raken

CLOSED After Emsisoft Malware installed 10-26-2017 BSOD every reboot no exe or admin rights (for days)

After quarantining items found during a scan, the computer shut down. I was able, after hours, to reboot into safe mode with networking. Following a reboot after hours and hours, the sign-in screen appeared. I signed in and attempted to view logs etc. I continuously received file system error 1073741819 errors and rundll32.exe 0xc0000005 errors. Obviously nothing worked. After attempting to use the Control Panel, everything hung. I hit the Escape button and the computer went to BSOD. I left it on and went to bed. After multiple attempts to access it, I was eventually able to sign in and everything appeared to be back to normal. No more error codes etc. After shutting it off, I am back to square one. I have no exe, error code 1073741819 etc., and am now afraid to shut it off.

Looking at the Emsisoft logs, it was running the entire time and doing frequent updates, which I had to shut off. My D drive seemed to be gaining a lot of data. I can't 100% guarantee the chronological order of these events, as this has been going on for days.

I have an HP Pavilion P7-1414PC, Next Gen AMD Quad Core AB5500 Accelerated Processor, 64-bit. This was taken from the tag on the tower. No access to info in the Control Panel. I cannot attach the logs as they won't export, nor can I copy & paste them. If you know of an alternative...

I believe the issue lies somewhere with HKey Users S-1-15-21 3931398849...software Microsoft Windows, which it originally quarantined and then released. I am at a loss and certainly afraid to do anything at this point. It has become way beyond my level of expertise or comfort. According to the logs, on 10/26 @ 10:01 Protection Started, and at 10:27 Shutdown received. Nowhere throughout the rest of the logs does it note any further shutdowns, though there have been more, and Emsisoft has continued to run while nothing else does.

What other AntiVirus software is installed?

Restore the system to an earlier date.  There should be a restore point that was created at the time Emsisoft was installed.

Malwarebytes and Avast. I am unable to access the Control Panel to look at System Restore.
I receive the following error: "app was unable to start correctly (0xc0000005)". I'm not sure how to proceed, so I am open to suggestions.

EAM and Avast are not compatible. In fact, our installer warns when other AVs are installed, and that installing EAM alongside another AV can lead to problems.

Uninstall EAM.


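A quick way to answer the question above (which other antivirus software is installed) and to see why the reply about EAM and Avast matters, as an added PowerShell example that is not part of the original thread or of Emsisoft's tooling: it lists the products registered with Windows Security Center and the file-system minifilters loaded in Microsoft's published "FSFilter Anti-Virus" altitude range (320000-329999). The decoding of productState is the commonly used convention rather than a Microsoft-documented format (an assumption), and root/SecurityCenter2 only exists on client editions of Windows, not on Server.

```powershell
# Added example, not code from the original thread or from Emsisoft.
# Lists the antivirus products registered with Windows Security Center and the
# file-system minifilters in Microsoft's anti-virus altitude range (320000-329999),
# so that two real-time scanners running side by side (here EAM plus Avast) show up
# before they start fighting over the same file operations.
# Run from an elevated PowerShell prompt on Windows 8/10/11 (fltmc needs admin).

function Get-RegisteredAntivirus {
    # Third-party AVs register in root/SecurityCenter2 on client editions of Windows.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        ForEach-Object {
            # productState is an undocumented bit field; the decoding below is the
            # widely used convention (assumption): byte 1 = 0x10 when real-time
            # protection is on, byte 0 = 0x10 when signatures are out of date.
            # Example: 266240 = 0x041000 -> on and up to date; 393216 = 0x060000 -> off.
            $state = [int]$_.productState
            [pscustomobject]@{
                Product       = $_.displayName
                RealTimeOn    = ((($state -shr 8) -band 0xFF) -eq 0x10)
                SigsOutOfDate = (($state -band 0xFF) -eq 0x10)
                Path          = $_.pathToSignedProductExe
            }
        }
}

function Get-AntivirusMinifilters {
    # fltmc prints a header line, a separator, then "Name  Instances  Altitude  Frame".
    fltmc.exe filters 2>$null |
        Select-Object -Skip 2 |
        ForEach-Object {
            $cols = ($_.Trim() -split '\s+')
            if ($cols.Count -ge 3 -and $cols[2] -match '^\d+') {
                [pscustomobject]@{
                    Filter    = $cols[0]
                    Instances = [int]$cols[1]
                    Altitude  = [double]$cols[2]
                }
            }
        } |
        # Microsoft's "FSFilter Anti-Virus" load-order group.
        Where-Object { $_.Altitude -ge 320000 -and $_.Altitude -lt 330000 }
}

$avs = @(Get-RegisteredAntivirus)
$avs | Format-Table -AutoSize

$filters = @(Get-AntivirusMinifilters)
$filters | Format-Table -AutoSize

$activeScanners = @($avs | Where-Object RealTimeOn)
if ($activeScanners.Count -gt 1 -or $filters.Count -gt 1) {
    $msg = "{0} real-time AV product(s) and {1} anti-virus minifilter(s) loaded; " +
           "uninstall all but one before chasing BSODs or 0xc0000005 errors." -f
           $activeScanners.Count, $filters.Count
    Write-Warning $msg
}
```

Two entries with RealTimeOn set, or two filters in the anti-virus altitude range, is the situation the reply above warns about: both products hook the same file operations and each sees the other's scanning as suspicious. A product that was uninstalled but still shows up here has left its registration or driver behind, which is what the manual driver removal later in this thread addresses.
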
If the uninstall fails to remove the drivers, I can attempt to remove them manually.

To do that I would need logs from FRST.

Download Farbar Recovery Scan Tool and save it to your desktop.

For 32-bit (x86) systems, download Farbar Recovery Scan Tool and save it to your desktop.
For 64-bit (x64) systems, download Farbar Recovery Scan Tool x64 and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to the disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

I am waiting. I did the uninstall and received no prompt to confirm. After clicking again, a prompt said this action can't be completed, it may have already been uninstalled. I hit restart and am looking at a blue screen now. Giving it some time....

Everything appears to be working.... Here are the Farbar reports you requested. There are a lot of things there that have never showed up on any of my scans. It is rather intimidating, as there are programs there I never knew about. The games came preloaded when I purchased it, along with a Norton trial. I had downloaded Norton's removal tool and yet it still shows up. I am baffled how so much stuff made it past the scans I do. I have no idea what Bonjour is or where it came from; I'm guessing SearchScopes is some type of adware. Quite intimidating really..... I'll wait for your response.... Thank you.

FRST.txt

Addition.txt

I apologize.  Another look and I realized EAM is still installed.  I am in the process of uninstalling and I did receive a confirmation prompt.  It is rebooting now.  I will rerun farbar and post logs thereafter.  I normally don't miss the obvious but I seem to be excelling in that area.... Thanks for your patience and my apologies once again.

It still took some time to reboot. Initially the computer was very slow. It took 3 minutes to sign in, but everything seems to be working well.... I re-ran the Farbar scans and will attach them below. It still looks like there are some nasties floating around, but I don't fully understand the reports. I hate to think after all of this that is so.... but they get meaner all the time, I guess. I will check back late morning.

FRST.txt

Addition.txt

Nothing malicious in the logs.  Several orphaned items and some leftovers from EAM, NIS, and Spybot.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKU\S-1-5-21-3931398849-2409981081-523692491-1001\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
FF ProfilePath: C:\Users\karen\AppData\Roaming\Profiles\k534z5jq.default [2013-03-09] <==== ATTENTION
2017-10-30 21:44 - 2017-10-30 21:44 - 000000000 ____D C:\Users\karen\AppData\Local\{6CA19E2D-207B-4D81-82BD-B13B1B89BCBC}
2017-10-26 02:51 - 2015-03-24 00:17 - 000135800 _____ (Emsisoft GmbH) C:\WINDOWS\system32\Drivers\epp64.sys
2017-10-30 23:27 - 2015-11-18 18:58 - 000000000 ____D C:\Program Files (x86)\Emsisoft Anti-Malware
2017-10-30 23:26 - 2015-11-18 23:52 - 000000000 ____D C:\ProgramData\Emsisoft
CustomCLSID: HKU\S-1-5-21-3931398849-2409981081-523692491-1001_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 -> C:\Users\karen\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-3931398849-2409981081-523692491-1001_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 -> C:\Users\karen\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-3931398849-2409981081-523692491-1001_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 -> C:\Users\karen\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\amd64\FileSyncShell64.dll => No File
Task: {0D8A891D-890C-4808-84D8-2F436AB14653} - \Microsoft\Windows\Application Experience\AitAgent -> No File <==== ATTENTION
Task: {1274336E-AB06-46B6-A48C-0671C5557CC6} - \Microsoft\Windows\TaskScheduler\Maintenance Configurator -> No File <==== ATTENTION
Task: {1687544D-7247-4F5A-965A-A6E920E55278} - \Microsoft\Windows\TaskScheduler\Manual Maintenance -> No File <==== ATTENTION
Task: {40525C58-79C2-47A1-9AA2-F1D7FC4F0691} - \Microsoft\Windows\WindowsBackup\ConfigNotification -> No File <==== ATTENTION
Task: {6F02587F-8A2B-4552-97F6-DEEF229E335B} - \Microsoft\Windows\TaskScheduler\Idle Maintenance -> No File <==== ATTENTION
Task: {8560DC3C-BDDB-45C9-B976-3E5FFAA203AB} - System32\Tasks\Norton WSC Integration => C:\Program Files (x86)\Norton Internet Security\Engine\20.3.0.36\WSCStub.exe
Task: {B7992938-01F1-4F40-A0EC-0D23D2F0F152} - \Microsoft\Windows\TaskScheduler\Regular Maintenance -> No File <==== ATTENTION
Task: {CFD7C21A-808B-487B-A6EC-8A10E44E8360} - \Microsoft\Windows\SettingSync\BackupTask -> No File <==== ATTENTION
Task: {DD73E366-DC9D-426E-B2C6-57E2BA471095} - System32\Tasks\Norton Internet Security\Norton Error Analyzer => C:\Program Files (x86)\Norton Internet Security\Engine\20.3.0.36\SymErr.exe
HKU\S-1-5-21-3931398849-2409981081-523692491-1001\...\StartupApproved\Run: => "SpybotPostWindows10UpgradeReInstall"

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.


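The fixlist above is almost entirely autostart entries whose target is gone ("=> No File", "-> No File"): Run values, per-user CustomCLSID registrations, scheduled-task actions and Task Scheduler cache entries. As an added PowerShell example that is not part of the original thread and not the FRST tool's own logic, the script below reproduces that class of check so the same orphans can be found without a third-party tool. It only reports; names such as Resolve-CommandPath and Test-TargetMissing are this example's own helpers, and the TaskCache registry key is readable only from an elevated prompt.

```powershell
# Added example, not code from the original thread or from the FRST tool.
# Finds autostart entries whose target no longer exists on disk: Run values,
# per-user CLSID InprocServer32 entries, scheduled-task actions and Task Scheduler
# cache entries. Such orphans are usually leftovers of an uninstalled product
# (here EAM, Norton and Spybot), but the same check also surfaces malware whose
# file was deleted while its autostart survived. Read-only: it deletes nothing.
# Run elevated on Windows PowerShell 5.1 / PowerShell 7 (TaskCache is admin-only).

function Resolve-CommandPath {
    # Pull the executable or DLL out of a registry command line such as
    #   "C:\Program Files\X\x.exe" /silent      or      C:\Windows\foo.dll
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^(.+?\.(exe|dll|cmd|bat|com))(\s|$)') { return $Matches[1] }
    return ($expanded -split '\s+')[0]
}

function Test-TargetMissing {
    # True when neither the literal path nor a PATH lookup (bare "sc.exe") finds it.
    param([string]$Target)
    return -not (Test-Path -LiteralPath $Target) -and
           -not (Get-Command $Target -ErrorAction SilentlyContinue)
}

function Get-OrphanedRunValues {
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $target = Resolve-CommandPath $item.GetValue($name)
            if ($target -and (Test-TargetMissing $target)) {
                [pscustomobject]@{ Kind = 'Run'; Where = "$key\$name"; Target = $target }
            }
        }
    }
}

function Get-OrphanedUserClsids {
    # Per-user COM registrations (FRST's "CustomCLSID") shadow HKLM entries and need
    # no admin rights, which makes them a favourite persistence spot.
    Get-ChildItem 'HKCU:\Software\Classes\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
        $srv = Join-Path $_.PSPath 'InprocServer32'
        if (Test-Path $srv) {
            $dll = Resolve-CommandPath ((Get-Item $srv).GetValue(''))
            if ($dll -and (Test-TargetMissing $dll)) {
                [pscustomobject]@{ Kind = 'CLSID'; Where = $_.PSChildName; Target = $dll }
            }
        }
    }
}

function Get-OrphanedTaskActions {
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only Exec actions carry an Execute path; COM-handler actions carry a ClassId.
            $exe = if ($action.PSObject.Properties['Execute']) { Resolve-CommandPath $action.Execute }
            if ($exe -and (Test-TargetMissing $exe)) {
                [pscustomobject]@{ Kind = 'Task'; Where = $task.TaskPath + $task.TaskName; Target = $exe }
            }
        }
    }
}

function Get-OrphanedTaskCacheEntries {
    # FRST's "Task: {GUID} - \Path -> No File": the scheduler's registry cache still
    # lists a task whose definition file under System32\Tasks has gone.
    $cache = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'
    Get-ChildItem $cache -ErrorAction SilentlyContinue | ForEach-Object {
        $rel = $_.GetValue('Path')
        if ($rel) {
            $file = Join-Path "$env:SystemRoot\System32\Tasks" $rel.TrimStart('\')
            if (-not (Test-Path -LiteralPath $file)) {
                [pscustomobject]@{ Kind = 'TaskCache'; Where = "$($_.PSChildName) $rel"; Target = $file }
            }
        }
    }
}

$orphans = @(Get-OrphanedRunValues) + @(Get-OrphanedUserClsids) +
           @(Get-OrphanedTaskActions) + @(Get-OrphanedTaskCacheEntries)
$orphans | Sort-Object Kind, Where | Format-Table -AutoSize
"{0} orphaned autostart entries found" -f $orphans.Count
```

An orphan is harmless by itself, which is why the reply above calls the logs clean, but each one is a location something once chose to persist in; a Run value or user-scope CLSID pointing at a missing file is worth comparing against the product you expect to have been there before removing it. The script does not touch SearchScopes or the Internet Explorer start-page values in the fixlist, which are cleared because they are empty, not because they point at a missing file.
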
I apologize for the lack of response.  Had a family emergency.  Everything seems to be running fine.  I thank you for your assistance, particularly since the issue was created by my own error.  I greatly appreciate the time you invested in my assistance.  Thank you and my apologies for the operator error.  

You are welcome.

Now to remove most of the tools that we have used in fixing your machine:

Download Delfix from here and save it to your desktop.

  • Ensure Remove disinfection tools is checked.
  • Also place a checkmark next to:
    • Create registry backup
    • Purge system restore
  • Click the Run button.

When the tool is finished, a log will open in Notepad. I do not need the log. You can close Notepad.

Empty the Recycle Bin

You can delete and uninstall any programs I had you download, that you do not wish to keep on the system.

To remove EEK, simply delete the EEK folder in the root of your system drive, normally C:\EEK.

Run Windows Update and update your Windows Operating System.

Articles to Read:
How to Protect Your Computer From Malware
How to keep you and your Windows PC happy
Web, email, chat, password and kids safety
How Did I Get Infected?

That should take care of everything.

Safe Surfing!

This topic is now closed to further replies.
