Author Topic: Accidentally deleted files with avast, now got blue screen on startup!  (Read 17671 times)

Offline Skirrel

  • Jr. Member
  • **
  • Posts: 24
« Reply #15 on: June 03, 2011, 08:25:28 PM »
I can't boot from USB, so I will have to try to boot from CD.  But your link to the xPUD bootable CD doesn't work...

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40627
  • Dragons by Sasha
    • Malware fixes
« Reply #16 on: June 03, 2011, 08:47:20 PM »
There is a new product on the market made by MS - I have yet to have any need to use it.  Would you mind trying it out?

Could you download Microsoft System Sweeper from here: http://connect.microsoft.com/systemsweeper

Offline Skirrel

« Reply #17 on: June 04, 2011, 04:07:07 AM »
I think I'll try it sometime in the future if a virus takes over my computer and rkill.exe won't work to stop the processes.  Thanks for referring me to it though.

I've found a way to burn xPUD onto CD.

Here's the enum log:
35.0M Jun  3 00:03 /mnt/sda1/WINDOWS/system32/config/software
6.0M Jun  2 18:10 /mnt/sda1/WINDOWS/system32/config/system

33.1M Mar  2 23:50 /sda1/~/RP842/~SOFTWARE
33.1M Mar  3 23:59 /sda1/~/RP843/~SOFTWARE
33.1M Mar  6 02:06 /sda1/~/RP845/~SOFTWARE
33.1M Mar  7 05:39 /sda1/~/RP846/~SOFTWARE
33.1M Mar  8 05:52 /sda1/~/RP847/~SOFTWARE
33.1M Mar  9 06:10 /sda1/~/RP848/~SOFTWARE
33.1M Mar 10 15:43 /sda1/~/RP849/~SOFTWARE
33.1M Mar 11 15:45 /sda1/~/RP850/~SOFTWARE
33.1M Mar 12 17:08 /sda1/~/RP851/~SOFTWARE
33.1M Mar 13 20:36 /sda1/~/RP852/~SOFTWARE
33.1M Mar 15 00:43 /sda1/~/RP853/~SOFTWARE
33.1M Mar 16 03:18 /sda1/~/RP854/~SOFTWARE
33.1M Mar 17 04:45 /sda1/~/RP855/~SOFTWARE
33.1M Mar 18 15:10 /sda1/~/RP856/~SOFTWARE
33.1M Mar 19 15:11 /sda1/~/RP857/~SOFTWARE
33.1M Mar 20 15:38 /sda1/~/RP858/~SOFTWARE
33.1M Mar 21 17:07 /sda1/~/RP859/~SOFTWARE
33.1M Mar 22 19:56 /sda1/~/RP860/~SOFTWARE
33.1M Mar 23 20:54 /sda1/~/RP861/~SOFTWARE
33.1M Mar 24 21:10 /sda1/~/RP862/~SOFTWARE
33.1M Mar 26 02:48 /sda1/~/RP863/~SOFTWARE
33.1M Mar 27 05:02 /sda1/~/RP864/~SOFTWARE
33.1M Mar 29 23:11 /sda1/~/RP866/~SOFTWARE
33.1M Mar 31 02:23 /sda1/~/RP867/~SOFTWARE
33.1M Apr  1 14:40 /sda1/~/RP868/~SOFTWARE
33.4M Apr  3 00:30 /sda1/~/RP869/~SOFTWARE
33.5M Apr  9 15:04 /sda1/~/RP870/~SOFTWARE
33.5M Apr 10 15:08 /sda1/~/RP871/~SOFTWARE
33.5M Apr 16 03:58 /sda1/~/RP872/~SOFTWARE
33.5M Apr 17 14:30 /sda1/~/RP873/~SOFTWARE
33.5M Apr 22 01:21 /sda1/~/RP874/~SOFTWARE
33.5M Apr 23 19:54 /sda1/~/RP875/~SOFTWARE
33.5M Apr 24 20:12 /sda1/~/RP876/~SOFTWARE
33.5M Apr 25 22:24 /sda1/~/RP877/~SOFTWARE
33.5M Apr 26 22:37 /sda1/~/RP878/~SOFTWARE
33.5M Apr 28 00:52 /sda1/~/RP879/~SOFTWARE
33.5M Apr 28 00:52 /sda1/~/RP880/~SOFTWARE
33.5M Apr 28 00:54 /sda1/~/RP881/~SOFTWARE
33.8M Apr 29 00:46 /sda1/~/RP882/~SOFTWARE
33.8M Apr 29 00:50 /sda1/~/RP883/~SOFTWARE
33.8M Apr 30 01:54 /sda1/~/RP884/~SOFTWARE
33.8M May  1 02:10 /sda1/~/RP885/~SOFTWARE
34.6M May  2 02:56 /sda1/~/RP887/~SOFTWARE
34.6M May  6 23:02 /sda1/~/RP888/~SOFTWARE
34.6M May  7 23:04 /sda1/~/RP889/~SOFTWARE
34.6M May  8 23:21 /sda1/~/RP890/~SOFTWARE
34.6M May 10 05:20 /sda1/~/RP891/~SOFTWARE
34.6M May 12 05:20 /sda1/~/RP892/~SOFTWARE
34.6M May 12 19:01 /sda1/~/RP893/~SOFTWARE
34.6M May 13 19:35 /sda1/~/RP894/~SOFTWARE
34.6M May 14 01:02 /sda1/~/RP895/~SOFTWARE
34.6M May 15 03:27 /sda1/~/RP896/~SOFTWARE
34.6M May 16 03:33 /sda1/~/RP897/~SOFTWARE
34.6M May 17 04:05 /sda1/~/RP898/~SOFTWARE
34.6M May 18 09:30 /sda1/~/RP899/~SOFTWARE
34.6M May 20 03:42 /sda1/~/RP900/~SOFTWARE
34.6M May 21 03:49 /sda1/~/RP901/~SOFTWARE
34.6M May 22 04:08 /sda1/~/RP902/~SOFTWARE
34.6M May 23 18:27 /sda1/~/RP903/~SOFTWARE
34.6M May 24 20:13 /sda1/~/RP904/~SOFTWARE
34.6M May 26 01:57 /sda1/~/RP905/~SOFTWARE
34.6M May 27 03:29 /sda1/~/RP906/~SOFTWARE
34.6M May 28 14:56 /sda1/~/RP907/~SOFTWARE
34.6M May 29 15:12 /sda1/~/RP908/~SOFTWARE
34.6M May 29 20:48 /sda1/~/RP909/~SOFTWARE
34.8M May 30 22:17 /sda1/~/RP910/~SOFTWARE
34.8M May 31 18:27 /sda1/~/RP911/~SOFTWARE
33.1M Mar  5 00:33 /sda1/~/RP844/~SOFTWARE
33.1M Mar 28 21:05 /sda1/~/RP865/~SOFTWARE
33.8M May  1 02:56 /sda1/~/RP886/~SOFTWARE
5.6M Mar  2 23:50 /sda1/~/RP842/~SYSTEM
5.6M Mar  3 23:59 /sda1/~/RP843/~SYSTEM
5.6M Mar  6 02:06 /sda1/~/RP845/~SYSTEM
5.6M Mar  7 05:39 /sda1/~/RP846/~SYSTEM
5.6M Mar  8 05:52 /sda1/~/RP847/~SYSTEM
5.6M Mar  9 06:10 /sda1/~/RP848/~SYSTEM
5.6M Mar 10 15:43 /sda1/~/RP849/~SYSTEM
5.6M Mar 11 15:45 /sda1/~/RP850/~SYSTEM
5.6M Mar 12 17:08 /sda1/~/RP851/~SYSTEM
5.6M Mar 13 20:36 /sda1/~/RP852/~SYSTEM
5.6M Mar 15 00:43 /sda1/~/RP853/~SYSTEM
5.6M Mar 16 03:18 /sda1/~/RP854/~SYSTEM
5.6M Mar 17 04:45 /sda1/~/RP855/~SYSTEM
5.6M Mar 18 15:10 /sda1/~/RP856/~SYSTEM
5.6M Mar 19 15:11 /sda1/~/RP857/~SYSTEM
5.6M Mar 20 15:38 /sda1/~/RP858/~SYSTEM
5.6M Mar 21 17:07 /sda1/~/RP859/~SYSTEM
5.6M Mar 22 19:56 /sda1/~/RP860/~SYSTEM
5.6M Mar 23 20:54 /sda1/~/RP861/~SYSTEM
5.6M Mar 24 21:10 /sda1/~/RP862/~SYSTEM
5.6M Mar 26 02:49 /sda1/~/RP863/~SYSTEM
5.6M Mar 27 05:02 /sda1/~/RP864/~SYSTEM
5.6M Mar 29 23:11 /sda1/~/RP866/~SYSTEM
5.6M Mar 31 02:23 /sda1/~/RP867/~SYSTEM
5.6M Apr  1 14:40 /sda1/~/RP868/~SYSTEM
5.7M Apr  3 00:30 /sda1/~/RP869/~SYSTEM
5.7M Apr  9 15:04 /sda1/~/RP870/~SYSTEM
5.7M Apr 10 15:08 /sda1/~/RP871/~SYSTEM
5.7M Apr 16 03:58 /sda1/~/RP872/~SYSTEM
5.7M Apr 17 14:30 /sda1/~/RP873/~SYSTEM
5.7M Apr 22 01:21 /sda1/~/RP874/~SYSTEM
5.7M Apr 23 19:54 /sda1/~/RP875/~SYSTEM
5.7M Apr 24 20:12 /sda1/~/RP876/~SYSTEM
5.7M Apr 25 22:24 /sda1/~/RP877/~SYSTEM
5.7M Apr 26 22:37 /sda1/~/RP878/~SYSTEM
5.7M Apr 28 00:52 /sda1/~/RP879/~SYSTEM
5.7M Apr 28 00:52 /sda1/~/RP880/~SYSTEM
5.7M Apr 28 00:54 /sda1/~/RP881/~SYSTEM
5.8M Apr 29 00:46 /sda1/~/RP882/~SYSTEM
5.8M Apr 29 00:50 /sda1/~/RP883/~SYSTEM
5.8M Apr 30 01:54 /sda1/~/RP884/~SYSTEM
5.8M May  1 02:10 /sda1/~/RP885/~SYSTEM
5.8M May  2 02:56 /sda1/~/RP887/~SYSTEM
5.8M May  6 23:02 /sda1/~/RP888/~SYSTEM
5.8M May  7 23:04 /sda1/~/RP889/~SYSTEM
5.8M May  8 23:21 /sda1/~/RP890/~SYSTEM
5.8M May 10 05:20 /sda1/~/RP891/~SYSTEM
5.8M May 12 05:20 /sda1/~/RP892/~SYSTEM
5.8M May 12 19:01 /sda1/~/RP893/~SYSTEM
5.8M May 13 19:35 /sda1/~/RP894/~SYSTEM
5.8M May 14 01:02 /sda1/~/RP895/~SYSTEM
5.8M May 15 03:27 /sda1/~/RP896/~SYSTEM
5.8M May 16 03:33 /sda1/~/RP897/~SYSTEM
5.8M May 17 04:05 /sda1/~/RP898/~SYSTEM
5.8M May 18 09:30 /sda1/~/RP899/~SYSTEM
5.8M May 20 03:42 /sda1/~/RP900/~SYSTEM
5.8M May 21 03:49 /sda1/~/RP901/~SYSTEM
5.8M May 22 04:08 /sda1/~/RP902/~SYSTEM
5.8M May 23 18:27 /sda1/~/RP903/~SYSTEM
5.8M May 24 20:13 /sda1/~/RP904/~SYSTEM
5.8M May 26 01:57 /sda1/~/RP905/~SYSTEM
5.8M May 27 03:29 /sda1/~/RP906/~SYSTEM
5.8M May 28 14:56 /sda1/~/RP907/~SYSTEM
5.8M May 29 15:12 /sda1/~/RP908/~SYSTEM
5.8M May 29 20:48 /sda1/~/RP909/~SYSTEM
6.0M May 30 22:17 /sda1/~/RP910/~SYSTEM
6.0M May 31 18:27 /sda1/~/RP911/~SYSTEM
5.6M Mar  5 00:33 /sda1/~/RP844/~SYSTEM
5.6M Mar 28 21:05 /sda1/~/RP865/~SYSTEM
5.8M May  1 02:56 /sda1/~/RP886/~SYSTEM
« Last Edit: June 04, 2011, 04:55:24 AM by Skirrel »
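
An added example, not part of the original posts: a Python function that parses an enum log in the format posted above and lists the restore points that hold both a SOFTWARE and a SYSTEM hive, newest first, optionally limited to snapshots older than a cutoff. The year, the RP912 sample line and the name `restore_candidates` are assumptions made for the example.

```python
import re
from datetime import datetime

# Sample enum log. The live-hive, RP844 and RP909-RP911 lines are copied from the
# post above; the RP912 line is constructed to show a snapshot with no SYSTEM hive.
SAMPLE_LOG = """\
35.0M Jun  3 00:03 /mnt/sda1/WINDOWS/system32/config/software
34.6M May 29 20:48 /sda1/~/RP909/~SOFTWARE
34.8M May 30 22:17 /sda1/~/RP910/~SOFTWARE
34.8M May 31 18:27 /sda1/~/RP911/~SOFTWARE
34.9M Jun  1 19:02 /sda1/~/RP912/~SOFTWARE
33.1M Mar  5 00:33 /sda1/~/RP844/~SOFTWARE
5.8M May 29 20:48 /sda1/~/RP909/~SYSTEM
6.0M May 30 22:17 /sda1/~/RP910/~SYSTEM
6.0M May 31 18:27 /sda1/~/RP911/~SYSTEM
5.6M Mar  5 00:33 /sda1/~/RP844/~SYSTEM
"""

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
LINE = re.compile(
    r"^\s*[\d.]+[KMG]?\s+(%s)\s+(\d{1,2})\s+(\d{2}):(\d{2})"
    r"\s+\S*/(RP\d+)/~(SOFTWARE|SYSTEM)\s*$" % "|".join(MONTHS))

def restore_candidates(log_text, year=2011, before=None):
    """Return [(rp, datetime)], newest first, for snapshots that hold both hives.

    year is an assumption (the listing prints none); before is an optional
    datetime cutoff for choosing a snapshot that predates an incident.
    """
    hives = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # live hives under WINDOWS/system32/config, blank lines
        mon, day, hh, mm, rp, hive = m.groups()
        ts = datetime(year, MONTHS[mon], int(day), int(hh), int(mm))
        hives.setdefault(rp, {})[hive] = ts
    out = []
    for rp, found in hives.items():
        if {"SOFTWARE", "SYSTEM"} <= found.keys():  # skip incomplete snapshots
            ts = max(found.values())
            if before is None or ts < before:
                out.append((rp, ts))
    return sorted(out, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    for rp, ts in restore_candidates(SAMPLE_LOG, before=datetime(2011, 5, 31)):
        print(rp, ts.strftime("%b %d %H:%M"))
```

Sorting by timestamp rather than by position matters because the listing is not in order: RP844, RP865 and RP886 appear at the end of each group.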

Offline essexboy

« Reply #18 on: June 04, 2011, 03:01:47 PM »
OK let's use this system restore first, we have plenty to choose from
  • Boot the Sick computer with the USB drive again
  • Press File
  • Expand mnt
  • Expand your USB (sdb1)
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash rst.sh -r
  • Type RP910
  • Press Enter
  • After it has finished a report will be located at sdb1 named restore.log
  • Please try to boot into normal Windows now and indicate if you were successful

 
Please note - all text entries are case sensitive
 
Copy and paste the restore.log from your USB drive for my review

Offline Skirrel

« Reply #19 on: June 04, 2011, 07:25:32 PM »
SOFTWARE hive restored from RP910
SYSTEM hive restored from RP910
SECURITY hive restored from RP910
SAM hive restored from RP910
« Last Edit: June 04, 2011, 08:04:01 PM by Skirrel »

Offline Skirrel

« Reply #20 on: June 04, 2011, 07:56:55 PM »
OK, I've read older posts that say you must remove the RP and type in the number only, which seemed to work.  Attached is the restore log.  I've restarted the computer, and there's no blue screen, just a light blue screen that usually comes on asking you to log in, EXCEPT it is stuck at the message "Windows is starting up"....

something like this


EDIT:  No longer stuck, logging in.  Will give updates later.  I probably should lay off the mocha lol.

What's with it being slow?  Why is it taking a long time to load explorer.exe and the task bar?  Also, on the screen it says "AdobeARM.exe not found - the ordinal 281 could not be located in the dynamic link library msi.dll"
Also get this one as well: "Explorer.EXE - Entry Point Not Found - The procedure entry point DecodePointer could not be located in the dynamic link library KERNEL32.dll"

EDIT2: Everything on desktop is there. Task bar is missing though.  Restarted computer again just to make sure.  Takes 30 minutes for it to load everything. Same error messages as above come up again.
« Last Edit: June 04, 2011, 08:19:51 PM by Skirrel »

Offline essexboy

« Reply #21 on: June 05, 2011, 12:29:35 AM »
OK next phase is to run a malware scan

Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

Offline Skirrel

« Reply #22 on: June 05, 2011, 07:23:28 PM »
attached is the log.

Offline essexboy

« Reply #23 on: June 05, 2011, 07:34:46 PM »
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Quote
KillAll::

File::
c:\documents and settings\All Users\Application Data\mL06504KeOdB06504

Folder::
c:\documents and settings\All Users\Application Data\mL06504KeOdB06504

Registry::

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=-


3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.




6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new OTS log.

Offline Skirrel

« Reply #24 on: June 05, 2011, 08:02:41 PM »
What if I'm not able to drag and drop?  Is there an alternative?  :P

Offline essexboy

« Reply #25 on: June 05, 2011, 08:28:12 PM »
OK we will use OTL instead

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Quote
    :Reg
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"=-

    :Files
    ipconfig /flushdns /c
    c:\documents and settings\All Users\Application Data\mL06504KeOdB06504

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Offline Skirrel

« Reply #26 on: June 05, 2011, 09:32:44 PM »
attached is otl log

Offline essexboy

« Reply #27 on: June 06, 2011, 12:07:45 AM »
Could you resave the log as ANSI please - also what are your current problems?


Offline Skirrel

« Reply #28 on: June 06, 2011, 12:35:18 AM »
Attached is OTL log in ANSI format.

Problems are:
-computer takes A LOT longer to start.
-recycle bin won't open
-drag/drop will not work
-no start menu/taskbar/system tray
-these error messages:
   -"AdobeARM.exe not found - the ordinal 281 could not be located in the dynamic link library msi.dll"
   -"Explorer.EXE - Entry Point Not Found - The procedure entry point DecodePointer could not be located in the dynamic link library KERNEL32.dll"
« Last Edit: June 06, 2011, 12:38:56 AM by Skirrel »

Offline essexboy

« Reply #29 on: June 06, 2011, 12:26:07 PM »
Sounds a bit corrupted with regards to the system files

Download Dr Web from here. Fill in the small form and download.

It will download as an 8 digit file; save it to your desktop.

Restart in safe mode and run
Accept the enhanced version
Then run the quick scan
About halfway through you will be prompted to buy - just X the box closed
Once finished it will generate a log; please attach that