
how to remove a (Trojan.Zeroaccess.C) [Solved]


#31 manager1996 (Member, Topic Starter, 23 posts)
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 24-11-2013
Ran by lane at 2013-11-24 20:46:15 Run:2
Running from J:\
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
Start
Unlock: HKLM\SYSTEM\CurrentControlSet\Services\mpsdrv
Unlock: HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc
Unlock: HKLM\SYSTEM\CurrentControlSet\Services\bfe
Unlock: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Unlock: HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Unlock: HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Unlock: HKLM\SYSTEM\CurrentControlSet\Services\BITS
Unlock: HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent
Unlock: HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess
Folder: c:\programdata\qtoenam
Folder: c:\programdata\atkisx
Folder: c:\programdata\nvhrasu
Folder: c:\programdata\aaodcif
Folder: c:\programdata\vdmers
End
*****************

"HKLM\SYSTEM\CurrentControlSet\Services\mpsdrv" => Key unlocked successfully.
"HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc" => Key unlocked successfully.
"HKLM\SYSTEM\CurrentControlSet\Services\bfe" => Key unlocked successfully.
"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" => Key unlocked successfully.
"HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" => Key unlocked successfully.
"HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" => Key unlocked successfully.
"HKLM\SYSTEM\CurrentControlSet\Services\BITS" => Key unlocked successfully.
"HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent" => Key unlocked successfully.
"HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess" => Key unlocked successfully.

========================= Folder: c:\programdata\qtoenam ========================

2013-11-12 17:41 - 2013-11-12 17:41 - 0535721 ____A () c:\programdata\qtoenam\pvahp.ghj

====== End of Folder: ======


========================= Folder: c:\programdata\atkisx ========================

2013-11-12 17:41 - 2013-11-12 17:49 - 0043782 ____A () c:\programdata\atkisx\jpllcq.oay
2013-11-12 17:40 - 2013-11-12 17:54 - 0009091 ____A () c:\programdata\atkisx\jvknj.aix
2013-11-12 17:41 - 2013-11-12 17:41 - 0199432 ____A () c:\programdata\atkisx\pbad.gwh
2013-11-12 17:48 - 2013-11-12 17:48 - 0012749 ____A () c:\programdata\atkisx\wlfi.xvb
2013-11-12 17:41 - 2013-11-12 19:19 - 0011487 ____A () c:\programdata\atkisx\yyym.lvm

====== End of Folder: ======


========================= Folder: c:\programdata\nvhrasu ========================


====== End of Folder: ======


========================= Folder: c:\programdata\aaodcif ========================

2013-11-12 17:41 - 2013-11-12 17:41 - 0475837 ____A () c:\programdata\aaodcif\wtff.fmi
2013-11-12 17:40 - 2013-11-12 19:20 - 0538506 ____A () c:\programdata\aaodcif\yufa.pit

====== End of Folder: ======


========================= Folder: c:\programdata\vdmers ========================

2013-11-12 17:40 - 2013-11-12 19:20 - 0076508 ____A () c:\programdata\vdmers\bmajmgj.sfb
2013-11-12 17:41 - 2013-11-12 17:41 - 0044370 ____A () c:\programdata\vdmers\ikxnesv.acq
2013-11-12 17:40 - 2013-11-12 17:40 - 0567424 ____A () c:\programdata\vdmers\oatyc.pbf

====== End of Folder: ======


==== End of Fixlog ====

#32 JSntgRvr (Global Moderator, 11,579 posts)
I need to see the Farbar Service Scanner.

#33 JSntgRvr (Global Moderator, 11,579 posts)
Download the enclosed file.

Save it in the same location FRST is.

Run FRST and click on the Fix button. Wait until finished.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Run Farbar Service Scanner and post its report as well.

#34 manager1996 (Member, Topic Starter, 23 posts)
Farbar Service Scanner Version: 23-11-2013
Ran by lane (administrator) on 24-11-2013 at 21:54:22
Running from "J:\"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.

bfe Service is not running. Checking service configuration:
The start type of bfe service is OK.
The ImagePath of bfe service is OK.
The ServiceDll of bfe service is OK.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.

Action Center Notification Icon =====> HKLM\...\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\"AutoStart" value does not exist.


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Other Services:
==============
Checking ServiceDll of RemoteAccess: ATTENTION!=====> Unable to open RemoteAccess registry key. The service key does not exist.



File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

#35 JSntgRvr (Global Moderator, 11,579 posts)
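As an added example, not code from this thread or from Farbar's tools: a read-only PowerShell check, run from an elevated prompt, that covers the same service keys the Fixlog in post #31 had to unlock and surfaces the conditions the Service Scanner log above reports (missing service key, service not running), plus explicit Deny entries on the key ACL, which is what leaves a key needing to be "unlocked". The function name Get-ServiceKeyState is my own; the service names are the ones from the Fixlog.

```powershell
# Services that the Fixlog in this thread had to unlock (post #31).
$ServiceNames = 'mpsdrv','MpsSvc','bfe','SharedAccess','wscsvc',
                'wuauserv','BITS','PolicyAgent','RemoteAccess'

function Get-ServiceKeyState {
    # Hypothetical helper (not an FSS or FRST command): reads one service's
    # registry key the way the Service Scanner log reports it.
    param([Parameter(Mandatory)][string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $state = [ordered]@{ Service = $Name; KeyExists = $false; Running = $null
                         Start = $null; ImagePath = $null; ServiceDll = $null
                         DenyAces = $null }
    if (-not (Test-Path $key)) {
        # Same condition FSS reports as "The service key does not exist."
        return [pscustomobject]$state
    }
    $state.KeyExists = $true
    try {
        $props = Get-ItemProperty -Path $key -ErrorAction Stop
        $state.Start     = $props.Start       # 2 = Automatic, 3 = Manual, 4 = Disabled
        $state.ImagePath = $props.ImagePath
        if (Test-Path "$key\Parameters") {
            $state.ServiceDll = (Get-ItemProperty "$key\Parameters").ServiceDll
        }
        # A key that FRST has to "Unlock" typically carries explicit Deny ACEs
        # that keep even administrators from reading or changing it.
        $acl = Get-Acl -Path $key -ErrorAction Stop
        $state.DenyAces = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }).Count
    } catch {
        $state.DenyAces = -1   # read was refused: treat the key as locked
    }
    # Get-Service lists Win32 services only, so a kernel driver such as
    # mpsdrv keeps Running = $null here.
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($svc) { $state.Running = ($svc.Status -eq 'Running') }
    [pscustomobject]$state
}

$report = $ServiceNames | ForEach-Object { Get-ServiceKeyState -Name $_ }
$report | Format-Table -AutoSize

# Surface the conditions the Service Scanner log flags.
foreach ($r in $report) {
    if (-not $r.KeyExists)         { Write-Warning "$($r.Service): service key missing" }
    elseif ($r.Running -eq $false) { Write-Warning "$($r.Service): service not running" }
    if ($null -ne $r.DenyAces -and $r.DenyAces -ne 0) {
        Write-Warning "$($r.Service): key ACL has Deny entries or is unreadable"
    }
}
```

The script changes nothing; on the machine in this thread it would have flagged MpsSvc, bfe and wscsvc as not running and RemoteAccess as missing its key, matching the log.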
Now that the BFE key is unlocked, please download and run Restore BFE. Let me know of any errors.

I am enclosing a file with an entry you need in the registry.

Extract its contents to the desktop. Right click the .reg file and select Merge.

How is the computer doing?

#36 manager1996 (Member, Topic Starter, 23 posts)
It's doing fine.

#37 JSntgRvr (Global Moderator, 11,579 posts)
Congratulations.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

The following will implement some cleanup procedures as well as reset System Restore points:


  • Press the Windows key + R. At the Run command type or copy and paste the following:

    Combofix /uninstall

  • Remove the C:\FRST folder.
  • Run and uninstall AdwCleaner.
  • Manually remove any tool left.

Here are some suggestions.

  • Always keep your JAVA updated. Older versions will make your computer vulnerable.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Miekiemoes.

Best wishes!

#38 manager1996 (Member, Topic Starter, 23 posts)
A message came up saying Windows couldn't find 'Combofix',
and a message said that I require permission from administrators to make changes to or delete FRST.

#39 JSntgRvr (Global Moderator, 11,579 posts)
If for some reason Combofix is having difficulty carrying out the uninstall command, there is a stand-alone uninstaller available.



In regard to FRST, download the enclosed file.

Save it in the same location FRST is.

Run FRST and click on the Fix button.

After done, attempt to remove FRST.

#40 manager1996 (Member, Topic Starter, 23 posts)
Thank you.

#41 JSntgRvr (Global Moderator, 11,579 posts)
You are welcome. :)

#42 JSntgRvr (Global Moderator, 11,579 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.