reopen of a previous topic

Re: reopen of a previous topic

Post by anniyan » June 12th, 2014, 9:20 am

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8 ) (Size: 699 GB) (Disk ID: 4A73C3CB)
Partition 1: (Active) - (Size=199 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=673 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=21 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=4 GB) - (Type=0C)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 7 GB) (Disk ID: C3072E18)
Partition 1: (Not Active) - (Size=7 GB) - (Type=0B)

========================================================
Disk: 2 (MBR Code: Windows XP) (Size: 931 GB) (Disk ID: E9C43BC7)
Partition 1: (Not Active) - (Size=931 GB) - (Type=07 NTFS)


LastRegBack: 2014-06-07 15:14
==================== End Of Log ============================

[UPDATE]: I found that some browsers worked and I was able to download files when I was logged into the admin account in Windows. So I logged into that, downloaded the latest FRST64 and ran it three times: 1. in Recovery Environment mode as described by you (rec.zip); 2. in Safe Mode with Networking with the internet turned ON (with net.zip); 3. in Safe Mode with Networking with the internet turned OFF (net off.zip). I don't know if posting all those logs too will make this thread lengthier and mix up all the logs, so I am attaching them after zipping. (Sorry that I did not know which one to post; please select whatever is needed and delete the rest.)
anniyan
Regular Member
 
Posts: 19
Joined: May 6th, 2014, 12:49 pm

Re: reopen of a previous topic

Post by nunped » June 12th, 2014, 5:01 pm

Hi anniyan,

No worries. I'm happy to help.
I'm a bit overwhelmed with my job over the next few days. Hopefully, I will be able to post a new set of instructions next Saturday.

Regards,
nunped
nunped
MRU Honors Grad Emeritus
 
Posts: 1210
Joined: August 17th, 2011, 5:03 pm
Location: Portugal

Re: reopen of a previous topic

Post by nunped » June 14th, 2014, 9:07 am

Hi anniyan,

From my initial post:
DO NOT run any other fix or removal tools unless instructed to do so!
DO NOT install any other software (or hardware) during the cleaning process. This adds more items to be researched.

Please refrain from downloading or running any tools unless I instruct you to. Working remotely on a computer is hard enough without constant changes to the system that we can't control.

Tell me if the following fix with FRST helps restore the permissions:
  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
    • Copy/Paste the contents of the code box below into Notepad.
Code: Select all
GroupPolicyUsers\S-1-5-21-606511456-1437241303-3617233354-1000\User: Group Policy restriction detected <======= ATTENTION
C:\Users\NAVEEN\AppData\Roaming\Network Meter_Usage.ini
C:\ProgramData\PKP_DLdu.DAT
C:\ProgramData\PKP_DLer.DAT
SetDefaultFilePermissions: C:\Program Files (x86)\Internet Explorer\iexplore.exe

    • Save it to the same folder/directory that FRST.exe is in, naming it as fixlist.txt

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
    • Press the Fix button once and wait.
    • FRST will process fixlist.txt
    • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
    • Please post me the log


If after this fix you have access to the files you need to back up, please proceed with that and the repave process.

If not, are you able to list for me the paths of all the files you need to back up?
nunped
MRU Honors Grad Emeritus
 
Posts: 1210
Joined: August 17th, 2011, 5:03 pm
Location: Portugal

Re: reopen of a previous topic

Post by anniyan » June 16th, 2014, 2:56 pm

Sir, I apologize. I assure you about this for the future. BTW, I ran the FRST fix as you had instructed. The log is below:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 12-06-2014 01
Ran by Naveen Admin at 2014-06-16 00:49:09 Run:1
Running from H:\
Boot Mode: Safe Mode (minimal)
==============================================

Content of fixlist:
*****************
GroupPolicyUsers\S-1-5-21-606511456-1437241303-3617233354-1000\User: Group Policy restriction detected <======= ATTENTION
C:\Users\NAVEEN\AppData\Roaming\Network Meter_Usage.ini
C:\ProgramData\PKP_DLdu.DAT
C:\ProgramData\PKP_DLer.DAT
SetDefaultFilePermissions: C:\Program Files (x86)\Internet Explorer\iexplore.exe
*****************

C:\Windows\system32\GroupPolicyUsers\S-1-5-21-606511456-1437241303-3617233354-1000\User => Moved successfully.
C:\Windows\system32\GroupPolicy\GPT.ini => Moved successfully.
C:\Users\NAVEEN\AppData\Roaming\Network Meter_Usage.ini => Moved successfully.
C:\ProgramData\PKP_DLdu.DAT => Moved successfully.
C:\ProgramData\PKP_DLer.DAT => Moved successfully.
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" => Set default permissions successfully.

The system needed a reboot.
==== End of Fixlog ====

BTW, is it OK that
C:\Windows\system32\GroupPolicyUsers\S-1-5-21-606511456-1437241303-3617233354-1000\
has a GPT.INI now whose content is:

[General]
gPCFunctionalityVersion=2
gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{7A3368D8-0D3F-46FA-9EA1-D00209BB83EC}]
Version=65536

http://imgur.com/pmp6Xz0

BTW, since the folder/file permissions stubbornly remain the same, the problems with executing executables in my standard account remain the same. IE is still the same (navigation denied to particular websites; a message box says that the search engine has been changed when I open IE). IMHO, the 2nd virus is still active [ https://www.virustotal.com/en/file/2da5 ... 402835721/ ]. But opening folders and navigating inside them is possible now, after the FRST fix.

BTW, is
C:\Windows\\system32\svchost.exe
a legitimate file? (Note the double slash.) This process supervises the group policies on my PC.
anniyan
Regular Member
 
Posts: 19
Joined: May 6th, 2014, 12:49 pm
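
The fixlist above moves a per-user Local Group Policy folder (C:\Windows\System32\GroupPolicyUsers\<SID>\User) out of the way, and the post above asks what the gpt.ini left in that folder means. Added example, not code from this thread or from FRST: a Python script that parses the two files such a folder can hold, gpt.ini (the text quoted above) and User\Registry.pol (the registry values the policy enforces). The Registry.pol entries are constructed here with plausible lockdown values (DisallowRun, an IE restriction); the poster's real values are not in the thread. Running it against a copy of the folder shows which HKCU restrictions a policy like the one FRST flagged was applying.

```python
r"""Inspect a per-user Local Group Policy folder (GroupPolicyUsers\<SID>).

Added example for the thread; not code from the forum or from FRST.
gpt.ini lists which client-side extensions (CSEs) to run and a version
counter; User\Registry.pol carries the registry values the policy sets.
The gpt.ini below is the one quoted in the thread; the Registry.pol
entries are CONSTRUCTED and are not the poster's actual contents.
"""
import configparser
import struct

REG_SZ, REG_DWORD = 1, 4
# CSE GUID for Administrative Templates, i.e. the extension that applies Registry.pol.
REGISTRY_CSE = "{35378EAC-683F-11D2-A89A-00C04FBBCFA2}"

SAMPLE_GPT_INI = """[General]
gPCFunctionalityVersion=2
gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{7A3368D8-0D3F-46FA-9EA1-D00209BB83EC}]
Version=65536
"""


def parse_gpt_ini(text):
    """Split Version into user/machine halves and list the user-side CSE GUIDs."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                     # keep the mixed-case key names
    cp.read_string(text)
    general = cp["General"]
    version = int(general.get("Version", "0"))
    names = general.get("gPCUserExtensionNames", "")
    guids = ["{" + g for g in names.replace("[", "").replace("]", "").split("{") if g]
    return {
        "user_version": version >> 16,       # high word: bumped on each user-policy edit
        "machine_version": version & 0xFFFF, # low word: machine-policy edits
        "user_extensions": guids,
    }


def _w(s):
    """UTF-16LE bytes: Registry.pol stores strings and its [ ; ] delimiters this way."""
    return s.encode("utf-16-le")


def build_registry_pol(entries):
    """Serialise (key, value_name, type, raw_data) tuples as a version-1 Registry.pol."""
    out = bytearray(b"PReg" + struct.pack("<I", 1))
    for key, name, rtype, data in entries:
        out += _w("[") + _w(key + "\0") + _w(";") + _w(name + "\0") + _w(";")
        out += struct.pack("<I", rtype) + _w(";") + struct.pack("<I", len(data)) + _w(";")
        out += data + _w("]")
    return bytes(out)


def parse_registry_pol(blob):
    """Return [(key, value_name, type, decoded_data), ...] from Registry.pol bytes."""
    if blob[:4] != b"PReg" or struct.unpack_from("<I", blob, 4)[0] != 1:
        raise ValueError("not a version-1 Registry.pol file")

    def wstr_at(p):                          # NUL-terminated UTF-16LE string at offset p
        end = p
        while blob[end:end + 2] != b"\0\0":
            end += 2
            if end >= len(blob):
                raise ValueError("unterminated string")
        return blob[p:end].decode("utf-16-le"), end + 2

    entries, pos = [], 8
    while pos < len(blob):
        if blob[pos:pos + 2] != _w("["):
            raise ValueError("expected '[' at offset %d" % pos)
        key, pos = wstr_at(pos + 2)
        name, pos = wstr_at(pos + 2)         # +2 skips the ';' after the key
        rtype, = struct.unpack_from("<I", blob, pos + 2)
        size, = struct.unpack_from("<I", blob, pos + 8)
        pos += 14                            # ';' type ';' size ';'
        data = blob[pos:pos + size]
        pos += size
        if blob[pos:pos + 2] != _w("]"):
            raise ValueError("expected ']' at offset %d" % pos)
        pos += 2
        if rtype == REG_DWORD and size == 4:
            value = struct.unpack("<I", data)[0]
        elif rtype == REG_SZ:
            value = data.decode("utf-16-le").rstrip("\0")
        else:
            value = data
        entries.append((key, name, rtype, value))
    return entries


EXPLORER_POL = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SAMPLE_ENTRIES = [   # CONSTRUCTED: the kind of lockdown a per-user GPO can impose
    (EXPLORER_POL, "DisallowRun", REG_DWORD, struct.pack("<I", 1)),
    (EXPLORER_POL + r"\DisallowRun", "1", REG_SZ, _w("FRST64.exe\0")),
    (r"Software\Policies\Microsoft\Internet Explorer\Restrictions",
     "NoBrowserOptions", REG_DWORD, struct.pack("<I", 1)),
]


def lockdown_report(blob):
    """One readable line per enforced HKCU value."""
    return ["HKCU\\%s!%s = %r" % (k, n, v) for k, n, _, v in parse_registry_pol(blob)]
```

On a live machine, copy the SID folder before running any fix (FRST moves it) and point parse_registry_pol at User\Registry.pol. In the quoted gpt.ini the Version high word is 1, meaning the user side has been written once; a gpt.ini with no User\Registry.pol beside it carries no registry policy to apply, which is what to check when judging whether a leftover folder still does anything.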

Re: reopen of a previous topic

Post by nunped » June 16th, 2014, 6:12 pm

Hi anniyan,

I think that the gpt.ini file is OK.
I don't understand the question about the svchost file. Does the file path contain a double slash? Where did you see it?

The priority is still to repave, so you can have a fully functional and secure system. Are you now able to backup the files you need? If not, can you tell me the specific paths of those files?
nunped
MRU Honors Grad Emeritus
 
Posts: 1210
Joined: August 17th, 2011, 5:03 pm
Location: Portugal
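
On the double-backslash question (C:\Windows\\system32\svchost.exe), added example, not code from this thread: Win32 path normalisation collapses repeated separators, so that string and C:\Windows\system32\svchost.exe open the same file, and the doubled slash is only how the tool that displayed it built the string, not evidence either way. What matters is where the normalised path lands. The script canonicalises the path the way Windows does (Python's ntpath, which runs on any OS) and compares it against the two directories the genuine service host runs from. C:\Windows as the system root is an assumption, and the sample paths are constructed.

```python
r"""Classify a process image path claimed to be svchost.exe.

Added example for the thread; not code from the forum. Doubled separators,
forward slashes and '..' segments are collapsed first, because Win32 does
the same when it opens the file, and only then is the directory compared.
SYSTEM_ROOT is an ASSUMPTION (default install); sample paths are constructed.
"""
import ntpath

SYSTEM_ROOT = r"C:\Windows"
GENUINE_DIRS = {
    ntpath.normcase(ntpath.join(SYSTEM_ROOT, "System32")),   # 64-bit host on x64
    ntpath.normcase(ntpath.join(SYSTEM_ROOT, "SysWOW64")),   # 32-bit host on x64
}


def canonical(path):
    """Collapse '\\\\', '/', '.' and '..' and fold case, as the Win32 path layer does."""
    return ntpath.normcase(ntpath.normpath(path))


def classify_svchost_path(path):
    """'genuine-location', 'suspicious-location' or 'name-mismatch' for one path."""
    directory, name = ntpath.split(canonical(path))
    if name != "svchost.exe":
        return "name-mismatch"          # e.g. svch0st.exe, svchost.exe.exe
    if directory in GENUINE_DIRS:
        return "genuine-location"
    return "suspicious-location"        # right name, wrong folder (AppData, Temp, ...)


SAMPLE_PATHS = [   # CONSTRUCTED inputs, including the thread's double-backslash form
    r"C:\Windows\\system32\svchost.exe",
    "C:/Windows/System32/drivers/../svchost.exe",
    r"C:\Windows\SysWOW64\svchost.exe",
    r"C:\Users\NAVEEN\AppData\Roaming\svchost.exe",
    r"C:\Windows\System32\svch0st.exe",
]


def report(paths=SAMPLE_PATHS):
    """Map each raw path to (canonical form, verdict)."""
    return {p: (canonical(p), classify_svchost_path(p)) for p in paths}
```

A genuine location is necessary but not sufficient: on the live machine pair this with an Authenticode check of the file (PowerShell's Get-AuthenticodeSignature) and with the parent process, since svchost.exe is normally started by services.exe.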

Re: reopen of a previous topic

Post by anniyan » June 18th, 2014, 6:28 pm

I saw it when I was using some Task Manager type of portable program; I forgot its name and I am still trying to recollect it. And I am in the process of backing up ASAP. On a side note, would it be necessary to reinstall the BIOS and modem-router firmware when I repave? Because I don't want to leave any loose ends.
anniyan
Regular Member
 
Posts: 19
Joined: May 6th, 2014, 12:49 pm

Re: reopen of a previous topic

Post by nunped » June 18th, 2014, 6:53 pm

Hi anniyan,

Not the BIOS, but if you can reset your router, that would be a good idea!
nunped
MRU Honors Grad Emeritus
 
Posts: 1210
Joined: August 17th, 2011, 5:03 pm
Location: Portugal

Re: reopen of a previous topic

Post by anniyan » June 21st, 2014, 8:31 am

Is resetting the router the same as reinstalling its firmware? And can I know why not the BIOS? Might it not have a malware infection? Anyway, I won't do it myself; I will ask a paid technician to reinstall the BIOS, if you deem it necessary.
anniyan
Regular Member
 
Posts: 19
Joined: May 6th, 2014, 12:49 pm

Re: reopen of a previous topic

Post by nunped » June 22nd, 2014, 7:27 pm

Hi anniyan,

I don't find it necessary to reinstall the BIOS, because formatting your computer should get rid of all the infections. Infections that resist such a procedure are exceedingly rare. I advise you to format and reassess your computer's performance.

Resetting the router is easier than reinstalling the firmware and should do the trick. Each model has its own set of instructions for doing the reset. You should find the instructions in your router's documentation.
nunped
MRU Honors Grad Emeritus
 
Posts: 1210
Joined: August 17th, 2011, 5:03 pm
Location: Portugal

Re: reopen of a previous topic

Post by Cypher » June 27th, 2014, 1:09 pm

Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
Cypher
Admin/Teacher
 
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns