
Windows 10 Desktop infected with virus that survives reformat!


  • This topic is locked
14 replies to this topic

#1 adameast9000

  • Members
  • 17 posts

Posted 28 January 2016 - 07:19 PM

I have a custom desktop with an SSD. Windows 10 was installed; however, I think I got a virus from some online game. Anyway, now MBAM won't install (svchost.exe access denied), SFC is saying there's corruption, and RKill is saying that there are missing services and incorrect ImagePaths. I decided to just completely format the drive (using the Windows 10 installer, I removed all partitions until it was all unallocated space and then created a new partition). Then I installed Win10 fresh, and the first thing I tried to do was run RKill, which shows the SAME services are missing and the same incorrect ImagePaths. Also, MBAM won't install, with the same error as earlier. I'm baffled by this. Thanks in advance for advice.

******

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:27-01-2016
Ran by Adam (administrator) on DESKTOP-HVDDIQS (28-01-2016 19:16:40)
Running from C:\Users\Adam\Downloads
Loaded Profiles: Adam (Available Profiles: defaultuser0 & Adam)
Platform: Windows 10 Education Version 1511 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Edge)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
(Microsoft Corporation) C:\Windows\System32\browser_broker.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Broadcom Corporation.) C:\Windows\System32\BtwRSupportService.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe
 

==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [1795728 2015-07-13] (NVIDIA Corporation)
HKLM-x32\...\Run: [StereoLinksInstall] => C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvstlink.exe [1064592 2015-07-13] (NVIDIA Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{47a25546-315b-4faa-930b-560af75e8606}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
 
FireFox:
========
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2015-07-13] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2015-07-13] (NVIDIA Corporation)
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 asComSvc; C:\Program Files (x86)\ASUS\AXSP\1.01.02\atkexComSvc.exe [936728 2013-07-04] ()
R2 BcmBtRSupport; C:\Windows\system32\BtwRSupportService.exe [2278152 2015-07-28] (Broadcom Corporation.)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [364464 2015-10-30] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2015-10-30] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [15232 2013-07-04] ()
R3 bcbtums; C:\Windows\system32\drivers\bcbtums.sys [199472 2015-07-28] (Broadcom Corporation.)
R3 BCM43XX; C:\Windows\system32\DRIVERS\bcmwl63a.sys [7585280 2015-10-30] (Broadcom Corporation)
R3 MEIx64; C:\Windows\System32\drivers\TeeDriverW8x64.sys [202032 2016-01-19] (Intel Corporation)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44568 2015-10-30] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [293216 2015-10-30] (Microsoft Corporation)
R3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [118112 2015-10-30] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 

==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-01-28 22:07 - 2016-01-28 22:07 - 00000020 ___SH C:\Users\defaultuser0\ntuser.ini
2016-01-28 22:07 - 2016-01-28 22:07 - 00000000 _SHDL C:\Users\Public\Documents\My Videos
2016-01-28 22:07 - 2016-01-28 22:07 - 00000000 _SHDL C:\Users\Public\Documents\My Pictures
2016-01-28 22:07 - 2016-01-28 22:07 - 00000000 _SHDL C:\Users\Public\Documents\My Music
2016-01-28 22:07 - 2016-01-28 22:07 - 00000000 _SHDL C:\Users\defaultuser0\My Documents
2016-01-28 22:07 - 2016-01-28 22:07 - 00000000 _SHDL C:\Users\defaultuser0\Documents\My Videos
2016-01-28 22:07 - 2016-01-28 22:07 - 00000000 _SHDL C:\Users\defaultuser0\Documents\My Pictures
2016-01-28 22:07 - 2016-01-28 22:07 - 00000000 _SHDL C:\Users\defaultuser0\Documents\My Music
2016-01-28 22:07 - 2016-01-28 22:07 - 00000000 _SHDL C:\Users\Default\My Documents
2016-01-28 22:07 - 2016-01-28 22:07 - 00000000 _SHDL C:\Users\Default\Documents\My Videos
2016-01-28 22:07 - 2016-01-28 22:07 - 00000000 _SHDL C:\Users\Default\Documents\My Pictures
2016-01-28 22:07 - 2016-01-28 22:07 - 00000000 _SHDL C:\Users\Default\Documents\My Music
2016-01-28 22:07 - 2016-01-28 22:07 - 00000000 _SHDL C:\Users\Default User\Documents\My Videos
2016-01-28 22:07 - 2016-01-28 22:07 - 00000000 _SHDL C:\Users\Default User\Documents\My Pictures
2016-01-28 22:07 - 2016-01-28 22:07 - 00000000 _SHDL C:\Users\Default User\Documents\My Music
2016-01-28 22:07 - 2016-01-28 22:07 - 00000000 _SHDL C:\Documents and Settings
2016-01-28 22:07 - 2016-01-28 22:07 - 00000000 ____D C:\Users\defaultuser0
2016-01-28 22:07 - 2016-01-28 19:09 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-01-28 22:06 - 2016-01-28 22:07 - 00000000 ____D C:\Windows\Panther
2016-01-28 22:06 - 2016-01-28 22:06 - 00189240 _____ C:\Windows\system32\FNTCACHE.DAT
2016-01-28 22:06 - 2016-01-28 22:06 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdFs_01_11_00.Wdf
2016-01-28 22:06 - 2016-01-28 22:06 - 00000000 ____D C:\Windows\ServiceProfiles
2016-01-28 19:16 - 2016-01-28 19:16 - 02370560 _____ (Farbar) C:\Users\Adam\Downloads\FRST64.exe
2016-01-28 19:16 - 2016-01-28 19:16 - 00004734 _____ C:\Users\Adam\Downloads\FRST.txt
2016-01-28 19:16 - 2016-01-28 19:16 - 00000000 ____D C:\Users\Adam\AppData\Roaming\Macromedia
2016-01-28 19:16 - 2016-01-28 19:16 - 00000000 ____D C:\FRST
2016-01-28 19:14 - 2016-01-28 19:14 - 02032072 _____ (Bleeping Computer, LLC) C:\Users\Adam\Downloads\rkill (1).exe
2016-01-28 19:13 - 2016-01-28 19:15 - 00834360 _____ C:\Windows\system32\PerfStringBackup.INI
2016-01-28 19:13 - 2016-01-28 19:13 - 02032072 _____ (Bleeping Computer, LLC) C:\Users\Adam\Downloads\rkill.exe
2016-01-28 19:13 - 2016-01-28 19:13 - 00002864 _____ C:\Users\Adam\Desktop\Rkill.txt
2016-01-28 19:13 - 2016-01-28 19:13 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_ASMBSW_01_11_00.Wdf
2016-01-28 19:13 - 2016-01-28 19:13 - 00000000 ____D C:\ProgramData\NVIDIA
2016-01-28 19:13 - 2016-01-28 19:13 - 00000000 ____D C:\Program Files\ASUS
2016-01-28 19:13 - 2016-01-28 19:13 - 00000000 ____D C:\Program Files (x86)\ASUS
2016-01-28 19:13 - 2015-07-13 12:37 - 06873744 _____ (NVIDIA Corporation) C:\Windows\system32\nvcpl.dll
2016-01-28 19:13 - 2015-07-13 12:37 - 03493008 _____ (NVIDIA Corporation) C:\Windows\system32\nvsvc64.dll
2016-01-28 19:13 - 2015-07-13 12:37 - 02558792 _____ (NVIDIA Corporation) C:\Windows\system32\nvsvcr.dll
2016-01-28 19:13 - 2015-07-13 12:37 - 00937616 _____ (NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
2016-01-28 19:13 - 2015-07-13 12:37 - 00385168 _____ (NVIDIA Corporation) C:\Windows\system32\nvmctray.dll
2016-01-28 19:13 - 2015-07-13 12:37 - 00062792 _____ (NVIDIA Corporation) C:\Windows\system32\nvshext.dll
2016-01-28 19:13 - 2015-07-13 12:17 - 00572048 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvStreaming.exe
2016-01-28 19:13 - 2015-07-13 11:28 - 05096627 _____ C:\Windows\system32\nvcoproc.bin
2016-01-28 19:13 - 2013-07-04 03:32 - 00028672 _____ (ASUSTek Computer Inc.) C:\Windows\SysWOW64\AsIO.dll
2016-01-28 19:13 - 2013-07-04 03:32 - 00015232 _____ C:\Windows\SysWOW64\Drivers\AsIO.sys
2016-01-28 19:12 - 2016-01-28 19:13 - 00000000 ____D C:\ProgramData\NVIDIA Corporation
2016-01-28 19:12 - 2016-01-28 19:13 - 00000000 ____D C:\Program Files\NVIDIA Corporation
2016-01-28 19:12 - 2016-01-28 19:13 - 00000000 ____D C:\Program Files (x86)\NVIDIA Corporation
2016-01-28 19:12 - 2016-01-28 19:12 - 00000000 ____D C:\Users\Adam\AppData\Local\MicrosoftEdge
2016-01-28 19:12 - 2015-07-13 20:45 - 00112784 _____ (Khronos Group) C:\Windows\system32\OpenCL.dll
2016-01-28 19:11 - 2016-01-28 19:11 - 00002360 _____ C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2016-01-28 19:11 - 2016-01-28 19:11 - 00000000 ___RD C:\Users\Adam\OneDrive
2016-01-28 19:11 - 2016-01-28 19:11 - 00000000 ____D C:\Users\Adam\AppData\Local\ActiveSync
2016-01-28 19:11 - 2016-01-28 19:11 - 00000000 ____D C:\ProgramData\Microsoft OneDrive
2016-01-28 19:10 - 2016-01-28 19:10 - 00000000 ____D C:\ProgramData\USOShared
2016-01-28 19:09 - 2016-01-28 19:11 - 00000000 ____D C:\Users\Adam
2016-01-28 19:09 - 2016-01-28 19:10 - 00000000 ____D C:\Users\Adam\AppData\Local\Packages
2016-01-28 19:09 - 2016-01-28 19:09 - 00000020 ___SH C:\Users\Adam\ntuser.ini
2016-01-28 19:09 - 2016-01-28 19:09 - 00000000 _SHDL C:\Users\Adam\My Documents
2016-01-28 19:09 - 2016-01-28 19:09 - 00000000 _SHDL C:\Users\Adam\Documents\My Videos
2016-01-28 19:09 - 2016-01-28 19:09 - 00000000 _SHDL C:\Users\Adam\Documents\My Pictures
2016-01-28 19:09 - 2016-01-28 19:09 - 00000000 _SHDL C:\Users\Adam\Documents\My Music
2016-01-28 19:09 - 2016-01-28 19:09 - 00000000 __RHD C:\Users\Public\AccountPictures
2016-01-28 19:09 - 2016-01-28 19:09 - 00000000 ____D C:\Users\defaultuser0\AppData\Local\VirtualStore
2016-01-28 19:09 - 2016-01-28 19:09 - 00000000 ____D C:\Users\defaultuser0\AppData\Local\TileDataLayer
2016-01-28 19:09 - 2016-01-28 19:09 - 00000000 ____D C:\Users\defaultuser0\AppData\Local\Packages
2016-01-28 19:09 - 2016-01-28 19:09 - 00000000 ____D C:\Users\Adam\AppData\Roaming\Adobe
2016-01-28 19:09 - 2016-01-28 19:09 - 00000000 ____D C:\Users\Adam\AppData\Local\VirtualStore
2016-01-28 19:09 - 2016-01-28 19:09 - 00000000 ____D C:\Users\Adam\AppData\Local\TileDataLayer
2016-01-28 19:09 - 2016-01-28 19:09 - 00000000 ____D C:\Users\Adam\AppData\Local\Publishers
2016-01-28 19:07 - 2016-01-28 19:07 - 00000000 ____D C:\Windows\CSC
2016-01-28 19:07 - 2015-10-30 02:17 - 02718208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\PrintConfig.dll
2016-01-19 22:50 - 2016-01-19 22:50 - 00202032 _____ (Intel Corporation) C:\Windows\system32\Drivers\TeeDriverW8x64.sys
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-01-28 22:07 - 2015-10-30 01:28 - 00000000 ____D C:\Windows\system32\Sysprep
2016-01-28 22:06 - 2015-10-30 02:24 - 00028672 _____ C:\Windows\system32\config\BCD-Template
2016-01-28 19:15 - 2015-10-30 02:21 - 00000000 ____D C:\Windows\INF
2016-01-28 19:13 - 2015-10-30 02:24 - 00000000 ____D C:\Windows\Help
2016-01-28 19:10 - 2015-10-30 02:24 - 00000000 ___HD C:\Program Files\WindowsApps
2016-01-28 19:10 - 2015-10-30 02:24 - 00000000 ____D C:\Windows\AppReadiness
2016-01-28 19:10 - 2015-10-30 02:24 - 00000000 ____D C:\ProgramData\USOPrivate
2016-01-28 19:09 - 2015-10-30 02:24 - 00000000 ___RD C:\Windows\PurchaseDialog
2016-01-28 19:09 - 2015-10-30 02:24 - 00000000 ___RD C:\Windows\PrintDialog
2016-01-28 19:09 - 2015-10-30 02:24 - 00000000 ___RD C:\Windows\MiracastView
2016-01-28 19:09 - 2015-10-30 02:24 - 00000000 ___RD C:\Windows\ImmersiveControlPanel
2016-01-28 19:08 - 2015-10-30 02:24 - 00000000 ____D C:\Windows\system32\oobe
2016-01-28 19:08 - 2015-10-30 02:11 - 00000000 ____D C:\Windows\CbsTemp
2016-01-28 19:08 - 2015-10-30 01:28 - 00131072 ___SH C:\Windows\system32\config\BBI
2016-01-28 19:07 - 2015-10-30 02:24 - 00000000 ____D C:\Windows\system32\spool
2016-01-28 19:07 - 2015-10-30 02:24 - 00000000 ____D C:\Windows\system32\FxsTmp
2016-01-28 19:07 - 2015-10-30 01:28 - 00032768 ___SH C:\Windows\system32\config\ELAM
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
C:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION
 

LastRegBack: 2016-01-28 22:06
 
==================== End of FRST.txt ============================

 


#2 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,683 posts
  • Gender:Male

Posted 29 January 2016 - 09:57 PM

Hi adameast9000 :)

My name is Aura and I'll be assisting you with your issue. Please give me a few hours to review your logs, and work on a reply.

Thank you!

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,683 posts
  • Gender:Male

Posted 30 January 2016 - 04:15 PM

Hi adameast9000 :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name; it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!;
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules;
  • Finally, in the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process;
  • Since I'm still a trainee, all my posts have to be reviewed by an instructor prior to being posted, to make sure that you receive the best assistance possible. Sorry for the inconvenience;
This being said, it's time to clean-up some malware, so let's get started, shall we? :)

I see that you have Windows 10 Education installed. Did you buy it, or did your school, College, University, etc. provide it to you?
 

Then I installed win10 fresh, and the first thing I try to do is run rkill, which shows the SAME services are missing and the same incorrect imagepaths.


This is a known issue with RKill under Windows 10 right now. These are false positives. Grinler said that he'll adjust these detections on Monday (hopefully), so you can ignore them. They aren't malicious, dangerous nor do they cause harm to your system in any way. See the thread below for more information.

http://www.bleepingcomputer.com/forums/t/308364/rkill-what-it-does-and-what-it-doesnt-a-brief-introduction-to-the-program/page-61#entry3887035

Now, I would like to see your CBS.log after running SFC, just to make sure that no system files are corrupt. If there are, that would explain why SFC fails to install.

System File Checker (SFC)
Follow the instructions below to run a SFC scan on your system and to provide the CBS log in your next reply;
  • On Windows Vista & 7, click on the Windows Start Menu, then enter cmd in the search box, right-click on the cmd icon and select Run as Administrator;
  • On Windows 8, drag your cursor in the bottom-left corner, and right-click on the metro menu preview, then select Command Prompt (Admin);
  • On Windows 8.1, right click on the Windows logo in the bottom-left corner and select Command Prompt (Admin);
  • Enter the command below and press on Enter;
    sfc /scannow
    Note: There's a space between "sfc" and "/scannow";
  • Once the scan is complete, enter the command below and press on Enter
    copy %windir%\logs\cbs\cbs.log "%userprofile%\Desktop\cbs.txt"
  • A file called cbs.txt will have appeared on your Desktop. Upload the file on Dropbox, Google Drive or OneDrive and post the download URL for it here;
    Note: Please note that the CBS.log is volatile, which means that if you don't upload it after the SFC scan is completed, it won't have the information from the scan anymore. So archive it and upload it as soon as you can.
Your next reply should include:
  • Download URL to the cbs.txt file obtained after running SFC;



#4 adameast9000
  • Topic Starter

  • Members
  • 17 posts

Posted 30 January 2016 - 05:57 PM

https://onedrive.live.com/redir?resid=D102F9A0DB5A2968!22860&authkey=!ABzUg7WS4Db6Nog&ithint=file%2ctxt

 

Windows 10 education product key was provided by university



#5 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,683 posts
  • Gender:Male

Posted 30 January 2016 - 06:17 PM

Thank you for the log.

Here are the main issues reported in the CBS.log following your SFC scan.

2016-01-28 23:10:57, Info                  CSI    000049dc [SR] Cannot repair member file [l:9]"csrss.exe" of Microsoft-Windows-Csrss, version 10.0.10586.0, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35} in the store, file cannot be checked
2016-01-28 23:10:57, Info                  CSI    000049dd [SR] Cannot repair member file [l:12]"explorer.exe" of Microsoft-Windows-explorer, version 10.0.10586.0, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35} in the store, file cannot be checked
2016-01-28 23:10:57, Info                  CSI    000049de [SR] Cannot repair member file [l:9]"lsass.exe" of Microsoft-Windows-LSA-MinWin, version 10.0.10586.0, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35} in the store, file cannot be checked
2016-01-28 23:10:57, Info                  CSI    000049df [SR] Cannot repair member file [l:12]"services.exe" of Microsoft-Windows-Services-ServiceController-MinWin, version 10.0.10586.0, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35} in the store, file cannot be checked
2016-01-28 23:10:57, Info                  CSI    000049e0 [SR] Cannot repair member file [l:11]"svchost.exe" of Microsoft-Windows-Services-Svchost, version 10.0.10586.0, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35} in the store, file cannot be checked
2016-01-28 23:10:57, Info                  CSI    000049e1 [SR] Cannot repair member file [l:8]"smss.exe" of Microsoft-Windows-Smss-MinWin, version 10.0.10586.0, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35} in the store, file cannot be checked
2016-01-28 23:10:57, Info                  CSI    000049e2 [SR] Cannot repair member file [l:10]"ctfmon.exe" of Microsoft-Windows-TextServicesFramework-CtfMon, version 10.0.10586.0, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35} in the store, file cannot be checked
2016-01-28 23:10:57, Info                  CSI    000049e3 [SR] Cannot repair member file [l:12]"winlogon.exe" of Microsoft-Windows-Winlogon, version 10.0.10586.0, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35} in the store, file cannot be checked
2016-01-28 23:10:57, Info                  CSI    000049e4 [SR] Cannot repair member file [l:12]"explorer.exe" of Microsoft-Windows-explorer, version 10.0.10586.0, arch Host= amd64 Guest= x86, nonSxS, pkt {l:8 b:31bf3856ad364e35} in the store, file cannot be checked
2016-01-28 23:10:57, Info                  CSI    000049e5 Hashes for file member \SystemRoot\WinSxS\wow64_microsoft-windows-r..xwddmdriver-wow64-c_31bf3856ad364e35_10.0.10586.0_none_3dae054b56911c22\opencl.dll do not match actual file [l:10]"opencl.dll" :
  Found: {l:32 Ui1iPYLRlrK/KdPVb2btwB5JqasIeak0eCk42vnG8bQ=} Expected: {l:32 9rnAnuwzPjMQA7sW63oNAVhckspIngsqJXKYSUeQ5Do=}
2016-01-28 23:10:57, Info                  CSI    000049e6 [SR] Cannot repair member file [l:10]"opencl.dll" of microsoft-windows-RemoteFX-clientVM-RemoteFXWDDMDriver-WOW64-C, version 10.0.10586.0, arch Host= amd64 Guest= x86, nonSxS, pkt {l:8 b:31bf3856ad364e35} in the store, hash mismatch
The opencl.dll file can be safely ignored. It's a known issue under Windows 10 TH2, and it doesn't affect the system at all. In fact, I wrote a guide about that corruption and also posted a fix over at Sysnative. You are free to follow the instructions in it to replace your corrupt opencl.dll file if you wish.

https://www.sysnative.com/forums/windows-update/18121-guide-opencl-dll-corruption-sfc-dism-windows-10-update-1511-th2.html

Usually, a "file cannot be checked" error means that the file simply cannot be accessed by SFC, and therefore it has less chance of being corrupt in that situation. However, since a lot of critical system files return that error, I'm curious to see what a DISM scan will return.

DISM - Fixing Component Store Corruption
Follow the instructions below to run a DISM operation on your system.
  • On Windows 8, drag your cursor in the bottom-left corner, and right-click on the metro menu preview, then select Command Prompt (Admin);
  • On Windows 8.1, right click on the Windows logo in the bottom-left corner and select Command Prompt (Admin);
  • Enter the command below and press on Enter;
    DISM /Online /Cleanup-Image /RestoreHealth
  • Let the scan run until the end (100%). Depending on your system, it can take some time;
  • Copy the C:\Windows\Logs\DISM folder and C:\Windows\Logs\CBS\CBS.log file on your Desktop, then right-click on it, go to Send to... and select Compressed .zip archive;
  • Upload the file on Dropbox, Google Drive or OneDrive and post the download URL for it here;
Note: Please note that the CBS.log is volatile, which means that if you don't upload it after the DISM scan is completed, it won't contain the information from the scan anymore. So archive it and upload it as soon as you can.


(using the Windows 10 installer, I removed all partitions until it was all unallocated space and then created a new partition)


By Windows 10 installer, are you referring to the Windows 10 Media Creation Tool that you can download from Microsoft.com at the link below?

https://www.microsoft.com/en-ca/software-download/windows10

If so, did you download the .iso, and then make a USB bootable with it, or burn it to DVD so you could boot from that device? If you made a bootable USB, what program did you use to accomplish that? Same if you burnt it to a DVD, what program did you use in order to accomplish that?

Your next reply should include:
  • Download URL to a .zip archive containing the CBS.log and DISM.log after running DISM;
  • Answer to my questions about how you downloaded and prepared your installation media for Windows 10;

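The SFC step in post #3 and the CBS.log reading in post #5 both come down to the same thing: pulling the "[SR]" records out of CBS.log and telling "file cannot be checked" (SFC could not access the file, usually a permissions problem) apart from "hash mismatch" (real corruption). The script below is an added example, not code from the thread or from Farbar or Microsoft. It assumes Windows PowerShell 5.1 on Windows 10; the sample lines embedded in it are the CBS.log lines quoted above, so the parser can be tried without running a scan.

```powershell
# Added example: summarise the [SR] records SFC writes to CBS.log.
# One "Cannot repair member file" record per line; the member name is given as
# [l:N]"name" and the verdict is the last comma-separated field.
$SrPattern = '\[SR\] Cannot repair member file \[l:\d+\]"(?<file>[^"]+)" of (?<component>[^,]+), version (?<version>[\d.]+), arch (?<arch>.+?), nonSxS, pkt \{[^}]*\} in the store, (?<reason>.+)$'

function Get-SfcFinding {
    # Turns raw CBS.log lines into objects; lines that are not [SR] member records
    # (such as the "Hashes for file member ... do not match" detail) are skipped.
    param([Parameter(Mandatory)] [string[]] $Lines)
    foreach ($line in $Lines) {
        if ($line -match $SrPattern) {
            [pscustomobject]@{
                File      = $Matches.file
                Component = $Matches.component
                Version   = $Matches.version
                Arch      = $Matches.arch
                Reason    = $Matches.reason.Trim()
            }
        }
    }
}

function Get-SfcFindingFromLog {
    # Reads the live log. CBS.log is rotated, so run this right after sfc /scannow.
    param([string] $Path = "$env:windir\Logs\CBS\CBS.log")
    $srLines = (Select-String -Path $Path -SimpleMatch -Pattern '[SR]').Line
    Get-SfcFinding -Lines $srLines
}

function Get-SfcSummary {
    # Groups findings by verdict so a permissions problem (many "cannot be checked")
    # reads differently from a handful of genuinely corrupt files.
    param([Parameter(Mandatory)] [string[]] $Lines)
    Get-SfcFinding -Lines $Lines |
        Group-Object Reason |
        ForEach-Object {
            [pscustomobject]@{
                Reason = $_.Name
                Count  = $_.Count
                Files  = ($_.Group.File -join ', ')
            }
        }
}

# Constructed sample: a subset of the CBS.log lines quoted in the thread.
$sampleCbsLines = @'
2016-01-28 23:10:57, Info                  CSI    000049dc [SR] Cannot repair member file [l:9]"csrss.exe" of Microsoft-Windows-Csrss, version 10.0.10586.0, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35} in the store, file cannot be checked
2016-01-28 23:10:57, Info                  CSI    000049e0 [SR] Cannot repair member file [l:11]"svchost.exe" of Microsoft-Windows-Services-Svchost, version 10.0.10586.0, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35} in the store, file cannot be checked
2016-01-28 23:10:57, Info                  CSI    000049e3 [SR] Cannot repair member file [l:12]"winlogon.exe" of Microsoft-Windows-Winlogon, version 10.0.10586.0, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35} in the store, file cannot be checked
2016-01-28 23:10:57, Info                  CSI    000049e4 [SR] Cannot repair member file [l:12]"explorer.exe" of Microsoft-Windows-explorer, version 10.0.10586.0, arch Host= amd64 Guest= x86, nonSxS, pkt {l:8 b:31bf3856ad364e35} in the store, file cannot be checked
2016-01-28 23:10:57, Info                  CSI    000049e5 Hashes for file member \SystemRoot\WinSxS\wow64_microsoft-windows-r..xwddmdriver-wow64-c_31bf3856ad364e35_10.0.10586.0_none_3dae054b56911c22\opencl.dll do not match actual file [l:10]"opencl.dll" :
2016-01-28 23:10:57, Info                  CSI    000049e6 [SR] Cannot repair member file [l:10]"opencl.dll" of microsoft-windows-RemoteFX-clientVM-RemoteFXWDDMDriver-WOW64-C, version 10.0.10586.0, arch Host= amd64 Guest= x86, nonSxS, pkt {l:8 b:31bf3856ad364e35} in the store, hash mismatch
'@ -split "`r?`n"

Get-SfcSummary -Lines $sampleCbsLines | Format-Table -AutoSize
```

On a real system, run `sfc /scannow` from an elevated prompt and then `Get-SfcFindingFromLog | Group-Object Reason` before the log rotates. A summary where nearly every core binary lands under "file cannot be checked" and only opencl.dll under "hash mismatch" is the shape the helper describes above: one access problem, not ten separate corruptions.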


#6 adameast9000
  • Topic Starter

  • Members
  • 17 posts

Posted 30 January 2016 - 08:03 PM

After running DISM: Error 3017

The Requested Operation Failed. A system reboot is required to roll back changes made.

 

Link to logs:

https://onedrive.live.com/redir?resid=D102F9A0DB5A2968!22861&authkey=!AMl1ZJIfcPxp5GY&ithint=file%2czip

 

I downloaded the Win10 Education ISO from Microsoft using my product key. I used Rufus 2.6 to make a bootable USB from it, using all default settings (it changes some automatically when it detects a Windows install ISO, I think). When I say I reformatted the drive, I mean that when I booted into the ISO, when Windows gives you the option to choose which partition/HDD to install Windows to, I deleted all partitions on the drive and made a new one from the unallocated space. Windows of course makes a system partition in addition to the one I made.



#7 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,683 posts
  • Gender:Male

Posted 31 January 2016 - 10:55 AM

Can you restart your computer, then following the instructions in my previous post, run DISM again and .zip the CBS.log and DISM.log for me after the scan? If DISM still gives you an error message saying that a restart is required to rollback pending changes, we'll have to deal with this next if we want to move forward.

And the way you created your bootable USB is good. I also use RUFUS and never had an issue with it.

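The DISM procedure from post #5, repeated here, has two failure modes in this thread: a stop that needs a reboot to roll back (error 3017) and 0x800f081f, "The source files could not be found." The script below is an added example, not code from the thread or from Microsoft. It runs the same `DISM /Online /Cleanup-Image /RestoreHealth` command, classifies the console text it gets back, and packs CBS.log and the DISM log folder into a .zip on the Desktop, which is what the helper asks for each time. It assumes an elevated Windows PowerShell 5.1 session on Windows 10 (Compress-Archive needs PowerShell 5 or later); the status strings and the staging folder name are my own choices.

```powershell
# Added example: run DISM RestoreHealth, classify the outcome, archive the logs.

function Get-DismStatus {
    # Maps DISM console text to a short status. The patterns are the messages
    # that appear in this thread plus DISM's normal success line.
    param([Parameter(Mandatory)] [string] $ConsoleText, [int] $ExitCode = 0)
    if ($ConsoleText -match 'Error:\s*0x800f081f')                       { return 'source-missing' }
    if ($ConsoleText -match 'reboot is required to roll back')           { return 'reboot-required' }
    if ($ConsoleText -match 'restore operation completed successfully')  { return 'ok' }
    return "unknown (exit code $ExitCode)"
}

function Invoke-DismRestoreHealth {
    param(
        [string] $ZipPath = (Join-Path ([Environment]::GetFolderPath('Desktop')) 'dism-cbs-logs.zip')
    )
    # Capture everything DISM prints; the exit code is read right after the pipeline.
    $console  = & "$env:windir\System32\dism.exe" /Online /Cleanup-Image /RestoreHealth 2>&1 | Out-String
    $exitCode = $LASTEXITCODE
    $status   = Get-DismStatus -ConsoleText $console -ExitCode $exitCode

    # CBS.log is rotated, so copy it immediately after the run (hypothetical staging folder).
    $staging = Join-Path $env:TEMP 'dism-cbs-logs'
    if (Test-Path $staging) { Remove-Item $staging -Recurse -Force }
    New-Item -ItemType Directory -Path $staging | Out-Null
    Copy-Item "$env:windir\Logs\CBS\CBS.log" -Destination $staging
    Copy-Item "$env:windir\Logs\DISM" -Destination $staging -Recurse
    Set-Content -Path (Join-Path $staging 'dism-console.txt') -Value $console
    Compress-Archive -Path "$staging\*" -DestinationPath $ZipPath -Force

    [pscustomobject]@{ Status = $status; ExitCode = $exitCode; Archive = $ZipPath }
}

# Constructed sample: the console output quoted later in this thread, used to
# exercise the classifier without actually running DISM.
$sampleConsole = @'
Deployment Image Servicing and Management tool
Version: 10.0.10586.0

Image Version: 10.0.10586.0

[==========================100.0%==========================]

Error: 0x800f081f

The source files could not be found.
Use the "Source" option to specify the location of the files that are required to restore the feature.
'@

Get-DismStatus -ConsoleText $sampleConsole
```

To do the real run, call `Invoke-DismRestoreHealth` from an elevated session and upload the archive it reports. A "reboot-required" status means exactly what the helper says in post #7: restart first, then run it again. A "source-missing" status is the case DISM's own message describes, where the online component store could not supply the files and a separate source would have to be pointed at; in this thread the helper chose to look at file permissions before going that way.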


#8 adameast9000
  • Topic Starter

  • Members
  • 17 posts

Posted 31 January 2016 - 05:04 PM

Different error this time.

Thanks for your help so far.

************************
Microsoft Windows [Version 10.0.10586]
© 2016 Microsoft Corporation. All rights reserved.
 
C:\Windows\system32>DISM /Online /Cleanup-Image /RestoreHealth
 
Deployment Image Servicing and Management tool
Version: 10.0.10586.0
 
Image Version: 10.0.10586.0
 
[==========================100.0%==========================]
 
Error: 0x800f081f
 
The source files could not be found.
Use the "Source" option to specify the location of the files that are required to restore the feature. For more information on specifying a source location, see http://go.microsoft.com/fwlink/?LinkId=243077.
 
The DISM log file can be found at C:\Windows\Logs\DISM\dism.log
 
C:\Windows\system32>

 

Attached Files

  • logs.zip (802.27KB)


#9 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,683 posts
  • Gender:Male

Posted 31 January 2016 - 05:15 PM

DISM fails to succeed because it cannot interact with the files it needs to repair/replace, caused by insufficient access. In order to solve this, you should run Windows Repair All-In-One, using the Reset File Permissions on your C: drive.

Windows Repair All-In-One
NOTE: Before following the steps below, please disable your antivirus software or any other real-time security software that you have enabled.
  • Boot in Safe Mode with Networking;
  • Download the portable version of Windows Repair All-In-One;
  • Move the file (archive) on your Desktop, and extract it there;
  • Go in the tweaking.com_windows_repair_aio folder, then Tweaking.com - Windows Repair folder, right-click on Repair_Windows.exe and select Run as Administrator;
  • From there, click on the Next button until you are presented with an Open Repairs button and click on it;
  • Let the Registry back up complete, and move on to the check-list window;
  • Click on the Unselect All button at the bottom, then check the following items:
    • Reset File Permissions - Make sure that your C: drive is checked under that option;
  • Once done, click on the Start Repairs button and let the scan execute;
  • If you are being prompted with a Security Warning, allow it to go through;
  • Once the repair is complete, it'll ask you to restart your computer, please do it;



#10 adameast9000

adameast9000
  • Topic Starter

  • Members
  • 17 posts

Posted 31 January 2016 - 06:41 PM

The program ran successfully. I'm assuming you want me to run DISM again?



#11 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,683 posts

Posted 31 January 2016 - 07:43 PM

Before we run DISM again, we'll run SFC once more, to see if it still returns "cannot verify file" errors in the CBS.log. Since this is usually an error caused by insufficient permissions, if Windows Repair AIO really did manage to reset the permissions on the file system, we shouldn't see them anymore.

System File Checker (SFC)
Follow the instructions below to run an SFC scan on your system and to provide the CBS log in your next reply;
  • On Windows Vista & 7, click on the Windows Start Menu, then enter cmd in the search box, right-click on the cmd icon and select Run as Administrator;
  • On Windows 8, drag your cursor in the bottom-left corner, and right-click on the metro menu preview, then select Command Prompt (Admin);
  • On Windows 8.1, right click on the Windows logo in the bottom-left corner and select Command Prompt (Admin);
  • Enter the command below and press on Enter;
    sfc /scannow
    Note: There's a space between "sfc" and "/scannow";
  • Once the scan is complete, enter the command below and press on Enter
    copy %windir%\logs\cbs\cbs.log "%userprofile%\Desktop\cbs.txt"
  • A file called cbs.txt will have appeared on your Desktop. Upload the file on Dropbox, Google Drive or OneDrive and post the download URL for it here;
Note: Please note that the CBS.log is volatile, which means that if you don't upload it after the SFC scan is completed, it won't have the information from the scan anymore. So archive it and upload it as soon as you can.

Your next reply should include:
  • Download URL to the cbs.txt file obtained after running SFC;


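A small triage script for the CBS.log that the SFC instructions above ask for, added here as an example and not a tool from the thread or from Aura: it keeps only the [SR] lines (the same filter as findstr /c:"[SR]") and groups components by whether SFC could not verify them, could not repair them, or repaired them, which is the distinction the "cannot verify file" errors in this thread turn on. The log excerpt, component names and file names are constructed sample values.

```python
import re

# Constructed CBS.log excerpt (not this thread's attachment), shaped like the [SR] lines SFC writes; names are sample values
SAMPLE_CBS_LOG = r"""2016-01-31 20:15:09, Info                  CBS    Exec: Processing package
2016-01-31 20:15:12, Info                  CSI    000001c3 [SR] Cannot verify component files for Microsoft-Windows-Services-Core, Version = 10.0.10586.0, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, manifest is damaged (TRUE)
2016-01-31 20:15:13, Info                  CSI    000001c5 [SR] Cannot repair member file [l:20{10}]"sample.dll" of Microsoft-Windows-ExampleComponent, Version = 10.0.10586.0 in the store, hash mismatch
2016-01-31 20:15:14, Info                  CSI    000001c7 [SR] Repairing corrupted file [l:64{32}]"\??\C:\Windows\System32\\other.dll" from store
2016-01-31 20:15:15, Info                  CSI    000001ca [SR] Verify complete
"""

# timestamp, level, "CSI", hex sequence number, then the [SR] message text
SR_LINE = re.compile(r"^(?P<ts>\S+ [^,]+), (?P<level>\w+)\s+CSI\s+\w+ \[SR\] (?P<msg>.*)$")

# message prefixes that decide the outcome for one component or file
CATEGORIES = (
    ("cannot_verify", "Cannot verify component files"),  # access problem, as in this thread
    ("cannot_repair", "Cannot repair member file"),       # store copy bad too: DISM /RestoreHealth
    ("repaired", "Repairing corrupted file"),             # SFC restored it from the store
)

def subject_of(msg):
    """File name from [l:N{M}]"..." (base name only) or the component after 'for '."""
    quoted = re.search(r'\]"([^"]+)"', msg)
    if quoted:
        return quoted.group(1).rsplit("\\", 1)[-1]
    comp = re.search(r"for (\S+?),", msg)
    return comp.group(1) if comp else msg

def summarize(text):
    """Group affected components/files by SFC outcome; 'sr_lines' counts every [SR] entry."""
    summary = {key: [] for key, _ in CATEGORIES}
    summary["sr_lines"] = 0
    for line in text.splitlines():
        m = SR_LINE.match(line)
        if not m:
            continue  # non-SFC CBS noise, the same filter findstr /c:"[SR]" applies
        summary["sr_lines"] += 1
        msg = m.group("msg")
        for key, prefix in CATEGORIES:
            if msg.startswith(prefix):
                summary[key].append(subject_of(msg))
                break
    return summary

def diagnose(summary):
    """Triage hint: verify failures = check ownership/ACLs; repair failures = damaged store."""
    if summary["cannot_verify"]:
        return "verify-failures"
    if summary["cannot_repair"]:
        return "repair-failures"
    return "clean"
```

To run it on a real log, pass the text of the cbs.txt copy to summarize(); a result of "verify-failures" means the files themselves could not be read, which no amount of DISM /RestoreHealth fixes until the permissions are sorted out.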

#12 adameast9000

adameast9000
  • Topic Starter

  • Members
  • 17 posts

Posted 31 January 2016 - 08:29 PM

Same message. New CBS attached. DISM now?

Microsoft Windows [Version 10.0.10586]
© 2016 Microsoft Corporation. All rights reserved.
 
C:\Windows\system32>sfc /scannow
 
Beginning system scan.  This process will take some time.
 
Beginning verification phase of system scan.
Verification 100% complete.
 
Windows Resource Protection found corrupt files but was unable to fix some
of them. Details are included in the CBS.Log windir\Logs\CBS\CBS.log. For
example C:\Windows\Logs\CBS\CBS.log. Note that logging is currently not
supported in offline servicing scenarios.
 
The system file repair changes will take effect after the next reboot.
 
C:\Windows\system32>

 

Attached Files

  • CBS.log (5.9MB)


#13 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,683 posts

Posted 01 February 2016 - 02:52 PM

It seems like running Windows Repair AIO didn't correct your file permissions. The same errors are showing up in your CBS.log (cannot verify file). If the system cannot access svchost.exe, chances are that Malwarebytes won't be able to install itself either. The issue here is a damaged/corrupt Windows 10 installation, and not malware related. Therefore, what I can suggest you do is head over to the Windows 10 Support section for more appropriate assistance. Personally, I would suggest you Reset your Windows 10, and see where this leads you.

Windows 10 Reset - http://www.tenforums.com/tutorials/4130-reset-windows-10-a.html

In the end, since there are no traces of malware on your system, and the issue is due to a damaged Windows 10 installation, there's nothing I can do here, in this section, to assist you.

Tips, tricks, advice and recommendations

Now that your system is clean, it's time to give you some tips, tricks, advice and recommendations on how to protect your system and prevent you from being infected in the future. Every program recommended below is free to use and therefore you don't have to pay for anything. You are free to follow these recommendations or to ignore them, however for the safety of your system, I strongly suggest you read all my recommendations and install the software/programs that I recommend below. If you have any questions about one of the points covered in the text below, feel free to ask me your questions here directly so I can answer them and guide you.

Turning On Automatic Windows Updates

Keeping Windows up to date is one of the first steps in having a secure and safe system. The Security Updates that Windows receives are meant to fix exploits and flaws in it, making it more secure and not exploitable by hackers. In order to do that, you should always install the Security Updates, known as "Important Updates", on your Windows system. These updates are released on the second Tuesday of every month, but some are also released before that if they are emergency/critical Security Updates. Let's make sure that you have all your Important Updates and Recommended Updates installed and that your Windows Updates are set to be installed automatically.

Check if there's any Important Updates available
  • Click on your Windows Start Menu then on Control Panel;
  • Click on System and Security then on Windows Update;
  • In the left pane, click on "Check for updates" and wait for the scan to complete;
  • If any Important Updates are available, click on "X Important Updates are available", make sure that they are all checked and click on "Install updates" (Please follow the same steps for the "Recommended Updates" if any are found);
  • Depending on how many updates you have to install and how big they are, that process can take a while. You'll most likely be asked to restart your computer once they are all installed to finish the installation, please do so;
To turn On Automatic Windows Updates
  • Click on your Windows Start Menu then on Control Panel;
  • Click on System and Security then on Windows Update;
  • In the left pane, click on "Change settings";
  • Now you have the choice to select between
    • Install updates automatically (recommended);
    • Download updates but let me choose whether to install them;
    • Check for updates but let me choose whether to download and install them;
  • The best choice in this situation is to pick the first option, "Install updates automatically (recommended)". This will automatically download and install Windows Updates whenever there are new ones without you having to do it manually. When these Windows Updates are installed, if they require a restart, a pop-up box will appear in the bottom-right corner of your screen telling you to restart your computer now or it will be automatically restarted soon. You can however postpone that restart if you're already working on something else;
  • Make sure to check the "Give me recommended updates the same way I receive important updates" option so Windows Updates will install the Recommended Updates at the same time as your Important Updates;
Other recommendations

Even if you follow every recommendation that I listed here, in the end, it's also your job to be careful when browsing the web and downloading files if you don't want to get infected. Therefore, if you use your brain (common sense) when browsing the web, downloading programs and files, etc., you have far fewer chances of getting infected by malware. If for example you're not sure if a website is legitimate or not, or if a file is safe to download and execute, or if a program looks "too good" to be free, I suggest you avoid going to that website, downloading that file or using that program.

Here are a few guides, tutorials, articles, etc. that you could read in order to learn more about computer protection and security to improve your current computer protection setup but also improve your good web browsing and computer usage practices:

The End!

And that's it! Now that you know more about how to protect your computer and secure it, you're good to go back to your online activities, but in a safe and secure way! You are also free to stay on BleepingComputer and ask for help in different topics if you ever need to. Just make sure that you post your question/issue in the right section to get the best assistance possible. And if you ever get infected again (which I hope you won't!), you can always come back to this section to get another checkup with one of our trained malware removal members.

Do you have any questions before I close this thread? :)



#14 adameast9000

adameast9000
  • Topic Starter

  • Members
  • 17 posts

Posted 01 February 2016 - 03:21 PM

This is the second time I installed Windows 10 Education fresh with a reformat as I've described. I can do a reset, I'll see where that goes. Thanks for your help.



#15 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts

Posted 01 February 2016 - 03:34 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/



