
Information security and control act


14 replies to this topic

#1 Lecks

  • Members
  • 7 posts

Posted 30 July 2012 - 05:50 AM

Hello,

I'm new here, so apologies if this has arisen before. I am getting a message that "according to Information security and Control Act (ISCA) 2012" my computer is locked and I have to pay a "fine" to release it. My laptop runs Windows Vista. I have Spybot but I hadn't run it for a few days, plus PC Tools, and a couple of things I hadn't activated. The screen seems to be locked, with an e-mail address and a place to put the code to unlock the screen. There is a Garda (Irish police) logo in the corner of the screen to make it look official.

Luckily I had the loan of this Mac so I looked up "information security and control act" and found it was a virus/malware. A blog post gave a link to teesupport.com, who offered to help for $70. I don't mind paying but I thought I'd see if there are other solutions. I live in Ireland if that makes any difference.

Thanks,

Lecks



#2 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 30 July 2012 - 06:18 AM

Can you boot into safe mode with networking?

#3 Lecks
  • Topic Starter

  • Members
  • 7 posts

Posted 30 July 2012 - 06:51 AM

Hello narenxp. I've done that. Seems to have worked, getting a desktop with much bigger icons. Also a message that the security centre is not running. What's my next move, please? Thanks.

#4 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 30 July 2012 - 06:52 AM

Download

TDSSkiller

Launch it. Click on Change parameters, then select TDLFS file system.

Click on "Scan". Please post the LOG report (the log file should be in your C drive).

Do not change the default options on scan results.

Download

aswMBR

Launch it and allow it to download the latest Avast! virus definitions.
Click the "Scan" button to start the scan. After the scan finishes, click on Save log.

Post the log results here

Download

ESET online scanner

Install it.

Click on START; it should download the virus definitions.
When the scan is completed, click on LIST of found threats.

Export the list to the desktop and copy the contents of the text file into your reply.

#5 Lecks
  • Topic Starter

  • Members
  • 7 posts

Posted 30 July 2012 - 10:42 AM

Thanks narenxp.

No threats found from TDSSkiller scan.

Log results from aswMBR as follows:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-07-30 13:03:16
-----------------------------
13:03:16.536 OS Version: Windows 6.0.6002 Service Pack 2
13:03:16.536 Number of processors: 2 586 0x170A
13:03:16.536 ComputerName: LIAM-PC UserName: Liam
13:03:26.770 Initialize success
13:05:15.580 AVAST engine defs: 12073000
13:06:12.963 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
13:06:12.963 Disk 0 Vendor: ST932042 0002 Size: 305245MB BusType: 3
13:06:12.979 Disk 0 MBR read successfully
13:06:12.979 Disk 0 MBR scan
13:06:12.994 Disk 0 Windows VISTA default MBR code
13:06:12.994 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 305243 MB offset 2048
13:06:13.010 Disk 0 scanning sectors +625139712
13:06:13.119 Disk 0 scanning C:\Windows\system32\drivers
13:06:24.248 Service scanning
13:06:42.820 Modules scanning
13:06:45.400 Disk 0 trace - called modules:
13:06:45.432 ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys acpi.sys hal.dll iaStor.sys
13:06:45.432 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87cd4820]
13:06:45.447 3 CLASSPNP.SYS[8afac8b3] -> nt!IofCallDriver -> [0x87cd4020]
13:06:45.447 5 PCTCore.sys[83720099] -> nt!IofCallDriver -> [0x86c2e3a8]
13:06:45.447 7 acpi.sys[806bc6bc] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x85e4f028]
13:06:46.290 AVAST engine scan C:\Windows
13:06:48.188 AVAST engine scan C:\Windows\system32
13:09:55.732 AVAST engine scan C:\Windows\system32\drivers
13:10:10.365 AVAST engine scan C:\Users\Liam
13:24:23.124 Disk 0 MBR has been saved successfully to "C:\Users\Liam\Documents\MBR.dat"
13:24:23.324 The log file has been saved successfully to "C:\Users\Liam\Documents\aswMBR results.txt"

The FixMBR button was highlighted but not the Fix button.

ESET didn't find any threats, but two items are in the quarantine:

C:\Users\Liam\0.06378651590483253.exe
C:\ProgramData\Zpurdoas.exe


I haven't deleted the quarantined files yet. I would say you'd recommend I install these programs?

Thanks,

Lecks

#6 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 30 July 2012 - 11:30 AM

I haven't deleted the quarantined files yet. I would say you'd recommend I install these programs?


Go ahead and delete them.

Download

http://www.techspot.com/downloads/4716-malwarebytes-anti-malware.html

Install, update and run a full scan.

Click on SHOW results. Select all infections and remove them.

Reboot the PC into normal mode and scan with MBAM in normal mode until you get a clean log.

Post the clean log.

#7 Lecks
  • Topic Starter

  • Members
  • 7 posts

Posted 30 July 2012 - 03:27 PM

Hello,

Nothing found either in safe mode or normal mode.

Log for normal mode here:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.30.08

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Liam :: LIAM-PC [administrator]

30/07/2012 19:59:52
mbam-log-2012-07-30 (19-59-52).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 279441
Time elapsed: 1 hour(s), 4 minute(s), 20 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#8 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 30 July 2012 - 07:39 PM

Download

mini toolbox

Checkmark the following boxes:

Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Users, Partitions and Memory size

Click Go and post the result.

Download

FSS

Checkmark all the boxes

Click on "Scan".
Please copy and paste the log to your reply.


Download

adware cleaner

Launch it, click on Delete.

Post the generated log.

#9 Lecks
  • Topic Starter

  • Members
  • 7 posts

Posted 31 July 2012 - 02:57 AM

Narenxp:

Mini Toolbox results:

MiniToolBox by Farbar Version: 23-07-2012
Ran by Liam (administrator) on 31-07-2012 at 08:39:55
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================

::1 localhost

127.0.0.1 localhost

========================= IP Configuration: ================================

Atheros AR928X Wireless Network Adapter = Wireless Network Connection (Connected)
Marvell Yukon 88E8055 PCI-E Gigabit Ethernet Controller = Local Area Connection (Media disconnected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : Liam-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Atheros AR928X Wireless Network Adapter
Physical Address. . . . . . . . . : 00-24-2C-10-CE-C7
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::d413:dc0b:1863:296a%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.16(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 31 July 2012 08:23:14
Lease Expires . . . . . . . . . . : 31 July 2012 09:23:13
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 268444716
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-21-14-20-00-1D-BA-B5-62-EA
DNS Servers . . . . . . . . . . . : 89.101.160.4
89.101.160.5
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Marvell Yukon 88E8055 PCI-E Gigabit Ethernet Controller
Physical Address. . . . . . . . . : 00-1D-BA-26-36-5E
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 6:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 6TO4 Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 7:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{7CAB8C2B-D1D0-4654-8EFC-C02ACA4517FE}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fb:3c72:992:3f57:feef(Preferred)
Link-local IPv6 Address . . . . . : fe80::3c72:992:3f57:feef%13(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Local Area Connection* 13:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{C6AE81B0-92C4-4AC5-9A2E-1BF9E2DE96C1}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: ie-dub01a-dns01.upc.ie
Address: 89.101.160.4

Name: google.com
Addresses: 2a00:1450:400b:c00::64
209.85.143.100
209.85.143.101



Pinging google.com [209.85.143.101] with 32 bytes of data:

Reply from 209.85.143.101: bytes=32 time=10ms TTL=57

Reply from 209.85.143.101: bytes=32 time=9ms TTL=57



Ping statistics for 209.85.143.101:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 9ms, Maximum = 10ms, Average = 9ms

Server: ie-dub01a-dns01.upc.ie
Address: 89.101.160.4

Name: yahoo.com
Addresses: 72.30.38.140
209.191.122.70
98.139.183.24



Pinging yahoo.com [209.191.122.70] with 32 bytes of data:

Reply from 209.191.122.70: bytes=32 time=135ms TTL=53

Reply from 209.191.122.70: bytes=32 time=134ms TTL=53



Ping statistics for 209.191.122.70:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 134ms, Maximum = 135ms, Average = 134ms

Server: ie-dub01a-dns01.upc.ie
Address: 89.101.160.4

Name: bleepingcomputer.com
Address: 208.43.87.2



Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:

Reply from 208.43.87.2: Destination host unreachable.

Reply from 208.43.87.2: Destination host unreachable.



Ping statistics for 208.43.87.2:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),



Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
11 ...00 24 2c 10 ce c7 ...... Atheros AR928X Wireless Network Adapter
10 ...00 1d ba 26 36 5e ...... Marvell Yukon 88E8055 PCI-E Gigabit Ethernet Controller
1 ........................... Software Loopback Interface 1
15 ...00 00 00 00 00 00 00 e0 6TO4 Adapter
12 ...00 00 00 00 00 00 00 e0 isatap.{7CAB8C2B-D1D0-4654-8EFC-C02ACA4517FE}
13 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
16 ...00 00 00 00 00 00 00 e0 isatap.{C6AE81B0-92C4-4AC5-9A2E-1BF9E2DE96C1}
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.16 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.16 281
192.168.1.16 255.255.255.255 On-link 192.168.1.16 281
192.168.1.255 255.255.255.255 On-link 192.168.1.16 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.16 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.16 281
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
13 18 ::/0 On-link
1 306 ::1/128 On-link
13 18 2001::/32 On-link
13 266 2001:0:5ef5:79fb:3c72:992:3f57:feef/128 On-link
11 281 fe80::/64 On-link
13 266 fe80::/64 On-link
13 266 fe80::3c72:992:3f57:feef/128 On-link
11 281 fe80::d413:dc0b:1863:296a/128 On-link
1 306 ff00::/8 On-link
13 266 ff00::/8 On-link
11 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\system32\NLAapi.dll [48128] (Microsoft Corporation)
Catalog5 02 C:\Windows\system32\napinsp.dll [50176] (Microsoft Corporation)
Catalog5 03 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 04 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 05 C:\Windows\System32\mswsock.dll [223232] (Microsoft Corporation)
Catalog5 06 C:\Windows\System32\winrnr.dll [19968] (Microsoft Corporation)
Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll [329688] (PC Tools Research Pty Ltd.)
Catalog9 02 C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll [329688] (PC Tools Research Pty Ltd.)
Catalog9 03 C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll [329688] (PC Tools Research Pty Ltd.)
Catalog9 04 C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll [329688] (PC Tools Research Pty Ltd.)
Catalog9 05 C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll [329688] (PC Tools Research Pty Ltd.)
Catalog9 06 C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll [329688] (PC Tools Research Pty Ltd.)
Catalog9 07 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 17 C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll [329688] (PC Tools Research Pty Ltd.)
Catalog9 18 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 19 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 20 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 21 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 22 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 23 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 24 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 25 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 26 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 27 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 28 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 29 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 30 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 31 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 32 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 33 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (07/30/2012 07:56:14 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"1".
Dependent Assembly rpshellextension.1.0,language="*",type="win32",version="1.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (07/30/2012 07:56:14 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"1".
Dependent Assembly rpshellextension.1.0,language="*",type="win32",version="1.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (07/30/2012 02:43:03 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"1".
Dependent Assembly rpshellextension.1.0,language="*",type="win32",version="1.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (07/30/2012 02:43:03 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"1".
Dependent Assembly rpshellextension.1.0,language="*",type="win32",version="1.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (07/30/2012 02:42:53 PM) (Source: EventSystem) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (07/30/2012 00:50:43 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"1".
Dependent Assembly rpshellextension.1.0,language="*",type="win32",version="1.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (07/30/2012 00:50:43 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"1".
Dependent Assembly rpshellextension.1.0,language="*",type="win32",version="1.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (07/30/2012 00:50:29 PM) (Source: EventSystem) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (07/30/2012 00:14:51 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 4400

Error: (07/30/2012 00:14:51 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 4400


System errors:
=============
Error: (07/31/2012 08:23:15 AM) (Source: Service Control Manager) (User: )
Description: Parallel port driver%%1058

Error: (07/31/2012 00:04:07 AM) (Source: Service Control Manager) (User: )
Description: Parallel port driver%%1058

Error: (07/30/2012 07:54:54 PM) (Source: Service Control Manager) (User: )
Description: Parallel port driver%%1058

Error: (07/30/2012 02:44:03 PM) (Source: Service Control Manager) (User: )
Description: avipbb
avkmgr
spldr
ssmdrv
Wanarpv6

Error: (07/30/2012 02:44:03 PM) (Source: Service Control Manager) (User: )
Description: Computer BrowserServer%%1068

Error: (07/30/2012 02:43:35 PM) (Source: DCOM) (User: )
Description: 1068fdPHost{145B4335-FE2A-4927-A040-7C35AD3180EF}

Error: (07/30/2012 02:42:56 PM) (Source: DCOM) (User: )
Description: 1084WSearch{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Error: (07/30/2012 02:42:55 PM) (Source: DCOM) (User: )
Description: 1084WSearch{9E175B6D-F52A-11D8-B9A5-505054503030}

Error: (07/30/2012 02:42:53 PM) (Source: DCOM) (User: )
Description: 1084EventSystem{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (07/30/2012 02:42:45 PM) (Source: DCOM) (User: )
Description: 1084ShellHWDetection{DD522ACC-F821-461A-A407-50B198B896DC}


Microsoft Office Sessions:
=========================
Error: (07/30/2012 07:56:14 PM) (Source: SideBySide)(User: )
Description: rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"C:\Windows\Installer\{0B2D57D5-8BFD-4554-A9B6-CC8CC0580F1D}\recordingmanager.exe

Error: (07/30/2012 07:56:14 PM) (Source: SideBySide)(User: )
Description: rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"C:\Windows\Installer\{0B2D57D5-8BFD-4554-A9B6-CC8CC0580F1D}\recordingmanager.exe

Error: (07/30/2012 02:43:03 PM) (Source: SideBySide)(User: )
Description: rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"C:\Windows\Installer\{0B2D57D5-8BFD-4554-A9B6-CC8CC0580F1D}\recordingmanager.exe

Error: (07/30/2012 02:43:03 PM) (Source: SideBySide)(User: )
Description: rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"C:\Windows\Installer\{0B2D57D5-8BFD-4554-A9B6-CC8CC0580F1D}\recordingmanager.exe

Error: (07/30/2012 02:42:53 PM) (Source: EventSystem)(User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (07/30/2012 00:50:43 PM) (Source: SideBySide)(User: )
Description: rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"C:\Windows\Installer\{0B2D57D5-8BFD-4554-A9B6-CC8CC0580F1D}\recordingmanager.exe

Error: (07/30/2012 00:50:43 PM) (Source: SideBySide)(User: )
Description: rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"C:\Windows\Installer\{0B2D57D5-8BFD-4554-A9B6-CC8CC0580F1D}\recordingmanager.exe

Error: (07/30/2012 00:50:29 PM) (Source: EventSystem)(User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (07/30/2012 00:14:51 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 4400

Error: (07/30/2012 00:14:51 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledEvent 4400


=========================== Installed Programs ============================

Adobe Flash Player 11 ActiveX (Version: 11.3.300.268)
Adobe Flash Player 11 Plugin (Version: 11.3.300.268)
Apple Application Support (Version: 2.1.7)
Apple Mobile Device Support (Version: 5.1.1.4)
Apple Software Update (Version: 2.1.3.127)
Ask Toolbar (Version: 1.15.2.0)
Audacity 1.2.6
Avira Free Antivirus (Version: 12.0.0.1125)
Bonjour (Version: 3.0.0.10)
Dropbox (Version: 1.4.7)
eMusic Download Manager (Version: 5.0.5)
EPSON Scan
EPSON SX210 Series Printer Uninstall
ESET Online Scanner v3
Foxit PDF Creator Toolbar Updater (Version: 1.2.1.23037)
Foxit Reader (Version: 5.3.1.606)
Funnix Beginning Math (Version: 1.0.0.0)
Funnix Beginning Reading (Version: 1.0.0.0)
Google Chrome (Version: 20.0.1132.57)
Google Update Helper (Version: 1.3.21.115)
Intel® Graphics Media Accelerator Driver (Version: 8.15.10.2555)
iTunes (Version: 10.6.1.7)
Java Auto Updater (Version: 2.0.7.1)
Java™ 6 Update 31 (Version: 6.0.310)
Malwarebytes Anti-Malware version 1.62.0.1300 (Version: 1.62.0.1300)
McAfee Security Scan Plus (Version: 2.0.181.2)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Mozilla Firefox 14.0.1 (x86 en-US) (Version: 14.0.1)
Mozilla Maintenance Service (Version: 14.0.1)
Norton Security Scan (Version: 3.7.2.5)
OpenOffice.org 3.3 (Version: 3.3.9567)
PeerBlock 1.1 (r518) (Version: 1.1.0.518)
QuickTime (Version: 7.72.80.56)
RealDownloader (Version: 1.1.0)
RealNetworks - Microsoft Visual C++ 2008 Runtime (Version: 9.0)
RealPlayer (Version: 15.0.4)
Realtek High Definition Audio Driver (Version: 6.0.1.5964)
RealUpgrade 1.1 (Version: 1.1.0)
Spybot - Search & Destroy (Version: 1.6.2)
Spyware Doctor with AntiVirus 8.0 (Version: 8.0)
Synaptics Pointing Device Driver (Version: 15.1.9.0)
The KMPlayer (remove only)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
VLC media player 2.0.1 (Version: 2.0.1)

========================= Memory info: ===================================

Percentage of memory in use: 50%
Total physical RAM: 2938.31 MB
Available physical RAM: 1468.71 MB
Total Pagefile: 6082.94 MB
Available Pagefile: 4409.87 MB
Total Virtual: 2047.88 MB
Available Virtual: 1945.1 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:298.09 GB) (Free:127.51 GB) NTFS

========================= Users: ========================================

User accounts for \\LIAM-PC

Administrator Guest Liam


**** End of log ****

FSS log:

Farbar Service Scanner Version: 26-07-2012
Ran by Liam (administrator) on 31-07-2012 at 08:46:00
Running from "C:\Users\Liam\Downloads"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============

sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Disabled
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2012-05-19 18:13] - [2012-03-30 13:39] - 0905600 ____A (Microsoft Corporation) 27D470DABC77BC60D0A3B0E4DEB6CB91

C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\ipnathlp.dll
[2008-01-21 03:24] - [2008-01-21 03:24] - 0288256 ____A (Microsoft Corporation) E1499BD0FF76B1B2FBBF1AF339D91165

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

I'll put the adware cleaner log in another post. Thank you for your help.
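The MiniToolBox log above is what a helper reads by eye for the three network-stack tampering checks narenxp asked for: hosts-file entries that redirect names, a proxy silently switched on, and Winsock LSP providers that are not Microsoft's. The script below is an added example written for this thread, not code from BleepingComputer or from Farbar's MiniToolBox; it parses a log in that layout and reports those findings. SAMPLE_LOG is a constructed excerpt modelled on the posted log, with one constructed hosts entry (update.example.test) added so the hosts check has something to flag, and the wording "Proxy is not enabled." is assumed to be what the tool prints on a clean machine.

```python
"""Automated triage of a MiniToolBox-style log (added example, not the tool's code)."""
import re

# Constructed excerpt in MiniToolBox's layout; the 0.0.0.0 hosts line is
# invented to exercise the hosts check, the Winsock lines mirror the thread.
SAMPLE_LOG = r"""
========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= Hosts content: =================================

::1 localhost

127.0.0.1 localhost

0.0.0.0 update.example.test

========================= Winsock entries =====================================

Catalog5 01 C:\Windows\system32\NLAapi.dll [48128] (Microsoft Corporation)
Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll [329688] (PC Tools Research Pty Ltd.)
Catalog9 07 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)

========================= Event log errors: ===============================
"""

# Section banner: a run of '=', the section name, an optional ':', more '='.
SECTION_RE = re.compile(r"^=+\s*([^=]+?):?\s*=+$")
# Winsock line: "Catalog9 01 <path> [<size>] (<vendor>)"
WINSOCK_RE = re.compile(r"^(Catalog\d+)\s+(\d+)\s+(.+?)\s+\[(\d+)\]\s+\((.+)\)$")
HOSTS_RE = re.compile(r"^(\S+)\s+(\S+)")

# The only mappings a clean Windows hosts file needs.
LOCALHOST = {("127.0.0.1", "localhost"), ("::1", "localhost")}
MICROSOFT = "Microsoft Corporation"


def split_sections(text):
    """Group the non-blank lines of the log under the banner they follow."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections


def suspicious_hosts(lines):
    """Return (ip, name) pairs that are not the standard localhost entries."""
    flagged = []
    for line in lines:
        if line.startswith("#"):  # hosts file comment
            continue
        m = HOSTS_RE.match(line)
        if m and (m.group(1), m.group(2).lower()) not in LOCALHOST:
            flagged.append((m.group(1), m.group(2)))
    return flagged


def proxy_enabled(lines):
    """Assumes MiniToolBox prints 'Proxy is not enabled.' on a clean box."""
    return bool(lines) and not any("not enabled" in line for line in lines)


def third_party_lsps(lines):
    """Map (path, vendor) of each non-Microsoft Winsock provider to its catalog slots."""
    found = {}
    for line in lines:
        m = WINSOCK_RE.match(line)
        if not m:
            continue
        catalog, slot, path, _size, vendor = m.groups()
        if vendor != MICROSOFT:
            found.setdefault((path, vendor), []).append(f"{catalog}/{slot}")
    return found


def triage(text):
    """Run all three checks and return human-readable findings."""
    s = split_sections(text)
    findings = [f"hosts: {name} -> {ip} (non-localhost mapping)"
                for ip, name in suspicious_hosts(s.get("Hosts content", []))]
    if proxy_enabled(s.get("IE Proxy Settings", [])):
        findings.append("proxy: IE proxy is enabled; confirm it is expected")
    for (path, vendor), slots in third_party_lsps(s.get("Winsock entries", [])).items():
        findings.append(f"winsock: {path} ({vendor}) in {', '.join(slots)}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Third-party LSPs are reported rather than judged: on this machine the PC Tools and Bonjour providers correspond to software listed under Installed Programs, so they are expected, but an LSP with no matching installed product is the kind of finding that warrants a closer look.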

#10 Lecks
  • Topic Starter

  • Members
  • 7 posts

Posted 31 July 2012 - 03:28 AM

Adware cleaner results:

# AdwCleaner v1.703 - Logfile created 07/31/2012 at 08:57:00
# Updated 20/07/2012 by Xplode
# Operating system : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# User : Liam - LIAM-PC
# Running from : C:\Users\Liam\Downloads\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Users\Liam\AppData\Local\APN
Folder Deleted : C:\Users\Liam\AppData\LocalLow\AskToolbar
Folder Deleted : C:\Users\Liam\AppData\Roaming\Mozilla\Firefox\Profiles\q7txbsyn.default\extensions\toolbar@ask.com
Folder Deleted : C:\Program Files\Ask.com
Folder Deleted : C:\Windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
File Deleted : C:\Users\Liam\AppData\Roaming\Mozilla\Firefox\Profiles\q7txbsyn.default\searchplugins\Askcom.xml

***** [Registry] *****

Key Deleted : HKCU\Software\APN
Key Deleted : HKCU\Software\AppDataLow\Software\AskToolbar
Key Deleted : HKCU\Software\Ask.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}
Key Deleted : HKLM\SOFTWARE\APN
Key Deleted : HKLM\SOFTWARE\AskToolbar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd
Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1
Key Deleted : HKLM\SOFTWARE\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\SOFTWARE\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\SOFTWARE\DT Soft
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ApnUpdater]

***** [Registre - GUID] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{32099AAC-C132-4136-9E9A-4E364A424E17}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{00000000-6E41-4FD3-8538-502F5495E5FC}]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://eu.ask.com/?l=dis&o=101702 --> hxxp://www.google.com

-\\ Mozilla Firefox v14.0.1 (en-US)

Profile name : default
File : C:\Users\Liam\AppData\Roaming\Mozilla\Firefox\Profiles\q7txbsyn.default\prefs.js

Deleted : user_pref("browser.search.defaultengine", "Ask.com");
Deleted : user_pref("browser.search.defaultenginename", "Ask.com");
Deleted : user_pref("browser.search.order.1", "Ask.com");
Deleted : user_pref("browser.search.selectedEngine", "Ask.com");
Deleted : user_pref("browser.startup.homepage", "hxxp://eu.ask.com/?l=dis&o=101702");
Deleted : user_pref("extensions.asktb.ff-original-keyword-url", "");
Deleted : user_pref("extensions.toolbar@ask.com.install-event-fired", true);
Deleted : user_pref("keyword.URL", "hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=FXTV5&o=101699&local[...]

-\\ Google Chrome v20.0.1132.57

File : C:\Users\Liam\AppData\Local\Google\Chrome\User Data\Default\Preferences

Deleted : "scriptable_host": [ "*://*.ask.com/", "*://*.bagsbuy.com/*", "*://*.childrenschorus.[...]
Deleted : "matches": [ "*://*.google.com/*", "*://*.ask.com/", "*://*.bagsbuy.com/*", "*://*[...]
Deleted : "update_url": "hxxp://apnmedia.ask.com/media/toolbar/supertoolbar/chrome/manifest.php[...]

*************************

AdwCleaner[R1].txt - [5290 octets] - [31/07/2012 08:56:31]
AdwCleaner[S1].txt - [5236 octets] - [31/07/2012 08:57:00]

########## EOF - C:\AdwCleaner[S1].txt - [5364 octets] ##########

#11 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 31 July 2012 - 06:39 AM

That looks good

Uninstall ask toolbar

Download

TFC

Launch it, it will close all running programs

Click on START, it should ask for reboot

Turn off your system restore, restart the PC, create a new restore point

http://windows.microsoft.com/en-US/windows-vista/Turn-System-Restore-on-or-off

Update your flash player

Update your JAVA from here

http://java.com/en/download/inc/windows_upgrade_xpi.jsp

Update your antivirus frequently, do not click on suspicious links

Safe surfing :)
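A defender's follow-up to the AdwCleaner log in post #10 and the clean-up steps in post #11, added here as an example and not part of the thread or of either tool: a Windows PowerShell script that re-checks the Ask toolbar locations AdwCleaner reported as deleted (including the ApnUpdater Run value), performs the restore-point cycle from post #11 (turning System Restore off discards the old points, which can hold copies of the infection, then turning it on again and taking a fresh one), and lists the installed Java and Flash versions from the Uninstall registry keys so out-of-date plug-ins stand out. It assumes Windows PowerShell 2.0 or later run from an elevated prompt; the restore-point description is made up for the example, and the registry and folder paths are the ones in the log above.

```powershell
# Added example (not from the thread, AdwCleaner or TFC): post-cleanup checks.
# Assumes Windows PowerShell 2.0+ in an elevated session. Paths below are the
# ones AdwCleaner reported in post #10; $env: variables resolve to the same
# locations on the 32-bit Vista system in the log.

$ErrorActionPreference = 'Continue'

# 1. Confirm the Ask toolbar locations AdwCleaner removed are still gone.
$askPaths = @(
    'HKLM:\SOFTWARE\AskToolbar',
    'HKLM:\SOFTWARE\APN',
    'HKCU:\Software\Ask.com',
    'HKCU:\Software\APN',
    "$env:ProgramFiles\Ask.com",
    "$env:LOCALAPPDATA\APN"
)
$leftovers = $askPaths | Where-Object { Test-Path $_ }
if ($leftovers) {
    Write-Warning ("Ask toolbar remnants still present:`n" + ($leftovers -join "`n"))
} else {
    Write-Host 'No Ask toolbar remnants found at the logged locations.'
}

# The Run value AdwCleaner deleted (ApnUpdater) should not have come back.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['ApnUpdater']) {
    Write-Warning ("Run value ApnUpdater is back: " + $run.ApnUpdater)
}

# 2. Restore-point cycle from post #11. Disabling System Restore on the drive
#    deletes the existing restore points; re-enabling it and calling
#    Checkpoint-Computer leaves a single clean point to roll back to.
$sysDrive = $env:SystemDrive + '\'
Disable-ComputerRestore -Drive $sysDrive
Enable-ComputerRestore  -Drive $sysDrive
Checkpoint-Computer -Description 'Clean after ISCA lock-screen removal' `
                    -RestorePointType 'MODIFY_SETTINGS'   # description is made up
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, Description, CreationTime |
    Format-Table -AutoSize

# 3. Report installed Java and Flash versions so the "update" steps can be checked.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Java|Adobe Flash' } |
    Select-Object DisplayName, DisplayVersion |
    Format-Table -AutoSize
```

Run it from an Administrator PowerShell prompt; Checkpoint-Computer and the System Restore cmdlets fail without elevation. If the first section reports leftovers, the cleanup did not fully take and the tool run should be repeated before a restore point is created, otherwise the new point preserves the remnants.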

#12 Lecks

Lecks
  • Topic Starter

  • Members
  • 7 posts

Posted 01 August 2012 - 12:45 AM

Thank you very much for all your help. I am extremely grateful!

Regards,

Lecks

#13 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 01 August 2012 - 06:20 AM

You're most welcome :)

#14 miggan_1

miggan_1

  • Members
  • 2 posts

Posted 01 August 2012 - 05:29 PM

Hello.

I've had the same problem as the user above with the ISCA virus. I have used Malwarebytes Anti-Malware version 1.61.0.1400, which was recommended on another site. It found a couple of dangerous files, which it deleted; however, when I boot my computer in normal mode the computer is still locked on the ISCA screen.

I am able to start the computer in safe mode with networking. If I follow the same process as the user above did will this get rid of the virus or is it a different approach for each computer?

Any help would be greatly appreciated.

#15 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 01 August 2012 - 05:36 PM

miggan_1

Please create a new topic to avoid confusion

Thanks
