Still having problems
yesterday had multiple instances of chrome.exe (when not running chrome) in task manger
thye popped up & when away when vieing youtube w/IE as I recall
I disabled all google add-ins/EXT & removed all tasks except avast emergency updater- and then I could not repeat the issue
but it seems I saw some other odd process- which I have not seen again as I ran browers & retested

• updated and re-ran malwarebytes- it reports nothing
  _ i am currently using other PC
  _thought I saw pop-ups again- but cannot repeat it
  _Avast seem to be having difficulty running scan- very slow - not completing as expected
  _ have downloaded all tools from instructions page to prep for more agressive troubleshooting
  _most recent net framework updates will not install (attempted twice w/reboot in between- but net framework updates often an issue for this PC)
  _ I have restore points back to early Nov & backup of data prior to issues
  _ is it time, most effective use of time to restore from restore point or restore partitian?

• is this AvastEMUpdate.exe - a valid task?
  i do not see it on my other PC - both running Avast Free
  i see a lot of speculation about it on the web
  “C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe”

Avast reported last definition update on the 9th
_allowed me to update manually- current version 1/10/2013 8:22 am 130110-0
definitions show as current 10th
_ allowed me to run manual program update
prgram shows as current 7.0.1474

RE: Chrome.exe per info on web i am running a search for chrome.exe and so far
C:\Program Files\Google\Chrome\Application
Chrome.exe
old_chrome.exe
C:\Windows\perfech
CHROME.EXE-06157C0F.pf
CHROME.EXE-06157C12.pf
CHROME.EXE-06157C13.pf
CHROME.EXE-06157C16.pf

Adware report no registry entires, files clean

:‘( :’( :‘( :’(

the pop-ups are on my lpatop also
I have not being using it much, not downloaded vaudix or ANYTHNG else
HOWEVER the PC’s are on the same router/ISP connection & i have used logmein to control one through the other at times

both PC had a homepage of marketplaceleaders.org which did get infected and Avast reported a Blocked threat, which i reported to the site owner… and it may have been itrjmp.com-n they cleaned it & then got reinfected

I niotce from new OLT report (60 day period) I installed Vaudix in mid Nov vs mid Dec and it was mid-lae Dec when I noticed pop-ups on the desktop

now i think this is a drive by infection… unless it is smart enought to infect one PC from the other via shared connection & collected login

seems to me… more likely that Avast blocked a known threat and anohter unknown got through- esp since marketplaceleaders seemed to have a devil of time ridding it form their site. had it a number of days… then clean… then back… then clean… or not.
I am going to contact them to see what they know.

I am renning new set of logs.

Please advise iit you have given up on me due to what you consider a violation of not following directions.

Thank you for your reply.

Nope run some logs, if you are doing both systems then give the logs unique names

Thank you… I am at the end of my rope this infection is simply icing on my current life cake which is and has been almost impossible since May 2012.
I left a voicemail & email/contact w/marketplaceleaders.org explaining the issue (they were closed for the day), tht their site is hte common denominator for my PC’s, and asking for any info from them or their webmaster that may help in cleaning this off… and come to think of it… if an unknown driveby how Avast can update to defend users.

LOL… the contact form replies with “Please find a free download on “Hearing God” as a thank you gift to you for your interest and support of Marketplace Leaders.” Umm LMAO… I think I will pass on that download & just tune in to God w/o extra help
LOL. at least i still have my sense of humor- a small miracle… with that and God’s grace… and your help … this too will pass and hopefully others will benefit from our experience… and my apologies if you are not of a similar world view… i.e. God etc has a way of annoying many and i respect that many feel that way… to each his own said the old lady as she kissed the cow

OK - Back later with reports - I will do desktop first, since I am in progress there… but will as advised note which is which.

thank you for your reply & help!!!

I am going off lien now but I will look first thing tomorrow ;D

ok… maybe PC2 is not infected but seeing legitimate 3rd party advertisements

this is (so far) the only page where i see them …and i opened various pages & refreshed to try to inspire them to appear
http://hit-country-music-lyrics.com/brooks-and-dunn-believe-lyrics.html
firebug exam of the code shows
“porch swing”
very different form the i.trkjmp.com coding & link that I saw on the other PC…and on the other PC is affected many pages - every page it think, not just one.

can you (LOL) do you dare… check out the brooks & dunn page (one i had in my favorites from years ago)
LOL i went there for a little injection of faith… 9vs malware) & saw the pop-ups and assumed the worst
i pray i was wrong and PC2 is clean

but i am going to proceed to run the tools & upload the logs… invoke murphy’s law that if i invest all that time… it will turn out to be unneeded waste of time to troubleshoot a clean PC!

website is infected

Sucuri report
http://sitecheck.sucuri.net/results/hit-country-music-lyrics.com/brooks-and-dunn-believe-lyrics.html

so is that their own handi-work or have they been hacked… do i let them know?
how strange that i pick one old link out of hundreds? in my favorites and it is infected?
man God’s people are really under attack!

the brroks & dunn song & marketplaceleaders.org are both “Christain” resources
LOL. so it is not just me… looks like Satan’s hackers are making the rounds… God’s people must be cutting into his business! Gee… given the state of the world i thought Satan was way ahead!

LOL… they say the more one is attacked… the greater good difference one is making in the world.
LOL… maybe i need to takea break and do a little sinning

thanks for the site check
please advise if I should let them know that they are infected.

please advise if I should let them know that they are infected.

ty- re the brooks & dunn site- i will let them know… you malware warriers are GREAT!
;D

1st set of logs PC-1 which we have been working

i did not see anything to delete w/adware- so i am attaching scan report vs reboot log

• sorry if this is wrong- i am sick and now so tired and frazzeled i am making mistakes and getting confused

same with malwarebytes it reported nothing detected

OTL i ran 60 day report as i began to be unclear when i downloaded what & noticed pop-ups
and i use safelist to get extras report

i have to re-run aswMBR as PC seemed to lockup on last run

PC2 reports will have PC-2 in filename and be identifed as such in my post when i upload them.

thank you!

i gave http://hit-country-music-lyrics.com/country-music-lyrics-contact.html
the info re; their site infection- thank you for the info!

PC-1 seemed to bog down on 2nd attempt w/ aswMBr - i could not fully clear the screen saver and forced a reboot
took it offline
then set Avast boot time scan of C & D (recovery partition)
it is now runing boot scan
tomorrow once complete i will check report & re-attempt aswMBR

PC-2 first reports attached
aswMB still running

PC-2
asMBR attached

thank you!

OK PC1 does not look to bad … A bit of tidying up more than anything. How is this computer behaving ?
I will post separately for PC2

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\idsdefs\20101113.002\symidsco.sys -- (SYMIDSCO)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\PATTI~1.POT\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - File not found [Kernel | On_Demand | Unknown] -- C:\DOCUME~1\PATTI~1.POT\LOCALS~1\Temp\aswMBR.sys -- (aswMBR)
O3 - HKU\S-1-5-21-536995187-1795891562-3944622506-1008\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKU\S-1-5-21-536995187-1795891562-3944622506-1008\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
[2013/01/04 17:36:49 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2013/01/04 17:36:49 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2013/01/04 17:36:49 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2013/01/04 17:36:49 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2013/01/04 17:35:34 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/11/16 21:24:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\patti.potter\Local Settings\Application Data\WhiteSmoke_US_New
[2012/11/16 21:23:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Vaudix

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

PC2 … It looks as though AdwCleaner killed the majority

Could you let me know how each computer is behaving

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKU\S-1-5-21-424000380-4067286613-1435711853-1006..\Run: [Rohos] E:\agent.exe File not found

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

PC-1 still running boot time scan D: completed, C: @ 25%

PC2 after OTL fix log attached
cannot tell yet if it is running any better or worse
it is older under resoourced machine & I have not been using it much over the last 6 weeks due to bad backlight requiring shifting monitor between PCs or logmein connection (which is slow)

thank you!

A lot of junk on that system Total Files Cleaned = 20,224.00 mb
So it might be worth running a defragment on the disc

PC-2
yes i will run defrag.
i ran checkdisk, defrag and i thought disk cleanup & marcrium back-up full image earlier this week on this pc

any signs it was compromised by malware- need for password changes or was it only junk?
i thought it was clean (slow but ran properly, as expected) until i saw pop-ups on the Brooks & dunn page.

thank you!

At this stage I can see no apparent malware so it depends on whether the system is behaving as you expect… No unusual errors etc.