emanuelenasta Posted April 14, 2021 ID:1451225

Hi, I got a strange virus... when I connect to the Internet, I get a black screen and I can do nothing. I reflashed Windows 10, I formatted all disks normally and with AOMEI Partition Assistant, I rebuilt the MBR, I did the sfc /safescan and I got many errors, I did the cleanup image, the bootfix I can't do (Permission Denied, I tried many ways but nothing). What can I do? (I flashed W10 from a USB burned by Rufus, I also used Huion w10 pe.) Malwarebytes doesn't recognize it, but many times the screen became black and I must reflash the OS. Thank you
AdvancedSetup (Root Admin) Posted April 14, 2021 ID:1451228

Hello @emanuelenasta

First off, are you trying to save any data or simply trying to wipe the drive and reinstall Windows?
Is your computer a Laptop or Desktop?
What is the Manufacturer name? HP, Dell, Sony, etc?
What is the Model number?
Are you using an SSD or older mechanical drive (if you know)?
Do you have an 8 GB USB thumb drive that can be formatted and used?

Thanks
emanuelenasta (Author) Posted April 14, 2021 ID:1451258

I have a full backup from 2 weeks ago made with AOMEI; it is an assembled desktop, SSD, yes.

5 hours ago, AdvancedSetup said:
Hello @emanuelenasta First off, are you trying to save any data or simply trying to wipe the drive and reinstall Windows? Is your computer a Laptop or Desktop? What is the Manufacturer name? HP, Dell, Sony, etc? What is the Model number? Are you using an SSD or older mechanical drive (if you know) Do you have an 8 GB USB thumb drive that can be formatted and used? Thanks
AdvancedSetup (Root Admin) Posted April 14, 2021 ID:1451267

If the desktop is operational please run the following for me and I'll check back on you tomorrow.

Did you follow the directions to clean Google Chrome?

Please download Farbar Recovery Scan Tool and save it to your desktop.
Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit.

Double-click to run it. When the tool opens click Yes to disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you
emanuelenasta (Author) Posted April 14, 2021 ID:1451339

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 14-04-2021
Ran by SYSTEM on MININT-PEQD04 (14-04-2021 17:43:25)
Running from X:\Users\Default\Downloads
Platform: WIN_10 (X64) Language: English (United States)
Boot Mode: Recovery

ATTENTION: Could not load system hive.
ATTENTION: System hive is missing.

==================== Registry (Whitelisted) ===================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

ATTENTION: Software hive is missing.

==================== Scheduled Tasks (Whitelisted) ============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One month (created) (All) =========

(If an entry is included in the fixlist, the file/folder will be moved.)

==================== One month (modified) ==================

(If an entry is included in the fixlist, the file/folder will be moved.)

==================== KnownDLLs (Whitelisted) =========================

==================== SigCheck ============================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe IS MISSING <==== ATTENTION
C:\Windows\System32\wininit.exe IS MISSING <==== ATTENTION
C:\Windows\explorer.exe IS MISSING <==== ATTENTION
C:\Windows\SysWOW64\explorer.exe IS MISSING <==== ATTENTION
C:\Windows\System32\svchost.exe IS MISSING <==== ATTENTION
C:\Windows\SysWOW64\svchost.exe IS MISSING <==== ATTENTION
C:\Windows\System32\services.exe IS MISSING <==== ATTENTION
C:\Windows\System32\User32.dll IS MISSING <==== ATTENTION
C:\Windows\SysWOW64\User32.dll IS MISSING <==== ATTENTION
C:\Windows\System32\userinit.exe IS MISSING <==== ATTENTION
C:\Windows\SysWOW64\userinit.exe IS MISSING <==== ATTENTION
C:\Windows\System32\rpcss.dll IS MISSING <==== ATTENTION
C:\Windows\System32\dnsapi.dll IS MISSING <==== ATTENTION
C:\Windows\SysWOW64\dnsapi.dll IS MISSING <==== ATTENTION
C:\Windows\System32\dllhost.exe IS MISSING <==== ATTENTION
C:\Windows\SysWOW64\dllhost.exe IS MISSING <==== ATTENTION
C:\Windows\System32\Drivers\volsnap.sys IS MISSING <==== ATTENTION
C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} IS MISSING <==== ATTENTION
C:\Windows\System32\InputHost.dll IS MISSING <==== ATTENTION
C:\Windows\System32\winsrv.dll IS MISSING <==== ATTENTION

==================== Restore Points =========================

==================== Memory info ===========================

Percentage of memory in use: 10%
Total physical RAM: 32681.12 MB
Available physical RAM: 29290.74 MB
Total Virtual: 32681.12 MB
Available Virtual: 29274.13 MB

==================== Drives ================================

Drive d: () (Removable) (Total:0 GB) (Free:0 GB)
Drive x: (Boot) (Fixed) (Total:0.32 GB) (Free:0.32 GB) NTFS
Drive y: (HBCD_PE_x64) (Removable) (Total:57.62 GB) (Free:56.19 GB) NTFS

==================== MBR & Partition Table ====================

Could not read MBR for disk 0.
Could not read MBR for disk 1.

==========================================================
Disk: 4 (MBR Code: Windows 7/8/10) (Size: 57.6 GB) (Disk ID: 04BCA205)
Partition 1: (Active) - (Size=57.6 GB) - (Type=07 NTFS)
Could not read MBR for disk 5.

==================== End of FRST.txt ========================
emanuelenasta (Author) Posted April 14, 2021 ID:1451340

This is after low level formatting the hard drives (SSD and HDD and USB flash)
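Added example (not part of the thread and not FRST's own code): a small Python triage of the FRST.txt posted above. It reports the boot mode, the hives that could not be read and the drives listed, and counts the "IS MISSING" entries that point at a drive letter absent from the Drives section. The function name `triage_frst` and the abridged sample are constructed for illustration.

```python
import re

# Constructed sample: abridged from the FRST.txt posted in this thread.
SAMPLE = r"""Boot Mode: Recovery
ATTENTION: Could not load system hive.
ATTENTION: System hive is missing.
ATTENTION: Software hive is missing.
C:\Windows\System32\winlogon.exe IS MISSING <==== ATTENTION
C:\Windows\System32\Drivers\volsnap.sys IS MISSING <==== ATTENTION
==================== Drives ================================
Drive d: () (Removable) (Total:0 GB) (Free:0 GB)
Drive x: (Boot) (Fixed) (Total:0.32 GB) (Free:0.32 GB) NTFS
Drive y: (HBCD_PE_x64) (Removable) (Total:57.62 GB) (Free:56.19 GB) NTFS
Could not read MBR for disk 0.
"""

def triage_frst(text):
    """Hypothetical helper: summarise the context an FRST.txt was made in."""
    boot = re.search(r"^Boot Mode:\s*(.+)$", text, re.M)
    hives = re.findall(r"^ATTENTION: (?:Could not load )?(\w+) hive",
                       text, re.M | re.I)
    drives = {d.lower() for d in re.findall(r"^Drive (\w):", text, re.M)}
    missing = re.findall(r"^(\S.*?) IS MISSING <==== ATTENTION", text, re.M)
    # A path such as C:\... whose letter is absent from the Drives section
    # was never visible to the scan, so "missing" says nothing about the file.
    unlisted = [p for p in missing
                if p[1:2] == ":" and p[0].lower() not in drives]
    return {
        "boot_mode": boot.group(1).strip() if boot else None,
        "hives_unavailable": sorted({h.lower() for h in hives}),
        "drives_listed": sorted(drives),
        "missing_total": len(missing),
        "missing_on_unlisted_drive": len(unlisted),
        "target_volume_absent": bool(missing) and len(unlisted) == len(missing),
        "mbr_unreadable_disks": [int(n) for n in re.findall(
            r"Could not read MBR for disk (\d+)", text)],
    }

if __name__ == "__main__":
    for key, value in triage_frst(SAMPLE).items():
        print(f"{key}: {value}")
```

In the posted log every missing file is on C:, which the Drives section does not list, so those entries describe an absent Windows volume rather than individual system files.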
AdvancedSetup (Root Admin) Posted April 14, 2021 ID:1451380

Create a Windows 10 installation USB disk to access the Recovery Environment

You will need an 8GB or larger USB thumb drive to create the Windows 10 USB installation disk.

Download the Microsoft Windows 10 Media Creation Tool
https://www.microsoft.com/en-us/software-download/windows10

The following YouTube video will show you how to use the Media Creation Tool
How to Create Installation Media for Windows 10 | Microsoft

If needed you may need to get into the BIOS / UEFI in order to set the boot order to allow booting from the USB thumb drive
How to enter the BIOS or CMOS setup
Check your user manual that came with the computer or the vendor's website if that does not work for you

Insert the newly created Windows 10 USB installation disk into the affected computer and set the BIOS / UEFI to boot from it.

The first screen shows the installation version information. If needed you can change the Language.
From this screen, press the SHIFT-F10 key combination on your keyboard and it will put you into a Command Prompt.

From there please type in the following:

DISKPART

Then the following commands (in most cases, unless there are multiple disks in the computer, 0 will be the correct disk selection choice)

LIST DISK
SELECT DISK 0
DETAIL DISK
LIST PARTITION
LIST VOLUME

Here is an example from a Virtual computer

Please post back your results

Thank you
emanuelenasta (Author) Posted April 14, 2021 ID:1451383

I had reinstalled W10, I'm sending you the new Farbar scan and the diskpart
emanuelenasta (Author) Posted April 14, 2021 ID:1451385

First of all, thanks for your time. This is the scan.

Addition.txt
FRST.txt
emanuelenasta (Author) Posted April 14, 2021 ID:1451386
emanuelenasta (Author) Posted April 14, 2021 ID:1451387

I insert the OS disk, Malwarebytes on this OS recognizes anything.
AdvancedSetup (Root Admin, Solution) Posted April 14, 2021 ID:1451403

My recommendation is to physically unplug, or remove ALL disks except the one you want to install Windows on.

Then run DISKPART again. Run the LIST DISK and only 1 disk should show up.

Then run SELECT DISK 0 and then issue the command CLEAN

Then power down the computer. Insert the USB Windows 10 installation disk made FRESH from the Microsoft Media Creation Tool and then install Windows again on that disk.

Once Windows 10 is installed, updated, and secure, then you can look at connecting other drives.
emanuelenasta (Author) Posted April 14, 2021 ID:1451413

Hi, I low level formatted ALL disks and the USB with the ISO, I flashed another USB with Rufus, and now the OS seems legit... I ran the sfc scannow, this is a part of the log:

00000219 Warning: Overlap: Directory \??\C:\Program Files (x86)\ is owned twice or has its security set twice
    Original owner: Microsoft-Windows-shell32, version 10.0.19041.906, arch Host= amd64 Guest= x86, nonSxS, pkt {l:8 b:31bf3856ad364e35}
    New owner: Microsoft-Windows-shell32, version 10.0.19041.906, arch Host= amd64 Guest= x86, nonSxS, pkt {l:8 b:31bf3856ad364e35}
2021-04-14 22:36:10, Info CSI 0000021a Warning: Overlap: Directory \??\C:\ProgramData\Microsoft\Windows\Start Menu\ is owned twice or has its security set twice
    Original owner: Microsoft-Windows-shell32, version 10.0.19041.906, arch Host= amd64 Guest= x86, nonSxS, pkt {l:8 b:31bf3856ad364e35}
    New owner: Microsoft-Windows-shell32, version 10.0.19041.906, arch Host= amd64 Guest= x86, nonSxS, pkt {l:8 b:31bf3856ad364e35}
2021-04-14 22:36:10, Info CSI 0000021b Warning: Overlap: Directory \??\C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ is owned twice or has its security set twice
    Original owner: Microsoft-Windows-shell32, version 10.0.19041.906, arch Host= amd64 Guest= x86, nonSxS, pkt {l:8 b:31bf3856ad364e35}
    New owner: Microsoft-Windows-shell32, version 10.0.19041.906, arch Host= amd64 Guest= x86, nonSxS, pkt {l:8 b:31bf3856ad364e35}
2021-04-14 22:36:10, Info CSI 0000021c Warning: Overlap: Directory \??\C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ is owned twice or has its security set twice
    Original owner: Microsoft-Windows-shell32, version 10.0.19041.906, arch Host= amd64 Guest= x86, nonSxS, pkt {l:8 b:31bf3856ad364e35}
    New owner: Microsoft-Windows-shell32, version 10.0.19041.906, arch Host= amd64 Guest= x86, nonSxS, pkt {l:8 b:31bf3856ad364e35}
CSI 000001e0 Warning: Overlap: Directory \??\C:\WINDOWS\SysWOW64\drivers\en-US\ is owned twice or has its security set twice
    Original owner: Microsoft-Windows-Foundation-Default-Security.Resources, version 10.0.19041.1, arch Host= amd64 Guest= x86, culture [l:5]'en-US', nonSxS, pkt {l:8 b:31bf3856ad364e35}
    New owner: Microsoft-Windows-Foundation-Default-Security.Resources, version 10.0.19041.1, arch Host= amd64 Guest= x86, culture [l:5]'en-US', nonSxS, pkt {l:8 b:31bf3856ad364e35}
2021-04-14 22:36:01, Info CSI 000001e1 Warning: Overlap: Directory \??\C:\WINDOWS\SysWOW64\wbem\en-US\ is owned twice or has its security set twice
    Original owner: Microsoft-Windows-Foundation-Default-Security.Resources, version 10.0.19041.1, arch Host= amd64 Guest= x86, culture [l:5]'en-US', nonSxS, pkt {l:8 b:31bf3856ad364e35}
    New owner: Microsoft-Windows-Foundation-Default-Security.Resources, version 10.0.19041.1, arch Host= amd64 Guest= x86, culture [l:5]'en-US', nonSxS, pkt {l:8 b:31bf3856ad364e35}
2021-04-14 22:36:01, Info CSI 000001e2 Warning: Overlap: Directory \??\C:\WINDOWS\help\mui\0409\ is owned twice or has its security set twice
    Original owner: Microsoft-Windows-Foundation-Default-Security.Resources, version 10.0.19041.1, arch Host= amd64 Guest= x86, culture [l:5]'en-US', nonSxS, pkt {l:8 b:31bf3856ad364e35}
    New owner: Microsoft-Windows-Foundation-Default-Security.Resources, version 10.0.19041.1, arch Host= amd64 Guest= x86, culture [l:5]'en-US', nonSxS, pkt {l:8 b:31bf3856ad364e35}
AdvancedSetup (Root Admin) Posted April 14, 2021 ID:1451416

Okay, if you say so but then why are you posting if you think all is good now? Is there something going on that makes you think there is an issue still?
emanuelenasta (Author) Posted April 14, 2021 ID:1451422

I'm only paranoid, I fear that it can return lol
AdvancedSetup (Root Admin) Posted April 14, 2021 ID:1451425

Run the following. Then if that's clean I'll give you a link for things to help prevent future infections.

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.
Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".
Next, when prompted by Windows, allow it to start by clicking Yes
When prompted for scan type, Click on Full scan
Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
Have patience. The entire process may take an hour or more. There is an initial update download.
There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program. ( e.g. their standard program). You do not need to buy or get or install anything else.
When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.
Click The blue “Save scan log” to save the log.
If something was removed and you know it is a false finding, you may click on the blue “Restore cleaned files” ( in blue, at the bottom).
Press Continue when all done. You should click to off the offer for “periodic scanning”.

Note: If you do need to do a File Restore from ESET please follow the directions below
[KB2915] Restore files quarantined by the ESET Online Scanner version 3
https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner
emanuelenasta (Author) Posted April 14, 2021 ID:1451431

Thank you man, I'll run and post the results
Maurice Naggar Posted June 19, 2021 ID:1464248

Hello @emanuelenasta

I hope you are doing well. Are you needing any further help? Are you still with us?
Maurice Naggar Posted June 20, 2021 ID:1464432

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this topic.

Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks