Jetboy, posted March 31, 2016 (edited)

Hi. So a couple of days ago my laptop wouldn't boot to Windows; after a load of times using the repair environments I got to the login screen, but the keyboard wouldn't work. Kept powering off and on again, and now I can get onto Windows but I'm getting the bad image errors, beginning with a startup.exe bad image error, and one saying that my recycle bin is corrupted, do I want to empty it. I can't run any program now because of the error, such as my antivirus, and I can't access the net. I downloaded Malwarebytes and FRST on another device and was able to run them... Any help would be appreciated as I'm currently on a web design course and stuck without my laptop! Thanks in advance....

Edited March 31, 2016 by Jetboy
Juliet, posted March 31, 2016

> I downloaded Malwarebytes and FRST on another device and was able to run them.

Can you provide these logs?

Malwarebytes' Anti-Malware
Click on the History tab > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click 'Copy to Clipboard'.
Paste the contents of the clipboard into your reply.

~~~~~

Farbar Recovery Scan Tool
Two logs (FRST.txt & Addition.txt)
Jetboy (author), posted March 31, 2016

Firstly thanks for the reply. Bear with me here as I'm having to copy the logs from my laptop to a hard drive to paste onto my tablet, as the laptop won't connect to the internet!

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 31/03/2016
Scan Time: 12:44
Logfile:
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.02.16.06
Rootkit Database: v2016.02.08.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: James

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 344089
Time Elapsed: 10 min, 52 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)
Jetboy (author), posted March 31, 2016 (edited)

Had to send these via Dropbox as I can't copy/paste the entire .txt file! Aaaaargh! Hope you can access them...

https://www.dropbox.com/s/zxwd4qgu3bp0277/Addition.txt?dl=0
https://www.dropbox.com/s/dm301pvktxkv5rm/FRST_31-03-2016_16-36-22.txt?dl=0

Fingers crossed something makes sense to you!

Edited March 31, 2016 by Jetboy
Juliet, posted March 31, 2016

These things I post to do will have to be transferred using a USB drive, only if after we run this fix the infected computer still doesn't work.

Please open Notepad (do not use WordPad or any other text editor than Notepad, or the script will fail): Start -> Run -> type notepad in the Open field -> OK. Then copy and paste the text present inside the quote box below. To do this, highlight the contents of the box, right click on it and select Copy. Paste this into the open Notepad and save it to the Desktop as fixlist.txt.

NOTE. It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work. It needs to be saved next to the "Farbar Recovery Scan Tool" (if asked to overwrite the existing one, please allow).

start
CreateRestorePoint:
CloseProcesses:
ShortcutWithArgument: C:\Users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Ruby 2.2.4-p230-x64\Start Command Prompt with Ruby.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation) -> /E:ON /K C:\Ruby22-x64\bin\setrbvars.bat
ShortcutWithArgument: C:\Users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Ruby 2.1.7-p400\Start Command Prompt with Ruby.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation) -> /E:ON /K C:\Program Files (x86)\Heroku\ruby-2.1.7\bin\setrbvars.bat
ShortcutWithArgument: C:\Users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\RailsInstaller\Command Prompt with Ruby and Rails.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation) -> /E:ON /K C:\RailsInstaller\Ruby2.2.0\setup_environment.bat C:\RailsInstaller
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-2059866349-3918318577-506309803-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
CHR HKU\S-1-5-21-2059866349-3918318577-506309803-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\Users\James\AppData\Local\Google\Drive\user_default\apdfllckaahabafndbhieahigkjlhalf_live.crx [2016-03-07]
U3 BcmSqlStartupSvc; no ImagePath
U2 CLKMSVC10_3A60B698; no ImagePath
U2 CLKMSVC10_C3B3B687; no ImagePath
U2 DriverService; no ImagePath
U2 iATAgentService; no ImagePath
U2 idealife Update Service; no ImagePath
U3 IGRS; no ImagePath
U2 IviRegMgr; no ImagePath
U2 nvUpdatusService; no ImagePath
U2 Oasis2Service; no ImagePath
U2 PCCarerService; no ImagePath
U2 ReadyComm.DirectRouter; no ImagePath
U2 RichVideo; no ImagePath
U2 RtLedService; no ImagePath
U2 SeaPort; no ImagePath
U2 SoftwareService; no ImagePath
U3 SQLWriter; no ImagePath
C:\Users\James\AppData\Local\Temp\converter.exe
C:\Users\James\AppData\Local\Temp\libeay32.dll
C:\Users\James\AppData\Local\Temp\MSETUP4.EXE
C:\Users\James\AppData\Local\Temp\msvcr120.dll
C:\Users\James\AppData\Local\Temp\Opt_USB_Driver_32.exe
C:\Users\James\AppData\Local\Temp\Opt_USB_Driver_64.exe
C:\Users\James\AppData\Local\Temp\ose00000.exe
C:\Users\James\AppData\Local\Temp\sqlite-3.7.151-x86-sqlitejdbc.dll
C:\Users\James\AppData\Local\Temp\sqlite3.dll
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
EmptyTemp:
Hosts:
End

Open FRST/FRST64 and press the > Fix < button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

~~~~~

AdwCleaner
Please download AdwCleaner and save the file to your Desktop.
Right-click AdwCleaner.exe and select Run as administrator to run the programme.
Follow the prompts.
Click Scan.
Upon completion, click Report. A log (AdwCleaner[sX].txt) will open. Briefly check the log for anything you know to be legitimate.
Ensure anything you know to be legitimate does not have a checkmark, and click Clean.
Follow the prompts and allow your computer to reboot.
After rebooting, a log (AdwCleaner[sX].txt) will open. Copy the contents of the log and paste in your next reply.
-- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.

~~~~~

Please download Junkware Removal Tool, or from here http://downloads.malwarebytes.org/file/jrt, to your desktop.
Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.

~~~~~

Please post:
Fixlog.txt
AdwCleaner[C1].txt
JRT.txt
Jetboy (author), posted April 1, 2016

Here's what you asked for....

Fix result of Farbar Recovery Scan Tool (x64) Version:05-03-2016 01
Ran by James (2016-04-01 09:51:59) Run:2
Running from C:\Users\James\Desktop
Loaded Profiles: James (Available Profiles: James)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start
CreateRestorePoint:
CloseProcesses:
ShortcutWithArgument: C:\Users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Ruby 2.2.4-p230-x64\Start Command Prompt with Ruby.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation) -> /E:ON /K C:\Ruby22-x64\bin\setrbvars.bat
ShortcutWithArgument: C:\Users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Ruby 2.1.7-p400\Start Command Prompt with Ruby.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation) -> /E:ON /K C:\Program Files (x86)\Heroku\ruby-2.1.7\bin\setrbvars.bat
ShortcutWithArgument: C:\Users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\RailsInstaller\Command Prompt with Ruby and Rails.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation) -> /E:ON /K C:\RailsInstaller\Ruby2.2.0\setup_environment.bat C:\RailsInstaller
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-2059866349-3918318577-506309803-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
CHR HKU\S-1-5-21-2059866349-3918318577-506309803-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\Users\James\AppData\Local\Google\Drive\user_default\apdfllckaahabafndbhieahigkjlhalf_live.crx [2016-03-07]
U3 BcmSqlStartupSvc; no ImagePath
U2 CLKMSVC10_3A60B698; no ImagePath
U2 CLKMSVC10_C3B3B687; no ImagePath
U2 DriverService; no ImagePath
U2 iATAgentService; no ImagePath
U2 idealife Update Service; no ImagePath
U3 IGRS; no ImagePath
U2 IviRegMgr; no ImagePath
U2 nvUpdatusService; no ImagePath
U2 Oasis2Service; no ImagePath
U2 PCCarerService; no ImagePath
U2 ReadyComm.DirectRouter; no ImagePath
U2 RichVideo; no ImagePath
U2 RtLedService; no ImagePath
U2 SeaPort; no ImagePath
U2 SoftwareService; no ImagePath
U3 SQLWriter; no ImagePath
C:\Users\James\AppData\Local\Temp\converter.exe
C:\Users\James\AppData\Local\Temp\libeay32.dll
C:\Users\James\AppData\Local\Temp\MSETUP4.EXE
C:\Users\James\AppData\Local\Temp\msvcr120.dll
C:\Users\James\AppData\Local\Temp\Opt_USB_Driver_32.exe
C:\Users\James\AppData\Local\Temp\Opt_USB_Driver_64.exe
C:\Users\James\AppData\Local\Temp\ose00000.exe
C:\Users\James\AppData\Local\Temp\sqlite-3.7.151-x86-sqlitejdbc.dll
C:\Users\James\AppData\Local\Temp\sqlite3.dll
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
EmptyTemp:
Hosts:
End
*****************

Restore point was successfully created.
Processes closed successfully.
C:\Users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Ruby 2.2.4-p230-x64\Start Command Prompt with Ruby.lnk => Shortcut argument removed successfully.
C:\Users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Ruby 2.1.7-p400\Start Command Prompt with Ruby.lnk => Shortcut argument removed successfully.
C:\Users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\RailsInstaller\Command Prompt with Ruby and Rails.lnk => Shortcut argument removed successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
HKCR\Wow6432Node\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
HKU\S-1-5-21-2059866349-3918318577-506309803-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
HKU\S-1-5-21-2059866349-3918318577-506309803-1000\SOFTWARE\Google\Chrome\Extensions\apdfllckaahabafndbhieahigkjlhalf => key not found.
"C:\Users\James\AppData\Local\Google\Drive\user_default\apdfllckaahabafndbhieahigkjlhalf_live.crx" => not found.
BcmSqlStartupSvc => service not found.
CLKMSVC10_3A60B698 => service not found.
CLKMSVC10_C3B3B687 => service not found.
DriverService => service not found.
iATAgentService => service not found.
idealife Update Service => service not found.
IGRS => service not found.
IviRegMgr => service not found.
nvUpdatusService => service not found.
Oasis2Service => service not found.
PCCarerService => service not found.
ReadyComm.DirectRouter => service not found.
RichVideo => service not found.
RtLedService => service not found.
SeaPort => service not found.
SoftwareService => service not found.
SQLWriter => service not found.
"C:\Users\James\AppData\Local\Temp\converter.exe" => not found.
"C:\Users\James\AppData\Local\Temp\libeay32.dll" => not found.
"C:\Users\James\AppData\Local\Temp\MSETUP4.EXE" => not found.
"C:\Users\James\AppData\Local\Temp\msvcr120.dll" => not found.
"C:\Users\James\AppData\Local\Temp\Opt_USB_Driver_32.exe" => not found.
"C:\Users\James\AppData\Local\Temp\Opt_USB_Driver_64.exe" => not found.
"C:\Users\James\AppData\Local\Temp\ose00000.exe" => not found.
"C:\Users\James\AppData\Local\Temp\sqlite-3.7.151-x86-sqlitejdbc.dll" => not found.
"C:\Users\James\AppData\Local\Temp\sqlite3.dll" => not found.

========= ipconfig /flushdns =========

Windows IP Configuration

Could not flush the DNS Resolver Cache: Function failed during execution.

========= End of CMD: =========

========= netsh winsock reset all =========

Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.

========= End of CMD: =========

========= netsh int ipv4 reset =========

There's no user specified settings to be reset.

========= End of CMD: =========

========= netsh int ipv6 reset =========

There's no user specified settings to be reset.

========= End of CMD: =========

========= bitsadmin /reset /allusers =========

BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

Unable to connect to BITS - 0x80080005

========= End of CMD: =========

========= reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

The operation completed successfully.

========= End of Reg: =========

========= reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

The operation completed successfully.

========= End of Reg: =========

========= reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

The operation completed successfully.

========= End of Reg: =========

========= reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

The operation completed successfully.

========= End of Reg: =========

C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
EmptyTemp: => 38.8 MB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 09:54:35 ====

# AdwCleaner v5.108 - Logfile created 31/03/2016 at 15:24:15
# Updated 30/03/2016 by Xplode
# Database : 1984.9 [Local]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : James - JAMES-PC
# Running from : C:\Users\James\Desktop\adwcleaner_5.108(0).exe
# Option : Clean
# Support : http://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

[-] Folder Deleted : C:\ProgramData\Partner
[-] Folder Deleted : C:\Users\James\AppData\Local\Google\Chrome\User Data\Default\Extensions\oadboiipflhobonjjffjbfekfjcgkhco

***** [ Files ] *****

[-] File Deleted : C:\Users\James\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_d3l3lkinz3f56t.cloudfront.net_0.localstorage
[-] File Deleted : C:\Users\James\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_d3l3lkinz3f56t.cloudfront.net_0.localstorage-journal

***** [ DLLs ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.Protector
[-] Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.Protector.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.ProtectorBho
[-] Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.ProtectorBho.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib
[-] Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib.1

***** [ Web browsers ] *****

[-] [C:\Users\James\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : oadboiipflhobonjjffjbfekfjcgkhco

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [1724 bytes] - [31/03/2016 15:24:15]
C:\AdwCleaner\AdwCleaner[s1].txt - [1721 bytes] - [31/03/2016 15:21:21]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1870 bytes] ##########

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.4 (03.14.2016)
Operating System: Windows 7 Home Premium x64
Ran by James (Limited) on 01/04/2016 at 10:23:45.30
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

File System: 1

Successfully deleted: C:\Windows\prefetch\GOOGLETOOLBARUSER_32.EXE-66EEE4D2.pf (File)

Registry: 1

Successfully deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\GoogleChromeAutoLaunch_6B06BCEFC97BCF192292AD16DB5D7A73 (Registry Value)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 01/04/2016 at 10:27:52.34
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Juliet, posted April 1, 2016

Update me, what's the computer doing now?
Jetboy (author), posted April 1, 2016

The same... on startup I'm getting the same 'startup.exe - Bad Image' error as I log in, and the same 'Recycle bin on C:\ is corrupted' error.
Juliet, posted April 1, 2016

Also please download Windows Repair (all in one) from here.
Install the program, then go to Step 4 and create a new system restore point and new registry backup.
Go to Step 2 and allow it to run CheckDisk by clicking on the Do It button.
NEXT
On the Start Repairs tab => click Start.
Please ensure that ONLY the items seen in the image below are ticked as indicated (they're all checked by default).
Click on the box next to Restart System when Finished. Then click on Start.

~~~~~

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

How to use ComboFix
Download ComboFix from here: Link 1 Link 2 Link 3
Place ComboFix.exe on your Desktop <-- Important
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. You can get help on disabling your protection programs here.
Double click on ComboFix.exe & follow the prompts.
You may be asked to install or update the Recovery Console (Win XP only); if this happens please allow it to do so (you will need to be connected to the internet for this).
Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may need to reboot your computer more than once to do its job; this is normal.
When finished, it shall produce a log for you. Post that log in your next reply.
Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.
---------------------------------------------------------------------------------------------
Ensure your AntiVirus and AntiSpyware applications are re-enabled.
Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: ComboFix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.
---------------------------------------------------------------------------------------------
If there are Internet issues after running ComboFix:
Internet Explorer: Tools Menu -> Internet Options -> Connections Tab -> LAN Settings > uncheck "use a proxy server" and check "Automatically detect settings". Also clear any proxy address and port. OK, Apply (only if applicable), OK.
Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection. "No Proxy" should be selected, unless you have one set up yourself.
Chrome: Select -> Tools menu -> then "Options", then go to "Change Proxy Settings", then "LAN Settings", then take out the check mark for "Use a proxy server for your LAN" if set, unless you set this up yourself.
Jetboy (author), posted April 1, 2016 (edited)

Installed Windows Repair successfully, but when I try to open it I get 'Windows Repair has stopped working', problem event name APPCRASH. Just running ComboFix....

Edited April 1, 2016 by Jetboy
Jetboy (author), posted April 1, 2016 (edited)

ComboFix log: https://www.dropbox.com/s/7hizcnbqzuy8oz6/combofix%20log.txt?dl=0

Thanks for your continued patience.

Edited April 1, 2016 by Jetboy
Juliet, posted April 1, 2016

Run ESET Services Repair tool
Please download ESET Services Repair Tool and save it to your Desktop.
Right click and choose Run as administrator.
If security notifications appear, click Continue or Run and then click Yes when asked if you want to proceed.
Once the tool has finished, you will be prompted to restart your computer. Click Yes to restart.

~~~~~

Please download FixExec and save it to your desktop.
Important: Boot your computer into the account that has trouble running exe files.
Run the tool.
When FixExec has finished running it will create a log on your Windows desktop called FixExec.txt. Please post that for me.

~~~~~

Malwarebytes Anti-Rootkit
Download Malwarebytes Anti-Rootkit.
Once the file has been downloaded, right click on the downloaded file and select the Extract all menu option.
Follow the instructions to extract the ZIP file to a folder called mbar-versionnumber on your desktop.
Once the ZIP file has been extracted, open the folder and when that folder opens, double-click on the mbar folder.
Double-click on the mbar.exe file to launch Malwarebytes Anti-Rootkit.
After you double-click on the mbar.exe file, you may receive a User Account Control (UAC) message asking if you are sure you wish to allow the program to run. Please allow it, to start Malwarebytes Anti-Rootkit correctly.
Malwarebytes Anti-Rootkit will now install necessary drivers that are required for the program to operate correctly. If you receive a DDA driver message like "could not load DDA driver", click on the Yes button and Malwarebytes Anti-Rootkit will restart your computer and will start automatically.
At the introduction screen, please click on the Next button to continue.
Next you will see the Update Database screen. Click on the Update button so Malwarebytes Anti-Rootkit can download the latest definition updates. When the update has finished, click on the Next button.
Next you can select some basic scanning options. Make sure the Drivers, Sectors, and System scan targets are selected before you click on the Scan button.
Malwarebytes Anti-Rootkit will now start scanning your computer for rootkits. This scan can take some time, so please be patient.
When the scan with Malwarebytes Anti-Rootkit is finished, the program will display a screen with the results from the scan. Make sure everything is selected and that the option to create a restore point is checked. Next click on the Cleanup button.
Malwarebytes Anti-Rootkit will then prompt you to reboot your computer. Click on the Yes button to restart your computer.
There will now be two log files created in the mbar folder called system-log.txt and one that starts with mbar-log. The mbar-log file will always start with mbar-log, but the rest will be named using a timestamp indicating the time it was run. For example, mbar-log-2012-11-12 (19-13-32).txt corresponds to mbar-log-year-month-day (hour-minute-second).txt. The system-log.txt contains information about each time you have run MBAR and contains diagnostic information from the program.

~~~~~
Jetboy (author), posted April 1, 2016

ESET tool done, and FixExec log below. Can't do the Malwarebytes Anti-Rootkit, as it needs internet, which this bug has stopped me using! Is it looking like a clean install of Windows? Desperately hope not....

FixExec by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2016 BleepingComputer.com
More Information about FixExec can be found at this link:
http://www.bleepingcomputer.com/download/windows/utilities/fixexec

Program started at: 04/01/2016 05:32:48 PM in x64 mode.
Windows Version: Windows 7

Checking for processes to terminate before fixing executable associations.

* No processes found to kill.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

* HKLM\Software\Classes\.com\\@ has been changed to ComFile!
* HKLM\Software\Classes\.com\\@ was reset to comfile!

Program finished at: 04/01/2016 05:32:52 PM
Execution time: 0 hours(s), 0 minute(s), and 4 seconds(s)
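The FixExec log above shows the .com association being reset. As an added example (not FixExec's code and not part of the thread), a read-only PowerShell audit of the same .exe/.com/.bat association chain: extension to ProgID, ProgID to open command, plus the per-user keys that would override HKLM. The expected stock values and the override paths are assumptions taken from a default Windows 7 install; nothing is written.

```powershell
# Added example: read-only audit of the .exe/.com/.bat association chain.
# Expected values are an assumption based on a default Windows 7 install.
# Works on the PowerShell 2.0 that ships with Windows 7 (no [ordered], no Get-FileHash).

# Extension -> ProgID, then ProgID -> "open" command, as stored under HKLM.
$expected = @(
    @('HKLM:\SOFTWARE\Classes\.exe', 'exefile'),
    @('HKLM:\SOFTWARE\Classes\.com', 'comfile'),
    @('HKLM:\SOFTWARE\Classes\.bat', 'batfile'),
    @('HKLM:\SOFTWARE\Classes\exefile\shell\open\command', '"%1" %*'),
    @('HKLM:\SOFTWARE\Classes\comfile\shell\open\command', '"%1" %*'),
    @('HKLM:\SOFTWARE\Classes\batfile\shell\open\command', '"%1" %*')
)

# Per-user keys that take precedence over HKLM when they exist. They are absent
# on a stock install, so their mere presence is worth reporting (assumption).
$userOverrides = @(
    'HKCU:\SOFTWARE\Classes\.exe',
    'HKCU:\SOFTWARE\Classes\exefile',
    'HKCU:\SOFTWARE\Classes\.com',
    'HKCU:\SOFTWARE\Classes\comfile',
    'HKCU:\SOFTWARE\Classes\.bat',
    'HKCU:\SOFTWARE\Classes\batfile',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice'
)

function Get-RegDefault {
    # (Default) value of a registry key, or $null when the key does not exist.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    return (Get-Item -LiteralPath $Path).GetValue('')
}

$findings = @()
foreach ($pair in $expected) {
    $path = $pair[0]
    $want = $pair[1]
    $actual = Get-RegDefault $path
    if ($null -eq $actual) {
        $findings += "MISSING  $path"
    } elseif ($actual -ine $want) {
        # ProgID lookups are case-insensitive, so 'ComFile' compares equal here
        # even though FixExec's stricter check reset it to 'comfile'.
        $findings += "CHANGED  $path = '$actual' (expected '$want')"
    } else {
        $findings += "ok       $path = '$actual'"
    }
}
foreach ($path in $userOverrides) {
    if (Test-Path -LiteralPath $path) {
        $findings += "OVERRIDE $path exists (default value '$(Get-RegDefault $path)')"
    }
}
$findings
```

Any CHANGED or OVERRIDE line names the exact key to look at; the script deliberately leaves the repair to a tool such as FixExec.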
Juliet, posted April 1, 2016

Don't give up on me yet.

Try this on the computer that has no internet.

Let's flush the DNS cache first:
Copy and paste these lines in Notepad.

@Echo on
rem Reset the hosts file to its single default entry (the fix above restored it too).
pushd %SystemRoot%\System32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
rem Release the lease, flush the resolver cache and reset the network stack.
ipconfig /release
ipconfig /renew
ipconfig /flushdns
netsh winsock reset all
netsh int ip reset all
rem Reboot straight away so the Winsock reset takes effect, then delete this script.
shutdown -r -t 1
del %0

Save as flush.bat to your desktop.
Right click on the flush.bat file to run it as Administrator.
Your computer will reboot.

~~~~~

Run FRST one more time:
Type the following in the edit box after "Search:"
netman.dll
Click the Search button and post the log (Search.txt) it makes to your reply.
Jetboy (author), posted April 1, 2016

Definitely won't give up as long as you are happy helping!
Juliet, posted April 1, 2016

Don't give up on me yet.

Try this on the computer that has no internet.

Let's flush the DNS cache first:
Copy and paste these lines in Notepad.

@Echo on
rem Reset the hosts file to its single default entry (the fix above restored it too).
pushd %SystemRoot%\System32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
rem Release the lease, flush the resolver cache and reset the network stack.
ipconfig /release
ipconfig /renew
ipconfig /flushdns
netsh winsock reset all
netsh int ip reset all
rem Reboot straight away so the Winsock reset takes effect, then delete this script.
shutdown -r -t 1
del %0

Save as flush.bat to your desktop.
Right click on the flush.bat file to run it as Administrator.
Your computer will reboot.

~~~~~

Run FRST one more time:
Type the following in the edit box after "Search:"
netman.dll
Click the Search button and post the log (Search.txt) it makes to your reply.

Work on this and let's see how it goes from there.

Something I forgot to ask, because it slipped my mind: have you tried any of these things I've listed in safe mode, and also, will the internet connect in safe mode with networking?
Jetboy (author), posted April 1, 2016

Here are the search files; did file and registry search. Safe mode with networking still has no Internet access. Tried safe mode for the things that didn't work, like Malwarebytes Anti-Rootkit and Windows Repair, but still nothing!

Farbar Recovery Scan Tool (x64) Version:05-03-2016 01
Ran by James (2016-04-01 21:00:21)
Running from C:\Users\James\Desktop
Boot Mode: Normal

================== Search Files: "netman.dll " =============

C:\Windows\winsxs\amd64_microsoft-windows-netman_31bf3856ad364e35_6.1.7600.16385_none_6bb20d3d6b80d9da\netman.dll
[2009-07-14 01:08][2009-07-14 02:41] 0360448 ____A (Microsoft Corporation) 6AE2EDA4E602D09EACDF634C06832D09 [File not signed]

C:\Windows\System32\netman.dll
[2009-07-14 01:08][2009-07-14 02:41] 0360448 ____A (Microsoft Corporation) 6AE2EDA4E602D09EACDF634C06832D09 [File not signed]

====== End of Search ======

Farbar Recovery Scan Tool (x64) Version:05-03-2016 01
Ran by James (2016-04-01 21:04:32)
Running from C:\Users\James\Desktop
Boot Mode: Normal

================== Search Registry: "netman.dll" ===========

[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\amd64_microsoft-windows-netman-mui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e2e92f6ebddc013f]
"f!netman.dll.mui"="0x6E00650074006D0061006E002E0064006C006C002E006D0075006900"
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\amd64_microsoft-windows-netman_31bf3856ad364e35_6.1.7600.16385_none_6bb20d3d6b80d9da]
"f!netman.dll"="0x6E00650074006D0061006E002E0064006C006C00"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Netman]
"DisplayName"="@%SystemRoot%\system32\netman.dll,-109"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Netman]
"Description"="@%SystemRoot%\system32\netman.dll,-110"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Netman\Parameters]
"ServiceDll"="%SystemRoot%\System32\netman.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\Netman]
"DisplayName"="@%SystemRoot%\system32\netman.dll,-109"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\Netman]
"Description"="@%SystemRoot%\system32\netman.dll,-110"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\Netman\Parameters]
"ServiceDll"="%SystemRoot%\System32\netman.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netman]
"DisplayName"="@%SystemRoot%\system32\netman.dll,-109"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netman]
"Description"="@%SystemRoot%\system32\netman.dll,-110"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netman\Parameters]
"ServiceDll"="%SystemRoot%\System32\netman.dll"
[HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\123\52C64B7E]
"@%SystemRoot%\system32\netman.dll,-109"="Network Connections"
[HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\123\52C64B7E]
"@%SystemRoot%\system32\netman.dll,-110"="Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections."
[HKEY_USERS\S-1-5-18\Software\Classes\Local Settings\MuiCache\123\52C64B7E]
"@%SystemRoot%\system32\netman.dll,-109"="Network Connections"
[HKEY_USERS\S-1-5-18\Software\Classes\Local Settings\MuiCache\123\52C64B7E]
"@%SystemRoot%\system32\netman.dll,-110"="Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections."

====== End of Search ======
Juliet Posted April 1, 2016

Please remove any USB or external drives from the computer before you run this scan! (after you have transferred it to the non-working computer)

Please download RogueKiller and save it to your desktop. (Just before you save it, please rename it to RogueKiller.com)
You can check here if you're not sure if your computer is 32-bit or 64-bit.

- Download RogueKiller to your desktop.
- Quit all running programs.
- For Windows XP, double-click to start.
- For Vista, Windows 7/8, right-click on the program and select Run as Administrator to start, and when prompted allow it to run.
- Read and accept the EULA (End User License Agreement).
- Click Scan to scan the system.
- When the scan completes, close the program > Don't Fix anything! Don't run any other options, they're not all bad!!
- Post back the report, which should be located on your desktop.
Jetboy (Author) Posted April 1, 2016

Got.... RogueKiller.exe is not a valid Win32 application... Gonna smash up the laptop soon!
Juliet Posted April 1, 2016

> Gonna smash up the laptop soon!

That's two of us.

Please download the Event Viewer Tool by Vino Rosso http://images.malwareremoval.com/vino/VEW.exe and save it to your Desktop:

1. Double-click VEW.exe
2. Under 'Select log to query', select:
   * System
3. Under 'Select type to list', select:
   * Error
   * Warning

Then use the 'Number of events' as follows:

1. Click the radio button for 'Number of events'
2. Type 20 in the 1 to 20 box
3. Then click the Run button.

Notepad will open with the output log. Please post the Output log in your next reply, then repeat but select Application.

```````````````````````````

Got a question. Have you tried a system restore point before all this crud started happening? Or Last Known Good Configuration?
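The same query the VEW step above asks for (last 20 Critical/Error/Warning entries from the System log, then the Application log), done in PowerShell as an added example; this is not the VEW tool's code or anything posted in the thread. It assumes Windows 7 or later, an elevated prompt, and a hypothetical output file name on the Desktop.

```powershell
# Added example, not from the thread: collect the newest Critical/Error/Warning
# events from the System and Application logs and write them to a text file
# that can be pasted into a forum reply, much like VEW's output log.
# Run from an elevated PowerShell prompt (Run as Administrator).
param(
    [int]$Count = 20,                                   # VEW's "Number of events"
    [string[]]$Logs = @('System', 'Application'),       # the two logs the thread asks for
    [string]$OutFile = (Join-Path ([Environment]::GetFolderPath('Desktop')) 'EventSummary.txt')  # assumed name
)

# Event levels: 1 = Critical, 2 = Error, 3 = Warning (0 = LogAlways, 4 = Informational, 5 = Verbose).
# Filtering with XPath happens inside the event log service, so we do not have to
# page through thousands of informational entries to find the last 20 problems.
$xpath = "*[System[(Level=1 or Level=2 or Level=3)]]"

$report = foreach ($log in $Logs) {
    "===== $log log: last $Count critical/error/warning events ====="
    try {
        # Get-WinEvent returns newest first; -MaxEvents caps the count after filtering.
        $events = Get-WinEvent -LogName $log -FilterXPath $xpath -MaxEvents $Count -ErrorAction Stop
    } catch {
        # A log that cannot be opened (or has no matching events) is reported, not fatal.
        "  (could not read log: $($_.Exception.Message))"
        continue
    }
    foreach ($e in $events) {
        $level = switch ($e.Level) { 1 { 'Critical' } 2 { 'Error' } 3 { 'Warning' } default { "Level$($e.Level)" } }
        # Message is $null when the provider's message DLL cannot be loaded, which is
        # itself worth knowing on a machine whose system files are suspect.
        $msg = if ($e.Message) { ($e.Message -split "`r?`n")[0] } else { '<no message text>' }
        "{0:yyyy-MM-dd HH:mm:ss}  {1,-8}  {2,-30}  ID {3,-5}  {4}" -f $e.TimeCreated, $level, $e.ProviderName, $e.Id, $msg
    }
    ""
}

$report | Out-File -FilePath $OutFile -Encoding UTF8
Write-Host "Wrote $OutFile"
```

Only the first line of each message is kept so that a line per event stays readable when pasted into a reply.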
Jetboy (Author) Posted April 1, 2016

So got the same, not a valid Win32 application. All my restore points have gone. Think it's that time to clean install? You've been so patient!
Juliet Posted April 1, 2016

Would have been nice if RogueKiller could have run.

aswMBR Log

Important! Please do NOT perform any fix options offered in aswMBR, we just need to see the report.

- Please download aswMBR to your desktop.
- Double click the aswMBR icon to run it.
- If a prompt stating: The computer supports "Virtualization Technology" appears, select Yes.
- Click the Scan button to start scan.
- If you are asked to update the Avast Virus database, please allow it to do so.
- When it finishes, press the Save Log button, save the logfile to your desktop and post its contents in your reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~

Let's look at a new FRST log

- Right-click FRST.exe / FRST64.exe and select Run as administrator to run the programme.
- Click Yes to the disclaimer.
- Ensure the Addition.txt box is checked.
- Click the Scan button and let the programme run.
- Upon completion, click OK, then OK on the Addition.txt pop up screen.
- Two logs (FRST.txt & Addition.txt) will now be open on your Desktop.
- Copy the contents of both logs and paste in your next reply.
Juliet Posted April 1, 2016

> So got the same, not a valid Win32 application. All my restore points have gone. Think it's that time to clean install? You've been so patient!

That's not good. That might be next. I feel in this situation a repair/install will be the best option; that way you will lose no data. The OS will be reloaded over the top.

Follow the instructions here. Does that help?
http://www.sevenforums.com/tutorials/681-startup-repair.html
Jetboy (Author) Posted April 1, 2016

Not a Win32 application. Grrrrrrrrrr
Juliet Posted April 1, 2016

> That might be next. I feel in this situation a repair/install will be the best option; that way you will lose no data. The OS will be reloaded over the top.
> Follow the instructions here. Does that help?
> http://www.sevenforums.com/tutorials/681-startup-repair.html

There's too much corruption to fiddle here and there, especially when nothing can run that normally should under these conditions.