virus please help [Solved]



#1 [email protected] (Member, 24 posts)

G'day, I'm pretty sure I have a virus. It started with Defender turning off, but I can't turn it back on unless I update it, but it won't update. I then started getting the 'internet has stopped working' / 'checking for solution' message. I then tried using removal programs (I think the virus knows the programs by name) but they won't run.

It really went off once I logged onto your site and would only give me a few seconds logged in before running the error message (internet not working) and dropping me out; it even started removing the history of pages I had visited on your site. I had to edit my messages to be able to type something in them, even in safe mode.

Please help if you can.

Couldn't paste from Farbar.

Attached file: FRST.txt (58.27KB)

Edited by [email protected], 11 October 2015 - 05:05 AM.




#2 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Could you let me know if Defender starts after this reboot?

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open Notepad and copy/paste the text in the quote box below into it:
 

CreateRestorePoint:
HKU\S-1-5-21-1981917376-2246582273-1654750903-1000\...\Run: [BackUp3492448012] => C:\Users\martin\AppData\Roaming\BackUp3492448012.exe
Toolbar: HKU\S-1-5-21-1981917376-2246582273-1654750903-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
S3 BS3492448012; \??\C:\Users\martin\AppData\Local\Temp\NTFS.sys [X]
2015-09-17 18:12 - 2015-10-10 19:08 - 00000446 _____ C:\Users\martin\AppData\LocalLow\L3492448012
2015-09-17 18:12 - 2015-09-17 18:12 - 00479232 _____ C:\Users\martin\AppData\LocalLow\1240660.tmp.exe
2015-09-17 18:12 - 2015-09-17 18:12 - 00003758 _____ C:\Users\martin\AppData\LocalLow\1236775.tmp
2015-09-17 18:12 - 2015-09-17 18:12 - 00000440 _____ C:\Users\martin\AppData\LocalLow\1254294.tmp
2015-09-17 18:12 - 2015-09-17 18:12 - 00000432 _____ C:\Users\martin\AppData\LocalLow\1250675.tmp
2015-09-17 18:12 - 2015-09-17 18:12 - 00000371 _____ C:\Users\martin\AppData\LocalLow\1239225.tmp
2015-09-17 18:12 - 2015-09-17 18:12 - 00000028 _____ C:\Users\martin\AppData\LocalLow\1233858.tmp
2015-09-17 18:03 - 2015-05-02 11:29 - 00000000 __SHD C:\Users\martin\AppData\Local\EmieBrowserModeList
2015-09-17 18:03 - 2014-05-24 13:57 - 00000000 __SHD C:\Users\martin\AppData\Local\EmieUserList
2015-09-17 18:03 - 2014-05-24 13:57 - 00000000 __SHD C:\Users\martin\AppData\Local\EmieSiteList
2015-09-17 18:02 - 2015-05-02 11:25 - 00000000 __SHD C:\Users\martin\AppData\LocalLow\EmieBrowserModeList
2015-09-17 18:02 - 2014-05-24 13:57 - 00000000 __SHD C:\Users\martin\AppData\LocalLow\EmieUserList
2015-09-17 18:02 - 2014-05-24 13:55 - 00000000 __SHD C:\Users\martin\AppData\LocalLow\EmieSiteList
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
C:\Users\martin\AppData\Roaming\BackUp3492448012.exe
C:\Users\martin\AppData\Local\Temp\NTFS.sys
RemoveProxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers


Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.
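As an added example (not part of the thread or of FRST itself), the Python below runs a quick triage over FRST.txt-style lines like the ones the fixlist above targets: it flags Run-key autostarts, services and executables whose image sits in a user-writable directory, which is exactly what makes the BackUp3492448012 entry, the Temp\NTFS.sys driver and the LocalLow .tmp.exe stand out. The sample lines are constructed; the SynTPEnh, example.sys and .tmp lines are invented benign controls.

```python
import re

# Constructed sample in FRST.txt format: the first, third and fifth lines mirror entries the
# fixlist above targets; the SynTPEnh, R3 example and .tmp lines are invented benign controls.
SAMPLE_FRST = r"""
HKU\S-1-5-21-1981917376-2246582273-1654750903-1000\...\Run: [BackUp3492448012] => C:\Users\martin\AppData\Roaming\BackUp3492448012.exe
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
S3 BS3492448012; \??\C:\Users\martin\AppData\Local\Temp\NTFS.sys [X]
R3 example; C:\Windows\System32\drivers\example.sys
2015-09-17 18:12 - 2015-09-17 18:12 - 00479232 _____ C:\Users\martin\AppData\LocalLow\1240660.tmp.exe
2015-09-17 18:12 - 2015-09-17 18:12 - 00003758 _____ C:\Users\martin\AppData\LocalLow\1236775.tmp
"""

# Legitimate autostarts and drivers almost never live in directories any user can write to.
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|LocalLow|Local\\Temp)\\", re.IGNORECASE)
EXECUTABLE = re.compile(r"\.(exe|dll|sys|scr|com)$", re.IGNORECASE)
RUN_LINE = re.compile(r"^(HK\w+\\.*?\\Run(?:Once)?): \[(.+?)\] => (.+?)\s*$")
SERVICE_LINE = re.compile(r"^([SRU]\d) ([^;]+); (.+?)( \[X\])?\s*$")   # [X] = FRST could not find the file
FILE_LINE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d - \d{4}-\d\d-\d\d \d\d:\d\d - (\d+) ([_A-Z]{5}) (.+?)\s*$")


def triage_frst(text):
    """Return (kind, name, path, reason) tuples for lines worth a closer look."""
    findings = []
    for line in (l.strip() for l in text.splitlines()):
        if m := RUN_LINE.match(line):
            _key, name, path = m.groups()
            if USER_WRITABLE.search(path):
                findings.append(("run", name, path, "autostart from user-writable directory"))
        elif m := SERVICE_LINE.match(line):
            _start, name, path, missing = m.groups()
            if path.startswith("\\??\\"):        # strip the NT object-manager prefix
                path = path[4:]
            if USER_WRITABLE.search(path):
                why = "driver/service image in user-writable directory"
                findings.append(("service", name, path, why + (" (file now missing)" if missing else "")))
        elif m := FILE_LINE.match(line):
            size, _attrs, path = m.groups()
            if USER_WRITABLE.search(path) and EXECUTABLE.search(path):
                findings.append(("file", path.rsplit("\\", 1)[-1], path, f"executable in user-writable directory, {int(size)} bytes"))
    return findings


if __name__ == "__main__":
    for kind, name, path, reason in triage_frst(SAMPLE_FRST):
        print(f"{kind:8} {name:20} {reason}\n         {path}")
```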

#3 [email protected] (Topic Starter, Member, 24 posts)

G'day,

Defender wouldn't start; it came up with an error message but not the update message. Can't get Notepad to copy here though?


Edited by [email protected], 11 October 2015 - 12:14 PM.


#4 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Attach any logs, it is no problem to me. What error does Defender give when you try to start it?

Download the AVZ tool from here to your desktop.
Unzip all files to a folder on your desktop.
Open the folder and double click the AVZ icon.
When the tool opens select "File" > "Standards scripts".

Place a tick in:


5. Update signature database

Then press "Execute selected scripts".

Once that has executed, then
select "File" > "Standards scripts".
Place a tick in:

3. Advanced System Analysis with malware removal mode enabled


When finished look in the folder AVZ4 on your desktop.
Open the LOG folder.
Attach virusinfo_syscure to your next post.

#5 [email protected] (Topic Starter, Member, 24 posts)

G'day again. Defender error code is 0x800106ba. I'll do the other stuff now.

I don't know what I've done, but I can't paste anything on this post. I did another one, which has disappeared, and I could do it there, but this one won't let me; it doesn't give me the option to paste. I can select all, but no paste??

Do you want me to start another post to try and get around this problem?


Edited by [email protected], 12 October 2015 - 03:54 AM.


#6 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Nope, attachment works for me :)

Could you run this MS Fixit and let me know if Defender starts: https://support.micr...en-gb/kb/931849

#7 [email protected] (Topic Starter, Member, 24 posts)

Hey mate, no luck. Tried to run Fix it but got a message about 'script required to install could not run'.

#8 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Is AVZ running?

#9 [email protected] (Topic Starter, Member, 24 posts)

Yeah, it worked, I just can't seem to be able to paste on this post. It has the log file in an XML doc, and a quarantine folder and syscure folder.

#10 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Attach the entire zip folder, you will be unable to copy and paste as it is rather large :)



#11 [email protected] (Topic Starter, Member, 24 posts)

Is there a special way of attaching folders, as I didn't notice an attach file button?

Hey, worked it out. Wingnut wasn't using the full editor. Attaching these files I get a

iexplore.exe - application error: the instruction at 0x766dde70 referenced memory at 0x00000000. The memory could not be read. Click on OK to terminate the program.

I did as instructed and it shut me out of the post. I then ignored it and I could type here while the message was still showing.

Attached Files


Edited by [email protected], 13 October 2015 - 04:05 AM.


#12 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Two quick jobs and then theoretically all should work properly.

FIX

Open AVZ as before.
Click "File" > "Custom scripts".

A dialogue will open.
Copy and paste the following script into the marked space, then press Run.

Script for insertion:
 
begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
 DelBHO('{92780B25-18CC-41C8-B9BE-3C9C571A8263}');
 DelBHO('{2670000A-7350-4f3c-8081-5663EE0C6C49}');
 DelBHO('{219C3416-8CB2-491a-A3C7-D9FCDDC9D600}');
 QuarantineFile('C:\Users\martin\AppData\Local\Temp\T3492448012\Tor\SSLEAY32.dll','');
 QuarantineFile('C:\Users\martin\AppData\Local\Temp\T3492448012\Tor\LIBEAY32.dll','');
 DeleteFile('C:\Users\martin\AppData\Local\Temp\T3492448012\Tor\LIBEAY32.dll','32');
 BC_DeleteFile('C:\Users\martin\AppData\Local\Temp\T3492448012\Tor\LIBEAY32.dll');
 DeleteFile('C:\Users\martin\AppData\Local\Temp\T3492448012\Tor\SSLEAY32.dll','32');
 BC_DeleteFile('C:\Users\martin\AppData\Local\Temp\T3492448012\Tor\SSLEAY32.dll');
BC_ImportDeletedList;
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
Ensure that you copy from begin to end.

THEN

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open Notepad and copy/paste the text in the quote box below into it:
 

CreateRestorePoint:
C:\Users\martin\AppData\Local\Temp\T3492448012
EmptyTemp:
CMD: bitsadmin /reset /allusers


Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

Then download and run MSE from here: http://windows.micro...ntials-download

#13 [email protected] (Topic Starter, Member, 24 posts)

Thanks mate, does it matter if all this is done in safe mode? Should have asked earlier, but in normal mode I couldn't get around the message box. Thanks for all your time too.

 

Fix result of Farbar Recovery Scan Tool (x64) Version:12-10-2015
Ran by martin (2015-10-14 03:24:09) Run:2
Running from C:\Users\martin\Desktop\Dads
Loaded Profiles: martin (Available Profiles: martin)
Boot Mode: Safe Mode (with Networking)
==============================================

fixlist content:
*****************
CreateRestorePoint:
C:\Users\martin\AppData\Local\Temp\T3492448012
EmptyTemp:
CMD: bitsadmin /reset /allusers

*****************

Error: Restore point can only be created in normal mode.
C:\Users\martin\AppData\Local\Temp\T3492448012 => moved successfully

=========  bitsadmin /reset /allusers =========

BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

Unable to connect to BITS - 0x8007042c

========= End of CMD: =========

EmptyTemp: => 56.7 MB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 03:24:14 ====


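As an added example (not from the thread), a Python parser for the Fixlog format posted above: it pulls out the boot mode, FRST errors, moved items and each CMD: block's output, then lists what the fix did not finish. It also decodes the Win32 code embedded in an HRESULT, which turns the 0x8007042c printed by bitsadmin into ERROR_SERVICE_DEPENDENCY_FAIL and the 0x800106ba Defender error from earlier in the thread into RPC_S_SERVER_UNAVAILABLE. The log excerpt is constructed from the posted Fixlog.

```python
import re

# Constructed Fixlog excerpt in the format FRST writes, modelled on the log posted above.
SAMPLE_FIXLOG = r"""Boot Mode: Safe Mode (with Networking)
Error: Restore point can only be created in normal mode.
C:\Users\martin\AppData\Local\Temp\T3492448012 => moved successfully
=========  bitsadmin /reset /allusers =========
Unable to connect to BITS - 0x8007042c
========= End of CMD: =========
"""

CMD_START = re.compile(r"^=========\s+(.+?)\s+=========$")
CMD_END = "========= End of CMD: ========="
HEX_CODE = re.compile(r"0x[0-9A-Fa-f]{8}")
WIN32_NAMES = {1068: "ERROR_SERVICE_DEPENDENCY_FAIL", 1722: "RPC_S_SERVER_UNAVAILABLE"}  # codes seen in this thread


def win32_code(hresult):
    return hresult & 0xFFFF  # 0x8007xxxx / 0x8001xxxx wrap a Win32 or RPC error in the low word


def parse_fixlog(text):
    """Split a Fixlog into boot mode, FRST errors, moved items and per-command output."""
    out = {"boot_mode": None, "errors": [], "moved": [], "commands": {}}
    cmd = None
    for line in (l.strip() for l in text.splitlines()):
        if cmd is not None:                       # inside a CMD: block until its End marker
            if line == CMD_END:
                cmd = None
            elif line:
                out["commands"][cmd].append(line)
        elif line.startswith("Boot Mode:"):
            out["boot_mode"] = line.split(":", 1)[1].strip()
        elif line.startswith("Error:"):
            out["errors"].append(line[6:].strip())
        elif line.endswith("=> moved successfully"):
            out["moved"].append(line.split(" => ")[0])
        elif m := CMD_START.match(line):
            cmd = m.group(1)
            out["commands"][cmd] = []
    return out


def outstanding(parsed):
    """FRST errors plus any error code a command printed: the items to redo or investigate."""
    issues = list(parsed["errors"])
    for cmd, lines in parsed["commands"].items():
        for code in (int(c, 16) for l in lines for c in HEX_CODE.findall(l)):
            name = WIN32_NAMES.get(win32_code(code), "unknown")
            issues.append(f"{cmd}: 0x{code:08x} ({name})")
    return issues
```

Both codes decode to a service that is unavailable, so the next thing to check is the state of the BITS and Windows Defender services rather than more files.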

#14 [email protected] (Topic Starter, Member, 24 posts)

I downloaded MSE, well I thought I did, but after the security check box disappeared I couldn't find MSE. I downloaded it again and while it was doing the security check I viewed the downloads; it showed that only 99% of installation was complete and then just disappeared from the box?

#15 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Hmm, nothing is now showing on the logs, so where is the miscreant hiding?

Download aswMBR.exe (4.5MB) to your desktop.
Double click the aswMBR.exe to run it.
You may be offered the option of using virtualisation; accept that.
When it offers to download the virus database allow that as well.
Click the "Scan" button to start the scan.

On completion of the scan click Save log, save it to your desktop and post it in your next reply.





