
PUP infection



Hello, my computer is infected with PUP, and likely others. I am attaching the DDS & Attach files. I ran MBAM earlier this week, the problem reoccurred, so I ran it again last night and had the same problems. I also ran an Avast scan after MBAM and it found a "Threat". I am including those scan results if they are of any use. Thank you in advance for any assistance.

dds.txt

attach.txt

mbam-log-2014-01-24 (23-50-38).txt

mbam-log-2014-01-30 (04-19-08).txt

avastscan.txt


  • Staff

Hello farmer68623

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely. I have spent my time putting together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

These are the programs I would like you to run next; if you have any problems with one of these just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[s1].txt as well.
-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
When they are complete let me have the two reports and let me know how things are running.

Gringo


Hello Gringo,

 

Thank you for responding to my post. To be honest I know y'all are busy, but I didn't expect that long of a delay. I hate to get wordy, but here goes... I didn't think anyone was going to respond to my post. I really need this machine, even though it is antiquated and to be retired soon. So... I googled PUP:Optional.MySearchDial from the Malwarebytes forum by Stelian Pilici, who claimed to be an MBAM Trusted Advisor. I followed his step-by-step instructions, and the first 2 are the same as you recommend. Well, it found a bunch of stuff and supposedly cleaned things up. I still have issues; I hope you can help even though I ventured out on my own in frustration.

I hope you are able to assist me at this juncture in my dilemma. I will be using a flash drive back and forth between a clean machine and the problem child at hand.

So, if you can assist me, where do we start from?

 

Thank you for any and all assistance

 

The Mean Farmer


Greetings Gringo, and once again thanks for your help. Pasted below are the logs from the 2 tools I ran.

 

# AdwCleaner v3.018 - Report created 08/02/2014 at 18:22:49
# Updated 28/01/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Amanda - CREIGHTO-CGTHAC
# Running from : C:\Documents and Settings\Amanda\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v27.0 (en-US)

[ File : C:\Documents and Settings\Amanda\Application Data\Mozilla\Firefox\Profiles\3e5tpy9j.default\prefs.js ]


*************************

AdwCleaner[R0].txt - [1303 octets] - [04/02/2014 22:10:08]
AdwCleaner[R1].txt - [490 octets] - [08/02/2014 18:05:39]
AdwCleaner[R2].txt - [992 octets] - [08/02/2014 18:10:28]
AdwCleaner[s0].txt - [1187 octets] - [04/02/2014 22:19:11]
AdwCleaner[s1].txt - [914 octets] - [08/02/2014 18:22:49]

########## EOF - C:\AdwCleaner\AdwCleaner[s1].txt - [973 octets] ##########
 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.1 (02.04.2014:1)
OS: Microsoft Windows XP x86
Ran by Amanda on Sat 02/08/2014 at 18:57:24.74
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 02/08/2014 at 19:12:54.05
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

I am curious about the Mozilla reference in the ADW txt, as when I was using Firefox yesterday morning all kinds of strange things were going on; as near as I could tell it was loading, or attempting to load, tons of different tracking cookies. But you're the PRO! I leave it to you ~ hope to hear from you again soon.

 

Thanks again ~ The Mean Farmer


  • Staff

Hello farmer68623

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

1. Close any open browsers or any other programs that are open.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
    • Log from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now?
Gringo

Hello Gringo, below is the log file from Combofix :

 

ComboFix 14-02-11.01 - Amanda 02/11/2014  22:24:49.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.511.233 [GMT -6:00]
Running from: c:\documents and settings\Amanda\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Amanda\Local Settings\Temporary Internet Files\Dell_c800_mainview.gif
c:\program files\AVAST Software\Avast\setup\28fa7f01-598c-4171-9478-f2c82a31c9f8.exe
c:\windows\system32\cache329
c:\windows\system32\cache329\B_329_4_1_646400.htm
c:\windows\system32\dllcache\wmpvis.dll
c:\windows\system32\drivers\etc\hosts.ics
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_SVCPROC
-------\Legacy_WINDOWS_OVERLAY_COMPONENTS
-------\Legacy_WINDOWS_VISFX_COMPONENTS
-------\Service_SvcProc
.
.
(((((((((((((((((((((((((   Files Created from 2014-01-12 to 2014-02-12  )))))))))))))))))))))))))))))))
.
.
2014-02-06 07:46 . 2014-02-06 07:46    --------    d-----w-    c:\program files\Mozilla Maintenance Service
2014-02-05 05:37 . 2014-02-05 05:58    --------    d-----w-    c:\documents and settings\All Users\Application Data\HitmanPro
2014-02-05 04:09 . 2014-02-09 00:22    --------    d-----w-    C:\AdwCleaner
2014-02-04 10:53 . 2014-02-04 10:53    2855    ----a-w-    c:\windows\system32\redir.PIF
2014-01-25 07:25 . 2014-01-25 07:25    388096    ----a-r-    c:\documents and settings\Amanda\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2014-01-22 20:12 . 2014-01-22 20:12    --------    d-----w-    c:\documents and settings\Amanda\Local Settings\Application Data\PCHealth
2014-01-22 08:11 . 2014-01-22 08:11    --------    d-----w-    C:\cda69190891d4fbe794be4e0675b
2014-01-22 08:11 . 2014-01-22 08:14    --------    d-----w-    C:\2e0c62deeee44eddad40b62c53f11c
2014-01-22 05:08 . 2014-01-22 05:08    --------    d-----w-    c:\documents and settings\Amanda\Local Settings\Application Data\cache
2014-01-22 05:07 . 2014-02-05 05:21    --------    d-----w-    c:\documents and settings\Amanda\Local Settings\Application Data\genienext
2014-01-22 01:19 . 2014-01-22 01:19    --------    d-----w-    C:\9bd49e06d940713d0cda55cd
2014-01-22 01:18 . 2014-01-22 01:19    --------    d-----w-    C:\3e60a1d65a3f8059803dc205f5d6ce
2014-01-19 00:20 . 2014-01-19 00:20    --------    d-----w-    c:\program files\Trend Micro
2014-01-18 05:33 . 2014-01-18 05:33    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2014-01-18 05:33 . 2013-04-04 20:50    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-01-14 06:09 . 2014-02-04 07:01    --------    d-----w-    c:\windows\SxsCaPendDel
2014-01-14 03:27 . 2014-01-14 03:27    --------    d-----w-    c:\documents and settings\Amanda\Application Data\Oracle
2014-01-13 23:43 . 2014-01-13 23:43    --------    d-----w-    c:\program files\Linksys
2014-01-13 23:43 . 2014-01-13 23:43    --------    d-----w-    c:\documents and settings\Amanda\Application Data\InstallShield
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-02-06 04:55 . 2013-12-19 07:45    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-02-06 04:55 . 2013-12-19 07:45    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-02-05 16:32 . 2013-12-23 01:26    67824    ----a-w-    c:\windows\system32\drivers\aswmonflt.sys
2014-01-24 04:32 . 2013-12-23 01:27    57672    ----a-w-    c:\windows\system32\drivers\aswTdi.sys
2014-01-24 04:32 . 2013-12-23 01:27    410784    ----a-w-    c:\windows\system32\drivers\aswSP.sys
2014-01-24 04:32 . 2013-12-23 01:26    775952    ----a-w-    c:\windows\system32\drivers\aswSnx.sys
2014-01-24 04:32 . 2013-12-23 01:26    54832    ----a-w-    c:\windows\system32\drivers\aswRdr.sys
2014-01-24 04:32 . 2013-12-23 01:26    43152    ----a-w-    c:\windows\avastSS.scr
2014-01-24 04:32 . 2013-12-05 07:33    270240    ----a-w-    c:\windows\system32\aswBoot.exe
2013-12-24 05:20 . 2013-12-23 01:27    180248    ----a-w-    c:\windows\system32\drivers\aswVmm.sys
2013-12-23 01:26 . 2013-12-23 01:27    49944    ----a-w-    c:\windows\system32\drivers\aswRvrt.sys
2013-12-05 10:43 . 2013-12-05 10:43    1700352    ----a-w-    c:\windows\system32\gdiplus.dll
2013-12-05 10:43 . 2013-12-05 10:43    1060864    ----a-w-    c:\windows\system32\mfc71.dll
2013-11-27 20:21 . 2002-09-03 19:48    40960    ----a-w-    c:\windows\system32\drivers\ndproxy.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2014-01-24 04:32    259464    ----a-w-    c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2014-01-24 3767096]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-08-27 294912]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE -b -l [2001-2-13 83360]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe  /startup [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages    REG_MULTI_SZ       msv1_0 nwprovau
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"CiSvc"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:*:Disabled:Bittorrent
"6889:TCP"= 6889:TCP:Bit
"6884:TCP"= 6884:TCP:*:Disabled:Bittorrent
"6885:TCP"= 6885:TCP:*:Disabled:Bittorrent
"6886:TCP"= 6886:TCP:*:Disabled:Bittorent
"6887:TCP"= 6887:TCP:*:Disabled:Bittorent
"6888:TCP"= 6888:TCP:*:Disabled:Bittorent
"6969:TCP"= 6969:TCP:*:Disabled:Trigger Bittorent
"3724:TCP"= 3724:TCP:WOW
"6112:TCP"= 6112:TCP:WOW2
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)
.
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [12/22/2013 7:27 PM 49944]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [12/22/2013 7:27 PM 180248]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [12/22/2013 7:26 PM 775952]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/22/2013 7:27 PM 410784]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswmonflt.sys [12/22/2013 7:26 PM 67824]
R2 WPC600NSvc;WPC600NSvc;c:\program files\Linksys\WPC600N\WLService.exe [1/13/2014 5:44 PM 65596]
R3 ati2mtai;ati2mtai;c:\windows\system32\drivers\ati2mtai.sys [1/3/2014 11:54 PM 346752]
R3 maestro;ESS Maestro 3 Audio Driver (WDM);c:\windows\system32\drivers\es198x.sys [11/6/2004 9:20 PM 174464]
R3 wldel48b;Dell TrueMobile 1150 Series PCCard Driver;c:\windows\system32\drivers\wldel48b.sys [12/27/2013 12:22 AM 171520]
R3 WPC600N;Linksys Dual Band Wireless-N Notebook Adapter WPC600N;c:\windows\system32\drivers\WPC600N.SYS [1/13/2014 5:45 PM 822400]
S3 atimtai;atimtai;c:\windows\system32\drivers\atimtai.sys [11/6/2004 9:20 PM 281600]
S3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family;c:\windows\system32\drivers\cben5.sys [11/6/2004 9:21 PM 50498]
S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\Drivers\PROCEXP151.SYS --> c:\windows\system32\Drivers\PROCEXP151.SYS [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder
.
2014-02-06 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-12-19 04:55]
.
2014-02-12 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2013-12-23 04:32]
.
.
------- Supplementary Scan -------
.


uInternet Connection Wizard,ShellNext = iexplore
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 68.105.28.11 68.105.29.11
TCP: Interfaces\{B38BF4F5-866D-43FE-99F1-E18F0D90067C}: NameServer = 8.26.56.26,156.154.70.22


FF - ProfilePath - c:\documents and settings\Amanda\Application Data\Mozilla\Firefox\Profiles\3e5tpy9j.default\

.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-CIS_{15198508-521A-4D69-8E5B-B94A6CCFF805} - c:\documents and settings\All Users\Application Data\cisB.exe
MSConfigStartUp-mobilegeni daemon - c:\program files\Mobogenie\DaemonProcess.exe
MSConfigStartUp-MsgCenterExe - c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
AddRemove-AutoUpdate - c:\windows\system32\auto_update_uninstall.exe
AddRemove-VBRunDLL - c:\windows\system32\VBUninstall.exe
AddRemove-VisFx - c:\windows\visfxun.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-02-11 22:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1229272821-839522115-1957994488-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3764)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Linksys\WPC600N\WPC600N.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2014-02-11  22:59:26 - machine was rebooted
ComboFix-quarantined-files.txt  2014-02-12 04:59
.
Pre-Run: 9,865,691,136 bytes free
Post-Run: 10,291,818,496 bytes free
.
- - End Of File - - 2D5637F06578F54CB19614A489B28560
8F558EB6672622401DA993E1E865C861
 

 

My machine has been mostly in idle mode and offline since we started running your diagnostic programs. I have not yet gone online to see if things are "normal"; however, I will be doing that soon. I guess I have maybe a question or two regarding the log I posted. Although I cannot interpret the log findings, I'm concerned about some references in the log. Specifically, BitTorrent. BitTorrent and its like have been deleted, and other programs/folders that have been deleted reoccur. I see while observing scans that programs/files/folders that have been deleted appear during the scan process in various sub-folders. Is this a problem, and how do I permanently rid the machine of traces of deleted programs? So it's late and I'm tired; hope this makes sense. Look forward to your next response.

 

Thanks again,

Mean Farmer

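Reading a ComboFix log like the one above is mostly a matter of knowing which sections to pivot on. The script below is an added example (not a tool from this thread, from Malwarebytes or from ComboFix's author) that parses an excerpt of the posted log: it lists what was created on the day the first unwanted folders appeared (2014-01-22 in the log), the XP firewall port exceptions that outlived the BitTorrent client the poster says was removed, the static DNS servers set on the interface that differ from the DHCP-assigned ones, and the orphaned autostart entries ComboFix pruned. The `gone` name filter and the generated `netsh firewall delete portopening` commands are the example's own assumptions; `netsh firewall` is the XP-era context shown because the log says XP SP3, and it does not apply to Vista or later.

```python
"""Triage helper for a ComboFix log (added example, not a tool from this
thread). Parses the plain-text sections ComboFix writes and pulls out what
a responder checks first: files created in a date window, firewall port
exceptions that outlive the program that opened them, a static DNS override
that differs from the DHCP-assigned resolvers, and the orphaned autostart
entries ComboFix removed. SAMPLE is an excerpt of the posted log."""
import re

# Constructed excerpt of the posted log; line formats are preserved verbatim.
SAMPLE = r"""
(((((((((((((((((((((((((   Files Created from 2014-01-12 to 2014-02-12  )))))))))))))))))))))))))))))))
2014-02-04 10:53 . 2014-02-04 10:53    2855    ----a-w-    c:\windows\system32\redir.PIF
2014-01-22 05:07 . 2014-02-05 05:21    --------    d-----w-    c:\documents and settings\Amanda\Local Settings\Application Data\genienext
2014-01-22 01:19 . 2014-01-22 01:19    --------    d-----w-    C:\9bd49e06d940713d0cda55cd
2014-01-18 05:33 . 2014-01-18 05:33    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:*:Disabled:Bittorrent
"6889:TCP"= 6889:TCP:Bit
"3724:TCP"= 3724:TCP:WOW
TCP: DhcpNameServer = 192.168.1.1 68.105.28.11 68.105.29.11
TCP: Interfaces\{B38BF4F5-866D-43FE-99F1-E18F0D90067C}: NameServer = 8.26.56.26,156.154.70.22
- - - - ORPHANS REMOVED - - - -
HKLM-Run-CIS_{15198508-521A-4D69-8E5B-B94A6CCFF805} - c:\documents and settings\All Users\Application Data\cisB.exe
MSConfigStartUp-mobilegeni daemon - c:\program files\Mobogenie\DaemonProcess.exe
AddRemove-VisFx - c:\windows\visfxun.exe
"""

FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
                     r"\s+(\S+)\s+(\S+)\s+(.+?)\s*$")
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
DHCP_RE = re.compile(r"^TCP: DhcpNameServer = (.+)$")
STATIC_RE = re.compile(r"^TCP: Interfaces\\\{[0-9A-Fa-f-]+\}: NameServer = (.+)$")
ORPHAN_RE = re.compile(r"^([A-Za-z]+)-(.+?) - (.+)$")


def parse_files_created(text):
    """'Files Created' timeline entries: created, modified, size, attrs, path."""
    entries = []
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            created, modified, size, attrs, path = m.groups()
            entries.append({"created": created, "modified": modified,
                            "size": int(size) if size.isdigit() else None,
                            "attrs": attrs, "path": path})
    return entries


def created_between(entries, start, end):
    """Paths created on days start..end (ISO dates, inclusive): pivoting on the
    day the first unwanted folders appeared surfaces what arrived with them."""
    return [e["path"] for e in entries if start <= e["created"][:10] <= end]


def parse_open_ports(text):
    """XP firewall GloballyOpenPorts entries (port:proto:scope:state:name)."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            fields = m.group(3).split(":")
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          # no explicit 'Disabled' marker: treat the hole as live
                          "enabled": "Disabled" not in fields, "name": fields[-1]})
    return ports


def netsh_cleanup(ports, gone=("bit",)):
    """Commands that drop exceptions whose name matches a program that is no
    longer installed. 'gone' is a constructed case-insensitive filter;
    'netsh firewall' is the XP context (Vista+ uses 'netsh advfirewall')."""
    return [f"netsh firewall delete portopening protocol={p['proto']} port={p['port']}"
            for p in ports if any(g in p["name"].lower() for g in gone)]


def dns_override(text):
    """Static per-interface resolvers that are not among the DHCP-assigned ones.
    A mismatch is not proof of hijacking, but it has to be explained."""
    dhcp, static = [], []
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if m:
            dhcp = m.group(1).split()
        m = STATIC_RE.match(line)
        if m:
            static = [s for s in re.split(r"[,\s]+", m.group(1)) if s]
    return [s for s in static if s not in dhcp]


def parse_orphans(text):
    """Autostart/uninstall entries listed under ORPHANS REMOVED."""
    orphans, inside = [], False
    for line in text.splitlines():
        if "ORPHANS REMOVED" in line:
            inside = True
            continue
        if inside and line.startswith("*"):  # next section banner
            break
        m = ORPHAN_RE.match(line) if inside else None
        if m:
            orphans.append({"type": m.group(1), "name": m.group(2), "target": m.group(3)})
    return orphans


def triage(text, day):
    """One-shot summary pivoted on an infection day (ISO date)."""
    ports = parse_open_ports(text)
    return {"created_that_day": created_between(parse_files_created(text), day, day),
            "enabled_exceptions": [p for p in ports if p["enabled"]],
            "netsh_cleanup": netsh_cleanup(ports),
            "dns_override": dns_override(text),
            "orphans": parse_orphans(text)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE, "2014-01-22").items():
        print(key)
        for item in value:
            print("   ", item)
```

The DNS mismatch is only a prompt to verify: a deliberately configured third-party resolver looks the same in the log as a hijacked one, so confirm with the machine's owner before changing it. Run the generated netsh lines only after confirming the matching program is really gone; entries already marked Disabled are inert, but the one without a state marker (6889/TCP here) is an open hole left behind by an uninstaller that did not clean up after itself.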

  • Staff

Hello farmer68623

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache:: 
Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

[image: CFScriptB-4.gif]

This will let ComboFix run again.

Restart if you have to.

Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?
Gringo

Hello again Gringo,

 

I started to run Combofix according to your instructions, and shame on you! LOL ~ you didn't remind me to disable anti-virus. I ended up doing a hard shut-down when shutdown stalled. It is re-running now, which has been taking a lil' over an hour. So while waiting I figured I'd get a little typing out of the way. As I just downloaded Combofix like 24 hours ago, I got a message during run-time saying Combofix is out of date; I clicked OK to update. Next, I was on the problem machine this afternoon, and both Firefox and IE8 were running very slow and eating up CPU usage. Occasionally on shut-down or restart I get an error: 0xc000142 ~ but it goes away too fast to get complete details. Other than that, I will update my post when Combofix finishes.


Hi Gringo, I didn't expect a response from my last post. Combofix just finished and the log is posted below.

 

ComboFix 14-02-11.01 - Amanda 02/12/2014  23:02:20.2.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.511.252 [GMT -6:00]
Running from: c:\documents and settings\Amanda\Desktop\ComboFix.exe
Command switches used :: E:\CFScript.txt.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
(((((((((((((((((((((((((   Files Created from 2014-01-13 to 2014-02-13  )))))))))))))))))))))))))))))))
.
.
2014-02-13 03:48 . 2014-02-13 04:10    --------    d-----w-    C:\32788R22FWJFW
2014-02-06 07:46 . 2014-02-06 07:46    --------    d-----w-    c:\program files\Mozilla Maintenance Service
2014-02-05 05:37 . 2014-02-05 05:58    --------    d-----w-    c:\documents and settings\All Users\Application Data\HitmanPro
2014-02-05 04:09 . 2014-02-09 00:22    --------    d-----w-    C:\AdwCleaner
2014-02-04 10:53 . 2014-02-04 10:53    2855    ----a-w-    c:\windows\system32\redir.PIF
2014-01-22 20:12 . 2014-01-22 20:12    --------    d-----w-    c:\documents and settings\Amanda\Local Settings\Application Data\PCHealth
2014-01-22 08:11 . 2014-01-22 08:11    --------    d-----w-    C:\cda69190891d4fbe794be4e0675b
2014-01-22 08:11 . 2014-01-22 08:14    --------    d-----w-    C:\2e0c62deeee44eddad40b62c53f11c
2014-01-22 05:08 . 2014-01-22 05:08    --------    d-----w-    c:\documents and settings\Amanda\Local Settings\Application Data\cache
2014-01-22 05:07 . 2014-02-05 05:21    --------    d-----w-    c:\documents and settings\Amanda\Local Settings\Application Data\genienext
2014-01-22 01:19 . 2014-01-22 01:19    --------    d-----w-    C:\9bd49e06d940713d0cda55cd
2014-01-22 01:18 . 2014-01-22 01:19    --------    d-----w-    C:\3e60a1d65a3f8059803dc205f5d6ce
2014-01-19 00:20 . 2014-01-19 00:20    --------    d-----w-    c:\program files\Trend Micro
2014-01-18 05:33 . 2014-01-18 05:33    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2014-01-18 05:33 . 2013-04-04 20:50    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-01-14 06:09 . 2014-02-04 07:01    --------    d-----w-    c:\windows\SxsCaPendDel
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-02-06 04:55 . 2013-12-19 07:45    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-02-06 04:55 . 2013-12-19 07:45    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-02-05 16:32 . 2013-12-23 01:26    67824    ----a-w-    c:\windows\system32\drivers\aswmonflt.sys
2014-01-24 04:32 . 2013-12-23 01:27    57672    ----a-w-    c:\windows\system32\drivers\aswTdi.sys
2014-01-24 04:32 . 2013-12-23 01:27    410784    ----a-w-    c:\windows\system32\drivers\aswSP.sys
2014-01-24 04:32 . 2013-12-23 01:26    775952    ----a-w-    c:\windows\system32\drivers\aswSnx.sys
2014-01-24 04:32 . 2013-12-23 01:26    54832    ----a-w-    c:\windows\system32\drivers\aswRdr.sys
2014-01-24 04:32 . 2013-12-23 01:26    43152    ----a-w-    c:\windows\avastSS.scr
2014-01-24 04:32 . 2013-12-05 07:33    270240    ----a-w-    c:\windows\system32\aswBoot.exe
2013-12-24 05:20 . 2013-12-23 01:27    180248    ----a-w-    c:\windows\system32\drivers\aswVmm.sys
2013-12-23 01:26 . 2013-12-23 01:27    49944    ----a-w-    c:\windows\system32\drivers\aswRvrt.sys
2013-12-05 10:43 . 2013-12-05 10:43    1700352    ----a-w-    c:\windows\system32\gdiplus.dll
2013-12-05 10:43 . 2013-12-05 10:43    1060864    ----a-w-    c:\windows\system32\mfc71.dll
2013-11-27 20:21 . 2002-09-03 19:48    40960    ----a-w-    c:\windows\system32\drivers\ndproxy.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2014-01-24 04:32    259464    ----a-w-    c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2014-01-24 3767096]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-08-27 294912]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE -b -l [2001-2-13 83360]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe  /startup [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages    REG_MULTI_SZ       msv1_0 nwprovau
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"CiSvc"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:*:Disabled:Bittorrent
"6889:TCP"= 6889:TCP:Bit
"6884:TCP"= 6884:TCP:*:Disabled:Bittorrent
"6885:TCP"= 6885:TCP:*:Disabled:Bittorrent
"6886:TCP"= 6886:TCP:*:Disabled:Bittorent
"6887:TCP"= 6887:TCP:*:Disabled:Bittorent
"6888:TCP"= 6888:TCP:*:Disabled:Bittorent
"6969:TCP"= 6969:TCP:*:Disabled:Trigger Bittorent
"3724:TCP"= 3724:TCP:WOW
"6112:TCP"= 6112:TCP:WOW2
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)
.
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [12/22/2013 7:27 PM 49944]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [12/22/2013 7:27 PM 180248]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [12/22/2013 7:26 PM 775952]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/22/2013 7:27 PM 410784]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswmonflt.sys [12/22/2013 7:26 PM 67824]
R2 WPC600NSvc;WPC600NSvc;c:\program files\Linksys\WPC600N\WLService.exe [1/13/2014 5:44 PM 65596]
R3 ati2mtai;ati2mtai;c:\windows\system32\drivers\ati2mtai.sys [1/3/2014 11:54 PM 346752]
R3 maestro;ESS Maestro 3 Audio Driver (WDM);c:\windows\system32\drivers\es198x.sys [11/6/2004 9:20 PM 174464]
R3 wldel48b;Dell TrueMobile 1150 Series PCCard Driver;c:\windows\system32\drivers\wldel48b.sys [12/27/2013 12:22 AM 171520]
R3 WPC600N;Linksys Dual Band Wireless-N Notebook Adapter WPC600N;c:\windows\system32\drivers\WPC600N.SYS [1/13/2014 5:45 PM 822400]
S3 atimtai;atimtai;c:\windows\system32\drivers\atimtai.sys [11/6/2004 9:20 PM 281600]
S3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family;c:\windows\system32\drivers\cben5.sys [11/6/2004 9:21 PM 50498]
S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\Drivers\PROCEXP151.SYS --> c:\windows\system32\Drivers\PROCEXP151.SYS [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder
.
2014-02-06 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-12-19 04:55]
.
2014-02-13 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2013-12-23 04:32]
.
.
------- Supplementary Scan -------
.


uInternet Connection Wizard,ShellNext = iexplore
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 68.105.28.11 68.105.29.11
TCP: Interfaces\{B38BF4F5-866D-43FE-99F1-E18F0D90067C}: NameServer = 8.26.56.26,156.154.70.22


FF - ProfilePath - c:\documents and settings\Amanda\Application Data\Mozilla\Firefox\Profiles\3e5tpy9j.default\

.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-02-12 23:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1229272821-839522115-1957994488-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2600)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2014-02-12  23:26:00
ComboFix-quarantined-files.txt  2014-02-13 05:25
ComboFix2.txt  2014-02-12 04:59
.
Pre-Run: 10,489,122,816 bytes free
Post-Run: 10,500,136,960 bytes free
.
- - End Of File - - 17C3F93D7C8F43211ED29BD26F2845DB
8F558EB6672622401DA993E1E865C861
 


Hi Gringo, so I got on the machine today, rebooted and brought up her. She sucks even worse now for some reason. Everything is the slowest, non-responsive I've seen. Even with browsers closed, just moving the mouse on the desktop will send the CPU peaking for no apparent reason.

I've run Mbam & Avast AV, everything shows clean. Looking forward to hearing back from you.

 

Thanks, The Mean Farmer


  • Staff

Hello farmer68623

Malwarebytes Anti-Rootkit

1. Download Malwarebytes Anti-Rootkit

2. Unzip the contents to a folder in a convenient location.

3. Open the folder where the contents were unzipped and run mbar.exe

4. Follow the instructions in the wizard to update and allow the program to scan your computer for threats.

5. Click on the Cleanup button to remove any threats and reboot if prompted to do so.

6. Wait while the system shuts down and the cleanup process is performed.

7. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.

8. If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

  • Internet access
  • Windows Update
  • Windows Firewall

9. If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included with Malwarebytes Anti-Rootkit and reboot.

10. Verify that your system is now functioning normally.

--RogueKiller--

Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit

  • Quit all programs that you may have started.
  • Please disconnect any external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The scan will make two reports; the one I would like to see is called RKreport[2].txt on your Desktop
  • Exit/Close RogueKiller
Send me the reports made from MBAR and RogueKiller and also let me know how the computer is doing at this time.

Gringo


Ok Gringo,

 

Ran MBAM anti-rootkit and RogueKiller. MBAM appeared to show no problems. RogueKiller produced 2 .txt files, Rk[0]D & Rk[0]S, and not the txt you requested. Multiple tries trying to paste all 3 files, but it won't allow me to paste (I'm using a flash disk from the problem machine to the "clean" machine). The Rk files appear to have strange Ctrl characters embedded, but regardless I can import them. I guess the Ghost of Jerry Garcia is haunting me. From what I could interpret it cleaned/quarantined Explorer Bar/Browser Extensions from Firefox, but I see the same suspicious items in IE8. I will try and copy/paste from the problem machine and see if that works... don't expect different results, but will report back in the next few minutes to see if anything is different.


  • Staff

Hello farmer68623

Let's get a deeper look into the system and let's see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.

  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and is the one that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTL.txt in your next reply.
Gringo

Hi Gringo, below is the OTL file.

 

OTL logfile created on: 2/17/2014 3:52:38 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Documents and Settings\Amanda\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
511.46 Mb Total Physical Memory | 137.17 Mb Available Physical Memory | 26.82% Memory free
1.22 Gb Paging File | 0.79 Gb Available in Paging File | 64.86% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.62 Gb Total Space | 9.75 Gb Free Space | 52.36% Space Free | Partition Type: NTFS
 
Computer Name: CREIGHTO-CGTHAC | User Name: Amanda | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - C:\Documents and Settings\Amanda\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\AVAST Software\Avast\AvastUI.exe (AVAST Software)
PRC - C:\Program Files\AVAST Software\Avast\AvastSvc.exe (AVAST Software)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Linksys\WPC600N\WLService.exe (GEMTEKS)
PRC - C:\Program Files\Linksys\WPC600N\WPC600N.exe (Linksys)
 
 
========== Modules (No Company Name) ==========
 
MOD - C:\Program Files\AVAST Software\Avast\defs\14021700\algo.dll ()
MOD - C:\Program Files\Mozilla Firefox\mozjs.dll ()
MOD - C:\Program Files\AVAST Software\Avast\libcef.dll ()
MOD - C:\WINDOWS\system32\quartz.dll ()
MOD - C:\WINDOWS\system32\bcm1xsup.dll ()
MOD - C:\Program Files\Linksys\WPC600N\Security.dll ()
MOD - C:\Program Files\Linksys\WPC600N\GTW32N50.dll ()
MOD - C:\Program Files\Linksys\WPC600N\GEMWEP.DLL ()
 
 
========== Services (SafeList) ==========
 
SRV - (WPFFontCache_v0400) -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe File not found
SRV - (WPC600NSvc) -- C:\Program Files\Linksys\WPC600N\WLService.exe WPC600N.exe File not found
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (MozillaMaintenance) -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (avast! Antivirus) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe (AVAST Software)
 
 
========== Driver Services (SafeList) ==========
 
DRV - (PROCEXP151) -- C:\WINDOWS\system32\Drivers\PROCEXP151.SYS File not found
DRV - (PCIDump) --  File not found
DRV - (NSNDIS5) -- C:\WINDOWS\system32\NSNDIS5.SYS File not found
DRV - (Changer) --  File not found
DRV - (catchme) -- C:\DOCUME~1\Amanda\LOCALS~1\Temp\catchme.sys File not found
DRV - (aswMonFlt) -- C:\WINDOWS\system32\drivers\aswmonflt.sys (AVAST Software)
DRV - (aswSnx) -- C:\WINDOWS\system32\drivers\aswSnx.sys (AVAST Software)
DRV - (aswSP) -- C:\WINDOWS\system32\drivers\aswSP.sys (AVAST Software)
DRV - (aswTdi) -- C:\WINDOWS\system32\drivers\aswTdi.sys (AVAST Software)
DRV - (aswRdr) -- C:\WINDOWS\system32\drivers\aswRdr.sys (AVAST Software)
DRV - (aswVmm) -- C:\WINDOWS\System32\drivers\aswVmm.sys ()
DRV - (aswRvrt) -- C:\WINDOWS\System32\drivers\aswRvrt.sys ()
DRV - (Tcpip6) -- C:\WINDOWS\system32\drivers\tcpip6.sys (Microsoft Corporation)
DRV - (NwlnkIpx) -- C:\WINDOWS\system32\drivers\nwlnkipx.sys (Microsoft Corporation)
DRV - (nm) -- C:\WINDOWS\system32\drivers\nmnt.sys (Microsoft Corporation)
DRV - (WPC600N) -- C:\WINDOWS\system32\drivers\WPC600N.SYS (Broadcom Corporation)
DRV - (wldel48b) -- C:\WINDOWS\system32\drivers\wldel48b.sys (Dell)
DRV - (GTNDIS5) -- C:\Program Files\Linksys\WPC600N\GTNDIS5.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (ati2mtai) -- C:\WINDOWS\system32\drivers\ati2mtai.sys (ATI Technologies Inc.)
DRV - (omci) -- C:\WINDOWS\system32\drivers\omci.sys (Dell Computer Corporation)
DRV - (NwlnkNb) -- C:\WINDOWS\system32\drivers\nwlnknb.sys (Microsoft Corporation)
DRV - (NwlnkSpx) -- C:\WINDOWS\system32\drivers\nwlnkspx.sys (Microsoft Corporation)
DRV - (wlluc48) -- C:\WINDOWS\system32\drivers\wlluc48.sys (Lucent Technologies)
DRV - (CBEN5) -- C:\WINDOWS\system32\drivers\cben5.sys (Xircom, Inc.)
DRV - (atimtai) -- C:\WINDOWS\system32\drivers\atimtai.sys (ATI Technologies Inc.)
DRV - (maestro) -- C:\WINDOWS\system32\drivers\es198x.sys (ESS Technology, Inc.)
DRV - (SMCIRDA) -- C:\WINDOWS\system32\drivers\smcirda.sys (SMC)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://red.clientapps.yahoo.com/customize/ie/defaults/cs/ymsgr6/*http://www.yahoo.com/ext/search/search.html
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-21-1229272821-839522115-1957994488-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.pogo.com/
IE - HKU\S-1-5-21-1229272821-839522115-1957994488-1005\..\SearchScopes,DefaultScope = {BF17251D-1531-4AC4-A456-ED1C92EA0337}
IE - HKU\S-1-5-21-1229272821-839522115-1957994488-1005\..\SearchScopes\{BF17251D-1531-4AC4-A456-ED1C92EA0337}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
IE - HKU\S-1-5-21-1229272821-839522115-1957994488-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "https://www.pogo.com"
FF - prefs.js..extensions.enabledAddons: wrc%40avast.com:9.0.2013.75
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:27.0.1
FF - user.js - File not found
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_12_0_0_44.dll ()
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2014/01/23 22:32:18 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 27.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 27.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
 
[2014/02/06 02:47:58 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Amanda\Application Data\Mozilla\Extensions
[2014/02/13 18:13:37 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\browser\extensions
[2014/02/13 18:15:38 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2014/01/23 22:32:18 | 000,000,000 | ---D | M] (avast! Online Security) -- C:\PROGRAM FILES\AVAST SOFTWARE\AVAST\WEBREP\FF
 
O1 HOSTS File: ([2014/02/11 22:50:37 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (avast! Online Security) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
O3 - HKLM\..\Toolbar: (avast! Online Security) - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O4 - HKLM..\Run: [AvastUI.exe] C:\Program Files\AVAST Software\Avast\AvastUI.exe (AVAST Software)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled [2014/02/05 22:43:41 | 000,000,000 | -H-D | M]
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1229272821-839522115-1957994488-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1229272821-839522115-1957994488-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1229272821-839522115-1957994488-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1229272821-839522115-1957994488-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)


O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 68.105.28.11 68.105.29.11
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7EA6AE80-5921-4A56-A3DA-DA05CD875637}: DhcpNameServer = 192.168.1.1 68.105.28.11 68.105.29.11
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B38BF4F5-866D-43FE-99F1-E18F0D90067C}: NameServer = 8.26.56.26,156.154.70.22
O18 - Protocol\Handler\AutorunsDisabled - No CLSID value found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Amanda\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Amanda\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (nwprovau) - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2014/02/17 15:51:07 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Amanda\Desktop\OTL.exe
[2014/02/16 21:29:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Amanda\Desktop\RK_Quarantine
[2014/02/16 00:54:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
[2014/02/16 00:53:21 | 000,052,312 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamchameleon.sys
[2014/02/16 00:52:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Amanda\Desktop\mbar
[2014/02/13 18:13:36 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2014/02/12 23:55:43 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2014/02/12 23:26:07 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2014/02/12 22:10:42 | 000,000,000 | ---D | C] -- C:\ComboFix
[2014/02/12 21:48:00 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2014/02/12 21:47:26 | 005,180,278 | R--- | C] (Swearware) -- C:\Documents and Settings\Amanda\Desktop\ComboFix.exe
[2014/02/11 21:38:52 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2014/02/11 21:38:52 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2014/02/11 21:38:52 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2014/02/11 21:38:52 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2014/02/11 21:37:26 | 000,000,000 | ---D | C] -- C:\Qoobox
[2014/02/06 01:46:37 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Maintenance Service
[2014/02/04 23:37:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\HitmanPro
[2014/02/04 22:09:52 | 000,000,000 | ---D | C] -- C:\AdwCleaner
[2014/01/24 16:33:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Amanda\Desktop\Old Firefox Data
[2014/01/22 14:12:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Amanda\Local Settings\Application Data\PCHealth
[2014/01/22 02:11:17 | 000,000,000 | ---D | C] -- C:\cda69190891d4fbe794be4e0675b
[2014/01/22 02:11:03 | 000,000,000 | ---D | C] -- C:\2e0c62deeee44eddad40b62c53f11c
[2014/01/21 23:08:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Amanda\Local Settings\Application Data\cache
[2014/01/21 23:07:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Amanda\Local Settings\Application Data\genienext
[2014/01/21 19:28:21 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2014/01/21 19:19:08 | 000,000,000 | ---D | C] -- C:\9bd49e06d940713d0cda55cd
[2014/01/21 19:18:55 | 000,000,000 | ---D | C] -- C:\3e60a1d65a3f8059803dc205f5d6ce
[2014/01/18 18:20:49 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2014/02/17 15:49:23 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Amanda\Desktop\OTL.exe
[2014/02/17 15:31:22 | 000,000,364 | -H-- | M] () -- C:\WINDOWS\tasks\avast! Emergency Update.job
[2014/02/17 15:26:37 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2014/02/17 15:25:29 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2014/02/16 19:24:08 | 000,052,312 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamchameleon.sys
[2014/02/16 18:58:06 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2014/02/16 18:57:59 | 000,692,616 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2014/02/16 18:57:58 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2014/02/16 18:41:56 | 003,813,376 | ---- | M] () -- C:\Documents and Settings\Amanda\Desktop\RogueKiller.exe
[2014/02/11 22:50:37 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2014/02/11 21:07:36 | 005,180,278 | R--- | M] (Swearware) -- C:\Documents and Settings\Amanda\Desktop\ComboFix.exe
[2014/02/06 01:46:51 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\Amanda\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2014/02/06 01:46:43 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2014/02/05 22:43:42 | 000,000,630 | ---- | M] () -- C:\WINDOWS\System32\.crusader
[2014/02/05 10:32:27 | 000,067,824 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmonflt.sys
[2014/02/04 04:53:27 | 000,002,855 | ---- | M] () -- C:\WINDOWS\System32\redir.PIF
[2014/01/23 22:32:41 | 000,001,733 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2014/01/23 22:32:15 | 000,775,952 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2014/01/23 22:32:15 | 000,410,784 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2014/01/23 22:32:15 | 000,057,672 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2014/01/23 22:32:15 | 000,054,832 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2014/01/23 22:32:13 | 000,270,240 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2014/01/23 22:32:13 | 000,043,152 | ---- | M] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2014/01/22 21:32:27 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2014/01/21 18:21:44 | 000,418,842 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2014/01/21 18:21:44 | 000,067,032 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2014/02/16 21:26:16 | 003,813,376 | ---- | C] () -- C:\Documents and Settings\Amanda\Desktop\RogueKiller.exe
[2014/02/11 21:38:52 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2014/02/11 21:38:52 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2014/02/11 21:38:52 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2014/02/11 21:38:52 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2014/02/11 21:38:52 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2014/02/06 01:46:50 | 000,000,742 | ---- | C] () -- C:\Documents and Settings\Amanda\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2014/02/06 01:46:43 | 000,000,724 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2014/02/06 01:46:42 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2014/02/05 22:43:42 | 000,000,630 | ---- | C] () -- C:\WINDOWS\System32\.crusader
[2014/02/04 04:53:27 | 000,002,855 | ---- | C] () -- C:\WINDOWS\System32\redir.PIF
[2014/01/13 17:45:17 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2014/01/13 17:45:14 | 000,024,064 | ---- | C] () -- C:\WINDOWS\System32\WLTRYSVC.EXE
[2014/01/13 17:45:13 | 000,753,664 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2014/01/13 17:45:03 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\GTW32N50.dll
[2014/01/13 17:43:29 | 000,000,801 | ---- | C] () -- C:\WINDOWS\System32\WLAN.INI
[2014/01/03 23:54:11 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.exe
[2013/12/24 02:34:59 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2013/12/22 19:27:01 | 000,180,248 | ---- | C] () -- C:\WINDOWS\System32\drivers\aswVmm.sys
[2013/12/22 19:27:00 | 000,049,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\aswRvrt.sys
[2013/12/21 18:43:51 | 000,024,064 | ---- | C] () -- C:\WINDOWS\zoek-delete.exe
[2004/12/05 19:53:11 | 000,054,272 | ---- | C] () -- C:\Documents and Settings\Amanda\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
 
========== ZeroAccess Check ==========
 
[2014/01/10 01:20:19 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/13 18:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 06:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/13 18:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

< End of report >
 

Thanks


  • Staff

Hello farmer68623

I would like you to run this custom script for me now and when it is complete please give me the report and a status update for the computer.

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the text box.

    :OTL
    FF - user.js - File not found
    O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (Reg Error: Key error.)
    O18 - Protocol\Handler\AutorunsDisabled - No CLSID value found
    :Files
    ipconfig /flushdns /c
    :Commands
    [PURITY]
    [emptyjava]
    [EMPTYFLASH]
    [reboot]
  • Then click the Run Fix button at the top.
  • Click OK.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.

    Note** if the report does not pop up after the computer reboots you can find it here in this folder - C:\_OTL\MovedFiles

    It will be named - mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss - are numbers representing the date and time the fix was run.

Let me know how things are doing.

Gringo

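An added example, not from the thread, from Gringo, or from the OTL tool: a small Python triage helper that reads lines in the OTL log format posted above, flags entries whose backing file or CLSID is missing plus any interface with a statically configured O17 NameServer, and drafts a fix block in the ':OTL / :Files / :Commands' layout of the custom script. The sample lines are constructed from entries in this thread, and the draft is for an analyst to review line by line rather than to paste as-is.

```python
"""Triage an OTL scan log and draft an OTL fix script.

Added example, not from the thread, from Gringo, or from the OTL tool.
It reads lines in the OTL SafeList log format posted above, flags entries
whose backing file or CLSID is missing, reports interfaces with a statically
configured NameServer (O17), and drafts a fix block in the ':OTL / :Files /
:Commands' layout of the custom script in the thread. The output is a draft
for an analyst to review line by line, not something to paste blindly.
"""
import re

# Constructed sample: a handful of lines taken from the OTL log in the thread.
SAMPLE_LOG = r"""
DRV - (PROCEXP151) -- C:\WINDOWS\system32\Drivers\PROCEXP151.SYS File not found
DRV - (aswSP) -- C:\WINDOWS\system32\drivers\aswSP.sys (AVAST Software)
FF - user.js - File not found
O2 - BHO: (avast! Online Security) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 68.105.28.11 68.105.29.11
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B38BF4F5-866D-43FE-99F1-E18F0D90067C}: NameServer = 8.26.56.26,156.154.70.22
O18 - Protocol\Handler\AutorunsDisabled - No CLSID value found
""".strip()

# Service, driver or Firefox entries whose file is gone: dead registrations.
ORPHAN_RE = re.compile(r"^(?:SRV|DRV|FF) - .*File not found$")
# BHO / protocol-handler entries that point at no CLSID at all.
DANGLING_RE = re.compile(r"^(?:O2|O18) - .*No CLSID value found\.?$")
# Downloaded Program Files (ActiveX) entries OTL could not resolve in the registry.
DPF_ERROR_RE = re.compile(r"^O16 - DPF: .*\(Reg Error: .*\)$")
# O17 resolver settings; the optional 'Dhcp' prefix separates DHCP-assigned from static.
NAMESERVER_RE = re.compile(r"^O17 - .*: (?P<dhcp>Dhcp)?NameServer = (?P<servers>.+)$")


def find_orphans(log):
    """Return, verbatim and in order, the log lines whose object no longer exists.

    These are the kind of entries an :OTL section removes. The section takes
    lines in OTL's own log format (as Gringo's script does), so they are kept
    exactly as logged rather than reformatted."""
    hits = []
    for line in log.splitlines():
        line = line.rstrip()
        if ORPHAN_RE.match(line) or DANGLING_RE.match(line) or DPF_ERROR_RE.match(line):
            hits.append(line)
    return hits


def find_static_nameservers(log):
    """Return (log line, [servers]) for every O17 NameServer set statically.

    A static resolver on one interface of a machine that otherwise takes DNS
    from DHCP deserves a question to the user before anything is changed."""
    found = []
    for line in log.splitlines():
        m = NAMESERVER_RE.match(line.rstrip())
        if m and m.group("dhcp") is None:
            servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
            found.append((line.rstrip(), servers))
    return found


def build_fix(orphans):
    """Assemble a fix in the layout of the thread's custom script.

    ':OTL' lists the log lines to remove, ':Files' holds 'ipconfig /flushdns /c'
    (the thread's fix log shows OTL executing that entry and then deleting the
    cmd.bat/cmd.txt it created), and ':Commands' carries the same cleanup
    directives Gringo used."""
    parts = [":OTL", *orphans]
    parts += [":Files", "ipconfig /flushdns /c"]
    parts += [":Commands", "[PURITY]", "[emptyjava]", "[EMPTYFLASH]", "[reboot]"]
    return "\n".join(parts) + "\n"


def triage(log):
    """Return (draft fix script, static-resolver findings) for one OTL log."""
    return build_fix(find_orphans(log)), find_static_nameservers(log)


if __name__ == "__main__":
    fix, static = triage(SAMPLE_LOG)
    print(fix)
    for line, servers in static:
        print("REVIEW static resolvers", servers, "<-", line)
```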

Hello Gringo,

 

I ran the OTL script as directed; below are the results.

 

 

========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\AutorunsDisabled\ deleted successfully.
Starting removal of ActiveX control {7530BFB8-7293-4D34-9923-61A11451AFC5}
C:\WINDOWS\Downloaded Program Files\OnlineScanner.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\AutorunsDisabled\ deleted successfully.
File Protocol\Handler\AutorunsDisabled - No CLSID value found not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Amanda\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Amanda\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
 
[EMPTYJAVA]
 
User: Administrator
 
User: All Users
 
User: Amanda
->Java cache emptied: 0 bytes
 
User: Default User
 
User: LocalService
 
User: NetworkService
 
Total Java Files Cleaned = 0.00 mb
 
 
[EMPTYFLASH]
 
User: Administrator
 
User: All Users
 
User: Amanda
->Flash cache emptied: 11697 bytes
 
User: Default User
 
User: LocalService
 
User: NetworkService
 
Total Flash Files Cleaned = 0.00 mb
 
 
OTL by OldTimer - Version 3.2.69.0 log created on 02192014_211452
 

 

I can't determine yet if the machine is running smoothly; I will get on it tomorrow and see what happens. However, I do have a concern about what I see and what happens in IE8. There are some things in Toolbars & Extensions. There were similar ones in Firefox that went away when we started running your programs. Also, when I open IE8 my homepage loads. When I open a new tab, instead of getting a blank page it automatically redirects and opens Google search. I do not see anything under Tools or anywhere else to stop this, and this never occurred until I got the other problems.

 

I am going to paste a few files to see if they represent any threats or problems.

 

Name:                   Diagnose Connection Problems...
Publisher:              Not Available
Type:                   Browser Extension
Version:                Not available
File date:              
Date last accessed:     Today, February 19, 2014, 11 minutes ago
Class ID:               {E2E2DD38-D088-4134-82B7-F2BA38496583}
Use count:              26
Block count:            32
File:                   Not available
Folder:                 Not available
 

 

Name:                   Discuss
Publisher:              Not Available
Type:                   Explorer Bar
Version:                6.0.2900.5512
File date:              
Date last accessed:     Monday, November 29, 1999, 6:00 PM
Class ID:               {BDEADE7F-C265-11D0-BCED-00A0C90AB50F}
Use count:              0
Block count:            0
File:                   shdocvw.dll
Folder:               

 

Name:                   BottomFrame Class
Publisher:              Control name is not available
Type:                   Explorer Bar
Version:                Not available
File date:              
Date last accessed:     Monday, November 29, 1999, 6:00 PM
Class ID:               {E2D2FE40-5674-4B77-802B-EC86B6C2C41D}
Use count:              0
Block count:            0
File:                   dsr.dll
Folder:                 C:\WINDOWS

 

Name:                   LeftFrame Class
Publisher:              Control name is not available
Type:                   Explorer Bar
Version:                Not available
File date:              
Date last accessed:     Monday, November 29, 1999, 6:00 PM
Class ID:               {CE27D4DF-714B-4427-95EB-923FE53ADF8E}
Use count:              0
Block count:            0
File:                   dsr.dll
Folder:                 C:\WINDOWS
 

Looking forward to hearing your direction, and again many thanks.

 

The Mean Farmer


  • Staff

Hello farmer68623

First I would like you to go here and click on the Fix it button - http://support.microsoft.com/kb/923737

Then I want you to do the following

  • Start Internet Explorer.
  • Click on "Safety".
  • Click on "Delete Browsing History".
  • Make sure all boxes are checked.
  • Click on "Delete".
  • Click on "Tools".
  • Click "Internet Options".
  • On the "Advanced" tab, click "Reset".
  • Put a check mark next to "Delete Personal Settings".
  • Click "Reset" to confirm.
  • When complete, click the "Close" button.
  • Restart IE.

Gringo

Hi Gringo,

 

I believe I still need assistance; I have a family medical emergency going on. However, I did go to the Microsoft link and downloaded and ran Fix it. It ran for an extremely long time and the progress box indicated that it was finished but never closed, and showed as running in Task Manager. Another box popped up behind the Fix it and went through the procedures that you instructed. It did some things, and had a red X indicating it deleted a bunch of stuff, but the IE8 default reset failed. Browsers still run slow. I do not use nor like IE; however, I want a clean machine. When I open IE8 it appears to load normally, with the homepage now the Microsoft link, and opening a new tab now goes to a blank page. The items I pasted in my last post still appear under Toolbars & Ext's. I am still getting unusually high CPU usage in either IE8 or Firefox. My Flash Player ActiveX updated to the most current version, which previously would not update. I had uninstalled the current version of Java, but have since reinstalled it. Machine seems still unstable, but not as bad. I will await your response and respond to you sooner than I've done this past week. Thanks again!


This topic is now closed to further replies.