grumpyDave

Can't run anything that will reset or restore windows, etc

Hello, I've cleaned my PC with MB, but the computer is obviously still infected. I can run neither the "reset PC" in settings nor system restore. I've tried running them in safe mode, same thing. I just click the buttons but nothing happens. Cannot turn on Real-time protection of Windows Defender as well. It seems that something is preventing me from acting as administrator, but not completely, if that makes sense. I'm still able to run programs and such, but cannot do some crucial operations like creating restore points, removing paired devices, etc. My firewall is also disabled and cannot be turned on. I've tried disabling group policy service, as it was running for no reason (Windows 10 Home), because I thought that somehow the virus restricted my permissions through that, but the problem persists... I've tried everything and I don't know what to do anymore, to be honest. Seeking help from the professionals!

Addition.txt

FRST.txt

MBscan2-23-2019.txt


Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

I need to see the FRST.TXT log run with the latest version of the program.

Delete your copy.
Download and run this latest version.

Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system.

Post only the FRST.TXT log.


Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

I see some error about Avira in your Addition.txt logs.

I suggest you run their uninstaller to remove all traces of it.

Avira
Download and run their uninstaller tool from this site.
https://www.avira.com/en/downloads-paid

Restart the computer when the removal is completed.
<<<>>>

Please post the Fixlog.txt and let me know what problem persists.

fixlist.txt


I'm sure I uninstalled Avira before scanning. I don't know why there are still traces of it on my PC. 

I will run the log as soon as I get home! Thanks


Hi,

This looks like a bad infection.

Please run the Farbar program. It will possibly update itself. Let it finish.

Run the updated version and post fresh logs for my review.

I want to see what is still around.


Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Nothing has changed.

--RogueKiller--

  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what [PUM's] are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.


=======

We may need to do the fix in the Recovery Environment.

I need to know if you have access to the Recovery Environment.

Open FRST on the compromised computer:

Copy/paste the following inside the text area of FRST. Once done, click on the Fix button. A file called fixlog.txt should appear on your desktop. Attach it in your next reply.

Start::
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
End::


On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
Copy and paste its content in your next reply.

Wait for further instructions.
<<<>>>


RogueKiller crashes every time after like 3 seconds after I start the scan. Maybe it reaches the cause of all this nonsense, and it doesn't let it go through.. Attaching screenshot and frst fixlog. Thanks for all your help thus far!!

 

rogue.PNG

Fixlog.txt


Hi,

Please refer to post no. 12

Follow the instructions after this section.
We may need to do the fix in the Recovery Environment.


By recovery environment, you mean Safe mode?
I've done the steps after the "We may need to do the fix in the Recovery Environment" part. 


Oh, if you want the content just pasted, here:

Fix result of Farbar Recovery Scan Tool (x64) Version: 28.02.2019 01
Ran by Dave (28-02-2019 17:27:32) Run:5
Running from C:\Users\Dave\Desktop\frst
Loaded Profiles: Dave &  (Available Profiles: Dave & Artur)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes

*****************


========= bcdedit.exe /set {bootmgr} displaybootmenu yes =========

The operation completed successfully.

========= End of CMD: =========


========= bcdedit.exe /set {default} recoveryenabled yes =========

The operation completed successfully.

========= End of CMD: =========


==== End of Fixlog 17:27:32 ====

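A small checker for the Fixlog layout pasted in the post above, added here as an example (it is not part of the thread and not FRST's own code). It assumes the section markers seen in that log; the function names are hypothetical. It confirms that every `CMD:` line in the fixlist has a result section, that each result is the success line, and that the log has its closing trailer.

```python
import re

# Constructed sample: the Fixlog pasted in the thread, blank lines and some header lines dropped.
SAMPLE_FIXLOG = """\
Fix result of Farbar Recovery Scan Tool (x64) Version: 28.02.2019 01
Ran by Dave (28-02-2019 17:27:32) Run:5
Boot Mode: Normal
==============================================
fixlist content:
*****************
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
*****************
========= bcdedit.exe /set {bootmgr} displaybootmenu yes =========
The operation completed successfully.
========= End of CMD: =========
========= bcdedit.exe /set {default} recoveryenabled yes =========
The operation completed successfully.
========= End of CMD: =========
==== End of Fixlog 17:27:32 ====
"""

OK = "The operation completed successfully."
# One result section: "=== <command> ===", its output, then "=== End of CMD: ===".
SECTION = re.compile(
    r"^=+ (?P<cmd>[^\n]+?) =+\n(?P<out>.*?)^=+ End of CMD: =+$", re.M | re.S)

def parse_fixlog(text):
    """Return (header fields, requested CMD lines, {command: output})."""
    boot = re.search(r"^Boot Mode: (.+)$", text, re.M)
    version = re.search(r"Version: (.+)$", text, re.M)
    header = {"boot_mode": boot.group(1).strip() if boot else None,
              "version": version.group(1).strip() if version else None}
    requested = [c.strip() for c in re.findall(r"^CMD: (.+)$", text, re.M)]
    results = {m["cmd"].strip(): m["out"].strip() for m in SECTION.finditer(text)}
    return header, requested, results

def review_fixlog(text):
    """List what a helper would question: missing, failed or truncated results."""
    header, requested, results = parse_fixlog(text)
    problems = []
    for cmd in requested:
        if cmd not in results:
            problems.append(f"no result section for: {cmd}")
        elif results[cmd] != OK:
            problems.append(f"{cmd} -> {results[cmd]}")
    if not re.search(r"^=+ End of Fixlog", text, re.M):
        problems.append("log truncated: no 'End of Fixlog' trailer")
    return header, problems
```

The returned header also carries the `Boot Mode` field, which records whether the fix ran in normal mode or elsewhere.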

Hi,

You will need access to a spare PC and a USB flash drive that has not been in contact with the sick PC...
If you do not at this time have this access stop right now.

When you do then you can follow these directives otherwise the fix will not work.

===

Proceed when you are ready.

Read all the instructions before proceeding.
Take your time and all should be well.

Preparing the USB Flash Drive

Boot up your spare PC:
Plug in the flash drive, navigate to that drive, right-click on it directly and select Format. Quick option is adequate.

Next,

On that same PC download the right version of Farbar program for your system to Desktop or the Flash drive.
Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system.

If the file was saved on the Desktop, move the executable (FRST.exe or FRST64.exe) to your USB Flash Drive.
 


How to determine whether a computer is running a 32-bit version or 64-bit version of the Windows operating system.
https://support.microsoft.com/en-us/help/827218/how-to-determine-whether-a-computer-is-running-a-32-bit-version-or-64

Do not plug the Flash Drive into the sick PC until booted to Recovery Environment.

Boot the compromised PC to Recovery Environment, if you are unsure of that action have a read at the following link, maybe bookmark for future reference...

To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums https://www.tenforums.com/tutorials/2294-boot-advanced-startup-options-windows-10-a.html

From the Windows 10 Tutorial you should get access to the Advanced Startup Options at boot for Windows 10

Select in this order
"Troubleshoot" > "Advanced Options" > "Command Prompt"

Once in the command prompt

Plug your USB Flash Drive in the infected computer

In the command prompt, type notepad and press on Enter
Notepad will open. Click on the File menu and select Open
Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad
In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe) and press on Enter
Note: Replace the letter e with the drive letter of your USB Flash Drive
FRST will open
Click on Yes to accept the disclaimer
Click on the Scan button and wait for the scan to complete
A log called FRST.txt will be saved on your USB Flash Drive. Attach it in your next reply.

p.s.
If at any time you need additional information please ask before proceeding.

Wait for further instructions.


Hi,

In normal mode, please run Malwarebytes and delete all entries found.

Run the Farbar program and post fresh FRST.TXT and addition.txt logs.

Make sure the box to create the Addition.txt log is checked.

Let me know what problem persists.

 


Alright, I'm able to enable windows real-time protection, create restore points and remove paired devices. Reset this PC function also works! Created a restore point just in case. 

I still cannot turn on my firewall, however! Attaching screenshot and logs. Thanks!!!!!!

Addition.txt

FRST.txt

firewall.PNG


Perhaps this is the result of me meddling with group policy settings? I've disabled the service, but it seems that whatever group policy rules the virus set up are still active as far as firewall settings go. Windows defender real-time protection used to say the same "This setting is managed by your administrator" before you guys helped me fix it. 


Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

I found some restrictions that will be removed.

Your Firewall is shown as running in the Addition.txt log.
Strange!

Please post the Fixlog.txt and let me know what problem persists.


Hi,

The only important thing is that Windows defender is disabled.

The fix will change that.

Let me know if the problem persists.

fixlist.txt


Still cannot turn on the firewall... Maybe it just shows it like that, but it's actually turned on, as you said, because I've run a couple games and firewall message showed up to allow or not allow them through it.

Fixlog.txt

This topic is now closed to further replies.
