Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Arestocrat Like Malware [Solved]


  • This topic is locked This topic is locked

#31
FL_Issac

FL_Issac

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Done and Done. I found the OTL log and ran the security check. Here are the logs


----------------------------------------
09112013_210738.txt
----------------------------------------

All processes killed
========== COMMANDS ==========
System Restore Service not available.
========== OTL ==========
Service winmgmt stopped successfully!
Service winmgmt deleted successfully!
File C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ms_Cleaner.exe not found.
winmgmt removed from NetSvcs value successfully!
C:\Documents and Settings\Gateway\Start Menu\Programs\Startup\renaelC_sM.lnk moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: Gateway
->Temp folder emptied: 97373850 bytes
->Temporary Internet Files folder emptied: 29367468 bytes
->Flash cache emptied: 2526 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 23950336 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 7276184 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 159736728 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 303.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 09112013_210738

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...



----------------------------------------
checkup.txt
----------------------------------------

Results of screen317's Security Check version 0.99.73
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
ESET Online Scanner v3
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.75.0.1300
Adobe Flash Player 10 Flash Player out of Date!
Adobe Reader 9 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 16% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
  • 0

Advertisements


#32
SleepyDude

SleepyDude

    Trusted Helper

  • Malware Removal
  • 4,401 posts
Hi Issac,

Your logs are looking good, the malware problem seems resolved but there some other issues that we need to address...

Step 1 - Remove AVG traces and Install Antivirus

I notice that your computer doesn't have an Antivirus software installed! To protect the computer from been reinfected you must install an Antivirus program ASAP also the logs show some traces of old AVG installations that we need to remove.

» Remove AVG traces
  • Visit the AVG page and download AVG Remover(32bit) 2014 (avg_remover_stf_x86_2014_4116.exe) to the Desktop
  • Execute the file avg_remover_stf_x86_2014_4116.exe and follow the on-screen instructions.
  • Restart the computer even if the tool does not prompt you to do so
  • After restart you can delete the file avg_remover_stf_x86_2014_4116.exe from the Desktop

» Install Antivirus
My suggestion is to install Avast Antivirus Free, it provides good protection level and is one of the programs we are currently recommending for users that want a free product.

  • Download Avast Antivirus Free here
  • Execute the avast_free_antivirus_setup on the first install screen make sure you uncheck the check box's and click Express Install like on the image:
    Posted Image
  • During install make sure you select the Free version, its enough for most users.
  • You need to provide a valid e-mail address to activate Avast, the program is free but you need to register every year and opt for the free version.

Step 2 - Farbar Service Scanner

Download Farbar Service Scanner (FSS)
  • Run FSS by double clicking the Posted Image icon
    (On Windows Vista or higher right click the file and select Run as Administrator)
    Posted Image
  • Check all the options
  • click Scan
  • Post the generated log on your reply (The FSS.txt log is saved to the same folder where FSS is run from).

Step 3 - OTL Quick Scan

  • Execute OTL by double clicking the icon Posted Image. Make sure all other windows are closed.
    (On Windows Vista or higher right click the file, select Run as Administrator and accept the Security Warning.)
  • Do not change any settings unless otherwise told to do so. Click the Posted Image button. The scan won't take long.
  • When the scan completes, it will open notepad with OTL.Txt. The file is saved on the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the full contents of the file and post in your topic.


Things I would like to see in your next reply:
  • Did you uninstall AVG successfully?
  • The FSS.txt log
  • The new OTL.txt log

  • 0

#33
FL_Issac

FL_Issac

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Hi again!

AVG was successfully uninstalled ande then I downloaded Avast and installed that.

Finally I ran the two scans, here are their logs.


--------------------------------------------
OTL.txt
--------------------------------------------

OTL logfile created on: 9/13/2013 11:00:41 PM - Run 7
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Gateway\Desktop\OTL
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1013.99 Mb Total Physical Memory | 515.75 Mb Available Physical Memory | 50.86% Memory free
2.39 Gb Paging File | 1.98 Gb Available in Paging File | 82.73% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 139.05 Gb Total Space | 112.42 Gb Free Space | 80.85% Space Free | Partition Type: NTFS
Drive D: | 7.45 Gb Total Space | 7.11 Gb Free Space | 95.34% Space Free | Partition Type: NTFS

Computer Name: GATEWAY-PC | User Name: Gateway | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/09/13 22:58:34 | 000,358,923 | ---- | M] (Farbar) -- C:\Documents and Settings\Gateway\Desktop\FSS.exe
PRC - [2013/09/08 19:06:19 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Gateway\Desktop\OTL\OTL.exe
PRC - [2013/08/30 03:47:34 | 004,858,968 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2013/08/30 03:47:33 | 000,046,808 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2013/02/01 23:55:48 | 001,155,912 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
PRC - [2013/02/01 22:27:40 | 000,045,056 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
PRC - [2009/03/16 16:46:56 | 000,036,864 | ---- | M] () -- C:\WINDOWS\WebCam\M3000\M3000Mnt.exe
PRC - [2009/01/17 03:50:56 | 000,862,728 | ---- | M] (Dritek System Inc.) -- C:\Program Files\Launch Manager\LManager.exe
PRC - [2008/11/10 03:43:44 | 000,345,336 | ---- | M] (QUALCOMM, Inc.) -- C:\QUALCOMM\QDLService\QDLService.exe
PRC - [2008/04/15 21:54:42 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2008/04/15 21:54:40 | 000,178,712 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2013/09/13 19:25:11 | 002,099,200 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\defs\13091303\algo.dll
MOD - [2013/08/14 11:26:10 | 003,194,880 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
MOD - [2013/08/14 11:26:07 | 004,550,656 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
MOD - [2013/08/14 11:26:01 | 000,114,688 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
MOD - [2011/09/27 08:23:00 | 000,087,912 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/09/27 08:22:40 | 001,242,472 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2009/03/16 16:46:56 | 000,036,864 | ---- | M] () -- C:\WINDOWS\WebCam\M3000\M3000Mnt.exe
MOD - [2003/06/07 01:30:08 | 000,057,344 | ---- | M] () -- C:\Program Files\Launch Manager\PowerUtl.dll


========== Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - [2013/08/30 03:47:33 | 000,046,808 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2013/02/01 22:27:40 | 000,045,056 | ---- | M] (Intuit) [Auto | Running] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2009/07/23 23:10:38 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2008/11/10 03:43:44 | 000,345,336 | ---- | M] (QUALCOMM, Inc.) [Auto | Running] -- C:\QUALCOMM\QDLService\QDLService.exe -- (QDLService)
SRV - [2008/04/15 21:54:42 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\Rts5161ccid.sys -- (USBCCID)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS -- (SMSIVZAM5)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\Rts516xIR.sys -- (Rts516xIR)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\RTS5121.sys -- (RSUSBSTOR)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2013/08/30 03:48:13 | 000,369,584 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2013/08/30 03:48:13 | 000,177,864 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\aswVmm.sys -- (aswVmm)
DRV - [2013/08/30 03:48:13 | 000,056,080 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2013/08/30 03:48:12 | 000,770,344 | ---- | M] (AVAST Software) [File_System | System | Stopped] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2013/08/30 03:48:12 | 000,049,760 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (AswRdr)
DRV - [2013/08/30 03:48:12 | 000,049,376 | ---- | M] () [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\drivers\aswRvrt.sys -- (aswRvrt)
DRV - [2013/08/30 03:48:11 | 000,066,336 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV - [2013/08/30 03:48:11 | 000,029,816 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2009/06/22 00:59:26 | 001,574,112 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\athw.sys -- (AR5416)
DRV - [2009/03/24 04:15:14 | 000,145,152 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\M3000KNT.sys -- (M3000Srv)
DRV - [2009/03/02 01:03:48 | 000,038,912 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\l1c51x86.sys -- (L1c)
DRV - [2009/02/24 04:49:44 | 005,032,448 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService)
DRV - [2008/11/10 03:37:34 | 000,115,200 | ---- | M] (QUALCOMM Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\qcusbnetGAD.sys -- (qcusbnetGAD)
DRV - [2008/11/10 03:37:34 | 000,103,680 | ---- | M] (QUALCOMM Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\qcusbserGAD.sys -- (qcusbserGAD)
DRV - [2008/11/10 03:37:34 | 000,005,248 | ---- | M] (QUALCOMM Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\qcfilterGAD.sys -- (QCFilterGAD)
DRV - [2008/08/05 08:10:12 | 001,684,736 | ---- | M] (Creative) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Ambfilt.sys -- (Ambfilt)
DRV - [2006/11/02 09:27:34 | 000,020,112 | ---- | M] (Dritek System Inc.) [Kernel | System | Running] -- C:\Program Files\Launch Manager\DPortIO.sys -- (DritekPortIO)
DRV - [2006/01/04 03:41:48 | 001,389,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Monfilt.sys -- (Monfilt)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = http://www.google.co...ng}&rlz=1I7ACGW

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.gate...h&d=0510&m=lt20
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = http://www.google.co...1I7ACGW_enUS413
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8051.1204: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)



O1 HOSTS File: ([2013/06/15 17:00:34 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (avast! Online Security) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (avast! Online Security) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\Drivers\AzMixerSel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe (Intuit Inc. All rights reserved.)
O4 - HKLM..\Run: [LManager] C:\Program Files\Launch Manager\LManager.exe (Dritek System Inc.)
O4 - HKLM..\Run: [M3000Mnt] Rundll32.exe M3000Rmv.dll ,WinMainRmv /StartStillMnt File not found
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [ROC_roc_dec12] "C:\Program Files\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12 File not found
O4 - HKLM..\Run: [ROC_roc_ssl_v12] "C:\Program Files\AVG Secure Search\ROC_roc_ssl_v12.exe" / /PROMPT /CMPID=roc_ssl_v12 File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{DDBAC713-2FB3-4F91-BD1C-45352DA286D3}: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\intu-help-qb3 {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - C:\Program Files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper:
O24 - Desktop BackupWallPaper:
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/12/10 19:01:16 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2013/09/08 14:19:45 | 000,000,053 | ---- | M] () - D:\AUTORUN.INF -- [ NTFS ]
O33 - MountPoints2\{7adfd72c-1852-11e0-a616-00a0c6000000}\Shell - "" = AutoRun
O33 - MountPoints2\{7adfd72c-1852-11e0-a616-00a0c6000000}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{7adfd72c-1852-11e0-a616-00a0c6000000}\Shell\AutoRun\command - "" = D:\setup.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKCU\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/09/13 22:58:31 | 000,358,923 | ---- | C] (Farbar) -- C:\Documents and Settings\Gateway\Desktop\FSS.exe
[2013/09/13 22:43:08 | 000,369,584 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2013/09/13 22:43:08 | 000,049,760 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2013/09/13 22:43:08 | 000,029,816 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2013/09/13 22:43:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\avast! Free Antivirus
[2013/09/13 22:43:07 | 000,770,344 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2013/09/13 22:43:07 | 000,066,336 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswMonFlt.sys
[2013/09/13 22:43:07 | 000,056,080 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2013/09/13 22:42:11 | 000,041,664 | ---- | C] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2013/09/13 22:21:40 | 000,229,648 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2013/09/13 22:20:02 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2013/09/13 22:19:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2013/09/11 22:06:23 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2013/09/08 19:20:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Gateway\Desktop\RK_Quarantine
[2013/09/08 19:07:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Gateway\Desktop\OTL

========== Files - Modified Within 30 Days ==========

[2013/09/13 22:58:34 | 000,358,923 | ---- | M] (Farbar) -- C:\Documents and Settings\Gateway\Desktop\FSS.exe
[2013/09/13 22:43:09 | 000,001,691 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2013/09/13 22:43:08 | 000,000,318 | -H-- | M] () -- C:\WINDOWS\tasks\avast! Emergency Update.job
[2013/09/13 22:43:07 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2013/09/13 22:34:35 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/09/13 22:34:33 | 1063,317,504 | -HS- | M] () -- C:\hiberfil.sys
[2013/09/13 22:10:09 | 131,918,888 | ---- | M] () -- C:\Documents and Settings\Gateway\Desktop\avast_free_antivirus_setup.exe
[2013/09/12 18:19:41 | 000,891,144 | ---- | M] () -- C:\Documents and Settings\Gateway\Desktop\SecurityCheck.exe
[2013/09/11 21:25:55 | 000,918,016 | ---- | M] () -- C:\Documents and Settings\Gateway\Desktop\RogueKiller.exe
[2013/09/11 21:09:37 | 000,263,024 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/09/11 21:02:55 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2013/09/07 10:55:51 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/08/30 03:48:13 | 000,369,584 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2013/08/30 03:48:13 | 000,177,864 | ---- | M] () -- C:\WINDOWS\System32\drivers\aswVmm.sys
[2013/08/30 03:48:13 | 000,056,080 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2013/08/30 03:48:12 | 000,770,344 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2013/08/30 03:48:12 | 000,049,760 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2013/08/30 03:48:12 | 000,049,376 | ---- | M] () -- C:\WINDOWS\System32\drivers\aswRvrt.sys
[2013/08/30 03:48:11 | 000,066,336 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswMonFlt.sys
[2013/08/30 03:48:11 | 000,029,816 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2013/08/30 03:47:40 | 000,041,664 | ---- | M] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2013/08/30 03:47:32 | 000,229,648 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2013/08/19 11:00:54 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2013/08/15 08:31:49 | 000,443,482 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/08/15 08:31:49 | 000,072,582 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

========== Files Created - No Company Name ==========

[2013/09/13 22:43:09 | 000,001,691 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2013/09/13 22:43:08 | 000,000,318 | -H-- | C] () -- C:\WINDOWS\tasks\avast! Emergency Update.job
[2013/09/13 22:43:07 | 000,177,864 | ---- | C] () -- C:\WINDOWS\System32\drivers\aswVmm.sys
[2013/09/13 22:43:07 | 000,049,376 | ---- | C] () -- C:\WINDOWS\System32\drivers\aswRvrt.sys
[2013/09/13 22:10:05 | 131,918,888 | ---- | C] () -- C:\Documents and Settings\Gateway\Desktop\avast_free_antivirus_setup.exe
[2013/09/12 18:19:39 | 000,891,144 | ---- | C] () -- C:\Documents and Settings\Gateway\Desktop\SecurityCheck.exe
[2013/09/08 19:19:21 | 000,918,016 | ---- | C] () -- C:\Documents and Settings\Gateway\Desktop\RogueKiller.exe
[2013/07/11 06:59:42 | 000,334,216 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2013/06/18 07:49:04 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/12/12 15:30:55 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/06/03 23:33:48 | 000,005,120 | ---- | C] () -- C:\Documents and Settings\Gateway\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/04/25 08:40:31 | 000,001,395 | ---- | C] () -- C:\Documents and Settings\Gateway\Application Data\bibstats
[2011/10/25 16:22:11 | 000,057,604 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2011/01/07 11:32:46 | 000,000,412 | ---- | C] () -- C:\Documents and Settings\Gateway\Application Data\wklnhst.dat

========== ZeroAccess Check ==========

[2009/12/10 19:05:03 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/14 08:00:00 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 08:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008/04/14 08:00:00 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2013/09/13 22:41:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2011/07/09 18:06:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\COMMON FILES
[2011/01/06 06:43:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nuance
[2010/05/21 18:07:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\QUALCOMM
[2011/01/06 07:20:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SQL Anywhere 11
[2011/01/04 17:22:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WEngineLite
[2011/01/14 11:19:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WildTangent
[2011/10/25 15:57:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2011/01/13 19:06:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gateway\Application Data\ntr
[2012/09/10 13:50:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gateway\Application Data\Roaming
[2011/01/04 17:17:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gateway\Application Data\Smith Micro
[2011/01/07 11:33:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gateway\Application Data\Template
[2012/10/23 15:18:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gateway\Application Data\TuneUp Software

========== Purity Check ==========



< End of report >


--------------------------------------------
FSS.txt
--------------------------------------------

Farbar Service Scanner Version: 13-09-2013
Ran by Gateway (administrator) on 13-09-2013 at 22:59:58
Running from "C:\Documents and Settings\Gateway\Desktop"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.

winmgmt Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open winmgmt registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open winmgmt registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open winmgmt registry key. The service key does not exist.
Checking LEGACY_winmgmt: ATTENTION!=====> Unable to open LEGACY_winmgmt\0000 registry key. The key does not exist.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.

winmgmt Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open winmgmt registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open winmgmt registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open winmgmt registry key. The service key does not exist.
Checking LEGACY_winmgmt: ATTENTION!=====> Unable to open LEGACY_winmgmt\0000 registry key. The key does not exist.


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Other Services:
==============


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
aswTdi(10) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x0A000000040000000100000002000000030000000A0000000900000008000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****
  • 0

#34
SleepyDude

SleepyDude

    Trusted Helper

  • Malware Removal
  • 4,401 posts
Hi Issac,

AVG was successfully uninstalled ande then I downloaded Avast and installed that.

Good.


Lets see if we can fix some of the services that are missing...

Step 1 - Run OTL Fix

!!! WARNING !!! The following fix is only relevant for this system and no other, running the script on another computer will not work and may cause problems...


ATTENTION: Before running this fix please disable Spybot Search & Destroy the program include some protection modules that prevents many changes to the system and will attempt to undo any fixes we run.
In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable both programs by following the directions on this link.


  • Execute OTL by double clicking the icon Posted Image. Make sure all other windows are closed.
    Do not change any other settings unless otherwise told to do so.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:
    :OTL
    O4 - HKLM..\Run: [ROC_roc_dec12] "C:\Program Files\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12 File not found
    O4 - HKLM..\Run: [ROC_roc_ssl_v12] "C:\Program Files\AVG Secure Search\ROC_roc_ssl_v12.exe" / /PROMPT /CMPID=roc_ssl_v12 File not found
    
    :Reg
    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\winmgmt]
    "Type"=dword:00000020
    "Start"=dword:00000002
    "ErrorControl"=dword:00000000
    "ImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
      74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
      00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
      6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
    "DisplayName"="Windows Management Instrumentation"
    "DependOnService"=hex(7):52,00,50,00,43,00,53,00,53,00,00,00,00,00
    "DependOnGroup"=hex(7):00,00
    "ObjectName"="LocalSystem"
    "FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,02,00,00,00,03,00,03,\
      00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00
    "Description"="Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start."
    
    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\winmgmt\Parameters]
    "ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
      00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
      77,00,62,00,65,00,6d,00,5c,00,57,00,4d,00,49,00,73,00,76,00,63,00,2e,00,64,\
      00,6c,00,6c,00,00,00
    "ServiceMain"="ServiceMain"
    
    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\winmgmt\Security]
    "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
      00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
      00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
      05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
      20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
      00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
      00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
    
    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\winmgmt\Enum]
    "0"="Root\\LEGACY_WINMGMT\\0000"
    "Count"=dword:00000001
    "NextInstance"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_winmgmt]
    "NextInstance"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_winmgmt\0000]
    "Service"="winmgmt"
    "Legacy"=dword:00000001
    "ConfigFlags"=dword:00000000
    "Class"="LegacyDriver"
    "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    "DeviceDesc"="Windows Management Instrumentation"
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_winmgmt\0000\Control]
    "ActiveService"="winmgmt"
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall"=-
    
    :Files
    C:\Program Files\AVG Secure Search
    reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost" /v netsvcs /c
    net start winmgmt /c
    net start sharedaccess /c
    net start wscsvc /c
    
    :Commands
    [Reboot]
    
  • click the Run Fix button at the top. Let the program run uninterrupted.
  • click OK
Notes:
  • When OTL executes the Fix it can shutdown all running processes and you may lose the Desktop and icons, but they will return on reboot
  • OTL may ask to reboot the machine. Please accept right away.
  • The report should appear in Notepad after the reboot. Copy & Paste that report in your next reply and not as attachment.
  • The OTL fix log will be saved in the following location: C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log - where mmddyyy _hhmmss is the date and time when the fix run.

Step 2 - Farbar Service Scanner

  • After the reboot Please generate a new FSS log
  • Run FSS by double clicking the Posted Image icon
    (On Windows Vista or higher right click the file and select Run as Administrator)
    Posted Image
  • Check all the options
  • click Scan
  • Post the generated log on your reply (The FSS.txt log is saved to the same folder where FSS is run from).

Step 3 - OTL Scan

I want to locate good copies of the file appmgmts.dll because it's missing on the system folder...
  • Double click the OTL icon from your Desktop. Make sure all other windows are closed and let it run uninterrupted.
  • Click the Posted Image button. Do not change any other settings unless otherwise told to do so.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:
    /md5start
    appmgmts.*
    /md5stop
    
  • Then click the Run Scan button at the top. The scan wont take long.
  • When the scan completes, it will open notepad with OTL.Txt. The file is saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of the file and post in your topic


Things I would like to see in your next reply:
  • The OTL Fix log mmddyyyy_hhmmss.log
  • The New FSS.txt log
  • The OTL.txt log

  • 0

#35
FL_Issac

FL_Issac

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Finished, here are the logs you requested


------------------------------------------
09152013_110733.log
------------------------------------------

========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ROC_roc_dec12 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ROC_roc_ssl_v12 deleted successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\winmgmt\\"Type"|dword:00000020 /E : value set successfully!
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\winmgmt\\"Start"|dword:00000002 /E : value set successfully!
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\winmgmt\\"ErrorControl"|dword:00000000 /E : value set successfully!
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\winmgmt\\"ImagePath"|hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00 /E : value set successfully!
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\winmgmt\\"DisplayName"|"Windows Management Instrumentation" /E : value set successfully!
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\winmgmt\\"DependOnService"|hex(7):52,00,50,00,43,00,53,00,53,00,00,00,00,00 /E : value set successfully!
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\winmgmt\\"DependOnGroup"|hex(7):00,00 /E : value set successfully!
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\winmgmt\\"ObjectName"|"LocalSystem" /E : value set successfully!
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\winmgmt\\"FailureActions"|hex:80,51,01,00,00,00,00,00,00,00,00,00,02,00,00,00,03,00,03,00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00 /E : value set successfully!
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\winmgmt\\"Description"|"Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start." /E : value set successfully!
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\winmgmt\Parameters\\"ServiceDll"|hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,77,00,62,00,65,00,6d,00,5c,00,57,00,4d,00,49,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00 /E : value set successfully!
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\winmgmt\Parameters\\"ServiceMain"|"ServiceMain" /E : value set successfully!
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\winmgmt\Security\\"Security"|hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00 /E : value set successfully!
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\winmgmt\Enum\\"0"|"Root\\LEGACY_WINMGMT\\0000" /E : value set successfully!
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\winmgmt\Enum\\"Count"|dword:00000001 /E : value set successfully!
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\winmgmt\Enum\\"NextInstance"|dword:00000001 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_winmgmt\\"NextInstance"|dword:00000001 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_winmgmt\0000\\"Service"|"winmgmt" /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_winmgmt\0000\\"Legacy"|dword:00000001 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_winmgmt\0000\\"ConfigFlags"|dword:00000000 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_winmgmt\0000\\"Class"|"LegacyDriver" /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_winmgmt\0000\\"ClassGUID"|"{8ECC055D-047F-11D1-A537-0000F8753ED1}" /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_winmgmt\0000\\"DeviceDesc"|"Windows Management Instrumentation" /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_winmgmt\0000\Control\\"ActiveService"|"winmgmt" /E : value set successfully!
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\EnableFirewall deleted successfully.
========== FILES ==========
File\Folder C:\Program Files\AVG Secure Search not found.
< reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost" /v netsvcs /c >
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost
netsvcs REG_MULTI_SZ 6to4\0appmgmt\0audiosrv\0browser\0cryptsvc\0dmserver\0dhcp\0ersvc\0eventsystem\0fastuserswitchingcompatibility\0hidserv\0ias\0iprip\0irmon\0lanmanserver\0lanmanworkstation\0messenger\0netman\0nla\0ntmssvc\0nwcworkstation\0nwsapagent\0rasauto\0rasman\0remoteaccess\0schedule\0seclogon\0sens\0sharedaccess\0srservice\0tapisrv\0themes\0trkwks\0w32time\0wzcsvc\0wmi\0wmdmpmsp\0wscsvc\0xmlprov\0napagent\0hkmsvc\0bits\0wuauserv\0shellhwdetection\0helpsvc\0wmdmpmsn\0\0\0
C:\Documents and Settings\Gateway\Desktop\OTL\cmd.bat deleted successfully.
C:\Documents and Settings\Gateway\Desktop\OTL\cmd.txt deleted successfully.
< net start winmgmt /c >
C:\Documents and Settings\Gateway\Desktop\OTL\cmd.bat deleted successfully.
C:\Documents and Settings\Gateway\Desktop\OTL\cmd.txt deleted successfully.
< net start sharedaccess /c >
C:\Documents and Settings\Gateway\Desktop\OTL\cmd.bat deleted successfully.
C:\Documents and Settings\Gateway\Desktop\OTL\cmd.txt deleted successfully.
< net start wscsvc /c >
C:\Documents and Settings\Gateway\Desktop\OTL\cmd.bat deleted successfully.
C:\Documents and Settings\Gateway\Desktop\OTL\cmd.txt deleted successfully.
========== COMMANDS ==========

OTL by OldTimer - Version 3.2.69.0 log created on 09152013_110733


------------------------------------------
FSS.txt
------------------------------------------

Farbar Service Scanner Version: 13-09-2013
Ran by Gateway (administrator) on 15-09-2013 at 11:18:58
Running from "C:\Documents and Settings\Gateway\Desktop"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.

winmgmt Service is not running. Checking service configuration:
The start type of winmgmt service is OK.
The ImagePath of winmgmt service is OK.
The ServiceDll of winmgmt service is OK.


Firewall Disabled Policy:
==================
"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\EnableFirewall" registry value does not exist.


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.

winmgmt Service is not running. Checking service configuration:
The start type of winmgmt service is OK.
The ImagePath of winmgmt service is OK.
The ServiceDll of winmgmt service is OK.


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Other Services:
==============


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
aswTdi(10) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x0A000000040000000100000002000000030000000A0000000900000008000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****


------------------------------------------
OTL.txt
------------------------------------------

OTL logfile created on: 9/15/2013 11:30:55 AM - Run 8
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Gateway\Desktop\OTL
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1013.99 Mb Total Physical Memory | 570.71 Mb Available Physical Memory | 56.28% Memory free
2.39 Gb Paging File | 2.02 Gb Available in Paging File | 84.79% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 139.05 Gb Total Space | 112.41 Gb Free Space | 80.84% Space Free | Partition Type: NTFS
Drive D: | 7.45 Gb Total Space | 7.10 Gb Free Space | 95.22% Space Free | Partition Type: NTFS

Computer Name: GATEWAY-PC | User Name: Gateway | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

========== Custom Scans ==========

< >

< End of report >
  • 0

#36
SleepyDude

SleepyDude

    Trusted Helper

  • Malware Removal
  • 4,401 posts
Hello Issac,

The last fix corrected the missing service now let's see if we can make it start automatically on boot...

Step 1 - Run OTL Fix

!!! WARNING !!! The following fix is only relevant for this system and no other, running the script on another computer will not work and may cause problems...


ATTENTION: Before running this fix please disable Spybot Search & Destroy the program include some protection modules that prevents many changes to the system and will attempt to undo any fixes we run.
In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable both programs by following the directions on this link.


  • Execute OTL by double clicking the icon Posted Image. Make sure all other windows are closed.
    Do not change any other settings unless otherwise told to do so.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:
    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
    "netsvcs"=hex(7):36,00,74,00,6f,00,34,00,00,00,41,00,70,00,70,00,4d,00,67,00,\
      6d,00,74,00,00,00,41,00,75,00,64,00,69,00,6f,00,53,00,72,00,76,00,00,00,42,\
      00,72,00,6f,00,77,00,73,00,65,00,72,00,00,00,43,00,72,00,79,00,70,00,74,00,\
      53,00,76,00,63,00,00,00,44,00,4d,00,53,00,65,00,72,00,76,00,65,00,72,00,00,\
      00,44,00,48,00,43,00,50,00,00,00,45,00,52,00,53,00,76,00,63,00,00,00,45,00,\
      76,00,65,00,6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,46,00,61,\
      00,73,00,74,00,55,00,73,00,65,00,72,00,53,00,77,00,69,00,74,00,63,00,68,00,\
      69,00,6e,00,67,00,43,00,6f,00,6d,00,70,00,61,00,74,00,69,00,62,00,69,00,6c,\
      00,69,00,74,00,79,00,00,00,48,00,69,00,64,00,53,00,65,00,72,00,76,00,00,00,\
      49,00,61,00,73,00,00,00,49,00,70,00,72,00,69,00,70,00,00,00,49,00,72,00,6d,\
      00,6f,00,6e,00,00,00,4c,00,61,00,6e,00,6d,00,61,00,6e,00,53,00,65,00,72,00,\
      76,00,65,00,72,00,00,00,4c,00,61,00,6e,00,6d,00,61,00,6e,00,57,00,6f,00,72,\
      00,6b,00,73,00,74,00,61,00,74,00,69,00,6f,00,6e,00,00,00,4d,00,65,00,73,00,\
      73,00,65,00,6e,00,67,00,65,00,72,00,00,00,4e,00,65,00,74,00,6d,00,61,00,6e,\
      00,00,00,4e,00,6c,00,61,00,00,00,4e,00,74,00,6d,00,73,00,73,00,76,00,63,00,\
      00,00,4e,00,57,00,43,00,57,00,6f,00,72,00,6b,00,73,00,74,00,61,00,74,00,69,\
      00,6f,00,6e,00,00,00,4e,00,77,00,73,00,61,00,70,00,61,00,67,00,65,00,6e,00,\
      74,00,00,00,52,00,61,00,73,00,61,00,75,00,74,00,6f,00,00,00,52,00,61,00,73,\
      00,6d,00,61,00,6e,00,00,00,52,00,65,00,6d,00,6f,00,74,00,65,00,61,00,63,00,\
      63,00,65,00,73,00,73,00,00,00,53,00,63,00,68,00,65,00,64,00,75,00,6c,00,65,\
      00,00,00,53,00,65,00,63,00,6c,00,6f,00,67,00,6f,00,6e,00,00,00,53,00,45,00,\
      4e,00,53,00,00,00,53,00,68,00,61,00,72,00,65,00,64,00,61,00,63,00,63,00,65,\
      00,73,00,73,00,00,00,53,00,52,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,\
      00,00,54,00,61,00,70,00,69,00,73,00,72,00,76,00,00,00,54,00,68,00,65,00,6d,\
      00,65,00,73,00,00,00,54,00,72,00,6b,00,57,00,6b,00,73,00,00,00,57,00,33,00,\
      32,00,54,00,69,00,6d,00,65,00,00,00,57,00,5a,00,43,00,53,00,56,00,43,00,00,\
      00,57,00,6d,00,69,00,00,00,57,00,6d,00,64,00,6d,00,50,00,6d,00,53,00,70,00,\
      00,00,77,00,69,00,6e,00,6d,00,67,00,6d,00,74,00,00,00,77,00,73,00,63,00,73,\
      00,76,00,63,00,00,00,78,00,6d,00,6c,00,70,00,72,00,6f,00,76,00,00,00,6e,00,\
      61,00,70,00,61,00,67,00,65,00,6e,00,74,00,00,00,68,00,6b,00,6d,00,73,00,76,\
      00,63,00,00,00,42,00,49,00,54,00,53,00,00,00,77,00,75,00,61,00,75,00,73,00,\
      65,00,72,00,76,00,00,00,53,00,68,00,65,00,6c,00,6c,00,48,00,57,00,44,00,65,\
      00,74,00,65,00,63,00,74,00,69,00,6f,00,6e,00,00,00,68,00,65,00,6c,00,70,00,\
      73,00,76,00,63,00,00,00,57,00,6d,00,64,00,6d,00,50,00,6d,00,53,00,4e,00,00,\
      00,00,00
    
    :Commands
    [Reboot]
    
  • click the Run Fix button at the top. Let the program run uninterrupted.
  • click OK
Notes:
  • When OTL executes the Fix it can shutdown all running processes and you may lose the Desktop and icons, but they will return on reboot
  • OTL may ask to reboot the machine. Please accept right away.
  • The report should appear in Notepad after the reboot. Copy & Paste that report in your next reply and not as attachment.
  • The OTL fix log will be saved in the following location: C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log - where mmddyyy _hhmmss is the date and time when the fix run.

Step 2 - Farbar Service Scanner

  • After the reboot Please generate a new FSS log
  • Run FSS by double clicking the Posted Image icon
    (On Windows Vista or higher right click the file and select Run as Administrator)
    Posted Image
  • Check all the options
  • click Scan
  • Post the generated log on your reply (The FSS.txt log is saved to the same folder where FSS is run from).

Step 3 - Update Programs

From the Security Check log there are some critical programs that you need to update:

» Update Adobe Flash Player
The version you have is outdated! and need to be updated. Open the Adobe page install Flash Player and make sure you uncheck the box to install any extra programs (Google Chrome and Google Toolbar or McAfee Security Scan Plus) before downloading.

» Update Adobe Reader
The Adobe Reader you have is outdated! and vulnerable to security exploits. The version presently installed it's very old, to update you need to Uninstall Adobe Reader. Please open Start > Control Panel > then Add or Remove Programs, locate Adobe Reader 9 on the list and uninstall. Next download and install the most recent version by visiting the Adobe Reader page, make sure you uncheck the box offering any extra programs like the McAfee Security Scan Plus.

Step 4 - Defrag the Hard Disk

The Security Check also shows that you need to Defrag your C: drive if you don't have an SSD disk!.

  • download MyDefrag
  • Install the program MyDefrag-v4.3.1.exe, accept the license agreement and click Next until the screen below
  • on step Select Additional Tasks untick all the check box's except Associate .MyD file with the MyDefrag script interpreter
    Posted Image
  • after install close all the other programs and execute MyDefrag. Select the options according to the following screen:
    Posted Image
  • click Run
  • let the program run until it show Finished.
    Posted Image


Things I would like to see in your next reply:
  • The OTL Fix log mmddyyyy_hhmmss.log
  • The New FSS.txt log
  • Any problem updating the programs?
  • How is the computer running now?

  • 0

#37
FL_Issac

FL_Issac

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Hi Sleepydude,

Finished! The Defrag took quite a long time on this little netbook. Here are the logs you requested.

Also right now the netbook is running the same as it was before the infection, things are looking alright performance wise. Let me know if there is anything else that needs getting done!


-----------------------------------------
OTL.txt
-----------------------------------------

========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\"netsvcs"|hex(7):36,00,74,00,6f,00,34,00,00,00,41,00,70,00,70,00,4d,00,67,00,6d,00,74,00,00,00,41,00,75,00,64,00,69,00,6f,00,53,00,72,00,76,00,00,00,42,00,72,00,6f,00,77,00,73,00,65,00,72,00,00,00,43,00,72,00,79,00,70,00,74,00,53,00,76,00,63,00,00,00,44,00,4d,00,53,00,65,00,72,00,76,00,65,00,72,00,00,00,44,00,48,00,43,00,50,00,00,00,45,00,52,00,53,00,76,00,63,00,00,00,45,00,76,00,65,00,6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,46,00,61,00,73,00,74,00,55,00,73,00,65,00,72,00,53,00,77,00,69,00,74,00,63,00,68,00,69,00,6e,00,67,00,43,00,6f,00,6d,00,70,00,61,00,74,00,69,00,62,00,69,00,6c,00,69,00,74,00,79,00,00,00,48,00,69,00,64,00,53,00,65,00,72,00,76,00,00,00,49,00,61,00,73,00,00,00,49,00,70,00,72,00,69,00,70,00,00,00,49,00,72,00,6d,00,6f,00,6e,00,00,00,4c,00,61,00,6e,00,6d,00,61,00,6e,00,53,00,65,00,72,00,76,00,65,00,72,00,00,00,4c,00,61,00,6e,00,6d,00,61,00,6e,00,57,00,6f,00,72,00,6b,00,73,00,74,00,61,00,74,00,69,00,6f,00,6e,00,00,00,4d,00,65,00,73,00,73,00,65,00,6e,00,67,00,65,00,72,00,00,00,4e,00,65,00,74,00,6d,00,61,00,6e,00,00,00,4e,00,6c,00,61,00,00,00,4e,00,74,00,6d,00,73,00,73,00,76,00,63,00,00,00,4e,00,57,00,43,00,57,00,6f,00,72,00,6b,00,73,00,74,00,61,00,74,00,69,00,6f,00,6e,00,00,00,4e,00,77,00,73,00,61,00,70,00,61,00,67,00,65,00,6e,00,74,00,00,00,52,00,61,00,73,00,61,00,75,00,74,00,6f,00,00,00,52,00,61,00,73,00,6d,00,61,00,6e,00,00,00,52,00,65,00,6d,00,6f,00,74,00,65,00,61,00,63,00,63,00,65,00,73,00,73,00,00,00,53,00,63,00,68,00,65,00,64,00,75,00,6c,00,65,00,00,00,53,00,65,00,63,00,6c,00,6f,00,67,00,6f,00,6e,00,00,00,53,00,45,00,4e,00,53,00,00,00,53,00,68,00,61,00,72,00,65,00,64,00,61,00,63,00,63,00,65,00,73,00,73,00,00,00,53,00,52,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,00,00,54,00,61,00,70,00,69,00,73,00,72,00,76,00,00,00,54,00,68,00,65,00,6d,00,65,00,73,00,00,00,54,00,72,00,6b,00,57,00,6b,00,73,00,00,00,57,00,33,00,32,00,54,00,69,00,6d,00,65,00,00,00,57,00,5a,00,43,00,53,00,56,00,43,00,00,00,57,00,6d,00,69,00,00,00,57,00,6d,00,64,00,6d,00,50,00,6d,00,53,00,70,00,00,00,77,00,69,00,6e,00,6d,00,67,00,6d,00,74,00,00,00,77,00,73,00,63,00,73,00,76,00,63,00,00,00,78,00,6d,00,6c,00,70,00,72,00,6f,00,76,00,00,00,6e,00,61,00,70,00,61,00,67,00,65,00,6e,00,74,00,00,00,68,00,6b,00,6d,00,73,00,76,00,63,00,00,00,42,00,49,00,54,00,53,00,00,00,77,00,75,00,61,00,75,00,73,00,65,00,72,00,76,00,00,00,53,00,68,00,65,00,6c,00,6c,00,48,00,57,00,44,00,65,00,74,00,65,00,63,00,74,00,69,00,6f,00,6e,00,00,00,68,00,65,00,6c,00,70,00,73,00,76,00,63,00,00,00,57,00,6d,00,64,00,6d,00,50,00,6d,00,53,00,4e,00,00,00,00,00 /E : value set successfully!
========== COMMANDS ==========

OTL by OldTimer - Version 3.2.69.0 log created on 09152013_132004



----------------------------------------------
FSS.txt
----------------------------------------------

Farbar Service Scanner Version: 13-09-2013
Ran by Gateway (administrator) on 15-09-2013 at 13:39:33
Running from "C:\Documents and Settings\Gateway\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\EnableFirewall" registry value does not exist.


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Other Services:
==============


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
aswTdi(10) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x0A000000040000000100000002000000030000000A0000000900000008000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****
  • 0

#38
SleepyDude

SleepyDude

    Trusted Helper

  • Malware Removal
  • 4,401 posts
Hi Issac,

Finally the FSS log show the critical services all up and running.

Now the best part... Your log looks clean to me, good work :thumbsup:

Before you go there are some housekeeping steps I would like you to do and I have also some final recommendations...

Step 1 - Remove Temporary Files and Reset System Restore

  • Execute OTL by double clicking the icon Posted Image. Make sure all other windows are closed.
    Do not change any other settings unless otherwise told to do so.
  • Under the Posted Image box at the bottom, paste in the following:
    :OTL
    
    :Commands
    [ClearAllRestorePoints]
    [EmptyTemp]
    [Reboot]
    
  • click the Posted Image button at the top. Let the program run uninterrupted.
  • click OK
Notes:
  • When OTL executes the Fix it can shutdown all running processes and you may lose the Desktop and icons, but they will return on reboot
  • OTL may ask to reboot the machine. Please accept right away.
  • The report should appear in Notepad after the reboot. Copy & Paste that report in your next reply and not as attachment.
  • The OTL fix log will be saved in the following location: C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log - where mmddyyy _hhmmss is the date and time when the fix run.

Step 2 - Remove the Tools we use

» OTL
  • Execute OTL by double clicking the icon Posted Image
  • click the Posted Image button. Accept the prompt to Reboot.
» Others
  • Delete any .exe, .log, .txt, file created on the Desktop during the cleaning process.
» Uninstall ESET On-line Scanner
  • Please open Start > Control Panel > then Add or Remove Programs, locate ESET On-line Scanner and Uninstall because it's no longer needed.
» On the Other Computer
  • Delete the folder G2G created on the Desktop and Uninstall RMPrepUSB (use the Uninstall option from the RMPrepUSB group created on the Start Menu).

Step 3 - How to prevent new infections

To protect your computer from being infected again its very important to keep Windows Updated and all the programs related with the internet, Web Browser, Flash Player, Adobe Reader and Java only to mention the most targeted by today security exploits. Follow the instructions below to keep these critical programs updated:
  • Windows and Internet Explorer
    To keep Windows and Internet Explorer updated make sure you have Windows Update enabled on the Control Panel applet, follow the instructions for Windows 7 on this MS article How to configure and use Automatic Updates in Windows or use the FixIt tool provided.
  • Antivirus and Antimalware programs
    Make sure you have a Antivirus program always updated and running.
    Sometimes Antivirus can miss some malware, when that happens its good to have Malwarebytes installed like you have, Update and run weekly to keep your system clean. Malwarebytes is also good to revert some system changes made by the malware.
  • Enable the Firewall
    No system can be considered safe if not protected by a Firewall. If you are connected to the Internet by a Router you should check its configuration and make sure the firewall is active.
    If you connect by modem or to a open Local Network you should enable the Windows XP built-in firewall. Because the firewall included on Windows XP isn't very powerful its recommended to install a 3rd party firewall, choose one from this list:
  • Online Armor Free
  • PC Tools Firewall Plus
  • Agnitum - Outpost free
Note: If you have a Netbook type computer running Windows XP, the machine most likely don't have resources needed to run a 3rd party firewall skip that and enable the built-in firewall.

[*]Adobe Flash Player
To update Adobe Flash Player accept any prompt to update or manually initiate the update by opening Start Menu > Settings > Control Panel open the applet called Flash Player, on the Advanced tab click the Check Now button. Accept any prompt to install an updated version.
If the update process redirect you to the Adobe webpage you need to download the latest version of Adobe Flash and install for both Internet Explorer and Firefox if installed, make sure you uncheck the box offering to install any extra programs (Google Chrome and Google Toolbar or McAfee Security Scan Plus) before downloading. If you have Firefox installed you have to use also this browser to visit the link above and follow the steps to update.

[*]Adobe Reader
Adobe Reader, can be updated by opening Adobe Reader from the Start Menu, when the program full load click on the Help menu next click the Check for updates now option. Follow the prompts to install any new update.


[*]Keep Installed Programs Up to Date
It's important to keep all other programs on your computer updated because they can also have security vulnerability explored by the malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications to fix vulnerabilities, this can be done manually by using the Update feature included in most programs or you can use one of the following programs to help you with this task:
[*]Surf the Net with extra Security
Every web browser is a target for malware, the bad guys are always trying to explorer security holes to infect the computers, and this is especially true for Internet Explorer because is one of the most used. Using alternatives like Mozilla Firefox or Google Chrome can help protecting your computer from infections.
And for Firefox and Chrome you can get an extra layer of protection by installing two add-ons AdBlockPlus and Web Of Trust (WOT). WOT can also protect Internet Explorer.
[/list]
::: Some final recommendations :::
Best Regards and have a Safe surfing! :wave:
  • 0

#39
FL_Issac

FL_Issac

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Lifes been busy the last two days D: sorry for the delayed response.

Here's the OTL log generated, though by reading it it sounds like things look good :D

Thanks for the all the help Sleepydude, you did awesomely :)


-------------------------------
OTL.txt
-------------------------------

All processes killed
========== OTL ==========
========== COMMANDS ==========
Restore point Set: OTL Restore Point

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Gateway
->Temp folder emptied: 1806628 bytes
->Temporary Internet Files folder emptied: 11821139 bytes
->Flash cache emptied: 602 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 108172421 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 3386520 bytes

Total Files Cleaned = 119.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 09182013_235356

Files\Folders moved on Reboot...
C:\Documents and Settings\Gateway\Local Settings\Temporary Internet Files\Content.IE5\DLU838AT\page__st__30__gopid__2331481[1].txt moved successfully.
File move failed. C:\WINDOWS\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
  • 0

#40
SleepyDude

SleepyDude

    Trusted Helper

  • Malware Removal
  • 4,401 posts

Lifes been busy the last two days D: sorry for the delayed response.

No problem.

Here's the OTL log generated, though by reading it it sounds like things look good :D

Yes all good.

Thanks for the all the help Sleepydude, you did awesomely :)

You are welcome. Thank You.

Regards.
  • 0

Advertisements


#41
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP