
Pop up virus: Error # 0x80072ee7


  • This topic is locked
23 replies to this topic

#1 danilka

danilka

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:37 AM

Posted 10 January 2018 - 11:22 PM

Hi, I get this pop up virus Error # 0x80072ee7. Most likely got it after downloading Babylon software. I've tried all the removal suggestions found online (programs like Hitman Pro, AdwCleaner, Malwarebytes, etc.) but just can't get rid of it. Could you help? 




#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,735 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:37 AM

Posted 11 January 2018 - 09:47 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===

Please post the logs for my review.

Please wait for further instructions.

#3 danilka

danilka
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:37 AM

Posted 11 January 2018 - 10:38 AM

Hi, thank you for your help!

Please see both attachments

Attached Files



#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,735 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:37 AM

Posted 11 January 2018 - 01:55 PM



Hi,

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
SearchScopes: HKLM -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKLM-x32 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
SearchScopes: HKLM-x32 -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = hxxp://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM-x32 -> {ec29edf6-ad3c-4e1c-a087-d6cb81400c43} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
S3 epmntdrv; \??\C:\Windows\system32\epmntdrv.sys [X]
S3 EsgScanner; system32\DRIVERS\EsgScanner.sys [X]
S3 EuGdiDrv; \??\C:\Windows\system32\EuGdiDrv.sys [X]
S1 ZAM; \??\C:\Windows\System32\drivers\zam64.sys [X]
S1 ZAM_Guard; \??\C:\Windows\System32\drivers\zamguard64.sys [X]
CustomCLSID: HKU\S-1-5-21-287537521-3270100723-2551216227-1001_Classes\CLSID\{162C6FB5-44D3-435B-903D-E613FA093FB5}\InprocServer32 -> C:\Users\Dan\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\amd64\FileCoAuthLib64.dll => No File
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ContextMenuHandlers1: [BabylonDocTrans] -> {947217BD-E967-400A-B14A-BA851A8EDCBB} =>  -> No File
MSCONFIG\startupreg: Babylon Client => C:\Program Files (x86)\Babylon\Babylon-Pro\Babylon.exe -AutoStart
C:\Program Files (x86)\Babylon

cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew
Hosts:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.

Please let me know what problem persists with this computer.
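The fixlist above is the helper's hand-picked selection from the FRST log: entries whose target file FRST could no longer find (marked "[X]" or "No File"), a search scope with an empty URL, and the Babylon leftovers. The following Python is an added example, not part of the thread and not part of the Farbar tool; it automates that triage over FRST-style lines. The sample lines are copied from the fixlist in the post, the classification rules and the `build_fixlist` layout are my own assumptions about how to reproduce the helper's judgement, and a real log would need review before any generated fixlist is run.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) log lines.

Added example, not part of the BleepingComputer thread or of FRST itself.
It flags startup/service/shell entries whose target file no longer exists
(FRST marks these "[X]" or "No File"), treats a SearchScopes entry with an
empty URL as a leftover, and collects search-provider hosts for review.
The sample lines are copied from the fixlist in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample: lines taken verbatim from the fixlist posted in the thread.
SAMPLE_FRST_LINES = """\
HKLM-x32\\...\\Run: [] => [X]
SearchScopes: HKLM -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKLM-x32 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
S3 epmntdrv; \\??\\C:\\Windows\\system32\\epmntdrv.sys [X]
S1 ZAM; \\??\\C:\\Windows\\System32\\drivers\\zam64.sys [X]
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ContextMenuHandlers1: [BabylonDocTrans] -> {947217BD-E967-400A-B14A-BA851A8EDCBB} =>  -> No File
MSCONFIG\\startupreg: Babylon Client => C:\\Program Files (x86)\\Babylon\\Babylon-Pro\\Babylon.exe -AutoStart
"""


@dataclass
class Finding:
    line: str
    kind: str                 # service, searchscope, run, shell, startup, other
    orphaned: bool            # FRST could not find the referenced file/target
    search_host: Optional[str] = None  # host of a SearchScopes URL, if any


def classify(line: str) -> Finding:
    """Classify one FRST log line (assumed rule set, see lead-in)."""
    line = line.rstrip()
    # FRST appends "[X]" to services/drivers and "No File" to shell/CLSID
    # entries whose image path does not exist on disk.
    orphaned = line.endswith("[X]") or line.endswith("No File")
    kind, host = "other", None
    if re.match(r"^[SR][0-4] ", line):          # service/driver start type + name
        kind = "service"
    elif line.startswith("SearchScopes:"):
        kind = "searchscope"
        m = re.search(r"URL = (\S+)", line)
        if m:
            # FRST defangs URLs as hxxp; refang only to parse the host.
            host = urlparse(m.group(1).replace("hxxp", "http", 1)).hostname
        else:
            orphaned = True                      # scope with no URL is a leftover
    elif "\\Run:" in line:
        kind = "run"
        orphaned = orphaned or "[] =>" in line   # Run value with empty command
    elif line.startswith(("ShellIconOverlayIdentifiers:", "ContextMenuHandlers")):
        kind = "shell"
    elif line.startswith("MSCONFIG\\startupreg:"):
        kind = "startup"
    return Finding(line, kind, orphaned, host)


def triage(log_text: str) -> Tuple[List[Finding], List[str]]:
    """Return (orphaned entries, sorted search-provider hosts) for a log."""
    findings = [classify(l) for l in log_text.splitlines() if l.strip()]
    orphans = [f for f in findings if f.orphaned]
    hosts = sorted({f.search_host for f in findings if f.search_host})
    return orphans, hosts


def build_fixlist(log_text: str, suspect_names=("Babylon",)) -> List[str]:
    """Draft a fixlist.txt in the layout used in the thread.

    Orphaned entries go in first, then any non-orphaned line that mentions a
    suspect product name (the thread's case: Babylon). Review before running.
    """
    orphans, _ = triage(log_text)
    body = [f.line for f in orphans]
    for f in (classify(l) for l in log_text.splitlines() if l.strip()):
        if not f.orphaned and any(n.lower() in f.line.lower() for n in suspect_names):
            body.append(f.line)
    return ["Start", "CreateRestorePoint:", "CloseProcesses:", *body, "EmptyTemp:", "End"]


if __name__ == "__main__":
    orphans, hosts = triage(SAMPLE_FRST_LINES)
    print(f"{len(orphans)} orphaned entries; search hosts: {hosts}")
    print("\n".join(build_fixlist(SAMPLE_FRST_LINES)))
```

The generated list is a starting point only: an "[X]" service entry is harmless in itself (it is a registration whose driver is already gone), so the point of removing it is cleanup, while the Babylon startup entry and the injected search scopes are the items that actually change user-visible behaviour.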

#5 danilka

danilka
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:37 AM

Posted 11 January 2018 - 06:43 PM

Thank you for your assistance!

Please see the attached file.

Attached Files



#6 danilka

danilka
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:37 AM

Posted 12 January 2018 - 09:09 AM

The virus pop up just came up again((



#7 nasdaq

nasdaq

  • Malware Response Team
  • 40,735 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:37 AM

Posted 12 January 2018 - 10:00 AM

Hi,

What application is reporting this virus.

Can you give me additional information?

Can you capture the screen and post the image?

#8 danilka

danilka
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:37 AM

Posted 12 January 2018 - 10:25 AM

I've been able to take some pictures from before. Please see 4 of them attached.

 

I believe they're fake pop ups under Microsoft.

Attached Files

  • Attached File  1.jpg   162.2KB   0 downloads
  • Attached File  2.jpg   190.35KB   0 downloads
  • Attached File  3.jpg   199.83KB   0 downloads
  • Attached File  4.jpg   139.91KB   0 downloads


#9 danilka

danilka
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:37 AM

Posted 12 January 2018 - 10:49 AM

This might be another one

Attached Files

  • Attached File  5.jpg   100.82KB   0 downloads


#10 nasdaq

nasdaq

  • Malware Response Team
  • 40,735 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:37 AM

Posted 12 January 2018 - 01:06 PM

Hi,

These are all phishing, scam notices.

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Also, please provide an update on how the computer is behaving after running the above script.

===

Reset the browsers that you use and have been compromised.

How To:
https://www.howtogeek.com/171924/how-to-reset-your-web-browser-to-its-default-settings/

Post the Zoek log and let me know of any issues.

#11 danilka

danilka
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:37 AM

Posted 12 January 2018 - 11:13 PM

Please see attached logs (did it twice by accident).

Computer behaves normally even though the virus pop ups might show up later.

I reset IE and Mozilla.

Thanks!

Attached Files



#12 nasdaq

nasdaq

  • Malware Response Team
  • 40,735 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:37 AM

Posted 13 January 2018 - 08:51 AM

Hi,

Sophos Virus Removal Tool

Please download Sophos Virus Removal Tool and save it to your computer's Desktop.
  • Right-click the icon and select Run as administrator.
  • Click Yes to accept any security warnings that may appear.
  • Click the Next button.
  • Select 'I accept the terms in the license agreement', then click Next twice.
  • Click the Install button and wait until the installation is complete.
  • Click the Finish button. The tool created a shortcut icon on the Desktop of your computer.
  • Now, double-click the Sophos Virus Removal Tool shortcut icon to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • After it updates and a "Start Scanning" button appears in the lower right:
    • Disconnect from the Internet or physically unplug your Internet cable connection.
    • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
    • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • Click the "Start Scanning" button in the lower right to start the scan.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, if it detected anything there will be a "Start Clean-up" button, click it and allow it to finish.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • If any threats are found click Details, then View Log file (bottom left-hand corner).
  • Copy and paste its contents in your next reply and note any errors encountered.
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup.
  • Click Exit to close the program.
  • If no threats were found, please confirm that result.
Note: Whenever necessary, the log will be in the following location:

Windows Vista and above:
C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log
 
Please post the contents of the log in your next reply and note any errors encountered.
===

In a day or two let me know if you still get these popups.

#13 danilka

danilka
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:37 AM

Posted 13 January 2018 - 03:16 PM

Hi,

 

It found one problem. Please see attached.

 

By the way, there was another pop up scam before I did this scan.

Attached Files



#14 danilka

danilka
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:37 AM

Posted 13 January 2018 - 04:56 PM

Just got redirected to one of the scam pages: exclusiveoffers.org to take some survey



#15 nasdaq

nasdaq

  • Malware Response Team
  • 40,735 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:37 AM

Posted 14 January 2018 - 08:49 AM



Hi,

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.


Clean the Internet Explorer Cache.
https://kb.wisc.edu/page.php?id=15141
===

Restart the computer normally.


If the problem persists in IE or other browsers, reset the browsers.
Reset the browsers that you use and have been compromised.

How To:
https://www.howtogeek.com/171924/how-to-reset-your-web-browser-to-its-default-settings/

====

Here is some reading on these Scams
https://blogs.technet.microsoft.com/mmpc/2017/11/20/new-tech-support-scam-launches-communication-or-phone-call-app/

If any of your browsers are syncing with other devices, stop it.

p.s.
If you get the popup again let me know which browser is compromised.



