Thridchild Posted November 23, 2012
After having a virus on my pc I cannot get Windows Security Center to work so not sure how protected I am.
KenB Posted November 23, 2012
Hi and welcome to ExTS. Did you have qualified help to get rid of the virus? One of our security experts should be along soon to help :)
There is an email going around offering processed pork - gelatin - and salt in a can ...... this is simply SPAM !!
MiniToolBox | Network Test | Wireless Test
etavares Posted November 23, 2012
Hi Thridchild,
That's a common issue. Given this is virus related, I've moved this to the virus removal forum instead of the security questions board. Please follow the instructions in the link below and post the requested logs in reply to this thread.
Before posting for Malware Removal help.
Next, please also do this given the issues you are experiencing:
Please download Farbar Service Scanner and run it on the computer with the issue.
Make sure the following options are checked: Internet Services, Windows Firewall, System Restore, Security Center, Windows Update
[*]Press "Scan".
[*]It will create a log (FSS.txt) in the same directory the tool is run from.
[*]Please copy and paste the log to your reply.
Please post all logs in reply to this thread and I'll help you resolve the issues. You can use multiple posts if needed to post all the logs.
-etavares
etavares is a member of: Alliance of Security Analysis Professionals, Unified Network of Instructors and Trained Eliminators
Thridchild Posted November 25, 2012 (Author)
Hi etavares
Thanks for your reply and help. Have run the log but am having problems attaching it to the thread.
etavares Posted November 25, 2012
Hi Thridchild,
Click "reply" at the bottom right of this post. Then, click the Go Advanced button at the bottom right, under the text field that pops up to type your reply. In the advanced editor, you'll see buttons in the gray bar above where you type. Click the paperclip over the piece of paper at the top right in the first row of buttons. A popup window will appear. Click add files and select your log files. They'll appear in the section. Then, drag them into the Attachments area at the bottom.
You can also copy/paste the entire contents by opening the log in Notepad, Edit --> Select All, Edit --> Copy, then paste in here. Do one log per post.
Did that work?
-etavares
Thridchild Posted November 25, 2012 (Author)
Log FILE
Hi, hope this works.
Attachment: FSS.txt
etavares Posted November 27, 2012
Hi Thridchild,
It did work! It does show some issues we'll have to resolve. Please go through these instructions in the link below and also post the requested logs as you did with the FSS log:
Before posting for Malware Removal help.
-etavares
Thridchild Posted November 27, 2012 (Author)
Log Files as requested
Hi, have attached log files from mbam and otl as requested.
Attachments: mbam-log-2012-11-27 (11-17-10).txt, OTL.Txt, Extras.Txt
etavares Posted November 28, 2012
Hello, Thridchild.
There are a lot of things going on in the log. Nothing appears to be active, but there is remnant damage that needs to be fixed. Let's get to work.
P2P Warning and Request
The log shows that you have been using so called peer-to-peer or file-sharing programmes (in your case uTorrent). These programmes allow you to share files between users as the name(s) suggest. In today's world cyber crime has come a long way and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of their malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it. It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care.
I recommend that you uninstall this program. That is optional, however. If you decide to not uninstall, please refrain from using it until I let you know your computer is clean.
Registry Cleaner Warning
I also see that you have a registry cleaner installed (in your case Fix RegCleaner v1.0). Here at BC, we do not recommend using registry cleaners. If you do use it, make sure to use a tool like ERUNT to back up your registry first. Merely backing it up yourself via regedit won't help you if you can't boot up as a result! See here for more information: http://www.bleepingcomputer.com/forums/index.php?showtopic=238799&st=0&p=1326578entry1326578
Registry Cleaner Warning
I also see that you have CCleaner installed. It is a great tool that I use. However, be careful of the registry cleaning functionality (versus file cleaning). Here at BC, we do not recommend using registry cleaners as they don't speed up your computer and they can do more harm than good if they remove a legitimate entry. If you do use it, make sure to use a tool like ERUNT to back up your registry first. Merely backing it up yourself via regedit won't help you if you can't boot up as a result! See here for more information: http://www.bleepingcomputer.com/forums/index.php?showtopic=238799&st=0&p=1326578entry1326578
Step 1
Next, please download ComboFix from one of these locations: Bleepingcomputer, InfoSpyware
* IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
Double click on etavaresCF.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message asking whether to continue. Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.
Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.
Step 2
Download TDSSKiller.exe and save it to your desktop.
Double-click TDSSKiller.exe to run it.
Under "Objects to scan" ensure both "Services and Drivers" and "Boot Sectors" are checked.
Click Start scan and allow it to scan for Malicious objects.
If malicious objects are found, the default action will be Cure; ensure Cure is selected then click Continue.
If suspicious objects are detected, the default action will be Skip; ensure Skip is selected then click Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now and allow the computer to reboot.
A log will be created on your root (usually C:) drive. The log is named like UtilityName.Version_Date_Time_log.txt, for example C:\TDSSKiller.2.4.1.2_20.04.2010_15.31.43_log.txt
If no reboot is required, click on Report. A log file should appear.
Please post the contents of the logfile in your next reply.
Step 3
I don't see an Anti Virus Program running on your machine.
Download and install an antivirus program, and make sure that you keep it updated. New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
Two good antivirus programs free for non-commercial home use are Avast! and Avira.
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
Note: Avira now includes the Ask.com Toolbar unless you choose not to install it. This means it is pre-checked by default and it is recommended that you uncheck that option during installation.
-etavares
Thridchild Posted November 28, 2012 (Author)
Hi etavares
Thanks for your continued support. Have removed uTorrent and registry cleaner as recommended.
After downloading and running Combofix the pc hung after it ran the scan and then started to delete files and one folder as below:
Deleting files
C:\Documents and Settings\All Users\Application Data\Temp\B63300d1.tmp
C:\Documents and Settings\paddy\win.qs7jqx
C:\Documents and Settings\shaun\Application Data\PCFix\log.dat\unresolvederors.dat
C:\WINDOWS\system32\ClientSyncloader.htm
C:\WINDOWS\system32\ClientSyncloaderDriver.htm
C:\WINDOWS\system32\SET29.tmp
C:\WINDOWS\system32\SET39.tmp
C:\WINDOWS\system32\SET75.tmp
Deleting folder
C:\Documents and Settings\All Users\Application Data\TEMP
After hanging like this for 15 minutes I closed the box and rebooted the m/c okay.
Ran the TDSSKiller scan; it was clean. Have attached the report.
Will download an anti virus program but have MSE which I thought would be sufficient.
Thanks again
Shaun (thridchild)
Attachment: TDSSKiller.2.8.15.0_28.11.2012_11.25.26_log.txt
etavares Posted November 28, 2012
You're right, I only saw Windows Defender running, but MSE was also running. No need to install another.
Does C:\combofix.txt exist? If so, please copy/paste the contents of it here. If not, please let me know.
Thridchild Posted November 28, 2012 (Author)
Hi etavares
I cannot find the file; when I try and search for it, it gets stuck in a loop during the search results.
etavares Posted November 28, 2012
Hi Thridchild,
No need to search, we know where it is. Try clicking Start --> Computer; navigate to C:\ and see if Combofix.txt is there.
-etavares
Thridchild Posted November 28, 2012 (Author)
Hi etavares
It's not showing in C:\
etavares Posted November 29, 2012
Hello, Thridchild.
OK, we'll move on then.
Step 1
We need to run an OTL script. Please download OTL from one of the following mirrors if you do not still have it.
This is first Mirror
This is the second mirror
[*]Save it to your desktop.
[*]Double click on the OTL icon on your desktop.
[*]Paste the following code under the Custom Scans/Fixes box at the bottom.
:files
C:\WINDOWS\System32\drivers\hfikspxp.dat
C:\Documents and Settings\shaun\Local Settings\Application Data\0wdprkm25e4fco8x6pdb468r30
C:\Documents and Settings\All Users\Application Data\0wdprkm25e4fco8x6pdb468r30
C:\WINDOWS\System32\drivers\sfi.dat
C:\WINDOWS\System32\drivers\goqcreau.dat
C:\WINDOWS\System32\drivers\pnlflccf.dat
C:\WINDOWS\System32\drivers\qrwiyyka.dat
C:\WINDOWS\System32\epfwdata.bin
:OTL
DRV - (WDICA) -- File not found
DRV - (vvkfpihf) -- C:\WINDOWS\system32\drivers\vvkfpihf.sys File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (lbrtfdc) -- File not found
DRV - (i2omgmt) -- File not found
DRV - (esgiguard) -- C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys File not found
DRV - (Changer) -- File not found
DRV - (bcqjndro) -- C:\WINDOWS\system32\drivers\bcqjndro.sys File not found
IE - HKLM\..\URLSearchHook: {657E195F-066D-435C-92DB-7C261E6FE832} - No CLSID value found
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKCU\..\URLSearchHook: {657E195F-066D-435C-92DB-7C261E6FE832} - No CLSID value found
IE - HKCU\..\SearchScopes,DefaultScope = {AB79D3B4-AEDB-428a-B504-BAC00521A1C7}
IE - HKCU\..\SearchScopes\{AB79D3B4-AEDB-428a-B504-BAC00521A1C7}: "URL" = http://starwebsearch.com/results.php?q={searchTerms}
O20 - Winlogon\Notify\TPSvc: DllName - (TPSvc.dll) - File not found
[*]Click the Run Fix button at the top.
[*]Let the program run unhindered and reboot when it is done.
[*]You will get a log when it is done, please post that in your reply.
[*]Please then create a new OTL report....
[*]Click the "Scan All Users" checkbox.
[*]Push the Run Scan button.
[*]A report will open, copy and paste it in a reply here.
Step 2
Next, download aswMBR and save it to your desktop.
Double click the aswMBR.exe to run it.
The latest version gives you the option of adding the latest Avast definitions. It is recommended at this time to click NO (as there is a possibility of crashing the system).
Click the Scan button to start the scan.
On completion of the scan click Save log and save it to your desktop.
Please post this in your reply.
NOTE: aswMBR will create an MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
-etavares
Thridchild Posted November 29, 2012 (Author)
Hi etavares, this is the MBR log.
Attachment: aswMBR.txt
Thridchild Posted November 29, 2012 (Author)
Hi etavares
Have noticed since doing the OTL fix that when opening Internet Explorer the Manage Add-ons screen appears with no default search provider, and when I try to select one nothing happens, so if I try to do a search using the top right field next to the spyglass nothing happens.
Rgds Thridchild
etavares Posted November 29, 2012
Hello, Thridchild.
The aswMBR log shows you had a serious infection at one point, but it doesn't appear active.
In regards to the IE search provider, try following these instructions to set your default search provider. http://windows.microsoft.com/is-IS/windows-vista/Change-or-choose-a-search-provider-in-Internet-Explorer
Step 1
Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it to your desktop (click file, save as) as "fixit.reg" with the quotes.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=-
NOTICE: This file was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Locate fixit.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer "Yes" and wait for a message to appear similar to "Merged Successfully". Please reply back letting me know if it merged correctly.
Step 2
Please open Notepad. Copy and paste the text in the box below into Notepad.
@ECHO OFF
REM set the Windows Update service (wuauserv) to start automatically; sc needs a space after "start=" and its output goes to the log
sc config wuauserv start= auto > "%USERPROFILE%\Desktop\Update.log"
REM start treats a lone quoted argument as a window title, so an empty title is passed first to open the log
start "" "%USERPROFILE%\Desktop\Update.log"
REM remove this batch file
del %0
This fix is custom made for this user's computer.
Select File-->Save As
Select File as Type: All Types (*.*)
Save it to your desktop as fixme.bat
Double-click fixme.bat on your desktop to run the fix. A window will briefly pop up then close. A log will open, please copy and paste it into your response.
Step 3
Please restart your computer. Once that's done, please run Farbar Service Scanner (FSS) again and post the resulting log in your reply.
-etavares
Thridchild Posted November 30, 2012 (Author)
Hi etavares
With regards to the fixit.reg, got the message "info in c:\Documents and Settings\shaun\my documents\fixit.reg successfully entered into the registry". Have attached both the fixme log and the fss log. Still having problems with the default search provider.
Regards Thridchild
Attachments: FIXME.txt, FSS.2.txt
etavares Posted November 30, 2012
Hi Thridchild,
OK, I've made a note about the default search provider. We'll come back to that in a bit.
Please Click Start --> Run, type services.msc and press Enter. The Services window should open. Scroll down to Windows Update, right-click and select Properties. Under Startup Type select Automatic. OK your way out of all the menus and close the Services window.
Next, click Start --> Run, type firewall.cpl and press Enter. On the General tab click On (recommended). Click OK.
Restart your computer. Then, please run FSS and post the resulting log.
Thridchild Posted November 30, 2012 (Author)
Hi etavares
There is no Windows Update in Services. Also when I try firewall.cpl I get the error message "Windows Firewall settings cannot be displayed because the associated service is not running". If I click on the option to start the service I get the message "windows cannot start the Windows Firewall\Internet Connection Sharing (ics) service", which is the message I got that made me report the problem in the first place.
etavares Posted December 1, 2012
Hello, Thridchild.
OK, let's query that service then. The display name may be different than Windows Update.
Step 1
Please open Notepad. Copy and paste the text in the box below into Notepad.
@ECHO OFF
REM query the Windows Update service (wuauserv) by its service name and write the result to a text file
sc query wuauserv > "%USERPROFILE%\Desktop\Query.txt"
REM start treats a lone quoted argument as a window title, so an empty title is passed first to open the file
start "" "%USERPROFILE%\Desktop\Query.txt"
REM remove this batch file
del %0
This fix is custom made for this user's computer.
Select File-->Save As
Select File as Type: All Types (*.*)
Save it to your desktop as fixme.bat
Double-click fixme.bat on your desktop to run the fix. A window will briefly pop up then close. A log will open, please copy and paste it into your response.
-etavares
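Added example, not from this thread or from any of the tools it mentions: a Windows PowerShell script that reports, in one pass, the state and start mode of the services the FSS check and the fixes above touch (Windows Update, the Windows Firewall/ICS service, Security Center, System Restore) and whether the DisableSR value that fixit.reg deletes is still present. The internal service names, the use of WMI (Get-WmiObject, so Windows PowerShell rather than PowerShell 7) and running from an elevated prompt are my assumptions.

```powershell
# Added example (not part of the thread). Assumes Windows PowerShell 2.0+ with WMI
# and an elevated prompt. The names below are the real service names behind the
# display names used in the thread; a missing service shows up as MISSING, which
# is what "sc query" would also fail on.
$services = @(
    @{ Name = 'wuauserv';     Role = 'Windows Update (sc config wuauserv start= auto)' },
    @{ Name = 'SharedAccess'; Role = 'Windows Firewall / Internet Connection Sharing (ICS)' },
    @{ Name = 'wscsvc';       Role = 'Security Center' },
    @{ Name = 'srservice';    Role = 'System Restore (XP service name)' }
)

function Get-ServiceState {
    param([string]$Name)
    # Win32_Service exposes StartMode (Auto/Manual/Disabled), which Get-Service
    # in PowerShell 2.0 does not; a service that is not registered returns $null.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    if ($null -eq $svc) { return 'MISSING (service not registered)' }
    return ('{0}, start mode {1}' -f $svc.State, $svc.StartMode)
}

foreach ($s in $services) {
    '{0,-13} {1,-55} {2}' -f $s.Name, $s.Role, (Get-ServiceState -Name $s.Name)
}

# fixit.reg in the thread deletes DisableSR; a value of 1 here means System
# Restore is still switched off by that setting.
$srKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
$disableSR = (Get-ItemProperty -Path $srKey -ErrorAction SilentlyContinue).DisableSR
if ($null -eq $disableSR) { 'DisableSR: not set (System Restore not disabled by this value)' }
else { 'DisableSR: {0}' -f $disableSR }
```

Run it before and after a fix and compare the two outputs; a service reported MISSING cannot be repaired with sc config and needs to be re-registered first.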