Radical924, posted October 3, 2013:

Okay so yesterday I unknowingly installed a virus onto my computer... This virus wouldn't allow me to delete it or anything... If I tried it would say "explorer.exe crashed" or something like that... I ended up using a program called Unlocker to delete it and then I scanned my computer twice with Malwarebytes, AVG, and Trend Micro HouseCall. I am fairly confident the virus is removed now but what it left me with is very frustrating =( ...

Now that the virus is gone I am left with some very concerning problems:

1. My Windows Firewall cannot be enabled. If I try to access it my PC says: "There was an error opening the Windows Firewall with Advanced Security snap-in". "The Windows Firewall with Advanced Security snap-in failed to load. Restart the Windows Firewall service on the computer that you are managing. Error code: 0x6D9". If I go to services.msc the "Windows Firewall" service isn't even listed on the page.
2. My Windows Defender cannot be started/found.
3. There is a problem in Windows Action Center.

Now there may be other issues but I am unsure if there is... If someone can please help me out with this it would be very appreciated! If you would like a link to the download page of the virus I could give it to you as it is a RAR file but it will give you a VIRUS so.... I don't think that is such a great idea... Oh and I heard about a program called Sandboxie which I guess I will be using from now on if I ever install anything...

Radical924 (Author), posted October 3, 2013:

Oh yeah I forgot to mention I found another thread with similar Virus aftermath: http://forums.malwarebytes.org/index.php?showtopic=119681

kevinf80, posted October 3, 2013:

Run the following:

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

- Double-click to run it. When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
- The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

Next,

Download Farbar Service Scanner from here: http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/ and run it on the computer with the issue.

- Make sure the following options are checked:
  - Internet Services
  - Windows Firewall
  - System Restore
  - Security Center/Action Center
  - Windows Update
  - Windows Defender
- Press "Scan".
- It will create a log (FSS.txt) in the same directory the tool is run.
- Please copy and paste the log to your reply.

Kevin...

Radical924 (Author), posted October 4, 2013:

Hi thank you for your response! Actually I was lucky enough to have a restore point before I got the virus! So my system is back in working order lol... If you think I should still do the Farbar scan thing then please tell me below.

kevinf80, posted October 4, 2013:

Yes run FRST run a Quick scan with Malwarebytes first, post those logs.... If logs are clean we can close out your thread...

Radical924 (Author), posted October 4, 2013:

> Yes run FRST run a Quick scan with Malwarebytes first, post those logs.... If logs are clean we can close out your thread...

Okay I have all 4 log files attached. I took a look at them and I could see that windows defender says it is not working apparently... Idk if it has always been like this but I am pretty sure it is supposed to work?

kevinf80, posted October 4, 2013:

You are running an illegal program on your system originally designed to crack Microsoft Office, we can offer no further help.

2013-09-17 23:42 - 2013-10-03 12:24 - 00000000 ____D C:\Windows\AutoKMS

Please read the following stickie regarding piracy: http://forums.malwarebytes.org/index.php?showtopic=97700

Radical924 (Author), posted October 4, 2013:

> You are running an illegal program on your system originally designed to crack microsoft office, we can offer no further help.
>
> 2013-09-17 23:42 - 2013-10-03 12:24 - 00000000 ____D C:\Windows\AutoKMS
>
> Please read the following stickie regarding piracy: http://forums.malwarebytes.org/index.php?showtopic=97700

Seriously I have never heard of AutoKMS before.... I can delete it if it means you can help me.. All I really wanted to know was if my PC is virus infected or not still and why my Windows Defender says it's broke??? And that also explains why Microsoft Office never expires lol... I knew something must've been up with that...

kevinf80, posted October 4, 2013:

I cannot help, you will have to wait for a moderator....

Radical924 (Author), posted October 4, 2013:

okay... well if there is nothing that can be done for now then we are done for now cuz I did solve my issue with the firewall thing and the other stuff cuz of system restore... Thank you for your help so far though! I wouldn't know even where to begin... never used that farbar thing before...

Maurice Naggar, posted October 4, 2013:

Hello Radical924,

Have you deleted the folder C:\Windows\AutoKMS ?

Please download CKScanner from >>Here<<

Important: - Save it to your desktop.

- Right-click CKScanner.exe & select Run as administrator to start.
- Then click Search For Files.
- After a very short time, when the cursor hourglass disappears, click Save List To File.
- A message box will verify the file saved. Please run the program only once.
- Copy/paste the contents of CKFiles.txt in your next reply.

We cannot help you further as long as pirated software is on this box.

Radical924 (Author), posted October 4, 2013:

> Hello Radical924,
>
> Have you deleted the folder C:\Windows\AutoKMS ?
>
> Please download CKScanner from >>Here<<
>
> Important: - Save it to your desktop.
>
> Right-click CKScanner.exe & select Run as administrator to start, then click Search For Files. After a very short time, when the cursor hourglass disappears, click Save List To File. A message box will verify the file saved. Please Run the program only once. Copy/paste the contents of CKFiles.txt in your next reply.
>
> We cannot help you further as long as pirated software is on this box.

Yup just deleted the folder and the task scheduler task... It said it never ran before lol... So idk where it came from but doesn't matter now it's gone... Below are the contents of CKFiles.txt:

CKScanner 2.4 - Additional Security Risks - These are not necessarily bad
scanner sequence 3.ZZ.11.TKAPJ0
----- EOF -----

kevinf80, posted October 5, 2013:

Thanks for the logs, ok we can continue:

Let me know how system is responding, if there are any remaining issues or concerns...

Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

- Double-click to run it. When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
- The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

Next,

Please download RogueKiller from here:

http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe <- 32 bit version
http://www.sur-la-toile.com/RogueKiller/RogueKillerX64.exe <- 64 bit version

Make sure to get the correct version for your system.

- Quit all running programs.
- Please disconnect any USB or external drives from the computer before you run this scan!
- For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
- Wait until Prescan has finished...
- The following EULA will appear, please select accept.
- Ensure MBR scan, Check faked and AntiRootkit are checked.
- Select Scan.
- When the scan completes select Report, copy and paste that to your reply. The log should be found in RKreport[?].txt on your Desktop.
- Exit/Close RogueKiller.

Post those logs...

Radical924 (Author), posted October 5, 2013:

Okay here is the Roguekiller log... It mentioned something about "Zero Access" and linked me to a webpage: http://www.adlice.com/zeroaccess-removal-with-roguekiller/ Also I already posted the other 2 logs before lol... I still have them saved if you still need them.

RogueKiller V8.7.1 _x64_ [Oct 3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : ******* [Admin rights]
Mode : Scan -- Date : 10/05/2013 15:03:15
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 8 ¤¤¤
[RUN][ROGUE ST] HKUS\.DEFAULT\[...]\Run : 20090604 (C:\Program Files (x86)\Encore\Hoyle\RegApp\encore_reg.exe /r "C:\Program Files (x86)\Encore\Hoyle\RegApp\encore_reg.rpd") -> FOUND
[RUN][ROGUE ST] HKUS\S-1-5-18\[...]\Run : 20090604 (C:\Program Files (x86)\Encore\Hoyle\RegApp\encore_reg.exe /r "C:\Program Files (x86)\Encore\Hoyle\RegApp\encore_reg.rpd") -> FOUND
[HJ POL][PUM] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowRun (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][Junction] en-US : C:\Program Files\Windows Defender\en-US >> \systemroot\system32\config [-] --> FOUND

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ SCSI) (Standard disk drives) - WDC WD64 00AAKS-22A7B SCSI Disk Device +++++
--- User ---
[MBR] 18516f6067fcda58ed7c00e2d3df624f
[BSP] e10c19537013babe50cba4b90ef42edc : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 208896 | Size: 603207 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1235576832 | Size: 4095 Mo
3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1243963392 | Size: 3073 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[0]_S_10052013_150315.txt >>

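An added example (not part of the original thread and not RogueKiller's own code): a small Python parser for the report layout pasted in the post above, which checks each section's declared count against the entries listed under it and pulls out junction findings such as the Windows Defender `en-US` redirect. The function names and regular expressions are assumptions derived only from the lines visible in this one report.

```python
import re

# Excerpt of the RogueKiller report quoted above (empty sections mostly left out).
SAMPLE_REPORT = r"""
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 8 ¤¤¤
[RUN][ROGUE ST] HKUS\.DEFAULT\[...]\Run : 20090604 (C:\Program Files (x86)\Encore\Hoyle\RegApp\encore_reg.exe /r "C:\Program Files (x86)\Encore\Hoyle\RegApp\encore_reg.rpd") -> FOUND
[RUN][ROGUE ST] HKUS\S-1-5-18\[...]\Run : 20090604 (C:\Program Files (x86)\Encore\Hoyle\RegApp\encore_reg.exe /r "C:\Program Files (x86)\Encore\Hoyle\RegApp\encore_reg.rpd") -> FOUND
[HJ POL][PUM] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowRun (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][Junction] en-US : C:\Program Files\Windows Defender\en-US >> \systemroot\system32\config [-] --> FOUND
¤¤¤ Infection : ZeroAccess ¤¤¤
"""

SECTION = re.compile(r"^¤¤¤\s*([^:¤]+?)\s*:\s*([^¤]*?)\s*¤¤¤$")   # "¤¤¤ Name : value ¤¤¤"
ENTRY = re.compile(r"^((?:\[[^\]]+\])+)\s*(.*?)\s*-+>\s*FOUND$")  # "[tag][tag] body -> FOUND"
JUNCTION = re.compile(r"^.+?\s:\s*(.+?)\s*>>\s*(\S+)")            # "name : path >> target"


def parse_report(text):
    """Return {section name: {"declared": str, "entries": [(tags, body), ...]}}."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = SECTION.match(line)
        if header:
            current = sections.setdefault(
                header.group(1), {"declared": header.group(2), "entries": []})
            continue
        entry = ENTRY.match(line)
        if entry and current is not None:
            tags = re.findall(r"\[([^\]]+)\]", entry.group(1))
            current["entries"].append((tags, entry.group(2)))
    return sections


def count_mismatches(sections):
    """Sections whose numeric declared count differs from the entries parsed."""
    return [name for name, sec in sections.items()
            if sec["declared"].isdigit()
            and int(sec["declared"]) != len(sec["entries"])]


def junction_findings(sections):
    """(family tag, junction path, target) for every entry tagged Junction."""
    found = []
    for sec in sections.values():
        for tags, body in sec["entries"]:
            m = JUNCTION.match(body)
            if "Junction" in tags and m:
                found.append((tags[0], m.group(1), m.group(2)))
    return found


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print("Infection:", report["Infection"]["declared"])
    print("Count mismatches:", count_mismatches(report))
    for family, path, target in junction_findings(report):
        print(f"{family}: {path} -> {target}")
```

A count mismatch usually means the pasted log was truncated or edited before posting, which is worth ruling out before acting on it.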
kevinf80, posted October 5, 2013:

I need to see a fresh log from FRST, FRST.txt; you will not get the second log this time, addition.txt.

Radical924 (Author), posted October 6, 2013:

> I need to see a fresh log from FRST, FRST.txt you will not get the second log this time addition.txt

Okay here is the 2nd FRST.txt: http://pastebin.com/raw.php?i=m2gWTU5g

What should I do about the Zero Access thing? Should I follow the instructions on the page that was listed?

Radical924 (Author), posted October 6, 2013:

Okay I followed the video tutorial and removed the Zero Access left over registry keys... Windows Defender works now! Anything else you see that may be a virus? or that I should run before you close this topic?

kevinf80, posted October 6, 2013:

FRST.txt is still showing issues that need attention, it would seem that user names have been taken out and replaced with an asterisk, I cannot give a fix list without a full navigational address.

If you want me to continue run FRST one more time, copy and paste the log to your reply. Do not strike out user names and do not give links to 3rd party sites...

If you do not want to follow that instruction we can close out, your choice...

Kevin

Radical924 (Author), posted October 6, 2013:

I replaced the user names with asterisks as that is personal information... I have a right to... I gave you the log so... can you please take a look at it for me? I put it on pastebin as it is a lot easier then for you.

kevinf80, posted October 6, 2013:

I do not pick logs from 3rd party sites, I need to see them here. If you take out user names I cannot give the fix. You are correct it is your right to do as you see fit. Ok we will just close out.

Thank you for your time and understanding.....

Radical924 (Author), posted October 6, 2013:

Okay... Sorry I didn't know... I don't need any more help anyways though because you ended up removing the Zero Access virus fully and it fixed Windows Defender! I also found a few other programs like TFC (Temp File Cleaner) and Eset Online Scanner! Thank you for your understanding.

kevinf80, posted October 6, 2013:

OK, I'll close out the thread...

Radical924 (Author), posted October 6, 2013:

> OK, i`ll close out the thread...

Oh yeah 1 last question what is the best free ad aware blocker you can recommend? I scanned with eset online scanner and I had a couple ad aware installers... thanks then feel free to close the thread...

kevinf80, posted October 6, 2013:

My own security set up is: Windows own Firewall, Microsoft Security Essentials and Malwarebytes Pro. Windows FW and MSE are free, MB does also have a free version, however I prefer the pro version as it provides auto updates and realtime protection. Cost is about £20 for a lifetime license.

As an extra layer I also use WinPatrol, the free version is adequate for general home use. Available here: http://www.winpatrol.com/download.html

For my browser I use Firefox with these addons: Web of Trust, Adblock Plus, Flash Block, NoScript, Ghostery.

When Firefox is open select these keys together: Ctrl - Shift - A. That will access Addons manager, this gives access to find addons, use, start, stop or disable those features etc....

Before using NoScript read from this link http://noscript.net/ makes it easy to understand....

- Understanding Windows 7 Firewall - http://windows.microsoft.com/en-GB/windows7/Understanding-Windows-Firewall-settings
- Understanding Microsoft Security Essentials - http://www.microsoft.com/en-gb/security/pc-security/mse.aspx
- Understanding Malwarebytes, how to create an exclusion in MSE - http://forums.malwarebytes.org/index.php?showtopic=10138&st=0&p=162100entry162100
- Understanding WinPatrol - http://www.winpatrol.com/features.html

I also use the Professional version of Sandboxie, I believe there is also a free version available. Visit this link http://www.sandboxie.com/ for access to d/l, also make sure to use the "Help and FAQ" option to understand its uses, specifically how to run your browser sandboxed!

AdvancedSetup (Root Admin), posted October 7, 2013:

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!