farmer68623

March 11, 2014

Hello Gringo,

I ran the delfile.bat, moving on to the next step :DeFogger ~ I do not see in any of our posts that you instructed me to download or run DeFogger, and I don't have any reference to DeFog in my download files folder. I may be mistaken, however would like to run that for assurance. Please direct me to the Defogger download site.

thanks

March 10, 2014

Gringo ~ not sure it is relevent but this machine did not adjust for DLS

March 10, 2014

Hello Gringo

Followed your instructions, below is the Eset scan results. Observed some strange goings on with network connections, as in disabled connection appeared to active, then messages that no connection, then connected and showing ridicoulus network speeds. I will await your next intructions and again thank you for your help.

C:\Documents and Settings\Amanda\Desktop\ccsetup404.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Documents and Settings\Amanda\My Documents\WinZip175.exe a variant of Win32/OpenInstall potentially unwanted application
C:\Documents and Settings\Amanda\My Documents\Downloads\DriverGuide_Driver_Download_168478.exe a variant of Win32/InstallCore.DN potentially unwanted application

March 8, 2014

Hi Gringo,

Attached is the MBAM log & HiJack this report. Regarding MBAM run, I did not have a prompt for any actions for System Volume and Remove Selected.

I took no action after HJThis other to copy and import the report. Okay, so I am again unable to paste these in my post- I will attach them and wait for your guidance.

mbam-log-2014-03-07 (03-55-51).txt

hijackthis.log

March 5, 2014

Ok Gringo~ either I'm a blithering idiot ~ or something. I could not find my post in the forum yesterday, so was unable to reply/post. Was having issues with downloading Hitman. So anyway, I'm pasting the Hitman results. This machine is not running as expected...

HitmanPro 3.7.9.212www.hitmanpro.com   Computer name . . . . : CREIGHTO-CGTHAC   Windows . . . . . . . : 5.1.3.2600.X86/1   User name . . . . . . : CREIGHTO-CGTHAC\Amanda   License . . . . . . . : Free   Scan date . . . . . . : 2014-03-05 00:37:54   Scan mode . . . . . . : Normal   Scan duration . . . . : 9m 33s   Disk access mode  . . : Direct disk access (SRB)   Cloud . . . . . . . . : Internet   Reboot  . . . . . . . : No   Threats . . . . . . . : 0   Traces  . . . . . . . : 1   Objects scanned . . . : 432,149   Files scanned . . . . : 7,822   Remnants scanned  . . : 55,696 files / 368,631 keysCookies _____________________________________________________________________   C:\Documents and Settings\Amanda\Cookies\DU6F5E7L.txt

Waiting for your reply, Thanks for your help

February 25, 2014

HI Gingo,

Yes, I believe I followed 2nd part of instructions, that was the part where fix it looked completely but the box didn't close. The other box that appeared had Delete History and other options to click. All were clicked, and go the red x error, and then went to tools / IE options/ advanced. However nowhere did I see an "click safety" option....

farmer

February 23, 2014

Hi Gringo,

I believe I still need assistance, have a family medical emergency going on. However, I did go to the microsoft link and downloaded and ran fixit. It ran for extremely long time and the progress box indicated that it was finished but never closed, and showed as running in task mgr. Another box popped behind the fixit and went thru the procedures that you instructed. It did somethings, and had a red X indicationg it deleted a bunch of stuff, but IE8 default reset failed. Browers still run slow. I do not use/nor like IE, however I want a clean machine. When I open IE8 it appears to load normally, with homepage now microsoft link, and opening new tab now goes to a blank page. The items I pasted in my last post still appear under Toolbars & Ext's. I am still getting unusually high CPU usage in either IE8 or Firefox. My Flash player ActiveX updated to the most current version, which previouly would not update. I had un-installed current version of Java, but have since reinstalled. Machine seems still unstable, but not as bad. I will await your response and respond to you sooner than I've done this past week. Thanks again!

February 20, 2014

Helllo Gringo,

I ran the OTL script as directed, below are the results.

========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\AutorunsDisabled\ deleted successfully.
Starting removal of ActiveX control {7530BFB8-7293-4D34-9923-61A11451AFC5}
C:\WINDOWS\Downloaded Program Files\OnlineScanner.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\AutorunsDisabled\ deleted successfully.
File Protocol\Handler\AutorunsDisabled - No CLSID value found not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Amanda\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Amanda\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYJAVA]

User: Administrator

User: All Users

User: Amanda
->Java cache emptied: 0 bytes

User: Default User

User: LocalService

User: NetworkService

Total Java Files Cleaned = 0.00 mb

[EMPTYFLASH]

User: Administrator

User: All Users

User: Amanda
->Flash cache emptied: 11697 bytes

User: Default User

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb

OTL by OldTimer - Version 3.2.69.0 log created on 02192014_211452

I can't determine yet if the machine is running smooth yet, I will get on it tomorrow and see what happens. However I do have a concern about what I see and happens in IE8. There are some things in Toolbars & extentsions. There were similar in Firefox that went away when we started running your programs. Also, when I open IE8 my homepage page loads. When I open new tab, instead of getting a blank page it automatically redirects and opens Google search. I do not see anything under Tools or anywhere else to stop this, and this never occured until I got the other problems.

I am going to paste a few files to see if they represent any threats or problems.

Name:                   Diagnose Connection Problems...
Publisher:              Not Available
Type:                   Browser Extension
Version:                Not available
File date:
Date last accessed:     Today, February 19, 2014, 11 minutes ago
Class ID:               {E2E2DD38-D088-4134-82B7-F2BA38496583}
Use count:              26
Block count:            32
File:                   Not available
Folder:                 Not available

Name:                   Discuss
Publisher:              Not Available
Type:                   Explorer Bar
Version:                6.0.2900.5512
File date:
Date last accessed:     Monday, November 29, 1999, 6:00 PM
Class ID:               {BDEADE7F-C265-11D0-BCED-00A0C90AB50F}
Use count:              0
Block count:            0
File:                   shdocvw.dll
Folder:

Name:                   BottomFrame Class
Publisher:              Control name is not available
Type:                   Explorer Bar
Version:                Not available
File date:
Date last accessed:     Monday, November 29, 1999, 6:00 PM
Class ID:               {E2D2FE40-5674-4B77-802B-EC86B6C2C41D}
Use count:              0
Block count:            0
File:                   dsr.dll
Folder:                 C:\WINDOWS

Name:                   LeftFrame Class
Publisher:              Control name is not available
Type:                   Explorer Bar
Version:                Not available
File date:
Date last accessed:     Monday, November 29, 1999, 6:00 PM
Class ID:               {CE27D4DF-714B-4427-95EB-923FE53ADF8E}
Use count:              0
Block count:            0
File:                   dsr.dll
Folder:                 C:\WINDOWS

Look forward to hearing for your direction, and again many thanks.

The Mean Farmer

February 17, 2014

Hi Gringo, below is the OTL file.

OTL logfile created on: 2/17/2014 3:52:38 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Amanda\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.46 Mb Total Physical Memory | 137.17 Mb Available Physical Memory | 26.82% Memory free
1.22 Gb Paging File | 0.79 Gb Available in Paging File | 64.86% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.62 Gb Total Space | 9.75 Gb Free Space | 52.36% Space Free | Partition Type: NTFS

Computer Name: CREIGHTO-CGTHAC | User Name: Amanda | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Amanda\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\AVAST Software\Avast\AvastUI.exe (AVAST Software)
PRC - C:\Program Files\AVAST Software\Avast\AvastSvc.exe (AVAST Software)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Linksys\WPC600N\WLService.exe (GEMTEKS)
PRC - C:\Program Files\Linksys\WPC600N\WPC600N.exe (Linksys)

========== Modules (No Company Name) ==========

MOD - C:\Program Files\AVAST Software\Avast\defs\14021700\algo.dll ()
MOD - C:\Program Files\Mozilla Firefox\mozjs.dll ()
MOD - C:\Program Files\AVAST Software\Avast\libcef.dll ()
MOD - C:\WINDOWS\system32\quartz.dll ()
MOD - C:\WINDOWS\system32\bcm1xsup.dll ()
MOD - C:\Program Files\Linksys\WPC600N\Security.dll ()
MOD - C:\Program Files\Linksys\WPC600N\GTW32N50.dll ()
MOD - C:\Program Files\Linksys\WPC600N\GEMWEP.DLL ()

========== Services (SafeList) ==========

SRV - (WPFFontCache_v0400) -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe File not found
SRV - (WPC600NSvc) -- C:\Program Files\Linksys\WPC600N\WLService.exe WPC600N.exe File not found
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (MozillaMaintenance) -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (avast! Antivirus) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe (AVAST Software)

========== Driver Services (SafeList) ==========

DRV - (PROCEXP151) -- C:\WINDOWS\system32\Drivers\PROCEXP151.SYS File not found
DRV - (PCIDump) -- File not found
DRV - (NSNDIS5) -- C:\WINDOWS\system32\NSNDIS5.SYS File not found
DRV - (Changer) -- File not found
DRV - (catchme) -- C:\DOCUME~1\Amanda\LOCALS~1\Temp\catchme.sys File not found
DRV - (aswMonFlt) -- C:\WINDOWS\system32\drivers\aswmonflt.sys (AVAST Software)
DRV - (aswSnx) -- C:\WINDOWS\system32\drivers\aswSnx.sys (AVAST Software)
DRV - (aswSP) -- C:\WINDOWS\system32\drivers\aswSP.sys (AVAST Software)
DRV - (aswTdi) -- C:\WINDOWS\system32\drivers\aswTdi.sys (AVAST Software)
DRV - (aswRdr) -- C:\WINDOWS\system32\drivers\aswRdr.sys (AVAST Software)
DRV - (aswVmm) -- C:\WINDOWS\System32\drivers\aswVmm.sys ()
DRV - (aswRvrt) -- C:\WINDOWS\System32\drivers\aswRvrt.sys ()
DRV - (Tcpip6) -- C:\WINDOWS\system32\drivers\tcpip6.sys (Microsoft Corporation)
DRV - (NwlnkIpx) -- C:\WINDOWS\system32\drivers\nwlnkipx.sys (Microsoft Corporation)
DRV - (nm) -- C:\WINDOWS\system32\drivers\nmnt.sys (Microsoft Corporation)
DRV - (WPC600N) -- C:\WINDOWS\system32\drivers\WPC600N.SYS (Broadcom Corporation)
DRV - (wldel48b) -- C:\WINDOWS\system32\drivers\wldel48b.sys (Dell)
DRV - (GTNDIS5) -- C:\Program Files\Linksys\WPC600N\GTNDIS5.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (ati2mtai) -- C:\WINDOWS\system32\drivers\ati2mtai.sys (ATI Technologies Inc.)
DRV - (omci) -- C:\WINDOWS\system32\drivers\omci.sys (Dell Computer Corporation)
DRV - (NwlnkNb) -- C:\WINDOWS\system32\drivers\nwlnknb.sys (Microsoft Corporation)
DRV - (NwlnkSpx) -- C:\WINDOWS\system32\drivers\nwlnkspx.sys (Microsoft Corporation)
DRV - (wlluc48) -- C:\WINDOWS\system32\drivers\wlluc48.sys (Lucent Technologies)
DRV - (CBEN5) -- C:\WINDOWS\system32\drivers\cben5.sys (Xircom, Inc.)
DRV - (atimtai) -- C:\WINDOWS\system32\drivers\atimtai.sys (ATI Technologies Inc.)
DRV - (maestro) -- C:\WINDOWS\system32\drivers\es198x.sys (ESS Technology, Inc.)
DRV - (SMCIRDA) -- C:\WINDOWS\system32\drivers\smcirda.sys (SMC)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://red.clientapps.yahoo.com/customize/ie/defaults/cs/ymsgr6/*http://www.yahoo.com/ext/search/search.html
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1229272821-839522115-1957994488-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.pogo.com/
IE - HKU\S-1-5-21-1229272821-839522115-1957994488-1005\..\SearchScopes,DefaultScope = {BF17251D-1531-4AC4-A456-ED1C92EA0337}
IE - HKU\S-1-5-21-1229272821-839522115-1957994488-1005\..\SearchScopes\{BF17251D-1531-4AC4-A456-ED1C92EA0337}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
IE - HKU\S-1-5-21-1229272821-839522115-1957994488-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "https://www.pogo.com"
FF - prefs.js..extensions.enabledAddons: wrc%40avast.com:9.0.2013.75
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:27.0.1
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_12_0_0_44.dll ()

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2014/01/23 22:32:18 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 27.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 27.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2014/02/06 02:47:58 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Amanda\Application Data\Mozilla\Extensions
[2014/02/13 18:13:37 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\browser\extensions
[2014/02/13 18:15:38 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2014/01/23 22:32:18 | 000,000,000 | ---D | M] (avast! Online Security) -- C:\PROGRAM FILES\AVAST SOFTWARE\AVAST\WEBREP\FF

O1 HOSTS File: ([2014/02/11 22:50:37 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (avast! Online Security) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
O3 - HKLM\..\Toolbar: (avast! Online Security) - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O4 - HKLM..\Run: [AvastUI.exe] C:\Program Files\AVAST Software\Avast\AvastUI.exe (AVAST Software)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled [2014/02/05 22:43:41 | 000,000,000 | -H-D | M]
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1229272821-839522115-1957994488-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1229272821-839522115-1957994488-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1229272821-839522115-1957994488-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1229272821-839522115-1957994488-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 68.105.28.11 68.105.29.11
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7EA6AE80-5921-4A56-A3DA-DA05CD875637}: DhcpNameServer = 192.168.1.1 68.105.28.11 68.105.29.11
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B38BF4F5-866D-43FE-99F1-E18F0D90067C}: NameServer = 8.26.56.26,156.154.70.22
O18 - Protocol\Handler\AutorunsDisabled - No CLSID value found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Amanda\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Amanda\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (nwprovau) - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2014/02/17 15:51:07 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Amanda\Desktop\OTL.exe
[2014/02/16 21:29:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Amanda\Desktop\RK_Quarantine
[2014/02/16 00:54:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
[2014/02/16 00:53:21 | 000,052,312 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamchameleon.sys
[2014/02/16 00:52:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Amanda\Desktop\mbar
[2014/02/13 18:13:36 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2014/02/12 23:55:43 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2014/02/12 23:26:07 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2014/02/12 22:10:42 | 000,000,000 | ---D | C] -- C:\ComboFix
[2014/02/12 21:48:00 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2014/02/12 21:47:26 | 005,180,278 | R--- | C] (Swearware) -- C:\Documents and Settings\Amanda\Desktop\ComboFix.exe
[2014/02/11 21:38:52 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2014/02/11 21:38:52 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2014/02/11 21:38:52 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2014/02/11 21:38:52 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2014/02/11 21:37:26 | 000,000,000 | ---D | C] -- C:\Qoobox
[2014/02/06 01:46:37 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Maintenance Service
[2014/02/04 23:37:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\HitmanPro
[2014/02/04 22:09:52 | 000,000,000 | ---D | C] -- C:\AdwCleaner
[2014/01/24 16:33:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Amanda\Desktop\Old Firefox Data
[2014/01/22 14:12:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Amanda\Local Settings\Application Data\PCHealth
[2014/01/22 02:11:17 | 000,000,000 | ---D | C] -- C:\cda69190891d4fbe794be4e0675b
[2014/01/22 02:11:03 | 000,000,000 | ---D | C] -- C:\2e0c62deeee44eddad40b62c53f11c
[2014/01/21 23:08:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Amanda\Local Settings\Application Data\cache
[2014/01/21 23:07:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Amanda\Local Settings\Application Data\genienext
[2014/01/21 19:28:21 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2014/01/21 19:19:08 | 000,000,000 | ---D | C] -- C:\9bd49e06d940713d0cda55cd
[2014/01/21 19:18:55 | 000,000,000 | ---D | C] -- C:\3e60a1d65a3f8059803dc205f5d6ce
[2014/01/18 18:20:49 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2014/02/17 15:49:23 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Amanda\Desktop\OTL.exe
[2014/02/17 15:31:22 | 000,000,364 | -H-- | M] () -- C:\WINDOWS\tasks\avast! Emergency Update.job
[2014/02/17 15:26:37 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2014/02/17 15:25:29 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2014/02/16 19:24:08 | 000,052,312 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamchameleon.sys
[2014/02/16 18:58:06 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2014/02/16 18:57:59 | 000,692,616 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2014/02/16 18:57:58 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2014/02/16 18:41:56 | 003,813,376 | ---- | M] () -- C:\Documents and Settings\Amanda\Desktop\RogueKiller.exe
[2014/02/11 22:50:37 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2014/02/11 21:07:36 | 005,180,278 | R--- | M] (Swearware) -- C:\Documents and Settings\Amanda\Desktop\ComboFix.exe
[2014/02/06 01:46:51 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\Amanda\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2014/02/06 01:46:43 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2014/02/05 22:43:42 | 000,000,630 | ---- | M] () -- C:\WINDOWS\System32\.crusader
[2014/02/05 10:32:27 | 000,067,824 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmonflt.sys
[2014/02/04 04:53:27 | 000,002,855 | ---- | M] () -- C:\WINDOWS\System32\redir.PIF
[2014/01/23 22:32:41 | 000,001,733 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2014/01/23 22:32:15 | 000,775,952 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2014/01/23 22:32:15 | 000,410,784 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2014/01/23 22:32:15 | 000,057,672 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2014/01/23 22:32:15 | 000,054,832 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2014/01/23 22:32:13 | 000,270,240 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2014/01/23 22:32:13 | 000,043,152 | ---- | M] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2014/01/22 21:32:27 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2014/01/21 18:21:44 | 000,418,842 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2014/01/21 18:21:44 | 000,067,032 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2014/02/16 21:26:16 | 003,813,376 | ---- | C] () -- C:\Documents and Settings\Amanda\Desktop\RogueKiller.exe
[2014/02/11 21:38:52 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2014/02/11 21:38:52 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2014/02/11 21:38:52 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2014/02/11 21:38:52 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2014/02/11 21:38:52 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2014/02/06 01:46:50 | 000,000,742 | ---- | C] () -- C:\Documents and Settings\Amanda\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2014/02/06 01:46:43 | 000,000,724 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2014/02/06 01:46:42 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2014/02/05 22:43:42 | 000,000,630 | ---- | C] () -- C:\WINDOWS\System32\.crusader
[2014/02/04 04:53:27 | 000,002,855 | ---- | C] () -- C:\WINDOWS\System32\redir.PIF
[2014/01/13 17:45:17 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2014/01/13 17:45:14 | 000,024,064 | ---- | C] () -- C:\WINDOWS\System32\WLTRYSVC.EXE
[2014/01/13 17:45:13 | 000,753,664 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2014/01/13 17:45:03 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\GTW32N50.dll
[2014/01/13 17:43:29 | 000,000,801 | ---- | C] () -- C:\WINDOWS\System32\WLAN.INI
[2014/01/03 23:54:11 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.exe
[2013/12/24 02:34:59 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2013/12/22 19:27:01 | 000,180,248 | ---- | C] () -- C:\WINDOWS\System32\drivers\aswVmm.sys
[2013/12/22 19:27:00 | 000,049,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\aswRvrt.sys
[2013/12/21 18:43:51 | 000,024,064 | ---- | C] () -- C:\WINDOWS\zoek-delete.exe
[2004/12/05 19:53:11 | 000,054,272 | ---- | C] () -- C:\Documents and Settings\Amanda\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== ZeroAccess Check ==========

[2014/01/10 01:20:19 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/13 18:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 06:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/13 18:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

< End of report >

Thanks

February 17, 2014

Wow, lighning speed response. Will try attaching first. So far so good on attachments

Will wait for further instructions, once again, thanks so much!

mbar-log-2014-02-16 (00-55-39).txt

mbar-log-2014-02-16 (19-26-13).txt

RKreport0_D_02162014_213850.txt

RKreport0_S_02162014_213514.txt

February 17, 2014

Ok Gringo,

Ran MBAM anti-root kit, and Rogue Killer. MBAM appeared to show no problems. Rogue Killer produced 2 .txt files, Rk[0]D & Rk[0]S, and not the txt you requested. Multiple tries trying to paste all 3 files but won't allow me to paste, (I'am using flashdisk from problem machine to "clean" machine). The Rk files appear to have strange Cntl characters imbedded, but regardless I can import them. I guess the Ghost of Jerry Garcia is haunting me. From what I could interprupt it cleaned/quarantined Explorer Bar/Browser Extensions from Firefox, but see the same suspious items in IE8. I will try and copy/paste from the problem machine and see if that works........ don't expect different results, but will report back in the next few minutes to see if anything different.

February 14, 2014

Hi Gringo, so I got on the machine today, rebooted and brought up her. She sucks even worse now for some reason. Everything is the slowest, non-responsive I've seen. Even with browsers closed, just moving the mouse on the desktop will send the CPU peaking for no apparent reason.

I've ran Mbam & Avast AV, everything shows clean. Looking forward to hearing back from you.

Thanks, The Mean Farmer

February 13, 2014

Gringo, trying not to be a pain, I'm reporting to you from different machine. Since my last post I have taken no action since the Combofix run. Have not rebooted. Running in Task Mgr: [swreg.exe], 2 occurances(sp), and PEV.exe ....

February 13, 2014

Hi Gringo, didn't expect a response from last post. Combofix just finished and posted below.

ComboFix 14-02-11.01 - Amanda 02/12/2014 23:02:20.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.252 [GMT -6:00]
Running from: c:\documents and settings\Amanda\Desktop\ComboFix.exe
Command switches used :: E:\CFScript.txt.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
(((((((((((((((((((((((((   Files Created from 2014-01-13 to 2014-02-13 )))))))))))))))))))))))))))))))
.
.
2014-02-13 03:48 . 2014-02-13 04:10   --------   d-----w-   C:\32788R22FWJFW
2014-02-06 07:46 . 2014-02-06 07:46   --------   d-----w-   c:\program files\Mozilla Maintenance Service
2014-02-05 05:37 . 2014-02-05 05:58   --------   d-----w-   c:\documents and settings\All Users\Application Data\HitmanPro
2014-02-05 04:09 . 2014-02-09 00:22   --------   d-----w-   C:\AdwCleaner
2014-02-04 10:53 . 2014-02-04 10:53   2855   ----a-w-   c:\windows\system32\redir.PIF
2014-01-22 20:12 . 2014-01-22 20:12   --------   d-----w-   c:\documents and settings\Amanda\Local Settings\Application Data\PCHealth
2014-01-22 08:11 . 2014-01-22 08:11   --------   d-----w-   C:\cda69190891d4fbe794be4e0675b
2014-01-22 08:11 . 2014-01-22 08:14   --------   d-----w-   C:\2e0c62deeee44eddad40b62c53f11c
2014-01-22 05:08 . 2014-01-22 05:08   --------   d-----w-   c:\documents and settings\Amanda\Local Settings\Application Data\cache
2014-01-22 05:07 . 2014-02-05 05:21   --------   d-----w-   c:\documents and settings\Amanda\Local Settings\Application Data\genienext
2014-01-22 01:19 . 2014-01-22 01:19   --------   d-----w-   C:\9bd49e06d940713d0cda55cd
2014-01-22 01:18 . 2014-01-22 01:19   --------   d-----w-   C:\3e60a1d65a3f8059803dc205f5d6ce
2014-01-19 00:20 . 2014-01-19 00:20   --------   d-----w-   c:\program files\Trend Micro
2014-01-18 05:33 . 2014-01-18 05:33   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2014-01-18 05:33 . 2013-04-04 20:50   22856   ----a-w-   c:\windows\system32\drivers\mbam.sys
2014-01-14 06:09 . 2014-02-04 07:01   --------   d-----w-   c:\windows\SxsCaPendDel
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-02-06 04:55 . 2013-12-19 07:45   692616   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2014-02-06 04:55 . 2013-12-19 07:45   71048   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2014-02-05 16:32 . 2013-12-23 01:26   67824   ----a-w-   c:\windows\system32\drivers\aswmonflt.sys
2014-01-24 04:32 . 2013-12-23 01:27   57672   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2014-01-24 04:32 . 2013-12-23 01:27   410784   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2014-01-24 04:32 . 2013-12-23 01:26   775952   ----a-w-   c:\windows\system32\drivers\aswSnx.sys
2014-01-24 04:32 . 2013-12-23 01:26   54832   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2014-01-24 04:32 . 2013-12-23 01:26   43152   ----a-w-   c:\windows\avastSS.scr
2014-01-24 04:32 . 2013-12-05 07:33   270240   ----a-w-   c:\windows\system32\aswBoot.exe
2013-12-24 05:20 . 2013-12-23 01:27   180248   ----a-w-   c:\windows\system32\drivers\aswVmm.sys
2013-12-23 01:26 . 2013-12-23 01:27   49944   ----a-w-   c:\windows\system32\drivers\aswRvrt.sys
2013-12-05 10:43 . 2013-12-05 10:43   1700352   ----a-w-   c:\windows\system32\gdiplus.dll
2013-12-05 10:43 . 2013-12-05 10:43   1060864   ----a-w-   c:\windows\system32\mfc71.dll
2013-11-27 20:21 . 2002-09-03 19:48   40960   ----a-w-   c:\windows\system32\drivers\ndproxy.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2014-01-24 04:32   259464   ----a-w-   c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2014-01-24 3767096]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-08-27 294912]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE -b -l [2001-2-13 83360]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe /startup [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages   REG_MULTI_SZ     msv1_0 nwprovau
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"CiSvc"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:*:Disabled:Bittorrent
"6889:TCP"= 6889:TCP:Bit
"6884:TCP"= 6884:TCP:*:Disabled:Bittorrent
"6885:TCP"= 6885:TCP:*:Disabled:Bittorrent
"6886:TCP"= 6886:TCP:*:Disabled:Bittorent
"6887:TCP"= 6887:TCP:*:Disabled:Bittorent
"6888:TCP"= 6888:TCP:*:Disabled:Bittorent
"6969:TCP"= 6969:TCP:*:Disabled:Trigger Bittorent
"3724:TCP"= 3724:TCP:WOW
"6112:TCP"= 6112:TCP:WOW2
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)
.
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [12/22/2013 7:27 PM 49944]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [12/22/2013 7:27 PM 180248]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [12/22/2013 7:26 PM 775952]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/22/2013 7:27 PM 410784]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswmonflt.sys [12/22/2013 7:26 PM 67824]
R2 WPC600NSvc;WPC600NSvc;c:\program files\Linksys\WPC600N\WLService.exe [1/13/2014 5:44 PM 65596]
R3 ati2mtai;ati2mtai;c:\windows\system32\drivers\ati2mtai.sys [1/3/2014 11:54 PM 346752]
R3 maestro;ESS Maestro 3 Audio Driver (WDM);c:\windows\system32\drivers\es198x.sys [11/6/2004 9:20 PM 174464]
R3 wldel48b;Dell TrueMobile 1150 Series PCCard Driver;c:\windows\system32\drivers\wldel48b.sys [12/27/2013 12:22 AM 171520]
R3 WPC600N;Linksys Dual Band Wireless-N Notebook Adapter WPC600N;c:\windows\system32\drivers\WPC600N.SYS [1/13/2014 5:45 PM 822400]
S3 atimtai;atimtai;c:\windows\system32\drivers\atimtai.sys [11/6/2004 9:20 PM 281600]
S3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family;c:\windows\system32\drivers\cben5.sys [11/6/2004 9:21 PM 50498]
S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\Drivers\PROCEXP151.SYS --> c:\windows\system32\Drivers\PROCEXP151.SYS [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder
.
2014-02-06 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-12-19 04:55]
.
2014-02-13 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2013-12-23 04:32]
.
.
------- Supplementary Scan -------
.

uInternet Connection Wizard,ShellNext = iexplore
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 68.105.28.11 68.105.29.11
TCP: Interfaces\{B38BF4F5-866D-43FE-99F1-E18F0D90067C}: NameServer = 8.26.56.26,156.154.70.22

FF - ProfilePath - c:\documents and settings\Amanda\Application Data\Mozilla\Firefox\Profiles\3e5tpy9j.default\

.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-02-12 23:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1229272821-839522115-1957994488-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2600)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2014-02-12 23:26:00
ComboFix-quarantined-files.txt 2014-02-13 05:25
ComboFix2.txt 2014-02-12 04:59
.
Pre-Run: 10,489,122,816 bytes free
Post-Run: 10,500,136,960 bytes free
.
- - End Of File - - 17C3F93D7C8F43211ED29BD26F2845DB
8F558EB6672622401DA993E1E865C861

February 13, 2014

Hello again Gringo,

I started to run Combofix according to your instructions, and shame on you! LOL ~ you didn't remind to disable anti-virus. I ended up doing a Hard Shut-down when shutdown stalled. It is re-running now, which has been taking a lil' over an hour. So while waiting I figured I get a little typing out of the way. As I just downloaded Combofix like 24 hours ago, I got a message during run-time saying Combofix is out of date, I clicked OK to update. Next, I was on the problem machine this afternoon, and both Firefox and IE8 were running very slow and eating up CPU usage. Occasionally on Shut-down or restart I get an error : 0xc000142 ~ but it goes away to fast to get complete details. Other than that I will update my post when Combofix finishes.

February 12, 2014

Hello Gringo, below is the log file from Combofix :

ComboFix 14-02-11.01 - Amanda 02/11/2014 22:24:49.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.233 [GMT -6:00]
Running from: c:\documents and settings\Amanda\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Amanda\Local Settings\Temporary Internet Files\Dell_c800_mainview.gif
c:\program files\AVAST Software\Avast\setup\28fa7f01-598c-4171-9478-f2c82a31c9f8.exe
c:\windows\system32\cache329
c:\windows\system32\cache329\B_329_4_1_646400.htm
c:\windows\system32\dllcache\wmpvis.dll
c:\windows\system32\drivers\etc\hosts.ics
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_SVCPROC
-------\Legacy_WINDOWS_OVERLAY_COMPONENTS
-------\Legacy_WINDOWS_VISFX_COMPONENTS
-------\Service_SvcProc
.
.
(((((((((((((((((((((((((   Files Created from 2014-01-12 to 2014-02-12 )))))))))))))))))))))))))))))))
.
.
2014-02-06 07:46 . 2014-02-06 07:46   --------   d-----w-   c:\program files\Mozilla Maintenance Service
2014-02-05 05:37 . 2014-02-05 05:58   --------   d-----w-   c:\documents and settings\All Users\Application Data\HitmanPro
2014-02-05 04:09 . 2014-02-09 00:22   --------   d-----w-   C:\AdwCleaner
2014-02-04 10:53 . 2014-02-04 10:53   2855   ----a-w-   c:\windows\system32\redir.PIF
2014-01-25 07:25 . 2014-01-25 07:25   388096   ----a-r-   c:\documents and settings\Amanda\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2014-01-22 20:12 . 2014-01-22 20:12   --------   d-----w-   c:\documents and settings\Amanda\Local Settings\Application Data\PCHealth
2014-01-22 08:11 . 2014-01-22 08:11   --------   d-----w-   C:\cda69190891d4fbe794be4e0675b
2014-01-22 08:11 . 2014-01-22 08:14   --------   d-----w-   C:\2e0c62deeee44eddad40b62c53f11c
2014-01-22 05:08 . 2014-01-22 05:08   --------   d-----w-   c:\documents and settings\Amanda\Local Settings\Application Data\cache
2014-01-22 05:07 . 2014-02-05 05:21   --------   d-----w-   c:\documents and settings\Amanda\Local Settings\Application Data\genienext
2014-01-22 01:19 . 2014-01-22 01:19   --------   d-----w-   C:\9bd49e06d940713d0cda55cd
2014-01-22 01:18 . 2014-01-22 01:19   --------   d-----w-   C:\3e60a1d65a3f8059803dc205f5d6ce
2014-01-19 00:20 . 2014-01-19 00:20   --------   d-----w-   c:\program files\Trend Micro
2014-01-18 05:33 . 2014-01-18 05:33   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2014-01-18 05:33 . 2013-04-04 20:50   22856   ----a-w-   c:\windows\system32\drivers\mbam.sys
2014-01-14 06:09 . 2014-02-04 07:01   --------   d-----w-   c:\windows\SxsCaPendDel
2014-01-14 03:27 . 2014-01-14 03:27   --------   d-----w-   c:\documents and settings\Amanda\Application Data\Oracle
2014-01-13 23:43 . 2014-01-13 23:43   --------   d-----w-   c:\program files\Linksys
2014-01-13 23:43 . 2014-01-13 23:43   --------   d-----w-   c:\documents and settings\Amanda\Application Data\InstallShield
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-02-06 04:55 . 2013-12-19 07:45   692616   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2014-02-06 04:55 . 2013-12-19 07:45   71048   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2014-02-05 16:32 . 2013-12-23 01:26   67824   ----a-w-   c:\windows\system32\drivers\aswmonflt.sys
2014-01-24 04:32 . 2013-12-23 01:27   57672   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2014-01-24 04:32 . 2013-12-23 01:27   410784   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2014-01-24 04:32 . 2013-12-23 01:26   775952   ----a-w-   c:\windows\system32\drivers\aswSnx.sys
2014-01-24 04:32 . 2013-12-23 01:26   54832   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2014-01-24 04:32 . 2013-12-23 01:26   43152   ----a-w-   c:\windows\avastSS.scr
2014-01-24 04:32 . 2013-12-05 07:33   270240   ----a-w-   c:\windows\system32\aswBoot.exe
2013-12-24 05:20 . 2013-12-23 01:27   180248   ----a-w-   c:\windows\system32\drivers\aswVmm.sys
2013-12-23 01:26 . 2013-12-23 01:27   49944   ----a-w-   c:\windows\system32\drivers\aswRvrt.sys
2013-12-05 10:43 . 2013-12-05 10:43   1700352   ----a-w-   c:\windows\system32\gdiplus.dll
2013-12-05 10:43 . 2013-12-05 10:43   1060864   ----a-w-   c:\windows\system32\mfc71.dll
2013-11-27 20:21 . 2002-09-03 19:48   40960   ----a-w-   c:\windows\system32\drivers\ndproxy.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2014-01-24 04:32   259464   ----a-w-   c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2014-01-24 3767096]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-08-27 294912]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE -b -l [2001-2-13 83360]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe /startup [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages   REG_MULTI_SZ     msv1_0 nwprovau
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"CiSvc"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:*:Disabled:Bittorrent
"6889:TCP"= 6889:TCP:Bit
"6884:TCP"= 6884:TCP:*:Disabled:Bittorrent
"6885:TCP"= 6885:TCP:*:Disabled:Bittorrent
"6886:TCP"= 6886:TCP:*:Disabled:Bittorent
"6887:TCP"= 6887:TCP:*:Disabled:Bittorent
"6888:TCP"= 6888:TCP:*:Disabled:Bittorent
"6969:TCP"= 6969:TCP:*:Disabled:Trigger Bittorent
"3724:TCP"= 3724:TCP:WOW
"6112:TCP"= 6112:TCP:WOW2
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)
.
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [12/22/2013 7:27 PM 49944]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [12/22/2013 7:27 PM 180248]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [12/22/2013 7:26 PM 775952]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/22/2013 7:27 PM 410784]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswmonflt.sys [12/22/2013 7:26 PM 67824]
R2 WPC600NSvc;WPC600NSvc;c:\program files\Linksys\WPC600N\WLService.exe [1/13/2014 5:44 PM 65596]
R3 ati2mtai;ati2mtai;c:\windows\system32\drivers\ati2mtai.sys [1/3/2014 11:54 PM 346752]
R3 maestro;ESS Maestro 3 Audio Driver (WDM);c:\windows\system32\drivers\es198x.sys [11/6/2004 9:20 PM 174464]
R3 wldel48b;Dell TrueMobile 1150 Series PCCard Driver;c:\windows\system32\drivers\wldel48b.sys [12/27/2013 12:22 AM 171520]
R3 WPC600N;Linksys Dual Band Wireless-N Notebook Adapter WPC600N;c:\windows\system32\drivers\WPC600N.SYS [1/13/2014 5:45 PM 822400]
S3 atimtai;atimtai;c:\windows\system32\drivers\atimtai.sys [11/6/2004 9:20 PM 281600]
S3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family;c:\windows\system32\drivers\cben5.sys [11/6/2004 9:21 PM 50498]
S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\Drivers\PROCEXP151.SYS --> c:\windows\system32\Drivers\PROCEXP151.SYS [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder
.
2014-02-06 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-12-19 04:55]
.
2014-02-12 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2013-12-23 04:32]
.
.
------- Supplementary Scan -------
.

uInternet Connection Wizard,ShellNext = iexplore
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 68.105.28.11 68.105.29.11
TCP: Interfaces\{B38BF4F5-866D-43FE-99F1-E18F0D90067C}: NameServer = 8.26.56.26,156.154.70.22

FF - ProfilePath - c:\documents and settings\Amanda\Application Data\Mozilla\Firefox\Profiles\3e5tpy9j.default\

.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-CIS_{15198508-521A-4D69-8E5B-B94A6CCFF805} - c:\documents and settings\All Users\Application Data\cisB.exe
MSConfigStartUp-mobilegeni daemon - c:\program files\Mobogenie\DaemonProcess.exe
MSConfigStartUp-MsgCenterExe - c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
AddRemove-AutoUpdate - c:\windows\system32\auto_update_uninstall.exe
AddRemove-VBRunDLL - c:\windows\system32\VBUninstall.exe
AddRemove-VisFx - c:\windows\visfxun.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-02-11 22:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1229272821-839522115-1957994488-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3764)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Linksys\WPC600N\WPC600N.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2014-02-11 22:59:26 - machine was rebooted
ComboFix-quarantined-files.txt 2014-02-12 04:59
.
Pre-Run: 9,865,691,136 bytes free
Post-Run: 10,291,818,496 bytes free
.
- - End Of File - - 2D5637F06578F54CB19614A489B28560
8F558EB6672622401DA993E1E865C861

My machine has been mostly in idle mode and offline since we started running your diagnostic programs. I have not yet gone on-line to see if things are "normal", however I will be doing that soon. I guess I have maybe a question or two regarding the log I posted. Although I cannot interpret the log findings, I'm concerned as to some references in the log. Specifically, bittorent. Bitterorent and it's likes have been deleted, other deleted programs/folders that have been deleted reoccur. I see while observing scans that program/files/folders that have been deleted display in scan process appear in various sub-folders. Is this a problem and how do I permantently rid traces of deleted programs. So it's late and I'm tired, hope this makes sense. Look forward to your next response.

Thanks again,

Mean Farmer

February 9, 2014

Greeting Gringo, and once thanks for your help. Pasted below are the 2 files I ran.

# AdwCleaner v3.018 - Report created 08/02/2014 at 18:22:49
# Updated 28/01/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Amanda - CREIGHTO-CGTHAC
# Running from : C:\Documents and Settings\Amanda\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

-\\ Mozilla Firefox v27.0 (en-US)

[ File : C:\Documents and Settings\Amanda\Application Data\Mozilla\Firefox\Profiles\3e5tpy9j.default\prefs.js ]

*************************

AdwCleaner[R0].txt - [1303 octets] - [04/02/2014 22:10:08]
AdwCleaner[R1].txt - [490 octets] - [08/02/2014 18:05:39]
AdwCleaner[R2].txt - [992 octets] - [08/02/2014 18:10:28]
AdwCleaner[s0].txt - [1187 octets] - [04/02/2014 22:19:11]
AdwCleaner[s1].txt - [914 octets] - [08/02/2014 18:22:49]

########## EOF - C:\AdwCleaner\AdwCleaner[s1].txt - [973 octets] ##########

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.1 (02.04.2014:1)
OS: Microsoft Windows XP x86
Ran by Amanda on Sat 02/08/2014 at 18:57:24.74
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 02/08/2014 at 19:12:54.05
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I am curious about the Mozilla reference in the ADW txt as when I was using Firefox yesterday morning all kinds of strange things were going on, as near as I could tell it was or attempting to load tons of different tracking cookies. But your the PRO! I leave it you ~ hope to from you again soon.

Thanks again ~ The Mean Farmer

February 8, 2014

Hello Gringo,

Thank you for responding to my post. To be honest I know y'all are busy, but didn't expect that long of delay. I hate to get wordy, but here goes... I didn't think anyone was going to repond to my post. I really need this machine, even though it is antiquated and to be retired soon. So... I google PUP:Optional.MySearchDial from Malwarebytes forum by Stelian Pilici, who claimed to be MBAM Trusted Advisor. Followed his step by step instructions, and the first 2 are the same as you recommend. Well, found a bunch a stuff and supposedly cleaned things up. Still have issues, hope you can help even though I ventured out on my own in frustration.

I hope you are able to assist me at this juncunture in my dilemna. I will be using a flash drive back and forth from a clean machine and the problem child at hand.

So, if you can assist me, where do we start from?

Thank you for in and all assistance

The Mean Farmer

January 31, 2014

Hello, my computer is infected with PUP, and likely others. I am attaching the DDS & Attach files. I ran MBAM earlier this week, problem reoccured, so ran again last night and same problems. I also ran Avast scan after MBAM and it found a "Threat". I am including those scan results if they are of any use. Thank you in advance for any assistance.

dds.txt

attach.txt

mbam-log-2014-01-24 (23-50-38).txt

mbam-log-2014-01-30 (04-19-08).txt

avastscan.txt

January 18, 2014

Greetings! kevinf80 helped me get my machine cleaned up in December, now weird things happening. Since kev's help I've update SP3, drivers I could think of (BIOS),etc. Upgraded to 512 mem.(max), disabled TM1150 wireless Nic, installed Linksys 801.11N cardbus. The last 3 days starting getting operational errors.

Symptoms:

- CPU racing to max. quite often / slow operation

-Jan. 16 : Script errors in GMAIL options: Continue or Stop. Script errors max'd CPU, gmail not functional, effected the complete machine op. Slowness and CPU maxing continued after finally getting out of gmail, and rebooting several times.

Task manager showed 2 unfamiliar processes: aswOfferTool.exe (spawned by Avast? ), and dwwin.exe. When I retired for the night and did a shutdown received a error message that displayed quickly and vanished so I could not see what is was.

Jan. 17: Booted up, dwwin.exe, aswOfferTool.exe not running. Linksys showing a connection, but Firefox reported unable to connect. Tried IE8, failed. Retry: connected and loaded home page(POGO), then reported not connected~ work 0ffline etc...

Rebooted several times with an error I couldn't capture before restart. Rebooted and went away for awhile, was able to connect to internet, but still CPU running wild. After rebooting several times received error message: GTrMDrv.exe application failure. (I think this related to my Linksys [broadcom drivers]). That eventually went away, now CPU still going wild.

On Jan. 16 I updated new Version of Java & Flashplayer, and also installed Adobe reader *.

Any assistance or advice will be gratefully appreciated. (gratefully purposely spelled~lol)

I did run malware bytes with nothing showing, and no ill reports from avast

Sorry to be so wordy~thank you for any help

I haven't received a response, Am I not entiltled to help anymore?

Anyway, yesterday I expericened another strange symptom : several attempts to connect to gmail it appeared to be redirecting me to unsafe sites, I didn't think to write that info until later. I am posting my Hijackthis log if it is any help.

Please let me know if I'm in wrong category or not eligible for help.

December 25, 2013

Kevin, been busy updating machine, now have SP3, trying to update any drivers that I can. This does not appear in Task Mgr, but in SyS Info/Running Tasks I see two same file names running which look suspious : helpctr.exe {FilePath] c:\windows\pchealth\helpctr\binaries\helpctr.exe .Not sure if this is legit or not, other than every else seems dandy. One other unrelated question would be : is there a way to get WPA on Dell TrueMobile 1150 series wireless LanMini PCI card? I know this machine is old ~ just curious. Thanks again.

December 23, 2013

Hope this took care of my woes! Here is the OTM log. All files appear to be removed, accept the CMman folder, which is now empty. The epicenter folder containing snuinst.exe appeared when I opened Explorer, and then disappeared. If this resolves my troubles, I thank you so much for your assistance and patience. Farmer68623 a/k/a The Mean Farmer

December 22, 2013

Kevin, the offending files/folders still exist in Program Files directory. Successfully ran Zoek. Hijack This is still installed on my machine and ran and produced a log file. attached are it and the Zoek log. I just realized after running Zoek why the OTM program failed to run as expected~ I failed to paste the Instructions for Files to be Moved into the box... thanks again, next?

December 21, 2013

This didn't work well for me. Running Revo gave no results. OTM.exe run did not show a code box or any log/txt file that I know of. Everything in yellow/green bars were empty. Tried several times. I probably messed up because I was so frustrated I hit the Clean button. Not sure where I'm at now, do not see the c:\_OTMove dir ....... HELP!

December 21, 2013

I'm back again ... Kevin. Here is the ESETLog. Programs running in Task Mgr seem to proper files. I noticed that in the ESET log a program named snuinst.exe is in FRST\Quarantine\.. This file is also present in Program Files\epicenter\snuinst.exe, also a Folder named CMMan contains the file cmappudate.exe, as well in Folder CMAPP. The ESET only referred to cmappstub.exe in the CMAPP Folder. Not sure it is relevant, but I noticed that EQTraffic.exe shows up in Windows\Prefetch\EQTraffic.exe-22F995EC.pf? I will await your guidance for the next steps to take. Thanks again!

Events

Profiles

Forums

Posts posted by farmer68623

Important Information