Need help removing very stubborn Rovnix.W virus - Windows XP


This topic is locked.
45 replies to this topic

#1 SonnyCancun
  • Members
  • 29 posts

Posted 09 March 2014 - 04:13 PM

Hello!

 

I have done steps 1 through 7 in the Preparation Guide for this forum.

 

Here is my problem:  Virus:DOS/Rovnix.W

 

I've downloaded Windows Defender Offline and booted my XP PC with it twice, but it hasn't rid me of Virus:DOS/Rovnix.W

 

The last time I tried it, I saw this:

 

Error code 0x800704ec This program is blocked by group policy.

 

I can't tell if the message is referring to the virus or to Windows Defender Offline.  And although the "Remove" option appeared to clear it up, I ran Microsoft Security Essentials, which found Virus:DOS/Rovnix.W again, as it always does with a full scan.

 

I found nothing regarding Windows Defender Offline in my registry, but I didn't look everywhere.

 

I have also run Malwarebytes Anti-Malware, and two downloads from Kaspersky.  Nothing has worked.

 

My goal now is to proceed through a step-by-step process of the type that I've seen here many times in my research.  I would greatly appreciate any help!  And let me know if I'm going about this correctly or incorrectly, please.

 

I've downloaded and run dds.com, per step 7.

 

I have pasted in DDS.txt below, and I'm attaching attach.txt

 

Thanks so much!

 

-- SonnyCancun

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 1.6.0_22
Run by Toshie Lou at 15:52:33 on 2014-03-09
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2022.1357 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ================
.
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Nero\Nero 7\Nero StartSmart\NeroStartSmart.exe
C:\Program Files\Nero\Nero 7\Core\nero.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Bar = hxxp://www.google.com/ie_rsearch.html
uSearch Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie_rsearch.html
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Oraweposteryydn] "c:\documents and settings\toshie lou\application data\xuxuicpi\iqxae.exe"
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IntelAudioStudio] "c:\program files\intel audio studio\IntelAudioStudio.exe" TRAY
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\toshie~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft security client\msseces.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: legalnoticecaption = 16th Circuit Court of Jackson County, MO
mPolicies-System: HideLogonScripts = dword:0
mPolicies-System: MaxGPOScriptWait = dword:3600
mPolicies-System: SoftwareSASGeneration = dword:1
mPolicies-Windows\System: AddAdminGroupToRUP = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} - hxxp://intel-drv-cdn.systemrequirementslab.com/multi/bin/sysreqlab_srlx.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1255555123551
DPF: {6F0892F7-0D44-41C3-BF07-7599873FAA04} - hxxp://jakas1677/crystalreportviewers115/ActiveXControls/ActiveXViewer.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: NameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{E1D5E25B-912C-4E86-B967-2ABA72BBDCA8} : DHCPNameServer = 209.18.47.61 209.18.47.62
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\toshie lou\application data\mozilla\firefox\profiles\wuw61ha6.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://start.sweetpacks.com/?src=2&st=12&crg=3.5000006.10045&barid={8D6E885D-D132-11E2-9DB6-0016760BAF36}&q=
FF - plugin: c:\program files\adobe\acrobat 11.0\acrobat\air\nppdf32.dll
FF - plugin: c:\program files\common files\adobe\oobe\pdapp\ccm\utilities\npAdobeAAMDetect32.dll
FF - plugin: c:\program files\common files\adobe\oobe\pdapp\ccm\utilities\npAdobeAAMDetect64.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20913.0\npctrlui.dll
FF - ExtSQL: 2014-01-24 12:49; {60330E4A-7C9B-3C97-F449-4A95BA59BCF6}; c:\documents and settings\toshie lou\application data\mozilla\firefox\profiles\wuw61ha6.default\extensions\{60330E4A-7C9B-3C97-F449-4A95BA59BCF6}
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-9-27 214696]
R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2009-9-24 151592]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2013-6-28 14624]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2014-2-12 418376]
R2 Shavlik Scheduler;Shavlik Remote Scheduler Service;c:\windows\propatches\scheduler\stSchedEx.exe [2009-10-15 1287520]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-2-12 22856]
S1 iyufkogb;iyufkogb;\??\c:\windows\system32\drivers\iyufkogb.sys --> c:\windows\system32\drivers\iyufkogb.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2014-2-12 701512]
S3 DAmirr;DAmirr;c:\windows\system32\drivers\damirr.sys --> c:\windows\system32\drivers\DAmirr.sys [?]
S3 lpasvc;Microsoft Policy Platform Local Authority;c:\program files\microsoft policy platform\policyHost.exe [2011-12-6 48936]
S3 lppsvc;Microsoft Policy Platform Processor;c:\program files\microsoft policy platform\policyHost.exe [2011-12-6 48936]
S3 RTL8192cu;Belkin Wireless Adapter;c:\windows\system32\drivers\RTWlanU.sys [2013-10-15 914920]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]
S4 NAUpdate;Nero Update;c:\program files\nero\update\NASvc.exe [2012-7-13 769432]
.
=============== Created Last 30 ================
.
2014-03-07 16:14:54 7947048 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b2ebb7c7-5630-4632-adc2-3743c2d015ae}\mpengine.dll
2014-02-26 03:54:29 -------- d-----w- c:\documents and settings\toshie lou\local settings\application data\Ahead
2014-02-24 17:45:42 7947048 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2014-02-12 19:29:46 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-02-12 19:29:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
==================== Find3M  ====================
.
2013-12-18 12:13:56 231584 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 15:53:42.98 ===============
 

 


#2 TB-Psychotic
  • Malware Response Team
  • 6,349 posts
  • Gender: Male

Posted 10 March 2014 - 08:02 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

 

 

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done, click on the Save... button, and in the File name area, type in "ark.txt"; otherwise it will save as a .log file, which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


Proud Member of UNITE & TB

My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps).

#3 SonnyCancun
  • Topic Starter
  • Members
  • 29 posts

Posted 11 March 2014 - 10:00 AM

Thanks.  This is what I was hoping for, and I'll be following your instructions tonight.



#4 SonnyCancun
  • Topic Starter
  • Members
  • 29 posts

Posted 11 March 2014 - 09:58 PM

Marius,  
 
I followed your instructions as best I could.  I never saw a randomly named GMER.exe, but a screen appeared with the check boxes you mentioned.
 
That application window was labeled as follows:
GMER 2.1.19357 WINDOWS 5.1.2600 Service Pack 3
 
I unchecked the boxes you specified and clicked the Scan button.  At the bottom of the screen was a series of locations being scanned.  After a few minutes, this appeared at the bottom:
 
SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft Office 10
 
It remained on that, unchanged, for 45 minutes.  At 45 minutes with no visible activity, I checked Task Manager, which showed 2vmwhfsc[1].exe at 50 percent cpu and 37,152K, 0 cpu on everything else, and no visible activity on anything.  Since there was no visible activity after 45 minutes, I clicked Stop, then Save. 
 
I considered doing it all over again, but I want to know what you think first.
 
FYI: On the screen there were also 3 check boxes labeled as follows:
 
Quick scan (box checked by default)
C:\ (box unchecked by default)
D:\ (box unchecked by default)
 
 I pasted in ark.txt below:
 
GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-03-11 21:47:45
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-10 WDC_WD800JD-22MSA1 rev.10.01E01 74.53GB
Running: 2vmwhfsc[1].exe; Driver: C:\DOCUME~1\TOSHIE~1\LOCALS~1\Temp\pwloqpow.sys
 
 
---- System - GMER 2.1 ----
 
SSDT  \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys                                                                                          ZwUnloadKey [0xA05306D0]
 
---- Registry - GMER 2.1 ----
 
Reg   HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows NT x86\Drivers\Version-3\PS Driver for Universal Print@Dependent Files  [binary value data; unreadable in the pasted log]


#5 SonnyCancun
  • Topic Starter
  • Members
  • 29 posts

Posted 11 March 2014 - 10:06 PM

PS:

 

I clicked Exit, and saw this, which I didn't expect:

 

GMER hasn't finished scanning yet.  Do you want to abort the scan ?

 

I clicked No and then clicked Scan again.  After a minute or so it was back on Microsoft Office 10 again.  

 

This time, I will leave it alone overnight, and I will post again tomorrow morning.



#6 TB-Psychotic
  • Malware Response Team
  • 6,349 posts
  • Gender: Male

Posted 12 March 2014 - 04:32 AM

Scan with Malwarebytes Anti-Rootkit

Please download Malwarebytes Anti-Rootkit from here (Malwarebytes Anti-Rootkit) and save it to your desktop.

Be sure to print out and follow the instructions provided on that same page.

Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.

  • Double click the mbar.zip file to open it, then 'Extract all files'.
  • Double click the mbar folder to open it, then double click mbar.exe to start the tool.

Check for Updates, then Scan your system for malware

If malware is found, do NOT press the Cleanup button yet. Click EXIT.

I'd like to see the log first so I can see what it sees. You'll find the log in that mbar folder as MBAR-log-[date and time]***.txt. Please attach that to your next reply.



#7 SonnyCancun
  • Topic Starter
  • Members
  • 29 posts

Posted 12 March 2014 - 08:54 AM

I will follow your latest instructions tonight.

 

Meanwhile, the GMER scan ran overnight with the same results as before; same display at bottom:

 

SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft Office 10

 

Also,  ark.txt was the same as the first one.  This time, Task Manager showed 99% cpu for 2vmwhfsc[1].exe.  

 

I shut the GMER scan down and exited.



#8 SonnyCancun
  • Topic Starter
  • Members
  • 29 posts

Posted 12 March 2014 - 08:43 PM

I just found out that my wife ran a Microsoft Security Essentials full scan on the PC today, and it found nothing.  This is the first time in many weeks that it didn't find Virus:Rovnix.W.

 

Sorry for the interruption.  Should I continue with your instructions, or does this change things?



#9 TB-Psychotic
  • Malware Response Team
  • 6,349 posts
  • Gender: Male

Posted 13 March 2014 - 08:30 AM

Yes, please continue.



#10 SonnyCancun
  • Topic Starter
  • Members
  • 29 posts

Posted 13 March 2014 - 09:07 PM

I ran the scan.  At the end it said "Scan finished.  No malware found."

 

Here is the log you requested:

 

Malwarebytes Anti-Rootkit BETA 1.07.0.1009
www.malwarebytes.org
 
Database version: v2014.03.13.10
 
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
 :: CCSPRG08A [administrator]
 
3/13/2014 7:57:24 PM
mbar-log-2014-03-13 (19-57-24).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 492202
Time elapsed: 34 minute(s), 10 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)


#11 TB-Psychotic
  • Malware Response Team
  • 6,349 posts
  • Gender: Male

Posted 15 March 2014 - 08:45 AM

Full System Scan with Malwarebytes Antimalware

  • If not existing, please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.


If the program is already installed:
  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.

 

 

 

Scan with ESET Online Scan

Please go here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file...
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.



#12 SonnyCancun
  • Topic Starter
  • Members
  • 29 posts

Posted 16 March 2014 - 09:37 PM

No malicious items were found by Malwarebytes.

Here is the log:
 
*****
Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org
 
Database version: v2014.03.16.02
 
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Toshie Lou :: CCSPRG08A [administrator]
 
Protection: Disabled
 
3/16/2014 1:13:03 PM
mbam-log-2014-03-16 (13-13-03).txt
 
Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 580882
Time elapsed: 1 hour(s), 44 minute(s), 57 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
(end)
 
*****
 
Then, I disabled Microsoft Security Essentials runtime protection, then ran ESET Online Scanner.  It downloaded its virus signature database, then performed the scan.  Here is the list of threats:  I did not attempt to remove any of them.
 
*****
 
C:\Documents and Settings\sandinjs\Local Settings\Temp\conduitinstaller.exe Win32/Toolbar.Conduit potentially unwanted application
C:\Documents and Settings\sandinjs\Local Settings\Temp\Coupon-Caddy-ppi-US.exe Win32/Toolbar.CrossRider.B potentially unwanted application
C:\Documents and Settings\sandinjs\Local Settings\Temp\tbSomo.dll a variant of Win32/Toolbar.Conduit.B potentially unwanted application
C:\Documents and Settings\sandinjs\Local Settings\Temp\is1275519350\wajam_download.exe Win32/Wajam.C potentially unwanted application
C:\Documents and Settings\Toshie Lou\Local Settings\Temporary Internet Files\Content.IE5\847W5W3D\273698b3050f7b7ab015b8ce81b2795f20904081[1].htm HTML/Iframe.B.Gen virus
C:\WINDOWS\system32\cmdow.exe Win32/CMDOW.143 potentially unsafe application
 
*****


#13 TB-Psychotic
  • Malware Response Team
  • 6,349 posts
  • Gender: Male

Posted 17 March 2014 - 03:29 AM

Scan with FRST in normal mode

Please download Farbar's Recovery Scan Tool to your desktop: FRST 32bit or FRST 64bit (If not sure: Start --> Computer (right click) --> properties)
 

  • Run FRST.
  • Don't change any of the checkboxes and hit Scan.
  • Logfiles are created on your desktop.
  • Post the FRST.txt and (after the first scan only!) the Addition.txt.

 



#14 SonnyCancun
  • Topic Starter
  • Members
  • 29 posts

Posted 17 March 2014 - 06:11 PM

Here is frst.txt:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-03-2014  01
Ran by Toshie Lou (administrator) on CCSPRG08A on 17-03-2014 18:03:50
Running from C:\Documents and Settings\Toshie Lou\Desktop
Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Processes (Whitelisted) =================
 
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Intuit Inc.) C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
(Sun Microsystems, Inc.) C:\Program Files\Java\jre6\bin\jqs.exe
(Shavlik Technologies, LLC) C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe
(Microsoft Corporation) C:\Program Files\UPHClean\uphclean.exe
(Intel Corporation) C:\WINDOWS\system32\igfxtray.exe
(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
(Intel Corporation) C:\WINDOWS\system32\igfxsrvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Nero AG) C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
(Nero AG) C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
(Nero AG) C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
 
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [IntelAudioStudio] - "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
HKLM\...\Run: [] - [X]
HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [948440 2013-10-23] (Microsoft Corporation)
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [248552 2010-05-14] (Sun Microsystems, Inc.)
HKLM\...\RunOnce: [Malwarebytes Anti-Malware] - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [532040 2013-04-04] (Malwarebytes Corporation)
HKU\S-1-5-21-769079328-3020190987-2214429306-1028\...\Run: [Oraweposteryydn] - "C:\Documents and Settings\Toshie Lou\Application Data\Xuxuicpi\iqxae.exe"
HKU\S-1-5-21-769079328-3020190987-2214429306-1028\...\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] - C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [153136 2007-03-12] (Nero AG)
HKU\S-1-5-21-769079328-3020190987-2214429306-1028\...409d6c4515e9\InprocServer32: [Default-shell32] SHELL32.dll ATTENTION! ====> ZeroAccess?
Startup: C:\Documents and Settings\Toshie Lou\Start Menu\Programs\Startup\Microsoft Security Essentials.lnk
ShortcutTarget: Microsoft Security Essentials.lnk -> C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie_rsearch.html
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62
 
FireFox:
========
FF ProfilePath: C:\Documents and Settings\Toshie Lou\Application Data\Mozilla\Firefox\Profiles\wuw61ha6.default
FF NewTab: hxxp://start.sweetpacks.com/?src=97&barid={8D6E885D-D132-11E2-9DB6-0016760BAF36}&crg=3.5000006.10045
FF DefaultSearchEngine: Bing
FF SelectedSearchEngine: Bing
FF Homepage: about:home
FF Keyword.URL: hxxp://start.sweetpacks.com/?src=2&st=12&crg=3.5000006.10045&barid={8D6E885D-D132-11E2-9DB6-0016760BAF36}&q=
FF Plugin: @adobe.com/ShockwavePlayer - C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin: @java.com/JavaPlugin - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: Adobe Acrobat - C:\Program Files\Adobe\Acrobat 11.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF Plugin: adobe.com/AdobeAAMDetect - C:\Program Files\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll (Adobe Systems)
FF SearchPlugin: C:\Documents and Settings\Toshie Lou\Application Data\Mozilla\Firefox\Profiles\wuw61ha6.default\searchplugins\MyStart.xml
FF SearchPlugin: C:\Documents and Settings\Toshie Lou\Application Data\Mozilla\Firefox\Profiles\wuw61ha6.default\searchplugins\sweetim.xml
FF Extension: IE Microsoft History AutoComplete List - C:\Documents and Settings\Toshie Lou\Application Data\Mozilla\Firefox\Profiles\wuw61ha6.default\Extensions\{60330E4A-7C9B-3C97-F449-4A95BA59BCF6} [2014-01-24]
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} [2014-02-02]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ []
FF HKLM\...\Firefox\Extensions: [jqs@sun.com] - C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF Extension: Java Quick Starter - C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2011-04-28]
FF HKLM\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn [2013-07-31]
 
========================== Services (Whitelisted) =================
 
S4 IISADMIN; C:\WINDOWS\system32\inetsrv\inetinfo.exe [15360 2008-04-14] (Microsoft Corporation)
R2 JavaQuickStarterService; C:\Program Files\Java\jre6\bin\jqs.exe [153376 2011-04-28] (Sun Microsystems, Inc.)
S3 lpasvc; C:\Program Files\Microsoft Policy Platform\policyHost.exe [48936 2011-12-06] (Microsoft Corporation)
S3 lppsvc; C:\Program Files\Microsoft Policy Platform\policyHost.exe [48936 2011-12-06] (Microsoft Corporation)
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22208 2013-10-23] (Microsoft Corporation)
S4 msvsmon80; C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2805000 2006-12-02] (Microsoft Corporation)
S4 NAUpdate; C:\Program Files\Nero\Update\NASvc.exe [769432 2012-07-13] (Nero AG)
S4 OracleMTSRecoveryService; D:\oracle\ora92\bin\omtsreco.exe [57603 2002-04-30] (Oracle Corporation)
S4 OracleOraHome92ClientCache; D:\oracle\ora92\BIN\ONRSD.EXE [242328 2002-04-26] ()
R2 Shavlik Scheduler; C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe [1287520 2009-01-15] (Shavlik Technologies, LLC)
S2 SMTPSVC; C:\WINDOWS\system32\inetsrv\inetinfo.exe [15360 2008-04-14] (Microsoft Corporation)
R2 UPHClean; C:\Program Files\UPHClean\uphclean.exe [241725 2005-04-27] (Microsoft Corporation)
S2 W3SVC; C:\WINDOWS\system32\inetsrv\inetinfo.exe [15360 2008-04-14] (Microsoft Corporation)
S4 STacSV; c:\d\s\zi\STacSV.exe [X]
 
==================== Drivers (Whitelisted) ====================
 
R0 MpFilter; C:\WINDOWS\System32\DRIVERS\MpFilter.sys [214696 2013-09-27] (Microsoft Corporation)
R0 mv61xx; C:\WINDOWS\system32\Drivers\mv61xx.sys [151592 2009-09-24] (Marvell Semiconductor, Inc.)
S3 RTL8192cu; C:\WINDOWS\System32\DRIVERS\rtwlanu.sys [914920 2012-02-01] (Realtek Semiconductor Corporation                           )
S3 sfng32; C:\WINDOWS\System32\drivers\sfng32.sys [41728 2007-03-02] (Sonic Focus, Inc)
R3 STHDA; C:\WINDOWS\System32\drivers\sthda.sys [1270872 2007-12-14] (IDT, Inc.)
S3 DAmirr; system32\DRIVERS\DAmirr.sys [X]
S0 IntelIde; System32\DRIVERS\intelide.sys [X]
S1 iyufkogb; \??\C:\WINDOWS\system32\drivers\iyufkogb.sys [X]
U1 WS2IFSL; 
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-03-17 18:03 - 2014-03-17 18:04 - 00009314 _____ () C:\Documents and Settings\Toshie Lou\Desktop\FRST.txt
2014-03-17 18:03 - 2014-03-17 18:03 - 00000000 ____D () C:\FRST
2014-03-17 18:01 - 2014-03-17 18:01 - 01145856 _____ (Farbar) C:\Documents and Settings\Toshie Lou\Desktop\FRST.exe
2014-03-16 21:31 - 2014-03-16 21:31 - 00000793 _____ () C:\Documents and Settings\Toshie Lou\Desktop\ESET List of found threats.txt
2014-03-16 19:37 - 2014-03-16 19:37 - 00000000 ____D () C:\Program Files\ESET
2014-03-16 13:11 - 2014-03-16 13:11 - 00000795 _____ () C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2014-03-16 13:11 - 2014-03-16 13:11 - 00000000 ____D () C:\Program Files\Malwarebytes' Anti-Malware
2014-03-16 13:11 - 2014-03-16 13:11 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
2014-03-16 13:11 - 2013-04-04 14:50 - 00022856 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2014-03-16 13:09 - 2014-03-16 13:09 - 10285040 _____ (Malwarebytes Corporation ) C:\Documents and Settings\Toshie Lou\Desktop\mbam-setup-1.75.0.1300.exe
2014-03-13 19:56 - 2014-03-13 21:03 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2014-03-13 19:55 - 2014-03-13 21:03 - 00000000 ____D () C:\Documents and Settings\Toshie Lou\Desktop\mbar
2014-03-13 19:47 - 2014-03-13 19:47 - 12589848 _____ (Malwarebytes Corp.) C:\Documents and Settings\Toshie Lou\Desktop\mbar-1.07.0.1009.exe
2014-03-12 06:19 - 2014-03-12 06:19 - 00001691 _____ () C:\Documents and Settings\Toshie Lou\Desktop\ark.txt
2014-03-09 15:47 - 2014-03-09 15:47 - 00688992 ____R (Swearware) C:\Documents and Settings\Toshie Lou\Desktop\dds.com
2014-03-09 15:14 - 2014-03-09 15:14 - 00000000 ____D () C:\Documents and Settings\Toshie Lou\Application Data\Ahead
2014-02-25 22:54 - 2014-03-09 15:15 - 00000000 ____D () C:\Documents and Settings\Toshie Lou\Local Settings\Application Data\Ahead
 
==================== One Month Modified Files and Folders =======
 
2014-03-17 18:04 - 2014-03-17 18:03 - 00009314 _____ () C:\Documents and Settings\Toshie Lou\Desktop\FRST.txt
2014-03-17 18:03 - 2014-03-17 18:03 - 00000000 ____D () C:\FRST
2014-03-17 18:01 - 2014-03-17 18:01 - 01145856 _____ (Farbar) C:\Documents and Settings\Toshie Lou\Desktop\FRST.exe
2014-03-17 17:25 - 2009-10-14 14:24 - 01077113 _____ () C:\WINDOWS\WindowsUpdate.log
2014-03-16 21:31 - 2014-03-16 21:31 - 00000793 _____ () C:\Documents and Settings\Toshie Lou\Desktop\ESET List of found threats.txt
2014-03-16 19:37 - 2014-03-16 19:37 - 00000000 ____D () C:\Program Files\ESET
2014-03-16 19:37 - 2012-11-01 15:42 - 00142855 _____ () C:\WINDOWS\setupapi.log
2014-03-16 13:11 - 2014-03-16 13:11 - 00000795 _____ () C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2014-03-16 13:11 - 2014-03-16 13:11 - 00000000 ____D () C:\Program Files\Malwarebytes' Anti-Malware
2014-03-16 13:11 - 2014-03-16 13:11 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
2014-03-16 13:09 - 2014-03-16 13:09 - 10285040 _____ (Malwarebytes Corporation ) C:\Documents and Settings\Toshie Lou\Desktop\mbam-setup-1.75.0.1300.exe
2014-03-16 09:44 - 2001-08-23 07:00 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
2014-03-16 09:24 - 2013-12-03 22:06 - 00000384 ____H () C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job
2014-03-16 09:14 - 2009-10-14 14:29 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-03-16 09:14 - 2009-10-14 09:18 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2014-03-16 09:14 - 2009-10-14 09:18 - 00000049 _____ () C:\WINDOWS\wiaservc.log
2014-03-15 01:38 - 2013-10-15 21:08 - 00000178 ___SH () C:\Documents and Settings\Toshie Lou\ntuser.ini
2014-03-15 01:38 - 2009-10-14 14:29 - 00032554 _____ () C:\WINDOWS\SchedLgU.Txt
2014-03-13 21:03 - 2014-03-13 19:56 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2014-03-13 21:03 - 2014-03-13 19:55 - 00000000 ____D () C:\Documents and Settings\Toshie Lou\Desktop\mbar
2014-03-13 19:48 - 2013-10-15 21:07 - 00000000 ____D () C:\Documents and Settings\Toshie Lou
2014-03-13 19:47 - 2014-03-13 19:47 - 12589848 _____ (Malwarebytes Corp.) C:\Documents and Settings\Toshie Lou\Desktop\mbar-1.07.0.1009.exe
2014-03-13 11:50 - 2013-10-15 22:30 - 00000000 ____D () C:\Documents and Settings\Toshie Lou\My Documents\EBAY!!!!
2014-03-13 11:49 - 2009-10-15 09:57 - 00002455 _____ () C:\Documents and Settings\All Users\Desktop\Microsoft Word.lnk
2014-03-12 06:19 - 2014-03-12 06:19 - 00001691 _____ () C:\Documents and Settings\Toshie Lou\Desktop\ark.txt
2014-03-11 13:13 - 2009-10-14 09:14 - 00674766 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2014-03-10 15:24 - 2011-07-11 14:00 - 00008704 ___SH () C:\WINDOWS\Thumbs.db
2014-03-10 15:24 - 2011-05-02 15:58 - 00000069 _____ () C:\WINDOWS\NeroDigital.ini
2014-03-10 14:59 - 2013-10-15 22:30 - 00000000 ____D () C:\Documents and Settings\Toshie Lou\My Documents\EBAYPICS
2014-03-09 15:47 - 2014-03-09 15:47 - 00688992 ____R (Swearware) C:\Documents and Settings\Toshie Lou\Desktop\dds.com
2014-03-09 15:15 - 2014-02-25 22:54 - 00000000 ____D () C:\Documents and Settings\Toshie Lou\Local Settings\Application Data\Ahead
2014-03-09 15:14 - 2014-03-09 15:14 - 00000000 ____D () C:\Documents and Settings\Toshie Lou\Application Data\Ahead
2014-02-26 01:14 - 2014-01-31 23:00 - 00000000 ____D () C:\WINDOWS\Microsoft Antimalware
2014-02-16 23:10 - 2014-01-20 13:43 - 01455712 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-769079328-3020190987-2214429306-1028-0.dat
2014-02-16 23:10 - 2014-01-20 13:43 - 00166242 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
 
Files to move or delete:
====================
C:\Documents and Settings\sandinjs\.vmrc_plugin_ovftool_settings.js
 
 
Some content of TEMP:
====================
C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-558d5c44.exe
C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-5d2d7d54.exe
C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-6148bd51.exe
C:\Documents and Settings\sandinjs\Local Settings\Temp\conduitinstaller.exe
C:\Documents and Settings\sandinjs\Local Settings\Temp\Coupon-Caddy-ppi-US.exe
C:\Documents and Settings\sandinjs\Local Settings\Temp\dvdshrink32setup.exe
C:\Documents and Settings\sandinjs\Local Settings\Temp\tbSomo.dll
C:\Documents and Settings\sandinjs\Local Settings\Temp\~tmp1381705011410.exe
C:\Documents and Settings\Toshie Lou\Local Settings\Temp\mpam-be537ec0.exe
 
 
==================== Bamital & volsnap Check =================
 
C:\WINDOWS\explorer.exe => MD5 is legit
C:\WINDOWS\system32\winlogon.exe => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
C:\WINDOWS\system32\User32.dll => MD5 is legit
C:\WINDOWS\system32\userinit.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\volsnap.sys => MD5 is legit
 
==================== End Of Log ============================
 
 
Here is Addition.txt
 
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 13-03-2014  01
Ran by Toshie Lou at 2014-03-17 18:04:26
Running from C:\Documents and Settings\Toshie Lou\Desktop
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
AV: Microsoft Security Essentials (Disabled - Up to date) {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
 
==================== Installed Programs ======================
 
Acquire 2.99.3.0 (HKLM\...\Acquire_is1) (Version:  - Dosadi LLC)
Adobe Acrobat XI Pro (HKLM\...\{AC76BA86-1033-FFFF-7760-000000000006}) (Version: 11.0.03 - Adobe Systems)
Adobe Flash Player 11 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 11.6.602.168 - Adobe Systems Incorporated)
Adobe Shockwave Player 11 (HKLM\...\Adobe Shockwave Player) (Version: 11 - Adobe Systems, Inc.)
Audiograbber 1.83 SE  (HKLM\...\Audiograbber) (Version: 1.83 SE  - Audiograbber)
Audiograbber MP3 Plugin (HKLM\...\Audiograbber-Lame) (Version: 1.0 - AG)
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6514.5001 - Microsoft Corporation)
ESET Online Scanner v3 (HKLM\...\ESET Online Scanner) (Version:  - )
HP Officejet 6500 E710a-f Basic Device Software (HKLM\...\{670A25D9-1029-4D4E-93FF-66B3C07769D6}) (Version: 22.50.231.0 - Hewlett-Packard Co.)
HP Officejet 6500 E710a-f Help (HKLM\...\{037CD593-D760-4A00-B030-7BBAFA1123FE}) (Version: 140.0.2.2 - Hewlett Packard)
HP Update (HKLM\...\{B0069CFA-5BB9-4C03-B1C6-89CE290E5AFE}) (Version: 5.002.006.003 - Hewlett-Packard)
Imaging for Windows® 2.8 (HKLM\...\KodakImgV1) (Version:  - )
Intel Audio Studio 2.0 (HKLM\...\{2205E3A5-DCDC-461D-8ED6-D6F2341D3B64}) (Version: 2.00.00133 - Intel Corporation)
Intel Audio Studio 2.0 (Version: 2.00.00133 - Intel Corporation) Hidden
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version:  - )
Jasc Paint Shop Pro 8 (HKLM\...\{81A34902-9D0B-4920-A25C-4CDC5D14B328}) (Version: 8.10.0000 - Jasc Software Inc)
Java Auto Updater (Version: 2.0.2.4 - Sun Microsystems, Inc.) Hidden
Java™ 6 Update 22 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83216022FF}) (Version: 6.0.220 - Oracle)
LiveReg (Symantec Corporation) (HKLM\...\LiveReg) (Version: 2.3.0.1833 - Symantec Corporation)
Macromedia Authorware Web Player (HKLM\...\Macromedia Authorware Web Player) (Version:  - )
Malwarebytes Anti-Malware version 1.75.0.1300 (HKLM\...\Malwarebytes' Anti-Malware_is1) (Version: 1.75.0.1300 - Malwarebytes Corporation)
Microsoft .NET Compact Framework 1.0 SP3 Developer (HKLM\...\{6C531060-84FB-4F96-8F33-29DF020632EB}) (Version: 1.0.4292 - Microsoft Corporation)
Microsoft .NET Compact Framework 2.0 (HKLM\...\{625386A4-B6B6-4911-A6E8-23189C3F2D15}) (Version: 2.0.5238 - Microsoft Corporation)
Microsoft .NET Framework 1.1 (HKLM\...\Microsoft .NET Framework 1.1  (1033)) (Version:  - )
Microsoft .NET Framework 1.1 (Version: 1.1.4322 - Microsoft) Hidden
Microsoft .NET Framework 1.1 Security Update (KB2416447) (HKLM\...\M2416447) (Version:  - )
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319 - Microsoft Corporation) Hidden
Microsoft Application Error Reporting (Version: 12.0.6012.5000 - Microsoft Corporation) Hidden
Microsoft Device Emulator version 1.0 - ENU (HKLM\...\{78B75C6D-E53C-424C-BF83-4B63BD4A6682}) (Version: 1.0.50727.42 - Microsoft Corporation)
Microsoft Document Explorer 2005 (HKLM\...\Microsoft Document Explorer 2005) (Version:  - Microsoft Corporation)
Microsoft Document Explorer 2005 (Version: 8.0.50727.42 - Microsoft Corporation) Hidden
Microsoft Office 2003 Web Components (HKLM\...\{90A40409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.6558.0 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 2 (SP2) (Version:  - Microsoft) Hidden
Microsoft Office Project 2007 Service Pack 2 (SP2) (HKLM\...\{90120000-003A-0000-0000-0000000FF1CE}_PRJSTD_{9E73617F-2F38-4864-BD61-BB2DDFE43323}) (Version:  - Microsoft)
Microsoft Office Project 2007 Service Pack 2 (SP2) (Version:  - Microsoft) Hidden
Microsoft Office Project MUI (English) 2007 (Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Project Standard 2007 (HKLM\...\PRJSTD) (Version: 12.0.6425.1000 - Microsoft Corporation)
Microsoft Office Project Standard 2007 (Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (English) 2007 (Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (French) 2007 (Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2) (Version:  - Microsoft) Hidden
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office XP Professional (HKLM\...\{90110409-6000-11D3-8CFE-0050048383C9}) (Version: 10.0.6626.0 - Microsoft Corporation)
Microsoft Policy Platform (Version: 1.2.3520.0 - Microsoft Corporation) Hidden
Microsoft Security Client (Version: 4.4.0304.0 - Microsoft Corporation) Hidden
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.4.304.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.20913.0 - Microsoft Corporation)
Microsoft Software Update for Web Folders  (English) 12 (Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft SQL Server 2005 (HKLM\...\Microsoft SQL Server 2005) (Version:  - Microsoft Corporation)
Microsoft SQL Server 2005 Backward compatibility (HKLM\...\{0D61D68B-DF5E-4635-82C7-B0C53F0A581B}) (Version: 8.05.2312 - Microsoft Corporation)
Microsoft SQL Server 2005 Books Online (English) (September 2007) (HKLM\...\{6FDD4688-E063-401D-B6BE-7234E20B9173}) (Version: 9.00.3104 - Microsoft Corporation)
Microsoft SQL Server 2005 Mobile [ENU] Developer Tools (HKLM\...\{1389C6A4-4965-4AEC-9175-08B54A10FA48}) (Version: 3.0.0.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Tools (Version: 9.4.5000.00 - Microsoft Corporation) Hidden
Microsoft SQL Server 2005 Upgrade Advisor (English) (HKLM\...\{51759BA2-9C73-4B8F-A2C3-B72982B25426}) (Version: 9.00.1399.06 - Microsoft Corporation)
Microsoft SQL Server Native Client (HKLM\...\{7670D32F-DAE6-4E49-8C8B-B3F08B5B1686}) (Version: 9.00.5000.00 - Microsoft Corporation)
Microsoft SQL Server Setup Support Files (English) (HKLM\...\{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}) (Version: 9.00.5000.00 - Microsoft Corporation)
Microsoft Visual Basic 6.0 Enterprise Edition (HKLM\...\Visual Basic 6.0 Enterprise Edition) (Version:  - )
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual J# 2.0 Redistributable Package (HKLM\...\Microsoft Visual J# 2.0 Redistributable Package) (Version:  - Microsoft Corporation)
Microsoft Visual J# 2.0 Redistributable Package (Version: 2.0.50727 - Microsoft Corporation) Hidden
Microsoft Visual Studio 2005 Professional Edition - ENU (HKLM\...\Microsoft Visual Studio 2005 Professional Edition - ENU) (Version:  - Microsoft Corporation)
Microsoft Visual Studio 2005 Professional Edition - ENU (Version: 8.0.50728 - Microsoft Corporation) Hidden
Microsoft Visual Studio 2005 Professional Edition - ENU Service Pack 1 (KB926601) (HKLM\...\KB926601.T2_29ToU260_29) (Version: 1 - Microsoft Corporation)
Mozilla Firefox 25.0.1 (x86 en-US) (HKLM\...\Mozilla Firefox 25.0.1 (x86 en-US)) (Version: 25.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 25.0 - Mozilla)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 6.0 Parser (HKLM\...\{AEB9948B-4FF2-47C9-990E-47014492A0FE}) (Version: 6.00.3883.8 - Microsoft Corporation)
Nero 7 Essentials (HKLM\...\{2D428867-5883-449B-86F3-7B7187061033}) (Version: 7.02.7903 - Nero AG)
Nero Burning ROM (Version: 12.0.28001 - Nero AG) Hidden
Nero Burning ROM Help (CHM) (Version: 12.0.3000 - Nero AG) Hidden
Nero BurningROM 12 (HKLM\...\{C0CA68BF-2963-4139-8207-1E83038F86F8}) (Version: 12.0.00800 - Nero AG)
Nero ControlCenter (Version: 11.0.15500 - Nero AG) Hidden
Nero ControlCenter Help (CHM) (Version: 12.0.7000 - Nero AG) Hidden
Nero Core Components (Version: 11.0.18900 - Nero AG) Hidden
Nero SharedVideoCodecs (Version: 1.0.12100.2.0 - Nero AG) Hidden
Nero Update (Version: 11.0.11800.31.0 - Nero AG) Hidden
neroxml (Version: 1.0.0 - Nero AG) Hidden
NirSoft ShellExView (HKLM\...\NirSoft ShellExView) (Version:  - )
Prerequisite installer (Version: 12.0.0003 - Nero AG) Hidden
RC6 Crystal XI End User Components (HKLM\...\{5D5322B5-A19D-4124-89E1-57FE0546B528}) (Version: 6 - Canam Software Labs, Inc.)
RDC (Version:  - Microsoft Corporation) Hidden
Service Pack 4 for SQL Server Tools and Workstation Components 2005 ENU (KB2463332) (HKLM\...\KB2463332_SQLTools9) (Version: 9.4.5000 - Microsoft Corporation)
SigmaTel Audio (HKLM\...\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}) (Version: 5.10.4821.0 - SigmaTel)
SQLXML4 (HKLM\...\{6C79A48D-F9CE-4B4E-968C-5BCFC27630CF}) (Version: 9.00.5000.00 - Microsoft Corporation)
System Requirements Lab (HKLM\...\SystemRequirementsLab) (Version:  - )
TurboTax 2013 (HKLM\...\TurboTax 2013) (Version: 2013.0 - Intuit, Inc)
TurboTax 2013 WinPerFedFormset (Version: 013.000.1693 - Intuit Inc.) Hidden
TurboTax 2013 WinPerReleaseEngine (Version: 013.000.0437 - Intuit Inc.) Hidden
TurboTax 2013 WinPerTaxSupport (Version: 013.000.0162 - Intuit Inc.) Hidden
TurboTax 2013 wksiper (Version: 013.000.1134 - Intuit Inc.) Hidden
TurboTax 2013 wmoiper (Version: 013.000.1124 - Intuit Inc.) Hidden
TurboTax 2013 wrapper (Version: 013.000.0135 - Intuit Inc.) Hidden
Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{90120000-003A-0000-0000-0000000FF1CE}_PRJSTD_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (HKLM\...\{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}.KB963707) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2345886) (HKLM\...\KB2345886) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB955759) (HKLM\...\KB955759) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB967715) (HKLM\...\KB967715) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB971029) (HKLM\...\KB971029) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB971737) (HKLM\...\KB971737) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB973687) (HKLM\...\KB973687) (Version: 1 - Microsoft Corporation)
User Profile Hive Cleanup Service (HKLM\...\{FF77941A-2BFA-4A18-BE2E-69B9498E4D55}) (Version: 1.6.30 - Microsoft Corporation)
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
WIMGAPI (HKLM\...\{721ABC3B-5F12-4332-9C0C-C11424EF666C}) (Version: 1.0.0.0 - Microsoft Corporation)
Windows Genuine Advantage Notifications (KB905474) (HKLM\...\WgaNotify) (Version: 1.9.0040.0 - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version:  - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\WGA) (Version: 1.7.0069.2 - Microsoft Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Media Player 11 (HKLM\...\Windows Media Player) (Version:  - )
Windows PowerShell™ 1.0 (HKLM\...\KB926139-v2) (Version: 2 - Microsoft Corporation)
WinZip 12.0 (HKLM\...\{CD95F661-A5C4-44F5-A6AA-ECDD91C240B7}) (Version: 12.0.8252 - WinZip Computing, S.L. )
 
==================== Restore Points  =========================
 
 
==================== Hosts content: ==========================
 
2001-08-23 07:00 - 2001-08-23 07:00 - 00000734 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost
 
==================== Scheduled Tasks (whitelisted) =============
 
Task: C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job => C:\Program Files\Microsoft Security Client\MpCmdRun.exe
 
==================== Loaded Modules (whitelisted) =============
 
 
==================== Alternate Data Streams (whitelisted) =========
 
AlternateDataStreams: C:\cpau.exe:CA_INOCULATEIT
 
==================== Safe Mode (whitelisted) ===================
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot => "AlternateShell"=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\69154575.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\69154575.sys => ""="Driver"
 
==================== Disabled items from MSCONFIG ==============
 
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk => C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
MSCONFIG\startupreg: Acrobat Assistant 8.0 => "C:\Program Files\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe"
MSCONFIG\startupreg: AdobeAAMUpdater-1.0 => "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
MSCONFIG\startupreg: DA Remote Management GUI => "C:\Program Files\DesktopAuthority\rmgui.exe"
MSCONFIG\startupreg: DesktopAuthority User Experience => "C:\Program Files\ScriptLogic\Desktop Authority\Client Files\8.10.255\CBM\ScriptLogic.CBM.UserExperience.exe"
MSCONFIG\startupreg: HP Software Update => C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
MSCONFIG\startupreg: NeroFilterCheck => C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
MSCONFIG\startupreg: SysTrayApp => %ProgramFiles%\IDT\WDM\sttray.exe
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (03/17/2014 05:16:10 PM) (Source: AutoEnrollment) (User: )
Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b).  The specified domain either does not exist or could not be contacted.
  Enrollment will not be performed.
 
Error: (03/17/2014 09:16:10 AM) (Source: AutoEnrollment) (User: )
Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b).  The specified domain either does not exist or could not be contacted.
  Enrollment will not be performed.
 
Error: (03/17/2014 01:16:11 AM) (Source: AutoEnrollment) (User: )
Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b).  The specified domain either does not exist or could not be contacted.
  Enrollment will not be performed.
 
Error: (03/16/2014 05:16:11 PM) (Source: AutoEnrollment) (User: )
Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b).  The specified domain either does not exist or could not be contacted.
  Enrollment will not be performed.
 
Error: (03/16/2014 09:16:11 AM) (Source: AutoEnrollment) (User: )
Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b).  The specified domain either does not exist or could not be contacted.
  Enrollment will not be performed.
 
Error: (03/16/2014 09:16:08 AM) (Source: UserInit) (User: )
Description: Could not execute the following script addLocAdmin.bat. The system cannot find the file specified.
.
 
Error: (03/16/2014 09:14:36 AM) (Source: Userenv) (User: NT AUTHORITY)
Description: Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.
 
Error: (03/15/2014 01:38:04 AM) (Source: UserInit) (User: )
Description: Could not execute the following script c:\program files\scriptlogic\desktop authority\client files\8.10.255\cbm\scriptlogic.cbm.agent.exe. The system cannot find the file specified.
.
 
Error: (03/15/2014 01:38:03 AM) (Source: UserInit) (User: )
Description: Could not execute the following script SLlogoffScript.cmd. The system cannot find the file specified.
.
 
Error: (03/15/2014 01:11:18 AM) (Source: AutoEnrollment) (User: )
Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b).  The specified domain either does not exist or could not be contacted.
  Enrollment will not be performed.
 
 
System errors:
=============
Error: (03/17/2014 05:25:00 PM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.
 
New Signature Version: 
 
Previous Signature Version: 1.167.1843.0
 
Update Source: %NT AUTHORITY59
 
Update Stage: 4.4.0304.00
 
Source Path: 4.4.0304.01
 
Signature Type: %NT AUTHORITY602
 
Update Type: %NT AUTHORITY604
 
User: NT AUTHORITY\SYSTEM
 
Current Engine Version: %NT AUTHORITY605
 
Previous Engine Version: %NT AUTHORITY606
 
Error code: %NT AUTHORITY607
 
Error description: %NT AUTHORITY608
 
Error: (03/17/2014 05:25:00 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}
 
Error: (03/17/2014 05:25:00 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}
 
Error: (03/17/2014 04:59:50 PM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible. 
No attempt to contact a source will be made for 959 minutes.
NtpClient has no source of accurate time.
 
Error: (03/17/2014 09:25:01 AM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.
 
New Signature Version: 
 
Previous Signature Version: 1.167.1843.0
 
Update Source: %NT AUTHORITY59
 
Update Stage: 4.4.0304.00
 
Source Path: 4.4.0304.01
 
Signature Type: %NT AUTHORITY602
 
Update Type: %NT AUTHORITY604
 
User: NT AUTHORITY\SYSTEM
 
Current Engine Version: %NT AUTHORITY605
 
Previous Engine Version: %NT AUTHORITY606
 
Error code: %NT AUTHORITY607
 
Error description: %NT AUTHORITY608
 
Error: (03/17/2014 09:25:01 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}
 
Error: (03/17/2014 09:25:01 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}
 
Error: (03/17/2014 01:25:01 AM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.
 
New Signature Version: 
 
Previous Signature Version: 1.167.1843.0
 
Update Source: %NT AUTHORITY59
 
Update Stage: 4.4.0304.00
 
Source Path: 4.4.0304.01
 
Signature Type: %NT AUTHORITY602
 
Update Type: %NT AUTHORITY604
 
User: NT AUTHORITY\SYSTEM
 
Current Engine Version: %NT AUTHORITY605
 
Previous Engine Version: %NT AUTHORITY606
 
Error code: %NT AUTHORITY607
 
Error description: %NT AUTHORITY608
 
Error: (03/17/2014 01:25:01 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}
 
Error: (03/17/2014 01:25:01 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}
 
 
Microsoft Office Sessions:
=========================
 
==================== Memory info =========================== 
 
Percentage of memory in use: 27%
Total physical RAM: 2021.73 MB
Available physical RAM: 1474.8 MB
Total Pagefile: 3914.45 MB
Available Pagefile: 3574.84 MB
Total Virtual: 2047.88 MB
Available Virtual: 1958.77 MB
 
==================== Drives ================================
 
Drive c: (WXP3IE7Base) (Fixed) (Total:74.53 GB) (Free:36.01 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive d: (2nd Drive) (Fixed) (Total:149.05 GB) (Free:97.67 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 75 GB) (Disk ID: 7D577D57)
Partition 1: (Active) - (Size=75 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 149 GB) (Disk ID: DA12282D)
 
Partition: GPT Partition Type.
 
==================== End Of Log ============================


#15 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 18 March 2014 - 03:43 AM

Fix with FRST (normal mode)

  • Open notepad (Start =>All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste).
  • Save it to the same directory as frst.exe (or frst64.exe) as fixlist.txt.

    HKU\S-1-5-21-769079328-3020190987-2214429306-1028\...\Run: [Oraweposteryydn] - "C:\Documents and Settings\Toshie Lou\Application Data\Xuxuicpi\iqxae.exe"
    HKU\S-1-5-21-769079328-3020190987-2214429306-1028\...409d6c4515e9\InprocServer32: [Default-shell32] SHELL32.dll ATTENTION! ====> ZeroAccess?
    FF NewTab: hxxp://start.sweetpacks.com/?src=97&barid={8D6E885D-D132-11E2-9DB6-0016760BAF36}&crg=3.5000006.10045
    FF Keyword.URL: hxxp://start.sweetpacks.com/?src=2&st=12&crg=3.5000006.10045&barid={8D6E885D-D132-11E2-9DB6-0016760BAF36}&q=
    
    S1 iyufkogb; \??\C:\WINDOWS\system32\drivers\iyufkogb.sys
    
    C:\Documents and Settings\sandinjs\Local Settings\Temp\conduitinstaller.exe
    C:\Documents and Settings\sandinjs\Local Settings\Temp\Coupon-Caddy-ppi-US.exe
    C:\Documents and Settings\sandinjs\Local Settings\Temp\tbSomo.dll
    C:\Documents and Settings\sandinjs\Local Settings\Temp\is1275519350\wajam_download.exe
    C:\Documents and Settings\Toshie Lou\Local Settings\Temporary Internet Files\Content.IE5\847W5W3D\273698b3050f7b7ab015b8ce81b2795f20904081[1].htm
    C:\WINDOWS\system32\cmdow.exe
    C:\Documents and Settings\Toshie Lou\Application Data\Xuxuicpi
    C:\WINDOWS\system32\drivers\iyufkogb.sys
    C:\Documents and Settings\sandinjs\.vmrc_plugin_ovftool_settings.js
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
  • Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) which you find where you saved FRST. Please post it to your reply.

Scan with Farbar´s Service Scanner

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender

  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here to donate (no worries, every little bit helps)
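As an added example (not part of this post, and not FRST's own code): a small Python triage script that classifies each line of a fixlist of the shape above by the persistence mechanism it removes, and then checks that every Run-key or service target is also scheduled for deletion, directly or through a parent folder. The sample fixlist is constructed from the lines in the post (the NOTICE line is trimmed); the regular expressions, the `Finding` class, `path_tags`, `classify`, `parse_fixlist`, `summary` and `uncovered_targets` are all my own names and my own reading of the line shapes FRST prints, not FRST's parser. The `S1` prefix is taken to be FRST's stopped/running letter followed by the Windows service start type.

```python
"""
Triage helper for an FRST fixlist.  Added example, not part of FRST or of the
post above: it classifies each line by the persistence mechanism it removes and
checks that every Run-key / service target is also listed for deletion.
The regular expressions are my own reading of the line shapes seen in FRST logs.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: lines copied from the fixlist in the post (NOTICE line trimmed).
SAMPLE_FIXLIST = r"""
HKU\S-1-5-21-769079328-3020190987-2214429306-1028\...\Run: [Oraweposteryydn] - "C:\Documents and Settings\Toshie Lou\Application Data\Xuxuicpi\iqxae.exe"
HKU\S-1-5-21-769079328-3020190987-2214429306-1028\...409d6c4515e9\InprocServer32: [Default-shell32] SHELL32.dll ATTENTION! ====> ZeroAccess?
FF NewTab: hxxp://start.sweetpacks.com/?src=97&barid={8D6E885D-D132-11E2-9DB6-0016760BAF36}&crg=3.5000006.10045
S1 iyufkogb; \??\C:\WINDOWS\system32\drivers\iyufkogb.sys
C:\Documents and Settings\sandinjs\Local Settings\Temp\conduitinstaller.exe
C:\WINDOWS\system32\cmdow.exe
C:\Documents and Settings\Toshie Lou\Application Data\Xuxuicpi
C:\WINDOWS\system32\drivers\iyufkogb.sys
NOTICE: This script was written specifically for this user
"""

@dataclass
class Finding:
    kind: str                  # registry_run | com_inproc | browser | service | path | note
    name: str                  # value name, service name, setting, or the path itself
    target: str                # executable, DLL, URL or path the line points at
    tags: List[str] = field(default_factory=list)

RUN_RE     = re.compile(r'^(HKLM|HKU|HKCU)\\(.*?)\\Run: \[(.+?)\] - "?(.+?)"?\s*$')
COM_RE     = re.compile(r'^(HKLM|HKU|HKCU)\\(.*?)\\InprocServer32: \[(.+?)\] (\S+)(.*)$')
BROWSER_RE = re.compile(r'^(FF|CHR|IE) ([^:]+): (.+)$')
SERVICE_RE = re.compile(r'^([SR])(\d)\s+([^;]+);\s*(.+)$')   # S/R = stopped/running, digit = start type
PATH_RE    = re.compile(r'^[A-Za-z]:\\')
EXEC_EXT   = ('.exe', '.dll', '.sys', '.scr', '.com')

def path_tags(path: str) -> List[str]:
    low = path.lower()
    base = low.rsplit('\\', 1)[-1]
    tags = []
    if base.endswith(EXEC_EXT):
        tags.append('executable')
    elif '.' not in base:
        tags.append('folder')               # deleting a folder also covers its contents
    for needle, tag in (('\\temp\\', 'temp'), ('\\temporary internet files\\', 'browser-cache'),
                        ('\\system32\\drivers\\', 'drivers-dir'), ('\\application data\\', 'appdata')):
        if needle in low:
            tags.append(tag)
    return tags

def classify(line: str) -> Finding:
    line = line.strip()
    if m := RUN_RE.match(line):
        hive, _, value, exe = m.groups()
        return Finding('registry_run', value, exe, ['autostart', 'per-user' if hive == 'HKU' else 'machine'])
    if m := COM_RE.match(line):
        hive, _, value, dll, comment = m.groups()
        # A per-user InprocServer32 override shadows the machine-wide CLSID for that user's processes.
        tags = ['com-hijack', 'per-user' if hive == 'HKU' else 'machine']
        if 'ZeroAccess' in comment:
            tags.append('zeroaccess-indicator')
        return Finding('com_inproc', value, dll, tags)
    if m := BROWSER_RE.match(line):
        browser, setting, url = m.groups()
        return Finding('browser', f'{browser} {setting}', url, ['browser-setting'])
    if m := SERVICE_RE.match(line):
        _state, start, name, path = m.groups()
        if path.startswith('\\??\\'):       # strip the NT object-manager prefix
            path = path[4:]
        tags = ['kernel-driver' if path.lower().endswith('.sys') else 'service', f'start-type-{start}']
        return Finding('service', name.strip(), path, tags)
    if PATH_RE.match(line):
        return Finding('path', line, line, path_tags(line))
    return Finding('note', line, '', [])

def parse_fixlist(text: str) -> List[Finding]:
    return [classify(l) for l in text.splitlines() if l.strip()]

def summary(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts

def uncovered_targets(findings: List[Finding]) -> List[str]:
    """Run-key and service targets that no path line deletes, directly or via a parent folder."""
    deletions = [f.target.lower() for f in findings if f.kind == 'path']
    missing = []
    for f in findings:
        if f.kind not in ('registry_run', 'service'):
            continue
        t = f.target.lower()
        if not any(t == d or t.startswith(d + '\\') for d in deletions):
            missing.append(f.target)
    return missing

if __name__ == '__main__':
    fs = parse_fixlist(SAMPLE_FIXLIST)
    for f in fs:
        print(f'{f.kind:13} {f.name[:48]:48} {",".join(f.tags)}')
    print('summary:', summary(fs))
    print('targets not scheduled for deletion:', uncovered_targets(fs) or 'none')
```

On the sample, the Run-key target iqxae.exe is covered because its parent folder Xuxuicpi is listed, and the driver iyufkogb.sys is listed by its own path, so the coverage check returns nothing. The COM line is deliberately left out of that check: the DLL name it shows is not a deletable path in the fixlist, and the right action for such an entry is removing the per-user override, which the fixlist line already does.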