
Win 10 Startup items


7 replies to this topic

#1 MetalHead22

Posted 31 August 2016 - 04:14 PM

Hi,

Clicked on something that I shouldn't have and spent the next 3 hours looking for and deleting suspicious files and run items in the registry.

Malwarebytes removed a bunch of items including one random.exe from //appdata/Roaming.

Neither Malwarebytes nor the Sophos free scanner show any threats at present.

However Win 10 Task manager showed one and now two startup items which are unidentified.

 

Name "Program", Publisher is blank. It was enabled; I disabled the first one, and now I have two. I've disabled the second one; I suspect tomorrow I'll have a third.

Right clicking Program gives me no file location and no properties.

I don't have another Win 10 installation to compare this to, and don't know if I should be concerned.

I've searched the registry for every instance of 'run' and find nothing that jumps out at me as suspicious.

Thanks for any help.

 





#2 JohnC_21

Posted 31 August 2016 - 04:35 PM

You may want to download and run AutoRuns and look for anything suspicious. 

 

https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

 

You can check the items with Virustotal.

 

http://news.thewindowsclub.com/sysinternals-autoruns-introduces-virustotal-integration-71096/

 

Also check out this mini-guide. 

 

http://www.bleepingcomputer.com/forums/t/617232/use-process-explorer-to-identify-malware-infection/
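As an added illustration of the advice above (this is my own example script, not a Sysinternals tool and not code from this thread), here is a read-only PowerShell inventory of the most common autostart locations: the Run/RunOnce registry keys and the two Startup folders. It resolves each entry to a file on disk, reports whether that file is missing or unsigned, and prints a SHA-256 that can be looked up on VirusTotal. It deletes and disables nothing. The registry paths and folder names are standard Windows locations; everything else (function names, the flag labels) is my own choice.

```powershell
# Added example, not from the thread: read-only inventory of common autostart
# entries. Nothing here modifies the registry or the file system.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

function Resolve-CommandPath {
    # Extract the program from a Run-value command line. Handles "quoted
    # paths", %ENV% variables, unquoted paths that contain spaces, and bare
    # names such as rundll32 that are found through PATH.
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if (-not $cmd) { return $null }
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    $parts = $cmd -split ' '
    # Unquoted path with spaces: the longest leading run of tokens that is a file.
    for ($i = $parts.Count; $i -ge 1; $i--) {
        $candidate = $parts[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    $first = $parts[0]
    if ($first -and -not $first.Contains('\')) {
        $found = Get-Command $first -CommandType Application -ErrorAction SilentlyContinue
        if ($found) { return ($found | Select-Object -First 1).Source }
    }
    return $first
}

function Get-AutostartReport {
    # Collect Run/RunOnce values via the RegistryKey API so the PS* metadata
    # properties Get-ItemProperty adds never show up as fake entries.
    $entries = @(foreach ($key in $runKeys) {
        if (Test-Path $key) {
            $item = Get-Item $key
            foreach ($name in $item.GetValueNames()) {
                [pscustomobject]@{ Source = $key; Name = $name; Command = [string]$item.GetValue($name) }
            }
        }
    })
    $entries += @(foreach ($folder in $startupFolders) {
        if (Test-Path $folder) {
            foreach ($f in Get-ChildItem -LiteralPath $folder -File | Where-Object Name -ne 'desktop.ini') {
                $target = $f.FullName
                if ($f.Extension -eq '.lnk') {   # follow shortcuts to their real target
                    $target = (New-Object -ComObject WScript.Shell).CreateShortcut($f.FullName).TargetPath
                }
                [pscustomobject]@{ Source = $folder; Name = $f.Name; Command = $target }
            }
        }
    })

    foreach ($e in $entries) {
        $path   = Resolve-CommandPath $e.Command
        $exists = [bool]$path -and (Test-Path -LiteralPath $path -PathType Leaf)
        $sig = 'n/a'; $publisher = ''; $hash = 'n/a'
        if ($exists) {
            $s = Get-AuthenticodeSignature -LiteralPath $path
            $sig = [string]$s.Status                      # Valid, NotSigned, HashMismatch, ...
            if ($s.SignerCertificate) { $publisher = $s.SignerCertificate.Subject }
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash   # paste into VirusTotal search
        }
        $flag = ''
        if (-not $exists)         { $flag = 'MISSING TARGET' }
        elseif ($sig -ne 'Valid') { $flag = 'UNSIGNED/INVALID' }
        [pscustomobject]@{
            Flag = $flag; Name = $e.Name; Target = $path; Signature = $sig
            Publisher = $publisher; SHA256 = $hash; Source = $e.Source
        }
    }
}

Get-AutostartReport | Sort-Object Flag -Descending |
    Format-Table Flag, Name, Target, Signature, Publisher, SHA256 -AutoSize
```

Run it from an elevated PowerShell prompt. An entry whose target is reported MISSING is the usual reason Task Manager's Startup tab shows a bare "Program" with an empty Publisher: the Run value still exists but the file it points to (often something a cleaner already removed) does not, so there is no file location or properties to show. UNSIGNED/INVALID only means no valid embedded Authenticode signature was found; plenty of legitimate software is shipped unsigned, so the hash lookup and the file's location are what to judge by, not the flag alone. This script covers only Run keys and Startup folders; Autoruns checks far more locations (services, drivers, scheduled tasks, Winlogon, KnownDLLs and so on), which is also why it lists many Windows components that must not be removed.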



#3 MetalHead22 (Topic Starter)

Posted 01 September 2016 - 08:44 AM

Well, that didn't go well.

Downloaded Sysinternals and it showed about what I expected. Lots of stuff I expected, and a few remnants seeming to point to deleted viruses.

However, hiding Microsoft stuff and enabling checking with the 3rd-party web site continued to highlight in red a bunch of files with the name wow64. Well, WOW does sound like some sort of advertising hype, so I started deleting the entries. But then I noticed that there were some wow files which were considered safe, so I figured that I had better investigate further.

Oops, Wow64 files are what run 32-bit applications on the 64-bit OS.

Now I've screwed it all up and it won't boot even in safe mode.

Of course, since this was an unwanted Win10 upgrade from 7, I have no install discs. (Came in one day and it was updating on its own. I think Microsoft has since changed the policy on that.)

I hope I can recover without much loss.

I'll plug the OS disk into another system and back up all my documents. Data is mostly on other discs.

A little knowledge can be dangerous.



#4 JohnC_21

Posted 01 September 2016 - 11:22 AM

If you have a Windows 7 install disk then boot it up and select Repair Computer in the lower left. Do a System Restore to a date before you erased the files.

 

If this is an OEM computer and the factory recovery partition is intact you can revert to Windows 7 or do a clean install of Windows 10 using the media creation tool.

 

What is the make and model of the computer? Do you still need data off the computer?

 

A clean install after your infection would be best.


Edited by JohnC_21, 01 September 2016 - 11:24 AM.


#5 usasma

Posted 01 September 2016 - 04:38 PM

You can also attempt to repair W10 using the download of the Media Creation Tool and W10 ISO from this link: https://www.microsoft.com/en-us/software-download/windows10/

 

Try the repairs in this order:

NOTE: Try a clean boot to see if the problem clears up that way: http://www.thewindowsclub.com/what-is-clean-boot-state-in-windows
If it does, then different troubleshooting steps are called for.

Here are some repair/recovery/restore options (in this order):

1 - Startup Repair. Run it 3 times, rebooting in between tries.

2 - System Restore to a point before this started happening.

3 - DISM/SFC repair (DISM doesn't work with W7, although SFC does) - doesn't work if you're not able to boot to Windows (let me know and I'll post a way to do it from Startup Repair)

    Then please run the following DISM commands to see if there are any problems with the system (from an elevated (Run as administrator) Command Prompt). Press Enter after typing it:

    Dism /Online /Cleanup-Image /RestoreHealth

    FYI - I have repaired systems using the last command even though problems weren't found with the first 2 - so I suggest running them all.

    From this article: http://technet.microsoft.com/en-us/library/hh824869.aspx

    You can also run sfc.exe /scannow from an elevated (Run as administrator) Command Prompt to check for further corruption. Include the CBS log (located at C:\Windows\Logs\CBS\CBS.log) if you'd like to have a Windows Update expert check it (I don't check them because I can't read them)

4 - RESET using the "Keep My Files" option (W8 calls this a REFRESH; W7 and earlier don't have this function)

5 - Repair install of the OS (Thanks to FreeBooter!):

    "How To Perform a Repair Installation For Windows 8, 8.1 and 10"
    https://www.winhelp.us/non-destructive-reinstall-of-windows-8-and-8-1.html

    "How to Do a Repair Install to Fix Windows 7"
    http://www.sevenforums.com/tutorials/3413-repair-install.html

    "How To Perform a Repair Installation For Vista"
    http://www.vistax64.com/tutorials/88236-repair-install-vista.html

    "Non-destructive reinstall of Windows XP"
    https://www.winhelp.us/non-destructive-reinstall-of-windows-xp.html

6 - RESET using the "Remove Everything" option (W8 calls this a RESET; W7 and earlier don't have this function)

    If using W7 or earlier, this can be accomplished by resetting the system by use of the recovery partition/recovery disks/recovery drive.
    If you don't have them, you can usually order them from the OEM manufacturer of your system (US points of contact here: http://www.carrona.org/recdisc.html)

7 - Wipe and reinstall from the Recovery Partition (if so equipped)

8 - Wipe and reinstall from Recovery Media - to include deleting all partitions.
    If you don't have them, you can usually order them from the OEM manufacturer of your system (US points of contact here: http://www.carrona.org/recdisc.html)

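The post above asks for the CBS log without saying how to read it. As an added example (my own script, not from this thread and not a Microsoft tool), the PowerShell below pulls out the lines System File Checker writes to CBS.log, which SFC tags with "[SR]", and summarises which components were verified, which files were repaired, and which could not be repaired and why. The log lines embedded in the script are constructed to mimic the real CBS.log layout so it runs without a real log; the file names and reasons in them are made up for the demonstration. Point -LogPath at the real file on your own machine.

```powershell
# Added example, not from the thread: summarise SFC's "[SR]" lines in CBS.log.
# The sample lines at the bottom are constructed, not copied from a real log.

function Get-SfcSummary {
    param(
        [string[]]$Lines,      # log content already in memory
        [string]$LogPath       # or a path, e.g. C:\Windows\Logs\CBS\CBS.log
    )
    if ($LogPath) { $Lines = Get-Content -LiteralPath $LogPath }
    $sr = @($Lines | Where-Object { $_ -match '\[SR\]' })

    # Components SFC checked: "[SR] Verifying 100 (0x0000000000000064) components"
    $verified = 0
    foreach ($l in $sr) {
        if ($l -match '\[SR\] Verifying (\d+) ') { $verified += [int]$Matches[1] }
    }

    # Files SFC could not fix:
    # "[SR] Cannot repair member file [l:18{9}]"wow64.dll" of <component>, ..., <reason>"
    $unrepaired = @(foreach ($l in $sr) {
        if ($l -match '\[SR\] Cannot repair member file \[[^\]]*\]"(?<file>[^"]+)" of (?<comp>[^,]+)') {
            [pscustomobject]@{
                File      = $Matches.file
                Component = $Matches.comp
                Reason    = ($l -split ',\s*')[-1].Trim()   # e.g. "file is missing", "hash mismatch"
            }
        }
    })

    # Files SFC restored: "[SR] Repaired file ...\[l:24{12}]"wow64cpu.dll" by copying from store"
    # The file name is the last quoted token on the line.
    $repaired = @(foreach ($l in $sr) {
        if ($l -match '\[SR\] Repaired file ') {
            $quoted = [regex]::Matches($l, '"([^"]+)"')
            if ($quoted.Count -gt 0) { $quoted[$quoted.Count - 1].Groups[1].Value }
        }
    })

    $verdict = if ($sr.Count -eq 0) { 'no SFC run recorded in this log' }
               elseif ($unrepaired.Count -gt 0) { 'corruption SFC could not repair (run DISM /RestoreHealth, then SFC again)' }
               elseif ($repaired.Count -gt 0) { 'corruption found and repaired' }
               else { 'no integrity violations' }

    [pscustomobject]@{
        ComponentsVerified = $verified
        Repaired           = $repaired
        Unrepaired         = $unrepaired
        Verdict            = $verdict
    }
}

# Constructed sample lines in the CBS.log layout (not taken from a real log).
$sample = @(
    '2016-09-01 16:40:12, Info                  CSI    00000006 [SR] Verifying 100 (0x0000000000000064) components',
    '2016-09-01 16:40:13, Info                  CSI    00000007 [SR] Beginning Verify and Repair transaction',
    '2016-09-01 16:40:15, Info                  CSI    00000008 [SR] Cannot repair member file [l:18{9}]"wow64.dll" of Microsoft-Windows-WOW64-Core, Version = 10.0.10586.0, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing',
    '2016-09-01 16:40:16, Info                  CSI    00000009 [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:24{12}]"wow64cpu.dll" from store',
    '2016-09-01 16:40:16, Info                  CSI    0000000a [SR] Repaired file \??\C:\Windows\System32\\[l:24{12}]"wow64cpu.dll" by copying from store',
    '2016-09-01 16:40:20, Info                  CSI    0000000b [SR] Verify complete'
)

Get-SfcSummary -Lines $sample | Format-List
# On a booted machine:  Get-SfcSummary -LogPath 'C:\Windows\Logs\CBS\CBS.log'
```

With the sample input the summary reports 100 components verified, wow64cpu.dll repaired, and wow64.dll unrepaired with reason "file is missing", so the verdict is the DISM-then-SFC one. Two things worth knowing when reading a real log: SFC repairs from the component store, so a "Cannot repair" list is the sign that the store itself needs DISM /RestoreHealth before SFC can succeed; and SFC only covers protected system files, so registry entries removed with Autoruns (the KnownDLLs and other entries that point at system files) are outside its reach and will not appear here. When the system will not boot, the log sits on the offline volume (D:\Windows\Logs\CBS\CBS.log if the installation was mounted as D: from the install media), and SFC can be aimed at that volume with sfc /scannow /offbootdir=D:\ /offwindir=D:\Windows.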

#6 MetalHead22 (Topic Starter)

Posted 01 September 2016 - 10:31 PM

Win 10 attempts to start but never does. It says that startup files are corrupt and need to be repaired.

It is unable to repair on its own.

Again, what I did was delete some registry items which I should not have done.

Microsoft's own tool Sysinternals flagged the files as unsafe. I suspect it hasn't been updated for Win 10.

I'm hoping just doing a restore from the last restore point will cure it. But I'm unclear how far back that may take me.

I think I'll install the drive as a slave in another system and copy a bunch of stuff off before I attempt that.

If that doesn't work maybe I'll create the ISO, and hope it has a good repair option. I think that really all that is missing is a few ..wow64.dll files.

DISM, which I'd never heard of, looks interesting, but the link provided says it is only through Win 8.1

The OS hard disc which is corrupt is an SSD which I just installed a month or so ago. I ran all day with the original hard drive (Win7) which I'd kept as backup.

Thanks for the ideas.



#7 opera

Posted 02 September 2016 - 12:31 AM

Quoting MetalHead22:

    DISM, which I'd never heard of, looks interesting, but the link provided says it is only through Win 8.1

 

That link was from an old archived page before Win 10 was released.

 

Dism does work for Windows 10.

 

Right click on cmd prompt and run as admin (important that it is run as admin)

 

Dism /Online /Cleanup-Image /RestoreHealth 


Edited by opera, 02 September 2016 - 12:32 AM.


#8 MetalHead22 (Topic Starter)

Posted 04 September 2016 - 07:09 PM

So far.

Startup repair multiple times, unable to repair.

Can only get to the DOS prompt. Can't boot any safe mode.

Running from ISO DVD which I created with the Microsoft tool:

DISM /image D:\ /cleanup /scanhealth toils away for 10 minutes or so and returns saying no problems found.

Dism /Online doesn't work, as it seems to be trying to analyze the WIN CE image on the DVD and says that is not a valid task.

Bought another SSD and cloned my bad image.

Did a 'repair install' of Win 10. That works, but you lose all your installed programs. All 65 of them in my case.

The other thing it doesn't tell you is that you lose all your /user/... / appdata/ files associated with the installed programs.

So in the case of Thunderbird, you lose all your emails.

I tried copying all the files from the good install to the bad install in the windows/syswow64 directory. All 3000 of them.

Some of those were ones I deleted using Sysinternals. So it probably won't boot since the registry is screwed up. The other possibility is that the ISO is a different version than I was running. I could scan my new good install with Sysinternals and write down the 30 or so registry entries that it flags and try to recreate them, but that seems like a lot of work for questionable results.

For now I'm running my old Win7 from a few months ago.  If I copy my email and some documents over I should be about back to where I was.

There are a few things I really liked about Win 10, but as I once read, it isn't an operating system so much as an advertising delivery system.

So I'll see how much I miss.

Thanks for your help.





