How do I get rid of weird virus? (Programs won't open in Windows 7)


  1. Posts : 19
    Windows 7 Home Premium 64bit
    Thread Starter
       #41

    cottonball said:
    PCuser809,

    You are replying to Post #30.

    Please look at the bottom of Post #32!!
    No, the top is a reply to #30 but the second part is a reply to #32.
    I can see how it could be seen as otherwise, as I didn't label it. Sorry about that :)


  2. Posts : 2,470
    Windows 7 Home Premium
       #42

    PCuser809,

    Edit: Please go back to Post #32, and look at the bottom half where Tom982 posted instructions for you.

    Since you can go to Safe Mode, restart and try going to Safe Mode with Networking and try downloading from there. Try changing the extension of SFCFix.exe to .scr, .com, .bat, or .cmd, if you need to, and then follow on with the rest.

    Post back on how it goes.
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

    Before plunging into a Repair install of Windows, let's see if we can get the SFCFix.zip provided by Tom982 to work in another way.

    SFCFix.zip was uploaded here:
    https://dl.dropboxusercontent.com/u/...809/SFCFix.zip

    Please download the .zip file and save to your Desktop. Use Safe Mode with Networking if needed.
    Create a folder by right-clicking on the Desktop, and selecting: New > Folder
    Name the folder: SFCFix
    Now, right-click on the downloaded .zip file, and select: Extract all...
    Extract the downloaded file to the SFCFix folder on the Desktop.

    Open the SFCFix folder on the Desktop, select the SFCFix text document, right-click it and select: Delete
    We cannot use the text document because it needs the SFCFix.exe file to work, and you cannot run the .exe file.
    The only content of the SFCFix folder is now: autochk.exe

    Next, move the SFCFix folder to C:\, so now its path is C:\SFCFix\autochk.exe

    Go to Start > All Programs > Accessories > Command Prompt
    Right-click the Command Prompt and select: Run as Administrator

    At the Command Prompt, copy/paste (with the mouse) the following text inside the code box, and then press: Enter
    Code:
    takeown /f C:\windows\system32\autochk.exe
    Once again at the Command Prompt, copy/paste (with the mouse) the following text inside the code box, and then press: Enter
    Code:
    icacls C:\windows\system32\autochk.exe /grant administrators:F
    Again at the Command Prompt, copy/paste (with the mouse) the following text inside the code box, and then press: Enter
    Code:
    copy C:\SFCFix\autochk.exe C:\windows\system32\autochk.exe
    This should replace the autochk.exe file in C:\windows\system32\ with a known good copy.

    Back at the Command Prompt, type in the following, and press: Enter
    Code:
    startsfc
    When done, a file named sfcdetails.txt appears once again.
    Please save the file to the Desktop as sfcdetails3.txt, and attach it to your reply.


    By any chance, do you have the Windows 7 installation DVD?
    Last edited by cottonball; 30 Jun 2013 at 11:14.


  3. Posts : 2,470
    Windows 7 Home Premium
       #43

    As an alternative, and by-passing the SFC file replacement issue, we can come back to it later, and, for now, let's use HitmanPro.Kickstart to access your computer, scan it for malware, and remove any infection that may still be present and hindering our efforts.

    Also, you may want to print these instructions, so they are available to follow.


    Now, load a USB flash drive with HitmanPro.Kickstart as follows...
    Note: the contents of the USB flash drive are erased during this process!


    Use a clean (non-infected) computer, and download:
    HitmanPro.Kickstart - Anti ransomware, politievirus, bundestrojaner, Reveton, BKA, GVU - SurfRight


    Under Download (on the right) select the program applicable to the system: 64-bit

    When HitmanPro opens, click the KickStart icon at the bottom of the screen.

    >>Plug in the USB flash drive.

    When the USB flash drive is detected, a selection screen is presented.
    Select the USB flash drive from the choices, and press: Install Kickstart
    A warning that all contents of the selected flash drive will be erased is presented.
    Press: Yes

    As the HitmanPro.Kickstart files are loaded, a progress indicator is shown on the screen.
    Once the process is completed a screen is presented with the contents of HitmanPro.Kickstart

    Remove the USB flash drive from the clean computer and press: Close


    Now, with the problem computer shut down, plug the USB flash drive into a USB port, and turn on the power.

    When the computer starts, press the key that brings up the Boot Menu. (On some machines it's F12, F10, or F2)

    From there, select to boot from the USB drive. (It may say 'Removable Drive' in the options.)
    Info: How to Remove Ransomware - Select Real Security


    Once you select the USB flash drive to boot from, press: Enter


    A KickStart prompt with USB boot options appears.
    Select: 1 (Bypass the Master Boot Record (Default))

    The system continues to boot from the hard drive and starts Windows.

    If you get a message stating that Windows failed to start, etc., just select: Start Windows Normally

    When Windows boots, you either get a logon screen, or the Desktop is started.
    If you see a logon screen with your User name, logon with it.


    In the next prompt that appears, to start the program without installing to the local hard disk, select the option to do a: One-time scan to check the computer.

    To start scanning for malware press: Next


    If malware is detected, the program shows what malware is present on the system using a red framed screen as shown below:


    Select Next to quarantine the malware into a secure storage where it can no longer start.


    At the next screen, activate the 30-day free license:

    After successful activation (30 days), press: Next

    A screen indicating that the malware was successfully disabled or removed is presented.
    Press: Next

    To obtain a report of the scan results, press: Save log
    >>Save the Notepad log to the Desktop<<
    It has a name such as: HitmanPro_xxxxxxxx_xxxx


    Remove the USB drive, and press: Reboot
    If no malware is found, press: Close

    After HitmanPro.Kickstart is done, you should be back into normal Windows.

    Please post the HitmanPro log in your reply. <<Important!



    To remove any remnant malicious files...

    Download RogueKiller:
    Télécharger RogueKiller (Site Officiel)

    When you get to the website, go to where it says:
    (Download link) Lien de téléchargement:

    Select the version that applies to your system: x64
    Click the dark-blue button to download.
    Save to the Desktop.

    Close all windows and browsers.

    Right-click and select: Run as Administrator

    At the program console, wait for the prescan to finish. (Under Status, it says: Prescan finished.)

    Press: SCAN

    When done, a report opens on the Desktop: RKreport.txt

    Please provide the RKreport.txt (Mode: Scan) in your reply.


    Thanks!


  4. Posts : 19
    Windows 7 Home Premium 64bit
    Thread Starter
       #44

    Since you can go to Safe Mode, restart and try going to Safe Mode with Networking and try downloading from there. Try changing the extension of SFCFix.exe to .scr, .com, .bat, or .cmd, if you need to, and then follow on with the rest.

    Post back on how it goes.
    I tried with all the different extensions, and it still doesn't work. A Command Prompt window pops up blank, remains several seconds, and then disappears.

    When done, a file named sfcdetails.txt appears once again.
    Please save the file to the Desktop as sfcdetails3.txt, and attach it to your reply.
    It all went well until this last step. Command Prompt says it can't find an internal or external file like that.

    By any chance, do you have the Windows 7 installation DVD?
    No...Windows 7 came pre-installed in my PC.

    After HitmanPro.Kickstart is done, you should be back into normal Windows.

    Please post the HitmanPro log in your reply. <<Important!
    Ahhh....it went a little differently for me. It told me it had to restart to completely fix the viruses (it detected +600 threats), so I did. I didn't get the log, I'm sorry. If it helps at all, I ran it again and it detected no viruses! And I can open programs again! So that's that issue solved ^^ Thank you!

    Please provide the RKreport.txt (Mode: Scan) in your reply.
    Here:
    RogueKiller V8.6.2 _x64_ [Jul 2 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : hxxp://www.adlice.com/forum/
    Website : hxxp://www.adlice.com/softwares/roguekiller/
    Blog : http://tigzyrk.blogspot.com/
    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Katheleen [Admin rights]
    Mode : Remove -- Date : 07/04/2013 13:35:13
    | ARK || FAK || MBR |
    ¤¤¤ Bad processes : 1 ¤¤¤
    [SUSP PATH] rpcld.exe -- C:\ProgramData\Rpcnet\Bin\rpcld.exe [-] -> KILLED [TermProc]
    ¤¤¤ Registry Entries : 2 ¤¤¤
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
    ¤¤¤ Scheduled tasks : 0 ¤¤¤
    ¤¤¤ Startup Entries : 0 ¤¤¤
    ¤¤¤ Web browsers : 0 ¤¤¤
    ¤¤¤ Particular Files / Folders: ¤¤¤
    ¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
    ¤¤¤ External Hives: ¤¤¤
    ¤¤¤ Infection : ¤¤¤
    ¤¤¤ HOSTS File: ¤¤¤
    --> %SystemRoot%\System32\drivers\etc\hosts


    ¤¤¤ MBR Check: ¤¤¤
    +++++ PhysicalDrive0: WDC WD6400BPVT-60HXZT1 +++++
    --- User ---
    [MBR] c9080537c0bfd459d779a26834eb6cad
    [BSP] e1ee19ab36242d613dab29c1e0a8c48c : Windows 7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 595993 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1221003264 | Size: 14183 Mo
    3 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 1250050048 | Size: 103 Mo
    User != LL1 ... KO!
    --- LL1 ---
    [MBR] 138d77ff717f47a90e30dcd3f9bcdbfa
    [BSP] 444ed84f80f4ed260af0872f6286ac7b : Windows Vista/7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 595993 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1221003264 | Size: 14183 Mo
    3 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 1250050048 | Size: 103 Mo
    User != LL2 ... KO!
    --- LL2 ---
    [MBR] c54a8e6965c6e368351ea61ace2b5b5c
    [BSP] e1ee19ab36242d613dab29c1e0a8c48c : Windows 7/8 MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 77824 Mo
    1 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 159793152 | Size: 4000 Mo
    2 - [ACTIVE] FAT16 (0x06) [VISIBLE] Offset (sectors): 167985152 | Size: 2000 Mo
    3 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 172081152 | Size: 1000 Mo
    +++++ PhysicalDrive1: WDC WD6400BPVT-60HXZT1 +++++
    --- User ---
    [MBR] 5737ffb1e23eb27842199219f8b3971d
    [BSP] c3517f2556b8ade55200a6d38cae8e78 : MBR Code unknown
    Partition table:
    0 - [ACTIVE] FAT32 (0x0b) [VISIBLE] Offset (sectors): 63 | Size: 7828 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!
    Finished : << RKreport[0]_D_07042013_133513.txt >>
    RKreport[0]_S_07042013_130007.txt
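A triage helper for the MBR Check section of the RogueKiller report posted in #44, added here as an example and not part of the original thread or of RogueKiller itself: it collects the [MBR] and [BSP] hashes for each read (User, LL1, LL2) and lists every drive where the report prints a KO verdict or a read error. The function names, the "unreadable" status label and the tuple layout are this example's own.

```python
import re

# Sample input: MBR Check lines copied from the report above (partition tables omitted).
SAMPLE = """\
+++++ PhysicalDrive0: WDC WD6400BPVT-60HXZT1 +++++
--- User ---
[MBR] c9080537c0bfd459d779a26834eb6cad
[BSP] e1ee19ab36242d613dab29c1e0a8c48c : Windows 7/8 MBR Code
User != LL1 ... KO!
--- LL1 ---
[MBR] 138d77ff717f47a90e30dcd3f9bcdbfa
[BSP] 444ed84f80f4ed260af0872f6286ac7b : Windows Vista/7/8 MBR Code
User != LL2 ... KO!
--- LL2 ---
[MBR] c54a8e6965c6e368351ea61ace2b5b5c
[BSP] e1ee19ab36242d613dab29c1e0a8c48c : Windows 7/8 MBR Code
+++++ PhysicalDrive1: WDC WD6400BPVT-60HXZT1 +++++
User = LL1 ... OK!
Error reading LL2 MBR!
"""

DRIVE = re.compile(r"^\+{5} (PhysicalDrive\d+): .* \+{5}$")
VIEW = re.compile(r"^--- (\w+) ---$")
HASH = re.compile(r"^\[(MBR|BSP)\] ([0-9a-f]{32})\b")
VERDICT = re.compile(r"^User !?= (LL\d) \.\.\. (OK|KO)!$")
ERROR = re.compile(r"^Error reading (LL\d) MBR!$")

def parse_mbr_check(text):
    drives, drive, view = {}, None, None  # drives: {name: {"views": ..., "status": ...}}
    for line in map(str.strip, text.splitlines()):
        if m := DRIVE.match(line):
            drive, view = drives.setdefault(m.group(1), {"views": {}, "status": {}}), None
        elif drive is None:
            continue  # report lines before the first drive header
        elif m := VIEW.match(line):
            view = drive["views"].setdefault(m.group(1), {})
        elif (m := HASH.match(line)) and view is not None:
            view[m.group(1)] = m.group(2)
        elif m := VERDICT.match(line):
            drive["status"][m.group(1)] = m.group(2)
        elif m := ERROR.match(line):
            drive["status"][m.group(1)] = "unreadable"
    return drives

def triage(drives):
    """List (drive, view, status, same_bsp) for every view whose status is not OK."""
    findings = []
    for name, d in drives.items():
        user_bsp = d["views"].get("User", {}).get("BSP")
        for ll, status in sorted(d["status"].items()):
            if status != "OK":
                same = user_bsp == d["views"].get(ll, {}).get("BSP") if status == "KO" else None
                findings.append((name, ll, status, same))
    return findings
```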


  5. Posts : 2,470
    Windows 7 Home Premium
       #45

    PCuser809,

    Thanks for the feedback. Good news!!

    Can you give us an update of any problems that remain?

    Got to go outside and mow for a while, but will be back later...

    Have a great 4th of July!!


  6. Posts : 19
    Windows 7 Home Premium 64bit
    Thread Starter
       #46

    cottonball said:
    PCuser809,

    Thanks for the feedback. Good news!!

    Can you give us an update of any problems that remain?

    Got to go outside and mow for a while, but will be back later...

    Have a great 4th of July!!
    No, THANK YOU!! Like, so much! I was almost ready to give up on this computer ;-;

    Sure thing!

    Happy 4th of July to you too!


  7. Posts : 2,470
    Windows 7 Home Premium
       #47

    PCuser809,

    On sfc /scannow...

    Do you wish to run the above to make sure there is no unresolved issue present with autochk.exe?

    If so, to run the program again, open the Command Prompt, right-click and select: Run as Administrator

    Type in the following:
    Code:
    startsfc
    Press: Enter

    When done, a file named sfcdetails.txt appears again.

    Please save the file to the Desktop as sfcdetails3.txt and attach it to your reply.


  8. Posts : 19
    Windows 7 Home Premium 64bit
    Thread Starter
       #48

    cottonball said:
    PCuser809,

    When done, a file named sfcdetails.txt appears again.

    Please save the file to the Desktop as sfcdetails3.txt and attach it to your reply.
    Same thing happens as before. :/

    Aaaaand, there's a little problem again. Today is about the second day I get to use that PC, and the programs wouldn't open...again. I ran Hitman Pro, and it solved the problem again, but I'm afraid that the fix is always temporary, and that the virus might get my personal info if I get too comfortable...What should I do?


  9. Posts : 2,470
    Windows 7 Home Premium
       #49

    PCuser809,

    What comes to mind is a Restore Point re-infecting the computer.

    Let's clear out Restore Points following these steps:

    Click Start, right-click My Computer, and then click: Properties
    Click: System Protection (on the left)

    The System Properties screen opens showing the System Protection tab.
    In the area labeled Protection Settings, for every drive that is labeled On, do the following:
    -Select the drive by clicking on it
    -Click Configure, for the System Protection for local disk... screen to show.
    -Click Delete and then click continue in the box that appears.
    -A message tells you all restore points were deleted.
    Click Close.


    Please run: aswMBR
    http://public.avast.com/~gmerek/aswMBR.exe
    Save it to the Desktop.

    >>Make sure your AntiVirus is temporarily disabled!!<<

    For information on how to disable protective programs, refer to this Info:
    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - BleepingComputer.com

    Right-click aswMBR and select: Run as Administrator

    When prompted with: This Application can use the Avast! Free AntiVirus for scanning...etc.
    Select: Yes

    The last line of the run in progress will provide the status of the Avast! scan.
    It will say: Downloading Avast! virus definitions database, etc.

    When the Avast! scan is done, the last line changes to: Avast Engine definitions #####

    At this point, click the Scan button on the lower left of the aswMBR screen.
    The last line will now say "Scanning" while it is in progress.

    Upon completion of the scan, click >Save log< and save it to the Desktop.
    Note: Please do NOT attempt to fix anything!!
    Exit the program.

    Please post the aswMBR log in your reply.


    Also, notice that another file is created on the Desktop.
    It is named MBR.dat

    Please submit MBR.dat for analysis to VirusTotal:
    http://www.virustotal.com/
    https://www.sevenforums.com/tutorials/277740-online-scanners-scan-suspicious-files-your-pc.html

    If you get a message saying: 'File has already been analyzed', click: Reanalyze file

    Once scanned, and you see the full results page on your screen, go up to the address bar at the top of the browser, and copy the http://etc. address there.

    Then, provide the http:// address to the results page in your reply.


    Run HitmanPro.Kickstart once again.

    This time, obtain a report of the scan results (if anything is found), by pressing: Save log
    >>Save the Notepad log to the Desktop<<
    It has a name such as: HitmanPro_xxxxxxxx_xxxx


    Immediately after, go to Start, right-click My Computer, and then click: Properties
    Click: System Protection (on the left)

    The System Properties screen opens showing the System Protection tab.
    In the area labeled Protection Settings, for every drive that is labelled On, do the following:
    -Select the drive by clicking on it
    -Click: Create
    -Give a name to the Restore Point identifying it as clean.
    Close the message that shows when the Restore Point is created.


    Please provide the MBR.dat http:// address to the results page in your reply.
    Also provide the results of HitmanPro.KickStart, if any threats were found.
    Last edited by cottonball; 10 Jul 2013 at 01:06.


  10. Posts : 19
    Windows 7 Home Premium 64bit
    Thread Starter
       #50

    @cottonball

    AH, I forgot to check back to see your reply! I just ended up having someone reinstall Windows for me, and my PC works good as new, finally! (and this time, it is permanent) I'm so sorry for wasting your time with this :/ but at the same time, thank you so much for trying to help out! Keep being awesome!


 