Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Skirrel on June 01, 2011, 08:42:20 PM

Title: Acidentally deleted files with avast, now got blue screen on startup!
Post by: Skirrel on June 01, 2011, 08:42:20 PM

I used avast on a computer yesterday to scan for viruses, and it found a virus on the physical drive or MBR or something, cant remember.  I deleted the file instead of repairing it (yeah dumb mistake I know).  Now i get a blue screen on startup and have even tried using the windows xp home edition cd to repair it, but it was unsucessful. 

Is there a way to fix this?

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: essexboy on June 01, 2011, 09:02:43 PM

Hi iot sounds like it was the MBR - although having said that Avast would not have deleted it... Can you get to safe mode with networking ?

What is the make of your computer i.e. Dell etc.

Please print these instruction out so that you know what you are doing

Latest version: v3.1.46.0

OTLPENet.exe
MD5=79209302A1AFB2490808DB890A815CED
Size: 127,222,215b / 121.3MB

• Download the attached scan.txt to a USB drive
• Download OTLPENet.exe  (http://oldtimer.geekstogo.com/OTLPENet.exe) to your desktop
  
• Ensure that you have a blank CD in the drive
• Double click OTLPENet.exe and this will then open imgburn  to burn the file to CD
  
  
• Reboot your system using the boot CD you just created.

Note : If you do not know how to set your computer to boot from CD follow the steps here (http://www.hiren.info/pages/bios-boot-cdrom)

• As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads  :) 
• Your system should now display a Reatogo desktop.

Note : as you are running from CD it is not exactly speedy

• Double-click on the OTLPE icon.
  
• Select the Windows folder of the infected drive if it asks for a location
• When asked "Do you wish to load the remote registry", select Yes
  
• When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  
• Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  
• OTL should now start.
• Double click the Custom scans and fixes box
  
• In the dialogue locate the scan.txt you have on the USB
• Press Run Scan to start the scan.
  
• When finished, the file will be saved  in drive C:\OTL.txt
  
• Copy this file to your USB drive if you do not have internet connection on this system.
• Right click the file and select send to : select the USB drive. 
• Confirm that it has copied to the USB drive by selecting it
• You can backup any files that you wish from this OS
• Please post the contents of the C:\OTL.txt file in your reply.
  

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: Skirrel on June 01, 2011, 09:16:27 PM

I could not get onto safe mode with networking.  Also, what attached scan.txt are you referring to?  Excuse me for being such a newbie ;/

edit:  ok i see it.  Also, the computer is not a dell, it was made by a relative from multiple hardware components.

edit2: yes it was an MBR file, that's all i remember

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: essexboy on June 01, 2011, 11:51:20 PM

At the bottom of the post is an attachment that is the scan.txt

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: Skirrel on June 02, 2011, 06:02:16 AM

Ok so I've just started the scan.  Will this process fix my computer, or will I have to wait until after someone reads my log?

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: Skirrel on June 02, 2011, 06:25:36 AM

attached is the OTL.txt file

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: SafeSurf on June 02, 2011, 09:48:22 AM

Essexboy will be the person giving your instructions on malware removal and reviewing your logs.

I have a question for you.  When you removed or uninstalled your previous antiviruses, like Kaskpersky (KAV), AVG, and ESET, did you use the vendor's uninstaller tools or do it some other way.  KAV is still showing up in your machine.

Also, with Spyboot, do you use Teatimer (TT)?

Is your SAS the Pro version?

I notice that you also use Adaware.  This has become obsolete and most people have replaced this with MBAM (Malwarebytes), which we will have you put on your machine for better security when we are done with your malware removal and better detection rates.

While you are waiting for Essexboy, please do not make any further changes to your machine or you will have to repeat making logs.  In addition, do not sync your machine with your phone or any other devices.  Try to not use the machine for email or surfing or anything else; use anther machine or your phone if possible.  Essexboy comes on the forum late UK time. 

Let us know if you have any questions.  Thank you.

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: Skirrel on June 02, 2011, 06:19:39 PM

Quote from: SafeSurf on June 02, 2011, 09:48:22 AM

Essexboy will be the person giving your instructions on malware removal and reviewing your logs.

I have a question for you.  When you removed or uninstalled your previous antiviruses, like Kaskpersky (KAV), AVG, and ESET, did you use the vendor's uninstaller tools or do it some other way.  KAV is still showing up in your machine.

Also, with Spyboot, do you use Teatimer (TT)?

Is your SAS the Pro version?

I notice that you also use Adaware.  This has become obsolete and most people have replaced this with MBAM (Malwarebytes), which we will have you put on your machine for better security when we are done with your malware removal and better detection rates.

While you are waiting for Essexboy, please do not make any further changes to your machine or you will have to repeat making logs.  In addition, do not sync your machine with your phone or any other devices.  Try to not use the machine for email or surfing or anything else; use anther machine or your phone if possible.  Essexboy comes on the forum late UK time. 

Let us know if you have any questions.  Thank you.

I use teatimer.  superantispyware is free version.  Thanks for the info.

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: essexboy on June 02, 2011, 07:39:28 PM

Lots of other programmes run prior to this - did they find anything ?

Lets fix the MBR first

Please start OTLPE
Double-click on the MBRFix icon, a command window will open
(http://www.hdrcgb.org.uk/g2g/mbrfix1.jpg)

In the command window type in the following lines and press enter after each (please be sure you type it right) :

Code: [Select]

MbrFix  /drive  0  savembr  C:\Backup_MBR_0.bin
MbrFix  /drive  0  fixmbr  /yes
THEN

Copy the attached Fix.txt to a USB

• Insert your USB drive with fix.txt on it
• Start OTLPE
• Drag and drop fix.txt into the Custom scans and fixes box
  
• If you cannot drag and drop for some reason.  Then press the Run Fix button and a dialogue box will pop up asking for the location - select the file on your USB drive 
  
• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot when it is done to normal mode if possible
• Then post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
  

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: Skirrel on June 02, 2011, 10:27:12 PM

ok i've run the fix and rebooted the computer, but still get blue screen.  Now im going back into otlpe to do a scan so i can post another log.

edit:  am i doing this right?  What scan log would I have to use this time?

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: Skirrel on June 02, 2011, 10:33:26 PM

attached is the fix log that came out after i ran the fix.

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: essexboy on June 02, 2011, 11:12:08 PM

When you get the blue screen what does it state ?

Can you get to safe mode ?

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: Skirrel on June 03, 2011, 01:20:20 AM

actually when i try to get on it shows a black screen that says "windows cannot start because the following file is missing or corrupt -\windows\system32\config\SYSTEM".  Earlier it showed blue screen because i didnt run the MBRfix correctly; I didnt type in the code correctly or something.

how would i restore the system file?  I tried repairing it but it wouldnt work.

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: Dch48 on June 03, 2011, 01:43:19 AM

I found that file in my repair folder and I made a zip of it. I don't know if you'd be able to put it where it belongs but I can send it if you want. Essexboy would know better than me if it would work or not.

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: essexboy on June 03, 2011, 06:17:41 PM

Ah OK that is a corrupt hive in the registry

We will use an mobile operating system called xPUD, and a script called rst.sh to restore your computer.

On the clean computer.

Creating a bootable USB using xPUD

• Please download the following files and save it to the desktop
• Unetbootin.exe (http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe)
  
• xPUD (http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso) latest version is xpud-0.9.2.iso
• Insert the USB device to make bootable to the computer. (Make sure that no other USB's are inserted)
  
• Double-click on unetbootin.exe to run
• Select Disk Image, ISO and in the space provided, enter the path location of xpud-0.9.2.iso (ex. C:\Documents and Settings\yourusername\Desktop\xpud-0.9.2.iso)
  
• Select USB Drive type and the drive letter assigned to your USB stick.
  
• Click "OK" and wait until the program finishes. You now have a bootable xPUD.
  
• Download the following tool and save it inside the bootable USB
• rst.sh (http://noahdfear.net/downloads/rst.sh)

Please note: if you prefer to create a bootable CD using xPUD, you may download the ISO image found here (http://"http://www.xpud.org/download.en.html") and burn it to a CD.



On the infected computer.

• Reboot your system using the xPUD bootable USB you just created.

Note : If you do not know how to set your computer to boot from USB follow the steps here (http://pcsupport.about.com/od/tipstricks/ht/bootusbflash.htm)

• Your system should now display a xPUD desktop.
• Select on the File icon; on the right pane click on the "mnt" folder and highlight "sdb1" - this is your USB device.
  [indent]sda1,2...usually corresponds to your HDD
  sdb1 is likely your USB[/indent]
  
• Click on the "Tool" menu and select Open Terminal
  (http://noahdfear.net/hives.sh_files/image008.jpg)
  
• In the open terminal window, type in the following:

bash rst.sh

• Press "Enter" and let it run uninterrupted.
  (The program lists available Restore Points and will save a report enum.log located in the USB drive.)
  
• The program is finished when it say's "Done".
  
• Type "Exit" to close the terminal window.
  
• Please attached the enum.log file in your reply. (You may remove your USB drive when transferring log to a clean computer).

Please note: If you have an ethernet connection you can access the internet by way of xPUD (Firefox). You can perform all these steps on your sick computer. When you download the download will reside in the Download folder. It can be found under the File tab also. You can similarly access our thread by way of this OS too so you can send the logs that way.

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: Skirrel on June 03, 2011, 08:25:28 PM

I cant boot from usb, so i will have to try to boot from cd.  But your link to the xpud bootable CD doesnt work...

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: essexboy on June 03, 2011, 08:47:20 PM

There is a new product on the market made by MS - I have yet to have any need to use it.  Would you mind trying it out

Could you go here and download Microsoft System Sweeper from here http://connect.microsoft.com/systemsweeper

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: Skirrel on June 04, 2011, 04:07:07 AM

I think I'll try it sometime in the future if a virus takes over my computer and rkill.exe wont work to stop the processes.  Thanks for referring me to it though.

I've found a way to burn xpud onto cd.

heres the enum log
35.0M Jun  3 00:03 /mnt/sda1/WINDOWS/system32/config/software
6.0M Jun  2 18:10 /mnt/sda1/WINDOWS/system32/config/system

33.1M Mar  2 23:50 /sda1/~/RP842/~SOFTWARE
33.1M Mar  3 23:59 /sda1/~/RP843/~SOFTWARE
33.1M Mar  6 02:06 /sda1/~/RP845/~SOFTWARE
33.1M Mar  7 05:39 /sda1/~/RP846/~SOFTWARE
33.1M Mar  8 05:52 /sda1/~/RP847/~SOFTWARE
33.1M Mar  9 06:10 /sda1/~/RP848/~SOFTWARE
33.1M Mar 10 15:43 /sda1/~/RP849/~SOFTWARE
33.1M Mar 11 15:45 /sda1/~/RP850/~SOFTWARE
33.1M Mar 12 17:08 /sda1/~/RP851/~SOFTWARE
33.1M Mar 13 20:36 /sda1/~/RP852/~SOFTWARE
33.1M Mar 15 00:43 /sda1/~/RP853/~SOFTWARE
33.1M Mar 16 03:18 /sda1/~/RP854/~SOFTWARE
33.1M Mar 17 04:45 /sda1/~/RP855/~SOFTWARE
33.1M Mar 18 15:10 /sda1/~/RP856/~SOFTWARE
33.1M Mar 19 15:11 /sda1/~/RP857/~SOFTWARE
33.1M Mar 20 15:38 /sda1/~/RP858/~SOFTWARE
33.1M Mar 21 17:07 /sda1/~/RP859/~SOFTWARE
33.1M Mar 22 19:56 /sda1/~/RP860/~SOFTWARE
33.1M Mar 23 20:54 /sda1/~/RP861/~SOFTWARE
33.1M Mar 24 21:10 /sda1/~/RP862/~SOFTWARE
33.1M Mar 26 02:48 /sda1/~/RP863/~SOFTWARE
33.1M Mar 27 05:02 /sda1/~/RP864/~SOFTWARE
33.1M Mar 29 23:11 /sda1/~/RP866/~SOFTWARE
33.1M Mar 31 02:23 /sda1/~/RP867/~SOFTWARE
33.1M Apr  1 14:40 /sda1/~/RP868/~SOFTWARE
33.4M Apr  3 00:30 /sda1/~/RP869/~SOFTWARE
33.5M Apr  9 15:04 /sda1/~/RP870/~SOFTWARE
33.5M Apr 10 15:08 /sda1/~/RP871/~SOFTWARE
33.5M Apr 16 03:58 /sda1/~/RP872/~SOFTWARE
33.5M Apr 17 14:30 /sda1/~/RP873/~SOFTWARE
33.5M Apr 22 01:21 /sda1/~/RP874/~SOFTWARE
33.5M Apr 23 19:54 /sda1/~/RP875/~SOFTWARE
33.5M Apr 24 20:12 /sda1/~/RP876/~SOFTWARE
33.5M Apr 25 22:24 /sda1/~/RP877/~SOFTWARE
33.5M Apr 26 22:37 /sda1/~/RP878/~SOFTWARE
33.5M Apr 28 00:52 /sda1/~/RP879/~SOFTWARE
33.5M Apr 28 00:52 /sda1/~/RP880/~SOFTWARE
33.5M Apr 28 00:54 /sda1/~/RP881/~SOFTWARE
33.8M Apr 29 00:46 /sda1/~/RP882/~SOFTWARE
33.8M Apr 29 00:50 /sda1/~/RP883/~SOFTWARE
33.8M Apr 30 01:54 /sda1/~/RP884/~SOFTWARE
33.8M May  1 02:10 /sda1/~/RP885/~SOFTWARE
34.6M May  2 02:56 /sda1/~/RP887/~SOFTWARE
34.6M May  6 23:02 /sda1/~/RP888/~SOFTWARE
34.6M May  7 23:04 /sda1/~/RP889/~SOFTWARE
34.6M May  8 23:21 /sda1/~/RP890/~SOFTWARE
34.6M May 10 05:20 /sda1/~/RP891/~SOFTWARE
34.6M May 12 05:20 /sda1/~/RP892/~SOFTWARE
34.6M May 12 19:01 /sda1/~/RP893/~SOFTWARE
34.6M May 13 19:35 /sda1/~/RP894/~SOFTWARE
34.6M May 14 01:02 /sda1/~/RP895/~SOFTWARE
34.6M May 15 03:27 /sda1/~/RP896/~SOFTWARE
34.6M May 16 03:33 /sda1/~/RP897/~SOFTWARE
34.6M May 17 04:05 /sda1/~/RP898/~SOFTWARE
34.6M May 18 09:30 /sda1/~/RP899/~SOFTWARE
34.6M May 20 03:42 /sda1/~/RP900/~SOFTWARE
34.6M May 21 03:49 /sda1/~/RP901/~SOFTWARE
34.6M May 22 04:08 /sda1/~/RP902/~SOFTWARE
34.6M May 23 18:27 /sda1/~/RP903/~SOFTWARE
34.6M May 24 20:13 /sda1/~/RP904/~SOFTWARE
34.6M May 26 01:57 /sda1/~/RP905/~SOFTWARE
34.6M May 27 03:29 /sda1/~/RP906/~SOFTWARE
34.6M May 28 14:56 /sda1/~/RP907/~SOFTWARE
34.6M May 29 15:12 /sda1/~/RP908/~SOFTWARE
34.6M May 29 20:48 /sda1/~/RP909/~SOFTWARE
34.8M May 30 22:17 /sda1/~/RP910/~SOFTWARE
34.8M May 31 18:27 /sda1/~/RP911/~SOFTWARE
33.1M Mar  5 00:33 /sda1/~/RP844/~SOFTWARE
33.1M Mar 28 21:05 /sda1/~/RP865/~SOFTWARE
33.8M May  1 02:56 /sda1/~/RP886/~SOFTWARE
5.6M Mar  2 23:50 /sda1/~/RP842/~SYSTEM
5.6M Mar  3 23:59 /sda1/~/RP843/~SYSTEM
5.6M Mar  6 02:06 /sda1/~/RP845/~SYSTEM
5.6M Mar  7 05:39 /sda1/~/RP846/~SYSTEM
5.6M Mar  8 05:52 /sda1/~/RP847/~SYSTEM
5.6M Mar  9 06:10 /sda1/~/RP848/~SYSTEM
5.6M Mar 10 15:43 /sda1/~/RP849/~SYSTEM
5.6M Mar 11 15:45 /sda1/~/RP850/~SYSTEM
5.6M Mar 12 17:08 /sda1/~/RP851/~SYSTEM
5.6M Mar 13 20:36 /sda1/~/RP852/~SYSTEM
5.6M Mar 15 00:43 /sda1/~/RP853/~SYSTEM
5.6M Mar 16 03:18 /sda1/~/RP854/~SYSTEM
5.6M Mar 17 04:45 /sda1/~/RP855/~SYSTEM
5.6M Mar 18 15:10 /sda1/~/RP856/~SYSTEM
5.6M Mar 19 15:11 /sda1/~/RP857/~SYSTEM
5.6M Mar 20 15:38 /sda1/~/RP858/~SYSTEM
5.6M Mar 21 17:07 /sda1/~/RP859/~SYSTEM
5.6M Mar 22 19:56 /sda1/~/RP860/~SYSTEM
5.6M Mar 23 20:54 /sda1/~/RP861/~SYSTEM
5.6M Mar 24 21:10 /sda1/~/RP862/~SYSTEM
5.6M Mar 26 02:49 /sda1/~/RP863/~SYSTEM
5.6M Mar 27 05:02 /sda1/~/RP864/~SYSTEM
5.6M Mar 29 23:11 /sda1/~/RP866/~SYSTEM
5.6M Mar 31 02:23 /sda1/~/RP867/~SYSTEM
5.6M Apr  1 14:40 /sda1/~/RP868/~SYSTEM
5.7M Apr  3 00:30 /sda1/~/RP869/~SYSTEM
5.7M Apr  9 15:04 /sda1/~/RP870/~SYSTEM
5.7M Apr 10 15:08 /sda1/~/RP871/~SYSTEM
5.7M Apr 16 03:58 /sda1/~/RP872/~SYSTEM
5.7M Apr 17 14:30 /sda1/~/RP873/~SYSTEM
5.7M Apr 22 01:21 /sda1/~/RP874/~SYSTEM
5.7M Apr 23 19:54 /sda1/~/RP875/~SYSTEM
5.7M Apr 24 20:12 /sda1/~/RP876/~SYSTEM
5.7M Apr 25 22:24 /sda1/~/RP877/~SYSTEM
5.7M Apr 26 22:37 /sda1/~/RP878/~SYSTEM
5.7M Apr 28 00:52 /sda1/~/RP879/~SYSTEM
5.7M Apr 28 00:52 /sda1/~/RP880/~SYSTEM
5.7M Apr 28 00:54 /sda1/~/RP881/~SYSTEM
5.8M Apr 29 00:46 /sda1/~/RP882/~SYSTEM
5.8M Apr 29 00:50 /sda1/~/RP883/~SYSTEM
5.8M Apr 30 01:54 /sda1/~/RP884/~SYSTEM
5.8M May  1 02:10 /sda1/~/RP885/~SYSTEM
5.8M May  2 02:56 /sda1/~/RP887/~SYSTEM
5.8M May  6 23:02 /sda1/~/RP888/~SYSTEM
5.8M May  7 23:04 /sda1/~/RP889/~SYSTEM
5.8M May  8 23:21 /sda1/~/RP890/~SYSTEM
5.8M May 10 05:20 /sda1/~/RP891/~SYSTEM
5.8M May 12 05:20 /sda1/~/RP892/~SYSTEM
5.8M May 12 19:01 /sda1/~/RP893/~SYSTEM
5.8M May 13 19:35 /sda1/~/RP894/~SYSTEM
5.8M May 14 01:02 /sda1/~/RP895/~SYSTEM
5.8M May 15 03:27 /sda1/~/RP896/~SYSTEM
5.8M May 16 03:33 /sda1/~/RP897/~SYSTEM
5.8M May 17 04:05 /sda1/~/RP898/~SYSTEM
5.8M May 18 09:30 /sda1/~/RP899/~SYSTEM
5.8M May 20 03:42 /sda1/~/RP900/~SYSTEM
5.8M May 21 03:49 /sda1/~/RP901/~SYSTEM
5.8M May 22 04:08 /sda1/~/RP902/~SYSTEM
5.8M May 23 18:27 /sda1/~/RP903/~SYSTEM
5.8M May 24 20:13 /sda1/~/RP904/~SYSTEM
5.8M May 26 01:57 /sda1/~/RP905/~SYSTEM
5.8M May 27 03:29 /sda1/~/RP906/~SYSTEM
5.8M May 28 14:56 /sda1/~/RP907/~SYSTEM
5.8M May 29 15:12 /sda1/~/RP908/~SYSTEM
5.8M May 29 20:48 /sda1/~/RP909/~SYSTEM
6.0M May 30 22:17 /sda1/~/RP910/~SYSTEM
6.0M May 31 18:27 /sda1/~/RP911/~SYSTEM
5.6M Mar  5 00:33 /sda1/~/RP844/~SYSTEM
5.6M Mar 28 21:05 /sda1/~/RP865/~SYSTEM
5.8M May  1 02:56 /sda1/~/RP886/~SYSTEM

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: essexboy on June 04, 2011, 03:01:47 PM

OK lets use this sytem restore first, we have plenty to choose from

• Boot the Sick computer with the USB drive again
• Press File
  
• Expand mnt
  
• Expand your USB (sdb1)
  
• Press Tool at the top
  
• Choose Open Terminal
  
• Type bash rst.sh -r
  
• Type RP910
  
• Press Enter
  
• After it has finished a report will be located at sdb1 named restore.log
  
• Please try to boot into normal Windows now and indicate if you were successful

 
Please note - all text entries are case sensitive
 
Copy and paste the restore.log from your USB drive for my review

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: Skirrel on June 04, 2011, 07:25:32 PM

SOFTWARE hive restored from RP910
SYSTEM hive restored from RP910
SECURITY hive restored from RP910
SAM hive restored from RP910

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: Skirrel on June 04, 2011, 07:56:55 PM

Ok i've read older posts that say you must remove the RP and type in the number only, which seemed to work.  attached is the restore log.  I've restarted the computer, and theres no blue screen, just a light blue screen that usually comes on asking you to log in, EXCEPT it is stuck that the message"windows is starting up"....

something like this
(http://www.raymond.cc/images/windows-is-starting-up.png)

EDIT:  no longer stuck, logging in.  will give updates later.  I probably should lay off the mocha lol. 

whats with it being slow?  why is it taking a long time to load explorer.exe and the task bar?  Also, on the screen it says "AdobeARM.exe not found- the ordinal 281 could not be located in the dynamic link library msi.dll"
also get this one as well: "Explorer.EXE - Entry Point Not Found - The procedure entry point DecodePointer could not be located in the dynamic link library KERNEL32.dll"

EDIT2: everything on desktop is there. Task bar is missing though.  restarted computer again just to make sure.  takes 30 minutes for it to load everything. same error messages as above come up again.

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: essexboy on June 05, 2011, 12:29:35 AM

OK next phase is to run a malware scan

Download ComboFix from one of these locations:


Link 1 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 2 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
• Double click on ComboFix.exe & follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

(http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif)

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(http://img.photobucket.com/albums/v706/ried7/whatnext.png)


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: Skirrel on June 05, 2011, 07:23:28 PM

attached is the log.

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: essexboy on June 05, 2011, 07:34:46 PM

1. Please open Notepad

• Click Start , then Run
• Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Quote

KillAll::

File::
c:\documents and settings\All Users\Application Data\mL06504KeOdB06504

Folder::
c:\documents and settings\All Users\Application Data\mL06504KeOdB06504

Registry::

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=-

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.

(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)


6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt
• A new OTS log.

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: Skirrel on June 05, 2011, 08:02:41 PM

what if im not able to drag and drop?  is there an alternative?  :P

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: essexboy on June 05, 2011, 08:28:12 PM

OK we will use OTL instead

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  Quote

  :Reg
  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
  "3389:TCP"=-
  
  :Files
  ipconfig /flushdns /c
  c:\documents and settings\All Users\Application Data\mL06504KeOdB06504
  
  :Commands
  [purity]
  [resethosts]
  [emptytemp]
  [EMPTYFLASH]
  [CREATERESTOREPOINT]
  [Reboot]

  
  
• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
  

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: Skirrel on June 05, 2011, 09:32:44 PM

attached is otl log

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: essexboy on June 06, 2011, 12:07:45 AM

Could you resave the log as ANSI please - also what are your current problems

(http://i1224.photobucket.com/albums/ee362/Essexboy3/Untitled.gif)

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: Skirrel on June 06, 2011, 12:35:18 AM

Attached is OTL log in ansi format.  

Problems are:
-computer takes A LOT longer to start.
-recycle bin wont open
-drag/drop will not work
-no start menu/taskbar/system tray
-these error messages:
   -AdobeARM.exe not found- the ordinal 281 could not be located in the dynamic link library msi.dll"
   -"Explorer.EXE - Entry Point Not Found - The procedure entry point DecodePointer could not be located in the dynamic link library KERNEL32.dll"

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: essexboy on June 06, 2011, 12:26:07 PM

Sounds a bit corrupted with regards to the system files

Download Dr Web from here (http://"https://www.freedrweb.com/download+cureit+free/?lng=en") Fill in the small form and download
 
It will download as an 8 digit file save it to your desktop

Restart in safe mode and run
Accept the enhanced version
Then run the quick scan
About halfway through you will be prompted to buy - just X the box closed
Once finished it will generate a log please attach that

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: Skirrel on June 06, 2011, 07:59:22 PM

Dr. Web only scans for viruses though right?  Before I made this thread, I only had a mebroot/torpig infection that was notified to be by my internet provider.  It seems I have already got rid of it and have no more viruses.  I just need to fix the problems in my earlier post.

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: essexboy on June 06, 2011, 11:42:59 PM

Yep it does - and its forte is file infectors - these or the remanants can cause the type of problem you are experiencing

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: Skirrel on June 07, 2011, 06:02:43 PM

dr web became stuck scanning one applicatin: matlab2007.exe.  That program has been there for a while and should not be infected as far as i know.  Is there an alternative to dr web?  Also, I dont think Windows Explorer could be accessed with the computer in this state, so there must be another way to get a log.

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: essexboy on June 07, 2011, 06:15:37 PM

OK stop the scan - did it find anything ?

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: Skirrel on June 07, 2011, 07:05:18 PM

no it didnt find anything.

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: essexboy on June 07, 2011, 07:12:59 PM

Is the only problem now a slow start ?

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: Skirrel on June 07, 2011, 07:25:38 PM

same problems as above.

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: essexboy on June 07, 2011, 07:36:37 PM

Do you have a windows disc to try a repair ?

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: Skirrel on June 07, 2011, 08:07:51 PM

yes.  Im repairing it now.  Last time i tried repairing it (~week ago) it was unsuccessful.  I will know if repair works in around 40 minutes

edit  -  its stuck at the 34 minute mark. 

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: essexboy on June 07, 2011, 08:41:10 PM

Are you following the steps as described here  http://www.geekstogo.com/forum/topic/138-how-to-repair-windows-xp/

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: Skirrel on June 07, 2011, 08:44:16 PM

yes i am.  i googled the problem and it seems that many have it as well. Not sure how to fix it though...

hmm... now its only 33 minutes.

edit: Stuck at 32 minutes

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: essexboy on June 07, 2011, 11:36:34 PM

This is an MS recommendation for this problem

Remove any external hardware, such as attached devices that are not required for setup (for example, printers, external serial devices, and Universal Serial Bus [USB] devices other than the primary keyboard).

Remove any internal cards that are not required for setup, such as sound cards.

Disable items in the basic input/output system (BIOS), such as ports or power management features, and on-board devices that are not required for setup to complete, such as modems.

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: Skirrel on June 08, 2011, 05:03:55 AM

Ok was able to repair via restarting computer.  I have my task bar now, only these problems exist:
-AdobeARM.exe not found- the ordinal 281 could not be located in the dynamic link library msi.dll"
-computer takes A LOT longer to start than it did before this incident.
-also, on the system tray, there is an icon to safely remove hardware, but there is an option to safely remove my hard drive! lol

thanks essexboy for helping me out and also helping people on other forums as well.  I've seen your name on the geekstogo forums btw. 

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: essexboy on June 08, 2011, 12:31:16 PM

OK for Adobe - I would recommend that you uninstall and then re-install

Run a fresh OTS log and I will look at the start areas and see if there is any tweaking that could be done

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: Skirrel on June 08, 2011, 07:28:09 PM

I think I will just reformat my hard drive and install a newer OS. 

But before you close this thread, i'd like to know what are some ways i can prevent mebroot/torpig from infecting my computer again, and how can i safely restore a critical file without causing all of this clutter again?

Title: Re: Acidentally deleted files with avast, now got blue screen on startup!
Post by: essexboy on June 08, 2011, 07:38:08 PM

If you get windows 7 then the security on that (especially the 64 bit version) is more robust and all critical files are cached for repair if required

The main thing really is to be aware of what you are doing when online.. The majority of malware is downloaded with the user assistance, via social engineering 

To learn more about how to protect yourself while on the internet read our little guide  How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)