Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

DOS/Alureon.A Trojan (and other variants) Infection and possible Maste


  • This topic is locked This topic is locked

#16
CompCav

CompCav

    Member 5k

  • Expert
  • 12,448 posts
Reenable your antivirus, update it, and run security check again.
  • 0

Advertisements


#17
cleftuppercut

cleftuppercut

    Member

  • Topic Starter
  • Member
  • PipPip
  • 60 posts
I re-enabled MSE, but each time I update the definitions, the update fails. I will attempt to post the error message in the next reply.
  • 0

#18
cleftuppercut

cleftuppercut

    Member

  • Topic Starter
  • Member
  • PipPip
  • 60 posts
This is the support information for the error:

Error code: 0x80240022
Error description: Security Essentials couldn't download the definition updates. This might be caused by a missing system file, an incorrect system setting, or a problem with a registry file.
  • 0

#19
CompCav

CompCav

    Member 5k

  • Expert
  • 12,448 posts
Please open up Farbar Services Scan again, tick all boxes, run scan and post the FSS.txt
  • 0

#20
cleftuppercut

cleftuppercut

    Member

  • Topic Starter
  • Member
  • PipPip
  • 60 posts
FSS Log (this was run with MSE real time protection ON):

Farbar Service Scanner Version: 06-08-2012
Ran by Bryan (administrator) on 11-08-2012 at 17:21:03
Running from "C:\Users\Bryan\Desktop"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============
BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****
  • 0

#21
CompCav

CompCav

    Member 5k

  • Expert
  • 12,448 posts
If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
To disable MBAM
Open the scanner and select the protection tab
Remove the tick from "Start with Windows"
Reboot and then run OTL
Posted Image




  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.

    :OTL
    
    
    :files
    ipconfig /flushdns /c
    netsh int ip reset c:\resetlog.txt /c
    ipconfig /release /c
    ipconfig /renew /c
    sc create BITS binpath= "c:\windows\system32\svchost.exe -k netsvcs" start= delayed-auto /c
    
    :reg
    
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [createrestorepoint]
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date and the time of the tool run.


Then rerun and post FSS.txt again
  • 0

#22
cleftuppercut

cleftuppercut

    Member

  • Topic Starter
  • Member
  • PipPip
  • 60 posts
Malwarebytes 'Protection' tab displays a 'activate trial' button and a little splash graphic of the benefits of the full service. Do i need to activate the trial in order to proceed with the disabling?
  • 0

#23
CompCav

CompCav

    Member 5k

  • Expert
  • 12,448 posts

Do i need to activate the trial in order to proceed with the disabling?


No as long as you are not using the trial of full version you can skip this step.
  • 0

#24
cleftuppercut

cleftuppercut

    Member

  • Topic Starter
  • Member
  • PipPip
  • 60 posts
The problem is there are no other options under the 'protection' tab except for enable trial. Wait, do you mean skip the entire disabling step?
  • 0

#25
CompCav

CompCav

    Member 5k

  • Expert
  • 12,448 posts
You do not need the trial so do not do anything under that tab, just close the program.
  • 0

Advertisements


#26
cleftuppercut

cleftuppercut

    Member

  • Topic Starter
  • Member
  • PipPip
  • 60 posts
Sorry for my confusion, thank you.

OTL Log:

All processes killed
========== OTL ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Bryan\Desktop\cmd.bat deleted successfully.
C:\Users\Bryan\Desktop\cmd.txt deleted successfully.
< netsh int ip reset c:\resetlog.txt /c >
Reseting Interface, OK!
Restart the computer to complete this action.
C:\Users\Bryan\Desktop\cmd.bat deleted successfully.
C:\Users\Bryan\Desktop\cmd.txt deleted successfully.
< ipconfig /release /c >
Windows IP Configuration
No operation can be performed on Wireless Network Connection while it has its media disconnected.
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::a535:6db3:18b8:f299%12
Default Gateway . . . . . . . . . :
Wireless LAN adapter Wireless Network Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : home
Tunnel adapter isatap.home:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : 2001:0:9d38:953c:28f7:3c0f:93d2:73af
Link-local IPv6 Address . . . . . : fe80::28f7:3c0f:93d2:73af%15
Default Gateway . . . . . . . . . : ::
C:\Users\Bryan\Desktop\cmd.bat deleted successfully.
C:\Users\Bryan\Desktop\cmd.txt deleted successfully.
< ipconfig /renew /c >
Windows IP Configuration
No operation can be performed on Wireless Network Connection while it has its media disconnected.
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : home
Link-local IPv6 Address . . . . . : fe80::a535:6db3:18b8:f299%12
IPv4 Address. . . . . . . . . . . : 192.168.1.4
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
Wireless LAN adapter Wireless Network Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : home
Tunnel adapter isatap.home:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Tunnel adapter isatap.{21F3F089-4358-48CF-ABBA-438D6126AACB}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
C:\Users\Bryan\Desktop\cmd.bat deleted successfully.
C:\Users\Bryan\Desktop\cmd.txt deleted successfully.
< sc create BITS binpath= "c:\windows\system32\svchost.exe -k netsvcs" start= delayed-auto /c >
[SC] CreateService FAILED 1073:
The specified service already exists.
C:\Users\Bryan\Desktop\cmd.bat deleted successfully.
C:\Users\Bryan\Desktop\cmd.txt deleted successfully.
========== REGISTRY ==========
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Bryan
->Temp folder emptied: 7689104 bytes
->Temporary Internet Files folder emptied: 1706420 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 75297533 bytes
->Google Chrome cache emptied: 1905008 bytes
->Flash cache emptied: 1432 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 602896 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 83.00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.56.0 log created on 08112012_173543

Files\Folders moved on Reboot...
C:\Users\Bryan\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

PendingFileRenameOperations files...
File C:\Users\Bryan\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found!

Registry entries deleted on Reboot...


FSS Log:

Farbar Service Scanner Version: 06-08-2012
Ran by Bryan (administrator) on 11-08-2012 at 17:40:32
Running from "C:\Users\Bryan\Desktop"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============
BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****
  • 0

#27
cleftuppercut

cleftuppercut

    Member

  • Topic Starter
  • Member
  • PipPip
  • 60 posts
Also, after running the OTL, when I went to reopen firefox to check the directions before running FSS, Firefox had a request for permissions, presumably for updates, which i allowed. I'm not sure if that is relevant, but just letting you know.
  • 0

#28
CompCav

CompCav

    Member 5k

  • Expert
  • 12,448 posts
We need to manually start the BITS process.

Click Start >> Run >> type services.msc >> click OK

Now in the list look for Background Intelligent Transfer Service.

Right click on Background Intelligent Transfer Service.
Click on Properties.

In the window that comes up you will see:

Startup type: (Select Automatic (Delayed Start))

Service status is Stopped so click the Start button and Service status: display Started
Click OK to close.


Then rerun Farbar Services with all boxes checked and post the FSS.txt
  • 0

#29
cleftuppercut

cleftuppercut

    Member

  • Topic Starter
  • Member
  • PipPip
  • 60 posts
Attempted to start BITS (in the list, instead of saying 'background intelligent transfer service' it just listed it as 'BITS') as you instructed. When I clicked 'start' on the properties menu, a pop-up showed a loading bar for a few seconds, then I received the following error pop-up:

"Windows could not start the BITS service on Local Computer
Error 126: The Specified module could not be found"

Edited by cleftuppercut, 11 August 2012 - 03:57 PM.

  • 0

#30
CompCav

CompCav

    Member 5k

  • Expert
  • 12,448 posts
OK next we will check the disc and then the file structure

  • On the desktop click the My Computer icon
  • Right click your main drive (I am on C) and select properties
  • Select the tools tab
  • Select error checking
  • Place a tick in both boxes
  • Press start
  • You will get a warning that it needs to reboot to continue
  • Allow it to do so

Posted Image

Once completed

Run an elevated command prompt
Go to Start, All programs, Accessories
Right click command prompt and select run as administrator
Posted Image

In the black box that opens type or copy and paste the following command and press enter:

sfc /scannow

Posted Image

After all this is completed run Farbar Services Scanner and post FSS.txt
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP