Post by aldrich on Apr 17, 2017 12:20:25 GMT -8
I have run all of Norton's available scans and power erasure to get rid of this trojan.kotver thing, but it keeps coming back after every restart. After several download trials and shutting off all of Norton's protections and Windows Defender, I was able to finally get FRST.EXE to run long enough to tell me it wasn't compatible. Now I cannot get FRST64 to work. After several tries, I was finally able to get it open and begin a scan. Then it inexplicably closed and disappeared. So I downloaded it yet again (always saving to my desktop), but clicking on the icon now does absolutely nothing.
If you can help, I will be so very grateful!
dbrisen
Malware Removalists
Posts: 3,688
Post by dbrisen on Apr 17, 2017 19:36:53 GMT -8
Download RSIT by random/random from 32bit here or 64bit here and save the file to your desktop.
- Double click on RSIT.exe or RSIT64.exe to run the scanner.
- Click Continue at the disclaimer screen.
- Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
Post by aldrich on Apr 18, 2017 5:37:09 GMT -8
info.txt logfile of random's system information tool 1.16 2017-04-18 08:34:38
Err:510
0x0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000A180D7AC000000000200EEFFFFFF01000000FFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000055AA
Err:510
[2016/09/26 07:49:39]-->"C:\Program Files (x86)\InstallShield Installation Information\{46F4D124-20E5-4D12-BE52-EC177A7A4B42}\setup.exe" /z-uninstall <<Hidden
Adobe Acrobat Reader DC [20170412]-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-AC0F074E4100}
Adobe Flash Player 25 NPAPI [2017/04/11 11:55:22]-->C:\WINDOWS\SysWOW64\Macromed\Flash\FlashUtil32_25_0_0_148_Plugin.exe -maintain plugin
Adobe Refresh Manager [20170412]-->MsiExec.exe /I{AC76BA86-0804-1033-1959-001824214663}
Age of Empires III [20160717]-->C:\Program Files (x86)\InstallShield Installation Information\{70F8B183-99EB-4304-BA35-080E2DFFD2A3}\setup.exe -runfromtemp -l0x0409
Amazon Browser App [20130321]-->MsiExec.exe /I{0A7D6F3C-F2AB-48ED-BE23-99791BFF87D6}
ANNO 2070 [20161021]-->"C:\Program Files (x86)\InstallShield Installation Information\{B48E264C-C8CD-4617-B0BE-46E977BAD694}\setup.exe" -runfromtemp -l0x0809 -removeonly
Apple Application Support (32-bit) [20170329]-->MsiExec.exe /I{05E07D23-91E9-4E70-A4CC-EF505088F967}
Apple Application Support (64-bit) [20170329]-->MsiExec.exe /I{741291DA-2B34-4D44-8FB6-58EDE21261D8}
Apple Mobile Device Support [20170329]-->MsiExec.exe /I{DB18F1C0-846F-46F5-A074-5B97C8AF5C8E}
Apple Software Update [20170329]-->MsiExec.exe /I{52D87F32-70E4-4348-8148-C0B9F35B1314}
Audible Download Manager [2016/09/26 07:49:39]-->C:\Program Files (x86)\Audible\Bin\AudibleDM_iTunesSetup.exe /Uninstall
Bonjour [20150920]-->MsiExec.exe /X{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}
BrickStock [20151013]-->MsiExec.exe /I{ACF6EC0A-52CC-4DB8-8DDF-5C85E01597C9}
BrickStore [20130728]-->MsiExec.exe /I{07EA0F88-8E8F-11D9-8BDE-F66BAD1E3F3A}
Brothers - A Tale of Two Sons [2016/09/26 07:49:39]-->"C:\Program Files (x86)\Steam\steam.exe" steam://uninstall/225080
City Life World Edition [2016/09/26 07:49:39]-->C:\Program Files (x86)\Monte Cristo\City Life World Edition\uninst.exe
CivCity [20140509]-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{994E24A6-EC47-4201-8D0B-D4563B7AD66B}\setup.exe" -l0x9 -removeonly
Dawn of Discovery - Gold Edition [20160722]-->"C:\Program Files (x86)\InstallShield Installation Information\{6A09EC92-016B-4032-8CF1-6840B20C254A}\setup.exe" -runfromtemp -l0x0409 -removeonly
Driver & Application Installation [20130321]-->C:\Program Files (x86)\InstallShield Installation Information\{BFECCF2A-F094-4066-8BFA-29CCBB7F6602}\setup.exe -runfromtemp -l0x0009 -removeonly
EpsonNet Print [20140520]-->"C:\Program Files (x86)\InstallShield Installation Information\{3E31400D-274E-4647-916C-2CACC3741799}\ENPSETUP.EXE" -runfromtemp -l0x0409 -EPSON -removeonly
Genesys USB Mass Storage Device [20130321]-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{959B7F35-2819-40C5-A0CD-3C53B5FCC935}\setup.exe" -l0x9 -removeonly
GOG.com Downloader version 3.6.0 [20140415]-->"C:\Program Files (x86)\GOG.com\unins000.exe"
Google Chrome [20150711]-->"C:\Program Files (x86)\Google\Chrome\Application\57.0.2987.133\Installer\setup.exe" --uninstall --system-level --verbose-logging
Google Drive [20170327]-->MsiExec.exe /X{A1238426-ECDF-4639-BE2F-8D12A97AE23C}
Google Earth [20170205]-->MsiExec.exe /I{F6430171-B86B-4639-839E-374913E7911D}
Google Update Helper [20141114]-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Google Update Helper [20170411]-->MsiExec.exe /I{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}
Google+ Auto Backup [20140108]-->MsiExec.exe /X{A50DE037-B5C0-4C8A-8049-B0C576B313D1}
GoToAssist Corporate [20141020]-->C:\Program Files (x86)\Citrix\GoToAssist\896\G2AUninstaller.exe /uninstall
Intel AppUp(SM) center [2016/09/26 07:49:39]-->C:\Program Files (x86)\Intel\IntelAppStore\run_uninstaller.exe
Intel(R) Management Engine Components [2016/09/26 07:49:39]-->C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\Uninstall\setup.exe -uninstall
Intel(R) Processor Graphics [2016/09/26 07:49:40]-->"C:\Program Files (x86)\Intel\Intel(R) Processor Graphics\Uninstall\setup.exe" -uninstall
Intel(R) SDK for OpenCL - CPU Only Runtime Package [2016/09/26 07:49:40]-->C:\Program Files (x86)\Intel\OpenCL SDK\2.0\Uninstall\setup.exe -uninstall
Intel® Trusted Connect Service Client [20130321]-->MsiExec.exe /I{F4404AFD-2EF3-40C1-8C09-29E5F3B6972B}
iTunes [20170329]-->MsiExec.exe /I{164600BE-9CEC-44E6-9B38-2B12D5FE2342}
Java 8 Update 111 [20161102]-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F32180111F0}
Journey to the Center of the Earth [2016/09/26 07:49:40]-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{A9BA6D61-7302-4AEA-A225-CA9A1517B951}\setup.exe" -l0x9
LEGO Digital Designer [2016/09/26 07:49:39]-->C:\Program Files (x86)\LEGO Company\LEGO Digital Designer\Uninstall.exe
Lenovo Blacksilk USB Keyboard Driver [20130321]-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{B266E062-D6C5-485B-B426-51B152B041A6}\setup.exe" -l0x9 -removeonly
Lenovo Photos [2016/09/26 07:49:39]-->"C:\Program Files (x86)\LenovoPhotos\Lenovo Photos\uninstall.exe"
Lenovo Power2Go [20130321]-->"C:\Program Files (x86)\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\setup.exe" /z-uninstall
Lenovo Power2Go [20130321]-->"C:\Program Files (x86)\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\setup.exe" /z-uninstall
Lenovo PowerDVD10 [20130321]-->"C:\Program Files (x86)\InstallShield Installation Information\{DEC235ED-58A4-4517-A278-C41E8DAEAB3B}\setup.exe" /z-uninstall
Lenovo PowerDVD10 [20130321]-->"C:\Program Files (x86)\InstallShield Installation Information\{DEC235ED-58A4-4517-A278-C41E8DAEAB3B}\setup.exe" /z-uninstall
Lenovo Rescue System [20130321]-->"C:\Program Files (x86)\InstallShield Installation Information\{46F4D124-20E5-4D12-BE52-EC177A7A4B42}\setup.exe" /z-uninstall
Lenovo Rescue System [2016/09/26 07:49:39]-->"C:\Program Files (x86)\InstallShield Installation Information\{46F4D124-20E5-4D12-BE52-EC177A7A4B42}\setup.exe" /z-uninstall
LibreOffice 4.3 Help Pack (English (United States)) [20140815]-->MsiExec.exe /I{8A95909D-A7A3-4B2C-82AA-D3FD56EA7728}
LibreOffice 5.2.6.2 [20170408]-->MsiExec.exe /I{443795BA-BBA0-46CF-A07F-DB5B461785F7}
LTCM Client [20131206]-->MsiExec.exe /X{B38E9B55-7136-4E66-A084-320512FF3F6F}
LVT [20130321]-->C:\Program Files (x86)\InstallShield Installation Information\{9E3469A6-443A-452C-BF44-8D7CE3A9A7E2}\setup.exe -runfromtemp -removeonly
Machinarium [2016/09/26 07:49:39]-->C:\Program Files (x86)\Machinarium\uninst.exe
Microsoft Mouse and Keyboard Center [2016/09/26 07:49:31]-->C:\Program Files\Microsoft Mouse and Keyboard Center\setup.exe /uninstall
Microsoft OneDrive [2017/04/12 08:43:24]-->C:\Users\Jodie\AppData\Local\Microsoft\OneDrive\17.3.6799.0327\OneDriveSetup.exe /uninstall
Microsoft Silverlight [20170412]-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable [20130728]-->MsiExec.exe /X{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}
Microsoft Visual C++ 2005 Redistributable [20140518]-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 [20170408]-->MsiExec.exe /X{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 [20140111]-->MsiExec.exe /X{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 [20130321]-->MsiExec.exe /X{6AFCA4E1-9B78-3640-8F72-A7BF33448200}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 [20140613]-->MsiExec.exe /X{402ED4A1-8F5B-387A-8688-997ABF58B8F2}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 [20161020]-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 [20130321]-->MsiExec.exe /X{9BE518E6-ECC6-35A9-88E4-87755C07200F}
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 [20130321]-->MsiExec.exe /X{1D8E6291-B0D5-35EC-8441-6616F567A0F7}
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 [20130321]-->MsiExec.exe /X{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 [2016/09/26 07:49:40]-->"C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe" /uninstall
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 [20160113]-->MsiExec.exe /X{37B8F9C7-03FB-3253-8781-2517C99D7C00}
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 [20160113]-->MsiExec.exe /X{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}
Mozilla Firefox 52.0.1 (x86 en-US) [2017/04/13 10:05:25]-->"C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe"
Mozilla Maintenance Service [2017/03/19 11:54:07]-->"C:\Program Files (x86)\Mozilla Maintenance Service\uninstall.exe"
My Game Long Name [2016/09/26 07:49:32]-->C:\Program Files (x86)\Ether One\Binaries\UnSetup.exe /uninstall
Myst III: Exile [2016/09/26 07:49:40]-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{9F05B89E-2873-11D5-9E9D-0050DA1EA555}\Setup.exe"
Myst IV - Revelation [2016/09/26 07:49:40]-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{96F702F3-7CA4-41B5-A70A-4F348DF99A9A}\setup.exe" -l0x9
Myst Uru - Complete Chronicles [2016/09/26 07:49:39]-->C:\GOG Games\Myst Uru Complete Chronicles\unins000.exe
Myst Uru Complete Chronicles [20140415]-->"C:\GOG Games\Myst Uru Complete Chronicles\unins000.exe"
Nitro Pro 8 [20130321]-->MsiExec.exe /X{34BE77EE-B563-49D7-A8A0-FFD76D29BBD3}
Norton 360 Premier [20150910]-->"C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360\562C4DD5\22.9.1.12\InstStub.exe" /X /ARP
OpenOffice 4.1.3 [20170408]-->MsiExec.exe /I{EEA30AEB-8BA7-465B-85D4-098BB99733E7}
OpenRCT2 0.0.7-develop-a64dae5 [2017/01/31 17:26:53]-->C:\Program Files\OpenRCT2\uninstall.exe
Origin [2016/09/26 07:49:39]-->C:\Program Files (x86)\Origin\OriginUninstall.exe
Picasa 3 [2016/09/26 07:49:39]-->"C:\Program Files (x86)\Google\Picasa3\Uninstall.exe"
QuickTime [2016/09/26 07:49:39]-->C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
Realtek Ethernet Controller Driver [20130321]-->C:\Program Files (x86)\InstallShield Installation Information\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}\setup.exe -runfromtemp -l0x0409 -removeonly
Realtek High Definition Audio Driver [2016/09/27 09:19:45]-->C:\Program Files\Realtek\Audio\HDA\RtlUpd64.exe -r -m -nrg2709
RollerCoaster Tycoon 2 Triple Thrill Pack [2017/02/21 17:26:14]-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{4C5D15D2-5351-4F05-A96E-56C20554F977}\Setup.exe" -l0x9
Rollercoaster Tycoon 2 UCES [11/16/2016]-->"C:\Program Files (x86)\Infogrames Interactive\RollerCoaster Tycoon 2\Uninstall.exe" "C:\Program Files (x86)\Infogrames Interactive\RollerCoaster Tycoon 2\install.log"
Shared C Run-time for x64 [20130321]-->MsiExec.exe /I{EF79C448-6946-4D71-8134-03407888C054}
Software Updater [20150221]-->MsiExec.exe /X{E1BAD1BA-C0E8-4018-9281-E7D2C6B07474}
Steam [2016/09/26 07:49:39]-->C:\Program Files (x86)\Steam\uninstall.exe
SugarSync Manager [2016/09/26 07:49:39]-->C:\Program Files (x86)\SugarSync\uninstall.exe
The Settlers Online - Standalone Client [2016/10/13 17:18:05]-->"C:\Users\Jodie\AppData\Local\Ubisoft\The Settlers Online\Uninstall.exe"
The Tiny Bang Story [20140408]-->"C:\Program Files (x86)\Mangores.com\The Tiny Bang Story\unins000.exe"
Tropico 4 1.00 [2016/09/26 07:45:36]-->"C:\Program Files (x86)\Kalypso Media\Tropico 4\uninst.exe"
Ubisoft Game Launcher [20161020]-->"C:\Program Files (x86)\InstallShield Installation Information\{888F1505-C2B3-4FDE-835D-36353EBD4754}\setup.exe" -runfromtemp -l0x0409 -removeonly
Unmechanical [2016/09/26 07:49:32]-->C:\Unmechanical\Uninstall.exe
Update for Zip Extractor [2016/09/26 07:45:36]-->C:\Users\Jodie\AppData\Roaming\DigitalSites\UpdateProc\UpdateTask.exe /Uninstall
Uplay [2017/02/01 12:26:26]-->C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\Uninstall.exe
Zip Extractor Packages [2016/09/26 07:45:36]-->C:\Users\Jodie\AppData\Roaming\0D0S1L2Z1P1B\Zip Extractor Packages\uninstaller.exe /Uninstall /NM="Zip Extractor Packages" /AN="0D0S1L2Z1P1B" /MBN="Zip Extractor Packages"
Err:510
Computer Name: idea-PC
Event Code: 1014
Message: Name resolution for the name kmbnb.com timed out after none of the configured DNS servers responded.
Record Number: 12676
Source Name: Microsoft-Windows-DNS-Client
Time Written: 20170418124829.045938-000
Event Type: Warning
User: NT AUTHORITY\NETWORK SERVICE
Computer Name: idea-PC
Event Code: 1014
Message: Name resolution for the name imrk.net timed out after none of the configured DNS servers responded.
Record Number: 12638
Source Name: Microsoft-Windows-DNS-Client
Time Written: 20170418021625.101706-000
Event Type: Warning
User: NT AUTHORITY\NETWORK SERVICE
Computer Name: idea-PC
Event Code: 10010
Message: The server {37998346-3765-45B1-8C66-AA88CA6B20B8} did not register with DCOM within the required timeout.
Record Number: 12637
Source Name: Microsoft-Windows-DistributedCOM
Time Written: 20170417204232.738595-000
Event Type: Error
User: IDEA-PC\Jodie
Computer Name: idea-PC
Event Code: 7023
Message: The Connected Devices Platform Service service terminated with the following error:
Unspecified error
Record Number: 12636
Source Name: Service Control Manager
Time Written: 20170417204032.738942-000
Event Type: Error
User:
Computer Name: idea-PC
Event Code: 10010
Message: The server {37998346-3765-45B1-8C66-AA88CA6B20B8} did not register with DCOM within the required timeout.
Record Number: 12635
Source Name: Microsoft-Windows-DistributedCOM
Time Written: 20170417204032.683905-000
Event Type: Error
User: IDEA-PC\Jodie
Err:510
Computer Name: idea-PC
Event Code: 1000
Message: Faulting application name: iexplore.exe version: 11.0.14393.953 time stamp: 0x2a425e19
Faulting module name: unknown version: 0.0.0.0 time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x6329d4a1
Faulting process id: 0x9fec
Faulting application start time: 0x01d2b848524f0108
Faulting application path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Faulting module path: unknown
Report Id: df67b459-4b26-41f9-9323-39b3d5a9b082
Faulting package full name:
Faulting package-relative application ID:
Record Number: 13956
Source Name: Application Error
Time Written: 20170418133330.573616-000
Event Type: Error
User:
Computer Name: idea-PC
Event Code: 1000
Message: Faulting application name: iexplore.exe version: 11.0.14393.953 time stamp: 0x2a425e19
Faulting module name: jscript9.dll version: 11.0.14393.953 time stamp: 0x58ba589d
Exception code: 0xc0000602
Fault offset: 0x001f1b4f
Faulting process id: 0x73c0
Faulting application start time: 0x01d2b844463bee04
Faulting application path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Faulting module path: C:\Windows\System32\jscript9.dll
Report Id: c82810d5-a78d-4b75-a3da-ea06cb93ac3a
Faulting package full name:
Faulting package-relative application ID:
Record Number: 13953
Source Name: Application Error
Time Written: 20170418130517.612188-000
Event Type: Error
User:
Computer Name: idea-PC
Event Code: 1000
Message: Faulting application name: iexplore.exe version: 11.0.14393.953 time stamp: 0x2a425e19
Faulting module name: jscript9.dll version: 11.0.14393.953 time stamp: 0x58ba589d
Exception code: 0xc0000005
Fault offset: 0x0018167a
Faulting process id: 0x73c0
Faulting application start time: 0x01d2b844463bee04
Faulting application path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Faulting module path: C:\Windows\System32\jscript9.dll
Report Id: 34158433-3f3e-4ff6-ba0a-be5cbf5a6c5f
Faulting package full name:
Faulting package-relative application ID:
Record Number: 13951
Source Name: Application Error
Time Written: 20170418130514.397224-000
Event Type: Error
User:
Computer Name: idea-PC
Event Code: 1000
Message: Faulting application name: iexplore.exe version: 11.0.14393.953 time stamp: 0x2a425e19
Faulting module name: jscript9.dll version: 11.0.14393.953 time stamp: 0x58ba589d
Exception code: 0xc0000602
Fault offset: 0x001f1b4f
Faulting process id: 0x9908
Faulting application start time: 0x01d2b843ca76b53e
Faulting application path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Faulting module path: C:\Windows\System32\jscript9.dll
Report Id: 2efa5b8b-b81f-4781-a5a4-a154a9b6f125
Faulting package full name:
Faulting package-relative application ID:
Record Number: 13949
Source Name: Application Error
Time Written: 20170418130338.795423-000
Event Type: Error
User:
Computer Name: idea-PC
Event Code: 1000
Message: Faulting application name: iexplore.exe version: 11.0.14393.953 time stamp: 0x2a425e19
Faulting module name: AcroPDF.dll_unloaded version: 17.9.20044.25828 time stamp: 0x58e42f4d
Exception code: 0xc0000005
Fault offset: 0x00009924
Faulting process id: 0x9908
Faulting application start time: 0x01d2b843ca76b53e
Faulting application path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Faulting module path: AcroPDF.dll
Report Id: 3dba4333-34f1-40b7-9c86-60fefbe43957
Faulting package full name:
Faulting package-relative application ID:
Record Number: 13947
Source Name: Application Error
Time Written: 20170418130336.915167-000
Event Type: Error
User:
Err:510
Computer Name: idea-PC
Event Code: 4672
Message: Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
Record Number: 49546
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20170418133330.449499-000
Event Type: Audit Success
User:
Computer Name: idea-PC
Event Code: 4624
Message: An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: IDEA-PC$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -0
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -0
Network Account Domain: -0
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x344
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name:
Source Network Address: -0
Source Port: -0
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -0
Package Name (NTLM only): -0
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 49545
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20170418133330.449492-000
Event Type: Audit Success
User:
Computer Name: idea-PC
Event Code: 4672
Message: Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
Record Number: 49544
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20170418132849.634674-000
Event Type: Audit Success
User:
Computer Name: idea-PC
Event Code: 4624
Message: An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: IDEA-PC$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -0
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -0
Network Account Domain: -0
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x344
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name:
Source Network Address: -0
Source Port: -0
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -0
Package Name (NTLM only): -0
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 49543
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20170418132849.634662-000
Event Type: Audit Success
User:
Computer Name: idea-PC
Event Code: 4672
Message: Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
Record Number: 49542
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20170418130316.400933-000
Event Type: Audit Success
User:
Err:510
ComSpec = %SystemRoot%\system32\cmd.exe
OS = Windows_NT
PATHEXT = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE = AMD64
TEMP = %SystemRoot%\TEMP
TMP = %SystemRoot%\TEMP
USERNAME = SYSTEM
windir = %SystemRoot%
NUMBER_OF_PROCESSORS = 4
PROCESSOR_LEVEL = 6
PROCESSOR_IDENTIFIER = Intel64 Family 6 Model 58 Stepping 9 GenuineIntel
PROCESSOR_REVISION = 3a09
FP_NO_HOST_CHECK = NO
Path = C:\ProgramData\Oracle\Java\javapath;C:\Program Files (x86)\Intel\iCLS Client\;C:\Program Files\Intel\iCLS Client\;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\Intel\OpenCL SDK\2.0\bin\x86;C:\Program Files (x86)\Intel\OpenCL SDK\2.0\bin\x64;C:\Program Files\Intel\Intel(R) Management Engine Components\DAL;C:\Program Files\Intel\Intel(R) Management Engine Components\IPT;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT
configsetroot = %SystemRoot%\ConfigSetRoot
asl.log = Destination=file
PSModulePath = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\
-----------------EOF-----------------
Post by aldrich on Apr 18, 2017 5:40:02 GMT -8
I've been blocked. I was replying with the log.txt. Cloudflare Ray ID: 35180564e58a4249
Post by aldrich on Apr 20, 2017 12:08:57 GMT -8
Post by dbrisen on Apr 20, 2017 19:30:14 GMT -8
Sorry for the delay in helping you; I have had some family matters to take care of lately. Let us try this instead: please post the two RSIT logs (log.txt and info.txt) to wikisend.com and provide the links here. Steps to do this are explained here.
Post by aldrich on Apr 21, 2017 7:51:55 GMT -8
Post by dbrisen on Apr 24, 2017 7:54:00 GMT -8
Got the logs and after reviewing them, I think that we should proceed this way to first remove Kotver and then fix some system issues after that. Please download Malwarebytes Anti-Rootkit from here.
- Unzip the contents to a folder in a convenient location.
- Open the folder where the contents were unzipped and run mbar.exe.
- Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
- Click on the Cleanup button to remove any threats and reboot if prompted to do so.
- Wait while the system shuts down and the cleanup process is performed.
- Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
- When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt.
LAST >>>>INFO TO REPLY WITH: How is your system running now? The logs from MBAR (mbar-log.txt and system-log.txt) please. Any questions?
Post by aldrich on Apr 29, 2017 7:47:30 GMT -8
Post by dbrisen on May 1, 2017 6:52:15 GMT -8
Read slowly and all of it. If you still have an Addition.txt log file on your desktop, please delete it now.
- Start FRST64 that is on your Desktop by double clicking and allowing the software to run when the User Access Control asks (if it does). The tool will start to run.
- When the tool opens, click Yes to the disclaimer (if it does).
- Select Addition.txt in the Optional Scans section of FRST64.
- Press the Scan button. It will make two logs (FRST.txt and Addition.txt) on your Desktop.
- Please attach the logs in your reply back, or open the logs in Notepad, copy the logs and paste them back in a message as a reply. (Ask if you don't know how to do either of these.)
Notes:
If your Security software blocks the running or download of FRST / FRST64, please disable the security software or make an exception for this file. FRST is updated very frequently and is safe to run, but because of the frequent changes (to keep up with the newest malware techniques) most Security Software does not approve of the unknown file. Right now the forum will not allow one to attach the Addition.txt file, so please use wikisend.com or pastebin.com to upload the file and then post the download link here in your reply post.