Author Topic: [Resolved K] Pop ups for Win 7 Antivirus 2012  (Read 3239 times)

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7270
Re: [Resolved K] Pop ups for Win 7 Antivirus 2012
« Reply #15 on: December 28, 2011, 01:39:35 am »
Have those items been stopped in MSCONFIG? Select start > type msconfig into the "search programs and files" box, tap "enter"
select the "startup" tab. Have a look to see if those items are enabled (ticked) then apply OK, you will have to reboot if you make changes. There will be an alert on re-boot, tick to not show again...

When that problem is fixed we can cleanup remove tools etc if you have no other issues....

Kevin

Offline cheme09

  • Bronze Member
  • Posts: 15
Re: [Resolved K] Pop ups for Win 7 Antivirus 2012
« Reply #16 on: December 28, 2011, 09:07:32 am »
Everything is checked under the startup tab.

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7270
Re: [Resolved K] Pop ups for Win 7 Antivirus 2012
« Reply #17 on: December 28, 2011, 03:50:10 pm »
You mentioned earlier about re-installing the software, have you done that yet?

Offline cheme09

  • Bronze Member
  • Posts: 15
Re: [Resolved K] Pop ups for Win 7 Antivirus 2012
« Reply #18 on: December 28, 2011, 06:01:37 pm »
All the PC-Doctor files CF deleted (from the CF log I had to zip) were the associated Lenovo Toolbox files.  I just reinstalled and all is back to normal.

Thanks for all of your help!

Offline cheme09

  • Bronze Member
  • Posts: 15
Re: [Resolved K] Pop ups for Win 7 Antivirus 2012
« Reply #19 on: December 28, 2011, 06:08:49 pm »
Actually, now that the Lenovo ThinkVantage Toolbox ran, it's telling me my Windows firewall is disabled?  When I try to click "Use recommended settings" I get a message box that says "Windows Firewall can't change some of your settings.  Error Code 0x80070424"

My Sophos is currently enabled.  Would this affect it?

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7270
Re: [Resolved K] Pop ups for Win 7 Antivirus 2012
« Reply #20 on: December 29, 2011, 03:51:00 am »
Sophos will have no impact on your Windows Firewall as it is AV AS security, it is a safe assumption to make that the infection will have turned off the FW.

Go here http://support.microsoft.com/kb/2530126 complete "Method two" if that does not work, continue to "Method three"
Let me know if the FW is restored.

Kevin

Offline cheme09

  • Bronze Member
  • Posts: 15
Re: [Resolved K] Pop ups for Win 7 Antivirus 2012
« Reply #21 on: December 30, 2011, 05:29:13 pm »
Tried method two, but Windows Firewall isn't on the list.

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7270
Re: [Resolved K] Pop ups for Win 7 Antivirus 2012
« Reply #22 on: December 30, 2011, 05:36:26 pm »
Do you mean that Windows Firewall is missing from the full list of Services... if so do the following:

Please download Farbar Service Scanner and run it on the computer with the issue.

Make sure the following options are checked:

  • Windows Firewall
  • Security Center
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
« Last Edit: December 30, 2011, 05:46:58 pm by kevinf80 »

Offline cheme09

  • Bronze Member
  • Posts: 15
Re: [Resolved K] Pop ups for Win 7 Antivirus 2012
« Reply #23 on: December 31, 2011, 11:56:00 am »
Farbar Service Scanner
Ran by Boss (administrator) on 31-12-2011 at 12:54:57
Microsoft Windows 7 Professional  Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************



Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.

mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.


Firewall Disabled Policy:
==================


Security Center:
============

File Check:
========
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
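
Added example, not part of the original thread and not Farbar's code: a small Python parser for the FSS.txt layout shown in the post above, which lists the services whose registry key is missing and whether the matching binary still passed the file check. The sample is an excerpt of that log; pairing a service with its file by base name is an assumption that holds for MpsSvc and BFE here.

```python
import re

# Excerpt of the FSS.txt log posted in this thread (trimmed to what the parser uses).
SAMPLE_LOG = r"""
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.

mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.

File Check:
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
"""

SERVICE_RE = re.compile(r"^(\S+) Service is not running\.", re.I)
FILE_RE = re.compile(r"^(\S.*?) => (.+)$")

def parse_fss(text):
    """Return (services, files): per-service state and per-file check result."""
    services, files, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            current = m.group(1).lower()
            services[current] = {"running": False, "key_missing": False}
        elif not line:
            current = None  # a blank line ends the current service block
        elif current and "service key does not exist" in line:
            services[current]["key_missing"] = True
        else:
            f = FILE_RE.match(line)
            if f:
                files[f.group(1).lower()] = f.group(2).strip()
    return services, files

def triage(text):
    """Map each service with a missing key to whether its binary still verified."""
    services, files = parse_fss(text)
    # Assumption: the service's file shares its base name (mpssvc.dll -> mpssvc).
    legit = {p.rsplit("\\", 1)[-1].split(".")[0] for p, r in files.items() if r == "MD5 is legit"}
    return {n: n in legit for n, s in services.items() if s["key_missing"]}
```

For this log, `triage(SAMPLE_LOG)` reports MpsSvc and BFE as having no service key while their files still verify, which is the case where the service registration has to be restored rather than the binaries replaced.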

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7270
Re: [Resolved K] Pop ups for Win 7 Antivirus 2012
« Reply #24 on: January 01, 2012, 01:49:51 am »
OK, before we progress we need to make a new system restore point, instructions Here if required.

If for any reason you cannot make a new RP let me know, do not progress...

Next,

I've attached three files to this reply, bse.zip, mpssvc.zip and start_services.zip

UNzip each of those files to your Desktop then continue....

Right click on bfe.reg file, click "Merge".
Allow registry merge.
Right click on mpssvc.reg file, click "Merge".
Allow registry merge.

Restart computer.

Click Start and in "Search Box" type in:
regedit
Press Enter.

Registry editor will open.
Navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE
Right click on BFE key, click "Permissions"
Click on Add button, type Everyone and click OK.
Now click once on Everyone
Below, in "Permissions" pane checkmark "Allow" in "Full control" row.
Click "Apply" then "OK".

Close regedit and go back to your Desktop  find start_services.bat Right click on it, click "Run As Administrator" to run the fix. Agree any alerts, then re-boot.

Check FW status

Kevin..
« Last Edit: January 02, 2012, 06:33:49 pm by kevinf80 »

Offline cheme09

  • Bronze Member
  • Posts: 15
Re: [Resolved K] Pop ups for Win 7 Antivirus 2012
« Reply #25 on: January 02, 2012, 07:08:02 pm »
FW is set.  Thank you so much.  You've been very helpful throughout this whole process.  Is there any special way I should remove the programs I downloaded?

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7270
Re: [Resolved K] Pop ups for Win 7 Antivirus 2012
« Reply #26 on: January 02, 2012, 07:20:07 pm »
Excellent news, well done. OK we clean up as follows:

Step 1

Remove Combofix now that we're done with it
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
The above procedure will delete the following:
  • ComboFix and its associated files and folders.
  • VundoFix backups, if present
  • The C:_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.
It is very important that you get a successful uninstall because of the extra functions done at the same time, let me know if this does not happen.

Step 2

  • Download OTC by OldTimer and save it to your desktop. Alternative mirror
  • Double click icon to start the program.
    If you are using Vista or Windows 7, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Begining Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
  • This will remove tools we have used and itself. Any tools/logs remaining on the Desktop can be deleted.
If any of the following remain on your Desktop either delete or drag to the recycle bin:

RogueKiller
RKQuarantine folder
RKreports


Step 3

Remove ESET online scanner:

  • Click Start, type Uninstall a Program into the Search programs and files box, and then press ENTER.
  • Click to select ESET Online Scanner from the listing of installed products, and then click Uninstall/Change from the bar that displays the available tasks. Uninstall ESET Online Scanner, only re-boot if prompted.

Step 4

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version.
For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system.
The most current version of Sun Java is: Java Runtime Environment Version 6 Update 30.

  • Go to Sun Java
  • Select Windows 7/XP/Vista/2000/2003/2008 If using 64 bit OS Select Information about the 64-bit Java plug-in and follow prompts
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
  • Reboot your computer

Step 5

Download TFC  to your desktop, from either of the following links
 Link 1
 Link 2
  • Save any open work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program. Vista or Windows 7 users right click and select “Run as Administrator”
  • If prompted, click "Yes" to reboot.
Save any open work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds.  TFC may re-boot your system, if not Re-boot it yourself to complete cleaning process <---- Very Important

Keep TFC it is an excellent utility to keep your system optimized, it empties all user temp folders, Java cache etc etc.  Always remember to re-boot after a run, even if not prompted

Let me know if those steps completed OK,

If you have no remaining issues or concerns here are some tips to reduce the potential for malware infection in the future:

Make proper use of your antivirus and firewall

Antivirus and Firewall programs are integral to your computer security. However, just having them installed isn't enough. The definitions of these programs are frequently updated to detect the latest malware, if you don't keep up with these updates then you'll be vulnerable to infection. Many antivirus and firewall programs have automatic update features, make use of those if you can. If your program doesn't, then get in the habit of routinely performing manual updates, because it's important.

You should keep your antivirus and firewall guard enabled at all times, NEVER turn them off unless there's a specific reason to do so. Also, regularly performing a full system scan with your antivirus program is a good idea to make sure your system remains clean. Once a week should be adequate. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

Install and use WinPatrol  This will inform you of any attempted unauthorized changes to your system.

WinPatrol features explained Here

You will have several programs installed, these may be outdated and vulnerable to exploits also. To be certain, please run the free online scan by Secunia, available Here. Before clicking the Start scan button, please check the box for the option Enable thorough system inspection. Just below the "Scan Options:" section, you'll see the status of what's currently processing....
...when the scan completes, the message "Detection completed successfully" will appear in the Programs/Result section. For each problem detected, Secunia will offer a "Solution" option. Please follow those instructions to download updated versions of the programs as recommended by Secunia.

Use a safer web browser

Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a few good free alternatives:
 
Firefox,

Opera, and

Chrome.
 
All of these are excellent faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial HERE which will help you to make IE MUCH safer.

These browser add-ons will help to make your browser safer:

Web of Trust warns you about risky websites that try to scam visitors, deliver malware or send spam. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous ones:

Available for Firefox and Internet Explorer.

Green to go,
Yellow for caution, and
Red to stop.


Available for Firefox only. NoScript helps to block malicious scripts and in general gives you much better control over what types of things webpages can do to your computer while you're browsing.

These are just a couple of the most popular add-ons, if you're interested in more, take a look at THIS article.

Here are a couple of links by two security experts that will give some excellent tips and advice.

So how did I get infected in the first place by Tony Klein

How to prevent Malware by Miekiemoes

Finally this link HERE will give a comprehensive up-to-date list of free Security programs. To include - Antivirus, Antispyware, Firewall, Antimalware, Online scanners and rescue CDs.

Don't forget, the best form of defense is common sense. If you don't recognize it, don't open it. If something looks too good to be true, then it ain't.

Let me know when you are OK for me to close out your thread,

Take care,

Kevin




Offline cheme09

  • Bronze Member
  • Posts: 15
Re: [Resolved K] Pop ups for Win 7 Antivirus 2012
« Reply #27 on: January 02, 2012, 10:14:25 pm »
I saw what I thought was the Combofix uninstall, but never received a confirmation message.  The icon is also still on my desktop.  It's also named Gotcha.exe, per the install instructions, if that matters.

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7270
Re: [Resolved K] Pop ups for Win 7 Antivirus 2012
« Reply #28 on: January 03, 2012, 02:53:43 am »
Either Delete the file or drag to the recycle bin, then empty the bin. OTC does remove the working files/and folders. We will have to reset system restore manually.

Create a new restore point:

   1. Right-click on Computer and go to Properties.
   2. Next click on the System Protection link.
   3. The System Properties dialog screen opens up and you will want to click on Create.
   4. Type in a description for the restore point which will help you remember the point at which it was created. Click on create.
   5. You should see the message "The restore point was created successfully"

To remove all but the most recent restore point do the following:

   1.      Open Disk Cleanup by clicking the Start button. In the search box, type Disk Cleanup, and then, in the list of results, click Disk Cleanup.
   2.      If prompted, select the drive that you want to clean up, and then click OK.
   3.      In the Disk Cleanup for (drive letter) dialog box, click Clean up system files. Administrator permission required: If you're prompted for an administrator password or confirmation, type the password or provide confirmation.
   4.      If prompted, select the drive that you want to clean up, and then click OK.
   5.      Click the More Options tab, under System Restore and Shadow Copies, click Clean up.
   6.      In the Disk Cleanup dialog box, click Delete.
   7.      Click Delete Files, and then click OK. Re-Boot...

Any other issues or concerns?

Kevin

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7270
Re: [Resolved K] Pop ups for Win 7 Antivirus 2012
« Reply #29 on: January 06, 2012, 01:37:57 am »
Since this issue appears to be resolved the topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

The fixes and advice in this thread are for this System only. Do not apply the instructions from this thread to your own System. Please start a new thread describing your issue and someone will be along to assist you.