AdvancedSetup (Root Admin), posted August 16, 2016 (ID:1056696)

There is something odd going on with your shortcuts for Internet Explorer, Chrome, and Firefox. I'll try to have this script clean and remove but if it cannot remove them then I'd suggest you manually delete them and create new shortcuts for them.

Please download the attached fixlist.txt file and save it to the Desktop.

NOTE: It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thanks

aliza (Author), posted August 16, 2016 (ID:1056814), edited August 16, 2016 by aliza

I did both and it made no difference. Something I noticed though, is that it doesn't change when I shut my computer down and turn it back on, only on restart. And it's not just the shortcut, it completely uninstalls Chrome and it disappears from my computer.

Another thing, on that FRST log I saw "premenstrual" which says whitelisted under registry. It was this odd named virus I got that played audio of adware. I got rid of it so why's it in the log?

AdvancedSetup (Root Admin), posted August 17, 2016 (ID:1056967)

It's not a virus, just a Trojan threat. We need to track down how it's actually being triggered.

Please delete your current FRST logs and then run the following.

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following check-boxes:
Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Devices
List Users, Partitions and Memory size.
List Minidump Files

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using Reset FF Proxy Settings option Firefox should be closed.

Next, run FRST again, but make sure you place a check mark in the Additions.txt check box and post back both new logs as attachments.

Thanks

aliza (Author), posted August 18, 2016 (ID:1057082)

MTB.txt
FRST.txt
Addition.txt

AdvancedSetup (Root Admin), posted August 18, 2016 (ID:1057092)

You're having an error that you need to look at correcting. As for what is removing the browsers I'm not seeing anything that would indicate that it's doing it yet.

Application errors:
==================
Error: (08/16/2016 03:36:01 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.
System Error:
Access is denied.
.

Error: (08/16/2016 03:35:37 PM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005, Access is denied.
. This is often caused by incorrect security settings in either the writer or requestor process.
Operation:
Gathering Writer Data
Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {661ca899-8bb9-4a9f-a2b8-a549fac542fa}

This repair method was written for Windows 8.1 not Windows 10, I'm sure the fix is very similar on Windows 10 but some listings or methods may be slightly different. Please review and try to repair this service.

System State backup using Windows Server Backup fails with error: System writer is not found in the backup
https://support.microsoft.com/en-us/kb/2009272

Next, you have these Applications crashing. Not sure if they're all crashing on their own or if one of them is crashing causing the other to crash. MBAM is one of them.

Error: (08/15/2016 10:46:14 PM) (Source: Application Error) (User: )
Description: Faulting application name: mbam.exe, version: 2.3.173.0, time stamp: 0x56e065b4
Faulting module name: ntdll.dll, version: 10.0.10586.306, time stamp: 0x571afb7f
Exception code: 0xc0000374
Fault offset: 0x000dc7c9
Faulting process id: 0x66c
Faulting application start time: 0xmbam.exe0
Faulting application path: mbam.exe1
Faulting module path: mbam.exe2
Report Id: mbam.exe3
Faulting package full name: mbam.exe4
Faulting package-relative application ID: mbam.exe5

Error: (08/14/2016 05:27:37 PM) (Source: Application Error) (User: )
Description: Faulting application name: taskhostw.exe, version: 10.0.10586.0, time stamp: 0x5632d756
Faulting module name: ntdll.dll, version: 10.0.10586.306, time stamp: 0x571af2eb
Exception code: 0xc0000005
Fault offset: 0x00000000000227d5
Faulting process id: 0x1c60
Faulting application start time: 0xtaskhostw.exe0
Faulting application path: taskhostw.exe1
Faulting module path: taskhostw.exe2
Report Id: taskhostw.exe3
Faulting package full name: taskhostw.exe4
Faulting package-relative application ID: taskhostw.exe5

Error: (08/13/2016 10:34:11 PM) (Source: Application Error) (User: )
Description: Faulting application name: MapleStory.exe, version: 8.175.1.1, time stamp: 0x57873d1c
Faulting module name: MapleStory.exe, version: 8.175.1.1, time stamp: 0x57873d1c
Exception code: 0xc0000005
Fault offset: 0x0145eb95
Faulting process id: 0x27b8
Faulting application start time: 0xMapleStory.exe0
Faulting application path: MapleStory.exe1
Faulting module path: MapleStory.exe2
Report Id: MapleStory.exe3
Faulting package full name: MapleStory.exe4
Faulting package-relative application ID: MapleStory.exe5

Let me have you run the following please.

Please download the attached fixlist.txt file and save it to the Desktop.

NOTE: It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thanks

aliza (Author), posted August 19, 2016 (ID:1057354)

Fixlog.txt

AdvancedSetup (Root Admin), posted August 20, 2016 (ID:1057419)

As you can see from this log.

"C:\Users\hannah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Int?rn?t ??pl?r?r.lnk" => Could not move.
"C:\Users\hannah\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\G??gl? ?hr?m?.lnk" => Could not move.
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\??zill? Fir?f??.lnk" => Could not move.

Please restart your computer into Safe Mode. Then see if you can find those links for each of the browsers and delete them from there manually. Then restart the computer and let me know if they came back on their own or not.

aliza (Author), posted August 25, 2016 (ID:1058370)

How do I find the links? I'm a little confused, sorry.

AdvancedSetup (Root Admin), posted August 26, 2016 (ID:1058440)

Copy this and then paste it into your Search or Run line and then hit the Enter key and it should take you to the main folder where the link is.

C:\Users\hannah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
C:\Users\hannah\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
C:\ProgramData\Microsoft\Windows\Start Menu\Programs

Then highlight and delete the link for the browser in question.
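
Added example, not part of any post in this thread: a small Python check that lists shortcut (.lnk) files in the three folders above whose names contain non-ASCII characters or mix alphabets. It assumes the `?` marks in the Fixlog stand for characters the log could not render, such as lookalike letters from another alphabet; the sample name in the comments is constructed, not taken from the machine.

```python
import os
import unicodedata

# Folders named in the thread; change the profile name for another machine.
SHORTCUT_DIRS = [
    r"C:\Users\hannah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories",
    r"C:\Users\hannah\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs",
]

def script_of(ch):
    """First word of the Unicode name ('LATIN', 'CYRILLIC', ...) for letters only."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def inspect_name(filename):
    """Report which alphabets a shortcut name uses and every non-ASCII character."""
    stem = os.path.splitext(filename)[0]
    scripts = sorted({s for s in map(script_of, stem) if s})
    non_ascii = [(i, f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
                 for i, c in enumerate(stem) if ord(c) > 127]
    # A name that mixes alphabets (e.g. Latin 'G' with Cyrillic 'o') is the
    # pattern assumed here; a name in one non-Latin alphabet is only listed.
    return {"name": filename, "scripts": scripts,
            "non_ascii": non_ascii, "suspicious": len(scripts) > 1}

def scan(dirs=SHORTCUT_DIRS):
    """Return findings for every .lnk file with non-ASCII characters in its name."""
    findings = []
    for folder in dirs:
        if not os.path.isdir(folder):
            continue  # folder absent on this machine
        for entry in os.listdir(folder):
            if entry.lower().endswith(".lnk"):
                info = inspect_name(entry)
                if info["suspicious"] or info["non_ascii"]:
                    info["folder"] = folder
                    findings.append(info)
    return findings

if __name__ == "__main__":
    # Constructed sample of what such a name could look like:
    # inspect_name("G\u043e\u043egl\u0435 \u0421hr\u043em\u0435.lnk")
    for f in scan():
        flag = "MIXED ALPHABETS" if f["suspicious"] else "non-ASCII"
        print(f"{flag}: {f['folder']}\\{ascii(f['name'])}")
        for pos, code, uname in f["non_ascii"]:
            print(f"    position {pos}: {code} {uname}")
```

The output prints names with `ascii()` so that lookalike letters show up as escape codes instead of rendering like the real browser name.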

aliza (Author), posted August 27, 2016 (ID:1058716)

I did that but it didn't seem to change anything. Malwarebytes is still crashing and Chrome is still deleting anytime I restart my computer, or recently it's gone off a few times in short power outages and Chrome is gone when I power it on.

AdvancedSetup (Root Admin), posted August 30, 2016 (ID:1059070), edited August 30, 2016 by AdvancedSetup

These instructions are for Windows 7 and 8 but hopefully, you can adapt them to Windows 10, if not then let me know and I'll write up specific to Windows 10.

On a clean machine, please download Farbar Recovery Scan Tool and save it to a flash drive.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Plug the flash drive into the infected PC.

If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

If you are using Vista or Windows 7 enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

Note: In case you can not enter System Recovery Options by using F8 method, you can use Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

==========
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt

==========
Once in the Command Prompt:
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

aliza (Author), posted August 30, 2016 (ID:1059270)

I don't have a flash drive.

AdvancedSetup (Root Admin), posted August 31, 2016 (ID:1059300)

Let me see if I can do this another way, if not then you might have to take the computer to a repair shop. I'll try to post back sometime tomorrow. If I've not then send me a PM reminder.

Thanks

AdvancedSetup (Root Admin), posted September 6, 2016 (ID:1060360)

I don't have a good easy way to do this. You'll need to see if you can borrow, or buy a USB stick or you may have to take it in to the shop to have someone look at fixing this for you.

The complexity of finding, preventing, and cleanup from malware