Unsolved

December 12th, 2008 20:00

Will Restoring My PC to Factory Settings Remove Virus?

A few days ago on my PC (I'm using another right now) my internet started freezing up, then my ctrl, alt, del would not work or freeze, and/or my cursor would freeze. I had to reboot the computer several times but a virus scan turned up nothing. Now it happens after a few minutes and everything freezes up. A scan with AVG Free detected some virus but the scan froze and I didn't record the virus' name, because I knew I could check the scan log and delete it, but the scan log was corrupted. Now it can't get through one scan. I tried a restore point to before it started acting up but it didn't work. I have run out of options except taking it in to a shop to get it removed for money, restoring it to factory settings, or reinstalling Vista, which I've had to do twice for non-viral problems with Vista. Can anyone tell me if restoring to factory settings will guarantee the removal of the virus?

22 Posts

December 12th, 2008 20:00

I can't download it. It loads much slower than it should, and when it finishes, the dialog box freezes so it doesn't finish downloading to my desktop. Running it instead of saving it didn't give enough time because it froze mid installation.

Here are 3 error messages that popped up when things really got bad:

Error message 1: eplorer.exe-Application Error

The instruction at 0x75f686b4 referenced memory at 0x7350b938. The required data was not placed into memory because of an I/O error status of 0xc0000056

Error message 2: ::{26EE0668-A00A-44D7-9371-BEB064C98683}

::{26EE0668-A00A-44D7-9371-BEB064C98683} application not found

Error message 3: Logon process has failed to create the security options dialog

Failure-Security options

 

Also, it freezes in safe mode

20.5K Posts

December 12th, 2008 20:00

The way I'm reading this is that AVG found some virus and now will not do a complete scan. Have you tried anything besides AVG?

How about MBAM? See if you can download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
    Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a USB stick or CD and then copy it to the infected machine.

On the Scanner tab:

  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top.
  • It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report along with a fresh HijackThis log into your next reply and exit MBAM.

Note:
-- If MBAM encounters a file that is difficult to remove,
you may be asked to reboot your computer so it can proceed with the disinfection process.
Regardless of whether you are prompted to restart the computer or not, please do so immediately.
Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

-- MBAM may make changes to your registry as part of its disinfection routine.
If you're using other security programs that detect registry changes (like Spybot's Teatimer),
they may interfere with the fix or alert you after scanning with MBAM.
Please disable such programs until disinfection is complete or permit them to allow the changes.

* If you are unable to download or install MBAM on your computer, see if you can use a friend's or family member's computer to download MBAM. Use the update link mentioned above to manually update. Once downloaded, rename the program installer "mbam-setup.exe" file to something else like "lookinhere.exe". Copy the installer file and the update file to a CD or flash drive. Transfer the file to the infected computer. Install the "lookinhere.exe" file, then run the update so that you will have the current definitions. After that, run a full system scan and select to have the program REMOVE whatever it finds.

22 Posts

December 12th, 2008 21:00

I'll try the DDS thing but first I wanted you to know I got the malwarebytes thing to install but it freezes after about 12,000 files, and the computer restarts on its own unsuccessfully. Also, how do I disable script blocking protection?

20.5K Posts

December 12th, 2008 21:00


See if you can download DDS and save it to your desktop.

  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.

---------------------------------------------------
Please include the contents of the following logs by copying and pasting the text of each into your next reply:

DDS.txt
Attach.txt

20.5K Posts

December 13th, 2008 06:00

If you are using Symantec's (which runs even in Safemode):

1. Start Norton AntiVirus.
If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.
2. Click Options.
If you see a menu, click Norton AntiVirus.
3. In the left pane, click Script Blocking.
4. In the right pane, uncheck Enable Script Blocking (recommended).
5. Click OK.

22 Posts

December 17th, 2008 15:00

I got the scan log from the DDS but I can't attach it because the file type isn't supported. I could email it possibly. Also, I noticed a lot of new threads say their PC has been hijacked. I know my scanner found a virus but could I be hijacked?

22 Posts

December 17th, 2008 16:00

Here's the DDS file:

DDS (Version 1.0.1) - NTFSx86 
Run by Brandon at 16:40:32.22 on Wed 12/17/2008
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.1.1033.18.3069.1921 [GMT -8:00]

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\ZoneLabs\vsmon.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Brandon\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg8\avgssie.dll
BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
AppInit_DLLs: avgrsstx.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-20 97928]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-9-20 875288]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-9-20 231704]
R3 AvgWfpX;AVG8 Firewall Driver x86;c:\windows\system32\drivers\avgwfpx.sys [2008-9-20 69128]
R3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2006-11-2 987648]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2006-11-2 251904]
S3 Agmksvr;Agmksvr;c:\windows\system32\drivers\msdsm.sys [2006-11-2 80488]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-12 38496]

=============== Created Last 30 ================

2008-12-12 21:13   --d----- c:\users\brandon\appdata\roaming\Malwarebytes
2008-12-12 21:13 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-12 21:13 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-12 21:13   --d----- c:\programdata\Malwarebytes
2008-12-12 21:13   --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-12 21:13   --d----- c:\progra~2\Malwarebytes
2008-12-10 17:56 170,496 a------- c:\windows\system32\tcpipcfg.dll
2008-12-10 17:56 22,528 a------- c:\windows\system32\netiougc.exe
2008-12-10 17:55 1,221,008 a------- c:\windows\system32\zpeng25.dll
2008-12-10 17:54 348,371 a---h--- c:\windows\system32\drivers\vsconfig.xml
2008-12-10 17:54 293,776 a------- c:\windows\system32\drivers\vsdatant.sys
2008-12-10 17:54   --d----- c:\windows\system32\ZoneLabs
2008-12-10 16:54   --d----- c:\windows\Registration
2008-12-10 15:56   --d----- c:\program files\Zone Labs
2008-12-10 15:54   --d----- c:\programdata\CheckPoint
2008-12-10 15:54   --d----- c:\progra~2\CheckPoint
2008-12-10 15:54   --d----- c:\windows\Internet Logs

==================== Find3M  ====================

2008-12-10 17:54 86,016 a------- c:\windows\inf\infstrng.dat
2008-12-10 17:54 51,200 a------- c:\windows\inf\infpub.dat
2008-12-10 17:54 86,016 a------- c:\windows\inf\infstor.dat
2008-10-18 17:29 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
2008-10-16 14:08 162,064 a------- c:\windows\system32\wuwebv.dll
2008-10-16 13:56 31,232 a------- c:\windows\system32\wuapp.exe
2008-10-16 12:56 1,524,736 a------- c:\windows\system32\wucltux.dll
2008-10-16 12:55 83,456 a------- c:\windows\system32\wudriver.dll
2008-10-01 19:49 827,392 a------- c:\windows\system32\wininet.dll
2008-09-21 10:19 10,520 a------- c:\windows\system32\avgrsstx.dll
2008-09-20 16:30 174 a--sh--- c:\program files\desktop.ini
2008-09-20 16:20 665,600 a------- c:\windows\inf\drvindex.dat
2008-09-20 15:38 101,888 a------- c:\windows\system32\ifxcardm.dll
2008-09-20 15:38 82,432 a------- c:\windows\system32\axaltocm.dll
2008-09-20 13:37 2,048 a------- c:\windows\system32\tzres.dll
2008-09-20 13:36 269,312 a------- c:\windows\system32\es.dll
2008-09-20 13:36 303,616 a------- c:\windows\system32\wmpeffects.dll
2008-09-20 13:18 361,984 a------- c:\windows\system32\IPSECSVC.DLL
2008-09-20 13:18 272,896 a------- c:\windows\system32\polstore.dll
2008-09-20 13:18 61,440 a------- c:\windows\system32\winipsec.dll
2008-09-20 13:18 28,672 a------- c:\windows\system32\FwRemoteSvr.dll
2008-09-20 13:16 28,160 a------- c:\windows\system32\Apphlpdm.dll
2008-09-20 13:16 2,560 a------- c:\windows\apppatch\AcRes.dll
2008-09-20 13:16 2,154,496 a------- c:\windows\apppatch\AcGenral.dll
2008-09-20 13:16 541,696 a------- c:\windows\apppatch\AcLayers.dll
2008-09-20 13:16 460,288 a------- c:\windows\apppatch\AcSpecfc.dll
2008-09-20 13:16 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2008-09-20 13:16 1,695,744 a------- c:\windows\system32\gameux.dll
2008-09-20 13:16 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2008-09-20 12:56 6,656 a------- c:\windows\system32\kbd106n.dll
2008-09-20 12:56 988,216 a------- c:\windows\system32\winload.exe
2008-09-20 12:56 927,288 a------- c:\windows\system32\winresume.exe
2008-09-20 12:56 378,368 a------- c:\windows\system32\srcore.dll
2008-09-20 12:56 318,464 a------- c:\windows\system32\rstrui.exe
2008-09-20 12:56 46,592 a------- c:\windows\system32\setbcdlocale.dll
2008-09-20 12:56 40,960 a------- c:\windows\system32\srclient.dll
2008-09-20 12:56 19,000 a------- c:\windows\system32\kd1394.dll
2008-09-20 12:56 14,848 a------- c:\windows\system32\srdelayed.exe
2008-09-20 12:56 615,992 a------- c:\windows\system32\ci.dll
2008-09-20 12:54 295,936 a------- c:\windows\system32\gdi32.dll
2008-09-20 12:52 14,848 a------- c:\windows\system32\wshrm.dll
2008-09-20 12:51 738,304 a------- c:\windows\system32\inetcomm.dll
2008-09-20 12:51 84,480 a------- c:\windows\system32\INETRES.dll
2008-09-20 12:51 1,314,816 a------- c:\windows\system32\quartz.dll
2006-11-02 04:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 04:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 04:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 04:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 01:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 01:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 01:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 01:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 16:41:53.03 ===============

20.5K Posts

December 17th, 2008 18:00

Are you able to run MBAM in Safemode? If not, restoring to factory settings just may be something to consider. I've been having a problem posting on these forums without getting errors, so if I don't reply, that is why. Hopefully, Dell will fix the posting problem soon. Perhaps another helper will pick up this thread if I am unable to reply.

22 Posts

December 17th, 2008 19:00

I also noticed the scan froze on two different registry keys on two scans. They were in a place called HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

I don't know if that helps at all. I couldn't find the specific folder.

22 Posts

December 17th, 2008 19:00

I just tried a quick scan again. It froze after 29 seconds at 12160 files which has happened before. The computer restarted on its own. Is it a guarantee restoring to factory settings will cure it or will the restored factory copy of Vista be corrupted too? Thanks a lot. I don't have too much to lose by resetting to factory.

20.5K Posts

December 17th, 2008 21:00

The problem with MBAM will probably be fixed in the next version. I cannot guarantee that a factory restore will help, but if I were you, and Vista was installed by Dell, I'd give it a try. I do not work for Dell. This is a user to user forum. Considering your many errors, restoring might be the way to go.

22 Posts

December 19th, 2008 14:00

For some reason, my advanced boot menu doesn't have a repair computer option needed to restore to factory settings. I thought about reinstalling the OS but wouldn't the virus be stored in a Windows.old folder on my D drive?
