
Maine Turnpike Authority Phishing Scam Virus [Closed]



#31 plante (Topic Starter)
 
C:\Windows\system32>sfc /scanfile=C:\Windows\system32\drivers\afd.sys


#32 plante (Topic Starter)
 
Sorry, here is the complete text:
 
C:\Windows\system32>sfc /scanfile=C:\Windows\system32\drivers\afd.sys
 
 
Windows Resource Protection found corrupt files and successfully repaired
them. Details are included in the CBS.Log windir\Logs\CBS\CBS.log. For
example C:\Windows\Logs\CBS\CBS.log
 
The system file repair changes will take effect after the next reboot.
 
C:\Windows\system32>pause
Press any key to continue . . .


#33 Naathim (GeekU Minion, Expert)

OK. You may close the black window. Now please run the following script:


Run Batch Script

We need to prepare a batch script file.

  • Press the Windows key + R on your keyboard at the same time.
  • A Run window should appear in the lower left corner. Type in notepad.exe and press Enter.
  • In the shown window paste in the following script:
    @echo off
    findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log >%userprofile%\Desktop\ForNaat.txt
    del %0
    
  • Go to File menu and select Save as.
  • Make sure that the Save as type option is set to All Files (*.*) and the place to save will be your desktop.
  • Name the file fix.bat and select Save.

After that, your prepared fix.bat file should be located on your desktop.

  • Right-click on the fix.bat icon and select Run as Administrator to start the script.
  • This procedure may take some time. Please be patient and let it run uninterrupted!
  • It should delete itself and leave the ForNaat.txt report on your desktop upon completion.

Please include it in your next reply.



#34 plante (Topic Starter)
2014-08-19 13:52:55, Info                  CSI    00000009 [SR] Verifying 1 components
2014-08-19 13:52:55, Info                  CSI    0000000a [SR] Beginning Verify and Repair transaction
2014-08-19 13:52:55, Info                  CSI    0000000c [SR] Repairing corrupted file [ml:520{260},l:62{31}]"\??\C:\Windows\System32\drivers"\[l:14{7}]"afd.sys" from store
2014-08-19 13:52:55, Info                  CSI    0000000e [SR] Verify complete
2014-08-19 13:52:55, Info                  CSI    0000000f [SR] Repairing 1 components
2014-08-19 13:52:55, Info                  CSI    00000010 [SR] Beginning Verify and Repair transaction
2014-08-19 13:52:55, Info                  CSI    00000012 [SR] Repairing corrupted file [ml:520{260},l:62{31}]"\??\C:\Windows\System32\drivers"\[l:14{7}]"afd.sys" from store
2014-08-19 13:52:55, Info                  CSI    00000014 [SR] Repair complete
2014-08-19 13:52:55, Info                  CSI    00000015 [SR] Committing transaction
2014-08-19 13:52:55, Info                  CSI    00000016 [SR] Cannot commit interactively, there are boot critical components being repaired
2014-08-19 13:52:55, Info                  CSI    00000017 [SR] Repairing 1 components
2014-08-19 13:52:55, Info                  CSI    00000018 [SR] Beginning Verify and Repair transaction
2014-08-19 13:52:55, Info                  CSI    0000001a [SR] Repairing corrupted file [ml:520{260},l:62{31}]"\??\C:\Windows\System32\drivers"\[l:14{7}]"afd.sys" from store
2014-08-19 13:52:56, Info                  CSI    0000001c [SR] Repair complete

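
The batch script in #33 does nothing more than filter CBS.log for lines tagged [SR], and #34 shows what comes back for this machine. The following is an added example, not code from the thread or from Naathim: a Python script that applies the same filter and then reduces the entries to the three facts that decide the next step here, namely which files were restored from the component store, whether anything could not be repaired at all, and whether the repair is still pending a reboot (that is what "Cannot commit interactively, there are boot critical components being repaired" means, and it matches the "changes will take effect after the next reboot" line in the sfc output in #32). The line format is inferred from the excerpt above rather than from any documented interface. The sample input is the fourteen lines posted above plus one constructed "Cannot repair member file" line and one non-[SR] line, both labelled as such in the code.

```python
"""Summarise the [SR] lines that sfc writes to CBS.log.

Added example, not part of the thread. Same filter as the batch script
(lines tagged [SR]), reduced to the facts needed to decide what to do next.
The line format is inferred from the excerpt posted above, not from a
documented interface.
"""
import re
from collections import Counter

# Sample input: the fourteen lines from the post above, then one constructed
# "Cannot repair member file" line and one non-[SR] line (neither from the post).
SAMPLE_LINES = [
    r"2014-08-19 13:52:55, Info                  CSI    00000009 [SR] Verifying 1 components",
    r"2014-08-19 13:52:55, Info                  CSI    0000000a [SR] Beginning Verify and Repair transaction",
    r'2014-08-19 13:52:55, Info                  CSI    0000000c [SR] Repairing corrupted file [ml:520{260},l:62{31}]"\??\C:\Windows\System32\drivers"\[l:14{7}]"afd.sys" from store',
    r"2014-08-19 13:52:55, Info                  CSI    0000000e [SR] Verify complete",
    r"2014-08-19 13:52:55, Info                  CSI    0000000f [SR] Repairing 1 components",
    r"2014-08-19 13:52:55, Info                  CSI    00000010 [SR] Beginning Verify and Repair transaction",
    r'2014-08-19 13:52:55, Info                  CSI    00000012 [SR] Repairing corrupted file [ml:520{260},l:62{31}]"\??\C:\Windows\System32\drivers"\[l:14{7}]"afd.sys" from store',
    r"2014-08-19 13:52:55, Info                  CSI    00000014 [SR] Repair complete",
    r"2014-08-19 13:52:55, Info                  CSI    00000015 [SR] Committing transaction",
    r"2014-08-19 13:52:55, Info                  CSI    00000016 [SR] Cannot commit interactively, there are boot critical components being repaired",
    r"2014-08-19 13:52:55, Info                  CSI    00000017 [SR] Repairing 1 components",
    r"2014-08-19 13:52:55, Info                  CSI    00000018 [SR] Beginning Verify and Repair transaction",
    r'2014-08-19 13:52:55, Info                  CSI    0000001a [SR] Repairing corrupted file [ml:520{260},l:62{31}]"\??\C:\Windows\System32\drivers"\[l:14{7}]"afd.sys" from store',
    r"2014-08-19 13:52:56, Info                  CSI    0000001c [SR] Repair complete",
    # Constructed (not from the post): what sfc logs when the store copy is bad too.
    r'2014-08-19 13:53:00, Info                  CSI    00000020 [SR] Cannot repair member file [l:22{11}]"example.dll" of Example-Component, Version = 6.1.7600.16385 in the store, hash mismatch',
    # Constructed (not from the post): a line without the [SR] tag, which must be ignored.
    r"2014-08-19 13:53:00, Info                  CBS    Exec: Processing complete.",
]

SR_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\w+)\s+CSI\s+"
    r"(?P<seq>[0-9a-f]+) \[SR\] (?P<msg>.*)$"
)
# A repaired file is logged as [ml:...]"<directory>"\[l:...]"<name>"; the
# bracketed prefixes are CSI length hints and carry nothing we need.
REPAIRED_RE = re.compile(r'\[ml:[^\]]*\]"(?P<dir>[^"]*)"\\\[l:[^\]]*\]"(?P<name>[^"]*)"')
MEMBER_RE = re.compile(r'\[l:[^\]]*\]"(?P<name>[^"]*)"')
NT_PREFIX = "\\??\\"   # object-manager prefix CSI puts in front of Win32 paths


def sr_entries(lines):
    """Yield (timestamp, sequence, message) for each [SR] line, skipping the rest."""
    for line in lines:
        m = SR_RE.match(line.rstrip("\r\n"))
        if m:
            yield m.group("ts"), m.group("seq"), m.group("msg")


def repaired_path(msg):
    """Win32 path of the file named in a 'Repairing corrupted file' entry, else None."""
    m = REPAIRED_RE.search(msg)
    if not m:
        return None
    path = m.group("dir") + "\\" + m.group("name")
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def summarize(lines):
    """Reduce the [SR] entries to what decides the next step."""
    summary = {
        "repaired": [],         # files restored from the component store
        "unrepairable": [],     # member files sfc could not restore
        "needs_reboot": False,  # a boot-critical repair is waiting for the next boot
        "repair_complete": False,
        "kinds": Counter(),
    }
    for _ts, _seq, msg in sr_entries(lines):
        if msg.startswith("Repairing corrupted file"):
            summary["kinds"]["repairing"] += 1
            path = repaired_path(msg)
            if path and path not in summary["repaired"]:
                summary["repaired"].append(path)
        elif msg.startswith("Cannot repair member file"):
            summary["kinds"]["cannot_repair"] += 1
            m = MEMBER_RE.search(msg)
            if m and m.group("name") not in summary["unrepairable"]:
                summary["unrepairable"].append(m.group("name"))
        elif msg.startswith("Cannot commit interactively"):
            summary["kinds"]["deferred_commit"] += 1
            summary["needs_reboot"] = True
        elif msg == "Repair complete":
            summary["kinds"]["repair_complete"] += 1
            summary["repair_complete"] = True
        else:
            summary["kinds"]["other"] += 1
    return summary


if __name__ == "__main__":
    # On the affected machine the input would be the real log:
    # summarize(open(r"C:\Windows\Logs\CBS\CBS.log", encoding="utf-8", errors="replace"))
    s = summarize(SAMPLE_LINES)
    print("repaired:    ", s["repaired"])
    print("unrepairable:", s["unrepairable"])
    print("needs reboot:", s["needs_reboot"])
```

On the excerpt above the summary is one repaired file, C:\Windows\System32\drivers\afd.sys, with the commit deferred to the next boot, which is why the next post asks for a manual reboot before checking the connection. A non-empty "unrepairable" list is the case where sfc alone will not fix the machine and the file has to come from install media or another known-good source.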

#35 Naathim (GeekU Minion, Expert)

OK, please manually reboot your machine.

 

Is the connection back?



#36 plante (Topic Starter)

I rebooted.  Still no internet access.   



#37 Naathim (GeekU Minion, Expert)

OK, let's try a manual import of the correct registry entries.


Create a System Restore Point

Creating and maintaining System Restore Points is a backup plan in case something goes wrong. Better to be safe than sorry.

  • Press the Start button, right-click on Computer and select Properties.
  • Select System Protection.
  • Confirm if prompted and/or enter the Administrator password if necessary.
  • At the bottom click Create.
  • Enter the name, like Fresh Restore Point and click Create.
  • You will be prompted when finished.

You may now close the System Properties window.


Backing up the Registry with Tweaking.com

Modifying the registry may create unforeseen results, so we always recommend creating a backup prior to doing that.

Please download Registry Backup (portable edition) by Tweaking.com and save the file to the desktop.
It will come as a zipped file, so you will need to unzip it. You may do it by right-clicking on it and choosing Extract All. Extract it to your desktop.

  • Enter the Tweaking.com directory, right-click on the Registry Backup icon and select Run as Administrator to start the tool.
  • Once the main console is loaded, press Backup Now at the bottom.
  • Wait patiently until the backup is done - it may take several minutes.
  • Once finished (a message like Successful 12/12 Registry Files Backed Up will appear) - close the app.
  • On your main drive a folder named RegBackup should appear. This is the place where the backup is stored.

This tool won't generate any report.
You may delete it after we're done with the cleaning, but I'd recommend saving it and doing a backup once per month. It's better to be safe than sorry.


Registry Fix

Modifying the registry may create unforeseen results. Please do not proceed, unless you have created a registry backup prior to doing that!

Please download the registry files attached below and transfer them to the corrupted machine:
Attached file: HKLM.SYSTEM.CurrentControlSet.Control.SafeBoot.Network.AFD.reg (101 bytes)
Attached file: HKLM.SYSTEM.CurrentControlSet.Enum.Root.LEGACY_AFD.reg (537 bytes)
Attached file: HKLM.SYSTEM.CurrentControlSet.services.AFD.reg (687 bytes)
Attached file: HKLM.SYSTEM.Setup.AllowStart.AFD.reg (62 bytes)
Attached file: HKLM.SYSTEM.CurrentControlSet.services.Dhcp.reg (25.79 KB)
Attached file: HKLM.SYSTEM.CurrentControlSet.services.Dnscache.reg (6.59 KB)

Now we need to import them into the registry.

  • Locate these files on your desktop.
  • For each file, right-click its icon and select Merge.
  • You'll be prompted about adding the information to the registry. Please agree.

After completing import, please manually reboot your machine.


Any improvement?


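
Merging a .reg file as an administrator writes whatever keys it contains, so a "fix" received from a forum deserves the same look as any other code before it is run. The following is an added example, not the contents of the attachments above and not Naathim's code: a parser for the regedit export format (REGEDIT4 / "Windows Registry Editor Version 5.00") that lists every key and value a file would write or delete, decodes the hex-encoded string types so an ImagePath can actually be read, and flags anything outside the six key paths the attachment names announce. The expected-key list is an assumption taken from the attachment file names, not from their contents, which the thread does not show. The sample .reg text is constructed for illustration: a plausible AFD driver key, a made-up "Updater" service, and a key deletion.

```python
"""Inspect a .reg file before merging it.

Added example: not the contents of the attachments above and not the
thread's own code. Parses the regedit export format into {key: {value: data}}
and reports keys, deletions and service image paths that a fix for
AFD/Dhcp/Dnscache has no reason to contain. The sample text is constructed.
"""
import re

HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")
KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')
HEX_RE = re.compile(r"^hex(?:\((?P<kind>[0-9a-f]+)\))?:(?P<body>.*)$")

# Assumption: taken from the six attachment file names in the post above,
# not from their contents (which the thread does not show).
EXPECTED_KEYS = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AFD",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AFD",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\AFD",
    r"HKEY_LOCAL_MACHINE\SYSTEM\Setup\AllowStart\AFD",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dhcp",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dnscache",
)
# Where a driver's or service's ImagePath is expected to point.
SYSTEM_IMAGE_PREFIXES = ("\\systemroot\\system32\\", "%systemroot%\\system32\\", "system32\\")

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

; Constructed sample: a plausible AFD key, plus an extra service and a key
; deletion that a fix for this problem has no reason to contain.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\AFD]
"DisplayName"="Ancillary Function Driver for Winsock"
"Group"="TDI"
"Start"=dword:00000001
"Type"=dword:00000001
"ImagePath"=hex(2):5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,72,00,\
  69,00,76,00,65,00,72,00,73,00,5c,00,61,00,66,00,64,00,2e,00,73,00,79,00,73,00,\
  00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Updater]
"ImagePath"="C:\\Users\\Public\\updater.exe"
"Start"=dword:00000002

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AFD]
"""


def decode_data(data):
    """Decode one value's textual data; None means 'delete this value'."""
    if data == "-":
        return None
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.startswith("dword:"):
        return int(data[6:], 16)
    m = HEX_RE.match(data)
    if m:
        raw = bytes(int(b, 16) for b in m.group("body").split(",") if b)
        if m.group("kind") in ("2", "7"):   # REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE
            return raw.decode("utf-16-le").rstrip("\x00")
        return raw                           # REG_BINARY and anything else: raw bytes
    raise ValueError(f"unrecognised value data: {data}")


def parse_reg(text):
    """Return {key: {value_name: data}}; a key mapped to None is a deletion."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("missing .reg header line")
    keys, current, pending = {}, None, []
    for raw in lines[1:]:
        line = raw.strip()
        if pending or line.endswith("\\"):   # hex data continued over several lines
            cont = line.endswith("\\")
            pending.append(line[:-1].strip() if cont else line)
            if cont:
                continue
            line, pending = "".join(pending), []
        elif not line or line.startswith(";"):
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            keys[current] = None if km.group("delete") else {}
            continue
        vm = VALUE_RE.match(line)
        if vm is None or current is None or keys[current] is None:
            raise ValueError(f"unexpected line: {line}")
        name = "" if vm.group("default") else vm.group("name")   # "" is the (Default) value
        keys[current][name] = decode_data(vm.group("data").strip())
    return keys


def audit(keys, expected=EXPECTED_KEYS):
    """List everything a merge would do that the expected key set does not explain."""
    allowed = tuple(e.lower() for e in expected)
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if values is None:
            findings.append(f"deletes key {key}")
            continue
        if not any(k == a or k.startswith(a + "\\") for a in allowed):
            findings.append(f"writes unexpected key {key}")
        for name, data in values.items():
            if data is None:
                findings.append(f"deletes value {name!r} under {key}")
            elif name.lower() == "imagepath" and not str(data).lower().startswith(SYSTEM_IMAGE_PREFIXES):
                findings.append(f"ImagePath outside system32: {data} ({key})")
    return findings


if __name__ == "__main__":
    # For a real export: parse_reg(open(path, encoding="utf-16").read()); regedit writes UTF-16LE.
    for finding in audit(parse_reg(SAMPLE_REG)):
        print(finding)
```

Regedit saves exports as UTF-16LE with a byte-order mark, so real files are read with encoding="utf-16" before the text reaches parse_reg. A clean result from audit says only that the file writes what it claims; it says nothing about whether the merge will succeed. The "error accessing registry" that plante reports for the LEGACY_AFD file in the next post is the message regedit gives when it cannot open or create the target key, and the subkeys of HKLM\SYSTEM\CurrentControlSet\Enum are a known case: they are owned by SYSTEM with Administrators limited to read, so an elevated regedit session cannot create keys there.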

#38 plante (Topic Starter)

Could not import the legacy_afd.reg file: error accessing registry. Rebooted, but there does not seem to be any improvement; no internet access.



#39 Naathim (GeekU Minion, Expert)

OK. I've got another idea.
 
Delete your copy of ComboFix from the corrupted machine. On an operational one, please download a fresh one and, using my instructions, run it again.
Post its logfile.



Scan with ComboFix

This is a very powerful tool that should be used only if advised by Malware Analyst.
Do not run ComboFix on your own!


Referring to this instruction, please download ComboFix by sUBs and save it to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
If you are a user of CD emulation software (like Daemon Tools or Alcohol), also disable it for the cleaning process - instructions here.

  • Right-click on the ComboFix icon and select Run as Administrator to start the tool.
  • Accept the disclaimer and agree if prompted to install Recovery Console.
  • Do not take any actions while ComboFix goes through your System - it may cause it to stall!
  • This scan may take some time!
  • When finished - it will display a logfile (located also on your main drive, usually C:\ComboFix.txt).

Include that log in your next reply.
If you encounter any issues with your internet connection after running ComboFix, please visit this link.
If an error about an operation on a key marked for deletion appears after running the tool, please reboot your machine.
Don't forget to re-enable your previously switched-off protection software!



#40 plante (Topic Starter)
Rebooted machine, no internet access.
 
 
ComboFix 14-08-19.01 - Isaiah 08/19/2014  15:57:05.3.4 - x64
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.3765.2318 [GMT -4:00]
Running from: E:\ComboFix.exe
AV: AVG Anti-Virus 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Isaiah\AppData\Roaming\loaderRunning.tmp
.
.
(((((((((((((((((((((((((   Files Created from 2014-07-19 to 2014-08-19  )))))))))))))))))))))))))))))))
.
.
2014-08-19 20:18 . 2014-08-19 20:18 20 ----a-w- c:\windows\SysWow64\drivers\WS2IFSL.SYS ERROR(0x00000002)
2014-08-19 20:09 . 2014-08-19 20:09 -------- d-----w- c:\users\QBDataServiceUser\AppData\Local\temp
2014-08-19 20:09 . 2014-08-19 20:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-08-19 20:09 . 2014-08-19 20:09 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2014-08-19 18:44 . 2014-08-19 18:44 -------- d-----w- C:\RegBackup
2014-08-19 18:43 . 2014-08-19 18:43 -------- d-----w- c:\program files (x86)\Tweaking.com
2014-08-19 18:22 . 2014-08-19 18:22 0 ----a-w- c:\windows\SysWow64\sho7ADA.tmp
2014-08-19 17:57 . 2014-08-19 17:57 0 ----a-w- c:\windows\SysWow64\shoB240.tmp
2014-08-18 15:37 . 2014-08-18 15:58 -------- d-----w- C:\AdwCleaner
2014-08-17 22:05 . 2014-08-17 22:05 -------- d-----w- c:\windows\ERUNT
2014-08-17 22:02 . 2014-08-17 22:05 -------- d-----w- c:\users\Isaiah\AppData\Roaming\Free Download Manager
2014-08-17 22:00 . 2014-08-17 22:00 -------- d-----w- c:\program files (x86)\Free Download Manager
2014-08-17 22:00 . 2014-08-17 22:00 -------- d-----w- c:\users\Isaiah\AppData\Local\Programs
2014-08-17 21:49 . 2014-08-17 21:49 -------- d-----w- c:\program files\B021CBBD-E38E-4F8C-8E93-6624B0597A23
2014-08-16 22:05 . 2014-08-19 11:36 -------- d-----w- C:\FRST
2014-08-16 07:09 . 2014-08-07 01:52 526848 ----a-w- c:\windows\system32\aepdu.dll
2014-08-16 07:09 . 2014-08-07 01:46 424448 ----a-w- c:\windows\system32\aeinv.dll
2014-08-15 21:02 . 2014-08-15 21:02 -------- d-----w- c:\program files\CCleaner
2014-07-29 14:11 . 2014-07-29 14:11 -------- d-----w- c:\program files (x86)\Common Files\Java
2014-07-29 14:10 . 2014-07-11 07:02 98216 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-08-17 23:03 . 2009-07-14 00:10 20048 ----a-w- c:\windows\system32\drivers\WS2IFSL.SYS
2014-08-16 07:02 . 2010-10-28 14:41 99218768 ----a-w- c:\windows\system32\MRT.exe
2014-08-11 20:37 . 2012-11-08 17:24 50976 ----a-w- c:\windows\system32\drivers\avgtpx64.sys
2014-07-10 23:23 . 2012-08-08 00:58 358616 ----a-w- c:\windows\system32\drivers\RapportKE64.sys
2014-07-10 01:12 . 2012-09-19 20:26 699056 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-07-10 01:12 . 2012-02-28 01:32 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-07-01 13:17 . 2014-07-01 13:20 83968 ----a-w- c:\windows\system32\E_YD4BHVA.DLL
2014-07-01 13:17 . 2014-07-01 13:20 120320 ----a-w- c:\windows\system32\E_YLMHVA.DLL
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2013-10-10 19:26 1021448 ----a-r- c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2013-10-10 19:26 1021448 ----a-r- c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2013-10-10 19:26 1021448 ----a-r- c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\users\Isaiah\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\users\Isaiah\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\users\Isaiah\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Akamai NetSession Interface"="c:\users\Isaiah\AppData\Local\Akamai\netsession_win.exe" [2014-04-18 4672920]
"EPLTarget\P0000000000000000"="c:\windows\system32\spool\DRIVERS\x64\3\E_YATIHVA.EXE" [2014-07-01 241280]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Dell DataSafe Online"="c:\program files (x86)\Dell DataSafe Online\DataSafeOnline.exe" [2010-02-09 1807680]
"PDVDDXSrv"="c:\program files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-12-29 140520]
"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-10-15 498160]
"DellSupportCenter"="c:\program files (x86)\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG10\avgtray.exe" [2012-08-01 2345592]
"Intuit SyncManager"="c:\program files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2011-09-30 2215768]
"EEventManager"="c:\program files (x86)\Epson Software\Event Manager\EEventManager.exe" [2010-10-12 979328]
"FUFAXRCV"="c:\program files (x86)\Epson Software\FAX Utility\FUFAXRCV.exe" [2011-03-09 495616]
"FUFAXSTM"="c:\program files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe" [2011-03-09 856064]
"LTCM Client"="c:\program files (x86)\LTCM Client\ltcmClient.exe" [2009-08-05 1596096]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-02-13 43848]
"Carbonite Backup"="c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe" [2013-10-10 1056264]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2014-01-17 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2014-02-21 152392]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2014-07-11 256896]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"="c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [2010-09-27 560128]
.
c:\users\Isaiah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Isaiah\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2014-7-29 36414496]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Intuit Data Protect.lnk - c:\program files (x86)\Common Files\Intuit\DataProtect\IntuitDataProtect.exe /Startup [2012-3-9 5969752]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.8.130\SSScheduler.exe [2013-9-6 324320]
QuickBooks Update Agent.lnk - c:\program files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2012-5-14 1156968]
QuickBooks_Standard_21.lnk - c:\program files (x86)\Intuit\QuickBooks 2011\QBW32.EXE -silent [2012-5-14 1178984]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe /firstrun [2009-12-15 1324384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_Dlls"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ   autocheck autochk *\0c:\progra~2\AVG\AVG10\avgchsva.exe /sync\0c:\progra~2\AVG\AVG10\avgrsa.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [x]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.8.130\McCHSvc.exe;c:\program files\McAfee Security Scan\3.8.130\McCHSvc.exe [x]
R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl64.sys;c:\windows\SYSNATIVE\DRIVERS\netaapl64.sys [x]
R3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows\system32\DRIVERS\silabenm.sys;c:\windows\SYSNATIVE\DRIVERS\silabenm.sys [x]
R3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows\system32\DRIVERS\silabser.sys;c:\windows\SYSNATIVE\DRIVERS\silabser.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys;c:\windows\SYSNATIVE\DRIVERS\WSDScan.sys [x]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys;c:\windows\SYSNATIVE\DRIVERS\AVGIDSEH.Sys [x]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgrkx64.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]
S0 RapportKE64;RapportKE64;c:\windows\System32\Drivers\RapportKE64.sys;c:\windows\SYSNATIVE\Drivers\RapportKE64.sys [x]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgldx64.sys [x]
S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgmfx64.sys [x]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys;c:\windows\SYSNATIVE\DRIVERS\avgtdia.sys [x]
S1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx64.sys;c:\windows\SYSNATIVE\drivers\avgtpx64.sys [x]
S1 RapportCerberus_69875;RapportCerberus_69875;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus64_69875.sys;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus64_69875.sys [x]
S1 RapportEI64;RapportEI64;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [x]
S1 RapportPG64;RapportPG64;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [x]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_0057cbec48a2d7cf\AESTSr64.exe;c:\windows\SYSNATIVE\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_0057cbec48a2d7cf\AESTSr64.exe [x]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe;c:\program files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [x]
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG10\avgwdsvc.exe;c:\program files (x86)\AVG\AVG10\avgwdsvc.exe [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [x]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe;c:\program files\Dell\DellDock\DockLogin.exe [x]
S2 EpsonCustomerParticipation;EpsonCustomerParticipation;c:\program files\EPSON\EpsonCustomerParticipation\EPCP.exe;c:\program files\EPSON\EpsonCustomerParticipation\EPCP.exe [x]
S2 QBVSS;QBIDPService;c:\program files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe;c:\program files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe [x]
S2 RapportMgmtService;Rapport Management Service;c:\program files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe;c:\program files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [x]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [x]
S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [x]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Acceler.sys;c:\windows\SYSNATIVE\DRIVERS\Acceler.sys [x]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys;c:\windows\SYSNATIVE\DRIVERS\AVGIDSDriver.Sys [x]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys;c:\windows\SYSNATIVE\DRIVERS\AVGIDSFilter.Sys [x]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys;c:\windows\SYSNATIVE\DRIVERS\CtClsFlt.sys [x]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys;c:\windows\SYSNATIVE\DRIVERS\HECIx64.sys [x]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys;c:\windows\SYSNATIVE\DRIVERS\Impcd.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 O2MDGRDR;O2MDGRDR;c:\windows\system32\DRIVERS\o2mdgx64.sys;c:\windows\SYSNATIVE\DRIVERS\o2mdgx64.sys [x]
S3 RemotePCHelpDesk;RemotePCHelpDesk;c:\windows\system32\DRIVERS\RemotePCHelpDesk.sys;c:\windows\SYSNATIVE\DRIVERS\RemotePCHelpDesk.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2014-08-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-19 01:12]
.
2014-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-15 11:27]
.
2014-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-15 11:27]
.
2014-08-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-928644344-3032971394-1657302220-1001Core.job
- c:\users\Isaiah\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-11 13:41]
.
2014-08-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-928644344-3032971394-1657302220-1001UA.job
- c:\users\Isaiah\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-11 13:41]
.
2012-01-13 c:\windows\Tasks\SyncBack Dell Studio 17 Backup.job
- c:\program files (x86)\2BrightSparks\SyncBack\SyncBack.exe [2010-10-01 22:45]
.
2012-01-13 c:\windows\Tasks\SyncBack Kimball Files Backup.job
- c:\program files (x86)\2BrightSparks\SyncBack\SyncBack.exe [2010-10-01 22:45]
.
2012-02-07 c:\windows\Tasks\SyncBack My Pictures Backup.job
- c:\program files (x86)\2BrightSparks\SyncBack\SyncBack.exe [2010-10-01 22:45]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2013-10-10 19:12 1294344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2013-10-10 19:12 1294344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2013-10-10 19:12 1294344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 164760 ----a-w- c:\users\Isaiah\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 164760 ----a-w- c:\users\Isaiah\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 164760 ----a-w- c:\users\Isaiah\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 164760 ----a-w- c:\users\Isaiah\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-01-20 487424]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-04-07 166424]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-04-07 391192]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-04-07 413720]
"Broadcom Wireless Manager UI"="c:\program files\Dell\DW WLAN Card\WLTRAY.exe" [2009-12-16 5470208]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 660360]
"Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2012-09-20 1832760]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <-loopback>;<local>
IE: Download all with Free Download Manager - file://c:\program files (x86)\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files (x86)\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files (x86)\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files (x86)\Free Download Manager\dllink.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Isaiah\AppData\Roaming\Mozilla\Firefox\Profiles\pqvjg8a6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=WLETDF&PC=WLEM&q=
FF - prefs.js: browser.startup.homepage - www.yahoo.com
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
AddRemove-Search Toolbar - c:\program files (x86)\Search Toolbar\SearchToolbarUninstall.exe
AddRemove-{501451DE-5808-4599-B544-8BD0915B6B24}_is1 - c:\program files (x86)\FreeRIP3\unins000.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\program files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\DRIVERS\o2flash.exe
c:\program files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE
c:\program files (x86)\AVG\AVG10\avgam.exe
c:\program files (x86)\Trusteer\Rapport\bin\RapportService.exe
c:\program files (x86)\Intuit\QuickBooks 2011\QBW32.EXE
c:\users\Isaiah\AppData\Roaming\Dropbox\bin\Dropbox.exe
c:\program files (x86)\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
c:\program files (x86)\Google\Update\1.3.24.15\GoogleCrashHandler.exe
c:\program files (x86)\Dell Support Center\bin\sprtsvc.exe
.
**************************************************************************
.
Completion time: 2014-08-19  16:24:33 - machine was rebooted
ComboFix-quarantined-files.txt  2014-08-19 20:24
ComboFix2.txt  2014-08-17 21:19
ComboFix3.txt  2014-08-17 02:46
.
Pre-Run: 209,934,807,040 bytes free
Post-Run: 209,621,532,672 bytes free
.
- - End Of File - - 255FCE90546EF54BEFAB51B788D226B1
5C616939100B85E558DA92B899A0FC36

  • 0


#41
Naathim

Naathim

    GeekU Minion

  • Expert
  • 4,568 posts

After a consult with a friend, let's try something else.


Repair Windows with Tweaking.com

Please download Tweaking.com Windows Repair All-In-One (portable edition) and save the file to your desktop.
It will come as a zipped file, so you will need to unzip it. You may do it by right-clicking on it and choosing Extract All. Extract it to your desktop.
I strongly suggest printing out these guidelines for further reference.

This one needs to be done in steps. You will see many tabs, each one containing its own tasks. Please make sure to perform only the ones listed below!
It is very important to follow only these steps and guidelines. Running other ones may conflict with the other things that are currently being repaired.
Also, I would recommend a cup of tea while the whole procedure is done. It will surely take some amount of time.

Enter the Tweaking.com directory, right-click on the Repair_Windows icon and select Run as Administrator to start the tool.

Tab 3: Check File System

  • Click the Check button. It will verify if the full scan is needed.
  • If no errors are found, please proceed to the next step.
  • If errors are found, please click the Do it button:
    • Your system will be restarted
    • Repairing File System errors may take some time.
    • Please be patient and let it run uninterrupted!

Once completed, please proceed to the next step.

Tab 4: Check System Files

  • Click the Do it button to perform the scan.
  • System Files check usually takes some time to complete. Please be patient and let it run uninterrupted!
  • If any corruption is found, there will be an attempt to fix it:
    • If running Windows XP, you may need to insert your installation CD to complete repairs.
    • If running Windows Vista, 7 or 8 the CD won't be needed in most cases.
  • Your machine may need to be rebooted to complete repairs.

Once completed, please proceed to the next step.

Tab 5: Registry Backup & System Restore

  • We need to create a Registry backup and a System Restore point prior to any fixes - this is crucial because fixing is always an invasive procedure.
  • Click Backup to backup your registry.
  • When finished, click Create to create a fresh Restore point.

Once completed, please proceed to the next step.

Tab 6: Start Repairs

  • Click Start.
  • You will be presented with a new window, divided vertically.
  • In the right one, please make sure that Restart/Shutdown System when finished is ticked and the Restart System option is marked.
  • Inside the left one you will see listed fixing options.
  • Click Unselect All at the bottom and then make sure these ones are checked:
    • 01 - Reset Registry Permissions
    • 02 - Reset File Permissions
    • 03 - Reset Service Permissions
    • 04 - Register System Files
    • 05 - Repair WMI
    • 06 - Repair Windows Firewall
    • 07 - Repair Internet Explorer
    • 09 - Repair Hosts File
    • 10 - Remove Policies Set By Infections
    • 13 - Repair Winsock & DNS Cache
    • 15 - Repair Proxy Settings
    • 17 - Repair Windows Updates
    • 24 - Repair Windows Safe Mode
    • 25 - Repair Print Spooler
    • 26 - Restore Important Windows Services
    • 27 - Set Windows Services To Default Startup
  • Press Start Repairs button on the lower right.
  • This whole procedure may take some amount of time and your machine will be rebooted upon completion.
  • After the reboot, navigate to the Tweaking.com folder once again.
  • Enter the subfolder called Logs.

Please include here for me any logfile(s) you find there.
Also, please update me on how your machine is after the performed repairs.


  • 0
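A read-only check of the settings that Tab 6 items 09 (hosts file), 10 (policies set by infections) and 15 (proxy settings) repair, so the state can be compared before and after the run. This is an added example, not part of the thread or of the Tweaking.com tool; the registry paths and value names are standard Windows ones, and the set of policy values it looks at is my own selection, not the tool's full list.

```powershell
# Added example (not from the thread or from Tweaking.com): report, without changing
# anything, the items behind Tab 6 repairs 09, 10 and 15. Run from an elevated PowerShell.
$findings = @()

# 09 - Hosts file: expect only comments, blank lines and optional localhost entries.
$hosts   = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$allowed = '^(127\.0\.0\.1|::1)\s+localhost\s*$'
foreach ($line in (Get-Content $hosts -ErrorAction Stop)) {
    if ($line -match '\S' -and $line -notmatch '^\s*#' -and $line -notmatch $allowed) {
        $findings += "hosts: unexpected entry '$($line.Trim())'"
    }
}

# 15 - Proxy settings: the same key ComboFix lists as "uInternet Settings" above.
# <local> and the "<-loopback>;<local>" value shown in this thread's log are treated as expected.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty -Path $inet
if ($p.ProxyEnable -eq 1) { $findings += "proxy: enabled, ProxyServer='$($p.ProxyServer)'" }
if ($p.AutoConfigURL)     { $findings += "proxy: AutoConfigURL='$($p.AutoConfigURL)'" }
if ($p.ProxyOverride -and $p.ProxyOverride -notin @('<local>', '<-loopback>;<local>')) {
    $findings += "proxy: ProxyOverride='$($p.ProxyOverride)'"
}

# 10 - Policies an infection commonly sets to lock the user out of admin tools
# (my selection of well-known values; the tool's own list is longer).
$policyChecks = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'   = 'DisableTaskMgr', 'DisableRegistryTools'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = 'NoDesktop', 'NoRun', 'NoControlPanel'
}
foreach ($key in $policyChecks.Keys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($name in $policyChecks[$key]) {
            if ($props.$name -eq 1) { $findings += "policy: $key\$name = 1" }
        }
    }
}

if ($findings.Count -eq 0) { 'No hosts, proxy or policy anomalies found.' }
else { $findings | ForEach-Object { "NEEDS REVIEW - $_" } }
```

Run it once before Tab 6 and once after the reboot; any line that still reads NEEDS REVIEW afterwards is worth mentioning along with the Logs folder output.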

#42
plante

plante

    Member

  • Topic Starter
  • Member
  • PipPip
  • 63 posts

Hi Naat,

 

I attempted to follow the steps in the last post. After rebooting after step 4 when prompted, the computer started up and showed the desktop background and no icons except for a few on the taskbar. There is a cursor that follows the mouse movement, but you cannot click or open anything. Please advise!!!

 

Thanks!


  • 0

#43
Naathim

Naathim

    GeekU Minion

  • Expert
  • 4,568 posts
I will discuss it with my colleagues and come back to you shortly.
  • 0

#44
plante

plante

    Member

  • Topic Starter
  • Member
  • PipPip
  • 63 posts

Hi Naat,

 

The system just came back, I can now navigate in all windows. I am going to go to Step 5 and continue from the last post. I'll post the logs as soon as I am done.

 

Thanks!


  • 0

#45
Naathim

Naathim

    GeekU Minion

  • Expert
  • 4,568 posts
Great news. Please continue then and keep me posted :)
  • 0
