farmer68623

Everything posted by farmer68623

  1. Hello Gringo, I ran the delfile.bat, moving on to the next step: DeFogger ~ I do not see in any of our posts that you instructed me to download or run DeFogger, and I don't have any reference to DeFog in my download files folder. I may be mistaken, however I would like to run that for assurance. Please direct me to the DeFogger download site. Thanks
  2. Gringo ~ not sure it is relevant but this machine did not adjust for DLS
  3. Hello Gringo, I followed your instructions; below are the ESET scan results. I observed some strange goings-on with network connections: a disabled connection appeared to be active, then messages that there was no connection, then it connected and showed ridiculous network speeds. I will await your next instructions and again thank you for your help.
     C:\Documents and Settings\Amanda\Desktop\ccsetup404.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
     C:\Documents and Settings\Amanda\My Documents\WinZip175.exe a variant of Win32/OpenInstall potentially unwanted application
     C:\Documents and Settings\Amanda\My Documents\Downloads\DriverGuide_Driver_Download_168478.exe a variant of Win32/InstallCore.DN potentially unwanted application
  4. Hi Gringo, Attached is the MBAM log & HijackThis report. Regarding the MBAM run, I did not have a prompt for any actions for System Volume and Remove Selected. I took no action after HijackThis other than to copy and import the report. Okay, so I am again unable to paste these in my post, so I will attach them and wait for your guidance.
     mbam-log-2014-03-07 (03-55-51).txt
     hijackthis.log
  5. Ok Gringo ~ either I'm a blithering idiot ~ or something. I could not find my post in the forum yesterday, so I was unable to reply/post. I was having issues with downloading Hitman. So anyway, I'm pasting the Hitman results. This machine is not running as expected...
     HitmanPro 3.7.9.212
     www.hitmanpro.com
     Computer name . . . . : CREIGHTO-CGTHAC
     Windows . . . . . . . : 5.1.3.2600.X86/1
     User name . . . . . . : CREIGHTO-CGTHAC\Amanda
     License . . . . . . . : Free
     Scan date . . . . . . : 2014-03-05 00:37:54
     Scan mode . . . . . . : Normal
     Scan duration . . . . : 9m 33s
     Disk access mode . . : Direct disk access (SRB)
     Cloud . . . . . . . . : Internet
     Reboot . . . . . . . : No
     Threats . . . . . . . : 0
     Traces . . . . . . . : 1
     Objects scanned . . . : 432,149
     Files scanned . . . . : 7,822
     Remnants scanned . . : 55,696 files / 368,631 keys
     Cookies _____________________________________________________________________
     C:\Documents and Settings\Amanda\Cookies\DU6F5E7L.txt
     Waiting for your reply, Thanks for your help
  6. Hi Gringo, Yes, I believe I followed the 2nd part of the instructions, that was the part where Fix it looked complete but the box didn't close. The other box that appeared had Delete History and other options to click. All were clicked, and I got the red X error, and then went to Tools / IE Options / Advanced. However nowhere did I see a "click safety" option.... farmer
  7. Hi Gringo, I believe I still need assistance; I have a family medical emergency going on. However, I did go to the Microsoft link and downloaded and ran Fix it. It ran for an extremely long time and the progress box indicated that it was finished but never closed, and showed as running in Task Mgr. Another box popped up behind the Fix it and went thru the procedures that you instructed. It did some things, and had a red X indicating it deleted a bunch of stuff, but the IE8 default reset failed. Browsers still run slow. I neither use nor like IE, however I want a clean machine. When I open IE8 it appears to load normally, with the homepage now the Microsoft link, and opening a new tab now goes to a blank page. The items I pasted in my last post still appear under Toolbars & Ext's. I am still getting unusually high CPU usage in either IE8 or Firefox. My Flash Player ActiveX updated to the most current version, which previously would not update. I had uninstalled the current version of Java, but have since reinstalled. The machine still seems unstable, but not as bad. I will await your response and respond to you sooner than I've done this past week. Thanks again!
  8. Hello Gringo, I ran the OTL script as directed, below are the results.
     ========== OTL ==========
     Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\AutorunsDisabled\ deleted successfully.
     Starting removal of ActiveX control {7530BFB8-7293-4D34-9923-61A11451AFC5}
     C:\WINDOWS\Downloaded Program Files\OnlineScanner.inf moved successfully.
     Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ deleted successfully.
     Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
     Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
     Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
     Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\AutorunsDisabled\ deleted successfully.
     File Protocol\Handler\AutorunsDisabled - No CLSID value found not found.
     ========== FILES ==========
     < ipconfig /flushdns /c >
     Windows IP Configuration
     Successfully flushed the DNS Resolver Cache.
     C:\Documents and Settings\Amanda\Desktop\cmd.bat deleted successfully.
     C:\Documents and Settings\Amanda\Desktop\cmd.txt deleted successfully.
     ========== COMMANDS ==========
     [EMPTYJAVA]
     User: Administrator
     User: All Users
     User: Amanda
     ->Java cache emptied: 0 bytes
     User: Default User
     User: LocalService
     User: NetworkService
     Total Java Files Cleaned = 0.00 mb
     [EMPTYFLASH]
     User: Administrator
     User: All Users
     User: Amanda
     ->Flash cache emptied: 11697 bytes
     User: Default User
     User: LocalService
     User: NetworkService
     Total Flash Files Cleaned = 0.00 mb
     OTL by OldTimer - Version 3.2.69.0 log created on 02192014_211452
     I can't yet determine if the machine is running smoothly; I will get on it tomorrow and see what happens. However I do have a concern about what I see and what happens in IE8. There are some things in Toolbars & extensions. There were similar ones in Firefox that went away when we started running your programs. Also, when I open IE8 my homepage loads. When I open a new tab, instead of getting a blank page it automatically redirects and opens Google search. I do not see anything under Tools or anywhere else to stop this, and this never occurred until I got the other problems. I am going to paste a few files to see if they represent any threats or problems.
     Name: Diagnose Connection Problems...
     Publisher: Not Available
     Type: Browser Extension
     Version: Not available
     File date:
     Date last accessed: Today, February 19, 2014, 11 minutes ago
     Class ID: {E2E2DD38-D088-4134-82B7-F2BA38496583}
     Use count: 26
     Block count: 32
     File: Not available
     Folder: Not available
     Name: Discuss
     Publisher: Not Available
     Type: Explorer Bar
     Version: 6.0.2900.5512
     File date:
     Date last accessed: Monday, November 29, 1999, 6:00 PM
     Class ID: {BDEADE7F-C265-11D0-BCED-00A0C90AB50F}
     Use count: 0
     Block count: 0
     File: shdocvw.dll
     Folder:
     Name: BottomFrame Class
     Publisher: Control name is not available
     Type: Explorer Bar
     Version: Not available
     File date:
     Date last accessed: Monday, November 29, 1999, 6:00 PM
     Class ID: {E2D2FE40-5674-4B77-802B-EC86B6C2C41D}
     Use count: 0
     Block count: 0
     File: dsr.dll
     Folder: C:\WINDOWS
     Name: LeftFrame Class
     Publisher: Control name is not available
     Type: Explorer Bar
     Version: Not available
     File date:
     Date last accessed: Monday, November 29, 1999, 6:00 PM
     Class ID: {CE27D4DF-714B-4427-95EB-923FE53ADF8E}
     Use count: 0
     Block count: 0
     File: dsr.dll
     Folder: C:\WINDOWS
     Look forward to hearing your direction, and again many thanks. The Mean Farmer
  9. Hi Gringo, below is the OTL file. OTL logfile created on: 2/17/2014 3:52:38 PM - Run 1 OTL by OldTimer - Version 3.2.69.0 Thanks
  10. Wow, lightning speed response. Will try attaching first. So far so good on attachments. Will wait for further instructions, once again, thanks so much!
      mbar-log-2014-02-16 (00-55-39).txt
      mbar-log-2014-02-16 (19-26-13).txt
      RKreport0_D_02162014_213850.txt
      RKreport0_S_02162014_213514.txt
  11. Ok Gringo, I ran MBAM Anti-Rootkit and RogueKiller. MBAM appeared to show no problems. RogueKiller produced 2 .txt files, Rk[0]D & Rk[0]S, and not the txt you requested. Multiple tries at pasting all 3 files, but it won't allow me to paste (I'm using a flash disk from the problem machine to the "clean" machine). The Rk files appear to have strange control characters embedded, but regardless I can import them. I guess the Ghost of Jerry Garcia is haunting me. From what I could interpret it cleaned/quarantined Explorer Bar/Browser Extensions from Firefox, but I see the same suspicious items in IE8. I will try and copy/paste from the problem machine and see if that works........ I don't expect different results, but will report back in the next few minutes to see if anything is different.
  12. Hi Gringo, so I got on the machine today, rebooted and brought her up. She sucks even worse now for some reason. Everything is the slowest, most non-responsive I've seen. Even with browsers closed, just moving the mouse on the desktop will send the CPU peaking for no apparent reason. I've run MBAM & Avast AV, everything shows clean. Looking forward to hearing back from you. Thanks, The Mean Farmer
  13. Gringo, trying not to be a pain, I'm reporting to you from a different machine. Since my last post I have taken no action since the ComboFix run. Have not rebooted. Running in Task Mgr: [swreg.exe], 2 occurrences, and PEV.exe ....
  14. Hi Gringo, didn't expect a response from my last post. Combofix just finished and is posted below.
      ComboFix 14-02-11.01 - Amanda 02/12/2014 23:02:20.2.1 - x86
      Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.252 [GMT -6:00]
      Running from: c:\documents and settings\Amanda\Desktop\ComboFix.exe
      Command switches used :: E:\CFScript.txt.txt
      AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
      .
      .
      ((((((((((((((((((((((((( Files Created from 2014-01-13 to 2014-02-13 )))))))))))))))))))))))))))))))
      .
      .
      2014-02-13 03:48 . 2014-02-13 04:10 -------- d-----w- C:\32788R22FWJFW
      2014-02-06 07:46 . 2014-02-06 07:46 -------- d-----w- c:\program files\Mozilla Maintenance Service
      2014-02-05 05:37 . 2014-02-05 05:58 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
      2014-02-05 04:09 . 2014-02-09 00:22 -------- d-----w- C:\AdwCleaner
      2014-02-04 10:53 . 2014-02-04 10:53 2855 ----a-w- c:\windows\system32\redir.PIF
      2014-01-22 20:12 . 2014-01-22 20:12 -------- d-----w- c:\documents and settings\Amanda\Local Settings\Application Data\PCHealth
      2014-01-22 08:11 . 2014-01-22 08:11 -------- d-----w- C:\cda69190891d4fbe794be4e0675b
      2014-01-22 08:11 . 2014-01-22 08:14 -------- d-----w- C:\2e0c62deeee44eddad40b62c53f11c
      2014-01-22 05:08 . 2014-01-22 05:08 -------- d-----w- c:\documents and settings\Amanda\Local Settings\Application Data\cache
      2014-01-22 05:07 . 2014-02-05 05:21 -------- d-----w- c:\documents and settings\Amanda\Local Settings\Application Data\genienext
      2014-01-22 01:19 . 2014-01-22 01:19 -------- d-----w- C:\9bd49e06d940713d0cda55cd
      2014-01-22 01:18 . 2014-01-22 01:19 -------- d-----w- C:\3e60a1d65a3f8059803dc205f5d6ce
      2014-01-19 00:20 . 2014-01-19 00:20 -------- d-----w- c:\program files\Trend Micro
      2014-01-18 05:33 . 2014-01-18 05:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
      2014-01-18 05:33 . 2013-04-04 20:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
      2014-01-14 06:09 . 2014-02-04 07:01 -------- d-----w- c:\windows\SxsCaPendDel
      .
      .
      .
      (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2014-02-06 04:55 . 2013-12-19 07:45 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
      2014-02-06 04:55 . 2013-12-19 07:45 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
      2014-02-05 16:32 . 2013-12-23 01:26 67824 ----a-w- c:\windows\system32\drivers\aswmonflt.sys
      2014-01-24 04:32 . 2013-12-23 01:27 57672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
      2014-01-24 04:32 . 2013-12-23 01:27 410784 ----a-w- c:\windows\system32\drivers\aswSP.sys
      2014-01-24 04:32 . 2013-12-23 01:26 775952 ----a-w- c:\windows\system32\drivers\aswSnx.sys
      2014-01-24 04:32 . 2013-12-23 01:26 54832 ----a-w- c:\windows\system32\drivers\aswRdr.sys
      2014-01-24 04:32 . 2013-12-23 01:26 43152 ----a-w- c:\windows\avastSS.scr
      2014-01-24 04:32 . 2013-12-05 07:33 270240 ----a-w- c:\windows\system32\aswBoot.exe
      2013-12-24 05:20 . 2013-12-23 01:27 180248 ----a-w- c:\windows\system32\drivers\aswVmm.sys
      2013-12-23 01:26 . 2013-12-23 01:27 49944 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
      2013-12-05 10:43 . 2013-12-05 10:43 1700352 ----a-w- c:\windows\system32\gdiplus.dll
      2013-12-05 10:43 . 2013-12-05 10:43 1060864 ----a-w- c:\windows\system32\mfc71.dll
      2013-11-27 20:21 . 2002-09-03 19:48 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
      .
      .
      ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
      @="{472083B0-C522-11CF-8763-00608CC02F24}"
      [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
      2014-01-24 04:32 259464 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2014-01-24 3767096]
      "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-08-27 294912]
      .
      c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled\
      Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE -b -l [2001-2-13 83360]
      Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe /startup [2008-5-26 123904]
      .
      [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
      "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
      .
      [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
      Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
      .
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
      @=""
      .
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
      @=""
      .
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
      @=""
      .
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
      @=""
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
      "CiSvc"=3 (0x3)
      .
      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "%windir%\\system32\\sessmgr.exe"=
      "c:\\Program Files\\Messenger\\msmsgs.exe"=
      "c:\\WINDOWS\\system32\\mmc.exe"=
      "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
      .
      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
      "6881:TCP"= 6881:TCP:*:Disabled:Bittorrent
      "6889:TCP"= 6889:TCP:Bit
      "6884:TCP"= 6884:TCP:*:Disabled:Bittorrent
      "6885:TCP"= 6885:TCP:*:Disabled:Bittorrent
      "6886:TCP"= 6886:TCP:*:Disabled:Bittorent
      "6887:TCP"= 6887:TCP:*:Disabled:Bittorent
      "6888:TCP"= 6888:TCP:*:Disabled:Bittorent
      "6969:TCP"= 6969:TCP:*:Disabled:Trigger Bittorent
      "3724:TCP"= 3724:TCP:WOW
      "6112:TCP"= 6112:TCP:WOW2
      .
      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
      "AllowInboundEchoRequest"= 1 (0x1)
      "AllowInboundTimestampRequest"= 1 (0x1)
      "AllowInboundMaskRequest"= 1 (0x1)
      "AllowInboundRouterRequest"= 1 (0x1)
      "AllowOutboundPacketTooBig"= 1 (0x1)
      .
      R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [12/22/2013 7:27 PM 49944]
      R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [12/22/2013 7:27 PM 180248]
      R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [12/22/2013 7:26 PM 775952]
      R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/22/2013 7:27 PM 410784]
      R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswmonflt.sys [12/22/2013 7:26 PM 67824]
      R2 WPC600NSvc;WPC600NSvc;c:\program files\Linksys\WPC600N\WLService.exe [1/13/2014 5:44 PM 65596]
      R3 ati2mtai;ati2mtai;c:\windows\system32\drivers\ati2mtai.sys [1/3/2014 11:54 PM 346752]
      R3 maestro;ESS Maestro 3 Audio Driver (WDM);c:\windows\system32\drivers\es198x.sys [11/6/2004 9:20 PM 174464]
      R3 wldel48b;Dell TrueMobile 1150 Series PCCard Driver;c:\windows\system32\drivers\wldel48b.sys [12/27/2013 12:22 AM 171520]
      R3 WPC600N;Linksys Dual Band Wireless-N Notebook Adapter WPC600N;c:\windows\system32\drivers\WPC600N.SYS [1/13/2014 5:45 PM 822400]
      S3 atimtai;atimtai;c:\windows\system32\drivers\atimtai.sys [11/6/2004 9:20 PM 281600]
      S3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family;c:\windows\system32\drivers\cben5.sys [11/6/2004 9:21 PM 50498]
      S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\Drivers\PROCEXP151.SYS --> c:\windows\system32\Drivers\PROCEXP151.SYS [?]
      .
      --- Other Services/Drivers In Memory ---
      .
      *NewlyCreated* - GTNDIS5
      .
      Contents of the 'Scheduled Tasks' folder
      .
      2014-02-06 c:\windows\Tasks\Adobe Flash Player Updater.job
      - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-12-19 04:55]
      .
      2014-02-13 c:\windows\Tasks\avast! Emergency Update.job
      - c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2013-12-23 04:32]
      .
      .
      ------- Supplementary Scan -------
      .
      uInternet Connection Wizard,ShellNext = iexplore
      IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
      IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
      TCP: DhcpNameServer = 192.168.1.1 68.105.28.11 68.105.29.11
      TCP: Interfaces\{B38BF4F5-866D-43FE-99F1-E18F0D90067C}: NameServer = 8.26.56.26,156.154.70.22
      FF - ProfilePath - c:\documents and settings\Amanda\Application Data\Mozilla\Firefox\Profiles\3e5tpy9j.default\
      .
      .
      **************************************************************************
      .
      catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2014-02-12 23:20
      Windows 5.1.2600 Service Pack 3 NTFS
      .
      scanning hidden processes ...
      .
      scanning hidden autostart entries ...
      .
      scanning hidden files ...
      .
      scan completed successfully
      hidden files: 0
      .
      **************************************************************************
      .
      --------------------- LOCKED REGISTRY KEYS ---------------------
      .
      [HKEY_USERS\S-1-5-21-1229272821-839522115-1957994488-1005\Software\Microsoft\SystemCertificates\AddressBook*]
      @Allowed: (Read) (RestrictedCode)
      @Allowed: (Read) (RestrictedCode)
      .
      [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
      @Denied: (A 2) (Everyone)
      @="FlashBroker"
      "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe,-101"
      .
      [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
      "Enabled"=dword:00000001
      .
      [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
      @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe"
      .
      [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
      @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
      .
      [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
      @Denied: (A 2) (Everyone)
      @="IFlashBroker5"
      .
      [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
      @="{00020424-0000-0000-C000-000000000046}"
      .
      [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
      @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
      "Version"="1.0"
      .
      --------------------- DLLs Loaded Under Running Processes ---------------------
      .
      - - - - - - - > 'explorer.exe'(2600)
      c:\windows\system32\WININET.dll
      c:\windows\system32\ieframe.dll
      c:\windows\system32\webcheck.dll
      c:\windows\system32\WPDShServiceObj.dll
      c:\windows\system32\PortableDeviceTypes.dll
      c:\windows\system32\PortableDeviceApi.dll
      .
      Completion time: 2014-02-12 23:26:00
      ComboFix-quarantined-files.txt 2014-02-13 05:25
      ComboFix2.txt 2014-02-12 04:59
      .
      Pre-Run: 10,489,122,816 bytes free
      Post-Run: 10,500,136,960 bytes free
      .
      - - End Of File - - 17C3F93D7C8F43211ED29BD26F2845DB 8F558EB6672622401DA993E1E865C861
  15. Hello again Gringo, I started to run Combofix according to your instructions, and shame on you! LOL ~ you didn't remind me to disable anti-virus. I ended up doing a hard shut-down when shutdown stalled. It is re-running now, which has been taking a little over an hour. So while waiting I figured I'd get a little typing out of the way. As I just downloaded Combofix like 24 hours ago, I got a message during run-time saying Combofix is out of date; I clicked OK to update. Next, I was on the problem machine this afternoon, and both Firefox and IE8 were running very slow and eating up CPU usage. Occasionally on shut-down or restart I get an error: 0xc000142 ~ but it goes away too fast to get complete details. Other than that, I will update my post when Combofix finishes.
  16. Hello Gringo, below is the log file from Combofix:
      ComboFix 14-02-11.01 - Amanda 02/11/2014 22:24:49.1.1 - x86
      Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.233 [GMT -6:00]
      Running from: c:\documents and settings\Amanda\Desktop\ComboFix.exe
      AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
      .
      .
      ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      c:\documents and settings\Amanda\Local Settings\Temporary Internet Files\Dell_c800_mainview.gif
      c:\program files\AVAST Software\Avast\setup\28fa7f01-598c-4171-9478-f2c82a31c9f8.exe
      c:\windows\system32\cache329
      c:\windows\system32\cache329\B_329_4_1_646400.htm
      c:\windows\system32\dllcache\wmpvis.dll
      c:\windows\system32\drivers\etc\hosts.ics
      .
      .
      ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      -------\Legacy_SVCPROC
      -------\Legacy_WINDOWS_OVERLAY_COMPONENTS
      -------\Legacy_WINDOWS_VISFX_COMPONENTS
      -------\Service_SvcProc
      .
      .
      ((((((((((((((((((((((((( Files Created from 2014-01-12 to 2014-02-12 )))))))))))))))))))))))))))))))
      .
      .
      2014-02-06 07:46 . 2014-02-06 07:46 -------- d-----w- c:\program files\Mozilla Maintenance Service
      2014-02-05 05:37 . 2014-02-05 05:58 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
      2014-02-05 04:09 . 2014-02-09 00:22 -------- d-----w- C:\AdwCleaner
      2014-02-04 10:53 . 2014-02-04 10:53 2855 ----a-w- c:\windows\system32\redir.PIF
      2014-01-25 07:25 . 2014-01-25 07:25 388096 ----a-r- c:\documents and settings\Amanda\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
      2014-01-22 20:12 . 2014-01-22 20:12 -------- d-----w- c:\documents and settings\Amanda\Local Settings\Application Data\PCHealth
      2014-01-22 08:11 . 2014-01-22 08:11 -------- d-----w- C:\cda69190891d4fbe794be4e0675b
      2014-01-22 08:11 . 2014-01-22 08:14 -------- d-----w- C:\2e0c62deeee44eddad40b62c53f11c
      2014-01-22 05:08 . 2014-01-22 05:08 -------- d-----w- c:\documents and settings\Amanda\Local Settings\Application Data\cache
      2014-01-22 05:07 . 2014-02-05 05:21 -------- d-----w- c:\documents and settings\Amanda\Local Settings\Application Data\genienext
      2014-01-22 01:19 . 2014-01-22 01:19 -------- d-----w- C:\9bd49e06d940713d0cda55cd
      2014-01-22 01:18 . 2014-01-22 01:19 -------- d-----w- C:\3e60a1d65a3f8059803dc205f5d6ce
      2014-01-19 00:20 . 2014-01-19 00:20 -------- d-----w- c:\program files\Trend Micro
      2014-01-18 05:33 . 2014-01-18 05:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
      2014-01-18 05:33 . 2013-04-04 20:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
      2014-01-14 06:09 . 2014-02-04 07:01 -------- d-----w- c:\windows\SxsCaPendDel
      2014-01-14 03:27 . 2014-01-14 03:27 -------- d-----w- c:\documents and settings\Amanda\Application Data\Oracle
      2014-01-13 23:43 . 2014-01-13 23:43 -------- d-----w- c:\program files\Linksys
      2014-01-13 23:43 . 2014-01-13 23:43 -------- d-----w- c:\documents and settings\Amanda\Application Data\InstallShield
      .
      .
      .
      (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2014-02-06 04:55 . 2013-12-19 07:45 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
      2014-02-06 04:55 . 2013-12-19 07:45 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
      2014-02-05 16:32 . 2013-12-23 01:26 67824 ----a-w- c:\windows\system32\drivers\aswmonflt.sys
      2014-01-24 04:32 . 2013-12-23 01:27 57672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
      2014-01-24 04:32 . 2013-12-23 01:27 410784 ----a-w- c:\windows\system32\drivers\aswSP.sys
      2014-01-24 04:32 . 2013-12-23 01:26 775952 ----a-w- c:\windows\system32\drivers\aswSnx.sys
      2014-01-24 04:32 . 2013-12-23 01:26 54832 ----a-w- c:\windows\system32\drivers\aswRdr.sys
      2014-01-24 04:32 . 2013-12-23 01:26 43152 ----a-w- c:\windows\avastSS.scr
      2014-01-24 04:32 . 2013-12-05 07:33 270240 ----a-w- c:\windows\system32\aswBoot.exe
      2013-12-24 05:20 . 2013-12-23 01:27 180248 ----a-w- c:\windows\system32\drivers\aswVmm.sys
      2013-12-23 01:26 . 2013-12-23 01:27 49944 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
      2013-12-05 10:43 . 2013-12-05 10:43 1700352 ----a-w- c:\windows\system32\gdiplus.dll
      2013-12-05 10:43 . 2013-12-05 10:43 1060864 ----a-w- c:\windows\system32\mfc71.dll
      2013-11-27 20:21 . 2002-09-03 19:48 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
      .
      .
      ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
      @="{472083B0-C522-11CF-8763-00608CC02F24}"
      [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
      2014-01-24 04:32 259464 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2014-01-24 3767096]
      "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-08-27 294912]
      .
      c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled\
      Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE -b -l [2001-2-13 83360]
      Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe /startup [2008-5-26 123904]
      .
      [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
      "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
      .
      [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
      Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
      .
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
      @=""
      .
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
      @=""
      .
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
      @=""
      .
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
      @=""
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
      "CiSvc"=3 (0x3)
      .
      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "%windir%\\system32\\sessmgr.exe"=
      "c:\\Program Files\\Messenger\\msmsgs.exe"=
      "c:\\WINDOWS\\system32\\mmc.exe"=
      "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
      .
      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
      "6881:TCP"= 6881:TCP:*:Disabled:Bittorrent
      "6889:TCP"= 6889:TCP:Bit
      "6884:TCP"= 6884:TCP:*:Disabled:Bittorrent
      "6885:TCP"= 6885:TCP:*:Disabled:Bittorrent
      "6886:TCP"= 6886:TCP:*:Disabled:Bittorent
      "6887:TCP"= 6887:TCP:*:Disabled:Bittorent
      "6888:TCP"= 6888:TCP:*:Disabled:Bittorent
      "6969:TCP"= 6969:TCP:*:Disabled:Trigger Bittorent
      "3724:TCP"= 3724:TCP:WOW
      "6112:TCP"= 6112:TCP:WOW2
      .
      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
      "AllowInboundEchoRequest"= 1 (0x1)
      "AllowInboundTimestampRequest"= 1 (0x1)
      "AllowInboundMaskRequest"= 1 (0x1)
      "AllowInboundRouterRequest"= 1 (0x1)
      "AllowOutboundPacketTooBig"= 1 (0x1)
      .
      R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [12/22/2013 7:27 PM 49944]
      R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [12/22/2013 7:27 PM 180248]
      R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [12/22/2013 7:26 PM 775952]
      R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/22/2013 7:27 PM 410784]
      R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswmonflt.sys [12/22/2013 7:26 PM 67824]
      R2 WPC600NSvc;WPC600NSvc;c:\program files\Linksys\WPC600N\WLService.exe [1/13/2014 5:44 PM 65596]
      R3 ati2mtai;ati2mtai;c:\windows\system32\drivers\ati2mtai.sys [1/3/2014 11:54 PM 346752]
      R3 maestro;ESS Maestro 3 Audio Driver (WDM);c:\windows\system32\drivers\es198x.sys [11/6/2004 9:20 PM 174464]
      R3 wldel48b;Dell TrueMobile 1150 Series PCCard Driver;c:\windows\system32\drivers\wldel48b.sys [12/27/2013 12:22 AM 171520]
      R3 WPC600N;Linksys Dual Band Wireless-N Notebook Adapter WPC600N;c:\windows\system32\drivers\WPC600N.SYS [1/13/2014 5:45 PM 822400]
      S3 atimtai;atimtai;c:\windows\system32\drivers\atimtai.sys [11/6/2004 9:20 PM 281600]
      S3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family;c:\windows\system32\drivers\cben5.sys [11/6/2004 9:21 PM 50498]
      S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\Drivers\PROCEXP151.SYS --> c:\windows\system32\Drivers\PROCEXP151.SYS [?]
      .
      --- Other Services/Drivers In Memory ---
      .
      *NewlyCreated* - GTNDIS5
      .
      Contents of the 'Scheduled Tasks' folder
      .
      2014-02-06 c:\windows\Tasks\Adobe Flash Player Updater.job
      - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-12-19 04:55]
      .
      2014-02-12 c:\windows\Tasks\avast! Emergency Update.job
      - c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2013-12-23 04:32]
      .
      .
      ------- Supplementary Scan -------
      .
      uInternet Connection Wizard,ShellNext = iexplore
      IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
      IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
      TCP: DhcpNameServer = 192.168.1.1 68.105.28.11 68.105.29.11
      TCP: Interfaces\{B38BF4F5-866D-43FE-99F1-E18F0D90067C}: NameServer = 8.26.56.26,156.154.70.22
      FF - ProfilePath - c:\documents and settings\Amanda\Application Data\Mozilla\Firefox\Profiles\3e5tpy9j.default\
      .
      - - - - ORPHANS REMOVED - - - -
      .
      HKLM-Run-CIS_{15198508-521A-4D69-8E5B-B94A6CCFF805} - c:\documents and settings\All Users\Application Data\cisB.exe
      MSConfigStartUp-mobilegeni daemon - c:\program files\Mobogenie\DaemonProcess.exe
      MSConfigStartUp-MsgCenterExe - c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
      AddRemove-AutoUpdate - c:\windows\system32\auto_update_uninstall.exe
      AddRemove-VBRunDLL - c:\windows\system32\VBUninstall.exe
      AddRemove-VisFx - c:\windows\visfxun.exe
      .
      .
      .
      **************************************************************************
      .
      catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2014-02-11 22:51
      Windows 5.1.2600 Service Pack 3 NTFS
      .
      scanning hidden processes ...
      .
      scanning hidden autostart entries ...
      .
      scanning hidden files ...
      .
      scan completed successfully
      hidden files: 0
      .
      **************************************************************************
      .
      --------------------- LOCKED REGISTRY KEYS ---------------------
      .
      [HKEY_USERS\S-1-5-21-1229272821-839522115-1957994488-1005\Software\Microsoft\SystemCertificates\AddressBook*]
      @Allowed: (Read) (RestrictedCode)
      @Allowed: (Read) (RestrictedCode)
      .
      [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
      @Denied: (A 2) (Everyone)
      @="FlashBroker"
      "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe,-101"
      .
      [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
      "Enabled"=dword:00000001
      .
      [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
      @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe"
      .
      [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
      @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
      .
      [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
      @Denied: (A 2) (Everyone)
      @="IFlashBroker5"
      .
      [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
      @="{00020424-0000-0000-C000-000000000046}"
      .
      [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
      @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
      "Version"="1.0"
      .
      --------------------- DLLs Loaded Under Running Processes ---------------------
      .
      - - - - - - - > 'explorer.exe'(3764)
      c:\windows\system32\WININET.dll
      c:\windows\system32\ieframe.dll
      c:\windows\system32\webcheck.dll
      c:\windows\system32\WPDShServiceObj.dll
      c:\windows\system32\PortableDeviceTypes.dll
      c:\windows\system32\PortableDeviceApi.dll
      .
      ------------------------ Other Running Processes ------------------------
      .
      c:\windows\System32\WLTRYSVC.EXE
      c:\windows\System32\bcmwltry.exe
      c:\program files\AVAST Software\Avast\AvastSvc.exe
      c:\windows\system32\Ati2evxx.exe
      c:\windows\system32\SearchIndexer.exe
      c:\program files\Linksys\WPC600N\WPC600N.exe
      c:\windows\system32\wscntfy.exe
      .
      **************************************************************************
      .
      Completion time: 2014-02-11 22:59:26 - machine was rebooted
      ComboFix-quarantined-files.txt 2014-02-12 04:59
      .
      Pre-Run: 9,865,691,136 bytes free
      Post-Run: 10,291,818,496 bytes free
      .
      - - End Of File - - 2D5637F06578F54CB19614A489B28560 8F558EB6672622401DA993E1E865C861
      My machine has been mostly in idle mode and offline since we started running your diagnostic programs. I have not yet gone on-line to see if things are "normal"; however, I will be doing that soon. I guess I have maybe a question or two regarding the log I posted. Although I cannot interpret the log findings, I'm concerned as to some references in the log. Specifically, BitTorrent. BitTorrent and its likes have been deleted; other programs/folders that have been deleted reoccur. I see while observing scans that programs/files/folders that have been deleted appear in various sub-folders during the scan process. Is this a problem, and how do I permanently rid traces of deleted programs? So it's late and I'm tired; hope this makes sense. Look forward to your next response. Thanks again, Mean Farmer
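The BitTorrent references the poster asks about above are entries under the Windows Firewall standard-profile GloballyOpenPorts key in the ComboFix log; each stored value there has the form port:proto:scope:Enabled|Disabled:name, so the state of each exception can be read straight off the line. The same log shows a per-interface static NameServer that differs from the DHCP-assigned list, which is the kind of setting a helper checks when a browser is being redirected. The Python script below is an added example for this page, not part of the original posts and not ComboFix or Malwarebytes code: it parses those sections of a ComboFix-style log and reports which firewall exceptions are enabled, which are disabled, which values are truncated (such as "6889:TCP:Bit") so that no state should be assumed for them, what sits in the HKLM Run key, and which interfaces override the DHCP DNS servers. The sample text is constructed from the entries quoted on this page, laid out one per line as ComboFix prints them; the five-field value layout is assumed from the full-form entries in the log.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example (not ComboFix code). Constructed sample: entries copied from the
# ComboFix logs posted above, one per line as ComboFix prints them.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2014-01-24 3767096]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-08-27 294912]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:*:Disabled:Bittorrent
"6889:TCP"= 6889:TCP:Bit
"6969:TCP"= 6969:TCP:*:Disabled:Trigger Bittorent
"3724:TCP"= 3724:TCP:WOW
"6112:TCP"= 6112:TCP:WOW2
.
TCP: DhcpNameServer = 192.168.1.1 68.105.28.11 68.105.29.11
TCP: Interfaces\{B38BF4F5-866D-43FE-99F1-E18F0D90067C}: NameServer = 8.26.56.26,156.154.70.22
"""

@dataclass(frozen=True)
class PortRule:
    port: int
    proto: str
    scope: Optional[str]     # "*" = any remote address; None if the value is not in full form
    enabled: Optional[bool]  # None when the stored value is not port:proto:scope:state:name
    name: str

def _section(text: str, header_part: str) -> List[str]:
    """Value lines of the first [registry key] block whose header contains header_part."""
    out, inside = [], False
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            if inside:
                break
            inside = header_part.lower() in line.lower()
        elif inside and line == ".":  # ComboFix closes a block with a lone "."
            break
        elif inside and line:
            out.append(line)
    return out

_PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*(.+)$')

def parse_open_ports(text: str) -> List[PortRule]:
    rules = []
    for line in _section(text, "GloballyOpenPorts"):
        m = _PORT_RE.match(line)
        if not m:
            continue
        f = m.group(3).split(":", 4)
        if len(f) == 5 and f[3] in ("Enabled", "Disabled"):
            rules.append(PortRule(int(f[0]), f[1], f[2], f[3] == "Enabled", f[4]))
        else:  # truncated value such as "6889:TCP:Bit": keep it, do not guess a state
            rules.append(PortRule(int(m.group(1)), m.group(2), None, None, ":".join(f[2:])))
    return rules

_RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"')

def parse_run_keys(text: str) -> Dict[str, str]:
    """Autostart name -> command from the HKLM ...\\CurrentVersion\\Run block."""
    found = {}
    for line in _section(text, r"\currentversion\run]"):
        m = _RUN_RE.match(line)
        if m:
            found[m.group("name")] = m.group("path")
    return found

_DHCP_RE = re.compile(r"^TCP:\s*DhcpNameServer\s*=\s*(.+)$", re.M)
_STATIC_RE = re.compile(r"^TCP:\s*Interfaces\\(\{[0-9A-Fa-f-]+\}):\s*NameServer\s*=\s*(.+)$", re.M)

def _servers(s: str) -> List[str]:
    return [x for x in re.split(r"[,\s]+", s.strip()) if x]

def parse_dns(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """(DHCP-assigned servers, {interface GUID: static NameServer list})."""
    m = _DHCP_RE.search(text)
    dhcp = _servers(m.group(1)) if m else []
    return dhcp, {iface: _servers(srv) for iface, srv in _STATIC_RE.findall(text)}

def dns_overrides(text: str) -> List[Tuple[str, List[str]]]:
    """Interfaces whose static NameServer points at servers DHCP did not hand out."""
    dhcp, static = parse_dns(text)
    return [(iface, srv) for iface, srv in static.items() if set(srv) - set(dhcp)]

def triage(text: str) -> dict:
    rules = parse_open_ports(text)
    return {"enabled_ports": [r for r in rules if r.enabled is True],
            "disabled_ports": [r for r in rules if r.enabled is False],
            "unparsed_ports": [r for r in rules if r.enabled is None],
            "run_keys": parse_run_keys(text),
            "dns_overrides": dns_overrides(text)}

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"== {key}: {value}")
```

Run it as a script to print the report for the sample, or call triage() on the text of a saved ComboFix log. On the sample, nothing is in the enabled form, the Bittorrent entries are reported as disabled exceptions, and what is left for manual review is the three truncated values and the one interface whose NameServer differs from the DHCP list; the script reports, it does not decide what is malicious.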
  17. Greetings Gringo, and once again thanks for your help. Pasted below are the 2 files I ran.
      # AdwCleaner v3.018 - Report created 08/02/2014 at 18:22:49
      # Updated 28/01/2014 by Xplode
      # Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
      # Username : Amanda - CREIGHTO-CGTHAC
      # Running from : C:\Documents and Settings\Amanda\Desktop\AdwCleaner.exe
      # Option : Clean
      ***** [ Services ] *****
      ***** [ Files / Folders ] *****
      ***** [ Shortcuts ] *****
      ***** [ Registry ] *****
      ***** [ Browsers ] *****
      -\\ Internet Explorer v8.0.6001.18702
      -\\ Mozilla Firefox v27.0 (en-US)
      [ File : C:\Documents and Settings\Amanda\Application Data\Mozilla\Firefox\Profiles\3e5tpy9j.default\prefs.js ]
      *************************
      AdwCleaner[R0].txt - [1303 octets] - [04/02/2014 22:10:08]
      AdwCleaner[R1].txt - [490 octets] - [08/02/2014 18:05:39]
      AdwCleaner[R2].txt - [992 octets] - [08/02/2014 18:10:28]
      AdwCleaner[s0].txt - [1187 octets] - [04/02/2014 22:19:11]
      AdwCleaner[s1].txt - [914 octets] - [08/02/2014 18:22:49]
      ########## EOF - C:\AdwCleaner\AdwCleaner[s1].txt - [973 octets] ##########
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      Junkware Removal Tool (JRT) by Thisisu
      Version: 6.1.1 (02.04.2014:1)
      OS: Microsoft Windows XP x86
      Ran by Amanda on Sat 02/08/2014 at 18:57:24.74
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      ~~~ Services
      ~~~ Registry Values
      ~~~ Registry Keys
      ~~~ Files
      ~~~ Folders
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      Scan was completed on Sat 02/08/2014 at 19:12:54.05
      End of JRT log
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      I am curious about the Mozilla reference in the ADW txt, as when I was using Firefox yesterday morning all kinds of strange things were going on; as near as I could tell it was loading, or attempting to load, tons of different tracking cookies. But you're the PRO! I leave it to you ~ hope to hear from you again soon. Thanks again ~ The Mean Farmer
  18. Hello Gringo, Thank you for responding to my post. To be honest I know y'all are busy, but didn't expect that long of a delay. I hate to get wordy, but here goes... I didn't think anyone was going to respond to my post. I really need this machine, even though it is antiquated and to be retired soon. So... I googled PUP:Optional.MySearchDial from the Malwarebytes forum by Stelian Pilici, who claimed to be an MBAM Trusted Advisor. Followed his step-by-step instructions, and the first 2 are the same as you recommend. Well, found a bunch of stuff and supposedly cleaned things up. Still have issues; hope you can help even though I ventured out on my own in frustration. I hope you are able to assist me at this juncture in my dilemma. I will be using a flash drive back and forth between a clean machine and the problem child at hand. So, if you can assist me, where do we start from? Thank you for any and all assistance. The Mean Farmer
  19. Hello, my computer is infected with a PUP, and likely others. I am attaching the DDS & Attach files. I ran MBAM earlier this week; the problem recurred, so I ran it again last night with the same problems. I also ran an Avast scan after MBAM and it found a "Threat". I am including those scan results if they are of any use. Thank you in advance for any assistance.
      dds.txt
      attach.txt
      mbam-log-2014-01-24 (23-50-38).txt
      mbam-log-2014-01-30 (04-19-08).txt
      avastscan.txt
  20. Greetings! kevinf80 helped me get my machine cleaned up in December; now weird things are happening. Since kev's help I've updated to SP3, drivers I could think of (BIOS), etc. Upgraded to 512 MB mem. (max), disabled the TM1150 wireless NIC, installed a Linksys 802.11N CardBus. The last 3 days I started getting operational errors. Symptoms:
      - CPU racing to max quite often / slow operation
      - Jan. 16: Script errors in Gmail options: Continue or Stop. Script errors maxed the CPU, Gmail not functional, affected the complete machine operation. Slowness and CPU maxing continued after finally getting out of Gmail and rebooting several times. Task Manager showed 2 unfamiliar processes: aswOfferTool.exe (spawned by Avast?), and dwwin.exe. When I retired for the night and did a shutdown I received an error message that displayed quickly and vanished, so I could not see what it was.
      - Jan. 17: Booted up; dwwin.exe and aswOfferTool.exe not running. Linksys showing a connection, but Firefox reported unable to connect. Tried IE8, failed. Retry: connected and loaded home page (POGO), then reported not connected ~ work offline etc... Rebooted several times with an error I couldn't capture before restart. Rebooted and went away for a while; was able to connect to the internet, but still CPU running wild. After rebooting several times received error message: GTrMDrv.exe application failure. (I think this is related to my Linksys [Broadcom drivers].) That eventually went away; now CPU still going wild.
      On Jan. 16 I updated to the new version of Java & Flash Player, and also installed Adobe Reader *. Any assistance or advice will be gratefully appreciated. (gratefully purposely spelled ~ lol) I did run Malwarebytes with nothing showing, and no ill reports from Avast. Sorry to be so wordy ~ thank you for any help.
      I haven't received a response. Am I not entitled to help anymore? Anyway, yesterday I experienced another strange symptom: on several attempts to connect to Gmail it appeared to be redirecting me to unsafe sites; I didn't think to write that info down until later. I am posting my HijackThis log if it is any help. Please let me know if I'm in the wrong category or not eligible for help.
  21. Kevin, been busy updating the machine; now have SP3, trying to update any drivers that I can. This does not appear in Task Mgr, but in Sys Info/Running Tasks I see two of the same file name running which look suspicious: helpctr.exe [FilePath] c:\windows\pchealth\helpctr\binaries\helpctr.exe. Not sure if this is legit or not; other than that everything else seems dandy. One other unrelated question would be: is there a way to get WPA on a Dell TrueMobile 1150 series wireless LAN Mini PCI card? I know this machine is old ~ just curious. Thanks again.
  22. Hope this took care of my woes! Here is the OTM log. All files appear to be removed, except the CMman folder, which is now empty. The epicenter folder containing snuinst.exe appeared when I opened Explorer, and then disappeared. If this resolves my troubles, I thank you so much for your assistance and patience. Farmer68623 a/k/a The Mean Farmer
  23. Kevin, the offending files/folders still exist in the Program Files directory. Successfully ran Zoek. HijackThis is still installed on my machine; I ran it and it produced a log file. Attached are that and the Zoek log. I just realized after running Zoek why the OTM program failed to run as expected ~ I failed to paste the instructions for Files to be Moved into the box... thanks again, next?
  24. This didn't work well for me. Running Revo gave no results. The OTM.exe run did not show a code box or any log/txt file that I know of. Everything in the yellow/green bars was empty. Tried several times. I probably messed up because I was so frustrated I hit the Clean button. Not sure where I'm at now; I do not see the c:\_OTMove dir ....... HELP!
  25. I'm back again ... Kevin. Here is the ESET log. Programs running in Task Mgr seem to be proper files. I noticed that in the ESET log a program named snuinst.exe is in FRST\Quarantine\.. This file is also present in Program Files\epicenter\snuinst.exe; also a folder named CMMan contains the file cmappudate.exe, as does the folder CMAPP. The ESET log only referred to cmappstub.exe in the CMAPP folder. Not sure it is relevant, but I noticed that EQTraffic.exe shows up in Windows\Prefetch\EQTraffic.exe-22F995EC.pf? I will await your guidance for the next steps to take. Thanks again!