Jump to content

Regenerating strange virus


Go to solution Solved by AdvancedSetup,

Recommended Posts

Hi, I got a strange virus ... when I connect to Internet, I got a black screen and I can do nothing. I reflash windows 10, I format all disk normally and with Aomei partition Assistant, I rebuild the MBR, I do the sfc /safescan and I got many errors, I do the cleanup image, the bootfix I can't do (Permission Denied, I tried many ways but nothing), what can I do? (I flash the w10 from usb burned by rufus, I used also Huion w10 pe). Malwerebytes doesn't recognize it, but some many times the screen became black and I must reflash the os. Thanks you
Link to post
Share on other sites

  • Root Admin

Hello @emanuelenasta

First off, are you trying to save any data or simply trying to wipe the drive and reinstall Windows?

Is your computer a Laptop or Desktop?

What is the Manufacturer name?  HP, Dell, Sony, etc?

What is the Model number?

Are you using an SSD or older mechanical drive  (if you know)

Do you have an 8 GB USB thumb drive that can be formatted and used?

Thanks

 

Link to post
Share on other sites

I have a 2 week ago full backup made with aomei, is a desktop assembled, ssd, yes

5 hours ago, AdvancedSetup said:

Hello @emanuelenasta

First off, are you trying to save any data or simply trying to wipe the drive and reinstall Windows?

Is your computer a Laptop or Desktop?

What is the Manufacturer name?  HP, Dell, Sony, etc?

What is the Model number?

Are you using an SSD or older mechanical drive  (if you know)

Do you have an 8 GB USB thumb drive that can be formatted and used?

Thanks

 

 

Link to post
Share on other sites

  • Root Admin

If the desktop is operational please run the following for me and I'll check back on you tomorrow

 

Did you follow the directions to clean Google Chrome?

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

 

 

Link to post
Share on other sites

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 14-04-2021
Ran by SYSTEM on MININT-PEQD04 (14-04-2021 17:43:25)
Running from X:\Users\Default\Downloads
Platform: WIN_10 (X64) Language: English (United States)
Boot Mode: Recovery
ATTENTION: Could not load system hive.
ATTENTION: System hive is missing.


==================== Registry (Whitelisted) ===================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

ATTENTION: Software hive is missing.

==================== Scheduled Tasks (Whitelisted) ============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One month (created) (All) =========

(If an entry is included in the fixlist, the file/folder will be moved.)


==================== One month (modified) ==================

(If an entry is included in the fixlist, the file/folder will be moved.)


==================== KnownDLLs (Whitelisted) =========================


==================== SigCheck ============================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe IS MISSING <==== ATTENTION
C:\Windows\System32\wininit.exe IS MISSING <==== ATTENTION
C:\Windows\explorer.exe IS MISSING <==== ATTENTION
C:\Windows\SysWOW64\explorer.exe IS MISSING <==== ATTENTION
C:\Windows\System32\svchost.exe IS MISSING <==== ATTENTION
C:\Windows\SysWOW64\svchost.exe IS MISSING <==== ATTENTION
C:\Windows\System32\services.exe IS MISSING <==== ATTENTION
C:\Windows\System32\User32.dll IS MISSING <==== ATTENTION
C:\Windows\SysWOW64\User32.dll IS MISSING <==== ATTENTION
C:\Windows\System32\userinit.exe IS MISSING <==== ATTENTION
C:\Windows\SysWOW64\userinit.exe IS MISSING <==== ATTENTION
C:\Windows\System32\rpcss.dll IS MISSING <==== ATTENTION
C:\Windows\System32\dnsapi.dll IS MISSING <==== ATTENTION
C:\Windows\SysWOW64\dnsapi.dll IS MISSING <==== ATTENTION
C:\Windows\System32\dllhost.exe IS MISSING <==== ATTENTION
C:\Windows\SysWOW64\dllhost.exe IS MISSING <==== ATTENTION
C:\Windows\System32\Drivers\volsnap.sys IS MISSING <==== ATTENTION
C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} IS MISSING <==== ATTENTION
C:\Windows\System32\InputHost.dll IS MISSING <==== ATTENTION
C:\Windows\System32\winsrv.dll IS MISSING <==== ATTENTION

==================== Restore Points  =========================


==================== Memory info =========================== 

Percentage of memory in use: 10%
Total physical RAM: 32681.12 MB
Available physical RAM: 29290.74 MB
Total Virtual: 32681.12 MB
Available Virtual: 29274.13 MB

==================== Drives ================================

Drive d: () (Removable) (Total:0 GB) (Free:0 GB) 
Drive x: (Boot) (Fixed) (Total:0.32 GB) (Free:0.32 GB) NTFS
Drive y: (HBCD_PE_x64) (Removable) (Total:57.62 GB) (Free:56.19 GB) NTFS


==================== MBR & Partition Table ====================
 Could not read MBR for disk 0.
 Could not read MBR for disk 1.

==========================================================
Disk: 4 (MBR Code: Windows 7/8/10) (Size: 57.6 GB) (Disk ID: 04BCA205)
Partition 1: (Active) - (Size=57.6 GB) - (Type=07 NTFS)
 Could not read MBR for disk 5.
==================== End of FRST.txt ========================

Link to post
Share on other sites

  • Root Admin

Create a Windows 10 installation USB disk to access the Recovery Environment

You will need an 8GB or larger USB thumb drive to create the Windows 10 USB installation disk

Download the Microsoft Windows 10 Media Creation Tool
https://www.microsoft.com/en-us/software-download/windows10

 

The following YouTube video will show you how to use the Media Creation Tool

How to Create Installation Media for Windows 10 | Microsoft

 

If needed you may need to get into the BIOS / UEFI in order to set the boot order to allow booting from the USB thumb drive

How to enter the BIOS or CMOS setup

Check your user manual that came with the computer or the vendor's website if that does not work for you

 

Insert the newly created Windows 10 USB installation disk into the affected computer and set the BIOS / UEFI to boot from it.

The first screen shows the installation version information. If needed you can change the Language

image.png

 

From this screen press, the SHIFT-F10 key combination on your keyboard and it will put you into a Command Prompt

From there please type in the following:  DISKPART

Then the following commands (in most cases, unless there are multiple disks in the computer, 0 will be the correct disk selection choice)

LIST DISK
SELECT DISK 0
DETAIL DISK
LIST PARTITION
LIST VOLUME

 

Here is an example from a Virtual computer

image.png

Please post back your results

Thank you

 

 

 

Link to post
Share on other sites

  • Root Admin
  • Solution

My recommendation is to physically unplug, or remove ALL disks except the one you want to install Windows on.

Then run DISKPART again. Run the LIST DISK and only 1 disk should show up.

Then run SELECT DISK 0 and then issue the command  CLEAN

Then power down the computer. Insert the USB Windows 10 installation disk made FRESH from the Microsoft Media Creation Tool and then install Windows again on that disk.

Once Windows 10 is installed, updated, and secure. Then you can look at connecting other drives

 

Link to post
Share on other sites

Hi, I low level formatted ALL disks and the usb with iso, I flash another usb with rufis, and now seems legit the os... I run the sfc scannow this is a part of the log:

    00000219 Warning: Overlap: Directory \??\C:\Program Files (x86)\ is owned twice or has its security set twice
   Original owner: Microsoft-Windows-shell32, version 10.0.19041.906, arch Host= amd64 Guest= x86, nonSxS, pkt {l:8 b:31bf3856ad364e35}
   New owner: Microsoft-Windows-shell32, version 10.0.19041.906, arch Host= amd64 Guest= x86, nonSxS, pkt {l:8 b:31bf3856ad364e35}
2021-04-14 22:36:10, Info                  CSI    0000021a Warning: Overlap: Directory \??\C:\ProgramData\Microsoft\Windows\Start Menu\ is owned twice or has its security set twice
   Original owner: Microsoft-Windows-shell32, version 10.0.19041.906, arch Host= amd64 Guest= x86, nonSxS, pkt {l:8 b:31bf3856ad364e35}
   New owner: Microsoft-Windows-shell32, version 10.0.19041.906, arch Host= amd64 Guest= x86, nonSxS, pkt {l:8 b:31bf3856ad364e35}
2021-04-14 22:36:10, Info                  CSI    0000021b Warning: Overlap: Directory \??\C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ is owned twice or has its security set twice
   Original owner: Microsoft-Windows-shell32, version 10.0.19041.906, arch Host= amd64 Guest= x86, nonSxS, pkt {l:8 b:31bf3856ad364e35}
   New owner: Microsoft-Windows-shell32, version 10.0.19041.906, arch Host= amd64 Guest= x86, nonSxS, pkt {l:8 b:31bf3856ad364e35}
2021-04-14 22:36:10, Info                  CSI    0000021c Warning: Overlap: Directory \??\C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ is owned twice or has its security set twice
   Original owner: Microsoft-Windows-shell32, version 10.0.19041.906, arch Host= amd64 Guest= x86, nonSxS, pkt {l:8 b:31bf3856ad364e35}
   New owner: Microsoft-Windows-shell32, version 10.0.19041.906, arch Host= amd64 Guest= x86, nonSxS, pkt {l:8 b:31bf3856ad364e35}

CSI    000001e0 Warning: Overlap: Directory \??\C:\WINDOWS\SysWOW64\drivers\en-US\ is owned twice or has its security set twice
   Original owner: Microsoft-Windows-Foundation-Default-Security.Resources, version 10.0.19041.1, arch Host= amd64 Guest= x86, culture [l:5]'en-US', nonSxS, pkt {l:8 b:31bf3856ad364e35}
   New owner: Microsoft-Windows-Foundation-Default-Security.Resources, version 10.0.19041.1, arch Host= amd64 Guest= x86, culture [l:5]'en-US', nonSxS, pkt {l:8 b:31bf3856ad364e35}
2021-04-14 22:36:01, Info                  CSI    000001e1 Warning: Overlap: Directory \??\C:\WINDOWS\SysWOW64\wbem\en-US\ is owned twice or has its security set twice
   Original owner: Microsoft-Windows-Foundation-Default-Security.Resources, version 10.0.19041.1, arch Host= amd64 Guest= x86, culture [l:5]'en-US', nonSxS, pkt {l:8 b:31bf3856ad364e35}
   New owner: Microsoft-Windows-Foundation-Default-Security.Resources, version 10.0.19041.1, arch Host= amd64 Guest= x86, culture [l:5]'en-US', nonSxS, pkt {l:8 b:31bf3856ad364e35}
2021-04-14 22:36:01, Info                  CSI    000001e2 Warning: Overlap: Directory \??\C:\WINDOWS\help\mui\0409\ is owned twice or has its security set twice
   Original owner: Microsoft-Windows-Foundation-Default-Security.Resources, version 10.0.19041.1, arch Host= amd64 Guest= x86, culture [l:5]'en-US', nonSxS, pkt {l:8 b:31bf3856ad364e35}
   New owner: Microsoft-Windows-Foundation-Default-Security.Resources, version 10.0.19041.1, arch Host= amd64 Guest= x86, culture [l:5]'en-US', nonSxS, pkt {l:8 b:31bf3856ad364e35}

 

Link to post
Share on other sites

  • Root Admin

Run the following. Then if that's clean I'll give you a link for things to help prevent future infections

 

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started. 
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes 
  • When prompted for scan type, Click on Full scan 
  • Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on the Start scan button.
  • Have patience.  The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program.   ( e.g. their standard program).   You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
  • Click The blue “Save scan log” to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at the bottom).
  • Press Continue when all done.  You should click to off the offer for “periodic scanning”.

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

Link to post
Share on other sites

  • 2 months later...

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.