
ICE Cyber Crime virus on Windows XP [Solved]


This topic is locked
66 replies to this topic

#1 LMac (Authentic Member, 42 posts)

Posted 05 September 2014 - 05:57 AM

I have the Ice Cyber Crime virus on a PC  with windows XP (32 bit).

 

I have Norton Internet Security on the system.  It did not stop the infection and when I run a scan it did not find the virus.

 

I can boot up in safe mode with networking.

 

I need help removing this virus.

 

I am typing this on a different system - not infected.

 

 

Thank you.




#2 LiquidTension (SuperMember, Retired Classroom Teacher, 2,566 posts)

Posted 05 September 2014 - 08:00 AM

Hello LMac, welcome to WhatTheTech's Malware Removal forum!
 
My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems.
If you would allow me to call you by your first name I would prefer that.
 
======================================================
 
Please read through the points below to ensure this process moves as quickly and efficiently as possible.

  • Please read through my instructions thoroughly, and ensure you carry out each step in the order specified.
  • Please do not post logs using the CODE, QUOTE or ATTACHMENT format. Logs should be posted directly in plain text. If you receive an error whilst posting, please break the log in half and use multiple posts.
  • Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation & providing the best set of instructions for you.
  • Please backup important documents before proceeding with my instructions.
  • If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before you run anything.
  • Topics are locked if no response is made after 5 days. Please inform me if you will require additional time to complete my instructions.
     

======================================================

 

Please boot back into Safe Mode with Networking. Download and run the following tools in this environment. Let me know if any issues arise. 

STEP 1
RogueKiller

  • Please download RogueKiller (x32) and save the file to your Desktop.
  • Close any running programmes.
  • Double-click RogueKiller.exe to run the programme.
  • Allow the Prescan to complete. Upon completion, a window will open. Click Accept.
  • A browser window may open. Close the browser window.
  • Return to RogueKiller and click Scan. Upon completion, click Report.
  • Close the programme. Do not fix anything!
  • A log (RKreport.txt) will be open. Copy the contents of the log and paste in your next reply.

Note: If RogueKiller is unable to run, please retry. If you find after several attempts the programme will still not run, please rename RogueKiller.exe to winlogon.exe and try again.

 
STEP 2
Farbar Recovery Scan Tool (FRST) Scan

  • Please download Farbar Recovery Scan Tool (x32) and save the file to your Desktop.
  • Double-click FRST.exe to run the programme.
  • Click Yes to the disclaimer.
  • Ensure the Addition.txt box is checked.
  • Click the Scan button and let the programme run.
  • Upon completion, click OK, then OK on the Addition.txt pop up screen.
  • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply. 
     

======================================================
 
STEP 3
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • RKreport.txt
  • FRST.txt
  • Addition.txt


 

Would you like to help others with malware removal? Join our Classroom and learn how!


#3 LMac (Authentic Member, 42 posts)

Posted 05 September 2014 - 08:25 AM

Thanks Adam.  My name is Larry.  I appreciate your help in getting rid of this virus.

 

I have no important programs or files on the PC except Norton and I can reload that program if I lose it.

 

Before I came to this site and made this post I did download and run FRST.exe and the 2 reports you requested are already on my desktop.  I did not try to fix anything, just ran the scan. 

 

Will running the FRST program first and the Roguekiller program second create an issue?

 

If so do you want me to re-run FRST.exe again after roguekiller is complete?

 

Thanks

Larry



#4 LiquidTension (SuperMember, Retired Classroom Teacher, 2,566 posts)

Posted 05 September 2014 - 08:30 AM

Hello Larry, 
 

Before I came to this site and made this post I did download and run FRST.exe and the 2 reports you requested are already on my desktop.  I did not try to fix anything, just ran the scan. 

How long ago did you run FRST?
 

Will running the FRST program first and the Roguekiller program second create an issue?

No, it won't cause an issue. If you ran FRST today, please proceed with RogueKiller and post the two FRST logs + RogueKiller log. 

 

If you ran FRST a couple of days ago, please run RogueKiller, followed by a rerun of FRST. 




#5 LMac (Authentic Member, 42 posts)

Posted 05 September 2014 - 08:43 AM

I downloaded and ran FRST earlier today.  I thought I could fix this myself, but I quickly learned I could not. 

 

RogueKiller completed the scan and a browser opened; it tried to go to something called BlogSpot, but a message came up and said it could not and the operation was aborted.  I closed the message box and the browser and then ran the report.

 

I will try to copy and paste the files you want from the PC that has the virus in the following posts.



#6 LiquidTension (SuperMember, Retired Classroom Teacher, 2,566 posts)

Posted 05 September 2014 - 08:46 AM

Hi Larry, 

 

Your browser opening upon running RogueKiller is normal. 

 

If you have trouble posting the logs from the infected PC, please stop and let me know. I will provide instructions on how to safely transfer the files to your clean PC.




#7 LMac (Authentic Member, 42 posts)

Posted 05 September 2014 - 08:46 AM

RogueKiller V9.2.9.0 [Jul 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : https://www.adlice.c...es/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Safe mode with network support
User : Joe Blow [Admin rights]
Mode : Scan -- Date : 09/05/2014  07:36:14

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 16 ¤¤¤
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 192.168.0.1 205.171.2.25  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 192.168.0.1 205.171.2.25  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 192.168.0.1 205.171.2.25  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters | DhcpNameServer : 192.168.0.1 205.171.2.25  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{133E1BE7-4823-45B8-A4D6-09AE514650DC} | DhcpNameServer : 192.168.0.1 205.171.2.25  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{133E1BE7-4823-45B8-A4D6-09AE514650DC} | DhcpNameServer : 192.168.0.1 205.171.2.25  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{133E1BE7-4823-45B8-A4D6-09AE514650DC} | DhcpNameServer : 192.168.0.1 205.171.2.25  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters\Interfaces\{133E1BE7-4823-45B8-A4D6-09AE514650DC} | DhcpNameServer : 192.168.0.1 205.171.2.25  -> FOUND
[PUM.StartMenu] HKEY_USERS\S-1-5-21-2291903390-3433162778-840360825-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowPrinters : 0  -> FOUND
[PUM.StartMenu] HKEY_USERS\S-1-5-21-2291903390-3433162778-840360825-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 0  -> FOUND
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND
[Rans.Gendarm] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\winmgmt\Parameters | ServiceDll : C:\DOCUME~1\ALLUSE~1\APPLIC~1\50BC232.cpp  -> FOUND
[Rans.Gendarm] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\winmgmt\Parameters | ServiceDll : C:\DOCUME~1\ALLUSE~1\APPLIC~1\50BC232.cpp  -> FOUND
[Rans.Gendarm] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\winmgmt\Parameters | ServiceDll : C:\DOCUME~1\ALLUSE~1\APPLIC~1\50BC232.cpp  -> FOUND
[Rans.Gendarm] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\winmgmt\Parameters | ServiceDll : C:\DOCUME~1\ALLUSE~1\APPLIC~1\50BC232.cpp  -> FOUND
[PUM.SearchPage] HKEY_USERS\S-1-5-21-2291903390-3433162778-840360825-1006\Software\Microsoft\Internet Explorer\Main | Search Page : http://rd.yahoo.com/...//www.yahoo.com  -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 1 ¤¤¤
[Rans.Gendarm][File] program.lnk -- C:\Documents and Settings\Joe Blow\Start Menu\Programs\Startup\program.lnk [LNK@] C:\WINDOWS\system32\rundll32.exe C:\DOCUME~1\ALLUSE~1\APPLIC~1\50BC232.cpp,xSS1 -> FOUND

¤¤¤ HOSTS File : 1 ¤¤¤
[C:\WINDOWS\System32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 0 (Driver: NOT LOADED [0x2]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] f805a109462a5da52bf7725f32d6a765
[BSP] 44e76c70a7a409e06dba851ad28fef86 : Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 114485 MB
User = LL1 ... OK
User = LL2 ... OK



#8 LMac (Authentic Member, 42 posts)

Posted 05 September 2014 - 08:50 AM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 03-09-2014
Ran by Joe Blow (administrator) on OLD_DESK_TOP on 05-09-2014 04:37:35
Running from C:\Documents and Settings\Joe Blow\Desktop
Platform: Microsoft Windows XP Service Pack 2 (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Safe Mode (with Networking)

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingc...can-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingc...can-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo...very-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [hpsysdrv] => c:\windows\system\hpsysdrv.exe [52736 1998-05-07] (Hewlett-Packard Company)
HKLM\...\Run: [Recguard] => C:\WINDOWS\SMINST\RECGUARD.EXE [212992 2002-07-04] ()
HKLM\...\Run: [srmclean] => C:\Cpqs\Scom\srmclean.exe [36864 2001-07-24] ()
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
HKLM\...\Run: [nwiz] => nwiz.exe /install
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxsrvc.dll (Intel Corporation)
HKU\S-1-5-21-2291903390-3433162778-840360825-1006\...\Run: [Microsoft Works Update Detection] => c:\Program Files\Microsoft Works\WkDetect.exe
Startup: C:\Documents and Settings\Joe Blow\Start Menu\Programs\Startup\program.lnk
ShortcutTarget: program.lnk -> C:\Documents and Settings\All Users\Application Data\50BC232.cpp (Corel Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/...//www.yahoo.com
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://store.presari...&c=2c02&lc=0409
HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
SearchScopes: HKCU - DefaultScope {46A120EA-A6CA-427F-88AA-618F1920B282} URL = http://search.yahoo....=utf-8&fr=b1ie7
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {46A120EA-A6CA-427F-88AA-618F1920B282} URL = http://search.yahoo....=utf-8&fr=b1ie7
SearchScopes: HKCU - {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = http://nortonsafe.se...ct=sb&qsrc=2869
BHO: AcroIEHlprObj Class -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx ()
BHO: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files\Norton Internet Security\Engine\21.5.0.19\coIEPlg.dll (Symantec Corporation)
BHO: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files\Norton Internet Security\Engine\21.5.0.19\IPS\IPSBHO.DLL (Symantec Corporation)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\21.5.0.19\coIEPlg.dll (Symantec Corporation)
Toolbar: HKCU - &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\System32\browseui.dll (Microsoft Corporation)
Toolbar: HKCU - &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\SHELL32.dll (Microsoft Corporation)
Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -  No File
Toolbar: HKCU - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\21.5.0.19\coIEPlg.dll (Symantec Corporation)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...all-131-win.cab
DPF: {CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA} http://java.sun.com/...all-131-win.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab
Handler: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\System32\msvidctl.dll (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1 205.171.2.25

FireFox:
========
FF HKLM\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.1.0.18\IPSFF
FF Extension: Norton Vulnerability Protection - C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.1.0.18\IPSFF [2013-12-11]
FF HKLM\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] - C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.1.0.18\coFFPlgn
FF Extension: Norton Toolbar - C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.1.0.18\coFFPlgn [2014-09-05]

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [mkfokfffehpeedafpekjeddnmnjhmcmk] - C:\Program Files\Norton Internet Security\Engine\21.5.0.19\Exts\Chrome.crx [2014-08-21]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 NIS; C:\Program Files\Norton Internet Security\Engine\21.5.0.19\NIS.exe [276376 2014-07-31] (Symantec Corporation)
S2 winmgmt; C:\Documents and Settings\All Users\Application Data\50BC232.cpp [490496 2014-09-04] (Corel Corporation) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 ALCXWDM; C:\WINDOWS\System32\drivers\ALCXWDM.SYS [656172 2002-06-22] (Avance Logic, Inc.)
S1 BHDrvx86; C:\Program Files\Norton Internet Security\NortonData\21.1.0.18\Definitions\BASHDefs\20140821.007\BHDrvx86.sys [1138480 2014-08-18] (Symantec Corporation)
S1 ccSet_NIS; C:\WINDOWS\system32\drivers\NIS\1505000.013\ccSetx86.sys [127064 2013-09-25] (Symantec Corporation)
S3 eaps2kbd; C:\WINDOWS\System32\DRIVERS\eaps2kbd.sys [24035 2001-12-28] (Compaq Computer Corp.)
S1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [377648 2014-06-23] (Symantec Corporation)
S3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [109872 2014-06-11] (Symantec Corporation)
S3 gameenum; C:\WINDOWS\System32\DRIVERS\gameenum.sys [10624 2004-08-03] (Microsoft Corporation)
S3 i81x; C:\WINDOWS\System32\DRIVERS\i81xnt5.sys [158140 2001-08-08] (Intel® Corporation)
S3 iAimFP0; C:\WINDOWS\System32\DRIVERS\wADV01nt.sys [12479 2001-08-08] (Intel® Corporation)
S3 iAimFP1; C:\WINDOWS\System32\DRIVERS\wADV02NT.sys [12031 2001-08-08] (Intel® Corporation)
S3 iAimFP2; C:\WINDOWS\System32\DRIVERS\wADV05NT.sys [11679 2001-08-08] (Intel® Corporation)
S3 iAimFP3; C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys [11999 2001-08-08] (Intel® Corporation)
S3 iAimFP4; C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys [19359 2001-08-08] (Intel® Corporation)
S3 iAimTV0; C:\WINDOWS\System32\DRIVERS\wATV01nt.sys [29215 2001-08-08] (Intel® Corporation)
S3 iAimTV1; C:\WINDOWS\System32\DRIVERS\wATV02NT.sys [19199 2001-08-08] (Intel® Corporation)
S3 iAimTV3; C:\WINDOWS\System32\DRIVERS\wATV04nt.sys [33503 2001-08-08] (Intel® Corporation)
S3 iAimTV4; C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys [23519 2001-08-08] (Intel® Corporation)
S3 IDSxpx86; C:\Program Files\Norton Internet Security\NortonData\21.1.0.18\Definitions\IPSDefs\20140903.001\IDSxpx86.sys [448664 2014-08-29] (Symantec Corporation)
S3 ltmodem5; C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys [623633 2002-01-24] (LT)
S3 ms_mpu401; C:\WINDOWS\System32\drivers\msmpu401.sys [2944 2001-08-17] (Microsoft Corporation)
S3 NAVENG; C:\Program Files\Norton Internet Security\NortonData\21.1.0.18\Definitions\VirusDefs\20140904.001\NAVENG.SYS [95704 2014-08-21] (Symantec Corporation)
S3 NAVEX15; C:\Program Files\Norton Internet Security\NortonData\21.1.0.18\Definitions\VirusDefs\20140904.001\NAVEX15.SYS [1636696 2014-08-21] (Symantec Corporation)
R3 rtl8139; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [20992 2004-08-03] (Realtek Semiconductor Corporation)
S3 S3Psddr; C:\WINDOWS\System32\DRIVERS\s3gnbm.sys [155008 2002-07-13] (S3 Graphics, Inc.)
S3 Secdrv; C:\WINDOWS\System32\DRIVERS\secdrv.sys [27440 2001-08-18] ()
S1 SRTSP; C:\WINDOWS\System32\Drivers\NIS\1505000.013\SRTSP.SYS [664280 2014-02-12] (Symantec Corporation)
S1 SRTSPX; C:\WINDOWS\system32\drivers\NIS\1505000.013\SRTSPX.SYS [32344 2013-09-09] (Symantec Corporation)
R0 SymDS; C:\WINDOWS\System32\drivers\NIS\1505000.013\SYMDS.SYS [367704 2013-09-09] (Symantec Corporation)
R0 SymEFA; C:\WINDOWS\System32\drivers\NIS\1505000.013\SYMEFA.SYS [936152 2014-03-03] (Symantec Corporation)
S3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT.SYS [142936 2013-12-11] (Symantec Corporation)
S1 SymIRON; C:\WINDOWS\system32\drivers\NIS\1505000.013\Ironx86.SYS [206936 2013-09-26] (Symantec Corporation)
S1 SYMTDI; C:\WINDOWS\System32\Drivers\NIS\1505000.013\SYMTDI.SYS [423256 2014-02-17] (Symantec Corporation)
R0 viaagp1; C:\WINDOWS\System32\DRIVERS\viaagp1.sys [27648 2002-03-04] (VIA Technologies, Inc.)
S3 wandrv; C:\WINDOWS\System32\DRIVERS\wandrv.sys [22608 2001-08-10] (America Online, Inc.)
S1 {6080A529-897E-4629-A488-ABA0C29B635E}; C:\WINDOWS\System32\drivers\ialmsbw.sys [90336 2002-05-22] (Intel Corporation)
S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91}; C:\WINDOWS\System32\drivers\ialmkchw.sys [69504 2002-05-22] (Intel Corporation)
S4 hpt3xx; No ImagePath
S3 iAimTV2; System32\DRIVERS\wATV03nt.sys [X]
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96256 2004-08-03] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-05 04:37 - 2014-09-05 04:37 - 00011112 _____ () C:\Documents and Settings\Joe Blow\Desktop\FRST.txt
2014-09-05 04:37 - 2014-09-05 04:37 - 00000000 ____D () C:\FRST
2014-09-05 04:35 - 2014-09-05 04:35 - 01096704 _____ (Farbar) C:\Documents and Settings\Joe Blow\Desktop\FRST.exe
2014-09-04 15:22 - 2014-09-04 15:22 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\SMR410
2014-09-04 15:20 - 2014-09-04 15:20 - 03077584 ____N (Symantec Corporation) C:\Documents and Settings\Joe Blow\Desktop\NPE.exe
2014-09-04 15:18 - 2014-09-04 15:24 - 00000000 ____D () C:\Documents and Settings\Joe Blow\Local Settings\Application Data\NPE
2014-09-04 14:06 - 2014-09-04 14:06 - 00000000 __SHD () C:\Documents and Settings\Administrator\PrivacIE
2014-09-04 13:51 - 2014-09-04 13:51 - 00000000 __SHD () C:\Documents and Settings\Administrator\IETldCache
2014-09-04 13:51 - 2002-03-22 22:47 - 00053248 _____ () C:\Documents and Settings\Administrator\Desktop\Hot Deals from Compaq.exe
2014-09-04 13:50 - 2014-09-04 14:49 - 00000178 ___SH () C:\Documents and Settings\Administrator\ntuser.ini
2014-09-04 13:50 - 2014-09-04 14:39 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Temp
2014-09-04 13:50 - 2014-09-04 14:06 - 00000000 ____D () C:\Documents and Settings\Administrator
2014-09-04 13:50 - 2013-12-11 16:43 - 00000000 ___RD () C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories
2014-09-04 13:50 - 2002-08-02 02:15 - 00000000 ____D () C:\Documents and Settings\Administrator\WINDOWS
2014-09-04 13:50 - 2002-08-02 02:15 - 00000000 ____D () C:\Documents and Settings\Administrator\Start Menu\Programs\Quicken Financial Center
2014-09-04 13:50 - 2002-08-02 02:15 - 00000000 ____D () C:\Documents and Settings\Administrator\My Documents\My eBooks
2014-09-04 13:50 - 2002-08-02 02:15 - 00000000 ____D () C:\Documents and Settings\Administrator\Application Data\VERITAS
2014-09-04 13:50 - 2002-08-02 02:15 - 00000000 ____D () C:\Documents and Settings\Administrator\Application Data\Symantec
2014-09-04 13:50 - 2002-08-02 02:15 - 00000000 ____D () C:\Documents and Settings\Administrator\Application Data\Real
2014-09-04 13:50 - 2002-08-02 02:14 - 00000000 ____D () C:\Documents and Settings\Administrator\Application Data\InterTrust
2014-09-04 13:50 - 2002-08-02 02:14 - 00000000 ____D () C:\Documents and Settings\Administrator\Application Data\Adobe
2014-09-04 13:50 - 2002-08-01 22:01 - 00000809 _____ () C:\Documents and Settings\Administrator\Start Menu\Programs\Internet Explorer.lnk
2014-09-04 13:50 - 2002-08-01 20:04 - 00006905 _____ () C:\Documents and Settings\Administrator\ml2.srt
2014-09-04 13:50 - 2002-08-01 20:04 - 00006892 _____ () C:\Documents and Settings\Administrator\ml1.srt
2014-09-04 13:50 - 2002-08-01 20:04 - 00003318 _____ () C:\Documents and Settings\Administrator\tempdiff.txt
2014-09-04 13:50 - 2002-08-01 19:47 - 00001599 _____ () C:\Documents and Settings\Administrator\Start Menu\Programs\Remote Assistance.lnk
2014-09-04 13:50 - 2002-02-21 02:05 - 00000173 _____ () C:\Documents and Settings\Administrator\oobecmt.ini
2014-09-04 13:50 - 2001-11-13 03:49 - 00000205 _____ () C:\Documents and Settings\Administrator\My Documents\Yahoo! Briefcase.url
2014-09-04 13:41 - 2014-09-04 13:41 - 00490496 _____ (Corel Corporation) C:\Documents and Settings\All Users\Application Data\50BC232.cpp
2014-09-02 08:15 - 2014-09-02 08:19 - 00000000 ____D () C:\Documents and Settings\Joe Blow\Local Settings\Application Data\Adobe
2014-08-30 08:57 - 2014-08-30 08:57 - 00000579 _____ () C:\Documents and Settings\Joe Blow\plugin131.trace
2014-08-30 08:57 - 2014-08-30 08:57 - 00000000 ____D () C:\Documents and Settings\Joe Blow\.java

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-05 04:37 - 2014-09-05 04:37 - 00011112 _____ () C:\Documents and Settings\Joe Blow\Desktop\FRST.txt
2014-09-05 04:37 - 2014-09-05 04:37 - 00000000 ____D () C:\FRST
2014-09-05 04:37 - 2013-12-11 17:59 - 00000000 ____D () C:\Documents and Settings\Joe Blow\Local Settings\Temp
2014-09-05 04:35 - 2014-09-05 04:35 - 01096704 _____ (Farbar) C:\Documents and Settings\Joe Blow\Desktop\FRST.exe
2014-09-05 04:26 - 2013-12-11 20:41 - 00519275 _____ () C:\WINDOWS\WindowsUpdate.log
2014-09-05 04:26 - 2013-12-11 17:59 - 00000184 _____ () C:\WINDOWS\system\hpsysdrv.DAT
2014-09-05 04:26 - 2013-12-11 17:59 - 00000178 ___SH () C:\Documents and Settings\Joe Blow\ntuser.ini
2014-09-05 04:26 - 2002-08-01 19:51 - 00032594 _____ () C:\WINDOWS\SchedLgU.Txt
2014-09-05 04:26 - 2002-08-01 19:46 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-09-04 15:26 - 2013-12-12 11:19 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2014-09-04 15:24 - 2014-09-04 15:18 - 00000000 ____D () C:\Documents and Settings\Joe Blow\Local Settings\Application Data\NPE
2014-09-04 15:22 - 2014-09-04 15:22 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\SMR410
2014-09-04 15:22 - 2002-08-01 19:33 - 00000220 __RSH () C:\boot.ini
2014-09-04 15:20 - 2014-09-04 15:20 - 03077584 ____N (Symantec Corporation) C:\Documents and Settings\Joe Blow\Desktop\NPE.exe
2014-09-04 15:18 - 2013-12-11 21:16 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Norton
2014-09-04 15:18 - 2013-12-11 17:50 - 00321664 _____ () C:\WINDOWS\ntbtlog.txt.bak
2014-09-04 14:56 - 2002-08-01 12:37 - 00131944 _____ () C:\WINDOWS\FaxSetup.log
2014-09-04 14:56 - 2002-08-01 12:37 - 00073718 _____ () C:\WINDOWS\ocgen.log
2014-09-04 14:56 - 2002-08-01 12:37 - 00055849 _____ () C:\WINDOWS\tsoc.log
2014-09-04 14:56 - 2002-08-01 12:37 - 00048577 _____ () C:\WINDOWS\comsetup.log
2014-09-04 14:56 - 2002-08-01 12:37 - 00029819 _____ () C:\WINDOWS\ntdtcsetup.log
2014-09-04 14:56 - 2002-08-01 12:37 - 00016663 _____ () C:\WINDOWS\iis6.log
2014-09-04 14:56 - 2002-08-01 12:37 - 00006335 _____ () C:\WINDOWS\msgsocm.log
2014-09-04 14:56 - 2002-08-01 12:37 - 00005766 _____ () C:\WINDOWS\ocmsn.log
2014-09-04 14:56 - 2002-08-01 12:37 - 00001891 _____ () C:\WINDOWS\imsins.log
2014-09-04 14:55 - 2013-12-11 20:06 - 00195692 _____ () C:\WINDOWS\setupapi.log
2014-09-04 14:55 - 2002-08-01 22:03 - 00000000 ____D () C:\Program Files\WildTangent
2014-09-04 14:49 - 2014-09-04 13:50 - 00000178 ___SH () C:\Documents and Settings\Administrator\ntuser.ini
2014-09-04 14:39 - 2014-09-04 13:50 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Temp
2014-09-04 14:06 - 2014-09-04 14:06 - 00000000 __SHD () C:\Documents and Settings\Administrator\PrivacIE
2014-09-04 14:06 - 2014-09-04 13:50 - 00000000 ____D () C:\Documents and Settings\Administrator
2014-09-04 13:51 - 2014-09-04 13:51 - 00000000 __SHD () C:\Documents and Settings\Administrator\IETldCache
2014-09-04 13:41 - 2014-09-04 13:41 - 00490496 _____ (Corel Corporation) C:\Documents and Settings\All Users\Application Data\50BC232.cpp
2014-09-04 13:13 - 2002-08-01 19:32 - 00001158 _____ () C:\WINDOWS\system32\wpa.dbl
2014-09-02 08:19 - 2014-09-02 08:15 - 00000000 ____D () C:\Documents and Settings\Joe Blow\Local Settings\Application Data\Adobe
2014-09-02 08:17 - 2013-12-12 11:19 - 00699568 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2014-09-02 08:17 - 2013-12-12 11:19 - 00071344 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2014-08-30 08:57 - 2014-08-30 08:57 - 00000579 _____ () C:\Documents and Settings\Joe Blow\plugin131.trace
2014-08-30 08:57 - 2014-08-30 08:57 - 00000000 ____D () C:\Documents and Settings\Joe Blow\.java
2014-08-21 13:04 - 2013-12-11 21:25 - 00001981 _____ () C:\Documents and Settings\All Users\Desktop\Norton Internet Security.LNK
2014-08-21 13:04 - 2013-12-11 21:25 - 00000000 ____D () C:\WINDOWS\system32\Drivers\NIS
2014-08-21 13:04 - 2013-12-11 21:24 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Norton Internet Security

Some content of TEMP:
====================
C:\Documents and Settings\Joe Blow\Local Settings\Temp\oi_{EE64BE09-1704-4AB7-B6D8-222458F2C2B9}.exe
C:\Documents and Settings\Joe Blow\Local Settings\Temp\Outobox.exe
C:\Documents and Settings\Joe Blow\Local Settings\Temp\uninst.dll

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================
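The RogueKiller log in #7 and the FRST log in #8 describe the same persistence chain from two angles: the winmgmt service's ServiceDll redirected to 50BC232.cpp under All Users\Application Data, that file unsigned and carrying a Corel vendor string, and a Startup shortcut that loads it through rundll32. The script below is an added example for this thread; it is not code from the forum, from FRST or from RogueKiller. It re-parses the posted log lines and flags those indicators with explicit rules, so the reasoning a helper applies by eye is written down and repeatable. The trusted directory roots, the BUILTIN_SERVICES list and the 8.3 short-name expansions are assumptions made for the illustration; the sample lines are copied from the logs above.

```python
import ntpath
import re

# Constructed sample input: lines copied from the FRST and RogueKiller logs above.
FRST_SAMPLE = r"""
S2 NIS; C:\Program Files\Norton Internet Security\Engine\21.5.0.19\NIS.exe [276376 2014-07-31] (Symantec Corporation)
S2 winmgmt; C:\Documents and Settings\All Users\Application Data\50BC232.cpp [490496 2014-09-04] (Corel Corporation) [File not signed]
ShortcutTarget: program.lnk -> C:\Documents and Settings\All Users\Application Data\50BC232.cpp (Corel Corporation)
"""
RK_SAMPLE = r"""
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 192.168.0.1 205.171.2.25  -> FOUND
[Rans.Gendarm] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\winmgmt\Parameters | ServiceDll : C:\DOCUME~1\ALLUSE~1\APPLIC~1\50BC232.cpp  -> FOUND
[Rans.Gendarm][File] program.lnk -- C:\Documents and Settings\Joe Blow\Start Menu\Programs\Startup\program.lnk [LNK@] C:\WINDOWS\system32\rundll32.exe C:\DOCUME~1\ALLUSE~1\APPLIC~1\50BC232.cpp,xSS1 -> FOUND
"""

# Assumed policy (not from the tools): built-in service code lives under
# %SystemRoot%; any service binary or Startup target lives under these roots.
SYSTEM_ROOTS = ("c:\\windows\\",)
PROGRAM_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")
BUILTIN_SERVICES = {"winmgmt", "rpcss", "schedule", "wuauserv", "dnscache"}  # assumed list
CODE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx"}
SHORT_NAMES = {"DOCUME~1": "Documents and Settings", "ALLUSE~1": "All Users",
               "APPLIC~1": "Application Data"}  # 8.3 expansions assumed from the log

SERVICE_RE = re.compile(r"^([RSU]\d) (\S+); (.+?) \[(\d+) (\d{4}-\d{2}-\d{2})\] \((.*?)\)(.*)$")
SHORTCUT_RE = re.compile(r"^ShortcutTarget: (\S+) -> (.+?) \((.*?)\)$")
RK_REG_RE = re.compile(r"^\[(\S+?)\] (HKEY_\S+?) \| (\S+) : (.+?)\s+-> FOUND$")
RK_LNK_RE = re.compile(r"^\[(\S+?)\]\[File\] (\S+) -- (.+?) \[LNK@\] (.+?)\s+-> FOUND$")


def _under(path, roots):
    return path.lower().startswith(roots)


def _expand_short(path):
    # RogueKiller prints 8.3 names; expand them so both tools yield the same path.
    for short, full in SHORT_NAMES.items():
        path = path.replace(short, full)
    return path


def _ext(path):
    return ntpath.splitext(path)[1].lower()


def analyze_frst(text):
    # Flag FRST service and ShortcutTarget entries that break the assumed policy.
    findings = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            _, name, path, _, _, _, rest = m.groups()
            reasons = []
            if name.lower() in BUILTIN_SERVICES and not _under(path, SYSTEM_ROOTS):
                reasons.append("built-in service loads code outside %SystemRoot%")
            if "[File not signed]" in rest and not _under(path, SYSTEM_ROOTS + PROGRAM_ROOTS):
                reasons.append("unsigned binary outside system/program directories")
            if _ext(path) not in CODE_EXTENSIONS:
                reasons.append("non-executable extension used as service binary")
            if reasons:
                findings.append({"source": "FRST", "item": name, "path": path, "reasons": reasons})
            continue
        m = SHORTCUT_RE.match(line)
        if m:
            lnk, target, _ = m.groups()
            reasons = []
            if not _under(target, SYSTEM_ROOTS + PROGRAM_ROOTS):
                reasons.append("Startup shortcut targets a file in a data directory")
            if _ext(target) not in CODE_EXTENSIONS:
                reasons.append("Startup target has a non-executable extension")
            if reasons:
                findings.append({"source": "FRST", "item": lnk, "path": target, "reasons": reasons})
    return findings


def analyze_roguekiller(text):
    # Flag RogueKiller hits showing a hijacked ServiceDll or a rundll32 Startup loader.
    findings = []
    for line in text.splitlines():
        m = RK_REG_RE.match(line)
        if m:
            _, key, value_name, value = m.groups()
            path = _expand_short(value)
            if value_name.lower() == "servicedll" and not _under(path, SYSTEM_ROOTS):
                service = key.split("\\")[-2]  # ...\Services\<name>\Parameters
                findings.append({"source": "RogueKiller", "item": service, "path": path,
                                 "reasons": ["ServiceDll points outside %SystemRoot%"]})
            continue
        m = RK_LNK_RE.match(line)
        if m:
            _, lnk, _, command = m.groups()
            parts = command.split()
            if len(parts) > 1 and parts[0].lower().endswith("rundll32.exe"):
                dll = _expand_short(parts[1].split(",")[0])
                if not _under(dll, SYSTEM_ROOTS + PROGRAM_ROOTS) or _ext(dll) != ".dll":
                    findings.append({"source": "RogueKiller", "item": lnk, "path": dll,
                                     "reasons": ["rundll32 loads a non-.dll file from a data directory"]})
    return findings


def corroborated_paths(frst_text, rk_text):
    # Paths both tools flagged independently: the strongest removal candidates.
    frst = {f["path"].lower() for f in analyze_frst(frst_text)}
    rk = {f["path"].lower() for f in analyze_roguekiller(rk_text)}
    return sorted(frst & rk)


if __name__ == "__main__":
    for finding in analyze_frst(FRST_SAMPLE) + analyze_roguekiller(RK_SAMPLE):
        print(f"[{finding['source']}] {finding['item']}: {finding['path']} -> {finding['reasons']}")
    print("Corroborated:", corroborated_paths(FRST_SAMPLE, RK_SAMPLE))
```

Running it lists each finding with its reasons and then the single path both tools agree on. On a real case the same rules would be run over the complete FRST.txt and RKreport.txt rather than the excerpt embedded here; the PUM.Dns line is parsed but deliberately not flagged, since a router address plus an ISP resolver is the normal shape of that value.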



#9 LMac (Authentic Member, 42 posts)

Posted 05 September 2014 - 08:51 AM

Not sure why the paste in the last post has a line through the text.

 

It is not that way in the file I copied from



#10 LiquidTension (SuperMember, Retired Classroom Teacher, 2,566 posts)

Posted 05 September 2014 - 08:53 AM

Don't worry, I've removed the strikethrough. 

 

Addition.txt is not complete. Please paste the complete contents of Addition.txt for me (unless == End of Log == is the only line missing).




#11 LMac (Authentic Member, 42 posts)

Posted 05 September 2014 - 08:56 AM

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 03-09-2014
Ran by Joe Blow at 2014-09-05 04:38:33
Running from C:\Documents and Settings\Joe Blow\Desktop
Boot Mode: Safe Mode (with Networking)
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Acrobat 5.0 (HKLM\...\Adobe Acrobat 5.0) (Version: 5.0 - Adobe Systems, Inc.)
Adobe Flash Player 14 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 14.0.0.176 - Adobe Systems Incorporated)
Intel® 845G Chipset Graphics Driver Software (HKLM\...\{8A708DD8-A5E6-11D4-A706-000629E95E20}) (Version:  - )
InterVideo WinDVD (HKLM\...\{C1939820-A945-11D4-86F6-0001031E5712}) (Version:  - InterVideo Inc.)
Java 2 Runtime Environment Standard Edition v1.3.1 (HKLM\...\JRE 1.3.1) (Version:  - )
Norton Internet Security (HKLM\...\NIS) (Version: 21.5.0.19 - Symantec Corporation)
NVIDIA Windows 2000/XP Display Drivers (HKLM\...\NVIDIA) (Version:  - )
outobox (HKLM\...\outobox) (Version: 2013.12.07.011955 - outobox) <==== ATTENTION
Python 2.2 combined Win32 extensions (HKLM\...\Python 2.2 combined Win32 extensions) (Version:  - )
Python 2.2.1 (HKLM\...\Python 2.2.1) (Version: 2.2.1 - PythonLabs at Zope Corporation)
S3Display (HKLM\...\S3Display) (Version:  - )
S3Gamma2 (HKLM\...\S3Gamma2) (Version:  - )
S3Info2 (HKLM\...\S3Info2) (Version:  - )
S3Overlay (HKLM\...\S3Overlay) (Version:  - )
Viewpoint Media Player (Remove Only) (HKLM\...\ViewpointMediaPlayer) (Version:  - )
WebFldrs XP (Version: 9.50.5318 - Microsoft Corporation) Hidden
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows XP Service Pack 2 (HKLM\...\Windows XP Service Pack) (Version: 20040803.231319 - Microsoft Corporation)
Works Suite OS Pack (Version: 1.0.0.0000 - Microsoft Corporation) Hidden

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

==================== Restore Points  =========================

Could not list Restore Points. Check "winmgmt" service or repair WMI.

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2002-08-01 19:32 - 2001-08-18 12:00 - 00000734 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\Registration reminder 2.job => C:\WINDOWS\System32\OOBE\oobebaln.exe
Task: C:\WINDOWS\Tasks\Registration reminder 3.job => C:\WINDOWS\System32\OOBE\oobebaln.exe

==================== Loaded Modules (whitelisted) =============

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SMR410 => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\UploadMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="2"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

==================== Faulty Device Manager Devices =============

Could not list Devices. Check "winmgmt" service or repair WMI.

==================== Event log errors: =========================

Application errors:
==================
Error: (09/04/2014 01:53:36 PM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download....authrootseq.txt> with error: This network connection does not exist.

Error: (09/04/2014 01:53:35 PM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download....authrootseq.txt> with error: This network connection does not exist.

Error: (09/04/2014 01:53:35 PM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download....authrootseq.txt> with error: The server name or address could not be resolved

Error: (09/04/2014 01:53:11 PM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download....authrootseq.txt> with error: The server name or address could not be resolved

Error: (09/04/2014 01:52:28 PM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download....authrootseq.txt> with error: The server name or address could not be resolved

Error: (08/25/2014 08:59:25 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module cowpplg.dll, version 2014.7.6.15, fault address 0x0000a7c9.
Processing media-specific event for [iexplore.exe!ws!]

Error: (06/04/2014 00:26:16 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module mshtml.dll, version 8.0.6001.18702, fault address 0x00265067.
Processing media-specific event for [iexplore.exe!ws!]

Error: (04/19/2014 09:05:00 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module msvcr100.dll, version 10.0.40219.325, fault address 0x00001fd0.
Processing media-specific event for [iexplore.exe!ws!]

Error: (04/19/2014 09:04:07 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module mshtml.dll, version 8.0.6001.18702, fault address 0x001c3837.
Processing media-specific event for [iexplore.exe!ws!]

Error: (04/10/2014 00:04:49 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module jvm.dll, version 0.0.0.0, fault address 0x000495ba.
Processing media-specific event for [iexplore.exe!ws!]

System errors:
=============
Error: (09/05/2014 04:41:09 AM) (Source: DCOM) (EventID: 10010) (User: OLD_DESK_TOP)
Description: The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout.

Error: (09/05/2014 04:40:34 AM) (Source: DCOM) (EventID: 10010) (User: OLD_DESK_TOP)
Description: The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout.

Error: (09/05/2014 04:40:04 AM) (Source: DCOM) (EventID: 10010) (User: OLD_DESK_TOP)
Description: The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout.

Error: (09/05/2014 04:39:34 AM) (Source: DCOM) (EventID: 10010) (User: OLD_DESK_TOP)
Description: The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout.

Error: (09/05/2014 04:39:04 AM) (Source: DCOM) (EventID: 10010) (User: OLD_DESK_TOP)
Description: The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout.

Error: (09/05/2014 04:28:18 AM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (09/05/2014 04:27:49 AM) (Source: Dhcp) (EventID: 1002) (User: )
Description: The IP address lease 192.168.0.10 for the Network Card with network address 0240CA324142 has been
denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

Error: (09/05/2014 03:48:28 AM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
Description: The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout.

Error: (09/05/2014 03:12:38 AM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
Description: The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout.

Error: (09/05/2014 03:12:08 AM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
Description: The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout.

Microsoft Office Sessions:
=========================
Error: (09/04/2014 01:53:36 PM) (Source: crypt32) (EventID: 8) (User: )
Description: http://www.download....rootseq.txtThis network connection does not exist.

Error: (09/04/2014 01:53:35 PM) (Source: crypt32) (EventID: 8) (User: )
Description: http://www.download....rootseq.txtThis network connection does not exist.

Error: (09/04/2014 01:53:35 PM) (Source: crypt32) (EventID: 8) (User: )
Description: http://www.download....hrootseq.txtThe server name or address could not be resolved

Error: (09/04/2014 01:53:11 PM) (Source: crypt32) (EventID: 8) (User: )
Description: http://www.download....hrootseq.txtThe server name or address could not be resolved

Error: (09/04/2014 01:52:28 PM) (Source: crypt32) (EventID: 8) (User: )
Description: http://www.download....hrootseq.txtThe server name or address could not be resolved

Error: (08/25/2014 08:59:25 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: iexplore.exe8.0.6001.18702cowpplg.dll2014.7.6.150000a7c9

Error: (06/04/2014 00:26:16 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: iexplore.exe8.0.6001.18702mshtml.dll8.0.6001.1870200265067

Error: (04/19/2014 09:05:00 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: iexplore.exe8.0.6001.18702msvcr100.dll10.0.40219.32500001fd0

Error: (04/19/2014 09:04:07 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: iexplore.exe8.0.6001.18702mshtml.dll8.0.6001.18702001c3837

Error: (04/10/2014 00:04:49 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: iexplore.exe8.0.6001.18702jvm.dll0.0.0.0000495ba

==================== Memory info ===========================

Processor:  Intel® Pentium® 4 CPU 2.53GHz
Percentage of memory in use: 38%
Total physical RAM: 1023.49 MB
Available physical RAM: 633.79 MB
Total Pagefile: 2461.27 MB
Available Pagefile: 2166.13 MB
Total Virtual: 2047.88 MB
Available Virtual: 1950.21 MB

==================== Drives ================================

Drive c: (PRESARIO) (Fixed) (Total:111.8 GB) (Free:103.47 GB) NTFS ==>[Drive with boot components (Windows XP)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 111.8 GB) (Disk ID: FCB1EC06)
Partition 1: (Active) - (Size=111.8 GB) - (Type=07 NTFS)

==================== End Of Log ============================



#12 LiquidTension (SuperMember, Retired Classroom Teacher, 2,566 posts)

Posted 05 September 2014 - 09:30 AM

Hi Larry,

Please do the following. After completing the instructions below, boot into Normal Mode and rerun FRST (ensure Addition.txt is checked) and RogueKiller. Post Fixlog.txt, FRST.txt, Addition.txt and RKreport.txt in your next reply.

Farbar Recovery Scan Tool (FRST) Script

  • Press the Windows Key + R on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire contents of the codebox below and paste into the Notepad document.
    start
    Startup: C:\Documents and Settings\Joe Blow\Start Menu\Programs\Startup\program.lnk
    ShortcutTarget: program.lnk -> C:\Documents and Settings\All Users\Application Data\50BC232.cpp (Corel Corporation)
    S2 winmgmt; C:\Documents and Settings\All Users\Application Data\50BC232.cpp [490496 2014-09-04] (Corel Corporation) [File not signed]
    C:\Documents and Settings\All Users\Application Data\50BC232.cpp
    end
  • Click File > Save As and type fixlist.txt as the File Name.
  • Important: The file must be saved in the same location as FRST.exe.

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

  • Right-click FRST.exe and select Run as administrator to run the programme.
  • Click Fix.
  • A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.

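The entries in Adam's fixlist above (a Startup .lnk whose target is a .cpp file under All Users\Application Data, and the winmgmt service rebound to that same unsigned file, which is also why Addition.txt could not list Restore Points or devices) are exactly the indicators a responder wants pulled out of an FRST log automatically rather than by eye. The Python below is an added example, not FRST's own code and not anything posted in this thread: it parses FRST-style service and ShortcutTarget lines and applies those checks. The sample lines are constructed; the winmgmt, ShortcutTarget and outobox lines mirror the entries quoted in the thread, the Dhcp line is a made-up benign control entry, and the list of svchost-hosted services is an illustrative assumption, not a complete one.

```python
"""Triage FRST (Farbar Recovery Scan Tool) log lines for the kind of service
hijack fixed in this thread: a core Windows service rebound to an unsigned,
oddly named file under Application Data, plus a Startup shortcut to it.

Added example, not FRST's own code. SAMPLE_LOG is constructed: the winmgmt,
ShortcutTarget and outobox lines mirror the thread; the Dhcp line is an
invented benign control entry so that a clean service produces no finding.
"""
import re
from pathlib import PureWindowsPath

SAMPLE_LOG = r"""
S2 winmgmt; C:\Documents and Settings\All Users\Application Data\50BC232.cpp [490496 2014-09-04] (Corel Corporation) [File not signed]
R2 Dhcp; C:\WINDOWS\system32\svchost.exe -k netsvcs [14336 2008-04-14] (Microsoft Corporation)
ShortcutTarget: program.lnk -> C:\Documents and Settings\All Users\Application Data\50BC232.cpp (Corel Corporation)
outobox (HKLM\...\outobox) (Version: 2013.12.07.011955 - outobox) <==== ATTENTION
Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
""".strip()

# "S2 winmgmt; <image path> [<size> <date>] (<vendor>) [File not signed]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RSU]\d)\s+(?P<name>[^;]+);\s+(?P<path>.+?)\s+"
    r"\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s+"
    r"\((?P<vendor>[^)]*)\)(?P<trailer>.*)$"
)
# "ShortcutTarget: program.lnk -> <target> (<vendor>)"
SHORTCUT_RE = re.compile(
    r"^ShortcutTarget:\s+(?P<lnk>\S+)\s+->\s+(?P<target>.+?)(?:\s+\([^()]*\))?$"
)
# Binary path with trailing service arguments such as "-k netsvcs" stripped.
IMAGE_RE = re.compile(r'^"?(?P<file>.+?\.[A-Za-z0-9]{1,4})"?(?:\s+[-/].*)?$')

SYSTEM_ROOT = PureWindowsPath(r"C:\WINDOWS")
EXECUTABLE_EXT = {".exe", ".sys", ".dll", ".ocx", ".cpl", ".scr"}
# Services a stock Windows XP runs inside svchost.exe. Assumption: this short
# list is illustrative only; a real tool would carry the full table.
SVCHOST_HOSTED = {"winmgmt", "dhcp", "dnscache", "eventsystem", "rpcss"}


def image_file(image_path):
    """Return the binary a service line points at, minus any arguments."""
    m = IMAGE_RE.match(image_path.strip())
    return PureWindowsPath(m["file"] if m else image_path.strip())


def under(path, root):
    """Case-insensitive 'path lies inside root' for Windows paths."""
    p = [part.lower() for part in path.parts]
    r = [part.lower() for part in root.parts]
    return p[: len(r)] == r


def check_file(path, where):
    """Rules shared by service images and Startup shortcut targets."""
    hits = []
    if path.suffix.lower() not in EXECUTABLE_EXT:
        hits.append((f"{where}-non-executable-extension", str(path)))
    if any(part.lower() == "application data" for part in path.parts):
        hits.append((f"{where}-in-application-data", str(path)))
    return hits


def check_service(m):
    """Service-specific rules on top of the shared file rules."""
    name = m["name"].strip().lower()
    path = image_file(m["path"])
    hits = check_file(path, "service")
    if "[File not signed]" in m["trailer"]:
        hits.append(("service-unsigned", name))
    if not under(path, SYSTEM_ROOT):
        hits.append(("service-outside-systemroot", f"{name} -> {path}"))
    if name in SVCHOST_HOSTED and path.name.lower() != "svchost.exe":
        hits.append(("service-rebound-from-svchost", f"{name} -> {path}"))
    return hits


def triage(log_text):
    """Return (line_no, rule, detail) for every suspicious line in an FRST log."""
    findings = []
    for n, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        if "<==== ATTENTION" in line:  # FRST's own marker; always worth a look
            findings.append((n, "frst-attention", line.split(" (")[0]))
        m = SERVICE_RE.match(line)
        if m:
            findings.extend((n, rule, d) for rule, d in check_service(m))
            continue
        m = SHORTCUT_RE.match(line)
        if m:
            target = PureWindowsPath(m["target"].strip('"'))
            findings.extend((n, rule, d) for rule, d in check_file(target, "startup"))
    return findings


if __name__ == "__main__":
    for n, rule, detail in triage(SAMPLE_LOG):
        print(f"line {n}: {rule}: {detail}")
```

On the sample, the winmgmt line trips all five service rules (non-executable extension, Application Data location, unsigned, outside %SystemRoot%, and a svchost-hosted service pointed at a standalone binary), the shortcut trips two, the outobox entry is reported through FRST's own ATTENTION marker, and the Dhcp control line stays silent. Re-running the same script over the FRST.txt produced after the fix is a quick way to confirm that winmgmt no longer triggers the svchost rule.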


#13 LMac (Authentic Member, 42 posts)

Posted 05 September 2014 - 09:47 AM

Adam, I followed all instructions up to

  • Right-click FRST.exe and select Run as administrator to run the programme.

When I right-click I do not get Run as administrator as an option.

I do see "run as" on right-click, but when I click on that it brings up a box that asks if I want to run this program.

#14 LiquidTension (SuperMember, Retired Classroom Teacher, 2,566 posts)

Posted 05 September 2014 - 09:56 AM

My apologies, that is a mistake in my "canned speech". Please Double-click FRST.exe and follow the prompts. 




#15 LMac (Authentic Member, 42 posts)

Posted 05 September 2014 - 10:09 AM

The PC rebooted itself at the end of the script.

I am on the infected PC in normal mode.

Here is the log.

I will now run the other programs as instructed and post those logs.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 03-09-2014
Ran by Joe Blow at 2014-09-05 09:02:08 Run:1
Running from C:\Documents and Settings\Joe Blow\Desktop
Boot Mode: Safe Mode (with Networking)

==============================================

Content of fixlist:
*****************
start
Startup: C:\Documents and Settings\Joe Blow\Start Menu\Programs\Startup\program.lnk
ShortcutTarget: program.lnk -> C:\Documents and Settings\All Users\Application Data\50BC232.cpp (Corel Corporation)
S2 winmgmt; C:\Documents and Settings\All Users\Application Data\50BC232.cpp [490496 2014-09-04] (Corel Corporation) [File not signed]
C:\Documents and Settings\All Users\Application Data\50BC232.cpp
end
*****************

C:\Documents and Settings\Joe Blow\Start Menu\Programs\Startup\program.lnk => Moved successfully.
C:\Documents and Settings\All Users\Application Data\50BC232.cpp => Moved successfully.
winmgmt => Service restored successfully.
"C:\Documents and Settings\All Users\Application Data\50BC232.cpp" => File/Directory not found.

The system needed a reboot.

==== End of Fixlog ====

