Need assistance with removal of Ukash virus or malware

chris

New Member
Thread author
Verified
May 15, 2013
21
Can someone please help me?
I got hit with a Ukash virus and I was not able to boot into safe mode. I tried using HITMAN PRO and that did not help because after I booted up, my computer would not allow me to type any key, and when I did, it would beep. The next thing I tried was the Kaspersky recovery disc; it quarantined 2 infections, but when I rebooted, it took me to the Windows login screen without the login icon, so I rebooted and then I ended up with constant rebooting with a BSOD with some error code. I did not try the OTL LOG and aswMBR LOG because I cannot install on my computer.
Any help is much appreciated.
 

Fiery

Level 1
Jan 11, 2011
2,007
RE: Ukash virus or malware

Hi chris and welcome to MalwareTips! :)

I'm Fiery and I would gladly assist you in removing the malware on your computer.

PLEASE NOTE: The first 3 posts of ALL new members require approval by mods/admins. Please be patient if you don't see your post immediately after submitting it.

Before we start:
  • Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
  • Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
  • Please be patient and stay with me until I give you the green light and inform you that your PC is clean.
  • Some tools may be flagged by your antivirus as harmful. Rest assured that ALL the tools we use are safe; the detections are false positives.
  • The absence of symptoms does not mean your PC is fully disinfected.
  • If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
  • Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.

Download Farbar Recovery Scan Tool from the below link:
  • For 64 bit systems download Farbar Recovery Scan Tool x64 (http://download.bleepingcomputer.com/farbar/FRST64.exe) and save it to a USB/flash drive.
  • Plug the flash drive into the infected PC.
  • Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

  • On the System Recovery Options menu you will get the following options:

    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt

  1. Select Command Prompt
  2. In the command window type in notepad and press Enter.
  3. The notepad opens. Under File menu select Open.
  4. Select "Computer" and find your flash drive letter and close the notepad.
  5. In the command window type e:\frst64 and press Enter
     Note: Replace letter e with the drive letter of your flash drive.
  6. The tool will start to run.
  7. When the tool opens click Yes to disclaimer.
  8. Press Scan button.
  9. FRST will let you know when the scan is complete and has written the FRST.txt to file, close the message.
  10. Type exit
  11. Please copy and paste FRST.txt in your next reply
 

chris

New Member
Thread author
Verified
May 15, 2013
21
Hi Fiery, please see the log.

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 14-05-2013
Ran by SYSTEM on 15-05-2013 22:20:22
Running from H:\
Windows 7 Professional (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
HKLM-x32\...\Winlogon: [Userinit] [x]
HKLM-x32\...\Winlogon: [Shell] [x ] ()
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$ddd85ca5843ad1758edfaf3b85a27c37\n. ATTENTION! ====> ZeroAccess
HKU\Chris\...\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2736128 2010-06-16] (Hewlett-Packard Company)
Lsa: [Notification Packages] DPPassFilter scecli
Startup: C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
BootExecute: autocheck autochk * C:\PROGRA~2\AVG\AVG2012\avgrsa.exe /sync /restart

==================== Services (Whitelisted) =================

S2 ac.sharedstore; C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe [277032 2009-06-03] (ActivIdentity)
S2 avgfws; C:\Program Files (x86)\AVG\AVG2012\avgfws.exe [2321560 2012-12-05] (AVG Technologies CZ, s.r.o.)
S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe [5174392 2012-11-02] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [193288 2012-02-14] (AVG Technologies CZ, s.r.o.)
S2 DpHost; C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpHostW.exe [462088 2009-11-13] (DigitalPersona, Inc.)
S3 FLCDLOCK; C:\Windows\SysWOW64\flcdlock.exe [362040 2009-11-17] (Hewlett-Packard Ltd)
S2 HP ProtectTools Service; C:\Program Files (x86)\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe [36864 2009-09-11] (Hewlett-Packard Development Company, L.P)
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S2 Mcx2Svc; C:\Windows\SysWOW64\Mcx2Svc.dll [1873408 2012-12-13] ()
S2 pdfcDispatcher; C:\Program Files (x86)\PDF Complete\pdfsvc.exe [635416 2009-10-23] (PDF Complete Inc)
S2 ServicepointService; C:\Program Files (x86)\Bell\Internet Service Advisor\ServicepointService.exe [689464 2011-01-06] (Radialpoint Inc.)
S2 tvnserver; C:\Program Files\TightVNC\tvnserver.exe [1696824 2012-11-20] (GlavSoft LLC.)
S2 vToolbarUpdater14.2.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe [968880 2013-02-18] ()
S4 RemoteAccess; %SystemRoot%\SysWOW64\mpreim.dll [x]

==================== Drivers (Whitelisted) ====================

S1 Avgfwfd; C:\Windows\System32\DRIVERS\avgfwd6a.sys [48992 2011-05-22] (AVG Technologies CZ, s.r.o.)
S3 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [127328 2012-12-10] (AVG Technologies CZ, s.r.o. )
S3 AVGIDSFilter; C:\Windows\System32\DRIVERS\avgidsfiltera.sys [29776 2011-12-23] (AVG Technologies CZ, s.r.o. )
S0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [28480 2012-04-19] (AVG Technologies CZ, s.r.o. )
S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [307040 2012-11-08] (AVG Technologies CZ, s.r.o.)
S1 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [47696 2011-12-23] (AVG Technologies CZ, s.r.o.)
S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [36944 2012-01-31] (AVG Technologies CZ, s.r.o.)
S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [384800 2013-04-10] (AVG Technologies CZ, s.r.o.)
S1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [39768 2013-02-18] (AVG Technologies)
S3 DAMDrv; C:\Windows\System32\DRIVERS\DAMDrv64.sys [40760 2009-10-21] (Hewlett-Packard Development Company L.P.)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [74752 2011-07-25] (Research In Motion Limited)
S3 RimVSerPort; C:\Windows\System32\DRIVERS\RimSerial_AMD64.sys [44032 2011-07-20] (Research in Motion Ltd)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-05-15 22:20 - 2013-05-15 22:20 - 00000000 ____D C:\FRST
2013-05-12 03:11 - 2013-05-12 03:11 - 00000069 ____A C:\.directory
2013-05-12 03:11 - 2013-05-12 03:11 - 00000068 ____A C:\Program Files\.directory
2013-05-11 10:42 - 2013-05-11 09:45 - 00000000 ___AD C:\Users\Chris\Desktop\mbam-chameleon-1.62.1.1000
2013-05-11 10:39 - 2013-05-11 14:46 - 331023414 ____A C:\Windows\MEMORY.DMP
2013-05-09 20:05 - 2013-05-09 20:05 - 71565312 ____A C:\Windows\System32\config\SOFTWARE.bhv
2013-05-09 20:05 - 2013-05-09 20:05 - 21757952 ____A C:\Windows\System32\config\SYSTEM.bhv
2013-05-09 20:05 - 2013-05-09 20:05 - 00262144 ____A C:\Windows\System32\config\SECURITY.bhv
2013-05-09 20:05 - 2013-05-09 20:05 - 00262144 ____A C:\Windows\System32\config\SAM.bhv
2013-05-09 20:05 - 2013-05-09 20:05 - 00262144 ____A C:\Windows\System32\config\DEFAULT.bhv
2013-05-09 19:36 - 2013-05-09 19:36 - 00000000 ___AD C:\$Anvi Rescue Disk$
2013-05-08 18:41 - 2013-05-08 18:41 - 00147791 ____A C:\ProgramData\2433f433
2013-05-08 18:41 - 2013-05-08 18:41 - 00147761 ____A C:\Users\Chris\AppData\Local\2433f433
2013-05-08 18:41 - 2013-05-08 18:41 - 00147755 ____A C:\Users\Chris\AppData\Roaming\2433f433
2013-04-23 19:34 - 2013-04-12 06:45 - 01656680 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2013-04-17 17:08 - 2013-04-17 17:08 - 00000000 ____D C:\Windows\System32\appmgmt

==================== One Month Modified Files and Folders =======

2013-05-15 22:20 - 2013-05-15 22:20 - 00000000 ____D C:\FRST
2013-05-12 03:11 - 2013-05-12 03:11 - 00000069 ____A C:\.directory
2013-05-12 03:11 - 2013-05-12 03:11 - 00000068 ____A C:\Program Files\.directory
2013-05-12 03:10 - 2012-08-15 18:30 - 00000000 ____D C:\Program Files\Hewlett-Packard
2013-05-11 14:46 - 2013-05-11 10:39 - 331023414 ____A C:\Windows\MEMORY.DMP
2013-05-11 14:37 - 2012-10-14 08:51 - 00000000 ____D C:\Users\Chris\AppData\Local\Nero_AG
2013-05-11 14:37 - 2012-09-06 10:22 - 00000000 ____D C:\Users\Chris\AppData\Roaming\Azureus
2013-05-11 14:37 - 2012-09-06 10:20 - 00000000 ____D C:\Users\Chris\AppData\Local\Conduit
2013-05-11 14:37 - 2012-09-04 13:16 - 00000000 ____D C:\ProgramData\Skype
2013-05-11 14:37 - 2012-08-16 19:46 - 00000000 ____D C:\Users\Chris\AppData\Roaming\vlc
2013-05-11 14:37 - 2012-08-16 18:39 - 00000000 ____D C:\Users\Chris\AppData\Roaming\AVG2012
2013-05-11 14:37 - 2012-08-16 18:37 - 00000000 ____D C:\Windows\System32\Drivers\AVG
2013-05-11 14:37 - 2012-08-15 18:40 - 00000000 ____D C:\users\Chris
2013-05-11 14:37 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2013-05-11 14:36 - 2012-09-04 13:16 - 00000000 ___RD C:\Program Files (x86)\Skype
2013-05-11 14:36 - 2012-08-19 18:49 - 00000000 __RHD C:\MSOCache
2013-05-11 10:24 - 2009-07-13 23:45 - 00000000 ___RD C:\Users\Public\Recorded TV
2013-05-11 09:45 - 2013-05-11 10:42 - 00000000 ___AD C:\Users\Chris\Desktop\mbam-chameleon-1.62.1.1000
2013-05-10 21:26 - 2012-09-04 17:25 - 00000000 ____D C:\ProgramData\HPQLOG
2013-05-10 21:07 - 2012-08-15 21:26 - 00000000 ____D C:\ProgramData\PDFC
2013-05-09 20:05 - 2013-05-09 20:05 - 71565312 ____A C:\Windows\System32\config\SOFTWARE.bhv
2013-05-09 20:05 - 2013-05-09 20:05 - 21757952 ____A C:\Windows\System32\config\SYSTEM.bhv
2013-05-09 20:05 - 2013-05-09 20:05 - 00262144 ____A C:\Windows\System32\config\SECURITY.bhv
2013-05-09 20:05 - 2013-05-09 20:05 - 00262144 ____A C:\Windows\System32\config\SAM.bhv
2013-05-09 20:05 - 2013-05-09 20:05 - 00262144 ____A C:\Windows\System32\config\DEFAULT.bhv
2013-05-09 19:36 - 2013-05-09 19:36 - 00000000 ___AD C:\$Anvi Rescue Disk$
2013-05-08 18:41 - 2013-05-08 18:41 - 00147791 ____A C:\ProgramData\2433f433
2013-05-08 18:41 - 2013-05-08 18:41 - 00147761 ____A C:\Users\Chris\AppData\Local\2433f433
2013-05-08 18:41 - 2013-05-08 18:41 - 00147755 ____A C:\Users\Chris\AppData\Roaming\2433f433
2013-05-01 20:13 - 2013-04-10 16:49 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-05-01 19:42 - 2012-08-16 19:56 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-05-01 15:19 - 2012-08-15 18:29 - 01260133 ____A C:\Windows\WindowsUpdate.log
2013-05-01 02:42 - 2012-08-16 19:56 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-04-30 19:22 - 2009-07-13 21:13 - 00730320 ____A C:\Windows\System32\PerfStringBackup.INI
2013-04-26 08:16 - 2012-08-24 19:55 - 00000052 ____A C:\Windows\SysWOW64\DOErrors.log
2013-04-25 07:47 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-04-25 07:47 - 2009-07-13 20:45 - 00009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-04-23 23:16 - 2009-07-13 21:08 - 00032612 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-04-23 23:16 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-04-23 23:16 - 2009-07-13 20:51 - 00046538 ____A C:\Windows\setupact.log
2013-04-23 10:02 - 2012-08-24 21:48 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-04-20 06:24 - 2012-08-17 13:48 - 00000000 ____D C:\Users\Chris\AppData\Roaming\dvdcss
2013-04-17 17:08 - 2013-04-17 17:08 - 00000000 ____D C:\Windows\System32\appmgmt
2013-04-17 17:01 - 2012-08-15 18:34 - 00054066 ____A C:\Windows\PFRO.log
2013-04-17 05:23 - 2012-08-16 18:34 - 00000000 ____D C:\ProgramData\MFAData
2013-04-17 05:22 - 2012-08-16 18:38 - 00000967 ____A C:\Users\Public\Desktop\AVG 2012.lnk

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-601097968-3376715065-3952815089-1001\$ddd85ca5843ad1758edfaf3b85a27c37

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$ddd85ca5843ad1758edfaf3b85a27c37

==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-04-08 19:40:40
Restore point made on: 2013-04-10 16:39:08
Restore point made on: 2013-04-15 21:10:27
Restore point made on: 2013-04-17 17:09:29
Restore point made on: 2013-04-23 23:00:20
Restore point made on: 2013-05-01 20:27:17
Restore point made on: 2013-05-10 14:48:29

==================== Memory info ===========================

Percentage of memory in use: 9%
Total physical RAM: 12087.25 MB
Available physical RAM: 10972.74 MB
Total Pagefile: 12085.4 MB
Available Pagefile: 10969.18 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:97.66 GB) (Free:26.87 GB) NTFS (Disk=0 Partition=2)
Drive e: (Data) (Fixed) (Total:143.59 GB) (Free:103.81 GB) NTFS (Disk=0 Partition=3)
Drive f: (Chris) (Fixed) (Total:54.84 GB) (Free:24.42 GB) NTFS (Disk=0 Partition=4)
Drive h: (KINGSTON) (Removable) (Total:15.01 GB) (Free:15.01 GB) FAT32 (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:2 GB) (Free:1.46 GB) NTFS (Disk=0 Partition=1) ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: CF95AB5F)
Partition 1: (Active) - (Size=2 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=98 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=144 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=55 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 15 GB) (Disk ID: 04030201)
Partition 1: (Active) - (Size=15 GB) - (Type=0C)


Last Boot: 2013-05-03 20:17

==================== End Of Log ============================
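The FRST log above is what a helper reads to build fixlist.txt, and the next reply in this thread does that selection by hand. As an added illustration (not part of this thread and not FRST's own code; FRST is Farbar's tool and this script only prepares text for it), here is a Python script that scans FRST.txt-style lines for the three indicators visible in this log: FRST's own `ATTENTION! ====> ZeroAccess` verdict on the hijacked InprocServer32 key, the `ZeroAccess:` folder blocks, and the same 8-hex-digit file name (`2433f433`) dropped into ProgramData and both AppData folders at the same minute. The function names (`analyze_frst`, `fixlist_text`), the regexes and the "same hex name in several folders" heuristic are my assumptions; the sample input is an excerpt of the log posted above. The output is meant for a helper to review before it is used as a fixlist, because FRST acts on every line it is given.

```python
import re
from collections import defaultdict

# Excerpt of the FRST.txt posted in this thread (the lines a helper acted on,
# plus a benign service line and a benign folder entry for contrast).
SAMPLE_LOG = "\n".join([
    r"HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)",
    r"HKLM-x32\...\Winlogon: [Userinit] [x]",
    r"HKLM-x32\...\Winlogon: [Shell] [x ] ()",
    r"HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$ddd85ca5843ad1758edfaf3b85a27c37\n. ATTENTION! ====> ZeroAccess",
    r"S2 tvnserver; C:\Program Files\TightVNC\tvnserver.exe [1696824 2012-11-20] (GlavSoft LLC.)",
    r"2013-05-08 18:41 - 2013-05-08 18:41 - 00147791 ____A C:\ProgramData\2433f433",
    r"2013-05-08 18:41 - 2013-05-08 18:41 - 00147761 ____A C:\Users\Chris\AppData\Local\2433f433",
    r"2013-05-08 18:41 - 2013-05-08 18:41 - 00147755 ____A C:\Users\Chris\AppData\Roaming\2433f433",
    r"2013-04-17 17:08 - 2013-04-17 17:08 - 00000000 ____D C:\Windows\System32\appmgmt",
    "ZeroAccess:",
    r"C:\$Recycle.Bin\S-1-5-21-601097968-3376715065-3952815089-1001\$ddd85ca5843ad1758edfaf3b85a27c37",
    "",
    "ZeroAccess:",
    r"C:\$Recycle.Bin\S-1-5-18\$ddd85ca5843ad1758edfaf3b85a27c37",
])

# "created files" entry: created - modified - size attributes [(vendor)] path
FILE_ENTRY = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d+ "
    r"[_A-Z]+ (?:\([^)]*\) )?(?P<path>[A-Za-z]:\\.*)$"
)
HEX_NAME = re.compile(r"^[0-9a-fA-F]{8}$")      # e.g. 2433f433
WINLOGON = re.compile(r"Winlogon: \[(?P<value>Userinit|Shell)\] \[x ?\]")


def analyze_frst(text):
    """Return {'findings': [...], 'fixlist': [...]} for FRST.txt-style text."""
    findings, fixlist, seen = [], [], set()
    hex_hits = defaultdict(list)   # file name -> log lines carrying that name
    lines = text.splitlines()

    def add_fix(entry):
        if entry not in seen:      # keep the first occurrence only
            seen.add(entry)
            fixlist.append(entry)

    for i, line in enumerate(lines):
        # 1. FRST's own verdict on a hijacked COM registration: keep the whole
        #    log line, which is the form the helper pasted into fixlist.txt.
        if "ATTENTION!" in line and "ZeroAccess" in line:
            findings.append("registry hijack flagged by FRST: " + line.split(":")[0])
            add_fix(line)
            continue
        # 2. "ZeroAccess:" header: the next non-blank line is the hidden folder.
        if line.strip() == "ZeroAccess:":
            rest = [l.strip() for l in lines[i + 1:] if l.strip()]
            if rest:
                findings.append("ZeroAccess folder: " + rest[0])
                add_fix(rest[0])
            continue
        # 3. Winlogon Userinit/Shell shown as [x]: damaged, report only.
        m = WINLOGON.search(line)
        if m:
            findings.append("Winlogon [%s] reported as [x]; review by hand" % m.group("value"))
            continue
        # 4. Collect created files whose name is exactly 8 hex digits.
        m = FILE_ENTRY.match(line)
        if m:
            name = m.group("path").rsplit("\\", 1)[-1]
            if HEX_NAME.match(name):
                hex_hits[name].append(line)

    # Heuristic (my assumption, taken from this log): one random hex name
    # dropped into several data/profile folders at once is treated as a set.
    for name, entries in sorted(hex_hits.items()):
        if len(entries) >= 2:
            findings.append("%s dropped in %d locations" % (name, len(entries)))
            for entry in entries:
                add_fix(entry)
    return {"findings": findings, "fixlist": fixlist}


def fixlist_text(result):
    """Render the candidate lines as the contents of fixlist.txt."""
    return "\n".join(result["fixlist"]) + "\n"


if __name__ == "__main__":
    result = analyze_frst(SAMPLE_LOG)
    for f in result["findings"]:
        print("FINDING:", f)
    print("--- fixlist.txt (candidate, review before use) ---")
    print(fixlist_text(result), end="")
```

Run as a script it prints the findings and the candidate fixlist; the two Winlogon `[x]` entries are reported but not added to the fixlist, matching what the helper in this thread did.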
 

chris

New Member
Thread author
Verified
May 15, 2013
21
Hi Fiery, I am not sure if the log got posted but I am reposting it as an attachment.
 

Attachments

  • FRST.txt
    13.1 KB · Views: 131

Fiery

Level 1
Jan 11, 2011
2,007
Hi,

Open notepad and copy & paste the following:

HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$ddd85ca5843ad1758edfaf3b85a27c37\n. ATTENTION! ====> ZeroAccess
C:\$Recycle.Bin\S-1-5-18\$ddd85ca5843ad1758edfaf3b85a27c37\
2013-05-08 18:41 - 2013-05-08 18:41 - 00147791 ____A C:\ProgramData\2433f433
2013-05-08 18:41 - 2013-05-08 18:41 - 00147761 ____A C:\Users\Chris\AppData\Local\2433f433
2013-05-08 18:41 - 2013-05-08 18:41 - 00147755 ____A C:\Users\Chris\AppData\Roaming\2433f433
ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-601097968-3376715065-3952815089-1001\$ddd85ca5843ad1758edfaf3b85a27c37
ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$ddd85ca5843ad1758edfaf3b85a27c37

and save it as fixlist.txt onto your flash drive.

Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log.

Attempt to reboot your PC normally. If successful,

Download TDSSkiller from here
  • Double-Click on TDSSKiller.exe to run the application
  • When TDSSKiller opens, click Change parameters, check the box next to Loaded modules. A reboot will be required.
  • After reboot, TDSSKiller will run again. Click Change parameters again and make sure everything is checked.
    [image: clip.jpg]
  • Click Start scan.
  • If a suspicious object is detected, the default action will be Skip, click on Continue. (If it says TDL4/TDSS file system, select delete)
  • If malicious objects are found, ensure Cure (default) is selected, then click Continue and Reboot now to finish the cleaning process.

Post the log after (usually in the C:\ folder, in the form of TDSSKiller.[Version]_[Date]_[Time]_log.txt)

Download Malwarebytes Anti-Rootkit from here to your Desktop
  • Unzip the contents to a folder on your Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
  • After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
  • When done, please post the two logs in the MBAR folder (mbar-log.txt and system-log.txt)
 

chris

New Member
Thread author
Verified
May 15, 2013
21
Hi Fiery,
I ran the fixlist and then rebooted the computer normally but I was still getting the BSOD.

here is the log for the fixlist:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 14-05-2013
Ran by SYSTEM at 2013-05-16 19:50:54 Run:1
Running from H:\
Boot Mode: Recovery
==============================================

HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.
C:\$Recycle.Bin\S-1-5-18\$ddd85ca5843ad1758edfaf3b85a27c37\ => Moved successfully.
C:\ProgramData\2433f433 => Moved successfully.
C:\Users\Chris\AppData\Local\2433f433 => Moved successfully.
C:\Users\Chris\AppData\Roaming\2433f433 => Moved successfully.
C:\$Recycle.Bin\S-1-5-21-601097968-3376715065-3952815089-1001\$ddd85ca5843ad1758edfaf3b85a27c37 => Moved successfully.
C:\$Recycle.Bin\S-1-5-18\$ddd85ca5843ad1758edfaf3b85a27c37 => File/Directory not found.

==== End of Fixlog ====
 

chris

New Member
Thread author
Verified
May 15, 2013
21
Hi Fiery,
Please see the attached log for the 2nd scan of FRST.
 

Attachments

  • FRST.txt
    12.3 KB · Views: 129

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Hi,

I will be taking over your thread as Fiery will be away for the next couple of days.

Are you able to boot the computer in safe mode with networking?
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Shall we try a system restore on your computer now?


  1. Turn on or restart the computer.
  2. Press and tap the F8 key about every second until you see the Advanced Boot Options.
  3. Select Repair your computer and press Enter.
  4. Select your keyboard language preferences and click on Next.
  5. Select your user name and type in the password, and then click on OK.
  6. Select the option system restore.
    [image: choose-recovery-tool.jpg]

Now select a restore point from when the computer was working fine and restore the computer to that date.
 

chris

New Member
Thread author
Verified
May 15, 2013
21
When I boot up, it loads all the drivers in system32 like a DOS message. Then it shows the progress bar for a split second before the Windows 7 login screen. After that the BSOD occurs with a standard message and "Technical information" of STOP 0x000000F4 before rebooting again.
 

chris

New Member
Thread author
Verified
May 15, 2013
21
Hi Kuttus,
It is a Windows 7 Recovery Media for Windows 7 products by HP. It says HP Restore Plus. It comes with 4 disks: HP Restore Plus, Operating System DVD, Language Pack and HP Security Software Suite. I tried using the disk but it wants to reformat my drive, which at this point I am unwilling to do, but if I have no choice then I will have to reformat.
 
