
Can only access in Safe Mode


  • This topic is locked
52 replies to this topic

#1 Fhallest

Fhallest

  • Members
  • 121 posts

Posted 19 October 2013 - 01:34 AM

I was recently referred here from the Am I Infected forum. I am having issues with my computer: it is unable to properly run any programs in normal mode, and I can only access it in Safe Mode. Here is the link to the forum post directly relating to this issue and its initial cause. I hope this helps explain what has happened.

Thanks

Randy

http://www.bleepingcomputer.com/forums/t/510738/can-only-access-in-safe-mode/

Mod Edit:  OP was not provided guidelines for posting in MRL, I sent PM requesting that OP read Guide and submit logs ASAP to this topic - Hamluis.


Edited by hamluis, 19 October 2013 - 07:00 AM.
PM sent OP - Hamluis.



#2 Fhallest

Fhallest
  • Topic Starter

  • Members
  • 121 posts

Posted 19 October 2013 - 01:48 PM

Ok,

Here are the required files I forgot to include in my initial post. In addition, I cannot access the internet via the infected machine and will be using my wife's Power Mac.

Thanks again

Randy

Attached Files



#3 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 22 October 2013 - 06:22 PM

Hello Fhallest, and welcome to the Malware Removal Logs forum! :)

My name is bloopie and I'll be helping you with your problems as best I can! :thumbup2:

A few things to keep in mind while we are working together:

  • If you have since resolved the original problem you were having, I would appreciate it if you let me know.
  • If you are unsure about any of the steps just post what you can and I will guide you!
  • Please tell me if you have your original Windows CD/DVD available.
  • Please copy and paste all logs here unless otherwise instructed!
  • Upon completing the steps below I will review your topic and do my best to resolve your issues.
  • Please do not run any other tools without my instruction to do so!

==========

Step :step1:

First, I must mention that your logs indicate you have run Combofix before (or at least "tried to") on September 23rd. If the tool ran and created a log, please post it in your next reply. The log can be found at C:\Combofix.txt.

==========

Step :step2:

Now I'd like to get another log from FRST; instructions are below. If you need to copy the tool over from a flash drive to run it on the infected machine, that will also work. Please run the tool in any boot mode that is successful:

Please download Farbar Recovery Scan Tool and save it to your Desktop/Flash drive.

Note: You need to run the version compatible with your system. You will need the 32-bit version.

  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe). Please also paste that along with the FRST.txt into your reply.

==========

Step :step3:

In addition to the FRST logs, I'd also like you to get a log from FSS using the same method above:

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure all checkboxes are checked!
  • Press the "Scan" button.
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log in your next reply.

==========

Please post all requested logs in your next reply, and let me know if you had any trouble with any tool!

bloopie
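The Farbar Service Scanner log that bloopie asks for above reports, for each core Windows service, the start type currently in the registry next to the start type the service ships with. The first thing a responder looks for in that output is a service whose start type has been flipped to Disabled, because that is what leaves DNS, DHCP, Windows Update, the firewall and WMI all dead at once. Below is an added example, written for this page rather than taken from the thread or from Farbar's tools: a small Python parser that reads FSS-style service-configuration blocks and lists every service whose start type differs from the default. The log format is the one visible in the FSS output posted later in this thread; the embedded sample lines are constructed (the Spooler entry is a healthy control), and the numeric-to-name mapping follows the Windows service `Start` registry value convention.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Windows stores a service's start type as a number under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\Start; FSS prints either the
# number or the name, so both are normalised to the name before comparing.
START_TYPE_NAMES = {"0": "Boot", "1": "System", "2": "Auto", "3": "Manual", "4": "Disabled"}

# "The start type of X service is set to Disabled. The default start type is Auto."
START_RE = re.compile(
    r"^The start type of (?P<svc>\S+) service is set to (?P<actual>\w+)\. "
    r"The default start type is (?P<default>\w+)\.$"
)
# "The ImagePath of X service is OK."  or  'The ServiceDll of X: "<value>".'
BINARY_RE = re.compile(
    r'^The (?P<field>ImagePath|ServiceDll) of (?P<svc>\S+?)(?: service)?'
    r'(?: is (?P<ok>OK)|: "(?P<value>.*)")\.$'
)


@dataclass
class ServiceFinding:
    name: str
    actual: str                        # start type FSS found in the registry
    default: str                       # start type FSS says the service ships with
    image_path: Optional[str] = None   # None when FSS reported the path as OK
    service_dll: Optional[str] = None  # None when FSS reported the DLL as OK

    @property
    def start_type_changed(self) -> bool:
        return self.actual != self.default


def normalize(start_type: str) -> str:
    """Map a numeric start type to its name; names pass through unchanged."""
    return START_TYPE_NAMES.get(start_type, start_type)


def parse_fss(text: str) -> Dict[str, ServiceFinding]:
    """Collect one ServiceFinding per service whose start type FSS reports."""
    findings: Dict[str, ServiceFinding] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = START_RE.match(line)
        if m:
            findings[m["svc"]] = ServiceFinding(
                m["svc"], normalize(m["actual"]), normalize(m["default"]))
            continue
        m = BINARY_RE.match(line)
        if m and m["svc"] in findings:
            value = None if m["ok"] else m["value"]
            if m["field"] == "ImagePath":
                findings[m["svc"]].image_path = value
            else:
                findings[m["svc"]].service_dll = value
    return findings


def misconfigured(findings: Dict[str, ServiceFinding]) -> List[str]:
    """Names of services whose start type no longer matches the default."""
    return sorted(n for n, f in findings.items() if f.start_type_changed)


def report(findings: Dict[str, ServiceFinding]) -> List[str]:
    """One human-readable line per misconfigured service."""
    lines = []
    for name in misconfigured(findings):
        f = findings[name]
        lines.append(f"{name}: start type {f.actual}, expected {f.default}")
    return lines


# Constructed sample in the FSS format. The first two blocks mirror lines from
# the log posted in this thread; the Spooler block is a healthy control entry.
SAMPLE_LOG = r"""
Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is set to Disabled. The default start type is Auto.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is set to Disabled. The default start type is 3.
The ImagePath of EventSystem: "C:\WINDOWS\system32\svchost.exe -k netsvcs".
The ServiceDll of EventSystem: "C:\WINDOWS\system32\es.dll".

The start type of Spooler service is set to Auto. The default start type is Auto.
The ImagePath of Spooler service is OK.
"""

if __name__ == "__main__":
    for line in report(parse_fss(SAMPLE_LOG)):
        print(line)
```

Run against a real FSS.txt by passing the file's contents to `parse_fss`. A service that shows up in `misconfigured` with its ImagePath and ServiceDll still reported as OK (as every service in this thread's log does) points at a start-type change rather than a replaced binary, which is why the helper in this thread asks for this log before choosing a fix.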



#4 Fhallest

Fhallest
  • Topic Starter

  • Members
  • 121 posts

Posted 23 October 2013 - 01:23 AM

Bloopie,

 

First, thanks for responding and taking the time to help me. I cannot find any Combofix logs on my troubled machine, and all logs would be listed in my other posts. I have the necessary CDs from Microsoft, as they took pity and sent me another one recently. When running any scan tool that has the option to click on "fix it", could you please clarify whether you would like me to click on "fix it" or just retrieve the scan data generated by the software scanning my computer.

 

Randy



#5 Fhallest

Fhallest
  • Topic Starter

  • Members
  • 121 posts

Posted 23 October 2013 - 01:54 AM

Ok, here are the scans.

Farbar Service Scanner Version: 20-10-2013
Ran by Randy Nettell (administrator) on 23-10-2013 at 00:38:02
Running from "H:\"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is set to Disabled. The default start type is Auto.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.
 
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is set to Disabled. The default start type is Auto.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.
 
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error. Google IP is unreachable
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo.com returned error: Other errors
 
 
Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Disabled. The default start type is Auto.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.
 
netman Service is not running. Checking service configuration:
The start type of netman service is set to Disabled. The default start type is 3.
The ImagePath of netman service is OK.
The ServiceDll of netman service is OK.
 
winmgmt Service is not running. Checking service configuration:
The start type of winmgmt service is set to Disabled. The default start type is Auto.
The ImagePath of winmgmt service is OK.
The ServiceDll of winmgmt service is OK.
 
 
Firewall Disabled Policy: 
==================
 
 
System Restore:
============
Srservice Service is not running. Checking service configuration:
The start type of Srservice service is set to Disabled. The default start type is Auto.
The ImagePath of Srservice service is OK.
The ServiceDll of Srservice service is OK.
 
 
System Restore Disabled Policy: 
========================
 
 
Security Center:
============
 
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is set to Disabled. The default start type is Auto.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
 
winmgmt Service is not running. Checking service configuration:
The start type of winmgmt service is set to Disabled. The default start type is Auto.
The ImagePath of winmgmt service is OK.
The ServiceDll of winmgmt service is OK.
 
 
Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Disabled. The default start type is Auto.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.
 
BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Disabled. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.
 
EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is set to Disabled. The default start type is 3.
The ImagePath of EventSystem: "C:\WINDOWS\system32\svchost.exe -k netsvcs".
The ServiceDll of EventSystem: "C:\WINDOWS\system32\es.dll".
 
 
Windows Autoupdate Disabled Policy: 
============================
 
PlugPlay Service is not running. Checking service configuration:
The start type of PlugPlay service is set to Disabled. The default start type is Auto.
The ImagePath of PlugPlay service is OK.
 
 
Other Services:
==============
 
 
File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
 
Extra List:
=======
aswTdi(8) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4) 
0x080000000500000001000000020000000300000004000000080000000600000007000000
IpSec Tag value is correct.
 
**** End of log ****
 
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 22-10-2013
Ran by Randy Nettell at 2013-10-23 00:33:42
Running from H:\
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
Could not list Security Center items. Check WMI.
 
 
==================== Installed Programs ======================
 
Adobe Flash Player 11 ActiveX (Version: 11.9.900.117)
Adobe Flash Player 11 Plugin (Version: 11.9.900.117)
Adobe Reader XI (11.0.05) (Version: 11.0.05)
Apple Application Support (Version: 2.3.3)
Apple Mobile Device Support (Version: 6.1.0.13)
Astroburn Lite (Version: 1.7.0.0175)
avast! Free Antivirus (Version: 8.0.1483.0)
Bonjour (Version: 3.0.0.10)
CCleaner (Version: 4.00)
Cheat Engine 6.1
DAEMON Tools Lite (Version: 4.47.1.0333)
ESET Online Scanner v3
foobar2000 v1.2.9 (Version: 1.2.9)
Google Chrome (Version: 30.0.1599.69)
Google Update Helper (Version: 1.3.21.165)
GPGNet (Version: 1.0.0)
Hearts of Iron III Gold (Version: 2.03.00.0)
Homeworld2
Kukuxumusu ANTfermin Screensaver
Kukuxumusu Digital Clock Screensaver
Kukuxumusu Kosmos Screensaver
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2833941)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Fix it Center (Version: 1.0.0100)
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Groove MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office InfoPath MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Professional Plus 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (French) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Silverlight (Version: 5.1.20125.0)
Microsoft Software Update for Web Folders  (English) 14 (Version: 14.0.6029.1000)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.59193)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Visual J# 2.0 Redistributable Package (Version: 2.0.50727)
Microsoft XNA Framework Redistributable 3.1 (Version: 3.1.10527.0)
Mozilla Firefox 24.0 (x86 en-US) (Version: 24.0)
Mozilla Maintenance Service (Version: 24.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
NVIDIA Control Panel 310.90 (Version: 310.90)
NVIDIA Drivers
NVIDIA Graphics Driver 310.90 (Version: 310.90)
NVIDIA HD Audio Driver 1.3.18.0 (Version: 1.3.18.0)
NVIDIA Install Application (Version: 2.1002.109.706)
NVIDIA nView 136.53 (Version: 136.53)
NVIDIA PhysX (Version: 9.12.1031)
NVIDIA PhysX System Software 9.12.1031 (Version: 9.12.1031)
NVIDIA Update 1.11.3 (Version: 1.11.3)
NVIDIA Update Components (Version: 1.11.3)
QT Lite 4.1.0 (Version: 4.1.0)
Republic at War 1.1.5 (Version: 1.1.5)
Shad'O version 1.0 (Version: 1.0)
Shadowrun Returns
Spybot - Search & Destroy (Version: 1.6.2)
Star Wars Empire at War (Version: 1.0)
Star Wars Empire at War Forces of Corruption (Version: 1.0)
StarDrive
Update for Microsoft .NET Framework 3.5 SP1 (KB2836940) (Version: 1)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939) (Version: 1)
Update for Windows Internet Explorer 8 (KB2598845) (Version: 1)
Update for Windows Internet Explorer 8 (KB2632503) (Version: 1)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2467659) (Version: 1)
Update for Windows XP (KB2492386) (Version: 1)
Update for Windows XP (KB2661254-v2) (Version: 2)
Update for Windows XP (KB2736233) (Version: 1)
Update for Windows XP (KB2749655) (Version: 1)
Update for Windows XP (KB2808679) (Version: 1)
Update for Windows XP (KB2863058) (Version: 1)
Update for Windows XP (KB951978) (Version: 1)
Update for Windows XP (KB968389) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
Update for Windows XP (KB973815) (Version: 1)
VLC media player 2.0.7 (Version: 2.0.7)
WebFldrs XP (Version: 9.50.7523)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.9.0040.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3 (Version: 20080414.031525)
WinRAR 4.20 (32-bit) (Version: 4.20.0)
 
==================== Restore Points  =========================
 
Could not list Restore Points. Check WMI.
 
 
==================== Hosts content: ==========================
 
2006-02-28 06:00 - 2013-09-27 14:41 - 00449839 ___RA C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
127.0.0.1 10sek.com
127.0.0.1 www.10sek.com
127.0.0.1 www.1-2005-search.com
127.0.0.1 1-2005-search.com
127.0.0.1 123fporn.info
127.0.0.1 www.123fporn.info
127.0.0.1 123haustiereundmehr.com
127.0.0.1 www.123haustiereundmehr.com
 
There are 1000 more lines.
 
 
==================== Scheduled Tasks (whitelisted) =============
 
Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\avast! Emergency Update.job => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
 
==================== Loaded Modules (whitelisted) =============
 
 
==================== Alternate Data Streams (whitelisted) =========
 
 
==================== Safe Mode (whitelisted) ===================
 
 
==================== Faulty Device Manager Devices =============
 
Could not list Devices. Check WMI.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (09/29/2013 07:17:18 PM) (Source: Application Error) (User: )
Description: Faulting application sword of the stars.exe, version 0.0.0.0, faulting module msvcr80.dll, version 8.0.50727.6195, fault address 0x00008aa0.
Processing media-specific event for [sword of the stars.exe!ws!]
 
Error: (09/16/2013 00:17:34 AM) (Source: Application Error) (User: )
Description: Faulting application forgedalliance.exe, version 1.5.0.1, faulting module forgedalliance.exe, version 1.5.0.1, fault address 0x005382e8.
Processing media-specific event for [forgedalliance.exe!ws!]
 
Error: (08/25/2013 02:16:13 AM) (Source: Application Error) (User: )
Description: Faulting application forgedalliance.exe, version 1.5.0.1, faulting module forgedalliance.exe, version 1.5.0.1, fault address 0x005382e8.
Processing media-specific event for [forgedalliance.exe!ws!]
 
Error: (08/23/2013 11:40:24 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 37004812
 
Error: (08/23/2013 11:40:24 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 37004812
 
Error: (08/23/2013 11:40:24 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (08/23/2013 01:25:29 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 109390
 
Error: (08/23/2013 01:25:29 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 109390
 
Error: (08/23/2013 01:25:29 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (08/23/2013 01:25:13 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 93765
 
 
System errors:
=============
Error: (10/23/2013 00:33:45 AM) (Source: DCOM) (User: HOME-B39ED94609)
Description: DCOM got error "%%1058" attempting to start the service winmgmt with arguments ""
in order to run the server:
{8BC3F05E-D86B-11D0-A075-00C04FB68820}
 
Error: (10/23/2013 00:33:43 AM) (Source: DCOM) (User: HOME-B39ED94609)
Description: DCOM got error "%%1058" attempting to start the service winmgmt with arguments ""
in order to run the server:
{8BC3F05E-D86B-11D0-A075-00C04FB68820}
 
Error: (10/23/2013 00:33:42 AM) (Source: DCOM) (User: HOME-B39ED94609)
Description: DCOM got error "%%1058" attempting to start the service winmgmt with arguments ""
in order to run the server:
{8BC3F05E-D86B-11D0-A075-00C04FB68820}
 
Error: (10/23/2013 00:33:19 AM) (Source: DCOM) (User: HOME-B39ED94609)
Description: DCOM got error "%%1058" attempting to start the service winmgmt with arguments ""
in order to run the server:
{8BC3F05E-D86B-11D0-A075-00C04FB68820}
 
Error: (10/23/2013 00:01:22 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}
 
Error: (10/23/2013 00:01:16 AM) (Source: DCOM) (User: HOME-B39ED94609)
Description: DCOM got error "%%1058" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AD1-2166-11D1-B1D0-00805FC1270E}
 
Error: (10/23/2013 00:01:16 AM) (Source: DCOM) (User: HOME-B39ED94609)
Description: DCOM got error "%%1058" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}
 
Error: (10/23/2013 00:01:15 AM) (Source: DCOM) (User: HOME-B39ED94609)
Description: DCOM got error "%%1058" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}
 
Error: (10/23/2013 00:01:13 AM) (Source: DCOM) (User: HOME-B39ED94609)
Description: DCOM got error "%%1058" attempting to start the service winmgmt with arguments ""
in order to run the server:
{8BC3F05E-D86B-11D0-A075-00C04FB68820}
 
Error: (10/23/2013 00:01:11 AM) (Source: DCOM) (User: HOME-B39ED94609)
Description: DCOM got error "%%1058" attempting to start the service winmgmt with arguments ""
in order to run the server:
{8BC3F05E-D86B-11D0-A075-00C04FB68820}
 
 
Microsoft Office Sessions:
=========================
Error: (09/29/2013 07:17:18 PM) (Source: Application Error)(User: )
Description: sword of the stars.exe0.0.0.0msvcr80.dll8.0.50727.619500008aa0
 
Error: (09/16/2013 00:17:34 AM) (Source: Application Error)(User: )
Description: forgedalliance.exe1.5.0.1forgedalliance.exe1.5.0.1005382e8
 
Error: (08/25/2013 02:16:13 AM) (Source: Application Error)(User: )
Description: forgedalliance.exe1.5.0.1forgedalliance.exe1.5.0.1005382e8
 
Error: (08/23/2013 11:40:24 AM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 37004812
 
Error: (08/23/2013 11:40:24 AM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledEvent 37004812
 
Error: (08/23/2013 11:40:24 AM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (08/23/2013 01:25:29 AM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 109390
 
Error: (08/23/2013 01:25:29 AM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledEvent 109390
 
Error: (08/23/2013 01:25:29 AM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (08/23/2013 01:25:13 AM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 93765
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 24%
Total physical RAM: 2047.48 MB
Available physical RAM: 1539.44 MB
Total Pagefile: 3940.43 MB
Available Pagefile: 3680.18 MB
Total Virtual: 2047.88 MB
Available Virtual: 1955.54 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:232.88 GB) (Free:78.4 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive h: () (Removable) (Total:15.1 GB) (Free:4.65 GB) FAT32
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 233 GB) (Disk ID: 25A425A3)
Partition 1: (Active) - (Size=233 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 15 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=15 GB) - (Type=0C)
 
==================== End Of Log ============================
 
 
 
 
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 22-10-2013
Ran by Randy Nettell (administrator) on HOME-B39ED94609 on 23-10-2013 00:33:19
Running from H:\
Microsoft Windows XP Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal
 
==================== Could not list processes ===============
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [MSConfig] - C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE [169984 2008-04-13] (Microsoft Corporation)
 
==================== Internet (Whitelisted) ====================
 
URLSearchHook: ATTENTION ==> Default URLSearchHook is missing.
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search
BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (Safer Networking Limited)
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL (Microsoft Corporation)
Toolbar: HKLM - avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
 
FireFox:
========
FF ProfilePath: C:\Documents and Settings\Randy Nettell\Application Data\Mozilla\Firefox\Profiles\83fzr6kn.default
FF user.js: detected! => C:\Documents and Settings\Randy Nettell\Application Data\Mozilla\Firefox\Profiles\83fzr6kn.default\user.js
FF Homepage: hxxp://xfinity.comcast.net/
FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_9_900_117.dll ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.0.7 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: monetomi - C:\Documents and Settings\Randy Nettell\Application Data\Mozilla\Firefox\Profiles\83fzr6kn.default\Extensions\firefox@monetomi.info
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: avast! WebRep - C:\Program Files\AVAST Software\Avast\WebRep\FF
 
========================== Services (Whitelisted) =================
 
S4 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [45248 2013-03-06] (AVAST Software)
 
==================== Drivers (Whitelisted) ====================
 
R1 AmdPPM; C:\Windows\System32\DRIVERS\AmdPPM.sys [33792 2007-04-16] (Advanced Micro Devices)
R2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [29816 2013-03-06] (AVAST Software)
R2 aswMonFlt; C:\WINDOWS\system32\drivers\aswMonFlt.sys [66336 2013-03-06] (AVAST Software)
R1 AswRdr; C:\Windows\System32\Drivers\AswRdr.sys [49760 2013-03-06] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [49248 2013-03-06] ()
R1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [765736 2013-03-06] (AVAST Software)
R1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [368176 2013-03-06] (AVAST Software)
R1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [62376 2013-03-06] (AVAST Software)
S3 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [164736 2013-03-06] ()
R2 DgiVecp; C:\WINDOWS\system32\Drivers\DgiVecp.sys [38400 2009-10-12] (Samsung Electronics Co., Ltd.)
R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [242240 2013-03-16] (DT Soft Ltd)
R3 ms_mpu401; C:\Windows\System32\drivers\msmpu401.sys [2944 2001-08-17] (Microsoft Corporation)
R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [5810 2004-08-12] ()
S3 Neo_VPN; C:\Windows\System32\DRIVERS\Neo_0074.sys [25824 2013-08-19] (SoftEther Project at University of Tsukuba, Japan.)
R3 NVENETFD; C:\Windows\System32\DRIVERS\NVENETFD.sys [54784 2008-08-01] (NVIDIA Corporation)
R3 NVHDA; C:\Windows\System32\drivers\nvhda32.sys [124264 2012-07-03] (NVIDIA Corporation)
R3 nvnetbus; C:\Windows\System32\DRIVERS\nvnetbus.sys [22016 2008-08-01] (NVIDIA Corporation)
S3 pnicml; C:\DOCUME~1\RANDYN~1\LOCALS~1\Temp\pnicml.sys [29696 2006-07-07] ()
R3 REVO; C:\Windows\System32\drivers\revo.sys [116671 2013-04-08] (Midiman/M-Audio)
R3 REVOSENS; C:\Windows\System32\drivers\revosens.sys [401536 2013-04-08] (Sensaura Ltd)
S3 catchme; \??\C:\ComboFix\catchme.sys [x]
S4 IntelIde; No ImagePath
U5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-10-23 00:23 - 2013-10-23 00:23 - 00000000 ____D C:\FRST
2013-10-19 12:33 - 2013-10-19 12:33 - 00011964 _____ C:\Documents and Settings\Randy Nettell\Desktop\attach.txt
2013-10-19 12:33 - 2013-10-19 12:33 - 00007254 _____ C:\Documents and Settings\Randy Nettell\Desktop\dds.txt
2013-10-19 12:32 - 2012-11-19 18:43 - 00688992 ____R (Swearware) C:\Documents and Settings\Randy Nettell\Desktop\dds.com
2013-10-17 17:44 - 2013-10-17 17:44 - 00008490 _____ C:\Documents and Settings\Randy Nettell\Desktop\aswBootAAvastBootScan.txt
2013-10-16 13:16 - 2013-10-16 13:16 - 00018597 _____ C:\Documents and Settings\Randy Nettell\Desktop\Result.txt
2013-10-13 15:42 - 2013-10-13 15:42 - 00000000 __SHD C:\WINDOWS\CSC
2013-10-13 15:25 - 2013-10-13 15:25 - 00000420 _____ C:\WINDOWS\regopt.log
2013-10-10 22:00 - 2013-10-23 00:20 - 00030249 _____ C:\WINDOWS\setupapi.log
2013-10-10 21:37 - 2013-10-10 21:50 - 00000000 ____D C:\Documents and Settings\Randy Nettell\Desktop\mbar
2013-10-10 18:25 - 2013-10-16 12:59 - 00050642 _____ C:\Documents and Settings\Randy Nettell\Desktop\Rkill.txt
2013-10-09 00:45 - 2013-10-09 00:45 - 00000000 ____D C:\Documents and Settings\Randy Nettell\Application Data\Open Download Manager
2013-10-09 00:44 - 2013-10-09 00:44 - 00000000 ____D C:\WINDOWS\system32\modules
2013-10-09 00:44 - 2013-10-09 00:44 - 00000000 ____D C:\WINDOWS\system32\js
2013-10-09 00:44 - 2013-10-09 00:44 - 00000000 ____D C:\WINDOWS\system32\images
2013-10-09 00:44 - 2013-10-09 00:44 - 00000000 ____D C:\WINDOWS\system32\html
2013-10-09 00:44 - 2013-10-09 00:44 - 00000000 ____D C:\WINDOWS\system32\css
2013-10-09 00:43 - 2013-10-09 00:43 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Babylon
2013-10-09 00:42 - 2013-10-09 00:56 - 00000000 ____D C:\Program Files\OpenDownloaderManager
2013-10-07 19:20 - 2013-10-09 00:43 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-10-07 19:20 - 2013-10-07 19:20 - 00000730 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
2013-10-07 19:20 - 2013-10-07 19:20 - 00000724 _____ C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
2013-10-07 19:20 - 2013-10-07 19:20 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2013-09-27 21:27 - 2013-09-27 21:27 - 00005028 _____ C:\Documents and Settings\Randy Nettell\My Documents\cc_20130927_212707.reg
2013-09-27 14:41 - 2013-09-23 15:14 - 00000027 _____ C:\WINDOWS\system32\Drivers\etc\hosts.20130927-144106.backup
2013-09-24 21:55 - 2013-09-24 21:55 - 00000760 _____ C:\Documents and Settings\Randy Nettell\Desktop\Cheat Engine.lnk
2013-09-24 21:55 - 2013-09-24 21:55 - 00000000 ____D C:\Program Files\Cheat Engine 6.1
2013-09-24 21:55 - 2013-09-24 21:55 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Cheat Engine 6.1
2013-09-23 15:18 - 2013-09-23 15:18 - 00013052 _____ C:\ComboFix.txt
2013-09-23 15:12 - 2013-09-23 15:12 - 00008192 ____H C:\WINDOWS\system32\config\SECURITY.tmp.LOG
2013-09-23 15:12 - 2013-09-23 15:12 - 00000000 ____H C:\WINDOWS\system32\config\system.tmp.LOG
2013-09-23 15:12 - 2013-09-23 15:12 - 00000000 ____H C:\WINDOWS\system32\config\software.tmp.LOG
2013-09-23 15:12 - 2013-09-23 15:12 - 00000000 ____H C:\WINDOWS\system32\config\SAM.tmp.LOG
2013-09-23 15:12 - 2013-09-23 15:12 - 00000000 ____H C:\WINDOWS\system32\config\default.tmp.LOG
2013-09-23 15:00 - 2013-09-23 15:00 - 00000000 _RSHD C:\cmdcons
2013-09-23 15:00 - 2013-08-20 14:36 - 00000211 _____ C:\Boot.bak
2013-09-23 15:00 - 2004-08-03 23:00 - 00260272 __RSH C:\cmldr
2013-09-23 14:58 - 2013-09-23 15:18 - 00000000 ____D C:\Qoobox
2013-09-23 14:58 - 2013-09-23 15:16 - 00000000 ____D C:\WINDOWS\erdnt
2013-09-23 14:58 - 2011-06-26 00:45 - 00256000 _____ C:\WINDOWS\PEV.exe
2013-09-23 14:58 - 2010-11-07 11:20 - 00208896 _____ C:\WINDOWS\MBR.exe
2013-09-23 14:58 - 2009-04-19 22:56 - 00060416 _____ (NirSoft) C:\WINDOWS\NIRCMD.exe
2013-09-23 14:58 - 2000-08-30 18:00 - 00518144 _____ (SteelWerX) C:\WINDOWS\SWREG.exe
2013-09-23 14:58 - 2000-08-30 18:00 - 00406528 _____ (SteelWerX) C:\WINDOWS\SWSC.exe
2013-09-23 14:58 - 2000-08-30 18:00 - 00212480 _____ (SteelWerX) C:\WINDOWS\SWXCACLS.exe
2013-09-23 14:58 - 2000-08-30 18:00 - 00098816 _____ C:\WINDOWS\sed.exe
2013-09-23 14:58 - 2000-08-30 18:00 - 00080412 _____ C:\WINDOWS\grep.exe
2013-09-23 14:58 - 2000-08-30 18:00 - 00068096 _____ C:\WINDOWS\zip.exe
 
==================== One Month Modified Files and Folders =======
 
2013-10-23 00:30 - 2013-03-10 00:37 - 00000000 __SHD C:\Documents and Settings\NetworkService
2013-10-23 00:23 - 2013-10-23 00:23 - 00000000 ____D C:\FRST
2013-10-23 00:20 - 2013-10-10 22:00 - 00030249 _____ C:\WINDOWS\setupapi.log
2013-10-23 00:01 - 2006-02-28 06:00 - 00002422 _____ C:\WINDOWS\system32\wpa.dbl
2013-10-19 12:34 - 2013-09-16 01:43 - 00226767 _____ C:\WINDOWS\WindowsUpdate.log
2013-10-19 12:33 - 2013-10-19 12:33 - 00011964 _____ C:\Documents and Settings\Randy Nettell\Desktop\attach.txt
2013-10-19 12:33 - 2013-10-19 12:33 - 00007254 _____ C:\Documents and Settings\Randy Nettell\Desktop\dds.txt
2013-10-17 17:44 - 2013-10-17 17:44 - 00008490 _____ C:\Documents and Settings\Randy Nettell\Desktop\aswBootAAvastBootScan.txt
2013-10-16 21:26 - 2013-05-11 01:16 - 00000000 ___HD C:\Program Files\InstallShield Installation Information
2013-10-16 21:26 - 2013-03-20 01:13 - 00000000 ____D C:\Documents and Settings\Randy Nettell\My Documents\My Games
2013-10-16 13:16 - 2013-10-16 13:16 - 00018597 _____ C:\Documents and Settings\Randy Nettell\Desktop\Result.txt
2013-10-16 12:59 - 2013-10-10 18:25 - 00050642 _____ C:\Documents and Settings\Randy Nettell\Desktop\Rkill.txt
2013-10-13 21:12 - 2013-03-18 13:00 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2013-10-13 21:07 - 2013-03-09 15:30 - 00000256 __RSH C:\boot.ini
2013-10-13 21:07 - 2006-02-28 06:00 - 00000983 _____ C:\WINDOWS\win.ini
2013-10-13 21:07 - 2006-02-28 06:00 - 00000327 _____ C:\WINDOWS\system.ini
2013-10-13 20:41 - 2013-03-09 15:33 - 00576850 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2013-10-13 20:36 - 2013-08-20 14:37 - 00032480 _____ C:\WINDOWS\SchedLgU.Txt
2013-10-13 20:36 - 2013-03-10 00:37 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2013-10-13 20:29 - 2013-03-11 22:59 - 00000900 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2013-10-13 20:29 - 2013-03-11 22:59 - 00000378 ____H C:\WINDOWS\Tasks\avast! Emergency Update.job
2013-10-13 20:28 - 2013-03-11 22:59 - 00000896 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2013-10-13 15:42 - 2013-10-13 15:42 - 00000000 __SHD C:\WINDOWS\CSC
2013-10-13 15:38 - 2013-03-10 00:38 - 00000042 ___SH C:\Documents and Settings\Randy Nettell\ntuser.ini
2013-10-13 15:33 - 2013-08-12 00:42 - 00000884 __RSH C:\Documents and Settings\Randy Nettell\ntuser.pol
2013-10-13 15:33 - 2013-03-10 00:38 - 00000000 ____D C:\Documents and Settings\Randy Nettell
2013-10-13 15:27 - 2013-03-09 15:30 - 00001024 ____H C:\WINDOWS\system32\config\userdiff.LOG
2013-10-13 15:25 - 2013-10-13 15:25 - 00000420 _____ C:\WINDOWS\regopt.log
2013-10-12 19:44 - 2013-06-24 12:27 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2013-10-12 16:32 - 2013-03-17 17:41 - 00000000 ____D C:\Documents and Settings\Randy Nettell\Application Data\vlc
2013-10-11 23:35 - 2013-03-12 20:12 - 00043520 _____ C:\WINDOWS\system32\CmdLineExt03.dll
2013-10-11 23:27 - 2013-03-10 19:34 - 00000000 ____D C:\WINDOWS\system32\LogFiles
2013-10-10 21:50 - 2013-10-10 21:37 - 00000000 ____D C:\Documents and Settings\Randy Nettell\Desktop\mbar
2013-10-10 21:50 - 2013-06-29 19:26 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-10-10 21:33 - 2013-03-10 18:11 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2508429$
2013-10-10 18:24 - 2013-03-12 16:36 - 00000000 ____D C:\Documents and Settings\Randy Nettell\Application Data\BitTorrent
2013-10-09 11:44 - 2013-03-11 23:22 - 00692616 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2013-10-09 11:44 - 2013-03-11 23:22 - 00071048 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2013-10-09 00:56 - 2013-10-09 00:42 - 00000000 ____D C:\Program Files\OpenDownloaderManager
2013-10-09 00:45 - 2013-10-09 00:45 - 00000000 ____D C:\Documents and Settings\Randy Nettell\Application Data\Open Download Manager
2013-10-09 00:44 - 2013-10-09 00:44 - 00000000 ____D C:\WINDOWS\system32\modules
2013-10-09 00:44 - 2013-10-09 00:44 - 00000000 ____D C:\WINDOWS\system32\js
2013-10-09 00:44 - 2013-10-09 00:44 - 00000000 ____D C:\WINDOWS\system32\images
2013-10-09 00:44 - 2013-10-09 00:44 - 00000000 ____D C:\WINDOWS\system32\html
2013-10-09 00:44 - 2013-10-09 00:44 - 00000000 ____D C:\WINDOWS\system32\css
2013-10-09 00:43 - 2013-10-09 00:43 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Babylon
2013-10-09 00:43 - 2013-10-07 19:20 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-10-07 19:20 - 2013-10-07 19:20 - 00000730 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
2013-10-07 19:20 - 2013-10-07 19:20 - 00000724 _____ C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
2013-10-07 19:20 - 2013-10-07 19:20 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2013-10-07 19:20 - 2013-03-10 01:23 - 00000000 ____D C:\Documents and Settings\Randy Nettell\Application Data\Mozilla
2013-09-30 13:58 - 2013-04-04 00:38 - 00000000 ____D C:\Program Files\Lighthouse Interactive
2013-09-27 21:27 - 2013-09-27 21:27 - 00005028 _____ C:\Documents and Settings\Randy Nettell\My Documents\cc_20130927_212707.reg
2013-09-25 09:56 - 2013-03-25 13:05 - 00065536 _____ C:\WINDOWS\system32\config\OAlerts.evt
2013-09-24 21:55 - 2013-09-24 21:55 - 00000760 _____ C:\Documents and Settings\Randy Nettell\Desktop\Cheat Engine.lnk
2013-09-24 21:55 - 2013-09-24 21:55 - 00000000 ____D C:\Program Files\Cheat Engine 6.1
2013-09-24 21:55 - 2013-09-24 21:55 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Cheat Engine 6.1
2013-09-23 15:18 - 2013-09-23 15:18 - 00013052 _____ C:\ComboFix.txt
2013-09-23 15:18 - 2013-09-23 14:58 - 00000000 ____D C:\Qoobox
2013-09-23 15:16 - 2013-09-23 14:58 - 00000000 ____D C:\WINDOWS\erdnt
2013-09-23 15:14 - 2013-09-27 14:41 - 00000027 _____ C:\WINDOWS\system32\Drivers\etc\hosts.20130927-144106.backup
2013-09-23 15:13 - 2013-03-09 15:31 - 00262144 _____ C:\WINDOWS\system32\config\SECURITY.bak
2013-09-23 15:13 - 2013-03-09 15:31 - 00028672 _____ C:\WINDOWS\system32\config\SAM.bak
2013-09-23 15:13 - 2013-03-09 15:30 - 41418752 _____ C:\WINDOWS\system32\config\software.bak
2013-09-23 15:13 - 2013-03-09 15:30 - 05242880 _____ C:\WINDOWS\system32\config\default.bak
2013-09-23 15:13 - 2013-03-09 15:30 - 04718592 _____ C:\WINDOWS\system32\config\system.bak
2013-09-23 15:12 - 2013-09-23 15:12 - 00008192 ____H C:\WINDOWS\system32\config\SECURITY.tmp.LOG
2013-09-23 15:12 - 2013-09-23 15:12 - 00000000 ____H C:\WINDOWS\system32\config\system.tmp.LOG
2013-09-23 15:12 - 2013-09-23 15:12 - 00000000 ____H C:\WINDOWS\system32\config\software.tmp.LOG
2013-09-23 15:12 - 2013-09-23 15:12 - 00000000 ____H C:\WINDOWS\system32\config\SAM.tmp.LOG
2013-09-23 15:12 - 2013-09-23 15:12 - 00000000 ____H C:\WINDOWS\system32\config\default.tmp.LOG
2013-09-23 15:00 - 2013-09-23 15:00 - 00000000 _RSHD C:\cmdcons
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== End Of Log ============================
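
The FRST driver list above is where an analyst looks first, and it already contains the kind of entry worth a second look: `S3 pnicml` points at a `.sys` file under the user's `LOCALS~1\Temp` directory with no company string, `S3 catchme` points at a file that is no longer on disk (`[x]`), and `S4 IntelIde` has no ImagePath at all. The script below is an added example, not part of this thread and not FRST's own code: it parses lines in the FRST driver format and ranks those indicators. The sample log is constructed, modeled on the lines posted above; the severity labels and rules are my own triage heuristics, not anything FRST itself emits.

```python
"""Triage the driver section of an FRST log (added example; not FRST's code).

Parses lines shaped like
    R3 name; C:\\path\\driver.sys [size YYYY-MM-DD] (Company)
    S3 name; \\??\\C:\\path\\driver.sys [x]
    S4 name; No ImagePath
and flags what an analyst checks first: an image loaded from a user Temp
directory, an image missing on disk ([x]), no ImagePath at all, an image
outside the Windows directory, and an empty company string.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

LINE_RE = re.compile(r"^(?P<state>[A-Z])(?P<start>\d)\s+(?P<name>[^;]+);\s*(?P<rest>.*)$")
IMAGE_RE = re.compile(
    r"^(?P<path>.+?)\s+\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s+\((?P<company>[^)]*)\)$"
)
MISSING_RE = re.compile(r"^(?P<path>.+?)\s+\[x\]$")
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}
Finding = Tuple[str, str]  # (severity, reason)


class Driver(NamedTuple):
    state: str                     # R = running, S = stopped, as FRST prints it
    start: int                     # Windows start type, 0 (boot) .. 4 (disabled)
    name: str
    path: Optional[str] = None     # None when FRST prints "No ImagePath"
    size: Optional[int] = None
    company: Optional[str] = None  # "" when the file carries no company string
    missing: bool = False          # True when FRST prints [x]: file not on disk


def parse_driver_line(line: str) -> Optional[Driver]:
    """Return a Driver for one FRST driver line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    state, start, name, rest = m["state"], int(m["start"]), m["name"], m["rest"]
    if rest == "No ImagePath":
        return Driver(state, start, name)
    im = IMAGE_RE.match(rest)
    if im:
        return Driver(state, start, name, im["path"], int(im["size"]), im["company"])
    mm = MISSING_RE.match(rest)
    if mm:
        return Driver(state, start, name, mm["path"], missing=True)
    return None


def normalize_path(path: str) -> str:
    """Drop the NT object-manager prefix (\\??\\) FRST keeps, and lowercase."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def triage(drv: Driver) -> List[Finding]:
    """Apply the triage rules to one driver; findings are sorted high -> low."""
    findings: List[Finding] = []
    if drv.path is None:
        findings.append(("medium", "no ImagePath: dead service entry, or stripped by a cleaner or by malware"))
        return findings
    p = normalize_path(drv.path)
    if re.search(r"\\(temp|tmp)\\", p):          # kernel code loaded from a user-writable Temp dir
        findings.append(("high", "driver image loaded from a Temp directory"))
    if drv.missing:                                # entry survives, file does not
        findings.append(("high", "image file not present on disk (stale entry or self-deleting driver)"))
    if not re.match(r"^[a-z]:\\windows\\", p):    # legit drivers almost always live under %SystemRoot%
        findings.append(("medium", "image outside %SystemRoot%"))
    if drv.company == "":                          # weak signal on its own (some vendor drivers lack it)
        findings.append(("low", "no company string in the file version info"))
    findings.sort(key=lambda f: SEVERITY_RANK[f[0]])
    return findings


def triage_log(text: str) -> Dict[str, List[Finding]]:
    """Parse every driver line in `text`; return only the drivers that have findings."""
    report: Dict[str, List[Finding]] = {}
    for line in text.splitlines():
        drv = parse_driver_line(line)
        if drv is not None:
            findings = triage(drv)
            if findings:
                report[drv.name] = findings
    return report


def worst_severity(report: Dict[str, List[Finding]]) -> Optional[str]:
    """Highest severity in the report, or None when nothing was flagged."""
    sevs = [f[0] for fs in report.values() for f in fs]
    return min(sevs, key=SEVERITY_RANK.get) if sevs else None


# Constructed sample, modeled on the FRST driver list posted in this thread.
SAMPLE_LOG = r"""
R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [242240 2013-03-16] (DT Soft Ltd)
R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [5810 2004-08-12] ()
S3 pnicml; C:\DOCUME~1\RANDYN~1\LOCALS~1\Temp\pnicml.sys [29696 2006-07-07] ()
S3 catchme; \??\C:\ComboFix\catchme.sys [x]
S4 IntelIde; No ImagePath
U5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
"""

if __name__ == "__main__":
    for name, findings in triage_log(SAMPLE_LOG).items():
        for sev, why in findings:
            print(f"{sev:6} {name:12} {why}")
```

Run against the sample, `pnicml` comes out on top (Temp directory, outside `%SystemRoot%`, no company string), `catchme` is flagged for the missing file, and `IntelIde` for the empty ImagePath; `dtsoftbus01` and `ScsiPort` are not flagged. A `high` hit is a lead, not a verdict: the next step is to pull the file (or note that it is gone) and check its hash and signature, which is what the "MD5 is legit" lines in the Bamital & volsnap check do for the core system binaries.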


#6 bloopie

    Bleepin' Sith Turner

  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 23 October 2013 - 12:37 PM

Hello again,

Looking over your logs, it does appear that Combofix did save a log and it is still on your machine:

2013-09-23 15:18 - 2013-09-23 15:18 - 00013052 _____ C:\ComboFix.txt


Please verify that file is there (it may only say Combofix without the .txt) on the root of your C: drive, and copy and paste the log in your next reply if you can.

If you're sure you can't find it, then we'll take another tack:

==========

Please copy the next three files onto your flash drive, then transfer them over to your sick computer:

Now run these tools on your sick computer, from normal boot mode, following the instructions below:

Step 1

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters
  • Check Loaded Modules, Verify Driver Digital Signature, and Detect TDLFS file system
  • If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now
  • Click Start Scan and allow the scan process to run
  • If threats are detected select Skip or Cure (if available) for all of them unless otherwise instructed.
    ***Do NOT select Delete!
  • Click Continue
  • Click Reboot computer
  • Please copy the TDSSKiller.[Version]_[Date]_[Time]_log.txt file found in your root directory (typically c:\) and paste it into your next reply

==========

Step 2

  • Double click the aswMBR.exe icon, and click Run.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.

==========

Step 3

  • Right-click the cintrepair on your desktop, and select Extract All...
  • Extract the files to the default selections by clicking Next, Next, Finish.
  • Once extracted, you should be able to open cintrepair folder and double-click on CIntRep.exe
  • Make sure all boxes are checked EXCEPT "Restore the default hosts file", then click "Go!"
  • Reboot the machine.

==========

Step 4

Finally, please run a fresh FSS scan and post the latest results for me in your next reply.

==============================

In addition to all requested logs, please let me know if there are any changes to the machine in normal mode now! Programs still not working?

If you have any trouble or do not understand any of the instructions above, please stop and let me know!

bloopie


Edited by bloopie, 23 October 2013 - 06:11 PM.
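
Step 4 asks for a Farbar Service Scanner run. FSS checks, for each of the services a Windows box needs to get online, three things: the Start value, the ImagePath, and (for svchost-hosted services) the ServiceDll, and reports any that differ from the stock install. The script below is an added example, not part of bloopie's instructions and not Farbar's code, that reproduces that check for the two services FSS lists under "Internet Services" (Dnscache and Dhcp). The XP SP3 default values in it are my assumption of the stock settings and should be confirmed against a known-clean XP machine; the SNAPSHOT is constructed to mirror the FSS result posted later in this thread, where both services had been set to Disabled while their binaries were untouched.

```python
"""FSS-style check of the XP services that decide whether the box has a network.

Added example; not part of bloopie's instructions and not Farbar's code.  For
each service it checks the same three things Farbar Service Scanner reports,
the Start value, the ImagePath and the ServiceDll, against the values a stock
XP SP3 install sets.  Those defaults are my assumption of the stock values;
confirm them on a known-clean XP machine before acting on a mismatch.  On
Windows the live values are read from the registry; anywhere else the
constructed SNAPSHOT is checked instead.
"""
import os
import re
from typing import Dict, List

try:
    import winreg  # present on Windows only
except ImportError:
    winreg = None

START_TYPE = {0: "Boot", 1: "System", 2: "Auto", 3: "Manual", 4: "Disabled"}

# Assumed XP SP3 defaults for the two services FSS lists under "Internet Services".
XP_DEFAULTS: Dict[str, Dict[str, object]] = {
    "Dnscache": {
        "Start": 2,
        "ImagePath": r"%SystemRoot%\system32\svchost.exe -k NetworkService",
        "ServiceDll": r"%SystemRoot%\System32\dnsrslvr.dll",
    },
    "Dhcp": {
        "Start": 2,
        "ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
        "ServiceDll": r"%SystemRoot%\System32\dhcpcsvc.dll",
    },
}

# Constructed snapshot reproducing what the FSS log in this thread shows:
# both services Disabled (Start=4), binaries untouched.
SNAPSHOT: Dict[str, Dict[str, object]] = {
    "Dnscache": dict(XP_DEFAULTS["Dnscache"], Start=4),
    "Dhcp": dict(XP_DEFAULTS["Dhcp"], Start=4),
}


def canon(path: str, system_root: str = r"C:\WINDOWS") -> str:
    """Expand %SystemRoot%, drop quotes and extra spaces, lowercase, so that an
    unexpanded REG_EXPAND_SZ value compares equal to its expanded form."""
    p = path.strip().strip('"')
    p = re.sub(r"%systemroot%", lambda _m: system_root, p, flags=re.IGNORECASE)
    return " ".join(p.lower().split())


def check_service(name: str, cfg: Dict[str, object], system_root: str = r"C:\WINDOWS") -> List[str]:
    """FSS-style report lines for one service; an empty list means it matches the default."""
    want = XP_DEFAULTS[name]
    lines: List[str] = []
    start = cfg.get("Start")
    if start is None:
        lines.append(f"The Start value of {name} service is missing.")
    elif start != want["Start"]:
        lines.append(
            f"The start type of {name} service is set to {START_TYPE.get(start, start)}. "
            f"The default start type is {START_TYPE[want['Start']]}."
        )
    for key in ("ImagePath", "ServiceDll"):
        have = cfg.get(key)
        if have is None:
            lines.append(f"The {key} of {name} service is missing.")
        elif canon(str(have), system_root) != canon(str(want[key]), system_root):
            lines.append(f'The {key} of {name} service is: "{have}". Default: "{want[key]}".')
    return lines


def check_all(snapshot: Dict[str, Dict[str, object]], system_root: str = r"C:\WINDOWS") -> Dict[str, List[str]]:
    """Check every service in XP_DEFAULTS against `snapshot`."""
    return {name: check_service(name, snapshot.get(name, {}), system_root) for name in XP_DEFAULTS}


def read_live_config(name: str) -> Dict[str, object]:
    """Read Start/ImagePath/ServiceDll of one service from the live registry (Windows only)."""
    if winreg is None:
        raise RuntimeError("live registry read needs Windows")
    key_path = r"SYSTEM\CurrentControlSet\Services" + "\\" + name
    cfg: Dict[str, object] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as k:
        for value in ("Start", "ImagePath"):
            try:
                cfg[value] = winreg.QueryValueEx(k, value)[0]
            except FileNotFoundError:
                pass
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path + r"\Parameters") as k:
            cfg["ServiceDll"] = winreg.QueryValueEx(k, "ServiceDll")[0]
    except FileNotFoundError:
        pass
    return cfg


if __name__ == "__main__":
    if winreg is not None:
        root = os.environ.get("SystemRoot", r"C:\WINDOWS")
        results = check_all({n: read_live_config(n) for n in XP_DEFAULTS}, root)
    else:
        results = check_all(SNAPSHOT)
    for name, lines in results.items():
        print(name + (": OK" if not lines else ":"))
        for line in lines:
            print("  " + line)
```

Against the snapshot the output is the same pair of findings FSS prints: start type Disabled where Auto is expected, ImagePath and ServiceDll unchanged. That distinction matters for what comes next: a wrong start type on an untouched binary is a configuration change that can be reverted, whereas a ServiceDll pointing somewhere other than `%SystemRoot%\System32` means the service itself has been hijacked and the file needs to be examined before anything is re-enabled.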


#7 Fhallest
  • Topic Starter
  • Members
  • 121 posts

Posted 24 October 2013 - 01:22 AM

Bloopie,

I have included all requested text files except Complete Internet Repair.  I kept getting an error message "Line 4623 AutoIt Error" Error: variable must be type "object"

ComboFix 13-09-23.02 - Randy Nettell 09/23/2013  15:07:26.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2047.1465 [GMT -6:00]
Running from: c:\documents and settings\Randy Nettell\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\INSTALL.LOG
c:\windows\iun6002.exe
c:\windows\system32\_000005_.tmp.dll
c:\windows\wininit.ini
.
Infected copy of c:\windows\system32\kernel32.dll was found and disinfected 
Restored copy from - c:\windows\$hf_mig$\KB2758857\SP3QFE\kernel32.dll 
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_DEFAULTTABSEARCH
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-23 to 2013-09-23  )))))))))))))))))))))))))))))))
.
.
2013-09-18 00:05 . 2013-09-18 00:06 -------- d-----w- c:\program files\Common Files\Adobe
2013-09-05 14:04 . 2013-09-05 14:04 209272 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-23 06:58 . 2013-03-13 02:12 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2013-09-20 10:44 . 2013-03-12 05:22 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-09-20 10:44 . 2013-03-12 05:22 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-08-19 20:31 . 2013-08-19 20:31 25824 ----a-w- c:\windows\system32\drivers\Neo_0074.sys
2013-08-17 05:20 . 2013-08-17 05:20 133688 ----a-w- c:\windows\system32\vpncmd.exe
2013-07-26 02:47 . 2006-02-28 12:00 920064 ----a-w- c:\windows\system32\wininet.dll
2013-07-26 02:47 . 2006-02-28 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2013-07-26 02:47 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-07-25 15:52 . 2006-02-28 12:00 385024 ------w- c:\windows\system32\html.iec
2013-07-10 10:37 . 2006-02-28 12:00 406016 ----a-w- c:\windows\system32\usp10.dll
2013-07-04 03:03 . 2006-02-28 12:00 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-07-04 02:08 . 2004-08-03 22:59 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-07-03 06:27 . 2013-07-03 06:27 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-03-06 22:32 121968 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-03-06 4767304]
"RevoTaskbarApp"="c:\windows\system32\RevoTask.exe" [2013-04-08 217088]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-12-29 15635896]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-09-05 958576]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SoftEther VPN Client Manager Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SoftEther VPN Client Manager Startup.lnk
backup=c:\windows\pss\SoftEther VPN Client Manager Startup.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-09-05 14:03 958576 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2013-01-28 19:08 59720 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 20:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2013-03-14 08:23 3672640 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2012-12-29 08:07 15635896 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2012-12-29 08:07 108984 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2012-12-29 10:31 1982312 ----a-w- c:\program files\NVIDIA Corporation\nview\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 22:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"NvCplDaemon"="RUNDLL32.EXE"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\StarDrive\\StarDrive.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander - Forged Alliance\\bin\\ForgedAlliance.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"c:\\Documents and Settings\\Randy Nettell\\Application Data\\BitTorrent\\BitTorrent.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management 
.
R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [3/11/2013 10:59 PM 49248]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [3/11/2013 10:59 PM 765736]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/11/2013 10:59 PM 368176]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [3/16/2013 8:20 PM 242240]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/11/2013 10:59 PM 29816]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [3/11/2013 10:59 PM 66336]
S3 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [3/11/2013 10:59 PM 164736]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [6/13/2011 10:09 PM 267568]
S3 Neo_VPN;VPN Client Device Driver - VPN;c:\windows\system32\drivers\Neo_0074.sys [8/19/2013 2:31 PM 25824]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-09-22 20:24 1177552 ----a-w- c:\program files\Google\Chrome\Application\29.0.1547.76\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-23 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-03-12 10:44]
.
2013-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57]
.
2013-09-23 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2013-03-12 22:32]
.
2013-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-03-12 04:59]
.
2013-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-03-12 04:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Randy Nettell\Application Data\Mozilla\Firefox\Profiles\t1h3z0j1.default-1377325391156\
FF - prefs.js: browser.startup.homepage - hxxp://xfinity.comcast.net/
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Advanced SystemCare 6 - c:\program files\IObit\Advanced SystemCare 6\ASCTray.exe
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-SoftEther VPN Client UI Helper - c:\program files\SoftEther VPN Client\vpnclient.exe
AddRemove-Revolution - c:\windows\iun6002.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-23 15:14
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3984)
c:\windows\system32\WININET.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~2\Office14\1033\GrooveIntlResource.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2013-09-23  15:18:16 - machine was rebooted
ComboFix-quarantined-files.txt  2013-09-23 21:18
.
Pre-Run: 78,551,322,624 bytes free
Post-Run: 78,390,083,584 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 48635DFABA7EEE881F08E533ED9E8EEE
8F558EB6672622401DA993E1E865C861
 
 
 
18:26:49.0578 0x07ac  TDSS rootkit removing tool 3.0.0.14 Oct 15 2013 15:35:38
18:26:54.0140 0x07ac  ============================================================
18:26:54.0140 0x07ac  Current date / time: 2013/10/23 18:26:54.0140
18:26:54.0140 0x07ac  SystemInfo:
18:26:54.0140 0x07ac  
18:26:54.0140 0x07ac  OS Version: 5.1.2600 ServicePack: 3.0
18:26:54.0140 0x07ac  Product type: Workstation
18:26:54.0140 0x07ac  ComputerName: HOME-B39ED94609
18:26:54.0140 0x07ac  UserName: Randy Nettell
18:26:54.0140 0x07ac  Windows directory: C:\WINDOWS
18:26:54.0140 0x07ac  System windows directory: C:\WINDOWS
18:26:54.0140 0x07ac  Processor architecture: Intel x86
18:26:54.0140 0x07ac  Number of processors: 2
18:26:54.0140 0x07ac  Page size: 0x1000
18:26:54.0140 0x07ac  Boot type: Normal boot
18:26:54.0140 0x07ac  ============================================================
18:26:56.0562 0x07ac  Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
18:26:56.0562 0x07ac  Drive \Device\Harddisk1\DR2 - Size: 0x3C7800000 (15.12 Gb), SectorSize: 0x200, Cylinders: 0x7B5, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
18:26:56.0562 0x07ac  ============================================================
18:26:56.0562 0x07ac  \Device\Harddisk0\DR0:
18:26:56.0562 0x07ac  MBR partitions:
18:26:56.0562 0x07ac  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x1D1C0681
18:26:56.0562 0x07ac  \Device\Harddisk1\DR2:
18:26:56.0562 0x07ac  MBR partitions:
18:26:56.0562 0x07ac  \Device\Harddisk1\DR2\Partition1: MBR, Type 0xC, StartLBA 0x20, BlocksNum 0x1E3BFE0
18:26:56.0562 0x07ac  ============================================================
18:26:56.0578 0x07ac  C: <-> \Device\Harddisk0\DR0\Partition1
18:26:56.0593 0x07ac  ============================================================
18:26:56.0593 0x07ac  Initialize success
18:26:56.0593 0x07ac  ============================================================
18:28:22.0468 0x07a8  Deinitialize success
 
 
aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-10-23 18:41:42
-----------------------------
18:41:42.984    OS Version: Windows 5.1.2600 Service Pack 3
18:41:42.984    Number of processors: 2 586 0x2B01
18:41:43.000    ComputerName: HOME-B39ED94609  UserName: Randy Nettell
18:41:43.609    Initialize success
18:41:46.546    AVAST engine defs: 13101300
18:42:15.828    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-9
18:42:15.828    Disk 0 Vendor: WDC_WD2500JD-00HBC0 08.02D08 Size: 238475MB BusType: 3
18:42:15.937    Disk 0 MBR read successfully
18:42:15.937    Disk 0 MBR scan
18:42:16.046    Disk 0 Windows XP default MBR code
18:42:16.046    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       238464 MB offset 63
18:42:16.093    Disk 0 scanning sectors +488376000
18:42:16.203    Disk 0 scanning C:\WINDOWS\system32\drivers
18:42:30.078    Service scanning
18:42:41.796    Modules scanning
18:42:44.015    Module: C:\WINDOWS\system32\ntdll.dll  **SUSPICIOUS**
18:42:44.015    Disk 0 trace - called modules:
18:42:44.031    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS 
18:42:44.031    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89d70ab8]
18:42:44.031    3 CLASSPNP.SYS[b8108fd7] -> nt!IofCallDriver -> \Device\00000070[0x89d883b8]
18:42:44.031    5 ACPI.sys[b7f49620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP4T0L0-9[0x89d7fd98]
18:42:44.531    AVAST engine scan C:\WINDOWS
18:42:49.984    AVAST engine scan C:\WINDOWS\system32
18:45:47.281    AVAST engine scan C:\WINDOWS\system32\drivers
18:46:13.546    AVAST engine scan C:\Documents and Settings\Randy Nettell
19:06:58.203    AVAST engine scan C:\Documents and Settings\All Users
19:07:46.156    Scan finished successfully
20:28:42.734    Disk 0 MBR has been saved successfully to "H:\MBR.dat"
20:28:42.765    The log file has been saved successfully to "H:\aswMBR.txt"
 
Farbar Service Scanner Version: 20-10-2013
Ran by Randy Nettell (administrator) on 24-10-2013 at 00:12:09
Running from "H:\"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Network
****************************************************************
 
Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is set to Disabled. The default start type is Auto.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.
 
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is set to Disabled. The default start type is Auto.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.
 
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error. Google IP is unreachable
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo.com returned error: Other errors
 
 
Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Disabled. The default start type is Auto.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.
 
netman Service is not running. Checking service configuration:
The start type of netman service is set to Disabled. The default start type is 3.
The ImagePath of netman service is OK.
The ServiceDll of netman service is OK.
 
winmgmt Service is not running. Checking service configuration:
The start type of winmgmt service is set to Disabled. The default start type is Auto.
The ImagePath of winmgmt service is OK.
The ServiceDll of winmgmt service is OK.
 
 
Firewall Disabled Policy: 
==================
 
 
System Restore:
============
Srservice Service is not running. Checking service configuration:
The start type of Srservice service is set to Disabled. The default start type is Auto.
The ImagePath of Srservice service is OK.
The ServiceDll of Srservice service is OK.
 
 
System Restore Disabled Policy: 
========================
 
 
Security Center:
============
 
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is set to Disabled. The default start type is Auto.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
 
winmgmt Service is not running. Checking service configuration:
The start type of winmgmt service is set to Disabled. The default start type is Auto.
The ImagePath of winmgmt service is OK.
The ServiceDll of winmgmt service is OK.
 
 
Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Disabled. The default start type is Auto.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.
 
BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Disabled. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.
 
EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is set to Disabled. The default start type is 3.
The ImagePath of EventSystem: "C:\WINDOWS\system32\svchost.exe -k netsvcs".
The ServiceDll of EventSystem: "C:\WINDOWS\system32\es.dll".
 
 
Windows Autoupdate Disabled Policy: 
============================
 
PlugPlay Service is not running. Checking service configuration:
The start type of PlugPlay service is set to Disabled. The default start type is Auto.
The ImagePath of PlugPlay service is OK.
 
 
Other Services:
==============
 
 
File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
 
Extra List:
=======
aswTdi(8) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4) 
0x080000000500000001000000020000000300000004000000080000000600000007000000
IpSec Tag value is correct.
 
**** End of log ****
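The Farbar Service Scanner report above shows the pattern a responder looks for in an FSS log: core services (Dnscache, Dhcp, sharedaccess, winmgmt, wscsvc, wuauserv, BITS, PlugPlay) whose start type has been set to Disabled while their Windows default is Auto, with the service binaries themselves still hashing clean. As an added example that is not part of this thread or of Farbar's tools, here is a small Python triage script that parses that report format, flags start-type deviations, surfaces any ImagePath or ServiceDll that FSS printed as a raw value rather than vouching for as OK, lists any file whose MD5 check did not come back legit, and emits the standard sc.exe commands that would restore the defaults. The sample input is an excerpt of the log above plus one constructed file-check line (EXAMPLE_PLACEHOLDER.dll and its verdict text are assumptions, not FSS output); the numeric mapping 2 = Auto, 3 = Manual, 4 = Disabled is the Windows service start-type encoding.

```python
import re
from collections import OrderedDict

# Windows service start-type codes; FSS prints some defaults numerically ("3").
START_TYPE_CODES = {"0": "Boot", "1": "System", "2": "Auto", "3": "Manual", "4": "Disabled"}
# sc.exe spelling of each start type, used for the remediation commands.
SC_START_NAMES = {"Boot": "boot", "System": "system", "Auto": "auto",
                  "Manual": "demand", "Disabled": "disabled"}

NOT_RUNNING_RE = re.compile(r"^(?P<svc>\S+) Service is not running\. Checking service configuration:$")
START_TYPE_RE = re.compile(r"^The start type of (?P<svc>\S+) service is set to (?P<cur>\w+)\. "
                           r"The default start type is (?P<dflt>\w+)\.$")
PATH_OK_RE = re.compile(r"^The (?P<field>ImagePath|ServiceDll) of (?P<svc>\S+) service is OK\.$")
PATH_VAL_RE = re.compile(r'^The (?P<field>ImagePath|ServiceDll) of (?P<svc>\S+): "(?P<val>[^"]*)"\.$')
FILE_CHECK_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => (?P<verdict>.+)$")

# Sample input: excerpt of the FSS log posted in this thread, plus one constructed
# file-check failure (EXAMPLE_PLACEHOLDER.dll is not a real file from the log).
SAMPLE_FSS = r"""
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is set to Disabled. The default start type is Auto.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

netman Service is not running. Checking service configuration:
The start type of netman service is set to Disabled. The default start type is 3.
The ImagePath of netman service is OK.
The ServiceDll of netman service is OK.

winmgmt Service is not running. Checking service configuration:
The start type of winmgmt service is set to Disabled. The default start type is Auto.
The ImagePath of winmgmt service is OK.
The ServiceDll of winmgmt service is OK.

winmgmt Service is not running. Checking service configuration:
The start type of winmgmt service is set to Disabled. The default start type is Auto.
The ImagePath of winmgmt service is OK.
The ServiceDll of winmgmt service is OK.

EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is set to Disabled. The default start type is 3.
The ImagePath of EventSystem: "C:\WINDOWS\system32\svchost.exe -k netsvcs".
The ServiceDll of EventSystem: "C:\WINDOWS\system32\es.dll".

File Check:
========
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
C:\WINDOWS\system32\EXAMPLE_PLACEHOLDER.dll => MD5 is not legit
"""


def normalize(start_type):
    """Map a numeric start-type code to its name; names pass through unchanged."""
    return START_TYPE_CODES.get(start_type, start_type)


def parse_fss(text):
    """Parse FSS output into (services, file_checks); a service repeated in two
    sections (winmgmt above) is merged into one record."""
    services, file_checks = OrderedDict(), OrderedDict()
    for raw in text.splitlines():
        line = raw.strip()
        if (m := NOT_RUNNING_RE.match(line)):
            services.setdefault(m["svc"], {})["running"] = False
        elif (m := START_TYPE_RE.match(line)):
            rec = services.setdefault(m["svc"], {})
            rec["start"], rec["default"] = normalize(m["cur"]), normalize(m["dflt"])
        elif (m := PATH_OK_RE.match(line)):
            services.setdefault(m["svc"], {})[m["field"]] = "OK"
        elif (m := PATH_VAL_RE.match(line)):
            services.setdefault(m["svc"], {})[m["field"]] = m["val"]
        elif (m := FILE_CHECK_RE.match(line)):
            file_checks[m["path"]] = m["verdict"]
    return services, file_checks


def start_type_deviations(services):
    """(service, current, default) for every service not at its Windows default."""
    return [(svc, rec["start"], rec["default"]) for svc, rec in services.items()
            if "start" in rec and rec["start"] != rec["default"]]


def unverified_paths(services):
    """ImagePath/ServiceDll values FSS printed raw instead of reporting as OK."""
    return [(svc, field, rec[field]) for svc, rec in services.items()
            for field in ("ImagePath", "ServiceDll")
            if field in rec and rec[field] != "OK"]


def bad_file_hashes(file_checks):
    """Files whose MD5 check did not come back 'MD5 is legit'."""
    return [path for path, verdict in file_checks.items() if verdict != "MD5 is legit"]


def remediation_commands(deviations):
    """Standard sc.exe commands that would restore each default start type."""
    return [f"sc config {svc} start= {SC_START_NAMES[default]}"
            for svc, _current, default in deviations]


if __name__ == "__main__":
    svcs, files = parse_fss(SAMPLE_FSS)
    for item in start_type_deviations(svcs):
        print("start type changed:", item)
    for item in unverified_paths(svcs):
        print("verify manually:", item)
    for path in bad_file_hashes(files):
        print("hash mismatch:", path)
    print("\n".join(remediation_commands(start_type_deviations(svcs))))
```

Restoring the start types is the last step, not the first: until whatever disabled the services is removed it will simply disable them again, which is why the helper in this thread insists on seeing complete logs before anything on the machine is changed.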


#8 Fhallest

Fhallest
  • Topic Starter

  • Members
  • 121 posts
  • OFFLINE
  •  
  • Local time:10:36 PM

Posted 24 October 2013 - 01:24 AM

I hope I got everything and thanks again

 

Randy



#9 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New York
  • Local time:12:36 AM

Posted 24 October 2013 - 12:55 PM

Hello again,

 

The help is my pleasure...
 
That's everything I asked for, well done! :)
 
Okay, now let's run a fix with FRST, and then we'll run another scan with Combofix. Please download the attached fixlist.txt and save it to your flashdrive. Now download Combofix from here and also save it to the flashdrive.
 
Then transfer both of these files over to the sick computer. We'll be running them in normal boot mode with the below instructions:

Step 1

When transferring the fixlist.txt to the sick machine, please be sure to read the note below!:

NOTE: It's important that both files, FRST and fixlist.txt are in the same location (the desktop for instance) or the fix will not work!!

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST and press the Fix button just once and wait.

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

==========

Step 2

Run Combofix

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out here or here.

Combofix may need to reboot your computer more than once to do its job...this is normal.

  • Close any open browsers or any other programs that are open.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you C:\Combofix.txt. Please include that in your next reply.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

==========

Please post both requested logs in your next reply and please let me know how the computer is running now! If you are unsure of any instruction, please stop and let me know.

bloopie



#10 Fhallest

Fhallest
  • Topic Starter

  • Members
  • 121 posts
  • OFFLINE
  •  
  • Local time:10:36 PM

Posted 24 October 2013 - 07:16 PM

Bloopie,

 

I have to ask, are you a big Star Wars fan?  Secondly, are you a big NFL football fan?  Third, do you follow specific players in the NFL like quarterbacks?  If so then I think you will understand the following joke.  I live here in Denver and Peyton Manning is now the Broncos QB.  He recently went back to Indy to play against Andrew Luck, their new QB replacing Peyton.  The standing joke was "Luck, I am your Father"   :luke: reference to Star Wars.  I know it is a bad one but us Geeks thought it was hilarious and it foretold the outcome of the game.  The Broncos lost and if you have no defense what can one say.  I am a Cheesehead from WI but will root for the Donkeys.  Just thought I would pass this useless piece of information along.

 

P.S.  Jets or Giants?  :devil:



#11 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New York
  • Local time:12:36 AM

Posted 24 October 2013 - 10:24 PM

Hello again,

 

Ha...the last thing I expected when I just got back to my computer was a question or joke about football! ...But then again, stranger things have happened! :lmao:

 

Star Wars fan? ...very much so!! ...Football fan?...not so much, unfortunately.

 

I haven't been watching much of any sport recently. My 2 year old, work, and fighting malware takes up nearly all of my current time. Sorry, I'm not much for that particular topic...my main interests aren't really sports related. There are a couple of sports I do follow, but none heavily anymore.

 

==========

 

Please let me know how things are going with the computer after my last instructions, and we'll see if we can get this thing cleaned up. :)

 

bloopie



#12 Fhallest

Fhallest
  • Topic Starter

  • Members
  • 121 posts
  • OFFLINE
  •  
  • Local time:10:36 PM

Posted 25 October 2013 - 01:40 AM

Bloopie,

 

Well, things did not go too well with the scans.  First, when I am running in Normal mode it takes a very long time after clicking on My Computer for the window to open up to allow me access.  You can hear or tell that there is something constantly running in the background sucking up CPU cycles.  

 

When I tried to run the FRST program with the fixlist.txt from the desktop it would not run at all, so I created a folder.  When running from both locations I got a "Line 4623 AutoIt Error", with the line number changing depending on where I tried to run the program from, but it did generate a report when run from the folder location. 

 

I ran combofix and all I could find is a brief report.  I am not sure what I did wrong.  My computer is still running a fever and very ill.  Let me know what I did wrong and what I need to do to get these scans to function correctly.  Let me know what I need to do next and thanks again

 

Randy

 

 
ComboFix 13-10-24.01 - Randy Nettell 10/24/2013  20:58:05.2.2 - x86
Running from: C:\Documents and Settings\Randy Nettell\Desktop\ComboFix.exe
 
 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 22-10-2013
Ran by Randy Nettell at 2013-10-24 20:42:38 Run:2
Running from C:\Documents and Settings\Randy Nettell\Desktop\New Folder
Boot Mode: Normal
 
==============================================
 
Content of fixlist:
*****************
HKLM\...\Run: [MSConfig] - C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE [169984 2008-04-13] (Microsoft Corporation)
C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE
URLSearchHook: ATTENTION ==> Default URLSearchHook is missing.
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search
FF ProfilePath: C:\Documents and Settings\Randy Nettell\Application Data\Mozilla\Firefox\Profiles\83fzr6kn.default
FF user.js: detected! => C:\Documents and Settings\Randy Nettell\Application Data\Mozilla\Firefox\Profiles\83fzr6kn.default\user.js
S3 pnicml; C:\DOCUME~1\RANDYN~1\LOCALS~1\Temp\pnicml.sys [29696 2006-07-07] ()
C:\DOCUME~1\RANDYN~1\LOCALS~1\Temp\pnicml.sys
File: C:\WINDOWS\system.ini
*****************
 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\MSConfig => Value not found.
C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE => Moved successfully.
 


#13 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New York
  • Local time:12:36 AM

Posted 25 October 2013 - 01:33 PM

Hello again,
 
Please double-check those logs again...they are both incomplete. Each one should end with an *** End of Log *** or *** End of Report *** message at the bottom.

See if you can post both complete logs for me in your next reply.

Also, you may want to back up all the data that you want to save from the machine, in case there is just too much damage to the OS from your infections.

bloopie



#14 Fhallest

Fhallest
  • Topic Starter

  • Members
  • 121 posts
  • OFFLINE
  •  
  • Local time:10:36 PM

Posted 25 October 2013 - 02:06 PM

Bloopie,

 

These are the only logs I can find on my computer and will need help locating.  What method should I be using to find these text files?  I searched the whole hard drive using a .txt as a search parameter.   I have looked at when the logs were created to make sure I am selecting the correct one and can find no others.  Is there a specific location I should be looking?  Do I need to run the programs again?

 

What about the error messages I keep getting every time I try to run something on my computer, and the list of programs running or using up CPU cycles?  I can see what is running when I use Explorer after pressing Ctrl+Alt+Del.  It's like something is piggybacking on my computer, slowing everything down and countering normal operations.

 

Randy



#15 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New York
  • Local time:12:36 AM

Posted 25 October 2013 - 04:27 PM

Hello again,

 

What about the error messages I keep getting every time I try to run something on my computer and the list of programs running or using up cpu cycles?

It's tough to tell what's causing them right now. We first need to eliminate any running malware from your system, then we could troubleshoot the errors. This is why I need to see the logs from the tools we run, so I can see what's happening with the fixes we perform.

 

==========

 

Each Combofix run will move the old log, and replace it with the new one. So you should still be able to find the Combofix log at C:\Combofix.txt just as you did last time. Copy and paste the complete log in your next reply.

 

The Fixlog.txt from FRST gets saved to the same location the tool is run from. Wherever FRST, FRST.txt, and fixlist.txt are, you should also have the fixlog...they should all be in the same place. Please copy and paste the contents of Fixlog.txt in your next reply.

 

Also, since you ran FRST twice, double check for a Fixlog possibly on your desktop...if you can't find it there, then please navigate to C:\FRST\Logs and let me know what's there. Also navigate to C:\FRST\Quarantine and let me know what's there as well. Post any and all FRST logs where possible in your next reply.

 

==========

 

After you get the logs posted, I'd like you to try and perform a "cleanboot" and see if your machine still has the same errors and problems as when booted normally. Have a look at this link on how to perform a clean boot: http://support.microsoft.com/kb/310353

 

Let me know how everything goes and post all the logs you can for me!

 

bloopie





