Ice Removal Issues

Bac-Man

New Member
Thread author
Oct 28, 2013
6
I feel like I have exhausted every option to remove the ICE virus from an infected laptop. The most promising is using the Kaspersky Rescue Disk, but after it runs, it never finds the virus. Does anyone know of anything else I can try to get rid of this thing? Safe mode with command prompt and Hitman Pro have not worked properly when we tried to run them on the infected computer. Any help would be appreciated.
 

Bac-Man

New Member
Thread author
Oct 28, 2013
6
TwinHeadedEagle said:
What is the version of your system?

Not sure, since we can only run the Rescue Disk, and once it runs and completes the scan, we immediately get the ICE screen again when we reboot.
 

Bac-Man

New Member
Thread author
Oct 28, 2013
6
TwinHeadedEagle said:
Is it Windows XP/Vista/7/8

Do you have USB flash and blank CD and access to another computer?

It is XP Pro; sorry, I thought you wanted to know the version number. Yes, we have several other computers, which is how I created the Hitman (USB) and Kaspersky (CD). Hitman never even booted, and Kaspersky runs a system scan for a couple of hours and says it has not detected anything.
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Kaspersky and Hitman are blind to such viruses; we will clean it this way:


Please print these instructions out so that you know what you are doing
  • Download OTLPENet.exe to your desktop
  • Download Farbar Recovery Scan Tool and save it to a flash drive.
  • Ensure that you have a blank CD in the drive
  • Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
  • Reboot your system using the boot CD you just created.
    Note: If you do not know how to set your computer to boot from CD follow the steps here
  • Wait for the CD to detect your hardware and load the operating system
  • Your system should now display a Reatogo desktop
    Note: as you are running from CD it is not exactly speedy
  • Insert the USB with FRST
  • Locate the flash drive with FRST and double click
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
 

Bac-Man

New Member
Thread author
Oct 28, 2013
6
TwinHeadedEagle said:
Kaspersky and Hitman are blind to such viruses; we will clean it this way:


Please print these instructions out so that you know what you are doing
  • Download OTLPENet.exe to your desktop
  • Download Farbar Recovery Scan Tool and save it to a flash drive.
  • Ensure that you have a blank CD in the drive
  • Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
  • Reboot your system using the boot CD you just created.
    Note: If you do not know how to set your computer to boot from CD follow the steps here
  • Wait for the CD to detect your hardware and load the operating system
  • Your system should now display a Reatogo desktop
    Note: as you are running from CD it is not exactly speedy
  • Insert the USB with FRST
  • Locate the flash drive with FRST and double click
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 28-10-2013
Ran by SYSTEM on REATOGO on 28-10-2013 22:00:42
Running from D:\
Microsoft Windows XP (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [851968 2007-06-03] (Synaptics, Inc.)
HKLM\...\Run: [HotKeysCmds] - C:\WINDOWS\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [Dell QuickSet] - C:\Program Files\Dell\QuickSet\quickset.exe [1191936 2007-05-14] (Dell Inc)
HKLM\...\Run: [Broadcom Wireless Manager UI] - C:\WINDOWS\system32\WLTRAY.EXE [2183168 2007-12-11] (Dell Inc.)
HKLM\...\Run: [SigmatelSysTrayApp] - C:\WINDOWS\stsystra.exe [405504 2007-06-06] (SigmaTel, Inc.)
HKLM\...\Run: [dscactivate] - C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe [16384 2008-03-11] ( )
HKLM\...\Run: [PCMService] - C:\Program Files\Dell\MediaDirect\PCMService.exe [184320 2007-12-21] (CyberLink Corp.)
HKLM\...\Run: [MVS Splash] - C:\Program Files\McAfee\Managed VirusScan\DesktopUI\XTray.exe [476480 2010-05-11] (McAfee, Inc.)
HKLM\...\Run: [McAfee Managed Services Tray] - "C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe"
HKLM\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [39792 2008-01-11] (Adobe Systems Incorporated)
HKLM\...\Run: [DellSupportCenter] - "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
HKLM\...\Run: [HP Software Update] - C:\Program Files\HP\HP Software Update\hpwuSchd2.exe [49152 2006-12-10] (Hewlett-Packard Co.)
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM\...\Run: [] - [x]
HKLM\...\Run: [ApnUpdater] - C:\Program Files\Ask.com\Updater\Updater.exe [1648264 2013-04-25] (Ask)
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\qttask.exe [421888 2013-07-11] (Apple Inc.)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKU\PR Baca\...\Run: [swg] - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
HKU\PR Baca\...\Run: [DellSupportCenter] - "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
HKU\PR Baca\...\Run: [Skype] - C:\Program Files\Skype\Phone\Skype.exe [ 2013-06-21] (Skype Technologies S.A.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
ShortcutTarget: Digital Line Detect.lnk -> C:\Program Files\Digital Line Detect\DLG.exe (Avanquest Software )
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Documents and Settings\PR Baca\Start Menu\Programs\Startup\hjwhwqzj.lnk
ShortcutTarget: hjwhwqzj.lnk -> C:\DOCUME~1\ALLUSE~1\APPLIC~1\jzqwhwjh.dss (Sekizenkan Company)

========================== Services (Whitelisted) =================

S2 EngineServer; C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe [14144 2009-12-15] (McAfee, Inc.)
S2 LxrJD31s; C:\Windows\System32\LxrJD31s.exe [71168 2010-12-10] ()
S2 McShield; C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe [144704 2009-12-15] (McAfee, Inc.)
S4 MSSQLServerADHelper; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [44384 2010-12-10] (Microsoft Corporation)
S2 myAgtSvc; C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [282824 2010-05-11] (McAfee, Inc.)
S2 ptumlcmsvc; C:\WINDOWS\system32\ptumlcmsvc.exe [143360 2012-09-21] (DEVGURU Co., LTD)
S2 Skype C2C Service; C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [3289208 2013-05-14] (Skype Technologies S.A.)
S2 sprtsvc_dellsupportcenter; C:\Program Files\Dell Support Center\bin\sprtsvc.exe [201968 2008-08-14] (SupportSoft, Inc.)
S2 SWAGENT; C:\Program Files\McAfee\Managed VirusScan\Agent\swAgent.exe [202048 2010-05-11] (McAfee, Inc.)
S2 winmgmt; C:\DOCUME~1\ALLUSE~1\APPLIC~1\jzqwhwjh.dss [172032 2013-10-24] (Sekizenkan Company)
S2 wltrysvc; C:\Windows\System32\bcmwltry.exe [1921024 2007-12-11] (Dell Inc.)
S2 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"

==================== Drivers (Whitelisted) ====================

S4 abp480n5; C:\Windows\system32\DRIVERS\ABP480N5.SYS [23552 2001-08-17] (Microsoft Corporation)
S1 APPDRV; C:\Windows\SYSTEM32\DRIVERS\APPDRV.SYS [16128 2005-08-12] (Dell Inc)
S3 BCM43XX; C:\Windows\System32\DRIVERS\bcmwl5.sys [1123328 2007-12-11] (Broadcom Corp.)
S3 HPZid412; C:\Windows\System32\DRIVERS\HPZid412.sys [49920 2007-10-25] (HP)
S3 HPZipr12; C:\Windows\System32\DRIVERS\HPZipr12.sys [16496 2007-10-25] (HP)
S3 HPZius12; C:\Windows\System32\DRIVERS\HPZius12.sys [21568 2007-10-25] (HP)
S3 HSFHWAZL; C:\Windows\System32\DRIVERS\HSFHWAZL.sys [211200 2007-12-02] (Conexant Systems, Inc.)
S3 HSF_DPV; C:\Windows\System32\DRIVERS\HSF_DPV.sys [989952 2007-12-02] (Conexant Systems, Inc.)
S2 LxrJD31d; C:\WINDOWS\system32\Drivers\LxrJD31d.sys [69824 2010-12-10] ()
S3 MfeAVFK; C:\Windows\System32\drivers\MfeAVFK.sys [79816 2009-12-15] (McAfee, Inc.)
S3 MfeBOPK; C:\Windows\System32\drivers\MfeBOPK.sys [35272 2009-12-15] (McAfee, Inc.)
S1 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [214664 2009-12-15] (McAfee, Inc.)
S3 MfeRKDK; C:\Windows\System32\drivers\MfeRKDK.sys [34248 2009-12-15] (McAfee, Inc.)
S1 mfetdik; C:\Windows\System32\drivers\mfetdik.sys [55304 2009-12-15] (McAfee, Inc.)
S3 NWUSBCDFIL; C:\Windows\System32\DRIVERS\NwUsbCdFil.sys [20480 2008-07-07] (Novatel Wireless Inc.)
S3 NWUSBPort2; C:\Windows\System32\DRIVERS\nwusbser2.sys [174336 2008-05-09] (Novatel Wireless Inc.)
S3 PTUMLBUS; C:\Windows\System32\DRIVERS\PTUMLBUS.sys [88632 2012-09-21] (DEVGURU Co., LTD.)
S3 PTUMLCVsp; C:\Windows\System32\DRIVERS\PTUMLCVsp.sys [169016 2012-09-21] (DEVGURU Co., LTD.(www.devguru.co.kr))
S3 PTUMLMdm; C:\Windows\System32\DRIVERS\PTUMLMdm.sys [169016 2012-09-21] (DEVGURU Co., LTD.(www.devguru.co.kr))
S3 PTUMLNET; C:\Windows\System32\DRIVERS\PTUMLNET.sys [97592 2012-09-21] (DEVGURU Co., LTD.)
S3 PTUMLNVsp; C:\Windows\System32\DRIVERS\PTUMLNVsp.sys [169656 2012-09-21] (DEVGURU Co., LTD.(www.devguru.co.kr))
S3 PTUMLRMNET; C:\Windows\System32\DRIVERS\PTUMLRMNET.sys [59704 2012-09-21] (DEVGURU Co., LTD.)
S3 PTUMLVsp; C:\Windows\System32\DRIVERS\PTUMLVsp.sys [169016 2012-09-21] (DEVGURU Co., LTD.(www.devguru.co.kr))
S3 SMSIVZAM5; C:\PROGRA~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [32408 2011-11-29] (Smith Micro Inc.)
S3 STHDA; C:\Windows\System32\drivers\sthda.sys [1222840 2007-06-06] (SigmaTel, Inc.)
S3 PTDMBus; system32\DRIVERS\PTDMBus.sys [x]
S3 PTDMMdm; system32\DRIVERS\PTDMMdm.sys [x]
S3 PTDMVsp; system32\DRIVERS\PTDMVsp.sys [x]
S3 PTDMWFLT; system32\DRIVERS\PTDMWFLT.sys [x]
S3 PTDMWWAN; system32\DRIVERS\PTDMWWAN.sys [x]
S5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
S3 SMNDIS5; \??\C:\PROGRA~1\VERIZO~1\VZACCE~1\SMNDIS5.SYS [x]
S3 SymIM; system32\DRIVERS\SymIM.sys [x]
S3 SymIMMP; system32\DRIVERS\SymIM.sys [x]
S1 WS2IFSL;

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-10-28 22:00 - 2013-10-28 22:00 - 00000000 ____D C:\FRST
2013-10-28 12:30 - 2013-10-28 12:30 - 00000000 ____D C:\Windows\CSC
2013-10-28 08:09 - 2013-10-28 14:11 - 00000000 ____D C:\Kaspersky Rescue Disk 10.0
2013-10-24 16:52 - 2013-10-28 19:39 - 95025368 ____T C:\Documents and Settings\All Users\Application Data\hjwhwqzj.bxx
2013-10-24 16:52 - 2013-10-28 19:39 - 00000000 _____ C:\Documents and Settings\All Users\Application Data\hjwhwqzj.fvv
2013-10-24 16:52 - 2013-10-24 16:52 - 00172032 _____ (Sekizenkan Company) C:\Documents and Settings\All Users\Application Data\jzqwhwjh.dss
2013-10-22 12:53 - 2013-10-22 12:53 - 00033468 _____ C:\Documents and Settings\PR Baca\My Documents\Information for Will.htm
2013-10-22 12:53 - 2013-10-22 12:53 - 00000000 ____D C:\Documents and Settings\PR Baca\My Documents\Information for Will_files
2013-10-10 12:46 - 2013-10-10 12:46 - 00000000 __HDC C:\Windows\$NtUninstallKB2847311$
2013-10-10 12:45 - 2013-10-10 12:45 - 00009600 _____ C:\Windows\KB2862335.log
2013-10-10 12:45 - 2013-10-10 12:45 - 00000000 __HDC C:\Windows\$NtUninstallKB2862335$
2013-10-10 12:40 - 2013-10-10 12:40 - 00011109 _____ C:\Windows\KB2868038.log
2013-10-10 12:40 - 2013-10-10 12:40 - 00000000 __HDC C:\Windows\$NtUninstallKB2868038$
2013-10-10 12:38 - 2013-10-10 12:39 - 00011340 _____ C:\Windows\KB2879017-IE8.log
2013-10-10 12:38 - 2013-10-10 12:38 - 00000000 __HDC C:\Windows\$NtUninstallKB2883150$
2013-10-10 10:41 - 2013-10-10 12:46 - 00013678 _____ C:\Windows\KB2847311.log
2013-10-10 10:41 - 2013-07-02 22:12 - 00025088 ____N (Microsoft Corporation) C:\Windows\System32\dllcache\hidparse.sys
2013-10-10 10:41 - 2013-07-02 22:12 - 00025088 ____N (Microsoft Corporation) C:\Windows\System32\dllcache\hidparse.sys
2013-10-10 10:40 - 2013-07-16 20:58 - 00123008 ____N (Microsoft Corporation) C:\Windows\System32\dllcache\usbvideo.sys
2013-10-10 10:40 - 2013-07-16 20:58 - 00123008 ____N (Microsoft Corporation) C:\Windows\System32\dllcache\usbvideo.sys
2013-10-10 10:40 - 2013-07-16 20:58 - 00060160 ____N (Microsoft Corporation) C:\Windows\System32\dllcache\usbaudio.sys
2013-10-10 10:40 - 2013-07-16 20:58 - 00060160 ____N (Microsoft Corporation) C:\Windows\System32\dllcache\usbaudio.sys
2013-10-10 10:40 - 2013-07-16 20:58 - 00046848 ____N (Microsoft Corporation) C:\Windows\System32\dllcache\irbus.sys
2013-10-10 10:40 - 2013-07-16 20:58 - 00046848 ____N (Microsoft Corporation) C:\Windows\System32\dllcache\irbus.sys
2013-10-10 10:11 - 2013-10-10 10:11 - 00000000 __HDC C:\Windows\$NtUninstallKB2862330$
2013-10-10 09:55 - 2013-10-28 13:06 - 00107815 _____ C:\Windows\setupapi.log
2013-10-10 09:25 - 2013-08-08 20:55 - 00144128 ____N (Microsoft Corporation) C:\Windows\System32\dllcache\usbport.sys
2013-10-10 09:25 - 2013-08-08 20:55 - 00144128 ____N (Microsoft Corporation) C:\Windows\System32\dllcache\usbport.sys
2013-10-10 09:25 - 2013-08-08 20:55 - 00005376 ____N (Microsoft Corporation) C:\Windows\System32\dllcache\usbd.sys
2013-10-10 09:25 - 2013-08-08 20:55 - 00005376 ____N (Microsoft Corporation) C:\Windows\System32\dllcache\usbd.sys
2013-10-10 09:25 - 2009-03-18 07:02 - 00030336 ____N (Microsoft Corporation) C:\Windows\System32\dllcache\usbehci.sys
2013-10-10 09:25 - 2009-03-18 07:02 - 00030336 ____N (Microsoft Corporation) C:\Windows\System32\dllcache\usbehci.sys

==================== One Month Modified Files and Folders =======

2013-10-28 22:00 - 2013-10-28 22:00 - 00000000 ____D C:\FRST
2013-10-28 19:39 - 2013-10-24 16:52 - 95025368 ____T C:\Documents and Settings\All Users\Application Data\hjwhwqzj.bxx
2013-10-28 19:39 - 2013-10-24 16:52 - 00000000 _____ C:\Documents and Settings\All Users\Application Data\hjwhwqzj.fvv
2013-10-28 19:39 - 2004-08-11 18:09 - 00000050 _____ C:\Windows\wiaservc.log
2013-10-28 18:14 - 2004-08-11 18:09 - 00000159 _____ C:\Windows\wiadebug.log
2013-10-28 16:57 - 2004-08-11 18:13 - 02033693 _____ C:\Windows\WindowsUpdate.log
2013-10-28 16:48 - 2004-08-11 18:00 - 00002206 _____ C:\Windows\System32\wpa.dbl
2013-10-28 14:11 - 2013-10-28 08:09 - 00000000 ____D C:\Kaspersky Rescue Disk 10.0
2013-10-28 13:06 - 2013-10-10 09:55 - 00107815 _____ C:\Windows\setupapi.log
2013-10-28 12:30 - 2013-10-28 12:30 - 00000000 ____D C:\Windows\CSC
2013-10-24 21:32 - 2004-08-11 18:20 - 00032470 _____ C:\Windows\SchedLgU.Txt
2013-10-24 18:49 - 2008-05-28 12:07 - 00000178 ___SH C:\Documents and Settings\PR Baca\ntuser.ini
2013-10-24 16:52 - 2013-10-24 16:52 - 00172032 _____ (Sekizenkan Company) C:\Documents and Settings\All Users\Application Data\jzqwhwjh.dss
2013-10-24 16:51 - 2012-08-26 11:54 - 00000000 ____D C:\Documents and Settings\PR Baca\Local Settings\Application Data\AskToolbar
2013-10-24 16:48 - 2013-04-25 12:59 - 00000000 ____D C:\Documents and Settings\PR Baca\Application Data\Skype
2013-10-24 15:13 - 2013-05-07 13:04 - 00002265 _____ C:\Documents and Settings\All Users\Desktop\Skype.lnk
2013-10-23 16:35 - 2008-05-16 16:01 - 00028424 _____ C:\Windows\setupact.log
2013-10-22 12:53 - 2013-10-22 12:53 - 00033468 _____ C:\Documents and Settings\PR Baca\My Documents\Information for Will.htm
2013-10-22 12:53 - 2013-10-22 12:53 - 00000000 ____D C:\Documents and Settings\PR Baca\My Documents\Information for Will_files
2013-10-21 17:46 - 2004-08-11 18:07 - 01876478 _____ C:\Windows\FaxSetup.log
2013-10-21 17:46 - 2004-08-11 18:07 - 00918217 _____ C:\Windows\ocgen.log
2013-10-21 17:46 - 2004-08-11 18:07 - 00863199 _____ C:\Windows\tsoc.log
2013-10-21 17:46 - 2004-08-11 18:07 - 00595960 _____ C:\Windows\System32\PerfStringBackup.INI
2013-10-21 17:46 - 2004-08-11 18:07 - 00585768 _____ C:\Windows\msmqinst.log
2013-10-21 17:46 - 2004-08-11 18:07 - 00576211 _____ C:\Windows\comsetup.log
2013-10-21 17:46 - 2004-08-11 18:07 - 00350035 _____ C:\Windows\ntdtcsetup.log
2013-10-21 17:46 - 2004-08-11 18:07 - 00327289 _____ C:\Windows\netfxocm.log
2013-10-21 17:46 - 2004-08-11 18:07 - 00129821 _____ C:\Windows\MedCtrOC.log
2013-10-21 17:46 - 2004-08-11 18:07 - 00095942 _____ C:\Windows\iis6.log
2013-10-21 17:46 - 2004-08-11 18:07 - 00094384 _____ C:\Windows\ocmsn.log
2013-10-21 17:46 - 2004-08-11 18:07 - 00093964 _____ C:\Windows\msgsocm.log
2013-10-21 17:46 - 2004-08-11 18:07 - 00093817 _____ C:\Windows\tabletoc.log
2013-10-21 17:46 - 2004-08-11 18:07 - 00004757 _____ C:\Windows\imsins.log
2013-10-21 17:46 - 2004-08-11 18:02 - 00000000 ____D C:\Windows\System32\inetsrv
2013-10-18 13:17 - 2013-08-28 19:04 - 00001813 _____ C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
2013-10-14 17:54 - 2004-08-11 18:21 - 00000000 ____D C:\Windows\Microsoft.NET
2013-10-10 13:22 - 2004-08-11 18:06 - 00267800 _____ C:\Windows\System32\FNTCACHE.DAT
2013-10-10 12:49 - 2008-05-16 16:27 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Microsoft Help
2013-10-10 12:46 - 2013-10-10 12:46 - 00000000 __HDC C:\Windows\$NtUninstallKB2847311$
2013-10-10 12:46 - 2013-10-10 10:41 - 00013678 _____ C:\Windows\KB2847311.log
2013-10-10 12:46 - 2008-05-16 16:14 - 00242612 _____ C:\Windows\updspapi.log
2013-10-10 12:46 - 2004-08-11 18:07 - 00001393 _____ C:\Windows\imsins.BAK
2013-10-10 12:45 - 2013-10-10 12:45 - 00009600 _____ C:\Windows\KB2862335.log
2013-10-10 12:45 - 2013-10-10 12:45 - 00000000 __HDC C:\Windows\$NtUninstallKB2862335$
2013-10-10 12:45 - 2013-07-12 19:57 - 00000000 ____D C:\Windows\System32\MRT
2013-10-10 12:42 - 2008-06-23 08:49 - 78106760 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-10-10 12:40 - 2013-10-10 12:40 - 00011109 _____ C:\Windows\KB2868038.log
2013-10-10 12:40 - 2013-10-10 12:40 - 00000000 __HDC C:\Windows\$NtUninstallKB2868038$
2013-10-10 12:39 - 2013-10-10 12:38 - 00011340 _____ C:\Windows\KB2879017-IE8.log
2013-10-10 12:38 - 2013-10-10 12:38 - 00000000 __HDC C:\Windows\$NtUninstallKB2883150$
2013-10-10 10:11 - 2013-10-10 10:11 - 00000000 __HDC C:\Windows\$NtUninstallKB2862330$
2013-10-10 09:25 - 2013-03-13 17:12 - 01065976 _____ C:\Windows\setupapi.log.3.old
2013-10-09 17:30 - 2013-05-07 13:04 - 00000000 ___RD C:\Program Files\Skype
2013-10-09 17:30 - 2013-04-25 12:58 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Skype
2013-10-08 13:28 - 2012-07-30 13:30 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2013-10-08 13:28 - 2012-07-30 13:30 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2013-10-06 11:25 - 2010-12-10 23:28 - 05000129 _____ C:\Windows\System32\ptumlacsvc-1.log

Some content of TEMP:
====================
C:\Documents and Settings\PR Baca\Local Settings\Temp\ApnStub.exe
C:\Documents and Settings\PR Baca\Local Settings\Temp\eject.exe
C:\Documents and Settings\PR Baca\Local Settings\Temp\jre-6u34-windows-i586-iftw.exe
C:\Documents and Settings\PR Baca\Local Settings\Temp\jre-6u35-windows-i586-iftw.exe
C:\Documents and Settings\PR Baca\Local Settings\Temp\setup.exe
C:\Documents and Settings\PR Baca\Local Settings\Temp\SkypeSetup.exe
C:\Documents and Settings\PR Baca\Local Settings\Temp\SkypeSetupFull(6.1.73.129)(Trackable457)trackable.exe
C:\Documents and Settings\PR Baca\Local Settings\Temp\~tmf4040273340246802631.dll


==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points (XP) =====================

RP: -> 2013-10-22 16:46 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP938
RP: -> 2013-10-18 17:27 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP937
RP: -> 2013-10-14 18:14 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP936
RP: -> 2013-10-13 15:42 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP935
RP: -> 2013-10-13 14:24 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP934
RP: -> 2013-10-10 12:36 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP933
RP: -> 2013-10-10 10:09 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP932
RP: -> 2013-10-09 19:02 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP931
RP: -> 2013-10-08 15:29 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP930
RP: -> 2013-10-06 13:39 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP929
RP: -> 2013-10-03 17:39 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP928
RP: -> 2013-10-02 15:53 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP927
RP: -> 2013-09-22 14:04 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP926
RP: -> 2013-09-19 18:28 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP925
RP: -> 2013-09-18 12:27 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP924
RP: -> 2013-09-16 17:53 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP923
RP: -> 2013-09-15 13:15 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP922
RP: -> 2013-09-13 18:52 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP921
RP: -> 2013-09-13 13:23 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP920
RP: -> 2013-09-13 12:22 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP919
RP: -> 2013-09-13 00:41 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP918
RP: -> 2013-09-12 21:13 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP917
RP: -> 2013-09-12 16:02 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP916
RP: -> 2013-09-11 20:11 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP915
RP: -> 2013-09-11 12:45 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP914
RP: -> 2013-09-11 12:06 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP913
RP: -> 2013-09-10 13:36 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP912
RP: -> 2013-09-10 13:35 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP911
RP: -> 2013-09-10 13:24 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP910
RP: -> 2013-09-08 21:13 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP909
RP: -> 2013-09-06 18:06 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP908
RP: -> 2013-09-04 23:38 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP907
RP: -> 2013-09-02 19:09 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP906
RP: -> 2013-09-01 15:35 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP905
RP: -> 2013-08-29 23:05 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP904
RP: -> 2013-08-28 11:31 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP903
RP: -> 2013-08-27 11:29 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP902
RP: -> 2013-08-25 23:51 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP901
RP: -> 2013-08-22 00:32 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP900
RP: -> 2013-08-20 13:40 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP899
RP: -> 2013-08-17 20:34 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP898
RP: -> 2013-08-15 17:26 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP897
RP: -> 2013-08-14 12:44 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP896
RP: -> 2013-08-14 11:30 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP895
RP: -> 2013-08-12 22:21 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP894
RP: -> 2013-08-09 16:19 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP893
RP: -> 2013-08-08 08:30 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP892
RP: -> 2013-08-07 08:05 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP891
RP: -> 2013-08-05 22:34 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP890
RP: -> 2013-08-03 18:54 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP889
RP: -> 2013-08-01 17:16 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP888
RP: -> 2013-07-30 17:36 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP887
RP: -> 2013-07-29 16:04 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP886
RP: -> 2013-07-28 13:36 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP885
RP: -> 2013-07-25 15:47 - 032768 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP884

==================== Memory info ===========================

Percentage of memory in use: 13%
Total physical RAM: 2037.97 MB
Available physical RAM: 1756.32 MB
Total Pagefile: 1868.64 MB
Available Pagefile: 1784.72 MB
Total Virtual: 2047.88 MB
Available Virtual: 1984.92 MB

==================== Drives ================================

Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
Drive c: () (Fixed) (Total:109.21 GB) (Free:82.28 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive d: (HITMANPRO) (Removable) (Total:1.86 GB) (Free:1.86 GB) FAT32
Drive x: (ReatogoPE) (CDROM) (Total:0.43 GB) (Free:0 GB) CDFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 112 GB) (Disk ID: 41AB2316)
Partition 1: (Not Active) - (Size=86 MB) - (Type=DE)
Partition 2: (Active) - (Size=109 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=2 GB) - (Type=OF Extended)

========================================================
Disk: 1 (Size: 2 GB) (Disk ID: B0D023BB)
Partition 1: (Active) - (Size=2 GB) - (Type=0B)

==================== End Of Log ============================
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
On your clean PC, download the following file by right-clicking it and selecting Save As

(attachment: fixlist.txt)

and save it onto your flash drive.

Then boot to system recovery, plug in your flash drive, open FRST and click Fix. Post the generated log.

Attempt to boot normally.
 

Attachments

  • fixlist.txt (755 bytes)

Bac-Man

New Member
Thread author
Oct 28, 2013
6
TwinHeadedEagle said:
On your clean PC, download the following file by right-clicking it and selecting Save As



and save it onto your flash drive.

Then boot to system recovery, plug in your flash drive, open FRST and click Fix. Post the generated log.

Attempt to boot normally.

It appears to have neutralized the virus, and we can boot normally at this point. The Internet is working properly.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 28-10-2013
Ran by SYSTEM at 2013-10-29 11:08:31 Run:1
Running from D:\
Boot Mode: Recovery

==============================================

Content of fixlist:
*****************
HKLM\...\Run: [ApnUpdater] - C:\Program Files\Ask.com\Updater\Updater.exe [1648264 2013-04-25] (Ask)
C:\Program Files\Ask.com
Startup: C:\Documents and Settings\PR Baca\Start Menu\Programs\Startup\hjwhwqzj.lnk
C:\DOCUME~1\ALLUSE~1\APPLIC~1\jzqwhwjh.dss
S2 winmgmt; C:\DOCUME~1\ALLUSE~1\APPLIC~1\jzqwhwjh.dss [172032 2013-10-24] (Sekizenkan Company)
C:\DOCUME~1\ALLUSE~1\APPLIC~1\jzqwhwjh.dss
C:\Documents and Settings\All Users\Application Data\hjwhwqzj.bxx
C:\Documents and Settings\All Users\Application Data\hjwhwqzj.fvv
C:\Documents and Settings\All Users\Application Data\jzqwhwjh.dss
C:\Documents and Settings\PR Baca\Local Settings\Application Data\AskToolbar
C:\Documents and Settings\PR Baca\Local Settings\Temp
cmd: ifconfig /flushdns
*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ApnUpdater => Value deleted successfully.
C:\Program Files\Ask.com => Moved successfully.
C:\Documents and Settings\PR Baca\Start Menu\Programs\Startup\hjwhwqzj.lnk => Moved successfully.
C:\DOCUME~1\ALLUSE~1\APPLIC~1\jzqwhwjh.dss => Moved successfully.
winmgmt => Service restored successfully.
"C:\DOCUME~1\ALLUSE~1\APPLIC~1\jzqwhwjh.dss" => File/Directory not found.
C:\Documents and Settings\All Users\Application Data\hjwhwqzj.bxx => Moved successfully.
C:\Documents and Settings\All Users\Application Data\hjwhwqzj.fvv => Moved successfully.
"C:\Documents and Settings\All Users\Application Data\jzqwhwjh.dss" => File/Directory not found.
C:\Documents and Settings\PR Baca\Local Settings\Application Data\AskToolbar => Moved successfully.
C:\Documents and Settings\PR Baca\Local Settings\Temp => Moved successfully.

========= ifconfig /flushdns =========

'ifconfig' is not recognized as an internal or external command,
operable program or batch file.

========= End of CMD: =========


==== End of Fixlog ====
 

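One way to codify the triage TwinHeadedEagle did on the FRST scan above to arrive at the fixlist in that Fixlog: an added Python example, not code from the thread or from FRST. It parses FRST-style Run, service and ShortcutTarget lines (sample lines copied from the scan log plus benign vendor entries, constructed inline) and flags entries by file extension, location, hijacked built-in service name and random-looking file name; the rule set, the built-in service list and the "random name" heuristic are my assumptions.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the FRST scan in this thread plus two
# benign vendor entries. A real run would read FRST.txt from the flash drive.
SAMPLE_LOG = r"""
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [851968 2007-06-03] (Synaptics, Inc.)
HKLM\...\Run: [ApnUpdater] - C:\Program Files\Ask.com\Updater\Updater.exe [1648264 2013-04-25] (Ask)
Startup: C:\Documents and Settings\PR Baca\Start Menu\Programs\Startup\hjwhwqzj.lnk
ShortcutTarget: hjwhwqzj.lnk -> C:\DOCUME~1\ALLUSE~1\APPLIC~1\jzqwhwjh.dss (Sekizenkan Company)
S2 McShield; C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe [144704 2009-12-15] (McAfee, Inc.)
S2 winmgmt; C:\DOCUME~1\ALLUSE~1\APPLIC~1\jzqwhwjh.dss [172032 2013-10-24] (Sekizenkan Company)
S2 wltrysvc; C:\Windows\System32\bcmwltry.exe [1921024 2007-12-11] (Dell Inc.)
"""

# The three FRST line shapes that carry a program path (Run key, service, Startup shortcut).
RUN_RE = re.compile(r'^HK.*?\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] - (?P<rest>.*)$')
SERVICE_RE = re.compile(r'^S\d+ (?P<name>[^;]+); (?P<rest>.*)$')
SHORTCUT_RE = re.compile(r'^ShortcutTarget: (?P<name>.+?) -> (?P<rest>.*)$')
# First drive-letter path, stopping at the " [size date]", " (vendor)" or closing quote.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\[(]*?)(?=\s+[\[(]|\s*$|")')
VENDOR_RE = re.compile(r'\((?P<vendor>[^)]*)\)\s*$')

EXEC_EXTS = {".exe", ".sys", ".dll", ".cpl"}
# Directory fragments (long and 8.3 forms) that a standard user can write to.
USER_WRITABLE = ("\\application data\\", "\\applic~1\\", "\\local settings\\",
                 "\\locals~1\\", "\\temp\\")
# Assumed set of built-in Windows services that never legitimately run outside %SystemRoot%.
BUILTIN_SERVICES = {"winmgmt", "wuauserv", "bits", "eventlog", "spooler"}
SYSTEM_ROOT = "c:\\windows\\"  # assumption: XP is installed on C:

@dataclass
class Entry:
    kind: str    # "run", "service" or "startup"
    name: str
    path: str
    vendor: str
    raw: str     # original log line; pasted as-is it becomes a fixlist line

def parse_entries(log_text):
    entries = []
    for raw in (line.strip() for line in log_text.splitlines()):
        for kind, rx in (("run", RUN_RE), ("service", SERVICE_RE), ("startup", SHORTCUT_RE)):
            m = rx.match(raw)
            if m:
                rest = m.group("rest")
                pm, vm = PATH_RE.search(rest), VENDOR_RE.search(rest)
                entries.append(Entry(kind, m.group("name"), pm.group(1) if pm else "",
                                     vm.group("vendor").strip() if vm else "", raw))
                break
    return entries

def looks_random(stem):
    # Heuristic: 8+ letters with no vowel at all (y counted as one) is typical of
    # generated names like jzqwhwjh; real binaries such as bcmwltry rarely match.
    return len(stem) >= 8 and stem.isalpha() and not set("aeiouy") & set(stem.lower())

def reasons_for(e):
    reasons = []
    if not e.path:
        return reasons
    low = e.path.lower()
    stem, ext = ntpath.splitext(ntpath.basename(low))
    if ext not in EXEC_EXTS:
        reasons.append(f"non-executable extension {ext or '(none)'} run as a program")
    if any(frag in low for frag in USER_WRITABLE):
        reasons.append("runs from a user-writable data/profile directory")
    if e.kind == "service" and e.name.lower() in BUILTIN_SERVICES and not low.startswith(SYSTEM_ROOT):
        reasons.append(f"built-in service {e.name} redirected outside %SystemRoot%")
    if looks_random(stem):
        reasons.append(f"random-looking file name {stem}")
    return reasons

def triage(log_text):
    """Return [(entry, reasons)] for every entry that trips at least one rule, in log order."""
    out = []
    for e in parse_entries(log_text):
        r = reasons_for(e)
        if r:
            out.append((e, r))
    return out

def suggest_fixlist(findings):
    """Flagged log lines plus bare file paths: the two forms the thread's fixlist.txt used."""
    return list(dict.fromkeys(x for e, _ in findings for x in (e.raw, e.path) if x))

if __name__ == "__main__":
    findings = triage(SAMPLE_LOG)
    for e, reasons in findings:
        print(f"[{e.kind}] {e.name} -> {e.path} ({e.vendor or 'no vendor'})")
        print("   - " + "\n   - ".join(reasons))
    print("\nfixlist.txt suggestion:\n" + "\n".join(suggest_fixlist(findings)))
```

The Ask toolbar updater that the fixlist also removed is adware that trips none of these rules, so reviewer judgement still applies to whatever the script leaves unflagged.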
Bac-Man

New Member
Thread author
Oct 28, 2013
6
TwinHeadedEagle said:
Re-run FRST and post me a fresh scan from Windows...

We were in a bit of a time crunch to get it back out to our salesperson. We ended up putting Malwarebytes on it and running a couple of scans before shipping it back to him. It was working great when we shipped it; hopefully this did it. Thank you for all of your help.
 
