Malwarebytes log:
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org
Database version: v2012.02.03.11
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Atani :: ATANI-PC [administrator]
2/3/2012 7:14:38 PM
mbam-log-2012-02-03 (19-14-38).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 191566
Time elapsed: 4 minute(s), 10 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
Virus/malware that just wont go away and Google redirecting
Started by CorvidMoon, Jan 29 2012 08:24 PM
#21
Posted 03 February 2012 - 08:19 PM
#22
Posted 04 February 2012 - 10:08 AM
Clean....Good!
How is it running?? MrC
Malware Removal Expert
I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.
Thanks MrC & crew
#23
Posted 04 February 2012 - 07:17 PM
Better than it has for a long time! Am I good to reinstall antivirus?
#24
Posted 05 February 2012 - 09:21 AM
That's Good News!
Yes reinstall your AV.
----------------------------------
also........
Older versions of Java and Adobe Reader are vulnerable to malware.
Go to your Control Panel's Add/Remove Programs and uninstall these:
Java™ 6 Update 14
Adobe Reader 9.1
---------------------------------
Download and install the latest version of Java: Java™ 6 Update 30
http://www.java.com/...load/manual.jsp <---latest version
http://www.java.com/...d/installed.jsp <---verify your Java
-------------------------------
Install the latest version of Adobe Reader:
http://get.adobe.com/reader/
You can untick this:
Free! McAfee Security Scan Plus
-------------------------------------
Please Uninstall ComboFix:
Press the Windows logo key + R to bring up the "run box"
Copy and paste next command in the field:
ComboFix /uninstall
Make sure there's a space between Combofix and /

Then hit enter.
This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.
----------------------------------
Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)
--------------------------
Any questions...please post back.
If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.
Take a look at My Preventive Maintenance to avoid being infected again.
Good Luck and Thanks for using the forum, MrC
#25
Posted 05 February 2012 - 09:24 PM
Thanks again!
One question though, I can't seem to get windows firewall going again. Should I be concerned?
#26
Posted 06 February 2012 - 08:56 AM
Yes, that should be working, delete your copy of Farbar Service Scanner and download and run a new one:
Please remove any usb or external drives from the computer before you run this scan!
Please download Farbar Service Scanner and run it on the computer with the issue.
- Make sure the following options are checked:
  - Internet Services
  - Windows Firewall
  - System Restore
  - Security Center
  - Windows Update
- Press "Scan".
- It will create a log (FSS.txt) in the same directory the tool is run.
- Please copy and paste the log to your reply.
#27
Posted 07 February 2012 - 08:25 PM
Here ya go!
Farbar Service Scanner Version: 05-02-2012
Ran by Atani (administrator) on 07-02-2012 at 19:24:35
Running from "C:\Users\Atani\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4FWCWMIF"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.
Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Firewall Disabled Policy:
==================
System Restore:
============
System Restore Disabled Policy:
========================
Security Center:
============
Windows Update:
===========
File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
**** End of log ****
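The Windows Firewall and File Check sections of an FSS log like the one above can be triaged mechanically. The following is an added example, not part of the thread and not Farbar's own code; it parses an excerpt of that log, and the `triage` function and its finding strings are hypothetical names chosen here.

```python
import re

# Excerpt of the FSS.txt log posted above (Windows Firewall and File Check lines only).
SAMPLE_LOG = r"""
Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.
File Check:
========
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
"""

NOT_RUNNING = re.compile(r"^(\w+) Service is not running\.")
KEY_MISSING = re.compile(r"^Checking ([\w ]+): Attention! Unable to open (\w+) registry key")
FILE_OK = re.compile(r"^.+\\([^\\]+)\.\w+ => MD5 is legit$")


def triage(log_text):
    """Return {service: finding} for every service FSS reports as not running."""
    stopped, missing, good_files = [], {}, set()
    for line in log_text.splitlines():
        line = line.strip()
        if m := NOT_RUNNING.match(line):
            stopped.append(m.group(1))
        elif m := KEY_MISSING.match(line):
            # Remember which configuration checks failed for this service.
            missing.setdefault(m.group(2), []).append(m.group(1))
        elif m := FILE_OK.match(line):
            # Keep the file's base name so it can be matched to a service name.
            good_files.add(m.group(1).lower())

    findings = {}
    for svc in stopped:
        binary_ok = svc.lower() in good_files
        if svc in missing:
            state = "binary intact" if binary_ok else "binary unverified"
            findings[svc] = f"registry key missing, {state} ({', '.join(missing[svc])})"
        else:
            findings[svc] = "configuration OK but stopped"
    return findings


if __name__ == "__main__":
    for service, finding in triage(SAMPLE_LOG).items():
        print(f"{service}: {finding}")
```

For this log the result separates the two services: MpsSvc has lost its registry key while mpssvc.dll still passes the file check, so the registration needs restoring rather than the file, and mpsdrv is only stopped.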
#28
Posted 07 February 2012 - 09:04 PM
Make sure the mpsdrv Service is running and set to automatic
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.
also make sure MpsSvc Service is running and set to automatic.
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.
MrC
#29
Posted 07 February 2012 - 10:49 PM
How do I do either of those? I'm not sure where to find them. My computer is not letting me change any of the firewall settings.
Here's the message I get:
Windows firewall can't change some of your settings.
Error code 0x80070424
or this one:
The windows firewall with advanced security snap-in failed to load. Restart the windows firewall service on the computer that you are managing.
Error code: 0x6D9
#30
Posted 08 February 2012 - 10:02 AM
I'm sorry, the link below shows you how to view services:
http://www.sevenforu...rt-disable.html
--------------------------------
We can use Farbar Service Scanner to check them:
Please run Farbar Service Scanner
In the search box enter this:
MPSSVC
now click on Export Service
Notepad will open with the results
Copy and paste it back here.
Repeat the procedure using
MPSDRV
MrC
#31
Posted 08 February 2012 - 08:59 PM
I can seem to find them on the list of services...
Here are the FSS reports
#32
Posted 09 February 2012 - 09:14 AM
For some reason that didn't work right.
Please do this......
Go to the link below and install erunt and create a back-up of the registry:
http://www.geekstogo...ry-using-erunt/
Next......
Download these two files to your desktop:
MpsSvc
mpsdrv
Now right click on each one and choose "merge". Allow them to merge into the registry.
Reboot the computer and run me another scan with Farbar Service Scanner, post the results
MrC
#33
Posted 13 February 2012 - 10:48 PM
Sorry, I've been away.
What scan do you want run with Farbar?
#34
Posted 14 February 2012 - 08:25 AM
Like this......
Please download Farbar Service Scanner and run it on the computer with the issue.
- Make sure the following options are checked:
  - Internet Services
  - Windows Firewall
  - System Restore
  - Security Center
  - Windows Update
- Press "Scan".
- It will create a log (FSS.txt) in the same directory the tool is run.
- Please copy and paste the log to your reply.
#35
Posted 14 February 2012 - 06:57 PM
Alrighty here ya go!
Farbar Service Scanner Version: 13-02-2012
Ran by Atani (administrator) on 14-02-2012 at 17:56:41
Running from "C:\Users\Atani\Desktop"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.
Windows Firewall:
=============
Firewall Disabled Policy:
==================
System Restore:
============
System Restore Disabled Policy:
========================
Security Center:
============
Windows Update:
============
File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
**** End of log ****
#36
Posted 14 February 2012 - 07:00 PM
Looks Good 
It should be working now, Let me know....MrC
#37
Posted 18 February 2012 - 09:10 AM
Glad we could help. 
If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.
Other members who need assistance please start your own topic in a new thread. Thanks!
~Maurice Naggar
I close my threads if there is 5 days without a response.
#38
Posted 22 February 2012 - 09:30 AM
Reopened at the request of CorvidMoon.
#39
Posted 26 February 2012 - 10:30 PM
Mr. Charlie,
The firewall is working again!!
What's next?
#40
Posted 27 February 2012 - 08:11 AM
Good 
So you're all set now?? MrC