Solved Corrupt Files in ProgramData/Microsoft/Network

[Abdsalamah]

Hello There. I'm Just Registered For This... PLEASE READ CAREFULLY
My thing is..
Today. I turned on my pc.. everything went ok. after booting. and playing some games. a message appears down in the taskbar. that says error in system,corrupt files in C:\ProgramData/Microsoft/Network.. and everything gone was in my start menu. system tools etc. (my windows language isn't English, It's Arabic)
My problem isn't this. The problem. I can't install any program download from the internet. also i tried CHKDSK. but it says CHKDSK can't start due to installed packages or programs recently. and can this corrupt my files in the another Drivers like D: or E:.
Please Help me !! because there is so much important and personal files in the another driver and i Won't make them corrupt.
Best Regards
-Abd Salamah

 

[torchwood]

Hi Abd,
I dont see an Anti-virus in your system specs >> YOU NEED ONE.
I suspect you have picked up some malware.
Plrease run Malwarbytes (free), untick the trial, and then in the settings dashboard check the rootkit option.
Then run ESET on-line, dissable any other AV you might have.

After running the above also run from an elevated command mode
sfc /scannow
then
ipconfig /flushdns

Reboot, try a download

Roy

 

[Abdsalamah]

Hi Abd,
I dont see an Anti-virus in your system specs >> YOU NEED ONE.
I suspect you have picked up some malware.
Plrease run Malwarbytes (free), untick the trial, and then in the settings dashboard check the rootkit option.
Then run ESET on-line, dissable any other AV you might have.

After running the above also run from an elevated command mode
sfc /scannow
then
ipconfig /flushdns

Reboot, try a download

Roy

hello. i didn't put my anti-virus program in my specs because it won't run .. and it's turned off. i can't install it again. and it's corrupt as well. and sfc /scannow stuck at 14% and says windows resource could not perform the requested operation and i runned ipconfig /flushdns and it says Windows IP Configration Succesfully flushed the DNS Resolver Cache.. what i will do now ?

 

[torchwood]

Hi Abd,
what AV was it?
Please still run Malwarebytes and ESET.

Roy

 

[Abdsalamah]

Hi Abd,
what AV was it?
Please still run Malwarebytes and ESET.

Roy

Well. I installed MalwareBytes. I'm wondering how it installed. Whatever
It found one virus on KMService.exe
Everything in the pc is ok. but start menu programs gone (and i mean they are GONE)
i need system restore. but it seems to be removed from System32..
what's the solve ? Help me as you can !!!

 

[torchwood]

Hi Adb,
please answer my questions it will help.
Old AV please, what did ESET find.
post a copy of the malwareytes log and the one from ESET.

Roy

 

[Abdsalamah]

oh sorry i forgot. It's Avast! Free antivirus. here is the ESET LOG. 32 virus. all of them are trojan horse
----------------------------------------------------------------------------------------------------------------
<?xml version="1.0" encoding="utf-8" ?>
- <ESET>
- <LOG>
- <RECORD>
<COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\1--3.lnk.vir - LNK/Agent.AK حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
</RECORD>
- <RECORD>
<COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\1--3.xls.lnk.vir - LNK/Agent.AO حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
</RECORD>
- <RECORD>
<COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\2016علوم-الفصل-الثاني.docx.lnk.vir - LNK/Agent.AO حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
</RECORD>
- <RECORD>
<COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\2016علوم-الفصل-الثاني.lnk.vir - LNK/Agent.AK حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
</RECORD>
- <RECORD>
<COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\Autorun.inf.lnk.vir - LNK/Agent.AO حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
</RECORD>
- <RECORD>
<COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\kk1.vbs__.vbs.lnk.vir - LNK/Agent.AO حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
</RECORD>
- <RECORD>
<COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\oEthHdQfxJBasYQ.lnk.vir - LNK/Agent.AK حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
</RECORD>
- <RECORD>
<COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\System_Volume_Information.lnk.vir - LNK/Agent.AO حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
</RECORD>
- <RECORD>
<COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\جداول كاملة 2016.lnk.vir - LNK/Agent.AK حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
</RECORD>
- <RECORD>
<COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\جداول ف222 - 2016.lnk.vir - LNK/Agent.AK حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
</RECORD>
- <RECORD>
<COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\جداول__ف2_-2015-2016__كامل.lnk.vir - LNK/Agent.AO حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
</RECORD>
- <RECORD>
<COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\جداول__كاملة_2016.lnk.vir - LNK/Agent.AK حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
</RECORD>
- <RECORD>
<COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\جداول_ف222__-_2016.lnk.vir - LNK/Agent.AO حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
</RECORD>
- <RECORD>
<COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\جدول_اول_ج2016_جديد222.lnk.vir - LNK/Agent.AK حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
</RECORD>
- <RECORD>
<COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\جدول_اول_ج2016_جديد222.xls.lnk.vir - LNK/Agent.AO حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
</RECORD>
- <RECORD>
<COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\جدول_فارغ_الكامل.lnk.vir - LNK/Agent.AK حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
</RECORD>
- <RECORD>
<COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\جدول_فارغ_الكامل.xls.lnk.vir - LNK/Agent.AO حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
</RECORD>
- <RECORD>
<COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\جدول_نموذج_عزمي.lnk.vir - LNK/Agent.AK حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
</RECORD>
- <RECORD>
<COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\جدول_نموذج_عزمي.xls.lnk.vir - LNK/Agent.AO حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
</RECORD>
- <RECORD>
<COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\خطة_فصلية_رياضيات_ثاني_أ.docx.lnk.vir - LNK/Agent.AO حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
</RECORD>
- <RECORD>
<COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\خطة_فصلية_رياضيات_ثاني_أ.lnk.vir - LNK/Agent.AK حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
</RECORD>
- <RECORD>
<COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\ملفات_مدرسية.lnk.vir - LNK/Agent.AK حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
</RECORD>
- <RECORD>
<COLUMN NAME="السجل">C:\UsbFix\Quarantine\UpMalware\1--3.xls.lnk - LNK/Agent.AO حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
</RECORD>
- <RECORD>
<COLUMN NAME="السجل">C:\UsbFix\Quarantine\UpMalware\2016علوم-الفصل-الثاني.docx.lnk - LNK/Agent.AO حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
</RECORD>
- <RECORD>
<COLUMN NAME="السجل">C:\UsbFix\Quarantine\UpMalware\Autorun.inf.lnk - LNK/Agent.AO حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
</RECORD>
- <RECORD>
<COLUMN NAME="السجل">C:\UsbFix\Quarantine\UpMalware\System_Volume_Information.lnk - LNK/Agent.AO حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
</RECORD>
- <RECORD>
<COLUMN NAME="السجل">C:\UsbFix\Quarantine\UpMalware\جداول__ف2_-2015-2016__كامل.lnk - LNK/Agent.AO حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
</RECORD>
- <RECORD>
<COLUMN NAME="السجل">C:\UsbFix\Quarantine\UpMalware\جداول_ف222__-_2016.lnk - LNK/Agent.AO حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
</RECORD>
- <RECORD>
<COLUMN NAME="السجل">C:\UsbFix\Quarantine\UpMalware\جدول_اول_ج2016_جديد222.xls.lnk - LNK/Agent.AO حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
</RECORD>
- <RECORD>
<COLUMN NAME="السجل">C:\UsbFix\Quarantine\UpMalware\جدول_فارغ_الكامل.xls.lnk - LNK/Agent.AO حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
</RECORD>
- <RECORD>
<COLUMN NAME="السجل">C:\UsbFix\Quarantine\UpMalware\جدول_نموذج_عزمي.xls.lnk - LNK/Agent.AO حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
</RECORD>
- <RECORD>
<COLUMN NAME="السجل">C:\UsbFix\Quarantine\UpMalware\خطة_فصلية_رياضيات_ثاني_أ.docx.lnk - LNK/Agent.AO حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
</RECORD>
</LOG>
</ESET>
---------------------------------------------------------------------------------------------------------
حصان طروادة means trojan horse
السجل means log
تم تنظيفه وحذفه means cleaned and removed

 

[Abdsalamah]

Here is The MalwareBytes Log
-------------------------------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-16" ?>
- <mbam-log>
- <header>
<date>2016/07/04 21:49:24 +0300</date>
<logfile>mbam-log-٢٠١٦-٠٧-٠٤ (٢١-٤٧-٣١).xml</logfile>
<isadmin>yes</isadmin>
</header>
- <engine>
<version>2.2.1.1043</version>
<malware-database>v2016.07.04.07</malware-database>
<rootkit-database>v2016.05.27.01</rootkit-database>
<license>trial</license>
<file-protection>enabled</file-protection>
<web-protection>enabled</web-protection>
<self-protection>disabled</self-protection>
</engine>
- <system>
<hostname>ABDSALAMAH-PC</hostname>
<ip>192.168.1.100</ip>
<osversion>Windows 7</osversion>
<arch>x86</arch>
<username>AbdSalamah</username>
<filesys>NTFS</filesys>
</system>
- <summary>
<type>threat</type>
<result>completed</result>
<objects>249857</objects>
<time>334</time>
<processes>0</processes>
<modules>0</modules>
<keys>0</keys>
<values>0</values>
<datas>0</datas>
<folders>0</folders>
<files>1</files>
<sectors>0</sectors>
</summary>
- <options>
<memory>enabled</memory>
<startup>enabled</startup>
<filesystem>enabled</filesystem>
<archives>enabled</archives>
<rootkits>disabled</rootkits>
<deeprootkit>disabled</deeprootkit>
<heuristics>enabled</heuristics>
<pup>enabled</pup>
<pum>enabled</pum>
</options>
- <items>
- <file>
<path>C:\Windows\KMService.exe</path>
<vendor>RiskWare.Tool.CK</vendor> <----------------- this is the virus
<action>success</action>
<hash>1aedab75ecae0531f50da0696f934db3</hash>
</file>
</items>
</mbam-log>
-------------------------------------------------------------------------------------------------

 

[Abdsalamah]

Look at the start menu.. It's almost empty. there is nothing. only my games.. also there is no paint.exe and no system restore. all of them are gone

 

[torchwood]

Hi Abd,
lookin at those logs.
RE-run malwarebytes, in the settings dashboard enable Rootkits, it was off last time.
Set it to auto quarentine.
There appear to be 2 infections, not 1.

Those shortcuts to your programes in the start menu,system restore and paint WERE ALL INFECTED, (anything with ".ink" = shortcut).
They have now been removed by ESET.

Did you only select them to run against the C drive?, if yes you need to select D and E as well.

It would appear that the infections came via an infected USB! device, throw it away

When we have cleared the malware.
We can get back to resetting your comp
(unistall/re-install Avast -- reset IP again -- system repair -- sfc scannow)

Roy

 

[Abdsalamah]

1. Installed Avast Again. Successfully installed
2. Reseted
3. well... system repair caused this problem.. when my pc wasn't booting up.. i went to system repair. i did it. after booting. all problems happend.. this is why i created this thread :shock:
4. sfc scannow get stuck at 14% and says windows resource protection could not perform the requested operation.
my PC is in good condition now.. the problems are just the start menu items gone. and the message appearing down in the taskbar. It's about unreadable and corrupted file in C:\ProgramData.

 

[Abdsalamah]

Here is a picture about the message.. look down at the corner at the left
the translate:
mxup.exe - error in system
(corrupted file) file or registry C:/ProgramData/Microsoft/Network corrupted and unreadable. Please run the helping tool CHKDSK.
(The translate is not 100% but this is what i can)

 

[AddRAM]

So why is it that you can`t do a system restore ? Either from windows or by doing it from the install disc ?

Option 2 step 6

http://www.sevenforums.com/tutorials/668-system-recovery-options.html

You`ve obviously downloaded some garbage which caused the problem