Closed/Inactive DUMB hard virus removal, need help

Status: Not open for further replies.

U$erNAM (PCHF Member), Jun 30, 2019
My gf was using my pc to game, came home from work and there's a Trojan installed. I've been able to delete the Trojan from my hard drives but the effects are still there and are as follows:
  • There's a hidden Admin account I can't see
  • My antivirus was removed
  • Can't download any files
  • Portable USB files won't install any software
  • Windows Defender's whitelist is blocked from editing
  • Force reset is disabled
  • Any security audit is disabled
  • Updating Windows through any means is disabled
  • Can't connect to update repositories


Basically to get the virus off I made a little batch file to commandeer the infected files and take ownership of them then promptly delete. But if I try to do anything to revert the virus havoc I’m met by a lack of admin privileges or windows just won’t do it. Any ideas on my next step?
 
From Safe Mode with Networking.

Please download the FRST 32 bit or FRST 64bit version to suit your operating system. It is important FRST is downloaded to your desktop.

If you are unsure if your operating system is 32 or 64 Bit please go HERE.

Once downloaded, right click the FRST desktop icon and select "Run as administrator" from the menu.
If you receive any security warnings, or the User Account Control warning opens at any time whilst using FRST you can safely allow FRST to proceed.
FRST will open with two dialogue boxes; accept the disclaimer.

  1. Accept the default whitelist options.
  2. If the Addition.txt options box is not checked, please select it.
  3. Then select Scan.


FRST will take a few minutes to scan your computer, and when finished will produce two log files on your desktop, FRST.txt and Addition.txt. They will display immediately on the desktop, but can be reopened later as a Notepad file.


Please copy and paste the contents of these logs in your next post for review by our Security Team.
 
Boot in the Recovery Environment

To enter the Recovery Environment with Windows Vista and Windows 7, follow the instructions below:
  • Restart the computer
  • Once you've seen your BIOS splash screen (the computer manufacturer logo), tap the F8 key repeatedly until the Advanced Boot Options menu appears
  • Use the arrow keys to select Repair your computer, and press Enter
  • Select your keyboard layout (US, French, etc.) and click on Next
  • Click on Command Prompt to open the command prompt
  Note: If you can't access the Recovery Environment using the F8 method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or on another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on SevenForums.

To enter the Recovery Environment with Windows 8 or Windows 8.1, follow the instructions in this tutorial on EightForums.
  Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or on another one running the same version of Windows as the one you plan to use it on.

To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums.
  Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or on another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on TenForums.
  • After any of these actions is performed, all user sessions are signed off and the Boot Options menu is displayed. The PC will restart into WinRE and the selected feature is launched.
  • On the boot options, select Troubleshooting > Advanced Options > Command prompt.

Once in the command prompt:

  • Plug your USB Flash Drive into the infected computer
  • In the command prompt, type notepad and press Enter
  • Notepad will open. Click on the File menu and select Open
  • Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad
  • In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe) and press Enter
    Note: Replace the letter e with the drive letter of your USB Flash Drive
  • FRST will open
  • Click on Yes to accept the disclaimer
  • Press the Scan button
  • These actions will produce a log. Please copy and paste it in your reply.
 
Another trick you may be able to do...

  1. Open the command prompt and type hh h (or do this from the Start search bar).
  2. Hit Enter.
  3. Click on the question mark in the top left of the user interface.
  4. Click on Jump to URL.
  5. Type in this URL: https://toolslib.net/downloads/viewdownload/85-processclose/
  6. Save Process Close to your desktop.
  7. Make sure that you have FRST on the desktop as well.
  8. Right click Process Close and run as admin (in your case double click, as you may not have admin privileges).
  9. Select [...] Browse.
  10. Go to the Users folder and double click it.
  11. Then select your user ID.
  12. Then select Desktop.
  13. Right click FRST and run as admin.
 
I tried all the steps you recommended; I run into a lack of admin privileges or Windows won't do anything. I think a hard reset is in order. How do I go about doing that knowing my situation?
 
Have you tried the steps in my other post involving the hh h browser and Process Close?
Windows doesn't do anything; I get no error, yet it doesn't start anything. I somehow completed an sfc /scannow and have the logs for it. You want to see the cbs.log?
 
See if you are able to run one of these versions of Rkill.
 

Attachments: iExplore.zip (823.9 KB), rkill.zip (823.9 KB), rkill-unsigned.zip (812.9 KB)
Also, since you were able to pull off an sfc /scannow, I think you might be able to enable the built-in admin account or create a new account through the command prompt; then use the Bootsafe tool to enable Safe Mode so we can get a FRST scan from the infected account.

Once you have created the new account, log out of the infected account and run the Bootsafe tool from the new account.

Once in Safe Mode, run a FRST scan on the infected account.
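The account work suggested above, written out as an added PowerShell example that is not from anyone in this thread: it lists every local account and every member of the local Administrators group (which is how a "hidden" admin account like the one the original poster describes would show up), checks the Winlogon SpecialAccounts\UserList registry key that is commonly used to hide an account from the sign-in screen, and then either re-enables the built-in Administrator or creates a fresh local admin to work from. It assumes an elevated PowerShell session on Windows 10 or later (the Microsoft.PowerShell.LocalAccounts cmdlets); the account name CleanupAdmin is a made-up placeholder.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt
# (Windows 10+, Microsoft.PowerShell.LocalAccounts module).

# 1. Every local account, enabled or not, so a disabled or renamed one is not missed.
Get-LocalUser | Select-Object Name, Enabled, SID, LastLogon | Format-Table -AutoSize

# 2. Current members of the local Administrators group (local, domain or Microsoft accounts).
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource, SID | Format-Table -AutoSize

# 3. Accounts hidden from the sign-in screen: a DWORD value named after the account
#    with data 0 under this Winlogon key removes it from the logon UI.
$userList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
if (Test-Path $userList) {
    Get-ItemProperty -Path $userList |
        Select-Object -Property * -ExcludeProperty PS* |
        ForEach-Object { $_.PSObject.Properties } |
        Where-Object { $_.Value -eq 0 } |
        ForEach-Object { Write-Warning "Account hidden from the sign-in screen: $($_.Name)" }
} else {
    Write-Output 'No SpecialAccounts\UserList key present, so nothing is hidden that way.'
}

# 4a. Re-enable the built-in Administrator (its SID always ends in RID 500) and set a password.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
$pw = Read-Host -AsSecureString 'New password for the built-in Administrator'
$builtin | Set-LocalUser -Password $pw
$builtin | Enable-LocalUser

# 4b. Or create a separate local admin account to log on with and run the scans from.
$name = 'CleanupAdmin'   # hypothetical account name, pick your own
$pw2  = Read-Host -AsSecureString "Password for $name"
New-LocalUser -Name $name -Password $pw2 -Description 'Temporary cleanup account' | Out-Null
Add-LocalGroupMember -Group 'Administrators' -Member $name
```

If only cmd.exe is available, the classic equivalents are `net user Administrator /active:yes` and `net user CleanupAdmin <password> /add` followed by `net localgroup Administrators CleanupAdmin /add`. Whichever route is used, the listing in steps 1 to 3 is worth saving alongside the FRST logs, because any account that appears there but is unknown to the owner is something the helpers will want to see.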
 