
Windows Explorer and Notepad.exe crashes



I am not good at English so please bear with me 'cause I really need some help.

I don't know what happened but I'm pretty sure my laptop is infected with virus/es.

It just happened that every time I wanted to open a notepad file, it will not open and rather opens a message box which tells that "Notepad.exe has stopped working" and my laptop begins to lag, making it hard for me to close the message box, and after I close it, my laptop runs again normally. I tried to open notepad and same result... and when I right click on my desktop, a message box shows that "Windows Explorer has stopped working" then my laptop lags, making it also hard for me to click the "restart the program (not exactly the words but same idea)" and when I click it, my laptop runs again normally. I tried to go to C:\windows, since I've read some forums that this may be a result of notepad.exe duplication, but when I scroll and about to see the notepad.exe, the message box "Windows Explorer has stopped working" will appear and etc.

Also, I noticed that I can't even access some of my libraries, such as "My Documents" and "Program Files" since it will make the "Windows Explorer has stopped working" message box appear.

I've also tried to fix the problem on my own with the help of the internet and most of the results suggest that I should do a "sfc /scannow" on cmd. After that, I've found out that, there are some corrupted files on my computer (which the sfc /scannow couldn't fix) that causes this problem, but I cannot distinguish what are those files since I cannot understand the result/log. I've attached the scan log.

 

Please help me with this, 'cause I can't make a backup of my files in my document since I can't access it.

sfcdetails.txt

Link to post
Share on other sites

Hello ikesh and welcome to Malwarebytes,

My screen name is kevinf80, I'm here to help clean up your system. Make sure to run all scans from accounts with Administrator status, continue as follows please:

Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good...

Run the following:

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach those logs to your reply.


Let me see those logs in your reply...

Thank you,

Kevin...
Link to post
Share on other sites

Thanks for those logs, continue please:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

Next,

Please open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the Scan is complete Apply Actions to any found entries.
  • Wait for the prompt to restart the computer to appear (if applicable), then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.


To get the log from Malwarebytes do the following:
 
  • Click on the History tab > Application Logs.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:
    Copy to Clipboard - if selected right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
    XML file (*.xml) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
     
  • Please use "Copy to Clipboard", then right click to your reply > select "Paste", that will copy the log to your reply…


Next,


Download AdwCleaner by Xplode onto your Desktop.
 
  • Double click on Adwcleaner.exe to run the tool.
  • Click on the Scan in the Actions box
  • Please wait for the scan to finish..
  • When "Waiting for action.Please uncheck elements you want to keep" shows in top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...


Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan, either accept the alert or turn off your security to allow Sophos to run and complete.....
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....


Let me see those logs, also tell me if there are any remaining issues or concerns...

Thank you,

Kevin...

Fixlist.txt

Link to post
Share on other sites

Here are the logs:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11/1/2016
Scan Time: 8:12 PM
Logfile: 
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.11.01.06
Rootkit Database: v2016.10.31.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7
CPU: x86
File System: NTFS
User: Avalon

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 352830
Time Elapsed: 25 min, 22 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 16
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\APPID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}, , [d54597243862ae882d03729849bc05fb], 
PUP.Optional.Yontoo, HKLM\SOFTWARE\CLASSES\APPID\{a06deb06-a11f-4b8e-92a0-24792bcc7372}, , [8a9022997426b77fea51afc18c76ce32], 
PUP.Optional.Yontoo, HKLM\SOFTWARE\CLASSES\APPID\{bb311e82-638e-4689-b39a-beafc11e3575}, , [a476febd0991330361dcf17f49b907f9], 
PUP.Optional.Reimage, HKU\S-1-5-21-3984370261-2715952794-1954133040-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{10ECCE17-29B5-4880-A8F5-EAD298611484}, , [bf5bc2f90a90a492294d8e6811f3b14f], 
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\REI_AxControl.ReiEngine, , [bf5bc2f90a90a492294d8e6811f3b14f], 
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\REI_AxControl.ReiEngine.1, , [bf5bc2f90a90a492294d8e6811f3b14f], 
PUP.Optional.Yontoo, HKU\S-1-5-21-3984370261-2715952794-1954133040-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{B278C3A7-9980-475F-9450-95DF38C6DCD7}, , [56c4cfec4d4d3ef881bb2947d32f7f81], 
PUP.Optional.Yontoo, HKU\S-1-5-21-3984370261-2715952794-1954133040-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{B278C3A7-9980-475F-9450-95DF38C6DCD7}, , [56c4cfec4d4d3ef881bb2947d32f7f81], 
PUP.Optional.SpringFiles, HKLM\SOFTWARE\SrpnFiles, , [ee2cffbc6d2d3afc4e7a9f2a5da5fe02], 
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\APPID\REI_AxControl.DLL, , [1dfd6c4f3a6014229cce20d6f0148779], 
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\TYPELIB\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0, , [61b9219ac2d824128ea7ca40f90c52ae], 
PUP.Optional.Reimage, HKLM\SOFTWARE\REIMAGE\Reimage Repair, , [8c8e3784e5b526105d1436e159ac27d9], 
PUP.Optional.DNSUnlocker.ACMB2, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{E1527582-8509-4011-B922-29E3FB548882}_is1, , [61b9e4d7168493a37b279b5c3ec5a759], 
PUP.Optional.SpyHunter, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\ESGSCANNER, , [4dcde0db4a508aacca7620e7f114748c], 
PUP.Optional.Reimage, HKU\S-1-5-21-3984370261-2715952794-1954133040-1000\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS\Reimage - Windows Problem Relief., , [ba60b803bcdea88e591ba94d4fb58e72], 
PUP.Optional.Reimage, HKU\S-1-5-21-3984370261-2715952794-1954133040-1000\SOFTWARE\REIMAGE\PC REPAIR, , [03177942bae0fc3a4035d91d4cb8c13f], 

Registry Values: 3
PUP.Optional.Reimage, HKLM\SOFTWARE\CLASSES\TYPELIB\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}\1.0, REI_AxControl 1.0 Type Library, , [61b9219ac2d824128ea7ca40f90c52ae]
PUP.Optional.SpyHunter, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\ESGSCANNER|ImagePath, system32\DRIVERS\EsgScanner.sys, , [4dcde0db4a508aacca7620e7f114748c]
PUP.Optional.Reimage, HKU\S-1-5-21-3984370261-2715952794-1954133040-1000\SOFTWARE\REIMAGE\PC REPAIR|QuitMessage,  , , [03177942bae0fc3a4035d91d4cb8c13f]

Registry Data: 0
(No malicious items detected)

Folders: 2
PUP.Optional.DNSUnlocker.ACMB2, C:\ProgramData\c1f38efa-4bf5-0, , [d347e5d6a1f9df5753333295788a5aa6], 
PUP.Optional.DNSUnlocker.ACMB2, C:\ProgramData\c1f38efa-5165-1, , [71a93388d5c5132333530bbcbd455ea2], 

Files: 2
PUP.Optional.SpyHunter, C:\Windows\System32\drivers\EsgScanner.sys, , [01ce484ff6d70a39479bc6d619de7ed6], 
PUP.Optional.SpeedItUp, C:\Windows\Reimage.ini, , [1efc6f4c603a94a2f1c4f20ca65ebd43], 

Physical Sectors: 0
(No malicious items detected)


(end)

 

# AdwCleaner v6.030 - Logfile created 01/11/2016 at 21:02:02
# Updated on 19/10/2016 by Malwarebytes
# Database : 2016-11-01.2 [Server]
# Operating System : Windows 7 Ultimate  (X86)
# Username : Avalon - AVALON-PC
# Running from : C:\Users\Avalon\Downloads\AdwCleaner.exe
# Mode: Clean
# Support : hxxps://www.malwarebytes.com/support

***** [ Services ] *****

***** [ Folders ] *****

***** [ Files ] *****

***** [ DLL ] *****

***** [ WMI ] *****

***** [ Shortcuts ] *****

[-] Shortcut disinfected: C:\Users\Marianne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
[-] Shortcut disinfected: C:\Users\Marianne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
[-] Shortcut disinfected: C:\Users\Marianne\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[-] Shortcut disinfected: C:\Users\Marianne\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk
[-] Shortcut disinfected: C:\Users\Marianne\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
[-] Shortcut disinfected: C:\Users\Anthony\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
[-] Shortcut disinfected: C:\Users\Anthony\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
[-] Shortcut disinfected: C:\Users\Anthony\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[-] Shortcut disinfected: C:\Users\Anthony\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk
[-] Shortcut disinfected: C:\Users\Anthony\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk


***** [ Scheduled Tasks ] *****

***** [ Registry ] *****

[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}
[-] Key deleted: HKU\S-1-5-21-3984370261-2715952794-1954133040-1000\Software\Reimage
[#] Key deleted on reboot: HKCU\Software\Reimage
[-] Key deleted: HKLM\SOFTWARE\Reimage
[-] Key deleted: HKLM\SOFTWARE\wondershare
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\11598763487076930564


***** [ Web browsers ] *****

[-] [C:\Users\Marianne\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: aol.com
[-] [C:\Users\Marianne\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: ask.com


*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [2926 Bytes] - [01/11/2016 21:02:02]
C:\AdwCleaner\AdwCleaner[S0].txt - [3978 Bytes] - [01/11/2016 20:59:45]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [3072 Bytes] ##########
 

 

For the Sophos, after the scan, it found 1 threat and when I clicked details, a dialog box appears saying "notepad.exe has stopped working" (which is my main problem) and so I clicked start cleanup and close the application, went to the directory "C:\ProgramData\Sophos\Sophos Virus Removal Tool", but can't continue to the logs folder because the same dialog box appears when I double click it. So what I did is, compressed the logs folder so I can attach it to my reply.

Sophos Logs.rar

Link to post
Share on other sites

In addition, I was able to copy the logs of malwarebytes and adwcleaner because I changed their default program as wordpad but I wasn't able to change the default program of the log of Sophos since it has a .log extension and I can't even go to its directory to right click it and change its default program. I can't even change it in "control panel>default programs>associate a file type or protocol with a program" since whenever I click the "associate a file type or protocol with a program", a dialog box appears saying that "Windows explorer has stopped working" and my laptop starts to lag, making it hard for me to click the "restart the program" option (same thing happens when the "Notepad has stopped working" dialog box appears).

Link to post
Share on other sites

Did you run FRST fix, can I see that log..

Next,

Download RKill from here: http://www.bleepingcomputer.com/download/rkill/

There are three buttons to choose from with different names on, select the first one and save it to your desktop.
 
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7/8/10, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log. Please post this in your next reply.
  • If you do not see the black box flash on the screen delete the icon from the desktop and go back to the link for the download, select the next button and try to run the tool again, continue to repeat this process using the remaining buttons until the tool runs. You will find further links if you scroll down the page with other names, try them one at a time.
  • If the tool does not run from any of the links provided, please let me know.

Thanks,

Kevin

 

 

 

Link to post
Share on other sites

Oh, sorry, forgot to include the log of FRST fix, here it is:

 

Fix result of Farbar Recovery Scan Tool (x86) Version: 30-10-2016
Ran by Avalon (01-11-2016 19:52:02) Run:1
Running from C:\Users\Avalon\Downloads
Loaded Profiles: Avalon (Available Profiles: Avalon & Marianne & Anthony)
Boot Mode: Normal

==============================================

fixlist content:
*****************
Start
CreateRestorePoint:
CloseProcesses:
GroupPolicy: Restriction ? <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
ManualProxies:
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3984370261-2715952794-1954133040-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
S3 catchme; \??\C:\Users\Avalon\AppData\Local\Temp\catchme.sys [X]
S3 cpuz134; \??\C:\Users\Avalon\AppData\Local\Temp\cpuz134\cpuz134_x32.sys [X]
ShortcutWithArgument: C:\Users\Avalon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://trustedsurf.com/?ssid=1459548673&a=1026400&src=sh&uuid=0a3b9fe7-1395-4002-8bb4-4ab46a85a7a3"
ShortcutWithArgument: C:\Users\Avalon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome\Chrome App Launcher.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.) -> "hxxp://trustedsurf.com/?ssid=1459548673&a=1026400&src=sh&uuid=0a3b9fe7-1395-4002-8bb4-4ab46a85a7a3"
ShortcutWithArgument: C:\Users\Avalon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://trustedsurf.com/?ssid=1459548673&a=1026400&src=sh&uuid=0a3b9fe7-1395-4002-8bb4-4ab46a85a7a3"
ShortcutWithArgument: C:\Users\Avalon\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.) -> "hxxp://trustedsurf.com/?ssid=1459548673&a=1026400&src=sh&uuid=0a3b9fe7-1395-4002-8bb4-4ab46a85a7a3"
ShortcutWithArgument: C:\Users\Avalon\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://trustedsurf.com/?ssid=1459548673&a=1026400&src=sh&uuid=0a3b9fe7-1395-4002-8bb4-4ab46a85a7a3"
ShortcutWithArgument: C:\Users\Avalon\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\9501e18d7c2ab92e\Google Chrome.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.) -> "hxxp://trustedsurf.com/?ssid=1459548673&a=1026400&src=sh&uuid=0a3b9fe7-1395-4002-8bb4-4ab46a85a7a3"
ShortcutWithArgument: C:\Users\Avalon\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\69639df789022856\Google Chrome.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.) -> "hxxp://trustedsurf.com/?ssid=1459548673&a=1026400&src=sh&uuid=0a3b9fe7-1395-4002-8bb4-4ab46a85a7a3"
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.) -> "hxxp://trustedsurf.com/?ssid=1459548673&a=1026400&src=sh&uuid=0a3b9fe7-1395-4002-8bb4-4ab46a85a7a3"
AlternateDataStreams: C:\Users\Avalon\Desktop\Security Check.exe:BDU [0]
Hosts:
CMD: ipconfig /flushdns 
RemoveProxy:
EmptyTemp:
end

*****************

Restore point was successfully created.
Processes closed successfully.
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
"HKLM\SOFTWARE\Policies\Google" => key removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet\ManualProxies\\ => value removed successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
"HKU\S-1-5-21-3984370261-2715952794-1954133040-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
catchme => service removed successfully.
cpuz134 => service removed successfully.
C:\Users\Avalon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk => Shortcut argument removed successfully..
C:\Users\Avalon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome\Chrome App Launcher.lnk => Shortcut argument removed successfully..
C:\Users\Avalon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk => Shortcut argument restored successfully
C:\Users\Avalon\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk => Shortcut argument removed successfully..
C:\Users\Avalon\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk => Shortcut argument removed successfully..
C:\Users\Avalon\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\9501e18d7c2ab92e\Google Chrome.lnk => Shortcut argument removed successfully..
C:\Users\Avalon\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\69639df789022856\Google Chrome.lnk => Shortcut argument removed successfully..
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk => Shortcut argument removed successfully..
C:\Users\Avalon\Desktop\Security Check.exe => ":BDU" ADS removed successfully..
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


========= RemoveProxy: =========

HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully.
HKU\S-1-5-21-3984370261-2715952794-1954133040-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully.
HKU\S-1-5-21-3984370261-2715952794-1954133040-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully.


========= End of RemoveProxy: =========


=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 45579542 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 5260702 B
Edge => 0 B
Chrome => 463710502 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 66228 B
Public => 0 B
ProgramData => 0 B
systemprofile => 34884 B
LocalService => 66708 B
NetworkService => 1572954 B
Avalon => 1105095408 B
Marianne => 238161 B
Anthony => 92727 B

RecycleBin => 0 B
EmptyTemp: => 1.5 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 19:52:34 ====

Link to post
Share on other sites
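The browser-shortcut entries in the Fixlog above and in the earlier AdwCleaner log can be triaged with a short script; this is an added example, not part of the thread or of either tool. It flags browser shortcuts whose argument is a URL and counts, per user profile, which tool's log reported them, using a subset of lines copied from the two logs (the helper names are hypothetical).

```python
import ntpath
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Subset of lines copied from the FRST Fixlog in this thread.
FRST_LINES = r'''
ShortcutWithArgument: C:\Users\Avalon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://trustedsurf.com/?ssid=1459548673&a=1026400&src=sh&uuid=0a3b9fe7-1395-4002-8bb4-4ab46a85a7a3"
ShortcutWithArgument: C:\Users\Avalon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://trustedsurf.com/?ssid=1459548673&a=1026400&src=sh&uuid=0a3b9fe7-1395-4002-8bb4-4ab46a85a7a3"
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.) -> "hxxp://trustedsurf.com/?ssid=1459548673&a=1026400&src=sh&uuid=0a3b9fe7-1395-4002-8bb4-4ab46a85a7a3"
'''

# Subset of lines copied from the AdwCleaner log in this thread.
ADW_LINES = r'''
[-] Shortcut disinfected: C:\Users\Marianne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
[-] Shortcut disinfected: C:\Users\Marianne\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[-] Shortcut disinfected: C:\Users\Anthony\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
'''

FRST_RE = re.compile(
    r'^ShortcutWithArgument: (?P<lnk>.+?\.lnk) -> (?P<target>.+?\.exe) '
    r'\((?P<vendor>[^)]*)\) -> "(?P<args>.*)"$')
ADW_RE = re.compile(r'^\[-\] Shortcut disinfected: (?P<lnk>.+\.lnk)$')
URL_RE = re.compile(r'\b(?:https?|hxxps?)://\S+', re.I)
BROWSERS = {'iexplore.exe', 'chrome.exe'}  # the two browsers seen in these logs


def profile_of(path):
    """Return the user profile a shortcut lives under, or 'all users'."""
    m = re.match(r'^[A-Za-z]:\\Users\\([^\\]+)\\', path)
    return m.group(1) if m else 'all users'


def hijacked_shortcuts(frst_text):
    """List browser shortcuts whose command-line argument contains a URL."""
    hits = []
    for line in frst_text.splitlines():
        m = FRST_RE.match(line.strip())
        if not m:
            continue
        exe = ntpath.basename(m['target']).lower()
        url = URL_RE.search(m['args'])
        if exe in BROWSERS and url:
            # The logs defang the scheme as hxxp; undo that only to parse the host.
            parsed = urlsplit(re.sub(r'^hxxp', 'http', url.group(0), flags=re.I))
            hits.append({'profile': profile_of(m['lnk']), 'lnk': m['lnk'],
                         'browser': exe, 'host': parsed.hostname})
    return hits


def coverage(frst_text, adw_text):
    """Count shortcut findings per profile and per tool log."""
    cov = defaultdict(lambda: {'FRST': 0, 'AdwCleaner': 0})
    for hit in hijacked_shortcuts(frst_text):
        cov[hit['profile']]['FRST'] += 1
    for line in adw_text.splitlines():
        m = ADW_RE.match(line.strip())
        if m:
            cov[profile_of(m['lnk'])]['AdwCleaner'] += 1
    return dict(cov)


if __name__ == '__main__':
    for hit in hijacked_shortcuts(FRST_LINES):
        print(hit['profile'], hit['browser'], hit['host'])
    print(coverage(FRST_LINES, ADW_LINES))
```

In these logs every FRST shortcut entry sits under Avalon's profile or ProgramData, while the AdwCleaner entries sit under Marianne and Anthony, so a per-profile count shows whether each account was covered by at least one tool.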

Here's the log of RKill:

Rkill 2.8.4 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2016 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 11/04/2016 02:16:08 PM in x86 mode.
Windows Version: Windows 7 Ultimate 

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity: 

 * No issues found.

Searching for Missing Digital Signatures: 

 * No issues found.

Checking HOSTS File: 

 * No issues found.

Program finished at: 11/04/2016 02:17:10 PM
Execution time: 0 hours(s), 1 minute(s), and 2 seconds(s)
 

Link to post
Share on other sites

Yes, "Windows Explorer has stopped working" dialog box still appears whenever I right click on my desktop and library. "Notepad has stopped working" dialog box still appears also whenever I open a document with it, but I can run it when I type "notepad" on search in windows button and click the first result (since it shows two notepads, and when I try to open the other one, the same dialog box appears)

Link to post
Share on other sites

Please download and run SFCFix from here: www.sysnative.com/niemiro/apps/SFCFix.exe

It will take about 15 minutes to process. You will be prompted to select any key to continue several times, please do so.

Once the scan has completed a notepad file called SFCFix.txt will launch with the results.

Please copy or attach that file to your reply...

 

 

Link to post
Share on other sites

SFCFix version 3.0.0.0 by niemiro.
Start time: 2016-11-05 22:32:48.349
Microsoft Windows 7  - x86
Not using a script file.


AutoAnalysis::
SUMMARY: No corruptions were detected.
AutoAnalysis:: directive completed successfully.


Successfully processed all directives.
SFCFix version 3.0.0.0 by niemiro has completed.
Currently storing 0 datablocks.
Finish time: 2016-11-05 22:33:31.622
----------------------EOF-----------------------

Link to post
Share on other sites

There are some instances wherein "Windows Explorer has stopped working" dialog box appears, one is when I right click on my desktop, the dialog box appears and then I'll click the "restart the program" option, after that, the explorer.exe process will restart (I'm sure about this because the icons and the taskbar disappears and appears again in several seconds making it look that I just logged in). Also, there are some cases that the same dialog box appears when I navigate in my directory wherein I cannot go to that certain folder since when that dialog box appears, it restarts the explorer.exe and therefore restarts also the windows explorer/library.

 

Then, the "Notepad.exe has stopped working" dialog box appears whenever I open a file associated (and by default) run by notepad.

Link to post
Share on other sites

Farbar Recovery Scan Tool (x86) Version: 30-10-2016
Ran by Avalon (07-11-2016 09:14:17)
Running from C:\Users\Avalon\Downloads
Boot Mode: Normal

================== Search Files: "notepad.exe;explorer.exe" =============

C:\Windows\explorer.exe
[2009-07-14 07:41][2009-07-14 09:14] 2613248 ____A (Microsoft Corporation) 15BC38A7492BEFE831966ADB477CF76F [File is digitally signed]

C:\Windows\notepad.exe
[2009-07-14 07:41][2009-07-14 09:14] 0179712 ____A (Microsoft Corporation) D378BFFB70923139D6A4F546864AA61C [File is digitally signed]

C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_6ef0e39ed15350e4\notepad.exe
[2009-07-14 07:41][2009-07-14 09:14] 0179712 ____A (Microsoft Corporation) D378BFFB70923139D6A4F546864AA61C [File is digitally signed]

C:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_42a023025c60a33a\notepad.exe
[2009-07-14 07:41][2009-07-14 09:14] 0179712 ____A (Microsoft Corporation) D378BFFB70923139D6A4F546864AA61C [File is digitally signed]

C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_53bc10fdd7fe87ca\explorer.exe
[2016-05-01 13:18][2010-11-20 20:17] 2616320 ____A (Microsoft Corporation) 40D777B7A95E00593EB1568C68514493 [File is digitally signed]

C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe
[2009-07-14 07:41][2009-07-14 09:14] 2613248 ____A (Microsoft Corporation) 15BC38A7492BEFE831966ADB477CF76F [File is digitally signed]

C:\Windows\System32\notepad.exe
[2009-07-14 07:41][2009-07-14 09:14] 0179712 ____A () D378BFFB70923139D6A4F546864AA61C [File is digitally signed]

C:\Windows\erdnt\cache\explorer.exe
[2016-04-01 00:48][2009-07-14 09:14] 2613248 ____A (Microsoft Corporation) 15BC38A7492BEFE831966ADB477CF76F [File is digitally signed]

====== End of Search ======

Link to post
Share on other sites
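The file search above lends itself to a mechanical check, shown here as an added example that is not from the thread or from FRST: each live copy of notepad.exe or explorer.exe is compared by name, size and MD5 against the WinSxS copies listed in the same output. The records are copied from the log, except one constructed record (hypothetical path, placeholder hash, assumed "File not signed" wording) that exercises the failure path.

```python
import re
from ntpath import basename

# Records copied from the FRST "Search Files" output in this thread (subset).
SEARCH_OUTPUT = r'''
C:\Windows\explorer.exe
[2009-07-14 07:41][2009-07-14 09:14] 2613248 ____A (Microsoft Corporation) 15BC38A7492BEFE831966ADB477CF76F [File is digitally signed]

C:\Windows\notepad.exe
[2009-07-14 07:41][2009-07-14 09:14] 0179712 ____A (Microsoft Corporation) D378BFFB70923139D6A4F546864AA61C [File is digitally signed]

C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_6ef0e39ed15350e4\notepad.exe
[2009-07-14 07:41][2009-07-14 09:14] 0179712 ____A (Microsoft Corporation) D378BFFB70923139D6A4F546864AA61C [File is digitally signed]

C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_53bc10fdd7fe87ca\explorer.exe
[2016-05-01 13:18][2010-11-20 20:17] 2616320 ____A (Microsoft Corporation) 40D777B7A95E00593EB1568C68514493 [File is digitally signed]

C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe
[2009-07-14 07:41][2009-07-14 09:14] 2613248 ____A (Microsoft Corporation) 15BC38A7492BEFE831966ADB477CF76F [File is digitally signed]

C:\Windows\System32\notepad.exe
[2009-07-14 07:41][2009-07-14 09:14] 0179712 ____A () D378BFFB70923139D6A4F546864AA61C [File is digitally signed]
'''

# Constructed record, NOT from the thread: hypothetical path, placeholder hash,
# and an assumed wording for the signature field.
CONSTRUCTED_EXTRA = r'''
C:\Users\Example\AppData\Local\Temp\notepad.exe
[2016-10-30 10:00][2016-10-30 10:00] 0181248 ____A () 00000000000000000000000000000000 [File not signed]
'''

META = re.compile(
    r'^\[(?P<created>[^\]]+)\]\[(?P<modified>[^\]]+)\] (?P<size>\d+) (?P<attrs>\S+) '
    r'\((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32}) \[(?P<sig>[^\]]+)\]$')


def parse_search(text):
    """Pair each path line with the metadata line that follows it."""
    records, path = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith('='):
            continue
        m = META.match(line)
        if m and path:
            rec = m.groupdict()
            rec.update(path=path, name=basename(path).lower(),
                       size=int(rec['size']), md5=rec['md5'].upper(),
                       in_store='\\winsxs\\' in path.lower())
            records.append(rec)
            path = None
        elif not m:
            path = line
    return records


def review(records):
    """Map every copy outside WinSxS to a list of notes (empty list = consistent)."""
    store = {(r['name'], r['md5'], r['size']) for r in records if r['in_store']}
    findings = {}
    for r in records:
        if r['in_store']:
            continue
        notes = []
        if (r['name'], r['md5'], r['size']) not in store:
            notes.append('no matching component-store copy')
        if r['sig'] != 'File is digitally signed':
            notes.append('not reported as signed')
        if not r['company']:
            notes.append('empty company field')
        findings[r['path']] = notes
    return findings


if __name__ == '__main__':
    for path, notes in review(parse_search(SEARCH_OUTPUT + CONSTRUCTED_EXTRA)).items():
        print(path, '->', notes or 'consistent')
```

A match only shows that the live copy equals a copy in the component store on the same disk; the store itself is not an independent reference.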

Notepad and Explorer are in the right place and are not corrupt or patched by malware. Run the following and see if there is any improvement....

Click on Start > All Programs > Accessories:

Right-click on the Command Prompt entry

Select "Run as Administrator" accept the UAC prompt - the Elevated Command Prompt window should pop up.

At the Command prompt, type

CHKDSK C: /R

hit the Enter key.

You will get a message that the drive cannot be locked, but that the command can be scheduled to run at the next boot - hit the Y key, press Enter, and then reboot.

The CHKDSK may take a few hours depending on the size of the drive, so be patient!

After the CHKDSK has run use the following instructions to find the log:

Check Disk report:
 
  • Press the WindowsKey + R on your keyboard at the same time. Type eventvwr into the run box and click OK.
  • In the left panel, expand Windows Logs and then click on Application.
  • Now, on the right side, click on Filter Current Log.
  • Under Event Sources, check only Wininit and click OK.
  • You may be presented with one or multiple Wininit logs.
  • Click on an entry corresponding to the date and time of the disk check.
  • On the top main menu, click Action > Copy > Copy Details as Text.
  • Paste the contents into your next reply.



Next,

Now run SFC.

SFC -System File Checker - Instructions

Click on Start > All Programs > Accessories

Right-click on the Command Prompt entry

Select "Run as Administrator" accept the UAC prompt - the Elevated Command Prompt window should pop up.

At the Command prompt, type

SFC /SCANNOW

hit the Enter key

Wait for the scan to finish - make a note of any error messages - and then reboot.


Copy the CBS.log file created (C:\Windows\Logs\CBS\CBS.log) to your desktop (you can't manipulate it directly) and then compress the copy and upload the zip file to your reply.

Next,

Zip up and attach the two following files:

C:\Windows\explorer.exe

C:\Windows\notepad.exe

Thank you,

Kevin....

 

Link to post
Share on other sites

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

 

fixlist.txt

Link to post
Share on other sites

Fix result of Farbar Recovery Scan Tool (x86) Version: 30-10-2016
Ran by Avalon (09-11-2016 11:58:00) Run:2
Running from C:\Users\Avalon\Downloads
Loaded Profiles: Avalon (Available Profiles: Avalon & Marianne & Anthony)
Boot Mode: Normal

==============================================

fixlist content:
*****************
Start
Reg: reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"
end


*****************


========= reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" =========


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
    CriticalSectionTimeout    REG_DWORD    0x278d00
    GlobalFlag    REG_DWORD    0x0
    HeapDeCommitFreeBlockThreshold    REG_DWORD    0x0
    HeapDeCommitTotalFreeThreshold    REG_DWORD    0x0
    HeapSegmentCommit    REG_DWORD    0x0
    HeapSegmentReserve    REG_DWORD    0x0
    ProcessorControl    REG_DWORD    0x2
    ResourceTimeoutCount    REG_DWORD    0x9e340
    BootExecute    REG_MULTI_SZ    autocheck autochk /p \??\C:\0autocheck autochk *
    ExcludeFromKnownDlls    REG_MULTI_SZ    
    ObjectDirectories    REG_MULTI_SZ    \Windows\0\RPC Control
    ProtectionMode    REG_DWORD    0x1
    NumberOfInitialSessions    REG_DWORD    0x2
    SetupExecute    REG_MULTI_SZ    

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppPatches
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\DOS Devices
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Executive
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\FileRenameOperations
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Power
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Quota System
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\WPA


========= End of Reg: =========


==== End of Fixlog 11:58:00 ====

Link to post
Share on other sites

I have reset the autocheck and scheduled a checkdisk after, but then it still won't do a checkdisk after reboot, and when I checked the bootexecute's value, the value is this "autocheck autochk /r \??\C: autocheck autochk *".

I tried to change again the value, but after I schedule a checkdisk, it goes back to that value.

Link to post
Share on other sites
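BootExecute lists the native programs the Session Manager runs at boot before the normal subsystem starts, so the `reg query` output in the second Fixlog and the value quoted in the last post are worth reading entry by entry. The following is an added example, not from the thread or from FRST: it splits the REG_MULTI_SZ data on the `\0` separator that `reg query` prints and classes each entry; treating `autocheck autochk *` as the stock entry and any SetupExecute entry as reviewable are assumptions of the example, and the function names are hypothetical.

```python
import re

# Copied from the "reg query" section of the second Fixlog in this thread (subset).
REG_QUERY = r'''
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
    CriticalSectionTimeout    REG_DWORD    0x278d00
    BootExecute    REG_MULTI_SZ    autocheck autochk /p \??\C:\0autocheck autochk *
    ExcludeFromKnownDlls    REG_MULTI_SZ
    ObjectDirectories    REG_MULTI_SZ    \Windows\0\RPC Control
    SetupExecute    REG_MULTI_SZ
'''

# Constructed: the value quoted in the last post, rewritten in reg query's \0 form.
LATER_VALUE = r'''
    BootExecute    REG_MULTI_SZ    autocheck autochk /r \??\C:\0autocheck autochk *
'''

# Constructed: a hypothetical extra native image, to exercise the review path.
CONSTRUCTED_ODD = r'''
    BootExecute    REG_MULTI_SZ    autocheck autochk *\0example_native_image
'''

DEFAULT_ENTRY = 'autocheck autochk *'  # assumed stock BootExecute entry
SCHEDULED = re.compile(r'autocheck autochk /([A-Za-z]) \\\?\?\\([A-Za-z]:)')


def parse_values(reg_text):
    """Parse 'name    TYPE    data' lines; REG_MULTI_SZ data becomes a list."""
    values = {}
    for line in reg_text.splitlines():
        parts = re.split(r'\s{4,}', line.strip(), maxsplit=2)
        if len(parts) < 2 or not parts[1].startswith('REG_'):
            continue  # key paths and blank lines
        data = parts[2] if len(parts) == 3 else ''
        if parts[1] == 'REG_MULTI_SZ':
            data = [s for s in data.split('\\0') if s]
        values[parts[0]] = data
    return values


def triage(reg_text):
    """Return (entry, verdict) pairs for BootExecute and SetupExecute."""
    values = parse_values(reg_text)
    boot = values.get('BootExecute', [])
    report = []
    for entry in boot:
        m = SCHEDULED.fullmatch(entry)
        if entry == DEFAULT_ENTRY:
            report.append((entry, 'default'))
        elif m:
            verdict = 'scheduled check /%s on %s' % (m.group(1).lower(), m.group(2).upper())
            report.append((entry, verdict))
        else:
            report.append((entry, 'review'))
    if DEFAULT_ENTRY not in boot:
        report.append(('BootExecute', 'default entry missing'))
    for entry in values.get('SetupExecute', []):
        report.append((entry, 'review'))
    return report


if __name__ == '__main__':
    for sample in (REG_QUERY, LATER_VALUE, CONSTRUCTED_ODD):
        print(triage(sample))
```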

This topic is now closed to further replies.