Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

cannot remove Trojan.FakeAlert.H file and registry value [Closed]

Started by Angellalt , May 01 2012 05:56 PM

  • This topic is locked This topic is locked

#16
godawgs
Posted 14 May 2012 - 02:55 PM

godawgs

    Teacher

  • Retired Staff
  • 8,228 posts
Hi Angellalt,

Yep, ComboFix got some nasties that were hiding from OTL.:) It also showed some file paths missing from some drivers and services in the registry that we need to fix along with a couple of stragglers to cleanup.


Step-1.

Posted Image Run a CFScript

1. Close any open Windows, especially browsers.
  • IMPORTANT- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. This fix will require a reboot to correct so make sure these are turned off and will not turn back on at reboot. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to the link here to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

2. Copy all of the text in the Code box below into Notepad. To do that highlight all the text in the code box then right click the mouse and click Copy.
KillAll::

Folder::
C:\Users\Ruta\AppData\Local\{416226A7-9957-11E1-826E-B8AC6F996F26}
C:\Windows\system64

Firefox::
FF - ProfilePath - c:\users\Ruta\AppData\Roaming\Mozilla\Firefox\Profiles\pgg179el.default\
FF - prefs.js: browser.search.defaulturl -

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\androidusb]
"ImagePath"="c:\windows\system32\Drivers\ssadadb.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RdpVideoMiniport]
"ImagePath="c:\windows\system32\drivers\rdpvideominiport.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RSUSBSTOR]
"ImagePath="c:\windows\system32\Drivers\RtsUStor.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RTL8167]
"ImagePath="c:\windows\system32\DRIVERS\Rt64win7.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ssadbus]
"ImagePath="c:\windows\system32\DRIVERS\ssadbus.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ssadmdfl]
"ImagePath="c:\windows\system32\DRIVERS\ssadmdfl.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ssadmdm]
"ImagePath="c:\windows\system32\DRIVERS\ssadmdm.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\StkTMini]
"ImagePath"="c:\windows\system32\Drivers\StkTMini.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Synth3dVsc]
"ImagePath"="c:\windows\system32\drivers\synth3dvsc.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TsUsbFlt]
"ImagePath"="c:\windows\system32\drivers\tsusbflt.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tsusbhub]
"ImagePath"="c:\windows\system32\drivers\tsusbhub.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBAAPL64]
"ImagePath"="c:\windows\system32\Drivers\usbaapl64.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VGPU]
"ImagePath"="c:\windows\system32\drivers\rdvgkmd.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WatAdminSvc]
"ImagePath"="c:\windows\system32\Wat\WatAdminSvc.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd]
"ImagePath"="c:\windows\System32\Drivers\sptd.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ehdrv]
"ImagePath"="c:\windows\system32\DRIVERS\ehdrv.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vwififlt]
"ImagePath"="c:\windows\system32\DRIVERS\vwififlt.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AMD External Events Utility]
"ImagePath"="c:\windows\system32\atiesrxx.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\epfwwfp]
"ImagePath"="c:\windows\system32\DRIVERS\epfwwfp.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amdkmdag]
"ImagePath"="c:\windows\system32\DRIVERS\atikmdag.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amdkmdap]
"ImagePath"="c:\windows\system32\DRIVERS\atikmpag.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BcmVWL]
"ImagePath"="c:\windows\system32\DRIVERS\bcmvwl64.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\btwl2cap]
"ImagePath"="c:\windows\system32\DRIVERS\btwl2cap.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMProtector]
"ImagePath"="c:\windows\system32\drivers\mbam.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbfilter]
"ImagePath"="c:\windows\system32\DRIVERS\usbfilter.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vwifimp]
"ImagePath"="c:\windows\system32\DRIVERS\vwifimp.sys"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=""

Note: The above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Open Notepad. To do that click Start>>Run. in the Open box type notepad and click OK. An empty notepad window will open.
  • Right click inside the Notepad window and click Paste.
  • Click File then Save AS.
  • On the Save AS window click Desktop (on the left side of the window).
  • In the File Name box type CFScript.txt<--Very Important! (Make sure the CFS in the file name are CAPITAL letters.)
  • Click the Save as type down arrow and click All Files (*.*)
  • Click Save
This will save the CFScript.txt file to the Desktop.

4. Referring to the amimation below, drag the CFScript.txt file onto ComboFix.exe Cat icon and drop it.
ComboFix will launch and run the CFScript file
.

Posted Image

**Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall**

When finished, ComboFix will produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Don't forget to re-enable your AntiVirus / AntiSpyware programs


Step-2.

Things For Your Next Post:
1. The ComboFix.txt log
2. Give me an update on the issues with the computer. Are you still getting blue screens? ect;
  • 0

Advertisements

#17
Essexboy
Posted 19 May 2012 - 08:18 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP