TechSpot

Help with Windows Security Essentials not cleaning trojans

By Martin Johnson
Aug 15, 2012
  1. I am having the same problem that many users have had: "Windows has encountered a critical error and will be restarted in one minute." I cannot get some of the scanners loaded to my desktop to run. I have run Malwarebytes and it found nothing. I was able to run FRST64 and I will paste the file below.

    Scan result of Farbar Recovery Scan Tool Version: 14-08-2012
    Ran by SYSTEM at 14-08-2012 23:37:37
    Running from H:\
    (X64) OS Language: English(US)
    Attention: Could not load system hive.Attention: System hive is missing.
    ========================== Registry (Whitelisted) =============
    Attention: Software hive is missing.
    HKLM\...\Winlogon: [Userinit]
    HKLM-x32\...\Winlogon: [Userinit] [x]
    HKLM\...\Winlogon: [Shell] [x ] ()
    HKLM-x32\...\Winlogon: [Shell] [x ] ()
    ==================== Services (Whitelisted) ======

    ========================== Drivers (Whitelisted) =============

    ========================== NetSvcs (Whitelisted) ===========

    ============ One Month Created Files and Folders ==============
    2012-08-14 23:33 - 2012-08-14 23:33 - 00000000 ___AD \ProgramData\Recovery
    2012-08-14 23:32 - 2012-08-14 23:32 - 00000000 ___AD \Windows\ServiceProfiles
    2012-08-14 23:32 - 2012-08-14 23:32 - 00000000 ___AD \Windows\debug
    ============ 3 Months Modified Files ========================

    ========================= Known DLLs (Whitelisted) ============

    ========================= Bamital & volsnap Check ============
    C:\Windows\System32\winlogon.exe IS MISSING <==== ATTENTION!.
    C:\Windows\System32\wininit.exe IS MISSING <==== ATTENTION!.
    C:\Windows\SysWOW64\wininit.exe IS MISSING <==== ATTENTION!.
    C:\Windows\explorer.exe IS MISSING <==== ATTENTION!.
    C:\Windows\SysWOW64\explorer.exe IS MISSING <==== ATTENTION!.
    C:\Windows\System32\svchost.exe IS MISSING <==== ATTENTION!.
    C:\Windows\SysWOW64\svchost.exe IS MISSING <==== ATTENTION!.
    C:\Windows\System32\services.exe IS MISSING <==== ATTENTION!.
    C:\Windows\System32\User32.dll IS MISSING <==== ATTENTION!.
    C:\Windows\SysWOW64\User32.dll IS MISSING <==== ATTENTION!.
    C:\Windows\System32\userinit.exe IS MISSING <==== ATTENTION!.
    C:\Windows\SysWOW64\userinit.exe IS MISSING <==== ATTENTION!.
    C:\Windows\System32\Drivers\volsnap.sys IS MISSING <==== ATTENTION!.
    ==================== EXE ASSOCIATION =====================
    HKLM\...\.exe: <===== ATTENTION!
    HKLM\...\exefile\DefaultIcon: <===== ATTENTION!
    HKLM\...\exefile\open\command: <===== ATTENTION!
    ========================= Memory info ======================
    Percentage of memory in use: 14%
    Total physical RAM: 3836.02 MB
    Available physical RAM: 3260.92 MB
    Total Pagefile: 3834.17 MB
    Available Pagefile: 3241.16 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.89 MB
    ======================= Partitions =========================
    2 Drive e: (RECOVERY) (Fixed) (Total:14.5 GB) (Free:2.39 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    3 Drive f: (HP_TOOLS) (Fixed) (Total:0.09 GB) (Free:0.09 GB) FAT32
    4 Drive g: (Repair disc Windows 7 64-bit) (CDROM) (Total:0.16 GB) (Free:0 GB) UDF
    5 Drive h: () (Removable) (Total:7.44 GB) (Free:5.26 GB) FAT32
    6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    7 Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 298 GB 0 B
    Disk 1 Online 7643 MB 0 B
    Partitions of Disk 0:
    ===============
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 199 MB 1024 KB
    Partition 2 Primary 283 GB 200 MB
    Partition 3 Primary 14 GB 283 GB
    Partition 4 Primary 101 MB 297 GB
    ==================================================================================
    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 Y SYSTEM NTFS Partition 199 MB Healthy
    ==================================================================================
    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 D RAW Partition 283 GB Healthy
    ==================================================================================
    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 E RECOVERY NTFS Partition 14 GB Healthy
    ==================================================================================
    Disk: 0
    Partition 4
    Type : 0C
    Hidden: No
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 F HP_TOOLS FAT32 Partition 101 MB Healthy
    ==================================================================================
    Partitions of Disk 1:
    ===============
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 7639 MB 4032 KB
    ==================================================================================
    Disk: 1
    Partition 1
    Type : 0B
    Hidden: No
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 5 H FAT32 Removable 7639 MB Healthy
    ==================================================================================
    ======================= End Of Log ==========================
     
  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Hello, and welcome to TechSpot.


    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic where you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

    Are you sure your computer is x64?
     
  3. Martin Johnson

    Martin Johnson TS Rookie Topic Starter

    Yes, I have the OS disk that I used to install it onto my laptop that is having the problem.
     
  4. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    We are going to be using a Windows Recovery Environment to help disinfect the system.

    Download the OTLPE Network REATOGO Windows Recovery Environment.
    • Place a blank CD-R disc in to your CD burning drive.
    • Download OTLPENet.exe and double-click on it to burn to a CD using ISO Burner.
    • Reboot your system using the boot CD you just created.

      Note : If you do not know how to set your computer to boot from CD follow the steps here
    • Your system should now display a REATOGO-X-PE desktop.
    • Double-click on the OTLPE icon.
    • When asked "Do you wish to load the remote registry", select Yes
    • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
    • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
    • OTL should now start. Change the following settings
      • Change Drivers to Non-Microsoft
      • Press Run Scan to start the scan.
      • When finished, the file will be saved in drive C:\_OTL\MovedFiles
      • Copy this file to your USB drive if you do not have internet connection on this system
      • Please post the contents of the OTL.txt file in your reply.
     
  5. Martin Johnson

    Martin Johnson TS Rookie Topic Starter

    After double clicking the OTLPENet.exe icon, a dialog box called Browse for Folder comes up and is asking me to choose Windows Directory.
     
  6. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Don't quite understand. Over here on my PC, it works fine.

    Could you take a screenshot please?
     
  7. Martin Johnson

    Martin Johnson TS Rookie Topic Starter

    I cannot find the Windows folder on the C drive. Attached is a screenshot.
     

  8. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Attempt to select the SYSTEM (C:) drive there and see what happens...
     
  9. Martin Johnson

    Martin Johnson TS Rookie Topic Starter

    All I get is "Target is not Windows 2000 or later". It is a RunScanner error.
     
  10. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Ahh mercy. Please run FRST and post a new log.
     
  11. Martin Johnson

    Martin Johnson TS Rookie Topic Starter

    Let me know if I ran it correctly. I ran from inside Reatogo. I ran the 32 bit version.

    Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 18-08-2012
    Ran by SYSTEM at 18-08-2012 13:15:11
    Running from D:\
    (X86) OS Language: English(US)
    Attention: Could not load system hive.Attention: System hive is missing.
    ========================== Registry (Whitelisted) =============
    Attention: Software hive is missing.
    HKLM\...\Winlogon: [Userinit] [x]
    HKLM\...\Winlogon: [Shell] [x ] ()
    ================================ Services (Whitelisted) ==================

    ========================== Drivers (Whitelisted) =============

    ========================== NetSvcs (Whitelisted) ===========

    ============ One Month Created Files and Folders ==============

    ============ 3 Months Modified Files ========================

    ========================= Known DLLs (Whitelisted) ============

    ========================= Bamital & volsnap Check ============
    C:\Windows\explorer.exe IS MISSING <==== ATTENTION!.
    C:\Windows\System32\winlogon.exe IS MISSING <==== ATTENTION!.
    C:\Windows\System32\svchost.exe IS MISSING <==== ATTENTION!.
    C:\Windows\System32\services.exe IS MISSING <==== ATTENTION!.
    C:\Windows\System32\User32.dll IS MISSING <==== ATTENTION!.
    C:\Windows\System32\userinit.exe IS MISSING <==== ATTENTION!.
    C:\Windows\System32\Drivers\volsnap.sys IS MISSING <==== ATTENTION!.
    ==================== EXE ASSOCIATION =====================
    HKLM\...\.exe: <===== ATTENTION!
    HKLM\...\exefile\DefaultIcon: <===== ATTENTION!
    HKLM\...\exefile\open\command: <===== ATTENTION!
    ==================== Restore Points (XP) =====================

    ========================= Memory info ======================
    Percentage of memory in use: 6%
    Total physical RAM: 3579.98 MB
    Available physical RAM: 3362.84 MB
    Total Pagefile: 3401.69 MB
    Available Pagefile: 3342.6 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 2001.02 MB
    ======================= Partitions =========================
    1 Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
    2 Drive d: () (Removable) (Total:7.44 GB) (Free:5.26 GB) FAT32
    4 Drive f: (RECOVERY) (Fixed) (Total:14.5 GB) (Free:2.39 GB) NTFS
    5 Drive g: (HP_TOOLS) (Fixed) (Total:0.09 GB) (Free:0.09 GB) FAT32
    6 Drive x: (ReatogoPE) (CDROM) (Total:0.43 GB) (Free:0 GB) CDFS
    7 Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.17 GB) NTFS
    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 298 GB 0 B
    Partitions of Disk 0:
    ===============
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 199 MB 1024 KB
    Partition 2 Primary 283 GB 200 MB
    Partition 3 Primary 14 GB 283 GB
    Partition 4 Primary 101 MB 298 GB
    ==================================================================================
    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 Y SYSTEM NTFS Partition 199 MB Healthy
    ==================================================================================
    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 E Partition 283 GB Healthy
    ==================================================================================
    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 F RECOVERY NTFS Partition 14 GB Healthy
    ==================================================================================
    Disk: 0
    Partition 4
    Type : 0C
    Hidden: No
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 G HP_TOOLS FAT32 Partition 101 MB Healthy
    ==================================================================================
    ======================= End Of Log ==========================
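
    Both FRST logs in this thread (posts 1 and 11) carry the same three findings: neither the SYSTEM nor the SOFTWARE hive could be loaded, every file in the Bamital & volsnap check is reported missing, and all three .exe association keys are flagged; the 283 GB OS volume (Volume 2) is also listed as RAW in the first log and with no filesystem at all in the second. The script below is an added example, not part of the thread, of TechSpot's cleaning procedure or of FRST itself: it pulls those findings out of an FRST log and turns them into a repair-or-reinstall verdict. The BOOT_CHAIN list, the KNOWN_FS set, the verdict thresholds and the SAMPLE_LOG excerpt (trimmed from the first log above) are the example's own choices.

```python
"""Triage an FRST (Farbar Recovery Scan Tool) log for boot-chain damage.

Added example for this thread; not part of the original posts or of FRST.
Extracts unloadable hives, missing boot-chain binaries, flagged .exe
association keys and volumes without a recognised filesystem, then issues
a repair-or-reinstall verdict.
"""
import re
from dataclasses import dataclass, field

# Files reported on by FRST's "Bamital & volsnap Check" (list taken from the
# logs above).  Every one of them is needed to get from boot to a desktop.
BOOT_CHAIN = {
    "winlogon.exe", "wininit.exe", "services.exe", "svchost.exe",
    "userinit.exe", "explorer.exe", "user32.dll", "volsnap.sys",
}
KNOWN_FS = {"NTFS", "FAT32", "FAT", "EXFAT", "REFS", "CDFS", "UDF"}
VOLUME_TYPES = {"Partition", "Removable", "DVD-ROM", "CD-ROM"}

MISSING_RE = re.compile(r"^([A-Za-z]:\\\S+) IS MISSING <==== ATTENTION")
HIVE_RE = re.compile(r"Attention: ([^.]*hive[^.]*)\.", re.I)
EXE_ASSOC_RE = re.compile(r"^(HKLM\\\.\.\.\\(?:\.exe|exefile\\[^:]+)):.*<===== ATTENTION")
VOLUME_RE = re.compile(r"^\*\s+Volume\s+\d+\s+([A-Z])\s+(.*\S)\s*$")


@dataclass
class Triage:
    hive_problems: list = field(default_factory=list)       # FRST hive warnings
    missing_files: list = field(default_factory=list)       # full paths
    exe_assoc_flagged: list = field(default_factory=list)   # registry keys
    unreadable_volumes: list = field(default_factory=list)  # (letter, fs or None)

    @property
    def missing_boot_chain(self) -> set:
        names = {p.rsplit("\\", 1)[-1].lower() for p in self.missing_files}
        return names & BOOT_CHAIN

    @property
    def verdict(self) -> str:
        # Missing binaries or hijacked .exe keys can be restored from a
        # recovery environment; with the hives also unreadable there is no
        # registry left to repair offline, so only a reinstall remains.
        if self.missing_boot_chain and self.hive_problems:
            return "reinstall"
        if self.missing_boot_chain or self.exe_assoc_flagged or self.hive_problems:
            return "offline-repair"
        return "clean"


def _volume_fs(rest):
    """Fs column of a diskpart-style volume row; 'RAW' or None means unreadable."""
    tokens = rest.split()
    type_idx = next((i for i, t in enumerate(tokens) if t in VOLUME_TYPES), None)
    if not type_idx:                 # no Type column, or nothing before it
        return None
    fs = tokens[type_idx - 1]        # the token just before Type is Fs (label precedes it)
    return fs if fs.upper() in KNOWN_FS or fs.upper() == "RAW" else None


def triage_frst(log: str) -> Triage:
    t = Triage()
    for raw in log.splitlines():
        line = raw.strip()
        t.hive_problems.extend(HIVE_RE.findall(line))
        if m := MISSING_RE.match(line):
            t.missing_files.append(m.group(1))
        elif m := EXE_ASSOC_RE.match(line):
            t.exe_assoc_flagged.append(m.group(1))
        elif m := VOLUME_RE.match(line):
            fs = _volume_fs(m.group(2))
            if fs is None or fs.upper() == "RAW":
                t.unreadable_volumes.append((m.group(1), fs))
    return t


# Excerpt of the first FRST log in this thread, trimmed to the lines this
# script acts on (constructed sample input).
SAMPLE_LOG = r"""
Attention: Could not load system hive.Attention: System hive is missing.
Attention: Software hive is missing.
C:\Windows\System32\winlogon.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\wininit.exe IS MISSING <==== ATTENTION!.
C:\Windows\explorer.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\svchost.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\services.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\User32.dll IS MISSING <==== ATTENTION!.
C:\Windows\System32\userinit.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys IS MISSING <==== ATTENTION!.
HKLM\...\.exe: <===== ATTENTION!
HKLM\...\exefile\DefaultIcon: <===== ATTENTION!
HKLM\...\exefile\open\command: <===== ATTENTION!
* Volume 2 D RAW Partition 283 GB Healthy
* Volume 5 H FAT32 Removable 7639 MB Healthy
"""

if __name__ == "__main__":
    report = triage_frst(SAMPLE_LOG)
    print("missing boot chain:", sorted(report.missing_boot_chain))
    print("unreadable volumes:", report.unreadable_volumes, "verdict:", report.verdict)
```

    Run as a script it triages SAMPLE_LOG; feed `triage_frst()` the text of a real FRST.txt to triage that instead. The verdict rule follows the reasoning the helper applies in post 14: a system that is only missing some boot-chain files, or only has its .exe association keys flagged, can be repaired from a recovery environment, but once the registry hives cannot be loaded either there is nothing left to repair offline.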
     
  12. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Please boot to Safe Mode and tell me if it stays on (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).
     
  13. Martin Johnson

    Martin Johnson TS Rookie Topic Starter

    No. It does not stay on. I get the same error, "Windows has encountered a critical error and will restart in one minute".
     
  14. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    At this point, seeing that there is high system damage, there is no choice but to reformat your hard drive and reinstall your operating system.

    Do you have your OEM discs such as operating system install, recovery discs, etc?

    If not, what is the make/model of your system?
     
  15. Martin Johnson

    Martin Johnson TS Rookie Topic Starter

    Yes. I have discs.
     
  16. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

Topic Status:
Not open for further replies.
