What to do with old XPSP-NULL or maybe 3 second hand


XCowboy

  • Root Admin

Yes, but now we need to do some other scans again to see what may have changed or gone back from the Last Known Good change.
 
Please restart the computer again and then run a new DDS scan and post back those logs.  You can delete your current DDS logs and program and get a new copy.
 
Please run the following scanner and send back the logs.

Download DDS from one of the locations below and save to your Desktop
dds.scr
dds.com

Temporarily disable any script blocker if your Anti-Virus/Anti-Malware has it.
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
Then double click dds.scr or dds.com to run the tool.
Click the Run button if prompted with an Open File - Security Warning dialog box.
A black DOS console should open and run for a moment.

  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop
  • Please include the following logs in your next reply as an attachment: DDS.txt and Attach.txt
  • You can ignore the note about zipping the Attach.txt file and just post it or attach it.

It may well be that I should have disabled my SuperAntiSpyware before running FRST to start with, because after F8 and loading back to "Last time ..." I also decided to disable SuperAntiSpyware as well.

Perhaps I should have done that the first time around but I don't believe I was instructed to do so.

Is there a way to go forwards rather than backwards in the registry loaded and try that again?

 

XCowboy


Here we go again:

 

DDS.TXT

 

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.6001.18702
Run by Administrator at 22:48:56 on 2013-12-19
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2550.1888 [GMT -5:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: ESET NOD32 Antivirus 7.0 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\QF9700\DriverMax\drivermax.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\TP-LINK\TL-WN321G\COMMON\TWCU.exe
C:\Program Files\iYogi Support Dock\iYogiSupportDock.exe
C:\Program Files\TP-LINK\TL-WN321G\COMMON\RegistryWriter.exe
C:\WINDOWS\System32\snmp.exe
C:\FILEMON.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k LocalService
.
============== Pseudo HJT Report ===============
.
uProxyOverride = <-loopback>;<local>
BHO: AcroIEHlprObj Class: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
uRun: [DriverMax] "c:\qf9700\drivermax\drivermax.exe" -agent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [cAudioFilterAgent] c:\program files\conexant\caudiofilteragent\cAudioFilterAgent.exe
mRun: [AudioDeck] c:\program files\viaudioi\sbadeck\ADeck.exe 1
mRun: [iYogi Support Dock] "c:\program files\iyogi support dock\sdstartup.exe" c:\program files\iyogi support dock\iYogiSupportDock.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tl-wn3~1.lnk - c:\program files\tp-link\tl-wn321g\common\TWCU.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - LocalServer32 - <no file>
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{739FC658-6BE2-4B84-A589-74133BBBD2CA} : DHCPNameServer = 172.16.31.18 172.16.31.12 172.16.31.19
TCP: Interfaces\{D40E0885-9B75-41B1-9171-61698CD2812D} : DHCPNameServer = 192.168.1.1
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\31.0.1650.63\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2013-10-18 37664]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2013-9-17 134248]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2013-9-17 118768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2013-10-10 120088]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2013-9-12 1337752]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-11-18 418376]
R2 PPPoEService;PPPoE Service;c:\progra~1\effici~1\entern~1\app\pppoeservice.exe [2013-10-26 49152]
R2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\tp-link\tl-wn321g\common\RegistryWriter.exe [2013-10-16 69632]
R3 FILEMON;FILEMON;c:\windows\system32\drivers\FILEM.SYS [2013-12-19 57612]
R4 REGMON;REGMON;c:\windows\system32\drivers\REGSYS.SYS [2013-12-19 38220]
S1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys --> c:\windows\system32\drivers\sbaphd.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-11-18 701512]
S2 PRTGCoreService;PRTG Core Server Service;c:\program files\prtg network monitor\PRTG Server.exe [2013-10-28 7232736]
S2 PRTGProbeService;PRTG Probe Service;c:\program files\prtg network monitor\PRTG Probe.exe [2013-10-28 8814304]
S2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys --> c:\windows\system32\drivers\sbapifs.sys [?]
S2 SupportDockService.exe;Support Dock Service;c:\program files\iyogi support dock\services\commagent\SupportDockService.exe [2012-8-7 78336]
S2 Util Lizardlink;Util Lizardlink;"c:\program files\lizardlink\bin\utillizardlink.exe" --> c:\program files\lizardlink\bin\utilLizardlink.exe [?]
S3 ENIMSR;ENIMSR;c:\progra~1\effici~1\entern~1\app\ENIMSR.SYS [2013-10-26 12924]
S3 esgiguard;esgiguard;\??\c:\program files\enigma software group\spyhunter\esgiguard.sys --> c:\program files\enigma software group\spyhunter\esgiguard.sys [?]
S3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys --> c:\windows\system32\drivers\gfiark.sys [?]
S3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys --> c:\windows\system32\drivers\mbam.sys [?]
S3 NTSPPPOE;Efficient Networks Enternet P.P.P.o.E LAN  Miniport Driver;c:\windows\system32\drivers\ntspppoe.sys [2013-10-26 161640]
S3 NTSTPL1;NTSTPL1;c:\progra~1\effici~1\entern~1\app\NTSTPL1.SYS [2013-10-26 16096]
S3 NTSTPL2;NTSTPL2;c:\progra~1\effici~1\entern~1\app\NTSTPL2.SYS [2013-10-26 16096]
S3 QF97USB;QF9700 USB2.0 To Fast Ethernet Adapter;c:\windows\system32\drivers\qf97usb.sys [2013-10-19 15232]
S3 RAWESR;RAWESR;c:\progra~1\effici~1\entern~1\app\RAWESR.SYS [2013-10-26 12924]
S3 TAPBIND;TAPBIND;c:\progra~1\effici~1\entern~1\app\TAPBIND1.SYS [2013-10-26 44544]
S3 USB_Ethernet_Adaptor;USB to Ethernet Adapter;c:\windows\system32\drivers\USB_Ethernet_Adaptor.sys [2013-10-18 16512]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [1980-1-1 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
S3 WPRO_41_2001;WinPcap Packet Driver (WPRO_41_2001);c:\windows\system32\drivers\wpro_41_2001.sys --> c:\windows\system32\drivers\WPRO_41_2001.sys [?]
.
=============== Created Last 30 ================
.
2013-12-20 02:06:04 38220 ------w- c:\windows\system32\drivers\REGSYS.SYS
2013-12-20 00:15:52 1231 ----a-w- C:\FSK.BAT
2013-12-19 22:24:23 57612 ------w- c:\windows\system32\drivers\FILEM.SYS
2013-12-19 17:53:14 -------- d-----w- C:\FRST
2013-12-19 13:41:47 4709 ----a-w- C:\mbam.bat
2013-12-19 03:16:03 -------- d-----w- c:\windows\ERUNT
2013-12-19 03:14:31 -------- d-----w- C:\jrt
2013-12-18 20:36:47 -------- d-----w- C:\SUPERDelete
2013-12-18 17:12:00 -------- d-----w- c:\program files\InstallConverter
2013-12-18 14:54:31 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes' Anti-Malware (portable)
2013-12-18 14:50:10 51416 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2013-12-18 14:46:11 -------- d-----w- C:\mbar
2013-12-18 06:09:51 -------- d-----w- c:\documents and settings\administrator\application data\SUPERAntiSpyware.com
2013-12-18 06:09:19 -------- d-----w- c:\program files\SUPERAntiSpyware
2013-12-18 06:09:19 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2013-12-18 04:47:15 -------- d-----w- c:\documents and settings\all users\application data\Avira
2013-12-18 02:35:42 22856 ----a-w- C:\mbam.sys
2013-12-17 17:00:25 -------- d-----w- C:\facebook
2013-12-16 15:58:28 -------- d-sha-r- C:\cmdcons
2013-12-16 15:56:13 98816 ----a-w- c:\windows\sed.exe
2013-12-16 15:56:13 256000 ----a-w- c:\windows\PEV.exe
2013-12-16 15:56:13 208896 ----a-w- c:\windows\MBR.exe
2013-12-15 10:50:26 -------- d-----w- C:\ComboFix  A guide and tutorial on using ComboFix_files
2013-12-14 20:04:39 891200 ----a-w- C:\SecurityCheck (1).exe
2013-12-14 19:00:41 3050 ----a-w- C:\PUP-ELIM.BAT
2013-12-14 14:58:25 891200 ----a-w- C:\SecurityCheck (2).exe
2013-12-14 14:39:34 891200 ----a-w- C:\SecurityCheck.exe
2013-12-06 18:36:20 -------- d-----w- C:\Vif-Billing service_files
2013-12-06 06:19:52 -------- d-----w- C:\Videotron-Gmail - SVP --- ISP connection options in 2007 to postal code H3K2R5 required for legal matter._files
2013-11-25 06:16:45 -------- d-----w- C:\Toledo former capital of Spain - Google Search_files
2013-11-21 16:48:18 -------- d-----w- C:\What to do with old XPSP-NULL or maybe 3 second hand - Malware Removal Help - Malwarebytes Forum_files
2013-11-20 19:01:14 -------- d-----w- C:\Trouble with LAN and Proxy settings - Resolved HijackThis Logs - Malwarebytes Forum_files
2013-11-20 18:15:23 1085542 ----a-w- C:\adwcleaner (1).exe
.
==================== Find3M  ====================
.
2013-11-20 23:51:22 819 ----a-w- C:\avast.bat
2013-11-19 17:42:00 1682336 ----a-w- C:\eset_nod32_antivirus_live_installer.exe
2013-11-19 17:38:25 5146522 ----a-w- C:\ComboFix.exe
2013-11-19 17:30:49 304 ----a-w- C:\EXCEPTI.BAT
2013-11-19 05:26:09 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-11-19 03:39:29 377856 ----a-w- C:\1q6l0gue.exe
2013-11-19 03:38:49 377856 ----a-w- C:\zovgj0m1.exe
2013-11-18 19:07:23 10285040 ----a-w- C:\mbam-setup-1.75.0.1300 (2).exe
2013-11-16 18:29:13 65048 ---ha-w- c:\windows\system32\drivers\PROCMON23.SYS
2013-11-16 15:37:51 89088 ----a-w- C:\mbr.exe
2013-11-16 15:37:39 4745728 ----a-w- C:\aswmbr.exe
2013-11-16 15:36:37 28672 ----a-w- C:\catchme02.exe
2013-11-16 15:36:02 377856 ----a-w- C:\0gc1oz0r.exe
2013-11-16 15:34:54 377856 ----a-w- C:\v7olehrc.exe
2013-11-16 02:11:41 122 ----a-w- C:\1.BAT
2013-11-15 16:00:04 35 ----a-w- C:\cannot-get.bat
2013-11-15 13:26:29 93548 ----a-w- C:\system-volume.bat
2013-11-15 11:20:06 1610 ----a-w- C:\mydocs.bat
2013-11-14 23:27:04 5746904 ----a-w- C:\Iyogi-1MB-fileburst-SDSetup.exe
2013-11-14 22:04:20 3658 ----a-w- C:\stopzilla.bat
2013-11-14 18:40:14 94721720 ----a-w- C:\ManageEngine_DesktopCentral.exe
2013-11-14 18:39:29 430852 ----a-w- C:\xpkv-setup.exe
2013-11-14 15:43:18 19641384 ----a-w- C:\Stackify v1.2.162.1.exe
2013-11-14 15:01:26 688992 ------r- C:\dds.scr
2013-11-14 01:38:02 6352640 ----a-w- C:\RecoverKeysDemo.exe
2013-11-14 00:59:21 751688 ----a-w- C:\decrypt_mblblock.exe
2013-11-13 20:11:12 0 ----a-w- c:\windows\system32\TempWmicBatchFile.bat
2013-11-13 18:56:41 991232 ----a-w- C:\MicrosoftFixit50267 (1).msi
2013-11-13 18:56:24 991232 ----a-w- C:\MicrosoftFixit50267.msi
2013-11-13 18:50:27 10285040 ----a-w- C:\mbam-setup-1.75.0.1300 (1).exe
2013-11-13 18:46:16 1085542 ----a-w- C:\adwcleaner.exe
2013-11-13 18:29:49 10285040 ----a-w- C:\mbam-setup-1.75.0.1300.exe
2013-11-13 18:01:51 5955760 ----a-w- C:\SparkTrust PC Cleaner Plus Setup (1).exe
2013-11-13 17:59:42 5955760 ----a-w- C:\SparkTrust PC Cleaner Plus Setup.exe
2013-11-13 17:35:54 707664 ----a-w- C:\SZSetup_AID10121_AV.exe
2013-11-13 03:37:24 369 ----a-w- C:\studioDV.bat
2013-11-13 02:59:42 150528 ----a-w- c:\windows\system32\imagehlp.dll
2013-11-12 03:16:34 35800192 ----a-w- C:\sketchupwen.exe
2013-11-11 02:57:14 210 ----a-w- C:\D-LINK.BAT
2013-11-10 16:02:00 951 ----a-w- C:\QF9700.BAT
2013-11-09 18:56:36 147 ----a-w- C:\tracert.bat
2013-11-09 18:55:24 96 ----a-w- C:\ping-vif.bat
2013-11-09 18:54:57 354 ----a-w- C:\pingit.bat
2013-11-08 19:08:07 70 ----a-w- C:\hypert.bat
2013-11-07 21:51:42 4741 ----a-w- C:\chest.bat
2013-11-07 17:35:47 502 ----a-w- C:\blat-mailer.bat
2013-11-07 05:38:51 591360 ----a-w- c:\windows\system32\rpcrt4.dll
2013-11-07 01:12:31 1632 ----a-w- C:\telnet-modem.bat
2013-11-07 01:05:23 0 ----a-w- C:\d-link-op.bat
2013-11-06 18:46:31 231760 ----a-w- c:\windows\system32\drivers\truecrypt.sys
2013-11-06 14:40:20 2188 ----a-w- C:\VIR-X.BAT
2013-11-06 01:03:31 7168 ----a-w- c:\windows\system32\xpsp4res.dll
2013-11-05 18:22:11 55 ----a-w- C:\d-link4.bat
2013-11-05 17:25:22 497 ----a-w- C:\win7drv.bat
2013-11-05 05:09:23 55 ----a-w- C:\d-link2.bat
2013-11-04 18:08:59 900 ----a-w- C:\TP-LINK.BAT
2013-11-04 00:21:44 28 ----a-w- C:\SYSFILES.BAT
2013-11-04 00:09:28 69 ----a-w- C:\FIX.BAT
2013-10-31 21:30:40 19391 ----a-w- C:\deltree.exe
2013-10-31 00:03:17 98 ----a-w- C:\dosbox-cfg.bat
2013-10-30 14:45:22 2093 ----a-w- C:\vir-loc.bat
2013-10-30 02:26:17 1879040 ----a-w- c:\windows\system32\win32k.sys
2013-10-29 16:06:53 462 ----a-w- C:\dlink.bat
2013-10-29 07:57:34 920064 ----a-w- c:\windows\system32\wininet.dll
2013-10-29 07:57:33 43520 ------w- c:\windows\system32\licmgr10.dll
2013-10-29 07:57:33 18944 ----a-w- c:\windows\system32\corpol.dll
2013-10-29 07:57:33 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-10-29 00:45:02 385024 ------w- c:\windows\system32\html.iec
2013-10-26 16:05:15 354 ----a-w- C:\dsl.bat
2013-10-25 13:02:54 37 ----a-w- C:\ipcon.bat
2013-10-23 23:45:49 172032 ----a-w- c:\windows\system32\scrrun.dll
2013-10-21 03:27:04 2324 ----a-w- C:\MS-err.bat
2013-10-20 20:23:58 267 ----a-w- C:\drv-long-dir.bat
2013-10-19 11:40:53 548 ----a-w- C:\win95-drivers.bat
2013-10-17 05:31:32 371 ----a-w- C:\adobe.bat
2013-10-17 05:10:19 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-10-17 05:10:19 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-10-17 04:34:51 545 ----a-w- c:\documents and settings\administrator\win95-drivers.bat
2013-10-17 03:35:26 1071832 ----a-w- C:\install_flashplayer11x32ax_gtba_chra_dy_aaa_aih2.exe
2013-10-16 20:29:05 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2013-10-12 15:56:19 278528 ----a-w- c:\windows\system32\oakley.dll
2013-10-12 13:26:05 31 ----a-w- C:\drv.bat
2013-10-09 13:12:48 287744 ----a-w- c:\windows\system32\gdi32.dll
2013-10-07 10:59:21 603136 ----a-w- c:\windows\system32\crypt32.dll
2013-09-24 17:03:42 3361 ----a-w- C:\findme.bat
2013-09-24 01:01:44 745 ----a-w- C:\find-me.bat
.
============= FINISH: 22:49:52.34 ===============
 
ATTACH.TXT  

attach.txt
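As an added triage example (not code from the thread, the DDS tool or Malwarebytes), here is a small parser for the SERVICES / DRIVERS and Created Last 30 sections of a DDS.txt like the one above. It flags service registrations whose image file DDS could not locate (the `--> path [?]` lines, typically left behind by an uninstalled product) and running services whose image file was created within the last 30 days; the line formats are inferred from the log shown, and the embedded sample is constructed from a few of its entries.

```python
"""Triage helper for a DDS.txt log (added example; not the DDS tool's or the
forum's own code).  It reads the "SERVICES / DRIVERS" and "Created Last 30"
sections and reports (a) service/driver registrations whose image file DDS
could not locate ("registered path --> resolved path [?]") and (b) running
services whose image file was created within the last 30 days.  The line
formats below are inferred from the log posted in the thread."""
import re
from typing import Dict, List, Tuple

# Constructed sample, built from a few lines of the thread's DDS.txt.
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2013-9-17 134248]
R3 FILEMON;FILEMON;c:\windows\system32\drivers\FILEM.SYS [2013-12-19 57612]
R4 REGMON;REGMON;c:\windows\system32\drivers\REGSYS.SYS [2013-12-19 38220]
S1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys --> c:\windows\system32\drivers\sbaphd.sys [?]
S3 esgiguard;esgiguard;\??\c:\program files\enigma software group\spyhunter\esgiguard.sys --> c:\program files\enigma software group\spyhunter\esgiguard.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [1980-1-1 14336]
.
=============== Created Last 30 ================
.
2013-12-20 02:06:04 38220 ------w- c:\windows\system32\drivers\REGSYS.SYS
2013-12-19 22:24:23 57612 ------w- c:\windows\system32\drivers\FILEM.SYS
2013-12-19 17:53:14 -------- d-----w- C:\FRST
.
==================== Find3M  ====================
"""

# "R"/"S" = running/stopped; the digit is the Windows service start type.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
FOUND_RE = re.compile(r"^(?P<path>.+?) \[(?P<date>\S+) (?P<size>\d+)\]$")
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} (?:\d+|-+) \S+ (?P<path>.+)$")
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}


def _section(text: str, title: str) -> List[str]:
    """Return the lines under the '=== title ===' banner, up to the next banner."""
    inside, out = False, []
    for line in text.splitlines():
        if line.startswith("="):           # every DDS section banner starts with '='
            inside = title in line
        elif inside and line != ".":       # DDS pads sections with lone '.' lines
            out.append(line)
    return out


def image_file(path: str) -> str:
    """Normalise an image path for matching: lower-case, drop the NT '\\??\\'
    prefix and any trailing arguments such as 'svchost.exe -k WINRM'."""
    p = path.lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    m = re.match(r"^(.*?\.(?:exe|sys|dll))(?:\s|$)", p)
    return m.group(1) if m else p


def parse_services(text: str) -> List[dict]:
    entries = []
    for line in _section(text, "SERVICES / DRIVERS"):
        m = SERVICE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        entry = {
            "name": m.group("name"), "display": m.group("display"),
            "running": m.group("state") == "R", "start": START_TYPES[m.group("start")],
            "missing": rest.endswith("[?]"), "path": "",
        }
        if entry["missing"]:
            # "registered --> resolved [?]": keep the resolved path DDS looked for
            entry["path"] = rest.split("-->")[-1].rsplit("[?]", 1)[0].strip()
        else:
            fm = FOUND_RE.match(rest)
            if fm:
                entry["path"], entry["size"] = fm.group("path"), int(fm.group("size"))
        entries.append(entry)
    return entries


def parse_created(text: str) -> Dict[str, str]:
    """Map each path in 'Created Last 30' (lower-cased) to its creation date."""
    created = {}
    for line in _section(text, "Created Last 30"):
        m = CREATED_RE.match(line)
        if m:
            created[m.group("path").lower()] = m.group("date")
    return created


def missing_file_entries(entries: List[dict]) -> List[dict]:
    return [e for e in entries if e["missing"]]


def new_and_running(entries: List[dict], created: Dict[str, str]) -> List[Tuple[str, str]]:
    """Running services whose image file appears in 'Created Last 30'."""
    return [(e["name"], created[image_file(e["path"])])
            for e in entries if e["running"] and image_file(e["path"]) in created]


if __name__ == "__main__":
    svc = parse_services(SAMPLE_DDS)
    for e in missing_file_entries(svc):
        print(f"missing image : {e['name']} ({e['start']} start) -> {e['path']}")
    for name, date in new_and_running(svc, parse_created(SAMPLE_DDS)):
        print(f"new + running : {name} created {date}")
```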


  • Root Admin

Please do the following to see if we can clean up some of this as the logs still show some invalid behavior from some files.

 

Go run this routine and remove and reinstall MBAM

MBAM Clean Removal Process
 

 

Then, as you should already have MBAR installed, go to the folder where you extracted it and find the PLUGIN folder. In that folder you'll find a file named FIXDAMAGE.EXE; please double click on that file, run it, and then restart the computer.

 

IF you don't have MBAR then run this to get MBAR

 

Please download Malwarebytes Anti-Rootkit from HERE
If needed there is a self help tutorial here: MBAR tutorial

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt


What is very strange is that Windows Security Center tells me that virus protection is OFF, when in fact when I look into my SuperAntiSpyware AV program and go into PREFERENCES --> REAL-TIME PROTECTION ---> the ENABLE REAL TIME PROTECTION box is checked!

What gives here?

I have (perhaps an illusion) thought I had REAL TIME PROTECTION enabled, and when I went back some time later to check it was unchecked.

 

XCowboy


If SuperAntiSpyware is not an antivirus program, why does it have an ENABLE REAL TIME PROTECTION box?

Yes I ran fixdamage.exe, where I even made a note in my files, as I have cut and copied here for your viewing pleasure. See below:

I think you should warn people how long it could take for your Icons to reappear after rebooting. I was ready to reboot to an older version of the registry because I thought the system was screwed up for good.

NOTE:
*** It takes forever after rebooting for the screen ICONS program
     links to re-appear after running FIXDAMAGE.EXE.
     It looks like your system has lost it!
 
I will have DDS.txt and Attach.txt in my next post

  • Root Admin

Whether a program has real time or not has nothing to do with whether or not they are an antivirus program.

 

As for alerting to the time it takes, that is quite subjective, as some computers make the change almost instantaneously and see no lag. Some run scans in a couple of minutes, some in 30 minutes or more. Patience is a virtue when dealing with computers. Don't be so quick to force things.

 

Unless you're actively using their services I would recommend that you uninstall the iYogi program from your computer via the Control Panel, Add/Remove applet.  http://www.iyogi.net/

 

ESET NOD32 Antivirus appears to be the installed and running antivirus for you at this time.

 

 

How is the computer running now?


I just removed iyogi from the system. It was running (I don't even know what?)

ESET NOD32 Antivirus has expired according to what messages I receive, yet I'm not sure?

Aside from the just completed SUPERAntiSpyware run which took 2 hours, and I received 322 cookie type threats found which are deemed NOT critical and I did not remove (I don't necessarily want to play around with cookies, since often then you need to re-enter passwords and details when visiting sites you normally have instant access to.)

Other than that the computer behaves well all in all.

It never really had any serious issues; only some AV programs bring out the fear in people, and some AV online programs want to scare people into purchasing their probably virus and trojan infested stuff?

Where are we now?

What about my previous query about my XP (NO SP) machine? Are there any AV programs that will work on the old XP straight up systems, or do I have to upgrade it to XP SP+++?

Meanwhile thank you for your assistance!

XCowboy


  • Root Admin

If ESET NOD32 has expired and you don't wish to renew it then please uninstall it and choose one of the free versions of either AVIRA or AVAST

 

As for supporting XP without any Service Pack I'm not aware of any that do and I would highly suggest installing Service Pack 3

At this point in time, Windows XP without Service Pack 3 and the many other critical updates made available by Microsoft, your computer is Swiss cheese already and waiting to be attacked. Either get it up to date or don't even bother with it, as there is no easy/good way to protect it without the updates from Microsoft. Speaking of which, Microsoft will stop supporting and updating Windows XP come April 2014 anyways... so you may want to start looking at possibly updating to Windows 7 or 8 if possible.


Microsoft Security Center does not recognize SUPERAntiSpyware as an anti-virus detecting agent, yet even your AV removal site on MalwareBytes, as I show below, lists it as virus detector software.

SUPERAntiSpyware caught a (what we used to call a boot track virus) RootKit virus, as I previously said in one of my discussions with you people:

"I ended up downloading FREE SUPERAntiSpyware. It found Trojan Trojan.Agent/Gen-Cryptor on my 16G dual bootable Memory Stick
 
It also found:
Memory items scanned      : 435
Memory threats detected   : 0
Registry items scanned    : 36637
Registry threats detected : 0
File items scanned        : 55053
File threats detected     : 430 
 
And best of all, it did not demand anything from me!
 
Now I installed mbar.exe in c:\mbar and ran it. I left my UBUNTU bootable memory stick in as drive F: I wonder if mbar will catch and destroy the Rootkit/Trojan Trojan.Agent/Gen-Cryptor, because I did not allow SUPERAntiSpyware to remove anything; in fact it is currently ready and requesting if I want to remove all malware agents and Adware Tracking cookies it found."
 
None of your programs, as far as I am aware, ever saw this agent, yet you and Micro$lop say that SUPERAntiSpyware is not an antivirus tool/agent.
 
I found, as again I mentioned earlier, AVIRA acts more like a virus itself as much as it might be a good AV detector.
 
As for AVAST, when I got the computer it had AVAST on it and it seems like it let a lot of [PUP] agents onto the OS and files.
 
As for some of your programs, as I mentioned earlier, it flagged SYS.BAT as a contaminated file when I know for a fact it was NOT, and in fact as I said earlier, its twin sister (exactly the same file size, only named in its stead SYS.BAK) was not flagged. Search back into the first page of this forum item.
 
Which brings me to ask a lot of questions about who knows what about what?
 
I purchased the laptop XP (0 SP) because I could afford the $20 to get it, as well I inherited the problems that came with the IBM Tower PC XP (SP3) when I purchased it second hand because I could afford it.
Some people are not as lucky or have not been screwed around by a system that invariably screws with people!

With due respect
Regards,
 
XCowboy
 
 

  • Root Admin

Well I'm sorry but I'm not going to get into any philosophical debates or discussions with you.

SUPERAntispyware is not an antivirus product and if you think it is that's up to you, I won't discuss it any further.

 

As for installing SP3 on your other computer again if you don't want to that's up to you.

 

If you no longer want any help or don't believe what I'm telling you that's fine - just say so and I'll go ahead and close your topic as there are many other users looking for help.

Detecting and removing an infection requires a lot of review and scanning, and even then things can slip by.  If you want a 100% clean system with no questions asked then FDISK, FORMAT and reinstall Windows from scratch and you won't have any infections.

 

Thank you


 

"Well I'm sorry but I'm not going to get into any philosophical debates or discussions with you. SUPERAntispyware is not an antivirus product and if you think it is that's up to you, I won't discuss it any further."

Yes I still need your assistance, however I feel compelled to segue into the very essence of what I see as more general issues you people have brought to the fore via our Internet discussions.

As it turns out you were right that SUPERAntispyware is NOT an antivirus program, according to feedback I received last night from the company itself:

"Your support ticket CSR00114907 has been updated"

Q1) When a scan takes place, does your software still maintain vigilance on intruders, malware, agents etc.?

Q2) Is your Trial version of SuperAntiSpyware considered an official AV program? Microsoft Security Center (in Windows Control Panel) does not recognize SUPERAntiSpyware as an anti-virus detecting agent, because when I have it running it advises me my computer is UNPROTECTED!

ANSWER

Dec 23 2013 (Mon) 2:51:56 PM PST

SUPERAntiSpyware.com Replied:

Chris,

1.)  Yes.

2.)  No.  SUPERAntiSpyware is an anti-malware/spyware product.  You should still be running a dedicated anti-virus as well.  Avast is a very good free option.

1) Note: It is not I who said that SUPERAntispyware was an antivirus program. It is in fact that it is listed in your "List of Uninstaller Tools" on your link below along with plenty of other AV programs. I assumed SUPERAntispyware was an antivirus program itself! It's all too confusing now.

Your listing of AV products and removal instructions:

Information: List of Uninstaller Tools
Started by AdvancedSetup, Jun 10 2013 08:25 PM

Norman Virus Control / Norman Security Suite: Site 1 | Site 2 |
Norman Ad-Aware : Site | File PDF
Norton Antivirus: Site | File
Norton [Toshiba] PC Checkup Uninstall: Site
Novell Cheyenne InocuLAN Anti-Virus: Site | File
nProtect Anti-Virus/Spyware: Site | File no longer appears to be available
SUPERAntiSpyware Support.com: Site | File x86 | File x64

In fact on December 18th, I have on record in its archives, SUPERAntiSpyware found the following Rootkit virus when none of your tools ever reported it to my knowledge.
Trojan.Agent/Gen-Cryptor
D:\SYSTEM VOLUME INFORMATION\_RESTORE{9DA9F6DF-D0BF-4EC3-B32B-87D275394BBF}\RP22\A0007499.EXE

According to SUPERAntiSpyware archives, it was removed Thursday Dec 19th when I commanded the program to clean everything.

None of all the other so called REAL AV programs I was previously running, including AVAST, AVG, StopZilla, ESET, MalwareBytes Anti Malware, etc., found Trojan.Agent/Gen-Cryptor.

So what gives here?

I now installed AD-AWARE and it found 3 copies of Trojan.html.fakealert.P
1) c:\documents and settings\administrator\desktop\combofix_files\7848fda04

I had all put into quarantine.

"As for installing SP3 on your other computer again if you don't want to that's up to you."

My other computer is an ACER Laptop. I just thought when I first opened this topic/thread (exactly 1 month ago) someone in your area of expertise (being that you people deal with dozens or hundreds of people a year) would have known of an AV tool that still worked on systems that ran XP (SP NULL/0).
--> THUS THE name of this thread.

I know it's my decision to upgrade or not. I guess the unavailability of an AV tool precludes the necessity to upgrade, so in effect it really is not my decision to make either; so in effect, with the feedback I get from you all, I have no choice but to upgrade or effectively trash the laptop.

"If you no longer want any help or don't believe what I'm telling you that's fine - just say so and I'll go ahead and close your topic as there are many other users looking for help."

As I said above, I really do need your continued help and assistance!

"Detecting and removing an infection requires a lot of review and scanning and even then things can slip by.  If you want a 100% clean system with no questions asked then FDISK, FORMAT and reinstall Windows from scratch and you won't have any infections."

I really don't want to get philosophical either, but again, like the upgrade issue, it is really not my decision to make but the call to do what has to be done, so now I have to get philosophical to the point where now even doctors have been forced to listen to their patients for a change:

As you people seem to act as though you were doctors:
This thread  Posted 14 December 2013 - 11:10 PM

"No problem.  I will assist you.  Please just follow my directions and don't self medicate following other topics."

Telling me not to Self Medicate, I thought I'd throw in an analogy with my very real experience with medical doctors themselves.

I myself was near death (down from 155 lbs to 90 lbs and yet looking like I was a pregnant woman with twins - hospitalized then for over 2 months) when my doctor told me I needed a liver transplant if I wanted to live.

I had found on the Internet a poisoning called PAs (Pyrrolizidine Alkaloids) and was sure that was what I had, and did not follow his advice, and I'm still alive and well nearly 20 years later.
Back to now 5'11 and 155 lbs.

On a recent radio show a well known doctor, Goldman, brings up that very topic.

"That victory convinced deBronkart that the internet's access to knowledge could turn patients into powerful agents who have the ability to manage their own health."

More and more doctors are realizing they need to listen to their patients and occasionally even learn from them.

I know it is tempting to simply Fdisk the thing, but boot sector viruses, or in this case probably Rootkit/Trojan Trojan.Agent/Gen-Cryptor found by my (your so called non AV agent/product) AV tool SUPERAntiSpyware (btw: after none of your tools appeared to even notice it on my system), are removable. The tools are available today, like WINICE that used to work on Win95 and NT.

If you (we) give up then I guess the hackers won and we'll all just FDISK every HD, Bootable Memory Stick with boot sector, etc. on every system!

I don't think that is an option given the tools at our disposal!

And YES I still appreciate and respect all your ability, knowledge, and experience! It surpasses mine to be sure, and I'm sure together we can beat these malwares thrust upon us by people with apparently nothing better to do, like graffiti artists, only they don't affect millions of people.

My knowledge is dated to say the least but the same principles still apply.

I hope you continue to work with me and that you also understand where I'm coming from.

XCowboy


  • Root Admin

No problem.   We'll continue to support you with malware detection and removal.

 

Please describe the issue you currently see on the computer (1 computer at a time, we'll get to the others once we're done with the main one)

 

PLEASE NOTE:  It is Christmas tomorrow and Holiday Season so response times can take a while.


Après-Christmas Greetings!

The only problems Ad-Aware finds now have, I believe, already been quarantined by previous passes of other software.

They are as follows:

 

adaware.dealply.F   c:\program files\dealply\dealply.dealply.crx.vir
gen.heur.VIZ.7        C:\system volume information\_restore(29FD9B63-4F58-4DB0-B2C4-8709D5244F27\RP55\A0031676.vpx
gen.heur.VIZ.7        C:\system volume information\_restore(29FD9B63-4F58-4DB0-B2C4-8709D5244F27\RP55\A0031682.vpx
gen.heur.VIZ.7        C:\system volume information\_restore(29FD9B63-4F58-4DB0-B2C4-8709D5244F27\RP55\A0031755.vpx
 
XCowboy

  • Root Admin

Those are remnants and I would need to see the actual log.  Those in the System Volume are due to not cleaning out the old Restore Points (often that is not done until we're done just in case a restore is needed). 

 

If the folder Dealply is still there then I would recommend you remove it.  If you cannot then let me know and we'll use a tool to do so.

 

The only concern I had for the most part was that some of your services looked to not be working properly in one of the logs.

 

Please restart the computer a couple of times and then delete the FRST program and its logs.  Then download a new fresh copy and run it again and post back the 2 new logs please.

 

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.


 

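An added example (editor's illustration, not code from the thread or from Ad-Aware, FRST or any other tool named here): a small Python triage script that sorts scanner detections of the kind quoted above into three bins, copies held in XP System Restore snapshots (paths under System Volume Information\_restore{GUID}\RPnn\, which is why the helper says they go away when old restore points are purged), copies that a scanner has already renamed to .vir, and files that are still live and need a look. The sample lines are constructed after the Ad-Aware entries in the post, with one made-up "live" hit added at the end; treating a .vir suffix as a quarantine marker is an assumption, as is the "(" form of the restore path, which the regex tolerates because copy-pasted logs often lose the braces.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the "<detection name>  <path>" shape of the entries
# quoted in the thread. The last line is made up to show a "live" hit; it is
# not a detection from the poster's machine.
SAMPLE_DETECTIONS = r"""
adaware.dealply.F   c:\program files\dealply\dealply.dealply.crx.vir
gen.heur.VIZ.7        C:\system volume information\_restore{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}\RP55\A0031676.vpx
gen.heur.VIZ.7        C:\system volume information\_restore{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}\RP55\A0031682.vpx
gen.heur.VIZ.7        C:\system volume information\_restore(29FD9B63-4F58-4DB0-B2C4-8709D5244F27\RP55\A0031755.vpx
Sample.Live.Hit       C:\Documents and Settings\Administrator\Local Settings\Temp\constructed_example.exe
"""

# XP System Restore keeps snapshot copies under
# \System Volume Information\_restore{GUID}\RPnn\ . The brace is optional and a
# "(" is accepted too, because pasted logs often mangle it.
RESTORE_RE = re.compile(
    r"\\system volume information\\_restore[({]?(?P<guid>[0-9a-f-]{36})[)}]?\\rp(?P<rp>\d+)\\",
    re.IGNORECASE,
)
# Assumption: a ".vir" suffix marks a copy already renamed/neutralised by another scanner.
QUARANTINE_EXTS = (".vir",)


@dataclass
class Detection:
    name: str
    path: str
    category: str  # "restore_point", "quarantined" or "live"
    note: str


def classify(name: str, path: str) -> Detection:
    """Decide what kind of object a detection points at, from its path alone."""
    m = RESTORE_RE.search(path)
    if m:
        return Detection(name, path, "restore_point",
                         f"snapshot copy in RP{m.group('rp')} of {m.group('guid')}; "
                         "gone once old restore points are purged")
    if path.lower().endswith(QUARANTINE_EXTS):
        return Detection(name, path, "quarantined",
                         "renamed copy, not runnable as-is; delete or leave for the helper")
    return Detection(name, path, "live", "active file: review before the next scan")


def parse_detections(text: str) -> List[Detection]:
    """Parse "<name> <path>" lines; detection names carry no spaces, paths may."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, path = re.split(r"\s+", line, maxsplit=1)
        out.append(classify(name, path))
    return out


def summarize(dets: List[Detection]) -> Dict[str, int]:
    """Count detections per category, e.g. {'restore_point': 3, ...}."""
    return dict(Counter(d.category for d in dets))


if __name__ == "__main__":
    dets = parse_detections(SAMPLE_DETECTIONS)
    for d in dets:
        print(f"{d.category:13} {d.name:22} {d.path}")
        print(f"{'':13} {d.note}")
    print(summarize(dets))
```

Run against a real log, the "live" bucket is the only one that changes the course of the cleanup; the other two are what the helper above calls remnants.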

OK so I did what you requested.

 

I rebooted twice.

 

I have added attachment of the log files

 

I deleted frst directory tree

I downloaded and ran FRST

 

I include the newly created Addition.txt and FRST.txt files:

FRST.txt

Addition.txt

20131226T211716.828125PID1952_AdAwareService.log

20131226T211857.234375PID3488_AdAwareDesktop.log

20131226T211900.843750PID3684_AdAwareTray.log

Quarantine.txt


  • Root Admin

Well the logs show that some services are still not starting or are crashing.  Please run the fix below and we'll run some other tools to see if we can fix this or not.

 

 

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.
 

fixlist.txt


I will run these tools tomorrow since I am heading out right now on an assignment.

I am well aware of certain runtime events that are asked for in the registry which I have still not removed and whose executables I have disabled (renamed from .exe to .ex) to speed up my system, most notably the unnecessary and, upon system boot-up, very time consuming PRTG software.

i.e.

 

 Directory of C:\usr\snmp\persist
 
11/06/2013  09:33 PM    <DIR>          .
11/06/2013  09:33 PM    <DIR>          ..
10/28/2013  08:01 PM    <DIR>          mib_indexes
11/06/2013  09:33 PM               700 prtg.conf
               1 File(s)            700 bytes
               3 Dir(s)  11,629,273,088 bytes free
 Volume in drive C is IBM_PRELOAD
 Volume Serial Number is 8C05-D993
 
 Directory of C:\PROGRA~1\PRTGNE~1
 
10/17/2013  04:18 PM         8,814,304 PRTG Probe.ex
10/17/2013  04:18 PM         7,232,736 PRTG Server.ex

 

 

If some of these types of programs are the ones you are referring to then they are not a problem but a result of deliberate action on my part.

 

Thankx and talk to you tomorrow!

 

XCowboy

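An added example (editor's code, not from the thread and not from FRST): the practical point of the last two posts is that renaming an executable from .exe to .ex while leaving its Run entry or service ImagePath in place produces exactly the "service not starting" symptom a log reviewer sees, so the reviewer cannot tell deliberate disabling from damage without knowing the history. The Python below resolves each autostart command line to its target the way Windows does (a quoted path is taken as-is; an unquoted path with spaces is tried prefix by prefix, with and without .exe, which is also why unquoted service paths are a classic privilege-escalation hazard), reports entries whose target is missing, and flags a .ex sibling as the likely cause. The entry names, the command lines and the in-memory filesystem are constructed for the demo and nothing is read from a real registry; the PRTG directory uses the 8.3 path from the listing above.

```python
import re
from typing import Callable, Dict, List, Tuple

ENV_RE = re.compile(r"%([^%]+)%")
EXEC_EXTS = (".exe", ".com", ".scr", ".dll", ".sys")


def expand_env(command: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references from a supplied environment (keys lower-case)."""
    return ENV_RE.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), command)


def resolve_target(command: str, exists: Callable[[str], bool]) -> Tuple[str, bool]:
    """Work out which file a Run/ImagePath command line points at.

    A quoted command is unambiguous. An unquoted command containing spaces is
    resolved as CreateProcess does: each space-delimited prefix is tried, with
    and without ".exe", and the first existing file wins. Returns (path, found).
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        target = command[1:end] if end > 0 else command[1:]
        return target, exists(target)
    parts = command.split(" ")
    candidates = [" ".join(parts[: i + 1]) for i in range(len(parts))]
    for cand in candidates:
        if exists(cand):
            return cand, True
        if exists(cand + ".exe"):
            return cand + ".exe", True
    # Nothing exists: report the first prefix that looks like an executable.
    for cand in candidates:
        if cand.lower().endswith(EXEC_EXTS):
            return cand, False
    return candidates[0], False


def find_dangling(entries: Dict[str, str], exists: Callable[[str], bool],
                  env: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (entry, target, note) for every autostart whose target is missing."""
    dangling = []
    for name, command in entries.items():
        target, found = resolve_target(expand_env(command, env), exists)
        if found:
            continue
        stem, dot, _ext = target.rpartition(".")
        note = "no file"
        if dot and exists(stem + ".ex"):
            note = "present as .ex: renamed by hand, so the Run/service entry cannot start it"
        dangling.append((name, target, note))
    return dangling


# Constructed filesystem for the demo: the two PRTG binaries exist only under
# their renamed ".ex" names, as in the directory listing in the post above.
FAKE_FS = {
    r"c:\windows\system32\ctfmon.exe",
    r"c:\program files\superantispyware\superantispyware.exe",
    r"c:\progra~1\prtgne~1\prtg probe.ex",
    r"c:\progra~1\prtgne~1\prtg server.ex",
}


def fake_exists(path: str) -> bool:
    return path.lower() in FAKE_FS


# Constructed autostart entries; the names and command lines are hypothetical,
# not taken from the poster's FRST logs.
AUTOSTARTS = {
    r"HKLM\...\Run: ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    r"HKCU\...\Run: SUPERAntiSpyware": r'"C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"',
    r"Service: PRTGProbeService": r"C:\PROGRA~1\PRTGNE~1\PRTG Probe.exe",  # unquoted, has a space
    r"Service: PRTGCoreService": r'"C:\PROGRA~1\PRTGNE~1\PRTG Server.exe" /service',
    r"HKLM\...\Run: Example": r"%SystemRoot%\system32\constructed_missing.exe",
}
ENV = {"systemroot": r"C:\WINDOWS"}


def demo() -> List[Tuple[str, str, str]]:
    return find_dangling(AUTOSTARTS, fake_exists, ENV)


if __name__ == "__main__":
    for entry, target, note in demo():
        print(f"{entry}\n    -> {target}\n    {note}")
```

On a real machine the `exists` argument would be `os.path.exists` and the entries would come from the Run keys and the services' ImagePath values; the point of keeping the lookup injectable is that the same logic can be run over an offline image or a pasted log.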

This topic is now closed to further replies.