problem with trojans


51 replies to this topic

#31 ryanjpr89 (Topic Starter)

Posted 04 July 2012 - 01:30 PM

Hmm, I'm still getting the same error message. I tried grant perms, as well as the method I tried on BFE service. Still no luck. =(



Farbar Service Scanner Version: 25-06-2012 01
Ran by Ryan (administrator) on 04-07-2012 at 14:28:51
Running from "C:\Users\Ryan\Desktop"
Microsoft Windows 7 Home Premium (X86)
Boot Mode: Normal
****************************************************************



Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.


Firewall Disabled Policy:
==================


File Check:
========
C:\windows\system32\mpssvc.dll
[2009-07-13 19:53] - [2009-07-13 21:15] - 0565760 ____A (Microsoft Corporation) 5CD996CECF45CBC3E8D109C86B82D69E

C:\windows\system32\bfe.dll
[2009-07-13 19:54] - [2009-07-13 21:14] - 0493568 ____A (Microsoft Corporation) 85AC71C045CEB054ED48A7841AAE0C11

C:\windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\windows\system32\svchost.exe => MD5 is legit
C:\windows\system32\rpcss.dll => MD5 is legit


**** End of log ****


#32 etavares (Malware Response Team)

Posted 04 July 2012 - 07:34 PM

Do you have your windows CD handy?


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#33 ryanjpr89 (Topic Starter)

Posted 05 July 2012 - 06:24 AM

No, my laptop unfortunately did not come with one.

#34 etavares (Malware Response Team)

Posted 05 July 2012 - 08:12 PM

OK, this is a slightly different Fix-It than the one we ran before. Give this a try:
http://support.microsoft.com/kb/943996

Also, what version of Kaspersky Antivirus do you have? If it has a firewall, that could be giving us this error.



#35 ryanjpr89 (Topic Starter)

Posted 05 July 2012 - 08:34 PM

I uninstalled it, to see if that was the problem, but I'm still getting the error. I'm going to get a free antivirus, because the trial was about to run out.


The fix didn't work either =(

#36 etavares (Malware Response Team)

Posted 05 July 2012 - 08:42 PM

OK, let's see what happens when we try to start it. Sometimes the error message is a bit different.

Click Start, type cmd, wait a second, then right-click cmd.exe under Programs in the search results. Select Run as Administrator. When you get the popup, click Yes to allow it to run as Administrator.

Next, copy the bold text below:
sc start mpssvc > "%USERPROFILE%\Desktop\Start.txt"

Then right-click in the command prompt window and select Paste. (Pressing Ctrl-V will not work here, you must use the mouse)
Then, press Enter.

It should run and get a new command prompt. Type exit and press Enter to close the window.

Post the contents of start.txt that should appear on your desktop.



#37 ryanjpr89 (Topic Starter)

Posted 06 July 2012 - 03:09 AM

SERVICE_NAME: mpssvc
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 2 START_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x7d0
PID : 1468
FLAGS :

#38 etavares (Malware Response Team)

Posted 06 July 2012 - 03:27 PM

Hello, ryanjpr89.

OK, that was different...now it tried to start. Not sure if it did or not.

We'll need to re-run the query. If that did not work, I have a few other ideas.

  • Please open Notepad.
  • Copy and paste the text in the box below into Notepad.
    @ECHO OFF
    sc query mpssvc > "%USERPROFILE%\Desktop\Query.txt"
    start "%USERPROFILE%\Desktop\Query.txt"
    del %0
    This fix is custom made for this user's computer.
  • Select File-->Save As
  • Select File as Type: All Types (*.*)
  • Save it to your desktop as fixme.bat
  • Right-click on fixme.bat on your desktop and select "Run As Administrator". If Windows asks, click YES to allow it to proceed.
  • A window will briefly pop up then close.
  • A log will open, please copy and paste it into your response.

etavares



#39 ryanjpr89 (Topic Starter)

Posted 08 July 2012 - 06:31 PM

SERVICE_NAME: mpssvc
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED
WIN32_EXIT_CODE : 1066 (0x42a)
SERVICE_EXIT_CODE : 5 (0x5)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

#40 etavares (Malware Response Team)

Posted 08 July 2012 - 07:46 PM

OK, a different approach.

Click Start, type cmd in the search box and wait for results to pop up. Right-click cmd.exe under Programs and select Run as Administrator. If you get the UAC popup, click Yes to allow the command prompt to run in elevated mode.

At the prompt type the following line of bold text exactly as shown and press Enter at the end of it.
net start mpssvc

Did the firewall start? I'm guessing not, but I wanted to try to manually start it vs. a batch file like before in case there was an issue there.

If it didn't work, type sc qc mpssvc > "%USERPROFILE%\Desktop\Query.txt" at the same elevated command prompt, press Enter to run it and post the logfile named Query.txt on your desktop. That will tell me a bit about how it's set to start, versus the current status.

Edited by etavares, 08 July 2012 - 07:46 PM.



#41 ryanjpr89 (Topic Starter)

Posted 09 July 2012 - 01:39 PM

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: mpssvc
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
LOAD_ORDER_GROUP : NetworkProvider
TAG : 0
DISPLAY_NAME : Windows Firewall
DEPENDENCIES : mpsdrv
: bfe
SERVICE_START_NAME : NT Authority\LocalService

#42 etavares (Malware Response Team)

Posted 09 July 2012 - 04:53 PM

OK, launch Start --> Computer
navigate to C:\windows\system32\
Right-click mpssvc.dll and click on Properties
Click the Security tab.
Under Group or user names, click the first one (probably SYSTEM). List what items are checked in the Permissions for SYSTEM section at the bottom (e.g. Allow read & execute, allow read) in your reply. Click on the next group or user name (e.g. Administrators) and list the permissions. Do this for all the group or user names. E.g.:

SYSTEM
allow read & execute
allow read
Administrators
allow read & execute
allow read
...and so on


After you list that, please click the Advanced button at the bottom.
Click the Owner tab. Let me know what the "current owner" is, e.g. "TrustedInstaller".

Cancel out all the way after you list the permissions and the owner in your reply. Don't change anything yet.

-etavares



#43 ryanjpr89 (Topic Starter)

Posted 09 July 2012 - 08:14 PM

System, Local Service, Administrators, and mpssvc all have full control.

Users have Read, and Read & Execute.


Current owner is Administrators.

#44 ryanjpr89 (Topic Starter)

Posted 09 July 2012 - 08:24 PM

I seem to have fixed it.

Under Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess in the registry, I noticed a folder I didn't recognize.

I googled the folder, and found no results, and backed up the registry key, then removed the folder.

I then opened the firewall under control panel and clicked use suggested settings, and it seems to have fixed it, the service is now running, and firewall is enabled.
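The diagnostic steps etavares walked through by hand in posts #36 to #42 (start the service and read the exit codes, query its configuration and dependencies, list the ACL and owner of mpssvc.dll) plus the registry check that turned out to matter in this post can be collected in one read-only pass. The script below is an added example, not something posted in the thread or shipped by BleepingComputer or Microsoft. The function names are made up for this illustration; it assumes Windows PowerShell 3.0 or later and an elevated prompt, and the list of "expected" SharedAccess subkeys is an assumed baseline that must be checked against a known-good machine of the same Windows build before anything is treated as suspicious. It changes nothing, which matches the "Don't change anything yet" advice earlier in the thread.

```powershell
# Added example (not from the thread). Read-only collection of the facts the
# thread gathered manually for the Windows Firewall service (MpsSvc).
# Assumes PowerShell 3.0+ (Get-CimInstance) and an elevated session.

# Win32 error codes that appear in `sc query` output for a service that
# failed to start. These constant names and values are Microsoft's.
$Win32Errors = @{
    0    = 'ERROR_SUCCESS'
    5    = 'ERROR_ACCESS_DENIED'
    1066 = 'ERROR_SERVICE_SPECIFIC_ERROR (the real cause is ServiceSpecificExitCode)'
    1068 = 'ERROR_SERVICE_DEPENDENCY_FAIL (a dependency such as BFE or mpsdrv did not start)'
}

function Describe-Win32Error([int]$Code) {
    # Hypothetical helper: render a code as "1066 (ERROR_SERVICE_SPECIFIC_ERROR ...)".
    $name = if ($Win32Errors.ContainsKey($Code)) { $Win32Errors[$Code] } else { 'not in table' }
    '{0} ({1})' -f $Code, $name
}

function Get-FirewallServiceState {
    # Equivalent of the `sc query` / `sc qc` steps: state, start mode, binary,
    # account, both exit codes, and the status of each dependency (mpsdrv, BFE).
    $svc  = Get-CimInstance -ClassName Win32_Service -Filter "Name='MpsSvc'"
    $deps = (Get-Service -Name MpsSvc).ServicesDependedOn |
        ForEach-Object { '{0}={1}' -f $_.Name, $_.Status }
    [pscustomobject]@{
        State                   = $svc.State
        StartMode               = $svc.StartMode
        PathName                = $svc.PathName
        StartName               = $svc.StartName
        Win32ExitCode           = Describe-Win32Error $svc.ExitCode
        ServiceSpecificExitCode = Describe-Win32Error $svc.ServiceSpecificExitCode
        Dependencies            = $deps -join ', '
    }
}

function Get-FirewallDllAcl {
    # Equivalent of the Properties > Security > Advanced > Owner walk-through
    # in post #42, for the two DLLs the Farbar log checked.
    foreach ($dll in 'mpssvc.dll', 'bfe.dll') {
        $path = Join-Path $env:SystemRoot "System32\$dll"
        $acl  = Get-Acl -Path $path
        [pscustomobject]@{
            File            = $path
            Owner           = $acl.Owner
            # The thread names TrustedInstaller as the owner to expect on this file.
            OwnerAsExpected = ($acl.Owner -eq 'NT SERVICE\TrustedInstaller')
            Access          = ($acl.Access | ForEach-Object {
                '{0}: {1} {2}' -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights
            }) -join '; '
        }
    }
}

function Get-SharedAccessSubkeys {
    # Lists the subkeys under the key where ryanjpr89 found an unrecognised entry.
    # ASSUMED baseline, not from the thread: compare against a clean machine of
    # the same build before acting on a 'Review = True' row.
    $assumedBaseline = 'Defaults', 'Epoch', 'Parameters', 'Setup'
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess'
    foreach ($sub in Get-ChildItem -Path $key) {
        [pscustomobject]@{
            Subkey     = $sub.PSChildName
            ValueCount = $sub.ValueCount
            Review     = ($assumedBaseline -notcontains $sub.PSChildName)
        }
    }
}

# Usage: run all three and read the output before changing anything.
Get-FirewallServiceState | Format-List
Get-FirewallDllAcl       | Format-List
Get-SharedAccessSubkeys  | Format-Table -AutoSize
```

Read against the thread's own output: the `sc query` result in post #39 (WIN32_EXIT_CODE 1066, SERVICE_EXIT_CODE 5) decodes as "service-specific error" whose specific code is ERROR_ACCESS_DENIED, which is why the next steps looked at permissions and ownership rather than at the service configuration, which `sc qc` had already shown to be normal.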

#45 etavares (Malware Response Team)

Posted 09 July 2012 - 09:53 PM

Nice work. What was the folder? That saves me from reinstalling the default firewall registry entries. :) Please run Farbar Service Scanner again and post the log and we'll finish up.
