
Cleaning infections from friend's computer



Farbar Service Scanner Version: 27-01-2016
Ran by m (administrator) on 17-09-2017 at 22:58:41
Running from "C:\Users\m\Desktop"
Windows 7 Ultimate Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Policy:
========================


Action Center:
============

wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.

winmgmt Service is not running. Checking service configuration:
The start type of winmgmt service is OK.
The ImagePath of winmgmt: "%systemroot%\system32\svchost.exe -k netsvcs".
The ServiceDll of winmgmt service is OK.


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => File is digitally signed
C:\Windows\system32\Drivers\nsiproxy.sys => File is digitally signed
C:\Windows\system32\dhcpcore.dll => File is digitally signed
C:\Windows\system32\Drivers\afd.sys => File is digitally signed
C:\Windows\system32\Drivers\tdx.sys => File is digitally signed
C:\Windows\system32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\system32\dnsrslvr.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\mpssvc.dll => File is digitally signed
C:\Windows\system32\bfe.dll => File is digitally signed
C:\Windows\system32\Drivers\mpsdrv.sys => File is digitally signed
C:\Windows\system32\SDRSVC.dll => File is digitally signed
C:\Windows\system32\vssvc.exe => File is digitally signed
C:\Windows\system32\wscsvc.dll => File is digitally signed
C:\Windows\system32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\system32\wuaueng.dll => File is digitally signed
C:\Windows\system32\qmgr.dll => File is digitally signed
C:\Windows\system32\es.dll => File is digitally signed
C:\Windows\system32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\system32\ipnathlp.dll => File is digitally signed
C:\Windows\system32\iphlpsvc.dll => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed


**** End of log ****


Fix result of Farbar Recovery Scan Tool (x86) Version: 17-09-2017
Ran by m (17-09-2017 23:08:38) Run:5
Running from C:\Users\m\Desktop
Loaded Profiles: m (Available Profiles: m)
Boot Mode: Normal

==============================================

fixlist content:
*****************
REG: REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc" /s
REG: REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /s
REG: REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winmgmt" /s
*****************


========= REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc" /s =========


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
    DisplayName    REG_SZ    @%SystemRoot%\System32\wscsvc.dll,-200
    ErrorControl    REG_DWORD    0x1
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted
    Start    REG_DWORD    0x2
    Type    REG_DWORD    0x20
    Description    REG_SZ    @%SystemRoot%\System32\wscsvc.dll,-201
    DependOnService    REG_MULTI_SZ    RpcSs\0winmgmt
    ObjectName    REG_SZ    NT AUTHORITY\LocalService
    ServiceSidType    REG_DWORD    0x1
    RequiredPrivileges    REG_MULTI_SZ    SeChangeNotifyPrivilege\0SeImpersonatePrivilege
    DelayedAutoStart    REG_DWORD    0x1
    FailureActions    REG_BINARY    805101000000000000000000030000001400000001000000C0D4010001000000E09304000000000000000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Enum
    0    REG_SZ    Root\LEGACY_WSCSVC\0000
    Count    REG_DWORD    0x1
    NextInstance    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Parameters
    ServiceDllUnloadOnStop    REG_DWORD    0x1
    ServiceDll    REG_EXPAND_SZ    %SYSTEMROOT%\system32\wscsvc.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Security
    Security    REG_BINARY    01001480C8000000D4000000140000003000000002001C000100000002801400FF010F00010100000000000100000000020098000600000000001400FD01020001010000000000051200000000001800FF010F0001020000000000052000000020020000000014009D010200010100000000000504000000000014008D010200010100000000000506000000000014000001000001010000000000050B000000000028001500000001060000000000055000000049599D779156E555DCF4E20EA78BEBCA7B421356010100000000000512000000010100000000000512000000

 

========= End of Reg: =========


========= REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /s =========


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
    PreshutdownTimeout    REG_DWORD    0x36ee800
    DisplayName    REG_SZ    Windows Update
    ImagePath    REG_EXPAND_SZ    %systemroot%\system32\svchost.exe -k netsvcs
    Description    REG_SZ    Enables the detection, download, and installation of updates for Windows and other programs. If this service is disabled, users of this computer will not be able to use Windows Update or its automatic updating feature, and programs will not be able to use the Windows Update Agent (WUA) API.
    ObjectName    REG_SZ    LocalSystem
    ErrorControl    REG_DWORD    0x1
    Start    REG_DWORD    0x2
    DelayedAutoStart    REG_DWORD    0x1
    Type    REG_DWORD    0x20
    DependOnService    REG_MULTI_SZ    rpcss
    ServiceSidType    REG_DWORD    0x1
    RequiredPrivileges    REG_MULTI_SZ    SeAuditPrivilege\0SeCreateGlobalPrivilege\0SeCreatePageFilePrivilege\0SeTcbPrivilege\0SeAssignPrimaryTokenPrivilege\0SeImpersonatePrivilege\0SeIncreaseQuotaPrivilege
    FailureActions    REG_BINARY    80510100000000000000000003000000140000000100000060EA000000000000000000000000000000000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters
    ServiceDll    REG_EXPAND_SZ    %systemroot%\system32\wuaueng.dll
    ServiceMain    REG_SZ    WUServiceMain
    ServiceDllUnloadOnStop    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security
    Security    REG_BINARY    010014807800000084000000140000003000000002001C000100000002801400FF000F000101000000000001000000000200480003000000000014009D00020001010000000000050B00000000001800FF010F000102000000000005200000002002000000001400FF010F00010100000000000512000000010100000000000512000000010100000000000512000000

 

========= End of Reg: =========


========= REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winmgmt" /s =========


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winmgmt
    DisplayName    REG_SZ    Windows Management Instrumentation
    ImagePath    REG_EXPAND_SZ    %systemroot%\system32\svchost.exe -k netsvcs
    Description    REG_SZ    Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
    ObjectName    REG_SZ    localSystem
    ErrorControl    REG_DWORD    0x0
    Start    REG_DWORD    0x2
    Type    REG_DWORD    0x20
    DependOnService    REG_MULTI_SZ    RPCSS
    ServiceSidType    REG_DWORD    0x1
    FailureActions    REG_BINARY    80510100000000000000000002000000140000000100000060EA00000100000060EA0000
    Group    REG_SZ    

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters
    ServiceDllUnloadOnStop    REG_DWORD    0x0
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\wbem\WMIsvc.dll
    ServiceMain    REG_SZ    ServiceMain

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winmgmt\Security
    Security    REG_BINARY    01001480B4000000C4000000140000003000000002001C000100000002801400FF010F00010100000000000100000000020084000500000000002800FF010F00010600000000000550000000B589FB381984C2CB5C6C236D5700776EC002648700001800FF010F000102000000000005200000002002000000001400FF010F00010100000000000512000000000014008D010200010100000000000504000000000014008D01020001010000000000050600000001020000000000052000000020020000010100000000000512000000

 

========= End of Reg: =========


==== End of Fixlog 23:08:42 ====


Sorry for the delay. Ask your friend to download and run the 3 .reg files inside the Exports.zip file. Tell him to accept to merge the changes in the Registry for each one, and to confirm that he received a success message for each. Afterwards, ask him to run the last FRST fix once more, and to send me the fixlog.txt.

https://forums.malwarebytes.com/topic/210514-cleaning-infections-from-friends-computer/?do=findComment&comment=1164494

Exports.zip


The imports were successful!
Fix result of Farbar Recovery Scan Tool (x86) Version: 13-09-2017
Ran by m (21-09-2017 04:07:49) Run:6
Running from C:\Users\m\Desktop
Loaded Profiles: m (Available Profiles: m)
Boot Mode: Normal

==============================================

fixlist content:
*****************
REG: REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc" /s
REG: REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /s
REG: REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winmgmt" /s
*****************


========= REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc" /s =========


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
    DisplayName    REG_SZ    @%SystemRoot%\System32\wscsvc.dll,-200
    ErrorControl    REG_DWORD    0x1
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted
    Start    REG_DWORD    0x2
    Type    REG_DWORD    0x20
    Description    REG_SZ    @%SystemRoot%\System32\wscsvc.dll,-201
    DependOnService    REG_MULTI_SZ    RpcSs\0WinMgmt
    ObjectName    REG_SZ    NT AUTHORITY\LocalService
    ServiceSidType    REG_DWORD    0x1
    RequiredPrivileges    REG_MULTI_SZ    SeChangeNotifyPrivilege\0SeImpersonatePrivilege
    DelayedAutoStart    REG_DWORD    0x1
    FailureActions    REG_BINARY    805101000000000000000000030000001400000001000000C0D4010001000000E09304000000000000000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Enum
    0    REG_SZ    Root\LEGACY_WSCSVC\0000
    Count    REG_DWORD    0x1
    NextInstance    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Parameters
    ServiceDllUnloadOnStop    REG_DWORD    0x1
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\wscsvc.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Security
    Security    REG_BINARY    01001480C8000000D4000000140000003000000002001C000100000002801400FF010F00010100000000000100000000020098000600000000001400FD01020001010000000000051200000000001800FF010F0001020000000000052000000020020000000014009D010200010100000000000504000000000014008D010200010100000000000506000000000014000001000001010000000000050B000000000028001500000001060000000000055000000049599D779156E555DCF4E20EA78BEBCA7B421356010100000000000512000000010100000000000512000000

 

========= End of Reg: =========


========= REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /s =========


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
    PreshutdownTimeout    REG_DWORD    0x36ee800
    DisplayName    REG_SZ    @%systemroot%\system32\wuaueng.dll,-105
    ImagePath    REG_EXPAND_SZ    %systemroot%\system32\svchost.exe -k netsvcs
    Description    REG_SZ    @%systemroot%\system32\wuaueng.dll,-106
    ObjectName    REG_SZ    LocalSystem
    ErrorControl    REG_DWORD    0x1
    Start    REG_DWORD    0x2
    DelayedAutoStart    REG_DWORD    0x1
    Type    REG_DWORD    0x20
    DependOnService    REG_MULTI_SZ    rpcss
    ServiceSidType    REG_DWORD    0x1
    RequiredPrivileges    REG_MULTI_SZ    SeAuditPrivilege\0SeCreateGlobalPrivilege\0SeCreatePageFilePrivilege\0SeTcbPrivilege\0SeAssignPrimaryTokenPrivilege\0SeImpersonatePrivilege\0SeIncreaseQuotaPrivilege\0SeShutdownPrivilege
    FailureActions    REG_BINARY    80510100000000000000000003000000140000000100000060EA000000000000000000000000000000000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters
    ServiceDll    REG_EXPAND_SZ    %systemroot%\system32\wuaueng.dll
    ServiceMain    REG_SZ    WUServiceMain
    ServiceDllUnloadOnStop    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security
    Security    REG_BINARY    010014807800000084000000140000003000000002001C000100000002801400FF000F000101000000000001000000000200480003000000000014009D00020001010000000000050B00000000001800FF010F000102000000000005200000002002000000001400FF010F00010100000000000512000000010100000000000512000000010100000000000512000000

 

========= End of Reg: =========


========= REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winmgmt" /s =========


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winmgmt
    DisplayName    REG_SZ    @%Systemroot%\system32\wbem\wmisvc.dll,-205
    ImagePath    REG_EXPAND_SZ    %systemroot%\system32\svchost.exe -k netsvcs
    Description    REG_SZ    @%Systemroot%\system32\wbem\wmisvc.dll,-204
    ObjectName    REG_SZ    localSystem
    ErrorControl    REG_DWORD    0x0
    Start    REG_DWORD    0x2
    Type    REG_DWORD    0x20
    DependOnService    REG_MULTI_SZ    RPCSS
    ServiceSidType    REG_DWORD    0x1
    FailureActions    REG_BINARY    805101000000000000000000030000001400000001000000C0D4010001000000E09304000000000000000000
    Group    REG_SZ    

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters
    ServiceDllUnloadOnStop    REG_DWORD    0x1
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\wbem\WMIsvc.dll
    ServiceMain    REG_SZ    ServiceMain

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winmgmt\Security
    Security    REG_BINARY    01001480B4000000C4000000140000003000000002001C000100000002801400FF010F00010100000000000100000000020084000500000000002800FF010F00010600000000000550000000B589FB381984C2CB5C6C236D5700776EC002648700001800FF010F000102000000000005200000002002000000001400FF010F00010100000000000512000000000014008D010200010100000000000504000000000014008D01020001010000000000050600000001020000000000052000000020020000010100000000000512000000

 

========= End of Reg: =========


==== End of Fixlog 04:07:54 ====


Farbar Service Scanner Version: 27-01-2016
Ran by m (administrator) on 21-09-2017 at 04:22:05
Running from "C:\Users\m\Desktop"
Windows 7 Ultimate Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Policy:
========================


Action Center:
============

wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.

winmgmt Service is not running. Checking service configuration:
The start type of winmgmt service is OK.
The ImagePath of winmgmt: "%systemroot%\system32\svchost.exe -k netsvcs".
The ServiceDll of winmgmt service is OK.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => File is digitally signed
C:\Windows\system32\Drivers\nsiproxy.sys => File is digitally signed
C:\Windows\system32\dhcpcore.dll => File is digitally signed
C:\Windows\system32\Drivers\afd.sys => File is digitally signed
C:\Windows\system32\Drivers\tdx.sys => File is digitally signed
C:\Windows\system32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\system32\dnsrslvr.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\mpssvc.dll => File is digitally signed
C:\Windows\system32\bfe.dll => File is digitally signed
C:\Windows\system32\Drivers\mpsdrv.sys => File is digitally signed
C:\Windows\system32\SDRSVC.dll => File is digitally signed
C:\Windows\system32\vssvc.exe => File is digitally signed
C:\Windows\system32\wscsvc.dll => File is digitally signed
C:\Windows\system32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\system32\wuaueng.dll => File is digitally signed
C:\Windows\system32\qmgr.dll => File is digitally signed
C:\Windows\system32\es.dll => File is digitally signed
C:\Windows\system32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\system32\ipnathlp.dll => File is digitally signed
C:\Windows\system32\iphlpsvc.dll => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed


**** End of log ****


Fix result of Farbar Recovery Scan Tool (x86) Version: 13-09-2017
Ran by m (21-09-2017 04:43:05) Run:7
Running from C:\Users\m\Desktop
Loaded Profiles: m (Available Profiles: m)
Boot Mode: Normal

==============================================

fixlist content:
*****************
CMD: sc start wscsvc
CMD: sc start winmgmt
CMD: sc start wuauserv
*****************


========= sc start wscsvc =========

[SC] StartService FAILED 1068:

The dependency service or group failed to start.


========= End of CMD: =========


========= sc start winmgmt =========

[SC] StartService FAILED 1083:

The executable program that this service is configured to run in does not implement the service.


========= End of CMD: =========


========= sc start wuauserv =========


SERVICE_NAME: wuauserv
        TYPE               : 20  WIN32_SHARE_PROCESS  
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 1072
        FLAGS              :

========= End of CMD: =========


==== End of Fixlog 04:43:23 ====

This topic is now closed to further replies.