Solved virus seems to reinstall itself during boot into shell

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Hmm, I will need another set of FRST reports, I think I have an idea:


Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.
  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Make sure that the Addition.txt option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
Please attach the reports to your next reply.
 

KennyGordacki

New Member
Thread author
Verified
Jun 22, 2016
50
first and addition
 

Attachments

  • FRST_25-06-2016_09-03-28.txt
    61.6 KB · Views: 2
  • Addition_25-06-2016_09-03-28.txt
    40 KB · Views: 2

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.

Running it on another one may cause damage and render the system unstable.

Download the attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished, FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.
 

Attachments

  • fixlist.txt
    6.4 KB · Views: 25

KennyGordacki

New Member
Thread author
Verified
Jun 22, 2016
50
This is unbelievable, now I am getting the dreaded "some settings are being managed by your administrator" in the Internet Explorer "options" advanced tab. I know it's a registry setting but it makes me wonder if there is software somewhere that is setting and resetting it. Also Internet Explorer will not render a Google webpage.
 

KennyGordacki

New Member
Thread author
Verified
Jun 22, 2016
50
OMG it's back! I am getting this as my Internet Explorer start page after I changed it to google.com: h t t p://go.microsoft.com/fwlink/p/?LinkId=619797 &pc=UE09&ocid=UE09DHP. It's the same page that I was getting before. I will look in the registry right now, but it was being stored in the registry as the first link to microsoft starting with go and ending in 619797, and it was being added to another link in the registry that was & all the way to 9dhP.
 

KennyGordacki

New Member
Thread author
Verified
Jun 22, 2016
50
I downloaded your fix file to my desktop and then ran it. Here are the results.
 

Attachments

  • Addition.txt
    36.6 KB · Views: 2
  • FRST.txt
    69.7 KB · Views: 1

KennyGordacki

New Member
Thread author
Verified
Jun 22, 2016
50
My apologies, I am not usually this spacey but my 80 year old mom broke her foot in an auto accident. She will be fine but I have been up early all mornings and getting to bed late and living at the orthopedic doctors office.

Here is the Fixlog.txt.
 

Attachments

  • Fixlog.txt
    17.6 KB · Views: 2

KennyGordacki

New Member
Thread author
Verified
Jun 22, 2016
50
Great, except two issues that I can see. It is either still affecting IE, because it is blank all the time and it constantly says that it closed down incorrectly last time and do I want to start on the page that I left when it closed down incorrectly. The virus changed security settings so that "Internet options" in IE is grayed out and I cannot access it. Possibly the virus is there and it is keeping it grayed out. Also it somehow messed with the settings in plug and play. I know that plug and play is integral to Windows validation. Plug and play keeps track of the hardware on the machine. If a certain number of pieces of hardware change or if the motherboard changes, Windows validation says that this copy is no longer registered. I get an error message saying that it is no longer validated. When I run Windows validation as an administrator I get an error message that tells me that I need to get a higher security status in order to run the Windows 7.1 validation system.
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
You can reset Internet Explorer settings to what they were when Internet Explorer was first installed on your PC. This can be useful for troubleshooting problems that may be caused by settings changed after installation. Note that resetting Internet Explorer isn't reversible, and all previous settings are lost after reset.

  1. Close all Internet Explorer windows. Select the Tools button, and then select Internet options.
  2. Select the Advanced tab, and then select Reset.
  3. In the Reset Internet Explorer Settings dialog box, select Reset.
  4. When Internet Explorer finishes applying default settings, select Close, and then select OK. Restart your PC to apply changes.


About Windows validation, it would be nice if you could make a picture.
 

KennyGordacki

New Member
Thread author
Verified
Jun 22, 2016
50
I have been resetting Internet Explorer about once a day and then shutting down with a restart. It hasn't helped until now. It seems like it is running OK so far. I am sending you more money. I think that I will be back with this issue but it seems to be working now. Thank you. Would someone be able to help me with the error message (syntphelpoer.exe 0x0000142 ) and (0x80070005 windows is not genuine) in one of the other areas?
 

KennyGordacki

New Member
Thread author
Verified
Jun 22, 2016
50
When you say windows validation "make a picture", what are you saying? Do you want me to do a screen capture of the screen?
 

KennyGordacki

New Member
Thread author
Verified
Jun 22, 2016
50
The issue is that I have a Toshiba laptop manufactured in 2009? It came with Windows 7.1 x64 pre-installed. The operating system was keyed to the BIOS. Every certain number of times, I don't remember the exact number but let's say every 10th time you boot your system, the computer communicates with the server in order to continue to be sure that the software is running on a system that meets their requirements. If I were to change the BIOS or the motherboard I would be out of compliance and I would get the message that I am getting, but it would say that I added too many pieces of hardware or I changed the BIOS or the motherboard. I did not change any parts. I have read and worked with this enough to know that there are a couple of possibilities that have happened associated with this issue. The error code that comes up on everything related to the problem is 0x800070005. When I attempt to reinstall the key it gives an error message which says the number above and that I need to elevate my privileges in order to re-install the key. I don't see how I can elevate my privileges if I am already an administrator. I cannot remember for sure, but in the past I believe that this computer has re-read the installation key in the BIOS and activated the operating system again. I read somewhere else that the system monitors the hardware on the computer. If the security settings of plug and play have issues, plug and play will not report to the Windows validation system and it will think that a bunch of new hardware has been added to the computer, or it may think that the operating system has been added to a new computer. Both issues would cause the Windows not genuine issue. I called Microsoft and they referred me to Toshiba for service. Toshiba knows that it is an issue but they "need to sell me a new operating system disk" to repair the issue. I know that I don't need that; I can do an in-place install to get it from Windows x64 7.1 to Windows 64 7.1 to get it to work.
I lost some data last time I did that and want to avoid doing it again.
 

Attachments

  • 0x80070005 error message.jpg
    37.1 KB · Views: 8

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Yes, it does look like some kind of Windows activation problem. However, I cannot help you with this one, you will need to speak with Toshiba support and follow their inputs.

Let me know if you have more questions for me.
 
