Win64-Sirefef (Windows 7 - 64bit) [Solved]


  • This topic is locked

#31
WhiteHat (Trusted Helper, Retired Staff, 1,925 posts)
Hi,

Sorry, I made a little mistake. Let's try again.

Please reopen Posted Image on your desktop.
  • Under the Posted Image box at the bottom, paste in the following

    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:0
    
    :Files
    Net Start WinDefend /c
    
    :Commands
    [CREATERESTOREPOINT]
    [EMPTYTEMP]
    
  • Then click the Posted Image button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
NEXT

Run Farbar Service Scanner and post the log.
  • 0


#32
AnthonyOhio (Member, Topic Starter, 39 posts)
No problem WhiteHat,

OTL Results:


All processes killed
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\\"DisableAntiSpyware"|DWORD:0 /E : value set successfully!
========== FILES ==========
< Net Start WinDefend /c >
The Windows Defender service is starting.
C:\Users\A\Desktop\cmd.bat deleted successfully.
C:\Users\A\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
Restore point Set: OTL Restore Point

[EMPTYTEMP]

User: A
->Temp folder emptied: 2331671 bytes
->Temporary Internet Files folder emptied: 33350 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 16739806 bytes
->Flash cache emptied: 456 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1824 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 18.00 mb


OTL by OldTimer - Version 3.2.59.1 log created on 09082012_005743

Files\Folders moved on Reboot...
C:\Users\A\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
  • 0

#33
AnthonyOhio (Member, Topic Starter, 39 posts)
FSS Results:

Farbar Service Scanner Version: 06-08-2012
Ran by A (administrator) on 08-09-2012 at 01:02:42
Running from "G:\"
Microsoft Windows 7 Professional Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****
  • 0

#34
WhiteHat (Trusted Helper, Retired Staff, 1,925 posts)
Hi,

Please hold down Windows + R on your keyboard. This will display the Run dialogue box.

Type cmd and press [ENTER]

Type Net Start WinDefend and tell me the result.
  • 0

#35
AnthonyOhio (Member, Topic Starter, 39 posts)
Thank You WhiteHat,

The results are below:

Microsoft Windows [Version 6.1.7601]
Copyright © 2009 Microsoft Corporation. All rights reserved.

C:\Users\A>net start windefend
The Windows Defender service is starting.
The Windows Defender service could not be started.

The service did not report an error.

More help is available by typing NET HELPMSG 3534.


C:\Users\A>net helpmsg 3534

The service did not report an error.


C:\Users\A>


  • 0

#36
WhiteHat (Trusted Helper, Retired Staff, 1,925 posts)
I know you already followed these instructions below, but try again.

Download Windows Repair (all in one) from this site

Install the program then run

Posted Image

Go to step 3 and allow it to run SFC
Posted Image


On the start repairs tab click start
Posted Image

Select the following items and tick restart system when finished
Posted Image
  • 0

#37
AnthonyOhio (Member, Topic Starter, 39 posts)
I completed the repair.
  • 0

#38
AnthonyOhio (Member, Topic Starter, 39 posts)
Here are the FSS results:

Thank you.

Farbar Service Scanner Version: 06-08-2012
Ran by A (administrator) on 11-09-2012 at 08:32:24
Running from "C:\Users\A\Desktop"
Microsoft Windows 7 Professional Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****
  • 0

#39
WhiteHat (Trusted Helper, Retired Staff, 1,925 posts)
  • Run OTL
  • Copy the lines under the Code
    HKEY_Local_Machine\System\CurrentcontrolSet\Services\WinDefend /s
    HKEY_Local_Machine\System\CurrentcontrolSet\Services\RpcLocator /s
  • Back to the program and paste the text in red in the text box "Custom Scan / Fixes"
  • Click on the button Posted Image
  • Click on Run Scan button
  • The examination takes a while; be patient.
  • Copy the entire contents of the log OTL.txt and post it in your next reply

NEXT:

Please reopen Posted Image on your desktop.
  • Under the Posted Image box at the bottom, paste in the following

    :Files
    Net Start RpcLocator /c
    Net Start WinDefend /c
    
    :Commands
    [CREATERESTOREPOINT]
    [EMPTYTEMP]
    
  • Then click the Posted Image button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

  • 0

#40
AnthonyOhio (Member, Topic Starter, 39 posts)
Thank you WhiteHat.

I just returned from a trip and tried the repair.

Results are below

Error: Unable to interpret <HKEY_Local_Machine\System\CurrentcontrolSet\Services\WinDefend /s > in the current context!
Error: Unable to interpret <HKEY_Local_Machine\System\CurrentcontrolSet\Services\RpcLocator /s> in the current context!

OTL by OldTimer - Version 3.2.59.1 log created on 09132012_180310
  • 0


#41
AnthonyOhio (Member, Topic Starter, 39 posts)
All processes killed
========== FILES ==========
< Net Start RpcLocator /c >
The Remote Procedure Call (RPC) Locator service is starting.
The Remote Procedure Call (RPC) Locator service was started successfully.
C:\Users\A\Desktop\cmd.bat deleted successfully.
C:\Users\A\Desktop\cmd.txt deleted successfully.
< Net Start WinDefend /c >
The Windows Defender service is starting.
C:\Users\A\Desktop\cmd.bat deleted successfully.
C:\Users\A\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
Restore point Set: OTL Restore Point

[EMPTYTEMP]

User: A
->Temp folder emptied: 22022 bytes
->Temporary Internet Files folder emptied: 1946176 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 16745880 bytes
->Flash cache emptied: 456 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1216 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 18.00 mb


OTL by OldTimer - Version 3.2.59.1 log created on 09132012_180551

Files\Folders moved on Reboot...
C:\Users\A\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
  • 0

#42
WhiteHat (Trusted Helper, Retired Staff, 1,925 posts)
Hi,

Results are below

Error: Unable to interpret <HKEY_Local_Machine\System\CurrentcontrolSet\Services\WinDefend /s > in the current context!
Error: Unable to interpret <HKEY_Local_Machine\System\CurrentcontrolSet\Services\RpcLocator /s> in the current context!

You clicked the wrong button and I need you to repeat the instructions. Keep in mind that the button you need to click is Run Scan.

  • Run OTL
  • Copy the lines under the Code
    HKEY_Local_Machine\System\CurrentcontrolSet\Services\WinDefend /s
    HKEY_Local_Machine\System\CurrentcontrolSet\Services\RpcLocator /s
  • Back to the program and paste the text in red in the text box "Custom Scan / Fixes"
  • Click on the button Posted Image
  • Click on Run Scan button
  • The examination takes a while; be patient.
  • Copy the entire contents of the log OTL.txt and post it in your next reply


NEXT:

Run Farbar Service Scanner again and send me the log.
  • 0

#43
AnthonyOhio (Member, Topic Starter, 39 posts)
Thank You, WhiteHat.

I completed the OTL scan correctly this time.

OTL logfile created on: 9/14/2012 8:19:43 AM - Run 3
OTL by OldTimer - Version 3.2.59.1 Folder = C:\Users\A\Desktop
64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

7.98 Gb Total Physical Memory | 6.16 Gb Available Physical Memory | 77.25% Memory free
15.95 Gb Paging File | 13.93 Gb Available in Paging File | 87.31% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 450.21 Gb Total Space | 341.73 Gb Free Space | 75.91% Space Free | Partition Type: NTFS
Drive D: | 698.63 Gb Total Space | 20.77 Gb Free Space | 2.97% Space Free | Partition Type: NTFS
Drive G: | 7.59 Gb Total Space | 7.53 Gb Free Space | 99.24% Space Free | Partition Type: FAT32

Computer Name: A-QOSMIO | User Name: A | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

========== Custom Scans ==========

< HKEY_Local_Machine\System\CurrentcontrolSet\Services\WinDefend /s >
"DisplayName" = @%ProgramFiles%\Windows Defender\MsMpRes.dll,-103
"ErrorControl" = 1
"ImagePath" = %SystemRoot%\System32\svchost.exe -k secsvcs -- [2011/03/01 04:05:31 | 000,021,504 | ---- | M] (Microsoft Corporation)
"Start" = 3
"Type" = 32
"Description" = @%ProgramFiles%\Windows Defender\MsMpRes.dll,-1176
"DependOnService" = RpcSs [binary data]
"ObjectName" = LocalSystem
"ServiceSidType" = 1
"RequiredPrivileges" = [Binary data over 100 bytes]
"DelayedAutoStart" = 0
"FailureActions" = 80 51 01 00 00 00 00 00 00 00 00 00 03 00 00 00 14 00 00 00 01 00 00 00 60 EA 00 00 01 00 00 00 60 EA 00 00 00 00 00 00 00 00 00 00 [binary data]
[HKEY_LOCAL_MACHINE\System\CurrentcontrolSet\Services\WinDefend\Parameters]
"ServiceDllUnloadOnStop" = 1
"ServiceDll" = %ProgramFiles%\Windows Defender\mpsvc.dll
[HKEY_LOCAL_MACHINE\System\CurrentcontrolSet\Services\WinDefend\Security]
"Security" = [Binary data over 100 bytes]
[HKEY_LOCAL_MACHINE\System\CurrentcontrolSet\Services\WinDefend\TriggerInfo]
[HKEY_LOCAL_MACHINE\System\CurrentcontrolSet\Services\WinDefend\TriggerInfo\0]
"Type" = 5
"Action" = 1
"GUID" = E6 CA 9F 65 DB 5B A9 4D B1 FF CA 2A 17 8D 46 E0 [binary data]

< HKEY_Local_Machine\System\CurrentcontrolSet\Services\RpcLocator /s >
"DisplayName" = @%systemroot%\system32\Locator.exe,-2
"ImagePath" = %SystemRoot%\system32\locator.exe
"Description" = @%systemroot%\system32\Locator.exe,-3
"ObjectName" = NT AUTHORITY\NetworkService
"ErrorControl" = 1
"Start" = 3
"Type" = 16
"RequiredPrivileges" = SeChangeNotifyPrivilege [binary data]
"FailureActions" = 84 03 00 00 00 00 00 00 00 00 00 00 03 00 00 00 14 00 00 00 01 00 00 00 C0 D4 01 00 01 00 00 00 E0 93 04 00 00 00 00 00 00 00 00 00 [binary data]

< End of report >
  • 0
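The registry dump above is easier to read once its numeric fields are decoded. The following Python is an added example, not code from the thread or from OTL: it parses the two key dumps from this post (embedded as constructed sample input) and turns Start, Type, ErrorControl and the FailureActions blob into the documented Service Control Manager names, picking up ServiceDll from the Parameters subkey and stripping the file annotation OTL appends to ImagePath. Start = 3 is SERVICE_DEMAND_START, which is what FSS reports as "Demand"; the FailureActions blob is a SERVICE_FAILURE_ACTIONS structure, so the decoder shows which recovery actions the SCM would take if the service crashed.

```python
"""Decode an OTL custom-scan dump of a service's registry key (the
"Services\\<name> /s" output posted above) into readable Service Control
Manager settings. Added example: not part of the thread and not OTL's own
code. The constant names are the documented Win32 SCM values; the dump
parser and the field names in the summary are my own."""
import re
import struct

START_TYPES = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START",
               2: "SERVICE_AUTO_START", 3: "SERVICE_DEMAND_START",
               4: "SERVICE_DISABLED"}
SERVICE_TYPES = {1: "SERVICE_KERNEL_DRIVER", 2: "SERVICE_FILE_SYSTEM_DRIVER",
                 16: "SERVICE_WIN32_OWN_PROCESS", 32: "SERVICE_WIN32_SHARE_PROCESS"}
ERROR_CONTROL = {0: "SERVICE_ERROR_IGNORE", 1: "SERVICE_ERROR_NORMAL",
                 2: "SERVICE_ERROR_SEVERE", 3: "SERVICE_ERROR_CRITICAL"}
SC_ACTIONS = {0: "SC_ACTION_NONE", 1: "SC_ACTION_RESTART",
              2: "SC_ACTION_REBOOT", 3: "SC_ACTION_RUN_COMMAND"}

# Constructed sample input: the two key dumps from the OTL log above (abridged).
WINDEFEND_DUMP = r"""
< HKEY_Local_Machine\System\CurrentcontrolSet\Services\WinDefend /s >
"DisplayName" = @%ProgramFiles%\Windows Defender\MsMpRes.dll,-103
"ErrorControl" = 1
"ImagePath" = %SystemRoot%\System32\svchost.exe -k secsvcs -- [2011/03/01 04:05:31 | 000,021,504 | ---- | M] (Microsoft Corporation)
"Start" = 3
"Type" = 32
"ObjectName" = LocalSystem
"DelayedAutoStart" = 0
"FailureActions" = 80 51 01 00 00 00 00 00 00 00 00 00 03 00 00 00 14 00 00 00 01 00 00 00 60 EA 00 00 01 00 00 00 60 EA 00 00 00 00 00 00 00 00 00 00 [binary data]
[HKEY_LOCAL_MACHINE\System\CurrentcontrolSet\Services\WinDefend\Parameters]
"ServiceDllUnloadOnStop" = 1
"ServiceDll" = %ProgramFiles%\Windows Defender\mpsvc.dll
"""

RPCLOCATOR_DUMP = r"""
< HKEY_Local_Machine\System\CurrentcontrolSet\Services\RpcLocator /s >
"ImagePath" = %SystemRoot%\system32\locator.exe
"ObjectName" = NT AUTHORITY\NetworkService
"ErrorControl" = 1
"Start" = 3
"Type" = 16
"FailureActions" = 84 03 00 00 00 00 00 00 00 00 00 00 03 00 00 00 14 00 00 00 01 00 00 00 C0 D4 01 00 01 00 00 00 E0 93 04 00 00 00 00 00 00 00 00 00 [binary data]
"""

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)" = (?P<value>.*)$')


def parse_service_dump(dump):
    """Return {subkey path: {value name: raw text}}; "" holds the root key."""
    keys = {"": {}}
    current = ""
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # a subkey header such as ...\Parameters
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m:
            keys[current][m.group("name")] = m.group("value")
    return keys


def decode_failure_actions(raw):
    """Parse the hex dump of a SERVICE_FAILURE_ACTIONS structure.

    Layout (little-endian DWORDs): dwResetPeriod (seconds), lpRebootMsg offset,
    lpCommand offset, cActions, lpsaActions offset, then cActions pairs of
    (SC_ACTION_TYPE, delay in milliseconds) starting at the lpsaActions offset."""
    data = bytes.fromhex("".join(raw.replace("[binary data]", "").split()))
    reset, _reboot_msg, _command, count, actions_off = struct.unpack_from("<5I", data, 0)
    actions = []
    for i in range(count):
        kind, delay_ms = struct.unpack_from("<2I", data, actions_off + 8 * i)
        actions.append((SC_ACTIONS.get(kind, f"unknown({kind})"), delay_ms))
    return {"reset_period_s": reset, "actions": actions}


def summarize(dump):
    """Decode the values a service triage usually looks at first."""
    keys = parse_service_dump(dump)
    root = keys[""]
    params = next((v for k, v in keys.items() if k.endswith(r"\Parameters")), {})
    failure = root.get("FailureActions")
    return {
        "start": START_TYPES.get(int(root["Start"]), f"unknown({root['Start']})"),
        "type": SERVICE_TYPES.get(int(root["Type"]), f"unknown({root['Type']})"),
        "error_control": ERROR_CONTROL.get(int(root.get("ErrorControl", 1))),
        # OTL appends " -- [timestamp | size | attrs] (company)" to file values.
        "image_path": root.get("ImagePath", "").split(" -- ")[0],
        "account": root.get("ObjectName"),
        "service_dll": params.get("ServiceDll"),
        "failure_actions": decode_failure_actions(failure) if failure else None,
    }


if __name__ == "__main__":
    for name, dump in (("WinDefend", WINDEFEND_DUMP), ("RpcLocator", RPCLOCATOR_DUMP)):
        print(name, summarize(dump))
```

Only FailureActions has a fixed binary layout; the other values are plain DWORD or string text in the dump, so the parser keeps them as text and converts them on lookup. For WinDefend the decoder yields a one-day reset period and two automatic restarts one minute apart, which is the shape of the stock recovery policy; a service whose recovery actions had been blanked out would show up here as an empty action list.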

#44
AnthonyOhio (Member, Topic Starter, 39 posts)
FSS scan results:

Farbar Service Scanner Version: 06-08-2012
Ran by A (administrator) on 14-09-2012 at 08:25:07
Running from "C:\Users\A\Desktop"
Microsoft Windows 7 Professional Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2012-09-13 18:20] - [2012-08-22 14:12] - 1913200 ____A (Microsoft Corporation) F782CAD3CEDBB3F9FFE3BF2775D92DDC

C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****
  • 0
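The three FSS logs in this thread (posts #33, #38 and #44) each report the same two deviations: the WinDefend start type is Demand instead of the default Auto, and the DisableAntiSpyware policy value is 1 even though the OTL fix in post #31 set it to 0. The following Python is an added example, not code from the thread or from FSS: it splits an FSS log into its sections and flags those deviations, plus any File Check entry that is not marked "MD5 is legit" (the tcpip.sys line in this post), using an excerpt of the post #44 log as constructed sample input. The finding labels are my own.

```python
"""Triage a Farbar Service Scanner (FSS) log for signs that Windows Defender
has been tampered with. Added example: not part of the thread and not FSS's
own code. Section names and sentence patterns are taken from the logs
posted in this thread; the finding labels are my own choice."""
import re

# Constructed sample input: an excerpt of the FSS log from post #44.
SAMPLE_LOG = r"""
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2012-09-13 18:20] - [2012-08-22 14:12] - 1913200 ____A (Microsoft Corporation) F782CAD3CEDBB3F9FFE3BF2775D92DDC

C:\Windows\System32\dnsrslvr.dll => MD5 is legit


**** End of log ****
"""

# A section is a "Name:" line followed by a line of '=' characters.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+):$")
NOT_RUNNING_RE = re.compile(r"^(?P<svc>\w+) Service is not running")
START_TYPE_RE = re.compile(
    r"The start type of (?P<svc>\w+) service is set to (?P<cur>\w+)\. "
    r"The default start type is (?P<default>\w+)\."
)
POLICY_RE = re.compile(r'^"(?P<name>\w+)"=DWORD:(?P<value>\d+)$')
# File Check lines are either "<path> => MD5 is legit" or a bare path followed
# by the file's details on the next line when the hash did not match.
FILE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?)(?: => (?P<verdict>.*))?$")


def split_sections(log):
    """Return {section name: [body lines]} in the order the sections appear."""
    sections = {}
    current = None
    lines = log.splitlines()
    for i, line in enumerate(lines):
        m = SECTION_RE.match(line.strip())
        if m and i + 1 < len(lines) and lines[i + 1].startswith("==="):
            current = m.group("name")
            sections[current] = []
        elif current is not None and not line.startswith("==="):
            sections[current].append(line.rstrip())
    return sections


def triage(log):
    """Return (kind, detail) findings; an empty list means nothing stood out."""
    findings = []
    for name, body in split_sections(log).items():
        for line in body:
            if name.endswith("Disabled Policy"):
                # Any non-zero policy value under a "... Disabled Policy" heading
                # means something switched that component off by policy.
                m = POLICY_RE.match(line.strip())
                if m and int(m.group("value")) != 0:
                    findings.append(("policy", f"{name}: {m.group('name')}={m.group('value')}"))
            elif name == "File Check":
                m = FILE_RE.match(line.strip())
                if m and m.group("verdict") != "MD5 is legit":
                    findings.append(("file", m.group("path")))
            else:
                m = NOT_RUNNING_RE.match(line)
                if m:
                    findings.append(("not_running", m.group("svc")))
                m = START_TYPE_RE.search(line)
                if m and m.group("cur") != m.group("default"):
                    findings.append(("start_type",
                                     f"{m.group('svc')}: {m.group('cur')} (default {m.group('default')})"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:12s} {detail}")
```

Run against the full logs in this thread, the same four findings appear in every scan after the fix in post #31, which is the detail worth noticing: a policy value that returns to 1 after being set to 0 points to something on the system re-applying it, not to a one-off misconfiguration. A file flagged under "file" only means FSS could not match the hash against its list; the detail line FSS prints under the path (timestamps, size, signer, hash) is what a helper compares against a known-good copy.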

#45
WhiteHat (Trusted Helper, Retired Staff, 1,925 posts)
Everything seems fine. Let me check if you are still infected.

  • Run OTL
  • Select All Users
  • Copy the lines under the Code.
    netsvcs
    msconfig
    %SYSTEMDRIVE%\*.*
    %systemdrive%\drivers\*.exe
    %systemroot%\system32\drivers\*.* /90
    %PROGRAMFILES%\*.*
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    %systemdrive%\$Recycle.Bin|@;true;true;true
    HKLM\SOFTWARE\CLIENTS\Startmenuinternet|command /rs
    HKLM\SOFTWARE\CLIENTS\Startmenuinternet|command /64 /rs
    CREATERESTOREPOINT
    
  • Back to the program and paste the text in red in the text box "Custom Scan / Fixes"
  • Click on Run Scan button
  • The examination takes a while; be patient.
  • Copy the entire contents of the log OTL.txt and post it in your next reply

  • 0





