Post by frankftb on Nov 16, 2015 20:05:16 GMT -8
By the way, AdwCleaner did not find any threats. Thanks.
dbrisen
Malware Removalists
Posts: 3,688
Post by dbrisen on Nov 16, 2015 22:45:21 GMT -8
There are several services turned off or disabled on your system. Did you do this yourself (if so, can you tell me why) or is this just system corruption? If the latter, please download the following and repair the services.

Please download the ESET Services Repair Tool from here. Double click on ServicesRepair.exe; allow the file to run by clicking Run and/or Yes. Once the utility is done, please reboot your system to allow the services to start properly.

Once repaired, please rerun a scan with Farbar Service Scanner. (If you still have the file on your desktop, you do not have to redownload it.) Please download Farbar Service Scanner to your desktop and double click on the file to run it. Make sure the following options are checked:
- Windows Firewall
- System Restore
- Security Center
- Windows Update
- Other Services
Press "Scan". It will create a log (FSS.txt) in the same directory the tool is run. Please copy and paste the log to your reply.
Post by frankftb on Nov 17, 2015 5:21:01 GMT -8
I did not disable any services, services were repaired and this is the new FSS log. Thanks.

******
Farbar Service Scanner Version: 26-07-2015
Ran by Administrator (administrator) on 17-11-2015 at 07:52:47
Running from "C:\Documents and Settings\Administrator\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

System Restore:
============
Srservice Service is not running. Checking service configuration:
The start type of Srservice service is OK.
The ImagePath of Srservice service is OK.
The ServiceDll of Srservice: "C:\WINDOWS\system32\srsvc.dll".

System Restore Policy:
========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=DWORD:1

Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Other Services:
==============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\afd.sys
[2008-10-15 20:24] - [2008-10-15 20:24] - 0138496 ____A (Microsoft Corporation) 4D43E74F2A1239D53929B82600F1971C
C:\WINDOWS\system32\Drivers\netbt.sys => File is digitally signed
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => File is digitally signed
C:\WINDOWS\system32\dnsrslvr.dll => File is digitally signed
C:\WINDOWS\system32\ipnathlp.dll => File is digitally signed
C:\WINDOWS\system32\netman.dll => File is digitally signed
C:\WINDOWS\system32\wbem\WMIsvc.dll => File is digitally signed
C:\WINDOWS\system32\srsvc.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\sr.sys => File is digitally signed
C:\WINDOWS\system32\wscsvc.dll => File is digitally signed
C:\WINDOWS\system32\wbem\WMIsvc.dll => File is digitally signed
C:\WINDOWS\system32\wuauserv.dll => File is digitally signed
C:\WINDOWS\system32\qmgr.dll => File is digitally signed
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed

Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x0700000004000000010000000200000003000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****
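The log above reports the disabled state as two registry policy values ("EnableFirewall"=DWORD:0 and "DisableSR"=DWORD:1) plus a stopped service, and lists one driver (afd.sys) with file attributes instead of a signature verdict. The Python helper below is an added example, not part of this thread and not a Farbar tool: it pulls those findings out of an FSS-style log so a responder can see at a glance what was switched off and which files FSS could not vouch for. The sample log embedded in it is a constructed, trimmed copy of the one posted above; the policy names and the two benign verdict strings are taken from that log, and any file with another verdict, or with no verdict at all, is flagged for manual review rather than judged.

```python
"""Triage helper for a Farbar Service Scanner (FSS.txt) style log.

Added example for this thread; it is not part of the forum post and not
a tool from the Farbar project. It assumes only the line shapes visible
in the thread's log: registry policy values ("Name"=DWORD:n) under a
[HKEY_...] header, "<name> Service is not running." lines, and
"<path> => <verdict>" file-check lines, where a path printed with no
verdict is followed by an attribute line "[date] - [date] - size ... md5".
"""
import re
import sys
from dataclasses import dataclass, field

# Policy values that, when set as below, turn a protection off. Both
# names and values are those reported in the thread's log.
DISABLING_POLICIES = {
    "EnableFirewall": 0,  # Windows Firewall off for the profile
    "DisableSR": 1,       # System Restore off: no restore points are created
}

# Verdicts FSS attaches to a file it could verify; anything else is flagged.
BENIGN_VERDICTS = {"File is digitally signed", "MD5 is legit"}

POLICY_RE = re.compile(r'^"(?P<name>[^"]+)"=DWORD:(?P<value>[0-9A-Fa-f]+)$')
NOT_RUNNING_RE = re.compile(r"^(?P<svc>\S+) Service is not running\.")
FILE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\\S+)(?: => (?P<verdict>.+))?$")
ATTR_RE = re.compile(r"^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}\] - ")


@dataclass
class Findings:
    disabled_policies: list = field(default_factory=list)  # (reg_key, name, value)
    stopped_services: list = field(default_factory=list)   # service names
    unverified_files: list = field(default_factory=list)   # (path, note)


def triage_fss_log(text):
    """Walk the log once and collect what a responder should look at."""
    found = Findings()
    current_key = None   # most recent [HKEY_...] header, kept for context
    pending_path = None  # file line seen without a verdict, awaiting attributes

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue

        # A path printed without a verdict is one FSS could not vouch for;
        # the attribute line that follows carries size, owner and MD5.
        if pending_path is not None:
            if ATTR_RE.match(line):
                found.unverified_files.append((pending_path, line))
                pending_path = None
                continue
            found.unverified_files.append((pending_path, "no verdict printed"))
            pending_path = None

        if line.startswith("[HKEY_"):
            current_key = line.strip("[]")
            continue

        m = POLICY_RE.match(line)
        if m:
            name, value = m.group("name"), int(m.group("value"), 16)
            if DISABLING_POLICIES.get(name) == value:
                found.disabled_policies.append((current_key, name, value))
            continue

        m = NOT_RUNNING_RE.match(line)
        if m:
            found.stopped_services.append(m.group("svc"))
            continue

        m = FILE_RE.match(line)
        if m:
            path, verdict = m.group("path"), m.group("verdict")
            if verdict is None:
                pending_path = path
            elif verdict.rstrip(".") not in BENIGN_VERDICTS:
                found.unverified_files.append((path, verdict))

    if pending_path is not None:
        found.unverified_files.append((pending_path, "no verdict printed"))
    return found


def report(found):
    """Render findings as plain text lines (returned so they can be checked)."""
    lines = []
    for key, name, value in found.disabled_policies:
        lines.append(f"POLICY  {name}={value} under {key}")
    for svc in found.stopped_services:
        lines.append(f"SERVICE {svc} is not running")
    for path, note in found.unverified_files:
        lines.append(f"FILE    {path}: {note}")
    return lines or ["nothing flagged"]


# Constructed sample: a trimmed copy of the log posted in this thread.
SAMPLE_LOG = r"""
Farbar Service Scanner Version: 26-07-2015
Ran by Administrator (administrator) on 17-11-2015 at 07:52:47
Microsoft Windows XP Professional Service Pack 3 (X86)

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

System Restore:
============
Srservice Service is not running. Checking service configuration:
The start type of Srservice service is OK.
The ServiceDll of Srservice: "C:\WINDOWS\system32\srsvc.dll".

System Restore Policy:
========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=DWORD:1

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\afd.sys
[2008-10-15 20:24] - [2008-10-15 20:24] - 0138496 ____A (Microsoft Corporation) 4D43E74F2A1239D53929B82600F1971C
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
"""

if __name__ == "__main__":
    # Pass a saved FSS.txt path, or run with no argument to triage the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for out in report(triage_fss_log(text)):
        print(out)
```

A DisableSR=1 finding is worth noting before any recovery attempt: with System Restore turned off by policy no restore points are being created, so recovery paths that depend on them should be expected to come up empty. The afd.sys entry is reported as unverified, not as malicious; FSS printed attributes and an MD5 for it instead of a verdict, and that hash is what a responder would check by hand.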
Post by dbrisen on Nov 18, 2015 21:55:17 GMT -8
Let's see if we can get System Restore running again now.

Steps to turn on System Restore:
- Click Start, right-click My Computer, and then click Properties.
- In the System Properties dialog box, click the System Restore tab.
- Click to clear the Turn off System Restore check box. Or, click the Turn off System Restore on all drives check box.
- Click OK.
After a few moments, the System Properties dialog box closes.

Did this seem to complete properly? (This is taken from this MS KB article: support.microsoft.com/en-ca/kb/310405 )
Post by frankftb on Nov 19, 2015 3:58:14 GMT -8
Yes, it did complete properly.
Post by dbrisen on Nov 20, 2015 23:04:09 GMT -8
Now that System Restore is working (and the malware has been cleaned) we should be able to check for copies of your files. Start with ShadowExplorer and see what it can find.

ShadowExplorer
- Download ShadowExplorer and save the file to your Desktop.
- Right-click ShadowExplorer-0.9-portable.zip and click Extract All.
- Select your Desktop and click Extract.
- Right-click ShadowExplorer.exe and select Run as administrator to run the programme.
- You will see a drop-down menu with the shadow copies of all partitions and disks present. Click C:\ from the drop-down menu.
- To the right, pick a date prior to the infection from the drop-down menu.
- To restore a whole folder, right-click on your desired folder and click Export. You will then be prompted as to where you would like to restore the contents of the folder to.

File Recovery Software
File Recovery Software may be able to recover the original file deleted by the infection. Please bear in mind, the more you use the machine after the files are encrypted, the harder it will be for the recovery software to recover your files.
- Photorec
- Recuva
Post by frankftb on Nov 21, 2015 4:22:05 GMT -8
"ShadowExplorer has encountered a problem and needs to close. We are sorry for the inconvenience." Tried it a few times, did not try it in safe mode.
Post by dbrisen on Nov 21, 2015 12:30:17 GMT -8
See if any of the file recovery software finds anything for you.
Post by frankftb on Nov 23, 2015 20:18:46 GMT -8
There are no previous versions of my files; I tried the file recovery software listed. Files are still encrypted.
Post by dbrisen on Nov 25, 2015 22:45:09 GMT -8
Unfortunately, we have done the best we can with non-paid products. I do not know if you have access to professional PC shops there and/or can afford professional data recovery software. You may want to look at this software: GetDataBack Simple at this web site (www.runtime.org/index.html). It may be worth just installing the free demo version and scanning your hard drive to see if any copies of old files can be found.