Google Redirection problem; tutorial didn't work [Closed]


  • This topic is locked

#16 godawgs (Teacher, Retired Staff, 8,228 posts)

Hi ron,

Part of the problem is fixed. The logs are looking better. But we still have a good bit to do. What I want to do now is run another fix, turn the Windows firewall on, get an anti virus program on the system.

Before we do anything else, I need to clear up running the tools. Ideally all tools should be run from the desktop of the infected computer. It is ok to run OTL from the downloads directory of the root drive of the infected computer.... C:\Documents and Settings\Ron (the merciful)\My Documents\Downloads
You did that for the first run of OTL. But the last OTL run was from the flash drive:

OTL logfile created on: 12/15/2012 6:43:54 PM - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = E:\
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy


ComboFix must be run from the desktop of the root drive of the infected computer. You ran ComboFix from the flash drive:

ComboFix 12-12-14.01 - Ron (the merciful) 12/15/2012 17:24:33.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.120 [GMT -5:00]
Running from: E:\ComboFix.exe


My instructions in post #6 said this:

> Please download all of the files requested in each step to a flash drive on the good computer. Then transfer them to the desktop of the sick computer and run them from the desktop of the sick computer.


Farbar Scanner Service was run from the Downloads folder on the C:\ drive. Keep it there for now.

I don't know where aswMBR was run from because it doesn't tell us.

I need all future OTL scans and fixes to be run from the C:\Documents and Settings\Ron (the merciful)\My Documents\Downloads folder.

I want you to copy ComboFix from the E:\ (flash drive) to the desktop of the sick computer. Make any future runs requested from there.

If you ran aswMBR from the flash drive I want you to copy it to the desktop of the sick computer and make any future runs from there.

Once that has been done, complete the following steps.

Please do the Steps in the order requested.


Step-1

OTL Fix

Make sure you run OTL from the C:\Documents and Settings\Ron (the merciful)\My Documents\Downloads folder.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

1. Please copy all of the text in the quote box below (do not copy the word Quote). To do this, highlight everything inside the quote box (except the word Quote), right click and click Copy.

:COMMANDS
[createrestorepoint]

:OTL
[2011/03/16 13:43:01 | 000,000,000 | ---D | M] (Search Toolbar) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wt3ptfy0.default\extensions\[email protected]
[2011/03/16 13:43:01 | 000,001,919 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wt3ptfy0.default\searchplugins\bing-zugo.xml
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1
O33 - MountPoints2\{dc52b315-0951-11df-9eaf-001320354b33}\Shell - "" = AutoRun
O33 - MountPoints2\{dc52b315-0951-11df-9eaf-001320354b33}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{dc52b315-0951-11df-9eaf-001320354b33}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a

:FILES
C:\WINDOWS\assembly\GAC\Desktop.ini
c:\documents and settings\Ron (the merciful)\Application Data\BitTorrent

:COMMANDS
[emptytemp]


Warning: This fix is relevant for this system and no other. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

2. Please re-open OTL on your desktop.
3. Place the mouse pointer inside the Custom Scans/Fixes textbox, right click and click Paste. This will put the above script inside the textbox.
4. Click the Run Fix button.
5. Let the program run unhindered.
6. OTL may ask to reboot the machine. Please do so if asked.
7. Click the OK button.
8. A report will open. Copy and Paste that report in your next reply.
9. If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, (where mmddyyyy_hhmmss is the date of the tool run).


Step-2.

You are going to need to manually delete/disable the BitTorrent plugin from Chrome.

Disable/Uninstall Chrome Plug-ins

  • Open the Chrome browser.
  • In the Address bar or Omni bar, type the following:

    chrome://plugins
  • On the Plug-ins page, find the BitTorrent plug-in. There should be an option to Disable or Uninstall the plug-in. If the Uninstall option is available, choose it. Otherwise Disable the plug-in.

    IF you can't find the plug-in that way:
  • Click the Wrench icon.
  • Click Options
  • Click Under the Hood
  • Click Content Settings
  • Click Plug-ins
  • Click Disable individual plug-ins
  • Find the plug-in listed above and Disable it.

Step-3.

Turn the Windows Firewall on

  • Click Start, click Run.
  • In the Run box, type Firewall.cpl, and then click OK.
  • On the General tab, click On (recommended).
  • Click OK.

Step-4.

OTL Custom Scan

Make sure you run OTL from the C:\Documents and Settings\Ron (the merciful)\My Documents\Downloads folder.

1. Please copy the text in the Quote box below (do not copy the word Quote) and paste it in the Custom Scans/Fixes box in OTL. To do that:
  • Highlight everything inside the quote box, (except the word Quote), right click the mouse and click Copy.

/md5start
wscsvc.dll
/md5stop
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC]


2. Re-open OTL . To do that:
  • Double click on the OTL icon to run it. (Vista / 7 users: right click on the icon and click Run as Administrator)
    Make sure all other windows are closed.
  • You will see the OTL console.
  • DO NOT check the box beside Scan All Users or Include 64bit Scans at the top of the console
  • Make sure the Output box at the top is set to Standard Output.
  • Place the mouse pointer inside the Custom Scans/Fixes box, right click and click Paste. This will put the above script inside OTL.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so.
  • Let the scan run uninterrupted.
  • When the scan completes, it will open OTL.Txt. This file is also saved in the same location as OTL (it should be on your desktop).
  • Please copy the contents of this file and paste it into your reply. To do that:
  • On the OTL.txt file Menu Bar click Edit then click Select All. This will highlight the contents of the file. Then click Copy.
  • Right click inside the forum post window then click Paste. This will paste the contents of the OTL.txt file in the post window.

Step-5.

Uninstall a program

1. Please click Start > Control Panel > Add/Remove Programs
2. In the list of programs installed, locate the following program(s):

McAfee Security Scan Plus

3. Click on each program to highlight it and click Change/Remove.
4. After the programs have been uninstalled, close the Installed Programs window and the Control Panel.
5. Reboot the computer.

Delete the folders associated with the uninstalled programs. (Only do this if you uninstalled the program.)

1. Using Windows Explorer (to get there, right-click your Start button and click "Explore"), please delete the following folder(s) (if present):

C:\Program Files\McAfee Security Scan Plus

2. Close Windows Explorer.


Step-6.

Now reconnect the sick computer back to the internet. You can leave it connected.

Install an Anti Virus program

Click here to go to our Free Antivirus and Antispyware Software page.
Under the Free Antivirus Software section you will find four anti virus programs. Download and install One of the first three. NEVER have more than one anti virus program installed and running at the same time. I personally recommend Microsoft Security Essentials. It integrates well with Windows. It doesn't have a big footprint. And it doesn't have the learning curve of the other two. You simply set it up once and forget it. It will automatically update itself.


Step-7.

Things For Your Next Post:
Please post the logs in the order requested. Do Not attach the logs unless I request it.
1. The OTL fixes log
2. Were you able to disable the BitTorrent plug-in?
3. Were you able to turn the Firewall on?
4. The new OTL.txt log
5. Let me know how the program uninstall went.
6. Which anti virus program did you download and install?

#17 ron26 (Member, Topic Starter, 169 posts)

All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== OTL ==========
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wt3ptfy0.default\extensions\[email protected]\defaults\preferences folder moved successfully.
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wt3ptfy0.default\extensions\[email protected]\defaults folder moved successfully.
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wt3ptfy0.default\extensions\[email protected]\components folder moved successfully.
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wt3ptfy0.default\extensions\[email protected]\chrome\skin folder moved successfully.
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wt3ptfy0.default\extensions\[email protected]\chrome\content folder moved successfully.
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wt3ptfy0.default\extensions\[email protected]\chrome folder moved successfully.
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wt3ptfy0.default\extensions\[email protected] folder moved successfully.
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wt3ptfy0.default\searchplugins\bing-zugo.xml moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableCAD deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dc52b315-0951-11df-9eaf-001320354b33}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{dc52b315-0951-11df-9eaf-001320354b33}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dc52b315-0951-11df-9eaf-001320354b33}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{dc52b315-0951-11df-9eaf-001320354b33}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dc52b315-0951-11df-9eaf-001320354b33}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{dc52b315-0951-11df-9eaf-001320354b33}\ not found.
File E:\LaunchU3.exe -a not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\ not found.
File F:\LaunchU3.exe -a not found.
========== FILES ==========
C:\WINDOWS\assembly\GAC\Desktop.ini moved successfully.
c:\documents and settings\Ron (the merciful)\Application Data\BitTorrent folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 79952948 bytes
->Temporary Internet Files folder emptied: 73429047 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 13835687 bytes
->Google Chrome cache emptied: 12035918 bytes
->Flash cache emptied: 602 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Ron (the merciful)
->Temp folder emptied: 71607466 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 7630794 bytes
->Google Chrome cache emptied: 9119602 bytes
->Flash cache emptied: 602 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 255.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 12162012_114517

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

#18 ron26 (Member, Topic Starter, 169 posts)

Sorry for not being diligent & running things from the desktop. I didn't follow your instructions closely enough; I'll do better today.

I'm hung up on Step 2, disabling the BitTorrent plug-in.

I cannot find it under the chrome/plugins list. I also don't have a wrench icon; I searched for info, and it seems to have been replaced by three lines. I clicked on that and went into the plug-ins area of settings; it has an area to disable plug-ins, but I'm still not finding the BitTorrent plug-in there.

Please advise. I do have a desktop icon for BitTorrent. I wonder if I could open that and manually disable it?

Sorry for the confusion, I'll wait to proceed. Thanks.

#19 godawgs (Teacher, Retired Staff, 8,228 posts)

> I also don't have a wrench icon; I searched for info, and it seems to have been replaced by three lines.

Yep, Chrome changed the icon. I don't use chrome so that got past me. :whistling: Click the three lines and follow the directions from there.

#20 ron26 (Member, Topic Starter, 169 posts)

Hi godawgs,

I'm trying to follow the steps to disable BitTorrent but I'm not sure what to do.

It isn't listed under the chrome plug-ins.

I've followed Content Settings > Plug-ins > Disable individual plug-ins

But BitTorrent is not in that list, so I can't click it and disable it.

Under plug-ins in the content settings box it lists:
run automatically (recommended)
click to play
block all

Manage exceptions

Disable individual plug-ins (it's clickable)

But clicking on that just brings me to the list, the same one I got to with chrome/plugins.

BitTorrent is not there.

Could I use a different browser? Could I open BitTorrent from my desktop and disable it?

Sorry for being dumb about this, but the list doesn't show BitTorrent and I don't want to do anything incorrectly.

#21 godawgs (Teacher, Retired Staff, 8,228 posts)

> Could I open BitTorrent from my desktop and disable it?

Try that. If you can't do that, continue with the rest of the instructions and post those logs and answer the questions. :thumbsup:

#22 ron26 (Member, Topic Starter, 169 posts)

Okay, onto step 3...in the start/run/Firewall there was a check box under the "Exceptions" tab with BitTorrent checked. Should I/could I disable it there?

#23 godawgs (Teacher, Retired Staff, 8,228 posts)

Click BitTorrent to highlight it and click the Delete button.

#24 ron26 (Member, Topic Starter, 169 posts)

OTL logfile created on: 12/16/2012 3:57:57 PM - Run 3
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Ron (the merciful)\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

509.98 Mb Total Physical Memory | 278.20 Mb Available Physical Memory | 54.55% Memory free
1.22 Gb Paging File | 0.71 Gb Available in Paging File | 58.19% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 70.65 Gb Total Space | 49.61 Gb Free Space | 70.22% Space Free | Partition Type: NTFS
Drive E: | 7.84 Gb Total Space | 6.94 Gb Free Space | 88.52% Space Free | Partition Type: FAT32

Computer Name: RUSSO-DESKTOP | User Name: Ron (the merciful) | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/12/12 16:03:24 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ron (the merciful)\My Documents\Downloads\OTL.exe
PRC - [2012/11/22 03:34:06 | 011,146,360 | ---- | M] (SugarSync, Inc.) -- C:\Program Files\SugarSync\SugarSyncManager.exe
PRC - [2012/11/08 16:58:24 | 016,070,136 | ---- | M] (Google) -- C:\Program Files\Google\Drive\googledrivesync.exe
PRC - [2012/09/21 15:12:00 | 000,331,776 | ---- | M] (LunarFrog.com) -- C:\Documents and Settings\Ron (the merciful)\Desktop\TaggedFrog_1.1\TaggedFrog.exe
PRC - [2012/08/26 23:21:12 | 026,924,984 | ---- | M] (Dropbox, Inc.) -- C:\Documents and Settings\Ron (the merciful)\Application Data\Dropbox\bin\Dropbox.exe
PRC - [2012/07/02 20:21:38 | 026,868,192 | ---- | M] (Dropbox, Inc.) -- C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe
PRC - [2011/06/17 12:33:04 | 000,272,528 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\3.0.207\SSScheduler.exe
PRC - [2010/09/27 10:58:24 | 001,528,616 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2009/08/16 08:50:04 | 000,653,104 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\BitTorrent\bittorrent.exe
PRC - [2009/04/17 18:01:32 | 000,929,792 | ---- | M] (Realtek Semiconductor Corp.) -- C:\Program Files\REALTEK\11n USB Wireless LAN Utility\RtWLan.exe
PRC - [2008/04/13 22:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/12/15 02:07:44 | 000,176,128 | ---- | M] (HP) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
PRC - [2004/09/29 11:14:36 | 000,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe


========== Modules (No Company Name) ==========

MOD - [2012/12/16 11:59:59 | 000,086,016 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI1922\_elementtree.pyd
MOD - [2012/12/16 11:59:59 | 000,040,448 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI1922\_socket.pyd
MOD - [2012/12/16 11:59:58 | 000,571,392 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI1922\pysqlite2._sqlite.pyd
MOD - [2012/12/16 11:59:58 | 000,096,256 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI1922\win32api.pyd
MOD - [2012/12/16 11:59:58 | 000,023,040 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI1922\win32ts.pyd
MOD - [2012/12/16 11:59:57 | 000,792,576 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI1922\wx._gdi_.pyd
MOD - [2012/12/16 11:59:57 | 000,263,168 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI1922\win32com.shell.shell.pyd
MOD - [2012/12/16 11:59:57 | 000,070,656 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI1922\wx._html2.pyd
MOD - [2012/12/16 11:59:57 | 000,011,776 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI1922\win32crypt.pyd
MOD - [2012/12/16 11:59:56 | 001,024,024 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI1922\windows._cacheinvalidation.pyd
MOD - [2012/12/16 11:59:55 | 000,354,304 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI1922\pythoncom26.dll
MOD - [2012/12/16 11:59:55 | 000,073,728 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI1922\_ctypes.pyd
MOD - [2012/12/16 11:59:55 | 000,017,920 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI1922\win32profile.pyd
MOD - [2012/12/16 11:59:54 | 000,731,136 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI1922\wx._misc_.pyd
MOD - [2012/12/16 11:59:53 | 000,110,592 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI1922\win32security.pyd
MOD - [2012/12/16 11:59:53 | 000,110,592 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI1922\PyWinTypes26.dll
MOD - [2012/12/16 11:59:52 | 000,645,120 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI1922\_ssl.pyd
MOD - [2012/12/16 11:59:51 | 001,169,408 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI1922\wx._core_.pyd
MOD - [2012/12/16 11:59:51 | 000,036,352 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI1922\win32process.pyd
MOD - [2012/12/16 11:59:51 | 000,022,528 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI1922\win32pdh.pyd
MOD - [2012/12/16 11:59:49 | 000,807,424 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI1922\wx._windows_.pyd
MOD - [2012/12/16 11:59:49 | 000,311,808 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI1922\_hashlib.pyd
MOD - [2012/12/16 11:59:48 | 000,121,856 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI1922\wx._wizard.pyd
MOD - [2012/12/16 11:59:48 | 000,111,104 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI1922\win32file.pyd
MOD - [2012/12/16 11:59:48 | 000,039,424 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI1922\win32inet.pyd
MOD - [2012/12/16 11:59:35 | 001,056,256 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI1922\wx._controls_.pyd
MOD - [2012/12/16 11:59:33 | 000,585,728 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI1922\unicodedata.pyd
MOD - [2012/12/16 11:59:33 | 000,153,088 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI1922\pyexpat.pyd
MOD - [2012/12/16 11:59:33 | 000,017,920 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI1922\win32event.pyd
MOD - [2012/12/16 11:59:33 | 000,011,776 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI1922\select.pyd
MOD - [2010/09/27 11:03:08 | 000,201,512 | ---- | M] () -- C:\WINDOWS\system32\vpnapi.dll
MOD - [2009/08/01 08:19:33 | 000,962,560 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\a4c5647e14a60542bdc6db025820565e\System.Configuration.ni.dll
MOD - [2009/08/01 08:16:09 | 005,640,192 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\1ae45140aef4a04f97a89e9de9a5a150\System.Xml.ni.dll
MOD - [2009/08/01 08:15:57 | 013,107,200 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\ebb37c7195048f4db5fd159fe8a40b8e\System.Windows.Forms.ni.dll
MOD - [2009/08/01 08:15:31 | 001,626,112 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\e46253c941b1614fa7fb1936725a5029\System.Drawing.ni.dll
MOD - [2009/08/01 08:15:26 | 008,093,696 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\a1dc0e83bea70640a5173b104b3dd6c8\System.ni.dll
MOD - [2009/08/01 08:15:05 | 011,415,552 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\54365b3e4a73e1489c0e41df3600e683\mscorlib.ni.dll
MOD - [2009/04/03 15:32:10 | 000,110,592 | ---- | M] () -- C:\Program Files\REALTEK\11n USB Wireless LAN Utility\EnumDevLib.dll
MOD - [2007/07/12 10:11:54 | 001,163,264 | ---- | M] () -- C:\Program Files\REALTEK\11n USB Wireless LAN Utility\acAuth.dll


========== Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- %SYSTEMROOT%\system32\wscsvc.dll -- (wscsvc)
SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - File not found [Auto | Stopped] -- %SystemRoot%\System32\ersvc.dll -- (ERSvc)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\system32\clipsrv.exe -- (ClipSrv)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\system32\cisvc.exe -- (CiSvc)
SRV - [2012/12/12 11:35:08 | 000,250,808 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/12/10 15:14:00 | 000,115,168 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2011/06/17 12:33:04 | 000,237,008 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\3.0.207\McCHSvc.exe -- (McComponentHostService)
SRV - [2010/11/30 23:42:12 | 000,036,352 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\OpenVPN\bin\openvpnserv.exe -- (OpenVPNService)
SRV - [2010/09/27 10:58:24 | 001,528,616 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2010/09/09 21:46:59 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2004/09/29 11:14:36 | 000,069,632 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - [2010/11/30 23:42:14 | 000,026,112 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tap0901.sys -- (tap0901)
DRV - [2010/09/27 10:56:00 | 000,308,859 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2009/04/17 09:44:46 | 000,574,080 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTL8192su.sys -- (RTL8192su)
DRV - [2008/11/16 17:39:44 | 000,131,984 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2007/11/14 18:05:16 | 000,394,952 | ---- | M] (Zone Labs, LLC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2007/01/18 19:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2004/09/17 07:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...Box&Form=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.dailytao.org/"
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:17.0.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_5_502_135.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll (DivX, Inc)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.7.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll File not found
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.7.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 17.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/12/10 15:14:01 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 17.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/12/10 15:13:48 | 000,000,000 | ---D | M]

[2012/09/21 15:07:11 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Ron (the merciful)\Application Data\Mozilla\Extensions
[2012/10/23 14:04:46 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Ron (the merciful)\Application Data\Mozilla\Firefox\Profiles\qdu253mj.default\extensions
[2012/12/10 15:13:39 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/12/10 15:14:00 | 000,262,112 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/09/05 20:26:22 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/10/23 09:37:56 | 000,002,058 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - homepage:
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}&sugkey={google:suggestAPIKeyParameter},
CHR - homepage:
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\23.0.1271.97\PepperFlash\pepflashplayer.dll
CHR - plugin: Chrome Remote Desktop Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\23.0.1271.97\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\23.0.1271.97\pdf.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: DivX Web Player (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npdivx32.dll
CHR - plugin: DivX Player Netscape Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll
CHR - plugin: Microsoft Office 2003 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\NPOFFICE.DLL
CHR - plugin: QuickTime Plug-in 7.6.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.6.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.6.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.6.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.6.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.6.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.6.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll
CHR - plugin: Java™ Platform SE 7 U7 (Enabled) = C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_5_502_135.dll
CHR - plugin: Java Deployment Toolkit 7.0.70.11 (Enabled) = C:\WINDOWS\system32\npDeployJava1.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll
CHR - Extension: Google Drive = C:\Documents and Settings\Ron (the merciful)\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0\
CHR - Extension: YouTube = C:\Documents and Settings\Ron (the merciful)\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Google Search = C:\Documents and Settings\Ron (the merciful)\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: Gmail = C:\Documents and Settings\Ron (the merciful)\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2012/12/15 17:41:56 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe (HP)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
O4 - HKCU..\Run: [GoogleDriveSync] C:\Program Files\Google\Drive\googledrivesync.exe (Google)
O4 - HKCU..\Run: [SugarSync] C:\Program Files\SugarSync\SugarSyncManager.exe (SugarSync, Inc.)
O4 - HKCU..\Run: [TaggedFrog] C:\Documents and Settings\Ron (the merciful)\Desktop\TaggedFrog_1.1\TaggedFrog.exe (LunarFrog.com)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk = C:\Program Files\McAfee Security Scan\3.0.207\SSScheduler.exe (McAfee, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\REALTEK 11n USB Wireless LAN Utility.lnk = C:\Program Files\REALTEK\11n USB Wireless LAN Utility\RtWLan.exe (Realtek Semiconductor Corp.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk = C:\WINDOWS\Installer\{1CE60928-8325-49A8-8B06-633E48DD2B67}\Icon3E5562ED7.ico ()
O4 - Startup: C:\Documents and Settings\Ron (the merciful)\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\Ron (the merciful)\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableStatusMessages = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: VerboseStatus = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoInternetOpenWith = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://windowsupdate...b?1348506400799 (WUWebControl Class)
O16 - DPF: {CAFEEFAC-0017-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_07)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Ron (the merciful)\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Ron (the merciful)\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/07/01 22:43:35 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/12/16 15:34:17 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Ron (the merciful)\Recent
[2012/12/16 12:11:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ron (the merciful)\Application Data\BitTorrent
[2012/12/16 11:46:06 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/12/16 11:45:17 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/12/16 11:43:02 | 004,732,416 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Ron (the merciful)\Desktop\aswMBR.exe
[2012/12/16 11:39:03 | 005,010,912 | R--- | C] (Swearware) -- C:\Documents and Settings\Ron (the merciful)\Desktop\ComboFix.exe
[2012/12/15 17:47:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2012/12/15 17:41:24 | 000,000,000 | ---D | C] -- C:\Program Files\xerox
[2012/12/15 17:41:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\xircom
[2012/12/15 17:41:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\srchasst
[2012/12/15 17:41:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\oobe
[2012/12/15 17:41:23 | 000,000,000 | ---D | C] -- C:\Program Files\movie maker
[2012/12/15 17:41:22 | 000,000,000 | ---D | C] -- C:\Program Files\netmeeting
[2012/12/15 17:41:22 | 000,000,000 | ---D | C] -- C:\Program Files\msn gaming zone
[2012/12/15 17:41:22 | 000,000,000 | ---D | C] -- C:\WINDOWS\msagent
[2012/12/15 17:41:22 | 000,000,000 | ---D | C] -- C:\Program Files\microsoft frontpage
[2012/12/15 17:41:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\inetsrv
[2012/12/15 17:11:59 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/12/15 17:08:41 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Ron (the merciful)\My Documents\My Videos
[2012/12/15 17:08:40 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Ron (the merciful)\Start Menu\Programs\Administrative Tools
[2012/12/15 14:30:15 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/12/15 14:30:15 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/12/15 14:30:15 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/12/15 14:30:15 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/12/15 14:30:04 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/12/15 13:28:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2012/12/13 10:35:22 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Ron (the merciful)\My Documents\Google Drive
[2012/12/13 10:23:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Drive
[2012/12/13 10:05:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Chrome
[2012/12/13 09:57:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ron (the merciful)\Local Settings\Application Data\Google
[2012/12/12 13:56:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ron (the merciful)\Desktop\GooredFix Backups
[2012/12/12 12:59:08 | 000,000,000 | ---D | C] -- C:\_OTM
[2012/12/12 12:34:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/12/12 12:31:32 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2012/12/12 12:31:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2012/12/12 11:41:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ron (the merciful)\My Documents\Dissertation Files
[2012/12/10 17:02:02 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Ron (the merciful)\IECompatCache
[2012/12/10 15:13:38 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2012/11/28 11:26:07 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Ron (the merciful)\PrivacIE
[2012/11/19 13:31:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2012/11/19 09:52:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2012/11/19 09:51:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2012/11/17 11:45:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2012/11/17 11:44:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe

========== Files - Modified Within 30 Days ==========

[2012/12/16 15:33:01 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/12/16 15:09:06 | 000,001,010 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-436374069-484061587-1606980848-500UA.job
[2012/12/16 15:09:06 | 000,000,900 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/12/16 12:02:09 | 000,398,114 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/12/16 12:02:08 | 000,061,016 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/12/16 11:59:32 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
[2012/12/16 11:57:26 | 000,000,896 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/12/16 11:57:08 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/12/16 11:57:02 | 534,827,008 | -HS- | M] () -- C:\hiberfil.sys
[2012/12/16 11:42:41 | 004,732,416 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Ron (the merciful)\Desktop\aswMBR.exe
[2012/12/15 17:41:56 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/12/15 17:12:05 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2012/12/15 14:16:52 | 005,010,912 | R--- | M] (Swearware) -- C:\Documents and Settings\Ron (the merciful)\Desktop\ComboFix.exe
[2012/12/14 16:09:00 | 000,000,958 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-436374069-484061587-1606980848-500Core.job
[2012/12/14 14:07:47 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/12/14 12:51:01 | 001,164,119 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Desktop\ElfPDFStreamPublic.pdf
[2012/12/14 12:14:14 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2003 (2).lnk
[2012/12/14 10:13:45 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/12/13 10:35:55 | 000,001,487 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Desktop\Google Drive.lnk
[2012/12/13 10:08:20 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Desktop\Google Chrome.lnk
[2012/12/13 10:08:20 | 000,001,791 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/12/12 14:06:51 | 002,213,976 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Ron (the merciful)\Desktop\TDSSKiller.exe
[2012/12/12 12:31:34 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Desktop\NTREGOPT.lnk
[2012/12/12 12:31:34 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Desktop\ERUNT.lnk
[2012/12/12 11:35:03 | 000,697,272 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/12/12 11:35:02 | 000,073,656 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2012/12/07 09:12:09 | 000,000,800 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2012/12/06 16:12:39 | 000,000,534 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Desktop\Magic Briefcase.lnk

========== Files Created - No Company Name ==========

[2012/12/15 17:12:05 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2012/12/15 17:12:03 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/12/15 14:30:15 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/12/15 14:30:15 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/12/15 14:30:15 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/12/15 14:30:15 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/12/15 14:30:15 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/12/14 12:50:53 | 001,164,119 | ---- | C] () -- C:\Documents and Settings\Ron (the merciful)\Desktop\ElfPDFStreamPublic.pdf
[2012/12/13 10:35:54 | 000,001,487 | ---- | C] () -- C:\Documents and Settings\Ron (the merciful)\Desktop\Google Drive.lnk
[2012/12/13 10:08:20 | 000,001,813 | ---- | C] () -- C:\Documents and Settings\Ron (the merciful)\Desktop\Google Chrome.lnk
[2012/12/13 10:08:20 | 000,001,791 | ---- | C] () -- C:\Documents and Settings\Ron (the merciful)\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/12/12 12:31:34 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\Ron (the merciful)\Desktop\NTREGOPT.lnk
[2012/12/12 12:31:34 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Ron (the merciful)\Desktop\ERUNT.lnk
[2012/12/07 09:12:15 | 000,000,788 | ---- | C] () -- C:\Documents and Settings\Ron (the merciful)\Start Menu\Programs\Windows Media Player.lnk
[2012/12/07 09:12:08 | 000,000,800 | ---- | C] () -- C:\Documents and Settings\Ron (the merciful)\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2012/09/24 12:46:21 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/09/24 11:39:42 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2011/03/16 14:19:03 | 000,068,964 | ---- | C] () -- C:\WINDOWS\hpoins05.dat
[2011/03/16 14:19:03 | 000,019,696 | ---- | C] () -- C:\WINDOWS\hpomdl05.dat

========== ZeroAccess Check ==========

[2009/08/01 08:14:07 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2009/04/26 18:41:42 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/04/26 18:41:31 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/13 22:42:10 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== Custom Scans ==========

< [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] >

< [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC] >

< End of report >

#25
ron26

    Member

  • Topic Starter
  • Member
  • 169 posts

Click BitTorrent to highlight it and click the Delete button.


Just saw this and I'd already run the OTL scan, step 4. Should I go back and try and delete BitTorrent?

If I click on it on the desktop it tells me it'll just delete the shortcut, not the program. Under Add/Remove Programs it doesn't show up.

I'll pause for now and wait for further instruction.

I was about to proceed with step 5. I will post the Step 4 log.

#26
ron26

    Member

  • Topic Starter
  • Member
  • 169 posts
Okay, I did Step 3 again, the Windows Firewall and deleted BitTorrent. I think that is what you wanted me to do, right?

I'll remain paused in the steps until you tell me if I need to re-run OTL, step 4 or proceed with step 5.

Sorry for the confusion, I didn't see your post.

#27
ron26

    Member

  • Topic Starter
  • Member
  • 169 posts
Shoot, time for me to leave and I won't be around this computer for the rest of the evening. I'll be around all day tomorrow though.

Hopefully I didn't screw anything up & sorry for the confusion. I'll wait to hear back from you.

Thanks for your assistance thus far!

#28
godawgs

    Teacher

  • Retired Staff
  • 8,228 posts

If I click on it on the desktop it tells me it'll just delete the shortcut, not the program. Under Add/Remove Programs it doesn't show up.

Right click on the shortcut and delete it.

Okay, I did Step 3 again, the Windows Firewall and deleted BitTorrent. I think that is what you wanted me to do, right?

Yep. And something must have worked, because the Babylon plug-in isn't in the scan anymore.

Go back to post #16 and complete Steps 5 and 6.

Let me know which anti virus program you installed.

#29
ron26

    Member

  • Topic Starter
  • Member
  • 169 posts
Hi godawgs,

Okay. Completed steps 5 & 6. I think I have posted all the logs you wanted (OTL x 2) and followed the other steps. I deleted BitTorrent as well.

Anti Virus Program
I installed Microsoft Security Essentials. It initially said, when I was downloading/installing, that it was still turned off and I would have to manually turn it on. It mentioned a Firewall. Hmm, I'm guessing this has something to do with the work we were doing?

Have to head home for the day but I'll check back in tomorrow and also try and confirm myself (and with your help) that it's up and running properly. It's now running a scan. I'll leave the computer on for the night and let it run.

Thanks so much for your help! Seems like we're getting close. I'll wait for your feedback & be back tomorrow morning. Thank you.

ron

#30
godawgs

    Teacher

  • Retired Staff
  • 8,228 posts
Hi Ron,

Thanks so much for your help! Seems like we're getting close.

You're welcome. And we're getting closer but we still have things to do.

You are missing a file for the Security Center. OTL didn't find one, but I want to make sure.

Do you have the XP installation disk that came with the computer?

Step-1.

  • Please run Farbar Service Scanner FSS.exe again.
  • Type the following in the edit box beside "Search:"

    wscsvc.dll
  • Click the Search Files button and post the log (FSS.txt) it makes to your reply.


Step-2.

Things For Your Next Post:
Please post the logs in the order requested. Do Not attach the logs unless I request it.
1. Answer my question about the XP installation disk.
2. The FSS.txt log
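An added example, not code from this thread or from OTL's author: a small Python triage script for the OTL log format posted above. It parses the `[date | size | attrs | C/M] (Company) -- path` file entries and the `< [KEY] >` custom-scan probes, then lists what a helper reads first: recently created executables with no company name or sitting in user-writable folders, hidden+system files, and registry probes under which OTL listed nothing (as the LEGACY_WSCSVC probe did here, which is what prompts the wscsvc.dll search). The entry grammar is inferred from the posted log rather than taken from OTL's documentation, and the sample lines are copied from the log above; a flagged item is a candidate for review, not a verdict.

```python
"""Triage helper for OTL logs. Added example; the line grammar below is inferred
from the log posted in this thread, not taken from OTL's own source or docs."""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# One file/folder entry: [date time | size | attrs | C|M] (Company) -- path [-- [ NTFS ]]
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[A-Z-]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+?)(?: -- \[ \w+ \])?$"
)
SECTION_RE = re.compile(r"^=+ (?P<name>.+?) =+$")   # ========== Name ==========
CUSTOM_RE = re.compile(r"^< \[(?P<key>[^\]]+)\] >$")  # < [HKEY_...] >

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl", ".com", ".bat", ".cmd", ".pif")
# Folders a limited user can write to on an XP layout (matched case-insensitively).
USER_WRITABLE = ("\\desktop\\", "\\application data\\", "\\local settings\\",
                 "\\temp\\", "\\recycler\\", "\\downloads\\")


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group non-blank lines under the section header printed above them."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections


def parse_entries(lines: List[str]) -> List[dict]:
    """Turn file/folder lines into dicts; lines in any other format are skipped."""
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line)
        if not m:
            continue
        company = (m.group("company") or "").strip()
        entries.append({
            "when": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
            "size": int(m.group("size").replace(",", "")),
            "attrs": m.group("attrs"),
            "is_dir": m.group("attrs")[3] == "D",
            "created": m.group("kind") == "C",
            "company": "" if company == "No name found" else company,
            "path": m.group("path"),
        })
    return entries


def review_reasons(entry: dict) -> List[str]:
    """Why a file deserves a second look; an empty list means nothing stands out."""
    if entry["is_dir"]:
        return []
    reasons, lower = [], entry["path"].lower()
    if lower.endswith(EXEC_EXT):
        if not entry["company"]:
            reasons.append("executable with no company name")
        if any(tag in lower for tag in USER_WRITABLE):
            reasons.append("executable in user-writable location")
    if "H" in entry["attrs"] and "S" in entry["attrs"]:
        reasons.append("hidden+system attributes")
    return reasons


def flag_entries(entries: List[dict]) -> List[Tuple[str, List[str]]]:
    return [(e["path"], review_reasons(e)) for e in entries if review_reasons(e)]


def custom_scan_results(lines: List[str]) -> Dict[str, List[str]]:
    """Map each '< [KEY] >' probe to the lines OTL printed beneath it."""
    results: Dict[str, List[str]] = {}
    key: Optional[str] = None
    for line in lines:
        m = CUSTOM_RE.match(line)
        if m:
            key = m.group("key")
            results[key] = []
        elif line.startswith("<"):       # e.g. '< End of report >'
            key = None
        elif key is not None:
            results[key].append(line)
    return results


def empty_probes(results: Dict[str, List[str]]) -> List[str]:
    """Probes for which OTL listed nothing: key absent or without values/subkeys."""
    return [k for k, v in results.items() if not v]


# Constructed sample: a few lines copied from the OTL log posted in this thread.
SAMPLE_LOG = r"""
========== Files/Folders - Created Within 30 Days ==========

[2012/12/16 12:11:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ron (the merciful)\Application Data\BitTorrent
[2012/12/16 11:43:02 | 004,732,416 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Ron (the merciful)\Desktop\aswMBR.exe
[2012/12/15 14:30:15 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe

========== Files Created - No Company Name ==========

[2012/12/15 17:12:03 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/12/15 14:30:15 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/12/14 12:50:53 | 001,164,119 | ---- | C] () -- C:\Documents and Settings\Ron (the merciful)\Desktop\ElfPDFStreamPublic.pdf

========== Custom Scans ==========

< [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] >

< [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC] >

< End of report >
"""


def run(text: str = SAMPLE_LOG) -> Tuple[List[Tuple[str, List[str]]], List[str]]:
    """Return (flagged file entries, custom-scan probes that came back empty)."""
    sections = split_sections(text)
    entries = []
    for name, lines in sections.items():
        if name.startswith("Files"):
            entries.extend(parse_entries(lines))
    probes = custom_scan_results(sections.get("Custom Scans", []))
    return flag_entries(entries), empty_probes(probes)


if __name__ == "__main__":
    flagged, missing = run()
    for path, reasons in flagged:
        print(f"{path}: {', '.join(reasons)}")
    for key in missing:
        print(f"nothing listed under {key}")
```

On the sample, the script flags aswMBR.exe only because it sits on the Desktop (it is the helper's own tool), cmldr for its hidden+system attributes, and PEV.exe for having no company name; it reports both custom-scan probes as empty, matching what the log above shows for the firewall StandardProfile and LEGACY_WSCSVC keys. Run it as `python otl_triage.py` with a saved OTL.txt piped in via `run(open("OTL.txt").read())`.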