[2troubled]

Am I to run Farbar before I shut down or after? Or do I just shut down and then just attach the log? Also what am I to do with the Kaspersky Window that showed the results of the scan?

[Crag_Hack]

Please run farbar after you restart then post the log. For Kaspersky you can close it. Are you sure you went to the right folder to find the Kaspersky log? It will be here: C:\ProgramData\Kaspersky Lab\KSS2\DataRoot
So go to that folder then right-click on the HtmlReport folder, click Send to, then click Compressed (zipped) folder in order to zip it. Then attach the HtmlReport zipped folder to your next post.

Let me know if you have any problems. If you can't find the right folder and attach it we can use a different scanner. Tomorrow I head back to my house so I might not have time to get back to you tomorrow. I will definitely be able to Monday though.

[2troubled]

I am sorry but I followed the "tree" to that folder and it just isn't there. I had my husband double check what I did and he said it wasn't there. I will now shut down and restart and run Farbar and send the report.

[2troubled]

I shut the computer down, restarted and ran Farbar. Here is the report. I DID NOT shut off AVAST!

Attached File(s)

•  FSS.txt (2.72K)
  Number of downloads: 12

[Crag_Hack]

I figured out what was wrong with Kaspersky Security Scan... it does not generate a report in the htmlreport folder unless you click the Details button in the Problems Found window that appears upon completion of the scan. Please redo the scan (sorry about this taking so much time KSS seems a little silly not to create the report regardless) then when the scan is done the Problems found window will appear, after it appears click the Details button to view the report which will then create the report in the HtmlReport folder. Zip the HtmlReport folder and attach it to your post. I will then take a look at it. Let me know if you run into any problems - I'm pretty confident I pinned down the problem however. I will get back to you tomorrow hopefully but if not then then definitely on Monday.

[2troubled]

Ok I got it done. We were at church this morning and then had lunch with a friend. Here is the Html report.

Attached File(s)

•  HtmlReport.zip (318.09K)
  Number of downloads: 5

[Crag_Hack]

Hi 2troubled. Your Windows Defender servicedll path is incorrect. We need to run another registry file to fix it. Then we'll check if the fix worked. As long as this works then we are done and I will give you my cleanup speech. Please do the following:

Step 1

• Download and run  WinDefend.reg (7.41K)
  Number of downloads: 4
  
• Answer yes in the registry editor dialog box

Step 2

• run farbar service scanner
  
  
  
  
• Tick All options.
  
• Press Scan.
  
• It will create a log (FSS.txt) in the same directory the tool is run.
  
• Please copy and paste the log to your reply.

Things to see in your next post:
FSS.txt

[2troubled]

Farbar Service Scanner Version: 06-08-2012
Ran by Becky (administrator) on 20-08-2012 at 18:45:52
Running from "C:\Users\Becky\Downloads"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend: "%ProgramFiles(x86)%\Windows Defender\mpsvc.dll".


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

[2troubled]

I wasn't sure if I was to shut down before running Farbar. The first log I posted was before shut down. This log is after a shut down.


Farbar Service Scanner Version: 06-08-2012
Ran by Becky (administrator) on 20-08-2012 at 18:50:56
Running from "C:\Users\Becky\Downloads"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend: "%ProgramFiles(x86)%\Windows Defender\mpsvc.dll".


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

[Crag_Hack]

Hi 2troubled. Unfortunately the registry file did not fix the Windows Defender registry data. We will now try to fix it using a manual technique. Please do the following:

• Press the Windows key
  
• Type regedit.exe and press Enter
  
• Navigate to the following key (using the tree on the left side of the Registry Editor window)
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\windefend\Parameters
  
• Right click the Servicedll value (it will be on the right side of the Registry Editor window) and select modify
  
• In the box that opens remove the (x86) part only
  
• You should be left with %ProgramFiles%\Windows Defender\mpsvc.dll
  
• Click OK
  
• Close out of regedit
  
• Restart twice
  
• Run Farbar Service Scanner again:

• run farbar service scanner
  
  
  
  
• Tick All options.
  
• Press Scan.
  
• It will create a log (FSS.txt) in the same directory the tool is run.
  
• Please copy and paste the log to your reply.

Things to see in your next post:
FSS.txt

[2troubled]

Here you go. I did the manual changes and shut down twice. Then ran Farbar

Farbar Service Scanner Version: 06-08-2012
Ran by Becky (administrator) on 21-08-2012 at 21:51:11
Running from "C:\Users\Becky\Downloads"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

[Crag_Hack]

Hi 2troubled. Your Windows Update and Action Center services are not running right now. We need to investigate this to determine if anything is wrong. This is the final step I promise! Please do the following:

• Press the Windows Key
  
• Type services.msc and press enter to open the Services window
  
• Scroll to the Security Center service
  
• Double-click its name
  
• Press the Start button and let me know what happens - if you get any errors let me know also let me know if the Service status: shows Started afterwards
  
• Repeat steps 3-5 for the Windows Udpate Service

Please run FSS again (do not restart):

• run farbar service scanner
  
  
  
  
• Tick All options.
  
• Press Scan.
  
• It will create a log (FSS.txt) in the same directory the tool is run.
  
• Please copy and paste the log to your reply.

Things to see in your next post:
Service troubleshooting results
FSS.txt

[2troubled]

When I clicked on security center the "start" button was not an option but it did say services started

When I clicked on Windows Defender I got the following message"

"The windows defender service on Local computer started and then stopped. Some services stop automatically if tehy are not in use by other service or programs."

here is the Farbar log:
Farbar Service Scanner Version: 06-08-2012
Ran by Becky (administrator) on 22-08-2012 at 17:11:53
Running from "C:\Users\Becky\Downloads"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

[Crag_Hack]

Now that we're done scanning for and disinfecting malware it's time to clean up. I noticed you have outdated java and adobe reader apps. You will want to upgrade these to prevent possible infection through these apps in the future.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java :
Please download JavaRa to your desktop and unzip it to its own folder

• Run JavaRa.exe, then click Remove JRE.
  
• Run the built-in uninstallers for all copies of java listed
  
• Click the Next button
  
• Click the Next button again
  
• Click the Java Manual Download link
  
• A browser window will open with the Java download page
  
• Click the Windows Offline (32-bit) or Windows Offline (64-bit) link to download Java (based on your browser type)
  
• Run the installer
  
• Close JavaRa

Upgrading Adobe Reader:

• Go to Start Menu --> Control Panel --> Programs and Features
  
• Scroll to and select the Adobe Reader entry
  
• Click Remove or Uninstall
  
• Follow the instructions
  
• Go to this site: http://get.adobe.com/reader/ or http://www.foxitsoft...ure_PDF_Reader/ for Foxit Reader (I prefer Foxit - it is less targeted by malware and allows pdf form editing)
  
• Download and install the newest Adobe Reader (or Foxit)

Please use your computer a couple hours at least and make sure there are no remaining symptoms. Try Windows Update and see if it works. If there are no symptoms proceed with the following instructions. One final step to take in disinfecting your computer is to purge all system restore points. This ensures that you will not get reinfected by files hiding in the system restore points. To do this follow these instructions:

• Run OTL
  
• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :Commands
  [ClearAllRestorePoints]

  
  
  
• Then click the Run Fix button at the top
  
• OTL may ask to reboot the machine. Please do so if asked.
  
• Post the log it produces in your next reply.
  
• If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run. Make sure to grab the contents of this file before following the cleanup procedure described next.

We will now clean up Combofix.
Press the Windows key and the R key at the same time
Copy/paste the following bolded text into the Run box and click OK:
ComboFix /Uninstall

You can now remove all the tools that were used to disinfect your computer by running OTL and clicking the CleanUp button.

Now that your computer is disinfected it is important to keep it that way. What follows are guidelines to keeping your computer malware-free.

You absolutely must have an antivirus program installed. This is important because the antivirus program runs in the background of the computer and prevents viruses from both infecting the computer and doing malicious things to the computer. This can prevent many infections in the first place. Just as a city without police would be chaotic so would a computer with an anti-virus program. I recommend the free programs Avira AntiVir Personal and avast! Free Anti-Virus . Also make absolutely sure to only have one anti-virus installed as more than one can slow your computer, create software conflicts, and increase your vulnerability to viruses and malware.

It is also advised to have an anti-spyware program as well. I recommend the paid version of Malwarebytes' Anti-Malware. This program complementing your anti-virus can protect your computer from most infections out there. Make absolutely sure to only have one anti-spyware installed as more than one can slow your computer, create software conflicts, and increase your vulnerability to viruses and malware.

A program to complement your anti-virus and anti-spyware with passive protection is SpywareBlaster. SpywareBlaster is not a malware scanner or removal tool and uses no system resources except a little disk space. It does a great job of preventing malware from being installed in the first place! It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them from malicious websites. You can download it here. To use it to protect your computer install it then do the following regularly at your concenience (once a week is adequate):

• Run SpywareBlaster
  
• Click Updates on the left of the screen
  
• Click the 'Check for Updates' button and let the program update
  
• Click 'Protection Status' on the left of the screen
  
• Click 'Enable All Protection' on the bottom of the screen and SpywareBlaster will implement its protection
  
• Exit the program

Another program to add additional protection is Spybot Search and Destroy. It works similar to SpywareBlaster by providing passive protection. You can download it here. To use it to protect your computer install it then do the following regularly at your concenience (once a week is adequate):

• Run Spybot S&D
  
• Click "Search for Updates"
  
• Click "Continue"
  
• Click "Download" - ignore if it says "please select some update files from the list first"
  
• Click "OK" in update window if it prompts you
  
• Click "Exit" in update window when update finishes or if Spybot said "please select some update files from the list first"
  
• Go back to Spybot main window
  
• Close Internet Explorer/Firefox/Chrome if they are open
  
• Click "Immunize"
  
• Wait for the progress meter to complete
  
• Click the "Immunize" button with the plus sign next to it towards the top of the window
  
• Wait for the progress meter to complete
  
• Close the program

And one last program to add additional protection is Panda USB vaccine. This program disables the autorun rile on removable devices. You can vaccinate both a computer and a removable device. To download and run refer to here.

Another important thing to have installed is a firewall to secure communications to and from your computer. The firewall prevents inbound communications from the Internet to your computer that could be malicious in nature. Some firewalls also regulate outbound communications from your computer to the Internet that could be malicious as well. Inbound communications can take advantage of security holes in software running on your computer to gain control of your computer and infect you with malware. Outbound communications can be from malware on your computer to malicious websites on the Internet, containing information about your computer usage and even your passwords. For these reasons it is essential to the security of your computer to install a firewall. Make sure to only install one firewall as any more than that would prove to be redundant - one firewall is just as effective as multiple ones. Also more than one firewall could cause software conflicts. This applies to the Windows firewall as well - if you use a third-party firewall make sure to disable the Windows firewall. I recommend ZoneAlarm Free Firewall or Comodo Firewall.

Besides these measures, an equally important step to take to protect your computer from malware is to update all programs regularly including Windows Updates. Windows, Java, Adobe Flash, PDF readers, and other programs have security holes in them that leave your computer vulnerable to malicious code from hackers that could infect your computer with malware when taken advantage of. Updates close these holes. For this reason it is important to always update programs when prompted. Windows Updates is enabled by default in Windows and Java, Flash, and others have auto-update programs enabled by default as well. You will not have to worry about setting up the auto-update feature for these programs unless you altered the settings to begin with. Make sure as well to never update a program via e-mail - companies will never send e-mails to update their products. In order to help you update programs you might want to download and run FileHippo.com Update Checker from here. This program will tell you which programs need to be updated.

One last thing to consider is to exercise caution when browsing the web and viewing e-mails. Try to stay away from non-reputable websites including websites for software piracy and pornography. By staying away from these websites you decrease your chances of malware infection significantly. To help you exercise caution in your browsing habits you can download and install Web of Trust into your web browser here. This program will install in your browser and color code the website you are viewing to inform you if it is safe or not; green means safe, yellow means proceed with caution, and red means danger. Viewing e-mails should also be done with caution. If you don't recognize an email as one from a known or requested source then you will be safer to avoid opening it. File attachments should be opened only with extreme caution as they can contain files that exploit security holes on your computer and infect you with malware. Never open an attachment unless you are expecting it or you verify that the sender intended to send it to you. Also make sure to scan the attachment before opening it.

You might want to use an alternate browser than Internet Explorer. Firefox and Google Chrome are excellent candidates. They are more secure than Internet Explorer and are just as functional. You can download Google Chrome here and Firefox here.

Something just as important as preventing infection by malware is to backup your data. You can read about different methods here.

Some articles you might be interested in reading to reiterate points I have addressed in this post as well as make new points follow:

• How to prevent malware by miekiemoes
  
• Preventing Malware and Safe Computing by Rorschach112
  
• PC Safety and Security--What Do I Need?
  
• How did I get infected in the first place?

By following these steps you should ensure that you most likely will never get infected with malware again. Good luck and safe browsing!

-Josh

[Crag_Hack]

By the way ... forgot to mention ... we are done! Infection all gone. Let me know if you have any questions/problems.