BSOD-Virus? Help Please.


  • This topic is locked
28 replies to this topic

#1 Atlantic33 (Members, 49 posts)

Posted 31 March 2017 - 08:55 AM

Greetings all, first I just want to thank this site for its past help; it has been a great help to my computer.

 

I have an HP ProBook with Windows 7 Professional, 64-bit operating system. I have Norton Anti-Virus, which I run on a regular basis. (I like Windows 7 and prefer to keep it over the updated Windows 10.)

 

The Problem: The computer has been running very slowly recently, usually when trying to use the internet; it takes forever to load pages, etc. The next thing that scared me was the other night while online, when the computer all of a sudden went to the "blue screen of death." It was too fast, so I couldn't read what it said. I have been able to start and use the computer since. I wonder if this is a virus and not a mechanical error with the computer. The workings of the computer seem in order, fan, etc.

 

My question is, is there a virus scan tool that will search for and remove a potential virus that causes this slowness and blue screen of death?

And is my current Norton Anti-Virus potentially not able to detect it? It is constantly removing the usual tracking cookies. Thanks all - Atlantic33
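The post above says the blue screen "was too fast" to read, which is exactly the information needed to tell a driver or hardware fault from malware. The following is an added example (editor's code, not from the thread or from any tool mentioned in it) that stops Windows 7 from auto-rebooting on a crash and recovers the stop code of the crash that already happened. The CrashControl registry values and System event 1001 are standard Windows; the filtering and output layout are this example's own assumptions. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not part of the thread: make the next blue screen readable and
# recover the stop code of the crash that "was too fast to read", so the question
# "virus or hardware?" can be answered from the bug-check code and faulting module
# instead of guessed. Run as Administrator on Windows 7. The registry key and the
# event ID are standard Windows; the filtering and output format are assumptions.

$cc = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

# 1. Keep the stop screen on screen (no automatic reboot) and make sure a small
#    memory dump (CrashDumpEnabled = 3) is written so the crash can be analysed later.
Set-ItemProperty -Path $cc -Name AutoReboot       -Value 0 -Type DWord
Set-ItemProperty -Path $cc -Name CrashDumpEnabled -Value 3 -Type DWord
Get-ItemProperty -Path $cc | Select-Object AutoReboot, CrashDumpEnabled, MinidumpDir

# 2. Every bug check is logged at the next boot as System event 1001 ("The computer
#    has rebooted from a bugcheck"), including the stop code and its four parameters,
#    so the code can be read even when the screen went by too fast.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1001 } -MaxEvents 20 -ErrorAction SilentlyContinue |
  Where-Object { $_.Message -match 'bugcheck' } |
  Select-Object TimeCreated, ProviderName, Message | Format-List

# 3. The minidumps themselves; their timestamps should line up with the events above.
#    A dump can be opened in WinDbg (!analyze -v) or attached to a help request.
Get-ChildItem -LiteralPath "$env:SystemRoot\Minidump" -Filter '*.dmp' -ErrorAction SilentlyContinue |
  Sort-Object LastWriteTime -Descending | Select-Object Name, Length, LastWriteTime
```

One caveat: with AutoReboot set to 0, a machine that crashes during startup will sit on the stop screen until it is power-cycled, so set the value back to 1 once the stop code has been captured. The faulting module named on the stop screen or by `!analyze -v` is what decides the next step; a third-party driver points at software, repeated memory-management stop codes across different drivers point at RAM or disk.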




#2 Atlantic33 (Topic Starter, Members, 49 posts)

Posted 31 March 2017 - 12:24 PM

Also Just wanted to add, I did a custom hard drive scan with Norton and it shows the following infection:

 

It's W64.viknok.B!nf

 

And Norton cannot get rid of it.



#3 nasdaq (Malware Response Team, 38,950 posts, Montreal, QC, Canada)

Posted 01 April 2017 - 08:03 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.

Click the Add reply button.
===


Please post the logs.

Wait for further instructions.

#4 Atlantic33 (Topic Starter, Members, 49 posts)

Posted 01 April 2017 - 10:55 AM

Hi there, thank you for your help. I attempted to download it, but my Norton pops up saying FRST64.exe is not safe and the publisher cannot be verified.

A message box with a red X from Windows also pops up saying Windows cannot find c:/users.....etc, make sure you typed the right name, etc....



#5 nasdaq (Malware Response Team, 38,950 posts, Montreal, QC, Canada)

Posted 01 April 2017 - 01:07 PM

Trust the downloaded file.

You will find it in the Quarantine folder of Norton.

How To:
https://support.norton.com/sp/en/us/home/current/solutions/v54276523_nis_mac_retail_6_en_us

#6 Atlantic33 (Topic Starter, Members, 49 posts)

Posted 01 April 2017 - 02:38 PM

Hi here are the logs resulting from the scan. I hope I did them right for you.

Attached Files



#7 nasdaq (Malware Response Team, 38,950 posts, Montreal, QC, Canada)

Posted 02 April 2017 - 06:51 AM

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
GroupPolicy: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3984708552-4041334046-2540603348-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKLM -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=CMNTDF
SearchScopes: HKLM-x32 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=CMNTDF
SearchScopes: HKU\S-1-5-21-3984708552-4041334046-2540603348-1001 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=CMNTDF
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 NAVENG; \??\C:\Program Files (x86)\Norton Internet Security\NortonData\22.8.1.14\Definitions\SDSDefs\20161211.001\ENG64.SYS [X]
S3 NAVEX15; \??\C:\Program Files (x86)\Norton Internet Security\NortonData\22.8.1.14\Definitions\SDSDefs\20161211.001\EX64.SYS [X]
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`27hfm [0]
() C:\ProgramData\SPL1075.tmp
2015-06-06 19:27 - 2015-06-06 19:27 - 1495070 _____ () C:\ProgramData\SPL121D.tmp
2015-03-28 16:27 - 2015-03-28 16:27 - 1062888 _____ () C:\ProgramData\SPL623B.tmp
2015-04-14 13:14 - 2015-04-14 13:14 - 17414170 _____ () C:\ProgramData\SPL62BB.tmp
2015-06-07 18:28 - 2015-06-07 18:28 - 1495070 _____ () C:\ProgramData\SPL64E9.tmp
2015-05-04 12:39 - 2015-05-04 12:40 - 17585191 _____ () C:\ProgramData\SPL75EA.tmp
2015-04-08 16:19 - 2015-04-08 16:19 - 0966087 _____ () C:\ProgramData\SPL7953.tmp
2014-12-06 12:23 - 2014-12-06 12:23 - 1650310 _____ () C:\ProgramData\SPL8729.tmp
2014-12-18 13:34 - 2014-12-18 13:34 - 0553259 _____ () C:\ProgramData\SPL8AFF.tmp
2014-12-05 15:31 - 2014-12-05 15:31 - 1650310 _____ () C:\ProgramData\SPL99BF.tmp
2014-12-05 12:21 - 2014-12-05 12:21 - 1650310 _____ () C:\ProgramData\SPL9A6A.tmp
2015-04-16 12:12 - 2015-04-16 12:12 - 17414170 _____ () C:\ProgramData\SPLA073.tmp
2014-12-06 23:00 - 2014-12-06 23:00 - 1650310 _____ () C:\ProgramData\SPLA1CA.tmp
2015-05-05 10:26 - 2015-05-05 10:26 - 17585191 _____ () C:\ProgramData\SPLA6E8.tmp
2015-03-28 18:16 - 2015-03-28 18:16 - 2852209 _____ () C:\ProgramData\SPLC5FE.tmp
2015-11-30 17:28 - 2015-11-30 17:28 - 0925848 _____ () C:\ProgramData\SPLC968.tmp
2014-12-24 13:57 - 2014-12-24 13:57 - 0473118 _____ () C:\ProgramData\SPLCEC3.tmp
2014-12-18 13:44 - 2014-12-18 13:44 - 0553259 _____ () C:\ProgramData\SPLDFD3.tmp
2015-03-28 16:08 - 2015-03-28 16:08 - 0193918 _____ () C:\ProgramData\SPLEF0F.tmp
2014-12-05 00:54 - 2014-12-05 00:54 - 1650310 _____ () C:\ProgramData\SPLF23A.tmp
2014-12-17 22:57 - 2014-12-17 22:57 - 0553259 _____ () C:\ProgramData\SPLF320.tmp

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===


Please Download Tweaking.com - Windows Repair from Here

  • Install and then run the program
  • Execute the instructions on Step 1 Important
  • Click Next on Step 2 Optional, do the Pre Scan skip Step 3 and 4 Optional for now.
  • On Step 5 Backup System Restore Do a Registry backup. When you have completed this click Next
  • Click Repairs - Open Repairs in the bottom right corner
  • Uncheck the All repair button then select just the item(s) listed below

  • 01 - Repair Registry Permissions
  • 03 - Reset Service permissions
  • 04 - Register System Files
  • 05 - Repair WMI
  • 10 - Remove Policies Set By Infections
  • 17 - Repair Windows Updates
  • 21 - Repair MSI (Windows Installer)
  • 26 - Restore Important Windows Services
  • 27 - Set Windows Service to Default Startup

  • Click the Start button and let the process run to completion. Copy any error messages into Notepad, Save it on your Desktop. ( Reboot if asked to do so)
  • Please copy and paste the Contents of this file on your next reply.

===

Restart the computer normally.

How is the computer running now?

=======================

When all is well, update your Java.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page:
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update, you can remove the old versions of Java via the Control Panel > Programs > Programs and Features.
Java 8 Update 77 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218077F0}) (Version: 8.0.770.3 - Oracle Corporation)

Please let me know what problem persists with this computer.
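The fixlist in the post above is a list of items FRST will delete or reset: Internet Explorer policy "Restriction" keys, a SearchScopes entry, service entries whose binary no longer exists ("[X]"), an alternate data stream on C:\ProgramData\Reprise and a set of SPL*.tmp files. The following is an added example (editor's code, not part of the thread and not FRST's or Norton's) that re-checks those same items read-only, so a responder can confirm what is actually present before running Fix and verify it is gone afterwards. The GUID, SID and paths are copied from the fixlist; the check logic and variable names are this example's own assumptions.

```powershell
# Added example, not part of the thread or of FRST: a read-only re-check of the
# items the fixlist above targets. The GUID, SID and paths are copied from the
# fixlist; the check logic and variable names are this example's own.
# Run elevated. Get-Item -Stream needs PowerShell 3.0 or later (Windows 7 ships
# 2.0, so install WMF 3+ or skip section 4).

$clsid = '{b7fca997-d0fb-4fe0-8afd-255e89cf9671}'        # SearchScopes GUID from the fixlist
$sid   = 'S-1-5-21-3984708552-4041334046-2540603348-1001' # user SID from the fixlist

# 1. Internet Explorer policy keys. FRST reports "Restriction" when any value
#    exists under these keys; a machine with no such policy has none at all.
$policyKeys = @(
  'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer',
  "Registry::HKEY_USERS\$sid\SOFTWARE\Policies\Microsoft\Internet Explorer"
)
foreach ($k in $policyKeys) {
  if (-not (Test-Path -LiteralPath $k)) { continue }
  "Policy key present: $k"
  foreach ($key in @(Get-Item -LiteralPath $k) + @(Get-ChildItem -LiteralPath $k -Recurse)) {
    foreach ($name in $key.GetValueNames()) {
      '  {0}\{1} = {2}' -f $key.Name, $name, $key.GetValue($name)
    }
  }
}

# 2. The SearchScopes entry the fixlist removes (64-bit, 32-bit and per-user views).
$scopeKeys = @(
  "HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\$clsid",
  "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\$clsid",
  "Registry::HKEY_USERS\$sid\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\$clsid"
)
foreach ($k in $scopeKeys) {
  if (Test-Path -LiteralPath $k) {
    $url = (Get-ItemProperty -LiteralPath $k -Name URL -ErrorAction SilentlyContinue).URL
    'SearchScope {0} -> {1}' -f $k, $url
  }
}

# 3. Services and drivers whose binary is gone (FRST marks these "[X]"), such as
#    the leftover ComboFix catchme.sys and the old Norton definition drivers.
$entries = @(Get-WmiObject Win32_Service) + @(Get-WmiObject Win32_SystemDriver)
foreach ($e in $entries) {
  if (-not $e.PathName) { continue }
  # Keep only the executable path: drop quotes, arguments and the \??\ prefix.
  if ($e.PathName -match '^"?(?:\\\?\?\\)?([^"]+?\.(?:exe|sys|dll))') {
    $bin = $Matches[1] -replace '^\\SystemRoot', $env:SystemRoot
    if ($bin -notmatch '^[A-Za-z]:\\') { $bin = Join-Path $env:SystemRoot $bin }
    if (-not (Test-Path -LiteralPath $bin)) {
      'Orphaned entry {0} (start: {1}) -> {2}' -f $e.Name, $e.StartMode, $bin
    }
  }
}

# 4. Alternate data stream on C:\ProgramData\Reprise (the fixlist's
#    AlternateDataStreams line). Anything other than the default :$DATA is listed.
$adsTarget = 'C:\ProgramData\Reprise'
if (Test-Path -LiteralPath $adsTarget) {
  Get-Item -LiteralPath $adsTarget -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' } |
    ForEach-Object { 'ADS {0}:{1} ({2} bytes)' -f $_.FileName, $_.Stream, $_.Length }
}

# 5. The SPL*.tmp files in ProgramData that the fixlist deletes, with size and date.
Get-ChildItem -LiteralPath 'C:\ProgramData' -Filter 'SPL*.tmp' -Force -ErrorAction SilentlyContinue |
  Sort-Object LastWriteTime | Select-Object Name, Length, LastWriteTime
```

Running this before the Fix and again after it gives a before/after record that the Fixlog alone does not: each section should print nothing the second time. Section 3 is deliberately broader than the three "[X]" lines in the fixlist, since it reports every service or driver entry whose binary is missing, which is also how FRST derives that marker.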


#8 Atlantic33 (Topic Starter, Members, 49 posts)

Posted 02 April 2017 - 12:23 PM

Ok thank you, I will try those steps and let you know what happens.



#9 Atlantic33 (Topic Starter, Members, 49 posts)

Posted 02 April 2017 - 01:16 PM

As I work my way through the tasks you sent me, attached is the Fixlog.txt log.

Attached Files



#10 Atlantic33 (Topic Starter, Members, 49 posts)

Posted 02 April 2017 - 01:25 PM

My next step is downloading Tweaking.com Windows Repair; however, I am not sure which option to click for the download. There seem to be many options, so I am not sure which one it is. Please advise.

Thanks again for your help; it has been appreciated as I continue to get rid of this virus.



#11 nasdaq (Malware Response Team, 38,950 posts, Montreal, QC, Canada)

Posted 03 April 2017 - 06:18 AM

Download the installer from the Direct Download site.

#12 Atlantic33 (Topic Starter, Members, 49 posts)

Posted 03 April 2017 - 08:05 PM

Hi nasdaq, in short it seems the steps I followed did not work to resolve the virus W64.viknok.B!nf. I ran a Norton custom scan after completing the steps I followed, and the virus still shows up in the C drive. The computer is still sluggish as well. Last we talked, I was able to download the Windows Repair from Tweaking.com and followed steps 1, 2 and 5 (skipping 3 and 4 as instructed). For the Windows Repair, when I ran step 2 there were options at the end to fix the results found, but all I did was run the scan as instructed and moved on to step 5. After the 5th step I was instructed to print out the log from that scan, and I was not able to do that because an option came up to restart the computer, so I did that, and there was no log to print out to send to you. The computer restarted and then the virus was still present.

 

Sorry to sound confusing. Do you have another resolution to get rid of this virus? Should I repeat the steps?

 

Thanks for your help-



#13 nasdaq (Malware Response Team, 38,950 posts, Montreal, QC, Canada)

Posted 04 April 2017 - 07:45 AM


Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Also, please provide an update on how the computer is behaving after running the above script.
===


If the problem persists please run this tool.

Please download Sophos Virus Removal Tool and save it to your computer's Desktop.
  • Right-click the icon and select Run as administrator.
  • Click Yes to accept any security warnings that may appear.
  • Click the Next button.
  • Select 'I accept the terms in the license agreement', then click Next twice.
  • Click the Install button and wait until the installation is complete.
  • Click the Finish button. The tool created a shortcut icon on the Desktop of your computer.
  • Now, double-click the Sophos Virus Removal Tool shortcut icon to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • After it updates and a "Start Scanning" button appears in the lower right:
    • Disconnect from the Internet or physically unplug your Internet cable connection.
    • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
    • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • Click the "Start Scanning" button in the lower right to start the scan.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, if it detected anything there will be a "Start Clean-up" button, click it and allow it to finish.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • If any threats are found click Details, then View Log file (bottom left-hand corner).
  • Copy and paste its contents in your next reply and note any errors encountered.
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup.
  • Click Exit to close the program.
  • If no threats were found, please confirm that result.
Note: Whenever necessary, the log will be in the following location:

Windows Vista and above:
C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log
 
Windows XP:
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log
 
Please post the contents of the log in your next reply and note any errors encountered.
===

p.s.
The Notification is only Enabled if you Get a Personal Message, not a new post to your topic.

#14 Atlantic33 (Topic Starter, Members, 49 posts)

Posted 05 April 2017 - 03:08 PM

Hi nasdaq, here are the log results from the Zoek results log. I am looking through my computer now to see if the results are any more positive...

Attached Files



#15 Atlantic33 (Topic Starter, Members, 49 posts)

Posted 05 April 2017 - 09:12 PM

Just finished up the download and scan of the Sophos Virus Removal Tool as instructed, and after the scan it showed zero threats found :-\

 

Yet earlier Norton had still showed the virus in the custom scan I ran...





