Every time I try to download a file I get a message that the file “contained a virus and was deleted”. Also, I cannot access Windows Defender or Firewall. I am running in Safe Mode now. Can you help with this? Thank you.
attach the requested logs (not copy and paste) http://forum.avast.com/index.php?topic=53253.0
run in order listed
AdwCleaner / Malwarebytes / OTL / aswMBR
when done removal experts will be notified and check the logs for infections…
and tools can be run from safe mode if you need to
Monitoring
Ran in safe mode. Had to transfer programs from another computer since infected system will not let me download anything.
Last of files.
On completion of the OTL run you should be able to download files
Warning: This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
https://dl.dropbox.com/u/73555776/OTL_Fix.GIF
:Commands
[CREATERESTOREPOINT]
:Files
fsutil reparsepoint delete "C:\Program Files\Windows Defender\en-US" /c
fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpAsDesc.dll" /c
fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpClient.dll" /c
fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpCmdRun.exe" /c
fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpSoftEx.dll" /c
fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpEvMsg.dll" /c
fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpOAV.dll" /c
fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpRtMon.dll" /c
fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpSvc.dll" /c
fsutil reparsepoint delete "C:\Program Files\Windows Defender\MSASCui.exe" /c
fsutil reparsepoint delete "C:\Program Files\Windows Defender\MsMpCom.dll" /c
fsutil reparsepoint delete "C:\Program Files\Windows Defender\MsMpLics.dll" /c
fsutil reparsepoint delete "C:\Program Files\Windows Defender\MsMpRes.dll" /c
fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpRtPlug.dll" /c
fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpSigDwn.dll" /c
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
- IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png
http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
- Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
- Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
- If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
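The OTL fix above removes reparse points from the Windows Defender program files. A read-only PowerShell check for which of those paths still carry a reparse point follows; it is an added example, not part of the original post, the function name Get-DefenderReparsePoint is hypothetical, and the file list is the one from the fix script.

```powershell
# Added example: read-only check, changes nothing on disk.
# Get-DefenderReparsePoint is a hypothetical helper name; the item names
# are the ones listed in the OTL fix script in this thread.
function Get-DefenderReparsePoint {
    param(
        [string]$Root = 'C:\Program Files\Windows Defender'
    )

    $names = @(
        'en-US', 'MpAsDesc.dll', 'MpClient.dll', 'MpCmdRun.exe',
        'MpSoftEx.dll', 'MpEvMsg.dll', 'MpOAV.dll', 'MpRtMon.dll',
        'MpSvc.dll', 'MSASCui.exe', 'MsMpCom.dll', 'MsMpLics.dll',
        'MsMpRes.dll', 'MpRtPlug.dll', 'MpSigDwn.dll'
    )

    foreach ($name in $names) {
        $path = Join-Path $Root $name
        try {
            # -Force returns hidden/system items; -LiteralPath avoids wildcard expansion.
            $item = Get-Item -LiteralPath $path -Force -ErrorAction Stop
            if ($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint) {
                $state = 'ReparsePoint'
            }
            else {
                $state = 'Normal'
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            $state = 'Missing'
        }
        catch {
            # Access denied or similar: report it instead of calling the file missing.
            $state = "Unreadable: $($_.Exception.Message)"
        }
        New-Object PSObject -Property @{ Path = $path; State = $state }
    }
}

# Show only the entries that need attention.
Get-DefenderReparsePoint |
    Where-Object { $_.State -ne 'Normal' } |
    Format-Table Path, State -AutoSize
```

For any path reported as ReparsePoint, `fsutil reparsepoint query "<path>"` prints the reparse data without modifying it.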
Logs attached. I was able to download Combofix on the infected system. My Windows Defender icon is now “showing” again but error message when I tried to click on it. Says program failed to initialize.
Sorry, also, I can now access Windows Firewall. Thank you.
How is the computer now, any problems ?
Warning: This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
https://dl.dropbox.com/u/73555776/OTL_Fix.GIF
:Commands
[CREATERESTOREPOINT]
:Reg
[-HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
:Files
C:\$RECYCLE.BIN\S-1-5-18\$4cf4b66411809b83677488561b2659d8
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
OTL Log Attached. I tried to access Windows Defender again but it still will not open. Still says that it “failed to initialize”.
You will need to re-install Windows Defender then, as it has been damaged
Download link http://www.microsoft.com/en-gb/download/windows-defender-details.aspx
Let me know how that goes, then when you are happy I will tidy up
Ok, I got Windows Defender working and did a scan. I rebooted and it would not work again. Through Security Center I was able to turn it back on again and it worked. Rebooted…and it would not access again. For some reason it is not staying enabled and I seem to have to turn it on manually through Security Center each time system is booted up. Not sure why this is.
Besides that system seems to be working.
Also, through MSCONFIG, what is the preferred setting for startup? At a previous date this was altered when working through a different system problem. Just curious. Thank you.
Ensure that defender is enabled in MSconfig startup
Then let's have a quick shufti at the services
Download and run farbar service scanner
http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/FSS-1.jpg
Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.
Msconfig services tab has Windows Defender “checked” but status is “Stopped”.
Farbar log attached.
OK the malware deleted a reg key I will need to find out what was contained within that key to replace it
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}
I am not sure if I am supposed to do something with the text in your prior post…sorry.
Also, now the browsing history on IE will not delete. It was working before.
Thank you.
That is the reg key that was deleted (a reminder to myself really). Unfortunately I only have XP and Windows 8 on my system
Could you download and run this small programme please and after a reboot let me know if it cures the problem
http://www.tweaking.com/content/page/restore_important_windows_services.html
Question…downloaded Tweaking and it started…said total repair time 6 seconds…a little after that I hit stop and said stopping but waiting for current repair to finish.
Been running for about 45 minutes now. Should I leave it alone or could it be hung up?
What stage does it state that it is at in the report column ?
I do not see a report column. If it is “Status” then nothing has ever appeared. This is version 1.9.13.