Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

ICE Virus Need Assistance in Removing


  • This topic is locked This topic is locked
4 replies to this topic

#1 volumes94

volumes94

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:10:47 PM

Posted 09 April 2014 - 09:39 PM

Hello my laptop with Windows 7 64-bit has the ICE Virus. Safe Mode does not work and neither does safe mode with command prompt. HitmanPro Kickstart failed for me as well. I have read other topics and found your suggestion was to use Farbar Recovery Scan Tool and I have done just that. Here is the txt from the file

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-03-2014 (ATTENTION: ====> FRST version is 27 days old and could be outdated)
Ran by SYSTEM on MININT-6QLDHTN on 09-04-2014 21:17:48
Running from F:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
 
 
The only official download link for FRST:
Download link for 32-Bit version:
Download link for 64-Bit Version:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [Apoint] - C:\Program Files\DellTPad\Apoint.exe [357376 2009-09-16] (Alps Electric Co., Ltd.)
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [8158240 2009-10-09] (Realtek Semiconductor)
HKLM\...\Run: [QuickSet] - C:\Program Files\Dell\QuickSet\QuickSet.exe [3189016 2009-10-01] (Dell Inc.)
HKLM\...\Run: [Broadcom Wireless Manager UI] - C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRAY.exe [4968960 2009-07-16] (Dell Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - c:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [PDVDDXSrv] - C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe [140520 2009-06-24] (CyberLink Corp.)
HKLM-x32\...\Run: [Dell Webcam Central] - C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe [409744 2009-06-24] (Creative Technology Ltd)
HKLM-x32\...\Run: [FAStartup] - [X]
HKLM-x32\...\Run: [DellSupportCenter] - C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe [206064 2009-05-21] (SupportSoft, Inc.)
HKLM-x32\...\Run: [FATrayAlert] - C:\Program Files (x86)\Sensible Vision\Fast Access\FATrayMon.exe [98488 2011-04-23] (Sensible Vision )
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-01-20] (Apple Inc.)
HKLM-x32\...\Run: [AVG_TRAY] - C:\Program Files (x86)\AVG\AVG2012\avgtray.exe [2598520 2012-11-19] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [] - [X]
HKLM-x32\...\Run: [ApnUpdater] - C:\Program Files (x86)\Ask.com\Updater\Updater.exe [1561768 2012-05-04] (Ask)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254896 2012-09-17] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [vProt] - C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe [2539544 2014-03-02] ()
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-01-20] (Apple Inc.)
HKLM-x32\...\Run: [HP Software Update] - C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\FastAccess-x32: C:\Program Files (x86)\Sensible Vision\Fast Access\FALogNot.dll ()
HKU\Kenneth\...\Run: [Facebook Update] - C:\Users\Kenneth\AppData\Local\Facebook\Update\FacebookUpdate.exe [138096 2012-07-11] (Facebook Inc.)
HKU\Kenneth\...\Run: [ooVoo.exe] - C:\Program Files (x86)\ooVoo\oovoo.exe [27040888 2012-08-20] (ooVoo LLC)
HKU\Kenneth\...\Run: [Google Update] - C:\Users\Kenneth\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2012-03-29] (Google Inc.)
HKU\Kenneth\...\Run: [Skype] - C:\Program Files (x86)\Skype\Phone\Skype.exe [20584608 2013-11-14] (Skype Technologies S.A.)
Lsa: [Notification Packages] scecli FAPassSync
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7gfrv3rj.lnk
ShortcutTarget: 7gfrv3rj.lnk -> C:\ProgramData\jr3vrfg7.cpp (Microsoft Corporation)
Startup: C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.4.1.lnk
ShortcutTarget: OpenOffice.org 3.4.1.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()
Startup: C:\Users\Kenneth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7gfrv3rj.lnk
ShortcutTarget: 7gfrv3rj.lnk -> C:\ProgramData\jr3vrfg7.cpp (Microsoft Corporation)
Startup: C:\Users\Kenneth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Kenneth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Deskjet 1000 J110 series.lnk
ShortcutTarget: Monitor Ink Alerts - HP Deskjet 1000 J110 series.lnk -> C:\Program Files\HP\HP Deskjet 1000 J110 series\Bin\HPStatusBL.dll (Hewlett-Packard Co.)
Startup: C:\Users\Kenneth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.4.1.lnk
ShortcutTarget: OpenOffice.org 3.4.1.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()
 
==================== Services (Whitelisted) =================
 
S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe [5175856 2013-10-15] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [193288 2012-02-14] (AVG Technologies CZ, s.r.o.)
S2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1363616 2014-01-02] (Microsoft Corporation)
S2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1748640 2014-01-02] (Microsoft Corporation)
S2 SCManager; C:\Program Files (x86)\SafeConnect\scManager.sys [176520 2012-11-19] (Impulse Point, LLC)
S2 vToolbarUpdater18.0.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.0.0\ToolbarUpdater.exe [1759768 2014-03-02] (AVG Secure Search)
S2 Winmgmt; C:\ProgramData\7gfrv3rj.zvv [331504 2014-03-05] (Microsoft Corporation)
S2 wltrysvc; C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe [3417088 2009-07-16] (Dell Inc.)
 
==================== Drivers (Whitelisted) ====================
 
S3 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [127328 2012-12-10] (AVG Technologies CZ, s.r.o. )
S3 AVGIDSFilter; C:\Windows\System32\DRIVERS\avgidsfiltera.sys [29776 2011-12-23] (AVG Technologies CZ, s.r.o. )
S0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [28480 2012-04-19] (AVG Technologies CZ, s.r.o. )
S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [307040 2012-11-08] (AVG Technologies CZ, s.r.o.)
S1 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [47696 2011-12-23] (AVG Technologies CZ, s.r.o.)
S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [36944 2012-01-31] (AVG Technologies CZ, s.r.o.)
S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [384800 2013-04-11] (AVG Technologies CZ, s.r.o.)
S1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [50976 2014-03-02] (AVG Technologies)
S3 massfilter_hs; C:\Windows\system32\drivers\massfilter_hs.sys [20232 2012-06-20] (HandSet Incorporated)
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-04-09 21:16 - 2014-04-09 21:17 - 00000000 ___DC () C:\FRST
 
==================== One Month Modified Files and Folders =======
 
2014-04-09 21:17 - 2014-04-09 21:16 - 00000000 ___DC () C:\FRST
2014-04-01 19:11 - 2014-03-05 14:11 - 95027928 ___CT () C:\ProgramData\7gfrv3rj.fee
2014-04-01 19:10 - 2011-12-07 15:55 - 00000896 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-04-01 19:09 - 2011-12-07 15:55 - 00000900 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-04-01 19:08 - 2012-04-12 15:25 - 00000916 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3973649525-2998911651-3272659895-1000UA.job
2014-04-01 19:07 - 2009-07-13 20:45 - 00014240 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-04-01 19:07 - 2009-07-13 20:45 - 00014240 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-04-01 19:05 - 2012-07-16 15:04 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-04-01 19:04 - 2009-07-13 21:10 - 01556419 _____ () C:\Windows\WindowsUpdate.log
2014-04-01 18:59 - 2014-02-27 19:02 - 00003248 _____ () C:\Windows\setupact.log
2014-04-01 18:59 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-03-17 19:20 - 2010-01-23 12:02 - 01125710 _____ () C:\Windows\PFRO.log
2014-03-17 19:16 - 2012-07-29 23:43 - 00000000 ____D () C:\Windows\System32\Drivers\AVG
2014-03-17 19:16 - 2012-01-12 22:03 - 00000000 ___DC () C:\ProgramData\MFAData
 
Files to move or delete:
====================
C:\ProgramData\7gfrv3rj.fee
C:\ProgramData\7gfrv3rj.zvv
 
 
Some content of TEMP:
====================
C:\Users\Kenneth\AppData\Local\Temp\~+JF8262938939708389962.dll
 
 
==================== Known DLLs (Whitelisted) ================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
Restore point made on: 2014-04-01 19:12:57
 
==================== Memory info =========================== 
 
Percentage of memory in use: 21%
Total physical RAM: 3892.54 MB
Available physical RAM: 3055.59 MB
Total Pagefile: 3890.69 MB
Available Pagefile: 3126.92 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:58.59 GB) (Free:4.49 GB) NTFS
Drive d: () (Fixed) (Total:229.63 GB) (Free:221.13 GB) NTFS
Drive e: (2009.10.23_0002) (CDROM) (Total:0.26 GB) (Free:0 GB) UDF
Drive f: () (Fixed) (Total:7.45 GB) (Free:7.38 GB) NTFS
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: E635605C)
 
Partition: GPT Partition Type.
 
========================================================
Disk: 2 (Size: 7 GB) (Disk ID: D7ACB4F1)
 
Partition: GPT Partition Type.
 
 
LastRegBack: 2014-03-02 14:12
 
==================== End Of Log ============================
 
I will be awaiting your reply. Thanks!


BC AdBot (Login to Remove)

 


#2 seedy21

seedy21

  • Malware Response Team
  • 742 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Yorkshire, UK
  • Local time:04:47 AM

Posted 11 April 2014 - 04:12 PM

Hi volumes94 and Welcome to BleepingComputer.

I am currently looking though your logs and will advice you on what to do in my next reply.

“It's only after we've lost everything that we're free to do anything.”
― Chuck Palahniuk, Fight Club

unite_blue.png


#3 seedy21

seedy21

  • Malware Response Team
  • 742 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Yorkshire, UK
  • Local time:04:47 AM

Posted 11 April 2014 - 06:38 PM

Hello volumes94

I'm Seedy21 and I will be helping you with your issues.

Please note the following information about the malware forum:

  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by me
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • Please reply within 48 hours, if you are going to be away for longer please let us know or the topic will be closed for been inactive
  • If you are using Cracked or Illegal software your thread will be closed
  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close.

Step 1

Open notepad. Please copy the contents of the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
Save it on the flashdrive as fixlist.txt
 

HKLM-x32\...\Run: [FAStartup] - [X]
Startup: C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7gfrv3rj.lnk
ShortcutTarget: 7gfrv3rj.lnk -> C:\ProgramData\jr3vrfg7.cpp (Microsoft Corporation)
Startup: C:\Users\Kenneth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7gfrv3rj.lnk
ShortcutTarget: 7gfrv3rj.lnk -> C:\ProgramData\jr3vrfg7.cpp (Microsoft Corporation)
S2 Winmgmt; C:\ProgramData\7gfrv3rj.zvv [331504 2014-03-05] (Microsoft Corporation)
C:\ProgramData\jr3vrfg7.cpp 
C:\ProgramData\jr3vrfg7.zvv
C:\ProgramData\7gfrv3rj.fee
C:\Users\Kenneth\AppData\Local\Temp\~+JF8262938939708389962.dll

NOTICE: This script was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system


On Vista or Windows 7: Now please enter System Recovery Options.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Step 2

We need to see some additional information about what is happening in your machine.
Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.
  • When done, DDS will open two (2) logs
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.
  • The instructions here ask you to attach the Attach.txt.
    DDS.jpg
  • Instead of attaching, please copy/paste both logs into your next reply.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE


“It's only after we've lost everything that we're free to do anything.”
― Chuck Palahniuk, Fight Club

unite_blue.png


#4 seedy21

seedy21

  • Malware Response Team
  • 742 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Yorkshire, UK
  • Local time:04:47 AM

Posted 14 April 2014 - 03:14 PM

This is a 48 hour status check. We need to continue our troubleshooting to make sure there are no more threats on your machine. If you don't have any free time please reply back to this thread and we will keep it open.

If you don't reply back within 24 hours, this thread may be closed for inactivity.


“It's only after we've lost everything that we're free to do anything.”
― Chuck Palahniuk, Fight Club

unite_blue.png


#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,141 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:47 PM

Posted 16 April 2014 - 04:08 PM

Due to the lack of feedback/inactivity, this Topic is closed. Should you need it reopened, please contact a Forum Moderator or member of the Malware Response Team. Include the address of this thread in your request. If you have a new issue, please start a New Topic. This applies only to the original poster. Everyone else please begin a New Topic.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users