Need Help Malware issues

Status
Not open for further replies.
Logs

I ran these while in Safe Mode.


Farbar Service Scanner Version: 03-01-2016
Ran by Office (administrator) on 07-01-2016 at 12:06:46
Running from "C:\Documents and Settings\Office\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Network
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error. Google IP is unreachable
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\EnableFirewall" registry value does not exist.


System Restore:
============

System Restore Policy:
========================


Security Center:
============

wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is OK.
The ImagePath of EventSystem: "C:\WINDOWS\system32\svchost.exe -k netsvcs".
The ServiceDll of EventSystem: "C:\WINDOWS\system32\es.dll".


Windows Autoupdate Disabled Policy:
============================


Other Services:
==============


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\afd.sys => File is digitally signed
C:\WINDOWS\system32\Drivers\netbt.sys => File is digitally signed
C:\WINDOWS\system32\Drivers\tcpip.sys => File is digitally signed
C:\WINDOWS\system32\Drivers\ipsec.sys => File is digitally signed
C:\WINDOWS\system32\dnsrslvr.dll => File is digitally signed
C:\WINDOWS\system32\ipnathlp.dll => File is digitally signed
C:\WINDOWS\system32\netman.dll => File is digitally signed
C:\WINDOWS\system32\wbem\WMIsvc.dll => File is digitally signed
C:\WINDOWS\system32\srsvc.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\sr.sys => File is digitally signed
C:\WINDOWS\system32\wscsvc.dll => File is digitally signed
C:\WINDOWS\system32\wbem\WMIsvc.dll => File is digitally signed
C:\WINDOWS\system32\wuauserv.dll => File is digitally signed
C:\WINDOWS\system32\qmgr.dll => File is digitally signed
C:\WINDOWS\system32\es.dll => File is digitally signed
C:\WINDOWS\system32\cryptsvc.dll => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed

Extra List:
=======
aswTdi(8) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x09000000050000000100000002000000030000000400000008000000090000000600000007000000
IpSec Tag value is correct.

**** End of log ****



Vino's Event Viewer v01c run on Windows XP in English
Report run at 07/01/2016 12:10:45 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 07/01/2016 12:07:34 PM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Log: 'System' Date/Time: 07/01/2016 12:07:19 PM
Type: error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: aswRvrt aswSnx aswSP aswVmm Fips intelppm

Log: 'System' Date/Time: 07/01/2016 12:06:15 PM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Log: 'System' Date/Time: 07/01/2016 12:04:20 PM
Type: error Category: 102
Event: 1003 Source: System Error
Error code 0000001a, parameter1 00041284, parameter2 0583c001, parameter3 000010c2, parameter4 c0883000.

Log: 'System' Date/Time: 07/01/2016 12:04:19 PM
Type: error Category: 102
Event: 1003 Source: System Error
Error code 1000008e, parameter1 c0000005, parameter2 8054bfcb, parameter3 b3a93968, parameter4 00000000.

Log: 'System' Date/Time: 07/01/2016 12:04:15 PM
Type: error Category: 102
Event: 1003 Source: System Error
Error code 1000008e, parameter1 c0000005, parameter2 8054bcc7, parameter3 b2c4051c, parameter4 00000000.

Log: 'System' Date/Time: 07/01/2016 12:02:07 PM
Type: error Category: 0
Event: 7022 Source: Service Control Manager
The Automatic Updates service hung on starting.

Log: 'System' Date/Time: 07/01/2016 12:01:12 PM
Type: error Category: 102
Event: 1003 Source: System Error
Error code 10000050, parameter1 e112d818, parameter2 00000000, parameter3 806203ba, parameter4 00000001.

Log: 'System' Date/Time: 07/01/2016 12:00:57 PM
Type: error Category: 102
Event: 1003 Source: System Error
Error code 10000050, parameter1 e10a0010, parameter2 00000001, parameter3 8054c0d1, parameter4 00000001.

Log: 'System' Date/Time: 07/01/2016 12:00:55 PM
Type: error Category: 102
Event: 1003 Source: System Error
Error code 1000008e, parameter1 c0000005, parameter2 8060e28f, parameter3 b3859914, parameter4 00000000.

Log: 'System' Date/Time: 07/01/2016 12:00:53 PM
Type: error Category: 102
Event: 1003 Source: System Error
Error code 00000024, parameter1 001902fe, parameter2 b28ce540, parameter3 b28ce23c, parameter4 b7e7fe4d.

Log: 'System' Date/Time: 07/01/2016 12:00:21 PM
Type: error Category: 102
Event: 1003 Source: System Error
Error code 1000008e, parameter1 c0000005, parameter2 b432685c, parameter3 b3108990, parameter4 00000000.

Log: 'System' Date/Time: 07/01/2016 12:00:14 PM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The SSPORT service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 07/01/2016 12:00:14 PM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The DgiVecp service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 07/01/2016 12:00:02 PM
Type: error Category: 0
Event: 59 Source: SideBySide
Generate Activation Context failed for C:\WINDOWS\WindowsShell.Manifest. Reference error message: The operation completed successfully. .

Log: 'System' Date/Time: 07/01/2016 12:00:01 PM
Type: error Category: 0
Event: 59 Source: SideBySide
Resolve Partial Assembly failed for Microsoft.Windows.Common-Controls. Reference error message: The system cannot find the path specified. .

Log: 'System' Date/Time: 07/01/2016 11:57:09 AM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The SSPORT service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 07/01/2016 11:57:09 AM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The DgiVecp service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 07/01/2016 11:55:54 AM
Type: error Category: 0
Event: 7022 Source: Service Control Manager
The Automatic Updates service hung on starting.

Log: 'System' Date/Time: 07/01/2016 11:54:03 AM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The SSPORT service failed to start due to the following error: The system cannot find the file specified.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
https://support.microsoft.com/en-us/kb/317277
You receive a "System Has Recovered from a Serious Error" message: scroll down to Workaround.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

All the errors but one are related to ComboFix

Open Task Manager and look for the following
GREP.exe
PEV.exe
any file that has the extension *.3XE

One at a time, right-click and select End Process.

Application corrupt means your download was no good. Either it was not complete or it was partially blocked.

The last photo was a picture of ComboFix trying to run.....

Delete the one you have now, try to download it again.


Download ComboFix from here:
Link 1
Link 2
Link 3

Place ComboFix.exe on your Desktop <--Important
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    * Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • You may be asked to install or update the Recovery Console (Win XP Only); if this happens, please allow it to do so (you will need to be connected to the internet for this).
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may need to reboot your computer more than once to do its job; this is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

    Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

    ---------------------------------------------------------------------------------------------
 
Forgot to post info for errors found in the Vino's Event Viewer

The following boot-start or system-start driver(s) failed to load: aswRvrt aswSnx aswSP aswVmm Fips intelppm

aswRvrt aswSnx aswSP aswVmm <-- antivirus. Were you in safe mode when running the tool? I think you were. Have you seen any problems while using Avast?
Does this Avast also include internet security, as in a firewall too?

intelppm <-- seems to be an Intel processor driver

fips is also a Windows core driver
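The Event Viewer entries quoted above are a fixed four-line text format, so the failed-driver, failed-service and bugcheck records can be tallied mechanically rather than read one by one. The Python below is an added illustration, not code from this thread or from Vino's tool; it parses records in that format, counts the drivers and services that failed to load, and names the stop code in each Event 1003 record. The sample input is a constructed copy of three records from the log above.

```python
import re
from collections import Counter

# Constructed sample: three records copied in the Vino's Event Viewer format shown above.
SAMPLE_LOG = """\
Log: 'System' Date/Time: 07/01/2016 12:07:19 PM
Type: error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: aswRvrt aswSnx aswSP aswVmm Fips intelppm

Log: 'System' Date/Time: 07/01/2016 12:04:19 PM
Type: error Category: 102
Event: 1003 Source: System Error
Error code 1000008e, parameter1 c0000005, parameter2 8054bfcb, parameter3 b3a93968, parameter4 00000000.

Log: 'System' Date/Time: 07/01/2016 12:00:14 PM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The SSPORT service failed to start due to the following error: The system cannot find the file specified.
"""

# Stop codes seen in the thread; XP's Event 1003 code may carry the 0x10000000 "_M" flag, the low 16 bits are the base code.
BUGCHECK_NAMES = {0x1A: "MEMORY_MANAGEMENT", 0x24: "NTFS_FILE_SYSTEM",
                  0x50: "PAGE_FAULT_IN_NONPAGED_AREA", 0x8E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED"}

ENTRY_RE = re.compile(
    r"Log: '(?P<log>\w+)' Date/Time: (?P<when>.+)\n"
    r"Type: (?P<type>\w+) Category: (?P<cat>\d+)\n"
    r"Event: (?P<event>\d+) Source: (?P<source>[^\n]+)\n"
    r"(?P<message>[^\n]+)"
)

def parse_entries(text):  # one dict per four-line record
    return [m.groupdict() for m in ENTRY_RE.finditer(text)]

def triage(text):
    """Return (failed_drivers, failed_services, bugchecks) counted from the dump."""
    failed_drivers, failed_services, bugchecks = Counter(), Counter(), []
    for entry in parse_entries(text):
        event, msg = int(entry["event"]), entry["message"]
        if event == 7026:  # SCM: boot/system-start drivers that did not load
            failed_drivers.update(msg.split("failed to load:")[1].split())
        elif event == 7000:  # SCM: a single service failed to start
            m = re.match(r"The (\S+) service failed to start", msg)
            if m:
                failed_services[m.group(1)] += 1
        elif event == 1003 and entry["source"] == "System Error":  # saved bugcheck record
            code = int(re.search(r"Error code ([0-9a-fA-F]{8})", msg).group(1), 16)
            bugchecks.append((code, BUGCHECK_NAMES.get(code & 0xFFFF, "UNKNOWN")))
    return failed_drivers, failed_services, bugchecks
```

Running `triage` over the full dump in the thread would show the same four driver names recurring across reboots, which is the pattern the reply above points at.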
 
Temporarily away from computer

Sorry for slow response, I am temporarily out of town and away from the computer.

I will try your latest suggestions as soon as I am back.
 
Sorry for the delay.

I have removed the old Combofix and downloaded a copy to a USB drive from another computer and then copied from the USB drive to the problem computer.

Is it ok to run Combofix from Safe Mode? I'm thinking it will run in Safe Mode. The computer in Normal Mode is not stable enough to run Combofix. Things keep crashing. I did get Combofix running for a short time, but it crashed pretty quickly.

I have attached some new photos of error messages I got while attempting to run Combofix. Most of the time the computer crashed before I ever had a chance to even run Combofix.
 

Attachments: FullSizeRender.jpg, IMG_4374.jpg, IMG_4375.jpg
Is it ok to run Combofix from Safe Mode
Yes, it is.

From the error messages I think there are some driver issues.

Disk space seems to be an issue.

IMAPI imaging service is necessary to burn CD/DVDs.
It is found in msconfig; if it is there and listed as "stopped", enable it.
 