Please start the following services: Dnscache Service and Srservice Service
http://www.microsoft...e.mspx?mfr=true
Next, reboot and generate a new fresh Farbar Service Scanner log. Then let me know how your system is.
#41
Posted 20 June 2012 - 05:48 AM
#42
Posted 22 June 2012 - 04:19 PM
Did as instructed.
- DNS Client (no option for DNS Cache) is now set to "MANUAL" and is "STARTED".
- SRService (for System Restore) is set to "AUTO" and is "STARTED".
Here is the new FSS Log:
Farbar Service Scanner Version: 19-06-2012
Ran by Rob (administrator) on 21-06-2012 at 14:53:57
Running from "C:\Documents and Settings\Rob\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is set to Demand. The default start type is Auto.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.
Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo IP returned error: Yahoo IP is unreachable
Attempt to access Yahoo.com returned error: Other errors
Windows Firewall:
=============
Firewall Disabled Policy:
==================
System Restore:
============
Srservice Service is not running. Checking service configuration:
The start type of Srservice service is OK.
The ImagePath of Srservice service is OK.
The ServiceDll of Srservice service is OK.
sr Service is not running. Checking service configuration:
The start type of sr service is set to Disabled. The default start type is Boot.
The ImagePath of sr: "\SystemRoot\system32\DRIVERS\sr.sys".
System Restore Disabled Policy:
========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=DWORD:1
Security Center:
============
Windows Update:
============
Windows Autoupdate Disabled Policy:
============================
File Check:
========
C:\windows\system32\dhcpcsvc.dll => MD5 is legit
C:\windows\system32\Drivers\afd.sys => MD5 is legit
C:\windows\system32\Drivers\netbt.sys => MD5 is legit
C:\windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\windows\system32\Drivers\ipsec.sys => MD5 is legit
C:\windows\system32\dnsrslvr.dll => MD5 is legit
C:\windows\system32\ipnathlp.dll => MD5 is legit
C:\windows\system32\netman.dll => MD5 is legit
C:\windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\windows\system32\srsvc.dll => MD5 is legit
C:\windows\system32\Drivers\sr.sys => MD5 is legit
C:\windows\system32\wscsvc.dll => MD5 is legit
C:\windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\windows\system32\wuauserv.dll => MD5 is legit
C:\windows\system32\qmgr.dll => MD5 is legit
C:\windows\system32\es.dll => MD5 is legit
C:\windows\system32\cryptsvc.dll => MD5 is legit
C:\windows\system32\svchost.exe => MD5 is legit
C:\windows\system32\rpcss.dll => MD5 is legit
C:\windows\system32\services.exe => MD5 is legit
**** End of log ****
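The FSS log above is what the helper reads to decide which services to start, and the same three signals recur in every such log: a service that is not running, a start type that differs from the default FSS prints beside it, and a non-zero policy value such as DisableSR. As an added illustration (not code from the thread, from Farbar Service Scanner, or from its author), the Python below parses lines in that format and reports exactly those deviations, plus any File Check line whose status is not "MD5 is legit". The sample log is a constructed excerpt modelled on the one posted here; the section-header rule (a line ending in ":" followed by a row of "=") and the handling of non-legit hash lines are assumptions about the format based only on the lines visible in this thread.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt in the Farbar Service Scanner (FSS) log format, modelled on the
# log posted in the thread; it is not the thread's full log.
SAMPLE_FSS_LOG = r"""Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is set to Demand. The default start type is Auto.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.
System Restore:
============
Srservice Service is not running. Checking service configuration:
The start type of Srservice service is OK.
The ImagePath of Srservice service is OK.
The ServiceDll of Srservice service is OK.
sr Service is not running. Checking service configuration:
The start type of sr service is set to Disabled. The default start type is Boot.
The ImagePath of sr: "\SystemRoot\system32\DRIVERS\sr.sys".
System Restore Disabled Policy:
========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=DWORD:1
File Check:
========
C:\windows\system32\dnsrslvr.dll => MD5 is legit
C:\windows\system32\srsvc.dll => MD5 is legit
C:\windows\system32\Drivers\sr.sys => MD5 is legit
"""


@dataclass(frozen=True)
class Finding:
    section: str   # FSS section the line appeared in
    kind: str      # "not_running", "start_type", "policy" or "file_hash"
    subject: str   # service name, registry value name or file path
    detail: str    # short human-readable explanation


# Line shapes as they appear in the posted log (assumed to be stable across FSS logs).
NOT_RUNNING = re.compile(r"^(\S+) Service is not running\.")
START_TYPE = re.compile(
    r"^The start type of (\S+) service is set to (\w+)\. The default start type is (\w+)\."
)
POLICY_VALUE = re.compile(r'^"(\w+)"=DWORD:(\d+)$')
FILE_CHECK = re.compile(r"^(.+?) => (.+)$")
SECTION_RULE = re.compile(r"^=+$")


def analyze_fss(text: str) -> list[Finding]:
    """Return the deviations an FSS log reports, in the order they appear."""
    findings: list[Finding] = []
    lines = text.splitlines()
    section = ""
    for i, raw in enumerate(lines):
        line = raw.strip()
        # Assumed header rule: a line ending in ':' followed by a row of '=' characters.
        if line.endswith(":") and i + 1 < len(lines) and SECTION_RULE.match(lines[i + 1].strip()):
            section = line[:-1]
            continue
        if m := NOT_RUNNING.match(line):
            findings.append(Finding(section, "not_running", m.group(1),
                                    f"{m.group(1)} service is not running"))
            continue
        if m := START_TYPE.match(line):
            name, actual, default = m.groups()
            if actual != default:  # FSS only prints this form when they differ, but check anyway
                findings.append(Finding(section, "start_type", name,
                                        f"start type is {actual}, default is {default}"))
            continue
        if m := POLICY_VALUE.match(line):
            name, value = m.group(1), int(m.group(2))
            if value != 0:  # a policy value of 1 under a "... Disabled Policy" section is the tamper signal
                findings.append(Finding(section, "policy", name, f"{name}={value}"))
            continue
        if section == "File Check" and (m := FILE_CHECK.match(line)):
            path, status = m.groups()
            if status != "MD5 is legit":  # assumption: any other status text means the hash did not match
                findings.append(Finding(section, "file_hash", path, status))
    return findings


if __name__ == "__main__":
    for f in analyze_fss(SAMPLE_FSS_LOG):
        print(f"[{f.section}] {f.kind}: {f.subject} ({f.detail})")
```

Run against the constructed excerpt it reports six findings: Dnscache not running and set to Demand instead of Auto, Srservice and sr not running, sr set to Disabled instead of Boot, and DisableSR=1; the File Check section produces nothing because every hash is reported as legit. That matches what the helper acted on in the thread, and the parser gives a repeatable way to diff one log against the next rather than eyeballing it.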
#43
Posted 22 June 2012 - 05:56 PM
#44
Posted 26 June 2012 - 09:22 PM
Yesterday was the first day back on my computer. It was the first time I went on the internet. Everything seemed to be fine until I got a warning from "Windows Antivirus 2012" that my computer was infected. I know this must be another virus so I immediately shut my computer off. I am now running Malwarebytes to see what it shows.
Am I infected again? Or is this something left over from the last one?
#45
Posted 27 June 2012 - 03:53 AM
#46
Posted 02 July 2012 - 12:28 AM
Here is the MBAM log:
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org
Database version: v2012.06.27.01
Windows XP Service Pack 3 x86 FAT32
Internet Explorer 8.0.6001.18702
Rob :: ROB-CCA219EB460 [administrator]
6/26/2012 19:12:51
mbam-log-2012-06-26 (21-11-00).txt
Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 355739
Time elapsed: 1 hour(s), 47 minute(s), 21 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 13
C:\Program Files\STUFF\Casinos\mhvpoker.dll (Adware.Casino) -> No action taken.
C:\Program Files\STUFF\Casinos\baccarat.dll (Adware.Casino) -> No action taken.
C:\Program Files\STUFF\Casinos\bj.dll (Adware.Casino) -> No action taken.
C:\Program Files\STUFF\Casinos\casino.exe (Adware.Casino) -> No action taken.
C:\Program Files\STUFF\Casinos\directsound.dll (Adware.Casino) -> No action taken.
C:\Program Files\STUFF\Casinos\extgame.dll (Adware.Casino) -> No action taken.
C:\Program Files\STUFF\Casinos\lbyinst.exe (Adware.Casino) -> No action taken.
C:\Program Files\STUFF\Casinos\miniprocess.exe (Adware.Casino) -> No action taken.
C:\Program Files\STUFF\Casinos\plibc32.dll (Adware.Casino) -> No action taken.
C:\Program Files\STUFF\Casinos\winsound.dll (Adware.Casino) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\Installer\{d7655630-ff5f-d0fc-3b68-e13b8d1ad877}\U\00000008.@.vir (Trojan.Dropper.BCMiner) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\Installer\{d7655630-ff5f-d0fc-3b68-e13b8d1ad877}\U\80000000.@.vir (Trojan.Sirefef) -> No action taken.
C:\WINDOWS\assembly\GAC\Desktop.ini (Trojan.0access) -> No action taken.
(end)
BTW, this last situation happened when I clicked on a picture on Google. I think that is how I have gotten my last two viruses. Would the PRO version of Malwarebytes prevent that from happening?
I haven't been back on the internet since this last thing happened. Let me know if you want other test results.
Thanks.
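Two things in the MBAM log above decide what the helper says next: every entry ends in "No action taken" (the scan only reported, it did not remove), and two of the paths sit under C:\Qoobox\Quarantine, a quarantine folder where files have already been moved and renamed with a .vir extension, so those are not live infections. As an added illustration (not code from the thread, from Malwarebytes, or from its author), the Python below reads the "Files Detected" section of a log in this format and splits the entries into already-quarantined versus live paths, lists which ones were left in place, and checks that the declared count matches the lines parsed. The sample is a constructed excerpt using four of the detection lines posted here; the quarantine-path prefix and the line layout are assumptions taken from the posted log only.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed excerpt in the Malwarebytes Anti-Malware 1.x log format, using four of the
# detection lines posted in the thread; it is not the full log.
SAMPLE_MBAM_LOG = r"""Files Detected: 4
C:\Program Files\STUFF\Casinos\casino.exe (Adware.Casino) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\Installer\{d7655630-ff5f-d0fc-3b68-e13b8d1ad877}\U\00000008.@.vir (Trojan.Dropper.BCMiner) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\Installer\{d7655630-ff5f-d0fc-3b68-e13b8d1ad877}\U\80000000.@.vir (Trojan.Sirefef) -> No action taken.
C:\WINDOWS\assembly\GAC\Desktop.ini (Trojan.0access) -> No action taken.
(end)
"""

# One detection line: <path> (<threat name>) -> <action>.
DETECTION = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+)\.$")
FILES_HEADER = re.compile(r"^Files Detected: (\d+)$")
# Assumption: anything below this prefix is already in a quarantine folder (seen in the posted log).
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"


@dataclass
class Detection:
    path: str
    threat: str
    action: str


@dataclass
class Triage:
    declared: int = -1                                             # count from "Files Detected: N"
    quarantined: list[Detection] = field(default_factory=list)    # already under the quarantine folder
    live: list[Detection] = field(default_factory=list)           # still at its original location
    still_present: list[Detection] = field(default_factory=list)  # scan reported but did not act


def triage_mbam(text: str) -> Triage:
    """Classify the Files Detected entries of an MBAM log."""
    t = Triage()
    in_files = False
    for raw in text.splitlines():
        line = raw.strip()
        if m := FILES_HEADER.match(line):
            t.declared = int(m.group(1))
            in_files = True
            continue
        if not in_files or not line or line == "(end)":
            continue
        m = DETECTION.match(line)
        if not m:
            continue  # tolerate unrelated lines rather than abort the triage
        d = Detection(**m.groupdict())
        if d.path.lower().startswith(QUARANTINE_PREFIX):
            t.quarantined.append(d)
        else:
            t.live.append(d)
        if d.action == "No action taken":
            t.still_present.append(d)
    return t


def counts_match(t: Triage) -> bool:
    """True when every declared detection was parsed into one of the two buckets."""
    return t.declared == len(t.quarantined) + len(t.live)


if __name__ == "__main__":
    t = triage_mbam(SAMPLE_MBAM_LOG)
    print("already quarantined:", [d.threat for d in t.quarantined])
    print("live on disk:", [(d.path, d.threat) for d in t.live])
    print("left in place by this scan:", len(t.still_present), "of", t.declared)
```

On the constructed excerpt the two Qoobox entries land in the quarantined bucket, the casino adware and the GAC Desktop.ini land in the live bucket, and all four are flagged as left in place, which is the reason the helper asks for the scan to be repeated with removal enabled. Reviewing a log this way keeps quarantine-folder hits from being mistaken for a fresh infection.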
#47
Posted 02 July 2012 - 05:58 AM
These things have already been removed from OTL.
About other things, please run Malwarebytes' Anti-Malware scan and repeat, but this time remove them.
Yes, the PRO version is a good way to prevent these attacks.
Monitor your system and let me know too.
Quote
C:\Qoobox\Quarantine\C\WINDOWS\Installer\{d7655630-ff5f-d0fc-3b68-e13b8d1ad877}\U\00000008.@.vir (Trojan.Dropper.BCMiner) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\Installer\{d7655630-ff5f-d0fc-3b68-e13b8d1ad877}\U\80000000.@.vir (Trojan.Sirefef) -> No action taken.
#48
Posted 08 July 2012 - 01:56 PM
Are you still with us? This topic will be closed in a few days if we do not hear back from you.
#49
Posted 10 July 2012 - 07:39 AM
Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.
Other members who need assistance please start your own topic in a new thread. Thanks!
~Maurice Naggar
I close my threads if there is 5 days without a response.