Another 'someprogram.exe bad image' issue, please help!


Jetboy
Hi. So a couple of days ago my laptop wouldn't boot to Windows. After a load of times using the repair environments I got to the login screen, but the keyboard wouldn't work. Kept powering off and on again, and now I can get onto Windows but I'm getting the bad image errors, beginning with a startup.exe bad image error, and one saying that my recycle bin is corrupted, do I want to empty it.

I can't run any program now because of the error, such as my antivirus, and I can't access the net.

I downloaded Malwarebytes and FRST on another device and was able to run them...

Any help would be appreciated as I'm currently on a web design course and stuck without my laptop!

Thanks in advance....

Edited by Jetboy

I downloaded Malwarebytes and FRST on another device and was able to run them.

Can you provide these logs?

 

Malwarebytes' Anti-Malware

Click on the History tab > Application Logs.

Double click on the scan log which shows the Date and time of the scan just performed.

Click 'Copy to Clipboard'

Paste the contents of the clipboard into your reply.

 

~~~~~

Farbar Recovery Scan Tool

Two logs (FRST.txt & Addition.txt)


Firstly, thanks for the reply. Bear with me here, as I'm having to copy the logs from my laptop to a hard drive to paste onto my tablet, as the laptop won't connect to the internet!

Malwarebytes Anti-Malware

www.malwarebytes.org

 

Scan Date: 31/03/2016

Scan Time: 12:44

Logfile:

Administrator: Yes

 

Version: 2.2.1.1043

Malware Database: v2016.02.16.06

Rootkit Database: v2016.02.08.01

License: Free

Malware Protection: Disabled

Malicious Website Protection: Disabled

Self-protection: Disabled

 

OS: Windows 7 Service Pack 1

CPU: x64

File System: NTFS

User: James

 

Scan Type: Threat Scan

Result: Completed

Objects Scanned: 344089

Time Elapsed: 10 min, 52 sec

 

Memory: Enabled

Startup: Enabled

Filesystem: Enabled

Archives: Enabled

Rootkits: Disabled

Heuristics: Enabled

PUP: Enabled

PUM: Enabled

 

Processes: 0

(No malicious items detected)

 

Modules: 0

(No malicious items detected)

 

Registry Keys: 0

(No malicious items detected)

 

Registry Values: 0

(No malicious items detected)

 

Registry Data: 0

(No malicious items detected)

 

Folders: 0

(No malicious items detected)

 

Files: 0

(No malicious items detected)

 

Physical Sectors: 0

(No malicious items detected)

 

 

(end)


The things I post for you to do will have to be transferred using a USB drive, but only if the infected computer still doesn't work after we run this fix.

 

Please open Notepad (do not use WordPad or any other text editor than Notepad, or the script will fail: Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:

To do this highlight the contents of the box and right click on it and select copy.

Paste this into the open notepad. save it to the Desktop as fixlist.txt

NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.

It needs to be saved Next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)

 

 


 

 

start

CreateRestorePoint:

CloseProcesses:

ShortcutWithArgument: C:\Users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Ruby 2.2.4-p230-x64\Start Command Prompt with Ruby.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation) -> /E:ON /K C:\Ruby22-x64\bin\setrbvars.bat

ShortcutWithArgument: C:\Users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Ruby 2.1.7-p400\Start Command Prompt with Ruby.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation) -> /E:ON /K C:\Program Files (x86)\Heroku\ruby-2.1.7\bin\setrbvars.bat

ShortcutWithArgument: C:\Users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\RailsInstaller\Command Prompt with Ruby and Rails.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation) -> /E:ON /K C:\RailsInstaller\Ruby2.2.0\setup_environment.bat C:\RailsInstaller

SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox

SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox

SearchScopes: HKU\S-1-5-21-2059866349-3918318577-506309803-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox

CHR HKU\S-1-5-21-2059866349-3918318577-506309803-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\Users\James\AppData\Local\Google\Drive\user_default\apdfllckaahabafndbhieahigkjlhalf_live.crx [2016-03-07]

U3 BcmSqlStartupSvc; no ImagePath

U2 CLKMSVC10_3A60B698; no ImagePath

U2 CLKMSVC10_C3B3B687; no ImagePath

U2 DriverService; no ImagePath

U2 iATAgentService; no ImagePath

U2 idealife Update Service; no ImagePath

U3 IGRS; no ImagePath

U2 IviRegMgr; no ImagePath

U2 nvUpdatusService; no ImagePath

U2 Oasis2Service; no ImagePath

U2 PCCarerService; no ImagePath

U2 ReadyComm.DirectRouter; no ImagePath

U2 RichVideo; no ImagePath

U2 RtLedService; no ImagePath

U2 SeaPort; no ImagePath

U2 SoftwareService; no ImagePath

U3 SQLWriter; no ImagePath

C:\Users\James\AppData\Local\Temp\converter.exe

C:\Users\James\AppData\Local\Temp\libeay32.dll

C:\Users\James\AppData\Local\Temp\MSETUP4.EXE

C:\Users\James\AppData\Local\Temp\msvcr120.dll

C:\Users\James\AppData\Local\Temp\Opt_USB_Driver_32.exe

C:\Users\James\AppData\Local\Temp\Opt_USB_Driver_64.exe

C:\Users\James\AppData\Local\Temp\ose00000.exe

C:\Users\James\AppData\Local\Temp\sqlite-3.7.151-x86-sqlitejdbc.dll

C:\Users\James\AppData\Local\Temp\sqlite3.dll

CMD: ipconfig /flushdns

CMD: netsh winsock reset all

CMD: netsh int ipv4 reset

CMD: netsh int ipv6 reset

CMD: bitsadmin /reset /allusers

Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f

Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f

 

Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f

Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f

EmptyTemp:

Hosts:

End

Open FRST/FRST64 and press the > Fix < button just once and wait.

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

~~~~~

 

AdwCleaner

  • Please download AdwCleaner and save the file to your Desktop.
  • Right-click AdwCleaner.exe and select Run as administrator to run the programme.
  • Follow the prompts.
  • Click Scan.
  • Upon completion, click Report. A log (AdwCleaner[sX].txt) will open. Briefly check the log for anything you know to be legitimate.
  • Ensure anything you know to be legitimate does not have a checkmark, and click Clean.
  • Follow the prompts and allow your computer to reboot.
  • After rebooting, a log (AdwCleaner[sX].txt) will open. Copy the contents of the log and paste in your next reply.
-- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

 

Please download Junkware Removal Tool (or from here: http://downloads.malwarebytes.org/file/jrt) to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
~~~~

please post

Fixlog.txt

AdwCleaner[C1].txt

JRT.txt


 

Here's what you asked for....

 

Fix result of Farbar Recovery Scan Tool (x64) Version:05-03-2016 01

Ran by James (2016-04-01 09:51:59) Run:2

Running from C:\Users\James\Desktop

Loaded Profiles: James (Available Profiles: James)

Boot Mode: Normal

==============================================

 

fixlist content:

*****************

start

CreateRestorePoint:

CloseProcesses:

ShortcutWithArgument: C:\Users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Ruby 2.2.4-p230-x64\Start Command Prompt with Ruby.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation) -> /E:ON /K C:\Ruby22-x64\bin\setrbvars.bat

ShortcutWithArgument: C:\Users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Ruby 2.1.7-p400\Start Command Prompt with Ruby.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation) -> /E:ON /K C:\Program Files (x86)\Heroku\ruby-2.1.7\bin\setrbvars.bat

ShortcutWithArgument: C:\Users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\RailsInstaller\Command Prompt with Ruby and Rails.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation) -> /E:ON /K C:\RailsInstaller\Ruby2.2.0\setup_environment.bat C:\RailsInstaller

SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox

SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox

SearchScopes: HKU\S-1-5-21-2059866349-3918318577-506309803-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox

CHR HKU\S-1-5-21-2059866349-3918318577-506309803-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\Users\James\AppData\Local\Google\Drive\user_default\apdfllckaahabafndbhieahigkjlhalf_live.crx [2016-03-07]

U3 BcmSqlStartupSvc; no ImagePath

U2 CLKMSVC10_3A60B698; no ImagePath

U2 CLKMSVC10_C3B3B687; no ImagePath

U2 DriverService; no ImagePath

U2 iATAgentService; no ImagePath

U2 idealife Update Service; no ImagePath

U3 IGRS; no ImagePath

U2 IviRegMgr; no ImagePath

U2 nvUpdatusService; no ImagePath

U2 Oasis2Service; no ImagePath

U2 PCCarerService; no ImagePath

U2 ReadyComm.DirectRouter; no ImagePath

U2 RichVideo; no ImagePath

U2 RtLedService; no ImagePath

U2 SeaPort; no ImagePath

U2 SoftwareService; no ImagePath

U3 SQLWriter; no ImagePath

C:\Users\James\AppData\Local\Temp\converter.exe

C:\Users\James\AppData\Local\Temp\libeay32.dll

C:\Users\James\AppData\Local\Temp\MSETUP4.EXE

C:\Users\James\AppData\Local\Temp\msvcr120.dll

C:\Users\James\AppData\Local\Temp\Opt_USB_Driver_32.exe

C:\Users\James\AppData\Local\Temp\Opt_USB_Driver_64.exe

C:\Users\James\AppData\Local\Temp\ose00000.exe

C:\Users\James\AppData\Local\Temp\sqlite-3.7.151-x86-sqlitejdbc.dll

C:\Users\James\AppData\Local\Temp\sqlite3.dll

CMD: ipconfig /flushdns

CMD: netsh winsock reset all

CMD: netsh int ipv4 reset

CMD: netsh int ipv6 reset

CMD: bitsadmin /reset /allusers

Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f

Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f

 

Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f

Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f

EmptyTemp:

Hosts:

End

*****************

 

Restore point was successfully created.

Processes closed successfully.

C:\Users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Ruby 2.2.4-p230-x64\Start Command Prompt with Ruby.lnk => Shortcut argument removed successfully.

C:\Users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Ruby 2.1.7-p400\Start Command Prompt with Ruby.lnk => Shortcut argument removed successfully.

C:\Users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\RailsInstaller\Command Prompt with Ruby and Rails.lnk => Shortcut argument removed successfully.

HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.

HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.

HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.

HKCR\Wow6432Node\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.

HKU\S-1-5-21-2059866349-3918318577-506309803-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.

HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.

HKU\S-1-5-21-2059866349-3918318577-506309803-1000\SOFTWARE\Google\Chrome\Extensions\apdfllckaahabafndbhieahigkjlhalf => key not found.

"C:\Users\James\AppData\Local\Google\Drive\user_default\apdfllckaahabafndbhieahigkjlhalf_live.crx" => not found.

BcmSqlStartupSvc => service not found.

CLKMSVC10_3A60B698 => service not found.

CLKMSVC10_C3B3B687 => service not found.

DriverService => service not found.

iATAgentService => service not found.

idealife Update Service => service not found.

IGRS => service not found.

IviRegMgr => service not found.

nvUpdatusService => service not found.

Oasis2Service => service not found.

PCCarerService => service not found.

ReadyComm.DirectRouter => service not found.

RichVideo => service not found.

RtLedService => service not found.

SeaPort => service not found.

SoftwareService => service not found.

SQLWriter => service not found.

"C:\Users\James\AppData\Local\Temp\converter.exe" => not found.

"C:\Users\James\AppData\Local\Temp\libeay32.dll" => not found.

"C:\Users\James\AppData\Local\Temp\MSETUP4.EXE" => not found.

"C:\Users\James\AppData\Local\Temp\msvcr120.dll" => not found.

"C:\Users\James\AppData\Local\Temp\Opt_USB_Driver_32.exe" => not found.

"C:\Users\James\AppData\Local\Temp\Opt_USB_Driver_64.exe" => not found.

"C:\Users\James\AppData\Local\Temp\ose00000.exe" => not found.

"C:\Users\James\AppData\Local\Temp\sqlite-3.7.151-x86-sqlitejdbc.dll" => not found.

"C:\Users\James\AppData\Local\Temp\sqlite3.dll" => not found.

 

========= ipconfig /flushdns =========

 

 

Windows IP Configuration

 

Could not flush the DNS Resolver Cache: Function failed during execution.

 

 

========= End of CMD: =========

 

 

========= netsh winsock reset all =========

 

 

Sucessfully reset the Winsock Catalog.

You must restart the computer in order to complete the reset.

 

 

========= End of CMD: =========

 

 

========= netsh int ipv4 reset =========

 

There's no user specified settings to be reset.

 

 

========= End of CMD: =========

 

 

========= netsh int ipv6 reset =========

 

There's no user specified settings to be reset.

 

 

========= End of CMD: =========

 

 

========= bitsadmin /reset /allusers =========

 

 

BITSADMIN version 3.0 [ 7.5.7601 ]

BITS administration utility.

© Copyright 2000-2006 Microsoft Corp.

 

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.

Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

 

Unable to connect to BITS - 0x80080005

 

========= End of CMD: =========

 

 

========= reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

 

The operation completed successfully.

 

 

 

========= End of Reg: =========

 

 

========= reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

 

The operation completed successfully.

 

 

 

========= End of Reg: =========

 

 

========= reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

 

The operation completed successfully.

 

 

 

========= End of Reg: =========

 

 

========= reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

 

The operation completed successfully.

 

 

 

========= End of Reg: =========

 

C:\Windows\System32\Drivers\etc\hosts => moved successfully

Hosts restored successfully.

EmptyTemp: => 38.8 MB temporary data Removed.

 

 

The system needed a reboot.

 

==== End of Fixlog 09:54:35 ====

 

 

 

# AdwCleaner v5.108 - Logfile created 31/03/2016 at 15:24:15

# Updated 30/03/2016 by Xplode

# Database : 1984.9 [Local]

# Operating system : Windows 7 Home Premium Service Pack 1 (x64)

# Username : James - JAMES-PC

# Running from : C:\Users\James\Desktop\adwcleaner_5.108(0).exe

# Option : Clean

# Support : http://toolslib.net/forum

 

***** [ Services ] *****

 

 

***** [ Folders ] *****

 

[-] Folder Deleted : C:\ProgramData\Partner

[-] Folder Deleted : C:\Users\James\AppData\Local\Google\Chrome\User Data\Default\Extensions\oadboiipflhobonjjffjbfekfjcgkhco

 

***** [ Files ] *****

 

[-] File Deleted : C:\Users\James\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_d3l3lkinz3f56t.cloudfront.net_0.localstorage

[-] File Deleted : C:\Users\James\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_d3l3lkinz3f56t.cloudfront.net_0.localstorage-journal

 

***** [ DLLs ] *****

 

 

***** [ Shortcuts ] *****

 

 

***** [ Scheduled tasks ] *****

 

 

***** [ Registry ] *****

 

[-] Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.Protector

[-] Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.Protector.1

[-] Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.ProtectorBho

[-] Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.ProtectorBho.1

[-] Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib

[-] Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib.1

 

***** [ Web browsers ] *****

 

[-] [C:\Users\James\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : oadboiipflhobonjjffjbfekfjcgkhco

 

*************************

 

:: "Tracing" keys deleted

:: Winsock settings cleared

 

*************************

 

C:\AdwCleaner\AdwCleaner[C1].txt - [1724 bytes] - [31/03/2016 15:24:15]

C:\AdwCleaner\AdwCleaner[s1].txt - [1721 bytes] - [31/03/2016 15:21:21]

 

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1870 bytes] ##########

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Malwarebytes

Version: 8.0.4 (03.14.2016)

Operating System: Windows 7 Home Premium x64

Ran by James (Limited) on 01/04/2016 at 10:23:45.30

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

 

 

File System: 1

 

Successfully deleted: C:\Windows\prefetch\GOOGLETOOLBARUSER_32.EXE-66EEE4D2.pf (File)

 

 

 

Registry: 1

 

Successfully deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\GoogleChromeAutoLaunch_6B06BCEFC97BCF192292AD16DB5D7A73 (Registry Value)

 

 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan was completed on 01/04/2016 at 10:27:52.34

End of JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Also please download Windows Repair (all in one) from here

 


Install the program then go to step 4 and create a new system restore point and new registry backup.

 

Go to Step 2 and allow it to run CheckDisk by clicking on Do It button:


 

 

 

NEXT

On the the Start Repairs tab => Click the Start


 

 

Please ensure that ONLY items seen in the image below are ticked as indicated (they're all checked by default):


 

Click on box next to the Restart System when Finished. Then click on Start.

 

 

~~~~~

 

 

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

 

How to use ComboFix

 

Download ComboFix from here:

Link 1

Link 2

Link 3

 

Place ComboFix.exe on your Desktop <--Important

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.

    * Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

     

     

     

    You can get help on disabling your protection programs here

  • Double click on ComboFix.exe & follow the prompts.
  • You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may need to reboot your computer more than once to do its job; this is normal.
  • When finished, it will produce a log for you. Post that log in your next reply.

     

    Note:

    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

     

    Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

     

    ---------------------------------------------------------------------------------------------

  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

     

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

    ---------------------------------------------------------------------------------------------

  • If there are Internet issues after running ComboFix:

    Internet Explorer:

    Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" and check to "Automatically detect settings". Also clear any proxy address and port. ok, apply (only if applicable), ok.

    Firefox:

    Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection. "No Proxy" should be selected, unless you have one set up yourself.

    Chrome:

    Select -> Tools menu -> then "Options", then go to "Change Proxy Settings", then "LAN Settings" , then take out the check mark for "Use a proxy server for your LAN" if set, unless you set this up yourself.

     

     


Installed Windows repair successfully, but when I try to open it I get 'windows repair has stopped working', problem event name, APPCRASH.

Just running ComboFix....

Edited by Jetboy

Run ESET Services repair tool

  • Please download ESET Services Repair Tool and save it to your Desktop;
  • Right click and choose Run as administrator;
  • If security notifications appear, click Continue or Run and then click Yes when asked if you want to proceed;
  • Once the tool has finished, you will be prompted to restart your computer. Click Yes to restart.
~~~~~

     

    Please download FixExec and save it to your desktop.

  • Important: Boot your computer into the account that has trouble running exe files.
  • Run the tool.
  • When FixExec has finished running it will create a log on your Windows desktop called FixExec.txt. Please post that for me.
~~~~~

     

    Malwarebytes Anti-Rootkit

  • Download Malwarebytes Anti-Rootkit
  • Once the file has been downloaded, right click on the downloaded file and select the Extract all menu option.
  • Follow the instructions to extract the ZIP file to a folder called mbar-versionnumber on your desktop.
  • Once the ZIP file has been extracted, open the folder and when that folder opens, double-click on the mbar folder.
  • Double-click on the mbar.exe file to launch Malwarebytes Anti-Rootkit.
  • After you double-click on the mbar.exe file, you may receive a User Account Control (UAC) message asking whether you are sure you wish to allow the program to run. Please allow it so that Malwarebytes Anti-Rootkit starts correctly.
  • Malwarebytes Anti-Rootkit will now install necessary drivers that are required for the program to operate correctly.
  • If you receive a DDA driver message like could not load DDA driver, click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer and will start automatically.
  • Please click by the introduction screen on the Next button to continue.
  • Next you will see the Update Database screen.
  • Click on the Update button so Malwarebytes Anti-Rootkit can download the latest definition updates.
  • When the update has finished, click on the Next button.
  • Next you can select some basic scanning options. Make sure the Drivers, Sectors, and System scan targets are selected before you click on the Scan button.
  • Malwarebytes Anti-Rootkit will now start scanning your computer for rootkits. This scan can take some time, so please be patient.
  • When the scan with Malwarebytes Anti-Rootkit is finished, the program will display a screen with the results from the scan.
  • Make sure everything is selected and that the option to create a restore point is checked.
  • Next click on the Cleanup button. Malwarebytes Anti-Rootkit will then prompt you to reboot your computer.
  • Click on Yes button to restart your computer.
  • There will now be two log files created in the mbar folder called system-log.txt and one that starts with mbar-log.
  • The mbar-log file will always start with mbar-log, but the rest will be named using a timestamp indicating the time it was run.
  • For example, mbar-log-2012-11-12 (19-13-32).txt corresponds to mbar-log-year-month-day (hour-minute-second).txt.
  • The system-log.txt contains information about each time you have run MBAR and contains diagnostic information from the program.
~~~~~

     


ESET tool done, and FixExec log below. Can't do the Malwarebytes Anti-Rootkit, as it needs internet, which this bug has stopped me using! Is it looking like a clean install of Windows? Desperately hope not....

 

 

 

 

 

 

FixExec by Lawrence Abrams (Grinler)

http://www.bleepingcomputer.com/

Copyright 2008-2016 BleepingComputer.com

More Information about FixExec can be found at this link:

http://www.bleepingcomputer.com/download/windows/utilities/fixexec

 

Program started at: 04/01/2016 05:32:48 PM in x64 mode.

Windows Version: Windows 7

 

Checking for processes to terminate before fixing executable associations.

* No processes found to kill.

 

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

 

* HKLM\Software\Classes\.com\\@ has been changed to ComFile!

* HKLM\Software\Classes\.com\\@ was reset to comfile!

 

 

Program finished at: 04/01/2016 05:32:52 PM

Execution time: 0 hours(s), 0 minute(s), and 4 seconds(s)


Don't give up on me yet.

 

Try this on the computer that has no internet

 

Let's flush the DNS cache first:

 

Copy and paste these lines in Notepad.

 

 

 

@Echo on

rem Rewrite the hosts file to the single stock entry so that any added
rem mappings (for example blocked update or security-vendor sites) are discarded.

pushd %SystemRoot%\System32\drivers\etc

attrib -h -s -r hosts

echo 127.0.0.1 localhost>HOSTS

attrib +r +h +s hosts

popd

rem Renew the address lease and clear cached DNS answers.

ipconfig /release

ipconfig /renew

ipconfig /flushdns

rem Reset the Winsock catalog and the TCP/IP stack, then reboot.

netsh winsock reset all

netsh int ip reset all

shutdown -r -t 1

rem Remove this batch file once it has run.

del %0

 

 

 

Save as flush.bat to your desktop.

Right click on the flush.bat file to run it as Administrator. Your computer will reboot.

 

~~~~~

 

Run FRST one more time:

 

 

Type the following in the edit box after "Search:" netman.dll

 

Click Search button and post the log (Search.txt) it makes to your reply.

Work on this and let's see how it goes from there.

 

Something I forgot to ask, because it slipped my mind: have you tried any of these things I've listed in safe mode, and also, will the internet connect in safe mode with networking?
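The flush.bat above resets the hosts file by overwriting it with the single stock line. As an added example (not code from this thread or from any of the tools named in it), the Python below audits a hosts file before it is reset: it parses the entries, ignores the stock localhost lines, and reports hostnames sinkholed to loopback or 0.0.0.0 (the pattern used to block update and security-vendor sites) separately from hostnames redirected to any other address. The sample hosts content, the .invalid domain names and the 203.0.113.7 address are constructed for the demo.

```python
"""Audit a Windows hosts file before it is reset.

Added example, not code from the forum thread. The flush.bat posted above
overwrites hosts with a single '127.0.0.1 localhost' line; this script reads
the existing file first and records anything beyond the stock entries, so a
sinkholed vendor domain or a redirected site is noted rather than silently
discarded. The sample hosts content below is constructed for the demo.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Entries a stock Windows 7 hosts file may carry as active lines.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# What the batch script in the thread writes back: the minimal clean file.
CLEAN_HOSTS = "127.0.0.1 localhost\r\n"

# Constructed sample: .invalid names and a TEST-NET address, not real sites.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1   update.example-av.invalid      # constructed: vendor site sinkholed
0.0.0.0     downloads.example-av.invalid   # constructed: same, via 0.0.0.0
203.0.113.7 www.example-search.invalid     # constructed: redirected elsewhere
not a hosts line
"""


@dataclass(frozen=True)
class HostsEntry:
    line_no: int
    address: str
    hostname: str


def parse_hosts(text: str) -> list[HostsEntry]:
    """Return one entry per (address, hostname) pair; comments, blank and
    malformed lines are skipped. One line may name several hosts."""
    entries: list[HostsEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        if len(fields) < 2:
            continue  # no hostname on the line
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address
        for host in fields[1:]:
            entries.append(HostsEntry(line_no, fields[0], host.lower()))
    return entries


def audit_hosts(text: str) -> dict:
    """Sort the non-default entries into two buckets.

    sinkholed : hostname mapped to loopback or 0.0.0.0, the pattern malware
                uses to block update and security-vendor sites.
    redirected: hostname mapped to any other address, so traffic for that
                name would go somewhere the resolver would not have sent it.
    """
    report: dict = {"total": 0, "sinkholed": [], "redirected": []}
    for entry in parse_hosts(text):
        report["total"] += 1
        if (entry.address, entry.hostname) in DEFAULT_ENTRIES:
            continue
        ip = ipaddress.ip_address(entry.address)
        bucket = "sinkholed" if (ip.is_loopback or ip.is_unspecified) else "redirected"
        report[bucket].append(entry)
    return report


def needs_reset(text: str) -> bool:
    """True when the file contains anything beyond the stock entries."""
    report = audit_hosts(text)
    return bool(report["sinkholed"] or report["redirected"])


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    for bucket in ("sinkholed", "redirected"):
        for e in result[bucket]:
            print(f"line {e.line_no}: {bucket:10} {e.hostname} -> {e.address}")
    print("reset needed:", needs_reset(SAMPLE_HOSTS))
```

Run it against a copy of C:\Windows\System32\drivers\etc\hosts taken from the affected machine. Whatever it flags is worth keeping in your notes before the batch file discards it, since the blocked or redirected hostnames are often the only record of what the infection was aimed at.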


Here are the search files; I did a file search and a registry search.

Safe mode with networking still has no Internet access.

Tried safe mode for the things that didn't work, like Malwarebytes Anti-Rootkit and Windows Repair, but still nothing!

 

 

 

 

Farbar Recovery Scan Tool (x64) Version:05-03-2016 01

Ran by James (2016-04-01 21:00:21)

Running from C:\Users\James\Desktop

Boot Mode: Normal

 

================== Search Files: "netman.dll" =============

 

C:\Windows\winsxs\amd64_microsoft-windows-netman_31bf3856ad364e35_6.1.7600.16385_none_6bb20d3d6b80d9da\netman.dll

[2009-07-14 01:08][2009-07-14 02:41] 0360448 ____A (Microsoft Corporation) 6AE2EDA4E602D09EACDF634C06832D09 [File not signed]

 

C:\Windows\System32\netman.dll

[2009-07-14 01:08][2009-07-14 02:41] 0360448 ____A (Microsoft Corporation) 6AE2EDA4E602D09EACDF634C06832D09 [File not signed]

 

====== End of Search ======

 

 

Farbar Recovery Scan Tool (x64) Version:05-03-2016 01

Ran by James (2016-04-01 21:04:32)

Running from C:\Users\James\Desktop

Boot Mode: Normal

 

================== Search Registry: "netman.dll" ===========

 

[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\amd64_microsoft-windows-netman-mui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e2e92f6ebddc013f]

"f!netman.dll.mui"="0x6E00650074006D0061006E002E0064006C006C002E006D0075006900"

[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\amd64_microsoft-windows-netman_31bf3856ad364e35_6.1.7600.16385_none_6bb20d3d6b80d9da]

"f!netman.dll"="0x6E00650074006D0061006E002E0064006C006C00"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Netman]

"DisplayName"="@%SystemRoot%\system32\netman.dll,-109"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Netman]

"Description"="@%SystemRoot%\system32\netman.dll,-110"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Netman\Parameters]

"ServiceDll"="%SystemRoot%\System32\netman.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\Netman]

"DisplayName"="@%SystemRoot%\system32\netman.dll,-109"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\Netman]

"Description"="@%SystemRoot%\system32\netman.dll,-110"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\Netman\Parameters]

"ServiceDll"="%SystemRoot%\System32\netman.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netman]

"DisplayName"="@%SystemRoot%\system32\netman.dll,-109"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netman]

"Description"="@%SystemRoot%\system32\netman.dll,-110"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netman\Parameters]

"ServiceDll"="%SystemRoot%\System32\netman.dll"

[HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\123\52C64B7E]

"@%SystemRoot%\system32\netman.dll,-109"="Network Connections"

[HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\123\52C64B7E]

"@%SystemRoot%\system32\netman.dll,-110"="Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections."

[HKEY_USERS\S-1-5-18\Software\Classes\Local Settings\MuiCache\123\52C64B7E]

"@%SystemRoot%\system32\netman.dll,-109"="Network Connections"

[HKEY_USERS\S-1-5-18\Software\Classes\Local Settings\MuiCache\123\52C64B7E]

"@%SystemRoot%\system32\netman.dll,-110"="Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections."

 

====== End of Search ======


Please remove any usb or external drives from the computer before you run this scan!

(after you have transferred it to the non working computer)

 

 

Please download RogueKiller and save it to your desktop.(Just before you save it, please rename it to RogueKiller.com)

 

You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Download RogueKiller to your desktop.
  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista, Windows 7/8, right-click on the program and select Run as Administrator to start, and when prompted allow it to run.
  • Read and accept the EULA (End User License Agreement)
  • Click Scan to scan the system.
  • When the scan completes Close the program > Don't Fix anything!
  • Don't run any other options, they're not all bad!!
  • Post back the report which should be located on your desktop.

Gonna smash up the laptop soon!

That's two of us

 

Please download the Event Viewer Tool by Vino Rosso

http://images.malwareremoval.com/vino/VEW.exe

and save it to your Desktop:

2. Double-click VEW.exe

3. Under 'Select log to query', select:

 

* System

4. Under 'Select type to list', select:

* Error

* Warning

 

 

Then use the 'Number of events' as follows:

 

 

1. Click the radio button for 'Number of events'

Type 20 in the 1 to 20 box

Then click the Run button.

Notepad will open with the output log.

 

 

Please post the Output log in your next reply then repeat but select Application.

```````````````````````````

Got a question

 

Have you tried a system restore point before all this crud started happening?

Or Last Known good configuration?
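As an added example (not from the original thread and not part of the VEW tool), the same query the steps above perform, the most recent Error/Warning entries from the System or Application log, can be run with the built-in Get-WinEvent cmdlet, which needs no download. The log name, the event count and the output file name are parameters I chose for the example, not values from the thread.

```powershell
# Added example: list the last N Critical/Error/Warning events from a Windows
# event log and save them to a text file on the Desktop, mirroring what VEW
# does with "Number of events = 20" for the System log.
# Event levels in the Windows log schema: 1 = Critical, 2 = Error, 3 = Warning.
param(
    [ValidateSet('System', 'Application')]
    [string]$LogName = 'System',   # assumed default; VEW asks for System first, then Application
    [int]$MaxEvents = 20           # matches the "Type 20 in the 1 to 20 box" step
)

$filter = @{
    LogName = $LogName
    Level   = 1, 2, 3
}

# -ErrorAction SilentlyContinue: Get-WinEvent throws "No events were found" when
# nothing matches, which is a normal result on a quiet log, not a failure.
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No Critical/Error/Warning events found in the $LogName log."
    return
}

# Console view: one line per event, first line of the message only.
$events |
    Select-Object TimeCreated, Id, LevelDisplayName, ProviderName,
        @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap

# File view: full messages, written to the Desktop so they can be pasted into a reply
# (assumed file name EventLog-<LogName>.txt).
$out = Join-Path ([Environment]::GetFolderPath('Desktop')) "EventLog-$LogName.txt"
$events |
    Format-List TimeCreated, Id, LevelDisplayName, ProviderName, Message |
    Out-File -FilePath $out -Encoding UTF8

Write-Host "Saved $($events.Count) events to $out"
```

Run it from an elevated PowerShell prompt (the System log is readable by standard users, but some Application log providers are not); rerun with `-LogName Application` for the second log the post asks for. When a machine is throwing "bad image" errors, the Application Error entries in this output usually name the DLL that failed to load, which is the detail a helper needs before deciding between cleanup and a repair install.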


Would have been nice if RogueKiller could have run

 

 

aswMBR Log

 

Important! Please do NOT perform any fix options offered in aswMBR, we just need to see the report.

 

Please download aswMBR to your desktop.

  • Double click the aswMBR icon to run it.
  • If a prompt stating: The computer supports "Virtualization Technology" appears select Yes
  • Click the Scan button to start scan.
  • If you are asked to update the Avast Virus database please allow it to do so.
  • When it finishes, press the Save Log button, save the logfile to your desktop and post its contents in your reply
~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Let's look at a new FRST log

  • Right-click FRST.exe / FRST64.exe and select Run as administrator to run the programme.
  • Click Yes to the disclaimer.
  • Ensure the Addition.txt box is checked.
  • Click the Scan button and let the programme run.
  • Upon completion, click OK, then OK on the Addition.txt pop up screen.
  • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply.


So got the same, not a valid Win32 application.

All my restore points have gone.

Think it's that time to clean install?

You've been so patient!

That's not good.

 

That might be next

 

I feel in this situation a repair/install will be the best option; that way you will lose no data. The OS will be reloaded over the top.

 

 

Follow the instructions here. Does that help?

http://www.sevenforums.com/tutorials/681-startup-repair.html

There's too much corruption to fiddle here and there, especially when nothing can run that normally should under these conditions.

This topic is now closed to further replies.