Black screen with cursor after running Combofix


8 replies to this topic

#1 syverttan

syverttan

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:55 PM

Posted 12 March 2016 - 07:36 AM

Hello,
 
I have a problem with my computer after running combofix. It was able to finish its scanning and rebooted afterwards. After it rebooted, the black screen came out with a movable cursor. I tried pressing ctrl+alt+delete and tried to run explorer.exe, it responds I don't have permission. I also tried running with safemode and its still the same. There is a black screen. Also tried system restore but I get errors due to some files deleted.
 
I am running a Windows 7 Ultimate (x86)
 
This is the result of FRST
 
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:05-03-2016 01
Ran by SYSTEM on MININT-IS4167T (12-03-2016 20:25:33)
Running from f:\
Platform: Windows 7 Ultimate (X86) Language: English (United States)
Internet Explorer Version 8
Boot Mode: Recovery
Default: ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.
 
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [GrooveMonitor] => C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [31016 2006-10-27] (Microsoft Corporation)
HKLM\...\Run: [StartCCC] => C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [336384 2011-05-24] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [egui] => C:\Program Files\ESET\ESET Smart Security\egui.exe [5078504 2013-03-04] (ESET)
HKLM\...\Run: [USB Security] => C:\Program Files\USB Disk Security\USBGuard.exe [658632 2012-07-31] (Zbshareware Lab)
HKLM\...\Run: [HP Software Update] => C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe [41360 2014-09-04] (Adobe Systems Incorporated)
HKLM\...\Run: [Acrobat Assistant 8.0] => C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe [840592 2014-09-04] (Adobe Systems Inc.)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [152392 2014-07-08] (Apple Inc.)
HKLM\...\Run: [UsbKey] => "C:\Users\Public\Local Settings\Microsoft\UsbKey\rusbmon.exe" Embedding
HKLM\...\Run: [UsbKeydog] => rundll32.exe "C:\Users\Public\Local Settings\Microsoft\UsbKey\rusbmon.dll", Embedding
HKLM\...\Run: [GoPro Studio Importer] => C:\Users\LIZA\Desktop\GoPro\Tools\Importer\GoPro Importer.exe [3217672 2015-07-02] (GoPro)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2015-08-06] (Apple Inc.)
HKLM\...\Run: [combofix] => C:\ComboFix\Combobatch.bat [8272 2016-03-12] ()
HKLM\...\RunOnce: [combofix] => C:\ComboFix\CF15900.3XE /c C:\ComboFixCombobatch.bat
HKLM\...\RunOnce: [*Restore] => C:\Windows\system32\rstrui.exe [262656 2009-07-13] (Microsoft Corporation)
HKLM\...\runonceex: [flags] => 8
Winlogon\Notify\DfLogon: LogonDll.dll [X]
HKU\LIZA\...\Run: [iFunBox Price Watch] => C:\Program Files\iFunbox 2014\iFunBox2014.exe [7748096 2013-11-26] (i-Funbox.com)
HKU\LIZA\...\Run: [Adobe Acrobat Synchronizer] => C:\Program Files\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe [1104288 2014-09-04] (Adobe Systems Incorporated)
HKU\LIZA\...\Run: [iCloudServices] => C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe [43816 2015-04-26] (Apple Inc.)
HKU\LIZA\...\Run: [ApplePhotoStreams] => C:\Program Files\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [43816 2015-04-26] (Apple Inc.)
HKU\LIZA\...\Run: [{719565BB-88E7-496E-970E-4B6DAE00A22D}] => powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\ILOWXFCO').VZIZKKBUEVEQG)));
BootExecute: autocheck autochk /k:C /k:D * 
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [294400 2011-05-24] (Advanced Micro Devices, Inc.)
S2 Autorun CDROM Monitor; C:\Windows\system32\SupportAppXL\cdrom_mon.exe [81920 2008-11-25] ()
S2 DFServ; C:\Program Files\Faronics\Deep Freeze\Install C-0\DFServ.exe [1092096 2012-09-04] (Faronics Corporation)
S2 ekrn; C:\Program Files\ESET\ESET Smart Security\ekrn.exe [1341664 2013-03-04] (ESET)
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-13] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S0 DeepFrz; C:\Windows\System32\Drivers\DeepFrz.sys [151640 2012-09-04] (Faronics Corporation)
S0 DfDiskLow; C:\Windows\System32\Drivers\DfDiskLow.sys [29912 2012-09-04] (Faronics Corporation)
S1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [171680 2013-02-20] (ESET)
S1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [122240 2013-01-10] (ESET)
S2 epfw; C:\Windows\System32\DRIVERS\epfw.sys [150080 2013-01-10] (ESET)
S1 EpfwLWF; C:\Windows\System32\DRIVERS\EpfwLWF.sys [46056 2013-01-10] (ESET)
S0 epfwwfp; C:\Windows\System32\DRIVERS\epfwwfp.sys [47568 2013-02-20] (ESET)
S3 catchme; \??\C:\Users\LIZA\AppData\Local\Temp\catchme.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-03-12 20:24 - 2016-03-12 20:25 - 00000000 ____D C:\FRST
2016-03-12 20:15 - 2016-03-12 20:15 - 00003552 ____N C:\bootsqm.dat
2016-03-12 18:42 - 2016-03-12 19:28 - 00000000 ___SD C:\ComboFix
2016-03-12 18:42 - 2016-03-12 18:42 - 00000000 ____D C:\Qoobox
2016-03-12 18:42 - 2011-06-25 22:45 - 00256000 _____ C:\Windows\PEV.exe
2016-03-12 18:42 - 2010-11-07 09:20 - 00208896 _____ C:\Windows\MBR.exe
2016-03-12 18:42 - 2009-04-19 20:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2016-03-12 18:42 - 2000-08-30 16:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2016-03-12 18:42 - 2000-08-30 16:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2016-03-12 18:42 - 2000-08-30 16:00 - 00098816 _____ C:\Windows\sed.exe
2016-03-12 18:42 - 2000-08-30 16:00 - 00080412 _____ C:\Windows\grep.exe
2016-03-12 18:42 - 2000-08-30 16:00 - 00068096 _____ C:\Windows\zip.exe
2016-03-12 18:41 - 2016-03-12 19:28 - 00000000 ___SD C:\32788R22FWJFW
2016-03-12 18:41 - 2016-03-12 19:28 - 00000000 ____D C:\Windows\erdnt
2016-03-12 18:39 - 2016-03-12 18:40 - 05658088 ____R (Swearware) C:\Users\LIZA\Downloads\ComboFix.exe
2016-03-12 10:11 - 2016-03-12 10:11 - 00252732 _____ C:\Users\LIZA\Downloads\1651069312.pdf
2016-03-10 03:56 - 2016-03-10 03:56 - 00191616 _____ C:\Users\LIZA\Downloads\V7QQ8F-08Mar2016.pdf
2016-03-10 03:52 - 2016-03-10 03:52 - 00191615 _____ C:\Users\LIZA\Downloads\JHZ9UH-08Mar2016.pdf
2016-03-10 03:46 - 2016-03-10 03:46 - 00192512 _____ C:\Users\LIZA\Downloads\GGFTJH-09Mar2016.pdf
2016-03-08 19:45 - 2016-03-08 19:46 - 00000000 ____D C:\Users\LIZA\Documents\DENICE
2016-03-06 22:22 - 2016-03-06 22:22 - 00191862 _____ C:\Users\LIZA\Downloads\Y7QQRI-06Mar2016.pdf
2016-03-06 22:19 - 2016-03-06 22:19 - 00191853 _____ C:\Users\LIZA\Downloads\Y46BPE-06Mar2016.pdf
2016-03-05 11:25 - 2016-03-04 22:54 - 100127496 _____ C:\Users\LIZA\Desktop\GREETINGS.m4v
2016-03-05 11:25 - 2016-03-04 22:47 - 113457291 _____ C:\Users\LIZA\Desktop\PAST2PRESENT.m4v
2016-03-05 11:20 - 2016-03-05 10:54 - 99733114 _____ C:\Users\LIZA\Desktop\FRIENDS.m4v
2016-03-05 09:20 - 2016-03-05 09:20 - 00012545 _____ C:\Users\LIZA\Desktop\guestlist.xlsx
2016-03-05 08:15 - 2016-03-05 08:15 - 00010972 _____ C:\Users\LIZA\Downloads\By-Table (1).xlsx
2016-03-05 08:14 - 2016-03-05 08:14 - 00010972 _____ C:\Users\LIZA\Downloads\By-Table.xlsx
2016-03-01 22:09 - 2016-03-01 22:09 - 00143016 _____ C:\Windows\Minidump\030116-21840-01.dmp
2016-03-01 21:51 - 2016-03-01 21:51 - 00000000 ____D C:\Users\LIZA\Desktop\vid
2016-02-29 17:09 - 2016-02-29 17:09 - 00000000 ____H C:\Users\LIZA\Desktop\~WRL2315.tmp
2016-02-29 14:58 - 2016-02-29 14:58 - 04481057 _____ C:\Users\LIZA\Desktop\n2crop.psd
2016-02-29 14:47 - 2016-02-29 14:48 - 15718047 _____ C:\Users\LIZA\Downloads\N_2.psd
2016-02-29 08:05 - 2016-02-29 08:05 - 04869909 _____ C:\Users\LIZA\Downloads\nnn.psd
2016-02-29 07:52 - 2016-02-29 08:05 - 04869045 _____ C:\Users\LIZA\Downloads\N.psd
2016-02-24 20:48 - 2016-02-23 09:50 - 139430382 ____N C:\Users\LIZA\Desktop\IMG_1447.mov
2016-02-24 16:13 - 2016-02-24 16:14 - 00885656 _____ C:\Users\LIZA\Desktop\pflowers.psd
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-03-12 20:20 - 2009-07-13 20:34 - 00016816 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-03-12 20:20 - 2009-07-13 20:34 - 00016816 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-03-12 19:32 - 2013-03-07 21:17 - 00345530 _____ C:\Windows\ntbtlog.txt
2016-03-12 19:28 - 2013-03-07 20:58 - 00000000 ____D C:\users\LIZA
2016-03-12 19:28 - 2009-07-13 23:48 - 00000000 ___RD C:\Users\Public\Recorded TV
2016-03-12 19:28 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\inf
2016-03-12 19:28 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\AppCompat
2016-03-12 19:00 - 2009-07-13 18:03 - 46923776 _____ C:\Windows\System32\config\SOFTWARE.bak
2016-03-12 19:00 - 2009-07-13 18:03 - 21495808 _____ C:\Windows\System32\config\SYSTEM.bak
2016-03-12 19:00 - 2009-07-13 18:03 - 00262144 _____ C:\Windows\System32\config\SECURITY.bak
2016-03-12 19:00 - 2009-07-13 18:03 - 00262144 _____ C:\Windows\System32\config\SAM.bak
2016-03-12 19:00 - 2009-07-13 18:03 - 00262144 _____ C:\Windows\System32\config\DEFAULT.bak
2016-03-12 18:57 - 2009-07-13 15:31 - 77381632 _____ C:\ProgramData\msollju.exe
2016-03-05 09:19 - 2009-07-13 20:52 - 00000000 ____D C:\Windows\System32\FxsTmp
2016-03-02 15:59 - 2016-01-28 10:39 - 00000000 ____D C:\Users\LIZA\Desktop\mama
2016-03-01 22:09 - 2014-04-23 22:34 - 196874027 _____ C:\Windows\MEMORY.DMP
2016-03-01 22:09 - 2014-04-23 22:34 - 00000000 ____D C:\Windows\Minidump
2016-03-01 22:06 - 2013-03-07 21:03 - 00781298 _____ C:\Windows\System32\PerfStringBackup.INI
2016-02-24 21:32 - 2013-04-06 15:31 - 00000000 ____D C:\Users\LIZA\AppData\Roaming\uTorrent
2016-02-24 20:46 - 2013-04-10 13:58 - 00000000 ____D C:\Users\LIZA\AppData\Roaming\vlc
2016-02-21 07:14 - 2013-03-13 00:05 - 00002362 _____ C:\Users\LIZA\Desktop\Google Chrome.lnk
 
Files to move or delete:
====================
C:\ProgramData\msollju.exe
 
 
==================== Known DLLs (Whitelisted) =========================
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\dnsapi.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE Association (Whitelisted) =============
 
 
==================== Restore Points  =========================
 
Restore point date: 2016-03-02 17:32
Restore point date: 2016-03-12 18:43
Restore point date: 2016-03-12 19:23
 
==================== Memory info =========================== 
 
Percentage of memory in use: 24%
Total physical RAM: 1642.9 MB
Available physical RAM: 1235.66 MB
Total Virtual: 1642.9 MB
Available Virtual: 1236.46 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:81.69 GB) (Free:40.87 GB) NTFS
Drive d: () (Fixed) (Total:216.3 GB) (Free:171.26 GB) NTFS
Drive f: (Porkchop) (Removable) (Total:7.45 GB) (Free:7.39 GB) NTFS
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: () (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298.1 GB) (Disk ID: E5E81A19)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=81.7 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=216.3 GB) - (Type=OF Extended)
 
========================================================
Disk: 1 (Size: 7.5 GB) (Disk ID: 00000000)
 
Partition: GPT.
 
 
LastRegBack: 2016-02-29 02:33
 
==================== End of FRST.txt ============================


Edited by hamluis, 12 March 2016 - 07:48 AM.
Merged posts, moved from Win 7 to Malware Removal Logs - Hamluis.
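The Run entries in the FRST log above (the GUID-named PowerShell value that decodes a base64 payload read from a registry key with a hidden window and execution policy bypass, and the two UsbKey entries loading from C:\Users\Public without any file metadata) are the kind a log reviewer flags on sight. The following Python triage script is added here and is not part of the thread or of FRST; the sample lines are copied from the log, and the scoring rules are the author's own heuristics, not FRST's:

```python
import re

# Constructed sample: lines copied from the FRST "Registry (Whitelisted)" section
# in the post above, with the benign ESET entry kept for contrast.
SAMPLE_LOG = r"""
HKLM\...\Run: [egui] => C:\Program Files\ESET\ESET Smart Security\egui.exe [5078504 2013-03-04] (ESET)
HKLM\...\Run: [UsbKey] => "C:\Users\Public\Local Settings\Microsoft\UsbKey\rusbmon.exe" Embedding
HKLM\...\Run: [UsbKeydog] => rundll32.exe "C:\Users\Public\Local Settings\Microsoft\UsbKey\rusbmon.dll", Embedding
HKU\LIZA\...\Run: [{719565BB-88E7-496E-970E-4B6DAE00A22D}] => powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\ILOWXFCO').VZIZKKBUEVEQG)));
"""

# FRST autostart line: "<hive>\...\Run[Once]: [<value name>] => <command> [<size> <date>] (<publisher>)"
RUN_LINE = re.compile(
    r"^(?P<hive>HK(?:LM|U\\[^\\]+))\\\.\.\.\\(?P<key>Run(?:Once)?): "
    r"\[(?P<name>[^\]]*)\] => (?P<cmd>.*)$"
)
# "[size date] (Publisher)" is appended only when FRST located and read the file on disk.
FILE_META = re.compile(r"\[\d+ \d{4}-\d{2}-\d{2}\] \([^)]*\)\s*$")
GUID_NAME = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
USER_WRITABLE = re.compile(r"\\(Users\\Public|AppData|Temp|ProgramData)\\", re.I)

# Traits of a PowerShell launcher worth a second look; every one matches the entry above.
PS_FLAGS = [
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-e(?:xecutionpolicy)?\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"\biex\b|Invoke-Expression", re.I), "iex of a constructed string"),
    (re.compile(r"FromBase64String", re.I), "base64-decoded payload"),
    (re.compile(r"\bgp\b|Get-ItemProperty", re.I), "payload read from a registry value"),
]


def triage_line(line):
    """Return (value name, [reasons]) for one FRST Run line, or None for any other line."""
    m = RUN_LINE.match(line.strip())
    if not m:
        return None
    name, cmd = m.group("name"), m.group("cmd")
    reasons = []
    if not FILE_META.search(cmd):
        reasons.append("no size/date/publisher metadata (file missing or not a plain path)")
    if GUID_NAME.match(name):
        reasons.append("GUID-style value name")
    if USER_WRITABLE.search(cmd):
        reasons.append("binary under a user-writable directory")
    if re.search(r"\brundll32(?:\.exe)?\b", cmd, re.I):
        reasons.append("rundll32 loading a DLL")
    if re.search(r"\bpowershell(?:\.exe)?\b", cmd, re.I):
        reasons += [why for rx, why in PS_FLAGS if rx.search(cmd)]
    return name, reasons


def triage(log_text):
    """Map every Run/RunOnce value name in an FRST log to its list of review reasons."""
    results = {}
    for line in log_text.splitlines():
        hit = triage_line(line)
        if hit:
            results[hit[0]] = hit[1]
    return results


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(("REVIEW " if reasons else "ok     ") + name + ": " + ("; ".join(reasons) or "file metadata present"))
```

Run it against a full FRST.txt by passing the file contents to triage(); entries with an empty reason list still deserve a glance, but the ones with several reasons are where a reviewer starts.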



#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,188 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:55 AM

Posted 12 March 2016 - 09:39 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
 
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
 
Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
 
Please copy the entire contents of the code box below to a new file.
 
 
Start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
HKLM\...\Run: [combofix] => C:\ComboFix\Combobatch.bat [8272 2016-03-12] ()
HKLM\...\RunOnce: [combofix] => C:\ComboFix\CF15900.3XE /c C:\ComboFixCombobatch.bat
HKLM\...\runonceex: [flags] => 8
Winlogon\Notify\DfLogon: LogonDll.dll [X]
S3 catchme; \??\C:\Users\LIZA\AppData\Local\Temp\catchme.sys [X]
C:\ComboFix\Combobatch.bat
C:\ComboFix
C:\Users\LIZA\Downloads\ComboFix.exe
C:\Windows\PEV.exe
C:\Windows\MBR.exe
C:\Windows\NIRCMD.exe
C:\Windows\SWREG.exe
C:\Windows\SWSC.exe
C:\Windows\sed.exe
C:\Windows\grep.exe
C:\Windows\zip.exe
C:\ProgramData\msollju.exe
C:\Windows\MEMORY.DMP
 
End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.
 
Run FRST and click Fix only once and wait.
 
Restart the computer normally to reset the registry.
 
The tool will create a log (Fixlog.txt) please post it to your reply.
===
 
You should now be able to run the Farbar tool in normal mode.
 
Please post a fresh FRST log and include the Addition.txt file that was also created.
 
Please let me know what problem persists with this computer.
 
 
 
 
 


#3 syverttan

syverttan
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:55 PM

Posted 12 March 2016 - 10:28 AM

Hello nasdaq,

 

Thank you for the fast reply. After doing it and restarting the computer, the problem is still the same.

 

This is the fixlog.txt

 

Fix result of Farbar Recovery Scan Tool (x86) Version:05-03-2016 01
Ran by SYSTEM (2016-03-12 23:20:31) Run:1
Running from f:\
Boot Mode: Recovery
 
==============================================
 
fixlist content:
*****************
Start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
HKLM\...\Run: [combofix] => C:\ComboFix\Combobatch.bat [8272 2016-03-12] ()
HKLM\...\RunOnce: [combofix] => C:\ComboFix\CF15900.3XE /c C:\ComboFixCombobatch.bat
HKLM\...\runonceex: [flags] => 8
Winlogon\Notify\DfLogon: LogonDll.dll [X]
S3 catchme; \??\C:\Users\LIZA\AppData\Local\Temp\catchme.sys [X]
C:\ComboFix\Combobatch.bat
C:\ComboFix
C:\Users\LIZA\Downloads\ComboFix.exe
C:\Windows\PEV.exe
C:\Windows\MBR.exe
C:\Windows\NIRCMD.exe
C:\Windows\SWREG.exe
C:\Windows\SWSC.exe
C:\Windows\sed.exe
C:\Windows\grep.exe
C:\Windows\zip.exe
C:\ProgramData\msollju.exe
C:\Windows\MEMORY.DMP
 
End
*****************
 
Error: Restore point can only be created in normal mode.
EmptyTemp: => Error: This directive works only outside recovery mode.
CloseProcesses: => Error: This directive works only outside recovery mode.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\combofix => value removed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\\combofix => value removed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\runonceex\\flags => value removed successfully.
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\DfLogon" => key removed successfully.
catchme => service removed successfully.
C:\ComboFix\Combobatch.bat => moved successfully
C:\ComboFix => moved successfully
C:\Users\LIZA\Downloads\ComboFix.exe => moved successfully
C:\Windows\PEV.exe => moved successfully
C:\Windows\MBR.exe => moved successfully
C:\Windows\NIRCMD.exe => moved successfully
C:\Windows\SWREG.exe => moved successfully
C:\Windows\SWSC.exe => moved successfully
C:\Windows\sed.exe => moved successfully
C:\Windows\grep.exe => moved successfully
C:\Windows\zip.exe => moved successfully
C:\ProgramData\msollju.exe => moved successfully
C:\Windows\MEMORY.DMP => moved successfully
 
==== End of Fixlog 23:20:33 ====


#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,188 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:55 AM

Posted 12 March 2016 - 01:42 PM

What is the same problem, unable to get to normal mode or the problem you had before you ran the ComboFix?

 

Was there an Addition.txt file that was created by the Farbar tool.

 

Post it if you have it.



#5 syverttan

syverttan
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:55 PM

Posted 12 March 2016 - 01:58 PM

There is still the black screen with cursor when I start up; I can't get into normal mode. There is no Addition.txt file. What should I do next?



#6 syverttan

syverttan
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:55 PM

Posted 12 March 2016 - 02:00 PM

Isn't "C:\ProgramData\msollju.exe" a virus?



#7 nasdaq

nasdaq

  • Malware Response Team
  • 40,188 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:55 AM

Posted 12 March 2016 - 02:47 PM

Isn't "C:\ProgramData\msollju.exe" a virus?
 
Possibly. I removed it.
 
C:\ProgramData\msollju.exe => moved successfully
 
===
 
Temporarily disable your AV program so it does not interfere.
 
Download the Zoek tool from here
 
When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator 
(Give it a few seconds to appear.)
 
Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;
process; 
startupall; 
installedprogs;
firefoxlook; 
chromelook;  
srinfo; 
 
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.
 
When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.
 
Please attach the zoek-results.log in your reply.
 
Also, please provide an update on how the computer is behaving after running the above script.
 
===
 
It might be some help to me if you tell me why you executed the Combofix.
What was the problem?


#8 syverttan

syverttan
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:55 PM

Posted 12 March 2016 - 10:21 PM

Hello nasdaq,

 

The problem is I can't get into the desktop. It just stops after the Windows logo. I can't run the program since I cannot get to the desktop. After the Windows logo, it's just a black screen with a cursor. When I open Task Manager, there are only a few programs; even explorer.exe isn't running. When I try to run explorer.exe, it says I don't have permission.

 

I ran combofix.exe to scan my laptop for possible viruses/malware/trojan.



#9 nasdaq

nasdaq

  • Malware Response Team
  • 40,188 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:55 AM

Posted 13 March 2016 - 08:26 AM

Try to restore your computer to the last good configuration.
 
Power off the computer.
 
Power on the computer and hold the F8 key as your computer restarts.
 
On the Advanced Boot Options screen, use the arrow keys to highlight Last Known Good Configuration (advanced), and then press Enter.
 
Not sure if you need this information:
If your computer has more than one operating system installed, use the arrow keys to highlight the operating system that you want to start by using Last Known Good Configuration, and then press Enter. Windows will then resume starting normally.
 
How is the computer now?




