HELP !!!!! URGENT HELP REQUIRED !

L00pht

New Member
Thread author
Feb 24, 2017
4
Hello, I have the same problem, but on a virtual Windows 7. It cannot boot, and there is no way to fix it with Windows repair.
This is the FRST.txt which I got. Can anyone make me a fixlist from this?

Thanks in advance.

Code:
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 23-02-2017 01
Ran by SYSTEM on MININT-S6VRG12 (24-02-2017 11:49:12)
Running from C:\
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery
Default: ControlSet001
[b]ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.[/b]

Tutorial for Farbar Recovery Scan Tool: [URL="http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/"]FRST Tutorial - How to use Farbar Recovery Scan Tool - Malware Removal Guides and Tutorials[/URL]

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)


==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 ftpsvc; C:\Windows\system32\inetsrv\ftpsvc.dll [350720 2012-05-31] (Microsoft Corporation)
S2 IISADMIN; C:\Windows\system32\inetsrv\inetinfo.exe [15872 2010-11-20] (Microsoft Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4355024 2017-01-19] (Malwarebytes)
S2 MSSQL$SQLEXPRESS; c:\Program Files\Microsoft SQL Server\MSSQL11.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [191064 2012-02-10] (Microsoft Corporation)
S2 NMSAccess; C:\Windows\SysWOW64\NMSAccessU.exe [71096 2009-01-11] ()
S4 SQLAgent$SQLEXPRESS; c:\Program Files\Microsoft SQL Server\MSSQL11.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [597080 2012-02-10] (Microsoft Corporation)
S2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [5702416 2015-09-11] (TeamViewer GmbH)
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
S2 WISSync; C:\WISApp\WISSvc.exe [7168 2015-05-13] ()
S3 WMSVC; C:\Windows\system32\inetsrv\wmsvc.exe [10752 2009-07-13] (Microsoft Corporation)
S4 aspnet_state; %SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe [X]
S2 clr_optimization_v4.0.30319_32; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [X]
S2 clr_optimization_v4.0.30319_64; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [X]
S4 NetMsmqActivator; "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe" -NetMsmqActivator [X]
S4 NetPipeActivator; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [X]
S4 NetTcpActivator; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [X]
S4 NetTcpPortSharing; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [X]
S2 NoIPDUCService4; C:\ha\remote\remote\ducservice.exe [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [77416 2017-01-19] ()
S1 MBAMChameleon; C:\Windows\system32\drivers\MBAMChameleon.sys [176584 2017-02-13] (Malwarebytes)
S3 MBAMFarflt; C:\Windows\system32\drivers\farflt.sys [110536 2017-02-19] (Malwarebytes)
S3 MBAMProtection; C:\Windows\system32\drivers\mbam.sys [43968 2017-02-19] (Malwarebytes)
S0 MBAMSwissArmy; C:\Windows\System32\drivers\MBAMSwissArmy.sys [251848 2017-02-19] (Malwarebytes)
S3 MBAMWebProtection; C:\Windows\system32\drivers\mwac.sys [81696 2017-02-23] (Malwarebytes)
S4 RsFx0200; C:\Windows\System32\DRIVERS\RsFx0200.sys [334936 2012-02-10] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-02-24 11:44 - 2017-02-24 11:44 - 00000856 _____ C:\Fixlog.txt
2017-02-24 09:30 - 2017-02-24 11:49 - 00000000 ____D C:\FRST
2017-02-24 09:30 - 2017-02-24 11:49 - 00000000 _____ C:\FRST.txt
2017-02-24 00:00 - 2017-02-23 23:59 - 02423296 _____ (Farbar) C:\FRST64.exe
2017-02-23 05:19 - 2017-02-23 05:19 - 00000020 ___SH C:\Users\backup.WIS-PC\ntuser.ini
2017-02-23 05:19 - 2017-02-23 05:19 - 00000000 _SHDL C:\Users\backup.WIS-PC\My Documents
2017-02-23 05:19 - 2017-02-23 05:19 - 00000000 _SHDL C:\Users\backup.WIS-PC\Documents\My Videos
2017-02-23 05:19 - 2017-02-23 05:19 - 00000000 _SHDL C:\Users\backup.WIS-PC\Documents\My Pictures
2017-02-23 05:19 - 2017-02-23 05:19 - 00000000 _SHDL C:\Users\backup.WIS-PC\Documents\My Music
2017-02-23 05:19 - 2017-02-23 05:19 - 00000000 ____D C:\Users\backup.WIS-PC\AppData\Roaming\Adobe
2017-02-23 05:19 - 2017-02-23 05:19 - 00000000 ____D C:\Users\backup.WIS-PC\AppData\Local\VirtualStore
2017-02-23 05:19 - 2017-02-23 05:19 - 00000000 ____D C:\users\backup.WIS-PC
2017-02-23 05:19 - 2010-11-20 23:16 - 00000000 ____D C:\Users\backup.WIS-PC\AppData\Roaming\Media Center Programs
2017-02-23 05:13 - 2016-08-24 01:34 - 00036864 _____ C:\Users\WIS\AppData\Roaming\AdobeART.exe
2017-02-23 04:35 - 2017-02-23 04:35 - 00000000 ____D C:\Users\Administrator.WIS-PC\AppData\Local\2BrightSparks
2017-02-23 00:31 - 2017-02-23 00:47 - 00000000 ____D C:\ne diraj
2017-02-20 10:03 - 2017-02-20 10:03 - 00000000 ____D C:\Users\WIS\AppData\Local\Vitalwerks
2017-02-13 00:27 - 2017-02-13 00:27 - 00176584 _____ (Malwarebytes) C:\Windows\System32\Drivers\MBAMChameleon.sys
2017-02-13 00:26 - 2017-02-23 05:05 - 00081696 _____ (Malwarebytes) C:\Windows\System32\Drivers\mwac.sys
2017-02-13 00:26 - 2017-02-19 23:04 - 00110536 _____ (Malwarebytes) C:\Windows\System32\Drivers\farflt.sys
2017-02-13 00:26 - 2017-02-19 23:04 - 00043968 _____ (Malwarebytes) C:\Windows\System32\Drivers\mbam.sys
2017-02-13 00:10 - 2017-02-19 23:04 - 00251848 _____ (Malwarebytes) C:\Windows\System32\Drivers\MBAMSwissArmy.sys
2017-02-13 00:10 - 2017-02-13 00:10 - 00001867 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-02-13 00:10 - 2017-02-13 00:10 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-02-13 00:10 - 2017-02-13 00:10 - 00000000 ____D C:\Program Files\Malwarebytes
2017-02-13 00:10 - 2017-01-19 22:47 - 00077416 _____ C:\Windows\System32\Drivers\mbae64.sys
2017-02-13 00:08 - 2017-02-13 00:07 - 55566792 _____ (Malwarebytes ) C:\Users\Administrator.WIS-PC\Downloads\mb3-setup-consumer-3.0.6.1469.exe
2017-02-13 00:03 - 2017-02-13 00:03 - 00245568 _____ C:\Users\Administrator.WIS-PC\Downloads\Firefox Setup Stub 51.0.1.exe
2017-02-09 23:48 - 2017-02-09 23:48 - 00000880 _____ C:\Users\WIS\Desktop\_Sava_OC - Shortcut.lnk
2017-02-09 23:48 - 2017-02-09 23:48 - 00000000 ____D C:\ProgramData\Oracle
2017-02-09 23:47 - 2017-02-09 23:47 - 00000000 ____D C:\Users\WIS\Desktop\sava_ffws
2017-02-09 07:26 - 2017-02-09 07:26 - 00000000 ____D C:\ProgramData\Vitalwerks
2017-02-09 07:22 - 2017-02-09 07:22 - 00058016 _____ C:\Users\backup\AppData\Local\GDIPFONTCACHEV1.DAT
2017-02-09 07:22 - 2017-02-09 07:22 - 00000000 ____D C:\Users\backup\AppData\Local\Vitalwerks
2017-02-09 07:14 - 2017-02-09 07:14 - 00000000 ____D C:\Users\backup\AppData\Local\TeamViewer
2017-02-09 07:12 - 2017-02-09 07:12 - 00000020 ___SH C:\Users\backup\ntuser.ini
2017-02-09 07:12 - 2017-02-09 07:12 - 00000000 _SHDL C:\Users\backup\My Documents
2017-02-09 07:12 - 2017-02-09 07:12 - 00000000 _SHDL C:\Users\backup\Documents\My Videos
2017-02-09 07:12 - 2017-02-09 07:12 - 00000000 _SHDL C:\Users\backup\Documents\My Pictures
2017-02-09 07:12 - 2017-02-09 07:12 - 00000000 _SHDL C:\Users\backup\Documents\My Music
2017-02-09 07:12 - 2017-02-09 07:12 - 00000000 ____H C:\Users\backup\Documents\Default.rdp
2017-02-09 07:12 - 2017-02-09 07:12 - 00000000 ____D C:\Users\backup\AppData\Roaming\Adobe
2017-02-09 07:12 - 2017-02-09 07:12 - 00000000 ____D C:\Users\backup\AppData\Local\VirtualStore
2017-02-09 07:12 - 2017-02-09 07:12 - 00000000 ____D C:\users\backup
2017-02-09 07:12 - 2010-11-20 23:16 - 00000000 ____D C:\Users\backup\AppData\Roaming\Media Center Programs

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-02-24 11:44 - 2009-07-13 19:20 - 00000000 ___HD C:\Windows\System32\GroupPolicy
2017-02-23 12:59 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\inetsrv
2017-02-23 05:26 - 2009-07-13 21:32 - 00000000 ____D C:\Windows\System32\FxsTmp
2017-02-23 05:22 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\inf
2017-02-23 05:22 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\Help
2017-02-23 05:21 - 2009-07-13 19:20 - 00000000 __RSD C:\Windows\Media
2017-02-23 05:21 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\Registration
2017-02-23 05:21 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\PLA
2017-02-23 05:21 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat
2017-02-23 05:19 - 2009-07-13 20:45 - 00022208 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-02-23 05:19 - 2009-07-13 20:45 - 00022208 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-02-22 07:50 - 2015-08-11 23:42 - 00000000 ____D C:\Program Files (x86)\TeamViewer
2017-02-19 23:07 - 2009-07-13 21:13 - 00991984 _____ C:\Windows\System32\PerfStringBackup.INI
2017-02-19 23:01 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-02-12 23:12 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF

==================== Known DLLs (Whitelisted) =========================


==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe
[2016-10-12 00:29] - [2016-08-29 07:04] - 3229696 ____A (Microsoft Corporation) 38AE1B3C38FAEF56FE4907922F0385BA

C:\Windows\SysWOW64\explorer.exe
[2016-10-12 00:29] - [2016-08-29 06:55] - 2972672 ____A (Microsoft Corporation) 6DDCA324434FFA506CF7DC4E51DB7935

C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll
[2016-12-13 14:13] - [2016-11-10 08:32] - 1009152 ____A (Microsoft Corporation) 34BA256FBF83457F9D5E51A56DB54542

C:\Windows\SysWOW64\User32.dll
[2016-12-13 14:13] - [2016-11-10 08:19] - 0833024 ____A (Microsoft Corporation) 3CB074875AC88A7C1010A2A7F9881A8C

C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\dnsapi.dll => MD5 is legit
C:\Windows\SysWOW64\dnsapi.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Association (Whitelisted) =============


==================== Restore Points =========================

Restore point date: 2017-01-16 03:02
Restore point date: 2017-01-17 12:54
Restore point date: 2017-01-24 04:47
Restore point date: 2017-01-24 17:03
Restore point date: 2017-01-27 10:55
Restore point date: 2017-01-28 21:03
Restore point date: 2017-01-29 19:03
Restore point date: 2017-02-02 21:03
Restore point date: 2017-02-07 10:12
Restore point date: 2017-02-14 14:39
Restore point date: 2017-02-14 15:01
Restore point date: 2017-02-21 05:40
Restore point date: 2017-02-24 07:41

==================== BCD ================================

Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=Y:
path                    \bootmgr
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {default}
resumeobject            {aa5aad3a-7f03-11e4-835d-c58457326f39}
displayorder            {default}
toolsdisplayorder       {memdiag}
timeout                 30

Windows Boot Loader
-------------------
identifier              {default}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {current}
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \Windows
resumeobject            {aa5aad3a-7f03-11e4-835d-c58457326f39}
nx                      OptIn

Windows Boot Loader
-------------------
identifier              {current}
device                  ramdisk=[C:]\Recovery\aa5aad3c-7f03-11e4-835d-c58457326f39\Winre.wim,{aa5aad3d-7f03-11e4-835d-c58457326f39}
path                    \windows\system32\winload.exe
description             Windows Recovery Environment
inherit                 {bootloadersettings}
osdevice                ramdisk=[C:]\Recovery\aa5aad3c-7f03-11e4-835d-c58457326f39\Winre.wim,{aa5aad3d-7f03-11e4-835d-c58457326f39}
systemroot              \windows
nx                      OptIn
winpe                   Yes

Resume from Hibernate
---------------------
identifier              {aa5aad3a-7f03-11e4-835d-c58457326f39}
device                  partition=C:
path                    \Windows\system32\winresume.exe
description             Windows Resume Application
locale                  en-US
inherit                 {resumeloadersettings}
filedevice              partition=C:
filepath                \hiberfil.sys
debugoptionenabled      No

Windows Memory Tester
---------------------
identifier              {memdiag}
device                  partition=Y:
path                    \boot\memtest.exe
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {globalsettings}
badmemoryaccess         Yes

EMS Settings
------------
identifier              {emssettings}
bootems                 Yes

Debugger Settings
-----------------
identifier              {dbgsettings}
debugtype               Serial
debugport               1
baudrate                115200

RAM Defects
-----------
identifier              {badmemory}

Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}

Boot Loader Settings
--------------------
identifier              {bootloadersettings}
inherit                 {globalsettings}
                        {hypervisorsettings}

Hypervisor Settings
-------------------
identifier              {hypervisorsettings}
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200

Resume Loader Settings
----------------------
identifier              {resumeloadersettings}
inherit                 {globalsettings}

Device options
--------------
identifier              {aa5aad3d-7f03-11e4-835d-c58457326f39}
description             Ramdisk Options
ramdisksdidevice        partition=C:
ramdisksdipath          \Recovery\aa5aad3c-7f03-11e4-835d-c58457326f39\boot.sdi


==================== Memory info ===========================

Percentage of memory in use: 10%
Total physical RAM: 8191.55 MB
Available physical RAM: 7340.29 MB
Total Virtual: 8189.75 MB
Available Virtual: 7318.38 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:159.9 GB) (Free:97.48 GB) NTFS
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.02 GB) NTFS ==>[system with boot components (obtained from drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 160 GB) (Disk ID: E3C085C4)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=159.9 GB) - (Type=07 NTFS)

LastRegBack: 2017-02-21 15:09

==================== End of FRST.txt ============================
 
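The "Services", "Drivers" and "One Month Created files" sections of an FRST log above are where a first-pass triage usually starts: service entries whose publisher field is empty "()" or whose file is gone "[X]", binaries running from outside Windows or Program Files, unsigned executables dropped under a user's AppData, and freshly created user profile folders. The script below is an added example written for this thread, not part of the original post and not a Farbar tool; it parses those line formats and lists the entries a responder would want to look at first. Its sample input is a handful of lines copied from the log above, and its "trusted directory" list and the reason strings are my own assumptions, chosen to illustrate the triage, not an authoritative whitelist.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines in the FRST format, copied from the log in
# this thread (service lines from "Services", file lines from "One Month
# Created files and folders").
SAMPLE_LOG = r"""
==================== Services (Whitelisted) ====================

S2 ftpsvc; C:\Windows\system32\inetsrv\ftpsvc.dll [350720 2012-05-31] (Microsoft Corporation)
S2 NMSAccess; C:\Windows\SysWOW64\NMSAccessU.exe [71096 2009-01-11] ()
S2 WISSync; C:\WISApp\WISSvc.exe [7168 2015-05-13] ()
S4 NetMsmqActivator; "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe" -NetMsmqActivator [X]
S2 NoIPDUCService4; C:\ha\remote\remote\ducservice.exe [X]

==================== One Month Created files and folders ========

2017-02-23 05:13 - 2016-08-24 01:34 - 00036864 _____ C:\Users\WIS\AppData\Roaming\AdobeART.exe
2017-02-13 00:27 - 2017-02-13 00:27 - 00176584 _____ (Malwarebytes) C:\Windows\System32\Drivers\MBAMChameleon.sys
2017-02-09 07:12 - 2017-02-09 07:12 - 00000000 ____D C:\users\backup
"""

# "S2 name; <path> [size date] (publisher)"  or  "S2 name; <path> [X]"
SERVICE_RE = re.compile(r"^(?P<start>[SR]\d) (?P<name>[^;]+); (?P<rest>.*)$")
SERVICE_FILE_RE = re.compile(
    r"^(?P<path>.*) \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<publisher>[^)]*)\)$"
)
# "created - modified - size attrs (publisher)? path"
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>\S{5}) (?:\((?P<publisher>[^)]*)\) )?(?P<path>.*)$"
)

# Assumed "expected" locations for service binaries; anything else gets flagged.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")
EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".scr")


@dataclass
class Finding:
    section: str
    item: str
    reasons: list


def _check_service(section, line):
    m = SERVICE_RE.match(line)
    if not m:
        return None
    reasons = []
    rest = m.group("rest")
    if rest.endswith("[X]"):
        # FRST marks the entry [X] when the registry still references a file
        # that no longer exists on disk: an orphaned or removed binary.
        reasons.append("registry entry points at a file that is missing")
    else:
        fm = SERVICE_FILE_RE.match(rest)
        if fm:
            if not fm.group("publisher").strip():
                reasons.append("no publisher / version info")
            if not fm.group("path").lower().startswith(TRUSTED_DIRS):
                reasons.append("binary outside Windows / Program Files")
    return Finding(section, m.group("name"), reasons) if reasons else None


def _check_file(section, line):
    m = FILE_RE.match(line)
    if not m:
        return None
    reasons = []
    path, attrs = m.group("path"), m.group("attrs")
    lower = path.lower()
    publisher = (m.group("publisher") or "").strip()
    if "\\appdata\\" in lower and lower.endswith(EXECUTABLE_EXT) and not publisher:
        reasons.append("unsigned executable under a user profile")
    # A brand-new directory directly under C:\Users is a newly created account.
    if attrs.endswith("D") and lower.startswith("c:\\users\\") and lower.count("\\") == 2:
        reasons.append("new user profile directory")
    return Finding(section, path, reasons) if reasons else None


def triage(log_text):
    """Walk an FRST log and return the entries worth a closer look, in order."""
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("===="):
            section = line.strip("= ").strip()  # e.g. "Services (Whitelisted)"
            continue
        if section.startswith(("Services", "Drivers")):
            f = _check_service(section, line)
        elif "files and folders" in section:
            f = _check_file(section, line)
        else:
            f = None
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.item}: {'; '.join(f.reasons)}")
```

Run against the sample it lists NMSAccess and WISSync (no publisher, WISSync also outside the usual directories), the two orphaned [X] services, the AdobeART.exe dropped in AppData\Roaming, and the new C:\users\backup profile. Being on that list is a reason to investigate, not proof of compromise: legitimate in-house services and leftover entries from uninstalled software show up the same way.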

L00pht

New Member
Thread author
Feb 24, 2017
4
Hello,

How did this problem happen? Can you boot to recovery options?
Hello,

I found a trojan file on my computer (Adobeart.exe), which I cleaned with Malwarebytes. I also found a user created with the name backup, and I deleted this user, because it was not created by me. The same day at night I saw that I could not connect to my computer through the RDP connection (RDP connection through the VPN). After I restarted my virtual machine there was no way to boot normally again. I tried to boot in safe mode, or to make a restore to an earlier date, but when I tried this it said that it cannot do the restore because protection is not on on the disk, or something like that (can't remember ATM). Then I rebooted to recovery options and I tried to scan with FRST. I found some attentions about exe association and about some group policy, which I fixed with my own fixlist. Still there are no changes during boot. Maybe I can't see more irregular things in my FRST report, so I'm asking whether anyone can help me to fix it if the problem is visible in the report. Thanks for the fast response mate.
 

L00pht

New Member
Thread author
Feb 24, 2017
4
In that case, you will need to reinstall your system.
Thanks. I did it before I posted my problem. I'm trying to recover the system just because of some programs for which I don't have an installation any more. I saved the data from the disk, because I have a backup of the data, and I can mount the virtual disk, but I just cannot boot from the disk. Anyway, thanks once more for your time. If I find any solution I will share it with the community.
Regards!
 
