Author Topic: windows 7 ultimate - after malware, no icons, no right menu, no c-n-p, no profil  (Read 15214 times)


Offline obieephyhm

  • Newbie
  • *
  • Join Date: Dec 2020
  • Posts: 13
  • Karma: 0
  • klownwerkz.ink
    • View Profile
The details of how (stupidly) I got in this place aren't particularly relevant.  What's important is that I can't get into my studio computer for the last five days after I (again, stupidly) clicked something without paying attention to it and (according to Malwarebytes) got myself 4 PUMs and PUPs which have neutered my desktop in my profile.  Restoring the registry doesn't appear to help; I can't boot into anything without being forced into a default profile -- EXCEPT when I boot into my primary profile, where I get some sort of group policy error that flashes by; at least, it seems to be happening now where it wasn't at first.

The reason I stopped by here was my first tool of choice was to use Tweaking.com's Windows Repair Pro.  I was able (at first) to start it in my main user profile and then have it reboot into safe mode.  I tried to do a system restore (failed), a Permissions Restore (md4 fail) and a registry restore (didn't fail but didn't seem to do anything positive either).  Now I can't get it to run at all in safe mode because it gives me an 'invalid picture' error and terminates.

I can find all my programs and they mostly seem to run -- provided they aren't system tools.  I've run multiple anti-malware tools and the system appears free of the original miscreant but I can't find the key to undo the damage.

At this point, I can't see any of my desktop icons, I can't right click into the menu, I can't search for programs I know I have (but I can get to them, if I know where they reside).  My data appears intact.  I've serially tried different recommended fix programs which either 1) don't run because some asset appears to be blocked from access or 2) run but don't identify a problem in their scan.

I am not a beginner (okay, I've been doing pc stuff for about 40 years) but I'm older and more than a little frustrated at how the world currently is.  Crusty, some might call it.  Crabby might be a better word.  There's a lot of crap going on in my world that is doing a number on my PTSD and being denied access to my one solace left on this blinking planet has me at my wit's end.  If someone can coach me through what I need to do to fix this and get back in the studio to block out all the noise of the idiocracy we've descended into -- I'll be very grateful.

I'll try to attach a couple of logs that came from tools I tried to run after I couldn't work with tweaking.com's windows repair.
the original & oft maligned Retired Village Idiot

Offline Boggin

  • Global Moderator
  • Hero Member
  • *****
  • Join Date: Jul 2014
  • Posts: 10182
  • Location: UK
  • Karma: 122
    • View Profile
As you appear to have access to another machine, can you download and create a Kaspersky Rescue Disk to boot up with? -

https://support.kaspersky.com/viruses/krd18

While AdwCleaner is now part of MBAM and MBAM has found and removed PuPs and PuMs, running a scan with that may help to get your system back up.

https://www.malwarebytes.com/adwcleaner/

Can you boot into Safe Mode with Networking by tapping F8 as you switch on? I would advise running the scan in that mode.

As you have Win 7 Ultimate, do you also have an Ultimate install disk that you can boot up with?

If you have, boot up with that and navigate to the Install screen to select Repair your computer.

Select Command Prompt and enter these cmds -

bcdedit |find "osdevice"

For clarity, that is a Pipe symbol before find and is the uppercase of \

Using your partition letter instead of the x I have exampled, enter -

dism /image:x: /cleanup-image /revertpendingactions

Enter exit to close the cmd window and reboot.

If that doesn't improve things then reboot with your install disk to select the Command Prompt again and again using your partition letter instead of the x I have exampled, enter -

sfc /scannow /offbootdir=X:\ /offwindir=X:\Windows

to see what that reports.

As a final solution, I don't know if you will be able to do this but with Windows booted up, go Start - click on Computer - insert the install disk and double click on its drive.

This will start the process of a repair install which doesn't affect personal files or installed programs but you will need a valid retail key.

If you are using an OEM machine where Ultimate came pre-installed, then you can use the key on the COA Sticker.
« Last Edit: December 17, 2020, 05:12:40 am by Boggin »

Offline obieephyhm

I have already run MBAM; it identified and removed four instances of PUM.OptionDisableRightClick.  I have run it since, several times, and also run MSE and Superantispyware, and no additional infections have been found.  Removing the infection, however, doesn't appear to have fixed it.  I am downloading krd18 but it is a very slow download for me.  I am also downloading adaware.

I can boot into safe mode with (or without) networking. I have already tried running a system repair and, after several hours, it failed with no particular message as to why. I tried some things in the Repair Windows portion of  When the KSD and adaware get done, I'll put them into play and see what happens and, of course, let you know.  My copy of tweaking.com Windows Repair has ceased running in safe mode on the studio computer (as of yesterday) at least when I ran it through under my primary windows profile but that one no longer lets me log on (generates a Group Policy error).

I'll post an update as soon as possible but it will probably be a couple of hours.
the original & oft maligned Retired Village Idiot

Offline Boggin

When you say system repair - was that a repair install?

Does Event Viewer report anything specific?

Had you downloaded anything else to cause these problems?

When you're done with KRD18 and AdwCleaner, can you go Start - type msconfig and press enter when it comes up.

Under the Startup tab Disable all - Apply - OK - Restart.

If that doesn't improve things then go back into msconfig and under the Services tab, check the box to Hide all Microsoft services.

You must do this before hitting Disable all - Apply - OK -Restart.

With all of those disabled, this is known as a clean boot, although most of those wouldn't be loaded in Safe Mode.

Don't forget to try the sfc /scannow cmd if you have an install disk to boot up with.

Offline obieephyhm

When you say system repair - was that a repair install?

Not an install -- after using windows repair to attempt a restore point and that restore point failed, it came up with an option to attempt to repair the system (I don't remember the precise wording but I believe it is also available with an F8 restart).

Does Event Viewer report anything specific?

I didn't see anything that appeared significant but I can look again, if you think it will help.

Had you downloaded anything else to cause these problems?

Absolutely not.

I am preparing to go try to follow your earlier instructions now -- it took some time to find the install disk I made some years ago.
the original & oft maligned Retired Village Idiot

Offline Boggin

If you didn't have an install disk I could have burned you a couple of Universal install disks.

The ISO was originally for Pro but when you remove the eicfg file, it converts it to a Universal disk which covers from Basic to Ultimate.

Offline obieephyhm

I did the adaware and ksd. Adaware found and removed several items in the registry but it made no difference to my inability to log on to my profile (still blocked by some sort of group policy failure).  KSD doesn't appear to be doing anything at all -- I boot with the disk I made and do the start up then the screen goes blank and stays that way for hours on end.  I let it go five hours before I forced a reboot.

Windows Repair still errors out with 'invalid picture' -- I looked for a solution to the problem but one doesn't appear to exist.

I have not yet tried to run my recovery disk from my original install years ago and it's getting late and my frustration index is now off the chart.  Everything I need is there but I can't access it.  I don't have much hope that I'm finding the key to solving this problem.

I booted from my ksd disk and am letting it run overnight.   It doesn't, at the moment, appear that I'm getting anywhere.  If ksd is still blank in the morning, I'll kill it and load my W7 repair disk.  Since that fails when run at the safe-mode startup screen, I have my doubts that it will run with the disk but I could be wrong and it is certainly worth a shot. 

I'm surprised that no one has a quicker fix for this.  But, I'll continue to work the problem tomorrow.
« Last Edit: December 19, 2020, 04:38:07 pm by obieephyhm »
the original & oft maligned Retired Village Idiot

Offline Boggin

My KRD is v10 as I've had it a while but I've created a new one with v18 and booted with it on my Win 7 laptop.

It seems to work a lot differently to v10, as once you have pressed enter on the default language and graphics mode, it loads the files.

Accepting the T&Cs it went into the Initialization mode and has completed the scan with nothing found.

I'm puzzled that you mention safe mode as you shouldn't be anywhere near that when booting up any disk.

Tap F12 as you switch on, use the cursor keys to select the DVD drive, insert the disk and press enter.

Is your Win 7 disk an Ultimate install disk or just a System Repair disk?

You will need an Ultimate install disk to perform what I've advised.

If your disk is just a system repair disk then private message me with your address and I'll send you a couple of Universal Win 7 x64 or x32 disks.

Let me know if you are using an x64-bit or x32-bit system.

To see if these cmds will resolve the invalid picture error, run a Command Prompt as an admin by going Start - type cmd then right click on it when it comes up and select Run as administrator then enter chkdsk /r

Follow the prompts and reboot to allow it to run.

When it has rebooted on completion, open Event Viewer by going Start - type event viewer and press enter when it comes up.

When it has read the data, expand Windows Logs - click on Application/Action/Find and type chkdsk into the Find box and press enter.

Cancel the Find box and read the log in the scrollable pane below.

Primarily you are looking to see if it reports any KBs in bad sectors.

If it does then it's advisable to create a system image onto external media immediately in preparation for full HDD failure.

If that comes back clean then run a cmd prompt as an admin again and enter sfc /scannow to see what it reports.

It can either report that it has repaired corrupt files, repaired some but not others or that it found no integrity violations.

If that comes back clean then try the Windows Repair program again, but let me know if the scan reports other than no integrity violations.
« Last Edit: December 20, 2020, 04:06:50 am by Boggin, Reason: Typos »

Offline obieephyhm

It is a system repair disk from 2014.  I'm running x64. I have, thus far, been unable to locate either my original install disk or the authorization code (which, if I remember right, I put with the disk).  I can find two unused copies of windows 7 pro which I bought when the world went to W8 then 10 but I was unable to purchase a backup for my ultimate at that time.

I attempted the instructions in your original post but everything ends in an error message so I'm either doing it wrong or it isn't doing what it should.  Either is possible.

I read up on the problem with the group policy error and seem to have traced it to a corrupt NTuser.dat in the user profile that doesn't work.  I can force the system to rebuild it and when it does, I can log on to my user profile but it's not right.  I can start Windows Repair and it runs but if I boot to safe mode, I can no longer run Windows Repair and then the NTuser.dat gets corrupted again.

I will have to come back to this tomorrow as I've been working on it for 10 hours and just keep going in circles.
the original & oft maligned Retired Village Idiot

Offline Boggin

If you can find your Ultimate disk or product key you can create a copy of the Ultimate install disk by downloading the ISO from - https://www.microsoft.com/en-gb/software-download/windows7

But you would need the product key to authorise the download.

Re my reply to your private message, I can send you a couple of Universal install disks to perform the dism and sfc cmds.

A repair install may be better but you would need your product key for that.

A repair install doesn't affect your personal files or installed programs.

Offline obieephyhm

I'm afraid I have some trouble navigating this forum and it delays my response to you.  It is probably right in front of me but I have been unable to see how to PM you the information you requested.  It may not be entirely necessary but you can decide if you read the following.  I posted the following just moments ago on another site from which I solicited help.  It is the current status of how things are with my DAW.

---------------

Update:


Over the holiday period, I have worked with BleepingComputer.com and Tweaking.com (author of Windows Repair or WR, for short) attempting to get my beloved (and rapidly becoming necessary) DAW back into production-level capability. There were a lot of frustrating cycles of trying things and basically getting nowhere, doing hours and hours of online searching trying to find a clue and working with suggestions I got here.

There have been partial successes.  After checking for possible disk errors, I located what I believe to have been the primary problem with being unable to log into my preferred Win7 user account as being corrupt ntuser.* files.  I do now know that there are no hardware issues on the drives, as I can test them.  I do not know if the corruption is the result of the malware or from various aborted attempts to get the machine/profile operational again -- or some combination therein.  In the end I removed these (carefully archiving them beforehand just in case) and, after a couple of attempts, got back to being able to log on.  I then set about to restore my icons and arrange my desktop.

This led to the second set of problems involving getting icons to be visible and, after much research and looking at windows explorer settings and registry entries, I went back to my tool of choice, WR, but there, again, I ran into problems because the program would periodically fail to run with an error message of 'invalid picture', particularly in either standard or safe mode in my preferred user profile.  Research seemed to indicate this was due to changes made to access rights -- which can be corrected with a repair option inside Windows Repair but I couldn't run it from within my profile.  I could, however, run it from within the administrator or my secondary administrator (created years ago when I had to do repairs from having gotten a root-type virus).  Also, I found that WR would seem to run better from a normal startup than from trying to use it in safe mode.  But most icons got restored, although several of them had their program pointers reset to a disk drive letter that hasn't existed in this system since I upgraded my 'c' drive to being an SSD (four to six years ago?), but I can edit them and they find the right icon.  A bit tedious but at least my desktop begins to get back its former appearance.

I may not have done this all as the experts might have preferred but I had to get something going or go into a depression that would make a hurricane look like a spring shower.
In any case, I can routinely log into my preferred profile and most programs appear to run although, my testing hasn't been extensive.   However, not all is yet right with the world because, at this point, the remaining issues are not trivial and could be from either the malware infection, the corrupt ntuser.* issue or things being set back to 'default' (from a Win7 standpoint) which keeps the most pressing problems at hand.  They are:

1) unable to restore from any backups made.
2) unable to make and then reuse a Restore Point
3) unable to update Win7x64 (regardless of profile used to log in)
4) unable to install software (regardless of profile used to log in)
5) unable to update installed software (ditto)

Of these, 3, 4 and 5 most concern me but I'm thinking that if I can find what's wrong with the last three, the first two might come along for the ride, so to speak.  Or maybe it's the other way round.

So, I put this out here so you know the current status and that those here might be able to make useful suggestions to resolve the remaining issues.
the original & oft maligned Retired Village Idiot

Offline obieephyhm

Additional searching and attempting different things finds me scratching my head more and more (as if balding weren't bad enough) --

1) Does anyone know why I would have a file "00000000.0x0" dated 1/11/2060?

2) I have some user names/groups under the securities tab that I don't recognize.  When I attempt to use the MMC to access Local Security Policy, I get "an attempt was made to reference a token that does not exist".  In searching for ways to fix that, I find basically the same solution everywhere (relink DLL files), which doesn't work -- it errors out with a file not found message.  I attempted to dump the dll file listing to a bat file but the file never gets created nor is there any error message that I can find.
the original & oft maligned Retired Village Idiot

Offline obieephyhm

Okay, I found the CBS log from running the SFC.  How do I interpret the results -- it does end by saying that it found corrupt files but was unable to fix some of them.
the original & oft maligned Retired Village Idiot

Offline Boggin

A repair install or clean install would be required to resolve the sfc /scannow report but you will need your Ultimate product key.

If you are still unable to find it then there's a program called Keyfinder Plus.

https://www.top-password.com/knowledge/find-windows-7-ultimate-product-key.html

Keyfinder Plus isn't a free program but this article lists some that are - https://answers.microsoft.com/en-us/windows/forum/windows_7-windows_install/lost-windows-7-ultimate-key/0692e327-2227-44e2-9f42-9f1033ddbe28

Make a note of it.

I've received your PM with your address - do I add USA to the bottom of it?

I'll burn you a couple of Win 7 x64 Universal install disks and post them to you on Monday.

I don't think booting up with the install disk, navigating to the Install screen to select Repair your computer, selecting Command Prompt and entering these cmds would do it but you could give that a try prior to performing a repair install.

bcdedit |find "osdevice"

For clarity, that is a Pipe symbol before find and is the uppercase of \

Using your partition letter instead of the X I have exampled, enter -

sfc /scannow /offbootdir=X:\ /offwindir=X:\Windows

Enter exit to close the cmd window, remove the install disk and restart.

You could then perform an sfc /scannow in normal mode to see if it still reports the same corruption.

If it does then you would need to perform a repair install.

If your programs still don't work properly after the repair install then you would need to reinstall them.
« Last Edit: January 09, 2021, 03:10:39 pm by Boggin »
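To answer the earlier question about reading the CBS log, here is an added example (not from either poster, and not part of Windows or of Tweaking.com's Windows Repair): a PowerShell 2.0-compatible script that pulls the [SR] entries sfc /scannow writes to CBS.log, keeps only the most recent scan, and lists the files sfc could not repair together with the reason it logged. It assumes the default log location and an elevated prompt; the report path on the desktop is just a chosen default.

```powershell
# Added example: summarise the last sfc /scannow run from CBS.log.
# Assumes the default log location and an elevated PowerShell prompt,
# because the CBS folder is not readable by a standard user on Win 7.
param(
    [string]$LogPath    = (Join-Path $env:windir 'Logs\CBS\CBS.log'),
    [string]$ReportPath = (Join-Path $env:USERPROFILE 'Desktop\sfcdetails.txt')
)

if (-not (Test-Path -LiteralPath $LogPath)) {
    Write-Error "CBS log not found at $LogPath"
    exit 1
}

# CBS.log is shared with Windows Update and servicing; only [SR] lines come from sfc.
$sr = @(Get-Content -LiteralPath $LogPath | Where-Object { $_.Contains('[SR]') })
if ($sr.Count -eq 0) {
    Write-Output 'No [SR] entries found; sfc /scannow has not written to this log.'
    exit 0
}

# The log accumulates across runs, so keep only the most recent scan:
# everything from the last "Beginning Verify and Repair transaction" marker on.
$start = 0
for ($i = 0; $i -lt $sr.Count; $i++) {
    if ($sr[$i] -match 'Beginning Verify and Repair transaction') { $start = $i }
}
$sr = @($sr[$start..($sr.Count - 1)])

# sfc writes file names as [l:24{12}]"name.dll"; capture the quoted name.
$namePattern  = '\[l:\d+\{\d+\}\]"([^"]+)"'
$cannotRepair = @{}   # file name -> reason sfc gave
$repaired     = @{}   # file names later restored from the component store

foreach ($line in $sr) {
    if (-not ($line -match $namePattern)) { continue }
    $name = $Matches[1]
    if ($line.Contains('Cannot repair member file')) {
        # The reason (e.g. "hash mismatch", "file is missing") follows "in the store, ".
        $reason = 'reason not stated'
        if ($line -match 'in the store, (.+)$') { $reason = $Matches[1].Trim() }
        $cannotRepair[$name] = $reason
    } elseif ($line.Contains('Repairing corrupted file')) {
        $repaired[$name] = $true
    }
}

# A name that also has a "Repairing corrupted file" entry was restored from the store;
# only names with no such entry are the ones this scan really could not fix.
$stillBroken = @($cannotRepair.Keys | Where-Object { -not $repaired.ContainsKey($_) } | Sort-Object)

$report  = @()
$report += ('[SR] lines examined (last scan): {0}' -f $sr.Count)
$report += ('Files repaired from the component store: {0}' -f $repaired.Count)
$report += ('Files sfc could not repair: {0}' -f $stillBroken.Count)
foreach ($name in $stillBroken) {
    $report += ('  {0}  ({1})' -f $name, $cannotRepair[$name])
}
$report | Set-Content -LiteralPath $ReportPath
$report
```

Save it as a .ps1 file and run it from an elevated prompt with `powershell -ExecutionPolicy Bypass -File <path>`, since Win 7's default policy blocks scripts; the names it lists are the ones a repair install is expected to replace.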

Offline obieephyhm

Truly, a repair install would be the only viable option -- the DAW is a complex intermix of years of accumulated music production/instrument/utility software that takes several months to even begin to re-install and re-integrate from scratch and I've done it too many times over the years when I was far better mentally equipped than I am at my current age/health.  So this is to be vastly preferred, if there is no other way to repair the damage.  I will do my best to give you the information you require but, in the interest of full disclosure, we have a pending death in the family that may intrude on your efforts to help me in the short run.

Bear in mind, regardless of whether I can locate my original W7x64 ultimate key (and, thus far, I've been entirely frustrated in my attempts to find it) I **do have** two unused/uninstalled W7x64 Pro disks with keys that I purchased as backups (being unable at the time to acquire Ultimate disks) which can be used instead (I think; I prefer Ultimate but only because that's what I'm used to) so long as that doesn't interfere with what you intend to send to me.

Yes, USA is the country.

Also, you should pm me about how I can reimburse you for your trouble and expense.
the original & oft maligned Retired Village Idiot

Offline Boggin

I'm sorry to hear about the pending death in your family - you can carry out your computer repairs whenever it is convenient to you.

I'll still be here for any additional help you may require.

There'll be no charge for the disks as the postage costs are minimal.

The original ISO was for Pro but with the eicfg file removed, it covers from Basic to Ultimate so should pick up your version of Windows and the product key when entered will validate it as Ultimate.

For some reason they fail to complete a repair install on my Toshiba Win 7 x64 Home Premium laptop but other forum members have successfully used the disks to perform a repair install.

There is another free program which may be better to obtain your product key and that is Speccy.

It's listed as Serial Number when you click on Operating System when it has finished analysing.

https://www.ccleaner.com/speccy/download

The alternative to a repair install which may resolve is the sfc /scannow as I've described when you boot up with the install disk.

Offline Boggin

I was able to perform a repair install on my Win 7 machine yesterday - I think previously I must have been using a pro disk without the eicfg file removed.

On this occasion I was given an option to select the version I wanted to repair.

However, on completion I was prompted to reinstall .NET Framework v4.0 although none of the others who have used my disks had reported any problems.

Don't forget to use the free version of Speccy to obtain your product key.

Offline obieephyhm

I forgot about Speccy (smacks forehead) - I have it loaded in my utilities section.  So I have recovered it; although, I still like to know where I put my original disk and key.....

The family death occurred yesterday late afternoon so, by the time I got back it was late and I didn't really feel like working on anything.  I have taken this morning off from my usual routines so I'm going to re-try loading the windows disk I have and seeing if the sfc will work (different disk than I tried before; this disk appears to be my original backup clone of the disk I can't find but the notes on it appear to date it to when I would have done something like this before).  In any case, I have a few hours to use before I have to go off and do family stuff.

If anything major happens, I'll drop you a note.
the original & oft maligned Retired Village Idiot

Offline Boggin

Again, my condolences for your recent bereavement.

I sent those Universal install disks off to you today, but if you already have an Ultimate install disk then you can boot up with it and perform the sfc /scannow cmd as I've described and if that doesn't resolve then perform a repair install.

Offline obieephyhm

Okay, things got weirder.  I ran Speccy and it worked but I was pressed for time so didn't bother to copy the output, assuming I could do it the next day when I had more time.  The next day, the program wouldn't run and I attempted to reinstall it -- which also didn't work.  In your list of key-readers, is there any that can run in a portable fashion?
the original & oft maligned Retired Village Idiot

Offline Boggin

Have you received the install disks I've sent you?

For finding your product key see if you can download the free version of Magic Jelly Bean - https://www.magicaljellybean.com/keyfinder/

I don't know why Speccy should have stopped working as it did.

Have you checked to see if Speccy will work in Safe Mode?
« Last Edit: January 16, 2021, 03:54:14 pm by Boggin, Reason: Bad Link »

Offline obieephyhm

As of yesterday (which was a postal holiday here, I think) I have not.  I have to go out in a bit and will check today's mail.

I now have the jellybean software and am heading into the studio to try it out.

I don't know either -- and I do wish I had taken the time to save the output -- but the safe mode idea didn't occur to me and it's worth a try if the jellybean does it.

One way or another I'm gonna beat this machine back into functioning order . . . I hope . . .
the original & oft maligned Retired Village Idiot

Offline Boggin

Well hopefully the repair install will resolve.