PCuser809,
Edit: Please go back to Post #32, and look at the bottom half where Tom982 posted instructions for you.
Since you can go to Safe Mode, restart and try going to Safe Mode with Networking and try downloading from there. Try changing the extension of SFCFix.exe to .scr, .com, .bat, or .cmd, if you need to, and then follow on with the rest.
Post back on how it goes.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Before plunging into a Repair install of Windows, let's see if we can get the SFCFix.zip provided by Tom982 to work in another way.
SFCFix.zip was uploaded here:
https://dl.dropboxusercontent.com/u/...809/SFCFix.zip
Please download the .zip file and save to your Desktop. Use Safe Mode with Networking if needed.
Create a folder by right-clicking on the Desktop, and selecting: New > Folder
Name the folder: SFCFix
Now, right-click on the downloaded .zip file, and select: Extract all...
Extract the downloaded file to the SFCFix folder on the Desktop.
Open the SFCFix folder on the Desktop, select the SFCFix text document, right-click it and select: Delete
We cannot use the text document because it needs the SFCFix.exe file to work, and you cannot run the .exe file.
The only content of the SFCFix folder is now: autochk.exe
Next, move the SFCFix folder to C:\, so now its path is C:\SFCFix\autochk.exe
Go to Start > All Programs > Accessories > Command Prompt
Right-click the Command Prompt and select: Run as Administrator
At the Command Prompt, copy/paste (with the mouse) the following text inside the code box, and then press: Enter
Code:
takeown /f C:\windows\system32\autochk.exe
Once again at the Command Prompt, copy/paste (with the mouse) the following text inside the code box, and then press: Enter
Code:
icacls C:\windows\system32\autochk.exe /grant administrators:F
Again at the Command Prompt, copy/paste (with the mouse) the following text inside the code box, and then press: Enter
Code:
copy C:\SFCFix\autochk.exe C:\windows\system32\autochk.exe
This should replace the autochk.exe file in C:\windows\system32\ with a known good copy.
Back at the Command Prompt, type in the following, and press: Enter
Code:
startsfc
When done, a file named sfcdetails.txt appears once again.
Please save the file to the Desktop as sfcdetails3.txt, and attach it to your reply.
By any chance, do you have the Windows 7 installation DVD?
Last edited by cottonball; 30 Jun 2013 at 11:14.
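The takeown / icacls / copy replacement described in the post above, as an added batch-script example that is not part of the original thread: it keeps a copy of the file being replaced, verifies the result byte for byte, and then returns the file to tighter permissions instead of leaving Administrators with full control. The backup path is a hypothetical name, and the final owner and ACL are an assumption about the Windows 7 defaults for System32 files.

```batch
@echo off
rem Added example, not from the thread. Run from an elevated Command Prompt.
setlocal
set "SRC=C:\SFCFix\autochk.exe"
set "DST=%SystemRoot%\System32\autochk.exe"
rem Hypothetical backup location for the file that is being replaced.
set "BAK=C:\SFCFix\autochk.exe.orig"

if not exist "%SRC%" (echo Replacement file not found: %SRC% & exit /b 1)

rem Print the hash of the replacement so it can be compared with a value
rem obtained from a trusted source before it is placed in System32.
certutil -hashfile "%SRC%" SHA256

rem Keep the file being replaced so it can be analysed later.
copy /b /y "%DST%" "%BAK%" >nul || (echo Backup failed & exit /b 1)

rem Same three steps as in the post, stopping at the first failure.
takeown /f "%DST%" >nul || (echo takeown failed & exit /b 1)
icacls "%DST%" /grant administrators:F >nul || (echo icacls grant failed & exit /b 1)
copy /b /y "%SRC%" "%DST%" >nul || (echo Copy failed & exit /b 1)

rem Byte-for-byte check that System32 now holds the known good copy.
fc /b "%SRC%" "%DST%" >nul || (echo Verification failed: files differ & exit /b 1)

rem Assumed Windows 7 default: owner TrustedInstaller, Administrators read/execute.
rem Change the owner first, while Administrators can still edit the ACL.
icacls "%DST%" /setowner "NT SERVICE\TrustedInstaller" >nul
icacls "%DST%" /grant:r administrators:RX >nul

echo autochk.exe replaced and verified. Original saved as %BAK%
endlocal
```

If the verification step fails, something changed the file between the copy and the check, which is worth reporting along with the saved original.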
As an alternative, and by-passing the SFC file replacement issue, we can come back to it later, and, for now, let's use HitmanPro.Kickstart to access your computer, scan it for malware, and remove any infection that may still be present and hindering our efforts.
Also, you may want to print these instructions, so they are available to follow.
Now, load a USB flash drive with HitmanPro.Kickstart as follows...
Note: the contents of the USB flash drive are erased during this process!
Use a clean (non-infected) computer, and download:
HitmanPro.Kickstart - Anti ransomware, politievirus, bundestrojaner, Reveton, BKA, GVU - SurfRight
Under Download (on the right) select the program applicable to the system: 64-bit
When HitmanPro opens, click the KickStart icon at the bottom of the screen.
>>Plug in the USB flash drive.
When the USB flash drive is detected, a selection screen is presented.
Select the USB flash drive from the choices, and press: Install Kickstart
A warning that all contents of the selected flash drive will be erased is presented.
Press: Yes
As the HitmanPro.Kickstart files are loaded, a progress indicator is shown on the screen.
Once the process is completed a screen is presented with the contents of HitmanPro.Kickstart
Remove the USB flash drive from the clean computer and press: Close
Now, with the problem computer shut down, plug the USB flash drive into a USB port, and turn on the power.
When the computer starts, press the key that brings up the Boot Menu. (On some machines it's F12, F10, or F2)
From there, select to boot from the USB drive. (It may say 'Removable Drive' in the options.)
Info: How to Remove Ransomware - Select Real Security
Once you select the USB flash drive to boot from, press: Enter
A KickStart prompt with USB boot options appears.
Select: 1 (Bypass the Master Boot Record (Default))
The system continues to boot from the hard drive and starts Windows.
If you get a message stating that Windows failed to start, etc., just select: Start Windows Normally
When Windows boots, you either get a logon screen, or the Desktop is started.
If you see a logon screen with your User name, logon with it.
In the next prompt that appears, to start the program without installing to the local hard disk, select the option to do a: One-time scan to check the computer.
To start scanning for malware press: Next
If malware is detected, the program shows what malware is present on the system using a red framed screen as shown below:
Select Next to quarantine the malware into a secure storage where it can no longer start.
At the next screen, activate the 30-day free license:
After successful activation (30 days), press: Next
A screen indicating that the malware was successfully disabled or removed is presented.
Press: Next
To obtain a report of the scan results, press: Save log
>>Save the Notepad log to the Desktop<<
It has a name such as: HitmanPro_xxxxxxxx_xxxx
Remove the USB drive, and press: Reboot
If no malware is found, press: Close
After HitmanPro.Kickstart is done, you should be back into normal Windows.
Please post the HitmanPro log in your reply. <<Important!
To remove any remnant malicious files...
Download RogueKiller:
Télécharger RogueKiller (Site Officiel)
When you get to the website, go to where it says:
(Download link) Lien de téléchargement:
Select the version that applies to your system: x64
Click the dark-blue button to download.
Save to the Desktop.
Close all windows and browsers.
Right-click and select: Run as Administrator
At the program console, wait for the prescan to finish. (Under Status, it says: Prescan finished.)
Press: SCAN
When done, a report opens on the Desktop: RKreport.txt
Please provide the RKreport.txt (Mode: Scan) in your reply.
Thanks!
Quote:
Since you can go to Safe Mode, restart and try going to Safe Mode with Networking and try downloading from there. Try changing the extension of SFCFix.exe to .scr, .com, .bat, or .cmd, if you need to, and then follow on with the rest.
Post back on how it goes.
I tried with all the different extensions, and it still doesn't work. A Command Prompt window pops up blank, remains several seconds, and then disappears.
Quote:
When done, a file named sfcdetails.txt appears once again.
Please save the file to the Desktop as sfcdetails3.txt, and attach it to your reply.
It all went well until this last step. Command Prompt says it can't find an internal or external file like that.
Quote:
By any chance, do you have the Windows 7 installation DVD?
No...Windows 7 came pre-installed in my PC.
Quote:
After HitmanPro.Kickstart is done, you should be back into normal Windows.
Please post the HitmanPro log in your reply. <<Important!
Ahhh....it went a little differently for me. It told me it had to restart to completely fix the viruses (it detected +600 threats), so I did. I didn't get the log, I'm sorry. If it helps at all, I ran it again and it detected no viruses! And I can open programs again! So that's that issue solved ^^ Thank you!
Quote:
Please provide the RKreport.txt (Mode: Scan) in your reply.
Here:
RogueKiller V8.6.2 _x64_ [Jul 2 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : hxxp://www.adlice.com/forum/
Website : hxxp://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Katheleen [Admin rights]
Mode : Remove -- Date : 07/04/2013 13:35:13
| ARK || FAK || MBR |
¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] rpcld.exe -- C:\ProgramData\Rpcnet\Bin\rpcld.exe [-] -> KILLED [TermProc]
¤¤¤ Registry Entries : 2 ¤¤¤
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
¤¤¤ Scheduled tasks : 0 ¤¤¤
¤¤¤ Startup Entries : 0 ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
¤¤¤ External Hives: ¤¤¤
¤¤¤ Infection : ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: WDC WD6400BPVT-60HXZT1 +++++
--- User ---
[MBR] c9080537c0bfd459d779a26834eb6cad
[BSP] e1ee19ab36242d613dab29c1e0a8c48c : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 595993 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1221003264 | Size: 14183 Mo
3 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 1250050048 | Size: 103 Mo
User != LL1 ... KO!
--- LL1 ---
[MBR] 138d77ff717f47a90e30dcd3f9bcdbfa
[BSP] 444ed84f80f4ed260af0872f6286ac7b : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 595993 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1221003264 | Size: 14183 Mo
3 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 1250050048 | Size: 103 Mo
User != LL2 ... KO!
--- LL2 ---
[MBR] c54a8e6965c6e368351ea61ace2b5b5c
[BSP] e1ee19ab36242d613dab29c1e0a8c48c : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 77824 Mo
1 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 159793152 | Size: 4000 Mo
2 - [ACTIVE] FAT16 (0x06) [VISIBLE] Offset (sectors): 167985152 | Size: 2000 Mo
3 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 172081152 | Size: 1000 Mo
+++++ PhysicalDrive1: WDC WD6400BPVT-60HXZT1 +++++
--- User ---
[MBR] 5737ffb1e23eb27842199219f8b3971d
[BSP] c3517f2556b8ade55200a6d38cae8e78 : MBR Code unknown
Partition table:
0 - [ACTIVE] FAT32 (0x0b) [VISIBLE] Offset (sectors): 63 | Size: 7828 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
Finished : << RKreport[0]_D_07042013_133513.txt >>
RKreport[0]_S_07042013_130007.txt
PCuser809,
Thanks for the feedback. Good news!!
Can you give us an update of any problems that remain?
Got to go outside and mow for a while, but will be back later...
Have a great 4th of July!!
PCuser809,
On sfc /scannow...
Do you wish to run the above to make sure there is no unresolved issue present with autochk.exe?
If so, to run the program again, open the Command Prompt, right-click and select: Run as Administrator
Type in the following:
Code:
startsfc
Press: Enter
When done, a file named sfcdetails.txt appears again.
Please save the file to the Desktop as sfcdetails3.txt and attach it to your reply.
Same thing happens as before. :/
Aaaaand, there's a little problem again. Today is about the second day I get to use that PC, and the programs wouldn't open...again. I ran Hitman Pro, and it solved the problem again, but I'm afraid that the fix is always temporary, and that the virus might get my personal info if I get too comfortable...What should I do?
PCuser809,
What comes to mind is a Restore Point re-infecting the computer.
Let's clear out Restore Points following these steps:
Click Start, right-click My Computer, and then click: Properties
Click: System Protection (on the left)
The System Properties screen opens showing the System Protection tab.
In the area labeled Protection Settings, for every drive that is labeled On, do the following:
-Select the drive by clicking on it
-Click Configure, for the System Protection for local disk... screen to show.
-Click Delete and then click continue in the box that appears.
-A message tells you all restore points were deleted.
Click Close.
Please run: aswMBR
http://public.avast.com/~gmerek/aswMBR.exe
Save it to the Desktop.
>>Make sure your AntiVirus is temporarily disabled!!<<
For information on how to disable protective programs, refer to this Info:
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - BleepingComputer.com
Right-click aswMBR and select: Run as Administrator
When prompted with: This Application can use the Avast! Free AntiVirus for scanning...etc.
Select: Yes
The last line of the run in progress will provide the status of the Avast! scan.
It will say: Downloading Avast! virus definitions database, etc.
When the Avast! scan is done, the last line changes to: Avast Engine definitions #####
At this point, click the Scan button on the lower left of the aswMBR screen.
The last line will now say "Scanning" while it is in progress.
Upon completion of the scan, click >Save log< and save it to the Desktop.
Note: Please do NOT attempt to fix anything!!
Exit the program.
Please post the aswMBR log in your reply.
Also, notice that another file is created on the Desktop.
It is named MBR.dat
Please submit MBR.dat for analysis to VirusTotal:
http://www.virustotal.com/
https://www.sevenforums.com/tutorials/277740-online-scanners-scan-suspicious-files-your-pc.html
If you get a message saying: 'File has already been analyzed', click: Reanalyze file
Once scanned, and you see the full results page on your screen, go up to the address bar at the top of the browser, and copy the http:\\etc. address there.
Then, provide the http:\\ address to the results page in your reply.
Run HitmanPro.Kickstart once again.
This time, obtain a report of the scan results (if anything is found), by pressing: Save log
>>Save the Notepad log to the Desktop<<
It has a name such as: HitmanPro_xxxxxxxx_xxxx
Immediately after, go to Start, right-click My Computer, and then click: Properties
Click: System Protection (on the left)
The System Properties screen opens showing the System Protection tab.
In the area labeled Protection Settings, for every drive that is labelled On, do the following:
-Select the drive by clicking on it
-Click: Create
-Give a name to the Restore Point identifying it as clean.
Close the message that shows when the Restore Point is created.
Please provide the MBR.dat http:\\ address to the results page in your reply.
Also provide the results of HitmanPro.KickStart, if any threats were found.
Last edited by cottonball; 10 Jul 2013 at 01:06.
@cottonball
AH, I forgot to check back to see your reply! I just ended up having someone reinstall Windows for me, and my PC works good as new, finally! (and this time, it is permanent) I'm so sorry for wasting your time with this :/ but at the same time, thank you so much for trying to help out! Keep being awesome!