Likely infected > unable to open or use any applications

bonoz

Hi all - I am having some major issues with my PC and I think I may be infected.

Problem: Two days ago, suddenly all my programs crashed and Windows took me straight to the desktop. Then I was unable to open any programs (such as Chrome, IE, Firefox, Spotify, Far Cry, etc.), but I was able to open Word and Outlook.

I then get the errors below every other minute, without doing anything. I also noticed that my 'Control Panel' shows 'empty' (see pictures).

When I try to restart the computer, I am greeted with the first image below every time on start up. And then I get other errors similar to that showing up every other minute or so.
When I try to restart the computer in SAFEMODE, my taskbar or desktop does not appear, just a black screen with a mouse pointer.
I somehow managed to start the computer in SAFEMODE w/ Command Prompt. This allowed me to run the Kaspersky virus removal tool, which managed to remove about 22 threats. But the problem persists. I also ran the Microsoft anti-virus software, which found nothing on a full scan.
I also somehow managed to run Trend Micro HijackThis (see below).

So the current problems are: every time I boot, I am presented with the error messages below upon log-on. I am also unable to launch any applications such as Chrome, Firefox, IE, Spotify, any video games, or any of the antivirus programs. This makes things difficult, as I cannot run any anti-virus stuff without going to SAFEMODE WITH COMMAND PROMPT and trying to run it from the prompt.

Please help. I use my PC for everything so this is obviously causing me a lot of stress. Thanks very much.

Specs:
Windows 7 x64
Thinkpad X220 laptop
12 GB ram
128 GB SSD hard drive
Intel CPU (don’t remember which one)
I’m a fairly typical user: word processing, internet, some graphic design, some gaming, some mathematical analysis.

HijackThis log:

Code:
Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 9:48:53 AM, on 12/4/2014
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v11.0 (11.00.9600.17420)
 
FIREFOX: 32.0.1 (x86 en-US)
Boot mode: Safe mode
 
Running processes:
F:\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?LinkId=255141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O1 - Hosts: 195.162.68.60 www.google-analytics.com.
O1 - Hosts: 195.162.68.60 google-analytics.com.
O1 - Hosts: 195.162.68.60 connect.facebook.net.
O1 - Hosts: 192.95.55.228 www.google-analytics.com.
O1 - Hosts: 192.95.55.228 google-analytics.com.
O1 - Hosts: 192.95.55.228 connect.facebook.net.
O1 - Hosts: 192.99.206.114 www.google-analytics.com.
O1 - Hosts: 192.99.206.114 google-analytics.com.
O1 - Hosts: 192.99.206.114 connect.facebook.net.
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Lync Click to Call BHO - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\OCHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
O2 - BHO: Logitech SetPoint - {AF949550-9094-4807-95EC-D1C317803333} - C:\Program Files\Logitech\SetPointP\32-bit\SetPointSmooth.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\URLREDIR.DLL
O2 - BHO: Microsoft SkyDrive Pro Browser Helper - {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\GROOVEEX.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [RotateImage] C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [BrowserPlugInHelper] C:\Program Files (x86)\Wondershare\Video Converter Ultimate\BrowserPlugInHelper.exe
O4 - HKLM\..\Run: [Syncios device service] C:\Program Files (x86)\Syncios\SynciosDeviceService.exe
O4 - HKLM\..\Run: [PWMTRV] rundll32 "C:\Program Files (x86)\ThinkPad\Utilities\PWMTR64V.DLL",PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [C:\Program Files (x86)\Shutter\Shutter.exe] C:\Program Files (x86)\Shutter\Shutter.exe
O4 - HKLM\..\Run: [TSMResident] "C:\Program Files (x86)\ThinkPad\Tablet Shortcut\TSMRESIDENT.EXE" /r
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: Lights-Out Client.lnk = C:\Program Files\Windows Server\Bin\LightsOutClientGui.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\ONBttnIE.dll
O9 - Extra button: Lync Click to Call - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\OCHelper.dll
O9 - Extra 'Tools' menuitem: Lync Click to Call - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\OCHelper.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\ONBttnIELinkedNotes.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{104BF5F1-4EE4-408F-98FA-E1EC46E52D3A}: NameServer = 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{7980EDBB-5526-4983-AF96-936F7AC77B4D}: NameServer = 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D05486C-1F75-4D1A-8DEA-4B46A06710F8}: NameServer = 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1BB2938-61B5-447D-A1DA-09A1EAB4CD29}: NameServer = 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5A407C7-6E26-4CFB-93C6-B2E407785A26}: NameServer = 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD102EFB-86FC-4C19-BF94-5D2D8536F565}: NameServer = 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2024E1F-B7CD-46F2-96C1-F9E72293ED7A}: NameServer = 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{104BF5F1-4EE4-408F-98FA-E1EC46E52D3A}: NameServer = 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
O17 - HKLM\System\CS2\Services\Tcpip\..\{104BF5F1-4EE4-408F-98FA-E1EC46E52D3A}: NameServer = 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
O18 - Protocol: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\MSOSB.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Unknown owner - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: ASR Service (ASRSVC) - Lenovo Group Limited - C:\Program Files (x86)\ThinkPad\Tablet Shortcut\ASR\ASRSVC.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: @C:\Program Files (x86)\Google\Chrome Remote Desktop\39.0.2171.46\remoting_core.dll,-101 (chromoting) - Google Inc. - C:\Program Files (x86)\Google\Chrome Remote Desktop\39.0.2171.46\remoting_host.exe
O23 - Service: Intel(R) Content Protection HECI Service (cphs) - Intel Corporation - C:\Windows\SysWow64\IntelCpHeciSvc.exe
O23 - Service: @C:\Windows\system32\CxAudMsg64.exe,-100 (CxAudMsg) - Unknown owner - C:\Windows\system32\CxAudMsg64.exe (file missing)
O23 - Service: Lenovo Doze Mode Service (DozeSvc) - Lenovo. - C:\Program Files (x86)\ThinkPad\Utilities\DZSVC64.EXE
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Lenovo PM Service (IBMPMSVC) - Unknown owner - C:\Windows\system32\ibmpmsvc.exe (file missing)
O23 - Service: Intel(R) Integrated Clock Controller Service - Intel(R) ICCS (ICCS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe
O23 - Service: @%SystemRoot%\system32\ieetwcollectorres.dll,-1000 (IEEtwCollectorService) - Unknown owner - C:\Windows\system32\IEEtwCollector.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) Identity Protection Technology Host Interface Service (jhi_service) - Intel Corporation - C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
O23 - Service: Lenovo Camera Mute (LENOVO.CAMMUTE) - Lenovo Group Limited - C:\Program Files\Lenovo\Communications Utility\CAMMUTE.exe
O23 - Service: Lenovo Microphone Mute (LENOVO.MICMUTE) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe
O23 - Service: Lenovo Keyboard Noise Reduction (LENOVO.TPKNRSVC) - Lenovo Group Limited - C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe
O23 - Service: Lenovo Auto Scroll (Lenovo.VIRTSCRLSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe
O23 - Service: Intel(R) Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
O23 - Service: Lights-Out Client Service (LoClntService) - AxoNet Software GmbH - C:\Program Files\Windows Server\bin\LightsOutClientService.exe
O23 - Service: LSCWinService - Unknown owner - C:\Program Files\Lenovo\Lenovo Solution Center\App\LSCWinService.exe
O23 - Service: lxeeCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\x64\3\\lxeeserv.exe
O23 - Service: lxee_device - - C:\Windows\system32\lxeecoms.exe
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: moodleApache - Unknown owner - C:\BitNami\MOODLE~1.1-0\apache2\bin\httpd.exe (file missing)
O23 - Service: moodleMySQL - Unknown owner - C:\BitNami\moodle-2.6.1-0\mysql\bin\mysqld.exe (file missing)
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NIHardwareService - Native Instruments GmbH - C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe
O23 - Service: Nalpeiron Licensing Service (nlsX86cc) - Nalpeiron Ltd. - C:\Windows\SysWOW64\NLSSRV32.EXE
O23 - Service: Power Manager Service (Power Manager DBC Service) - Lenovo - C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Cisco EnergyWise Enabler (PwmEWSvc) - Lenovo Group Limited - C:\Program Files (x86)\ThinkPad\Utilities\PWMEWSVC.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Conexant SmartAudio service (SAService) - Conexant Systems, Inc. - C:\Windows\system32\SAsrv.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Screen Reading Optimizer Service Program (SROSVC) - Lenovo Group Limited - C:\Program Files (x86)\Lenovo\Screen Reading Optimizer\SROSVC.exe
O23 - Service: System Update (SUService) - Unknown owner - C:\Program Files (x86)\Lenovo\System Update\SUService.exe
O23 - Service: TabletServiceISD - Wacom Technology, Corp. - C:\Program Files\Tablet\ISD\ISD_Tablet.exe
O23 - Service: TABLET Service (TabletSVC) - Lenovo Group Limited - C:\Program Files (x86)\ThinkPad\Tablet Shortcut\TSMService.exe
O23 - Service: TeamViewer 9 (TeamViewer9) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
O23 - Service: Wacom ISD Touch Service (TouchServiceISD) - Wacom Technology, Corp. - C:\Program Files\Tablet\ISD\ISD_TouchService.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Unknown owner - C:\Windows\System32\TPHDEXLG64.exe (file missing)
O23 - Service: Lenovo Hotkey Client Loader (TPHKLOAD) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe
O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Intel(R) Management and Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
 
--
End of file - 16586 bytes



Images of errors and issues:
1.JPG
2.JPG
3.JPG
4.JPG
 

My Computer My Computer

At a glance

Microsoft Windows 7 Professional 64-bit 7601 ...Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz12.00 GBIntel(R) HD Graphics 3000
Computer type
Laptop
Computer Manufacturer/Model Number
Lenovo Thinkpad X220
OS
Microsoft Windows 7 Professional 64-bit 7601 Multiprocessor Free Service Pack 1
CPU
Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz
Motherboard
LENOVO 4294CTO
Memory
12.00 GB
Graphics Card(s)
Intel(R) HD Graphics 3000
Sound Card
(1) Intel(R) Display Audio (2) Conexant 20672 SmartAudio H
Screen Resolution
1366 x 768 x 32 bits (4294967296 colors) @ 60 Hz
Hard Drives
(1) HITACHI HTS723232A7A364 (2) OCZ-NOCTI
Hi Boboz,

Can you boot into Safe Mode and see if the problems still persist?
 

My Computer My Computer

At a glance

Dual Boot: Windows 8.1 & Server 2012r2 VMs: K...A10 7700 Kavari SteamRoller8GB DDR3 SDRAM PC3-85001024MB ATI AMD Radeon R7 Graphics
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom
OS
Dual Boot: Windows 8.1 & Server 2012r2 VMs: Kali Linux, Backbox, Matriux, Windows 8.1
CPU
A10 7700 Kavari SteamRoller
Motherboard
ASUS A88XM-PLUS (FM2+ )
Memory
8GB DDR3 SDRAM PC3-8500
Graphics Card(s)
1024MB ATI AMD Radeon R7 Graphics
Sound Card
Realtek High Definition Audio
Monitor(s) Displays
Samsung
Hard Drives
SSD Crucial 120gb
WD VelociRaptor 1tb
PSU
Rosewill Gaming 650w
Case
Rosewill Galaxy 2
Internet Speed
55/12
Antivirus
Malwarebytes, MSE, SAS
Browser
FireFox, Chrome
Hi Boboz,

Can you boot into Safe Mode and see if the problems still persist?

Thanks for your message. When I boot into safe mode, I don't get the error messages and I am able to launch applications that would otherwise not work in normal startup. However, this is only with the command prompt one. Regular safe mode doesn't give me a start menu or a taskbar.
 

One of my previous posts would explain why only Safe mode with command prompt works:

Safe Mode doesn't process the Run and RunOnce registry keys. One additional startup method is the Winlogon Shell, but that is also skipped if you choose Safe Mode with Command Prompt. So that's the safest Safe Mode option, but requires the user to know how to start an application.
Since you seem to have a problem with exe files I'm guessing your PC might have been modified to run an additional program every time you try to run an exe file. You can run these commands to check:
reg query "HKLM\Software\Classes\exefile\shell\open\command"
reg query "HKCR\exefile\shell\open\command"
A normal value should be "%1" %* (at the end of the printed lines)

Mine shows:
C:\>reg query "HKLM\Software\Classes\exefile\shell\open\command"

HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
    (Default)    REG_SZ    "%1" %*
    IsolatedCommand    REG_SZ    "%1" %*

C:\>reg query "HKCR\exefile\shell\open\command"

HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default)    REG_SZ    "%1" %*
    IsolatedCommand    REG_SZ    "%1" %*

If you find anything else there you could use regedit to change the value back to the default value, but it's probably a better idea to boot with a USB flash drive containing malware cleaning software, like for example Windows Defender Offline and others, which you'll have to create on a clean computer.
 

My Computer My Computer

At a glance

Windows 7 Pro 32Intel(R) Core(TM) i5 CPU M 540 @ 2.53GHz4,00 GB (Usable 2,98)NVIDIA NVS 5100M
Computer type
Laptop
Computer Manufacturer/Model Number
HP Elitebook 8540p
OS
Windows 7 Pro 32
CPU
Intel(R) Core(TM) i5 CPU M 540 @ 2.53GHz
Motherboard
Hewlett-Packard 1521
Memory
4,00 GB (Usable 2,98)
Graphics Card(s)
NVIDIA NVS 5100M
Sound Card
NVIDIA High Definition Audio
Screen Resolution
1600x900
Hard Drives
INTEL SSDSA2CW120G3
Antivirus
F-Secure Internet Security
Browser
IE, Firefox, Opera
Other Info
Sandboxie,
SRP (Software Restriction Policy),
EMET (Enhanced Mitigation Experience Toolkit),
WFC (Windows Firewall Control by BiniSoft),
Malwarebytes Premium
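As an added example (not code from the thread or from any tool named in it), the Python below parses captured `reg query` output in the format quoted above and reports any exefile open-command value that is not the stock `"%1" %*`; as a generalisation of the same check it also compares the Winlogon Shell value the post mentions against its Windows 7 default, explorer.exe. The sample outputs are constructed, and the wrapper path in the modified sample is a placeholder.

```python
import re

# Expected Windows 7 defaults for the values the post above tells you to
# check, plus the Winlogon Shell value it names as the other startup path.
# Keys are matched on the tail of their path so that HKLM\Software\Classes
# and HKCR (a merged view of HKLM and HKCU\Software\Classes) both match.
EXPECTED = {
    r"exefile\shell\open\command": {
        "(Default)": '"%1" %*',
        "IsolatedCommand": '"%1" %*',
    },
    r"windows nt\currentversion\winlogon": {
        "Shell": "explorer.exe",
    },
}

# One value row of `reg query` output: name, type, data (columns are runs of spaces).
_VALUE_LINE = re.compile(r"^\s+(\(Default\)|\S+)\s+(REG_\w+)\s*(.*)$")
_PROMPT_LINE = re.compile(r"^[A-Za-z]:\\.*>")  # echoed "C:\>reg query ..." lines


def parse_reg_query(output):
    """Parse `reg query` text into {key_path: {value_name: (type, data)}}."""
    keys = {}
    current = None
    for raw in output.splitlines():
        line = raw.rstrip()
        if not line.strip() or _PROMPT_LINE.match(line):
            continue
        if line.startswith("HKEY_"):          # key paths are flush left
            current = line.strip()
            keys[current] = {}
            continue
        m = _VALUE_LINE.match(line)           # value rows are indented
        if m and current is not None:
            name, vtype, data = m.groups()
            keys[current][name] = (vtype, data.strip())
    return keys


def check_defaults(output, expected=EXPECTED):
    """Return (key, value_name, actual_data) for every value that differs from its default.

    Only values that are present are compared: IsolatedCommand, for example,
    is not written on every Windows version, so its absence is not a finding.
    An empty list means everything queried matches the stock configuration.
    """
    findings = []
    for key, values in parse_reg_query(output).items():
        key_lc = key.lower()
        for tail, wanted in expected.items():
            if not key_lc.endswith(tail):
                continue
            for name, default in wanted.items():
                if name in values:
                    vtype, data = values[name]
                    if vtype != "REG_SZ" or data.lower() != default.lower():
                        findings.append((key, name, data))
    return findings


# Constructed sample mirroring the healthy output quoted in the post above,
# with the Winlogon key added.
CLEAN_OUTPUT = r"""
HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
    (Default)    REG_SZ    "%1" %*
    IsolatedCommand    REG_SZ    "%1" %*

HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default)    REG_SZ    "%1" %*
    IsolatedCommand    REG_SZ    "%1" %*

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
"""

# Constructed sample of a modified association: only the HKCR view differs,
# which points at a per-user override. The wrapper path is a placeholder.
MODIFIED_OUTPUT = r"""
HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
    (Default)    REG_SZ    "%1" %*
    IsolatedCommand    REG_SZ    "%1" %*

HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default)    REG_SZ    "C:\placeholder\wrapper.exe" "%1" %*
    IsolatedCommand    REG_SZ    "%1" %*
"""

if __name__ == "__main__":
    for label, text in (("clean", CLEAN_OUTPUT), ("modified", MODIFIED_OUTPUT)):
        print(label, check_defaults(text) or "all defaults")
```

To use it on a real machine, redirect the two `reg query` commands from the post into a file and pass its contents to `check_defaults`.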
One of my previous posts would explain why only Safe mode with command prompt works:

Safe Mode doesn't process the Run and RunOnce registry keys. One additional startup method is the Winlogon Shell, but that is also skipped if you choose Safe Mode with Command Prompt. So that's the safest Safe Mode option, but requires the user to know how to start an application.
Since you seem to have a problem with exe files I'm guessing your PC might have been modified to run an additional program every time you try to run an exe file. You can run these commands to check:
reg query "HKLM\Software\Classes\exefile\shell\open\command"
reg query "HKCR\exefile\shell\open\command"
A normal value should be "%1" %* (at the end of the printed lines)

Mine shows:
C:\>reg query "HKLM\Software\Classes\exefile\shell\open\command"

HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
    (Default)    REG_SZ    "%1" %*
    IsolatedCommand    REG_SZ    "%1" %*

C:\>reg query "HKCR\exefile\shell\open\command"

HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default)    REG_SZ    "%1" %*
    IsolatedCommand    REG_SZ    "%1" %*

If you find anything else there you could use regedit to change the value back to the default value, but it's probably a better idea to boot with a USB flash drive containing malware cleaning software, like for example Windows Defender Offline and others, which you'll have to create on a clean computer.

Thanks for your response. My registry entries are all normal (i.e., what you posted).

Any other thoughts?

I am in the process of booting my PC with Hitman Pro.
 

bonoz,

There are some strange IP addresses showing there... they seem to originate in Russia.
Malware may be a player in what is going on.

See if you can do the following...

You may want to print these instructions so you can have access to them.
Also, you may want to read them once before you apply them.

Please plug in a USB pen drive into a clean working computer.

Go to the Farbar Recovery Scan Tool Download
Select the download that applies to your system: 64-bit
Save the program to the >> USB pen drive.
Remove USB pen drive when done.

Now, go to the problem computer.
Plug in the USB pen drive which has FRST64.

Start the computer, and tap the F8 key until you get to the Advanced Boot Options
Use the arrow keys to select the Repair your computer menu item

From there...
Select your language settings, and click: Next
Select your User account and click: OK (If you did not set a password, leave blank.)

On the System Recovery Options you get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Scan your computer's memory for errors
Command Prompt

Select: Command Prompt

In the Command Prompt window, at the blinking cursor type notepad and press: Enter
In Notepad, under the File menu select: Open
Double-click the Computer icon on the left.
Find the pen drive letter, remember what letter it is, click on it, and press: Open
Close out of Notepad.

Click the Command Prompt window
Type x:\frst64.exe, and press: Enter
Note: Replace the drive letter x with the drive letter of your pen drive!

FRST starts, and prepares to run. Follow the prompts.
Click Yes to the Disclaimer.

Press the Scan button.

The scan runs, and, the program saves the FRST.txt, on the pen drive.

When done, click the Command Prompt window, type exit, and press: Enter

Back at the System Recovery Options, press: Shutdown
Remove the USB pen drive.

Please plug the USB pen drive in the working computer, and please provide the FRST.txt in your reply.


Thanks!


 

My Computer My Computer

At a glance

Windows 7 Home Premium
Computer type
PC/Desktop
Computer Manufacturer/Model Number
An ol' eMachines
OS
Windows 7 Home Premium
Internet Speed
Fine for me...I'm retired!


My Computer My Computer

At a glance

7 x64 UltimateAMD Ryzen 516GB DDR4Radeon R7 360
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom
OS
7 x64 Ultimate
CPU
AMD Ryzen 5
Motherboard
Gigabyte GA-AB350-Gaming
Memory
16GB DDR4
Graphics Card(s)
Radeon R7 360
Monitor(s) Displays
2 x Dell U2518D
Screen Resolution
2560x1440 2560x1440
Hard Drives
WD 500GB x2
Samsung SSD 128MB (OS)
XPG SX8200 Pro M.2 2280 1TB
PSU
Antec 500
Cooling
Hyper 212 EVO
Keyboard
Logitech cordless K800
Mouse
Logitech M510
Antivirus
Avira
bonoz,

There are some O1 and O17 entries showing in the HijackThis log posted earlier.
Ignore these if you knowingly placed these entries in your Hosts file. Some of them point to a Canadian IP, others to a Russian IP:

O1 - Hosts: ::1 localhost
O1 - Hosts: 195.162.68.60 www.google-analytics.com.
O1 - Hosts: 195.162.68.60 google-analytics.com.
O1 - Hosts: 195.162.68.60 connect.facebook.net.
O1 - Hosts: 192.95.55.228 www.google-analytics.com.
O1 - Hosts: 192.95.55.228 google-analytics.com.
O1 - Hosts: 192.95.55.228 connect.facebook.net.
O1 - Hosts: 192.99.206.114 www.google-analytics.com.
O1 - Hosts: 192.99.206.114 google-analytics.com.
O1 - Hosts: 192.99.206.114 connect.facebook.net.

If you did not place these entries in your Hosts file, then run HijackThis, Scan, check the box for the entries above, and select: Fix checked


On the O17 entries, they look like Google Public DNS. Is that the case?

O17 - HKLM\System\CCS\Services\Tcpip\..\{104BF5F1-4EE4-408F-98FA-E1EC46E52D3A}: NameServer = 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{7980EDBB-5526-4983-AF96-936F7AC77B4D}: NameServer = 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D05486C-1F75-4D1A-8DEA-4B46A06710F8}: NameServer = 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1BB2938-61B5-447D-A1DA-09A1EAB4CD29}: NameServer = 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5A407C7-6E26-4CFB-93C6-B2E407785A26}: NameServer = 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD102EFB-86FC-4C19-BF94-5D2D8536F565}: NameServer = 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2024E1F-B7CD-46F2-96C1-F9E72293ED7A}: NameServer = 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{104BF5F1-4EE4-408F-98FA-E1EC46E52D3A}: NameServer = 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
O17 - HKLM\System\CS2\Services\Tcpip\..\{104BF5F1-4EE4-408F-98FA-E1EC46E52D3A}: NameServer = 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8

In this section HijackThis checks various keys in the Registry hive [HKEY LOCAL MACHINE] for specific values which help Windows resolve domain names into IP addresses. Hijacking these values can cause the programs which use the Internet to be redirected to malicious sites. Some versions of malware use this methodology.

However, these entries may be used by your ISP, your company network, and other legitimate entities. If that is the case, removing a needed O17 entry may break Internet connectivity.

Is there any reason why you started a new topic?
 

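As an added triage helper (not part of the thread or of HijackThis itself), the Python below parses O1 and O17 lines in the log format quoted above and flags hosts entries that point a public name at anything other than a loopback or unspecified address, plus NameServer values outside an allowlist you recognise or repeated within one entry. The log excerpt is constructed: the hosts addresses and GUIDs are the ones in the posted log, and 203.0.113.53 is a documentation address standing in for an unknown resolver.

```python
import ipaddress
import re

# Constructed excerpt in HijackThis log format, modelled on the O1/O17 lines
# quoted above. 203.0.113.53 is a documentation address used as a stand-in
# for a resolver the user does not recognise; ads.example is a made-up name.
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O1 - Hosts: 195.162.68.60 www.google-analytics.com.
O1 - Hosts: 195.162.68.60 connect.facebook.net.
O1 - Hosts: 192.95.55.228 google-analytics.com.
O1 - Hosts: 0.0.0.0 ads.example
O17 - HKLM\System\CCS\Services\Tcpip\..\{104BF5F1-4EE4-408F-98FA-E1EC46E52D3A}: NameServer = 8.8.8.8,8.8.8.8,8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{7980EDBB-5526-4983-AF96-936F7AC77B4D}: NameServer = 203.0.113.53,8.8.8.8
"""

_O1 = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
_O17 = re.compile(r"^O17 - (\S+):\s*NameServer\s*=\s*(.+)$")

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Resolvers the user recognises; the post above notes 8.8.8.8 is Google Public DNS.
KNOWN_RESOLVERS = {"8.8.8.8", "8.8.4.4"}


def parse_hijackthis(text):
    """Return ([(ip, hostname)], [(registry_key, [nameservers])]) from O1/O17 lines."""
    hosts, nameservers = [], []
    for line in text.splitlines():
        m = _O1.match(line)
        if m:
            hosts.append((m.group(1), m.group(2).rstrip(".")))  # drop trailing FQDN dot
            continue
        m = _O17.match(line)
        if m:
            servers = [s.strip() for s in m.group(2).split(",") if s.strip()]
            nameservers.append((m.group(1), servers))
    return hosts, nameservers


def is_sinkhole(ip_text):
    """Loopback or unspecified targets are the normal, benign use of a hosts entry."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def triage(text, known_resolvers=KNOWN_RESOLVERS):
    """Flag O1 entries that redirect a public name to a real address, and O17
    entries whose resolvers are not on the allowlist or are listed repeatedly."""
    hosts, nameservers = parse_hijackthis(text)
    findings = []
    for ip, name in hosts:
        if name.lower() in LOCAL_NAMES or is_sinkhole(ip):
            continue
        findings.append(("O1", name, ip))
    for key, servers in nameservers:
        unknown = sorted(set(servers) - set(known_resolvers))
        if unknown:
            findings.append(("O17", key, ",".join(unknown)))
        if len(servers) != len(set(servers)):
            # The same resolver listed many times is unusual; confirm with the user.
            findings.append(("O17-dup", key,
                             "%d entries, %d distinct" % (len(servers), len(set(servers)))))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in triage(SAMPLE_LOG):
        print(kind, subject, "->", detail)
```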
On the above (chkdsk), tap the F8 key when the PC starts until the Advanced Boot Options appears

Select: Safe Mode with Command Prompt




Would also consider running System File Checker.

It will run in Safe Mode with Command Prompt also.


Type: sfc/scannow


;)
 
