Avast WEBforum
Other => Viruses and worms => Topic started by: zlimrida on September 01, 2012, 03:58:54 PM
-
Hello..
My services.exe is infected with Sirefef-AHF [trj], which AVG picks up but is not able to remove.
I have had it for at least 3 weeks now, and this thing has shut down my computer a couple of times; one time
I had to run system recovery to be able to boot up the laptop.
Since I am a complete amateur, I have no idea what to do. Please help.
-
Hello and welcome to avast. ;)
http://forum.avast.com/index.php?topic=53253.0
Please read this guide. I need log reports from Malwarebytes, OTL and aswMBR.
-
Malwarebytes: Came out in Norwegian; Google Translate works on it.
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Databaseversjon: v2012.09.01.03
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Zlim :: ZLIM-HP [administrator]
01.09.2012 16:16:56
mbam-log-2012-09-01 (16-16-56).txt
Skanntype: Hurtigsøk
Aktiverte skanningsinnstillinger: Minne | Oppstart | Register | Filsystem | Heuristikk/Ekstra | Heuristikk/Shuriken | PUP | PUM
Deaktiverte skanninnstillinger: P2P
Objekter skannet: 196969
Tid tilbakelagt: 3 minutt(er), 41 sekund(er)
Minneprosesser oppdaget: 0
(Ingen skadelige objekter funnet)
Minnemoduler oppdaget: 0
(Ingen skadelige objekter funnet)
Registernøkler oppdaget: 0
(Ingen skadelige objekter funnet)
Registerverdier oppdaget: 0
(Ingen skadelige objekter funnet)
Registerfiler oppdaget: 0
(Ingen skadelige objekter funnet)
Mapper oppdaget: 0
(Ingen skadelige objekter funnet)
Filer oppdaget 6
C:\$Recycle.Bin\S-1-5-21-1008104762-4221902305-1862361787-1000\$RWTUJJ3\epicbot_520(1).exe (PUP.BundleOffers.IIQ) -> Satt i karantene og slettet vellykket.
C:\Users\Zlim\Downloads\epicbot_520.exe (PUP.BundleOffers.IIQ) -> Satt i karantene og slettet vellykket.
C:\Windows\Installer\{7ba12d95-5a21-c945-9f55-8c43c32cc061}\n (Rootkit.0Access) -> Satt i karantene og slettet vellykket.
C:\Windows\Installer\{7ba12d95-5a21-c945-9f55-8c43c32cc061}\L\00000008.@ (Trojan.BitMiner) -> Satt i karantene og slettet vellykket.
C:\Windows\Installer\{7ba12d95-5a21-c945-9f55-8c43c32cc061}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Satt i karantene og slettet vellykket.
C:\Windows\Installer\{7ba12d95-5a21-c945-9f55-8c43c32cc061}\U\000000cb.@ (Rootkit.0Access) -> Satt i karantene og slettet vellykket.
(klar)
OTL: in attachment
MBR:
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-09-01 17:01:22
-----------------------------
17:01:22.493 OS Version: Windows x64 6.1.7601 Service Pack 1
17:01:22.493 Number of processors: 4 586 0x2A07
17:01:22.493 ComputerName: ZLIM-HP UserName: Zlim
17:01:24.642 Initialize success
17:01:24.736 AVAST engine defs: 12090100
17:01:55.000 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
17:01:55.000 Disk 0 Vendor: TOSHIBA_ GT00 Size: 715404MB BusType: 3
17:01:55.047 Disk 0 MBR read successfully
17:01:55.047 Disk 0 MBR scan
17:01:55.047 Disk 0 Windows 7 default MBR code
17:01:55.062 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 199 MB offset 2048
17:01:55.093 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 692042 MB offset 409600
17:01:55.125 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 19099 MB offset 1417711616
17:01:55.156 Disk 0 Partition 4 00 0C FAT32 LBA MSDOS5.0 4062 MB offset 1456826368
17:01:55.187 Disk 0 scanning C:\Windows\system32\drivers
17:02:03.627 Service scanning
17:02:36.574 Modules scanning
17:02:36.590 Disk 0 trace - called modules:
17:02:37.136 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
17:02:37.136 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8008ada060]
17:02:37.151 3 CLASSPNP.SYS[fffff88001a0143f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8007859050]
17:02:38.040 AVAST engine scan C:\Windows
17:02:40.677 AVAST engine scan C:\Windows\system32
17:03:28.217 File: C:\Windows\system32\services.exe **INFECTED** Win32:Patched-AKC [Trj]
17:03:47.024 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
17:03:48.604 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
17:04:39.571 AVAST engine scan C:\Windows\system32\drivers
17:04:49.917 AVAST engine scan C:\Users\Zlim
17:11:40.604 AVAST engine scan C:\ProgramData
17:13:15.751 Scan finished successfully
17:14:58.119 Disk 0 MBR has been saved successfully to "C:\Users\Zlim\Desktop\MBR.dat"
17:14:58.123 The log file has been saved successfully to "C:\Users\Zlim\Desktop\aswMBR.txt"
17:26:46.081 Disk 0 MBR has been saved successfully to "C:\Users\Zlim\Desktop\MBR.dat"
17:26:46.102 The log file has been saved successfully to "C:\Users\Zlim\Desktop\aswMBR.txt"
-
Ok
-
We need aswMBR.txt, not the dat file
-
We need aswMBR.txt, not the dat file
Yes, fixed it now :P
-
Multiple Antivirus Programs
You are running more than 1 Antivirus program!
AV: AVAST Software
AV: AVG Technologies CZ
Running more than one antivirus program is not recommended because:
- They can conflict with each other.
- They can report the other antivirus software as malicious.
- Antivirus programs use an enormous amount of the computer's resources while actively scanning your computer.
- They can cause your computer to become unstable, run slowly and even, in rare cases, BSOD crash, etc.
I strongly suggest you uninstall one of them.
Which one is your decision.
************************
Step#1
> Temporarily disable your AntiVirus & AntiMalware program.
If you are unsure how to do this please read this (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html) or this (http://www.bleepingcomputer.com/forums/topic114351.html) instruction.
Re-run OTL.exe.
- Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
:processes
killallprocesses
:OTL
IE:64bit: - HKLM\..\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}: "URL" = http://eu.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
IE - HKLM\..\URLSearchHook: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll (Conduit Ltd.)
IE - HKLM\..\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}: "URL" = http://eu.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
IE - HKU\S-1-5-21-1008104762-4221902305-1862361787-1000\..\URLSearchHook: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-1008104762-4221902305-1862361787-1000\..\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}: "URL" = http://eu.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
CHR - Extension: uTorrentBar = C:\Users\Zlim\AppData\Local\Google\Chrome\User Data\Default\Extensions\bejbohlohkkgompgecdcbbglkpjfjgdj\2.3.15.10_0\
O2 - BHO: (uTorrentBar Toolbar) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (uTorrentBar Toolbar) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll (Conduit Ltd.)
O3 - HKU\S-1-5-21-1008104762-4221902305-1862361787-1000\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
[2012/09/01 16:37:41 | 000,232,960 | ---- | C] () -- C:\Windows\Installer\{7ba12d95-5a21-c945-9f55-8c43c32cc061}\U\00000008.@
[2012/07/16 13:52:06 | 000,000,804 | ---- | C] () -- C:\Windows\Installer\{7ba12d95-5a21-c945-9f55-8c43c32cc061}\L\00000004.@
[2012/07/16 13:52:05 | 000,002,048 | ---- | C] () -- C:\Windows\Installer\{7ba12d95-5a21-c945-9f55-8c43c32cc061}\U\00000004.@
[2012/01/16 15:37:11 | 000,002,048 | -HS- | C] () -- C:\Windows\Installer\{7ba12d95-5a21-c945-9f55-8c43c32cc061}\@
[2012/01/16 15:37:11 | 000,002,048 | -HS- | C] () -- C:\Users\Zlim\AppData\Local\{7ba12d95-5a21-c945-9f55-8c43c32cc061}\@
:files
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
C:\Users\Zlim\AppData\Roaming\mozilla\Firefox\Profiles\jq9aom5h.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
C:\Users\Zlim\AppData\Roaming\Mozilla\Firefox\Profiles\jq9aom5h.default\searchplugins\askcom.xml
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt /c
ipconfig /release /c
ipconfig /renew /c
recycler /alldrives
sc create BITS binpath= "c:\windows\system32\svchost.exe -k netsvcs" start= delayed-auto /c
C:\Windows\SysNative\services.exe|C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe /replace
:commands
[purity]
[CREATERESTOREPOINT]
[emptytemp]
- Then click the Run Fix button at the top.
- Let the program run unhindered; it will reboot the system when it is done and open Notepad with the log report. Attach that log report here.
************************
Step#2
- Re-run OTL. Make sure all other windows are closed and to let it run uninterrupted.
- Click on Scan All Users
- Paste this into Custom Scans/Fixes box at the bottom
drives
/md5start
services.exe
/md5stop
%systemroot%\assembly\GAC_32\*.* /S /MD5
%systemroot%\assembly\GAC_64\*.* /S /MD5
%systemroot%\Tasks\*.job /lockedfiles
c:\windows\installer\@ /s
c:\windows\installer\*.@ /s
dir /s /a "C:\Windows\Installer\{7ba12d95-5a21-c945-9f55-8c43c32cc061}" /c
>C:\commands.txt echo list vol /raw /hide /c
/wait
>C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
/wait
type c:\diskreport.txt /c
/wait
erase c:\commands.txt /hide /c
/wait
erase c:\diskreport.txt /hide /c
CREATERESTOREPOINT
- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Please attach them in this thread.
-
Oh, I didn't notice the antiviruses; I forgot the laptop did a system recovery to its previous state. But it's fixed now.
Here are the reports:
-
Scan
-
It is recommended to run the vendor's removal tool to clear any leftover files that may conflict... then everything goes so much better ;)
Found here: http://singularlabs.com/uninstallers/security-software/
-
Hi,
We need to use a higher power.
> Download ComboFix from here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it to your Desktop.
If you are unsure how ComboFix works please read this guide (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) carefully.
note: ComboFix must be downloaded to your Desktop.
> Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html) or this (http://www.bleepingcomputer.com/forums/topic114351.html) Instruction.
How to disable avast:
- Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
- In the window that opens on the top right corner, click Settings.
- In the new window that opens, choose the Troubleshooting option, uncheck Enable avast! self-defense, and click OK.
- Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls.
- In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn on this option after the cleaning.
> Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.
If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart computer once more.
> When the tool is finished, it will produce a log report for you (typical location: C:\ComboFix.txt).
Attach the log report (ComboFix.txt) to this topic.
-
I get an error with ComboFix:
Incompatible OS, ComboFix only works for workstations with Windows 2000 and XP.
I have Windows 7.
-
I get an error with ComboFix:
Incompatible OS, ComboFix only works for workstations with Windows 2000 and XP.
I have Windows 7.
Is that a fresh copy of ComboFix?
-Delete the current ComboFix.
-Restart your computer.
-Download a fresh ComboFix and try to run it.
-If it fails to run, delete the old ComboFix again, download a fresh one and try to run it in safe mode.
-
Does not work, and I assume it's fresh, yeah; I used the link you gave. Not sure what's wrong.
Deleted ComboFix, restarted, downloaded, tried to run, same error.
Deleted ComboFix, downloaded, ran in safe mode, same error.
Deleted ComboFix, ran safe mode, downloaded in safe mode, tried to run, same error.
-
... not sure what's wrong
Neither do I ;D
-----------------------------------
Step#1.1
We need to use the RKill Tool by Grinler
> Download and run RKill. RKill will try to kill all malicious processes. Do not reboot your computer. Then try immediately to re-run ComboFix.
Here is full guide and download links:
Rkill.com <--- Download site (http://download.bleepingcomputer.com/grinler/rkill.com) BleepingComputer (http://www.bleepingcomputer.com/download/rkill)
- Please Download Rkill.com. Save it to your Desktop.
- Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page (http://www.bleepingcomputer.com/forums/index.php?showtopic=114351&view=findpost&p=649847) if you are not sure how.
- NOTE: If you are unable to connect to the site to download rkill, then you should download it to a clean computer and copy it to the infected one via a USB flash drive or CDROM.
- Once it is downloaded, double-click on the rkill.com in order to automatically attempt to stop any processes associated with Rogue programs.
- Please be patient while the program looks for various malware programs and ends them.
- When it has finished, the black window will automatically close and you can continue with the next step.
NOTE: If you get a message that RKill is an infection, do not be concerned. This message is just a fake warning given by the rogue program when it terminates programs that may potentially remove it. If you run into these infection warnings that close RKill, a trick is to leave the warning on the screen and then run RKill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that RKill can terminate the rogue program. So, please try running RKill until the malware is no longer running. You will then be able to proceed with the rest of the steps.
If you continue having problems running rkill.com, you can download:
iExplore.exe (http://download.bleepingcomputer.com/grinler/iExplore.exe) or eXplorer.exe (http://download.bleepingcomputer.com/grinler/eXplorer.exe)
which are renamed copies of rkill.com, and try them instead.
Step#1.2
>> Do not reboot your computer. Try now to run Combofix.
********************************
Step#2
> If all fails...
Let's use a different approach to all of this. 8)
- Download FRST64 (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/) to a USB flash drive.
- Plug the USB drive into the infected machine.
Boot your computer into Recovery Environment
- Restart the computer and press F8 repeatedly until the Advanced Options Menu appears.
- Select Repair your computer.
- Select Language and click Next
- Enter password (if necessary) and click OK, you should now see the screen below ...
(http://i1090.photobucket.com/albums/i366/garyr56/W7InstallDisk2.png)
- Select the Command Prompt option.
- A command window will open.
- Type notepad then hit Enter.
- Notepad will open.
- Click File > Open then select Computer.
- Note down the drive letter for your USB Drive.
- Close Notepad.
- Back in the command window ....
- Type e:/frst64.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)
- FRST will start to run.
- When the tool opens click Yes to disclaimer.
- Press Scan button.
- When finished scanning it will make a log FRST.txt on the flash drive.
- Next
- Type Explorer.exe;Services.exe into the Search: field in FRST then click the Search File(s) button.
- FRST will search your computer for files and when finished it will produce a log Search.txt on the flash drive.
- Exit FRST.
- Close the command window.
- Boot back into normal mode and post me the FRST.txt and Search.txt logs please.
-
FRST logs
PS: Avast stopped spamming me about threats, btw, but when I scan I can still see the virus. Not sure if this is relevant, but I just felt I had to say it :)
-
Step#1.1
-Delete FRST.txt (notepad) from your USB flash drive if you have it.
Open new notepad.
- Click Start
- Type notepad.exe in the search programs and files box and click Enter.
- A blank Notepad page should open.
- Copy/Paste the contents of the code box below into Notepad.
Start
Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\System32\services.exe
HKU\Zlim\...\Policies\system: [DisableLockWorkstation] 0
HKU\Zlim\...\Policies\system: [DisableChangePassword] 0
C:\Windows\Installer\{7ba12d95-5a21-c945-9f55-8c43c32cc061}
C:\Users\Zlim\AppData\Local\{7ba12d95-5a21-c945-9f55-8c43c32cc061}
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
end
- Save it to your USB flash drive as fixlist.txt
>> Boot into Recovery Environment
Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
- Press the Fix button once and wait.
- FRST will process fixlist.txt
- When finished, it will produce a log fixlog.txt on your USB flashdrive.
Step#1.2
While you're still there...
>> - Click on the Scan button to run a fresh FRST.txt scan.
- When finished, it will produce a fresh log FRST.txt on your USB flash drive.
>> Exit out of Recovery Environment and post me the log please.
>> Attach fresh FRST.txt log.
************************
Step#2
Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) and save it to your desktop
Execute TDSSKiller.exe by double-clicking on it.
- Press Start Scan
- If Suspicious object is detected, the default action will be Skip, click on Continue.
- If Malicious objects are found, select Cure.
Once complete, a log will be produced in the root of the system drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt
Please post the contents of that log in your next reply.
************************
Step#3
- Re-run OTL. Make sure all other windows are closed and to let it run uninterrupted.
- Click on Scan All Users
- Paste this into Custom Scans/Fixes box at the bottom
drives
/md5start
services.exe
/md5stop
%systemroot%\assembly\GAC_32\*.ini /S /MD5
%systemroot%\assembly\GAC_64\*.ini /S /MD5
%systemroot%\Installer|@;true;true;true
%systemdrive%\$Recycle.Bin|@;true;true;true
%systemdrive%\$Recycle.Bin|n;true;true;true
C:\$Recycle.Bin\S-1-5-18 /s
C:\$Recycle.Bin\S-1-5-21-1862684139-277524484-329249885-1000 /s
c:\windows\installer\@ /s
c:\windows\installer\*.@ /s
dir /s /a "C:\Windows\Installer\{7ba12d95-5a21-c945-9f55-8c43c32cc061}" /c
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS /s
- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Please attach them in this thread.
-
FRST logs
-
OTL and TDSSKiller logs
-
Nice, the logs look good. I will remove some leftover registry entries related to AVG.
Step#1
Re-run OTL.exe.
- Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
:OTL
IE:64bit: - HKLM\..\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}: "URL" = http://eu.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
IE - HKU\S-1-5-21-1008104762-4221902305-1862361787-1000\..\SearchScopes\{FFF4641F-23D0-49B4-BE7E-36D4F871C109}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=&src=kw&q={searchTerms}&locale=&apn_ptnrs=&apn_dtid=OSJ000&apn_uid=89891337-95F1-401B-96F5-C4E83130DE16&apn_sauid=80968523-5D33-4E3F-BDF6-1DBD0AD08FD2
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{F53C93F1-07D5-430c-86D4-C9531B27DFAF}: C:\Program Files (x86)\AVG\AVG2012\Firefox\DoNotTrack\ [2012/09/02 00:19:01 | 000,000,000 | ---D | M]
O2:64bit: - BHO: (AVG Do Not Track) - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiea.dll File not found
O2:64bit: - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (AVG Do Not Track) - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll File not found
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O3 - HKU\S-1-5-21-1008104762-4221902305-1862361787-1000\..\Toolbar\WebBrowser: (no name) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No CLSID value found.
O9 - Extra Button: AVG Do Not Track - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll File not found
:files
sc create BITS binpath= "c:\windows\system32\svchost.exe -k netsvcs" start= delayed-auto /c
:commands
[CREATERESTOREPOINT]
[emptytemp]
[purity]
[EMPTYFLASH]
[EMPTYJAVA]
[Reboot]
- Then click the Run Fix button at the top.
- Let the program run unhindered; it will reboot the system when it is done and open Notepad with the log report. Attach that log report here.
*****************
Step#2
Download Farbar Service Scanner (http://download.bleepingcomputer.com/farbar/FSS.exe) (FSS) and run it on the computer with the issue.
- Check the following options:
- Internet Services
- Windows Update
- Other Services
- Press "Scan" button.
- It will create a log (FSS.txt).
- Attach the log report here.
*********************
Step#3
> I'd love to see the ComboFix log.
Download a fresh ComboFix. Disable your antivirus and try to run it now.
-
OTL and FSS logs
ComboFix still not working though, still says it needs Windows 2000 or XP :P
-
Ok, download this registry file to your Desktop:
https://www.dropbox.com/s/3kw9vqjixsk6uex/BITS7.reg
Double-click to run it. On the pop-up windows click YES/OK. Reboot your computer.
> Re-run FSS and attach a fresh FSS.txt log here
> How's your computer running now?
-
FSS is the normal log (Internet - update - other services).
FSS2 is the second one where I added the firewall to it, since the firewall seems to be down; mind taking a look?
But otherwise the computer is running ok; scanned with Avast, no malware found. Also no virus alert popups, and no Windows shutdowns.
-
Re-run OTL.exe.
- Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
:processes
explorer.exe
svchost.exe
:commands
[Reboot]
:reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS]
"DisplayName"="@%SystemRoot%\\system32\\qmgr.dll,-1000"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Description"="@%SystemRoot%\\system32\\qmgr.dll,-1001"
"ObjectName"="LocalSystem"
"ErrorControl"=dword:00000001
"Start"=dword:00000002
"DelayedAutoStart"=dword:00000001
"Type"=dword:00000020
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,45,00,76,00,65,00,\
6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,00,00
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,43,00,72,00,65,00,61,00,74,00,65,00,47,\
00,6c,00,6f,00,62,00,61,00,6c,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,\
00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
00,00,53,00,65,00,54,00,63,00,62,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,\
00,67,00,65,00,00,00,53,00,65,00,41,00,73,00,73,00,69,00,67,00,6e,00,50,00,\
72,00,69,00,6d,00,61,00,72,00,79,00,54,00,6f,00,6b,00,65,00,6e,00,50,00,72,\
00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6e,00,\
63,00,72,00,65,00,61,00,73,00,65,00,51,00,75,00,6f,00,74,00,61,00,50,00,72,\
00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
00,01,00,00,00,60,ea,00,00,01,00,00,00,c0,d4,01,00,00,00,00,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
71,00,6d,00,67,00,72,00,2e,00,64,00,6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Performance]
"Library"="bitsperf.dll"
"Open"="PerfMon_Open"
"Collect"="PerfMon_Collect"
"Close"="PerfMon_Close"
"InstallType"=dword:00000001
"PerfIniFile"="bitsctrs.ini"
"First Counter"=dword:000007d2
"Last Counter"=dword:000007e2
"First Help"=dword:000007d3
"Last Help"=dword:000007e3
"Object List"="2002"
"PerfMMFileName"="Global\\MMF_BITS_s"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Security]
"Security"=hex:01,00,14,80,90,00,00,00,a0,00,00,00,14,00,00,00,34,00,00,00,02,\
00,20,00,01,00,00,00,02,c0,18,00,00,00,0c,00,01,02,00,00,00,00,00,05,20,00,\
00,00,20,02,00,00,02,00,5c,00,04,00,00,00,00,02,14,00,ff,01,0f,00,01,01,00,\
00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
20,00,00,00,20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,04,\
00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,01,02,\
00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,00,00,\
00,20,02,00,00
- Then click the Run Fix button at the top.
- Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.
******************
Re-run FSS, check Windows Update and Scan.
Attach a fresh FSS.txt log here.
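An added example, not part of the thread and not code from OTL, FRST, FSS or aswMBR: a post-cleanup check a defender can run after the services.exe replacement and the /md5 scan in the earlier OTL posts, and after the BITS registry restore in this post. It hashes the live services.exe against the component-store copies (the winsxs folder name is the one quoted in the fix scripts), reads the file's embedded signature, looks for the Sirefef/ZeroAccess drop sites the scan logs in this thread named (a GUID-named folder holding a file called `@`, and the GAC_32/GAC_64 Desktop.ini files), and reads back the BITS values the .reg file sets. Assumed: Windows 7 x64 with PowerShell 4.0 or later (for Get-FileHash), run from an elevated PowerShell prompt; the service names BITS, wuauserv and MpsSvc (Windows Firewall) are the ones FSS reports on.

```powershell
# Added example for this thread (not output of, or code from, OTL, FRST, FSS or aswMBR).
# Post-cleanup integrity checks for the two things the thread kept coming back to:
# a patched services.exe and a broken BITS service. Assumes Windows 7 x64 with
# PowerShell 4.0 or later (Get-FileHash), run from an elevated PowerShell prompt.

function Test-ServicesExe {
    # Compare the live services.exe with every copy in the component store (what the
    # OTL "/md5start services.exe /md5stop" scan does by hand) and check its signature.
    $live     = Join-Path $env:SystemRoot 'System32\services.exe'
    $liveHash = (Get-FileHash -Algorithm SHA256 -Path $live).Hash
    $sig      = Get-AuthenticodeSignature -FilePath $live
    $signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }

    $matches = @(); $mismatches = @()
    # Directory name pattern is the winsxs folder quoted in the thread's fix scripts.
    Get-ChildItem -Path (Join-Path $env:SystemRoot 'winsxs') -Directory -Filter 'amd64_microsoft-windows-s..s-servicecontroller_*' |
        ForEach-Object { Join-Path $_.FullName 'services.exe' } |
        Where-Object  { Test-Path -LiteralPath $_ } |
        ForEach-Object {
            if ((Get-FileHash -Algorithm SHA256 -Path $_).Hash -eq $liveHash) { $matches += $_ }
            else { $mismatches += $_ }
        }

    [pscustomobject]@{
        Path            = $live
        SHA256          = $liveHash
        # Caveat: on Windows 7 most system binaries are catalog-signed and this cmdlet
        # only reads embedded signatures, so 'NotSigned' is NOT proof of tampering;
        # 'Valid' is good evidence the file is genuine. Use 'sfc /verifyfile=' to settle it.
        SignatureStatus = $sig.Status
        Signer          = $signer
        WinSxSMatches   = $matches      # at least one match expected on a clean machine
        WinSxSMismatch  = $mismatches   # older/newer versions in winsxs differ legitimately
    }
}

function Find-SirefefLeftovers {
    # Drop sites named by the Malwarebytes, aswMBR and OTL output in the thread: a
    # GUID-named folder holding a file called '@' under C:\Windows\Installer or the
    # user's AppData\Local, and Desktop.ini files planted in the .NET GAC_32/GAC_64 folders.
    # Legitimate MSI cache folders under Installer are GUID-named too, but contain no '@'.
    $hits  = @()
    $roots = @((Join-Path $env:SystemRoot 'Installer'), $env:LOCALAPPDATA)
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Directory -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$' } |
            ForEach-Object {
                $marker = Join-Path $_.FullName '@'
                if (Test-Path -LiteralPath $marker) { $hits += $marker }
            }
    }
    foreach ($gac in 'GAC_32', 'GAC_64') {
        $ini = Join-Path $env:SystemRoot "assembly\$gac\Desktop.ini"
        if (Test-Path -LiteralPath $ini) { $hits += $ini }
    }
    $hits
}

function Get-BitsServiceConfig {
    # Read back the values the BITS7.reg / OTL ":reg" fix in this thread restores.
    # Expected on Windows 7: ImagePath "%SystemRoot%\System32\svchost.exe -k netsvcs",
    # ServiceDll "%SystemRoot%\System32\qmgr.dll", Start 2 with DelayedAutoStart 1.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\services\BITS'
    if (-not (Test-Path $key)) { return [pscustomobject]@{ Present = $false } }
    $svc   = Get-ItemProperty -Path $key
    $parms = Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Present            = $true
        ImagePath          = $svc.ImagePath        # REG_EXPAND_SZ comes back expanded
        ServiceDll         = $parms.ServiceDll
        Start              = $svc.Start
        DelayedAutoStart   = $svc.DelayedAutoStart
        ImagePathIsSvchost = [bool]($svc.ImagePath -match '\\svchost\.exe\s+-k\s+netsvcs\s*$')
        ServiceDllIsQmgr   = [bool]($parms.ServiceDll -match '\\System32\\qmgr\.dll$')
        Status             = (Get-Service -Name BITS -ErrorAction SilentlyContinue).Status
    }
}

# Run all three checks and show the services FSS was asked about (BITS, Windows Update, firewall).
Test-ServicesExe | Format-List
$left = Find-SirefefLeftovers
if ($left) { 'Suspicious leftovers:'; $left } else { 'No Sirefef/ZeroAccess-style leftovers found.' }
Get-BitsServiceConfig | Format-List
Get-Service -Name BITS, wuauserv, MpsSvc | Format-Table Name, Status, DisplayName -AutoSize
```

Read the output as evidence, not a verdict: a services.exe that matches no winsxs copy and reports an invalid signature deserves a closer look, while a hash mismatch against a different file version alone does not. On Windows 7 the signature check cannot see catalog signatures, so `sfc /verifyfile=C:\Windows\System32\services.exe` is the authoritative check for that file; the leftover and BITS checks confirm the fix scripts did what they were meant to.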
-
OTL, FSS logs
-
Ah, let's try again...
Download this reg file to your desktop. Run it and click Yes/OK on the pop-up.
https://www.dropbox.com/s/tf1ilyjlfp23kud/wuauserv7.reg
Reboot your computer.
Then download this one:
https://www.dropbox.com/s/3kw9vqjixsk6uex/BITS7.reg
Click YES/OK.
Reboot your computer.
************************
Download the Complete Internet Repair tool.
www.datum-forensics.com/down/comintrep.exe
- Extract the program into a separate folder on the Desktop.
Double-click to start comintrep and click Extract.
The program will create a new folder called Complete Internet Repair.
Close all running applications.
In the created folder, double-click on CIntRep to run the program.
Check the boxes for the Repair / Windows Automatic Update options and then click Go!
Wait for the program to finish the repair; it will then ask for a reboot.
If it does not reboot, restart it yourself.
Restart the program by double-clicking on CIntRep.
Click on File > Logging > Logging Open Directory.
Attach CIntRep.txt using the attach file option.
If there are several logs, attach them to the message as well.
=============
Re run FSS as before and attach here fresh FSS.txt log.
> How is your computer running now?
-
Logs:
The machine is running well, although the firewall is still messed up.
-
Re-run Complete Internet Repair, check all boxes and click on Go!
Reboot Windows.
---------------
Download Windows Repair (all in one) from this site (http://www.tweaking.com/content/page/windows_repair_all_in_one.html)
Install the programme, then run it
(https://dl.dropbox.com/u/73555776/waio%20start.JPG)
Go to step 3 and allow it to run SFC
(https://dl.dropbox.com/u/73555776/waio%20step3.JPG)
On the start repairs tab click start
(https://dl.dropbox.com/u/73555776/waiostart%20rep.JPG)
Select the following items and tick restart system when finished
(https://dl.dropbox.com/u/73555776/waio%20rep%20list.JPG)
-----------------------
Re-run FSS. Check All options and click Scan. Attach here fresh FSS.txt.
-
Sorry, I had a field week at the military so I couldn't go online. But anyway..
FSS log:
Firewall up and running well, and the computer seems stable.
-
Is your computer running fine?
-
Yes, the computer is running fine, no problems. Thank you very much for your help :D
-
Good. Now it is necessary to uninstall ComboFix:
- Click Start (or (http://amf.mycity.rs/pg/images/VistaStartButton.png)) then Run.
On Windows7 or Vista you may use Start Search field if Run is not available.
- In the text field, type (or copy) the following:
ComboFix /Uninstall
Note that there is a space between " ComboFix " and " /Uninstall " .
- then click OK (or press Enter ).
Wait for the uninstall process to complete.
> Re-run OTL and click on CleanUp! button.
You will be asked to reboot the machine to finish the cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTL. Feel free to manually delete any tools it leaves behind.