Jump to content

Can't boot normally after virus removal...safe mode only

dpinning

By dpinning
in Resolved Malware Removal Logs

 Share

Recommended Posts

dpinning

dpinning

Posted
  • Author
Posted

Thank you for all of that information for what you are using Kevin. Thank you especially for including the links so that I can easily read up on them.

 

 

What do you think about this "geeks" take on MSE. Seems like he feels it might be more appropriate for those like yourself who are "in the know" vs more "average" users like myself.

 

I will have follow up question on maintenance routines (Are there some things you do daily or weekly or monthly, besides updating programs, even if your are showing no problems. Like running disk cleanup for example?... not sure if this thread would be the appropriate place to continue down that path.

 

A question I forgot to ask early on. It seems like uninstalling Avast was the inital move that enabled me to boot normally. Why was that?

 

Also looking forward to you interpreting Security Check log above. Seems like I have installed/am running two verison of explorer? Any downside to ditching explorer for Firefox say? Is there a way to copy all of my favorites over to it? Does Firefox have site limitations? (Some sites that it's not as friendly with as Explorer is?)

 

Malwarebyes Pro...and question in general. If my computer dies and I get a new one, does my subscription get lost with the old one? I noticed they will send a rescue cd for an extra fee. Is that needed in your mind? 

 

Which leads me to another question, (which will start to get off orginal topic) if I download sofware and have a crash, I know I can reimage if I have made a successful image. If I hadn't, should I be able to make a backup program cd from the program itself? Finally, to show my naivete, what does one do with 3 or 4 year old programs and data that are on a computer when the upgrade hardware?  How does it become transferable/readable?  Have to buy newer versions of the software for the newer operating system, which hopefully will backwardly open the old data that has been saved? Note sure that programs I bought for Vista (turbotax) would work on 7 for example.

 

Okay

Link to post
Share on other sites
  • Replies 131
  • Created
  • Last Reply

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

kevinf80

kevinf80

Posted
Posted

That is a possibility..... Run the following:

 

Download Farbar Service Scanner from here: http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/ and run it on the computer with the issue.

Make sure the following options are checked:

 


Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender

 


Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

 

Kevin...

Link to post
Share on other sites
dpinning

dpinning

Posted
  • Author
Posted

Good Morning.  Here is the FSS log.

 

Farbar Service Scanner Version: 13-09-2013
Ran by David (administrator) on 13-10-2013 at 09:50:33
Running from "C:\Users\David\Desktop"
Windows Vista Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is set to Disabled. The default start type is Auto.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking LEGACY_MpsSvc: ATTENTION!=====> Unable to open LEGACY_MpsSvc\0000 registry key. The key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking LEGACY_bfe: ATTENTION!=====> Unable to open LEGACY_bfe\0000 registry key. The key does not exist.

Firewall Disabled Policy:
==================
"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" registry key does not exist.

System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is set to Disabled. The default start type is 3.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

System Restore Disabled Policy:
========================

Security Center:
============

wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking LEGACY_wscsvc: ATTENTION!=====> Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.

winmgmt Service is not running. Checking service configuration:
The start type of winmgmt service is OK.
The ImagePath of winmgmt: "%systemroot%\system32\svchost.exe -k netsvcs".
The ServiceDll of winmgmt: "C:\PROGRA~2\ktutkemrgwgxybopmbg.bfg".

Security Center Notification Icon =====> Unable to open HKLM\...\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC} key. The key does not exist.

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Demand. The default start type is Auto.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.

Other Services:
==============
Checking Start type of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ImagePath of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ServiceDll of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.

Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
Checking ServiceDll of SharedAccess: ATTENTION!=====> Unable to retrieve ServiceDll of SharedAccess. The value does not exist.
Checking FirewallRules of SharedAccess: ATTENTION!=====> Unable to open "SharedAccess\Defaults\FirewallPolicy\FirewallRules" registry key. The key does not exist.
Checking FirewallRules of SharedAccess: ATTENTION!=====> Unable to open "SharedAccess\Parameters\FirewallPolicy\FirewallRules" registry key. The key does not exist.

 

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****

Link to post
Share on other sites
kevinf80

kevinf80

Posted
Posted

Download Services Repair tool, available here - http://kb.eset.com/library/ESET/KB%20Team%20Only/Malware/ServicesRepair.exe and Save it to your Desktop. Right click on it and select Run As Administrator, follow the prompts. It should reboot when it finishes. If not reboot it yourself.

 

Next,

 

Rerun FSS and post a fresh log....

Link to post
Share on other sites
dpinning

dpinning

Posted
  • Author
Posted

Thanks Kevin. Here you go.

 

Farbar Service Scanner Version: 13-09-2013
Ran by David (administrator) on 13-10-2013 at 15:00:42
Running from "C:\Users\David\Desktop"
Windows Vista Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is set to Disabled. The default start type is Auto.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is set to Disabled. The default start type is 3.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

System Restore Disabled Policy:
========================

Security Center:
============

wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
Checking LEGACY_wscsvc: ATTENTION!=====> Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.

winmgmt Service is not running. Checking service configuration:
The start type of winmgmt service is OK.
The ImagePath of winmgmt: "%systemroot%\system32\svchost.exe -k netsvcs".
The ServiceDll of winmgmt: "C:\PROGRA~2\ktutkemrgwgxybopmbg.bfg".

Security Center Notification Icon =====> Unable to open HKLM\...\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC} key. The key does not exist.

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============

Other Services:
==============

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****

Link to post
Share on other sites
kevinf80

kevinf80

Posted
Posted

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from the following link :-

 

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

 

  • Ensure that Combofix is saved directly to the Desktop <--- Very important
     
  • Disable all security programs as they will have a negative effect on Combofix, instructions available here  http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed, if you need more help please ask.
     
  • Close any open browsers and any other programs you might have running
     
  • Double click the combofix.gif icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator)
     
  • Instructions for running Combofix available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.
     
  • If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
     
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

 

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

 

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read here  http://thespykiller.co.uk/index.php?page=20 why  disabling autoruns is recommended.

 

*EXTRA NOTES*


    If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
    If Combofix reboot's due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
    If after running Combofix you receive any type of warning message about registry key's being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

 

Post the log in next reply please...

 

Kevin

Link to post
Share on other sites
dpinning

dpinning

Posted
  • Author
Posted

Brilliant Kevin. I quickly checked and the firewall was back an on!

 

ComboFix is running. It has been on the "Scanning for infected files...This typically doesn't take more than 10 minutes. However, scan times for badly infected machines may easily double" blue window with blinking cursor for half and hour though.  No "clock change" statement or "completed stage" statements after that as the guide told me to expect. Do you think it is still working? How long have you seen this take?

 

BTW...what time do you plan on stopping checking the forum/hitting the hay tonight?

 

Best,

David

Link to post
Share on other sites
dpinning

dpinning

Posted
  • Author
Posted

Okay. Thanks for letting me know. The reason I was asking is because I have a tax document I have to prepare and efile by tuesday. The computer I am writing on now runs XP Pro and doesn't have the data or Turbo Tax program for 2012, which is residing on the Vista computer. No install disk as I downloaded to the computer from Amazon.

 

It seems like we are getting really close as the Vista has been running blazingly fast compared to prior to the BSOD and our work. However, it seems like there may be work to be done. If we still have work to be done when you crash, can I get up early and catch you to continue...as in, what does you Monday look like if need be? 

 

BTW, the image I recovered to the new hard drive we are working with on the Vista machine, I am assuming I should delete from the usb portable drive as it has all the crap we have been working through. Is there a special way I should delete that image and suspect backups on the portable drive?

 

Thanks again for all your help Kevin. 

Link to post
Share on other sites
kevinf80

kevinf80

Posted
Posted

I`m not 100% sure there is still malware on your system, there are definite issues with service files that maybe easy to fix. I would have liked to see a clean CF log before I went any further...

 

Regarding the image/backups you mention, your choice I guess. If you are done with those probably best to Format that drive, maybe worth leaving that action until we are done for sure..

 

http://www.ehow.com/how_4810727_reformat-external-hard-drive.html

 

I`ll probably be back online about 8am after I pack in at 1am....

Link to post
Share on other sites
kevinf80

kevinf80

Posted
Posted

Can you re-boot your system and run the following:

 

Please download Portable Windows Repair (all in one) from one of the following:

http://www.tweaking.com/content/page/windows_repair_all_in_one.html
http://www.majorgeeks.com/Tweaking.com_-_Windows_Repair_Portable_d7222.html
http://www.bleepingcomputer.com/download/windows-repair-all-in-one-portable/

Unzip the contents into a newly created folder on your desktop.

Open the folder, run the tool by right click on Repair_Windows (icon with red briefcase) select "Run as Administrator"


Tweak1_zps10f67b3e.jpg


From the main GUI do the following:


Select Tab 4 and Create System Restore Point


Tweak4_zps98ef6707.jpg


Select Repairs tab => Click the Start


Tweak5_zps71b85f1c.jpg


The repairs window will open, Check the boxes as indicated, also the "Restart" options, the select Start...


Tweak6_zpsd6411a53.jpg


DON'T use the computer while each scan is in progress.

Post the log, to access select "settings" tab > "open log folder" tab


When finished run FSS one more time and post a fresh log

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.