Advice Request, Re: Homeland Security Ransom Virus


Greetings,

I have spent hours on this forum reading, learning and attempting to remove the Homeland Security Ransom virus/malware... In my efforts, it appears that I have successfully removed the screen block and subsequent registry entries, infected files and the malware itself. In this effort however, I have disabled my computer from any network connectivity, am unable to reinstall LAN drivers and have created a quick Blue Screen crash upon restart...

Can someone assist with helping me [1] assure I am complete with my malware removal, [2] resolve the LAN driver network connectivity issue, and [3] resolve my restart crash routine.

I really appreciate the help. I am online, available to respond quickly and available with a few computers, flash-drive in hand and sneakernet!

Thank you!

Jeff

----------

Infected computer specs:

Windows 7 Ultimate

64-bit

Intel Core i7-2600K

Fatal1ty MB

Hello,

P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Does your system fail to boot in Normal mode? If so, will it boot to Safe Mode?

Kevin.

OK, we can run the following in Normal mode. If there is no internet, you can download and save it to a flash drive and transfer it to the Desktop of the sick PC. Logs can be transferred the same way...

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32-bit or 64-bit). If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system, and that will be the right version.


Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Next,

Download Farbar Service Scanner from here: http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/ and run it on the computer with the issue.

Make sure the following options are checked:

Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender

Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

Thanks,

Kevin.

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 22-04-2014
Ran by Administrator (administrator) on BEAST on 22-04-2014 15:38:08
Running from O:\VIRUS-Malware
Windows 7 Ultimate Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgrsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe
(AMD) C:\Windows\system32\atiesrxx.exe
(AMD) C:\Windows\system32\atieclxx.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Future Systems Solutions, Inc.) C:\Program Files\Common Files\Future Systems Solutions\Services\CASPERSVCS.EXE
(CrashPlan) C:\Program Files\CrashPlan\CrashPlanService.exe
(Intuit) C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.23.9\GoogleCrashHandler.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(Code 42 Software, Inc.) C:\Program Files\CrashPlan\CrashPlanTray.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.23.9\GoogleCrashHandler64.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
(Intuit Inc.) C:\Program Files (x86)\Intuit\QuickBooks 2012\QBW32.EXE
(Dropbox, Inc.) C:\Users\Administrator\AppData\Roaming\Dropbox\bin\Dropbox.exe
(FNet Co., Ltd.) C:\Program Files (x86)\XFastUsb\XFastUsb.exe
(Stardock Corporation) C:\Program Files (x86)\Stardock\ThinkDesk\Multiplicity\Multipl.exe
(Evernote Corp., 305 Walnut Street, Redwood City, CA 94063) C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgui.exe
(Mindjet) C:\Program Files (x86)\Mindjet\MindManager 14\MmReminderService.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Intuit, Inc.) C:\Program Files (x86)\Intuit\QuickBooks 2012\QBDBMgrN.exe
(Farbar) O:\VIRUS-Malware\FRST64(1).exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [446392 2012-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [XFastUsb] => C:\Program Files (x86)\XFastUsb\XFastUsb.exe [4838912 2012-03-31] (FNet Co., Ltd.)
HKLM-x32\...\Run: [Multiplicity] => C:\Program Files (x86)\Stardock\ThinkDesk\Multiplicity\Multipl.exe [2508080 2008-12-13] (Stardock Corporation)
HKLM-x32\...\Run: [Adobe_ID0EYTHM] => C:\Program Files (x86)\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3Tray.exe [1884160 2007-03-20] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-02-06] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [intuit SyncManager] => C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe [2786104 2013-05-31] (Intuit Inc. All rights reserved.)
HKLM-x32\...\Run: [switchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS6ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1073312 2012-03-09] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe [38984 2013-05-10] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe [840768 2013-05-10] (Adobe Systems Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2012-10-25] (Apple Inc.)
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\AVG2014\avgui.exe [4971024 2014-03-19] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [MMReminderService] => C:\Program Files (x86)\Mindjet\MindManager 14\MMReminderService.exe [115552 2013-12-02] (Mindjet)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-02-21] (Apple Inc.)
Winlogon\Notify\Multi-x32: C:\Program Files (x86)\Stardock\ThinkDesk\Multiplicity\MultiWin64.dll (Stardock)
HKU\S-1-5-21-1737317261-1427757156-2377708800-500\...\Run: [GoogleDriveSync] => C:\Program Files (x86)\Google\Drive\googledrivesync.exe [21822128 2014-01-30] (Google)
Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Administrator\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EvernoteClipper.lnk
ShortcutTarget: EvernoteClipper.lnk -> C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xDC950D82C44ECE01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.yahoo.com/search?p={searchTerms}&fr=chr-devicevm&type=ASRK
SearchScopes: HKCU - {0E89C721-D0E7-4585-BC2B-9E7CCF46F29C} URL = http://www.google.com/custom?client=pub-3794288947762788&forid=1&channel=5480255188&ie=UTF-8&oe=UTF-8&safe=active&cof=GALT%3A%23008000%3BGL%3A1%3BDIV%3A%23336699%3BVLC%3A663399%3BAH%3Acenter%3BBGC%3AFFFFFF%3BLBGC%3A336699%3BALC%3A0000FF%3BLC%3A0000FF%3BT%3A000000%3BGFNT%3A0000FF%3BGIMP%3A0000FF%3BFORID%3A1&hl=en&q={searchTerms}
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Evernote extension - {92EF2EAD-A7CE-4424-B0DB-499CF856608E} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
BHO-x32: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: SmartSelect Class - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Handler: intu-help-qb5 - {867FCB77-9823-4cd6-8210-D85F968D466F} -  No File
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} -  No File
Handler-x32: intu-help-qb5 - {867FCB77-9823-4cd6-8210-D85F968D466F} - C:\Program Files (x86)\Intuit\QuickBooks 2012\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
Handler-x32: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\SysWOW64\mscoree.dll (Microsoft Corporation)
Hosts: 127.0.0.1    localhost
Tcpip\Parameters: [DhcpNameServer] 10.0.1.1

FireFox:
========
FF ProfilePath: C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\upvrtgyj.default
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_12_0_0_77.dll ()
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_77.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin - C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Acrobat - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: Xmarks - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\upvrtgyj.default\Extensions\foxmarks@kei.com [2013-05-22]
FF Extension: Web Developer Toolbar Button - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\upvrtgyj.default\Extensions\webdevelopertoolbarbutton@polygonpla.net [2013-11-27]
FF Extension: ColorZilla - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\upvrtgyj.default\Extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326} [2012-08-04]
FF Extension: Evernote Web Clipper - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\upvrtgyj.default\Extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800} [2014-01-08]
FF Extension: Lightbeam - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\upvrtgyj.default\Extensions\jid1-F9UJ2thwoAm5gQ@jetpack.xpi [2013-11-14]
FF Extension: KGen - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\upvrtgyj.default\Extensions\kgen@elitwork.com.xpi [2012-04-01]
FF Extension: Save Images - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\upvrtgyj.default\Extensions\LDSI_plashcor@gmail.com.xpi [2014-02-12]
FF Extension: Keep Tube Downloader - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\upvrtgyj.default\Extensions\webmaster@keep-tube.com.xpi [2014-02-19]
FF Extension: All-in-One Sidebar - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\upvrtgyj.default\Extensions\{097d3191-e6fa-4728-9826-b533d755359d}.xpi [2012-04-01]
FF Extension: Session Manager - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\upvrtgyj.default\Extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}.xpi [2012-04-01]
FF Extension: FlashGot - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\upvrtgyj.default\Extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}.xpi [2013-12-11]
FF Extension: Bulk Image Downloader - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\upvrtgyj.default\Extensions\{524B8EF8-C312-11DB-8039-536F56D89593}.xpi [2013-12-11]
FF Extension: MeasureIt - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\upvrtgyj.default\Extensions\{75CEEE46-9B64-46f8-94BF-54012DE155F0}.xpi [2012-04-01]
FF Extension: ReloadEvery - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\upvrtgyj.default\Extensions\{888d99e7-e8b5-46a3-851e-1ec45da1e644}.xpi [2012-04-01]
FF Extension: Web Developer - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\upvrtgyj.default\Extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}.xpi [2012-04-01]
FF Extension: CoolPreviews - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\upvrtgyj.default\Extensions\{CE6E6E3B-84DD-4cac-9F63-8D2AE4F30A4B}.xpi [2012-04-01]
FF Extension: Adblock Plus - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\upvrtgyj.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2013-08-29]
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2012-10-30]

Chrome:
=======
CHR HomePage:
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.117\PepperFlash\pepflashplayer.dll No File
CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_287.dll No File
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.117\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.117\pdf.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll (Apple Inc.)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File
CHR Plugin: (iTunes Application Detector) - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Extension: (Google Drive) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-05-15]
CHR Extension: (YouTube) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2012-10-29]
CHR Extension: (Google Search) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2012-10-29]
CHR Extension: (Google Wallet) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-25]
CHR Extension: (Gmail) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2012-10-29]
CHR HKCU\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\Users\ADMINI~1\AppData\Local\Google\Drive\apdfllckaahabafndbhieahigkjlhalf_live.crx [2013-04-30]

==================== Services (Whitelisted) =================

R2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe [3782672 2014-02-23] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe [348008 2013-09-24] (AVG Technologies CZ, s.r.o.)
R2 caspereui; C:\Program Files\Common Files\Future Systems Solutions\Services\CASPERSVCS.EXE [715496 2013-11-18] (Future Systems Solutions, Inc.)
R2 casperhpb; C:\Program Files\Common Files\Future Systems Solutions\Services\CASPERSVCS.EXE [715496 2013-11-18] (Future Systems Solutions, Inc.)
R2 CrashPlanService; C:\Program Files\CrashPlan\CrashPlanService.exe [222720 2013-04-08] (CrashPlan)
R3 QuickBooksDB22; C:\Program Files (x86)\Intuit\QuickBooks 2012\QBDBMgrN.exe [679936 2011-08-19] (Intuit, Inc.)

==================== Drivers (Whitelisted) ====================

S1 AsrHidFilter; C:\Windows\System32\DRIVERS\AsrHidFilter.sys [17928 2010-12-22] (ASRock Inc.)
R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [150808 2013-11-25] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [243480 2013-11-25] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [196376 2013-11-25] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [212280 2013-11-01] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [294712 2013-10-31] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [123704 2013-10-01] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [31544 2013-09-10] (AVG Technologies CZ, s.r.o.)
R3 FNETTBOH_305; C:\Windows\System32\drivers\FNETTBOH_305.SYS [31808 2012-04-17] (FNet Co., Ltd.)
R1 FNETURPX; C:\Windows\System32\drivers\FNETURPX.SYS [15936 2012-03-31] (FNet Co., Ltd.)
R1 Serial; C:\Windows\System32\DRIVERS\serial.sys [94208 2009-07-13] (Brother Industries Ltd.)
S3 SliceDisk5; C:\Program Files\A-FF Find and Mount\slicedisk-x64.sys [31824 2011-02-25] (Atola)
S3 AsrCDDrv; \??\C:\Windows\SysWOW64\Drivers\AsrCDDrv.sys [X]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 EtronHub3; System32\Drivers\EtronHub3.sys [X]
S3 EtronXHCI; System32\Drivers\EtronXHCI.sys [X]
S3 IntcAzAudAddService; system32\drivers\RTKVHD64.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-04-22 12:35 - 2014-04-22 12:35 - 00274792 _____ () C:\Windows\Minidump\042214-18220-01.dmp
2014-04-22 12:09 - 2014-04-22 12:09 - 00000000 ____D () C:\Program Files\Intel
2014-04-22 11:41 - 2014-04-22 11:41 - 00002880 _____ () C:\Windows\System32\Tasks\Setup
2014-04-22 11:40 - 2014-04-22 11:40 - 00003180 _____ () C:\Windows\System32\Tasks\{047D4B53-0CA7-4B38-AB50-14E1369BA443}
2014-04-22 10:28 - 2014-04-22 12:35 - 522973545 _____ () C:\Windows\MEMORY.DMP
2014-04-22 10:28 - 2014-04-22 10:28 - 00274792 _____ () C:\Windows\Minidump\042214-18969-01.dmp
2014-04-22 10:21 - 2014-04-22 10:27 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-04-22 10:20 - 2014-04-22 10:27 - 00000000 ____D () C:\Users\Administrator\Desktop\mbar
2014-04-22 10:18 - 2014-04-22 10:18 - 00002809 _____ () C:\Users\Administrator\Desktop\RKreport[0]_SC_04222014_101816.txt
2014-04-22 10:18 - 2014-04-22 10:18 - 00002808 _____ () C:\Users\Administrator\Desktop\RKreport[0]_SC_04222014_101848.txt
2014-04-22 10:17 - 2014-04-22 10:17 - 00007352 _____ () C:\Users\Administrator\Desktop\RKreport[0]_D_04222014_101714.txt
2014-04-22 10:17 - 2014-04-22 10:17 - 00002001 _____ () C:\Users\Administrator\Desktop\RKreport[0]_H_04222014_101724.txt
2014-04-22 10:17 - 2014-04-22 10:17 - 00001912 _____ () C:\Users\Administrator\Desktop\RKreport[0]_PR_04222014_101726.txt
2014-04-22 10:17 - 2014-04-22 10:17 - 00001876 _____ () C:\Users\Administrator\Desktop\RKreport[0]_DN_04222014_101727.txt
2014-04-22 10:05 - 2014-04-22 10:05 - 00007204 _____ () C:\Users\Administrator\Desktop\RKreport[0]_S_04222014_100553.txt
2014-04-22 10:04 - 2014-04-22 10:18 - 00000000 ____D () C:\Users\Administrator\Desktop\RK_Quarantine
2014-04-22 09:58 - 2014-04-22 09:58 - 00001093 _____ () C:\Users\Administrator\Desktop\JRT.txt
2014-04-22 09:56 - 2014-04-22 09:56 - 00000000 ____D () C:\Windows\ERUNT
2014-04-22 09:20 - 2014-04-22 09:20 - 00035280 _____ () C:\ComboFix.txt
2014-04-22 09:14 - 2014-04-22 09:20 - 00000000 ____D () C:\Qoobox
2014-04-22 09:14 - 2011-06-26 00:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-04-22 09:14 - 2010-11-07 11:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-04-22 09:14 - 2009-04-19 22:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-04-22 09:14 - 2000-08-30 18:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-04-22 09:14 - 2000-08-30 18:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-04-22 09:14 - 2000-08-30 18:00 - 00098816 _____ () C:\Windows\sed.exe
2014-04-22 09:14 - 2000-08-30 18:00 - 00080412 _____ () C:\Windows\grep.exe
2014-04-22 09:14 - 2000-08-30 18:00 - 00068096 _____ () C:\Windows\zip.exe
2014-04-22 09:13 - 2014-04-22 09:19 - 00000000 ____D () C:\Windows\erdnt
2014-04-21 19:50 - 2014-04-22 09:50 - 00000000 ____D () C:\AdwCleaner
2014-04-21 17:36 - 2014-04-22 10:21 - 00119000 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-04-21 17:36 - 2014-04-22 10:20 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-04-21 17:36 - 2014-04-21 17:36 - 00001102 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-04-21 17:36 - 2014-04-21 17:36 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-04-21 17:36 - 2014-04-21 17:36 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-04-21 17:36 - 2014-04-03 09:51 - 00063192 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-04-21 17:36 - 2014-04-03 09:50 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-04-21 17:32 - 2014-04-21 17:32 - 00000000 ____D () C:\Users\Administrator\Desktop\New folder
2014-04-20 23:34 - 2014-04-22 15:38 - 00000000 ____D () C:\FRST
2014-04-20 17:07 - 2014-04-20 17:07 - 00002259 _____ () C:\Users\Jeff\Desktop\Google Chrome.lnk
2014-04-20 17:07 - 2014-04-20 17:07 - 00000000 ____D () C:\Users\Jeff\AppData\Local\Google
2014-04-20 15:36 - 2014-04-22 09:31 - 00000000 ____D () C:\ProgramData\2992199F9A
2014-03-31 15:43 - 2014-03-31 15:43 - 03204296 _____ () C:\Users\Administrator\Downloads\lj1018_1020_1022-HB-pnp-win64-en(1).exe
2014-03-24 17:05 - 2014-03-24 17:05 - 00000000 ____D () C:\Users\Administrator\Documents\Adobe

==================== One Month Modified Files and Folders =======

2014-04-22 15:38 - 2014-04-20 23:34 - 00000000 ____D () C:\FRST
2014-04-22 15:36 - 2014-03-19 16:44 - 00002520 _____ () C:\Windows\setupact.log
2014-04-22 15:36 - 2012-10-29 14:05 - 00000908 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-04-22 15:36 - 2012-04-01 12:06 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Dropbox
2014-04-22 15:36 - 2012-04-01 11:35 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Adobe
2014-04-22 15:36 - 2009-07-13 23:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-04-22 15:12 - 2009-07-13 23:13 - 00006206 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-04-22 15:06 - 2012-03-31 11:46 - 01339427 _____ () C:\Windows\WindowsUpdate.log
2014-04-22 14:53 - 2012-10-29 14:05 - 00000912 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-04-22 13:19 - 2009-07-13 21:20 - 00000000 ____D () C:\Windows\system32\NDF
2014-04-22 13:00 - 2009-07-13 22:45 - 00021872 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-04-22 13:00 - 2009-07-13 22:45 - 00021872 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-04-22 12:35 - 2014-04-22 12:35 - 00274792 _____ () C:\Windows\Minidump\042214-18220-01.dmp
2014-04-22 12:35 - 2014-04-22 10:28 - 522973545 _____ () C:\Windows\MEMORY.DMP
2014-04-22 12:35 - 2012-04-18 11:54 - 00000000 ____D () C:\Windows\Minidump
2014-04-22 12:09 - 2014-04-22 12:09 - 00000000 ____D () C:\Program Files\Intel
2014-04-22 12:08 - 2013-10-24 16:27 - 00000000 ____D () C:\ProgramData\Package Cache
2014-04-22 11:41 - 2014-04-22 11:41 - 00002880 _____ () C:\Windows\System32\Tasks\Setup
2014-04-22 11:40 - 2014-04-22 11:40 - 00003180 _____ () C:\Windows\System32\Tasks\{047D4B53-0CA7-4B38-AB50-14E1369BA443}
2014-04-22 11:39 - 2012-03-31 15:27 - 00000000 ____D () C:\Program Files (x86)\Realtek
2014-04-22 10:28 - 2014-04-22 10:28 - 00274792 _____ () C:\Windows\Minidump\042214-18969-01.dmp
2014-04-22 10:27 - 2014-04-22 10:21 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-04-22 10:27 - 2014-04-22 10:20 - 00000000 ____D () C:\Users\Administrator\Desktop\mbar
2014-04-22 10:21 - 2014-04-21 17:36 - 00119000 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-04-22 10:20 - 2014-04-21 17:36 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-04-22 10:18 - 2014-04-22 10:18 - 00002809 _____ () C:\Users\Administrator\Desktop\RKreport[0]_SC_04222014_101816.txt
2014-04-22 10:18 - 2014-04-22 10:18 - 00002808 _____ () C:\Users\Administrator\Desktop\RKreport[0]_SC_04222014_101848.txt
2014-04-22 10:18 - 2014-04-22 10:04 - 00000000 ____D () C:\Users\Administrator\Desktop\RK_Quarantine
2014-04-22 10:17 - 2014-04-22 10:17 - 00007352 _____ () C:\Users\Administrator\Desktop\RKreport[0]_D_04222014_101714.txt
2014-04-22 10:17 - 2014-04-22 10:17 - 00002001 _____ () C:\Users\Administrator\Desktop\RKreport[0]_H_04222014_101724.txt
2014-04-22 10:17 - 2014-04-22 10:17 - 00001912 _____ () C:\Users\Administrator\Desktop\RKreport[0]_PR_04222014_101726.txt
2014-04-22 10:17 - 2014-04-22 10:17 - 00001876 _____ () C:\Users\Administrator\Desktop\RKreport[0]_DN_04222014_101727.txt
2014-04-22 10:17 - 2012-03-31 11:54 - 00000000 ___RD () C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-04-22 10:17 - 2012-03-31 11:45 - 00000000 ___RD () C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-04-22 10:05 - 2014-04-22 10:05 - 00007204 _____ () C:\Users\Administrator\Desktop\RKreport[0]_S_04222014_100553.txt
2014-04-22 09:58 - 2014-04-22 09:58 - 00001093 _____ () C:\Users\Administrator\Desktop\JRT.txt
2014-04-22 09:56 - 2014-04-22 09:56 - 00000000 ____D () C:\Windows\ERUNT
2014-04-22 09:50 - 2014-04-21 19:50 - 00000000 ____D () C:\AdwCleaner
2014-04-22 09:31 - 2014-04-20 15:36 - 00000000 ____D () C:\ProgramData\2992199F9A
2014-04-22 09:30 - 2012-04-01 12:07 - 00000000 ___RD () C:\Users\Administrator\Desktop\Dropbox
2014-04-22 09:30 - 2010-11-20 21:47 - 00270628 _____ () C:\Windows\PFRO.log
2014-04-22 09:20 - 2014-04-22 09:20 - 00035280 _____ () C:\ComboFix.txt
2014-04-22 09:20 - 2014-04-22 09:14 - 00000000 ____D () C:\Qoobox
2014-04-22 09:19 - 2014-04-22 09:13 - 00000000 ____D () C:\Windows\erdnt
2014-04-22 09:19 - 2009-07-13 20:34 - 00000215 _____ () C:\Windows\system.ini
2014-04-22 08:02 - 2012-03-31 15:54 - 00000000 ____D () C:\ProgramData\MFAData
2014-04-21 19:02 - 2009-07-13 22:45 - 00021504 _____ () C:\Windows\system32\umstartup.etl
2014-04-21 17:53 - 2009-07-13 22:45 - 00018432 _____ () C:\Windows\system32\umstartup000.etl
2014-04-21 17:36 - 2014-04-21 17:36 - 00001102 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-04-21 17:36 - 2014-04-21 17:36 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-04-21 17:36 - 2014-04-21 17:36 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-04-21 17:32 - 2014-04-21 17:32 - 00000000 ____D () C:\Users\Administrator\Desktop\New folder
2014-04-20 19:16 - 2012-11-27 15:36 - 00000000 ___RD () C:\Users\Administrator\Google Drive
2014-04-20 17:07 - 2014-04-20 17:07 - 00002259 _____ () C:\Users\Jeff\Desktop\Google Chrome.lnk
2014-04-20 17:07 - 2014-04-20 17:07 - 00000000 ____D () C:\Users\Jeff\AppData\Local\Google
2014-04-20 17:07 - 2012-03-31 11:45 - 00000000 ___RD () C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2014-04-20 17:07 - 2012-03-31 11:45 - 00000000 ____D () C:\Users\Jeff\AppData\Local\VirtualStore
2014-04-20 15:42 - 2014-02-06 11:07 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Battle.net
2014-04-18 21:40 - 2014-02-06 11:07 - 00000000 ____D () C:\Program Files (x86)\Battle.net
2014-04-08 22:20 - 2014-02-20 10:59 - 00000000 ____D () C:\Users\Administrator\Documents\My Maps
2014-04-08 12:51 - 2012-11-02 13:39 - 00001456 _____ () C:\Users\Administrator\AppData\Local\Adobe Save for Web 13.0 Prefs
2014-04-08 10:48 - 2014-02-04 14:45 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-04-08 10:48 - 2012-05-14 14:11 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-04-08 10:47 - 2012-03-31 11:54 - 00000000 ____D () C:\Users\Administrator
2014-04-08 09:31 - 2012-10-24 19:49 - 00000000 ____D () C:\Program Files (x86)\Diablo III
2014-04-07 21:43 - 2014-03-10 11:57 - 00000000 ____D () C:\Users\Administrator\AppData\Local\EvernoteNW
2014-04-03 09:51 - 2014-04-21 17:36 - 00063192 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-04-03 09:50 - 2014-04-21 17:36 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-03-31 15:44 - 2013-08-26 23:05 - 00025995 _____ () C:\1020.log
2014-03-31 15:43 - 2014-03-31 15:43 - 03204296 _____ () C:\Users\Administrator\Downloads\lj1018_1020_1022-HB-pnp-win64-en(1).exe
2014-03-27 03:48 - 2012-10-29 14:05 - 00003908 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-03-27 03:48 - 2012-10-29 14:05 - 00003656 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-03-24 17:05 - 2014-03-24 17:05 - 00000000 ____D () C:\Users\Administrator\Documents\Adobe
2014-03-24 17:05 - 2012-03-31 15:31 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Adobe

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2014-04-19 00:27

==================== End Of Log ============================

Addition.txt


Farbar Service Scanner Version: 25-02-2014
Ran by Administrator (administrator) on 22-04-2014 at 15:46:10
Running from "O:\VIRUS-Malware"
Microsoft Windows 7 Ultimate  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error. Google IP is unreachable
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo.com returned error: Other errors


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\S


Please download http://www.rizonesoft.com/?ddownload=504 Complete Internet Repair and save it to your Desktop. <--- Do not save anywhere else. Transfer with flash drive...

Double click the icon and select Run (accept UAC alert if applicable)

Click Extract

Double click the Complete Internet Repair folder on your desktop.

Run the version relevant to your system, 32 bit or 64 bit.

Double click the CIntRep.exe icon  <----32 bit version.

Double click the ClntRep_64.exe icon  <--- 64 bit version

Place a checkmark next to the following entries:

 

Reset Internet Protocol (TCP/IP)

Repair Winsock (Reset Catalog)

Renew Internet Connections

Flush DNS Resolver Cache

Repair Internet Explorer 6.0.2900

Clear Windows Update History

Repair Windows / Automatic Updates

Repair SSL / HTTPS / Cryptography

Reset Windows Firewall Configuration

Restore the default hosts file

Repair Workgroup Computers view

 

Click Go!

 

Ignore any error messages for now

 

Click OK to reboot your computer. Is internet restored...


Kevin, thank you for the time!

 

OK, completed just as you explained previously and I am NOT able to connect to the internet. dang.

 

Secondly, I blue screened super-quick on the mandatory restart which flashes super fast and upon reboot opens a "Windows has recovered from an unexpected shutdown" dialog. I still have that open if you want the details.

 

Standing by if you have any other suggestions. Again, thank you!


Run FSS one more time and post the new log..

 

Also can you zip up and attach the last couple of files from the minidump folder... eg C:\Windows\Minidump\042214-18220-01.dmp. If you have any trouble with the files, right click on the file, select copy. Go to Desktop, right click anywhere in open space and select paste.

Then right click on the copied file > select > send to > compressed (zipped) folder. The zipped folder will save in the same place as the file. Attach each to your reply.


Farbar Service Scanner Version: 25-02-2014
Ran by Administrator (administrator) on 22-04-2014 at 16:45:18
Running from "O:\VIRUS-Malware"
Microsoft Windows 7 Ultimate  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error. Google IP is unreachable
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo.com returned error: Other errors


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\iphlpsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

042214-18220-01.rar

042214-18969-01.rar

042214-34023-01.rar


Can you right click on the Internet icon next to the clock, select "Troubleshoot Problems"  What information do you see?

 

Next,

 

Select start > into the search box type device manager hit enter or select ok. In device manager are there any question or exclamation remarks against the following?

 

Realtek PCIe GBE Family Controller

 

Universal Serial Bus (USB) Controller

 

Event viewer indicates a driver update is required for both. Also the first one (Realtek PCIe) is listed as disabled: left click once to highlight Realtek, select "action" from the menu bar, then select "enable device". This starts the Enable Device wizard. Follow the instructions.

 

When that completes right click on each in turn and select update driver. As the internet is down you can only search the computer or installation DVD if available. As you have access to another PC, check the website of the device for a driver update, d/l and save to flash drive. Point to that driver when selecting update driver in device manager.....
 


Yes, trouble-shooting doesn't resolve anywhere from [1] Detecting Problems or [2] Explore additional options...

 

Secondly, yes, there are exclamation marks next to both of those precise Network Adapters and Other devices. I have cycled through trying to update driver while each listed is Enabled and Disabled with no success of progress. Always loops back to nada.

 

Looking for drivers from Mfger's now and will attempt install. Stand by...


Kevin,

I've spent this last hour reattempting to install the latest drivers from device Manager and the setup file I found from Realtek. Neither had success, even my old CD with installer. Several reboots and trying to select the file direct from the driver download folder... (it even recognizes it when searching the USB thumbdrive) Every time I get the result of no avail. See attached image.

 

I'm at a loss. damn. Any other thoughts would be greatly appreciated!

thanks again for your efforts here!!!

Jeff



Hiya Jeff,

 

I do not see the attached image, comes up with error message when I try to open.....

 

OK go back to Device manager, right click on each device in turn and select Uninstall. Close out device manager and re-boot your system. When the system boots Windows should see the hardware and install and attribute drivers from its own cache.

 

Go back into Device manager, see if the exclamations have cleared, if they have check connection. If no connection run the internet repair tool one more time, then reboot.....

 

Any good?


Nothing but the best this morning! Fresh rain last night, hot coffee (strong) this morning and a working computer! Kevin, I really appreciate your assistance with me on this issue. Really.

 

Couple things: I never really saw a confirmation from your responses to the logs and attachments that the ransom-ware was completely removed. Did you see that it was destroyed? Secondly, are there any last steps on cleaning my system of all the installs and ancillary products? I'll keep the Malwarebytes software installed for future checking. Any recommendations would be appreciated!

 

Lastly, I intend on paying you for your time! Well worth it!

Kindly, Jeff


Thank you for the kind words, much appreciated. I never saw any obvious malware or infection in the logs uploaded; that should not be taken as concrete evidence that your system is clean. Before we progress, clean up and remove tools I would like one final SCAN....

 

We need to run an online AV scan to ensure there are no remnants of any infection left on your system that may have been missed. This scan is very thorough and well worth running; it can take several hours, please be patient and let it complete:

 

Run Eset Online Scanner

 

**Note** You will need to use Internet Explorer for this scan - Vista and Windows 7/8 right click on IE shortcut and run as admin

 

Go to Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.

 


Turn off the real time scanner of any existing antivirus program while performing the online scan
click on the Run ESET Online Scanner button
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the add-on to be installed
Click Start
Make sure that the option "Remove found threats"  is UNticked
Click on Advanced Settings, ensure the options
Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
Click Scan
wait for the virus definitions to be downloaded
Wait for the scan to finish

 

When the scan is complete

 


If no threats were found
put a checkmark in "Uninstall application on close"
close program
report to me that nothing was found

 

If threats were found

 


click on "list of threats found"
click on "export to text file" and save it as ESET SCAN and save to the desktop
Click on back
put a checkmark in "Uninstall application on close"
click on finish

 

close program

 

Copy and paste the report in next reply. Also give an update on any remaining issues or concerns.......

 

Thank you,

 

Kevin..... ;)



Odd behavior (not surprising) on IE's part... (I'm not a fan of IE at all) - [1] IE won't stay open. It flashes a quick window as if it's opening and very quickly shuts down. [2] I downloaded v11, v10, v9. All of these new installers claim by small dialog box that, "Internet Explorer did not finish installing - Internet Explorer XX is already installed on this system."

 

Any thoughts on how to get around IE? or how to proceed?

Thanks!


Go here:  http://support.microsoft.com/kb/923737 Expand "Automatically open the Reset Internet Explorer Settings dialog box", use the internal link to download the automatic wizard, run that to reset IE settings...

Does IE respond any better...

Regarding Disk drives, have a read here: http://www.computerhope.com/issues/ch001090.htm
 


No luck two times through. (Tried it a second time for good measure after a reboot and assurance nothing else was running). So the result is the same when trying to open any version of IE; v11 which is installed and the installers of v10, v9.

 

Thoughts?


Howdy!

Hey, the Uninstall IE11 worked great. Rolling back to the previous version allows IE to run. Next, went back to your previous instructions and am watching ESET Online Scanner do its deal at the moment. Thank you! I'll report back once the scan is complete. Anything else at the moment?

 

You're awesome!


Crazy that ESET found more...

 

C:\Users\All Users\2992199F9A\cll4jzbj.cpp    a variant of Win32/Kryptik.CAGW trojan
C:\Users\All Users\2992199F9A\jbzj4llc.faa    Win64/Reveton.A trojan
C:\ProgramData\2992199F9A\cll4jzbj.cpp    a variant of Win32/Kryptik.CAGW trojan    cleaned by deleting - quarantined
C:\ProgramData\2992199F9A\jbzj4llc.faa    Win64/Reveton.A trojan    cleaned by deleting - quarantined
 
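The directory ESET flagged, C:\ProgramData\2992199F9A, already appeared in the FRST "one month modified" listing earlier in this thread: a top-level ProgramData folder named with nothing but hex digits, holding files with misleading extensions (.cpp, .faa). The script below is an added triage example written for this thread, not a tool from the forum or from any vendor; it enumerates such folders and records size, timestamps, SHA-256 and Authenticode status for each file so the findings can be compared against a scanner's report. It assumes Windows PowerShell 2.0 or later (the Windows 7 default) run from an elevated prompt, and the hex-name pattern is an assumption you may need to tune.

```powershell
# Added triage example (not from the thread or any vendor): list hex-named
# directories directly under ProgramData, like C:\ProgramData\2992199F9A
# from the FRST log, and report every file inside with hash and signature.
# Assumes Windows PowerShell 2.0+ (Windows 7) in an elevated session.
param(
    [string]$Root = $env:ProgramData,
    # Assumed pattern: names of 8-16 hex digits only. Legitimate vendors
    # rarely use this; widen or narrow it for your environment.
    [string]$NamePattern = '^[0-9A-Fa-f]{8,16}$'
)

function Get-Sha256Hex {
    # Hash via .NET so this also works on PowerShell 2.0 (no Get-FileHash).
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    # Open read-only with shared access so files held open by a process
    # (common for droppers) can still be hashed.
    $stream = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try {
        $bytes = $sha.ComputeHash($stream)
        return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
    } finally {
        $stream.Close()
        $sha.Clear()
    }
}

# -Force includes hidden/system entries, which droppers often set.
$suspect = Get-ChildItem -LiteralPath $Root -Force |
    Where-Object { $_.PSIsContainer -and $_.Name -match $NamePattern }

if (-not $suspect) {
    Write-Output "No hex-named directories found directly under $Root"
    return
}

foreach ($dir in $suspect) {
    Write-Output ("== {0}  (created {1:yyyy-MM-dd HH:mm})" -f `
        $dir.FullName, $dir.CreationTime)
    Get-ChildItem -LiteralPath $dir.FullName -Force -Recurse |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            # Non-PE files (the .cpp/.faa names seen above) report NotSigned
            # or UnknownError; either way there is no trusted publisher.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            New-Object PSObject -Property @{
                Path      = $_.FullName
                Bytes     = $_.Length
                Modified  = $_.LastWriteTime
                SHA256    = Get-Sha256Hex $_.FullName
                Signature = $sig.Status
            }
        } | Format-Table Path, Bytes, Modified, Signature, SHA256 -AutoSize
}
```

Record the output before any scanner quarantines the files, so the hashes survive for later comparison or submission.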


Kevin,

Couple details I think; know that the Blue Screens upon restart have stopped. Through the last few steps where I've needed to restart, I have NOT seen a Blue Screen nor has the Windows Dialog box shown confirming that a crash has occurred.

 

I resolved a couple of Disk Drives that were not mounting and have successfully Reactivated them via Disk Mgmt. I downloaded the 30day trial of ESET and am running an ESET deep scan on all external drives (5 = 2.5TB, take some time)

 

So, awaiting your instructions on next steps but also keeping you in the loop with current processes.

Thank you!


Thanks for the update, we seem to have made good positive progress. Let's wait until the ESET deep scan completes and see what information is returned.... After that, depending how your system is responding, if there are any remaining issues or concerns etc we plan our next actions...

 

Kevin....
