
Not sure if malware has been removed [Solved]



#46 Jackpine (Topic Starter, Member, 347 posts)

Repaired Microsoft Access database engine 2010. Ran Windows update. Two Microsoft Office updates downloaded and installed OK. No errors (Code or KB items). Will do the other stuff now.

I copied the command. Went to cmd as Administrator, pasted, hit Enter. I got this:

[SC] OpenService FAILED 5:

Access is denied.

(Should there be a space after the = sign?)


Edited by Jackpine, 07 April 2016 - 02:18 PM.



#47 SleepyDude (Trusted Helper, Malware Removal, 4,401 posts)

Yes, the space is needed, but the error is not related to that.

Let's do it using FRST.

Download the attached file fixlist.txt (119 bytes) and save it on the Desktop.

Run FRST64 and click the Fix button.

Post the fix log.



#48 Jackpine (Topic Starter, Member, 347 posts)

Here's the log.

 

Fix result of Farbar Recovery Scan Tool (x64) Version:05-03-2016 01
Ran by Robert (2016-04-07 17:07:28) Run:4
Running from C:\Users\Robert\Desktop
Loaded Profiles: Robert (Available Profiles: Robert)
Boot Mode: Normal
==============================================

fixlist content:
*****************
cmd: sc config WinDefend start= demand
reg: reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend

*****************


=========  sc config WinDefend start= demand =========

[SC] OpenService FAILED 5:

Access is denied.


========= End of CMD: =========


========= reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend =========


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend
    DisplayName    REG_SZ    @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-310
    ErrorControl    REG_DWORD    0x1
    ImagePath    REG_EXPAND_SZ    "%ProgramFiles%\Windows Defender\MsMpEng.exe"
    Start    REG_DWORD    0x2
    Type    REG_DWORD    0x10
    Description    REG_SZ    @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-240
    DependOnService    REG_MULTI_SZ    RpcSs
    ObjectName    REG_SZ    LocalSystem
    ServiceSidType    REG_DWORD    0x1
    RequiredPrivileges    REG_MULTI_SZ    SeLoadDriverPrivilege\0SeImpersonatePrivilege\0SeBackupPrivilege\0SeRestorePrivilege\0SeDebugPrivilege\0SeChangeNotifyPrivilege\0SeSecurityPrivilege\0SeShutdownPrivilege\0SeIncreaseQuotaPrivilege\0SeAssignPrimaryTokenPrivilege\0SeTcbPrivilege\0SeSystemEnvironmentPrivilege
    FailureActions    REG_BINARY    80510100000000000000000003000000140000000100000060EA00000100000060EA00000000000000000000
    LaunchProtected    REG_DWORD    0x3

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend\Security


========= End of Reg: =========


==== End of Fixlog 17:07:29 ====



#49 SleepyDude (Trusted Helper, Malware Removal, 4,401 posts)

Please try a new fixlist: attached file fixlist.txt (191 bytes).



#50 Jackpine (Topic Starter, Member, 347 posts)

See log.

 

Fix result of Farbar Recovery Scan Tool (x64) Version:05-03-2016 01
Ran by Robert (2016-04-07 17:45:29) Run:5
Running from C:\Users\Robert\Desktop
Loaded Profiles: Robert (Available Profiles: Robert)
Boot Mode: Normal
==============================================

fixlist content:
*****************
unlock: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend
cmd: sc config WinDefend start= demand
reg: reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend

*****************

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend" => key was unlocked

=========  sc config WinDefend start= demand =========

[SC] OpenService FAILED 5:

Access is denied.


========= End of CMD: =========


========= reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend =========


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend
    DisplayName    REG_SZ    @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-310
    ErrorControl    REG_DWORD    0x1
    ImagePath    REG_EXPAND_SZ    "%ProgramFiles%\Windows Defender\MsMpEng.exe"
    Start    REG_DWORD    0x2
    Type    REG_DWORD    0x10
    Description    REG_SZ    @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-240
    DependOnService    REG_MULTI_SZ    RpcSs
    ObjectName    REG_SZ    LocalSystem
    ServiceSidType    REG_DWORD    0x1
    RequiredPrivileges    REG_MULTI_SZ    SeLoadDriverPrivilege\0SeImpersonatePrivilege\0SeBackupPrivilege\0SeRestorePrivilege\0SeDebugPrivilege\0SeChangeNotifyPrivilege\0SeSecurityPrivilege\0SeShutdownPrivilege\0SeIncreaseQuotaPrivilege\0SeAssignPrimaryTokenPrivilege\0SeTcbPrivilege\0SeSystemEnvironmentPrivilege
    FailureActions    REG_BINARY    80510100000000000000000003000000140000000100000060EA00000100000060EA00000000000000000000
    LaunchProtected    REG_DWORD    0x3

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend\Security


========= End of Reg: =========


==== End of Fixlog 17:45:29 ====



#51 SleepyDude (Trusted Helper, Malware Removal, 4,401 posts)

Something is blocking access to the service!

I adjusted the fixlist again (attached file fixlist.txt, 277 bytes). Before running the fix, please disable the ESET NOD32 Antivirus protection.



#52 Jackpine (Topic Starter, Member, 347 posts)

Disabled ESET NOD32 Antivirus.  Ran fix.  Computer required a reboot.  Rebooted.  Able to open programs right away!!

 

Log below.

 

Fix result of Farbar Recovery Scan Tool (x64) Version:05-03-2016 01
Ran by Robert (2016-04-07 18:07:04) Run:6
Running from C:\Users\Robert\Desktop
Loaded Profiles: Robert (Available Profiles: Robert)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
unlock: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend
reg: reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend /v Start /t REG_DWORD /d 0x3 /f
reg: reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend

*****************

Processes closed successfully.
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend" => key was unlocked

========= reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend /v Start /t REG_DWORD /d 0x3 /f =========

The operation completed successfully.



========= End of Reg: =========


========= reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend =========


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend
    DisplayName    REG_SZ    @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-310
    ErrorControl    REG_DWORD    0x1
    ImagePath    REG_EXPAND_SZ    "%ProgramFiles%\Windows Defender\MsMpEng.exe"
    Start    REG_DWORD    0x3
    Type    REG_DWORD    0x10
    Description    REG_SZ    @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-240
    DependOnService    REG_MULTI_SZ    RpcSs
    ObjectName    REG_SZ    LocalSystem
    ServiceSidType    REG_DWORD    0x1
    RequiredPrivileges    REG_MULTI_SZ    SeLoadDriverPrivilege\0SeImpersonatePrivilege\0SeBackupPrivilege\0SeRestorePrivilege\0SeDebugPrivilege\0SeChangeNotifyPrivilege\0SeSecurityPrivilege\0SeShutdownPrivilege\0SeIncreaseQuotaPrivilege\0SeAssignPrimaryTokenPrivilege\0SeTcbPrivilege\0SeSystemEnvironmentPrivilege
    FailureActions    REG_BINARY    80510100000000000000000003000000140000000100000060EA00000100000060EA00000000000000000000
    LaunchProtected    REG_DWORD    0x3

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend\Security


========= End of Reg: =========



The system needed a reboot.

==== End of Fixlog 18:07:04 ====


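As an added example (not from the thread, and not FRST's own code), here is a small Python parser for the "reg query" block that FRST printed in the logs above. It decodes the Start DWORD into the SCM start type and checks that the Run:6 fix changed only Start, from 0x2 (auto) to 0x3 (demand), while LaunchProtected stayed at 3 (the antimalware-light protection level); the sample text is a constructed excerpt of those log lines.

```python
import re

# Constructed excerpt of the FRST "reg query" output for the WinDefend key,
# as it looked before the fix (Run:5). Only the lines needed here are kept.
BEFORE = """\
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\WinDefend
    ImagePath    REG_EXPAND_SZ    "%ProgramFiles%\\Windows Defender\\MsMpEng.exe"
    Start    REG_DWORD    0x2
    Type    REG_DWORD    0x10
    ObjectName    REG_SZ    LocalSystem
    LaunchProtected    REG_DWORD    0x3
"""
# After the "reg add ... /v Start /t REG_DWORD /d 0x3 /f" line in Run:6.
AFTER = BEFORE.replace("Start    REG_DWORD    0x2", "Start    REG_DWORD    0x3")

# Meaning of the service Start DWORD (Windows SCM start types).
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}
# LaunchProtected values: 0 none, 1 Windows, 2 Windows light, 3 antimalware light.
LAUNCH_PROTECTED = {0: "none", 1: "windows", 2: "windows-light", 3: "antimalware-light"}

# reg query prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_RE = re.compile(r"^\s{4}(\S+)\s{4}(REG_\w+)\s{4}(.*)$")


def parse_reg_query(text):
    """Parse reg query output into {value_name: (type, data)}; DWORDs become ints."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if not m:
            continue  # key path lines and blank lines carry no value
        name, rtype, raw = m.groups()
        values[name] = (rtype, int(raw, 16) if rtype == "REG_DWORD" else raw)
    return values


def describe_service(values):
    """Human-readable summary of the fields that matter for this thread."""
    start = values["Start"][1]
    protected = values.get("LaunchProtected", ("REG_DWORD", 0))[1]
    return {
        "start": START_TYPES.get(start, f"unknown({start})"),
        "launch_protected": LAUNCH_PROTECTED.get(protected, f"unknown({protected})"),
        "image": values["ImagePath"][1],
    }


def fix_applied(before, after):
    """True when the only difference is Start going from 0x2 to 0x3, as in Run:6."""
    b, a = parse_reg_query(before), parse_reg_query(after)
    changed = {k for k in b if b[k] != a.get(k)}
    return changed == {"Start"} and b["Start"][1] == 2 and a["Start"][1] == 3
```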

#53 SleepyDude (Trusted Helper, Malware Removal, 4,401 posts)

It's possible that Defender is corrupt, but it's strange that SFC doesn't report anything related!

If the computer is now running normally, make sure you do the updates suggested by the Security Check log (not sure if you already did that or not).



#54 Jackpine (Topic Starter, Member, 347 posts)

When I went to the Bonjour update link it brought me to a web page filled with Russian text. I left. Do I need Bonjour anyway? The other updates (7-Zip and Skype) went fine. The update to Shockwave says I need to first install a 32-bit browser. Do I need Shockwave?



#55 SleepyDude (Trusted Helper, Malware Removal, 4,401 posts)

Remove Bonjour and Shockwave; if some program turns out to need Bonjour, a repair install should fix it.




#56 Jackpine (Topic Starter, Member, 347 posts)

OK, will do after getting home from work. I will also report on how the computer is running.

Can I give you one final FRST scan log to ensure there is no remaining malware and/or remnants?



#57 SleepyDude (Trusted Helper, Malware Removal, 4,401 posts)

> OK, will do after getting home from work. I will also report on how the computer is running.

Ok, not sure if I will be online later.

> Can I give you one final FRST scan log to ensure there is no remaining malware and/or remnants?

The last log didn't show any evidence of malware.

We can run a last scan if you want...

Scan with aswMBR

  • Download aswMBR from here or here and save the file to the Desktop.
  • Double click the aswMBR.exe file to run it.
    (On Windows Vista and above, right click the icon and choose Run as Administrator, and accept the security warning.)
  • If you see the following prompt, click Yes.
  • If it asks you whether you want to download the latest virus definitions, click Yes.
  • Click the "Scan" button to start the scan.
  • On completion of the scan (the last line will show "Scan finished successfully") click Save log and save the file aswMBR.txt to the Desktop.
    WARNING: Don't click on the buttons FixMBR and Fix unless instructed to do so.
  • Open the log aswMBR.txt and post the full contents of the file in your next reply.

Things I would like to see in your next reply:

  • The aswMBR.txt log

 



#58 Jackpine (Topic Starter, Member, 347 posts)

Programs start properly after booting up.  Previous delays gone.  aswMBR.txt log below.

 

aswMBR version 1.0.1.2290 Copyright© 2014 AVAST Software
Run date: 2016-04-08 16:29:12
-----------------------------
16:29:12.054    OS Version: Windows x64 6.2.9200
16:29:12.054    Number of processors: 4 586 0x1
16:29:12.054    ComputerName: SHADOWFAX  UserName: Robert
16:29:14.601    Initialize success
16:29:14.976    VM: initialized successfully
16:29:14.976    VM: Amd CPU BiosDisabled
16:31:14.580    AVAST engine defs: 16033102
16:32:20.109    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000002b
16:32:20.109    Disk 0 Vendor: HGST_HTS541075A9E680 JA2OA710 Size: 715404MB BusType: 11
16:32:20.297    Disk 0 MBR read successfully
16:32:20.297    Disk 0 MBR scan
16:32:20.328    Disk 0 unknown MBR code
16:32:20.343    Disk 0 Partition 1 00     EE            GPT           2097151 MB offset 1
16:32:20.593    Disk 0 scanning C:\Windows\system32\drivers
16:32:52.964    Service scanning
16:34:24.513    Modules scanning
16:34:24.513    Disk 0 trace - called modules:
16:34:24.544    ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys amd_xata.sys storport.sys amd_sata.sys hal.dll
16:34:24.559    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xffffe0002b0cc060]
16:34:24.887    3 CLASSPNP.SYS[fffff80110001f40] -> nt!IofCallDriver -> [0xffffe0002b0cd040]
16:34:24.887    5 hpdskflt.sys[fffff8011029742b] -> nt!IofCallDriver -> [0xffffe0002afdb940]
16:34:24.903    7 amd_xata.sys[fffff8010fb555da] -> nt!IofCallDriver -> \Device\0000002b[0xffffe0002afdb060]
16:34:26.747    AVAST engine scan C:\Windows
16:34:31.726    AVAST engine scan C:\Windows\system32
16:43:17.321    AVAST engine scan C:\Windows\system32\drivers
16:43:54.201    AVAST engine scan C:\Users\Robert
16:52:39.242    AVAST engine scan C:\ProgramData
16:54:31.354    Disk 0 statistics 3750144/0/0 @ 2.86 MB/s
16:54:31.385    Scan finished successfully
16:55:47.455    Disk 0 MBR has been saved successfully to "C:\Users\Robert\Desktop\MBR.dat"
16:55:47.486    The log file has been saved successfully to "C:\Users\Robert\Desktop\aswMBR.txt"

 



#59 SleepyDude (Trusted Helper, Malware Removal, 4,401 posts)

All good. Time to Cleanup...

 

» Remove other disinfection tools

  • Download DelFix and save it to your Desktop, then execute the tool. (If running on Windows Vista or above, accept all the security prompts.)
  • Place a checkmark next to:
    • Remove disinfection tools
    • Create registry backup
    • Purge system restore
    • Reset System Settings
  • Click the Run button

When the tool is finished, a log will open in Notepad. Please copy and paste the log in your next reply.

» Others

  • Delete any .exe, .log or .txt file created on the Desktop during the cleaning process.

 

How to prevent new infections

To protect your computer from being infected again, it's very important to keep Windows updated, along with all the programs related to the internet: web browser, Flash Player, Adobe Reader and Java, to mention only those most targeted by today's security exploits.

  • Follow the instructions below to keep these critical programs updated:
    • Windows and Internet Explorer
      To keep Windows and Internet Explorer updated, make sure you have Windows Update enabled in the Control Panel applet; follow the instructions for Windows 7 in the MS article How to configure and use Automatic Updates in Windows, or use the FixIt tool provided.
    • Antivirus and Antimalware programs
      Make sure you have an antivirus program always updated and running.
      Sometimes an antivirus can miss some malware; when that happens it's good to have Malwarebytes free installed. Update and run it weekly to keep your system clean. Malwarebytes is also good at reverting some system changes made by the malware.
    • Enable the Windows Firewall
      No system can be considered safe if not protected by a firewall. If you are connected to the Internet by a router, you should check its configuration and make sure the firewall is active.
      If you connect by modem or to an open local network, you should enable the Windows 7 built-in firewall.
    • Adobe Flash Player
      To update Adobe Flash Player, accept any prompt to update, or manually initiate the update by opening Start Menu > Settings > Control Panel, opening the applet called Flash Player and, on the Advanced tab, clicking the Check Now button. Accept any prompt to install an updated version.
    • Adobe Reader
      Adobe Reader can be updated by opening Adobe Reader from the Start Menu; when the program has fully loaded, click on the Help menu, then click the Check for updates now option. Follow the prompts to install any new update.
    • Java Runtime
      When Java is installed, it's extremely important to update immediately when you get a notification pop-up from the Java Updater. Or update manually by opening Start Menu > Settings > Control Panel, opening the applet called Java and, on the Update tab, clicking the Update Now button. The program will prompt you to install any new updated version available.
      Every time you update Java, make sure you uncheck the box asking to install the Ask Toolbar and make Ask your default search provider.

      For safety you can have Java installed but disabled in your browsers, and only enable it when you need it. You can enable/disable Java by executing the following steps:
      Click Start > Control Panel > Java/Java (32-bit), click the Security tab, uncheck the box Enable Java content in the browser and click OK.
  • Keep Installed Programs Up to Date
    It's important to keep all other programs on your computer updated, because they can also have security vulnerabilities exploited by malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications to fix vulnerabilities; this can be done manually by using the Update feature included in most programs, or you can use one of the following programs to help you with this task:
  • Surf the Net with extra Security
    Every web browser is a target for malware; the bad guys are always trying to exploit security holes to infect computers, and this is especially true for Internet Explorer because it is one of the most used. Using alternatives like Mozilla Firefox or Google Chrome can help protect your computer from infections.
    And for Firefox and Chrome you can get an extra layer of protection by installing two add-ons, uBlock and Web Of Trust (WOT). WOT can also protect Internet Explorer.

Security Alert

You may not know it, but there are several new threats currently doing the rounds. They are a particularly nasty piece of work, as they scan your files for certain file types (*.doc, *.pdf, *.xls, *.jpg, *.odt, and many more) and encrypt them, rendering the files worthless unless you have a decryption key that is generated by the malware specifically for your computer and sent to the malware creators. This kind of malware is called ransomware because they hold the key and ask for a ransom (from $300 USD upwards) to unlock your files, and there is no guarantee that you will actually recover your files!

There is no way to guarantee that you are 100% secure against this type of threat, because the malware is constantly evolving. Presently there is a tiny utility that you can install for free to minimize the risk, called CryptoPrevent; it will set some Windows policy restrictions to block the execution of the malware.

The tool can be downloaded here.

::: Some final recommendations :::

Best regards, and have safe surfing!

 



#60 Jackpine (Topic Starter, Member, 347 posts)

Thank you very much for your time and patience SleepyDude.  The computer is running well now.  I have noted the useful tips in your last post.

 

Have a great weekend!

