Windows 7: can't install new progs (including FRST) and can't


#1
ally1205

Happy Christmas Day! At least, I hope yours has been better than mine... I'm running Windows 7 and have encountered a major problem. I'm assuming it's a virus but I am not an expert. Can anyone help?

 

The symptoms are as follows:

1) I can't install any new programs (including Geeks to Go's prescribed 'FRST' scan). When I try to run any new program associated with scanning, antivirus, or other fix-it tools, the 'User Account Control' popup asks me if I want the program to make changes to my computer. When I click the 'yes' button, the screen goes semi-dark and I have to press ctrl-alt-del to cancel. The 'User Account Control' popup-box has a link, bottom-right, that offers to let me "change when these notifications appear", but clicking on the link has no effect.

2) I can't uninstall any programs either. Control Panel tells me to "wait until the current program is finished uninstalling or being changed" (which it never does).

3) I cannot start Windows in any of the Safe modes; when I try that, it hangs on the 'Welcome' screen.

4) I often cannot shut down or restart the computer normally; it hangs - or takes ages lingering on the 'shutting down' screen, and I sometimes have to hold the power button down to shut everything down, rather than waiting indefinitely.

5) Certain Control Panel features no longer work, such as turning firewall off and troubleshooting as administrator.

 

Remedial steps attempted:

1) I ran AVG free antivirus. All it found was some PUPs. It removed them; there was no change.

2) I ran MS Security Essentials scan. It found one "dangerous virus" called Onaha.A  ...The program quarantined it, but the symptoms remain. It was unable to uninstall the offending freeware program.

3) I ran SuperAntiSpyware. It found nothing.

4) I tried running Malwarebytes, but it won't open (like a lot of my programs: the screen goes semi-dark as soon as I try to run them and I have to press ctrl-alt-del).

5) I ran Hiren's rescue CD and one of the antivirus programs found and deleted 3 trojans, but the symptoms remain. Most of the anti-malware programs on the CD don't run. They may be out of date.

6) I tried restoring Windows to the only previous restore point (one day old) but there was no change. I thought I had other restore points but it seems not. I may have used third-party programs to save backup points and no longer have the programs on my system.

 

I'm assuming this is a malware problem, but I'll leave it to the experts to confirm. Diagnostics found no faults with my HDD or memory.

 

I'd love to run some other scans, but my computer won't currently run any diagnostic programs, and doesn't let me run anything from a command prompt as administrator either. I do not have a Windows 7 disc image to revert to, and I don't have the Windows 7 installation CD. (One was not supplied with this HP Compaq desktop PC, which I purchased about 5 years ago).

 

Hiren's rescue CD can load a Mini-XP OS. I don't know if it would work, but if I downloaded and ran FRST under that OS and ran the scan, would it provide the diagnostic info that's needed?

 

Thank you kindly for any help...


Edited by ally1205, 26 December 2015 - 02:28 AM.

#2
RKinner
Malware Expert

Better to run FRST from a USB:  See http://www.geekstogo...l/#entry2151691


#3
ally1205

RK,

Thank you for your help! I ran your FRST fix and I have posted the log below. Unfortunately, the symptoms have not changed. I can run most programs that are already installed on the computer, except for most (not all) utilities that can change Windows system files, such as 'Win Utilities', 'Malware Bytes', 'Quick Startup' etc, and I can't install any new programs - I guess because running an installation requires Windows files to be changed. For some reason, I can run SuperAntiSpyware and CCleaner.

 

I think that 'tc.exe.exe' file you noticed was of my doing: I think it was me changing the name of TrueCrypt.exe a few years ago when I installed it. Here is the new FRST log:

 

++++++++++++++++++++++++++++++++++++++++++++

Fix result of Farbar Recovery Scan Tool (x64) Version:27-12-2015
Ran by SYSTEM (2015-12-28 13:54:52) Run:1
Running from h:\
Boot Mode: Recovery
==============================================

fixlist content:
*****************
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1337000 2015-04-29] (Microsoft Corporation)
HKU\AA\...\Run: [TrueCrypt] => C:\Program Files (x86)\yoyo\tc.exe.exe [1516496 2013-08-24] (TrueCrypt Foundation)
S2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [23816 2015-04-29] (Microsoft Corporation)
S3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [366544 2015-04-29] (Microsoft Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [280376 2015-03-04] (Microsoft Corporation)
S3 WiseHDInfo; C:\Windows\WiseHDInfo64.dll [14800 2015-10-30] (wisecleaner.com)
S3 PCDSRVC{F36B3A4C-F95654BD-06000000}_0; \??\c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms [X]
S3 VBoxNetFlt; system32\DRIVERS\VBoxNetFlt.sys [X]
C:\Users\AA\AppData\Local\Application Data
C:\Users\AA\udownload.dat
EmptyTemp:





*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\MSC => value removed successfully
HKU\AA\Software\Microsoft\Windows\CurrentVersion\Run\\TrueCrypt => value removed successfully
MsMpSvc => service removed successfully
NisSrv => service removed successfully
MpFilter => service removed successfully
WiseHDInfo => service removed successfully
PCDSRVC{F36B3A4C-F95654BD-06000000}_0 => service removed successfully
VBoxNetFlt => service removed successfully
Symbolic link found: "C:\Users\AA\AppData\Local\Application Data" => "C:\Users\AA\AppData\Local"
"C:\Users\AA\AppData\Local\Application Data" => Symbolic link removed successfully
C:\Users\AA\AppData\Local\Application Data => moved successfully
C:\Users\AA\udownload.dat => moved successfully
EmptyTemp: => Error: This directive works only outside recovery mode.

==== End of Fixlog 13:54:54 ====


#4
RKinner
Malware Expert

Once you rerun FRST per the previous instructions

 

then:

 

1. Double-click My Computer, and then right-click the hard disk that you want to check. C:
2. Click Properties, and then click Tools.
3. Under Error-checking, click Check Now. A dialog box that shows the Check disk options is displayed.
4. Check both boxes and then click Start.
You will receive the following message:
The disk check could not be performed because the disk check utility needs exclusive access to some Windows files on the disk. These files can be accessed by restarting Windows. Do you want to schedule the disk check to occur the next time you restart the computer?
Click Yes to schedule the disk check, but don't restart yet.
 
Right click on (My) Computer and select Manage (Continue) Then the Event Viewer. Next select Windows Logs.  Right click on System and Clear Log, Clear. Repeat for Application. Reboot. The disk check will run and will probably take an hour or more to finish.
 
 
Start, All Programs, Accessories then right click on Command Prompt and Run as Administrator.  Then type (with an Enter after each line).
 
sfc /scannow
 
(SPACE after sfc.)  This will check your critical system files. Does this finish without complaint?  If it says it couldn't fix everything then:
 
Copy the next two lines:
 
findstr  /c:"[SR]"  \windows\logs\cbs\cbs.log  >  \windows\logs\cbs\junk.txt 
notepad \windows\logs\cbs\junk.txt 
 
Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue.  Right click and Paste or Edit then Paste and the copied line should appear.
Hit Enter if Notepad does not open.  Copy and paste the text from Notepad into a reply.  Close Notepad.  Close the Command Window.
 
 
1. Please download the Event Viewer Tool by Vino Rosso
and save it to your Desktop:
2. Right-click VEW.exe and Run as Administrator
3. Under 'Select log to query', select:
 
* System
4. Under 'Select type to list', select:
* Error
* Warning
 
 
Then use the 'Number of events' as follows:
 
 
1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.
 
 
Please post the Output log in your next reply then repeat but select Application. (The second time you run VEW it will overwrite the first log, so copy it to a reply or rename it first.)
 
Ron

#5
ally1205

Unfortunately, I cannot do this operation from within Windows (due to the fault on the system, I guess); as soon as I try (3) above, the tools/disc-checking utility freezes without producing any results. Can the above be done from the command prompt in advanced boot options (F8)? Please see my newer thread on this fault for my latest FRST log, generated today, after manually cleaning unneeded files from my HDD. I'm thinking of buying an extra HDD to install in the computer as I gather the mobo has a spare SATA socket.


Edited by ally1205, 28 December 2015 - 01:51 PM.

#6
RKinner
Malware Expert

Are you able to go into the Control Panel and select User Accounts then Change User Account Settings?  Can you push the slider down to Never Notify and then OK?

 

If you can't do that, can you make a new user with Admin rights while in User Accounts?  Then log in as the new user?


#7
ally1205

No, I can't do either. If I click Add new user account, I get an egg-timer that lasts indefinitely. The same happens if I click Change your account type, so I then have to terminate Control Panel in Task Manager. If I click Change User Account Control Settings, it hangs/freezes and I have to end Control Panel in Task Manager and then reboot the system before I can try anything in Control Panel again.

 

I heard there is a portable version of MS Fix-it. Should I try running that from within F8 (advanced boot options) command prompt?


Edited by ally1205, 28 December 2015 - 02:26 PM.

#8
RKinner
Malware Expert

Let's see if we can turn off UAC with a registry hack.

 

Download the attached uacoff.zip file and save it then right click and extract all.  Right click on uacoff.reg and Merge.  Then reboot and see if that helps.


#9
ally1205

I can't see any attachment. Where should I look for it?


#10
RKinner
Malware Expert

oops


#11
ally1205

Thank you. When I click Merge, I get the usual problem: the Windows popup box asks "Do you want to make changes to this computer" and the screen goes halfway dark and all freezes, and I have to click ctrl-alt-del and then cancel Task Manager which then unfreezes the system. So I cannot do the merge using the method you prescribed.

 

I read there is a portable version of MS Fix-it. Should I try running that from within F8 (advanced boot options) command prompt?


Edited by ally1205, 28 December 2015 - 03:15 PM.

#12
RKinner
Malware Expert

Can you get into regedit.exe?

 

We are just trying to change

 

EnableLUA under
 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
 
from 1 to 0

#13
ally1205

I was only able to use regedit via the command prompt within F8 advanced boot options.

 

However, "EnableLUA" is not present in: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

 

Only these 3 things appear there:

Default      RegSZ       (value not set)

EnableMIC    REGDWORD    0x00000000 (0)

EnableUIPI   REGDWORD    0x00000000 (0)

 

I have to quit for the day now, but will look here again in about 10 hrs time. Many thanks for your help with this!


Edited by ally1205, 28 December 2015 - 03:59 PM.

#14
RKinner
Malware Expert

Perhaps the fact that so much is missing is causing your odd problems.

 

Attached is a screenshot from mine.  Make sure you are in the same area of the registry as two of your items are not in mine.

 

 

[attachment=79710:sys.jpg]


#15
RKinner
Malware Expert

You can get PC Regedit
from the link on this page:
 
 
 
I see he now tells you how to do it from Hiren's so that might be easier for you.

  • 0
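
Added example, not part of the thread and not posted by either participant: a read-only check of the values discussed in posts #12 to #14, run from a recovery command prompt. It assumes the prompt is the Windows Recovery Environment, where HKLM\SOFTWARE belongs to the recovery image rather than to the installed Windows, so the installed system's SOFTWARE hive has to be loaded under a temporary key first. The mount name OfflineSoftware and the default drive letter are assumptions; the Windows volume often has a different letter in recovery mode.

```batch
@echo off
rem Added example: reads the UAC policy values of the INSTALLED Windows from a
rem recovery command prompt. It only reads; nothing is written to the hive.
rem Usage: uaccheck.cmd D:   (drive letter of the installed Windows; C: if omitted)
setlocal
set "WINDRIVE=%~1"
if not defined WINDRIVE set "WINDRIVE=C:"
set "HIVE=%WINDRIVE%\Windows\System32\config\SOFTWARE"
rem OfflineSoftware is an arbitrary temporary mount name (assumption).
set "MOUNT=HKLM\OfflineSoftware"
set "KEY=%MOUNT%\Microsoft\Windows\CurrentVersion\Policies\System"

if not exist "%HIVE%" (
    echo Hive not found at %HIVE% - try another drive letter.
    exit /b 1
)

rem Mount the installed system's SOFTWARE hive under the temporary key.
reg load %MOUNT% "%HIVE%" >nul
if errorlevel 1 (
    echo Could not load %HIVE%.
    exit /b 1
)

rem Report each value named in the thread, or say that it is missing.
for %%V in (EnableLUA EnableMIC EnableUIPI) do (
    reg query "%KEY%" /v %%V >nul 2>&1
    if errorlevel 1 (
        echo %%V is not present
    ) else (
        for /f "skip=2 tokens=1-3" %%A in ('reg query "%KEY%" /v %%V') do echo %%A = %%C [%%B]
    )
)

rem Always unmount, otherwise the hive file stays locked.
reg unload %MOUNT% >nul
endlocal
```

If the values listed here differ from what regedit shows under HKEY_LOCAL_MACHINE\SOFTWARE at the same prompt, the regedit view was the recovery environment's own registry.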





