Cleaning up the various registry and service settings after removing viruses


  • This topic is locked
5 replies to this topic

#1 georgiopizzio

  • Members
  • 3 posts

Posted 13 January 2017 - 12:11 AM

So basically I used Malwarebytes, AdwCleaner and HitmanPro to remove the virus that my computer was infected with, and it seemed to have removed most of it. However, there were still some lingering effects even after all this: when I run Rkill it tells me that there are a bunch of Windows services missing and various other things wrong with my computer. Also I noticed that when I try to change Windows Defender settings, a message shows up saying that "some settings are being managed by your organization", when my computer is a home computer. I was just wondering what kind of steps I can take to fix these remaining items?

 

Any help is greatly appreciated! Thank you!

Attached Files


Edited by georgiopizzio, 13 January 2017 - 12:16 AM.




#2 nasdaq

  • Malware Response Team
  • 40,508 posts
  • Location: Montreal, QC, Canada

Posted 14 January 2017 - 11:04 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:


HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-18\...\Run: [] => 0
GroupPolicyScripts: Restriction <======= ATTENTION
GroupPolicyScripts\User: Restriction <======= ATTENTION
S2 GTFAVENUE Updater; C:\Program Files (x86)\GTFAVENUE Updater\GTFAVENUE Updater.exe [X]
S2 NVIDIA Wireless Controller Service; "C:\Program Files\NVIDIA Corporation\GeForce Experience Service\nvwirelesscontroller.exe" [X]
Task: {DA2F17C4-93BA-443E-93EE-A19781E361C6} - System32\Tasks\GTFAVENUE => gtfavenue.exe
C:\Program Files (x86)\GTFAVENUE Updater

Reboot:


End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Also I noticed that when I trying to change windows defender settings that a message showed up saying that "some settings are being managed by your organization"


Try the suggested fix on this page.

https://www.tekrevue.com/tip/some-settings-are-managed-by-your-organization-windows-

===

Any remaining issues?

p.s.
The Rkill reported items are all false positive.
Nothing to worry about.
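The fixlist above targets four kinds of residue: empty-name Run values, the local Group Policy files behind the "managed by your organization" message, two services whose binary is gone (FRST marks those [X]) and a scheduled task whose executable is missing. The PowerShell below is an added example for this thread, not part of nasdaq's reply and not FRST code: it audits a machine read-only for the same four categories, so you can see what a fixlist would need to target before running one. It assumes Windows 8/10 or later (Get-ScheduledTask, Get-CimInstance) and an elevated prompt. The Windows Defender policy key it lists is the usual source of the "managed by your organization" message, but not the only one; treat that part as a first check rather than a complete answer.

```powershell
# Read-only audit of the persistence residue an FRST fixlist like the one above targets.
# Added example for this thread; not FRST code. Run from an elevated PowerShell (Windows 8/10+).

function Resolve-ImagePath {
    # Extract the executable from a service ImagePath or Run value ("C:\a b\x.exe" -arg, C:\x.exe /s, ...).
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    $cmd = $cmd -replace '^\\\?\?\\', ''                     # \??\C:\...      -> C:\...
    $cmd = $cmd -replace '^\\SystemRoot', $env:SystemRoot   # \SystemRoot\... -> C:\Windows\...
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    # Unquoted path followed by arguments: drop trailing tokens until something exists on disk.
    $tokens = $cmd -split ' '
    for ($i = $tokens.Count; $i -ge 1; $i--) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]
}

function Test-ExeExists {
    param([string]$Path)
    if (-not $Path) { return $false }
    if ([IO.Path]::IsPathRooted($Path)) { return (Test-Path -LiteralPath $Path -PathType Leaf) }
    # A bare name like "gtfavenue.exe" only counts as present if it resolves through PATH.
    return [bool](Get-Command -Name $Path -CommandType Application -ErrorAction SilentlyContinue)
}

# 1. Win32 services whose binary is missing (what FRST shows as "S2 Name; path [X]").
$orphanServices = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $exe = Resolve-ImagePath $svc.PathName
    if (-not (Test-ExeExists $exe)) {
        [pscustomobject]@{ Kind = 'Service'; Name = $svc.Name; StartMode = $svc.StartMode; Target = $svc.PathName }
    }
}

# 2. Scheduled tasks whose action points at a missing executable (the GTFAVENUE task above).
$orphanTasks = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }              # COM-handler actions have no Execute
        $exe = Resolve-ImagePath $action.Execute
        if (-not (Test-ExeExists $exe)) {
            [pscustomobject]@{ Kind = 'Task'; Name = $task.TaskPath + $task.TaskName; StartMode = $task.State
                               Target = ($action.Execute + ' ' + $action.Arguments).Trim() }
        }
    }
}

# 3. Run values in the usual keys, including the empty-name (default) value FRST lists as "Run: []".
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runEntries = foreach ($key in $runKeys) {
    $k = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $k) { continue }
    foreach ($name in $k.GetValueNames()) {
        $data = [string]$k.GetValue($name)
        [pscustomobject]@{ Key = $key; Value = $(if ($name -eq '') { '(default/empty name)' } else { $name })
                           Data = $data; Exists = Test-ExeExists (Resolve-ImagePath $data) }
    }
}

# 4. Local Group Policy files and Windows Defender policy values. A home PC has neither unless
#    gpedit, a script or malware wrote them; the Defender key is the usual (not the only)
#    source of "some settings are managed by your organization".
$gpRoot  = Join-Path $env:SystemRoot 'System32\GroupPolicy'
$gpFiles = 'GPT.ini', 'Machine\Registry.pol', 'User\Registry.pol' |
           ForEach-Object { Join-Path $gpRoot $_ } | Where-Object { Test-Path -LiteralPath $_ }

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$defenderPolicy = if (Test-Path $policyKey) {
    foreach ($k in @(Get-Item $policyKey) + @(Get-ChildItem $policyKey -Recurse)) {
        foreach ($n in $k.GetValueNames()) { [pscustomobject]@{ Key = $k.Name; Value = $n; Data = $k.GetValue($n) } }
    }
}

'== Services and tasks whose executable is missing (FRST [X]) =='
@($orphanServices) + @($orphanTasks) | Format-Table -AutoSize
'== Run values =='
$runEntries | Format-Table -AutoSize
'== Local Group Policy files present =='
$gpFiles
'== HKLM\SOFTWARE\Policies\Microsoft\Windows Defender values =='
$defenderPolicy | Format-Table -AutoSize
```

Nothing here changes the machine; it only reports. A service or task in the first table is exactly what the fixlist's `[X]` lines and `Task:` line remove, and a non-empty last two sections are what the `GroupPolicyScripts: Restriction` lines and the tekrevue fix address. Expect some noise from legitimate tasks that run bare command names not on PATH; check each hit before deleting anything, and let the FRST fix create its restore point first as the fixlist above does.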

#3 georgiopizzio

  • Topic Starter
  • Members
  • 3 posts

Posted 14 January 2017 - 02:08 PM

Hi nasdaq! Thanks for the help! I've attached the fixlog.txt to this post. Everything seems to be fine except I now seem to have no IPv6 connection to the internet, is that normal? (http://imgur.com/a/kbCcg)

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 14-01-2017
Ran by Victo (14-01-2017 10:50:08) Run:1
Running from C:\Users\Victo\Downloads
Loaded Profiles: Victo (Available Profiles: defaultuser0 & Victo)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:


HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-18\...\Run: [] => 0
GroupPolicyScripts: Restriction <======= ATTENTION
GroupPolicyScripts\User: Restriction <======= ATTENTION
S2 GTFAVENUE Updater; C:\Program Files (x86)\GTFAVENUE Updater\GTFAVENUE Updater.exe [X]
S2 NVIDIA Wireless Controller Service; "C:\Program Files\NVIDIA Corporation\GeForce Experience Service\nvwirelesscontroller.exe" [X]
Task: {DA2F17C4-93BA-443E-93EE-A19781E361C6} - System32\Tasks\GTFAVENUE => gtfavenue.exe
C:\Program Files (x86)\GTFAVENUE Updater

Reboot:


End
*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
C:\Windows\system32\GroupPolicy\User => moved successfully
HKLM\System\CurrentControlSet\Services\GTFAVENUE Updater => key removed successfully
GTFAVENUE Updater => service removed successfully
HKLM\System\CurrentControlSet\Services\NVIDIA Wireless Controller Service => key removed successfully
NVIDIA Wireless Controller Service => service removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{DA2F17C4-93BA-443E-93EE-A19781E361C6} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DA2F17C4-93BA-443E-93EE-A19781E361C6} => key removed successfully
C:\Windows\System32\Tasks\GTFAVENUE => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GTFAVENUE => key removed successfully
"C:\Program Files (x86)\GTFAVENUE Updater" => not found.

=========== EmptyTemp: ==========

BITS transfer queue => 586837 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 51316005 B
Java, Flash, Steam htmlcache => 12320206 B
Windows/system/drivers => 11280243 B
Edge => 1545884 B
Chrome => 0 B
Firefox => 383451168 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 128 B
LocalService => 4160 B
NetworkService => 113408 B
defaultuser0 => 128 B
Victo => 1015420924 B

RecycleBin => 13347695 B
EmptyTemp: => 1.4 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 10:50:58 ====



#4 nasdaq

  • Malware Response Team
  • 40,508 posts
  • Location: Montreal, QC, Canada

Posted 14 January 2017 - 02:16 PM


Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
CloseProcesses:

cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers
Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

How is it now?

#5 georgiopizzio

  • Topic Starter
  • Members
  • 3 posts

Posted 14 January 2017 - 03:32 PM

Okay I've tried that, and it seems that I still can't connect. I've posted the new fix log below:

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 14-01-2017
Ran by Victo (14-01-2017 12:28:55) Run:2
Running from C:\Users\Victo\Downloads
Loaded Profiles: Victo (Available Profiles: defaultuser0 & Victo)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start

CreateRestorePoint:
CloseProcesses:

cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers
Reboot:

End
*****************

Restore point was successfully created.
Processes closed successfully.

========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


========= IPCONFIG /release =========


Windows IP Configuration


Ethernet adapter Hamachi:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : 2620:9b::196c:1033
   Link-local IPv6 Address . . . . . : fe80::f5fe:3ee9:acc7:1398%14
   Default Gateway . . . . . . . . . : 2620:9b::1900:1
                                       25.0.0.1

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : fd00:a84e:3f3d:cb82:9137:ba51:aac:49e
   Temporary IPv6 Address. . . . . . : fd00:a84e:3f3d:cb82:b1cc:24c3:227d:ae0
   Link-local IPv6 Address . . . . . : fe80::9137:ba51:aac:49e%15
   Default Gateway . . . . . . . . . :

Tunnel adapter isatap.hitronhub.home:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter Local Area Connection* 10:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6abd:2c4e:127d:b9bb:4ddd
   Link-local IPv6 Address . . . . . : fe80::2c4e:127d:b9bb:4ddd%7
   Default Gateway . . . . . . . . . :

========= End of CMD: =========


========= IPCONFIG /renew =========


Windows IP Configuration


Ethernet adapter Hamachi:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : 2620:9b::196c:1033
   Link-local IPv6 Address . . . . . : fe80::f5fe:3ee9:acc7:1398%14
   IPv4 Address. . . . . . . . . . . : 25.108.16.51
   Subnet Mask . . . . . . . . . . . : 255.0.0.0
   Default Gateway . . . . . . . . . : 2620:9b::1900:1
                                       25.0.0.1

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : hitronhub.home
   IPv6 Address. . . . . . . . . . . : fd00:a84e:3f3d:cb82:9137:ba51:aac:49e
   Temporary IPv6 Address. . . . . . : fd00:a84e:3f3d:cb82:b1cc:24c3:227d:ae0
   Link-local IPv6 Address . . . . . : fe80::9137:ba51:aac:49e%15
   IPv4 Address. . . . . . . . . . . : 192.168.0.12
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1

Tunnel adapter isatap.hitronhub.home:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : hitronhub.home

Tunnel adapter Local Area Connection* 10:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6abd:2c4e:127d:b9bb:4ddd
   Link-local IPv6 Address . . . . . : fe80::2c4e:127d:b9bb:4ddd%7
   Default Gateway . . . . . . . . . :

Tunnel adapter isatap.{EFB663AC-6D03-4C4D-B3C1-26659DA47379}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

========= End of CMD: =========


========= netsh advfirewall reset =========

Ok.


========= End of CMD: =========


========= netsh advfirewall set allprofiles state ON =========

Ok.


========= End of CMD: =========


========= netsh winsock reset catalog =========


Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.


========= End of CMD: =========


========= netsh int ip reset c:\resetlog.txt =========

Resetting Global, OK!
Resetting Interface, OK!
Resetting Unicast Address, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting Route, OK!
Resetting Subinterface, OK!
Resetting , failed.
Access is denied.

Resetting , OK!
Restart the computer to complete this action.


========= End of CMD: =========


========= netsh int ipv4 reset =========

Resetting , failed.
Access is denied.

There's no user specified settings to be reset.


========= End of CMD: =========


========= netsh int ipv6 reset =========

Resetting Interface, OK!
Resetting Unicast Address, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting Route, OK!
Resetting , failed.
Access is denied.

Resetting , OK!
Resetting , OK!
Restart the computer to complete this action.


========= End of CMD: =========


========= bitsadmin /reset /allusers =========


BITSADMIN version 3.0
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

0 out of 0 jobs canceled.

========= End of CMD: =========



The system needed a reboot.

==== End of Fixlog 12:29:24 ====



#6 nasdaq

  • Malware Response Team
  • 40,508 posts
  • Location: Montreal, QC, Canada

Posted 15 January 2017 - 08:50 AM


Try the suggested fix for IPv6 on this article.

https://technet.microsoft.com/en-us/library/cc816716(v=ws.10).aspx

===


If that fails please start a new topic in the Networking Forum.
https://www.bleepingcomputer.com/forums/f/21/networking/

An expert should be able to help you better than I can; this is not my forte.

===

I will leave this topic open for 6 days. If you need to return please do.
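As an added example for the IPv6 question raised in posts #3 to #6 (not from the original posts, and not the procedure in the TechNet article linked above), the PowerShell below reads the local state that decides whether an adapter can reach the IPv6 internet: the Tcpip6 DisabledComponents policy value, the per-adapter IPv6 binding, what kind of IPv6 address each connected interface holds, and whether a ::/0 route exists on that interface. In the ipconfig output posted in #5, the "Ethernet" adapter has only a fd00: unique-local address plus link-local and no IPv6 default gateway; on that input the script reports a LAN-only IPv6 prefix from the router rather than a broken stack, which is consistent with the reset commands in #4 not changing anything, since a reset cannot change what the router advertises. It assumes Windows 8/10 or later (NetTCPIP module cmdlets) and an elevated prompt; the DisabledComponents bit meanings are Microsoft's documented ones.

```powershell
# Local IPv6 state check. Added example for this thread; read-only. Windows 8/10+ (NetTCPIP).

function Get-IPv6Scope {
    # Classify an IPv6 literal; a zone suffix such as %15 is ignored.
    param([string]$Address)
    $ip = [System.Net.IPAddress]::Parse(($Address -split '%')[0])
    $b  = $ip.GetAddressBytes()
    if ($ip.IsIPv6LinkLocal)                                { return 'link-local' }   # fe80::/10
    if ([System.Net.IPAddress]::IPv6Loopback.Equals($ip))   { return 'loopback' }
    if (($b[0] -band 0xfe) -eq 0xfc)                        { return 'unique-local' } # fc00::/7, e.g. fd00:... above
    if ($b[0] -eq 0x20 -and $b[1] -eq 0x01 -and $b[2] -eq 0 -and $b[3] -eq 0) { return 'teredo' } # 2001:0::/32
    if (($b[0] -band 0xe0) -eq 0x20)                        { return 'global' }       # 2000::/3
    return 'other'
}

function Get-DisabledComponentsNote {
    # HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisabledComponents (REG_DWORD, often absent)
    param($Value)
    if ($null -eq $Value) { return 'not set: IPv6 fully enabled' }
    $v = [BitConverter]::ToUInt32([BitConverter]::GetBytes([int]$Value), 0)   # DWORD may come back as a negative Int32
    if (($v -band 0xFF) -eq 0xFF) { return ('0x{0:X8}: IPv6 disabled on every interface except loopback' -f $v) }
    if ($v -band 0x10)            { return ('0x{0:X8}: IPv6 disabled on non-tunnel (physical) interfaces' -f $v) }
    if ($v -band 0x01)            { return ('0x{0:X8}: tunnel interfaces (Teredo/ISATAP/6to4) disabled' -f $v) }
    if ($v -band 0x20)            { return ('0x{0:X8}: IPv4 preferred over IPv6, IPv6 still enabled' -f $v) }
    return ('0x{0:X8}: IPv6 enabled' -f $v)
}

function Get-IPv6InterfaceReport {
    # One row per connected, non-loopback interface: binding, best address, default route.
    $bindings = Get-NetAdapterBinding -ComponentID ms_tcpip6 -ErrorAction SilentlyContinue
    $addrs    = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue
    $routes   = Get-NetRoute -AddressFamily IPv6 -DestinationPrefix '::/0' -ErrorAction SilentlyContinue
    $ifs      = Get-NetIPInterface -AddressFamily IPv6 |
                Where-Object { $_.ConnectionState -eq 'Connected' -and $_.InterfaceAlias -notlike 'Loopback*' }
    foreach ($nic in $ifs) {
        $a       = @($addrs | Where-Object { $_.InterfaceIndex -eq $nic.InterfaceIndex })
        $scopes  = @($a | ForEach-Object { Get-IPv6Scope $_.IPAddress })
        $binding = $bindings | Where-Object { $_.Name -eq $nic.InterfaceAlias }
        [pscustomobject]@{
            Interface       = $nic.InterfaceAlias
            BindingEnabled  = $(if ($binding) { $binding.Enabled } else { 'n/a (tunnel/virtual)' })
            GlobalAddress   = ($a | Where-Object { (Get-IPv6Scope $_.IPAddress) -eq 'global' } | Select-Object -First 1).IPAddress
            UniqueLocal     = [bool]($scopes -contains 'unique-local')
            Teredo          = [bool]($scopes -contains 'teredo')
            DefaultRoute    = [bool]($routes | Where-Object { $_.InterfaceIndex -eq $nic.InterfaceIndex })
            RouterDiscovery = $nic.RouterDiscovery
        }
    }
}

function Get-IPv6Verdict {
    # Turn each report row into a one-line reason; the fd00:-only case is the one in the posted ipconfig.
    param($Report)
    foreach ($r in $Report) {
        $why = if ($r.BindingEnabled -eq $false) { 'IPv6 is unbound from this adapter (see Enable-NetAdapterBinding)' }
               elseif ($r.GlobalAddress -and $r.DefaultRoute) { 'global address and ::/0 route present: local config is complete' }
               elseif ($r.UniqueLocal -and -not $r.GlobalAddress) { 'only a unique-local (fd00:) prefix and no gateway: the router offers LAN-only IPv6, no internet prefix' }
               elseif (-not $r.GlobalAddress) { 'no global address: no Router Advertisement or DHCPv6 prefix on this link' }
               else { 'global address but no ::/0 route on this interface' }
        '{0}: {1}' -f $r.Interface, $why
    }
}

$dc = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' -ErrorAction SilentlyContinue).DisabledComponents
'DisabledComponents: ' + (Get-DisabledComponentsNote $dc)
$report = Get-IPv6InterfaceReport
$report | Format-Table -AutoSize
Get-IPv6Verdict $report
```

The verdict is per interface on purpose: in the posted output the Hamachi VPN adapter holds a 2620:9b:: global address and an IPv6 gateway of its own, so a machine-wide "has a global address" check would pass while the physical Ethernet link still has no route to the IPv6 internet. If the report shows DisabledComponents at 0xFF or 0x10, or a disabled binding, those are settings on the PC and worth fixing; if it shows only the unique-local case, the next place to look is the router's IPv6 configuration, which is the Networking forum question nasdaq suggests.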



