ALSO, a 'grep.3XE has stopped working' error message/dialog box popped up
Edited by polloq, 30 July 2014 - 05:53 PM.
I think that is part of ComboFix and not required unless you are running it. Actually, ComboFix has a built in "timeout" (stop working) after a certain period so that might be all it is.
Windows resource Protection could not perform this operation
Which action chkdsk or System File Checker?
Also, are you running them as Administrator... see instructions for System File Checker?
The grep.3xe error is arbitrary.
The sfc /scannow was done as admin.
Hello polloq,
Please download the latest version of TDSSKiller from here and save it to your Desktop.
11:59:45.0407 0x0a98 TDSS rootkit removing tool 3.0.0.40 Jul 10 2014 12:37:58
11:59:46.0094 0x0a98 ============================================================
11:59:46.0094 0x0a98 Current date / time: 2014/08/03 11:59:46.0094
11:59:46.0094 0x0a98 SystemInfo:
11:59:46.0094 0x0a98
11:59:46.0094 0x0a98 OS Version: 6.1.7601 ServicePack: 1.0
11:59:46.0094 0x0a98 Product type: Workstation
11:59:46.0094 0x0a98 ComputerName: KOOSK-PC
11:59:46.0094 0x0a98 UserName: koosk
11:59:46.0094 0x0a98 Windows directory: C:\Windows
11:59:46.0094 0x0a98 System windows directory: C:\Windows
11:59:46.0094 0x0a98 Processor architecture: Intel x86
11:59:46.0094 0x0a98 Number of processors: 2
11:59:46.0094 0x0a98 Page size: 0x1000
11:59:46.0094 0x0a98 Boot type: Normal boot
11:59:46.0094 0x0a98 ============================================================
11:59:46.0140 0x0a98 BG loaded
11:59:52.0848 0x0a98 System UUID: {92FDE736-0780-7E1A-2284-EC1B85237D5E}
11:59:57.0369 0x0a98 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 ( 149.05 Gb ), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
11:59:57.0650 0x0a98 ============================================================
11:59:57.0650 0x0a98 \Device\Harddisk0\DR0:
11:59:57.0665 0x0a98 MBR partitions:
11:59:57.0665 0x0a98 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x12A14BC1
11:59:57.0665 0x0a98 ============================================================
11:59:58.0133 0x0a98 C: <-> \Device\Harddisk0\DR0\Partition1
11:59:58.0133 0x0a98 ============================================================
11:59:58.0133 0x0a98 Initialize success
11:59:58.0133 0x0a98 ============================================================
12:00:44.0497 0x02c8 ============================================================
12:00:44.0559 0x02c8 Scan started
12:00:44.0559 0x02c8 Mode: Manual; SigCheck; TDLFS;
12:00:44.0559 0x02c8 ============================================================
12:00:44.0559 0x02c8 KSN ping started
12:00:55.0869 0x02c8 KSN ping finished: true
12:01:15.0385 0x02c8 ================ Scan system memory ========================
12:01:15.0385 0x02c8 System memory - ok
12:01:15.0385 0x02c8 ================ Scan services =============================
12:01:34.0496 0x02c8 [ D0B388DA1D111A34366E04EB4A5DD156, 60D226F027F4025CC032CAFF73A80FAFB5FA75445654FDCF80CA8C0419C6E938 ] AFD C:\Windows\system32\drivers\afd.sys
12:01:34.0527 0x02c8 Suspicious file ( Forged ): C:\Windows\system32\drivers\afd.sys. Real md5: D0B388DA1D111A34366E04EB4A5DD156, sha256: 60D226F027F4025CC032CAFF73A80FAFB5FA75445654FDCF80CA8C0419C6E938, fake md5: 6FD6C45AFD5FB7C3165CA4166D510C82, fake sha256: 2BA0B5ADB00030FA044D51F7EAEB144758B5ADA63100987DCBC2D3F33FBF51F7
12:01:34.0527 0x02c8 AFD - detected ForgedFile.Multi.Generic ( 1 )
12:01:45.0182 0x02c8 Object is SCO, delete is not allowed
12:01:45.0182 0x02c8 AFD ( ForgedFile.Multi.Generic ) - warning
12:01:45.0322 0x02c8 Force sending object to P2P due to detect: AFD
12:01:48.0162 0x02c8 Object send P2P result: true
Hello polloq,
VirSCAN.org Scanned Report :
Scanned time : 2014-08-04 10:08:11
Scanner results: 0%的杀软(0/39)报告发现病毒
File Name : afd.sys
File Size : 338944 byte
File Type : application/x-dosexec
MD5 : d0b388da1d111a34366e04eb4a5dd156
SHA1 : 9c7f9df1d32761eb8089a52500fbaab842bf50f9
Online report : http://r.virscan.org...a1ef10e6b249841
Scanner Engine Ver Sig Ver Sig Date Time Scan result
ahnlab 9.9.9 9.9.9 2013-05-28 4 Found nothing
antivir 1.9.2.0 1.9.159.0 7.11.165.22 16 Found nothing
antiy 120611 AVL140716 2014-07-17 5 Found nothing
arcavir 1.0 2011 2014-05-30 8 Found nothing
asquared 9.0.0.4157 9.0.0.4157 2014-07-03 25 Found nothing
avast 140803-0 4.7.4 2014-08-03 28 Found nothing
avg 2109/7410 10.0.1405 2014-07-24 1 Found nothing
baidu 2.0.1.0 4.1.3.52192 2.0.1.0 6 Found nothing
baidusd 1.0 1.0 2014-04-02 1 Found nothing
bitdefender 7.56190 7.90123 2014-08-04 9 Found nothing
clamav 19258 0.97.5 2014-08-03 1 Found nothing
comodo 15023 5.1 2014-07-17 3 Found nothing
ctch 4.6.5 5.3.14 2013-12-01 1 Found nothing
drweb 5.0.2.3300 5.0.1.1 2014-07-30 28 Found nothing
fortinet 22.576 5.1.153 2014-08-04 1 Found nothing
fprot 4.6.2.117 6.5.1.5418 2014-08-03 1 Found nothing
fsecure 2014-04-02-01 9.13 2014-04-02 7 Found nothing
gdata 24.3195 24.3195 2014-07-17 11 Found nothing
hauri 2.73 2.73 2014-07-16 1 Found nothing
ikarus 1.06.01 V1.32.31.0 2014-08-03 14 Found nothing
jiangmin 16.0.100 1.0.0.0 2014-07-11 31 Found nothing
kaspersky 5.5.33 5.5.33 2014-04-01 20 Found nothing
kingsoft 2.1 2.1 2013-09-22 4 Found nothing
mcafee 7474 5400.1158 2014-06-19 11 Found nothing
nod32 9809 3.0.21 2014-05-16 1 Found nothing
panda 9.05.01 9.05.01 2014-07-16 4 Found nothing
pcc 10.962.04 9.500-1005 2014-08-03 2 Found nothing
qh360 1.0.1 1.0.1 1.0.1 13 Found nothing
qqphone 1.0.0.0 1.0.0.0 2014-08-04 1 Found nothing
quickheal 14.00 14.00 2014-07-16 3 Found nothing
rising 25.23.00.02 25.23.00.02 2014-07-14 1 Found nothing
sophos 5.02 3.51.0 2014-06-20 6 Found nothing
sunbelt 3.9.2595.2 3.9.2595.2 2014-07-16 2 Found nothing
symantec 20030814.017 1.3.0.24 2003-08-14 1 Found nothing
tachyon 9.9.9 9.9.9 2013-12-27 3 Found nothing
thehacker 6.8.0.5 6.8.0.5 2014-07-11 1 Found nothing
tws 17.47.17308 1.0.2.2108 2014-07-17 7 Found nothing
vba 3.12.26.3 3.12.26.3 2014-08-01 3 Found nothing
virusbuster 15.0.867.0 5.5.2.13 2014-08-03 13 Found nothing
Edited by polloq, 03 August 2014 - 08:17 PM.
NOTE: no 'Old Windows' folder could be 'seen'.
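An added triage helper, not from this thread and not part of Kaspersky's TDSSKiller: it parses the service-scan lines posted above, isolates the ForgedFile verdict for afd.sys, and checks whether the MD5 that VirSCAN reported for the uploaded file (d0b388da...) is the hash TDSSKiller labelled Real or the one it labelled fake. The sample lines are copied from the posted log; the function names are my own.

```python
"""Parse TDSSKiller 3.x service-scan log lines, pull out ForgedFile verdicts, and
check which of the two reported hashes (labelled Real / fake) a second scanner saw."""
import re

# Constructed sample: lines copied from the TDSSKiller log posted in this thread
# (one clean driver, then the afd.sys ForgedFile detection).
SAMPLE_LOG = r"""
12:01:22.0373 0x02c8 [ 1B133875B8AA8AC48969BD3458AFE9F5, 01753BDD47F3F9BC0E0D23A069B9C56D4AE6A6B6295BC19B95AE245D25B12744 ] 1394ohci C:\Windows\system32\drivers\1394ohci.sys
12:01:28.0769 0x02c8 1394ohci - ok
12:01:34.0496 0x02c8 [ D0B388DA1D111A34366E04EB4A5DD156, 60D226F027F4025CC032CAFF73A80FAFB5FA75445654FDCF80CA8C0419C6E938 ] AFD C:\Windows\system32\drivers\afd.sys
12:01:34.0527 0x02c8 Suspicious file ( Forged ): C:\Windows\system32\drivers\afd.sys. Real md5: D0B388DA1D111A34366E04EB4A5DD156, sha256: 60D226F027F4025CC032CAFF73A80FAFB5FA75445654FDCF80CA8C0419C6E938, fake md5: 6FD6C45AFD5FB7C3165CA4166D510C82, fake sha256: 2BA0B5ADB00030FA044D51F7EAEB144758B5ADA63100987DCBC2D3F33FBF51F7
12:01:34.0527 0x02c8 AFD - detected ForgedFile.Multi.Generic ( 1 )
12:01:45.0182 0x02c8 AFD ( ForgedFile.Multi.Generic ) - warning
"""

# Every TDSSKiller line starts with a timestamp and a thread id.
PREFIX = r"^\d\d:\d\d:\d\d\.\d+ 0x[0-9a-f]+ "
FILE_RE = re.compile(PREFIX + r"\[ (?P<md5>[0-9A-F]{32}), (?P<sha256>[0-9A-F]{64}) \] "
                    r"(?P<name>.+?) (?P<path>[A-Za-z]:\\.+)$")
FORGED_RE = re.compile(PREFIX + r"Suspicious file \( Forged \): (?P<path>.+?)\. "
                      r"Real md5: (?P<real_md5>[0-9A-F]{32}), sha256: (?P<real_sha256>[0-9A-F]{64}), "
                      r"fake md5: (?P<fake_md5>[0-9A-F]{32}), fake sha256: (?P<fake_sha256>[0-9A-F]{64})$")
VERDICT_RE = re.compile(PREFIX + r"(?P<name>.+?) - (?:ok|detected (?P<verdict>\S+) \( \d+ \))$")

def parse_tdsskiller(text):
    """One dict per scanned service: name, path, md5, sha256, verdict, forged."""
    entries = {}
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:                      # "[ md5, sha256 ] Name Path" opens an entry
            entries[m["name"]] = dict(m.groupdict(), verdict=None, forged=None)
            continue
        m = FORGED_RE.match(line)
        if m:                      # attach the Real/fake hashes to the entry with that path
            for entry in entries.values():
                if entry["path"].lower() == m["path"].lower():
                    entry["forged"] = m.groupdict()
            continue
        m = VERDICT_RE.match(line)
        if m and m["name"] in entries:   # "Name - ok" or "Name - detected X ( n )"
            entries[m["name"]]["verdict"] = m["verdict"] or "ok"
    return list(entries.values())

def detections(entries):
    """Only the entries TDSSKiller did not mark 'ok'."""
    return [e for e in entries if e["verdict"] not in (None, "ok")]

def which_copy(forged, external_md5):
    """'real' if an externally reported MD5 (e.g. from a VirSCAN upload) equals the
    hash TDSSKiller labels Real, 'fake' if it equals the fake one, else None."""
    h = external_md5.upper()
    return "real" if h == forged["real_md5"] else "fake" if h == forged["fake_md5"] else None
```

For the posted data the VirSCAN MD5 equals the Real hash, so the clean VirSCAN result speaks only to that copy of afd.sys, not to the fake one TDSSKiller also reported.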
I used my machine as a guide (Win 7 Professional). I guess I must have got it wrong or mine may not be typical. In any event it looks like afd.sys was scanned and found clean.
Moving on
Please download Security Check by screen317 from here.
Results of screen317's Security Check version 0.99.86
Windows 7 Service Pack 1 x86 (UAC is enabled)
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
AML Free Registry Cleaner 4.7
JavaFX 2.1.1
Java 7 Update 13
Java version out of Date!
Adobe Flash Player 14.0.0.145
Adobe Reader 9 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````
NOTE: could not download file to desktop, only a 'partial' download achieved.
Edited by polloq, 05 August 2014 - 09:00 AM.
Hello again polloq,
Seems to have run okay.
Now
Your Java is out of date. Older versions are vulnerable to attack.
Please follow these steps:
Note: Before you download/install ensure you uncheck any other third party software options that might be offered. That is foistware and often they are undesirable programs.
Step 2
Your Adobe Acrobat Reader is out of date. Older versions are vulnerable to attack.
Please go to the link below to update.
Note: Before you download/install ensure you uncheck the "Yes install Chrome as default browser and Google Toolbar for Internet Explorer" or any other third party software option. That is foistware.
http://www.adobe.com.../readstep2.html
Note: From time to time software suppliers change the foistware options so it may not show the one quoted in the instructions above. Just take care to untick any boxes offering an option to download or install any other program.
After those actions
Please run a free online scan with the ESET Online Scanner
Vista / Win7 users: Right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator.
Note: This scan works with Internet Explorer or Mozilla FireFox.
If using Mozilla Firefox you may need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
Disable your security programs.
...got to step 2 of 4 after ticking 'enable detection of potentially unwanted applications'; at initializing, got an 'unexpected error 2002'.
Tried again; at step 2 of 4 (initializing) a BOLD red error: 'Can not get update. Is proxy configured?' Backtracked and checked the proxy config; it wants proxy address, port, username & password, regardless of whether I tick it or not.
Edited by polloq, 05 August 2014 - 05:46 PM.
I don't know what happened there. I took that from my data base and for some reason it's picked up an old, unfinished test run.
My apologies for that.
I have edited my post to include the correct (hopefully) instructions. Tell me if you have any problems.
I could not Delete Quarantined files (option not given), hence a VERY unstable machine now, with core dumps GALORE & an endless loop of reboot.....
Notepad went berserk, so I saved (renamed/overwrote) the *.txt file to a flash drive (my only little victory).
C:\FRST\Quarantine\C\Users\koosk\AppData\Local\Temp\239e6e95-3c0e-4cdc-b844-1c1e47719221.exe.xBAD a variant of Win32/Toolbar.Visicom.A potentially unwanted application
C:\FRST\Quarantine\C\Users\koosk\AppData\Local\Temp\cloud_backup_setup.exe.xBAD Win32/MyPCBackup.A potentially unwanted application
C:\FRST\Quarantine\C\Users\koosk\AppData\Local\Temp\speedupmypc.exe.xBAD Win32/SpeedUpMyPC.A potentially unwanted application
C:\FRST\Quarantine\C\Users\koosk\AppData\Local\Temp\swa1_23.exe.xBAD a variant of MSIL/Adware.StrongVault.A application
C:\FRST\Quarantine\C\Users\koosk\AppData\Local\Temp\wajam_download.exe.xBAD Win32/Wajam.B potentially unwanted application
C:\Users\koosk\AppData\Roaming\Apple Computer\MobileSync\Backup\82350d73fb03e50956343323a08d65273d8c7377\a0f6dbc7aeebe0658d1d79fa91cf9cbde24f7dd3 a variant of Win32/ExFriendAlert.B potentially unwanted application
C:\Users\Public\Documents\Server\hlp.dat Win32/Bamital.EB trojan
Edited by polloq, 06 August 2014 - 08:07 AM.
So are you saying that ESET tried to remove FRST quarantine, couldn't, and then your machine went into an endless loop?
But it seems you were able to access your computer to get the text file that you have posted.
I take it that the FRST quarantine file hasn't been removed... I think it likely that the infection has locked one or more of the files in quarantine.
Assuming you are able to access your machine let's do this to remove the FRST quarantine:
Download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
Run FRST/FRST64 and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.
After that
If your machine is stable please run another FRST scan with the Addition.txt box ticked and post back the two logs generated - FRST.txt and Addition.txt.