Would appreciate some help. The logs are attached. Thanks!
Hi chemfire, welcome to the forum.
To make cleaning this machine easier
[*]Please do not uninstall/install any programs unless asked to
It is more difficult when files/programs are appearing in/disappearing from the logs.
[*]Please do not run any scans other than those requested
[*]Please follow all instructions in the order posted
[*]All logs/reports, etc… must be posted in Notepad. Please ensure that word wrap is unchecked. In notepad click format, uncheck word wrap if it is checked.
[*]Do not attach any logs/reports, etc… unless specifically requested to do so.
[*]If you have problems with or do not understand the instructions, Please ask before continuing.
[*]Please stay with this thread until given the All Clear. A absence of symptoms does not mean a clean machine.
There are quite a few services missing. We’ll worry about them after we get this cleaned up a bit.
Download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop
[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs
[*]Right click on ComboFix.exe, click Run as Administrator & follow the prompts.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1.Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer’s settings, including making I-E the default browser.
3. If after running combofix you recieve an message “Illegal operation attempted on a registery key that has been marked for deletion” or similar reboot the computer.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty [u]and terminates prematurely, the connection can be manually restored by restarting your machine.
Please post back with the combofix log.
Thanks
Okay, ran combofix, here is the log.
Hi chemfire,
I take it you are using a blank home page?
Your java is out of date. Click your start button > Control Panel
[*]Use the drop down menu beside view by and change it to small icons
[*]locate java (32bit) in the list and click on it
[*]when the java console opens click the update tab
[*]Click update now
Decline any other installs that may be offered whn the java is updated.
Next, Double click on OTL.exe
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following
[*]Do Not copy the word CODE
[*]please note the fix starts with the :
:Services
:Files
C:\Users\Loki\AppData\Local\{7d073918-5d7e-950e-a671-1c5d262f5eba}\@
c:\windows\Installer\{7d073918-5d7e-950e-a671-1c5d262f5eba}\U
c:\windows\Installer\{7d073918-5d7e-950e-a671-1c5d262f5eba}
C:\Users\Loki\AppData\Local\{7d073918-5d7e-950e-a671-1c5d262f5eba}
:Commands
[emptytemp]
[createrestorepoint]
Then click the Run Fix button at the top
[*]Let the program run unhindered
[*]Please save the resulting log to be posted in your next reply.
[*]Reboot your computer
Please post the OTL fix log.
Next
This infection is known to corrupt some of windows services. We’ll have a look.
Please download Farbar Service Scanner and save it to your desktop.
[*]Check all the boxes and click scan
[*]Please copy and paste the log to your reply.
Pleas post back with the OTL fix log and the FSS log.
Yes I use a blank home page. Updated Java, and the Logs are attached. You’re being so helpful! Thank you
Hi chemfire,
Next, Double click on OTL.exe
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following
[*]Do Not copy the word CODE
[*]please note the fix starts with the :
[*]to ensure you get it all click the [select]
:Services
:Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"DisplayName"="@%SystemRoot%\\system32\\qmgr.dll,-1000"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Description"="@%SystemRoot%\\system32\\qmgr.dll,-1001"
"ObjectName"="LocalSystem"
"ErrorControl"=dword:00000001
"Start"=dword:00000002
"DelayedAutoStart"=dword:00000001
"Type"=dword:00000020
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,45,00,76,00,65,00,\
6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,00,00
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,43,00,72,00,65,00,61,00,74,00,65,00,47,\
00,6c,00,6f,00,62,00,61,00,6c,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,\
00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
00,00,53,00,65,00,54,00,63,00,62,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,\
00,67,00,65,00,00,00,53,00,65,00,41,00,73,00,73,00,69,00,67,00,6e,00,50,00,\
72,00,69,00,6d,00,61,00,72,00,79,00,54,00,6f,00,6b,00,65,00,6e,00,50,00,72,\
00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6e,00,\
63,00,72,00,65,00,61,00,73,00,65,00,51,00,75,00,6f,00,74,00,61,00,50,00,72,\
00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
00,01,00,00,00,60,ea,00,00,01,00,00,00,c0,d4,01,00,00,00,00,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
71,00,6d,00,67,00,72,00,2e,00,64,00,6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Performance]
"Library"="bitsperf.dll"
"Open"="PerfMon_Open"
"Collect"="PerfMon_Collect"
"Close"="PerfMon_Close"
"InstallType"=dword:00000001
"PerfIniFile"="bitsctrs.ini"
"First Counter"=dword:00000774
"Last Counter"=dword:00000784
"First Help"=dword:00000775
"Last Help"=dword:00000785
"Object List"="1908"
"1008"=hex(b):bc,81,53,b3,1d,d9,cc,01
"PerfMMFileName"="Global\\MMF_BITS_s"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Security]
"Security"=hex:01,00,14,90,90,00,00,00,a0,00,00,00,14,00,00,00,34,00,00,00,02,\
00,20,00,01,00,00,00,02,c0,18,00,00,00,0c,00,01,02,00,00,00,00,00,05,20,00,\
00,00,20,02,00,00,02,00,5c,00,04,00,00,00,00,02,14,00,ff,01,0f,00,01,01,00,\
00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
20,00,00,00,20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,04,\
00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,01,02,\
00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,00,00,\
00,20,02,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Enum]
"0"="Root\\LEGACY_BITS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
:Commands
[emptytemp]
[createrestorepoint]
Then click the Run Fix button at the top
[*]Let the program run unhindered
[*]Please save the resulting log to be posted in your next reply.
[*]Reboot your computer
Please post the OTL fix log
Next rerun FSS the same way you did before and post the log.
Okay, all instructions followed and log posted.
I noticed my logs were word-wrapped. Here are the correct ones. I apologize for the hiccup.
Hi chemfire,
Click your start button. Copy and paste the following line into the search box and hit enter.
services.msc
Locate the following service, Windows Security Center
[*]in the right hand panel click Restart
[*]Did the service start or did you recieve an error essage?
Do the same with Windows Updates.
Next
You have this program installed, Malwarebytes’ Anti-Malware (MBAM). Please update it and run a scan.
Open MBAM
[*]Click the Update tab
[*]Click Check for Updates
[*]If an update is found, it will download and install the latest version.
[*]The program will close to update and reopen.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish,so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
[]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
Next
One more scan to check our handiwork.
As a Vista/Win7 user you will need to right click your browser icon and select “Run as Administrator” in order to run this scan.
[]Do not use this instance of your browser for anything besides doing this scan
[]When the scan is complete and the results saved, close that instance of your browser
[*]Open a new one the usual way and post the results in this topic.
*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don’t go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.
Go here to run an online scannner from
ESET
(Note: You can use Internet Explorer or FireFox for this scan. If you use FireFox you will be asked to install an additional component. Please allow this.)
[*]Tick the box next to YES, I accept the Terms of Use.
[*]Click Start
[*]When asked, allow the activex control to install
[*]Disable your Antivirus software. You can usually do this with its Notfication Tray icon near the clock
[*]Click Start
[*]Make sure that the option “Remove found threats” is Unchecked, and the option “Scan unwanted applications” is Checked.
[*]Click Scan.
[*]Wait for the scan to finish.
[*]When the scan completes, click List of found threats
[*]click Export to Text file and save the file to your desktop using a unique name, such as ESETScan.
[*]Include the contents of this report in your next reply
Note - when ESET doesn’t find any threats, no report will be created.
[*]Push the back button.
[*]Push Finish
[*]Re-enable your Antivirus software.
Please post back with
[]MBAM log
[]ESET log if there was one.
Any problems?
Services does not list Windows Security Center , but it does list Windows Update. I do not want to proceed without the go-ahead.
Hi chemfire,
Sorry about that, it’s called Security Center.