MysticCobra

Can't launch MB or FRST...how to get started?


While browsing BBC.com on my Win10 64-bit laptop and watching some videos in Chrome, I ran across some old ones that required Flash, so I switched to IE to watch them.  Along the way, I got a popup telling me I needed a Flash upgrade, and clicked on it (looked just like a normal Adobe window).  Then it popped up a weird DOS window with "ping localhost -n" or something like that in the window title, and a text-based installation progress bar.  Looking back at the original Adobe window, I noticed a bogus URL--they got me, good.  Argh.

So I immediately came here to download MBAM (or now MB3, I guess).  I can install it, and I see it in the tray, but when I pick "Open Malwarebytes" from that tray icon, nothing happens.

I tried following the instructions here:  

However, when I try to visit the website to download FRST64.exe, my browser immediately closes (happens whether using IE, Chrome, or Edge).  I was able to download the tool via another machine and move it over to the infected one, but when I try to run it, the user interface flashes on the screen for a few milliseconds and disappears.

So I can't even seem to get started in removing this malware.  It looks pretty nasty.

I have not rebooted the infected machine yet, for whatever that's worth.

What do I do, now?

 


Hello MysticCobra and welcome to Malwarebytes,

Please download Farbar Recovery Scan Tool from here:

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

save it to a USB flash drive. Ensure to get the correct version for your system, 32 bit or 64 bit...

Next,

From your Desktop select the start Flag (bottom lefthand corner of screen)

Hold down the "Shift key" of your keyboard, keep it down and select "Restart"




Your PC should open to the "Choose an Option" window.... release shift key.




From that window select "Troubleshoot"




From the next window select "Advanced Options"




From that Window select "Command Prompt"

Ensure to plug the flash drive into a USB port... You should now be in Recovery Environment with the Command Prompt Window open......

Continue with the following:
 
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type E:\frst64 or E:\frst depending on your version. Press Enter
  • Note: Replace letter E with the drive letter of your flash drive. <<<----very important
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. You will need to boot back to Normal windows to post the log, or if applicable do that action from a spare PC...
  • To boot back to windows, type exit at the prompt and hit enter
  • Please copy and paste or attach FRST log to your reply.


Thanks,

Kevin...


Save the attached file fixlist.txt to your flash drive, same place as FRST.
Now please enter System Recovery Options as you did to get the log.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Next,

Boot back to normal windows, see if Malwarebytes will run....

Thanks,

Kevin

fixlist.txt


I was able to run FRST with the fixlist file you provided.  The resulting log file is attached.

However, I was unable to run Malwarebytes after rebooting.  The application did not autostart, and when I tried to launch it manually, I got an error that it was "Unable to connect the Service".  I did some Googling and followed the instructions to manually start the service via Services.msc applet.  In the Services list, "Malwarebytes Service" is listed with "Startup Type" = Automatic, but the Status field is blank.   When I right-click and try to "Start" the service, I get an error that Windows could not start the service on the Local Computer because the service did not respond in a timely fashion (Error 1053).

New fixlog file is attached.

Fixlog.txt
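
The Error 1053 start failure described in the post above can be narrowed down from an elevated PowerShell prompt. This is an added example, not part of the original thread: the display name is the one quoted in the post, and the two-day event window is an assumption.

```powershell
# Added example: triage a service that fails to start with Error 1053.
# Display name as shown in services.msc in the post above; adjust if yours differs.
$displayName = 'Malwarebytes Service'

$svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='$displayName'"
if (-not $svc) {
    Write-Warning "No service with display name '$displayName' is registered."
    return
}

# Registered state, start mode, logon account and the command line the
# Service Control Manager (SCM) launches.
$svc | Format-List Name, DisplayName, State, StartMode, StartName, ExitCode, PathName

# PathName may be quoted and may carry arguments; pull out the executable path.
# (The unquoted fallback stops at the first space.)
if ($svc.PathName -match '^\s*"([^"]+)"' -or $svc.PathName -match '^\s*(\S+)') {
    $exe = $Matches[1]
    if (Test-Path -LiteralPath $exe) {
        # A status other than Valid points at a damaged or replaced binary.
        Get-AuthenticodeSignature -LiteralPath $exe |
            Format-List Status, StatusMessage,
                @{ Name = 'Signer'; Expression = { $_.SignerCertificate.Subject } }
    } else {
        Write-Warning "Service binary not found on disk: $exe"
    }
}

# SCM events that accompany a 1053 timeout:
#   7000 = service failed to start, 7009 = timeout waiting for the service to connect.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7000, 7009
    StartTime    = (Get-Date).AddDays(-2)   # assumed window
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$displayName*" } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

A missing binary or an invalid signature indicates the installation itself is damaged, which is consistent with the remove-and-reinstall route taken next in the thread.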


I assume you can boot normally, is that correct? If so, do the following:

Totally Remove Malwarebytes from your system:

Download the latest version of Malwarebytes cleanup tool from here: https://downloads.malwarebytes.com/file/mb_clean and save to your Desktop..

If applicable, backup your Malwarebytes license key information and deactivate the product.

Close all open applications and deactivate Malwarebytes <---- Very important, do not miss that step

To deactivate Malwarebytes:

Right click on tray icon, from the opened list select "Quit Malwarebytes". A UAC alert will open, select "Yes" to deactivate Malwarebytes...
 
  • Double-click mb-clean.exe to run it
  • A prompt to confirm the cleanup will appear, select Yes or No
  • Yes - will proceed with the cleanup process <---- Select this option to start the tool
  • No - will exit the utility
  • The Utility will launch a Command Prompt window which will disappear once the cleanup process completes.
  • Once completed, a log file ("mb-cleanresult.txt") will be on your desktop and you'll be prompted to reboot
  • We recommend an immediate reboot <--- Do Not miss out this step
  • Suppressing the reboot may result in an incomplete cleanup
  • Upon reboot Malwarebytes will be totally removed from your system


To re-install Malwarebytes:

Download Malwarebytes version 3 from the following link:

https://www.malwarebytes.com/mwb-download/thankyou/
 
  • Double click on the installer and follow the prompts. If necessary select the Blue Help tab for video instructions....
  • When the install completes and is updated do the following:
  • Open Malwarebytes, select > "settings" > "protection tab"
  • Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....
  • Go back to "DashBoard" select the Blue "Scan Now" tab......



When the scan completes deal with any found entries... Then select "Export Summary" then "Text File (*.txt)" name that log and save , you can copy or attach that to your reply...

Does Malwarebytes run ok....?


Thank you again, Kevin.  I was able to successfully uninstall and reinstall Malwarebytes, then subsequently perform a scan per your instructions.  It identified and quarantined the following threats:

  • Rootkit.Fileless.MTGen (Registry Value)  (ID 1384)
  • Rootkit.Fileless.MTGen (Registry Key)  (ID 1384)
  • Trojan.Fileless.MTGen (Registry Value)  (ID 367)
  • Trojan.Kovter (File) (ID 47)

 

One hiccup:  When the scan completed, it prompted me to restart, which I confirmed.  During the process, Windows froze on the "Restarting" screen (with the spinny-dot-circle icon frozen).  Cursor locked up and everything.  Never seen that before.  I waited several minutes to see if it would recover, but it didn't, so I eventually held down the power button to get it to shut down, then powered it back on.

I will perform another scan to confirm no additional threats found, but I am cautiously optimistic that this has resolved my infection.

Many thanks for the help!


Thanks for the update, post the log from Malwarebytes when complete:

To get the log from Malwarebytes do the following:

  • Click on the Reports tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:

      Copy to Clipboard - if selected, right click to your reply and select "Paste", log will be pasted to your reply
      Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop", then attach to reply

  • Please use "Copy to Clipboard", then Right click to your reply > select "Paste", that will copy the log to your reply…

Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.

Let me see those logs in your reply...

Thanks,

Kevin...


Hmm.  I have run two Malwarebytes scans now.  The first found the four items mentioned in my last post.  The second found 16 PUPs.  After each scan completed, I quarantined all threats found, and allowed Malwarebytes to initiate a reboot.

Both times, the computer froze while on the "Restarting" screen.  Is this common?

I found your latest post while waiting for the second Malwarebytes scan to complete.  After forcing a power cycle to complete the reboot after that scan, I ran FRST as indicated.

The log files from both Malwarebytes scans and the two log files generated by the FRST scan are attached.

Malwarebytes log 2.txt

Addition.txt

FRST.txt

Malwarebytes log 1.txt


Freezing is not expected after a reboot initiated by Malwarebytes... continue as follows:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

Next,

Please download Zemana AntiMalware and save it to your Desktop.
 
  • Install the program and once the installation is complete it will start automatically.
  • Without changing any options, press Scan to begin.
  • After the short scan is finished, if threats are detected press Next to remove them.
    Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please re-boot your computer manually.
     
  • Open Zemana AntiMalware again.
  • Click on user posted image icon and double click the latest report.
  • Now click File > Save As and choose your Desktop before pressing Save.
  • Attach saved report in your next message.


Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....



The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.


Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Let me see those logs, also let me know if there are any remaining issues or concerns....

Thank you,

Kevin...

fixlist.txt


Kevin, I performed the steps as you listed them.  The FRST log and Zemana log are attached.  Sophos reported no threats found:  "Your computer is clean."

Regarding remaining issues/concerns, I do have some Win10 behavior changes after all this that are surprising to me.  The behavior of the toolbar has changed:  Left-clicking the Windows icon in the lower left has no effect, whereas that used to be how I could get to my installed applications, access the logout / reboot functions, etc.  If I right-click that icon, I can get access to a number of systems management functions (Device Manager, Network Connections, Windows PowerShell, etc.), and also the "Shut down or sign out" menu.  Do you have any suggestions for how I can restore the "Start menu"-type functionality I used to have via left-click, or shall I go figure that out on my own?  Similarly, my quick-launch icons in the toolbar behave differently.  Left-clicking still launches these apps, but right-clicking no longer brings up the context menu I'm used to.  For instance, I can't right-click the Windows folder icon to bring up a menu from which to open additional Windows Explorer windows--I can only left-click on this icon and open one window, and then subsequent left-clicks will toggle between minimizing it and bringing it to the foreground.  Similarly for Chrome, I can left-click the icon to launch the app, but right-clicking will not bring up the context menu that used to allow me to open multiple instances of Chrome, or open an Incognito instance, etc.

Any pointers in how to restore that previous toolbar functionality would be appreciated, but I understand if that's beyond the scope of this forum.  Thank you very much for your help with my virus removal!

Fixlog.txt

Zemana 2017.11.17-15.48.35-i0-t92-d4.txt


Thanks for the logs and the concise update, much appreciated. Run the following Windows repair tool, when complete let me know if what you describe has been fixed...

Download Portable Windows Repair (all in one) from one of the following:

www.tweaking.com/files/setups/tweaking.com_windows_repair_aio.zip

http://www.majorgeeks.com/mg/getmirror/tweaking_com_windows_repair_portable,1.html

https://www.bleepingcomputer.com/download/windows-repair-all-in-one/

Unzip the contents into a newly created folder on your desktop.

Boot your system to Safe mode, instructions here: https://support.microsoft.com/en-gb/help/12376/windows-10-start-your-pc-in-safe-mode

Open the Tweaking.com folder, run the tool by right click on Repair_Windows (icon with red briefcase) select "Run as Administrator"

From the main GUI do the following:

Select Tab 5 to make Registry backup, use the recommended option...


When complete select "Repairs" tab, from there select "Open Repairs" tab..

From that window select the default option and checkmark "Select All" box. When ready select "Start Repairs" tab....


When complete re-boot your system to Normal mode, see if there is any improvement...

Logs are saved to the Tweaking.com folder on your Desktop, the one to post is _Windows_Repair_Log.txt
 
Let me see that log... Also tell me if there are any remaining issues or concerns...
 
Thank you,
 
Kevin....


I was able to follow your instructions, downloading from majorgeeks, extracting, then rebooting to Safe Mode (choice 4, without networking).  However, when I right-clicked on Repair_Windows and chose "Run as Administrator"...

...nothing happened.  I tried this repeatedly, and monitored via the Task Manager, and never saw any attempt for the app to launch.  I also tried launching just by double-clicking, also with no effect.

I don't think I've ever seen this particular behavior before.  I've seen apps launch and immediately halt, but this is like Windows is completely ignoring my launch request.  I don't even get a blue spinning circle or any indication that any attempt to launch is occurring.


(BTW, I will be traveling for the next few days and will only have sporadic access to the internet.  I am still very interested in pursuing this, and will be checking in as frequently as I can, so please don't think I've lost interest.  Thank you very much for your prompt responses as we have worked through this issue!)


This sounds to me that maybe there is registry damage to either services, settings, or possibly both... The best way forward is to "REFRESH" your operating system. That option will reinstall Windows without losing  personal files, folders, data, etc... You will however have to reinstall any 3rd party software you have previously installed yourself..

Go to this link: https://www.tenforums.com/tutorials/4090-refresh-windows-10-a.html

Follow the options to "REFRESH" Windows, do not use "RESET" or you will make a complete fresh install and lose all personal stuff..

Let me know if that helps....

Thanks,

Kevin


Thank you for this recommendation, Kevin.  Of course, I would prefer to avoid the hassle of reinstalling all of my applications, so I am trying to see if there are any other options.  

I have seen suggestions to try using Windows PowerShell to perform various scans and repairs, but so far my attempts to follow those instructions have failed with errors.

I have also attempted to reinstall Windows using the "upgrade" option, which will preserve all installed applications as well as personal data.  However, that has also failed with errors.

I may be just about out of ideas, though, so it might not be long before I bite the bullet and resort to your suggestion.


Hello MysticCobra,

As the windows repair tool by Tweaking.com failed the only recommendation I can advise is to use the Windows "REFRESH" option...

Thank you,

Kevin...


After much messing around with other repair options, I returned to the Tweaking.com tool and tried to run it again, and this time it was successful.

I'm not sure which of the 46 things it did that contributed to restoring my toolbar behavior to normal, but it did indeed do that, which is huge!  I really did not want to do a Windows Reset and reinstall all my applications.  Looks like I have some settings that I'll need to go clean up, but that's a small issue now that the machine appears to be fully restored.

The repair log you requested is attached.

_Windows_Repair_Log.txt


Hello MysticCobra,

That is really odd, Tweaking tool misses out first run and makes the fix on the same second run. Not sure why that should happen, but very pleased with the end result....

If you have no remaining issues or concerns I guess we can clean up.

Uninstall Sophos AV and Zemana http://www.askvg.com/how-to-completely-uninstall-remove-a-software-program-in-windows-without-using-3rd-party-software/

Also delete this folder if still present: C:\ProgramData\Sophos

Next,

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix, either accept the alert or turn your security off.

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make Sure the following items are checked:

 
  • Remove disinfection tools <----- this will remove tools we may have used.
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
  • Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection


Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...

 


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.
