Avast hijacked? New virus/variant?

Everything is hijacked… running through a remote machine, it seems. Running ComboFix, I can't install the Recovery Console. I can't connect to most things via https. MBAM comes up with nothing, as does SUPERAntiSpyware. ComboFix did fix some things; TDSSKiller - nothing. I also cleared the NVRAM on this XP machine I'm using now. My Win7 laptop has the same or similar issues (Tiny Firewall was blocking 67 system connections!), so I haven't tried to run it in weeks - I figure cleaning this desktop with XP would be easier since I can pull the CMOS battery. I'm in over my head here. In the registry I found HKEY_CLASSES_ROOT\.TMCONTAINER00000000000000000001 (and xx-002), while starting to look elsewhere. Other "interesting" things caught by PC Tools Firewall Plus:

[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}

c:\windows\temp\7zsf.tmp\setup.exe
c:\windows\temp\nsh11.tmp\ns17.tmp
appl pid 4012

firefox - Port Name : \RPC CONTROL\OLED097DAAB50284A4BBF456DC421A0
Process ID : 4068
Target Application PID : 1404
Target Application Path : C:\WINDOWS\SYSTEM32\SVCHOST.EXE

Connecting Application’s PID : 4068
Local Port : 65535
Protocol : UDP
Remote Port : 53

Application PID : 5368
Event Type : Windows Messaging - Initiate DDE
HWND : 0x10014
LPARAM : 0xc06ec06a
Message : 0x3e0
Target Application PID : 900
Target Application Path : C:\WINDOWS\SYSTEM32\CSRSS.EXE
Thread ID : 944
WPARAM : 0x2005ba
Application Path : c:\documents and settings\mom and dad\my documents\mozilla firefox\firefox.exe
Event Type : Extended Event Hooking
Hook ID : 7
Hook Procedure : 0x197924346164x
Module : 1979187200
Process ID : 4252
Target Application PID : 0
Target Application Path : [SYSTEM PROCESS]
Thread ID : 0
Application Path : c:\program files\winrar\winrar.exe
Event Type : Open Thread
Target Application PID : 0
Target Application Path : [SYSTEM PROCESS]
Unique Thread : 5568

I can post logs if someone can help me PLEASE!
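The firewall prompts quoted above arrive one event at a time, which makes them hard to read as a whole. As an added example (not code from the original post and not from PC Tools), here is a Python triage script that parses prompts of that "Key : Value" shape, groups them by process and applies a few rules: an executable running from a temp directory, the kind of Windows hook being installed, DNS traffic and RPC/COM endpoint connections. The sample records are constructed from the shape of the prompts above; the kbd.exe record is invented to exercise the keyboard-hook rule, and the reading of target PID 0 as a system-wide hook is this script's assumption, not the firewall vendor's documentation.

```python
"""Triage helper for 'Key : Value' prompts from a host firewall / HIPS such as
PC Tools Firewall Plus. Added example, not part of the forum post: it groups the
prompts by process and applies a few rules."""
import re
from collections import defaultdict

# Constructed sample shaped like the prompts quoted in the post; the kbd.exe
# record with a low-level keyboard hook is invented to exercise that rule.
SAMPLE = """\
Application Path : c:\\windows\\temp\\7zsf.tmp\\setup.exe
Process ID : 4012

Application Path : c:\\documents and settings\\mom and dad\\my documents\\mozilla firefox\\firefox.exe
Event Type : OLE Connect Port
Port Name : \\RPC CONTROL\\OLED097DAAB50284A4BBF456DC421A0
Process ID : 4068
Target Application PID : 1404
Target Application Path : C:\\WINDOWS\\SYSTEM32\\SVCHOST.EXE

Application Path : c:\\documents and settings\\mom and dad\\my documents\\mozilla firefox\\firefox.exe
Connecting Application's PID : 4068
Local Port : 65535
Protocol : UDP
Remote Port : 53

Application Path : c:\\documents and settings\\mom and dad\\my documents\\mozilla firefox\\firefox.exe
Event Type : Extended Event Hooking
Hook ID : 7
Process ID : 4252
Target Application PID : 0
Target Application Path : [SYSTEM PROCESS]

Application Path : c:\\unknown\\kbd.exe
Event Type : Extended Event Hooking
Hook ID : 13
Process ID : 5000
Target Application PID : 0
Target Application Path : [SYSTEM PROCESS]
"""

# SetWindowsHookEx hook ids (WH_* constants from winuser.h).
WH_NAMES = {2: "WH_KEYBOARD", 5: "WH_CBT", 7: "WH_MOUSE", 10: "WH_SHELL",
            13: "WH_KEYBOARD_LL", 14: "WH_MOUSE_LL"}
KEYBOARD_HOOKS = {2, 13}  # the hook types a keylogger needs
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.I)
RPC_ENDPOINT_RE = re.compile(r"^\\RPC CONTROL\\", re.I)
PID_KEYS = ("Process ID", "Application PID", "Connecting Application's PID",
            "Listening Application's PID")


def parse_records(text):
    """Split blank-line separated 'Key : Value' prompts into dicts."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(" : ")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def triage(rec):
    """Return a list of (severity, note) for one prompt; severity is 'info' or 'review'."""
    path = rec.get("Application Path", "").lower()
    etype = rec.get("Event Type", "")
    notes = []
    if TEMP_DIR_RE.search(path):
        notes.append(("review", "executable running from a temp directory: " + path +
                      " (7-Zip SFX and NSIS installers do this; check what wrote it)"))
    if etype == "Extended Event Hooking":
        hook_id = int(rec.get("Hook ID", -1))
        name = WH_NAMES.get(hook_id, "hook id %d" % hook_id)
        # Assumption: this firewall reports a system-wide hook as target PID 0.
        scope = " (system-wide)" if rec.get("Target Application PID") == "0" else ""
        severity = "review" if hook_id in KEYBOARD_HOOKS else "info"
        notes.append((severity, "%s%s hook installed by %s" % (name, scope, path)))
    if rec.get("Protocol") == "UDP" and rec.get("Remote Port") == "53":
        notes.append(("info", "DNS query by %s; confirm the resolver with ipconfig /all" % path))
    if etype == "OLE Connect Port" and RPC_ENDPOINT_RE.match(rec.get("Port Name", "")):
        notes.append(("info", "RPC/COM call from %s to %s" % (
            path, rec.get("Target Application Path", "?").lower())))
    return notes or [("info", "%s: %s" % (path, etype or "connection"))]


def summarize(text):
    """Group triage notes by (application path, pid)."""
    by_proc = defaultdict(list)
    for rec in parse_records(text):
        pid = next((int(rec[k]) for k in PID_KEYS if k in rec), None)
        by_proc[(rec.get("Application Path", "?").lower(), pid)].extend(triage(rec))
    return dict(by_proc)
```

UDP to remote port 53 is DNS resolution and names under \RPC CONTROL\ are RPC endpoints used by COM, so those two prompt types are expected from a browser; what the rules single out for review is the image path and the hook type (WH_KEYBOARD or WH_KEYBOARD_LL), not the prompt itself.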

If you want help, then we need some logs https://forum.avast.com/index.php?topic=53253.0
Scroll down to second picture … Farbar Recovery Scan Tool … run as instructed and attach the two diagnostic logs

Also attach Combofix log

Thank you! here it is:
it was too large to post so both FRST.txt and addition.txt are attached

sorry - combofix log attached

Could you let me know what problems you have after this

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
Startup: C:\Documents and Settings\Mom and Dad\Start Menu\Programs\Startup\FrostWire On Startup.lnk [2010-12-23]
ShortcutTarget: FrostWire On Startup.lnk -> C:\Program Files\FrostWire\FrostWire.exe (No File)
Startup: C:\Documents and Settings\Mom and Dad\Start Menu\Programs\Startup\MEMonitor.lnk [2008-01-15]
ShortcutTarget: MEMonitor.lnk -> C:\Program Files\Sprint music manager\MEMonitor.exe (No File)
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2734996620-1405688005-191977121-1010\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
URLSearchHook: HKU\S-1-5-21-2734996620-1405688005-191977121-1010 - (No Name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - No File
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "about:newtab" <======= ATTENTION
U4 RemoteRegistry; no ImagePath
S0 rqlswp; System32\drivers\dcifqkkp.sys [X]
C:\windows\System32\drivers\dcifqkkp.sys
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
RemoveProxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

Sorry it took so long… When it rebooted it went into "Dell Diags", which it started doing 2 days ago. Fix log:

Fix result of Farbar Recovery Scan Tool (x86) Version:21-08-2015 03
Ran by Harry (2015-08-22 16:39:10) Run:1
Running from C:\Documents and Settings\Harry\Desktop
Loaded Profiles: Harry (Available Profiles: Katie Panetti & Mom and Dad & Mom & Dad & Harry & Administrator)
Boot Mode: Normal

==============================================

fixlist content:


CreateRestorePoint:
Startup: C:\Documents and Settings\Mom and Dad\Start Menu\Programs\Startup\FrostWire On Startup.lnk [2010-12-23]
ShortcutTarget: FrostWire On Startup.lnk → C:\Program Files\FrostWire\FrostWire.exe (No File)
Startup: C:\Documents and Settings\Mom and Dad\Start Menu\Programs\Startup\MEMonitor.lnk [2008-01-15]
ShortcutTarget: MEMonitor.lnk → C:\Program Files\Sprint music manager\MEMonitor.exe (No File)
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2734996620-1405688005-191977121-1010\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
URLSearchHook: HKU\S-1-5-21-2734996620-1405688005-191977121-1010 - (No Name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - No File
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: “about:newtab” <======= ATTENTION
U4 RemoteRegistry; no ImagePath
S0 rqlswp; System32\drivers\dcifqkkp.sys
C:\windows\System32\drivers\dcifqkkp.sys
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: Reg Delete “HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg” /F
Reg: Reg Add “HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg” /F
RemoveProxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers


Restore point was successfully created.
C:\Documents and Settings\Mom and Dad\Start Menu\Programs\Startup\FrostWire On Startup.lnk => moved successfully
C:\Program Files\FrostWire\FrostWire.exe not found.
C:\Documents and Settings\Mom and Dad\Start Menu\Programs\Startup\MEMonitor.lnk => moved successfully
C:\Program Files\Sprint music manager\MEMonitor.exe not found.
“HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer” => key removed successfully.
“HKU\S-1-5-21-2734996620-1405688005-191977121-1010\SOFTWARE\Policies\Microsoft\Internet Explorer” => key removed successfully.
HKU\S-1-5-21-2734996620-1405688005-191977121-1010\Software\Microsoft\Internet Explorer\URLSearchHooks\{4D25F926-B9FE-4682-BF72-8AB8210D6D75} => value removed successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\Tabs => value restored successfully
RemoteRegistry => service removed successfully.
rqlswp => service removed successfully.
“C:\windows\System32\drivers\dcifqkkp.sys” => File/Folder not found.

========= reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

The operation completed successfully

========= End of Reg: =========

========= reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

The operation completed successfully

========= End of Reg: =========

========= Reg Delete “HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg” /F =========

The operation completed successfully

========= End of Reg: =========

========= Reg Add “HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg” /F =========

The operation completed successfully

========= End of Reg: =========

========= RemoveProxy: =========

HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings => value removed successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings => value removed successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings => value removed successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings => value removed successfully.
HKU\S-1-5-21-2734996620-1405688005-191977121-1010\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings => value removed successfully.
HKU\S-1-5-21-2734996620-1405688005-191977121-1010\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings => value removed successfully.

========= End of RemoveProxy: =========

========= netsh advfirewall reset =========

The following command was not found: advfirewall reset.

========= End of CMD: =========

========= netsh advfirewall set allprofiles state ON =========

The following command was not found: advfirewall set allprofiles state ON.

========= End of CMD: =========

========= ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

========= netsh winsock reset catalog =========

Sucessfully reset the Winsock Catalog.
You must restart the machine in order to complete the reset.

========= End of CMD: =========

========= netsh int ip reset c:\resetlog.txt =========

========= End of CMD: =========

========= ipconfig /release =========

Windows IP Configuration

Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix  . : 

    IP Address. . . . . . . . . . . . : 0.0.0.0

    Subnet Mask . . . . . . . . . . . : 0.0.0.0

    Default Gateway . . . . . . . . . : 

========= End of CMD: =========

========= ipconfig /renew =========

Windows IP Configuration

Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix  . : 

    IP Address. . . . . . . . . . . . : 192.168.15.102

    Subnet Mask . . . . . . . . . . . : 255.255.255.0

    Default Gateway . . . . . . . . . : 192.168.15.1

========= End of CMD: =========

========= netsh int ipv4 reset =========

The following command was not found: int ipv4 reset.

========= End of CMD: =========

========= netsh int ipv6 reset =========

IPv6 is not installed.

========= End of CMD: =========

========= bitsadmin /reset /allusers =========

‘bitsadmin’ is not recognized as an internal or external command,
operable program or batch file.

========= End of CMD: =========

EmptyTemp: => 99.5 MB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 16:42:25 ====

What are the current problems?

Extremely slow internet (I have a corporate cable line - blazing fast - near T1 speed). Machine at half speed. Avast tells me it is up to date - then tells me it is out of date. I just checked now - Avast up to date - current version 150817-2. Avast emergency update wants to connect on occasion:
Connecting Application's PID : 5736
Local Port : 65535
Protocol : UDP
Remote Port : 53
but I haven't let it yet.
If I don't allow ALL of the following through the firewall, I can't connect a browser:
Firefox is trying to act as a server.
Listening Application’s PID : 3932
Local Port : 1032

Firefox is trying to access the internet.
Connecting Application’s PID : 3932
Local Port : 65535
Protocol : UDP

Firefox is trying to modify or control another application.
Event Type : OLE Connect Port
Port Name : \RPC CONTROL\OLED14C147893B54741A5A7E640C136
Process ID : 3932
Target Application PID : 912
Target Application Path : C:\WINDOWS\SYSTEM32\SVCHOST.EXE
Remote Port : 53

Application PID : 3932
Command Line : --channel=“3932.0.869948897\1791960698” -greomni “C:\Documents and Settings\Mom and Dad\My Documents\Mozilla Firefox\omni.ja” -appomni "C:\Documents and Settings\Mom

Listening Application’s PID : 1468
Local Port : 1144
Protocol : TCP
Application Path : c:\documents and settings\mom and dad\my documents\mozilla firefox\plugin-container.exe
Connecting Application’s PID : 1468
Local Port : 65535
Protocol : UDP
Remote Port : 53
Application Path : c:\documents and settings\mom and dad\my documents\mozilla firefox\plugin-container.exe
The previous things I originally posted about the firewall catching are gone - EXCEPT OLE Connect Port, which changed PID from 4068 to 3932.
This old Dell has 2 hidden partitions for factory recovery - a FAT32 and a FAT16. I mounted one after I saw there was a recycle bin and a desktop.ini file installed on both on 8-20-15. I can't delete them (hidden and system).
desktop ini file: [.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}

I downloaded Firefox as IE 8 would connect 50%(?) of the time.
Many odd entries in the registry besides HKEY_CLASSES_ROOT\.TMCONTAINER00000000000000000001 (and xx-002), which is still there… I've toyed with the Windows registry since 1998 - but have been hands-off so far :)
I should have done this last night… I believe you are on GMT.
Thank you for your help essexboy! I hope you have more ideas!
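Several of the CMD: lines in the Fixlog above report "command was not found" or "is not recognized", which is what happens when a fixlist written for the Vista-era netsh contexts and bitsadmin runs on Windows XP. As an added example (not FRST's own code and not from this thread), the Python below parses a Fixlog into per-directive and per-command outcomes and maps the commands XP could not run to their XP-era substitutes. The sample log is a trimmed, constructed copy of the Fixlog shape above, and the XP_EQUIVALENT table is this example's own mapping, not something FRST emits.

```python
"""Parse a Farbar Recovery Scan Tool (FRST) Fixlog into per-directive and per-command
outcomes. Added example, not FRST's own code and not from the thread; the sample log is
a trimmed, constructed copy of the Fixlog shape shown above."""
import re

SAMPLE_FIXLOG = """\
Restore point was successfully created.
C:\\Documents and Settings\\Mom and Dad\\Start Menu\\Programs\\Startup\\FrostWire On Startup.lnk => moved successfully
C:\\Program Files\\FrostWire\\FrostWire.exe not found.
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer" => key removed successfully.
rqlswp => service removed successfully.
"C:\\windows\\System32\\drivers\\dcifqkkp.sys" => File/Folder not found.

========= netsh advfirewall reset =========

The following command was not found: advfirewall reset.

========= End of CMD: =========

========= ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

========= netsh int ipv4 reset =========

The following command was not found: int ipv4 reset.

========= End of CMD: =========

========= bitsadmin /reset /allusers =========

'bitsadmin' is not recognized as an internal or external command,
operable program or batch file.

========= End of CMD: =========

EmptyTemp: => 99.5 MB temporary data Removed.
"""

SECTION_RE = re.compile(r"^========= (?P<cmd>.+?) =========$")
END_RE = re.compile(r"^========= End of (CMD|Reg): =========$")
NOT_RUN_RE = re.compile(r"The following command was not found|is not recognized as an internal")

# Windows XP substitutes for commands that only exist on Vista and later: the
# 'advfirewall' netsh context and the 'ipv4'/'ipv6' sub-contexts arrived with Vista,
# and bitsadmin is not part of a default XP install. The mapping is this example's own.
XP_EQUIVALENT = {
    "netsh advfirewall reset": "netsh firewall reset",
    "netsh advfirewall set allprofiles state ON": "netsh firewall set opmode mode=ENABLE profile=ALL",
    "netsh int ipv4 reset": "netsh int ip reset c:\\resetlog.txt",
    "bitsadmin /reset /allusers": None,  # no built-in equivalent on XP
}


def classify_directive(line):
    """ok / missing / other for the one-line outcomes FRST prints per directive."""
    low = line.lower()
    if "not found" in low:
        return "missing"
    if "successfully" in low or "removed." in low:
        return "ok"
    return "other"


def parse_fixlog(text):
    """Return (results, commands): results = [(line, status)] for directive outcomes,
    commands = {command: (status, output)} with status ok / not_run / no_output."""
    results, commands = [], {}
    current, buf = None, []
    for line in text.splitlines():
        if END_RE.match(line):
            if current is not None:
                out = "\n".join(buf).strip()
                status = "not_run" if NOT_RUN_RE.search(out) else ("ok" if out else "no_output")
                commands[current] = (status, out)
            current, buf = None, []
            continue
        m = SECTION_RE.match(line)
        if m:
            current, buf = m.group("cmd"), []
            continue
        if current is not None:
            buf.append(line)
        elif line.strip():
            results.append((line, classify_directive(line)))
    return results, commands


def xp_retry_plan(commands):
    """For every CMD: the host could not run, give the XP-era substitute (None if there is none)."""
    return {cmd: XP_EQUIVALENT.get(cmd)
            for cmd, (status, _) in commands.items() if status == "not_run"}
```

Run against the Fixlog above, the netsh advfirewall lines, netsh int ipv4 reset and bitsadmin come back as not_run, so those steps never executed on this XP machine; the dictionary from xp_retry_plan is what would go into a second fixlist, one CMD: per line.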

Avast does not appear to be updating as the current is 150823-2

Download Avast Uninstall Utility to your Desktop.
Download the correct version of Avast:
Avast Free
Avast Pro
Avast Internet Security
Avast Premier
Disconnect from the net
Uninstall Avast via Control Panel
Run the uninstall tool and accept the reboot to Safe Mode
Once complete, reboot your system
Reinstall Avast


That wasn't easy - locked up the PC - had to push the button and do it in Safe Mode. Windows Add/Remove Programs said last used 12-5-14, size 344 MB. It still won't update… says virus defs up to date 150728-0. After a successful install I was unable to get any internet access. VoodooShield caught/stopped 3 command-line scripts from executing:
rundll32.exe newdev.dll,clientsideinstall \\.\pipe\pnp_device_install_pipe_0.{360c2040-ef2a-48ca-8cc5-81c53ef47525} and 2 more rundll32.exe ~~_0.{df0d92bf-45dd-4d46-acaf-obd978ff1338} (and) {eabf6088-debe-465e-9061-44ab530295d55}
After coming back home and rebooting - i’m online again at least.

Is the date and time correct on your computer?

Yes it is. When I pulled the CMOS battery it read 2003, but I corrected it after a day - been correct since. I did not believe that date… All seemed well until 3 weeks ago (Avast functioning properly). I drive a truck so I'm gone for 2-4 weeks at a time. I use this as a backup since my Windows 7 machine got a virus; I hooked this up August 1. It was previously used Nov. 2014 to Jan. 2015.

What programmes are the stopped files running from?

I'm unable to find any of the 3 referenced strings. I have a program on CD to search for hidden registry values, but my CD drive gets disabled every time I reboot (unless I uninstall it first!). I'll keep looking. I'd like to give you remote access - someone else already has remote access, it seems!

I found {eabf6088-debe-465e-9061-44ab530295d55} and {360c2040-ef2a-48ca-8cc5-81c53ef47525} in a Windows log file by searching for them with . as a file name. Apparently this has been happening since I came home and plugged in this machine on 8-16-15.
Attached is the log - hopefully you can tell more from it. Also in a Firefox backup JavaScript file - attached.
My firewall was blocking Avast from updating. I'll see what it finds in the AM.
Thank you for your help!

Have you just installed a new printer? … Or updated the driver for it?