I am working on a friend's XP system and it's severely infected.
I was able to scan everything in post, but while doing previous scans I seem to have lost networking completely. It comes on and turns off. Never on long enough to download and install AV software. Was trying to log onto Comcast and install Norton's, but it keeps dropping networking before I finish.
Also, I have run MBAM several times and every time I get around 50 PUPs and I'm not even online.
:Commands
[CREATERESTOREPOINT]
:OTL
SRV - File not found [Disabled | Stopped] -- C:\DOCUME~1\Owner\LOCALS~1\Temp\VS.exe -- (VS)
SRV - File not found [Disabled | Stopped] -- C:\DOCUME~1\Owner\LOCALS~1\Temp\RIBCDPXOIDIE.exe -- (RIBCDPXOIDIE)
IE - HKLM\..\SearchScopes\{b0441a0e-a49a-4e16-afc1-74ecced1921f}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=UXxdm011YYus&ptb=ACAEB066-5854-41CD-BBBF-B3A2743DDCDC&ind=2012020815&ptnrS=UXxdm011YYus&si=maps4pc&n=77ed004f&psa=&st=sb&searchfor={searchTerms}
IE - HKLM\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = http://start.sweetpacks.com/?src=6&q={searchTerms}&st=12&crg=3.5000006.10042&barid={3F2732FD-9E29-11E2-9CE3-001320E07785}
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-21-1844237615-436374069-839522115-1003\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://www.delta-search.com/?q={searchTerms}&affID=120520&babsrc=SP_ss&mntrId=8C00001320E07785
IE - HKU\S-1-5-21-1844237615-436374069-839522115-1003\..\SearchScopes\{b0441a0e-a49a-4e16-afc1-74ecced1921f}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=UXxdm011YYus&ptb=ACAEB066-5854-41CD-BBBF-B3A2743DDCDC&ind=2012020815&ptnrS=UXxdm011YYus&si=maps4pc&n=77ed004f&psa=&st=sb&searchfor={searchTerms}
IE - HKU\S-1-5-21-1844237615-436374069-839522115-1003\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = http://start.sweetpacks.com/?src=6&q={searchTerms}&st=12&crg=3.5000006.10042&barid={3F2732FD-9E29-11E2-9CE3-001320E07785}
FF - prefs.js..browser.search.defaultthis.engineName: "MixiDJ V4 Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3287768&CUI=UN32395590812592731&UM=2&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.startup.homepage: "http://search.conduit.com/?ctid=CT3287768&CUI=UN32395590812592731&UM=2&SearchSource=13"
FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3287768&SearchSource=2&CUI=UN32395590812592731&UM=2&q="
FF - HKLM\Software\MozillaPlugins\@MapsGalaxy_39.com/Plugin: C:\Program Files\MapsGalaxy_39\bar\1.bin\NP39Stub.dll File not found
[2013/10/03 15:30:57 | 000,001,720 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\51e0cv57.default\searchplugins\sweetim.xml
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Activities present
O15 - HKLM\..Trusted Ranges: adpRange1 ([*] in Trusted sites)
O15 - HKLM\..Trusted Ranges: adpRange2 ([*] in Trusted sites)
O15 - HKLM\..Trusted Ranges: adpRange3 ([*] in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: adp.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: adp.com ([dsra1he.ds] * in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: adp.com ([dsrac1he.ds] * in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: adp.com ([dssda1he.ds] * in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: adp.com ([dssda2he.ds] * in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: adpremotesupport.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: adpremotesupport.com ([www] * in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Ranges: adpRange1 ([*] in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Ranges: adpRange2 ([*] in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Ranges: adpRange3 ([*] in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Ranges: adpRange4 ([*] in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: adp.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: adp.com ([dsra1he.ds] * in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: adp.com ([dsrac1he.ds] * in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: adp.com ([dssda1he.ds] * in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: adp.com ([dssda2he.ds] * in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: adpremotesupport.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: adpremotesupport.com ([www] * in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Ranges: adpRange1 ([*] in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Ranges: adpRange2 ([*] in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Ranges: adpRange3 ([*] in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Ranges: adpRange4 ([*] in Trusted sites)
O15 - HKU\S-1-5-21-1844237615-436374069-839522115-1003\..Trusted Ranges: 205.190.194.2 ([http] in Trusted sites)
O15 - HKU\S-1-5-21-1844237615-436374069-839522115-1003\..Trusted Ranges: adpRange1 ([*] in Trusted sites)
O15 - HKU\S-1-5-21-1844237615-436374069-839522115-1003\..Trusted Ranges: adpRange2 ([*] in Trusted sites)
O15 - HKU\S-1-5-21-1844237615-436374069-839522115-1003\..Trusted Ranges: adpRange3 ([*] in Trusted sites)
[2014/05/09 07:08:05 | 000,000,000 | ---D | C] -- E:\Documents and Settings\Owner\My Documents\Optimizer Pro
[2013/04/05 16:51:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Babylon
[2012/12/14 17:38:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Optimizer Pro
[2009/04/25 14:18:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PY_Software
[2013/02/04 10:51:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Quick PC Booster
[2013/04/11 14:52:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Strongvault Online Backup
:Files
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bblmmloknbmfjgdjcdmmgpajlebiciec
C:\Program Files\MapsGalaxy_39
C:\WINDOWS\tasks\At*.job
netsh advfirewall reset /c
netsh advfirewall set allprofiles state ON /c
ipconfig /flushdns /c
netsh winsock reset catalog /c
netsh int ip reset c:\resetlog.txt /c
ipconfig /release /c
ipconfig /renew /c
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Please download AdwCleaner by Xplode onto your desktop.
- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.
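An added example, not from this thread or from the OTL tool: a small Python triage script that reads the OTL line types quoted in the fix above (SRV services, IE SearchScopes, Firefox prefs.js search settings, O15 Trusted-sites entries) and reports what a helper would flag, namely services running out of a Temp folder, search providers outside an expected set, and every Trusted-sites grant. The expected-search-host set and the sample log (excerpted from the log above with query strings shortened) are assumptions.

```python
import re
from urllib.parse import urlsplit

# Regexes for the OTL log line types seen in the fix script above.
SRV_RE = re.compile(r"^SRV - .* -- (?P<path>[A-Za-z]:\\.*?) -- \((?P<svc>[^)]+)\)$")
SCOPE_RE = re.compile(r'^IE - (?P<hive>\S+?)\\\.\.\\SearchScopes\\\{[^}]+\}: "URL" = (?P<url>\S+)$')
FFPREF_RE = re.compile(r'^FF - prefs\.js\.\.(?P<pref>[\w.]+): "(?P<url>https?://[^"]+)"$')
O15_RE = re.compile(r"^O15 - (?P<hive>\S+?)\\\.\.Trusted (?:Domains|Ranges): (?P<target>\S+) \(")

# Assumption: search hosts the owner would normally expect; anything else is reported.
EXPECTED_SEARCH_HOSTS = {"www.google.com", "www.bing.com"}


def triage_otl(log_text):
    """Return (category, where, what) tuples for the suspicious lines in an OTL log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := SRV_RE.match(line)):
            # A service whose binary lives under a Temp directory is a classic dropper leftover.
            if "\\temp\\" in m.group("path").lower():
                findings.append(("service-in-temp", m.group("svc"), m.group("path")))
        elif (m := SCOPE_RE.match(line)) or (m := FFPREF_RE.match(line)):
            # IE search scopes and Firefox search prefs pointing at an unexpected host = hijack.
            host = urlsplit(m.group("url")).hostname or ""
            if host not in EXPECTED_SEARCH_HOSTS:
                where = m.groupdict().get("hive") or m.group("pref")
                findings.append(("search-hijack", where, host))
        elif (m := O15_RE.match(line)):
            # Every Trusted-sites entry lowers IE's security settings for that target; list them all.
            findings.append(("trusted-zone", m.group("hive"), m.group("target")))
    return findings


# Constructed sample: lines excerpted from the OTL log above, query strings shortened.
SAMPLE_LOG = r"""
SRV - File not found [Disabled | Stopped] -- C:\DOCUME~1\Owner\LOCALS~1\Temp\VS.exe -- (VS)
IE - HKLM\..\SearchScopes\{b0441a0e-a49a-4e16-afc1-74ecced1921f}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?searchfor={searchTerms}
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3287768&q={searchTerms}"
O15 - HKLM\..Trusted Ranges: adpRange1 ([*] in Trusted sites)
O15 - HKU\S-1-5-21-1844237615-436374069-839522115-1003\..Trusted Ranges: 205.190.194.2 ([http] in Trusted sites)
[2013/04/05 16:51:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Babylon
"""

if __name__ == "__main__":
    for category, where, what in triage_otl(SAMPLE_LOG):
        print(f"{category:16} {where:<55} {what}")
```

Feed it a full OTL.txt and the output is the shortlist of entries to put under consideration for the :OTL and :Files sections, not a fix script by itself.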
I ran the OTL script and it hangs on “Killing processes: DO NOT INTERRUPT…”. It’s been stuck here for like 15 minutes now. Is this normal?
Also, I got impatient last night and was messing around with msconfig and noticed it was set to selective startup and several programs were disabled. I re-enabled them so I could remove them without having a selective startup menu and remove things properly. I’m not sure if this messed anything up for OTL.
However, I was able to get better networking access by playing around with the Intel NIC diagnosis tool. If I ran the diagnosis programs, it would trigger the NIC to work for a little bit, and I installed Norton Security Suite, the free one from Comcast. Maybe it messes with OTL? Although it let it run fine, just hanging at the Killing Processes part, which shouldn’t be a problem.
I can rescan with the tools if you think it may help.
Also, one more thing: I noticed the OTL targets the ADP program that is used a lot. I have noticed it is installed in Add/Remove Programs a lot, like it doesn’t replace its updates. Could these be malicious, or maybe just adware? Or is this a questionable program that shouldn’t be used?
I had issues with the OTL quick scan freezing at Firefox, so I just deleted Firefox as it was recently installed.
Then the scan went fine, although it seems longer than normal considering it is a quick scan.
Attached logs. Although there was no extra.txt from OTL. AdwCleaner only had the AdwCleaner[S0].txt file, no [S1] file, if it really matters, unless I mis-scanned.
I don’t get an error, per se. I get “network 3 has no connection” or some such, and then it comes back on occasionally and then back off. So far it only disconnected once when I first started IE.
Also, I haven’t been able to install .NET 1.1 SP1 this whole time. It just reports “Some updates could not be installed”. No specific error message.
I also notice I get a little lag and a few lost characters while typing. I’m not sure if it’s the network dropping and reconnecting so quickly that it doesn’t report it, or some other issue.
As for closing Firefox, it is still uninstalled. I’ll probably reinstall when all done here.
The pings are OK; however, there were several errors showing:
Name: Ethernet Controller
Description: Ethernet Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click “Update Driver”, which starts the Hardware Update wizard.
Name: SM Bus Controller
Description: SM Bus Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click “Update Driver”, which starts the Hardware Update wizard.
Also there appears to be a DCOM problem, so maybe a re-install or repair would be the best option.
Okay, I think the network is behaving. It only occasionally loses network, and even then it is only for a millisecond and comes right back without a hiccup. Maybe a little lag here and there, but that may be the system in general. It’s been running since 2004 with lots of abuse.
PS, do you know of a good tutorial on using OTL? My Google searches just seem to show how to post a message with OTL results and wait for help. It would be nice to learn how it works so I don’t have to pester you guys all of the time. lol
Steven, Posting how OTL works wasn’t the best of all ideas.
Mark, OTL can severely mess up a system. I wouldn’t use it w/o the supervision of somebody like Essex. Even when I fix computers (Family & Friends only), I ask him to check what I want to do. Just to be sure I won’t fudge anything up. If you want to learn how to use programs like OTL…
Putting a mistyped command into OTL can really ruin your day… I did it once to confirm that disaster was looming and it did (I had an image standing by though).
In that case methinks I will send you on your merry way
Subject to no further problems
I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.
Now the best part of the day ----- Your log now appears clean.
A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:
WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
See this article and this article.
I would recommend that you completely uninstall Java unless you need it to run an important piece of software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser.)
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
CryptoPrevent: install this programme to lock down and prevent crypto ransomware.