
Recovering from CryptoLocker and innumerable other issues



#1 nannyg13


Posted 11 April 2015 - 07:06 PM

My SO just complained about his computer not working right, so I started checking it out and found a hell hole of infections. CryptoLocker was the worst, but multiple trojans, viruses, other malware. I think I've gotten rid of everything, but it's still acting screwy. I want to wipe it but he doesn't have the disks, so I'm cleaning and refreshing as best I can. The one problem that I can't seem to fix is that the Windows firewall will not start. I've run all the Microsoft Fix It things and they can't fix it. Went into the registry editor and the MpsSvc is nowhere to be found in the files the tutorial said to look at. I'm guessing there's more work to be done? Please help!

 

Windows 7

Ran Malwarebytes

Ran Microsoft Security Essentials

Ran AdAware

Ran CC Cleaner

Ran Avast

Ran AVG

Ran Symantec


Edited by hamluis, 12 April 2015 - 06:51 AM.
Moved from Win 7 to Am I Infected - Hamluis.



 


#2 nannyg13


Posted 11 April 2015 - 07:08 PM

Farbar Service Scanner Version: 17-01-2015
Ran by Ben Sanderson (administrator) on 11-04-2015 at 20:07:26
Running from "C:\Users\Ben Sanderson\Downloads"
Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.
 
MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
 
 
Firewall Disabled Policy: 
==================
"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" registry key does not exist.
 
 
System Restore:
============
 
System Restore Policy: 
========================
 
 
Action Center:
============
 
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
 
Action Center Notification Icon =====> Unable to open HKLM\...\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A} key. The key does not exist.
 
 
Windows Update:
============
wuauserv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
 
 
Windows Autoupdate Disabled Policy: 
============================
 
 
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
 
 
Other Services:
==============
Checking Start type of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ImagePath of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ServiceDll of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
 
Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
Checking ServiceDll of SharedAccess: ATTENTION!=====> Unable to retrieve ServiceDll of SharedAccess. The value does not exist.
Checking FirewallRules of SharedAccess: ATTENTION!=====> Unable to open "SharedAccess\Defaults\FirewallPolicy\FirewallRules" registry key. The key does not exist.
 
 
File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
 
 
**** End of log ****


#3 hamluis


Posted 12 April 2015 - 06:51 AM

Well...I'm not sure that one can "clean and

 


 

Moved to Am I Infected forum for a look.  If the system truly had Cryptolocker and who knows what else...you should have someone familiar with malware take a look, not a Windows 7 issue, IMO.

 

Louis



#4 nannyg13


Posted 12 April 2015 - 11:27 AM

Oops, I'm new, sorry I put it in the wrong forum. But there's no doubt it was a cryptolocker of some sort. I found the original popup image buried in his EVE online game files. It told you to go to a specific address that let you into the server, pay your money, and you get the code to unlock your files. All of the files affected had an extra extension added (.nnysihl), over 20000 corrupted at last count. By cleaning, I meant getting rid of the now useless files and making sure nothing else was lurking around. And there is an issue with Windows components as there are several service keys missing. Any help would be most appreciated.



#5 nannyg13


Posted 12 April 2015 - 01:16 PM

Now running Kaspersky and superantispyware. So far nothing new is showing up. Also running Windows Repair from tweaking.com. That has found several issues so far, we'll go from there...



