[WhiteHat]

Hi,

Sorry, I made a little mistake. Let's try again.

Please reopen on your desktop.

• Under the box at the bottom, paste in the following
  
  

  :Reg
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
  "DisableAntiSpyware"=DWORD:0
  
  :Files
  Net Start WinDefend /c
  
  :Commands
  [CREATERESTOREPOINT]
  [EMPTYTEMP]
  

• Then click the button at the top
• Let the program run unhindered, reboot the PC when it is done
• Navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

NEXT

Run Farbar Service Scanner and post the log.

[Advertisements]

No problem WhiteHat,

OTL Results:


All processes killed
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\\"DisableAntiSpyware"|DWORD:0 /E : value set successfully!
========== FILES ==========
< Net Start WinDefend /c >
The Windows Defender service is starting.
C:\Users\A\Desktop\cmd.bat deleted successfully.
C:\Users\A\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
Restore point Set: OTL Restore Point

[EMPTYTEMP]

User: A
->Temp folder emptied: 2331671 bytes
->Temporary Internet Files folder emptied: 33350 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 16739806 bytes
->Flash cache emptied: 456 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1824 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 18.00 mb


OTL by OldTimer - Version 3.2.59.1 log created on 09082012_005743

Files\Folders moved on Reboot...
C:\Users\A\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

[AnthonyOhio]

No problem WhiteHat,

OTL Results:


All processes killed
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\\"DisableAntiSpyware"|DWORD:0 /E : value set successfully!
========== FILES ==========
< Net Start WinDefend /c >
The Windows Defender service is starting.
C:\Users\A\Desktop\cmd.bat deleted successfully.
C:\Users\A\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
Restore point Set: OTL Restore Point

[EMPTYTEMP]

User: A
->Temp folder emptied: 2331671 bytes
->Temporary Internet Files folder emptied: 33350 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 16739806 bytes
->Flash cache emptied: 456 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1824 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 18.00 mb


OTL by OldTimer - Version 3.2.59.1 log created on 09082012_005743

Files\Folders moved on Reboot...
C:\Users\A\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

[AnthonyOhio]

FSS Results:

Farbar Service Scanner Version: 06-08-2012
Ran by A (administrator) on 08-09-2012 at 01:02:42
Running from "G:\"
Microsoft Windows 7 Professional Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

[WhiteHat]

Hi,

Please, hold on the Windows + R on your keyboard. This will display the run dialogue box.

Type cmd and press [ENTER]

Type Net Start WinDefend and tell me the result.

[AnthonyOhio]

Thank You WhiteHat,

The results are below:

Microsoft Windows [Version 6.1.7601]
Copyright © 2009 Microsoft Corporation. All rights reserved.

C:\Users\A>net start windefend
The Windows Defender service is starting.
The Windows Defender service could not be started.

The service did not report an error.

More help is available by typing NET HELPMSG 3534.


C:\Users\A>net helpmsg 3534

The service did not report an error.


C:\Users\A>

[WhiteHat]

I know you already did these instructions below but try again.

Download Windows Repair (all in one) from this site

Install the program then run



Go to step 3 and allow it to run SFC



On the start repairs tab click start


Select the following items and tick restart system when finished

[AnthonyOhio]

I completed the repair.

[AnthonyOhio]

Here are the FSS results:

Thank you.

Farbar Service Scanner Version: 06-08-2012
Ran by A (administrator) on 11-09-2012 at 08:32:24
Running from "C:\Users\A\Desktop"
Microsoft Windows 7 Professional Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

[WhiteHat]

• Run OTL
• Copy the lines under the Code
  

  HKEY_Local_Machine\System\CurrentcontrolSet\Services\WinDefend /s
  HKEY_Local_Machine\System\CurrentcontrolSet\Services\RpcLocator /s

• Back to the program and paste the text in red in the text box "Custom Scan / Fixes"
• Click in the button
• Click on Run Scan button
• The examination takes a while, be patient.
• Copy the entire contents of the log OTL.txt and post in your next reply

NEXT:

Please reopen on your desktop.

• Under the box at the bottom, paste in the following
  
  

  :Files
  Net Start RpcLocator /c
  Net Start WinDefend /c
  
  :Commands
  [CREATERESTOREPOINT]
  [EMPTYTEMP]
  

• Then click the button at the top
• Let the program run unhindered, reboot the PC when it is done
• Navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

[AnthonyOhio]

Thank you WhiteHat.

I just returned from a trip and tried the repair.

Results are below

Error: Unable to interpret <HKEY_Local_Machine\System\CurrentcontrolSet\Services\WinDefend /s > in the current context!
Error: Unable to interpret <HKEY_Local_Machine\System\CurrentcontrolSet\Services\RpcLocator /s> in the current context!

OTL by OldTimer - Version 3.2.59.1 log created on 09132012_180310

[AnthonyOhio]

All processes killed
========== FILES ==========
< Net Start RpcLocator /c >
The Remote Procedure Call (RPC) Locator service is starting.
The Remote Procedure Call (RPC) Locator service was started successfully.
C:\Users\A\Desktop\cmd.bat deleted successfully.
C:\Users\A\Desktop\cmd.txt deleted successfully.
< Net Start WinDefend /c >
The Windows Defender service is starting.
C:\Users\A\Desktop\cmd.bat deleted successfully.
C:\Users\A\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
Restore point Set: OTL Restore Point

[EMPTYTEMP]

User: A
->Temp folder emptied: 22022 bytes
->Temporary Internet Files folder emptied: 1946176 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 16745880 bytes
->Flash cache emptied: 456 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1216 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 18.00 mb


OTL by OldTimer - Version 3.2.59.1 log created on 09132012_180551

Files\Folders moved on Reboot...
C:\Users\A\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

[WhiteHat]

Hi,

Results are below

Error: Unable to interpret <HKEY_Local_Machine\System\CurrentcontrolSet\Services\WinDefend /s > in the current context!
Error: Unable to interpret <HKEY_Local_Machine\System\CurrentcontrolSet\Services\RpcLocator /s> in the current context!

You clicked in the wrong button and I need to you repeat the instructions. Keep in mind that the button you need to click is Run Scan

• Run OTL
• Copy the lines under the Code
  

  HKEY_Local_Machine\System\CurrentcontrolSet\Services\WinDefend /s
  HKEY_Local_Machine\System\CurrentcontrolSet\Services\RpcLocator /s

• Back to the program and paste the text in red in the text box "Custom Scan / Fixes"
• Click in the button
• Click on Run Scan button
• The examination takes a while, be patient.
• Copy the entire contents of the log OTL.txt and post in your next reply

NEXT:

Run Farbar Service Scanner again and send me the log.

[AnthonyOhio]

Thank You, WhiteHat.

I completed the OTL scan correctly this time.

OTL logfile created on: 9/14/2012 8:19:43 AM - Run 3
OTL by OldTimer - Version 3.2.59.1 Folder = C:\Users\A\Desktop
64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

7.98 Gb Total Physical Memory | 6.16 Gb Available Physical Memory | 77.25% Memory free
15.95 Gb Paging File | 13.93 Gb Available in Paging File | 87.31% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 450.21 Gb Total Space | 341.73 Gb Free Space | 75.91% Space Free | Partition Type: NTFS
Drive D: | 698.63 Gb Total Space | 20.77 Gb Free Space | 2.97% Space Free | Partition Type: NTFS
Drive G: | 7.59 Gb Total Space | 7.53 Gb Free Space | 99.24% Space Free | Partition Type: FAT32

Computer Name: A-QOSMIO | User Name: A | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

========== Custom Scans ==========

< HKEY_Local_Machine\System\CurrentcontrolSet\Services\WinDefend /s >
"DisplayName" = @%ProgramFiles%\Windows Defender\MsMpRes.dll,-103
"ErrorControl" = 1
"ImagePath" = %SystemRoot%\System32\svchost.exe -k secsvcs -- [2011/03/01 04:05:31 | 000,021,504 | ---- | M] (Microsoft Corporation)
"Start" = 3
"Type" = 32
"Description" = @%ProgramFiles%\Windows Defender\MsMpRes.dll,-1176
"DependOnService" = RpcSs [binary data]
"ObjectName" = LocalSystem
"ServiceSidType" = 1
"RequiredPrivileges" = [Binary data over 100 bytes]
"DelayedAutoStart" = 0
"FailureActions" = 80 51 01 00 00 00 00 00 00 00 00 00 03 00 00 00 14 00 00 00 01 00 00 00 60 EA 00 00 01 00 00 00 60 EA 00 00 00 00 00 00 00 00 00 00 [binary data]
[HKEY_LOCAL_MACHINE\System\CurrentcontrolSet\Services\WinDefend\Parameters]
"ServiceDllUnloadOnStop" = 1
"ServiceDll" = %ProgramFiles%\Windows Defender\mpsvc.dll
[HKEY_LOCAL_MACHINE\System\CurrentcontrolSet\Services\WinDefend\Security]
"Security" = [Binary data over 100 bytes]
[HKEY_LOCAL_MACHINE\System\CurrentcontrolSet\Services\WinDefend\TriggerInfo]
[HKEY_LOCAL_MACHINE\System\CurrentcontrolSet\Services\WinDefend\TriggerInfo\0]
"Type" = 5
"Action" = 1
"GUID" = E6 CA 9F 65 DB 5B A9 4D B1 FF CA 2A 17 8D 46 E0 [binary data]

< HKEY_Local_Machine\System\CurrentcontrolSet\Services\RpcLocator /s >
"DisplayName" = @%systemroot%\system32\Locator.exe,-2
"ImagePath" = %SystemRoot%\system32\locator.exe
"Description" = @%systemroot%\system32\Locator.exe,-3
"ObjectName" = NT AUTHORITY\NetworkService
"ErrorControl" = 1
"Start" = 3
"Type" = 16
"RequiredPrivileges" = SeChangeNotifyPrivilege [binary data]
"FailureActions" = 84 03 00 00 00 00 00 00 00 00 00 00 03 00 00 00 14 00 00 00 01 00 00 00 C0 D4 01 00 01 00 00 00 E0 93 04 00 00 00 00 00 00 00 00 00 [binary data]

< End of report >

[AnthonyOhio]

FSS scan results:

Farbar Service Scanner Version: 06-08-2012
Ran by A (administrator) on 14-09-2012 at 08:25:07
Running from "C:\Users\A\Desktop"
Microsoft Windows 7 Professional Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2012-09-13 18:20] - [2012-08-22 14:12] - 1913200 ____A (Microsoft Corporation) F782CAD3CEDBB3F9FFE3BF2775D92DDC

C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

[WhiteHat]

Everything seems fine. Let me check if you still infected.

• Run OTL
• Select All Users
• Copy the lines under the Code.
  

  netsvcs
  msconfig
  %SYSTEMDRIVE%\*.*
  %systemdrive%\drivers\*.exe
  %systemroot%\system32\drivers\*.* /90
  %PROGRAMFILES%\*.*
  /md5start
  explorer.exe
  winlogon.exe
  Userinit.exe
  svchost.exe
  /md5stop
  %systemdrive%\$Recycle.Bin|@;true;true;true
  HKLM\SOFTWARE\CLIENTS\Startmenuinternet|command /rs
  HKLM\SOFTWARE\CLIENTS\Startmenuinternet|command /64 /rs
  CREATERESTOREPOINT
  

• Back to the program and paste the text in red in the text box "Custom Scan / Fixes"
• Click on Run Scan button
• The examination takes a while, be patient.
• Copy the entire contents of the log OTL.txt and post in your next reply