Virus turning off safety tools (Malwarebytes Real-Time Protection)!



#31
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,001 posts
  • MVP

You probably do not want to check these but the rest are mostly adware and you can let RK remove them.

 

[Suspicious.Path] \{DF220F30-33A2-4EE2-BEC8-701A7D6C4CB6} -- C:\Users\Mathew\AppData\Local\VelvetSundown\VelvetSundown.exe -> Found
[Suspicious.Path] \{F78B9C97-3D06-442A-AF31-B4FC10D07AB0} -- C:\Users\Mathew\AppData\Local\VelvetSundown\VelvetSundown.exe -> Found

 

 

I don't know anything about your chat program.  Just uninstall it and if it leaves the files, delete them.

 

Run VEW and let me see the logs.  Perhaps they will tell us what happened to aswmbr.

1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop:
2. Right-click VEW.exe and Run AS Administrator
3. Under 'Select log to query', select:

* System
4. Under 'Select type to list', select:
* Error
* Warning


Then use the 'Number of events' as follows:


1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application.  (Each time you run VEW it overwrites the log so copy the first one to a Reply or rename it before running it a second time.)

 

 


  • 0
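The same query VEW runs (last 20 Error/Warning entries from System, then Application), as an added PowerShell example that is not part of the original post or of VEW itself. It writes a separate timestamped file per log to the Desktop, so the second run never overwrites the first; run it from an elevated prompt so the logs are fully readable.

```powershell
# Added example: query the System and Application logs the way the VEW
# procedure in the thread does (Error + Warning, most recent 20 events).

function Get-RecentProblemEvents {
    param(
        [string[]]$LogName = @('System', 'Application'),
        [int]$Count = 20
    )
    foreach ($log in $LogName) {
        # Level 2 = Error, Level 3 = Warning. Level 1 (Critical) is included
        # on purpose: it is rarer than either but never something to skip.
        Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 1, 2, 3 } `
                     -MaxEvents $Count -ErrorAction SilentlyContinue |
            Select-Object LogName, TimeCreated, Id, LevelDisplayName, ProviderName,
                          @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
    }
}

# One report per log; VEW writes a single file, which is why the thread says
# to copy the first output before running it a second time.
$desktop = [Environment]::GetFolderPath('Desktop')
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
foreach ($log in 'System', 'Application') {
    $out = Join-Path $desktop "events-$log-$stamp.txt"
    Get-RecentProblemEvents -LogName $log |
        Format-Table -AutoSize -Wrap | Out-String -Width 200 | Set-Content -Path $out
    Write-Host "Wrote $out"
}
```

Only the first line of each message is kept in the table so the 20 entries stay readable; open the event in eventvwr.msc for the full text.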



#32
MattMMM

MattMMM

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts

VEW.exe does not like my language so I used FullEventLog

 

https://www.mediafir...leventlogs3.txt


  • 0

#33
MattMMM

MattMMM

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts

This stands out.

 

 

Event Time        : 26.11.2017 5:57:22.462
Record ID         : 279544
Event ID          : 55
Level             : Error
Channel           : System
Provider          : Ntfs
Description       : The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.
Opcode            :
Task              : 2
Keywords          : Classic
Process ID        :
Thread ID         :
Computer          : Mathew-PC
User              :


  • 0

#34
MattMMM

MattMMM

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts

Is it a failing hardware issue? It's a very old laptop.


  • 0

#35
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,001 posts
  • MVP

Oops.  Forgot. 

 

Corrupt file structure might explain why aswmbr didn't work.

 

Fix is to run diskcheck:

 

1. Double-click My Computer, and then right-click the hard disk that you want to check. C:
2. Click Properties, and then click Tools.
3. Under Error-checking, click Check Now. A dialog box that shows the Check disk options is displayed.
4. Check both boxes and then click Start.
You will receive the following message:
The disk check could not be performed because the disk check utility needs exclusive access to some Windows files on the disk. These files can be accessed by restarting Windows. Do you want to schedule the disk check to occur the next time you restart the computer?
Click Yes to schedule the disk check, but don't restart yet.

Start, Run, eventvwr.msc, OK to bring up the Event Viewer.  Right click on System and Clear All Events, No (we don't want to save the old log), OK. Repeat for Application.

Reboot.

The disk check will run and will probably take an hour or more to finish.

 

Check your event logs to see if the file system is still corrupt.

 

 


  • 0
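A way to do the last step ("check your event logs to see if the file system is still corrupt") from PowerShell, as an added example that is not part of the thread. It looks for Ntfs event ID 55, the "file system structure on the disk is corrupt" event quoted above, logged since the last boot, and also reads the volume's dirty bit; it assumes an elevated prompt (for fsutil) and English fsutil output, and uses WMI so it also runs on Windows 7 with PowerShell 2.0.

```powershell
# Added example: after the scheduled chkdsk has run and the machine has
# rebooted, report whether NTFS corruption is still being logged on C:.

function Test-VolumeStillCorrupt {
    param([string]$Volume = 'C:')

    # Last boot time via WMI (available on Windows 7 / PowerShell 2.0)
    $os       = Get-WmiObject -Class Win32_OperatingSystem
    $lastBoot = [Management.ManagementDateTimeConverter]::ToDateTime($os.LastBootUpTime)

    # Ntfs event 55 logged after that reboot means the corruption survived chkdsk
    $ntfs55 = @(Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Ntfs'; Id = 55; StartTime = $lastBoot
    } -ErrorAction SilentlyContinue)

    # Dirty bit set = chkdsk still pending, or the volume was marked dirty again.
    # fsutil's wording is localized; this match assumes English output.
    $dirtyText = (& fsutil dirty query $Volume 2>&1) | Out-String
    $isDirty   = [bool]($dirtyText -match '\bis Dirty\b')

    New-Object PSObject -Property @{
        Volume           = $Volume
        LastBoot         = $lastBoot
        NtfsEvent55Count = $ntfs55.Count
        DirtyBitSet      = $isDirty
        StillCorrupt     = ($ntfs55.Count -gt 0) -or $isDirty
    }
}

$r = Test-VolumeStillCorrupt -Volume 'C:'
$r | Format-List
if ($r.StillCorrupt) {
    Write-Warning 'NTFS still reports corruption; re-run the disk check and look at the drive''s SMART status before trusting further scan results.'
} else {
    Write-Host "No Ntfs event 55 since $($r.LastBoot) and the volume is not dirty."
}
```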

#36
MattMMM

MattMMM

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts

After the reboot EventViewer marked these as an Error (under WindowsLogs/System):

 

27.11.2017 22:38:28 A timeout was reached (30000 milliseconds) while waiting for the CyberGhost 5 Client Service service to connect.

 

27.11.2017 22:38:28 The CyberGhost 5 Client Service service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

 

27.11.2017 22:39:54 The Peer Name Resolution Protocol cloud did not start because the creation of the default identity failed with error code: 0x80630801.

 

27.11.2017 22:39:54 The Peer Networking Grouping service depends on the Peer Name Resolution Protocol service which failed to start because of the following error:
%%-2140993535

 

27.11.2017 22:39:54 The Peer Name Resolution Protocol service terminated with the following error:
%%-2140993535

 

27.11.2017 22:40:05 The Peer Name Resolution Protocol cloud did not start because the creation of the default identity failed with error code: 0x80630801.

 

27.11.2017 22:40:05 The Peer Name Resolution Protocol cloud did not start because the creation of the default identity failed with error code: 0x80630801.

 

27.11.2017 22:40:05 The Peer Networking Grouping service depends on the Peer Name Resolution Protocol service which failed to start because of the following error:
%%-2140993535

 

27.11.2017 22:40:05 The Peer Name Resolution Protocol service terminated with the following error:
%%-2140993535

 

27.11.2017 22:40:05 The Peer Networking Grouping service depends on the Peer Name Resolution Protocol service which failed to start because of the following error:
%%-2140993535

 

27.11.2017 22:40:05 The Peer Name Resolution Protocol service terminated with the following error:
%%-2140993535

 

 

Looks like the Peer Name is still an issue.

CyberGhost5 is another program I don't need anymore. Would uninstalling it help the issue?


  • 0

#37
MattMMM

MattMMM

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts

I found this if it helps any: http://troubleshoote...otocol-service/


  • 0

#38
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,001 posts
  • MVP

Uninstall CyberGhost 5.

 

The link you cited looks like a good possibility.  Do you even need the Peer stuff?

https://msdn.microso...2(v=vs.85).aspx

 

Perhaps turning it off would be simpler:

http://computerstepb...ng_service.html


  • 0

#39
MattMMM

MattMMM

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts

Ok I'll uninstall CyberGhost5.

 

And no I don't need the Peer thing. So what method should I follow then?


Edited by MattMMM, 27 November 2017 - 06:17 PM.

  • 0

#40
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,001 posts
  • MVP

To stop peer stuff use the 1st procedure that uses services.msc.  That's the easiest to reverse if you decide you need it later.

 

See if aswMBR will run now.


  • 0
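The services.msc step of the first procedure, done from PowerShell, as an added example that is not part of the thread or of the linked guide. It finds the services by the display names that appear in the event log above ('Peer Name Resolution Protocol', 'Peer Networking Grouping') rather than assuming internal service names, and -Restore reverses it; it assumes the original startup type was Manual, the usual Windows 7 default, so note the current StartMode from the final table before disabling if unsure.

```powershell
# Added example: stop and disable the Peer Networking services reversibly.
# Usage:  .\peer-services.ps1           (disable)
#         .\peer-services.ps1 -Restore  (set back to Manual)
param([switch]$Restore)

$displayNames = @(
    'Peer Networking Grouping',       # depends on PNRP, so it is handled first
    'Peer Name Resolution Protocol'
)

foreach ($name in $displayNames) {
    $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Host "'$name' is not installed, skipping"; continue }

    if ($Restore) {
        # Manual (demand start) rather than Automatic: it only starts if
        # something actually asks for it. Assumed to be the original setting.
        Set-Service -Name $svc.Name -StartupType Manual
        Write-Host "$($svc.Name) ($name): startup type set back to Manual"
    } else {
        if ($svc.Status -eq 'Running') { Stop-Service -Name $svc.Name -Force }
        Set-Service -Name $svc.Name -StartupType Disabled
        Write-Host "$($svc.Name) ($name): stopped and disabled"
    }
}

# Show the outcome: internal name, startup type and current state
Get-WmiObject Win32_Service |
    Where-Object { $displayNames -contains $_.DisplayName } |
    Select-Object Name, DisplayName, StartMode, State | Format-Table -AutoSize
```

Run it from an elevated prompt; Set-Service needs administrator rights to change startup types.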



#41
MattMMM

MattMMM

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts

aswMBR ran successfully (without trace IO disk). Here's the log:

 

I also got a MBR.dat file on the desktop.

 

aswMBR version 1.0.1.2290 Copyright© 2014 AVAST Software
Run date: 2017-11-28 18:30:57
-----------------------------
18:30:57.211    OS Version: Windows 6.1.7601 Service Pack 1
18:30:57.211    Number of processors: 2 586 0x1706
18:30:57.211    ComputerName: MATHEW-PC  UserName: Mathew
18:31:01.883    Initialize success
18:31:01.943    VM: initialized successfully
18:31:01.953    VM: Intel CPU supported
18:31:06.313    VM: disk I/O iaStorA.sys
18:31:14.703    AVAST engine defs: 17112802
18:31:59.504    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000007b
18:31:59.514    Disk 0 Vendor: ATA_____ C40C Size: 305245MB BusType: 11
18:31:59.514    Disk 1  \Device\Harddisk1\DR1 -> \Device\00000089
18:31:59.524    Disk 1 Vendor: RICOH 01 Size: 305245MB BusType: 0
18:31:59.654    Disk 0 MBR read successfully
18:31:59.654    Disk 0 MBR scan
18:31:59.664    Disk 0 Windows 7 default MBR code
18:31:59.664    Disk 0 Partition 1 00     1C Hidd FAT32 LBA MSDOS5.0    10001 MB offset 63
18:31:59.674    Disk 0 Partition 2 80 (A) 07      HPFS/NTFS NTFS       152617 MB offset 20482875
18:31:59.684    Disk 0 Boot: NTFS     code=2
18:31:59.694    Disk 0 Partition - 00     0F   Extended LBA            142623 MB offset 333043515
18:31:59.734    Disk 0 Partition 3 00     07      HPFS/NTFS NTFS       142623 MB offset 333043578
18:31:59.744    Disk 0 scanning sectors +625137345
18:31:59.814    Disk 0 scanning C:\Windows\system32\drivers
18:32:16.497    Service scanning
18:32:47.213    Modules scanning
18:32:47.837    AVAST engine scan C:\
21:16:10.130    Disk 0 statistics 19795802/0/0 @ 1,25 MB/s
21:16:10.146    Scan finished successfully
21:27:02.944    Disk 0 MBR has been saved successfully to "C:\Users\Mathew\Desktop\MBR.dat"
21:27:02.944    The log file has been saved successfully to "C:\Users\Mathew\Desktop\aswMBR.txt"


  • 0

#42
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,001 posts
  • MVP

Looks clean.  You can submit the MBR.dat file to virustotal.com to make sure that it is safe.

 

Easiest way to submit a file is to copy the path:

C:\Users\Mathew\Desktop\MBR.dat

Then
Go to virustotal.com with your browser.  Click on Choose File then when the file chooser window opens, move down to the File Name: box and then Ctrl + v and the path should appear.  Hit Open and it should return to the main page with MBR.dat chosen.  Click on Scan it.  If it knows the file already it will tell you it's already been analyzed and offer you a choice of Reanalyze and View Last Analysis.  In that case click on View Last Analysis.  If it doesn't know the file it will take a minute to query 50+ different anti-virus companies.  In either case, if the Detection ratio: is not 0 / 50+ then copy the Analysis page and paste it into the forum.  You can just hit Ctrl + a then Ctrl + c to copy the page then go to a reply and Ctrl + v.

 

You might want to see if MBAM will run now.
 


  • 0
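The VirusTotal check from the post above, done by hash instead of by upload, as an added example that is not part of the thread. A saved boot sector carries the disk signature and partition layout, so looking the SHA-256 up first avoids sharing the file unless VirusTotal has never seen it; it assumes a VirusTotal API key in $env:VT_API_KEY (the public v3 API) and PowerShell 4.0 or later for Get-FileHash and Invoke-RestMethod.

```powershell
# Added example: look up MBR.dat on VirusTotal by SHA-256 and rebuild the
# "detections / engines" ratio the post tells the user to watch for.

function Get-VirusTotalVerdict {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$ApiKey = $env:VT_API_KEY
    )
    $sha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLower()
    $uri    = "https://www.virustotal.com/api/v3/files/$sha256"
    try {
        $resp = Invoke-RestMethod -Uri $uri -Method Get -Headers @{ 'x-apikey' = $ApiKey }
    } catch {
        # 404 = VirusTotal has never seen this hash; nothing has been uploaded
        if ($_.Exception.Response -and [int]$_.Exception.Response.StatusCode -eq 404) {
            return New-Object PSObject -Property @{ Sha256 = $sha256; Known = $false }
        }
        throw
    }
    $stats = $resp.data.attributes.last_analysis_stats
    # Approximation of the engine count shown in the web UI
    $total = $stats.malicious + $stats.suspicious + $stats.undetected + $stats.harmless
    New-Object PSObject -Property @{
        Sha256     = $sha256
        Known      = $true
        Malicious  = $stats.malicious
        Suspicious = $stats.suspicious
        Ratio      = "$($stats.malicious) / $total"
        Scanned    = [DateTimeOffset]::FromUnixTimeSeconds($resp.data.attributes.last_analysis_date).DateTime
        Permalink  = "https://www.virustotal.com/gui/file/$sha256"
    }
}

$v = Get-VirusTotalVerdict -Path "$env:USERPROFILE\Desktop\MBR.dat"
if (-not $v.Known) {
    Write-Host "Not on VirusTotal yet ($($v.Sha256)); upload it only if you are comfortable sharing the sector."
} elseif ($v.Malicious -gt 0 -or $v.Suspicious -gt 0) {
    Write-Warning "Detections: $($v.Ratio). Post the report from $($v.Permalink)"
} else {
    Write-Host "Clean: $($v.Ratio) (last analysed $($v.Scanned))"
}
```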

#43
MattMMM

MattMMM

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts

The virustotal.com reports all clear (0/58). Looks like we are good :)


  • 0

#44
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,001 posts
  • MVP

See if MBAR will run:

 

https://www.malwareb...om/antirootkit/


  • 0

#45
MattMMM

MattMMM

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts

Sorry, I was busy yesterday.

 

Malwarebytes AntiRootKit says "Scan finished, no malware found!"


  • 0
