
FRST Problem



#31
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,701 posts
  • MVP

Try it again.  Does it still say Start Pending?


  • 0



#32
cassyb

cassyb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts

OTL log included

 

 

 

I'm still getting a \iernonce.dll error on startup

Attached Files

  • Attached File  OTL.Txt   133.65KB   165 downloads

  • 0

#33
cassyb

cassyb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts

Yes it does

 

 

I think my registry is just corrupt beyond repair


  • 0

#34
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,701 posts
  • MVP
I think I see the \iernonce.dll  error.  Copy the text in the code box by highlighting and Ctrl + c
 
 
:OTL
O4:[b]64bit:[/b] - HKLM..\RunOnceEx: [flags] Reg Error: Invalid data type. File not found
 
 
:Commands
[EMPTYFLASH]
[EMPTYJAVA]
[purity]
[Reboot]
 
 
then double-click on OTL to start. Under the Custom Scans/Fixes box at the bottom, paste (ctrl +v) the text. Verify that you got it all and then click the RUN FIX button (NOT THE QUICK SCAN button!) at the top.
Let the program run unhindered, OTL will reboot the PC when it is done. Save the log and copy and paste it into a reply. 
 
 
So far we haven't gotten a single scan to run completely.  Have you tried Combofix since we replaced the missing file?
 
 
 
Are you brave enough to run a FRST scan again?  Let's start from scratch as there may be something wrong with your copy:
 

 
Please download Farbar Recovery Scan Tool and save it to your Desktop. 
 
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.   You need the 64 bit version.
 
  • Right click to run as administrator.  When the tool opens click Yes to disclaimer.  Check the Additions box.
  • Press Scan button. 
  • It will produce a log called FRST.txt in the same directory the tool is run from.  
  • Please copy and paste log back here. 
  • The tool should generate another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply. 
     
    Let's see if the hard drive is healthy (if we haven't already done that)
     

    1. Double-click My Computer, and then right-click the hard disk that you want to check. C:
    2. Click Properties, and then click Tools.
    3. Under Error-checking, click Check Now. A dialog box that shows the Check disk options is displayed,
    4. Check both boxes and then click Start.
    You will receive the following message:
    The disk check could not be performed because the disk check utility needs exclusive access to some Windows files on the disk. These files can be accessed by restarting Windows. Do you want to schedule the disk check to occur the next time you restart the computer?
    Click Yes to schedule the disk check,
     
     
    Test your RAM:
     
     
     

    • 0

    #35
    cassyb

    cassyb

      Member

    • Topic Starter
    • Member
    • PipPip
    • 34 posts

    logs attached

    Attached Files


    • 0

    #36
    RKinner

    RKinner

      Malware Expert

    • Expert
    • 24,701 posts
    • MVP

    You have this turned off in msconfig:

     

    MSCONFIG\startupreg: combofix => C:\ComboFix\CF12078.3XE /c C:\ComboFix\Combobatch.bat

     

    Can you right click on Combobatch.bat (in C:\Combofix) and select Edit (notepad) then copy and paste the text into a reply?

     

    Do the same for C:\Users\cass\AppData\Local\Temp\launchie.vbs

     

     

     

    Copy the text in the code box by highlighting and Ctrl + c 

     
     
    /md5start
    mshtml.dll
    pcalua.exe
    iexplore.exe
    ActiveSetupN_2.exe
    setup.exe
     /md5stop
     
    
    then run OTL and under the Custom Scans/Fixes box at the bottom, paste (ctrl +v) the text.  Verify that you got it all and then click the Run SCAN button at the top.
    Let the program run unhindered, OTL will not reboot the PC when it is done.  Save the log and copy and paste it to a reply.

    • 0

    #37
    cassyb

    cassyb

      Member

    • Topic Starter
    • Member
    • PipPip
    • 34 posts

    The launchie.vbs  not found

    Attached Files


    • 0

    #38
    RKinner

    RKinner

      Malware Expert

    • Expert
    • 24,701 posts
    • MVP

    Not sure if this will work but let's try it.

    Copy the next two lines

    copy C:\Windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_11.2.9600.17239_none_f5b0b0ea3726a4ff\mshtml.dll c:\windows\system32\mshtml.dll
    copy C:\Windows\winsxs\wow64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_11.2.9600.17239_none_00055b3c6b8766fa\mshtml.dll c:\Windows\syswow64\mshtml.dll
    Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue.  Right click and Paste or Edit then Paste and the copied line should appear.
    Hit Enter.   Do you see an error message or does it say it copied the files?
     
    If it says it copied the files then try IE now. Run OTL just like you did last time and post the log.
     
    If it says it can't copy the files then we will try something else.

    • 0
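
Added example, not part of the thread and not OTL's code: a Python sketch of the comparison that hashing every copy of a file makes possible, as with the file list in post #36 and the WinSxS copy in post #38. It reports live copies whose hash matches no copy in the component store; the function names and the directory tree built in `demo()` are constructed for illustration.

```python
import hashlib, os, tempfile
from collections import defaultdict

def md5_of(path):
    # MD5 here only identifies copies; it is not tamper-proof.
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def hash_copies(root, names):
    """Return {file name: {md5: [paths]}} for every copy of the named files under root."""
    wanted = {n.lower() for n in names}
    found = defaultdict(lambda: defaultdict(list))
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() in wanted:
                path = os.path.join(dirpath, fn)
                try:
                    digest = md5_of(path)
                except OSError:  # locked or unreadable: report it, do not skip it
                    digest = "<unreadable>"
                found[fn.lower()][digest].append(path)
    return found

def in_store(path, store_dir="winsxs"):
    return store_dir in path.lower().split(os.sep)

def unmatched_live_copies(found):
    """Copies whose hash equals no readable copy of the same file in the store."""
    suspects = []
    for by_hash in found.values():
        store_hashes = {h for h, paths in by_hash.items()
                        if h != "<unreadable>" and any(map(in_store, paths))}
        for h, paths in by_hash.items():
            if h not in store_hashes:
                suspects.extend(paths)
    return sorted(suspects)

def demo():
    # Constructed tree standing in for C:\Windows; file contents are placeholders.
    layout = {"winsxs/amd64_ie-htmlrendering/mshtml.dll": b"x64 build",
              "winsxs/wow64_ie-htmlrendering/mshtml.dll": b"x86 build",
              "system32/mshtml.dll": b"x64 build",
              "syswow64/mshtml.dll": b"x86 bui"}  # truncated copy
    with tempfile.TemporaryDirectory() as root:
        for rel, data in layout.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        found = hash_copies(root, ["mshtml.dll"])
        return [os.path.relpath(p, root) for p in unmatched_live_copies(found)]
```

The 64-bit and 32-bit copies legitimately differ from each other, which is why each live copy is compared against every store copy of the same name rather than against a single reference.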

    #39
    cassyb

    cassyb

      Member

    • Topic Starter
    • Member
    • PipPip
    • 34 posts

    It copied the files, but IE still didn't open

     

    There is another error message: Error reading cmdI.Image.Data.Invalid operation

    Attached Files

    • Attached File  OTL.Txt   140.51KB   166 downloads
    • Attached File  Extras.Txt   132.31KB   179 downloads

    • 0

    #40
    RKinner

    RKinner

      Malware Expert

    • Expert
    • 24,701 posts
    • MVP

    Uninstall

     

    Reimage Repair

     

    This is some kind of Registry cleaner which you don't need.

     

    Ditto for 

     

    TuneUp Utilities 2013

     

    Snake oil which can cause more damage than it fixes.

     

    Clear the Java Cache by following the instructions on
     
    You do not have the latest Java.
    First go into Control Panel, Add/Remove Software (XP) or Programs and Features (Vista/Win 7) and remove any old versions (which may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE)
    I see:
    Java 7 Update 40
    Java 7 Update 40(x64)
     
    Java has been very vulnerable to infection so unless you absolutely need it you should not reinstall it.
     
    If you feel you must have Java:
    Get the latest Java at:
     
    Save it to your PC then close all browsers and install it.  Do not let it install the yahoo toolbar or other foistware.
    Once installed, go into Control Panel, Java, Security and set the slider to the Highest then OK.
     
    (If you also want the 64 bit version then use the 64 bit version of IE to get it.)
     
     

     

    Since Norton is not working for you let's replace it with the free Avast (you can go back to Norton later if you must)

     

     
    Download and Save the free Avast installer.
    Download and save the norton removal tool
    Uninstall Symantec (save the product license key in case you decide to reinstall it: http://us.norton.com...b/web_view.jsp?wv_type=public_web&docurl=20080710133834EN&ln=en_US)
     
    Run the Norton Removal tool.  (Right click and Run As Admin)
     
    Reboot
     
    Install Avast. (Right click and Run As Admin) (Register when it asks you - they will try to talk you in to buying the full product but the free version is what we want.)
     
    Once you get it installed and it updates let's have it run a full boot-time scan tonight while you sleep:
     
     
    First mute the speakers so it won't wake you up when Windows loads.  Click on the Orange ball.  Click on Scans.  Change Quickscan to Boot-time Scan.  Click on Settings.  Where it says Heuristic Sensitivity click on the last rectangle so that all of them are orange and it says High.  Check both boxes.  Then change When a threat is found ... to:  Move to Chest.  OK.  Now click on Start.  Close the Avast window and then reboot.  The scan will start.  It will tell you where it will save the report.  Usually it's C:\ProgramData\AVAST Software\Avast\report\aswBoot.txt but it might change so verify the location.  When Windows loads Click on the Orange Ball then Scan, Then Scan History (at the bottom of the page). Click on the last scan and then Detailed Report.  If it found anything then open the aswBoot.txt file and copy and paste it.

    • 0



    #41
    cassyb

    cassyb

      Member

    • Topic Starter
    • Member
    • PipPip
    • 34 posts

    log

    Attached Files


    • 0

    #42
    RKinner

    RKinner

      Malware Expert

    • Expert
    • 24,701 posts
    • MVP

    I usually go back and manually delete the corrupt archives or files that it finds.  The actual file name stops at the | so the third one is:

    C:\Users\cass\Desktop\desktop shorts\Ava Gray - Skin series\fixed.MBSS.rar

     

    You might want to manually delete this one too:

     

    C:\Users\Public\Documents\Wondershare\mobilego_full818.exe

     

    or at least submit it to virustotal.com and see what the other anti-virus companies think about it.

     

     

     

    I assume since you got a full scan that Avast is running OK?  If you really want to you can download a new copy of your Norton/Symantec, uninstall Avast, reboot and install Norton/Symantec.  Expect it will work OK now.

     

     

     

    Let's try and uninstall Combofix then download and install a new copy:

     

    Go in to msconfig and recheck the combofix line. OK and reboot.

     

    copy the next line:
     
    "C:\Users\cass\Desktop\ComboFix.exe" /Uninstall
     
    Start, All Programs, Accessories then right click on Command Prompt and Run As Administrator.
    then right click, Paste, then hit Enter.
     
    This should remove combofix.  Now try downloading it again:
     
     
    ComboFix
     
    :!: It must be saved to your desktop, do not run it from your browser:!:
     
    :!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well.  See: http://www.bleepingc...opic114351.html
     
    :!: Turn off your screen saver so you can see what is going on
     
    Download and Save this file --  to your Desktop -- from either of these two sources:
     
    Right-click on ComboFix and select Run As Administrator to start the program.  
     
     
     
        * :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
        
        
        * A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.  
     
    Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.
    You should get a log when it finishes.  If not this may mean you have the new version of Zero Access malware so run Combofix a second time.
    If you still don't get a log search for Combofix.txt.  It is usually at => C:\Combofix\Combofix.txt. I'll need to see that in your reply.
    If you get an error about a registry value when you try to run a program, then just reboot to clear it.
     

    • 0

    #43
    cassyb

    cassyb

      Member

    • Topic Starter
    • Member
    • PipPip
    • 34 posts

    combofix log

    Attached Files

    • Attached File  log.txt   34.47KB   157 downloads

    • 0

    #44
    RKinner

    RKinner

      Malware Expert

    • Expert
    • 24,701 posts
    • MVP
     
    Copy the text between the lines of stars by highlighting and Ctrl + c.
     
    ******************************************
     
     
    DirLook::
    C:\Program Files\Common
    %user%\library
     
    File::
    c:\windows\system32\drivers\AntiLog64.sys
     
    Driver::
    AntiLog32
     
    RegLock::
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
    [HKEY_USERS\S-1-5-21-3204655562-3042467115-2064883207-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
    [HKEY_USERS\S-1-5-21-3204655562-3042467115-2064883207-1001_Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
    [HKEY_USERS\S-1-5-21-3204655562-3042467115-2064883207-1001_Classes\Wow6432Node\CLSID\{86de48a1-56e2-452d-8836-39fe506b9a10}]
    [HKEY_USERS\S-1-5-21-3204655562-3042467115-2064883207-1001_Classes\Wow6432Node\CLSID\{be216d00-e7ac-40fc-a4e3-b9a0caef853b}]
     
    ******************************************
     
    Now open notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all then File, SAVE AS, (to your Desktop), CFScript , OK. Close notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.
     
    Pause your anti-virus.
     
    Drag CFScript.txt over to Combofix and let go.  Combofix should start on its own.
     
    Post the new log.
     
     
    If you go into Control Panel, Internet Options does the window open for you?

    • 0

    #45
    cassyb

    cassyb

      Member

    • Topic Starter
    • Member
    • PipPip
    • 34 posts

    After dragging CFScript.txt to combofix it ran but there was no log. I ran combofix again, then there was a log.

     

     

    Control Panel, Internet Options is working fine.

    Attached Files


    • 0





