
W10 Defender Zeus popup received...and I called the number...help!


21 replies to this topic

#1 PapPawS

Posted 03 May 2017 - 04:02 PM

Dell Optiplex 3020 machine with Windows 10.0.14393 O.S. - When entering a simple search for "drainage solutions in tulsa broken arrow" I immediately got a very valid looking Defender alert screen saying Zeus virus was aboard - do not proceed - call the techline...I took leave of all my senses and ended up doing just that and spoke with two separate "techs" who assured me during repeated questioning that I had in fact reached Microsoft Support Services and they were definitely MS techs who would gladly, and for no charge, help with the issue. OK, stupid me now went further and gave them remote access to my machine. After a rapid presentation of all the problem errors on my machine and an explanation of what they would do to effect repairs and THEN the 3 cost levels (1 year, 2 year or Lifetime service) available for the "repair products" I was asked to choose - repair or complete crashed machine. Long story short...I chose the cheapest level and was told since I had no money at present it could be paid in 10 days on a call back from them. I watched as they remotely ran Junkware Removal Tool (free version) by Malwarebytes, Adguard and CCleaner software along with other things I couldn't completely follow. At the end I had new icons for Adguard, CCleaner, Google Chrome browser and a remote access icon for something like "GoToCustomer" or some such added to my desktop. They asked me to go to any preferred web page to show that all was working which I did. They had my cell phone number already and now asked for name, address and information about taking care of the payment...Knowing full well that I had allowed myself to be scammed by this time, I did not give them any more info and left it with them notifying me that they would be calling me in 10 days time to receive their payment. On termination of the call my machine was rebooted and came up to a W10 logon screen different from normal (no wallpaper). 
On login my machine goes to an Administrator : cmd.exe C:\WINDOWS\system32> black screen. With the use of Ctrl-Alt-Del keys I chose "change user" to be presented with my normal "stack of rocks" wallpaper logon screen but on login still receive only the Administrator : cmd.exe C:\WINDOWS\system32> black screen. System was powered off and remains that way. On another system on my network I have changed router security, financial and email account passwords and have submitted all pertinent info on this to the MS Security form webpage. I received excellent help with a virus on my son's PC from this site two years ago and hope someone will consider helping me regain access to my W10 machine and rid it of any and all "badware". I can't begin to express how ridiculous I feel for being duped by this scam! I thank you in advance for any help that is offered!!

 




#2 iMacg3

Posted 03 May 2017 - 05:06 PM

Try booting into Safe Mode with Networking. This will allow you to run Rkill on your PC.

 

Download Rkill from one of the below three links. (Use the one that runs on your PC without being blocked).

Link 1

Link 2

Link 3

 

  1. Double-click on the file you downloaded (either rkill.exe, iExplore.exe, or rkill.com) to launch Rkill.

  2. If a black box appears, the program is running correctly. If nothing happens, then try another link.

  3. Let the scan complete, then paste the contents of the text file that pops up at the end into a post.

  4. Important: Do not restart your computer once the scan is done!


Edited by iMacg3, 03 May 2017 - 05:18 PM.

Regards, iMacg3

If I do not reply to your malware removal topic in 48 hours, please send me a PM.

"Do, or do not. There is no try." - Yoda


#3 PapPawS

Posted 04 May 2017 - 11:02 AM

Thank you so much for your response. Safe mode with networking did not allow me to access the internet, so I downloaded the Rkill files to a thumb drive on my XP machine, then put them on the W10 box and ran the Link 1 file successfully with the following results:

 

Rkill 2.8.4 by Lawrence Abrams (Grinler)
Copyright 2008-2017 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 05/04/2017 10:48:06 AM in x64 mode. (Safe Mode)
Windows Version: Windows 10 Pro 
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * No issues found.
 
Checking Windows Service Integrity: 
 
 * COM+ Event System (EventSystem) is not Running.
   Startup Type set to: Automatic
 
 * Security Center (wscsvc) is not Running.
   Startup Type set to: Automatic (Delayed Start)
 
 * gagp30kx [Missing Service]
 * IEEtwCollectorService [Missing Service]
 * IoQos [Missing Service]
 * nv_agp [Missing Service]
 * TimeBroker [Missing Service]
 * uagp35 [Missing Service]
 * uliagpkx [Missing Service]
 * WcsPlugInService [Missing Service]
 * wpcfltr [Missing Service]
 * WSService [Missing Service]
 
 * agp440 [Missing ImagePath]
 
 * AJRouter => %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted [Incorrect ImagePath]
 * WpnService => %systemroot%\system32\svchost.exe -k netsvcs [Incorrect ImagePath]
 
 * vmicrdv => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
 * vmicvss => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * No issues found.
 
Program finished at: 05/04/2017 10:48:17 AM
Execution time: 0 hours(s), 0 minute(s), and 11 seconds(s)
 
I did NOT restart the W10 box and await your further instructions...
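As an added example (not Rkill's own code and not part of this thread), the following Python parses the "Checking Windows Service Integrity" section of an Rkill log like the one above and orders the findings for review. The embedded sample is an excerpt of the log posted here plus one constructed line (FakeSvc) to exercise the out-of-Windows-directory check; the review ordering is an assumption of the example, not something Rkill reports.

```python
import re
from dataclasses import dataclass

# Constructed sample: excerpt of the Rkill output above, plus one made-up
# "FakeSvc" line so the out-of-Windows-directory check has a positive case.
SAMPLE_RKILL_LOG = r"""
Checking Windows Service Integrity: 
 
 * COM+ Event System (EventSystem) is not Running.
   Startup Type set to: Automatic
 
 * Security Center (wscsvc) is not Running.
   Startup Type set to: Automatic (Delayed Start)
 
 * gagp30kx [Missing Service]
 * IEEtwCollectorService [Missing Service]
 
 * agp440 [Missing ImagePath]
 
 * AJRouter => %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted [Incorrect ImagePath]
 * WpnService => %systemroot%\system32\svchost.exe -k netsvcs [Incorrect ImagePath]
 * FakeSvc => C:\Users\Public\updater.exe -silent [Incorrect ImagePath]
 
 * vmicrdv => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
"""

SECTION_START = "Checking Windows Service Integrity:"
BRACKET_RE = re.compile(r"^\s*\*\s+(?P<body>.+?)\s+\[(?P<kind>[^\]]+)\]\s*$")
NOT_RUNNING_RE = re.compile(r"^\s*\*\s+(?P<display>.+?)\s+\((?P<name>[^)]+)\)\s+is not Running\.\s*$")
STARTUP_RE = re.compile(r"^\s*Startup Type set to:\s+(?P<startup>.+?)\s*$")
# Paths that resolve under the Windows directory (env form or drive-letter form).
WINDOWS_DIR_RE = re.compile(r"^(%systemroot%|%windir%|[a-z]:\\windows)\\", re.IGNORECASE)

# Assumed review order: a redirected executable/DLL is worth more attention than a
# service that is merely absent on this Windows build.
PRIORITY = {"Incorrect ImagePath": 0, "Incorrect ServiceDLL": 0,
            "Missing ImagePath": 1, "Not Running": 2, "Missing Service": 3}


@dataclass
class Finding:
    service: str
    kind: str
    detail: str = ""


def parse_service_integrity(log_text: str) -> list[Finding]:
    """Collect every '*' finding between the section heading and the next heading."""
    findings: list[Finding] = []
    in_section = False
    for line in log_text.splitlines():
        if not line.strip():
            continue
        if not in_section:
            in_section = line.startswith(SECTION_START)
            continue
        if not line[0].isspace():  # next top-level heading ends the section
            break
        m = NOT_RUNNING_RE.match(line)
        if m:
            findings.append(Finding(m["name"], "Not Running", m["display"]))
            continue
        m = STARTUP_RE.match(line)
        if m and findings and findings[-1].kind == "Not Running":
            findings[-1].detail += f" (startup: {m['startup']})"
            continue
        m = BRACKET_RE.match(line)
        if m:
            body = m["body"]
            name, detail = ([p.strip() for p in body.split("=>", 1)] + [""])[:2]
            findings.append(Finding(name, m["kind"], detail))
    return findings


def image_path_is_outside_windows(detail: str) -> bool:
    """True when the reported path does not sit under the Windows directory."""
    if not detail:
        return False
    path = detail.split(" -", 1)[0].strip().strip('"')  # drop args such as "-k netsvcs"
    return WINDOWS_DIR_RE.match(path) is None


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def triage(findings: list[Finding]) -> list[tuple[Finding, bool]]:
    """Order findings for review; the flag marks paths pointing outside Windows."""
    rows = [(f, f.kind in ("Incorrect ImagePath", "Incorrect ServiceDLL")
             and image_path_is_outside_windows(f.detail)) for f in findings]
    rows.sort(key=lambda r: (not r[1], PRIORITY.get(r[0].kind, 9), r[0].service.lower()))
    return rows


if __name__ == "__main__":
    found = parse_service_integrity(SAMPLE_RKILL_LOG)
    print("Summary:", summarize(found))
    for finding, review_first in triage(found):
        flag = "REVIEW FIRST" if review_first else "            "
        print(f"{flag} {finding.kind:<21} {finding.service:<22} {finding.detail}")
```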


#4 iMacg3

Posted 04 May 2017 - 11:09 AM

Run all these in safe mode with networking.

 

Download Farbar MiniToolBox and save the file to your desktop.

  1. Open MiniToolBox by right-clicking it and selecting Run as Administrator.

  2. Make sure the following options are checked and then click Go:

    • Report IE Proxy Settings
    • Report FF Proxy Settings
    • List content of Hosts
    • List IP configuration
    • List Winsock Entries
    • List last 10 Event Viewer log
    • List Installed Programs
    • List Devices (Don't change any settings here)
    • List Users, Partitions and Memory size
    • List Restore Points

  3. Paste the log file contents into a post.

 

Download ESET Online Scanner and save it to your desktop

 

  1. Double-click on the ESET Online Scanner icon to launch ESET.

  2. Click through the prompts and select “Enable detection of potentially unwanted applications.”

  3. Click “Scan” and let the tool run.

  4. Once done, click the “Save to text file...” Save the file to your desktop and paste the contents into a post.

 

Download Hitman Pro and save it to your desktop. (32 bit) (64 bit).

  1. Double-click on the Hitman Pro EXE file on your desktop.

  2. Download Hitman Pro. Right click it and select Run as Administrator.

  3. Once it's open, click Settings, then uncheck Scan for Tracking Cookies.

  4. Click OK, then click Next.

  5. Select No, I only want to perform a one time scan. Click Next.

  6. HitmanPro will start scanning your system. Once done scanning, HitmanPro will display a screen with any threats found. Important: Click on the drop-down tab next to the infection name and then click Apply to All > Ignore. If not, you could cause damage to your operating system! Make sure you choose to Ignore the files and then click Next. You will be at the results window. Click "Save Log" and save it to your desktop. Paste its contents into a post.

 

 

Download Malwarebytes Anti-Rootkit and save it to your desktop.

  1. Double-click on the .EXE file that you downloaded and follow the extracting prompt.

  2. Find the MBAR folder and launch the executable in the folder.

  3. Select the option to Update the virus definitions.

  4. Once done updating, MBAR will scan your computer.

  5. When complete, please click Cleanup to remove the threats. Do NOT click inside the window when MBAR is doing the cleanup process.

  6. When finished, restart the PC.

  7. Post these logs in a forum post, which are inside the MBAR folder: mbar-log(date) and system-log.txt.


Edited by iMacg3, 04 May 2017 - 11:10 AM.

Regards, iMacg3

If I do not reply to your malware removal topic in 48 hours, please send me a PM.

"Do, or do not. There is no try." - Yoda


#5 PapPawS

Posted 04 May 2017 - 01:53 PM

Result of Mini Tool Box run...others will follow as I do each one in turn...thank you!

 

MiniToolBox by Farbar  Version: 17-06-2016
Ran by PapPawS (administrator) on 04-05-2017 at 13:42:04
Running from "F:\Users\PapPawS\Desktop"
Microsoft Windows 10 Pro  (X64)
Model: OptiPlex 3020 Manufacturer: Dell Inc.
Boot Mode: Network
***************************************************************************
 
========================= IE Proxy Settings: ============================== 
 
Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================
========================= IP Configuration: ================================
 
Dell Wireless 1540 802.11a/g/n (2.4GHz/5GHz) = Wi-Fi (Hardware not present)
Realtek PCIe GBE Family Controller = Ethernet (Media disconnected)
 
 
# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4
 
reset
set global taskoffload=disabled
set interface interface="Local Area Connection* 1" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Local Area Connection* 5" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Local Area Connection* 2" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Wi-Fi" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Ethernet" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
 
 
popd
# End of IPv4 configuration
 
 
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : DOpti3020
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
 
Ethernet adapter Ethernet:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : F8-BC-12-64-D3-DD
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
Server:  UnKnown
Address:  127.0.0.1
 
Ping request could not find host google.com. Please check the name and try again.
Server:  UnKnown
Address:  127.0.0.1
 
Ping request could not find host yahoo.com. Please check the name and try again.
 
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
 
Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
  9...f8 bc 12 64 d3 dd ......Realtek PCIe GBE Family Controller
  1...........................Software Loopback Interface 1
===========================================================================
 
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
===========================================================================
Persistent Routes:
  None
 
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    331 ::1/128                  On-link
  1    331 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================
 
Catalog5 01 C:\WINDOWS\SysWOW64\napinsp.dll [55808] (Microsoft Corporation)
Catalog5 02 C:\WINDOWS\SysWOW64\pnrpnsp.dll [70656] (Microsoft Corporation)
Catalog5 03 C:\WINDOWS\SysWOW64\pnrpnsp.dll [70656] (Microsoft Corporation)
Catalog5 04 C:\WINDOWS\SysWOW64\NLAapi.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\WINDOWS\SysWOW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog5 06 C:\WINDOWS\SysWOW64\winrnr.dll [24064] (Microsoft Corporation)
Catalog9 01 C:\WINDOWS\SysWOW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 02 C:\WINDOWS\SysWOW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 03 C:\WINDOWS\SysWOW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 04 C:\WINDOWS\SysWOW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 05 C:\WINDOWS\SysWOW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 06 C:\WINDOWS\SysWOW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 07 C:\WINDOWS\SysWOW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 08 C:\WINDOWS\SysWOW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 09 C:\WINDOWS\SysWOW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 10 C:\WINDOWS\SysWOW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 11 C:\WINDOWS\SysWOW64\mswsock.dll [306016] (Microsoft Corporation)
Catalog9 12 C:\WINDOWS\SysWOW64\mswsock.dll [306016] (Microsoft Corporation)
x64-Catalog5 01 F:\Windows\System32\napinsp.dll [File Not found] ()
x64-Catalog5 02 F:\Windows\System32\pnrpnsp.dll [File Not found] ()
x64-Catalog5 03 F:\Windows\System32\pnrpnsp.dll [File Not found] ()
x64-Catalog5 04 F:\Windows\System32\NLAapi.dll [File Not found] ()
x64-Catalog5 05 F:\Windows\System32\mswsock.dll [File Not found] ()
x64-Catalog5 06 F:\Windows\System32\winrnr.dll [File Not found] ()
x64-Catalog9 01 F:\Windows\System32\mswsock.dll [File Not found] ()
x64-Catalog9 02 F:\Windows\System32\mswsock.dll [File Not found] ()
x64-Catalog9 03 F:\Windows\System32\mswsock.dll [File Not found] ()
x64-Catalog9 04 F:\Windows\System32\mswsock.dll [File Not found] ()
x64-Catalog9 05 F:\Windows\System32\mswsock.dll [File Not found] ()
x64-Catalog9 06 F:\Windows\System32\mswsock.dll [File Not found] ()
x64-Catalog9 07 F:\Windows\System32\mswsock.dll [File Not found] ()
x64-Catalog9 08 F:\Windows\System32\mswsock.dll [File Not found] ()
x64-Catalog9 09 F:\Windows\System32\mswsock.dll [File Not found] ()
x64-Catalog9 10 F:\Windows\System32\mswsock.dll [File Not found] ()
x64-Catalog9 11 F:\Windows\System32\mswsock.dll [File Not found] ()
x64-Catalog9 12 F:\Windows\System32\mswsock.dll [File Not found] ()
 
========================= Event log errors: ===============================
 
Application errors:
==================
Error: (05/04/2017 10:26:22 AM) (Source: Microsoft-Windows-Immersive-Shell) (User: DOPTI3020)
Description: Activation of app Microsoft.Getstarted_5.0.13.0_x64__8wekyb3d8bbwe:App.AppX7mv0s3r0wanj0n66dy6vax24ps6avzvz.mca failed with error: -2144927149 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (05/02/2017 02:03:08 PM) (Source: Application Error) (User: )
Description: Faulting application name: LogonUI.exe, version: 10.0.14393.0, time stamp: 0x57899b5a
Faulting module name: ntdll.dll, version: 10.0.14393.479, time stamp: 0x5825887f
Exception code: 0xc0000005
Fault offset: 0x0000000000030bdd
Faulting process id: 0x7fc
Faulting application start time: 0xLogonUI.exe0
Faulting application path: LogonUI.exe1
Faulting module path: LogonUI.exe2
Report Id: LogonUI.exe3
Faulting package full name: LogonUI.exe4
Faulting package-relative application ID: LogonUI.exe5
 
Error: (05/02/2017 01:07:43 PM) (Source: Perflib) (User: )
Description: rdyboost4
 
Error: (05/02/2017 12:52:16 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
 
 
Details:
AddCoreCsiFiles : RtlConvertNtFilePathToWin32Path() failed.
 
System Error:
0xC0000039 (unresolvable).
 
Error: (05/02/2017 10:00:29 AM) (Source: Microsoft-Windows-EFS) (User: DOPTI3020)
Description: 7.488: EFS service failed to provision a user for EDP. Error code: 0x80070005.
 
Error: (05/02/2017 09:57:57 AM) (Source: Application Error) (User: )
Description: Faulting application name: esu.exe, version: 1.0.0.0, time stamp: 0x58dac8d5
Faulting module name: KERNELBASE.dll, version: 10.0.14393.1066, time stamp: 0x58d9f07f
Exception code: 0xe0434352
Fault offset: 0x000da932
Faulting process id: 0x196c
Faulting application start time: 0xesu.exe0
Faulting application path: esu.exe1
Faulting module path: esu.exe2
Report Id: esu.exe3
Faulting package full name: esu.exe4
Faulting package-relative application ID: esu.exe5
 
Error: (05/02/2017 09:57:57 AM) (Source: .NET Runtime) (User: )
Description: Application: esu.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.IO.FileNotFoundException
   at Garmin.Omt.Service.Shared.Overrides+<UpdateDatacenterOverridesAsync>d__61.MoveNext()
   at System.Runtime.CompilerServices.AsyncTaskMethodBuilder.Start[[Garmin.Omt.Service.Shared.Overrides+<UpdateDatacenterOverridesAsync>d__61, ExpressSelfUpdater, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null]](<UpdateDatacenterOverridesAsync>d__61 ByRef)
   at Garmin.Omt.Service.Shared.Overrides.UpdateDatacenterOverridesAsync(Boolean)
   at Garmin.Omt.Service.Shared.Overrides..cctor()
 
Exception Info: System.TypeInitializationException
   at Garmin.Omt.Service.Shared.Overrides.get_OmtBaseUrl()
   at Garmin.Omt.Express.SelfUpdater.Program.RealMain()
   at Garmin.Omt.Express.SelfUpdater.Program.Main(System.String[])
 
Error: (05/01/2017 10:25:40 AM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
 
 
Details:
AddCoreCsiFiles : RtlConvertNtFilePathToWin32Path() failed.
 
System Error:
0xC0000039 (unresolvable).
 
Error: (05/01/2017 10:25:40 AM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
 
 
Details:
AddCoreCsiFiles : RtlConvertNtFilePathToWin32Path() failed.
 
System Error:
0xC0000039 (unresolvable).
 
Error: (05/01/2017 10:12:39 AM) (Source: Microsoft-Windows-EFS) (User: DOPTI3020)
Description: 7.488: EFS service failed to provision a user for EDP. Error code: 0x80070005.
 
 
System errors:
=============
Error: (05/04/2017 01:42:05 PM) (Source: DCOM) (User: DOPTI3020)
Description: 1084WSearchUnavailable{B52D54BB-4818-4EB9-AA80-F9EACD371DF8}
 
Error: (05/04/2017 01:42:05 PM) (Source: DCOM) (User: DOPTI3020)
Description: 1084WSearchUnavailable{B52D54BB-4818-4EB9-AA80-F9EACD371DF8}
 
Error: (05/04/2017 01:42:05 PM) (Source: DCOM) (User: DOPTI3020)
Description: 1084ShellHWDetectionUnavailable{DD522ACC-F821-461A-A407-50B198B896DC}
 
Error: (05/04/2017 01:36:24 PM) (Source: DCOM) (User: DOPTI3020)
Description: 1084ShellHWDetectionUnavailable{DD522ACC-F821-461A-A407-50B198B896DC}
 
Error: (05/04/2017 01:36:19 PM) (Source: DCOM) (User: DOPTI3020)
Description: 1084ShellHWDetectionUnavailable{DD522ACC-F821-461A-A407-50B198B896DC}
 
Error: (05/04/2017 01:26:23 PM) (Source: DCOM) (User: DOPTI3020)
Description: 1084ShellHWDetectionUnavailable{DD522ACC-F821-461A-A407-50B198B896DC}
 
Error: (05/04/2017 01:16:23 PM) (Source: DCOM) (User: DOPTI3020)
Description: 1084ShellHWDetectionUnavailable{DD522ACC-F821-461A-A407-50B198B896DC}
 
Error: (05/04/2017 01:06:23 PM) (Source: DCOM) (User: DOPTI3020)
Description: 1084ShellHWDetectionUnavailable{DD522ACC-F821-461A-A407-50B198B896DC}
 
Error: (05/04/2017 12:56:23 PM) (Source: DCOM) (User: DOPTI3020)
Description: 1084ShellHWDetectionUnavailable{DD522ACC-F821-461A-A407-50B198B896DC}
 
Error: (05/04/2017 12:46:23 PM) (Source: DCOM) (User: DOPTI3020)
Description: 1084ShellHWDetectionUnavailable{DD522ACC-F821-461A-A407-50B198B896DC}
 
 
Microsoft Office Sessions:
=========================
Error: (05/04/2017 10:26:22 AM) (Source: Microsoft-Windows-Immersive-Shell)(User: DOPTI3020)
Description: Microsoft.Getstarted_5.0.13.0_x64__8wekyb3d8bbwe:App.AppX7mv0s3r0wanj0n66dy6vax24ps6avzvz.mca-2144927149
 
Error: (05/02/2017 02:03:08 PM) (Source: Application Error)(User: )
Description: LogonUI.exe10.0.14393.057899b5antdll.dll10.0.14393.4795825887fc00000050000000000030bdd7fc01d2c3769fe483f1C:\WINDOWS\system32\LogonUI.exeC:\WINDOWS\SYSTEM32\ntdll.dllb8dc5792-3c98-4ad5-b5a5-192f09c7e15d
 
Error: (05/02/2017 01:07:43 PM) (Source: Perflib)(User: )
Description: rdyboost4
 
Error: (05/02/2017 12:52:16 PM) (Source: Microsoft-Windows-CAPI2)(User: )
Description: 
Details:
AddCoreCsiFiles : RtlConvertNtFilePathToWin32Path() failed.
 
System Error:
0xC0000039 (unresolvable)
 
Error: (05/02/2017 10:00:29 AM) (Source: Microsoft-Windows-EFS)(User: DOPTI3020)
Description: 74880x80070005
 
Error: (05/02/2017 09:57:57 AM) (Source: Application Error)(User: )
Description: esu.exe1.0.0.058dac8d5KERNELBASE.dll10.0.14393.106658d9f07fe0434352000da932196c01d2c3547b5d05cbC:\Program Files (x86)\Garmin\Express SelfUpdater\esu.exeC:\WINDOWS\System32\KERNELBASE.dll04dce5b2-31ad-498c-b8d5-45c64e822347
 
Error: (05/02/2017 09:57:57 AM) (Source: .NET Runtime)(User: )
Description: Application: esu.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.IO.FileNotFoundException
   at Garmin.Omt.Service.Shared.Overrides+<UpdateDatacenterOverridesAsync>d__61.MoveNext()
   at System.Runtime.CompilerServices.AsyncTaskMethodBuilder.Start[[Garmin.Omt.Service.Shared.Overrides+<UpdateDatacenterOverridesAsync>d__61, ExpressSelfUpdater, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null]](<UpdateDatacenterOverridesAsync>d__61 ByRef)
   at Garmin.Omt.Service.Shared.Overrides.UpdateDatacenterOverridesAsync(Boolean)
   at Garmin.Omt.Service.Shared.Overrides..cctor()
 
Exception Info: System.TypeInitializationException
   at Garmin.Omt.Service.Shared.Overrides.get_OmtBaseUrl()
   at Garmin.Omt.Express.SelfUpdater.Program.RealMain()
   at Garmin.Omt.Express.SelfUpdater.Program.Main(System.String[])
 
Error: (05/01/2017 10:25:40 AM) (Source: Microsoft-Windows-CAPI2)(User: )
Description: 
Details:
AddCoreCsiFiles : RtlConvertNtFilePathToWin32Path() failed.
 
System Error:
0xC0000039 (unresolvable)
 
Error: (05/01/2017 10:25:40 AM) (Source: Microsoft-Windows-CAPI2)(User: )
Description: 
Details:
AddCoreCsiFiles : RtlConvertNtFilePathToWin32Path() failed.
 
System Error:
0xC0000039 (unresolvable)
 
Error: (05/01/2017 10:12:39 AM) (Source: Microsoft-Windows-EFS)(User: DOPTI3020)
Description: 74880x80070005
 
 
=========================== Installed Programs ============================
 
Adguard (HKLM-x32\...\{685F6AB3-7C61-42D1-AE5B-3864E48D1035}) (Version: 6.1.331.1732 - Performix LLC) Hidden
Adguard (HKLM-x32\...\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}) (Version: 6.1.331.1732 - Performix LLC)
ANT Drivers Installer x64 (HKLM\...\{7664AF65-7B0D-4171-9F0F-50455278B428}) (Version: 2.3.4 - Garmin Ltd or its subsidiaries) Hidden
CCleaner (HKLM\...\CCleaner) (Version: 5.28 - Piriform)
Citrix Online Launcher (HKLM-x32\...\{48947098-A67C-46D4-90C5-9F2F6F0F96FE}) (Version: 1.0.449 - Citrix)
Crucial Storage Executive (HKCU\...\Crucial Storage Executive 3.30.022016.10) (Version: 3.30.022016.10 - Crucial)
DVD-Cloner V14.00 Build 1419 (HKLM-x32\...\DVD-Cloner 2017_is1) (Version: 14.00.0.1419 - OpenCloner Inc.)
EdgeManage (HKLM-x32\...\{5776C30E-2F76-4F62-8130-F7783B1FD2A1}) (Version: 1.6.1.0 - Emmet Gray)
Elevated Installer (HKLM-x32\...\{1052502B-4C91-43F9-B160-AE39ED57C9F0}) (Version: 5.3.1.0 - Garmin Ltd or its subsidiaries) Hidden
Garmin Express (HKLM-x32\...\{BCC7CA85-E57F-452D-BB44-15A1CE018BD0}) (Version: 5.3.1.0 - Garmin Ltd or its subsidiaries) Hidden
Garmin Express (HKLM-x32\...\{bd8bd200-9a60-4969-b267-6b565f36e3da}) (Version: 5.3.1.0 - Garmin Ltd or its subsidiaries)
Garmin Express Tray (HKLM-x32\...\{DA9C865D-6762-4931-8588-0B13B7A0796B}) (Version: 5.3.1.0 - Garmin Ltd or its subsidiaries) Hidden
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 58.0.3029.81 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.5 - Google Inc.) Hidden
Google Update Helper (HKLM-x32\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.21.169 - Google Inc.) Hidden
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 20.19.15.4531 - Intel Corporation)
LibreOffice 5.1.6.2 (HKLM\...\{549C3097-A17C-4163-9B03-D52865B2BBEE}) (Version: 5.1.6.2 - The Document Foundation)
Maxx Audio Installer (x64) (HKLM\...\{307032B2-6AF2-46D7-B933-62438DEB2B9A}) (Version: 2.6.6448.1 - Waves Audio Ltd.) Hidden
Microsoft OneDrive (HKCU\...\OneDriveSetup.exe) (Version: 17.3.6799.0327 - Microsoft Corporation)
Realtek Audio COM Components (HKLM-x32\...\{2355B503-9B11-4449-861D-1C1748B26320}) (Version: 1.0.2 - Realtek Semiconductor Corp.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6086 - Realtek Semiconductor Corp.)
VLC media player (HKLM\...\VLC media player) (Version: 2.2.4 - VideoLAN)
Windows Driver Package - Dynastream Innovations, Inc. ANT LibUSB Drivers (04/11/2012 1.2.40.201) (HKLM\...\F9D2A789F9CFF8CEC36B544F53877C80F1F73C46) (Version: 04/11/2012 1.2.40.201 - Dynastream Innovations, Inc.)
Windows Driver Package - Silicon Labs Software (DSI_SiUSBXp_3_1) USB  (02/06/2007 3.1) (HKLM\...\D1506E0025B5A3F9EB8270FE81C1EEDD9388B8A2) (Version: 02/06/2007 3.1 - Silicon Labs Software)
 
========================= Devices: ================================
 
Name: The Broadcom 802.11 Network Adapter provides wireless local area networking.
Description: Dell Wireless 1540 802.11a/g/n (2.4GHz/5GHz)
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Broadcom
Service: BCMWL63A
Device ID: PCI\VEN_14E4&DEV_4359&SUBSYS_00141028&REV_00\0000E6FFFFAA3C7700
Problem: : Windows cannot initialize the device driver for this hardware. (Code 37)
Resolution: The driver returned failure from its DriverEntry routine. Uninstall the driver, and then click "Scan for hardware changes" to reinstall or upgrade the driver.
 
 
========================= Memory info: ===================================
 
Percentage of memory in use: 6%
Total physical RAM: 16302.61 MB
Available physical RAM: 15208.25 MB
Total Virtual: 18734.61 MB
Available Virtual: 17843.45 MB
 
========================= Partitions: =====================================
 
1 Drive c: () (Fixed) (Total:223.02 GB) (Free:181.47 GB) NTFS
3 Drive e: (PageSwapfiles) (Fixed) (Total:40 GB) (Free:37.29 GB) NTFS
4 Drive f: (UserProfiles) (Fixed) (Total:911.44 GB) (Free:857.76 GB) NTFS
5 Drive g: (Xpander) (Fixed) (Total:911.45 GB) (Free:911.24 GB) NTFS
6 Drive h: (My Book) (Fixed) (Total:1862.98 GB) (Free:1849.89 GB) NTFS
 
========================= Users: ========================================
 
User accounts for \\DOPTI3020
 
Administrator            DefaultAccount           Guest                    
PapPawS                  
 
========================= Restore Points ==================================
 
11-04-2017 14:10:26 Scheduled Checkpoint
19-04-2017 13:25:43 Scheduled Checkpoint
22-04-2017 21:26:06 Windows Update
01-05-2017 15:25:40 Scheduled Checkpoint
02-05-2017 17:52:16 JRT Pre-Junkware Removal
 
**** End of log ****


#6 PapPawS


Posted 04 May 2017 - 02:00 PM

ESET app fails at "downloading current database" since the PC can't get onto the internet. I have to leave to pick up grandkids and take them to tae kwon do now, but I will check in later this evening!


Edited by PapPawS, 04 May 2017 - 02:02 PM.


#7 iMacg3


Posted 04 May 2017 - 02:39 PM

I think you are going into Safe mode, and not Safe Mode with Networking. Try the option with Networking and see if it works.


Regards, iMacg3

If I do not reply to your malware removal topic in 48 hours, please send me a PM.

"Do, or do not. There is no try." - Yoda


#8 PapPawS


Posted 04 May 2017 - 07:41 PM

I have tried 3 separate times now using choice 5 or F5 - safe mode with networking - and every time it comes up showing no network connection/no connection available in the task bar, and my wireless adapter shows it cannot be initiated in Device Manager. Sorry, I don't know what else to do?



#9 PapPawS


Posted 04 May 2017 - 07:43 PM

Should the safe mode screen indicate in some way that it is in fact in "with networking" mode? Should it say "safe mode with networking" in the corners of the screen?



#10 iMacg3


Posted 04 May 2017 - 08:36 PM

Safe mode with networking should look like this. (Link to image)


Regards, iMacg3

If I do not reply to your malware removal topic in 48 hours, please send me a PM.

"Do, or do not. There is no try." - Yoda


#11 PapPawS


Posted 04 May 2017 - 08:54 PM

I am accessing safe mode from the login screen presented to me (which I believe to be the Administrator account) on startup using shift key/power icon/restart - choose an option - troubleshoot - advanced options - start settings - restart and then selecting option 5 or F5 for Safe Mode with Networking and every time I have had no network connection available so...



#12 iMacg3


Posted 04 May 2017 - 09:09 PM

Can you connect to the network with WiFi or Ethernet while in Safe Mode with Networking?

Try these steps:

  1. Shut down the computer once in "Safe Mode" by using the power button on the computer, not the "Shut down" option.
  2. Turn the computer on again.
  3. Select the Safe Mode with Networking option on the menu.



#13 PapPawS


Posted 04 May 2017 - 10:23 PM

OK...here is exactly how it goes attempting this. Power on system - comes up to apparent Administrator login screen - press Shift key and click on power icon to Restart - presented with Choose an option screen - select Troubleshoot - presented with Advanced options screen - select Startup Settings - click Restart - from the screen presented select option 5 "Safe Mode with Networking" - the Administrator login screen is presented again and after I enter my password the screen presented says "Safe Mode" in both upper corners. A blue box in the center says "the app cannot start - Tips cannot start from the Administrator logon, choose another logon option and try again". I click Close on this box and check the network icon in the taskbar, which is the same every time I've tried this - no connection available.

I hit the power button on the case front, powering the system down. I hit the power button on the case and power the system up - the Administrator login screen is presented and after I enter my password and hit the Enter key I'm eventually presented with a black screen with the following showing:

Administrator: cmd.exe

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>

So I'm stumped...any thoughts you have on how to proceed are appreciated!



#14 iMacg3


Posted 05 May 2017 - 09:07 AM

This is a well-known malware type.

Please type explorer.exe and press enter once you reach the black screen.

If this doesn't work, please download Hitman Pro and Malwarebytes Anti-Rootkit using the above instructions and run them in safe mode. 


Edited by iMacg3, 05 May 2017 - 09:42 AM.

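The sequence in posts #11 to #14 (logging on, landing in a bare cmd.exe window instead of the desktop, and being told to type explorer.exe) is the classic sign that the Winlogon Shell value has been changed so that cmd.exe rather than explorer.exe is launched at logon. The thread never confirms that this is the cause on this machine, so treat it as an assumption. The PowerShell below is an added diagnostic, not something posted in the thread. Run from the cmd.exe prompt the user describes (type powershell and press Enter), it reports the actual boot mode (which answers the question in post #9: SAFEBOOT_OPTION is only set in Safe Mode and reads Network when networking was requested), lists the network adapters and their status, shows the machine and per-user Shell and Userinit values, and restores the defaults only when they differ from the expected ones. The bcdedit lines at the end, commented out, force the next boot into Safe Mode with Networking and undo that afterwards. One caveat for post #8: Wi-Fi drivers often do not load in Safe Mode with Networking, so a wired Ethernet connection is the reliable way to get online there.

```powershell
# Added diagnostic for this thread, not code from any post in it.
# Run from an elevated PowerShell prompt (at the cmd.exe window described
# above, type  powershell  and press Enter).
# Assumption: the cmd.exe-instead-of-desktop symptom is caused by a changed
# Winlogon Shell/Userinit value. That is a common cause, not something the
# thread confirmed for this machine.

$winlogon         = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userKey          = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expectedShell    = 'explorer.exe'
$expectedUserinit = "$env:SystemRoot\system32\userinit.exe,"

# 1. Which boot mode are we really in? SAFEBOOT_OPTION exists only in Safe Mode:
#    'Minimal' = plain Safe Mode, 'Network' = Safe Mode with Networking.
$mode = if ($env:SAFEBOOT_OPTION) { $env:SAFEBOOT_OPTION } else { 'Normal' }
"Boot mode        : $mode"

# 2. Network adapters and whether a driver came up for them. In Safe Mode the
#    Wi-Fi adapter frequently stays down; an Ethernet adapter is the safer bet.
Get-NetAdapter | Select-Object Name, InterfaceDescription, Status | Format-Table -AutoSize

# 3. The values that decide what runs after logon. The per-user Shell value,
#    when present, overrides the machine-wide one, so check both.
$machine   = Get-ItemProperty -Path $winlogon
$userShell = (Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue).Shell
"Machine Shell    : $($machine.Shell)"
"Machine Userinit : $($machine.Userinit)"
"User Shell       : $(if ($userShell) { $userShell } else { '(not set)' })"

# 4. Repair only what differs from the defaults; the old values are echoed
#    first so they can be recorded before they are overwritten.
if ($machine.Shell -ne $expectedShell) {
    "Restoring machine Shell from '$($machine.Shell)' to '$expectedShell'"
    Set-ItemProperty -Path $winlogon -Name Shell -Value $expectedShell
}
if ($machine.Userinit -ne $expectedUserinit) {
    "Restoring Userinit from '$($machine.Userinit)' to '$expectedUserinit'"
    Set-ItemProperty -Path $winlogon -Name Userinit -Value $expectedUserinit
}
if ($userShell) {
    "Removing per-user Shell override '$userShell'"
    Remove-ItemProperty -Path $userKey -Name Shell
}

# 5. Force the next boot into Safe Mode with Networking without going through
#    the Shift+Restart menu, and the matching command to undo it afterwards.
#    Uncomment to use; the braces must be quoted in PowerShell.
# bcdedit /set '{current}' safeboot network
# bcdedit /deletevalue '{current}' safeboot
```

After restoring the Shell value a normal logon should bring up the desktop again; if it still drops into cmd.exe, the override is coming from somewhere the script does not check (a Run key, a scheduled task, or a policy), which is exactly the kind of thing the anti-rootkit scans suggested in post #14 are for.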


#15 PapPawS


Posted 05 May 2017 - 10:32 AM

Powered up the PC, entered PW at the admin login screen and was presented with the command prompt black screen listed above. Typing explorer.exe presented the blue box mid-screen:

This app can't open
Tips can't be opened using the Built-in Administrator account.
Sign in with a different account and try again.

with the prompt reverting to C:\WINDOWS\system32>

I typed "exit" at this prompt and was presented with the Safe Mode screen (?). I shut the machine down using the start/shutdown icons, powered back up to the admin login screen, then Shift/power icon - Restart etc. back into option 5, Safe Mode with Networking (network still shows "not available"), and will run Hitman Pro and Malwarebytes Anti-Rootkit at this time and post each result when complete.





