hijack this shows O14 - IERESET.INF: START_PAGE...Trojan? [Solved] - Geeks to Go Forums


hijack this shows O14 - IERESET.INF: START_PAGE...Trojan? [Solved]

#16 ko57

  • Group: Member
  • Posts: 34
  • Joined: 09-May 12

Posted 16 May 2012 - 07:26 PM

The icons are there, some of the webpages I'd put there have the Explorer e imposed on a page instead of the gif. Was able to shut down both Avast and malwarebytes before Rogue Killer ran. I did turn Avast back on although it is out of date re definitions.

It immediately found 4+ entries right when the program started scanning!

So far so good...here are the reports:

RogueKiller V7.4.4 [05/08/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User: Kerry Owen [Admin rights]
Mode: Scan -- Date: 05/16/2012 20:00:38

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 5 ¤¤¤
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (localhost:12080) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9808210A +++++
--- User ---
[MBR] e51d3e1b2e33de5caf55cfaf82020567
[BSP] baf0d036800a9126de6705a97f5f5b07 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76308 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt

_________________________________________

RogueKiller V7.4.4 [05/08/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User: Kerry Owen [Admin rights]
Mode: Remove -- Date: 05/16/2012 20:05:01

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 5 ¤¤¤
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (localhost:12080) -> NOT REMOVED, USE PROXYFIX
[HJ] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> REPLACED (1)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9808210A +++++
--- User ---
[MBR] e51d3e1b2e33de5caf55cfaf82020567
[BSP] baf0d036800a9126de6705a97f5f5b07 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76308 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

________________________________________________

RogueKiller V7.4.4 [05/08/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User: Kerry Owen [Admin rights]
Mode: Shortcuts HJfix -- Date: 05/16/2012 20:14:24

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 210 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 4 / Fail 0
Start menu: Success 0 / Fail 0
User folder: Success 96 / Fail 0
My documents: Success 17 / Fail 0
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 471 / Fail 0
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
[D:] \Device\CdRom0 -- 0x5 --> Skipped

¤¤¤ Infection : ¤¤¤

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

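The two RogueKiller findings worth recognising in the reports above are the IE proxy pointed at a local port (localhost:12080) and the Start_Show* values set to 0 that hide Start menu items. This added example (not from the thread or from RogueKiller) parses the "Registry Entries" section of a report and flags both; the sample input is the section copied from the scan above.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the "Registry Entries" section of the RogueKiller
# scan posted in this thread, copied verbatim.
SAMPLE_REPORT = r"""
¤¤¤ Registry Entries: 5 ¤¤¤
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (localhost:12080) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
"""

# One report line: [TAG] key : valuename (data) -> status
ENTRY_RE = re.compile(
    r"^\[(?P<tag>[A-Z ]+)\] (?P<key>\S.*?) : (?P<name>\S+) "
    r"\((?P<value>[^)]*)\) -> (?P<status>.+)$"
)
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

@dataclass
class Entry:
    tag: str
    key: str
    name: str
    value: str
    status: str

def parse_registry_entries(report: str) -> List[Entry]:
    """Return the entries listed under the 'Registry Entries' header only."""
    entries, in_section = [], False
    for line in report.splitlines():
        if line.startswith("¤¤¤"):          # section header: enter or leave
            in_section = "Registry Entries" in line
            continue
        m = ENTRY_RE.match(line) if in_section else None
        if m:
            entries.append(Entry(**m.groupdict()))
    return entries

def loopback_proxies(entries: List[Entry]) -> List[str]:
    """IE ProxyServer values that route the browser through the local machine."""
    return [e.value for e in entries
            if e.tag == "PROXY IE" and e.name == "ProxyServer"
            and e.value.rsplit(":", 1)[0].lower() in LOOPBACK]

def hidden_start_menu_items(entries: List[Entry]) -> List[str]:
    """HJ entries where a Start_Show* switch has been turned off (0)."""
    return [e.name for e in entries
            if e.tag == "HJ" and e.name.startswith("Start_Show") and e.value == "0"]
```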
#17 CompCav

  • Group: GeekU Moderator
  • Posts: 6,590
  • Joined: 24-January 11

Posted 16 May 2012 - 07:30 PM

OK we made a little headway. I will do the proxy fix in the next step.


I will be back with it shortly!

#18 CompCav

  • Group: GeekU Moderator
  • Posts: 6,590
  • Joined: 24-January 11

Posted 16 May 2012 - 07:39 PM

Step 1.


If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.
To disable MBAM:
  • Open the scanner and select the protection tab
  • Remove the tick from "Start with Windows"
  • Reboot and then run OTL




  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.

    :processes
    killallprocesses
    
    :OTL
    DRV - File not found [Kernel | Boot | Stopped] -- system32\drivers\Combo-Fix.sys -- (vkquwexg)
    IE - HKU\S-1-5-21-781878022-3114317985-875658923-1006\..\SearchScopes\{A198481A-19BF-4538-B3ED-D5B6142FF26C}: "URL" = http://search.aol.co...ionType=msie70a
    IE - HKU\S-1-5-21-781878022-3114317985-875658923-1006\..\SearchScopes\{B019BDE3-796B-4ECD-86E8-752747DD47D5}: "URL" = http://www.walmart.c...y={searchTerms}
    IE - HKU\S-1-5-21-781878022-3114317985-875658923-1006\..\SearchScopes\{D39DA297-1936-4F4C-8758-B395825B4AC2}: "URL" = http://asp.usatoday....w={searchTerms}
    IE - HKU\S-1-5-21-781878022-3114317985-875658923-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = localhost:12080
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..network.proxy.type: 4
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    [2011/01/19 08:38:04 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    [2011/01/19 08:36:50 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
    [2011/01/19 08:36:46 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
    O3 - HKU\S-1-5-21-781878022-3114317985-875658923-1006\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKU\S-1-5-21-781878022-3114317985-875658923-1006\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKU\S-1-5-21-781878022-3114317985-875658923-1006\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
    O15 - HKU\S-1-5-21-781878022-3114317985-875658923-1006\..Trusted Domains: foxsports.com ([msn] http in Trusted sites)
    O15 - HKU\S-1-5-21-781878022-3114317985-875658923-1006\..Trusted Domains: meade.com ([www] http in Trusted sites)
    O15 - HKU\S-1-5-21-781878022-3114317985-875658923-1006\..Trusted Domains: microsoft.com ([www] http in Trusted sites)
    O15 - HKU\S-1-5-21-781878022-3114317985-875658923-1006\..Trusted Domains: msn.com ([www] http in Trusted sites)
    O15 - HKU\S-1-5-21-781878022-3114317985-875658923-1006\..Trusted Domains: palmgear.com ([trials] http in Trusted sites)
    O15 - HKU\S-1-5-21-781878022-3114317985-875658923-1006\..Trusted Domains: photographyreview.com ([www] http in Trusted sites)
    O15 - HKU\S-1-5-21-781878022-3114317985-875658923-1006\..Trusted Domains: pogo.com ([game3] http in Trusted sites)
    O15 - HKU\S-1-5-21-781878022-3114317985-875658923-1006\..Trusted Domains: wetcanvas.com ([www] http in Trusted sites)
    O15 - HKU\S-1-5-21-781878022-3114317985-875658923-1006\..Trusted Ranges: Range78 ([*] in Trusted sites)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
    O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
    [2005/05/25 13:47:42 | 003,160,576 | ---- | M] () -- C:\epson10043.exe
    [2005/05/25 12:06:50 | 003,390,976 | ---- | M] () -- C:\epson10230.exe
    [2005/05/25 10:24:36 | 002,033,152 | ---- | M] () -- C:\epson10312.exe
    [2005/05/25 10:13:08 | 001,393,664 | ---- | M] () -- C:\epson10479.exe
    
    
    :files
    ipconfig /flushdns /c
    xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C
    xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C
    xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C
    xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C
    
    :reg
    
    
    :Commands
    [purity]
    [resethosts]
    [emptyjava]
    [emptyflash]
    [createrestorepoint]


  • Push the Run Fix button
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date and the time of the tool run.



Step 2.

It looks like you had some Symantec/Norton products that did not uninstall properly.

Please use this Norton removal tool. Go to step two and click the yellow download button and save it to your desktop, then run it. This tool removes all of their products since 2003 so it will do the trick!


Step 3.

It looks like you have run ComboFix. Please post the log, usually found at C:\Combofix.txt, and the OTL fix log.

#19 ko57

  • Group: Member
  • Posts: 34
  • Joined: 09-May 12

Posted 16 May 2012 - 08:08 PM

When my laptop re-booted, the message about the system configuration utility came on. I closed that and closed the system configuration window when it opened. I clicked on the otl icon on the desktop, the window comes up, appears for a second or two then disappears. Tried 3 times so far, it disappears.??

#20 CompCav

  • Group: GeekU Moderator
  • Posts: 6,590
  • Joined: 24-January 11

Posted 16 May 2012 - 08:15 PM

Quote

the message about the system configuration utility came on

What does it say?



For OTL do this:

Simply delete it and then re download it from here to your desktop and run it

#21 ko57

  • Group: Member
  • Posts: 34
  • Joined: 09-May 12

Posted 16 May 2012 - 08:41 PM

Mentions how I'm in repair (diagnostics??) mode for the system configuration utility. When the SysUtil Window appears the General Tab is showing. It does give the option iirc not to show the warning window again.

I go to delete the OTL.exe on desktop, asks sure you want to send to recycle bin, I hit yes, then window comes up, titled:

Error Deleting File or Folder, then: Cannot delete OTL: Access denied.
Make sure the disk is not full or write protected and that the file is not currently in use.

I did check the volume on C and it looks normal.

Right above the black/yellow OTL.exe shortcut is what looks like a program file shortcut gif with OTL.exe.part as the name. Do I delete that first?

#22 CompCav

  • Group: GeekU Moderator
  • Posts: 6,590
  • Joined: 24-January 11

Posted 16 May 2012 - 08:50 PM

Yes

#23 ko57

  • Group: Member
  • Posts: 34
  • Joined: 09-May 12

Posted 16 May 2012 - 09:01 PM

Deleted that otl.exe.part file but the yellow & black otl.exe won't go to recycle bin. tried right clicking & drag, dropping. I do still have the otl and extras reports on desktop.? If I downloaded again-saved to desktop-would it overwrite?

#24 CompCav

  • Group: GeekU Moderator
  • Posts: 6,590
  • Joined: 24-January 11

Posted 16 May 2012 - 09:26 PM

Press Ctrl-Alt-Del together to bring up Task Manager. Then click on OTL in Task Manager if it is showing and then click End Process. Then it should delete.

#25 ko57

  • Group: Member
  • Posts: 34
  • Joined: 09-May 12

Posted 16 May 2012 - 09:35 PM

It isn't showing up in task manager. Tried to delete it again, still won't go.?

#26 CompCav

  • Group: GeekU Moderator
  • Posts: 6,590
  • Joined: 24-January 11

Posted 16 May 2012 - 09:41 PM

Reboot the computer and then delete it.

#27 ko57

  • Group: Member
  • Posts: 34
  • Joined: 09-May 12

Posted 16 May 2012 - 10:00 PM

It is asking about sysconfigutility. There is a checkbox near "Don't show this message or launch System Configuration Utility when Windows starts". Check this or leave it blank?

#28 CompCav

  • Group: GeekU Moderator
  • Posts: 6,590
  • Joined: 24-January 11

Posted 16 May 2012 - 10:05 PM

Blank

#29 ko57

  • Group: Member
  • Posts: 34
  • Joined: 09-May 12

Posted 16 May 2012 - 10:27 PM

The otl window still won't stay on the desktop. First it disappeared, then it stayed a little longer the 2nd time I tried. I copied that script to see if I could paste it the third time I tried opening it, I was able to then it disappeared again. So trying to resize/move my 1 internet window, it is showing 4 total windows, as in not allowing the previous locations to disappear.?

#30 ko57

  • Group: Member
  • Posts: 34
  • Joined: 09-May 12

Posted 16 May 2012 - 11:01 PM

Tried to shut Mozilla window(s), they would not. I guess the pc started hanging, wound up shutting it off for the night.
