
  • "ArsenalGunner954" started this thread

Date of registration:
Oct 12th 2012

Version:
Avira Free Antivirus

Operating System:
Windows 7


1

Friday, October 12th 2012, 6:57pm

AT/ATRAPS.Gen2 Removal for Windows 7

Hello all,

Can someone please guide me through the removal of AT/ATRAPS.Gen2? I am on a laptop using Windows 7. Thank you all.

DR

Farger

Moderator

Date of registration:
Jul 10th 2009

Version:
Avira Free Antivirus
Avira Ultimate Protection Suite
Avira Internet Security

Operating System:
Windows XP/ Windows 7


2

Friday, October 12th 2012, 10:14pm

Hi,

  • Please download RogueKiller and save to the desktop.
  • Close all windows and browsers
  • Right-click the program and select 'Run as Administrator'
  • Press the scan button.
  • A report opens on the desktop named - RKreport.txt
  • Please post it in your next reply.
Scotty is currently on patrol


  • "ArsenalGunner954" started this thread


3

Saturday, October 13th 2012, 4:43am

Thank you Farger for taking the time to help me. I could not download RogueKiller from the link you provided, but I used a download from Geekstogo.com. Below are the results of my scan:


RogueKiller V8.1.1 [10/03/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User : Daniel Reyes [Admin rights]
Mode : Scan -- Date : 10/12/2012 22:37:15

¤¤¤ Bad processes : 1 ¤¤¤
[SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 7 ¤¤¤
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-21-4007427963-1751281713-1661640320-1000\$de79eed27fa29d89f8cc6f4aeb5d9c75\n.) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$de79eed27fa29d89f8cc6f4aeb5d9c75\n.) -> FOUND
[HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$de79eed27fa29d89f8cc6f4aeb5d9c75\n.) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] Desktop.ini : C:\windows\Assembly\GAC_32\Desktop.ini --> FOUND
[ZeroAccess][FILE] Desktop.ini : C:\windows\Assembly\GAC_64\Desktop.ini --> FOUND
[ZeroAccess][FILE] n : C:\$recycle.bin\S-1-5-18\$de79eed27fa29d89f8cc6f4aeb5d9c75\n --> FOUND
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-18\$de79eed27fa29d89f8cc6f4aeb5d9c75\@ --> FOUND
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-4007427963-1751281713-1661640320-1000\$de79eed27fa29d89f8cc6f4aeb5d9c75\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$de79eed27fa29d89f8cc6f4aeb5d9c75\U --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-4007427963-1751281713-1661640320-1000\$de79eed27fa29d89f8cc6f4aeb5d9c75\U --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-18\$de79eed27fa29d89f8cc6f4aeb5d9c75\L --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-4007427963-1751281713-1661640320-1000\$de79eed27fa29d89f8cc6f4aeb5d9c75\L --> FOUND

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts



¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9500420AS ATA Device +++++
--- User ---
[MBR] 365373a1fe685e5a8784ea739211c83c
[BSP] 3272325559109da2b518fdde8e3da377 : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 464268 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 953894912 | Size: 11171 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt

This post has been edited 1 times, last edit by "ArsenalGunner954" (Oct 13th 2012, 4:46am)
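The RogueKiller report above carries a compact set of ZeroAccess indicators: COM InprocServer32 values redirected into a 32-hex-character directory under C:\$Recycle.Bin\<SID>\, the dropped files n and @ plus the U and L folders in that directory, and a planted Desktop.ini in the GAC_32/GAC_64 assembly folders. The Python script below is an added example, not part of the original thread and not RogueKiller's own code; it parses report lines in the format shown above, flags any InprocServer32 value that points into the Recycle Bin, and collects the working directories by SID. The embedded sample is an excerpt copied from the RKreport[1].txt posted above; the regular expressions are written against that report format and are this example's own assumption.

```python
"""Pull ZeroAccess indicators out of RogueKiller report text (added example)."""
import re
from collections import Counter

# Excerpt copied from RKreport[1].txt as posted in this thread (not constructed).
SAMPLE_REPORT = r"""
¤¤¤ Registry Entries : 7 ¤¤¤
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-21-4007427963-1751281713-1661640320-1000\$de79eed27fa29d89f8cc6f4aeb5d9c75\n.) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$de79eed27fa29d89f8cc6f4aeb5d9c75\n.) -> FOUND
[HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$de79eed27fa29d89f8cc6f4aeb5d9c75\n.) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] Desktop.ini : C:\windows\Assembly\GAC_32\Desktop.ini --> FOUND
[ZeroAccess][FILE] Desktop.ini : C:\windows\Assembly\GAC_64\Desktop.ini --> FOUND
[ZeroAccess][FILE] n : C:\$recycle.bin\S-1-5-18\$de79eed27fa29d89f8cc6f4aeb5d9c75\n --> FOUND
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-18\$de79eed27fa29d89f8cc6f4aeb5d9c75\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$de79eed27fa29d89f8cc6f4aeb5d9c75\U --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-4007427963-1751281713-1661640320-1000\$de79eed27fa29d89f8cc6f4aeb5d9c75\L --> FOUND
"""

# Line formats as they appear in RogueKiller 8.x reports (assumption based on the
# report text above, not on RogueKiller documentation).
INPROC_RE = re.compile(
    r"^\[HJ INPROC\]\[ZeroAccess\] (?P<hive>HK\w+)\\\[\.\.\.\]\\InprocServer32 : "
    r"\((?P<path>.+?)\) -> (?P<status>.+)$"
)
ARTIFACT_RE = re.compile(
    r"^\[(?:ZeroAccess|Del\.Parent)\]\[(?P<kind>FILE|FOLDER)\] (?P<name>\S+) : "
    r"(?P<path>.+?) --> (?P<status>.+)$"
)
# ZeroAccess working directory: $Recycle.Bin\<SID>\$<32 hex chars>\
RECYCLE_DIR_RE = re.compile(
    r"\\\$recycle\.bin\\(?P<sid>S-1-5-[0-9-]+)\\\$(?P<dir>[0-9a-f]{32})(?=\\|$)",
    re.IGNORECASE,
)


def inprocserver_is_suspicious(path: str) -> bool:
    """True when a COM InprocServer32 value points into the Recycle Bin.

    No legitimate COM server is registered from there. ZeroAccess writes
    '...\\n.'; Win32 path normalisation strips the trailing dot, so the value
    loads the dropped file 'n'.
    """
    return RECYCLE_DIR_RE.search(path) is not None


def working_dir(path: str):
    """(SID, 32-hex-char directory) if path lies inside a ZeroAccess working dir, else None."""
    m = RECYCLE_DIR_RE.search(path)
    return (m["sid"].upper(), m["dir"].lower()) if m else None


def parse_report(text: str) -> dict:
    """Split RogueKiller lines into COM hijacks, file/folder artifacts and working dirs."""
    hijacks, artifacts, dirs = [], [], set()
    for raw in text.splitlines():
        line = raw.strip()  # the forum copy had leading spaces on some lines
        m = INPROC_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["suspicious"] = inprocserver_is_suspicious(rec["path"])
            hijacks.append(rec)
        else:
            m = ARTIFACT_RE.match(line)
            if m:
                artifacts.append(m.groupdict())
        if m and (wd := working_dir(m["path"])):
            dirs.add(wd)
    return {"inproc_hijacks": hijacks, "artifacts": artifacts, "recycle_dirs": dirs}


def summarize(report: dict) -> dict:
    """The numbers a responder wants at a glance from one report."""
    return {
        "hijacks": len(report["inproc_hijacks"]),
        "hijacks_into_recycle_bin": sum(h["suspicious"] for h in report["inproc_hijacks"]),
        "artifacts_by_status": dict(Counter(a["status"] for a in report["artifacts"])),
        "working_dirs": sorted(report["recycle_dirs"]),
        "gac_desktop_ini": sorted(
            a["path"] for a in report["artifacts"]
            if a["path"].lower().endswith(r"\desktop.ini")
        ),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

Feeding the later "Mode : Remove" report through the same parser shows the status column move from FOUND to REMOVED / REMOVED AT REBOOT, and the two REPLACED lines report the legitimate shell32.dll and fastprox.dll targets, which inprocserver_is_suspicious() correctly leaves unflagged.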


Farger

Moderator


4

Saturday, October 13th 2012, 6:49am

Hi,

Please re-run RogueKiller.
Wait until Prescan has finished.
Click on Scan.
Now click the Registry tab and locate these:

[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-21-4007427963-1751281713-1661640320-1000\$de79eed27fa29d89f8cc6f4aeb5d9c75\n.) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$de79eed27fa29d89f8cc6f4aeb5d9c75\n.) -> FOUND
[HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$de79eed27fa29d89f8cc6f4aeb5d9c75\n.) -> FOUND


Place a checkmark beside each of them and leave the others unchecked.
Now press the Delete button.

Click on the Files tab
Place a checkmark beside each of these items:

[ZeroAccess][FILE] Desktop.ini : C:\windows\Assembly\GAC_32\Desktop.ini --> FOUND
[ZeroAccess][FILE] Desktop.ini : C:\windows\Assembly\GAC_64\Desktop.ini --> FOUND
[ZeroAccess][FILE] n : C:\$recycle.bin\S-1-5-18\$de79eed27fa29d89f8cc6f4aeb5d9c75\n --> FOUND
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-18\$de79eed27fa29d89f8cc6f4aeb5d9c75\@ --> FOUND
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-4007427963-1751281713-1661640320-1000\$de79eed27fa29d89f8cc6f4aeb5d9c75\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$de79eed27fa29d89f8cc6f4aeb5d9c75\U --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-4007427963-1751281713-1661640320-1000\$de79eed27fa29d89f8cc6f4aeb5d9c75\U --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-18\$de79eed27fa29d89f8cc6f4aeb5d9c75\L --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-4007427963-1751281713-1661640320-1000\$de79eed27fa29d89f8cc6f4aeb5d9c75\L --> FOUND


Now press the Delete button.
If asked to restart the computer, please do so immediately.
When it is finished, there will be a log on your desktop called: RKreport[2].txt
Post the log in your next reply.


  • "ArsenalGunner954" started this thread


5

Saturday, October 13th 2012, 7:48am

I ran the scan and deleted the 3 files. It then asked to restart the computer so I restarted it. Once rebooted, I clicked FILE, and no options were available. I ran the scan 3 more times just to make sure to no avail. Here is the report:


RogueKiller V8.1.1 [10/03/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User : Daniel Reyes [Admin rights]
Mode : Remove -- Date : 10/13/2012 01:23:46

¤¤¤ Bad processes : 1 ¤¤¤
[SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 6 ¤¤¤
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> NOT SELECTED
[HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> NOT SELECTED
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> NOT SELECTED
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> NOT SELECTED
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-21-4007427963-1751281713-1661640320-1000\$de79eed27fa29d89f8cc6f4aeb5d9c75\n.) -> REPLACED (C:\windows\system32\shell32.dll)
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$de79eed27fa29d89f8cc6f4aeb5d9c75\n.) -> REPLACED (C:\windows\system32\wbem\fastprox.dll)

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] Desktop.ini : C:\windows\Assembly\GAC_32\Desktop.ini --> REMOVED AT REBOOT
[ZeroAccess][FILE] Desktop.ini : C:\windows\Assembly\GAC_64\Desktop.ini --> REMOVED AT REBOOT
[ZeroAccess][FILE] n : C:\$recycle.bin\S-1-5-18\$de79eed27fa29d89f8cc6f4aeb5d9c75\n --> REMOVED AT REBOOT
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-18\$de79eed27fa29d89f8cc6f4aeb5d9c75\@ --> REMOVED AT REBOOT
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-4007427963-1751281713-1661640320-1000\$de79eed27fa29d89f8cc6f4aeb5d9c75\@ --> REMOVED
[Del.Parent][FILE] 00000004.@ : C:\$recycle.bin\S-1-5-18\$de79eed27fa29d89f8cc6f4aeb5d9c75\U\00000004.@ --> REMOVED
[Del.Parent][FILE] 00000008.@ : C:\$recycle.bin\S-1-5-18\$de79eed27fa29d89f8cc6f4aeb5d9c75\U\00000008.@ --> REMOVED
[Del.Parent][FILE] 000000cb.@ : C:\$recycle.bin\S-1-5-18\$de79eed27fa29d89f8cc6f4aeb5d9c75\U\000000cb.@ --> REMOVED
[Del.Parent][FILE] 80000000.@ : C:\$recycle.bin\S-1-5-18\$de79eed27fa29d89f8cc6f4aeb5d9c75\U\80000000.@ --> REMOVED
[Del.Parent][FILE] 80000032.@ : C:\$recycle.bin\S-1-5-18\$de79eed27fa29d89f8cc6f4aeb5d9c75\U\80000032.@ --> REMOVED
[Del.Parent][FILE] 80000064.@ : C:\$recycle.bin\S-1-5-18\$de79eed27fa29d89f8cc6f4aeb5d9c75\U\80000064.@ --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-18\$de79eed27fa29d89f8cc6f4aeb5d9c75\U --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-21-4007427963-1751281713-1661640320-1000\$de79eed27fa29d89f8cc6f4aeb5d9c75\U --> REMOVED
[Del.Parent][FILE] 00000004.@ : C:\$recycle.bin\S-1-5-18\$de79eed27fa29d89f8cc6f4aeb5d9c75\L\00000004.@ --> REMOVED
[Del.Parent][FILE] 201d3dde : C:\$recycle.bin\S-1-5-18\$de79eed27fa29d89f8cc6f4aeb5d9c75\L\201d3dde --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-18\$de79eed27fa29d89f8cc6f4aeb5d9c75\L --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-21-4007427963-1751281713-1661640320-1000\$de79eed27fa29d89f8cc6f4aeb5d9c75\L --> REMOVED

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts



¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9500420AS ATA Device +++++
--- User ---
[MBR] 365373a1fe685e5a8784ea739211c83c
[BSP] 3272325559109da2b518fdde8e3da377 : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 464268 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 953894912 | Size: 11171 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[4].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt


Thank you.

Farger

Moderator


6

Saturday, October 13th 2012, 11:10pm

Hi,

Please download OTL from the link below:
OTL

Save it to your desktop.
Double click on the icon on your desktop.
OTL should now start. Change the following settings:
- Click on Scan All Users checkbox given at the top
- Under File Scans, change File age to 90
- Change Standard Registry to All
- Check the boxes beside LOP Check and Purity Check
Copy and Paste the following code into the textbox.
Don't copy the word "quoted"

Quoted


netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.*
%USERPROFILE%\*.*
%USERPROFILE%\Application Data\*.*
%USERPROFILE%\Application Data\*.
%USERPROFILE%\Local Settings\*.*
%USERPROFILE%\Local Settings\temp\*.exe
%USERPROFILE%\Local Settings\Temporary Internet Files\*.exe
%USERPROFILE%\Local Settings\Application Data\*.*
%AllUsersProfile%\*.*
%AllUsersProfile%\Application Data\*.*
%AllUsersProfile%\Application Data\*.
%AllUsersProfile%\Application Data\Local Settings\*.*
%AllUsersProfile%\Application Data\Local Settings\Temp\*.exe
%ALLUSERSPROFILE%\Documents\My Music\*.exe
%ALLUSERSPROFILE%\Documents\My Pictures\*.exe
%ALLUSERSPROFILE%\Documents\My Videos\*.exe
%ALLUSERSPROFILE%\Documents\*.exe
%USERPROFILE%\My Documents\*.*
%CommonProgramFiles%\*.*
%CommonProgramFiles%\ComObjects*.*
%PROGRAMFILES%\*.*
%PROGRAMFILES%\*.
%systemroot%\system32\config\systemprofile\*.*
%systemroot%\system32\config\systemprofile\Application Data\*.*
%systemroot%\system32\config\systemprofile\\Local Settings\*.*
%systemroot%\system32\config\systemprofile\\Local Settings\Application Data\*.*
%systemroot%\system32\config\systemprofile\\Local Settings\Temp\*.exe
%systemroot%\system32\config\systemprofile\\Local Settings\Temporary Internet Files\*.exe
C:\Documents and Settings\LocalService\Application Data\*.*
C:\Documents and Settings\LocalService\Local Settings\Application Data\*.*
C:\Documents and Settings\LocalService\Local Settings\temp\*.exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\*.exe
C:\Documents and Settings\LocalService\Local Settings\*.*
C:\Documents and Settings\LocalService\*.*
C:\Documents and Settings\NetworkService\Application Data\*.*
C:\Documents and Settings\NetworkService\Local Settings\Application Data\*.*
C:\Documents and Settings\NetworkService\Local Settings\temp\*.exe
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\*.exe
C:\Documents and Settings\NetworkService\Local Settings\*.*
C:\Documents and Settings\NetworkService\*.*
%windir%\temp\*.exe
%windir%\*.
%windir%\installer\*.
%windir%\system32\*.
%Temp%\smtmp\1\*.*
%Temp%\smtmp\2\*.*
%Temp%\smtmp\3\*.*
%Temp%\smtmp\4\*.*
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /90
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\*. /rp /s
%systemroot%\assembly\tmp\*.* /S /MD5
%systemroot%\assembly\temp\*.* /S /MD5
%systemroot%\assembly\GAC\*.ini
%systemroot%\assembly\GAC_32\*.ini
%SystemRoot%\assembly\GAC_MSIL\*.ini
wsSystemRoot|l,n,u,@;True;False;True;$,{ /fn
%systemdrive%\$Recycle.Bin|@;true;true;true /fp
HKEY_CLASSES_ROOT\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} /s
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
HKEY_CLASSES_ROOT\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
HKEY_CLASSES_ROOT\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
HKEY_CURRENT_USER\Software\Classes\clsid\{12d0253a-7c96-815c-11e0-3034bbd97cc0}] /s
HKEY_CURRENT_USER\Software\MSOLoad /s
>C:\commands.txt echo list vol /raw /hide /c
/wait
>C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
/wait
type c:\diskreport.txt /c
/wait
erase c:\commands.txt /hide /c
/wait
erase c:\diskreport.txt /hide /c
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
consrv.dll
services.exe
svchost.exe
explorer.exe
userinit.exe
winlogon.exe
smss.exe
lsass.exe
atapi.sys
iaStor.sys
serial.sys
disk.sys
volsnap.sys
redbook.sys
i8042prt.sys
afd.sys
netbt.sys
tcpip.sys
ipsec.sys
hlp.dat
str.sys
crexv.ocx
/md5stop

Push the button.
One report will open, copy and paste it in a reply here:
OTL.txt <-- Will be opened


  • "ArsenalGunner954" started this thread


7

Saturday, October 13th 2012, 11:51pm

I copied and pasted the report into pastebin. Please notify me what to do next. Thank you.

  • "ArsenalGunner954" started this thread


8

Sunday, October 14th 2012, 2:18am

I copied the report into pastebin, Here is the link: http://pastebin.com/6SPfvhth
Thank you.

Farger

Moderator


9

Sunday, October 14th 2012, 1:06pm

Hi,

It is not recommended to use more than one antivirus solution: along with Avira, you are running Norton Internet Security...

1. Please re-run RogueKiller.
Wait until Prescan has finished.
Click on Scan.

Click on the Files tab
Place a checkmark beside each of these items:

[ZeroAccess][FILE] Desktop.ini : C:\windows\Assembly\GAC_32\Desktop.ini --> FOUND
[ZeroAccess][FILE] Desktop.ini : C:\windows\Assembly\GAC_64\Desktop.ini --> FOUND
[ZeroAccess][FILE] n : C:\$recycle.bin\S-1-5-18\$de79eed27fa29d89f8cc6f4aeb5d9c75\n --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$de79eed27fa29d89f8cc6f4aeb5d9c75\U --> FOUND


Now press the Delete button.
If asked to restart the computer, please do so immediately.
When it is finished, there will be a log on your desktop called: RKreport[5].txt
Post the log in your next reply.

2. Open OTL
Copy and paste the following quoted text under . Do not include the word "Quoted";

Quoted


:OTL
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-4007427963-1751281713-1661640320-1000\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4:64bit: - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [AirCardEnabler] File not found
O4 - HKU\S-1-5-21-4007427963-1751281713-1661640320-1000..\Run: [btprux] "C:\Windows\System32\rundll32.exe" ,FillContiguousStrides File not found
O4 - HKU\S-1-5-21-4007427963-1751281713-1661640320-1000..\Run: [spnet] rundll32.exe ",PVDecodeObject File not found
[2012/09/08 01:41:08 | 000,000,824 | ---- | C] () -- C:\Users\Daniel Reyes\AppData\Roaming\lyjsb
[2012/09/07 21:16:59 | 000,000,000 | ---- | C] () -- C:\Users\Daniel Reyes\AppData\Local\¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ
[2012/09/07 20:47:21 | 000,090,176 | ---- | C] () -- C:\Users\Daniel Reyes\AppData\Roaming\lj1y6nb.dat
[2012/09/07 20:47:13 | 000,086,080 | ---- | C] () -- C:\Users\Daniel Reyes\AppData\Roaming\aftr4sb.dat
[2012/09/07 20:47:06 | 000,060,992 | ---- | C] () -- C:\Users\Daniel Reyes\AppData\Roaming\slr8k5s.dat
[2009/07/14 00:55:00 | 000,000,227 | RHS- | M] () -- C:\windows\assembly\Desktop.ini

:Commands
[purity]
[emptytemp]
[Reboot]
Make sure other windows are closed, so the scan can be performed without a break;
Click on at the top;
Click OK button;
A reboot may be required. You will see the OTL fix log. If not, a copy of the OTL fix log is saved in C:\_OTL\Moved Files.
Copy/paste the content of the log back here in your next post.

This post has been edited 1 times, last edit by "Farger" (Oct 14th 2012, 3:22pm)


  • "ArsenalGunner954" started this thread


10

Sunday, October 14th 2012, 6:30pm

1. Below is the report from the re-run of RogueKiller:


RogueKiller V8.1.1 [10/03/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User : Daniel Reyes [Admin rights]
Mode : Remove -- Date : 10/14/2012 12:19:41

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts



¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9500420AS ATA Device +++++
--- User ---
[MBR] 365373a1fe685e5a8784ea739211c83c
[BSP] 3272325559109da2b518fdde8e3da377 : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 464268 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 953894912 | Size: 11171 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[8].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt ; RKreport[5].txt ;
RKreport[6].txt ; RKreport[7].txt ; RKreport[8].txt


2. Below are the results from OTL scan:


All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_USERS\S-1-5-21-4007427963-1751281713-1661640320-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\AirCardEnabler deleted successfully.
Registry value HKEY_USERS\S-1-5-21-4007427963-1751281713-1661640320-1000\Software\Microsoft\Windows\CurrentVersion\Run\\btprux deleted successfully.
Registry value HKEY_USERS\S-1-5-21-4007427963-1751281713-1661640320-1000\Software\Microsoft\Windows\CurrentVersion\Run\\spnet deleted successfully.
C:\Users\Daniel Reyes\AppData\Roaming\lyjsb moved successfully.
C:\Users\Daniel Reyes\AppData\Local\¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ moved successfully.
C:\Users\Daniel Reyes\AppData\Roaming\lj1y6nb.dat moved successfully.
C:\Users\Daniel Reyes\AppData\Roaming\aftr4sb.dat moved successfully.
C:\Users\Daniel Reyes\AppData\Roaming\slr8k5s.dat moved successfully.
C:\windows\assembly\Desktop.ini moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

User: All Users

User: Daniel Reyes
->Temp folder emptied: 611338379 bytes
->Temporary Internet Files folder emptied: 253075052 bytes
->Java cache emptied: 105399013 bytes
->Google Chrome cache emptied: 458536064 bytes
->Flash cache emptied: 1644 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 444826792 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50333 bytes
RecycleBin emptied: 4469 bytes

Total Files Cleaned = 1,786.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 10142012_122134

Files\Folders moved on Reboot...
C:\Users\Daniel Reyes\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...


Thanks again!

Farger

Moderator


11

Sunday, October 14th 2012, 8:51pm

Hi,

Did you have the option to delete files/folders in RogueKiller which I have pointed out?


  • "ArsenalGunner954" started this thread


12

Sunday, October 14th 2012, 9:57pm

Under FILES, I located the files/folders that you pointed out to delete, however, there was no option to check/uncheck for deletion. I highlighted the 4 files/folders and selected delete. I just ran RogueKiller again, and now there is nothing under FILES.

Farger

Moderator


13

Monday, October 15th 2012, 5:14pm

Hi,

Let's recheck:

1. Download TDSSKiller and save it to your desktop.
  • Right-click on tdsskiller.exe and select "Run as Administrator" to run the application, then click on Change parameters;
  • Check the box next to Verify Driver Digital Signature and Detect TDLFS file system;
  • Click OK;
  • Click Start Scan button;
  • Do NOT use the computer while the scan is performed;
  • When the scan is over, the utility outputs a list of detected objects with description;

    - The utility automatically selects an action (Cure or Delete) for malicious objects;
    Note [1]: Ensure Cure is selected, then click Continue, rebooting to finish the cleaning process.
    Note [2]: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed by me;
    Note [3]: If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose Skip and click on Continue;

    - The utility prompts the user to select an action to apply to suspicious objects (Skip, by default);

  • If no reboot is required, click on Report. A log file should appear.
  • By default, the utility outputs the log into system disk root folder (it is usually the disk with installed operating system, C:\);
  • The logs have names like: UtilityName.Version_Date_Time_log.txt | E.g. C:\TDSSKiller.2.4.17.0_10.02.2011_11.20.55_log.txt;
  • Please submit the log to Pastebin.com and post the URL in your next reply


2. Please download the newest version of Malwarebytes' Anti-Malware and install it.
Please start the application by double-clicking on its icon.
Once the program has loaded go to the UPDATE tab and check for updates.
When the update is complete, select the Scanner tab
Select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad.
Please save it to a convenient location and post the results in your next reply.

3. Scan your PC with the help of ESET Online Scanner (http://www.eset.com/home/products/online-scanner/)
Note: Disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.

- Once you have downloaded the file, double click on the icon on your desktop.
- Accept the "Terms of Use".
- Click "Start" button.
- Accept any security warnings from your browser.
- Check
- Make sure that the option "Remove found threats" is Unchecked.
-When the Computer scan settings display shows, click the Advanced option, place a check next to the following (if it is not already checked):
  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology

- Push the Start button.
- ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
- When the scan completes, push
- Push and save the file to your desktop using a unique name, such as
ESETScan. Include the contents of this report in your next reply.
- Push the button.
- Push
Post back the scan report.

4. Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure that all options are checked.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


5. Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


  • "ArsenalGunner954" started this thread


14

Tuesday, October 16th 2012, 3:16am

1.
I ran TDSSKiller and no malicious files were detected. This is the URL for the report submitted to Pastebin: http://pastebin.com/07uJJHZF

2.
After Malwarebytes Anti-Malware performed the scan, I deleted the selected files. A notice from Avira came up saying that an attempt to manipulate the registry was blocked; however, I believe the deletion went through. Below is the report:

Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.10.15.11

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
Daniel Reyes :: DANIELREYES-PC [administrator]

10/15/2012 6:00:01 PM
mbam-log-2012-10-15 (18-00-01).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 200058
Time elapsed: 3 minute(s), 3 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 4
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F1466FD9-7297-48D5-AEA4-F651EF101F1D} (PUP.BFlix) -> Quarantined and deleted successfully.
HKCR\CLSID\{F1466FD9-7297-48D5-AEA4-F651EF101F1D} (PUP.BFlix) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{F1466FD9-7297-48D5-AEA4-F651EF101F1D} (PUP.BFlix) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{F1466FD9-7297-48D5-AEA4-F651EF101F1D} (PUP.BFlix) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\ProgramData\TheBflix (PUP.BFlix) -> Quarantined and deleted successfully.

Files Detected: 4
C:\ProgramData\TheBflix\background.html (PUP.BFlix) -> Quarantined and deleted successfully.
C:\ProgramData\TheBflix\content.js (PUP.BFlix) -> Quarantined and deleted successfully.
C:\ProgramData\TheBflix\hjakmojkcnhgipgkkbiempkfdndcnlah.crx (PUP.BFlix) -> Quarantined and deleted successfully.
C:\ProgramData\TheBflix\settings.ini (PUP.BFlix) -> Quarantined and deleted successfully.

(end)

3. ESETScan report (1):
C:\ProgramData\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
C:\Users\All Users\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
C:\Users\Daniel Reyes\AppData\Local\{E218D8A1-F952-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul JS/Redirector.NIQ trojan
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5\cat-and-dolphin-playing-together[1].txt HTML/ScrInject.B.Gen virus
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA\all-videos[1].txt HTML/ScrInject.B.Gen virus
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5\cat-and-dolphin-playing-together[1].txt HTML/ScrInject.B.Gen virus
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA\all-videos[1].txt HTML/ScrInject.B.Gen virus

4. Farbar Scanner report:
Farbar Service Scanner Version: 07-10-2012
Ran by Daniel Reyes (administrator) on 15-10-2012 at 21:04:54
Running from "C:\Users\Daniel Reyes\Downloads"
Microsoft Windows 7 Home Premium (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.

BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.


Other Services:
==============
Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
Checking ServiceDll of SharedAccess: ATTENTION!=====> Unable to open SharedAccess registry key. The service key does not exist.


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys
[2012-02-14 19:25] - [2011-12-27 23:59] - 0499200 ____A (Microsoft Corporation) DB9D6C6B2CD95A9CA414D045B627422E

C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2012-05-11 02:13] - [2012-03-30 07:09] - 1895280 ____A (Microsoft Corporation) 624C5B3AA4C99B3184BB922D9ECE3FF0

C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll
[2009-07-13 20:09] - [2009-07-13 21:41] - 0824832 ____A (Microsoft Corporation) AECAB449567D1846DAD63ECE49E893E3

C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll
[2009-07-13 19:36] - [2009-07-13 21:41] - 0170496 ____A (Microsoft Corporation) 765A27C3279CE11D14CB9E4F5869FCA5

C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll
[2012-06-13 18:38] - [2012-04-24 01:59] - 0182272 ____A (Microsoft Corporation) F02786B66375292E58C8777082D4396D

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

5. Security Check, checkup.txt:
Results of screen317's Security Check version 0.99.51
Windows 7 x64 (UAC is enabled)
Out of date service pack!!
Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Norton Internet Security
WMI entry may not exist for antivirus; attempting automatic update.
Avira successfully updated!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.65.0.1400
JavaFX 2.1.1
Java(TM) 6 Update 31
Java 7 Update 7
Adobe Flash Player 11.4.402.287
Adobe Reader X 10.0.1 Adobe Reader out of Date!
Google Chrome 21.0.1180.83
Google Chrome 21.0.1180.89
Google Chrome 22.0.1229.79
Google Chrome 22.0.1229.92
Google Chrome 22.0.1229.94
````````Process Check: objlist.exe by Laurent````````
Norton ccSvcHst.exe
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
ESET ESET Online Scanner OnlineScannerApp.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````



Thank you!! You have been such a great help!

This post has been edited 1 times, last edit by "ArsenalGunner954" (Oct 16th 2012, 3:35am)


  • "ArsenalGunner954" started this thread


15

Tuesday, October 16th 2012, 7:10pm

I also uninstalled Norton Antivirus, but for some reason it shows up in the report. Thanks again.

Farger

Moderator


16

Tuesday, October 16th 2012, 10:29pm

Hi,

We must fix all broken services...

1. Backup Your Registry with the help of ERUNT

  • Download ERUNT from here
  • Unzip all the files into a folder of your choice.
  • Open Erunt.exe. Follow the prompts leaving the values at default.


2. Now please download BFERestore.exe and save it to your desktop.

Double click on the downloaded file. It should only take a few seconds to run.

When complete, it will say "Done! Please check if BFE service is running now"

A reboot may be necessary.

Now download the following files and save them to your desktop:

MpsSvc.reg

bfe.reg

wscsvc.reg

wuauserv.reg

BITS.reg

WinDefend.reg

SharedAccess.reg

Launch them, click YES when you get the UAC prompt. An information box will pop up asking if you want to merge the information in the file into the registry; click YES.

Now reboot the computer.

Post new log from Farbar Service Scanner (FSS)
Scotty is currently on patrol


  • "ArsenalGunner954" started this thread


17

Tuesday, October 16th 2012, 11:30pm

I followed the instructions, but an information box DID NOT show up asking if I want to merge the information in the file into the registry. I am now going to run the FSS and post the report.

  • "ArsenalGunner954" started this thread


18

Tuesday, October 16th 2012, 11:38pm

Below is the FSS report:


Farbar Service Scanner Version: 07-10-2012
Ran by Daniel Reyes (administrator) on 16-10-2012 at 17:35:09
Running from "C:\Users\Daniel Reyes\Downloads"
Microsoft Windows 7 Home Premium (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys
[2012-02-14 19:25] - [2011-12-27 23:59] - 0499200 ____A (Microsoft Corporation) DB9D6C6B2CD95A9CA414D045B627422E

C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2012-05-11 02:13] - [2012-03-30 07:09] - 1895280 ____A (Microsoft Corporation) 624C5B3AA4C99B3184BB922D9ECE3FF0

C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll
[2009-07-13 20:09] - [2009-07-13 21:41] - 0824832 ____A (Microsoft Corporation) AECAB449567D1846DAD63ECE49E893E3

C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll
[2009-07-13 19:36] - [2009-07-13 21:41] - 0170496 ____A (Microsoft Corporation) 765A27C3279CE11D14CB9E4F5869FCA5

C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll
[2012-06-13 18:38] - [2012-04-24 01:59] - 0182272 ____A (Microsoft Corporation) F02786B66375292E58C8777082D4396D

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

Farger

Moderator


19

Wednesday, October 17th 2012, 5:38pm

Hi,

  • Press the Windows key + R on your keyboard at the same time.
  • Type regedit and press Enter.
  • Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MpsSvc
  • Right-click MpsSvc and select Permissions.
  • Click Advanced.
  • Under the Owner tab select the entry starting with your user name, example: Dan (Dan-PC\Dan)
  • Put a check mark next to Replace owner on subcontainers and objects and click Apply and OK.
  • Under Security click Add, enter "Everyone", click Check names and click OK.
  • Now click on Everyone in the list at the top, and check the "Allow Full Control" checkbox below.
  • Click Apply and OK.
  • Type cmd into the start box and when cmd.exe populates in the window above, right-click it and choose "Run as an Administrator".
  • Type: net start MpsSvc and hit Enter.
  • Reboot the computer.
  • Post new log from FSS in your next reply.
Scotty is currently on patrol
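As an added example (this is not code from the thread, from Farbar, or from Avira), the following PowerShell script audits the same service registry keys that Farbar Service Scanner reports on in the logs above: whether the key exists, its Start type, ImagePath and ServiceDll values, whether the ServiceDll file is actually on disk, the current service state, and whether the key grants Everyone full control (the permission change in the steps above). It assumes PowerShell 3.0 or later and an elevated prompt; the expected ServiceDll file names are taken from the File Check section of the FSS logs in this thread and are an assumption for other Windows versions.

```powershell
# Added example, not part of the thread: audit the service keys FSS checks.
# Assumes PowerShell 3.0+ and an elevated (administrator) prompt.

# Service name -> file name its ServiceDll value is expected to point at
# (taken from the FSS "File Check" lines above; assumed for other Windows versions).
$ExpectedServiceDll = @{
    'MpsSvc'       = 'mpssvc.dll'
    'bfe'          = 'bfe.dll'
    'wscsvc'       = 'wscsvc.dll'
    'wuauserv'     = 'wuaueng.dll'
    'BITS'         = 'qmgr.dll'
    'WinDefend'    = 'MpSvc.dll'
    'SharedAccess' = 'ipnathlp.dll'
}

# Registry Start values as services.msc names them.
$StartTypeNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Test-ServiceKey {
    param(
        [Parameter(Mandatory = $true)] [string] $Name,
        [Parameter(Mandatory = $true)] [string] $ExpectedDll
    )
    $keyPath  = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $findings = New-Object System.Collections.Generic.List[string]
    $result   = [ordered]@{
        Service = $Name; KeyExists = $false; Start = $null
        ImagePath = $null; ServiceDll = $null; DllOnDisk = $null; State = $null
    }

    # Current state from the service control manager; a service whose key is gone is unknown to it.
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    $result.State = if ($svc) { [string]$svc.Status } else { 'not installed' }

    if (-not (Test-Path -LiteralPath $keyPath)) {
        $findings.Add('service key does not exist')
    } else {
        $result.KeyExists = $true
        $props = Get-ItemProperty -LiteralPath $keyPath -ErrorAction SilentlyContinue

        # Start type: REG_DWORD directly under the service key.
        if ($null -eq $props.Start) { $findings.Add('Start value missing') }
        else {
            $result.Start = $StartTypeNames[[int]$props.Start]
            if (-not $result.Start) { $result.Start = "unknown ($($props.Start))" }
            if ([int]$props.Start -eq 4) { $findings.Add('service is disabled') }
        }

        # ImagePath: the host process (svchost.exe for every service in the table).
        if ([string]::IsNullOrEmpty($props.ImagePath)) { $findings.Add('ImagePath value missing') }
        else { $result.ImagePath = $props.ImagePath }

        # ServiceDll lives under the Parameters subkey and is REG_EXPAND_SZ.
        $params = Get-ItemProperty -LiteralPath "$keyPath\Parameters" -ErrorAction SilentlyContinue
        if ([string]::IsNullOrEmpty($params.ServiceDll)) { $findings.Add('ServiceDll value missing') }
        else {
            $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
            $result.ServiceDll = $dll
            $result.DllOnDisk  = Test-Path -LiteralPath $dll
            if (-not $result.DllOnDisk) { $findings.Add('ServiceDll file not found on disk') }
            if ([IO.Path]::GetFileName($dll) -ne $ExpectedDll) {
                $findings.Add("ServiceDll points at '$([IO.Path]::GetFileName($dll))', expected '$ExpectedDll'")
            }
        }

        # Permissions: Everyone with Allow:FullControl on a service key lets any local user
        # rewrite ImagePath/ServiceDll, so report it as a finding to revert after the repair.
        $acl  = Get-Acl -Path $keyPath -ErrorAction SilentlyContinue
        $full = [System.Security.AccessControl.RegistryRights]::FullControl
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $ace.IdentityReference.Value -eq 'Everyone' -and
                (($ace.RegistryRights -band $full) -eq $full)) {
                $findings.Add('Everyone has Allow:FullControl on the service key')
            }
        }
    }

    $result.Findings = ($findings -join '; ')
    [pscustomobject]$result
}

# Audit every service in the table; a non-empty Findings column needs attention.
$report = foreach ($entry in $ExpectedServiceDll.GetEnumerator()) {
    Test-ServiceKey -Name $entry.Key -ExpectedDll $entry.Value
}
$report | Format-Table Service, KeyExists, Start, State, DllOnDisk, Findings -AutoSize -Wrap
```

Run it before and after the repair steps: the first FSS log in this thread corresponds to "service key does not exist" for MpsSvc, bfe, wscsvc, wuauserv, BITS, WinDefend and SharedAccess, and the later logs to keys present with a Stopped state. Once MpsSvc starts again, the "Everyone has Allow:FullControl" finding is the reminder to put the key's default permissions back.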


  • "ArsenalGunner954" started this thread


20

Wednesday, October 17th 2012, 8:45pm

Below is the FSS report:

Farbar Service Scanner Version: 07-10-2012
Ran by Daniel Reyes (administrator) on 17-10-2012 at 14:43:53
Running from "C:\Users\Daniel Reyes\Downloads"
Microsoft Windows 7 Home Premium (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys
[2012-02-14 19:25] - [2011-12-27 23:59] - 0499200 ____A (Microsoft Corporation) DB9D6C6B2CD95A9CA414D045B627422E

C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2012-05-11 02:13] - [2012-03-30 07:09] - 1895280 ____A (Microsoft Corporation) 624C5B3AA4C99B3184BB922D9ECE3FF0

C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll
[2009-07-13 20:09] - [2009-07-13 21:41] - 0824832 ____A (Microsoft Corporation) AECAB449567D1846DAD63ECE49E893E3

C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll
[2009-07-13 19:36] - [2009-07-13 21:41] - 0170496 ____A (Microsoft Corporation) 765A27C3279CE11D14CB9E4F5869FCA5

C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll
[2012-10-16 17:41] - [2012-06-02 01:25] - 0182272 ____A (Microsoft Corporation) BAF19B633933A9FB4883D27D66C39E9A

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

Thank you.