Hello,

I have recently been infested with something. One week ago, I couldn't access Task Manager and realized that taskmgr.exe was deleted from System32. Later on, my themes were disabled and the bottom Windows 7 taskbar turned into a classic one. All other tabs have a classic frame. Furthermore, strange extensions started to auto-install in both Chrome and Firefox. In addition, some programs got installed on my computer as well. After scanning the system with Malwarebytes and Avast, I managed to remove a total of 80 potentially dangerous programs and 7 potential viruses.

I can't think of anything else. I tried the repair function and it revealed the disabled programs. I cannot activate them from the registry.

It would be great if someone could help me with some advice, as I will soon move to a foreign country and I wouldn't like to worry about a failing computer.

A million thanks,

Tudor

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you to. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

You told us that you removed several items with Malwarebytes' Anti-Malware. This tool creates a log on every run and we need to see them.

  • The logs can be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Zip any and all of these logs and attach the file to your next reply.

Scan with Malwarebytes Anti-Rootkit

Please download Malwarebytes Anti-Rootkit from here: Malwarebytes : Malwarebytes Anti-Rootkit, and save it to your desktop.

Be sure to print out and follow the instructions provided on that same page.

Caution: This is a beta version, so please be sure to read the disclaimer and back up any important data before using it.

  • Double click the mbar.zip file to open it, then 'Extract all files'.
  • Double click the mbar folder to open it, then double click mbar.exe to start the tool.

Check for Updates, then Scan your system for malware.

If malware is found, do NOT press the Cleanup button yet. Click EXIT.

I'd like to see the log first so I can see what it sees. You'll find the log in that mbar folder as MBAR-log-[date and time]***.txt. Please attach that to your next reply.

System File Check

For Windows XP:

  • Press the Windows and the R key simultaneously.
  • Within the text box that just opened, write cmd and hit Enter.

For Windows Vista/7:

  • Press the Windows key to open the start menu.
  • Don't highlight anything, just write cmd.
  • The start menu will offer you an entry named cmd.
  • Right click it and select "run as administrator".

Within the opening window, write the following:

sfc /scannow
(Note the space before the slash.)

  • Hit Enter. Your system will be checked for damaged system files.
  • Tell me the result of that scan in here (as the tool produces no log).

The problem with Aero and the disabled Desktop Window Manager still persists. When I try accessing taskmgr.exe from the Windows bar, it says that it cannot be found in System32. I have checked it and it is not there. Something must have deleted it.

Aero Troubleshooter:

Issues found
The current theme doesn't support Aero
The current theme ???? (Cherry Blossoms) doesn't support Aero desktop effects such as transparency.
Not fixed

Change to a different theme
Completed
Desktop Window Manager is disabled
The Desktop Window Manager must be enabled in order to display Aero desktop effects such as transparency.
Detected

Enable the Desktop Window Manager
Completed

Desktop Window Manager was not enabled even though it appears so in Services.

Scan with Farbar's Service Scanner

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Add the following to the text field: UxSms
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log into your reply.
Microsoft® Windows 7 Eternity™ 2009   (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

Other Services:
==============

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit

ATTENTION!=====> C:\Program Files\Windows Defender\MpSvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

C:\Windows\system32\ipnathlp.dll => MD5 is legit
C:\Windows\system32\iphlpsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****

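The log above flags three things worth re-checking on the live machine: the DisableAntiSpyware policy value, the stopped WinDefend service (together with UxSms, the Desktop Window Manager Session Manager service that was added to the scan), and the missing MpSvc.dll. The PowerShell script below is an added example, not part of the thread and not Farbar's code; it reproduces those checks and adds the missing taskmgr.exe from the first post. The dwm.exe file check and the DisableTaskMgr policy check are additions of this example that the thread does not mention, and FSS's MD5 comparison against its hash database is not reproduced.

```powershell
# Added example, not part of the original thread: re-run on a live Windows 7
# machine the checks behind the FSS log above (Defender policy, WinDefend and
# UxSms service state, the MpSvc.dll and taskmgr.exe files reported missing).
# Run from an elevated PowerShell prompt. DisableTaskMgr and dwm.exe are
# additions of this example; the MD5 comparison FSS does is not reproduced.

$findings = @()

# 1. The policy value FSS flagged. With DisableAntiSpyware=1 the Defender
#    service stays down even though its start type, ImagePath and ServiceDll
#    all look fine, which is exactly the pattern in the log.
$wdKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
$policy = Get-ItemProperty -Path $wdKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableAntiSpyware -eq 1) {
    $findings += "DisableAntiSpyware=1 under $wdKey"
}

# 2. Service state. WinDefend is Windows Defender; UxSms is the Desktop
#    Window Manager Session Manager, the service the Aero troubleshooter
#    reported as enabled while DWM stayed off.
foreach ($name in 'WinDefend', 'UxSms') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { $findings += "service $name is not installed"; continue }
    $cfg = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($svc.Status -ne 'Running') {
        $findings += "service $name is $($svc.Status) (StartMode=$($cfg.StartMode); ImagePath=$($cfg.PathName))"
    }
}

# 3. Files the thread reports deleted or missing. An absent protected system
#    file is a reason to run sfc /scannow, as the helper asked for.
$files = @(
    (Join-Path $env:ProgramFiles 'Windows Defender\MpSvc.dll'),
    (Join-Path $env:SystemRoot 'System32\taskmgr.exe'),
    (Join-Path $env:SystemRoot 'System32\dwm.exe')   # DWM binary itself (added here)
)
foreach ($f in $files) {
    if (-not (Test-Path -LiteralPath $f)) { $findings += "missing file: $f" }
}

# 4. Task Manager can also be blocked by policy rather than by deleting the
#    binary (not mentioned in the thread; checked here for completeness).
$sysPol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$tm = Get-ItemProperty -Path $sysPol -Name DisableTaskMgr -ErrorAction SilentlyContinue
if ($tm -and $tm.DisableTaskMgr -eq 1) { $findings += "DisableTaskMgr=1 under $sysPol" }

# Output in the same style as the FSS log so it can be pasted into a thread.
if ($findings.Count -eq 0) {
    'No findings.'
} else {
    $findings | ForEach-Object { "ATTENTION!=====> $_" }
}
```

On the machine in this thread the script would report the policy value, WinDefend stopped, UxSms stopped, and the two missing files; on a clean Windows 7 install it prints "No findings." The file checks only say whether a file is present, not whether it is genuine, so a present file still needs the hash comparison FSS or sfc performs.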
Scan with FRST in normal mode

Please download Farbar's Recovery Scan Tool to your desktop: FRST 32bit or FRST 64bit (if not sure: Start --> Computer (right click) --> Properties).

  • Run FRST.
  • Don't change any of the checkboxes and hit Scan.
  • Logfiles are created on your desktop.
  • Post the FRST.txt and (after the first scan only!) the Addition.txt.
Fix with FRST (normal mode)

  • Open Notepad (Start => All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this, highlight the contents of the box, right click on it and select Copy. Right-click in the open Notepad and select Paste.)
  • Save it to the same directory as frst.exe (or frst64.exe) as fixlist.txt.

    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.privitize.com/?aff=7
    URLSearchHook: HKLM - Connect DLC 5 Toolbar - {d1b5aad5-d1ae-4b20-88b1-feeaeb4c1ebc} - C:\Program Files\Connect_DLC_5\prxtbConn.dll (Conduit Ltd.)
    URLSearchHook: HKCU - Connect DLC 5 Toolbar - {d1b5aad5-d1ae-4b20-88b1-feeaeb4c1ebc} - C:\Program Files\Connect_DLC_5\prxtbConn.dll (Conduit Ltd.)
    SearchScopes: HKLM - DefaultScope {21D5AA1B-0B9B-4475-B0B7-02E9A1F9D5B2} URL =
    SearchScopes: HKCU - DefaultScope {21D5AA1B-0B9B-4475-B0B7-02E9A1F9D5B2} URL = http://search.condui...ultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3306061&CUI=UN40138600623188910&UM=2
    SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.privit...e.com/?aff=7&q={searchTerms}
    SearchScopes: HKCU - {171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E} URL = http://websearch.ask...5443&src=crm&q={searchTerms}&locale=en_EU
    SearchScopes: HKCU - {21D5AA1B-0B9B-4475-B0B7-02E9A1F9D5B2} URL = http://search.condui...ultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3306061&CUI=UN40138600623188910&UM=2
    SearchScopes: HKCU - {DF1303B7-AC3E-445C-9BCE-0C0F4A2DDE30} URL = http://search.yahoo....&type=937811&p={searchTerms}
    BHO: Connect DLC 5 Toolbar - {d1b5aad5-d1ae-4b20-88b1-feeaeb4c1ebc} - C:\Program Files\Connect_DLC_5\prxtbConn.dll (Conduit Ltd.)
    Toolbar: HKLM - Connect DLC 5 Toolbar - {d1b5aad5-d1ae-4b20-88b1-feeaeb4c1ebc} - C:\Program Files\Connect_DLC_5\prxtbConn.dll (Conduit Ltd.)
    Toolbar: HKCU - No Name - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} -  No File
    Toolbar: HKCU - No Name - {472734EA-242A-422B-ADF8-83D1E48CC825} -  No File
    Toolbar: HKCU - Connect DLC 5 Toolbar - {D1B5AAD5-D1AE-4B20-88B1-FEEAEB4C1EBC} - C:\Program Files\Connect_DLC_5\prxtbConn.dll (Conduit Ltd.)
    S3 GarenaPEngine; \??\C:\Users\teo\AppData\Local\Temp\TMK72A4.tmp [x]
    C:\Program Files\Connect_DLC_5
    C:\Program Files\MyPC Backup
    C:\Users\teo\AppData\Local\Temp\TMK72A4.tmp
    C:\ProgramData\Conduit
    C:\Users\teo\AppData\Local\Conduit
    C:\Program Files\Conduit
    C:\ProgramData\Conduit
    search: MpSvc.dll

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
  • Run frst.exe (on 64-bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt), which you will find where you saved FRST. Please post it in your reply.

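Every line of the fixlist above corresponds to a registry location that browser hijackers such as the Conduit and privitize.com entries use. The PowerShell script below is an added example, not part of the thread and not FRST's code: it enumerates those locations (IE start page, URLSearchHooks, SearchScopes, toolbars, Browser Helper Objects), resolves each CLSID to the DLL behind it so that "No File" leftovers and third-party toolbar DLLs stand out, and lists services or drivers whose ImagePath points into a Temp folder, as the GarenaPEngine entry did. It reports only; removal stays with a fixlist written for the specific machine. The allow-list of search hosts is an assumption of this example.

```powershell
# Added example, not part of the original thread: enumerate the IE hijack
# points the FRST fixlist targets and resolve each CLSID to its DLL.
# Report only. The allowed search hosts below are an assumption.

$allowedSearchHosts = @('www.bing.com', 'www.google.com')

function Resolve-Clsid {
    param([string]$Clsid)
    # An in-process COM server records its DLL in CLSID\{guid}\InprocServer32 (default value).
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    $dll = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if (-not $dll) { return 'No File (CLSID not registered)' }
    if (Test-Path -LiteralPath $dll) { return $dll }
    return "No File ($dll)"
}

function Get-UrlHost {
    param([string]$Url)
    # A regex rather than [Uri]: hijacker URLs carry {searchTerms} placeholders.
    if ($Url -match '^[A-Za-z]+://([^/:?#]+)') { return $Matches[1] }
    return ''
}

foreach ($hive in 'HKLM', 'HKCU') {
    $ie = "${hive}:\Software\Microsoft\Internet Explorer"

    $start = (Get-ItemProperty -Path "$ie\Main" -ErrorAction SilentlyContinue).'Start Page'
    if ($start) { "$hive Start Page = $start" }

    # URLSearchHooks: value names are the CLSIDs of the hook objects.
    $hooks = Get-Item -Path "$ie\URLSearchHooks" -ErrorAction SilentlyContinue
    if ($hooks) {
        foreach ($c in ($hooks.GetValueNames() | Where-Object { $_ -like '{*}' })) {
            "$hive URLSearchHook $c -> $(Resolve-Clsid $c)"
        }
    }

    # SearchScopes: DefaultScope names the subkey the address bar searches with.
    $scopes = Get-Item -Path "$ie\SearchScopes" -ErrorAction SilentlyContinue
    if ($scopes) {
        "$hive DefaultScope = $($scopes.GetValue('DefaultScope'))"
        foreach ($sub in $scopes.GetSubKeyNames()) {
            $url = (Get-ItemProperty -Path "$ie\SearchScopes\$sub" -ErrorAction SilentlyContinue).URL
            $h = Get-UrlHost $url
            $flag = ''
            if ($h -and ($allowedSearchHosts -notcontains $h)) { $flag = '   <-- not an allowed search host' }
            "$hive SearchScope $sub URL = $url$flag"
        }
    }

    # Toolbars: HKLM lists them under Toolbar, HKCU under Toolbar\WebBrowser.
    $tbKey = if ($hive -eq 'HKLM') { "$ie\Toolbar" } else { "$ie\Toolbar\WebBrowser" }
    $tb = Get-Item -Path $tbKey -ErrorAction SilentlyContinue
    if ($tb) {
        foreach ($c in ($tb.GetValueNames() | Where-Object { $_ -like '{*}' })) {
            "$hive Toolbar $c -> $(Resolve-Clsid $c)"
        }
    }
}

# Browser Helper Objects are registered as one CLSID-named subkey each under HKLM.
$bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
Get-ChildItem -Path $bhoKey -ErrorAction SilentlyContinue | ForEach-Object {
    "BHO $($_.PSChildName) -> $(Resolve-Clsid $_.PSChildName)"
}

# Services or drivers whose binary lives in a Temp directory deserve a look;
# the fixlist's GarenaPEngine entry pointed at a .tmp file that no longer existed ([x]).
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $img = (Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if ($img -and $img -match '\\Temp\\') {
        $path = ($img -replace '^\\\?\?\\', '') -replace '"', ''   # strip the \??\ NT prefix and quotes
        $exists = Test-Path -LiteralPath $path
        "Service $($_.PSChildName) ImagePath = $img (file exists: $exists)"
    }
}
```

Run from an elevated prompt so the HKLM and HKCR keys are readable. On the machine in this thread the output would show the privitize.com start page, the Conduit hook, BHO and toolbar CLSID {d1b5aad5-...} resolving to prxtbConn.dll, the two HKCU toolbar CLSIDs resolving to "No File", every SearchScope except a Bing or Google one flagged, and the GarenaPEngine service with "file exists: False". Drivers are included in the last loop because kernel services (type S3 in FRST's notation) do not appear in Win32_Service, only in the Services registry key.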
That's another thing we'll address later. First we have to repair Windows Defender.

Windows Repair (all-in-one)

Please download Windows Repair (all in one) from here.

Install the program, then run it.

Go to step 2 and allow it to run Disk Check.

Once that is done, go to step 3 and allow it to run SFC by clicking Do it.

On the Start Repairs tab, click Start.
Within the opening window, hit Unselect All.
Check only the following:

  • Reset Registry Permissions
  • Reset File Permissions
  • Register System Files
  • Repair Windows Firewall
  • Repair Windows Updates

Then click on Start.

DON'T use the computer while each scan is in progress.

A restart may be needed to finish the repair procedure.

Let me know how that worked out for you.
