Jump to content

Error Code while updating 80070216 windows 7


Recommended Posts

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 17-04-2014 01
Ran by April Bowers Agency at 2014-04-18 11:44:58 Run:2
Running from C:\Users\April Bowers Agency\Downloads
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
SearchScopes: HKCU - 197F8597FDE1425FA34FE4EB92076F5B URL = http://mysearch.avg....pr&d=2014-04-08 15:49:18&v=18.0.5.292&pid=safeguard&sg=&sap=dsp&q={searchTerms}
2014-04-17 17:35 - 2014-04-18 09:25 - 00000086 _____ () C:\Windows\system32\tuflbf.xus
2014-04-17 17:28 - 2014-04-18 09:16 - 00037888 _____ () C:\Windows\system32\qjkhykp.ldz
2014-04-17 17:25 - 2014-04-18 09:16 - 00000109 _____ () C:\Windows\system32\uyhkvj.mnr
2014-04-17 17:25 - 2014-04-17 17:25 - 00000064 _____ () C:\Windows\system32\liroxn.ase
2014-04-17 17:09 - 2014-04-17 17:09 - 00301959 ____S () C:\Windows\system32\jvfaz.ofr
2014-04-17 17:09 - 2014-04-17 17:09 - 00245760 _____ (Applied Systems) C:\Users\April Bowers Agency\AppData\Roaming\yxxqj.dll
Replace: C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll C:\Windows\System32\rpcss.dll
Reboot:
end
*****************

HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\197F8597FDE1425FA34FE4EB92076F5B => Key deleted successfully.
HKCR\CLSID\197F8597FDE1425FA34FE4EB92076F5B => Key deleted successfully.
C:\Windows\system32\tuflbf.xus => Moved successfully.
C:\Windows\system32\qjkhykp.ldz => Moved successfully.
Could not move "C:\Windows\system32\uyhkvj.mnr" => Scheduled to move on reboot.
C:\Windows\system32\liroxn.ase => Moved successfully.
Could not move "C:\Windows\system32\jvfaz.ofr" => Scheduled to move on reboot.
C:\Users\April Bowers Agency\AppData\Roaming\yxxqj.dll => Moved successfully.
C:\Windows\System32\rpcss.dll => Moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll copied successfully to C:\Windows\System32\rpcss.dll

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-04-18 11:53:40)<=

C:\Windows\system32\uyhkvj.mnr => Is moved successfully.
C:\Windows\system32\jvfaz.ofr => Is moved successfully.

==== End of Fixlog ====

Link to post
Share on other sites

Hello,

 

Thank you for the beers, infected files and detailed explanation on how you got hit by this new version of the infection. :)

 

You can read more information about it here:

 

https://blog.avast.com/2014/01/15/win3264blackbeard-pigeon-stealthiness-techniques-in-64-bit-windows-part-1/

https://blog.avast.com/2014/01/22/win3264blackbeard-pigeon-stealthiness-techniques-in-64-bit-windows-part-2/

 

 

Before I give you my final recommendations I'd like us to scan your machine with ESET OnlineScan and avast:

 

 

STEP 1
 

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Run ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.
  • Check esetAcceptTerms.png
  • Click the esetStart.png button.
  • Accept any security warnings from your browser.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is  checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push esetListThreats.png
  • Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the esetBack.png button.
  • Push esetFinish.png

 

 

 

STEP 2

 

 

Please download aswMBR.exe to your desktop.
 

  • Double click the aswMBR.exe icon to run it.
  • The program will offers to download the latest antivirus definitions from Avast servers. Click YES to agree.
  • When it's done in the AV Scan drop down options choose C:\
    unledyfm.png
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Note - do NOT press Fix or FixMBR buttons!

 

 

 

Regards,

Georgi

Link to post
Share on other sites

C:\FRST\Quarantine\C.zip Win64/Patched.H trojan
C:\FRST\Quarantine\C\Windows\system32\rpcss.dll.xBAD Win64/Patched.H trojan
C:\Program Files (x86)\ScanPoint\ScanPoint Viewer\PDFCreatorSetup.exe Win32/Toolbar.Widgi potentially unwanted application
C:\Program Files (x86)\ScanPoint\ScanPoint Viewer\scanpointviewer.msi Win32/Toolbar.Widgi potentially unwanted application
C:\Users\April Bowers Agency\AppData\Roaming\0S1F1O2Z0S2Y1H1T\OpenOffice Packages\uninstaller.exe Win32/InstallCore.AZ potentially unwanted application
C:\Users\April Bowers Agency\Downloads\scanpointviewer.zip Win32/Toolbar.Widgi potentially unwanted application
C:\Windows\Installer\1e1af0.msi Win32/Toolbar.Widgi potentially unwanted application
 

<_<

still working on asw... i will post that when done

Link to post
Share on other sites

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2014-04-18 17:40:43
-----------------------------
17:40:43.993    OS Version: Windows x64 6.1.7601 Service Pack 1
17:40:43.993    Number of processors: 2 586 0x603
17:40:43.993    ComputerName: APRILBOWERSINS2  UserName:
17:40:47.191    Initialize success
17:42:10.589    AVAST engine defs: 14041802
17:42:24.321    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000055
17:42:24.336    Disk 0 Vendor: WDC_WD64 01.0 Size: 610480MB BusType: 11
17:42:24.477    Disk 0 MBR read successfully
17:42:24.477    Disk 0 MBR scan
17:42:24.508    Disk 0 unknown MBR code
17:42:24.523    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 2048
17:42:24.539    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       598025 MB offset 206848
17:42:24.586    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS        12353 MB offset 1224962048
17:42:24.695    Disk 0 scanning C:\Windows\system32\drivers
17:42:42.357    Service scanning
17:43:08.521    Modules scanning
17:43:08.537    Disk 0 trace - called modules:
17:43:08.552    ntoskrnl.exe CLASSPNP.SYS disk.sys amdxata.sys storport.sys hal.dll amdsata.sys
17:43:08.568    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80029de2e0]
17:43:08.568    3 CLASSPNP.SYS[fffff880010a143f] -> nt!IofCallDriver -> [0xfffffa80029cfa50]
17:43:08.568    5 amdxata.sys[fffff880011407a8] -> nt!IofCallDriver -> \Device\00000055[0xfffffa800289b8b0]
17:43:11.475    AVAST engine scan C:\
19:39:32.031    Disk 0 MBR has been saved successfully to "C:\Users\April Bowers Agency\Desktop\MBR.dat"
19:39:32.234    The log file has been saved successfully to "C:\Users\April Bowers Agency\Desktop\aswMBR.txt"

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2014-04-18 17:40:43
-----------------------------
17:40:43.993    OS Version: Windows x64 6.1.7601 Service Pack 1
17:40:43.993    Number of processors: 2 586 0x603
17:40:43.993    ComputerName: APRILBOWERSINS2  UserName:
17:40:47.191    Initialize success
17:42:10.589    AVAST engine defs: 14041802
17:42:24.321    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000055
17:42:24.336    Disk 0 Vendor: WDC_WD64 01.0 Size: 610480MB BusType: 11
17:42:24.477    Disk 0 MBR read successfully
17:42:24.477    Disk 0 MBR scan
17:42:24.508    Disk 0 unknown MBR code
17:42:24.523    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 2048
17:42:24.539    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       598025 MB offset 206848
17:42:24.586    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS        12353 MB offset 1224962048
17:42:24.695    Disk 0 scanning C:\Windows\system32\drivers
17:42:42.357    Service scanning
17:43:08.521    Modules scanning
17:43:08.537    Disk 0 trace - called modules:
17:43:08.552    ntoskrnl.exe CLASSPNP.SYS disk.sys amdxata.sys storport.sys hal.dll amdsata.sys
17:43:08.568    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80029de2e0]
17:43:08.568    3 CLASSPNP.SYS[fffff880010a143f] -> nt!IofCallDriver -> [0xfffffa80029cfa50]
17:43:08.568    5 amdxata.sys[fffff880011407a8] -> nt!IofCallDriver -> \Device\00000055[0xfffffa800289b8b0]
17:43:11.475    AVAST engine scan C:\
19:39:32.031    Disk 0 MBR has been saved successfully to "C:\Users\April Bowers Agency\Desktop\MBR.dat"
19:39:32.234    The log file has been saved successfully to "C:\Users\April Bowers Agency\Desktop\aswMBR.txt"
19:43:04.431    Disk 0 MBR has been saved successfully to "C:\Users\April Bowers Agency\Desktop\MBR.dat"
19:43:04.447    The log file has been saved successfully to "C:\Users\April Bowers Agency\Desktop\aswMBR.txt"

 

 

I am not sure if it was done.. but it was sitting on same thing for over 30 minutes with no change.. so i saved log..... Scan option was not highlighted.. so .. let me know if you need me to redo it..

 

ENJOY EASTER BREAK!!!!!!    WOOHOO :lol: 
 

Link to post
Share on other sites

Hello,

 

I think that additional actions are needed anymore. smile.png

 

The following files are bundled with adware and if you don't use them, then you can delete them:

 

C:\Program Files (x86)\ScanPoint\ScanPoint Viewer\PDFCreatorSetup.exe
C:\Program Files (x86)\ScanPoint\ScanPoint Viewer\scanpointviewer.msi
C:\Users\April Bowers Agency\AppData\Roaming\0S1F1O2Z0S2Y1H1T\OpenOffice Packages\uninstaller.exe
C:\Users\April Bowers Agency\Downloads\scanpointviewer.zip
C:\Windows\Installer\1e1af0.msi

 

You can see more about PUP here => What are the 'PUP' detections, are they threats and should they be deleted?

 

 

And here are my final recommendations to you:

 

 

Nicely done ! icon_bananas.gif This is the end of our journey if you don't have any more questions.

Thank you for following my instructions perfectly. :)
I have some final words for you.
All Clean !
Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it Clean.

 

 

 

STEP 1 CLEANUP

 

 

 

To remove all of the tools we used and the files and folders they created, please do the following:

 

 

Download the following file => fixlist.txt and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST/FRST64 and press the Fix button just once and wait.
It's no needed to post the log this time.

 

 

 

Please download OTC.exe by OldTimer and save it to your desktop.
 

  • Right-click the OTC.exe and choose Run as Administrator.
  • Click on CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

 

  • Next please download Delfix.exe by Xplode and save it to your desktop.
  • Please start it and check the box next to "Remove disinfection tools" and click on the run button.
  • The tool will delete itself once it finishes.

 

Note: If any tool, file, log file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

 

 

 

STEP 2 SECURITY ADVICES
 

 

Change all your passwords !


Since your computer was infected for peace of mind, I would however advise you that all your passwords be changed immediately including those for bank accounts, credit cards and home loans, PIN codes etc)!! (just in case).

If you're storing password in the browser to access websites than they are non encrypted well (only if you use Firefox with master password protection activated provide better security). So I strongly recommend to change as much password as possible. Many of the modern malware samples have backdoor abilities and can steal confidential information from the compromised computer. Also you should check for any suspicious transactions if such occur. If you find out that you have been victim to fraud contact your bank or the appropriate institution for assistance.

Use different passwords for all your accounts. Also don't use easy passwords such as your favorite teams, bands or pets because this will allow people to guess your password.
You can use PC Tools Password Generator to create random passwords and then install an application like KeePass Password Safe to store them for easy access.If you do Online Banikng please read this article: Online Banking Protection Against Identity Theft

 

 

Keep your antivirus software turned on and up-to-date

 

  • Make sure your antivirus software is turned on and up-to-date.
  • New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Note:
  • You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
  • You should scan your computer with an AntiSpyware program like Malwarebytes' Anti-Malware on a regular basis just as you would an antivirus software.
  • Be sure to check for and download any definition updates prior to performing a scan.
  • Also keep in mind that MBAM is not a replacement for antivirus software, it is meant to complement the protection provided by a full antivirus product and is designed to detect the threats that are missed by most antivirus software.

 

Make sure that you use all useful features offered by McAfee

 

  1. Click Start, Programs, McAfee, VirusScan Console.
  2. Make sure that all shields are enabled.

5nrLvqm.png

  1. Usually they are well configured by default and and customizable is not needed but if you want you can check their settings by right-click each of them (one by one) and select Properties.

 

 

Install HIPS based software if needed (or use Limited Account with UAC enabled)

 

I usually recommend to users to install HIPS based software but this type software is only effective in the right hands since it require from the users to take the right decisions.

 

HIPS based software controls what an application is allowed to do and not allowed to do.
It monitors what each application tries to do, how it use the internet and give you the ability to block any suspicious activity occurring on your computer.
In my opinion the best way to prevent an unknown malware from gaining access is to use some HIPS programs (like COMODO Firewall, PrivateFirewall, Online Armor etc.) to control the access rights of legitimate applications, although this would only be advisable for experienced users. (so if you don't feel comfortable using such software then you can skip this advice)

 

However, you should be aware though that (if you install Comodo Firewall and not the whole package Comodo Internet Security) this is not an replacement for a standard antivirus application. It's a great tool to add another layer of protection to your existent antivirus application. Also note that if you have an antivirus installed then you should install Comodo Firewall (and not Comodo Internet Security to avoid conflicts).

 

It takes some time and knowledge to configure it for individual purposes but once done, you should not have a problems with it.
There are so many reviews on YouTube and blogs about all these programs.
Keep in mind to choose carefully in order to avoid conflicts or instability caused by incompatible security programs.
Also having more than one "real-time" program can be a drain on your PC's efficiency so please refrain doing so.

More information about HIPS can be found here: What is Host Intrusion Prevention System (HIPS) and how does it work?

 

If you like Comodo you should choose for yourself which version of Comodo you will use 5 or 7. Personally I stick to version 5 at least for now.

 

However keep in mind that Comodo may be non compatible with McAfee because virusscan enterprise has some built in firewall features to block some ports so if you decide to use HIPS based software then you should uninstall McAfee and install another antivirus package.

 

If these kind of programs are difficult for you to use then you can use a standard user account with UAC enabled. If you need administrative privileges to perform some tasks, then you can use Run As or log on as the administrator account for that specific task.

 

 

Be prepared for CryptoLocker:

 

 

CryptoLocker Ransomware Information Guide and FAQ

Cryptolocker Ransomware: What You Need To Know

New CryptoLocker Ransomware Variant Spread Through Yahoo Messenger

CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ

 

 

Since the prevention is better than cure you can use gpedit built-in Windows or CryptoPrevent (described in the first link) to secure the PC against this locker.

Another way is to use Comodo Firewall and to add all local disks to Protected Files and Folders

You may want to check HitmanPro.Alert.CryptoGuard and add install it to be safe when surfing the net.

 

 

Practice Safe Internet


One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will.  Below are a list of simple precautions to take to keep your computer clean and running securely:
 

  • If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that.  Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
  • .exe, .com, .bat, .pif, .scr or .cmd do not open the attachment unless you know for a fact that it is clean.  For the casual computer user, you will almost never receive a valid attachment of this type.
  • If you receive an attachment from someone you know, and it looks suspicious, then it probably is.  The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.
  • If you are browsing the Internet and a popup appears saying that you are infected, ignore it!. These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article:
    Foistware, And how to avoid it. There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams.  For a list of these types of programs we recommend you visit this link: About Malwares, Rogues, Scarewares, SmitfraudFix
  • Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message  or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you.  We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window.  If there is a menu that comes up saying Add to Favorites... you know it's a fake.
  • Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.
  • When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.
  • Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections. Avoid using cracks and unknown programs from sources you don't trust. There are MANY alternative open-source applications. Malware writers just love cracks and keygens, and will often attach malicious code into them. By using cracks and/or keygens, you are asking for problems. So my advice is - stay away from them!
  • Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing them and Peer-2-Peer networks are crawling with it. If you want to download a piece of software a from a site, and are not sure if they are legitimate, you can use McAfee Siteadvisor to look up info on the site. Note: skip this advice if your antivirus have a Web Guard.
  • DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.

 

 

Tweak your browsers
 

 

MOZILLA FIREFOX


To prevent further infections be sure to install the following add-ons NoScript and AdBlock Plus

 

Adblock Plus hides all those annoying (and potentially dangerous) advertisements on websites that try and tempt you to buy or download something. AdBlock not only speeds up your browsing and makes it easier on your eyes, but also makes it safer.

 

Adblock Plus can be found here.

 

Do not add to many filters subscriptions because it will slow down your browser startup time.

 

erfxUim.jpg

 

NoScript is only for advanced users as it blocks all the interactive parts of a webpage, such as login options. Obviously you wouldn’t want to block your ability to log on to your internet banking or your webmail, but thankfully you can tell NoScript to allow certain websites and block others. This is very useful to ensure that the website you’re visiting is not trying to tempt you to interact with another, more dangerous website.

 

NoScript can be found here

 

You can find the optimal settings here
A tutorial on how to use it can be found here

 

 

 

Google Chrome

 
If you like Google Chrome there are many similar extensions for this browser as well. Since I am not a Google Chrome user I can't tell you which of them are good and how they work. You should find out by yourself.

However Google Chrome can block a lot of unknown malware because of his sandbox.Beware of the fact that Google Chrome doesn't provide master password protection for your saved in the browser passwords. Check this out: Google Chrome security flaw offers unrestricted password access

 

 

 

For Internet Explorer 9/10 read the articles below:
 

Security and privacy features in Internet Explorer 9

Enhanced Protected Mode
Use Tracking Protection in Internet Explorer

Security in Internet Explorer 10

 

Immunize your browsers with SpywareBlaster 5 and Spybot Search and Destroy 1.6

Also MBAM acquired the following software Malwarebytes Anti-Exploit and it should work with the most popular browsers. Beware the product is in beta stage.

Changelog can be seen here and known issues here.

 

 
Make the extensions for known file types visible:
 

Be wary of files with a double extension such as jpg.exe. As a default setting, Windows often hides common file extensions, meaning that a program like image.jpg.exe will appear to you as simply image.jpg. Double extensions exploit this by hiding the second, dangerous extension and reassuring you with the first one.Check this out - Show or hide file name extensions.

 

 

Disable Autorun:

 

It's a good idea to disable the autorun functionality using the following tool to prevent spreading of the infections from USB flash drives.

 

 

Create an image of your system (you can use the built-in Windows software as well if you prefer)

 

  • Now when your pc is malware free it is a good idea to do a backup of all important files just in case something happens it.
  • Macrium Reflect is very good choice that enables you to create an image of your system drive which can be restored in case of problems.
  • The download link is here.
  • The tutorial on how to create an system image can be found here.
  • The tutorial on how to restore an system image can be found here.
  • Be sure to read the tutorial first.

 

 

Follow this list and your potential for being infected again will reduce dramatically.

Safe Surfing and happy Easter holidays! easter4.gif

 

 

Regards,

Georgi

Link to post
Share on other sites

  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.