
Probably infection - unknown malware


This topic is locked
25 replies to this topic

#1 SMS18 (Members, 13 posts, Gender: Female)

Posted 05 August 2017 - 01:58 PM

Kaspersky identified a HerdProtect file that it identified as a worm.Win32.debris.aesa and deleted it. I ran Kaspersky recover disk, MalwareBytes, KVRT, and no malware was found.

After a day, Adobe products (admittedly old and out of date) started to misbehave (PDF files taking more than an hour to create). After restarting my computer, Services indicated that Kaspersky was running Firewall and Virus Protection and also Win Defender and Firewall were running, however the Security notification indicated that no firewall was running.

I attempted to fix this by shutting down and restarting but this did not correct the issue.

I was unable to fix Kaspersky by running troubleshooter.

I then downloaded and ran multiple times the following:

  • rKill64
  • ADWCleaner_7.0.1.0
  • MalwareBytes
  • IObit Malware Fighter
  • Zemana
  • JRT
  • Spybotsd162

Aside from coupon bars, which I deleted, the only other file that was flagged was an Adobe dll.

I also ran Bleeping Computer Windows all in one fix because I could not restore to a previous restore point or reinstall Windows from Windows 10 interface.

This system was upgraded from Windows 7 to Windows 10 last summer and then upgraded to Windows 10 Creative about two weeks ago.

Now Services and other admin features do not work in normal setting however, I can run them in SafeMode. I uninstalled Kaspersky hoping reinstalling would correct the issue. Now I cannot reinstall Kaspersky but Security indicates the Windows Firewall is running and so does Services in SafeMode with Networking.

I would like to make sure the files on my system are not infected. I don't expect to use this 2006 HP computer much longer, but I do need to recover the files for work.

Thanks in advance for your help.

Attached Files


Edited by SMS18, 05 August 2017 - 02:01 PM.



#2 RayS (Malware Study Hall Senior, 2,373 posts, Gender: Male, Location: USA)

Posted 05 August 2017 - 03:39 PM

Hello SMS18,

My name is Ray and I'll be assisting you with your issue. Please give me a day or two to review your logs and prepare a reply. Since I'm still a trainee, all my posts have to be reviewed by my instructor prior to being posted to make sure that you receive the best assistance possible.

Thank you for your understanding, I'll be with you shortly!

Ray


I don't accept payment for my help, but it would please me if you perform a kindness for your neighbor. You might also contact your local animal shelter. They can always use a bag of kibble or a few cans of pet food. Who knows... you might even find a life-long furry friend there.


#3 SMS18 (Topic Starter, Members, 13 posts, Gender: Female)

Posted 08 August 2017 - 10:01 AM

Thank you, Ray. I appreciate you for helping me. No worries regarding delays. I understand this takes time. Members of your staff have been very helpful to me in the past, and I am very grateful for the talented individuals who dedicate themselves and their skills in this forum.

 

I apologize for the delay in my reply. I didn't receive your updated comment. I'll check to ensure the messages are coming in to my Inbox.

 

Have a great day!

SMS18



#4 RayS (Malware Study Hall Senior, 2,373 posts, Gender: Male, Location: USA)

Posted 10 August 2017 - 04:36 AM

Hello again SMS18, and welcome to Bleeping Computer.

Please call me "Ray". Do you have a short nickname I can use?

I will be helping you with your computer problem.
 

  • Please do not attach any log files to your replies unless specifically requested. Instead, please copy and paste the entire text of the logs into the body of your reply. Use separate consecutive posts if that's easier for you.
  • Please do not try to fix anything or run (or re-run) any tools without being advised to do so.
  • Always read my entire message before you begin to follow my instructions.
  • It may be helpful for you to print my instructions for easy reference.
  • Perform my instructions in the order as given.
  • Click More Reply Options and then Preview Post before you post a reply. Be sure your message addresses all the issues I raise.
  • Any fixes I provide are for this specific problem on this machine only.
  • Removing malware is hazardous. I will not knowingly advise actions that will damage your computer, but it is impossible to guarantee the safety of your system. It may even become necessary to re-format and re-install your operating system. Before we proceed, you should back up all your data -- preferably to a different computer or to off-line storage.


Preliminary Questions

Quote: Now Services and other admin features do not work in normal setting...
  • What "Services and other admin features" are inop?
  • Is that the Services and Applications desktop App snap-in (also accessible under Computer Management)?
  • How are you invoking "Services and other admin features"?
  • What reaction do you see when you try to invoke "Services and other admin features"?

Quote: ... however, I can run them in SafeMode. Now I cannot reinstall Kaspersky but Security indicates the Windows Firewall is running
  • What Kaspersky tool(s) cannot be reinstalled?
  • Are they just the free tools such as Kaspersky Cleaner, Kaspersky Security Scan, etc?
  • Or is it the Kaspersky Antivirus (newly available free version or the paid version)?
  • What reaction do you see when you try to install the Kaspersky tool(s)?

Do the following conditions still exist:

Quote: Adobe products (admittedly old and out of date) started to misbehave (PDF files taking more than an hour to create).
  • Do PDF files still take over an hour to create? What application are you using for creating PDF files?

Quote: Aside from coupon bars, which I deleted, the only other file that was flagged was an Adobe dll.
  • How did you dispose of the "Adobe.dll" that was detected? What is the name and file location of that "Adobe.dll"?

Quote: I could not restore to a previous restore point or reinstall Windows from Windows 10 interface.
  • Why are you attempting to reinstall Windows?
  • What "Windows 10 interface" are you using for reinstalling Windows?
  • Drive D contains a FACTORY_IMAGE. Are you using that to reinstall Windows?
  • Do you have Windows installation media from Microsoft on some external device like DVD or USB drive?

Quote: I don't expect to use this 2006 HP computer much longer, but I do need to recover the files for work.
  • When you start in Normal boot, what prevents you from accessing your files?
  • Are the files hidden or encrypted?
  • Do you see error messages saying you lack permissions?


Summary


  • Did you back up your important files? If not, please tell me what prevents you from doing so.
  • Copy all of my questions and paste them into your reply. Then intersperse detailed responses under each question. Include verbatim error messages if any.
  • How is your PC running now? Any changes from your previous report?

Thank you,


Ray




#5 SMS18 (Topic Starter, Members, 13 posts, Gender: Female)

Posted 10 August 2017 - 08:02 AM

Hi Ray,

 

Thank you so much for your very thorough evaluation of my initial report. I realize from your questions that my message was too vague, and I apologize for that. I will proceed through each of your questions and reply with more complete descriptions of the status on my system. This may take some time since we've had a family emergency. Please don't give up on me if you don't hear from me for a week or so. I will reply as soon as I can with the answers to your questions.

 

In the meantime, please know how deeply grateful I am for your help. I am looking forward to getting my computer back to workable condition, or at the very least, I would like to get my work files off the system and know they are clean and malware free.

Thank you for your time, your expertise, and your willingness to help me.

Sam


Edited by SMS18, 10 August 2017 - 08:03 AM.


#6 RayS (Malware Study Hall Senior, 2,373 posts, Gender: Male, Location: USA)

Posted 10 August 2017 - 02:00 PM

Hi Sam,

 

I'm sorry to hear you are having a family emergency. As always, issues like that have top priority.

 

Don't worry about this topic. Reply to my previous questions any time convenient for you. This topic will remain open for at least seven more days. If I don't hear from you by August 17th, I'll send you another note. Meanwhile, I will be helping other users, so, when you do get back, I may need a bit of extra time in working with you.

 

I'm hoping for the best for you.

 

Ray




#7 RayS (Malware Study Hall Senior, 2,373 posts, Gender: Male, Location: USA)

Posted 17 August 2017 - 11:19 PM

Hi Sam,

 

I assume you are still having a family emergency because you haven't replied since August 10th. I can leave the topic open for another three days until Sunday, August 20th. If you don't reply by then, the topic will be closed. If it is closed, we will provide a way for you to reopen it when you are ready.

 

Wishing the best for you,

 

Ray




#8 SMS18 (Topic Starter, Members, 13 posts, Gender: Female)

Posted 17 August 2017 - 11:37 PM

Thank you, Ray. Yes. The family situation is not resolved. My mom is experiencing a significant health issue following a fall.

I will touch base with you next week. Thank you for your patience. I really appreciate you for keeping me in the queue.

Sam

#9 Elise, Bleepin' Blonde (Malware Study Hall Admin, 61,247 posts, Gender: Female, Location: Romania)

Posted 21 August 2017 - 07:57 AM

I am really sorry to hear about this Sam. I will close the topic for now, if you need it reopened, please send me a personal message. 


regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#10 Elise, Bleepin' Blonde (Malware Study Hall Admin, 61,247 posts, Gender: Female, Location: Romania)

Posted 23 August 2017 - 01:43 AM

This topic has been re-opened at the request of the person who originally posted.

regards, Elise


#11 SMS18 (Topic Starter, Members, 13 posts, Gender: Female)

Posted 24 August 2017 - 12:16 AM

Hi Ray,

 

Following your instructions, I have copied your questions and responded to each of them in this message. Thank you in advance for your thorough and thoughtful review of the issues outlined below.

 

Sam

______________________

 

Preliminary Questions

 

Quote: Now Services and other admin features do not work in normal setting...

 

§ What "Services and other admin features" are inop?

 

I am unable to run the Services desktop app.

 

When I go to Windows Start, click Search, type Services and the Services app link appears, I can right click the link to run as administrator; however, when I do so, the User Account Control message appears and the headline message reads, “This app has been blocked for your protection.” The body of the message reads:

 

“An administrator has blocked you from running this app. For more information, contact the administrator.

 

Mmc.exe

 

Publisher: Unknown

File origin: Hard drive on this computer Program location: “C:\Windows\System32\mmc.exe” “C:\Window\System32\services.mcs”

 

“Show information about the publisher’s certificate” is highlighted as a link but it does not open anything. The bottom of the dialog box includes the Close button.

 

 

§ Is that the Services and Applications desktop App snap-in (also accessible under Computer Management)?

 

I am unable to locate Services and Applications in the Windows Search system. When I search for Computer Management, I locate the Control Panel> All Control Panel Items> Administrative Tools folder and Services is included in that folder. If I click Services in that folder, the same error message appears.

 

 

§ How are you invoking "Services and other admin features"?

 

By right-clicking the Services desktop link in the Start/Search menu and choosing Run as administrator.

 

From the Control Panel> All Control Panel Items> Administrative Tools folder, the icon is faded, but if I right click the icon, the error message appears. If I right-click and choose Run As, the error message appears. If I right-click and choose Properties, the Properties dialog box appears, and I can click the Advanced button to open the Advanced Properties box and choose Run as Administrator, but when I click OK and the dialog box closes, if I click the OK button in the Services Properties dialog box, then Windows issues an error message titled, “Access Denied” that reads, “You will need to provide administrator permission to change these settings. Click Continue to complete this operation.” And when I click the Continue button, another error message appears titled “Shortcut” with the message “Unable to save changes to ‘services.Ink’. Access denied.” My only option is to click the Ok button to dismiss the message.

 

 

§ What reaction do you see when you try to invoke "Services and other admin features"?

 

Please see above description for Services.

 

If I try to Reset this PC, I can choose the option to Keep my files but the Getting things ready dialog displays the spinner without stopping. If I click Cancel, then an error message titled, “systemreset.exe – Bad Image” produces the following text, “C:\Windows32\Dos,\FfiProvider.dll is either not designed to run on Windows or it contains and error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support. Error status 0xc0000020”

 

 

Quote: ... however, I can run them in SafeMode. Now I cannot reinstall Kaspersky but Security indicates the Windows Firewall is running

 

§ What Kaspersky tool(s) cannot be reinstalled?

 

Kaspersky Total Security 17.0.0.611 (g).

 

Here is what happened:

 

After restarting my computer, Windows indicated that the Windows Firewall was off. Kaspersky Total Security was not listed as running in the Control Panel>All Control Panel Items> Security and Maintenance Settings, however it was listed as running in Services (this was before I updated Windows using Tweaking.com Windows Repair 2018).

 

Services also indicated that Windows Firewall and Defender were running.

 

If I manually turned off Kaspersky Total Security in Services, then Control Panel>All Control Panel Items> Security and Maintenance Settings showed Windows Firewall working.

 

I attempted to fix this by restarting the computer in regular and safe modes. I also attempted to fix the issue by running Windows Troubleshooting and then uninstalling Kaspersky Total Security. Now I am unable to reinstall it in regular or safe mode.

 

 

§ Are they just the free tools such as Kaspersky Cleaner, Kaspersky Security Scan, etc?

 

No. I have a two-year subscription for three devices for the KAS Total Security software.

 

Note: I am able to run the free downloadable KVRT and the Kaspersky Rescue Disk, and neither of these scanners identify any viruses.

 

I uninstalled KAS Total Security in Safe Mode when it kept interfering with the Windows Firewall. Following uninstallation, I am unable to reinstall it in either safe mode or regular mode.

 

At this time, Control Panel>All Control Panel Items> Security and Maintenance Settings indicates that Windows Firewall and Defender are operating, however, I cannot confirm this since I can no longer run the Windows Services app.

 

 

§ Or is it the Kaspersky Antivirus (newly available free version or the paid version)?

 

This is a paid version (two-year subscription for three devices)

 

 

§ What reaction do you see when you try to install the Kaspersky tool(s)?

 

When I attempt to install the software, the Welcome dialog appears, and I can click the Install button; however, after I click to allow the installation to make changes to my computer and the Downloading Application progress bar appears, after the program downloads 196.5 MB of the files and begins the installation process, the installation fails at the About 2 minutes left level and the program issues a message that reads, Error occurred during application installation. If I click Learn More, I can download another version. If I click Cancel, the installer indicates that the installation was not completed. When I click OK, another message appears that reads, “Kaspersky Total Security” “This application was not installed. Your computer may be infected with viruses. We recommend you use one of the free Kaspersky Lab utilities to disinfect your computer, and then restart the application installation. You can select and download the utility that suits you best on the web page that opens by clicking the ‘Learn More’ button.”

 

I can download the latest version KTS 17.0.0.611.abcden_12124, but when I attempt to install it, the same thing occurs.

 

 

Do the following conditions still exist:

Quote: Adobe products (admittedly old and out of date) started to misbehave (PDF files taking more than an hour to create).

 

§ Do PDF files still take over an hour to create?

 

Not all. Only one large Word file, so this probably isn’t an issue, other than the long creation process prompted me to investigate the issue and the Kaspersky/Windows Firewall issue then developed after I restarted my system.

 

 

§ What application are you using for creating PDF files?

 

I was printing a Word file as an Adobe PDF with settings specifically selected for high quality press printing. This file is 38 MB and includes graphics, and the print settings include custom options.

 

 

Quote: Aside from coupon bars, which I deleted, the only other file that was flagged was an Adobe dll.

 

§ How did you dispose of the "Adobe.dll" that was detected? What is the name and file location of that "Adobe.dll"?

 

Advanced Spyware Remover identified the file as

PSW.OnlineGames – Quarantined, File, C:\Program Files (x86x)\Adobe\Acrobat 9.0\/acrobat\CoolType.dll, 11-6750

 

The file was quarantined, and after it was, Adobe 9.0 would not run. I unquarantined the file so that I could provide you with answers to these questions.

 

 

Quote: I could not restore to a previous restore point or reinstall Windows from Windows 10 interface.

 

§ Why are you attempting to reinstall Windows?

 

I attempted to reinstall Windows because the following files were flagged as corrupt or missing digital signatures before I used Tweaking.com Windows Repair 2018:

 

C:\Windows\servicing\Packages \Microsoft-OneCore-DebugCore-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat

 

C:\Windows\servicing\Packages \Microsoft-Windows-BootEnvironment-DVD-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat

 

C:\Windows\servicing\Packages \Microsoft-Windows-Common-Drivers-minio-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat

 

C:\Windows\servicing\Packages \Microsoft-OneCore-DebugCore-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.mum

 

C:\Windows\servicing\Packages \Microsoft-Windows-BootEnvironment-Dvd-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.mum

 

C:\Windows\servicing\Packages \Microsoft-Windows-Common-Drivers-minio-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.mum

 

C:\Windows\servicing\Packages \Microsoft-Windows-TestRoot-and-FlightSigning-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.mum

 

7 Combined Problems were found with the packages files, these files need to be replaced (These mainly only effect installing Windows Updates.)

 

The SFC (System File Checker) doesn’t scan and replace some of these files, so you may need to replace them manually.

 

THESE FILES DO NOT KEEP THE REPAIRS FROM WORKING; YOU MAY NEED TO RUN THE REPAIS IN THE PROGRAM.

 

Files Checked and Verified: 5,050

 

Done Scanning Windows Packages Files. (8/2/2017 1:06:26 PM)

 

-------------------------------------

Scanning Reparse Points.

Started at 8/2/2017 1:06:26 PM)

 

Note that after I used Tweaking.com Windows Repair 2018, the following files were identified with issues by Rkill 2.9.1:

 

Terminated processes:

 

C:\Windows\System32\sihost.exe (PID: 2804) [WD-Heur]

C:\Windows\HelpPane.exe (PID: 3436) [WD-Heur]

C:\Windows\System32\notepad.exe (PID: 204) [WD-Heur]

C:\Windows\System32\smartscreen.exe (PID: 1604) [WD-Heur]

 

Possibly Patched Files:

 

C:\Windows\System32\winlogon.exe

C:\Windows\System32\dwm.exe

C:\Windows\System32\ctfmon.exe

C:\Windows\System32\ctfmon.exe (this is listed twice, not a typo)

C:\Windows\System32\conhost.exe

 

While no issues were identified in the Registry, when resetting the .EXE, COM, & BAT files Rkill identified missing digital signatures for 315 files including drivers, dlls, SYSWow64 file, infs, etc.

 

§ What "Windows 10 interface" are you using for reinstalling Windows?

 

I attempted to use RESET Windows and also to use the downloaded USB files for reinstalling.

 

§ Drive D contains a FACTORY_IMAGE. Are you using that to reinstall Windows?

 

No. I created a Rescue Disk when I installed Windows 7 Pro, and that does not work, presumably because I updated to Windows 10 last summer and then to the Windows 10 Creative version since. Windows 10 Creative did not create a restore point, and so I am unable to revert to either the original Win 10 or Win 7 or reinstall Win 7.

 

 

§ Do you have Windows installation media from Microsoft on some external device like DVD or USB drive?

 

I have Windows 7 Rescue Disk. It does not work. When I insert it in the DVD drive and restart my computer, the CD runs, Windows starts loading, and the blue installer screen appears, but then it throws an error message that reads, “The system recovery discs do not support this computer. You are not able to restore his system with these discs.”

 

I can exit Recovery Manager and reboot.

 

I cannot restore or reinstall Windows.

 

 

Quote: I don't expect to use this 2006 HP computer much longer, but I do need to recover the files for work.

 

§ When you start in Normal boot, what prevents you from accessing your files?

 

Nothing prevents me from accessing my program files other than some of the Windows program apps such as Services. I can run msconfig, but I can no longer confirm that Windows Firewall and Defender are actually running in Services.

 

 

§ Are the files hidden or encrypted?

 

No.

 

 

§ Do you see error messages saying you lack permissions?

 

Only for Windows program apps.

 

 

Summary

 

§ Did you back up your important files? If not, please tell me what prevents you from doing so.

 

My important files are backed up.

 

 

§ How is your PC running now? Any changes from your previous report?

 

It is the same since I submitted my original inquiry.

 

I am mainly interested in making sure the system doesn’t have any viruses so I can be confident that my backup files are also clean. This is particularly important regarding the large Word file that I converted to a PDF. That file is on a backup drive, and I need to ensure it is safe to use on another computer.


Edited by SMS18, 24 August 2017 - 12:17 AM.
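The answers above are all taken from GUI dialogs that are partly blocked (mmc.exe refused, services.msc unreachable), and the Rkill output lists "Possibly Patched Files" and missing digital signatures that can be re-checked independently. The following PowerShell script is an added example and is not code from the thread, from BleepingComputer or from any of the tools named here; it assumes a Windows 10 machine where PowerShell 5.1 itself still runs from an elevated prompt (a blocked-app policy that stops mmc.exe may stop powershell.exe too), and it only reads signatures, hashes and service state, changing nothing. The file list is the one Rkill and the Services error dialog reported in this post.

```powershell
# Added example (not from the thread). Read-only checks for the files and
# services discussed above. Assumes Windows 10, PowerShell 5.1, elevated prompt.

# Files named in the Rkill output and the mmc.exe "blocked" dialog above.
$flaggedFiles = @(
    'C:\Windows\System32\winlogon.exe',
    'C:\Windows\System32\dwm.exe',
    'C:\Windows\System32\ctfmon.exe',
    'C:\Windows\System32\conhost.exe',
    'C:\Windows\System32\sihost.exe',
    'C:\Windows\HelpPane.exe',
    'C:\Windows\System32\notepad.exe',
    'C:\Windows\System32\smartscreen.exe',
    'C:\Windows\System32\mmc.exe'
)

function Test-SystemFileSignature {
    # Returns one record per path: signature status, signer subject and SHA-256.
    # On Windows 8+ Get-AuthenticodeSignature also consults the system catalogs,
    # so a catalog-signed OS binary shows "Valid" even though it is not embedded-signed.
    # "HashMismatch" or "NotSigned" on a System32 binary is what a defender wants to see
    # flagged; it is then worth comparing the hash against a known-good copy from media.
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; Status = 'Missing'; Signer = $null; Sha256 = $null }
            continue
        }
        $sig = Get-AuthenticodeSignature -LiteralPath $p
        [pscustomobject]@{
            Path   = $p
            Status = $sig.Status.ToString()
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Sha256 = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        }
    }
}

function Get-ProtectionServiceState {
    # The Security and Maintenance panel said Firewall and Defender were "on", but the
    # poster could no longer open services.msc to confirm. The same facts are available
    # from the Service Control Manager without the MMC snap-in.
    # MpsSvc = Windows Firewall, WinDefend = Windows Defender AV, wscsvc = Security Center.
    Get-Service -Name MpsSvc, WinDefend, wscsvc -ErrorAction SilentlyContinue |
        Select-Object Name, DisplayName, Status, StartType
}

function Get-FirewallProfileState {
    # Per-profile enabled flag from the NetSecurity module (Windows 8+).
    Get-NetFirewallProfile | Select-Object Name, Enabled
}

# Run the checks and keep a copy of the result off the Desktop for the helper's review.
$signatureReport = Test-SystemFileSignature -Path $flaggedFiles
$signatureReport | Format-Table -AutoSize
Get-ProtectionServiceState | Format-Table -AutoSize
Get-FirewallProfileState   | Format-Table -AutoSize

$out = Join-Path $env:USERPROFILE 'Desktop\signature-check.csv'   # assumed output path
$signatureReport | Export-Csv -NoTypeInformation -Path $out
```

The value of this over the tool logs already posted is that it separates three things the thread runs together: a file that is genuinely unsigned or hash-mismatched (`Status` other than `Valid`), a file that is fine but reported by a heuristic, and a protection service that is installed but stopped or disabled. The CSV can be pasted into a reply in the same way the MBAM and ESET logs are requested later in the thread.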


#12 SMS18 (Topic Starter, Members, 13 posts, Gender: Female)

Posted 24 August 2017 - 04:30 PM

Ray, my apologies for this addition to the comments posted above, especially if you are proceeding through the documentation I presented. I discovered today that indeed, some issues have arisen regarding the following question:

 

§ When you start in Normal boot, what prevents you from accessing your files?

 

Original reply: Nothing prevents me from accessing my program files other than some of the Windows program apps such as Services. I can run msconfig, but I can no longer confirm that Windows Firewall and Defender are actually running in Services.

 

Additional information:

 

1. Screensaver no longer works. If I have not interacted with the computer for a time, the screen goes to blue or black instead of the screensaver, and I cannot get it to return to the Desktop view using the mouse. If I press CTRL+ALT+DEL, the following error appears, "The sign-in process couldn't display security and sign-in options when Ctrl+Alt+Del was pressed. If Windows does not respond, press Esc, or use the power switch to restart." When I click OK, the Desktop does display.

 

2. Search this PC no longer works in any program windows. When I attempt to perform a search, there is no response.

 

3. Backing out of directories no longer works. For example, if I have This PC>Desktop>Docs open, I cannot click Desktop or This PC and return to a higher level directory. The back arrow button does work, but clicking the title of a directory no longer navigates up and out of the currently viewed directory.

 

I haven't attempted to use the sound or any other features, so there may be more issues than I've reported here.



#13 RayS (Malware Study Hall Senior, 2,373 posts, Gender: Male, Location: USA)

Posted 25 August 2017 - 06:36 AM

Hi Sam,

Welcome back!

I hope you and your mom are coping well.

Thank you for your comprehensive answers to my questions about your PC. That is a big help.
 

Quote: I am mainly interested in making sure the system doesn’t have any viruses so I can be confident that my backup files are also clean. This is particularly important regarding the large Word file that I converted to a PDF. That file is on a backup drive, and I need to ensure it is safe to use on another computer.

Where is that backup drive? Is it on a different computer? In an external enclosure? Is it a USB thumb drive? Does it have enough space for all your important files that are now on the sick PC?


Overview

In view of the multiple problems exhibited by this PC and the questionable state of the Operating System (OS) and your comment when you said, "I don't expect to use this 2006 HP computer much longer", I recommend that we scan all your important data files and folders in-place on this PC. Then, after I have reviewed the logs, if no threats are detected in your files, we will move them to another computer or other safe place off this PC. Today, let's also capture the Product IDs, the Product Keys of your OS, and the license info of other important apps and save this info in a safe place off this PC. Finally, if all goes well, next time we will do a clean installation of 64x Windows 10 Pro Version 1703. This may be an old and slow PC, but, after it is cleaned, it can be a valuable place on which to store backups as long as the hard drive holds up.


Scan with Malwarebytes Antimalware (MBAM)

  • Launch the copy of MBAM that is already installed on your PC.
  • After MBAM opens, if it says Your databases are out of date, click Fix Now (yellow button in upper right of MBAM window).
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and remove the checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click Scan Now.
  • If you receive a message that updates are available, click Update Now (the update will be downloaded, installed, and the scan will start).
  • When MBAM is finished scanning, it will display any detected threats.
  • Click Remove Selected.
  • MBAM will move infected files and registry keys into quarantine. If MBAM displays a message stating that it needs to reboot, please allow it to do so after the next three steps.
  • Don't click Finish yet.
  • While still on the Scan tab, click Save Results in lower right corner, and, in the window that opens, click Text file (*.txt), and save the log to your Desktop. Send the log to me in your next reply.
  • Go back to Scan tab and click Finish.
  • An abbreviated log is automatically saved by MBAM and can also be viewed by clicking the History tab > Application Logs > Export.

 

 

 

ESET Online Scanner

Note: You will need to disable your currently installed Anti-Virus. How to do so can be found here.
 
Note: If MBAM and/or ESET will not run successfully in Normal boot, please enter Safe Mode and run MBAM and ESET that way. If you need it, you can see an illustrated guide at How to Start Windows 10 in Safe Mode with Networking.

  • Click this link to open ESET Online Scanner.
  • Click SCAN NOW.
  • esetonlinescanner_enu.exe will be downloaded to your PC. Take note of the folder to which it is downloaded.
  • Double-click on esetonlinescanner_enu.exe. If you see a Security Warning pop-up, click Run.
  • On the Terms of Use pop-up, click Accept.
  • In the new window that opens, click Advanced settings, and make sure there is a checkmark next to the following two items (uncheck everything else):
    • Scan archives
    • Enable Anti-Stealth technology
  • Then click Scan. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click Save to text file... (only if anything is found) and give it a unique name, such as ESETScan.txt. Include the contents of this report in your next reply.
  • Click Finish to exit ESET Online Scanner.
  • Don't forget to re-enable your antivirus when finished!

Mark your important data files

Please don't be concerned about threats found by MBAM or ESET except for detections that explicitly name any of your files. If any of your files are named, please mark them in the logs or give me a separate list. Be sure to include full path (for example, C:\Users\SMS\Documents\your_file.doc).
Capture Product IDs and Product Keys

  • Visit this page at nirsoft.net and scroll to the bottom.
  • Click Download ProduKey for x64.
  • Navigate using Windows Explorer to where produkey-x64.zip is downloaded on your PC and click the Extract menu item.
  • In the extracted folder, double-click produkey-x64.exe.
  • In the ProduKey window, select all (Ctrl+A) and Copy selected (Ctrl+C).
  • Paste the result into Notepad and print the document.

Among other info, be sure you have obtained the 25-character Product Key for Windows 10 Pro. It has a form like this: AAAAA-AAAAA-AAAAA-AAAAA-AAAAA (where "A" is a numeral or a capital letter). You will need this key when you reinstall the Windows OS. Please don't publish any keys. Save this document on a different computer.
Document your installed software

  • Carefully examine all software you have installed on this PC.
  • Manually copy full name, version, and license numbers.
  • Paste the result into Notepad and print the document.
  • Save this document on a different computer.

Summary

  • Did MBAM and ESET run successfully? Did you use normal boot or Safe Mode?
  • Provide full copies of the MBAM and ESET logs in the body of your reply.
  • Mark detections in the logs or provide separate listings of any important data files that are explicitly named in the logs.
  • Please confirm that you have printed and saved product documentation for all your software; especially the Product Key for Windows 10 Pro.
  • Tell me about problems you encountered, if any.

Thank you,

Ray

Edit typo

Edited by RayS, 25 August 2017 - 06:39 AM.

I don't accept payment for my help, but it would please me if you perform a kindness for your neighbor. You might also contact your local animal shelter. They can always use a bag of kibble or a few cans of pet food. Who knows... you might even find a life-long furry friend there.
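As an added example (not part of Ray's instructions and not ProduKey's own code), this PowerShell script gathers the pre-reinstall inventory the "Capture Product IDs and Product Keys" and "Document your installed software" steps above ask for: the Windows edition, Product ID and firmware-embedded OEM key, plus the name, version and publisher of every program listed under Programs and Features, written to a text file on the Desktop. The output path is an assumption, the OEM key is blank on a machine upgraded from a retail Windows 7 key (which is why ProduKey remains the tool for the installed key), and application license numbers still have to be copied by hand as the instructions say.

```powershell
# Added example: pre-reinstall inventory from the registry and WMI.
# Output path is an assumption; change it if you want the file elsewhere.
$OutFile = Join-Path ([Environment]::GetFolderPath('Desktop')) 'pre-reinstall-inventory.txt'

# Windows edition, build and Product ID as shown in System properties.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$lines = @(
    "Windows edition : $($cv.ProductName) (build $($cv.CurrentBuild))",
    "Product ID      : $($cv.ProductId)"
)

# Firmware-embedded (OEM) key, if the machine has one. Retail and upgrade
# installs have no firmware key, so this is empty for them; use ProduKey then.
$oa3 = (Get-CimInstance -ClassName SoftwareLicensingService).OA3xOriginalProductKey
$lines += "OEM product key : " + $(if ($oa3) { $oa3 } else { '(none in firmware; use ProduKey)' })

# Installed software as listed in Programs and Features: 64-bit view,
# 32-bit (WOW6432Node) view, and per-user installs.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$apps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
    Sort-Object DisplayName -Unique |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate

$lines += ''
$lines += "Installed software ($($apps.Count) entries):"
$lines += $apps | Format-Table -AutoSize | Out-String -Width 200

# Write the inventory; print it or copy it to another computer before reinstalling.
$lines | Set-Content -Path $OutFile -Encoding UTF8
Write-Host "Inventory written to $OutFile"
```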


#14 SMS18 (Topic Starter)

Posted 25 August 2017 - 10:31 AM

Thank you, Ray, for your detailed instructions. I will proceed to follow them and reply after I have completed all of the steps you outlined for me.

Briefly, to answer your first question regarding the backup drive: I have multiple exterior hard drives and several flash drives. Most of my files -- and all of my important files -- have been backed up via a formal backup (about 12 months ago) and by copying individual files directly to exterior drives. I also have some important completed projects backed up on an off-site server and CDs.

I do have enough available memory to store all the important files from the sick PC. My computer has a 1 terabyte hard disk, and two of my backup exterior drives have 2 terabytes of available space.

I will proceed with capturing product IDs, OS keys and license information. Fortunately, I do have installation discs for many of my software applications as well. The system came originally with Windows 7 Home and I upgraded via Windows Anytime Upgrade to Win 7 Pro...and sadly, that provided an upgrade product key but no discs ( :) ).

I am deeply grateful for your assistance, Ray, and I will be back with the rest of the information you have requested as soon as I have completed the steps. We are expecting some heavy rain this weekend (due to a hurricane), so if you don't hear from me for a day or so, it may be weather issues, not computer issues, preventing a prompt reply.

Also, Ray, thank you for your kind expression regarding my mom.


Edited by SMS18, 25 August 2017 - 10:33 AM.


#15 SMS18 (Topic Starter)

Posted 25 August 2017 - 06:46 PM

Hi Ray!

Following are responses to the instructions you last provided. Scan logs for Malwarebytes and ESET are in the next message.

Thank you for your help!

S

Scan with Malwarebytes Antimalware (MBAM)

  • Launch the copy of MBAM that is already installed on your PC.

Malwarebytes | Free scan settings: (updates were current) Interface is slightly different than you described:

  • Settings: Protection tab—Scan Options—I turned off Scan for rootkits
  • Scan: Threat Scan—enabled

Scan initiated 8/25/17 at 12:04 pm (Note: system had automatically restarted on its own overnight).

Scan Summary:

Time to complete scan: 00:26:48
Items scanned: 479,686
Threats detected: 0
Threats quarantined: 0

Exported summary saved as Malwarebytes scan 8_25_17_bleepingcomputer.txt file. (Log information is pasted into the next message.)

ESET Online Scanner

Note: You will need to disable your currently installed Anti-Virus. How to do so can be found here.—Verified in Safe Mode with Networking

ESET Online Scanner (downloaded from link after restarting computer in Safe Mode with Networking)

Scan settings:

  • Detect Potentially Unwanted Programs radio button checked
  • Advanced settings
    • Scan archives―checkbox checked
    • Enable Anti-Stealth technology―checkbox checked

Scan Summary:

Files scanned: 492,174
Infected files: 19
Total scan time: approx. 4 hours

Program closed after creating text file listing issues.

Saved summary is ESET_Scan_8-25-17_19items_for_bleepingcomputer.txt (Log information is pasted into the next message.)

Note: I did not remove any of these files or quarantine them.

NONE of my files were included in this list. All were PUPs.

I restarted my computer in Normal mode. Checked to confirm that Windows Defender and Windows Firewall are running (Kaspersky has not been reinstalled yet).

Capture Product IDs and Product Keys

  • Visit this page at nirsoft.net and scroll to the bottom.
  • Click Download ProduKey for x64.
  • Navigate using Windows Explorer to where produkey-x64.zip is downloaded on your PC and click the Extract menu item.
  • In the extracted folder, double-click produkey-x64.exe.
  • In the ProduKey window, select all (Ctrl+A) and Copy selected (Ctrl+C).
  • Paste the result into Notepad and print the document.

All of these steps were completed.

Document your installed software

  • Carefully examine all software you have installed on this PC.

Done

  • Manually copy full name, version, and license numbers.

Done. I have installation discs for most important software, too.

  • Paste the result into Notepad and print the document.

Done

  • Save this document on a different computer.

Saved to CD for now.

Summary

  • Did MBAM and ESET run successfully?

Yes.

  • Did you use normal boot or Safe Mode?

Malwarebytes ran in Normal mode.

I was unable to locate ESET using the link you provided, so I restarted in Safe Mode with Networking, thinking that was the problem. I attempted to locate ESET using Microsoft Edge and then Chrome; however, the link produces a 404 Page not found error.

When I backed off the end of the address (“/popup”), the correct page appeared and I was able to perform the online ESET scan in Safe Mode with Networking.

  • Provide full copies of the MBAM and ESET logs in the body of your reply.

Please see next message for log details on both Malwarebytes and ESET scans.

  • Mark detections in the logs or provide separate listings of any important data files that are explicitly named in the logs.

No important data was identified in the scans.

  • Please confirm that you have printed and saved product documentation for all your software; especially the Product Key for Windows 10 Pro.

Confirmed.

Oddly, Windows seems to be performing a little better today. I can access Services now via Task Manager (but not via the Windows command key+R) and the screensaver is working again in Normal Mode.

  • Tell me about problems you encountered, if any.

One unusual behavior occurred at the conclusion of today’s Malwarebytes scan: I received a notification that Skype was now enabled and I was connected via my email address. I also got a message two minutes later from 28: conceierge that read, “(hi) Hello! Skype here. Did you know that Skype is already on your computer and ready to go? We’d like to send you tips and hints so you can…”

When I updated to Windows 10, I never enabled Skype. It is not on my taskbar or my taskview button popup menu, and when I checked Processes, it was not listed. Also, in Services it is listed as disabled. Note that after I restarted in Safe Mode with Networking and then restarted in Normal mode after the ESET scan, I do not see Skype listed any longer. My suspicion is that this occurred as a result of using the Tweaking.com Windows repair kit. I have had my system mostly unplugged from the internet until today when I performed the scans and downloaded the ProductKey software, and so it is possible that Skype had enough online time to set itself up.


Edited by SMS18, 25 August 2017 - 06:51 PM.