
Virus/malware that just won't go away and Google redirecting


This topic is locked
42 replies to this topic

#21 CorvidMoon

CorvidMoon

    New Member

  • Members
  • 40 posts

Posted 03 February 2012 - 08:19 PM

Malwarebytes log:

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org
Database version: v2012.02.03.11
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Atani :: ATANI-PC [administrator]
2/3/2012 7:14:38 PM
mbam-log-2012-02-03 (19-14-38).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 191566
Time elapsed: 4 minute(s), 10 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)

#22 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • 28,168 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 04 February 2012 - 10:08 AM

Clean....Good!

How is it running?? MrC

Malware Removal Expert




I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Thanks MrC & crew

#23 CorvidMoon

CorvidMoon

    New Member

  • Members
  • 40 posts

Posted 04 February 2012 - 07:17 PM

Better than it has for a long time! Am I good to reinstall antivirus?

#24 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • 28,168 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 05 February 2012 - 09:21 AM

That's Good News!

Yes, reinstall your AV.

----------------------------------

also........

Older versions of Java and Adobe Reader are vulnerable to malware.

Go to your Control Panel's Add/Remove Programs and uninstall these:

Java™ 6 Update 14

Adobe Reader 9.1

---------------------------------

Download and install the latest version of Java: Java™ 6 Update 30

http://www.java.com/...load/manual.jsp <---latest version

http://www.java.com/...d/installed.jsp <---verify your Java

-------------------------------

Install the latest version of Adobe Reader:

http://get.adobe.com/reader/

You can untick this:

Free! McAfee Security Scan Plus

-------------------------------------

Please Uninstall ComboFix:

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

----------------------------------

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

--------------------------
Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

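As an added example (not code from the thread, from Malwarebytes or from Oracle/Adobe): a PowerShell snippet that lists the Java and Adobe Reader entries in the Uninstall registry keys with their versions, so you can see exactly which old versions are still installed before removing them through Add/Remove Programs. The display-name patterns are an assumption; widen them for other products.

```powershell
# Added example (not from the thread). Lists installed Java and Adobe Reader
# entries from both the 64-bit and 32-bit (WOW6432Node) Uninstall keys, which
# is where Add/Remove Programs builds its list on Windows 7 x64.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
# Display-name patterns to look for (assumption: adjust for other products).
$patterns = @('Java*', 'Adobe Reader*')

$found = foreach ($root in $uninstallRoots) {
    if (-not (Test-Path -Path $root)) { continue }
    foreach ($subkey in Get-ChildItem -Path $root) {
        $props = Get-ItemProperty -Path $subkey.PSPath
        if (-not $props.DisplayName) { continue }
        foreach ($pattern in $patterns) {
            if ($props.DisplayName -like $pattern) {
                # New-Object PSObject keeps this working on the PowerShell 2.0 that
                # shipped with Windows 7.
                New-Object PSObject -Property @{
                    Name      = $props.DisplayName
                    Version   = $props.DisplayVersion
                    Installed = $props.InstallDate
                    Uninstall = $props.UninstallString
                }
            }
        }
    }
}

if ($found) {
    # Several Java updates can coexist; sorting by name and version groups them.
    $found | Sort-Object Name, Version | Format-Table -Property Name, Version, Installed, Uninstall -AutoSize
} else {
    Write-Output 'No Java or Adobe Reader entries found in the Uninstall keys.'
}
```

The UninstallString column shows the command Add/Remove Programs runs for each entry, which is useful when an old version no longer appears in the list but its key is still present.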

#25 CorvidMoon

CorvidMoon

    New Member

  • Members
  • 40 posts

Posted 05 February 2012 - 09:24 PM

Thanks again!

One question though, I can't seem to get windows firewall going again. Should I be concerned?

#26 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • 28,168 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 06 February 2012 - 08:56 AM

Yes, that should be working. Delete your copy of Farbar Service Scanner and download and run a new one:

Please remove any USB or external drives from the computer before you run these scans!

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
MrC


#27 CorvidMoon

CorvidMoon

    New Member

  • Members
  • 40 posts

Posted 07 February 2012 - 08:25 PM

Here ya go!

Farbar Service Scanner Version: 05-02-2012
Ran by Atani (administrator) on 07-02-2012 at 19:24:35
Running from "C:\Users\Atani\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4FWCWMIF"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.

Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.

Firewall Disabled Policy:
==================

System Restore:
============
System Restore Disabled Policy:
========================

Security Center:
============
Windows Update:
===========
File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****

#28 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • 28,168 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 07 February 2012 - 09:04 PM

Make sure the mpsdrv Service is running and set to automatic.

mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.


also make sure MpsSvc Service is running and set to automatic.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.



MrC

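As an added illustration (not code from the thread or from the Farbar tool): a PowerShell script that performs the same checks on the firewall services that the FSS log reports (service key present, Start type, ImagePath, ServiceDll, running state) and, when `$repair` is set, sets the start type to Automatic and starts the service, which is what "running and set to automatic" means in practice. It checks mpsdrv and MpsSvc as named in the post; BFE is added on the assumption that it is the Base Filtering Engine that MpsSvc depends on, and the Group Policy key path is the standard location, also an assumption. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not the thread's or Farbar's code). Checks the Windows Firewall
# services that an FSS log reports on and optionally repairs their start type.
# Run from an elevated (Administrator) PowerShell prompt.
$repair = $false   # set to $true to set the start type to Automatic and start the service
$services = @('mpsdrv', 'MpsSvc', 'BFE')   # BFE assumed: MpsSvc depends on the Base Filtering Engine

# Meaning of the registry Start value (SERVICE_BOOT_START .. SERVICE_DISABLED).
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

foreach ($name in $services) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (-not (Test-Path -Path $key)) {
        # Same condition FSS reports as "Unable to open ... registry key".
        Write-Output "$name : Attention! Service key $key does not exist."
        continue
    }
    $cfg = Get-ItemProperty -Path $key
    $startText = $startNames[[int]$cfg.Start]
    if (-not $startText) { $startText = "unknown ($($cfg.Start))" }

    # Win32_BaseService covers both Win32 services (MpsSvc, BFE) and kernel
    # drivers (mpsdrv); Get-Service alone would not list the driver.
    $svc = Get-WmiObject -Class Win32_BaseService -Filter "Name='$name'"
    $state = if ($svc) { $svc.State } else { 'not registered with the service control manager' }

    Write-Output ("{0} : State={1} Start={2} ImagePath={3}" -f $name, $state, $startText, $cfg.ImagePath)
    # svchost-hosted services such as MpsSvc keep their DLL under Parameters\ServiceDll.
    $params = Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue
    if ($params -and $params.ServiceDll) { Write-Output ("      ServiceDll={0}" -f $params.ServiceDll) }

    if ($repair) {
        # sc.exe syntax requires the space after "start=" ("start= auto").
        & sc.exe config $name start= auto | Out-Null
        & sc.exe start $name | Out-Null
        Write-Output "      repair requested: start type set to Automatic, start attempted"
    }
}

# Firewall-disabled Group Policy values. An empty "Firewall Disabled Policy"
# section in FSS means no such value is set. Key path is an assumption.
foreach ($fwProfile in @('DomainProfile', 'StandardProfile')) {
    $polKey = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\$fwProfile"
    $pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
    if ($pol -and ($pol.PSObject.Properties['EnableFirewall'] -ne $null) -and ($pol.EnableFirewall -eq 0)) {
        Write-Output "Policy: $fwProfile EnableFirewall=0 (firewall disabled by policy)"
    }
}
```

If the script reports that the MpsSvc key does not exist, repairing the start type cannot help: the service definition itself is gone and has to be restored (the .reg merge later in this thread does exactly that), after which a reboot and a rerun of this check or of FSS confirms the key, its ImagePath and ServiceDll are back.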

#29 CorvidMoon

CorvidMoon

    New Member

  • Members
  • 40 posts

Posted 07 February 2012 - 10:49 PM

How do I do either of those? I'm not sure where to find them. My computer is not letting me change any of the firewall settings.

Here's the message I get:

Windows firewall can't change some of your settings.
Error code 0x80070424

or this one:


The windows firewall with advanced security snap-in failed to load. Restart the windows firewall service on the computer that you are managing.
Error code: 0x6D9

#30 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • 28,168 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 08 February 2012 - 10:02 AM

I'm sorry, the link below shows you how to view services:

http://www.sevenforu...rt-disable.html

--------------------------------

We can use Farbar Service Scanner to check them:

Please run Farbar Service Scanner

In the search box enter this:

MPSSVC

now click on Export Service

Notepad will open with the results

Copy and paste it back here.

Repeat the procedure using

MPSDRV

MrC


#31 CorvidMoon

CorvidMoon

    New Member

  • Members
  • 40 posts

Posted 08 February 2012 - 08:59 PM

I can seem to find them on the list of services...

Here are the FSS reports

Attached Files



#32 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • 28,168 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 09 February 2012 - 09:14 AM

For some reason that didn't work right.

Please do this......

Go to the link below and install erunt and create a back-up of the registry:

http://www.geekstogo...ry-using-erunt/

Next......

Download these two files to your desktop:

MpsSvc
mpsdrv

Now right-click on each one and choose "Merge"; allow them to merge into the registry.

Reboot the computer, run me another scan with Farbar Service Scanner, and post the results.

MrC


#33 CorvidMoon

CorvidMoon

    New Member

  • Members
  • 40 posts

Posted 13 February 2012 - 10:48 PM

Sorry, I've been away.

What scan do you want run with Farbar?

#34 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • 28,168 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 14 February 2012 - 08:25 AM

Like this......

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
MrC


#35 CorvidMoon

CorvidMoon

    New Member

  • Members
  • 40 posts

Posted 14 February 2012 - 06:57 PM

Alrighty here ya go!

Farbar Service Scanner Version: 13-02-2012
Ran by Atani (administrator) on 14-02-2012 at 17:56:41
Running from "C:\Users\Atani\Desktop"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

#36 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • 28,168 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 14 February 2012 - 07:00 PM

Looks Good :)

It should be working now. Let me know....MrC


#37 Maurice Naggar

Maurice Naggar

    Staff

  • Moderators
  • 14,550 posts
  • Gender:Male
  • Location:USA
  • Interests:Security, Windows, Windows Update, malware prevention

Posted 18 February 2012 - 09:10 AM

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
Maurice Naggar
Product Support


I close my threads if there is 5 days without a response.

#38 Swandog46

Swandog46

    Elite Member

  • Administrators
  • 958 posts
  • Gender:Male

Posted 22 February 2012 - 09:30 AM

Reopened at the request of CorvidMoon.
Doug Swanson
Chief Technical Officer


#39 CorvidMoon

CorvidMoon

    New Member

  • Members
  • 40 posts

Posted 26 February 2012 - 10:30 PM

Mr. Charlie,

The firewall is working again!!

What's next?

#40 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • 28,168 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 27 February 2012 - 08:11 AM

Good :)

So you're all set now?? MrC

