Google redirects and adobe installation popups


This topic is locked
116 replies to this topic

#31 CatByte
  • bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Location: Canada

Posted 26 July 2012 - 04:41 PM

This may not make a difference to the error you are currently receiving, but I notice you are merging the reg fix from a temporary directory.

Please first download the reg fix to a location such as your desktop, then run the reg fix from there.

Farbar Service Scanner is also being run from a temporary directory,

so please download Farbar Service Scanner and save it to your desktop as well before it is run.

Please try the reg fix again from your desktop and let me know if you receive an error again and what that error is exactly,

then post a fresh FSS log from a run started from the desktop.

Thank you

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015



#32 CatByte
  • bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Location: Canada

Posted 26 July 2012 - 06:03 PM

hello,


One of our experts has been assisting with this issue and has noticed an entry in one of the logs that may be preventing this reg fix,

so please run the following:

Please download MiniRegTool64.zip and save it to your desktop.
Unzip it and run MiniRegTool64.exe

Copy and paste the following in the edit box:

HKEY_LOCAL_MACHINE\system\ControlSet001\services\MpsSvc
HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\MpsSvc


Check the Delete Key(s)/Value(s) radio button and press the Go button.

Please post the content of the log (delete.txt) to your reply.


NEXT

Please run the registry fix.

Please try it this way:



Click WinKey + R to open a Run box > type notepad into the open Run box > OK > this will open Notepad.

Click Format and make certain that Word Wrap is NOT checked.

Copy/paste the text inside of the code box into the open Notepad:


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc]
"DisplayName"="@%SystemRoot%\\system32\\FirewallAPI.dll,-23090"
"Group"="NetworkProvider"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\
00,65,00,4e,00,6f,00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,00,00
"Description"="@%SystemRoot%\\system32\\FirewallAPI.dll,-23091"
"ObjectName"="NT Authority\\LocalService"
"ErrorControl"=dword:00000001
"Start"=dword:00000002
"Type"=dword:00000020
"DependOnService"=hex(7):6d,00,70,00,73,00,64,00,72,00,76,00,00,00,62,00,66,00,\
65,00,00,00,00,00
"ServiceSidType"=dword:00000003
"RequiredPrivileges"=hex(7):53,00,65,00,41,00,73,00,73,00,69,00,67,00,6e,00,50,\
00,72,00,69,00,6d,00,61,00,72,00,79,00,54,00,6f,00,6b,00,65,00,6e,00,50,00,\
72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,41,00,75,\
00,64,00,69,00,74,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
00,00,53,00,65,00,43,00,68,00,61,00,6e,00,67,00,65,00,4e,00,6f,00,74,00,69,\
00,66,00,79,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,\
53,00,65,00,43,00,72,00,65,00,61,00,74,00,65,00,47,00,6c,00,6f,00,62,00,61,\
00,6c,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,\
65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,00,61,00,74,00,65,00,50,\
00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,\
6e,00,63,00,72,00,65,00,61,00,73,00,65,00,51,00,75,00,6f,00,74,00,61,00,50,\
00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
00,01,00,00,00,c0,d4,01,00,01,00,00,00,e0,93,04,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
6d,00,70,00,73,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00
"ServiceDllUnloadOnStop"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap]
"Collection"=hex:87,00,01,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Security]
"Security"=hex:01,00,14,80,b4,00,00,00,c0,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,84,00,05,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,04,00,00,00,00,\
00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,00,00,28,00,15,00,\
00,00,01,06,00,00,00,00,00,05,50,00,00,00,49,59,9d,77,91,56,e5,55,dc,f4,e2,\
0e,a7,8b,eb,ca,7b,42,13,56,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,\
00,00,00,05,12,00,00,00


Now go to File > and click Save As,
From the drop down menu at the top of the box choose Desktop as the location to save this file.
Go down to the File Name box and type in fixme.reg as the file name, then choose All Files as the save as file type.
Then click the save button.

Once you have clicked the save button, close Notepad.

You should now see a file on your desktop that looks like this:

[screenshot: the fixme.reg file on the desktop]

Locate the fixme.reg icon on your desktop and double click it, an information box will pop up asking if you want to merge the information in the file into the registry, click YES.

Once the file has run, the information will have merged with your registry so you can delete fixme.reg from your desktop as you won't be needing it any more.

NEXT

Please post a fresh FSS log.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
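Before merging a .reg fix like the one above, it is worth decoding what it actually writes: the ImagePath, ServiceDll, DependOnService and RequiredPrivileges values are stored as comma-separated hex (REG_EXPAND_SZ and REG_MULTI_SZ in UTF-16LE), which is unreadable as posted. The following is an added example, not code from CatByte, BleepingComputer or Farbar. It is a small parser for the "Windows Registry Editor Version 5.00" format that joins the backslash-continued lines, decodes the hex value types and summarises the service entry. The embedded REG_EXCERPT is a subset of the fix copied from the post above; all function names are mine.

```python
import re

# Excerpt of the MpsSvc fix posted above, values copied verbatim from the post.
# This is a constructed sample for the parser, not the complete fix.
REG_EXCERPT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc]
"DisplayName"="@%SystemRoot%\\system32\\FirewallAPI.dll,-23090"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\
  00,65,00,4e,00,6f,00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,00,00
"ObjectName"="NT Authority\\LocalService"
"Start"=dword:00000002
"Type"=dword:00000020
"DependOnService"=hex(7):6d,00,70,00,73,00,64,00,72,00,76,00,00,00,62,00,66,00,\
  65,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  6d,00,70,00,73,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00
"ServiceDllUnloadOnStop"=dword:00000001
'''

START_TYPES = {0: 'Boot', 1: 'System', 2: 'Auto', 3: 'Manual', 4: 'Disabled'}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
HEX_RE = re.compile(r'^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$')


def _unescape(s):
    # quoted .reg strings escape backslash and double quote with a backslash
    return s.replace('\\\\', '\\').replace('\\"', '"')


def _decode_hex(kind, csv):
    data = bytes(int(b, 16) for b in csv.split(',') if b.strip())
    if kind in ('1', '2'):   # REG_SZ / REG_EXPAND_SZ: UTF-16LE, NUL terminated
        return data.decode('utf-16-le').rstrip('\x00')
    if kind == '7':          # REG_MULTI_SZ: NUL-separated strings, double NUL at the end
        return [s for s in data.decode('utf-16-le').split('\x00') if s]
    if kind == '4':          # REG_DWORD written as hex(4): little-endian
        return int.from_bytes(data, 'little')
    return data              # REG_BINARY ("hex:") and anything else stays raw


def parse_reg(text):
    """Return {key_path: {value_name: decoded_value}} for a 'Version 5.00' .reg file."""
    # A trailing backslash continues a hex value on the next, indented line.
    text = re.sub(r'\\\r?\n[ \t]*', '', text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError('unparsed .reg line: %r' % line)
        name, raw = _unescape(m.group(1)), m.group(2)
        if raw.startswith('"') and raw.endswith('"'):
            value = _unescape(raw[1:-1])
        elif raw.startswith('dword:'):
            value = int(raw[len('dword:'):], 16)
        elif HEX_RE.match(raw):
            kind, csv = HEX_RE.match(raw).groups()
            value = _decode_hex(kind or '3', csv)
        else:
            raise ValueError('unsupported value syntax: %r' % raw)
        current[name] = value
    return keys


def describe_service(keys, name):
    """Summarise what the fix writes for one service: host, DLL, start type, dependencies."""
    base = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%s' % name
    svc, params = keys.get(base, {}), keys.get(base + r'\Parameters', {})
    return {
        'ImagePath': svc.get('ImagePath'),
        'ServiceDll': params.get('ServiceDll'),
        'Start': START_TYPES.get(svc.get('Start'), svc.get('Start')),
        'DependOnService': svc.get('DependOnService', []),
        'ObjectName': svc.get('ObjectName'),
    }


if __name__ == '__main__':
    for field, value in describe_service(parse_reg(REG_EXCERPT), 'MpsSvc').items():
        print('%-16s %s' % (field, value))
```

Run against the excerpt, the summary shows the fix re-points MpsSvc at %SystemRoot%\system32\svchost.exe -k LocalServiceNoNetwork with mpssvc.dll as the service DLL, Auto start, running as NT Authority\LocalService and depending on mpsdrv and bfe. Note that regedit's "error accessing the registry" on import is the generic failure it reports when it cannot create or write a key, including when the key's ACL denies write; that is why the thread turns to MiniRegTool's unlock step.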


#33 thedutchman
  • Topic Starter
  • Members
  • 65 posts

Posted 26 July 2012 - 06:39 PM

This is the log from the miniregtool.

MiniRegTool by Farbar
Ran by For Others (administrator) on 2012-07-26 16:34:29

====================================
HKEY_LOCAL_MACHINE\system\ControlSet001\services\MpsSvc not found.
HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\MpsSvc\Parameters could not be deleted.
HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\MpsSvc\Security deleted successfully.
HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\MpsSvc could not be deleted.

After that I tried to once again install and run the fixme.reg program, and once again I was met with an error.

The error notification states word for word:

"Registry Error. Cannot import C:\User\For Others\Desktop\Fixme.reg: error accessing the registry."

Edited by thedutchman, 26 July 2012 - 06:40 PM.


#34 thedutchman
  • Topic Starter
  • Members
  • 65 posts

Posted 26 July 2012 - 06:43 PM

After the fixme.reg program failed, I ran the FSS program; this is the new FSS log.

Farbar Service Scanner Version: 26-07-2012
Ran by For Others (administrator) on 26-07-2012 at 16:41:52
Running from "C:\Users\For Others\Desktop"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============

sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Auto
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

#35 CatByte
  • bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Location: Canada

Posted 26 July 2012 - 06:43 PM

Let's try this.

Use MiniRegTool again.

Copy and paste the content of the code box in the edit box:

HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\MpsSvc\Parameters
HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\MpsSvc


Check the Unlock Key(s) radio button and press the Go button.


Now try deleting those keys once more,

then try to import the reg fix once again.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#36 thedutchman
  • Topic Starter
  • Members
  • 65 posts

Posted 26 July 2012 - 06:48 PM

I did what you asked: I unlocked, then deleted. This is the new log from the MiniRegTool.

MiniRegTool by Farbar
Ran by For Others (administrator) on 2012-07-26 16:46:11

====================================
HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\MpsSvc\Parameters not found.
HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\MpsSvc\Parameters could not be deleted.
HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\MpsSvc\Security deleted successfully.
HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\MpsSvc could not be deleted.

When I tried to import, the same error was displayed.

#37 CatByte
  • bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Location: Canada

Posted 26 July 2012 - 08:20 PM

OK, thanks.

Please re-run Farbar Service Scanner once more.

Other than this, have you noticed any other problems with the computer?

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#38 thedutchman
  • Topic Starter
  • Members
  • 65 posts

Posted 26 July 2012 - 08:58 PM

My Windows Firewall doesn't seem to be working. I assume MSE will continue to function normally once I reinstall it. I don't know how to check what else may be wrong with it. The virus seems to have completely compromised my system and I'm not sure what's been affected, repaired, or left broken thus far.

#39 CatByte
  • bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Location: Canada

Posted 26 July 2012 - 09:13 PM

Yes, unfortunately you have been infected with one of the newer variants, which is proving difficult to repair as it breaks critical Windows services. Right now, it appears the issue is with the Windows Firewall.


You may want to take this time to back up all your important documents, images and music, as you may have to reinstall your operating system.


ESET has developed a new tool to repair services that have been broken by this infection.

Give it a try:

download the ServicesRepair.exe from here and follow the instructions.

Reboot and post a new Farbar Service Scanner log.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#40 thedutchman
  • Topic Starter
  • Members
  • 65 posts

Posted 26 July 2012 - 09:49 PM

I went to the site in the link. After I ran the first program, "EZ_Sirefix", which successfully ran and rebooted my computer, I tried to run the "EsetSirefefremover". It gave me a notification that there is no "win64" on my computer. So I bypassed that and moved on to running the third program, which ran fine and rebooted my computer once that was finished. The last portion of the link guide tells me to access ESET on its main program window. However, I can't seem to find it on my desktop nor in my programs, despite the fact that I downloaded all the programs the guide told me to.

Edited by thedutchman, 26 July 2012 - 09:50 PM.


#41 CatByte
  • bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Location: Canada

Posted 26 July 2012 - 09:51 PM

It's just the ServicesRepair.exe that you need to run.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#42 thedutchman
  • Topic Starter
  • Members
  • 65 posts

Posted 26 July 2012 - 09:52 PM

Oh, OK, I'll run the FSS now then.

#43 thedutchman
  • Topic Starter
  • Members
  • 65 posts

Posted 26 July 2012 - 09:54 PM

This is the new FSS log

Farbar Service Scanner Version: 26-07-2012
Ran by For Others (administrator) on 26-07-2012 at 19:52:57
Running from "C:\Users\For Others\Desktop"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============

sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Disabled
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****
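Reading two Farbar Service Scanner logs side by side is how the repair progress in this thread is judged: between the log in post #34 and the one above, the mpsdrv entry disappears from the Windows Firewall section and the sharedaccess start type changes from Auto to Disabled, while MpsSvc is still not running. The following is an added example, not code from Farbar or from anyone in the thread: a parser for the FSS service and file-check lines that lists everything FSS did not mark OK, and a diff that reports what a repair step fixed, what it introduced and what it left. FSS_BEFORE and FSS_AFTER are constructed excerpts of the two posted logs; all function names are mine.

```python
import re

# Constructed excerpts of the two Farbar Service Scanner logs posted above: the run after
# the failed reg import (post #34) and the run after ServicesRepair.exe (post #43).
FSS_BEFORE = """\
Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.

Other Services:
==============

sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Auto
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.

File Check:
========
C:\\Windows\\System32\\mpssvc.dll => MD5 is legit
C:\\Windows\\System32\\drivers\\mpsdrv.sys => MD5 is legit
"""

FSS_AFTER = """\
Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.

Other Services:
==============

sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Disabled
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.

File Check:
========
C:\\Windows\\System32\\mpssvc.dll => MD5 is legit
C:\\Windows\\System32\\drivers\\mpsdrv.sys => MD5 is legit
"""

NOT_RUNNING = re.compile(r'^(\S+) Service is not running\.')
CONFIG = re.compile(r'^The (start type|ImagePath|ServiceDll) of (\S+) service is (OK|set to (\S+))\.?$')
FILE_CHECK = re.compile(r'^(.+?) => (.*)$')


def parse_fss(text):
    """Return ({service: {field: verdict}}, {path: verdict}) from FSS log text."""
    services, files = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = NOT_RUNNING.match(line)
        if m:
            services.setdefault(m.group(1), {})['running'] = False
            continue
        m = CONFIG.match(line)
        if m:
            field, name, verdict, setting = m.groups()
            # "OK" means FSS saw its expected value; otherwise keep the value it reported
            services.setdefault(name, {})[field] = setting or verdict
            continue
        m = FILE_CHECK.match(line)
        if m:
            files[m.group(1)] = m.group(2)
    return services, files


def findings(text):
    """Everything FSS did not mark OK: stopped services, non-default config, bad file hashes."""
    services, files = parse_fss(text)
    out = []
    for name, info in sorted(services.items()):
        if info.get('running') is False:
            out.append('%s: not running' % name)
        for field in ('start type', 'ImagePath', 'ServiceDll'):
            if field in info and info[field] != 'OK':
                out.append('%s: %s is %s' % (name, field, info[field]))
    out += ['%s: %s' % (p, v) for p, v in files.items() if v != 'MD5 is legit']
    return out


def diff_findings(before, after):
    """Compare two runs: what a repair step fixed, what it introduced, what it left alone."""
    b, a = set(findings(before)), set(findings(after))
    return {'fixed': sorted(b - a), 'new': sorted(a - b), 'still_present': sorted(a & b)}


if __name__ == '__main__':
    for label, items in diff_findings(FSS_BEFORE, FSS_AFTER).items():
        print(label, items)
```

On these two excerpts the diff reports mpsdrv's stopped state and the Auto start type of sharedaccess as fixed, the Disabled start type of sharedaccess as new, and the stopped MpsSvc and sharedaccess as still present, which is the same reading CatByte gives in the next post. The file-check section is carried through so that a hash mismatch on any of the networking or firewall binaries would surface in the same list.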

#44 CatByte
  • bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Location: Canada

Posted 26 July 2012 - 10:05 PM

Well, that's much better.

A couple of services are not started, but at least now they exist.

We'll try and start the services manually.


Please run the following from an elevated command prompt.

Go to Start > type cmd into the search box > when cmd.exe populates in the window above > right click it and choose "Run as Administrator" to open an elevated command prompt.

Now copy/paste the following commands at the command prompt one at a time, pressing ENTER after each command:

netsh advfirewall reset

net start mpsdrv

net start bfe

net start mpssvc

net start sharedaccess

regsvr32 firewallapi.dll

exit


Confirm any message boxes that come up by clicking OK. The result on the last entry should say that it succeeded.
Note: If you receive any errors on any of the command lines, please let me know.

Reboot the system.


Post a fresh Farbar Service Scanner log.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#45 thedutchman
  • Topic Starter
  • Members
  • 65 posts

Posted 26 July 2012 - 10:10 PM

When I input the first command, "netsh advfirewall reset", the command box responded: "An error occurred while attempting to contact the windows firewall service. Make sure that the service is running and try your request again".

I went to access and run Windows Firewall, which responded: "Windows Firewall can't change some of your settings. Error code 0x8007043b"

Edited by thedutchman, 26 July 2012 - 10:12 PM.




