Downloads\[kat.cr]lemonade.hdtv.x264.esc.torrent

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-05-23 18:49 - 2012-09-21 07:43 - 00000000 ____D C:\Users\karthik\AppData\Roaming\uTorrent
2016-05-23 18:07 - 2014-07-15 21:04 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-05-23 15:59 - 2012-12-05 06:54 - 00000936 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3225296214-181210767-3777732035-1000UA.job
2016-05-23 11:09 - 2014-09-19 03:44 - 00000000 ____D C:\ProgramData\i2p
2016-05-23 11:09 - 2012-12-05 06:54 - 00000914 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3225296214-181210767-3777732035-1000Core.job
2016-05-23 02:07 - 2014-07-15 21:04 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-05-22 22:33 - 2013-02-16 21:41 - 00000244 _____ C:\Windows\Tasks\AutoKMSDaily.job
2016-05-21 12:35 - 2013-07-18 21:25 - 00000000 ____D C:\Users\karthik\AppData\Roaming\vlc
2016-05-20 22:12 - 2012-09-24 09:15 - 00000000 ____D C:\Users\karthik\Downloads\Video
2016-05-18 21:49 - 2012-09-24 09:15 - 00000000 ____D C:\Users\karthik\Downloads\Compressed
2016-05-18 06:05 - 2009-07-13 20:45 - 00022080 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-05-18 06:05 - 2009-07-13 20:45 - 00022080 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-05-18 05:41 - 2013-05-25 12:29 - 00000000 ____D C:\Users\karthik\AppData\Roaming\IDM
2016-05-18 05:41 - 2012-10-12 01:24 - 00000000 ____D C:\Users\karthik\AppData\Local\CrashDumps
2016-05-18 05:41 - 2012-09-18 12:47 - 00000000 ____D C:\Users\karthik\AppData\Roaming\Media Player Classic
2016-05-18 05:41 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\inf
2016-05-17 10:45 - 2012-09-24 09:15 - 00000000 ____D C:\Users\karthik\AppData\Roaming\DMCache
2016-05-17 10:15 - 2013-03-20 07:14 - 00003428 _____ C:\Windows\System32\Tasks\Apple Diagnostics
2016-05-17 02:09 - 2014-07-15 21:08 - 00002143 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-05-17 02:02 - 2014-07-15 21:04 - 00003894 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2016-05-17 02:02 - 2014-07-15 21:04 - 00003642 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2016-05-17 01:31 - 2015-08-31 05:38 - 00001094 _____ C:\Users\Public\Desktop\Avira Launcher.lnk
2016-05-17 01:31 - 2015-03-25 21:25 - 00000000 ____D C:\ProgramData\Package Cache
2016-05-17 01:27 - 2013-02-16 21:41 - 00000244 _____ C:\Windows\Tasks\AutoKMS.job
2016-05-17 01:27 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-05-10 20:28 - 2012-09-22 20:19 - 00045056 _____ C:\Windows\System32\acovcnt.exe

Some files in TEMP:
====================
C:\Users\karthik\AppData\Local\Temp\avgnt.exe


==================== Known DLLs (Whitelisted) =========================


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\dnsapi.dll => MD5 is legit
C:\Windows\SysWOW64\dnsapi.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Association (Whitelisted) =============

HKLM\...\.exe:  =>  <===== ATTENTION
HKLM\...\exefile\DefaultIcon:  <===== ATTENTION
HKLM\...\exefile\shell\open\command:  <===== ATTENTION

==================== Restore Points =========================


==================== Memory info ===========================

Percentage of memory in use: 10%
Total physical RAM: 8102.7 MB
Available physical RAM: 7258.76 MB
Total Virtual: 8100.84 MB
Available Virtual: 7254.14 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:244.04 GB) (Free:25.35 GB) NTFS
Drive e: () (Fixed) (Total:244.14 GB) (Free:52.86 GB) NTFS
Drive f: () (Fixed) (Total:210.35 GB) (Free:27.87 GB) NTFS
Drive h: (VENKY_DRIVE) (Removable) (Total:3.65 GB) (Free:3.64 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[system with boot components (obtained from drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 698.6 GB) (Disk ID: 7C12E647)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=244 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=244.1 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=210.4 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 3.7 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=3.7 GB) - (Type=0B)


LastRegBack: 2015-04-23 14:45

==================== End of FRST.txt ============================

all my data is on this laptop and my exams are coming up, i'm in desperate need for help, a fix list or a solution will be really appreciated, thanks in advance.

 

[TwinHeadedEagle]

Hello,



Download attached fixlist.txt and save it to your USB flashdrive as fixlist.txt

>> Boot into Recovery Environment


Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....

• Press the Fix button once and wait.
• FRST will process fixlist.txt
• When finished, it will produce a log fixlog.txt on your USB flashdrive.

>> Exit out of Recovery Environment and post me the log please.



Try to boot Windows normally...

 

[karthik0812]

thank you for responding, i've doe what you asked, and the fix log is as follows :

Fix result of Farbar Recovery Scan Tool (x64) Version:25-05-2016 01
Ran by SYSTEM (2016-05-29 12:39:01) Run:2
Running from H:\
Boot Mode: Recovery
==============================================

fixlist content:
*****************
createrestorepoint:
closeprocesses:
emptytemp:
C:\WINDOWS\AutoKMS
HKLM-x32\...\Winlogon: [Userinit]  [X]
HKLM\...\InprocServer32: [Default-wbemess]  <==== ATTENTION
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  <==== ATTENTION
HKLM\...26dfa299cadb\InprocServer32: [Authentication UI Logon UI]  <==== ATTENTION
S2 Change Modem Device Service; "C:\ProgramData\ChgService.exe" -service [X]
S2 UDisk Monitor; E:\Program Files\Reliance Netconnect+\bin\MonServiceUDisk.exe [X]
S4 bdselfpr; no ImagePath
S2 BstHdDrv; \??\C:\Program Files (x86)\BlueStacks\HD-Hypervisor-amd64.sys [X]
S3 ew_hwusbdev; system32\DRIVERS\ew_hwusbdev.sys [X]
S3 huawei_enumerator; system32\DRIVERS\ew_jubusenum.sys [X]
S3 hwdatacard; system32\DRIVERS\ewusbmdm.sys [X]
S3 hwusbdev; system32\DRIVERS\ewusbdev.sys [X]
S3 iSafeKrnlBoot; system32\DRIVERS\iSafeKrnlBoot.sys [X]
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]
S4 vsserv; no ImagePath
2016-05-22 22:33 - 2013-02-16 21:41 - 00000244 _____ C:\Windows\Tasks\AutoKMSDaily.job
2016-05-17 01:27 - 2013-02-16 21:41 - 00000244 _____ C:\Windows\Tasks\AutoKMS.job
HKLM\...\.exe:  =>  <===== ATTENTION
HKLM\...\exefile\DefaultIcon:  <===== ATTENTION
HKLM\...\exefile\shell\open\command:  <===== ATTENTION
HKU\karthik\...\Run: [NextLive] => C:\Windows\SysWOW64\rundll32.exe ",EntryPoint -m l

*****************

Error: Restore point can only be created in normal mode.
closeprocesses: => Error: This directive works only outside recovery mode.
emptytemp: => Error: This directive works only outside recovery mode.
C:\WINDOWS\AutoKMS => moved successfully
HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit => value restored successfully
HKLM\Software\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32\\Default => value restored successfully
HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => value restored successfully
HKLM\Software\Classes\CLSID\{7986d495-ce42-4926-8afc-26dfa299cadb}\InprocServer32\\Default => value restored successfully
Change Modem Device Service => service removed successfully
UDisk Monitor => service removed successfully
bdselfpr => service removed successfully
BstHdDrv => service removed successfully
ew_hwusbdev => service removed successfully
huawei_enumerator => service removed successfully
hwdatacard => service removed successfully
hwusbdev => service removed successfully
iSafeKrnlBoot => service removed successfully
MBAMSwissArmy => service removed successfully
vsserv => service removed successfully
C:\Windows\Tasks\AutoKMSDaily.job => moved successfully
C:\Windows\Tasks\AutoKMS.job => moved successfully
HKLM\Software\Classes\.exe\\Default => value restored successfully
HKLM\Software\Classes\exefile\DefaultIcon\\Default => value restored successfully
HKLM\Software\Classes\exefile\shell\open\command\\Default => value restored successfully
HKU\karthik\Software\Microsoft\Windows\CurrentVersion\Run\\NextLive => value removed successfully

==== End of Fixlog 12:39:04 ====

i tried to boot normally, but it still shows the same blue screen error, i really don't wanna lose my data..what do i do now ?

 

[TwinHeadedEagle]

How did this happen?

 

[karthik0812]

i really have no clue, it worked fine earlier that day, my brother borrowed it in between, but i doubt if he could've done something to cause this, why ? is it that bad ?

 

[TwinHeadedEagle]

Yes, it looks bad. I am not sure if we can fix it.

Run FRST scan again and attach fresh report.

 

[karthik0812]

okay, but can you tell me what do you think might have caused this in the first place ??

 

[karthik0812]

here is the fresh frst report :

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:25-05-2016 01
Ran by SYSTEM on MININT-P4PTHGJ (30-05-2016 15:41:18)
Running from H:\
Platform: WIN_7 (X64) Language: English (United States)
Internet Explorer Version 9
Boot Mode: Recovery
Default: ControlSet001
[b]ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.[/b]



==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [2264168 2011-07-12] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2785064 2011-05-05] (Synaptics Incorporated)
HKLM\...\Run: [SynAsusAcpi] => C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe [97064 2011-05-05] (Synaptics Incorporated)
HKLM\...\Run: [AtherosBtStack] => C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe [617120 2011-03-12] (Atheros Commnucations)
HKLM\...\Run: [AthBtTray] => C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe [379552 2011-03-12] (Atheros Commnucations)
HKLM\...\Run: [IntelTBRunOnce] => wscript.exe //b //nologo "C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs"
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [170256 2015-12-17] (Apple Inc.)
HKLM\...\Winlogon: [Userinit] 
HKLM\...\Winlogon: [Shell]  [0 ] () <=== ATTENTION
HKLM-x32\...\Winlogon: [Shell]  [0 ] () <=== ATTENTION
HKU\Default\Control Panel\Desktop\\SCRNSAVE.EXE -> 
HKU\Default User\Control Panel\Desktop\\SCRNSAVE.EXE -> 
HKU\karthik\...\Run: [PowerGramo] => C:\Program Files (x86)\Freebird\PowerGramo\PGStarter.exe [126976 2013-02-01] ()
HKU\karthik\...\Run: [Spotify Web Helper] => C:\Users\karthik\AppData\Roaming\Spotify\SpotifyWebHelper.exe [1525360 2016-04-15] (Spotify Ltd)
HKU\karthik\...\Run: [iCloudServices] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [60688 2015-11-30] (Apple Inc.)
HKU\karthik\...\Run: [ApplePhotoStreams] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [61200 2015-11-30] (Apple Inc.)
HKU\karthik\Control Panel\Desktop\\SCRNSAVE.EXE -> 
HKU\UpdatusUser\Control Panel\Desktop\\SCRNSAVE.EXE -> 

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 AntiVirMailService; C:\Program Files (x86)\Avira\AntiVir Desktop\avmailc7.exe [955736 2016-03-08] (Avira Operations GmbH & Co. KG)
S2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [466504 2016-03-08] (Avira Operations GmbH & Co. KG)
S2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [466504 2016-03-08] (Avira Operations GmbH & Co. KG)
S4 AntiVirWebService; C:\Program Files (x86)\Avira\AntiVir Desktop\avwebg7.exe [1424880 2016-03-08] (Avira Operations GmbH & Co. KG)
S2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77104 2015-10-06] (Apple Inc.)
S2 Atheros Bt&Wlan Coex Agent; C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe [138400 2011-03-12] (Atheros)
S2 Avira.ServiceHost; C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe [280008 2016-04-24] (Avira Operations GmbH & Co. KG)
S3 Blackberry Device Manager; C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe [577536 2013-01-18] (Research In Motion Limited)
S2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1433216 2016-01-07] (Microsoft Corporation)
S2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1773696 2016-01-07] (Microsoft Corporation)
S2 i2p; C:\Program Files (x86)\i2p\I2Psvc.exe [389632 2014-09-19] (Tanuki Software, Ltd.)
S2 NitroDriverReadSpool8; C:\Program Files\Common Files\Nitro\Pro\8.0\NitroPDFDriverService8x64.exe [230408 2013-01-13] (Nitro PDF Software)
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 androidusb; C:\Windows\System32\Drivers\wsadb.sys [40736 2013-10-24] (Google Inc)
S2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [154816 2016-03-08] (Avira Operations GmbH & Co. KG)
S1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [133168 2016-03-08] (Avira Operations GmbH & Co. KG)
S1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2014-07-22] (Avira Operations GmbH & Co. KG)
S2 avnetflt; C:\Windows\System32\DRIVERS\avnetflt.sys [69888 2016-03-08] (Avira Operations GmbH & Co. KG)
S3 BthMtpEnum; C:\Windows\System32\DRIVERS\BthMtpEnum.sys [64512 2009-07-13] (Microsoft Corporation)
S3 cmnsusbser; C:\Windows\System32\DRIVERS\cmnsusbser.sys [126080 2011-08-03] (QUALCOMM Incorporated)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S3 kbfiltr; C:\Windows\System32\DRIVERS\kbfiltr.sys [15416 2009-07-20] ( )
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [78336 2013-01-03] (Research In Motion Limited)
S3 RimVSerPort; C:\Windows\System32\DRIVERS\RimSerial_AMD64.sys [44544 2012-12-10] (Research in Motion Ltd)
S0 sptd; C:\Windows\System32\Drivers\sptd.sys [871408 2013-02-04] (Duplex Secure Ltd.)
S2 TurboB; C:\Windows\System32\DRIVERS\TurboB.sys [13832 2010-04-16] ()
S3 ztemtusbser; C:\Windows\System32\DRIVERS\CT_ZTEMT_U_USBSER.sys [120704 2010-11-03] (ZTEMT Incorporated)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-05-26 15:57 - 2016-05-30 15:41 - 00000000 ____D C:\FRST
2016-05-26 02:07 - 2016-05-26 02:07 - 00291256 _____ C:\Windows\ntbtlog.txt
2016-05-22 09:58 - 2016-05-22 09:58 - 00041549 _____ C:\Users\karthik\Downloads\63F5B1F1E420CE576443D3B29E6CF247ADF5080B.torrent
2016-05-21 12:38 - 2016-05-21 12:38 - 00109840 _____ C:\Users\karthik\AppData\Local\GDIPFONTCACHEV1.DAT
2016-05-21 10:37 - 2016-05-21 11:50 - 705592853 _____ C:\Users\karthik\Downloads\xart.15.12.07.lily.ivy.like.the.first.time.mp4
2016-05-21 10:36 - 2016-05-21 10:36 - 00054479 _____ C:\Users\karthik\Downloads\[kat.cr]x.art.2015.12.07.lily.ivy.like.the.first.time.mp4.1920x1080.torrent
2016-05-07 00:01 - 2016-05-07 00:01 - 00056836 _____ C:\Users\karthik\Downloads\[kat.cr]captain.america.civil.war.2016.english.700mb.hdcam.x264.downloadhub.torrent
2016-05-06 12:30 - 2016-05-06 12:30 - 00037014 _____ C:\Users\karthik\Downloads\[kat.cr]lemonade.hdtv.x264.esc.torrent

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-05-23 18:49 - 2012-09-21 07:43 - 00000000 ____D C:\Users\karthik\AppData\Roaming\uTorrent
2016-05-23 18:07 - 2014-07-15 21:04 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-05-23 15:59 - 2012-12-05 06:54 - 00000936 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3225296214-181210767-3777732035-1000UA.job
2016-05-23 11:09 - 2014-09-19 03:44 - 00000000 ____D C:\ProgramData\i2p
2016-05-23 11:09 - 2012-12-05 06:54 - 00000914 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3225296214-181210767-3777732035-1000Core.job
2016-05-23 02:07 - 2014-07-15 21:04 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-05-21 12:35 - 2013-07-18 21:25 - 00000000 ____D C:\Users\karthik\AppData\Roaming\vlc
2016-05-20 22:12 - 2012-09-24 09:15 - 00000000 ____D C:\Users\karthik\Downloads\Video
2016-05-18 21:49 - 2012-09-24 09:15 - 00000000 ____D C:\Users\karthik\Downloads\Compressed
2016-05-18 06:05 - 2009-07-13 20:45 - 00022080 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-05-18 06:05 - 2009-07-13 20:45 - 00022080 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-05-18 05:41 - 2013-05-25 12:29 - 00000000 ____D C:\Users\karthik\AppData\Roaming\IDM
2016-05-18 05:41 - 2012-10-12 01:24 - 00000000 ____D C:\Users\karthik\AppData\Local\CrashDumps
2016-05-18 05:41 - 2012-09-18 12:47 - 00000000 ____D C:\Users\karthik\AppData\Roaming\Media Player Classic
2016-05-18 05:41 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\inf
2016-05-17 10:45 - 2012-09-24 09:15 - 00000000 ____D C:\Users\karthik\AppData\Roaming\DMCache
2016-05-17 10:15 - 2013-03-20 07:14 - 00003428 _____ C:\Windows\System32\Tasks\Apple Diagnostics
2016-05-17 02:09 - 2014-07-15 21:08 - 00002143 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-05-17 02:02 - 2014-07-15 21:04 - 00003894 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2016-05-17 02:02 - 2014-07-15 21:04 - 00003642 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2016-05-17 01:31 - 2015-08-31 05:38 - 00001094 _____ C:\Users\Public\Desktop\Avira Launcher.lnk
2016-05-17 01:31 - 2015-03-25 21:25 - 00000000 ____D C:\ProgramData\Package Cache
2016-05-17 01:27 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-05-10 20:28 - 2012-09-22 20:19 - 00045056 _____ C:\Windows\System32\acovcnt.exe

Some files in TEMP:
====================
C:\Users\karthik\AppData\Local\Temp\avgnt.exe


==================== Known DLLs (Whitelisted) =========================


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\dnsapi.dll => MD5 is legit
C:\Windows\SysWOW64\dnsapi.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Association (Whitelisted) =============


==================== Restore Points =========================


==================== Memory info =========================== 

Percentage of memory in use: 10%
Total physical RAM: 8102.7 MB
Available physical RAM: 7259.87 MB
Total Virtual: 8100.84 MB
Available Virtual: 7254.88 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:244.04 GB) (Free:25.35 GB) NTFS
Drive e: () (Fixed) (Total:244.14 GB) (Free:52.86 GB) NTFS
Drive f: () (Fixed) (Total:210.35 GB) (Free:27.87 GB) NTFS
Drive h: (VENKY_DRIVE) (Removable) (Total:3.65 GB) (Free:3.64 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[system with boot components (obtained from drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 698.6 GB) (Disk ID: 7C12E647)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=244 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=244.1 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=210.4 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 3.7 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=3.7 GB) - (Type=0B)


LastRegBack: 2015-04-23 14:45

==================== End of FRST.txt ============================

 

[TwinHeadedEagle]

I am not sure. I didn't spot obvious signs of malware.

It is probably due to malfunctioned hard drive. Do you know what is your hard drive manufacturer?

Let me know if you can open CMD again in recovery again. We can try something.

 

[karthik0812]

what sould i do on command prompt ?
i've tried chkdsk, shows all disks are fine, can you please give me step by step instructions on what to try ?

 

[TwinHeadedEagle]

Can you try these two commands within Command Prompt?

bootrec.exe /fixmbr

bootrec.exe /fixboot

 

[karthik0812]

It's says "the operation completed successfully " for both commands, I tried to boot normally after, but the error still exists

 

[TwinHeadedEagle]

Do you know what is your hard drive manufacturer?

 

[karthik0812]

I don't

 

[karthik0812]

Is there a way by which I can find out ?

 

[TwinHeadedEagle]

For this operation you'll need to obtain USB Flash drive. Please download the following tools to your Desktop:

• ViVARD
• Rufus

Now we need to install hard drive test tool to your USB Flash device. Plug it into your PC and make sure to save all content from it because it will be deleted.

• Unpack ViVARD archive to your Desktop and start the Rufus tool.
• Under Device make sure that your USB Flash drive is selected.
• Beside Create a bootable disk using, you need to choose DD Image and next to it click on cd icon.
• Now navigate to extracted ViVARD folder and select image.img

• Click Start, and click OK. In few seconds the operation will be completed and you should see READY.

Next thing we need to do is to boot your USB device.

• Restart your PC and keep pressing F12 until you are presented with Boot Menu.
• Now you need to select your USB device by pressing the Enter button, something similar like on the image below:

• In the next window where it shows you 3 options, just press the Enter button.
• Now ViVARD will search for your hard drive:

• When it finds your hard drive you should see window like this. Use keyboard arrows to select your hard drive with red rectangle and press the Enter button. You should see Selected disk windows on the right.

• Again by using keyboard arrows navigate down, select Surface test with remap and press Enter

• Then you can choose to test a range of sectors on your hard disk. To fully test your hard drive, simply press 2 times the Enter button.
• ViVARD will now test your hard drive and attempt to "repair" bad sectors. It should take couple of hours to complete.
• Once the test is complete, the percentage (Percent) will be 100% and the line "Log file is Kept in report.txt" will be displayed in green at the top of the screen.

• You can now simply restart your computer by holding Ctrl + Alt + Delete buttons.
• When you get back to Windows, open your USB Flash device and VIVARD folder you should see REPORT.TXT document. Please attach it into your next reply.

 

[karthik0812]

i have attached the report, the error still persists

 

[TwinHeadedEagle]

Your hard is damaged as I suspected. You need to replace it and install new operating system.

 

[karthik0812]

Is there anyway that I can do this without losing my data ?? All of it is in there, I'll be in deep ##### if I lose it !

 

[TwinHeadedEagle]

It can be saved by booting some live Linux distribution and extracting your files to external hard drive. If you need help for it open your topic in other forum area, this one is dedicated only for malware removal.