
OTL Tutorial over my head: Sirefef-PL, Win32Dloader & Win32Malware



#16
3mateo

WH-
MSFixIt found no threats, thus no fixes.
I restarted the computer and
here's the FUNBAR Log:
Thanks again!
-M


Farbar Service Scanner Version: 04-08-2012 01
Ran by Jim (administrator) on 06-08-2012 at 11:34:22
Running from "C:\Documents and Settings\Jim\Local Settings\Temporary Internet Files\Content.IE5\WI9M8R58"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============
BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x080000000400000001000000020000000300000005000000060000000700000008000000
IpSec Tag value is correct.

**** End of log ****


#17
WhiteHat

Download Windows Repair (all in one) from this site

Install the programme then run

Posted Image

Go to step 3 and allow it to run SFC
Posted Image

On the start repairs tab click start
Posted Image

Select the following items and tick restart system when finished
Posted Image

#18
3mateo

WH-
I installed Windows Repair, ran the SFC, ran the Start Repairs, then restarted.
What next?
Thanks again!!
-M

#19
WhiteHat

Hi,

How is your computer?

Please, run Farbar Service Scanner again and post the log. (FSS.txt) :thumbsup:

#20
3mateo

'alo WhiteHat-
The comp is running very well; I don't notice any problems.
QUESTION: Should I run one of the other scanners I have? e.g., Avast, SpyBot, etc.?
And if I should, is it best to delete or vault any findings?

Thank you very much!!
-M




Farbar Service Scanner Version: 06-08-2012
Ran by Jim (administrator) on 08-08-2012 at 11:07:05
Running from "C:\Documents and Settings\Jim\Local Settings\Temporary Internet Files\Content.IE5\UIWPYCA4"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x080000000400000001000000020000000300000005000000060000000700000008000000
IpSec Tag value is correct.

**** End of log ****
  • 0
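Added example, not part of the original thread and not Farbar's own code: a short Python script that splits two Farbar Service Scanner logs into their underlined sections and reports which findings disappeared or appeared between runs, as with the BITS warning that is in the first log above and absent from the second. The sample logs are constructed by abbreviating the ones posted here, and the function names `parse_fss` and `diff_fss` are hypothetical.

```python
import re

# Constructed sample: abbreviated from the first FSS log in this thread.
LOG_BEFORE = r"""Farbar Service Scanner Version: 04-08-2012 01
Ran by Jim (administrator) on 06-08-2012 at 11:34:22
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.

Windows Update:
============
BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

File Check:
========
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

**** End of log ****
"""
# Constructed sample for the later run: same body with the BITS lines gone,
# which leaves the Windows Update section empty as in the second log.
LOG_AFTER = "\n".join(l for l in LOG_BEFORE.splitlines() if "BITS" not in l)

def parse_fss(text):
    """Return {section title: [finding lines]} for the body of an FSS log."""
    lines = [l.rstrip() for l in text.splitlines()]
    # The body starts after the row of asterisks that closes the header.
    start = next((i + 1 for i, l in enumerate(lines) if re.fullmatch(r"\*{10,}", l)), 0)
    body, sections, current = lines[start:], {}, None
    for i, line in enumerate(body):
        underline = body[i + 1] if i + 1 < len(body) else ""
        if line.endswith(":") and re.fullmatch(r"=+", underline):
            current = line[:-1]  # a title is a "Name:" line underlined with "="
            sections.setdefault(current, [])
        elif not line or re.fullmatch(r"=+", line) or line.startswith("****"):
            continue  # blank lines, underlines and the end-of-log marker
        elif current is not None:
            sections[current].append(line)
    return sections

def diff_fss(before, after):
    """Per section, list findings that disappeared (resolved) or appeared (new)."""
    old, new = parse_fss(before), parse_fss(after)
    changes = {}
    for title in list(old) + [t for t in new if t not in old]:
        gone = [l for l in old.get(title, []) if l not in new.get(title, [])]
        added = [l for l in new.get(title, []) if l not in old.get(title, [])]
        if gone or added:
            changes[title] = {"resolved": gone, "new": added}
    return changes

if __name__ == "__main__":
    for title, change in diff_fss(LOG_BEFORE, LOG_AFTER).items():
        print(title, change)
```

A finding line that itself ends in a colon, such as the BITS warning, is not mistaken for a section title because it has no `=` underline beneath it.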

#21
WhiteHat


QUESTION: Should I run one of the other scanners I have? e.g., Avast, SpyBot, etc.?
And if I should, is it best to delete or vault any findings?

It's not necessary.

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean

The following will implement some cleanup procedures as well as reset System Restore points:

Remove ComboFix

  • Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
  • In the Run box, type in ComboFix /Uninstall (Notice the space between the "x" and "/") then click OK

    Posted Image
  • Follow the prompts on the screen
  • A message should appear confirming that ComboFix was uninstalled

Remove OTL

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:
  • Go to this site and click Do I have Java
  • It will check your current version and then offer to update to the latest version

SPRING CLEAN

To manually create a new Restore Point
  • (If you use Windows 7/Vista)
  • Go to Control Panel and select System
  • Select System
  • On the left select System Protection and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name i.e. Clean
  • Select Create

  • (If you use Windows XP)
  • Go to Start > All Programs > Accessories > System Tools > System Restore.
  • Select the option Create a restore point and click Next.
  • Type in a name i.e. Clean
  • Select Create

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
Malwarebytes. Update and run weekly to keep your system clean.

Download and install FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

It is critical to have both a firewall and antivirus to protect your system and to keep them updated. To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place??

Keep safe.

#22
3mateo

WH-
Everything runs fine, but all free virus scans are turning up items.
Below are 1) the only virus that Avast free ed. found, followed by 2) the MBAM Log, and then 3) a funbar scan (cuz it seems like it provides you info.)
Is there anything to worry about or do; or are those false positives, or changes we have made during the cleaning process?
The only change I've made since your instructions is to add PeerBlock.

Thanks as always!
-M


1) ####################

AVAST found 1 virus:
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP7\A0000399.exe|>nsis.hdr

Avast called it: NSIS:Zugo-A[Adw]
(PS, I typed all of this out so it might be slightly off.)



2) ######################
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.08.11

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Jim :: BOSS [administrator]

8/9/2012 4:50:51 PM
mbam-log-2012-08-09 (17-26-54).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 247233
Time elapsed: 33 minute(s), 14 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (PUP.MyWebSearch) -> No action taken.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\Jim\Favorites\Antivirus scan for at UTC - VirusTotal.url (Rogue.Link) -> No action taken.

(end)




3) ### FUNBAR ###

Farbar Service Scanner Version: 06-08-2012
Ran by Jim (administrator) on 09-08-2012 at 17:36:33
Running from "C:\Documents and Settings\Jim\Local Settings\Temporary Internet Files\Content.IE5\202BA4CM"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x080000000400000001000000020000000300000005000000060000000700000008000000
IpSec Tag value is correct.

**** End of log ****

#23
WhiteHat

Hi,

You can delete all of those items detected by MBAM and Avast.

Download OTL to your Desktop
Please reopen Posted Image on your desktop.
  • Under the Posted Image box at the bottom, paste in the following

    :Commands
    [CLEARALLRESTOREPOINTS]
    [CREATERESTOREPOINT]
    [EMPTYTEMP]
    
  • Then click the Posted Image button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post


#24
3mateo

WH-
I've been out of town for 2 weeks.
My girlfriend did a few things on my comp including downloading a Bing Toolbar, deleting a number of programs.
I don't know if it affected things or not, but the OTL report looks odd.
Thanks as always!
-M


All processes killed
Error: Unable to interpret <[CLEARALLRESTOREPOINTS] > in the current context!
Error: Unable to interpret <[CREATERESTOREPOINT] > in the current context!
Error: Unable to interpret <[EMPTYTEMP]> in the current context!

OTL by OldTimer - Version 3.2.59.1 log created on 08272012_095603

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

#25
WhiteHat

Please, repeat the procedure with the OTL. You need to copy the entire fix.

Download OTL to your Desktop
Please reopen Posted Image on your desktop.
  • Under the Posted Image box at the bottom, paste in the following.

    :Commands
    [CLEARALLRESTOREPOINTS]
    [EMPTYTEMP]

    Make sure you copied everything, including the :Commands
  • Then click the Posted Image button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post



#26
3mateo

WH-
Gotcha, I see my mistake; thanks!
Here it is:




All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Jim
->Temp folder emptied: 4837679 bytes
->Temporary Internet Files folder emptied: 9662638 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 506 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 32902 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 4753764864 bytes

Total Files Cleaned = 4,548.00 mb


OTL by OldTimer - Version 3.2.59.1 log created on 08272012_212148

Files\Folders moved on Reboot...
C:\Documents and Settings\Jim\Local Settings\Temporary Internet Files\Content.IE5\XJGZ50X7\fastbutton[2].htm moved successfully.
C:\Documents and Settings\Jim\Local Settings\Temporary Internet Files\Content.IE5\XJGZ50X7\page__st__15[1].htm moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

#27
WhiteHat

How is your computer?

#28
3mateo

It is -- and has been running very well since we got into the clean-up process (thanks).
Also, the Malware scan came up clean.
(Again, just in case, see the Funbar scan below.)
Thanks again,
-M






FUNBAR LOG:


Farbar Service Scanner Version: 06-08-2012
Ran by Jim (administrator) on 28-08-2012 at 20:42:56
Running from "C:\Documents and Settings\Jim\Local Settings\Temporary Internet Files\Content.IE5\VO21KJ0L"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x080000000400000001000000020000000300000005000000060000000700000008000000
IpSec Tag value is correct.

**** End of log ****

#29
WhiteHat

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean

The following will implement some cleanup procedures as well as reset System Restore points:

Remove ComboFix

  • Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
  • In the Run box, type in ComboFix /Uninstall (Notice the space between the "x" and "/") then click OK

    Posted Image
  • Follow the prompts on the screen
  • A message should appear confirming that ComboFix was uninstalled

Remove OTL

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:
  • Go to this site and click Do I have Java
  • It will check your current version and then offer to update to the latest version

SPRING CLEAN

To manually create a new Restore Point
  • (If you use Windows 7/Vista)
  • Go to Control Panel and select System
  • Select System
  • On the left select System Protection and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name i.e. Clean
  • Select Create

  • (If you use Windows XP)
  • Go to Start > All Programs > Accessories > System Tools > System Restore.
  • Select the option Create a restore point and click Next.
  • Type in a name i.e. Clean
  • Select Create

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
Malwarebytes. Update and run weekly to keep your system clean.

Download and install FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

It is critical to have both a firewall and antivirus to protect your system and to keep them updated. To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place??

Keep safe.

