Win 7 Security 2012 Totally Gone Now?



#1 fisodf999

Posted 19 January 2012 - 05:00 PM

Hi,

I was infected a few days ago with the Win 7 Security 2012 nonsense. I'm fairly knowledgeable about computers, so as soon as I saw it I knew what it was, and I followed your official guide to remove it.

The reason I'm posting is because I ran into a few hiccups along the way... certain steps didn't work exactly how they were explained in the guide. To the best of my knowledge, it is gone now. I ran several other common antivirus/antispyware programs (ad-aware, avg, avast, etc) after finishing your guide, just to be sure, and all said I had a clean bill of health. I'm still sort of paranoid about it though, so I was wondering if there was a quick diagnostic I could run and post the results so you can confirm that I'm officially clean once again.

Thank you!


 


#2 narenxp


Posted 19 January 2012 - 05:25 PM

Download FSS

Checkmark

Internet Services
Windows Firewall
System Restore
Security Center
Windows Update

Click on "Scan".
Please copy and paste the log to your reply.

Download aswMBR

Launch it, allow it to download latest Avast! virus definitions
Click the "Scan" button to start scan. After scan finishes, click on Save log

Post the log results here



Download ESET online scanner

Install it

Click on START, it should download the virus definitions
When scan gets completed, click on LIST of found threats

Export the list to desktop, copy the contents of the text file in your reply

Good luck

#3 fisodf999


Posted 19 January 2012 - 07:50 PM

Farbar Service Scanner Version: 18-01-2012 01
Ran by Fiso (administrator) on 19-01-2012 at 18:05:11
Microsoft Windows 7 Ultimate   (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy: 
==================


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.


System Restore Disabled Policy: 
========================


Security Center:
============

Windows Update:
===========

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll
[2009-07-13 19:09] - [2009-07-13 20:41] - 0824832 ____A (Microsoft Corporation) AECAB449567D1846DAD63ECE49E893E3

C:\Windows\System32\bfe.dll
[2009-07-13 19:09] - [2009-07-13 20:40] - 0703488 ____A (Microsoft Corporation) 4992C609A6315671463E30F6512BC022

C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll
[2009-07-13 18:36] - [2009-07-13 20:41] - 0170496 ____A (Microsoft Corporation) 765A27C3279CE11D14CB9E4F5869FCA5

C:\Windows\System32\vssvc.exe
[2009-07-13 18:39] - [2009-07-13 20:39] - 1598976 ____A (Microsoft Corporation) 787898BF9FB6D7BD87A36E2D95C899BA

C:\Windows\System32\wscsvc.dll
[2011-02-09 02:46] - [2010-12-21 01:16] - 0097280 ____A (Microsoft Corporation) 8F9F3969933C02DA96EB0F84576DB43E

C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll
[2009-07-13 19:36] - [2009-07-13 20:41] - 2418176 ____A (Microsoft Corporation) 38340204A2D0228F1E87740FC5E554A7

C:\Windows\System32\qmgr.dll
[2009-07-13 18:46] - [2009-07-13 20:41] - 0848384 ____A (Microsoft Corporation) 7F0C323FE3DA28AA4AA1BDA3F575707F

C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll
[2009-07-13 18:49] - [2009-07-13 20:40] - 0175104 ____A (Microsoft Corporation) 8C57411B66282C01533CB776F98AD384

C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****



aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
Run date: 2012-01-19 18:07:06
-----------------------------
18:07:06.529    OS Version: Windows x64 6.1.7600 
18:07:06.529    Number of processors: 8 586 0x1A05
18:07:06.530    ComputerName: FDESKTOP  UserName: Fiso
18:07:07.492    Initialize success
18:08:50.406    AVAST engine defs: 12011902
18:09:35.931    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
18:09:35.933    Disk 0 Vendor: WDC_WD10 05.0 Size: 953869MB BusType: 3
18:09:35.941    Disk 0 MBR read successfully
18:09:35.943    Disk 0 MBR scan
18:09:35.946    Disk 0 Windows 7 default MBR code
18:09:35.948    Disk 0 Partition 1 00     DE Dell Utility Dell 8.0       94 MB offset 63
18:09:35.959    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS         9642 MB offset 194560
18:09:35.982    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS       944131 MB offset 19941376
18:09:36.004    Service scanning
18:09:36.290    Service MpNWMon C:\Windows\system32\DRIVERS\MpNWMon.sys **LOCKED** 32
18:09:36.891    Modules scanning
18:09:36.895    Disk 0 trace - called modules:
18:09:36.899    ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll 
18:09:36.903    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8008a91060]
18:09:36.907    3 CLASSPNP.SYS[fffff8800165143f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8008763050]
18:09:37.766    AVAST engine scan C:\Windows
18:09:40.192    AVAST engine scan C:\Windows\system32
18:11:10.129    AVAST engine scan C:\Windows\system32\drivers
18:11:19.153    AVAST engine scan C:\Users\Fiso
18:20:45.691    File: C:\Users\Fiso\Desktop\Apps\SCAR 3.22\scar.exe  **INFECTED** Win32:Malware-gen
18:25:46.764    AVAST engine scan C:\ProgramData
18:27:56.632    Scan finished successfully
18:30:00.793    Disk 0 MBR has been saved successfully to "C:\Users\Fiso\Desktop\MBR.dat"
18:30:00.839    The log file has been saved successfully to "C:\Users\Fiso\Desktop\aswMBR.txt"




The ESET scan found nothing.


I noticed that a program of mine (scar.exe) was flagged. It always gets flagged as malware, but I've had it for years so I'm not particularly concerned about it. Hoping for good news! :)

#4 narenxp


Posted 19 January 2012 - 10:40 PM

That looks good, thanks for info about SCAR

Download ESET online scanner

Install it

Click on START, it should download the virus definitions
When scan gets completed, click on LIST of found threats

Export the list to desktop, copy the contents of the text file in your reply

#5 fisodf999


Posted 20 January 2012 - 06:09 PM

I ran ESET again, no results. When it finishes I get this window, not sure how to export a list from here...

Posted Image

#6 narenxp


Posted 20 January 2012 - 11:27 PM

That looks good

Download TFC

Launch it, it will close all running programs

Click on START, it should ask for reboot

Turn off your system restore, restart the PC, create a new restore point

http://windows.microsoft.com/en-US/windows7/Turn-System-Restore-on-or-off

Update your antivirus frequently, do not click on suspicious links

Safe surfing :)

Edited by narenxp, 20 January 2012 - 11:32 PM.




