kovter - trend locked under gpo. combo fix does not run - XPx32


  • This topic is locked
2 replies to this topic

#1 mathey

mathey

  • Members
  • 1 posts
  • OFFLINE
  • Local time:07:00 PM

Posted 31 January 2015 - 12:40 PM

I have a computer with Windows XP and it has been acting strange for a couple of weeks. Our ISP notified us that we have Kovter. When I looked at the machine, Trend is not showing up in the system tray and any attempt at reinstalling it gets a message that there is a software policy restriction. Our friend tried to fix it, but this morning, ComboFix was still sitting and could not get to stage 1 after 12 hours. I am hoping that someone can provide some help with removing this infection. I have attached the FRST log and the Addition.txt below.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 31-01-2015 01
Ran by Administrator (administrator) on USNCA-3355 on 31-01-2015 12:29:34
Running from C:\Documents and Settings\Administrator\Desktop
Loaded Profiles: atm & Administrator (Available profiles: atm & Administrator & ascherer)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\WINDOWS\system32\igfxsrvc.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SigmatelSysTrayApp] => C:\WINDOWS\stsystra.exe [282624 2006-07-24] (SigmaTel, Inc.)
HKLM\...\Run: [IAAnotif] => C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe [151552 2006-07-06] (Intel Corporation)
HKLM\...\Run: [Client Access Service] => C:\Program Files\IBM\Client Access\cwbsvstr.exe [20530 2005-06-06] (IBM Corporation)
HKLM\...\Run: [Client Access Help Update] => C:\Program Files\IBM\Client Access\cwbinhlp.exe [24626 2005-06-06] (IBM Corporation)
HKLM\...\Run: [Client Access Check Version] => C:\Program Files\IBM\Client Access\cwbckver.exe [45106 2005-06-06] (IBM Corporation)
HKLM\...\Run: [Client Access Express Welcome] => C:\Program Files\IBM\Client Access\cwbwlwiz.exe [20480 2005-06-06] (IBM Corporation)
HKLM\...\Run: [Client Access PC5250 Sound] => C:\Program Files\IBM\Client Access\Emulator\pcssnd.exe [40960 2005-06-06] (IBM Corporation)
HKLM\...\Run: [Discovery User Input] => c:\Discovery\User Input\userin32.exe [225280 2007-06-22] (Centennial Software Limited )
HKLM\...\Run: [OfficeScanNT Monitor] => C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe [866784 2011-03-23] (Trend Micro Inc.)
HKLM\...\Run: [KernelFaultCheck] => %systemroot%\system32\dumprep 0 -k
HKLM Group Policy restriction on software: C:\Program Files\Trend Micro <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION
Winlogon\Notify\MRCNotify: C:\WINDOWS\dwrcs\DWRCWXL.dll (SolarWinds)
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled ()
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Yosemite Desktop-Laptop Backup Taskbar Monitor.lnk
ShortcutTarget: Yosemite Desktop-Laptop Backup Taskbar Monitor.lnk -> C:\Program Files\Barracuda\Yosemite Desktop-Laptop Backup\FKMonitor.exe (Barracuda Networks, Inc.)
ShellIconOverlayIdentifiers: [AutoCAD Digital Signatures Icon Overlay Handler] -> {36A21736-36C2-4C11-8ACB-D4136F2B57BD} => C:\WINDOWS\system32\AcSignIcon.dll (Autodesk)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1070330
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1070330
HKU\S-1-5-21-1980715077-3259889468-2055856600-1005\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1070330
HKU\S-1-5-21-1980715077-3259889468-2055856600-1005\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
HKU\S-1-5-21-1980715077-3259889468-2055856600-1005\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
HKU\S-1-5-21-1980715077-3259889468-2055856600-1005\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1070330
HKU\S-1-5-21-1980715077-3259889468-2055856600-500\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1070330
HKU\S-1-5-21-1980715077-3259889468-2055856600-500\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
HKU\S-1-5-21-1980715077-3259889468-2055856600-500\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
HKU\S-1-5-21-1980715077-3259889468-2055856600-500\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1070330
BHO: CBrowserHelperObject Object -> {CA6319C0-31B7-401E-A518-A07C3DB8F777} -> C:\Program Files\BAE\BAE.dll (Dell Inc.)
Toolbar: HKU\S-1-5-21-1980715077-3259889468-2055856600-1005 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Tcpip\Parameters: [DhcpNameServer] 172.16.1.1

FireFox:
========
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2010-08-27]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 CentennialClientAgent; c:\centenn.ial\audit\CAgent32.exe [851968 2007-06-22] (Centennial Software Limited ) [File not signed]
S2 CentennialIPTransferAgent; c:\centenn.ial\audit\xferwan.exe [303104 2007-06-22] (Centennial Software Limited ) [File not signed]
S3 Cwbrxd; C:\WINDOWS\CWBRXD.EXE [57344 2005-06-06] (IBM Corporation) [File not signed]
S2 DNTUS26; C:\WINDOWS\SYSTEM32\DNTUS26.EXE [114688 2008-07-23] (DameWare Development LLC) [File not signed]
S2 dwmrcs; C:\WINDOWS\dwrcs\DWRCS.EXE [705384 2012-08-16] (SolarWinds)
S2 FKService; C:\Program Files\Barracuda\Yosemite Desktop-Laptop Backup\FKService.exe [229376 2011-12-05] (Barracuda Networks, Inc.) [File not signed]
S2 IAANTMON; C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe [90112 2006-07-06] (Intel Corporation) [File not signed]
S2 Multi-user Cleanup Service; C:\Notes\ntmulti.exe [58760 2008-08-08] (IBM Corp)
S2 ntrtscan; C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe [1414744 2011-03-22] (Trend Micro Inc.)
S2 OpenFileAgent; C:\Program Files\CA\BrightStor ARCserve Backup for Laptops & Desktops\Client\BAOF\Ofant.exe [135168 2007-02-08] (CA) [File not signed]
S2 TIRmtSvc; C:\WINDOWS\TIREMOTE\TIRemoteService.exe [214016 2008-11-13] (Numara Software, Inc.) [File not signed]
S2 tmlisten; C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe [1366592 2011-03-22] (Trend Micro Inc.)
S3 TmProxy; C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe [689416 2009-07-15] (Trend Micro Inc.)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S4 abp480n5; C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS [23552 2001-08-17] (Microsoft Corporation)
S3 CdProbe; C:\WINDOWS\system32\DRIVERS\CDProbe.SYS [9248 2015-01-30] (Centennial Software Limited ) [File not signed]
S3 DwMirror; C:\WINDOWS\System32\DRIVERS\DamewareMini.sys [3712 2007-02-07] (DameWare Development, LLC)
R1 dwvkbd; C:\WINDOWS\System32\DRIVERS\dwvkbd.sys [26624 2007-02-15] (DameWare)
S2 FKDriver; c:\program files\barracuda\yosemite desktop-laptop backup\fkdriver.sys [142576 2011-12-05] (Barracuda Networks, Inc.) [File not signed]
S2 OFADriver; C:\WINDOWS\system32\drivers\ofant.sys [155817 2007-02-08] (CA) [File not signed]
S3 STHDA; C:\WINDOWS\System32\drivers\sthda.sys [1156648 2006-07-24] (SigmaTel, Inc.)
S2 tmcomm; C:\WINDOWS\system32\drivers\tmcomm.sys [302760 2015-01-30] (Trend Micro Inc.)
S2 TmFilter; C:\Program Files\Trend Micro\OfficeScan Client\TmXPFlt.sys [263968 2013-08-14] (Trend Micro Inc.)
S2 TmPreFilter; C:\Program Files\Trend Micro\OfficeScan Client\TmPreFlt.sys [36128 2013-08-14] (Trend Micro Inc.)
S1 tmtdi; C:\WINDOWS\System32\DRIVERS\tmtdi.sys [89872 2009-07-15] (Trend Micro Inc.)
S2 VSApiNt; C:\Program Files\Trend Micro\OfficeScan Client\VSApiNt.sys [1517600 2013-08-14] (Trend Micro Inc.)
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-31 12:29 - 2015-01-31 12:30 - 00010361 _____ () C:\Documents and Settings\Administrator\Desktop\FRST.txt
2015-01-31 12:29 - 2015-01-31 12:29 - 00000000 ____D () C:\FRST
2015-01-31 12:28 - 2015-01-31 12:28 - 01122304 _____ (Farbar) C:\Documents and Settings\Administrator\Desktop\FRST.exe
2015-01-31 12:27 - 2015-01-31 12:27 - 00000000 ____D () C:\Documents and Settings\Administrator\Application Data\Macromedia
2015-01-31 12:27 - 2015-01-31 12:27 - 00000000 ____D () C:\Documents and Settings\Administrator\Application Data\Adobe
2015-01-31 02:47 - 2015-01-31 02:48 - 00000000 ___SD () C:\ComboFix
2015-01-31 02:40 - 2015-01-31 02:40 - 00000000 __SHD () C:\Documents and Settings\Administrator\PrivacIE
2015-01-31 02:32 - 2015-01-31 02:32 - 00001730 _____ () C:\Documents and Settings\All Users\Desktop\UVK - Ultra Virus Killer.lnk
2015-01-31 02:32 - 2015-01-31 02:32 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\UVK - Ultra Virus Killer
2015-01-31 02:31 - 2015-01-31 02:37 - 00000000 ____D () C:\Program Files\UVK - Ultra Virus Killer
2015-01-30 17:27 - 2015-01-30 17:27 - 00000000 ____D () C:\cmdcons
2015-01-30 17:25 - 2015-01-30 17:25 - 00000000 __SHD () C:\Documents and Settings\Administrator\IETldCache
2015-01-30 16:52 - 2013-06-18 14:12 - 00660160 _____ (Sysinternals - www.sysinternals.com) C:\Documents and Settings\rswartz\Desktop\autoruns.exe
2015-01-30 16:44 - 2008-04-13 20:11 - 00021504 _____ (Microsoft Corporation) C:\WINDOWS\system32\hidserv.dll
2015-01-30 16:44 - 2008-04-13 20:11 - 00021504 _____ (Microsoft Corporation) C:\WINDOWS\system32\dllcache\hidserv.dll
2015-01-30 12:13 - 2015-01-30 16:57 - 00000327 _____ () C:\Boot.bak
2015-01-30 12:13 - 2004-08-03 23:00 - 00260272 __RSH () C:\cmldr
2015-01-30 12:09 - 2011-06-26 01:45 - 00256000 _____ () C:\WINDOWS\PEV.exe
2015-01-30 12:09 - 2010-11-07 12:20 - 00208896 _____ () C:\WINDOWS\MBR.exe
2015-01-30 12:09 - 2009-04-19 23:56 - 00060416 _____ (NirSoft) C:\WINDOWS\NIRCMD.exe
2015-01-30 12:09 - 2000-08-30 19:00 - 00518144 _____ (SteelWerX) C:\WINDOWS\SWREG.exe
2015-01-30 12:09 - 2000-08-30 19:00 - 00406528 _____ (SteelWerX) C:\WINDOWS\SWSC.exe
2015-01-30 12:09 - 2000-08-30 19:00 - 00212480 _____ (SteelWerX) C:\WINDOWS\SWXCACLS.exe
2015-01-30 12:09 - 2000-08-30 19:00 - 00098816 _____ () C:\WINDOWS\sed.exe
2015-01-30 12:09 - 2000-08-30 19:00 - 00080412 _____ () C:\WINDOWS\grep.exe
2015-01-30 12:09 - 2000-08-30 19:00 - 00068096 _____ () C:\WINDOWS\zip.exe
2015-01-30 11:42 - 2015-01-30 11:46 - 00000099 _____ () C:\Documents and Settings\rswartz\Desktop\OFCNTINST.log
2015-01-30 11:41 - 2011-11-21 09:25 - 56428989 _____ (Trend Micro Inc.) C:\Documents and Settings\rswartz\Desktop\OfficeScanSetup_10_6_32bit.exe
2015-01-30 11:37 - 2015-01-30 12:09 - 00000000 ____D () C:\Qoobox
2015-01-30 11:36 - 2015-01-30 11:36 - 00000000 ____D () C:\WINDOWS\erdnt
2015-01-30 11:32 - 2015-01-30 11:32 - 05611408 ____R (Swearware) C:\Documents and Settings\rswartz\Desktop\ComboFix.exe
2015-01-30 09:30 - 2015-01-30 19:01 - 00000000 ____D () C:\AdwCleaner
2015-01-30 09:28 - 2015-01-30 09:28 - 00000000 ____D () C:\Documents and Settings\rswartz\Desktop\mbar
2015-01-30 09:25 - 2015-01-30 16:52 - 00004840 _____ () C:\Documents and Settings\rswartz\Desktop\Rkill.txt
2015-01-30 08:59 - 2015-01-30 17:28 - 00114904 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-01-30 08:59 - 2015-01-30 08:59 - 00000777 _____ () C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2015-01-30 08:59 - 2015-01-30 08:59 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2015-01-30 08:59 - 2015-01-30 08:59 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2015-01-30 08:59 - 2015-01-30 08:59 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes
2015-01-30 08:59 - 2014-11-21 06:14 - 00054360 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-01-30 08:59 - 2014-11-21 06:14 - 00023256 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2015-01-30 08:56 - 2015-01-30 08:56 - 20447072 _____ (Malwarebytes Corporation ) C:\Documents and Settings\rswartz\Desktop\mbam-setup-2.0.4.1028.exe
2015-01-06 11:16 - 2015-01-06 11:16 - 00000610 _____ () C:\Documents and Settings\rswartz\Desktop\Job Cost Review 2015.lnk
2015-01-06 11:15 - 2015-01-06 11:15 - 00000582 _____ () C:\Documents and Settings\rswartz\My Documents\Shortcut to Job Cost Review 2015.lnk
2015-01-06 11:14 - 2015-01-06 11:22 - 00390144 _____ () C:\Documents and Settings\rswartz\My Documents\Job Cost Review 2015.xls
2015-01-05 15:35 - 2015-01-12 09:59 - 00018432 _____ () C:\Documents and Settings\rswartz\My Documents\ATA Conversion 2014-2015.xls

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-31 12:30 - 2004-08-11 17:20 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Temp
2015-01-31 02:40 - 2004-08-11 17:20 - 00000000 ____D () C:\Documents and Settings\Administrator
2015-01-30 18:55 - 2007-04-23 06:34 - 00002479 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Word.lnk
2015-01-30 18:55 - 2004-08-11 17:13 - 01900464 _____ () C:\WINDOWS\WindowsUpdate.log
2015-01-30 17:27 - 2004-08-11 17:00 - 00000327 __RSH () C:\Boot.ini
2015-01-30 17:25 - 2004-08-11 17:00 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
2015-01-30 17:24 - 2007-04-19 10:15 - 00000178 ___SH () C:\Documents and Settings\rswartz\ntuser.ini
2015-01-30 17:24 - 2007-04-19 10:15 - 00000000 ____D () C:\Documents and Settings\rswartz\Local Settings\Temp
2015-01-30 16:46 - 2004-08-11 17:20 - 00032536 _____ () C:\WINDOWS\SchedLgU.Txt
2015-01-30 16:46 - 2004-08-11 17:20 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-01-30 16:45 - 2014-10-22 04:05 - 00000228 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2015-01-30 16:45 - 2007-03-30 07:45 - 00708388 _____ () C:\WINDOWS\setupapi.log
2015-01-30 16:44 - 2007-03-30 07:46 - 00001150 _____ () C:\WINDOWS\setupact.log
2015-01-30 16:43 - 2007-06-22 13:17 - 00009248 _____ (Centennial Software Limited ) C:\WINDOWS\system32\Drivers\CDProbe.SYS
2015-01-30 16:43 - 2004-08-11 17:12 - 00000000 ____D () C:\WINDOWS\system32\Restore
2015-01-30 15:53 - 2010-06-02 13:47 - 00000000 _SHDC () C:\{BWDLBackup}
2015-01-30 15:53 - 2007-04-19 10:15 - 00000000 ____D () C:\Documents and Settings\rswartz
2015-01-30 15:37 - 2004-08-11 17:21 - 00000000 ____D () C:\WINDOWS\Microsoft.NET
2015-01-30 11:46 - 2008-02-14 16:00 - 00000000 ____D () C:\Temp
2015-01-30 11:27 - 2010-04-14 15:42 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB979683_0$
2015-01-30 11:27 - 2008-02-15 16:33 - 00032377 _____ () C:\WINDOWS\TMFilter.log
2015-01-30 11:27 - 2007-04-19 10:03 - 00000904 _____ () C:\WINDOWS\system32\config\netlogon.ftl
2015-01-30 09:07 - 2008-02-14 16:06 - 00302760 _____ (Trend Micro Inc.) C:\WINDOWS\system32\Drivers\tmcomm.sys
2015-01-30 08:59 - 2013-08-21 10:06 - 00000000 ____D () C:\WINDOWS\dwrcs
2015-01-30 06:40 - 2013-05-11 09:31 - 00173056 _____ () C:\Documents and Settings\rswartz\My Documents\Attendence.xls
2015-01-30 03:37 - 2008-02-14 16:07 - 00018561 _____ () C:\WINDOWS\cfgall.ini
2015-01-30 01:48 - 2004-08-11 17:02 - 00000000 ____D () C:\WINDOWS\security
2015-01-28 15:19 - 2007-04-23 06:14 - 00002572 _____ () C:\Documents and Settings\rswartz\Desktop\Microsoft Word.lnk
2015-01-28 08:21 - 2010-11-23 07:43 - 00000000 ____D () C:\Notes
2015-01-20 12:45 - 2007-04-25 14:10 - 00000000 ____D () C:\Documents and Settings\rswartz\Application Data\AdobeUM
2015-01-19 11:40 - 2014-01-17 08:43 - 00204800 _____ () C:\Documents and Settings\rswartz\My Documents\OSHA 300 Form (w-formulas) 2014.xls
2015-01-14 12:16 - 2014-12-29 14:32 - 00000664 _____ () C:\WINDOWS\system32\d3d9caps.dat
2015-01-14 03:06 - 2013-08-15 02:00 - 00000000 ____D () C:\WINDOWS\system32\MRT
2015-01-14 03:00 - 2007-04-19 09:44 - 110348472 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-01-13 19:03 - 2010-11-23 07:30 - 00000178 ___SH () C:\Documents and Settings\srvrun\ntuser.ini
2015-01-12 12:54 - 2011-10-19 12:51 - 00224256 _____ () C:\Documents and Settings\rswartz\My Documents\Temp To Hire Eligible Date.xls
2015-01-08 15:00 - 2014-10-22 04:05 - 00000222 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2015-01-06 11:08 - 2013-11-12 12:09 - 00378880 _____ () C:\Documents and Settings\rswartz\Desktop\Job Cost Review 2014.xls
2015-01-06 11:08 - 2007-04-23 06:14 - 00002568 _____ () C:\Documents and Settings\rswartz\Desktop\Microsoft Excel.lnk
2015-01-05 15:35 - 2014-01-06 14:49 - 00081408 _____ () C:\Documents and Settings\rswartz\My Documents\ATA CONVERSIONS 2013 2014.xls

==================== Files in the root of some directories =======

1998-12-08 21:53 - 1998-12-08 21:53 - 0099840 _____ (Symantec Corp.) C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-08 21:53 - 1998-12-08 21:53 - 0048640 _____ (Symantec Corp., Peter Norton Computing Group) C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-08 21:53 - 1998-12-08 21:53 - 0070144 _____ (Symantec Corp., Peter Norton Computing Group) C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-08 21:53 - 1998-12-08 21:53 - 0186368 _____ (Symantec Corp., Peter Norton Computing Group) C:\Program Files\Common Files\IRAREG.DLL
1998-12-08 21:53 - 1998-12-08 21:53 - 0017920 _____ (Symantec Corp.) C:\Program Files\Common Files\IRASRIAL.DLL
1998-12-08 21:53 - 1998-12-08 21:53 - 0031744 _____ (Symantec Corp., Peter Norton Computing Group) C:\Program Files\Common Files\IRAWEBTR.DLL

Some content of TEMP:
====================
C:\Documents and Settings\rswartz\Local Settings\Temp\MotoConnect_1.1.31_Driver_4.7.1.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================

#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,756 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:00 PM

Posted 02 February 2015 - 09:48 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

CloseProcesses:

HKLM\...\Run: [KernelFaultCheck] => %systemroot%\system32\dumprep 0 -k
HKLM Group Policy restriction on software: C:\Program Files\Trend Micro <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please run the Farbar tool one more time and post a fresh FRST log for my review.

How is the computer running now?
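The fixlist above was assembled by hand from the lines FRST flagged with ATTENTION. As an added example (not part of this thread and not FRST's own code), the Python helper below does that triage over a constructed sample of log lines taken from this thread: it lists the flagged entries, explains what each Group Policy software-restriction rule covers, reports security products that are installed but blocked by such a rule, and drafts a fixlist in the same start/End form. The vendor folder list is an assumption, not something FRST defines.

```python
"""Triage helper for FRST logs (added example; not FRST's own code)."""
import re

ATTENTION_RE = re.compile(r"\s*<=+\s*ATTENTION\s*$")
SRP_PREFIX = "HKLM Group Policy restriction on software: "
SR_POLICY_PREFIX = "HKLM\\Software\\Policies\\Microsoft\\Windows NT\\SystemRestore:"

# Assumed list of product folder names a software restriction policy should
# never block; extend it for the products deployed on the machine examined.
SECURITY_DIRS = ("Trend Micro", "Malwarebytes", "Symantec", "McAfee", "Sophos")

# Constructed sample: a few lines copied from the FRST log in this thread.
SAMPLE_LOG = """\
HKLM\\...\\Run: [OfficeScanNT Monitor] => C:\\Program Files\\Trend Micro\\OfficeScan Client\\pccntmon.exe [866784 2011-03-23] (Trend Micro Inc.)
HKLM Group Policy restriction on software: C:\\Program Files\\Trend Micro <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRoot%System32\\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir% <====== ATTENTION
HKLM\\Software\\Policies\\Microsoft\\Windows NT\\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
Winlogon\\Notify\\MRCNotify: C:\\WINDOWS\\dwrcs\\DWRCWXL.dll (SolarWinds)
"""


def flagged_lines(log):
    """Return, verbatim, every line FRST marked with ATTENTION."""
    return [ln for ln in log.splitlines() if ATTENTION_RE.search(ln)]


def describe(line):
    """Plain-language meaning of one flagged line, for the reviewer."""
    clean = ATTENTION_RE.sub("", line).strip()
    if clean.startswith(SRP_PREFIX):
        target = clean[len(SRP_PREFIX):]
        for vendor in SECURITY_DIRS:
            if vendor.lower() in target.lower():
                return "SRP path rule blocks security product folder: " + vendor
        if "SystemRoot%" in target:
            return "SRP path rule covers the Windows directory: " + target
        if "ProgramFilesDir%" in target:
            return "SRP path rule covers Program Files: " + target
        return "SRP path rule on: " + target
    if clean.startswith(SR_POLICY_PREFIX):
        return "Policy disables System Restore (DisableSR/DisableConfig)"
    return "Flagged by FRST: " + clean


def blocked_security_products(log):
    """Vendors present in Run/service entries that an SRP rule also blocks."""
    installed, blocked = set(), set()
    for ln in log.splitlines():
        for vendor in SECURITY_DIRS:
            if vendor.lower() in ln.lower():
                (blocked if ln.startswith(SRP_PREFIX) else installed).add(vendor)
    return sorted(installed & blocked)


def draft_fixlist(log):
    """Draft fixlist.txt in the start/End form used in the thread.

    Flagged lines are copied verbatim, marker included, as the helper did;
    a person must review the draft before running FRST's Fix on it.
    """
    return "start\n\n" + "\n".join(flagged_lines(log)) + "\n\nEnd\n"


if __name__ == "__main__":
    for ln in flagged_lines(SAMPLE_LOG):
        print(describe(ln))
    print("installed but blocked:", blocked_security_products(SAMPLE_LOG))
    print(draft_fixlist(SAMPLE_LOG))
```

On the sample, the Trend Micro folder is both the target of a Run entry and of a restriction rule, which is exactly the "software policy restriction" the original post ran into when reinstalling.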

#3 nasdaq

nasdaq

  • Malware Response Team
  • 38,756 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:00 PM

Posted 05 February 2015 - 11:23 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.