TechSpot

Hi - TrojanZeroAccessinf - please bail me out!

Solved
By Tobydog
Sep 9, 2012
  1. Tobydog

    Tobydog TS Rookie Topic Starter Posts: 44

    Hi Broni

    Here's the checkup.txt log

    I did get the following message when I ran it:

    AutoIt Error
    Line 1
    Error: Variable must be of the type "Object"

    After acknowledging the error by clicking OK, Security Check ran fine

    FSS.txt log coming next

    Results of screen317's Security Check version 0.99.51
    Windows Vista Service Pack 2 x86 (UAC is enabled)
    Internet Explorer 9
    ``````````````Antivirus/Firewall Check:``````````````
    WMI entry may not exist for antivirus; attempting automatic update.
    `````````Anti-malware/Other Utilities Check:`````````
    Ad-Aware
    Java(TM) 6 Update 31
    Java(TM) SE Runtime Environment 6 Update 1
    Java version out of Date!
    Adobe Flash Player 11.3.300.271
    Adobe Reader X (10.1.4)
    Mozilla Firefox (for.)
    Google Chrome 21.0.1180.83
    Google Chrome 21.0.1180.89
    ````````Process Check: objlist.exe by Laurent````````
    Ad-Aware AAWService.exe is disabled!
    Ad-Aware AAWTray.exe is disabled!
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 0 %
    ````````````````````End of Log``````````````````````
  2. Tobydog

    Tobydog TS Rookie Topic Starter Posts: 44

    Hi Broni

    Here's the FSS.txt log

    Entries in the checkup.txt log above turned red by themselves!

    AdwCleaner[R1].txt log coming next

    Farbar Service Scanner Version: 06-08-2012
    Ran by Mark (administrator) on 17-09-2012 at 10:11:39
    Running from "C:\Users\Mark\Downloads"
    Windows Vista (TM) Home Premium Service Pack 2 (X86)
    Boot Mode: Normal
    ****************************************************************
    Internet Services:
    ============
    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.

    Windows Firewall:
    =============
    MpsSvc Service is not running. Checking service configuration:
    The start type of MpsSvc service is OK.
    The ImagePath of MpsSvc service is OK.
    The ServiceDll of MpsSvc service is OK.

    Firewall Disabled Policy:
    ==================

    System Restore:
    ============
    System Restore Disabled Policy:
    ========================

    Security Center:
    ============
    Windows Update:
    ============
    wuauserv Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
    BITS Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.

    Windows Autoupdate Disabled Policy:
    ============================

    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.

    Other Services:
    ==============
    Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
    Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
    Checking ServiceDll of SharedAccess: ATTENTION!=====> Unable to retrieve ServiceDll of SharedAccess. The value does not exist.

    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys => MD5 is legit
    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll => MD5 is legit
    C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll => MD5 is legit
    C:\Windows\system32\es.dll => MD5 is legit
    C:\Windows\system32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit

    **** End of log ****
  3. Tobydog

    Tobydog TS Rookie Topic Starter Posts: 44

    Hi Broni

    Here's the AdwCleaner(R1).txt log

    Will run TFC next - no log?

    # AdwCleaner v2.002 - Logfile created 09/17/2012 at 10:18:08
    # Updated 16/09/2012 by Xplode
    # Operating system : Windows Vista (TM) Home Premium Service Pack 2 (32 bits)
    # User : Mark - MARK-PC
    # Boot Mode : Normal
    # Running from : C:\Users\Mark\Downloads\adwcleaner.exe
    # Option [Search]

    ***** [Services] *****

    ***** [Files / Folders] *****
    Folder Found : C:\Program Files\Viewpoint
    Folder Found : C:\ProgramData\Viewpoint
    ***** [Registry] *****
    Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
    Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6E41-4FD3-8538-502F5495E5FC}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{03F998B2-0E00-11D3-A498-00104B6EB52E}
    Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
    Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
    Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
    Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
    Key Found : HKLM\SOFTWARE\Classes\S
    Key Found : HKLM\Software\Freeze.com
    Key Found : HKLM\Software\MetaStream
    Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
    Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
    Key Found : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
    Key Found : HKLM\SOFTWARE\Software
    Key Found : HKLM\Software\Viewpoint
    Key Found : HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
    Key Found : HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
    Key Found : HKU\S-1-5-21-802167735-3406490535-3852651081-1000\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
    Key Found : HKU\S-1-5-21-802167735-3406490535-3852651081-1000\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
    ***** [Internet Browsers] *****
    -\\ Internet Explorer v9.0.8112.16421
    [OK] Registry is clean.
    -\\ Google Chrome v21.0.1180.89
    File : C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Preferences
    [OK] File is clean.
    *************************
    AdwCleaner[R1].txt - [2929 octets] - [17/09/2012 10:18:08]
    ########## EOF - C:\AdwCleaner[R1].txt - [2989 octets] ##########
  4. Tobydog

    Tobydog TS Rookie Topic Starter Posts: 44

    Hi Broni

    Ran TFC

    My side bar has disappeared (clock and calendar) but they will be easy to restore

    I did get the following message when I closed AdwCleaner:

    'By only using Search Mode AdwCleaner has not removed detected items. To perform the deletion of items found, restart AdwCleaner and then click on 'Delete', unless you were asked to use only the search mode'.

    I accepted the message as I was using search mode only

    ESET Online Scanner next
  5. Tobydog

    Tobydog TS Rookie Topic Starter Posts: 44

    Hi Broni

    Here's the ESETScan log

    C:\TDSSKiller_Quarantine\08.09.2012_17.15.34\zasubsys0000\file0000\tsk0000.dta Win32/Sirefef.FB.Gen trojan deleted - quarantined
    C:\Users\Mark\Documents\IWONGlobal.exe Win32/Toolbar.MyWebSearch application deleted - quarantined
  6. Tobydog

    Tobydog TS Rookie Topic Starter Posts: 44

    Hi Broni

    Computer definitely running faster, but...

    a) cannot find side bar - clock, calendar etc

    b) no sound - no response to mute, volume up / down buttons on keyboard, no sound through headphones
  7. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    Is your Norton 360 in working condition?
    I don't see it listed by Security Check.

    ================================

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove the old Java version and its remnants...

    Download JavaRa to your desktop and unzip it.
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Do NOT post JavaRa log.

    ===================================

    • Close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with Ok.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the contents of that logfile with your next reply.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.

    Next...

    • Double click on adwcleaner.exe to run the tool.
    • Click on Uninstall.
    • Confirm with yes.

    ====================================

    We have some registry keys missing so...

    Download Windows Repair (all in one) from this site

    Install the program then run it.

    Go to Step 2 and allow it to run CheckDisk by clicking on Do It button:

    [IMG]

    Once that is done then go to Step 3 and allow it to run System File Check by clicking on Do It button:

    [IMG]

    Go to Step 4 and under "System Restore" click on Create button:

    [IMG]

    Go to Start Repairs tab and click Start button.

    [IMG]

    Please ensure that ONLY items seen in the image below are ticked as indicated (they're all checked by default):

    [IMG]

    Click on box next to the Restart System when Finished. Then click on Start.

    Post new FSS log.
  8. Tobydog

    Tobydog TS Rookie Topic Starter Posts: 44

    Hi Broni - many thanks

    Here's the AdwCleaner(S1).txt.log

    I uninstalled Norton 360 - I think it was causing the computer to be unstable, continually shutting down / restarting. The error message I kept getting pointed to a fault with Norton itself, so I uninstalled it - computer stabilised immediately. I had only installed it a week last Friday - it detected the zeroaccess trojan, but appeared to be problematic since, so I decided Norton had to go

    # AdwCleaner v2.002 - Logfile created 09/17/2012 at 17:58:15
    # Updated 16/09/2012 by Xplode
    # Operating system : Windows Vista (TM) Home Premium Service Pack 2 (32 bits)
    # User : Mark - MARK-PC
    # Boot Mode : Normal
    # Running from : C:\Users\Mark\Downloads\adwcleaner.exe
    # Option [Delete]

    ***** [Services] *****

    ***** [Files / Folders] *****
    Folder Deleted : C:\Program Files\Viewpoint
    Folder Deleted : C:\ProgramData\Viewpoint
    ***** [Registry] *****
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6E41-4FD3-8538-502F5495E5FC}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{03F998B2-0E00-11D3-A498-00104B6EB52E}
    Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
    Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
    Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
    Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
    Key Deleted : HKLM\SOFTWARE\Classes\S
    Key Deleted : HKLM\Software\Freeze.com
    Key Deleted : HKLM\Software\MetaStream
    Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
    Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
    Key Deleted : HKLM\SOFTWARE\Software
    Key Deleted : HKLM\Software\Viewpoint
    Key Deleted : HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
    ***** [Internet Browsers] *****
    -\\ Internet Explorer v9.0.8112.16421
    Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    -\\ Google Chrome v21.0.1180.89
    File : C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Preferences
    [OK] File is clean.
    *************************
    AdwCleaner[R1].txt - [3058 octets] - [17/09/2012 10:18:08]
    AdwCleaner[S1].txt - [3037 octets] - [17/09/2012 17:58:15]
    ########## EOF - C:\AdwCleaner[S1].txt - [3097 octets] ##########
  9. Broni

    Broni Malware Annihilator Posts: 46,775   +254

  10. Tobydog

    Tobydog TS Rookie Topic Starter Posts: 44

    Hi Broni

    Here's the Windows Repair log

    Starting Repairs...
    Start (17/09/2012 19:31:26)
    Reset Registry Permissions 01/03
    HKEY_CURRENT_USER & Sub Keys
    Start (17/09/2012 19:31:26)
    Done (17/09/2012 19:31:33)
    Reset Registry Permissions 02/03
    HKEY_LOCAL_MACHINE & Sub Keys
    Start (17/09/2012 19:31:33)
    Done (17/09/2012 19:34:49)
    Reset Registry Permissions 03/03
    HKEY_CLASSES_ROOT & Sub Keys
    Start (17/09/2012 19:34:49)
    Done (17/09/2012 19:35:15)
    Reset File Permissions 01/18
    C:\Boot & Sub Folders
    Start (17/09/2012 19:35:15)
    Done (17/09/2012 19:35:17)
    Reset File Permissions 02/18
    C:\DKMM & Sub Folders
    Start (17/09/2012 19:35:17)
    Done (17/09/2012 19:35:20)
    Reset File Permissions 03/18
    C:\Games & Sub Folders
    Start (17/09/2012 19:35:20)
    Done (17/09/2012 19:35:22)
    Reset File Permissions 04/18
    C:\hiberfil.sys & Sub Folders
    Start (17/09/2012 19:35:22)
    Done (17/09/2012 19:35:28)
    Reset File Permissions 05/18
    C:\hp & Sub Folders
    Start (17/09/2012 19:35:28)
    Done (17/09/2012 19:35:47)
    Reset File Permissions 06/18
    C:\MMAPP & Sub Folders
    Start (17/09/2012 19:35:47)
    Done (17/09/2012 19:35:49)
    Reset File Permissions 07/18
    C:\NBRT & Sub Folders
    Start (17/09/2012 19:35:49)
    Done (17/09/2012 19:35:52)
    Reset File Permissions 08/18
    C:\PerfLogs & Sub Folders
    Start (17/09/2012 19:35:52)
    Done (17/09/2012 19:35:54)
    Reset File Permissions 09/18
    C:\Program Files & Sub Folders
    Start (17/09/2012 19:35:54)
    Done (17/09/2012 19:45:05)
    Reset File Permissions 10/18
    C:\ProgramData & Sub Folders
    Start (17/09/2012 19:45:05)
    Done (17/09/2012 19:46:03)
    Reset File Permissions 11/18
    C:\Qoobox & Sub Folders
    Start (17/09/2012 19:46:03)
    Done (17/09/2012 19:46:06)
    Reset File Permissions 12/18
    C:\Setup & Sub Folders
    Start (17/09/2012 19:46:06)
    Done (17/09/2012 19:46:08)
    Reset File Permissions 13/18
    C:\TDSSKiller_Quarantine & Sub Folders
    Start (17/09/2012 19:46:08)
    Done (17/09/2012 19:46:11)
    Reset File Permissions 14/18
    C:\temp & Sub Folders
    Start (17/09/2012 19:46:11)
    Done (17/09/2012 19:46:13)
    Reset File Permissions 15/18
    C:\Tweaking.com_Windows_Repair_Logs & Sub Folders
    Start (17/09/2012 19:46:13)
    Done (17/09/2012 19:46:15)
    Reset File Permissions 16/18
    C:\Windows & Sub Folders
    Start (17/09/2012 19:46:15)
    Done (17/09/2012 19:53:32)
    Reset File Permissions 17/18
    C:\_OTL & Sub Folders
    Start (17/09/2012 19:53:32)
    Done (17/09/2012 19:53:34)
    Reset File Permissions 18/18
    C:\_torrents & Sub Folders
    Start (17/09/2012 19:53:34)
    Done (17/09/2012 19:53:59)
    Register System Files
    Start (17/09/2012 19:53:59)
    Done (17/09/2012 19:54:10)
    Repair WMI
    Start (17/09/2012 19:54:10)
    Step 01/03 - Deleting WMI Repository...
    The system cannot find the path specified.
    Step 02/03 - Rebuilding WMI Repository...
    Step 03/03 - Registering WMI...
    Invalid Global Switch.
    Done (17/09/2012 19:54:52)
    Repair Windows Firewall
    Start (17/09/2012 19:54:52)
    The Windows Firewall service is not started.
    More help is available by typing NET HELPMSG 3521.
    System error 1060 has occurred.
    The specified service does not exist as an installed service.
    The service name is invalid.
    More help is available by typing NET HELPMSG 2185.
    Done (17/09/2012 19:55:04)
    Repair Internet Explorer
    Start (17/09/2012 19:55:04)
    Done (17/09/2012 19:55:11)
    Remove Policies Set By Infections
    Start (17/09/2012 19:55:11)
    Done (17/09/2012 19:55:13)
    Repair Winsock & DNS Cache
    Start (17/09/2012 19:55:13)
    Done (17/09/2012 19:55:20)
    Repair Proxy Settings
    Start (17/09/2012 19:55:20)
    Done (17/09/2012 19:55:22)
    Repair Windows Updates
    Start (17/09/2012 19:55:22)
    System error 1060 has occurred.
    The specified service does not exist as an installed service.
    The Windows Update service is not started.
    More help is available by typing NET HELPMSG 3521.
    The process cannot access the file because it is being used by another process.
    The process cannot access the file because it is being used by another process.
    The process cannot access the file because it is being used by another process.
    C:\Windows\system32\catroot2\edb.log - The process cannot access the file because it is being used by another process.
    C:\Windows\system32\catroot2\{127D0~1\catdb - The process cannot access the file because it is being used by another process.
    C:\Windows\system32\catroot2\{F750E~1\catdb - The process cannot access the file because it is being used by another process.
    'proxycfg.exe' is not recognized as an internal or external command,
    operable program or batch file.
    The service name is invalid.
    More help is available by typing NET HELPMSG 2185.
    Done (17/09/2012 19:55:28)
    Set Windows Services To Default Startup
    Start (17/09/2012 19:55:28)
    Done (17/09/2012 19:55:31)
    Repair MSI (Windows Installer)
    Start (17/09/2012 19:55:31)
    The Windows Installer service is not started.
    More help is available by typing NET HELPMSG 3521.
    Done (17/09/2012 19:55:35)
    Cleaning up empty logs...
    All Selected Repairs Done.
    Done (17/09/2012 19:55:35)
    Total Repair Time: 00:24:09

    ...YOU MUST RESTART YOUR SYSTEM...
  11. Tobydog

    Tobydog TS Rookie Topic Starter Posts: 44

    Hi Broni

    I've run Norton Removal Tool

    Should I uninstall FSS, OTL, TFC, Tweaking, AdwCleaner etc. before I install Avast! free antivirus or Microsoft Security Essentials or Comodo Antivirus?
  12. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    You can install it right now.

    I still need fresh FSS log.
  13. Tobydog

    Tobydog TS Rookie Topic Starter Posts: 44

    Hi Broni

    Do I need to run FSS again to get a fresh log?
  14. Broni

    Broni Malware Annihilator Posts: 46,775   +254

  15. Tobydog

    Tobydog TS Rookie Topic Starter Posts: 44

    Thanks Broni

    Here's a fresh FSS log

    Farbar Service Scanner Version: 06-08-2012
    Ran by Mark (administrator) on 17-09-2012 at 20:41:02
    Running from "C:\Users\Mark\Downloads"
    Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
    Boot Mode: Normal
    ****************************************************************
    Internet Services:
    ============
    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.

    Windows Firewall:
    =============
    Firewall Disabled Policy:
    ==================

    System Restore:
    ============
    System Restore Disabled Policy:
    ========================

    Security Center:
    ============
    Windows Update:
    ============
    BITS Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.

    Windows Autoupdate Disabled Policy:
    ============================

    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.

    Other Services:
    ==============

    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys => MD5 is legit
    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll => MD5 is legit
    C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll => MD5 is legit
    C:\Windows\system32\es.dll => MD5 is legit
    C:\Windows\system32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit

    **** End of log ****
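    The FSS log above records, for each Windows service it checks, whether the service is running, whether its registry key still exists, and whether its start type is the default; the keys Broni restores in the next step (BITS, WinDefend) are exactly the ones flagged here. As an added example that is not part of this thread or of FSS itself, the following Python script parses that log format and summarises the damage per service. The sample log is constructed from lines in this thread; the "not legit" file line is a constructed stand-in, since the exact wording FSS uses for a failed MD5 check is not shown in the thread.

```python
"""Triage a Farbar Service Scanner (FSS) log for the kind of service-key
damage left behind after a ZeroAccess/Sirefef infection.

Added example, not part of the TechSpot thread or of FSS. Parses the log
format shown in the thread and reports, per service, whether the service is
running, whether its registry key is missing, whether individual values are
missing, and whether its start type deviates from the default. Files whose
MD5 FSS did not accept are listed too.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Line shapes taken from the FSS logs posted in the thread.
NOT_RUNNING = re.compile(r"^(\w+) Service is not running\. Checking service configuration:")
KEY_MISSING = re.compile(
    r"^Checking (Start type|ImagePath|ServiceDll): ATTENTION!=+> "
    r"Unable to open (\w+) registry key\. The service key does not exist\.")
VALUE_MISSING = re.compile(
    r"^Checking (Start type|ImagePath|ServiceDll) of (\w+): ATTENTION!=+> "
    r"Unable to retrieve .*? The value does not exist\.")
START_WRONG = re.compile(
    r"^The start type of (\w+) service is set to (\w+)\. The default start type is (\w+)\.")
FILE_CHECK = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => MD5 is (?P<verdict>.+)$")


@dataclass
class ServiceState:
    name: str
    running: bool = True
    missing_key: bool = False
    missing_values: Set[str] = field(default_factory=set)
    start_type: Optional[str] = None     # only set when it deviates from default
    default_start: Optional[str] = None


def parse_fss(text: str) -> Tuple[Dict[str, ServiceState], List[str]]:
    """Return (services by name, paths whose MD5 was not reported as legit)."""
    services: Dict[str, ServiceState] = {}
    bad_files: List[str] = []

    def svc(name: str) -> ServiceState:
        return services.setdefault(name, ServiceState(name))

    for raw in text.splitlines():
        line = raw.strip()
        if m := NOT_RUNNING.match(line):
            svc(m.group(1)).running = False
        elif m := KEY_MISSING.match(line):
            svc(m.group(2)).missing_key = True        # whole service key gone
        elif m := VALUE_MISSING.match(line):
            svc(m.group(2)).missing_values.add(m.group(1))
        elif m := START_WRONG.match(line):
            s = svc(m.group(1))
            s.start_type, s.default_start = m.group(2), m.group(3)
        elif m := FILE_CHECK.match(line):
            if m.group("verdict") != "legit":
                bad_files.append(m.group("path"))
    return services, bad_files


def findings(services: Dict[str, ServiceState], bad_files: List[str]) -> List[str]:
    """One human-readable finding per damaged service or suspicious file."""
    out: List[str] = []
    for s in sorted(services.values(), key=lambda s: s.name):
        if s.missing_key:
            out.append(f"{s.name}: service registry key missing; the service cannot "
                       f"start until its default key is restored")
        elif s.missing_values:
            out.append(f"{s.name}: missing values {sorted(s.missing_values)}")
        elif s.start_type:
            out.append(f"{s.name}: start type is {s.start_type}, default is {s.default_start}")
        elif not s.running:
            out.append(f"{s.name}: not running, but its configuration looks intact")
    for path in bad_files:
        out.append(f"{path}: MD5 not reported as legit; compare with a known-good copy")
    return out


# Constructed sample, assembled from lines posted in the thread (the last
# file line is a constructed stand-in for a failed check).
SAMPLE_LOG = r"""
Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Disabled. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Other Services:
==============
Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.

File Check:
========
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is not legit
"""

if __name__ == "__main__":
    for line in findings(*parse_fss(SAMPLE_LOG)):
        print(line)
```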
  16. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    We still have a couple of registry keys missing.

    Following steps involve registry editing. Please create a new restore point before proceeding!!!
    How to:
    XP - http://support.microsoft.com/kb/948247
    Vista and Seven - http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/


    Download Vista.zip file from here: http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/
    Unzip the file.
    You'll find several files inside.

    Double click on windefend.reg file and confirm the prompt.
    Double click on bits.reg file and confirm the prompt.

    Restart computer.
    Post new FSS log.
  17. Tobydog

    Tobydog TS Rookie Topic Starter Posts: 44

    Hi Broni

    Here's a fresh FSS log


    Farbar Service Scanner Version: 06-08-2012
    Ran by Mark (administrator) on 17-09-2012 at 21:26:21
    Running from "C:\Users\Mark\Downloads"
    Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
    Boot Mode: Normal
    ****************************************************************
    Internet Services:
    ============
    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.

    Windows Firewall:
    =============
    Firewall Disabled Policy:
    ==================

    System Restore:
    ============
    System Restore Disabled Policy:
    ========================

    Security Center:
    ============
    Windows Update:
    ============
    BITS Service is not running. Checking service configuration:
    The start type of BITS service is OK.
    The ImagePath of BITS service is OK.
    The ServiceDll of BITS service is OK.

    Windows Autoupdate Disabled Policy:
    ============================

    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Disabled. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.

    Other Services:
    ==============

    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys => MD5 is legit
    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll => MD5 is legit
    C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll => MD5 is legit
    C:\Windows\system32\es.dll => MD5 is legit
    C:\Windows\system32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit

    **** End of log ****
  18. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    Your computer is clean [IMG]

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point, using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [emptyjava]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all tools we used during our cleaning process

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any trojans, rootkits or bootkits were listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. (Windows XP only) Run defrag at your convenience.

    11. When installing\updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

    12. Read:
    How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
    Simple and easy ways to keep your computer safe and secure on the Internet: http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

    13. Please let me know how your computer is doing.
  19. Tobydog

    Tobydog TS Rookie Topic Starter Posts: 44

    Hi Broni - thanks a million :)

    Here's the OTL log

    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Mark
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 214489655 bytes
    ->Java cache emptied: 1878 bytes
    ->Google Chrome cache emptied: 6987897 bytes
    ->Apple Safari cache emptied: 0 bytes
    ->Flash cache emptied: 706 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 27135 bytes
    RecycleBin emptied: 283683 bytes

    Total Files Cleaned = 212.00 mb
  20. Tobydog

    Tobydog TS Rookie Topic Starter Posts: 44

    Hi Broni - thank you

    We're looking good (y)

    a) computer running faster than Usain Bolt

    b) sidebar back - with Avast! in pole position

    c) sound back to normal

    d) Internet running fine

    Besides installing Avast! I also installed Secunia PSI

    I have changed all important passwords

    Read the Bleeping Computer advice on how I got infected and how to practise safe Internet

    Please advise:

    I had a look in Windows Updates in Control Panel and can see there are 12 important updates waiting to be installed - these are:

    Cumulative Security Update for Internet Explorer 9 for Windows Vista (KB2722913)
    Download size: 11.3 MB

    Security Update for Microsoft Office 2007 suites (KB2596615)
    Download size: 7.4 MB

    Security Update for Microsoft Office 2007 suites (KB2596856)
    Download size: 1.3 MB

    Security Update for Windows Vista (KB2655992)
    Download size: 1.2 MB


    Security Update for Windows Vista (KB2691442)
    Download size: 4.0 MB

    Security Update for Windows Vista (KB2698365)
    Download size: 875 KB

    Security Update for Windows Vista (KB2705219)
    Download size: 220 KB


    Security Update for Windows Vista (KB2712808)
    Download size: 1.5 MB

    Security Update for Windows Vista (KB2719985)
    Download size: 950 KB

    Security Update for Windows Vista (KB2731847)
    Download size: 1.0 MB

    Update Rollup for ActiveX Killbits for Windows Vista (KB2736233)
    Download size: 48 KB

    Windows Malicious Software Removal Tool - September 2012 (KB890830)
    Download size: 16.1 MB

    There are also 5 Optional updates available:

    HP - Display - HP w2408 Wide LCD Monitor
    Download size: 59 KB

    Intel - Storage - Intel(R) ICH8R/ICH9R/ICH10R/DO SATA RAID Controller
    Download size: 178 KB

    nVidia - Display, Other hardware - NVIDIA GeForce 8600 GT
    Download size: 165.2 MB

    Realtek Semiconductor Corp. - Audio - Realtek High Definition Audio
    Download size: 11.2 MB

    Update for Windows Vista - English (KB937286)
    Download size: 24.0 MB
  21. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    Install them.

    Way to go!! [IMG]
    Good luck and stay safe :)
