Bringing my Asus EEE back from the dead


  • This topic is locked
133 replies to this topic

#1 JoAnne DG

  • Members
  • 170 posts
  • OFFLINE
  • Local time:10:45 AM

Posted 18 February 2015 - 04:36 PM

Back in December of 2011, I got a virus on my Asus EEE machine. I was still able to start the machine, access saved documents, etc., but when I tried to get on the internet, the machine would turn itself off. I've let it sit since then, but a recent great experience here on Bleeping Computer led me to try to revive the computer a few days ago.

 

I ran Malwarebytes, JRT and RogueKiller on the machine, with some success. I also tried unsuccessfully to use a system restore date of 12/27/11, right before I got the virus. After all those interventions, the computer stopped turning itself off after I clicked the IE icon, and I was able to get to a blank IE screen, but not to my homepage.

 

I then visited this page using a different computer -- http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/ -- and attempted to do the preliminary steps before asking for help. I was unable to enable the firewall on the ASUS as I could not connect with Windows Firewall/Internet Connection Sharing. I have no FRST log to post as I was also unable to download FRST 32 to a thumb drive since my other computer is a 64-bit computer. Sorry. When I try to troubleshoot my lack of internet access, the diagnostics say that I have no IP address. (I do have the old address written down.) I also get a message that says, "The ASUS EEE ACPI Service needs to close."

 

 

I first ran JRT: the JRT log is below. Malwarebytes found and deleted 2 files after I ran JRT. RogueKiller found a bunch of PUM files in the registry, which it deleted and replaced.

 

The ASUS runs Windows XP. I was running Trend Micro Titanium at the time I got the virus.

 

 

I think all I may need to do is put in an IP address and clean up any remaining virus. I have to say that I would not have had the confidence to try this had I not had such a wonderful prior experience here.

 

Thanks so much,

 

JoAnne

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.0 (11.29.2014:1)
OS: Microsoft Windows XP x86
Ran by JoAnne on Mon 02/16/2015 at 22:00:28.93
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL

 

~~~ Registry Keys

Successfully deleted: [Registry Key - Orphan] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}
Successfully deleted: [Registry Key - Orphan] HKEY_CLASSES_ROOT\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}

 

~~~ Files

 

~~~ Folders

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 02/16/2015 at 22:12:16.14
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Edited by hamluis, 18 February 2015 - 05:11 PM.
Moved from AV/AM Software to Am I Infected - Hamluis.



#2 shanepearce

  • Banned
  • 50 posts
  • OFFLINE
  • Local time:03:45 AM

Posted 18 February 2015 - 04:48 PM

Try booting from a repair CD:
https://www.technibble.com/large-list-of-useful-computer-repair-cds/
Hiren's BootCD is a good one, but make sure you get 15.2, as it is the only legal one without any illegal software on it.
http://www.hiren.info/pages/bootcd

#3 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 36,371 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:09:45 AM

Posted 18 February 2015 - 05:15 PM

Based on the information provided in this Topic, and my prior knowledge of the circumstances surrounding this computer the Topic will be moved to the Virus Removal Forum. Thank you for your assistance.

Oh My!

Edited by Oh My!, 18 February 2015 - 05:16 PM.

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#4 Oh My!

Posted 18 February 2015 - 05:18 PM

Hi JoAnne,

Just wanted to let you know I am aboard. Please give me just a few minutes to review your Post. :)
Gary

#5 Oh My!

Posted 18 February 2015 - 05:27 PM

Greetings JoAnne,

I know you know the routine so I will spare you the introduction.

You should be able to download the 32-bit version of FRST on a 64-bit computer. If you are able to, please run the program and post the logs.

Please do this. Obviously you will need to download from a working computer and transfer the file.

===================================================

Farbar's Service Scanner

--------------------
  • Please download Farbar Service Scanner, save it to your desktop, and run it.
  • Make sure the following options are checked:

Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other Services

  • Press Scan
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
===================================================

Farbar's MiniToolBox

--------------------
  • Please download MiniToolBox, save it to your desktop
  • Please close any Firefox browsers you may have open
  • Double click the icon to launch the program
  • Make sure only the following options are checked:

Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List devices >>(Problem only)<<

  • Click Go and once the scan is completed a Result.txt Notepad document will open on your desktop
  • Please copy and paste the contents in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • FRST logs, if available
  • FSS.txt
  • Result.txt

Gary

#6 JoAnne DG (Topic Starter)

Posted 18 February 2015 - 06:22 PM

Great to "see" you, Gary!

 

Here's FSS log:

 

Farbar Service Scanner Version: 17-01-2015
Ran by JoAnne (ATTENTION: The logged in user is not administrator) on 18-02-2015 at 17:07:56
Running from "D:\"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

afd Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open afd registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open afd registry key. The service key does not exist.

Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error. Google IP is unreachable
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo.com returned error: Other errors

Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.

Firewall Disabled Policy:
==================
"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\EnableFirewall" registry value does not exist.

System Restore:
============

System Restore Policy:
========================

Security Center:
============

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".

BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS: "C:\WINDOWS\system32\qmgr.dll".

Windows Autoupdate Disabled Policy:
============================

RpcSs Service is not running. Checking service configuration:
The start type of RpcSs service is OK.
The ImagePath of RpcSs service is OK.

Other Services:
==============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\afd.sys
[2009-08-11 07:03] - [2011-02-16 07:22] - 0138496 ____A () D9BFE00AE553C8DD1327EDBF189A0012

ATTENTION!=====> C:\WINDOWS\system32\Drivers\afd.sys IS INFECTED.

C:\WINDOWS\system32\Drivers\netbt.sys => File is digitally signed
C:\WINDOWS\system32\Drivers\tcpip.sys => File is digitally signed
C:\WINDOWS\system32\Drivers\ipsec.sys => File is digitally signed
C:\WINDOWS\system32\dnsrslvr.dll => File is digitally signed
C:\WINDOWS\system32\ipnathlp.dll => File is digitally signed
C:\WINDOWS\system32\netman.dll => File is digitally signed
C:\WINDOWS\system32\wbem\WMIsvc.dll => File is digitally signed
C:\WINDOWS\system32\srsvc.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\sr.sys => File is digitally signed
C:\WINDOWS\system32\wscsvc.dll => File is digitally signed
C:\WINDOWS\system32\wbem\WMIsvc.dll => File is digitally signed
C:\WINDOWS\system32\wuauserv.dll => File is digitally signed
C:\WINDOWS\system32\qmgr.dll => File is digitally signed
C:\WINDOWS\system32\es.dll => File is digitally signed
C:\WINDOWS\system32\cryptsvc.dll => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed

Extra List:
=======
Avgtdix(9) fssfltr(8) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x09000000040000000100000002000000030000000500000006000000070000000800000009000000
ATTENTION!=====> IpSec Tag value should be 4. ATTENTION!=====> IpSec Tag value is missing and it should be 4.

**** End of log ****

 

Here is Result.txt:

 

MiniToolBox by Farbar  Version: 30-11-2014
Ran by JoAnne (administrator) on 18-02-2015 at 17:14:23
Running from "D:\"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

 

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================

127.0.0.1 localhost

========================= IP Configuration: ================================

Atheros AR9285 Wireless Network Adapter = Wireless Network Connection (Connected)
Atheros AR8132 PCI-E Fast Ethernet Controller = Local Area Connection (Media disconnected)

# ----------------------------------
# Interface IP Configuration        
# ----------------------------------
pushd interface ip

# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp

# Interface IP Configuration for "Wireless Network Connection"

set address name="Wireless Network Connection" source=dhcp
set dns name="Wireless Network Connection" source=dhcp register=PRIMARY
set wins name="Wireless Network Connection" source=dhcp

popd
# End of interface IP configuration

 

Windows IP Configuration

 

        Host Name . . . . . . . . . . . . : YOUR-UK0FBXZJ0B

        Primary Dns Suffix  . . . . . . . :

        Node Type . . . . . . . . . . . . : Broadcast

        IP Routing Enabled. . . . . . . . : No

        WINS Proxy Enabled. . . . . . . . : No

 

Ethernet adapter Local Area Connection:

 

        Media State . . . . . . . . . . . : Media disconnected

        Description . . . . . . . . . . . : Atheros AR8132 PCI-E Fast Ethernet Controller

        Physical Address. . . . . . . . . : 90-E6-BA-E8-92-28

 

Ethernet adapter Wireless Network Connection:

 

        Connection-specific DNS Suffix  . :

        Description . . . . . . . . . . . : Atheros AR9285 Wireless Network Adapter

        Physical Address. . . . . . . . . : 00-25-D3-C7-CA-82

        Dhcp Enabled. . . . . . . . . . . : Yes

        Autoconfiguration Enabled . . . . : Yes

        IP Address. . . . . . . . . . . . : 0.0.0.0

        Subnet Mask . . . . . . . . . . . : 0.0.0.0

        Default Gateway . . . . . . . . . :

        DHCP Server . . . . . . . . . . . : 192.168.0.1

Server:  UnKnown
Address:  127.0.0.1

Ping request could not find host google.com. Please check the name and try again.

Server:  UnKnown
Address:  127.0.0.1

Ping request could not find host yahoo.com. Please check the name and try again.

 

Pinging 127.0.0.1 with 32 bytes of data:

 

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

 

Ping statistics for 127.0.0.1:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...90 e6 ba e8 92 28 ...... Atheros AR8132 PCI-E Fast Ethernet Controller - Packet Scheduler Miniport
0x3 ...00 25 d3 c7 ca 82 ...... Atheros AR9285 Wireless Network Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1   1
  255.255.255.255  255.255.255.255  255.255.255.255               3   1
  255.255.255.255  255.255.255.255  255.255.255.255               2   1
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================

Catalog5 01 mswsock.dll [] (Microsoft Corporation)
ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"

Catalog5 02 C:\WINDOWS\system32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 mswsock.dll [] (Microsoft Corporation)
ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"

Catalog9 01 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 05 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 06 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 13 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 14 C:\WINDOWS\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 15 C:\WINDOWS\system32\rsvpsp.dll [92672] (Microsoft Corporation)

========================= Devices: ================================

**** End of log ****

 

I took another stab at FRST. It's telling me I need administrator permission to download. This was my third attempt on this computer. I'll try to locate another working computer or change administrators on this computer.


Edited by JoAnne DG, 18 February 2015 - 06:27 PM.
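The two logs requested in post #5 and posted above carry the whole diagnosis in a handful of lines: FSS cannot open the afd service key and marks C:\WINDOWS\system32\Drivers\afd.sys as infected (afd.sys is the kernel side of Winsock, so without it no socket I/O works and the DHCP client cannot obtain a lease, which is why ipconfig shows 0.0.0.0), and MiniToolBox shows two Winsock catalog entries whose LibraryPath is a bare "mswsock.dll" instead of a fully qualified path. The script below is an added example for this thread, not part of Farbar's tools or of anything posted here: it pulls those findings out of excerpts copied from the two logs, so it runs offline. The decoder for the hex blob in FSS's "Extra List" assumes that blob is a little-endian DWORD array in the GroupOrderList form (a count followed by the tag values); that format is an assumption of this example, not something the log states.

```python
"""Triage of Farbar Service Scanner (FSS.txt) and MiniToolBox (Result.txt)
text. Added example: not part of either tool. The two excerpts below are
copied from the logs posted in this thread so the script runs offline."""
import re
from dataclasses import dataclass

FSS_EXCERPT = r"""
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.

afd Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open afd registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open afd registry key. The service key does not exist.

C:\WINDOWS\system32\Drivers\afd.sys
[2009-08-11 07:03] - [2011-02-16 07:22] - 0138496 ____A () D9BFE00AE553C8DD1327EDBF189A0012

ATTENTION!=====> C:\WINDOWS\system32\Drivers\afd.sys IS INFECTED.

C:\WINDOWS\system32\Drivers\tcpip.sys => File is digitally signed
Extra List:
Avgtdix(9) fssfltr(8) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x09000000040000000100000002000000030000000500000006000000070000000800000009000000
"""

MTB_EXCERPT = r"""
        IP Address. . . . . . . . . . . . : 0.0.0.0
        DHCP Server . . . . . . . . . . . : 192.168.0.1
Catalog5 01 mswsock.dll [] (Microsoft Corporation)
ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"

Catalog5 02 C:\WINDOWS\system32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 mswsock.dll [] (Microsoft Corporation)
ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "critical", "warning" or "info"
    component: str  # service name, file path, Winsock catalog slot, ...
    detail: str


SERVICE_KEY_MISSING = re.compile(r"Unable to open (\w+) registry key\. The service key does not exist")
FILE_INFECTED = re.compile(r"ATTENTION!=+> (\S+) IS INFECTED")
SERVICE_STOPPED = re.compile(r"^(\w+) Service is not running")
TAG_BLOB = re.compile(r"^0x([0-9A-Fa-f]+)$")
WINSOCK_ENTRY = re.compile(r"^(Catalog\d+ \d+) (\S+) \[\d*\]")
LIBPATH_FIX = re.compile(r'The LibraryPath should be "([^"]+)"')
IP_ADDR = re.compile(r"IP Address[ .]*: (\S+)")


def decode_tag_list(hex_digits: str) -> list[int]:
    """Assumed layout: little-endian DWORDs, first the count, then the tag values."""
    raw = bytes.fromhex(hex_digits)
    if len(raw) % 4:
        raise ValueError("blob length is not a multiple of 4 bytes")
    dwords = [int.from_bytes(raw[i:i + 4], "little") for i in range(0, len(raw), 4)]
    count, tags = dwords[0], dwords[1:]
    if count != len(tags):
        raise ValueError(f"count field says {count}, but {len(tags)} tags follow")
    return tags


def triage_fss(text: str) -> list[Finding]:
    findings, missing_keys = [], set()
    for line in text.splitlines():
        line = line.strip()
        if m := SERVICE_KEY_MISSING.search(line):
            if m.group(1) not in missing_keys:  # FSS repeats this once per checked value
                missing_keys.add(m.group(1))
                findings.append(Finding("critical", m.group(1),
                                        "service key absent from HKLM\\SYSTEM\\CurrentControlSet\\Services"))
        elif m := FILE_INFECTED.search(line):
            findings.append(Finding("critical", m.group(1), "FSS marks this file as infected"))
        elif m := SERVICE_STOPPED.match(line):
            findings.append(Finding("info", m.group(1), "service not running"))
        elif m := TAG_BLOB.match(line):
            tags = decode_tag_list(m.group(1))
            findings.append(Finding("info", "load-order tags", "tags in order: " + ", ".join(map(str, tags))))
    return findings


def triage_mtb(text: str) -> list[Finding]:
    findings = []
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        if m := WINSOCK_ENTRY.match(line):
            following = lines[i + 1] if i + 1 < len(lines) else ""
            if fix := LIBPATH_FIX.search(following):  # MiniToolBox prints the expected path on the next line
                findings.append(Finding("warning", m.group(1),
                                        f"provider path {m.group(2)!r} is not fully qualified; expected {fix.group(1)}"))
        elif m := IP_ADDR.search(line):
            if m.group(1) == "0.0.0.0":
                findings.append(Finding("warning", "ipconfig", "adapter has no address; DHCP lease never completed"))
    return findings


def worst_severity(findings: list[Finding]) -> str:
    rank = {"critical": 2, "warning": 1, "info": 0}
    return max((f.severity for f in findings), key=rank.__getitem__, default="info")


if __name__ == "__main__":
    for f in triage_fss(FSS_EXCERPT) + triage_mtb(MTB_EXCERPT):
        print(f"[{f.severity:8}] {f.component}: {f.detail}")
```

Running it against the excerpts gives two critical findings (the missing afd service key and the afd.sys file) plus the two Winsock warnings and the 0.0.0.0 adapter; those are the items a helper would act on first, and they all point at the same root cause rather than at five separate problems.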


#7 Oh My!

Posted 18 February 2015 - 07:02 PM

Hi JoAnne,

Nice to work with you again too.

Please do this. Again, I will need you to make the necessary adjustments to perform the task.

===================================================

SystemLook by jpshortstuff

--------------------
  • Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Vista/Windows 7 users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following codebox into the main textfield:
:filefind
afd.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • SystemLook report

Gary

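The ":filefind afd.sys" script above asks SystemLook to list every copy of the driver on the disk with its size, date and hash, so the copy FSS flagged can be compared against the reference copies XP keeps (system32\dllcache and ServicePackFiles\i386). As an added example of that comparison, not SystemLook's own code, the script below walks a directory tree for a file name, hashes each hit, and reports which copies disagree with the majority. The directory layout and file contents are constructed for the demo in a temporary directory; the paths only imitate the XP layout, and the hashes have nothing to do with the D9BF... value in the FSS log.

```python
"""Emulate a ':filefind' look over a directory tree and flag the copies whose
hash disagrees with the majority. Added example, not SystemLook's own code;
the tree it walks is built in a temp directory and is entirely constructed."""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def md5_of(path: Path) -> str:
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest().upper()


def filefind(root, name: str) -> list[dict]:
    """Every file called `name` under root, compared case-insensitively as NTFS does."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() != name.lower():
                continue
            p = Path(dirpath) / fname
            st = p.stat()
            hits.append({
                "path": str(p),
                "size": st.st_size,
                "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).strftime("%Y-%m-%d %H:%M"),
                "md5": md5_of(p),
            })
    return sorted(hits, key=lambda h: h["path"])


def odd_ones_out(hits: list[dict]) -> list[str]:
    """Paths whose hash differs from the most common hash among the copies found."""
    by_hash: dict[str, list[str]] = {}
    for h in hits:
        by_hash.setdefault(h["md5"], []).append(h["path"])
    if len(by_hash) < 2:
        return []  # all copies agree (or only one copy exists): nothing to single out
    majority = max(by_hash, key=lambda k: len(by_hash[k]))
    return [p for k, paths in by_hash.items() if k != majority for p in paths]


def build_demo_tree() -> Path:
    """Constructed stand-in for the XP layout: two reference copies and one live copy."""
    root = Path(tempfile.mkdtemp(prefix="filefind_demo_"))
    for sub in ("system32/Drivers", "system32/dllcache", "ServicePackFiles/i386"):
        (root / sub).mkdir(parents=True)
    clean = b"MZ" + b"\x00" * 64 + b"constructed stand-in for a clean afd.sys"
    (root / "system32/dllcache/afd.sys").write_bytes(clean)
    (root / "ServicePackFiles/i386/afd.sys").write_bytes(clean)
    # the live driver differs from both cached copies, as a patched file would
    (root / "system32/Drivers/afd.sys").write_bytes(clean + b"\x90" * 16)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    try:
        found = filefind(demo_root, "afd.sys")
        for h in found:
            print(f"{h['md5']}  {h['size']:>8}  {h['mtime']}  {h['path']}")
        print("disagrees with the cached copies:", odd_ones_out(found))
    finally:
        shutil.rmtree(demo_root)
```

The majority rule is only a heuristic: two cached copies agreeing against one live copy is the usual picture for a patched system driver, but the verdict still has to be confirmed against the file's signature or a known-good hash before anything is replaced.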
#8 JoAnne DG (Topic Starter)

Posted 18 February 2015 - 08:03 PM

Having problems. Got the FRST 32-bit version from another computer. It won't run; it says it has "encountered a problem" and needs to close. SystemLook doesn't give me a prompt that says SystemLook.exe. It gives me a button that says "Look." When I click on it, there's a message that says, "Script required."

 

The FRST 32-bit version also won't run. Not a valid Win32 application.


Edited by JoAnne DG, 18 February 2015 - 08:04 PM.


#9 Oh My!

Posted 18 February 2015 - 08:37 PM

Please attempt to complete the steps while in Safe Mode.
Gary

#10 JoAnne DG (Topic Starter)

Posted 18 February 2015 - 10:36 PM

Sweet success!!!!

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 18-02-2015 01
Ran by Administrator (administrator) on YOUR-UK0FBXZJ0B on 18-02-2015 21:30:02
Running from D:\
Loaded Profiles: Administrator (Available profiles: JoAnne & Tom & Administrator)
Platform: Microsoft Windows XP Home Edition Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Safe Mode (minimal)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(Farbar) D:\FRST32.exe
==================== Registry (Whitelisted) ==================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [AsusACPIServer] => C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe [630784 2009-04-16] (ASUSTeK Computer Inc.)
HKLM\...\Run: [AsusEPCMonitor] => C:\Program Files\EeePC\ACPI\AsEPCMon.exe [98304 2009-03-13] (ASUSTeK Computer Inc.)
HKLM\...\Run: [AsusTray] => C:\Program Files\EeePC\ACPI\AsTray.exe [118784 2009-04-16] (ASUSTeK Computer Inc.)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1512744 2009-04-09] (Synaptics Incorporated)
HKLM\...\Run: [SynAsusAcpi] => C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe [79144 2009-04-09] (Synaptics Incorporated)
HKLM\...\Run: [LiveUpdate] => C:\Program Files\Asus\LiveUpdate\LiveUpdate.exe [712704 2009-06-25] ()
HKLM\...\Run: [IMJPMIG8.1] => C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [208952 2008-04-14] (Microsoft Corporation)
HKLM\...\Run: [MSPY2002] => C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe [59392 2008-04-14] ()
HKLM\...\Run: [PHIME2002ASync] => C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [455168 2008-04-14] (Microsoft Corporation)
HKLM\...\Run: [PHIME2002A] => C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [455168 2008-04-14] (Microsoft Corporation)
HKLM\...\Run: [RemoteControl] => C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [71216 2007-03-14] (Cyberlink Corp.)
HKLM\...\Run: [LanguageShortcut] => C:\Program Files\CyberLink\PowerDVD\Language\Language.exe [52256 2007-01-08] ()
HKLM\...\Run: [LGODDFU] => C:\Program Files\lg_fwupdate\fwupdate.exe [557056 2009-12-29] (BitLeader)
HKLM\...\Run: [RTHDCPL] => C:\WINDOWS\RTHDCPL.EXE [17881088 2009-04-27] (Realtek Semiconductor Corp.)
HKLM\...\Run: [NIS] => "C:\Program Files\Norton Internet Security\Setup.exe" /RELAUNCH /RUNONCE
HKLM\...\Run: [Trend Micro Titanium] => C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe [1111568 2011-02-16] (Trend Micro Inc.)
HKLM\...\Run: [Trend Micro Client Framework] => C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe [116752 2011-02-10] (Trend Micro Inc.)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254696 2011-06-09] (Sun Microsystems, Inc.)
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKU\S-1-5-21-3321329191-697609078-3071625828-500\...\Run: [Eee Docking] => C:\Program Files\ASUS\Eee Docking\Eee Docking.exe [397312 2009-07-27] ()
HKU\S-1-5-21-3321329191-697609078-3071625828-500\...\MountPoints2: {c7cf2138-863c-11de-bb57-806d6172696f} - E:\setup.exe
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ SuperHybridEngine.lnk
ShortcutTarget: SuperHybridEngine.lnk -> C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe (ASUSTeK Computer Inc.)
Startup: C:\Documents and Settings\JoAnne\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Documents and Settings\Tom\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Documents and Settings\Tom\Start Menu\Programs\Startup\OneNote Table Of Contents.onetoc2 ()
==================== Internet (Whitelisted) ====================
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
HKU\S-1-5-21-3321329191-697609078-3071625828-500\Software\Microsoft\Internet Explorer\Main,Start Page = http://asus.msn.com
HKU\S-1-5-21-3321329191-697609078-3071625828-500\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search
BHO: Adobe PDF Reader Link Helper -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
BHO: TmIEPlugInBHO Class -> {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -> C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1464\6.6.1079\TmIEPlg.dll (Trend Micro Inc.)
BHO: Skype add-on (mastermind) -> {22BF413B-C6D2-4d91-82A9-A0F997BA588C} -> C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
BHO: Windows Live Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll (Google Inc.)
BHO: TmBpIeBHO Class -> {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} -> C:\Program Files\Trend Micro\AMSP\Module\20002\6.6.1010\6.6.1010\TmBpIe32.dll (Trend Micro Inc.)
BHO: Bing Bar Helper -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> "C:\Program Files\Microsoft\BingBar\BingExt.dll" No File
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: JQSIEStartDetectorImpl Class -> {E7E6F031-17CE-4C07-BC86-EABFE594F69C} -> C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKLM - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files\Microsoft\BingBar\BingExt.dll" No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\Module\20002\6.6.1010\6.6.1010\TmBpIe32.dll (Trend Micro Inc.)
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1464\6.6.1079\TmIEPlg.dll (Trend Micro Inc.)
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 03 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Hosts: 127.0.0.1 localhost
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
FireFox:
========
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @microsoft.com/WLPG,version=14.0.8064.0206 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.21.57\npGoogleUpdate3.dll No File
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.21.57\npGoogleUpdate3.dll No File
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-12-30]
FF HKLM\...\Firefox\Extensions: [{22C7F6C6-8D67-4534-92B5-529A0EC09405}] - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1464\6.6.1079\firefoxextension
FF Extension: Trend Micro NSC Firefox Extension - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1464\6.6.1079\firefoxextension [2011-05-27]
FF HKLM\...\Firefox\Extensions: [jqs@sun.com] - C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF Extension: Java Quick Starter - C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2011-08-29]
StartMenuInternet: FIREFOX.EXE - firefox.exe
Chrome:
=======
StartMenuInternet: chrome.exe - C:\Documents and Settings\JoAnne\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
========================== Services (Whitelisted) =================
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
S2 JavaQuickStarterService; C:\Program Files\Java\jre6\bin\jqs.exe [153376 2011-08-29] (Sun Microsystems, Inc.)
S2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
S2 RichVideo; C:\Program Files\CyberLink\Shared Files\RichVideo.exe [272024 2007-05-13] ()
S3 RoxMediaDB11; C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe [1128944 2009-05-20] (Sonic Solutions)
S2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 [X]
S2 BBUpdate; "C:\Program Files\Microsoft\BingBar\SeaPort.EXE" [X]
==================== Drivers (Whitelisted) ====================
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
S3 Ambfilt; C:\WINDOWS\System32\drivers\Ambfilt.sys [1684736 2008-08-05] (Creative)
S3 AR5416; C:\WINDOWS\System32\DRIVERS\athw.sys [1528928 2009-03-14] (Atheros Communications, Inc.)
R3 AsusACPI; C:\WINDOWS\System32\DRIVERS\ASUSACPI.sys [10752 2008-04-08] (ASUSTeK Computer Inc.)
S1 Avgldx86; C:\WINDOWS\System32\DRIVERS\avgldx86.sys [248656 2011-01-07] (AVG Technologies CZ, s.r.o.)
S1 Avgmfx86; C:\WINDOWS\System32\DRIVERS\avgmfx86.sys [34896 2011-03-01] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\WINDOWS\System32\DRIVERS\avgrkx86.sys [32592 2011-03-16] (AVG Technologies CZ, s.r.o.)
S1 Avgtdix; C:\WINDOWS\System32\DRIVERS\avgtdix.sys [297168 2011-04-04] (AVG Technologies CZ, s.r.o.)
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2008-04-13] (Microsoft Corporation)
S2 fssfltr; C:\WINDOWS\System32\DRIVERS\fssfltr_tdi.sys [55152 2009-02-06] (Microsoft Corporation)
S3 L1c; C:\WINDOWS\System32\DRIVERS\l1c51x86.sys [38912 2009-03-01] (Atheros Communications, Inc.)
S3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [23256 2014-11-21] (Malwarebytes Corporation)
S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [114904 2015-02-18] (Malwarebytes Corporation)
S3 Monfilt; C:\WINDOWS\System32\drivers\Monfilt.sys [1389056 2006-01-04] (Creative Technology Ltd.)
S3 MPE; C:\WINDOWS\System32\DRIVERS\MPE.sys [15232 2008-04-14] (Microsoft Corporation)
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2008-04-13] (Microsoft Corporation)
S3 RT80x86; C:\WINDOWS\System32\DRIVERS\RT2860.sys [1015424 2009-07-10] (Ralink Technology, Corp.)
S3 SNP2UVC; C:\WINDOWS\System32\DRIVERS\snp2uvc.sys [1759616 2009-03-13] ()
S2 tmactmon; C:\WINDOWS\System32\DRIVERS\tmactmon.sys [80464 2011-01-25] (Trend Micro Inc.)
S2 tmcomm; C:\WINDOWS\System32\DRIVERS\tmcomm.sys [189520 2011-01-25] (Trend Micro Inc.)
S2 tmevtmgr; C:\WINDOWS\System32\DRIVERS\tmevtmgr.sys [64080 2011-01-25] (Trend Micro Inc.)
S1 tmtdi; C:\WINDOWS\System32\DRIVERS\tmtdi.sys [92112 2011-01-25] (Trend Micro Inc.)
S3 USB28xxBGA; C:\WINDOWS\System32\DRIVERS\emBDA.sys [566784 2009-04-22] (eMPIA Technology, Inc.)
S3 USB28xxOEM; C:\WINDOWS\System32\DRIVERS\emOEM.sys [528256 2009-04-22] (eMPIA Technology, Inc.)
S3 uvclf; C:\WINDOWS\System32\DRIVERS\uvclf.sys [39040 2008-11-19] (GenesysLogic Technologies, Inc.)
S3 AmUStor; system32\drivers\AmUStor.SYS [X]
S3 btaudio; system32\drivers\btaudio.sys [X]
S3 BTDriver; system32\DRIVERS\btport.sys [X]
S3 BTWDNDIS; system32\DRIVERS\btwdndis.sys [X]
S3 btwhid; system32\DRIVERS\btwhid.sys [X]
S3 BTWUSB; System32\Drivers\btwusb.sys [X]
S4 IntelIde; No ImagePath
U1 WS2IFSL; No ImagePath
==================== NetSvcs (Whitelisted) ===================
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
==================== One Month Created Files and Folders ========
(If an entry is included in the fixlist, the file\folder will be moved.)
2015-02-18 18:57 - 2015-02-18 21:30 - 00000000 ____D () C:\FRST
2015-02-18 18:16 - 2015-02-18 18:10 - 00139264 _____ () C:\Documents and Settings\JoAnne\Desktop\SystemLook.exe
2015-02-18 16:43 - 2015-02-18 16:43 - 00090112 _____ () C:\WINDOWS\Minidump\Mini021815-01.dmp
2015-02-16 22:51 - 2015-02-17 22:50 - 00034808 _____ () C:\WINDOWS\system32\Drivers\TrueSight.sys
2015-02-16 22:50 - 2015-02-16 22:51 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\RogueKiller
2015-02-16 22:12 - 2015-02-16 22:12 - 00001510 _____ () C:\Documents and Settings\Tom\Desktop\JRT.txt
2015-02-16 22:00 - 2015-02-16 22:00 - 00000000 ____D () C:\WINDOWS\ERUNT
2015-02-16 21:42 - 2015-02-18 17:05 - 00114904 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-02-16 21:42 - 2015-02-17 21:42 - 00000777 _____ () C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2015-02-16 21:42 - 2015-02-17 21:42 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2015-02-16 21:42 - 2015-02-17 21:42 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2015-02-16 21:42 - 2014-11-21 06:14 - 00054360 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-02-16 21:41 - 2015-02-16 21:42 - 00000000 ____D () C:\Documents and Settings\Tom\Application Data\Malwarebytes
==================== One Month Modified Files and Folders =======
(If an entry is included in the fixlist, the file\folder will be moved.)
2015-02-18 21:30 - 2011-12-21 18:05 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Temp
2015-02-18 21:06 - 2009-08-11 00:10 - 00004822 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2015-02-18 19:07 - 2011-07-25 18:34 - 00000982 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-3321329191-697609078-3071625828-1006UA.job
2015-02-18 18:23 - 2010-01-31 14:45 - 00000886 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-02-18 17:21 - 2011-09-03 22:16 - 00001002 _____ () C:\WINDOWS\Tasks\FacebookUpdateTaskUserS-1-5-21-3321329191-697609078-3071625828-1006UA.job
2015-02-18 17:14 - 2009-12-28 10:03 - 00000000 ____D () C:\Documents and Settings\JoAnne\Local Settings\Temp
2015-02-18 17:05 - 2010-02-14 20:36 - 00000000 ____D () C:\Documents and Settings\JoAnne\Tracing
2015-02-18 17:05 - 2009-12-29 15:20 - 00000347 _____ () C:\WINDOWS\lgfwup.ini
2015-02-18 17:05 - 2009-12-29 15:20 - 00000000 ____D () C:\Program Files\lg_fwupdate
2015-02-18 17:04 - 2010-01-31 14:45 - 00000882 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-02-18 17:04 - 2009-12-29 16:56 - 00000000 ____D () C:\Documents and Settings\JoAnne\Start Menu\Programs\CyberLink DVD Suite
2015-02-18 16:43 - 2011-02-03 16:58 - 00000000 ____D () C:\WINDOWS\Minidump
2015-02-18 16:43 - 2009-08-11 07:19 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-02-18 16:43 - 2009-08-11 07:14 - 01512358 _____ () C:\WINDOWS\WindowsUpdate.log
2015-02-18 16:43 - 2009-08-11 00:12 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2015-02-18 16:43 - 2009-08-11 00:12 - 00000049 _____ () C:\WINDOWS\wiaservc.log
2015-02-18 15:22 - 2009-12-28 11:11 - 00000000 ____D () C:\Documents and Settings\Tom\Local Settings\Temp
2015-02-18 15:21 - 2009-12-29 15:13 - 00000000 ____D () C:\Documents and Settings\Tom\Start Menu\Programs\CyberLink DVD Suite
2015-02-17 23:51 - 2009-12-28 11:11 - 00000178 ___SH () C:\Documents and Settings\Tom\ntuser.ini
2015-02-17 23:51 - 2009-12-28 10:03 - 00000178 ___SH () C:\Documents and Settings\JoAnne\ntuser.ini
2015-02-17 23:43 - 2009-12-31 20:16 - 00001134 ____C () C:\Documents and Settings\JoAnne\Application Data\wklnhst.dat
2015-02-17 23:21 - 2011-09-03 22:16 - 00000980 _____ () C:\WINDOWS\Tasks\FacebookUpdateTaskUserS-1-5-21-3321329191-697609078-3071625828-1006Core.job
2015-02-17 22:45 - 2009-08-11 07:19 - 00000178 ___SH () C:\Documents and Settings\LocalService\ntuser.ini
2015-02-17 22:44 - 2009-08-11 07:19 - 00032506 _____ () C:\WINDOWS\SchedLgU.Txt
2015-02-17 22:43 - 2011-09-22 00:19 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\AVAST Software
2015-02-17 22:43 - 2009-08-11 07:16 - 00002577 _____ () C:\WINDOWS\system32\CONFIG.NT
2015-02-17 11:23 - 2009-08-11 00:09 - 00156228 _____ () C:\WINDOWS\setupapi.log
2015-02-17 01:07 - 2011-07-25 18:34 - 00000930 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-3321329191-697609078-3071625828-1006Core.job
2015-02-16 21:42 - 2011-12-20 23:03 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes
2015-02-16 21:34 - 2009-08-11 07:03 - 00001158 _____ () C:\WINDOWS\system32\wpa.dbl
Some content of TEMP:
====================
C:\Documents and Settings\JoAnne\Local Settings\Temp\dllnt_dump.dll
C:\Documents and Settings\JoAnne\Local Settings\Temp\GUR1.exe
C:\Documents and Settings\Tom\Local Settings\Temp\dllnt_dump.dll
==================== Bamital & volsnap Check =================
(There is no automatic fix for files that do not pass verification.)
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
==================== End Of Log ============================

Edited by Oh My!, 18 February 2015 - 10:41 PM.
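As an added example for this thread (not part of the post above, and not code from FRST or BleepingComputer), the Python script below parses the Services and Drivers lines of an FRST log like the one just posted and lists the entries of the kind a helper moves into a fixlist: services and drivers whose binary FRST could not find (marked [X]), entries with no ImagePath value, and boot/system/auto-start entries whose file carries no company name (FRST prints an empty "()"). The sample lines are copied from the log above; the start-type letters and the bracket layout are as FRST prints them, while the empty-company heuristic is this example's own rule, not an FRST one.

```python
"""Triage the Services/Drivers sections of a Farbar Recovery Scan Tool log.

Added example for this thread; not part of FRST. It understands lines such as

    S2 Amsp; "C:\\...\\coreServiceShell.exe" coreFrameworkHost.exe -m=rb [X]
    R3 AsusACPI; C:\\WINDOWS\\System32\\DRIVERS\\ASUSACPI.sys [10752 2008-04-08] (ASUSTeK Computer Inc.)
    S4 IntelIde; No ImagePath
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# FRST prefix: R = running, S = stopped, U = unknown state; the digit is the
# Windows start value (0 boot, 1 system, 2 auto, 3 manual, 4 disabled).
ENTRY_RE = re.compile(r'^(?P<state>[RSU])(?P<start>[0-4])\s+(?P<name>[^;]+);\s*(?P<rest>.*)$')
# Trailing "[size date] (company)" block that FRST appends when the file exists.
FILE_INFO_RE = re.compile(r'\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s*\((?P<company>[^)]*)\)\s*$')


@dataclass
class ServiceEntry:
    name: str
    state: str                 # R, S or U
    start: int                 # 0..4
    image_path: str
    size: Optional[int]
    date: Optional[str]
    company: Optional[str]     # '' when FRST printed an empty "()"
    missing_file: bool         # FRST marks a binary it cannot find with [X]
    no_image_path: bool        # registry key exists but has no ImagePath value


def parse_entry(line: str) -> Optional[ServiceEntry]:
    """Parse one FRST service/driver line; return None for anything else."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    rest = m['rest'].strip()
    missing = rest.endswith('[X]')
    no_path = rest == 'No ImagePath'
    size = date = company = None
    path = rest
    fi = FILE_INFO_RE.search(rest)
    if fi:
        size, date, company = int(fi['size']), fi['date'], fi['company'].strip()
        path = rest[:fi.start()].strip()
    elif missing:
        path = rest[:-3].strip()
    return ServiceEntry(m['name'].strip(), m['state'], int(m['start']),
                        path, size, date, company, missing, no_path)


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Group entry names by the reason a helper would look at them."""
    findings: Dict[str, List[str]] = {
        'missing_file': [], 'no_image_path': [], 'no_publisher_autostart': []}
    for line in lines:
        e = parse_entry(line)
        if e is None:
            continue
        if e.no_image_path:
            findings['no_image_path'].append(e.name)
        elif e.missing_file:
            findings['missing_file'].append(e.name)
        elif e.company == '' and e.start <= 2:
            # boot/system/auto-start binary with no company string: worth a look
            findings['no_publisher_autostart'].append(e.name)
    return findings


# Constructed sample: lines copied from the FRST log posted above.
SAMPLE_LOG_LINES = [
    r'S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)',
    r'S2 RichVideo; C:\Program Files\CyberLink\Shared Files\RichVideo.exe [272024 2007-05-13] ()',
    r'S2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 [X]',
    r'S2 BBUpdate; "C:\Program Files\Microsoft\BingBar\SeaPort.EXE" [X]',
    r'R3 AsusACPI; C:\WINDOWS\System32\DRIVERS\ASUSACPI.sys [10752 2008-04-08] (ASUSTeK Computer Inc.)',
    r'S3 SNP2UVC; C:\WINDOWS\System32\DRIVERS\snp2uvc.sys [1759616 2009-03-13] ()',
    r'S3 btaudio; system32\drivers\btaudio.sys [X]',
    r'S4 IntelIde; No ImagePath',
    r'U1 WS2IFSL; No ImagePath',
    r'==================== NetSvcs (Whitelisted) ===================',
]

if __name__ == '__main__':
    for reason, names in triage(SAMPLE_LOG_LINES).items():
        print(f'{reason}: {", ".join(names) or "-"}')
```

On the sample, the [X] and "No ImagePath" groups come out exactly as the services and drivers the helper's fixlist later in this thread deletes; the third group (RichVideo) is only a prompt to look, since a missing company string is not itself evidence of tampering.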


#11 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,371 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:09:45 AM

Posted 18 February 2015 - 10:48 PM

Can you copy and paste the Addition.txt log? That report should have been created and placed on the Desktop.

Additionally please do this.

===================================================

Farbar's Recovery Scan Tool Search

--------------------
  • Launch FRST
  • Copy/paste the following in the Search Field
afd.sys
  • Click Search File(s) button
  • When completed click OK and a Search.txt document will open on your desktop
  • Copy and paste the contents of that document into your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Addition.txt
  • Search.txt

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#12 Oh My!

Posted 18 February 2015 - 10:59 PM

Hi JoAnne,

You may have figured this out already, but since you are running FRST from your USB drive, the report files will be contained on that device.
Gary
 

#13 JoAnne DG

JoAnne DG
  • Topic Starter

  • Members
  • 170 posts
  • OFFLINE
  • Local time:10:45 AM

Posted 18 February 2015 - 11:43 PM

Farbar Recovery Scan Tool (x86) Version: 18-02-2015 01
Ran by JoAnne at 2015-02-18 22:37:35
Running from D:\
Boot Mode: Normal

================== Search Files: "afd.sys" =============

C:\WINDOWS\system32\drivers\afd.sys
[2009-08-11 07:03][2011-02-16 07:22] 0138496 ____A ()

C:\WINDOWS\system32\dllcache\afd.sys
[2009-08-11 07:03][2011-02-16 07:22] 0138496 ___AC (Microsoft Corporation)  [File is signed]

C:\WINDOWS\$NtUninstallKB956803$\afd.sys
[2009-08-11 13:35][2008-06-20 05:40] 0138496 ___AC (Microsoft Corporation)  [File is signed]

C:\WINDOWS\$NtUninstallKB951748$\afd.sys
[2009-08-11 13:32][2008-04-14 06:00] 0138112 ___AC (Microsoft Corporation)  [File is signed]

C:\WINDOWS\$NtUninstallKB2509553$\afd.sys
[2011-04-16 20:05][2008-08-14 04:04] 0138496 ____C (Microsoft Corporation)  [File is signed]

C:\WINDOWS\$NtUninstallKB2503665$\afd.sys
[2011-06-17 02:11][2008-10-16 08:43] 0138496 ____C (Microsoft Corporation)  [File is signed]

C:\WINDOWS\$hf_mig$\KB956803\SP3QFE\afd.sys
[2009-08-11 13:35][2008-08-14 04:34] 0138496 ____A (Microsoft Corporation)  [File is signed]

C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\afd.sys
[2009-08-11 13:32][2008-06-20 05:48] 0138496 ____A (Microsoft Corporation)  [File is signed]

C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\afd.sys
[2008-10-16 09:07][2008-10-16 09:07] 0138496 ____A (Microsoft Corporation)  [File is signed]

C:\WINDOWS\$hf_mig$\KB2503665\SP3QFE\afd.sys
[2011-06-16 11:23][2011-02-16 07:25] 0138496 ____A (Microsoft Corporation)  [File is signed]

====== End Of Search ======

 

The Addition file is not on the thumb drive.  I am trying to re-run FRST to get it for you.


Edited by JoAnne DG, 18 February 2015 - 11:53 PM.
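As an added example (not part of the post above and not FRST's own code), this Python script parses the Search.txt output just posted and applies the two checks a helper makes when reading it: which copy of afd.sys carries neither a company name nor the "[File is signed]" marker, and which signed Microsoft copy is the newest candidate to put back. The sample text is an abridged copy of the search output above. Reading the second bracketed timestamp as the file's last-write time, and picking the newest signed copy, are this example's assumptions rather than anything FRST or the helper states; on this input the rule happens to land on the same $hf_mig$ copy that the helper's fixlist in the next post copies into place. On a real machine you would still confirm the replacement against a known-good hash from the Microsoft update rather than trust whichever backup copy is newest.

```python
"""Read FRST "Search Files" output and find the unsigned copy of a system driver.

Added example for this thread; not FRST code. Each hit in Search.txt is a path
line followed by a detail line:

    C:\\WINDOWS\\system32\\drivers\\afd.sys
    [2009-08-11 07:03][2011-02-16 07:22] 0138496 ____A ()

The two bracketed values are read here as creation and last-write time (an
assumption about FRST's layout), then size, attribute flags, company name and
an optional "[File is signed]" marker.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

DETAIL_RE = re.compile(
    r'^\[(?P<created>[\d: -]+)\]\[(?P<modified>[\d: -]+)\]\s+(?P<size>\d+)\s+'
    r'(?P<attrs>\S+)\s+\((?P<company>[^)]*)\)\s*(?P<signed>\[File is signed\])?\s*$')
PATH_RE = re.compile(r'^[A-Za-z]:\\')


@dataclass
class FoundFile:
    path: str
    created: str
    modified: str
    size: int
    attrs: str
    company: str
    signed: bool


def parse_search(text: str) -> List[FoundFile]:
    """Pair each path line with the detail line that follows it."""
    files: List[FoundFile] = []
    pending: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('='):   # blank lines and FRST banners
            continue
        m = DETAIL_RE.match(line)
        if m and pending:
            files.append(FoundFile(pending, m['created'], m['modified'], int(m['size']),
                                   m['attrs'], m['company'].strip(), m['signed'] is not None))
            pending = None
        elif PATH_RE.match(line):
            pending = line
    return files


def unsigned_copies(files: List[FoundFile]) -> List[str]:
    """Paths that carry neither a company name nor the signed marker."""
    return [f.path for f in files if not f.signed and f.company == '']


def pick_replacement(files: List[FoundFile], active_path: str) -> Optional[str]:
    """Newest signed Microsoft copy other than the active file (assumed policy)."""
    candidates = [f for f in files
                  if f.signed and f.company == 'Microsoft Corporation'
                  and f.path.lower() != active_path.lower()]
    if not candidates:
        return None
    return max(candidates, key=lambda f: f.modified).path  # ISO-style dates sort as text


# Constructed sample: five of the ten hits from the Search.txt posted above.
SAMPLE_SEARCH_OUTPUT = r"""
================== Search Files: "afd.sys" =============

C:\WINDOWS\system32\drivers\afd.sys
[2009-08-11 07:03][2011-02-16 07:22] 0138496 ____A ()

C:\WINDOWS\system32\dllcache\afd.sys
[2009-08-11 07:03][2011-02-16 07:22] 0138496 ___AC (Microsoft Corporation)  [File is signed]

C:\WINDOWS\$NtUninstallKB956803$\afd.sys
[2009-08-11 13:35][2008-06-20 05:40] 0138496 ___AC (Microsoft Corporation)  [File is signed]

C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\afd.sys
[2008-10-16 09:07][2008-10-16 09:07] 0138496 ____A (Microsoft Corporation)  [File is signed]

C:\WINDOWS\$hf_mig$\KB2503665\SP3QFE\afd.sys
[2011-06-16 11:23][2011-02-16 07:25] 0138496 ____A (Microsoft Corporation)  [File is signed]

====== End Of Search ======
"""

ACTIVE_DRIVER = r'C:\WINDOWS\system32\drivers\afd.sys'

if __name__ == '__main__':
    found = parse_search(SAMPLE_SEARCH_OUTPUT)
    print('unsigned:', unsigned_copies(found))
    print('replacement candidate:', pick_replacement(found, ACTIVE_DRIVER))
```

The point worth noticing in the output above is that every backup copy is the same size as the active driver and is signed, while the one Windows actually loads from system32\drivers has an empty company field and no signature marker; that is the pattern the helper is looking for when asking for this search.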


#14 Oh My!

Posted 18 February 2015 - 11:58 PM

Thank you.

I am ending for the evening and will check your reply in the morning.

Please do this, continuing to make adjustments to the instructions as necessary.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it to your desktop (<<<Important) as fixlist.txt
BHO: Bing Bar Helper -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> "C:\Program Files\Microsoft\BingBar\BingExt.dll" No File
Toolbar: HKLM - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files\Microsoft\BingBar\BingExt.dll" No File
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 03 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
S2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 [X]
S2 BBUpdate; "C:\Program Files\Microsoft\BingBar\SeaPort.EXE" [X]
S3 AmUStor; system32\drivers\AmUStor.SYS [X]
S3 btaudio; system32\drivers\btaudio.sys [X]
S3 BTDriver; system32\DRIVERS\btport.sys [X]
S3 BTWDNDIS; system32\DRIVERS\btwdndis.sys [X]
S3 btwhid; system32\DRIVERS\btwhid.sys [X]
S3 BTWUSB; System32\Drivers\btwusb.sys [X]
S4 IntelIde; No ImagePath
U1 WS2IFSL; No ImagePath
C:\Documents and Settings\JoAnne\Local Settings\Temp\dllnt_dump.dll
C:\Documents and Settings\JoAnne\Local Settings\Temp\GUR1.exe
C:\Documents and Settings\Tom\Local Settings\Temp\dllnt_dump.dll
cmd: copy /y C:\WINDOWS\$hf_mig$\KB2503665\SP3QFE\afd.sys C:\WINDOWS\system32\drivers
  • Launch FRST and press the Fix button just once and wait; the program will automatically load fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Manually Importing an Attached Registry Key (.reg) File

-------------------
  • Download the attached AFD.reg (attachment 161929) and save it to your desktop
  • Right click on the file and select Merge
  • Once you receive confirmation the information was successfully merged reboot your computer
  • Check your Internet access
===================================================

Rerun Farbar Service Scanner and post the results

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Fixlog
  • Do you have Internet access?
  • FSS.txt

Gary
 
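The procedure above ends with reading Fixlog.txt to see whether every directive in fixlist.txt was acted on. As an added example (not from the post and not part of FRST), the following Python script does that comparison mechanically: it derives a key from each fixlist line (service name, file path, CLSID, Winsock catalog entry, or the text after cmd:) and looks for the matching result line in the Fixlog, treating "successfully", "not found" (the key was already gone) and "file(s) copied" as acceptable outcomes. The sample fixlist and Fixlog lines are constructed from this thread, with the result phrasing taken from the Fixlog posted later in it; counting "Key not found" as acceptable is this example's choice.

```python
"""Cross-check an FRST fixlist against the Fixlog it produced.

Added example for this thread; not FRST code. For each fixlist directive it
finds the Fixlog line(s) reporting on it and flags directives with no result or
a result that does not look like success.
"""
import re
from typing import Dict, List, Optional, Tuple

GUID_RE = re.compile(r'\{[0-9a-fA-F-]{36}\}')
SERVICE_RE = re.compile(r'^[RSU][0-4]\s+([^;]+);')
WINSOCK_RE = re.compile(r'^Winsock:\s+Catalog(\d+)\s+(\d+)', re.IGNORECASE)
PATH_RE = re.compile(r'^[A-Za-z]:\\')
# Outcomes accepted as "done": deleted/moved/set successfully, key already absent,
# and the copy command's own "1 file(s) copied." (this example's assumed set).
OK_MARKERS = ('successfully', 'not found', 'file(s) copied')


def directive_key(line: str) -> Optional[Tuple[str, str]]:
    """Classify one fixlist line; None for blanks and FRST's ***** separators."""
    line = line.strip()
    if not line or line.startswith('*'):
        return None
    m = SERVICE_RE.match(line)
    if m:
        return ('service', m.group(1).strip().lower())
    if line.lower().startswith('cmd:'):
        return ('cmd', line[4:].strip().lower())
    m = WINSOCK_RE.match(line)
    if m:
        # FRST reports the entry as "CatalogN entry 000000000001"
        return ('winsock', f'catalog{m.group(1)} entry {int(m.group(2)):012d}')
    g = GUID_RE.search(line)
    if line.startswith(('BHO:', 'Toolbar:')) and g:
        return ('registry', g.group(0).lower())
    if PATH_RE.match(line):
        return ('file', line.lower())
    return ('other', line.lower())


def _after_arrow(line: str) -> str:
    return line.split('=>', 1)[1].strip() if '=>' in line else line


def check_fixlog(fixlist: str, fixlog: str) -> Dict[str, str]:
    """Map each fixlist directive to the outcome text found in the Fixlog."""
    log = [l.strip() for l in fixlog.splitlines() if l.strip()]
    results: Dict[str, str] = {}
    for raw in fixlist.splitlines():
        dk = directive_key(raw)
        if dk is None:
            continue
        kind, key = dk
        found: List[str] = []
        for i, line in enumerate(log):
            low = line.lower()
            if kind in ('service', 'file') and low.startswith(key + ' =>'):
                found.append(_after_arrow(line))
            elif kind == 'registry' and key in low and '=>' in line:
                found.append(_after_arrow(line))
            elif kind == 'winsock' and low.startswith('winsock:') and key in low:
                found.append(line)
            elif kind == 'cmd' and line.startswith('=') and key in low:
                # FRST echoes the command in a ===== banner; its output follows
                found.append(log[i + 1] if i + 1 < len(log) else '(no output)')
        results[raw.strip()] = '; '.join(found) if found else 'no matching result line'
    return results


def all_succeeded(results: Dict[str, str]) -> bool:
    return all(any(mark in r.lower() for mark in OK_MARKERS) for r in results.values())


# Constructed samples, taken from the fixlist and Fixlog posted in this thread.
SAMPLE_FIXLIST = r"""
BHO: Bing Bar Helper -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> "C:\Program Files\Microsoft\BingBar\BingExt.dll" No File
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
S2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 [X]
S4 IntelIde; No ImagePath
C:\Documents and Settings\JoAnne\Local Settings\Temp\GUR1.exe
cmd: copy /y C:\WINDOWS\$hf_mig$\KB2503665\SP3QFE\afd.sys C:\WINDOWS\system32\drivers
"""

SAMPLE_FIXLOG = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d2ce3e00-f94a-4740-988e-03dc2f38c34f} => Key not found.
"HKCR\CLSID\{d2ce3e00-f94a-4740-988e-03dc2f38c34f}" => Key deleted successfully.
Winsock: Catalog5 entry 000000000001\\LibraryPath  was set successfully to %SystemRoot%\System32\mswsock.dll
Amsp => Service deleted successfully.
IntelIde => Service deleted successfully.
C:\Documents and Settings\JoAnne\Local Settings\Temp\GUR1.exe => Moved successfully.

=========  copy /y C:\WINDOWS\$hf_mig$\KB2503665\SP3QFE\afd.sys C:\WINDOWS\system32\drivers =========

        1 file(s) copied.

========= End of CMD: =========
"""

if __name__ == '__main__':
    outcome = check_fixlog(SAMPLE_FIXLIST, SAMPLE_FIXLOG)
    for directive, status in outcome.items():
        print(f'{status:45} <- {directive[:60]}')
    print('all succeeded:', all_succeeded(outcome))
```

A directive that comes back as "no matching result line" is the thing to chase: either FRST never reached it (a fix aborted part way through), or the line was mistyped in fixlist.txt and silently ignored.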

#15 JoAnne DG

JoAnne DG
  • Topic Starter

  • Members
  • 170 posts
  • OFFLINE
  •  
  • Local time:10:45 AM

Posted 19 February 2015 - 12:44 AM

No luck with the Addition.txt in either normal or safe mode.  I kept getting corrupt file messages or a message that says, "A device attached to the system is not functioning."

 

Here is the fixlog:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 18-02-2015 01
Ran by JoAnne at 2015-02-18 23:37:59 Run:2
Running from D:\
Loaded Profiles: JoAnne (Available profiles: JoAnne & Tom & Administrator)
Boot Mode: Safe Mode (minimal)

==============================================

Content of fixlist:
*****************
BHO: Bing Bar Helper -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> "C:\Program Files\Microsoft\BingBar\BingExt.dll" No File
Toolbar: HKLM - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files\Microsoft\BingBar\BingExt.dll" No File
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 03 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
S2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 [X]
S2 BBUpdate; "C:\Program Files\Microsoft\BingBar\SeaPort.EXE" [X]
S3 AmUStor; system32\drivers\AmUStor.SYS [X]
S3 btaudio; system32\drivers\btaudio.sys [X]
S3 BTDriver; system32\DRIVERS\btport.sys [X]
S3 BTWDNDIS; system32\DRIVERS\btwdndis.sys [X]
S3 btwhid; system32\DRIVERS\btwhid.sys [X]
S3 BTWUSB; System32\Drivers\btwusb.sys [X]
S4 IntelIde; No ImagePath
U1 WS2IFSL; No ImagePath
C:\Documents and Settings\JoAnne\Local Settings\Temp\dllnt_dump.dll
C:\Documents and Settings\JoAnne\Local Settings\Temp\GUR1.exe
C:\Documents and Settings\Tom\Local Settings\Temp\dllnt_dump.dll
cmd: copy /y C:\WINDOWS\$hf_mig$\KB2503665\SP3QFE\afd.sys C:\WINDOWS\system32\drivers
*****************

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d2ce3e00-f94a-4740-988e-03dc2f38c34f} => Key not found.
"HKCR\CLSID\{d2ce3e00-f94a-4740-988e-03dc2f38c34f}" => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{8dcb7100-df86-4384-8842-8fa844297b3f} => value deleted successfully.
"HKCR\CLSID\{8dcb7100-df86-4384-8842-8fa844297b3f}" => Key deleted successfully.
Winsock: Catalog5 entry 000000000001\\LibraryPath  was set successfully to %SystemRoot%\System32\mswsock.dll
Winsock: Catalog5 entry 000000000003\\LibraryPath  was set successfully to %SystemRoot%\System32\mswsock.dll
Amsp => Service deleted successfully.
BBUpdate => Service deleted successfully.
AmUStor => Service deleted successfully.
btaudio => Service deleted successfully.
BTDriver => Service deleted successfully.
BTWDNDIS => Service deleted successfully.
btwhid => Service deleted successfully.
BTWUSB => Service deleted successfully.
IntelIde => Service deleted successfully.
WS2IFSL => Service deleted successfully.
C:\Documents and Settings\JoAnne\Local Settings\Temp\dllnt_dump.dll => Moved successfully.
C:\Documents and Settings\JoAnne\Local Settings\Temp\GUR1.exe => Moved successfully.
C:\Documents and Settings\Tom\Local Settings\Temp\dllnt_dump.dll => Moved successfully.

=========  copy /y C:\WINDOWS\$hf_mig$\KB2503665\SP3QFE\afd.sys C:\WINDOWS\system32\drivers =========

        1 file(s) copied.

========= End of CMD: =========

==== End of Fixlog 23:38:01 ====

 

Attempting to merge and getting "Can not import D:|AFD reg:Error accessing the registry."

 

Somehow, I have internet access again, though clicking on the IE icon causes the creation of copies of the icon on the desktop.  I also have a message that says, "Asus ACPI Service Intel igfxext.ege not running.  Display switch hot key is void."

 

There is no FSS.txt on the thumbdrive or desktop.

 

I got a message from Java telling me to update, so I am doing so.

 

Virtual back pats all around!!!! 

 

Good night and thanks!


Edited by JoAnne DG, 19 February 2015 - 01:02 AM.
