hijack this shows O14 - IERESET.INF: START_PAGE...Trojan? [Solved]



#16 ko57 (Topic Starter)
The icons are there; some of the webpages I'd put there have the Explorer "e" imposed on a page instead of the gif. I was able to shut down both Avast and Malwarebytes before RogueKiller ran. I did turn Avast back on, although it is out of date re definitions.

It immediately found 4+ entries right when the program started scanning!

So far so good...here are the reports:

RogueKiller V7.4.4 [05/08/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User: Kerry Owen [Admin rights]
Mode: Scan -- Date: 05/16/2012 20:00:38

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 5 ¤¤¤
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (localhost:12080) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9808210A +++++
--- User ---
[MBR] e51d3e1b2e33de5caf55cfaf82020567
[BSP] baf0d036800a9126de6705a97f5f5b07 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76308 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt

_________________________________________

RogueKiller V7.4.4 [05/08/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User: Kerry Owen [Admin rights]
Mode: Remove -- Date: 05/16/2012 20:05:01

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 5 ¤¤¤
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (localhost:12080) -> NOT REMOVED, USE PROXYFIX
[HJ] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> REPLACED (1)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9808210A +++++
--- User ---
[MBR] e51d3e1b2e33de5caf55cfaf82020567
[BSP] baf0d036800a9126de6705a97f5f5b07 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76308 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

________________________________________________

RogueKiller V7.4.4 [05/08/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User: Kerry Owen [Admin rights]
Mode: Shortcuts HJfix -- Date: 05/16/2012 20:14:24

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 210 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 4 / Fail 0
Start menu: Success 0 / Fail 0
User folder: Success 96 / Fail 0
My documents: Success 17 / Fail 0
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 471 / Fail 0
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
[D:] \Device\CdRom0 -- 0x5 --> Skipped

¤¤¤ Infection : ¤¤¤

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt
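The three reports above can be triaged mechanically. The following is an added example (not from the thread and not part of RogueKiller) that parses the Registry Entries section of the scan and remove runs, lists what the Remove run left behind, and flags an IE ProxyServer that points at the local machine, which is what the "NOT REMOVED, USE PROXYFIX" line is about. The report excerpts are constructed from the logs posted above.

```python
"""Added example (not from the thread or RogueKiller): parse the Registry
Entries section of the RogueKiller scan/remove reports above, list what the
Remove run left behind, and flag an IE proxy pointing at the local machine."""
import re
# Constructed excerpts of the two reports above (two of the five entries).
SCAN_REPORT = """\
¤¤¤ Registry Entries: 5 ¤¤¤
[PROXY IE] HKCU\\[...]\\Internet Settings : ProxyServer (localhost:12080) -> FOUND
[HJ] HKCU\\[...]\\Advanced : Start_ShowRecentDocs (0) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
"""
REMOVE_REPORT = """\
¤¤¤ Registry Entries: 5 ¤¤¤
[PROXY IE] HKCU\\[...]\\Internet Settings : ProxyServer (localhost:12080) -> NOT REMOVED, USE PROXYFIX
[HJ] HKCU\\[...]\\Advanced : Start_ShowRecentDocs (0) -> REPLACED (1)
"""

# Line shape: [KIND] key : name (value) -> STATUS
ENTRY_RE = re.compile(r"^\[(?P<kind>[A-Z ]+)\] (?P<key>.+?) : (?P<name>\S+) "
                      r"\((?P<value>[^)]*)\) -> (?P<status>.+)$")
LOCAL_HOSTS = ("localhost", "127.0.0.1")

def parse_registry_entries(report: str) -> list:
    """Return parsed lines from the 'Registry Entries' section only."""
    entries, in_section = [], False
    for line in report.splitlines():
        if line.startswith("¤¤¤"):  # every section header uses this marker
            in_section = line.startswith("¤¤¤ Registry Entries")
            continue
        m = ENTRY_RE.match(line)
        if in_section and m:
            entries.append(m.groupdict())
    return entries

def is_local_proxy(entry: dict) -> bool:
    """IE ProxyServer aimed at this host: browsing is relayed through a
    listener on the infected machine, not through a real proxy."""
    host = entry["value"].rsplit(":", 1)[0].lower()
    return entry["kind"] == "PROXY IE" and host in LOCAL_HOSTS

def triage(scan: str, remove: str) -> dict:
    """REPLACED (...) is the fixed status in the reports above; anything
    else (FOUND, NOT REMOVED ...) is still outstanding after the Remove run."""
    found = parse_registry_entries(scan)
    after = parse_registry_entries(remove)
    outstanding = [e["name"] for e in after if not e["status"].startswith("REPLACED")]
    return {"found": len(found), "fixed": len(after) - len(outstanding),
            "outstanding": outstanding, "local_proxy": any(is_local_proxy(e) for e in after)}
```

Running `triage(SCAN_REPORT, REMOVE_REPORT)` on the excerpts reports one fixed entry, leaves `ProxyServer` outstanding and sets `local_proxy` to True, matching what the helper then addresses as the proxy fix.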
#17 CompCav (Expert)
OK, we made a little headway. I will do the proxy fix in the next step.

I will be back with it shortly!

#18 CompCav (Expert)
Step 1.

If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.
To disable MBAM:
Open the scanner and select the Protection tab.
Remove the tick from "Start with Windows".
Reboot and then run OTL.

  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the OTL textbox.

    :processes
    killallprocesses
    
    :OTL
    DRV - File not found [Kernel | Boot | Stopped] -- system32\drivers\Combo-Fix.sys -- (vkquwexg)
    IE - HKU\S-1-5-21-781878022-3114317985-875658923-1006\..\SearchScopes\{A198481A-19BF-4538-B3ED-D5B6142FF26C}: "URL" = http://search.aol.co...ionType=msie70a
    IE - HKU\S-1-5-21-781878022-3114317985-875658923-1006\..\SearchScopes\{B019BDE3-796B-4ECD-86E8-752747DD47D5}: "URL" = http://www.walmart.c...y={searchTerms}
    IE - HKU\S-1-5-21-781878022-3114317985-875658923-1006\..\SearchScopes\{D39DA297-1936-4F4C-8758-B395825B4AC2}: "URL" = http://asp.usatoday....w={searchTerms}
    IE - HKU\S-1-5-21-781878022-3114317985-875658923-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = localhost:12080
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
    FF - prefs.js..extensions.enabledItems: [email protected]:1.0
    FF - prefs.js..network.proxy.type: 4
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    [2011/01/19 08:38:04 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    [2011/01/19 08:36:50 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
    [2011/01/19 08:36:46 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
    O3 - HKU\S-1-5-21-781878022-3114317985-875658923-1006\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKU\S-1-5-21-781878022-3114317985-875658923-1006\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKU\S-1-5-21-781878022-3114317985-875658923-1006\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
    O15 - HKU\S-1-5-21-781878022-3114317985-875658923-1006\..Trusted Domains: foxsports.com ([msn] http in Trusted sites)
    O15 - HKU\S-1-5-21-781878022-3114317985-875658923-1006\..Trusted Domains: meade.com ([www] http in Trusted sites)
    O15 - HKU\S-1-5-21-781878022-3114317985-875658923-1006\..Trusted Domains: microsoft.com ([www] http in Trusted sites)
    O15 - HKU\S-1-5-21-781878022-3114317985-875658923-1006\..Trusted Domains: msn.com ([www] http in Trusted sites)
    O15 - HKU\S-1-5-21-781878022-3114317985-875658923-1006\..Trusted Domains: palmgear.com ([trials] http in Trusted sites)
    O15 - HKU\S-1-5-21-781878022-3114317985-875658923-1006\..Trusted Domains: photographyreview.com ([www] http in Trusted sites)
    O15 - HKU\S-1-5-21-781878022-3114317985-875658923-1006\..Trusted Domains: pogo.com ([game3] http in Trusted sites)
    O15 - HKU\S-1-5-21-781878022-3114317985-875658923-1006\..Trusted Domains: wetcanvas.com ([www] http in Trusted sites)
    O15 - HKU\S-1-5-21-781878022-3114317985-875658923-1006\..Trusted Ranges: Range78 ([*] in Trusted sites)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
    O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
    [2005/05/25 13:47:42 | 003,160,576 | ---- | M] () -- C:\epson10043.exe
    [2005/05/25 12:06:50 | 003,390,976 | ---- | M] () -- C:\epson10230.exe
    [2005/05/25 10:24:36 | 002,033,152 | ---- | M] () -- C:\epson10312.exe
    [2005/05/25 10:13:08 | 001,393,664 | ---- | M] () -- C:\epson10479.exe
    
    
    :files
    ipconfig /flushdns /c
    xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C
    xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C
    xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C
    xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C
    
    :reg
    
    
    :Commands
    [purity]
    [resethosts]
    [emptyjava]
    [emptyflash]
    [createrestorepoint]
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date and the time of the tool run.


Step 2.

It looks like you had some Symantec/Norton products that did not uninstall properly.

Please use this Norton removal tool. Go to step two and click the yellow download button and save it to your desktop, then run it. This tool removes all of their products since 2003 so it will do the trick!


Step 3.

It looks like you have run ComboFix. Please post the log, usually found at C:\Combofix.txt, and the OTL fix log.

#19 ko57 (Topic Starter)
When my laptop re-booted, the message about the System Configuration Utility came on. I closed that and closed the System Configuration window when it opened. I clicked on the OTL icon on the desktop; the window comes up, appears for a second or two, then disappears. Tried 3 times so far, it disappears.??

#20 CompCav (Expert)

"the message about the system configuration utility came on"

What does it say?



For OTL do this:

Simply delete it and then re-download it from here to your desktop and run it.

#21 ko57 (Topic Starter)
Mentions how I'm in repair (diagnostics??) mode for the system configuration utility. When the SysUtil Window appears the General Tab is showing. It does give the option iirc not to show the warning window again.

I go to delete the OTL.exe on desktop, asks sure you want to send to recycle bin, I hit yes, then window comes up, titled:

Error Deleting File or Folder, then: Cannot delete OTL: Access denied.
Make sure the disk is not full or write protected and that the file is not currently in use.

I did check the volume on C and it looks normal.

Right above the black/yellow OTL.exe shortcut is what looks like a program file shortcut gif with OTL.exe.part as the name. Do I delete that first?

#22 CompCav (Expert)
Yes

#23 ko57 (Topic Starter)
Deleted that otl.exe.part file, but the yellow & black otl.exe won't go to the recycle bin. Tried right clicking & drag-dropping. I do still have the OTL and Extras reports on the desktop.? If I downloaded again, saved to desktop, would it overwrite?

#24 CompCav (Expert)
Press Ctrl-Alt-Del at the same time together and bring up task manager. Then click on OTL in task manager if it is showing and then click End Process. Then it should delete.

#25 ko57 (Topic Starter)
It isn't showing up in task manager. Tried to delete it again, still won't go.?

#26 CompCav (Expert)
Reboot the computer and then delete it.

#27 ko57 (Topic Starter)
It is asking about the System Configuration Utility. There is a checkbox near "Don't show this message or launch System Configuration Utility when Windows starts." Check this or leave it blank?

#28 CompCav (Expert)
Blank

#29 ko57 (Topic Starter)
The OTL window still won't stay on the desktop. First it disappeared, then it stayed a little longer the 2nd time I tried. I copied that script to see if I could paste it the third time I tried opening it; I was able to, then it disappeared again. So trying to resize/move my 1 internet window, it is showing 4 total windows, as in not allowing the previous locations to disappear.?

#30 ko57 (Topic Starter)
Tried to shut Mozilla window(s), they would not. I guess the pc started hanging, wound up shutting it off for the night.