Google Redirection problem; tutorial didn't work [Closed]


  • This topic is locked

#46
ron26
    Member
  • Topic Starter
  • 169 posts
I right clicked, clicked Merge, it asked me if I wanted to run it, clicked Yes, then I got a Registry Editor Error:

Error accessing the registry.

I clicked Okay and that was all that happened. Should I just reboot the computer and go to step 2? Or, is there something wrong with what I'm doing?
  • 0

#47
godawgs
    Teacher
  • Retired Staff
  • 8,228 posts
Let's try it another way.

Step-2.

OTL Fix

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

1. Please copy all of the text in the quote box below (Do Not copy the word Quote). To do this, highlight everything inside the quote box (except the word Quote), right click and click Copy.

:COMMANDS
[createrestorepoint]

:REG
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC\0000]
"Service"="wscsvc"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000020
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="Security Center"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC\0000\Control]
"ActiveService"="wscsvc"

:COMMANDS
[reboot]


Warning: This fix is relevant for this system and no other. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

2. Please re-open Posted Image on your desktop.
3. Place the mouse pointer inside the Posted Image textbox, right click and click Paste. This will put the above script inside the textbox.
4. Click the Posted Image button.
5. Let the program run unhindered.
6. OTL may ask to reboot the machine. Please do so if asked.
7. Click the Posted Image button.
8. A report will open. Copy and Paste that report in your next reply.
9. If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, (where mmddyyyy_hhmmss is the date of the tool run).

Step-2.

OTL Scan

1. Please copy the text in the Quote box below, (Do Not copy the word Quote), and paste it in the Posted Image box in OTL. To do that:
  • Highlight everything inside the quote box, (except the word Quote), right click the mouse and click Copy.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC


Please re-open OTL
  • Double click the Posted Image icon on your desktop.
  • You will see a console like the one below:

    Posted Image
  • At the top of the console click the greyed out None button <--- Very Important
  • Do Not click the box beside Include 64bit Scans
  • Make sure the Output box at the top is set to Standard Output
  • Click the Posted Image button. Do not change any settings unless otherwise told to do so.
  • Let the scan run uninterrupted.
  • When the scan completes, it will open OTL.Txt. This file is saved in the same location as OTL.
  • Please copy the contents of this file and paste it into your reply. To do that:
  • On the .txt file Menu Bar click Edit then click Select All. This will highlight the contents of the file. Then click Copy.
  • Right-click inside the forum post window then click Paste. This will paste the contents of the .txt file in the post window.

Step-3.

Things For Your Next Post:
Please post the logs in the order requested. Do Not attach the logs unless I request it.
1. The OTL.txt log
  • 0

#48
ron26
    Member
  • Topic Starter
  • 169 posts
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== REGISTRY ==========
Unable to set value : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC\\"NextInstance"|dword:00000001 /E!
Unable to set value : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC\0000\\"Service"|"wscsvc" /E!
Unable to set value : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC\0000\\"Legacy"|dword:00000001 /E!
Unable to set value : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC\0000\\"ConfigFlags"|dword:00000020 /E!
Unable to set value : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC\0000\\"Class"|"LegacyDriver" /E!
Unable to set value : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC\0000\\"ClassGUID"|"{8ECC055D-047F-11D1-A537-0000F8753ED1}" /E!
Unable to set value : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC\0000\\"DeviceDesc"|"Security Center" /E!
Unable to set value : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC\0000\Control\\"ActiveService"|"wscsvc" /E!
========== COMMANDS ==========

OTL by OldTimer - Version 3.2.69.0 log created on 12282012_173052
  • 0
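The OTL fix log above reports every registry write under the LEGACY_WSCSVC key as "Unable to set value". The following Python script is an added example, not code from this thread or from OTL, that parses that output format, decodes the .reg-style data fields, and finds the common parent key of all failed writes. The sample log is copied from the post above (a subset of the lines); the line format it assumes is the one visible in that post.

```python
import re
from collections import Counter

# Constructed sample: these lines are copied from the OTL fix log posted
# in this thread (post #48), trimmed to a representative subset.
OTL_FIX_LOG = r"""========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== REGISTRY ==========
Unable to set value : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC\\"NextInstance"|dword:00000001 /E!
Unable to set value : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC\0000\\"Service"|"wscsvc" /E!
Unable to set value : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC\0000\\"Legacy"|dword:00000001 /E!
Unable to set value : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC\0000\Control\\"ActiveService"|"wscsvc" /E!
========== COMMANDS ==========
"""

# One failed write, as OTL prints it:  <key>\\"<value name>"|<data> /E!
FAILED_WRITE = re.compile(
    r'^Unable to set value : (?P<key>.+?)\\\\"(?P<name>[^"]+)"\|(?P<data>.+?) /E!$'
)


def decode_data(raw):
    """Turn the .reg-style data field into a Python value."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    return raw  # unknown type: keep the literal text


def parse_failed_writes(log):
    """Return one dict per 'Unable to set value' line in the REGISTRY section."""
    failed = []
    in_registry = False
    for line in log.splitlines():
        if line.startswith("=========="):
            in_registry = "REGISTRY" in line
            continue
        if not in_registry:
            continue
        m = FAILED_WRITE.match(line)
        if m:
            failed.append({"key": m["key"], "name": m["name"],
                           "data": decode_data(m["data"])})
    return failed


def failures_per_key(log):
    """Count failed writes per registry key."""
    return Counter(item["key"] for item in parse_failed_writes(log))


def common_parent(keys):
    """Longest common registry path prefix (whole path segments only)."""
    parts = [k.split("\\") for k in keys]
    prefix = []
    for segs in zip(*parts):
        if len(set(segs)) != 1:
            break
        prefix.append(segs[0])
    return "\\".join(prefix)


if __name__ == "__main__":
    per_key = failures_per_key(OTL_FIX_LOG)
    for key, n in per_key.items():
        print(f"{n} failed write(s) under {key}")
    print("common parent of all failures:", common_parent(per_key))
```

When every write beneath one parent key fails and nothing else in the fix does, the pattern points at that key's ACL rather than at any single value, which is the conclusion the helper reaches a few posts later.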

#49
ron26
    Member
  • Topic Starter
  • 169 posts
OTL logfile created on: 12/28/2012 5:54:37 PM - Run 6
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Ron (the merciful)\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

509.98 Mb Total Physical Memory | 220.38 Mb Available Physical Memory | 43.21% Memory free
1.22 Gb Paging File | 0.80 Gb Available in Paging File | 65.92% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 70.65 Gb Total Space | 49.26 Gb Free Space | 69.72% Space Free | Partition Type: NTFS

Computer Name: RUSSO-DESKTOP | User Name: Ron (the merciful) | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

========== Custom Scans ==========

< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC >

< End of report >
  • 0

#50
godawgs
    Teacher
  • Retired Staff
  • 8,228 posts
Hi Ron,

I think we have a permissions issue with that registry key. Let's make sure that there aren't any residual malware files on the computer and then we will tackle the registry key.


Step-1.

Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware from Here or Here

Once downloaded, close all programs and browsers on your computer.

Double Click the mbam-setup.exe file to install the application.
  • When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings.
  • When the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan.
  • As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.

    NOTE: When the program loads, Decline the Malwarebytes' Anti-Malware Trial (You can activate this when we've finished, if you so wish)

    Posted Image
  • On the Scanner tab, make sure the Perform full scan option is selected and then click on the Scan button to start scanning your computer.
  • MBAM will now start scanning your computer for malware. This process can take quite a while, so I suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.

    Posted Image
  • When the scan is finished a message box will appear as shown in the image below.

    Posted Image
    You should click on the OK button to close the message box and continue with the removal process.
  • You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
  • A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

    Posted Image
  • Make sure that everything is checked EXCEPT items in System Restore, and click Remove Selected. <-- Very Important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

I would suggest that you keep this antimalware program. Run a Quick Scan frequently and a Full Scan every week or so. Update the definition files before running a scan. Click the Update tab and update from there.


Step-2.

Run ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

  • Please go here then click on: Posted Image

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow the Add-On/Active X to install.
  • Uncheck the box beside Remove Found Threats
  • Make sure that the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically. The scan may take several hours.
  • Wait for the scan to finish. Do not touch either the Mouse or keyboard during the scan. Otherwise it may stall.
When The Scan is Complete:

  • If No Threats Were Found:
    • Put a checkmark in "Uninstall application on close"
    • Close the program
    • Report to me that nothing was found
  • If Threats Were Found:
    • Click on "list of threats found"
    • Click on "export to text file" and save it to the desktop as ESET SCAN.txt
    • Click on Back
    • Put a checkmark in "Uninstall application on close" (Be sure you have saved the file first)
    • Click on Finish
    • Close the program
    • Copy and paste the report here
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


Step-3.

Run OTL again and click the Posted Image button. Post the log it produces in your next reply.


Step-4.

Things For Your Next Post:
Please post the logs in the order requested. Do Not attach the logs unless I request it.
1. The MalwareBytes log
2. The ESET log (IF it found anything)
3. The new OTL.txt log
  • 0

#51
ron26
    Member
  • Topic Starter
  • 169 posts
Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2012.12.30.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Ron (the merciful) :: RUSSO-DESKTOP [administrator]

12/30/2012 11:54:36 AM
MBAM-log-2012-12-30 (16-10-22).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 370779
Time elapsed: 4 hour(s), 8 minute(s), 51 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoSMHelp (PUM.Hijack.Help) -> Bad: (1) Good: (0) -> No action taken.

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\Administrator\My Documents\Downloads\Hewlett%20PackardDrivers.exe (PUP.Adware.Agent) -> No action taken.

(end)
  • 0

#52
ron26
    Member
  • Topic Starter
  • 169 posts
Hi godawgs,

I was only able to get through Step 1 today & need to leave. I should be back tomorrow but not positive with NYE and New Year's Day. Please don't close the thread yet though. I'll be back in touch once I've gotten the next steps done.

Thank you!

ron
  • 0

#53
godawgs
    Teacher
  • Retired Staff
  • 8,228 posts
I'm sorry, but you didn't remove the threats. You will need to run MalwareBytes again. When you get to this screen:

Posted Image

Make sure that everything is checked EXCEPT items in System Restore, and click Remove Selected. <-- Very Important

I will post complete instructions again if you need them.
Once you have re-run MalwareBytes, complete Steps 2,3 and 4 from post #50 and post the logs.
  • 0
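The helper spotted by eye that every detection in the earlier MBAM log ended in "No action taken", meaning the items were found but never removed. The following Python script is an added example, not code from this thread or from Malwarebytes, that makes the same check automatically: it parses the "... Detected: N" sections of an MBAM 1.x log, pulls out each detection's item, threat name and final action, and lists the ones that were left in place. The first sample is an excerpt of the log posted in this thread; the second is a constructed line showing what a removed item looks like.

```python
import re

# Constructed sample: an excerpt of the MBAM log posted in this thread
# (post #51), detection lines kept verbatim.
MBAM_LOG = r"""Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Scan type: Full scan (C:\|D:\|)

Registry Keys Detected: 0
(No malicious items detected)

Registry Data Items Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoSMHelp (PUM.Hijack.Help) -> Bad: (1) Good: (0) -> No action taken.

Files Detected: 1
C:\Documents and Settings\Administrator\My Documents\Downloads\Hewlett%20PackardDrivers.exe (PUP.Adware.Agent) -> No action taken.

(end)
"""

# Constructed sample of a log where the single finding was actually removed.
RESOLVED_LOG = r"""Files Detected: 1
C:\example\unwanted.exe (PUP.Example) -> Quarantined and deleted successfully.

(end)
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# "<item> (<threat>)" is the part before the first " -> "; the action is the last part.
HEAD_RE = re.compile(r"^(?P<item>.+) \((?P<threat>[^()]+)\)$")


def parse_detections(log):
    """Return a dict per detection line: section, item, threat, action."""
    section = None
    detections = []
    for line in log.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m["section"]
            continue
        if section is None or " -> " not in line:
            continue  # headers, blank lines, "(No malicious items detected)"
        head, *rest = line.split(" -> ")
        action = rest[-1].rstrip(".")
        h = HEAD_RE.match(head)
        if h:
            detections.append({"section": section, "item": h["item"],
                               "threat": h["threat"], "action": action})
    return detections


def unresolved(log):
    """Detections that MBAM reported but did not remove or quarantine."""
    return [d for d in parse_detections(log)
            if d["action"].lower().startswith("no action")]


def summary(log):
    found = parse_detections(log)
    left = unresolved(log)
    return {"detected": len(found), "unresolved": len(left),
            "clean": len(found) == 0}


if __name__ == "__main__":
    for name, log in (("posted log", MBAM_LOG), ("resolved sample", RESOLVED_LOG)):
        print(name, summary(log))
        for d in unresolved(log):
            print("  still present:", d["threat"], "->", d["item"])
```

A log whose summary shows detections but zero unresolved items is the "removed" state the helper was asking for; detections with unresolved equal to detected means the scan was run but Remove Selected was never clicked.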

#54
ron26
    Member
  • Topic Starter
  • 169 posts
Hmm, I thought I followed your instructions with Step 1 for Malwarebytes but I went ahead and ran it again. Here is the log, just finished running. No malicious items. I'll proceed with steps 2, 3, and 4.

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2012.12.30.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Ron (the merciful) :: RUSSO-DESKTOP [administrator]

1/2/2013 10:19:29 AM
mbam-log-2013-01-02 (10-19-29).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 371355
Time elapsed: 4 hour(s), 17 minute(s), 37 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
  • 0

#55
ron26
    Member
  • Topic Starter
  • 169 posts
C:\Qoobox\Quarantine\C\Program Files\Search Toolbar\SearchToolbarUpdater.exe.vir Win32/Toolbar.Zugo application
C:\System Volume Information\_restore{DA5C6AD2-EB94-49FA-B374-BA7DCEED8D06}\RP2\A0000002.dll Win32/Toolbar.Zugo application
C:\System Volume Information\_restore{DA5C6AD2-EB94-49FA-B374-BA7DCEED8D06}\RP2\A0000122.exe Win32/Toolbar.Zugo application
  • 0

#56
godawgs
    Teacher
  • Retired Staff
  • 8,228 posts
MBAM shows clean this time.

The items in the ESET log are in the Qoobox\Quarantine folder and a System Restore folder. They aren't doing any harm there and we will remove them when we clean up the tools we used. Please post the requested log from the OTL Quick Scan.
  • 0

#57
ron26
    Member
  • Topic Starter
  • 169 posts
OTL logfile created on: 1/2/2013 5:55:04 PM - Run 7
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Ron (the merciful)\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

509.98 Mb Total Physical Memory | 49.92 Mb Available Physical Memory | 9.79% Memory free
1.22 Gb Paging File | 0.62 Gb Available in Paging File | 50.45% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 70.65 Gb Total Space | 48.48 Gb Free Space | 68.62% Space Free | Partition Type: NTFS

Computer Name: RUSSO-DESKTOP | User Name: Ron (the merciful) | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/12/20 20:23:52 | 011,179,720 | ---- | M] (SugarSync, Inc.) -- C:\Program Files\SugarSync\SugarSyncManager.exe
PRC - [2012/12/12 16:03:24 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ron (the merciful)\Desktop\OTL.exe
PRC - [2012/11/08 16:58:24 | 016,070,136 | ---- | M] (Google) -- C:\Program Files\Google\Drive\googledrivesync.exe
PRC - [2012/09/21 15:12:00 | 000,331,776 | ---- | M] (LunarFrog.com) -- C:\Documents and Settings\Ron (the merciful)\Desktop\TaggedFrog_1.1\TaggedFrog.exe
PRC - [2012/09/12 17:25:22 | 000,020,472 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2012/09/12 17:19:44 | 000,947,176 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2012/08/26 23:21:12 | 026,924,984 | ---- | M] (Dropbox, Inc.) -- C:\Documents and Settings\Ron (the merciful)\Application Data\Dropbox\bin\Dropbox.exe
PRC - [2010/09/27 10:58:24 | 001,528,616 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2009/04/17 18:01:32 | 000,929,792 | ---- | M] (Realtek Semiconductor Corp.) -- C:\Program Files\REALTEK\11n USB Wireless LAN Utility\RtWLan.exe
PRC - [2008/04/13 22:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/12/15 02:07:44 | 000,176,128 | ---- | M] (HP) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
PRC - [2004/09/29 11:14:36 | 000,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe


========== Modules (No Company Name) ==========

MOD - [2013/01/02 10:15:52 | 000,096,256 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI34042\win32api.pyd
MOD - [2013/01/02 10:15:52 | 000,086,016 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI34042\_elementtree.pyd
MOD - [2013/01/02 10:15:52 | 000,040,448 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI34042\_socket.pyd
MOD - [2013/01/02 10:15:52 | 000,023,040 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI34042\win32ts.pyd
MOD - [2013/01/02 10:15:51 | 000,571,392 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI34042\pysqlite2._sqlite.pyd
MOD - [2013/01/02 10:15:51 | 000,263,168 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI34042\win32com.shell.shell.pyd
MOD - [2013/01/02 10:15:50 | 000,792,576 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI34042\wx._gdi_.pyd
MOD - [2013/01/02 10:15:50 | 000,070,656 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI34042\wx._html2.pyd
MOD - [2013/01/02 10:15:50 | 000,011,776 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI34042\win32crypt.pyd
MOD - [2013/01/02 10:15:49 | 001,024,024 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI34042\windows._cacheinvalidation.pyd
MOD - [2013/01/02 10:15:47 | 000,354,304 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI34042\pythoncom26.dll
MOD - [2013/01/02 10:15:47 | 000,073,728 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI34042\_ctypes.pyd
MOD - [2013/01/02 10:15:47 | 000,017,920 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI34042\win32profile.pyd
MOD - [2013/01/02 10:15:46 | 000,731,136 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI34042\wx._misc_.pyd
MOD - [2013/01/02 10:15:45 | 000,110,592 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI34042\win32security.pyd
MOD - [2013/01/02 10:15:45 | 000,110,592 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI34042\PyWinTypes26.dll
MOD - [2013/01/02 10:15:44 | 000,645,120 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI34042\_ssl.pyd
MOD - [2013/01/02 10:15:43 | 000,036,352 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI34042\win32process.pyd
MOD - [2013/01/02 10:15:43 | 000,022,528 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI34042\win32pdh.pyd
MOD - [2013/01/02 10:15:42 | 001,169,408 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI34042\wx._core_.pyd
MOD - [2013/01/02 10:15:41 | 000,311,808 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI34042\_hashlib.pyd
MOD - [2013/01/02 10:15:40 | 000,807,424 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI34042\wx._windows_.pyd
MOD - [2013/01/02 10:15:39 | 000,121,856 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI34042\wx._wizard.pyd
MOD - [2013/01/02 10:15:39 | 000,111,104 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI34042\win32file.pyd
MOD - [2013/01/02 10:15:38 | 000,039,424 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI34042\win32inet.pyd
MOD - [2013/01/02 10:15:24 | 001,056,256 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI34042\wx._controls_.pyd
MOD - [2013/01/02 10:15:23 | 000,017,920 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI34042\win32event.pyd
MOD - [2013/01/02 10:15:22 | 000,585,728 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI34042\unicodedata.pyd
MOD - [2013/01/02 10:15:22 | 000,153,088 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI34042\pyexpat.pyd
MOD - [2013/01/02 10:15:21 | 000,011,776 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Local Settings\temp\_MEI34042\select.pyd
MOD - [2010/09/27 11:03:08 | 000,201,512 | ---- | M] () -- C:\WINDOWS\system32\vpnapi.dll
MOD - [2009/08/01 08:19:33 | 000,962,560 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\a4c5647e14a60542bdc6db025820565e\System.Configuration.ni.dll
MOD - [2009/08/01 08:16:09 | 005,640,192 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\1ae45140aef4a04f97a89e9de9a5a150\System.Xml.ni.dll
MOD - [2009/08/01 08:15:57 | 013,107,200 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\ebb37c7195048f4db5fd159fe8a40b8e\System.Windows.Forms.ni.dll
MOD - [2009/08/01 08:15:31 | 001,626,112 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\e46253c941b1614fa7fb1936725a5029\System.Drawing.ni.dll
MOD - [2009/08/01 08:15:26 | 008,093,696 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\a1dc0e83bea70640a5173b104b3dd6c8\System.ni.dll
MOD - [2009/08/01 08:15:05 | 011,415,552 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\54365b3e4a73e1489c0e41df3600e683\mscorlib.ni.dll
MOD - [2009/04/03 15:32:10 | 000,110,592 | ---- | M] () -- C:\Program Files\REALTEK\11n USB Wireless LAN Utility\EnumDevLib.dll
MOD - [2007/07/12 10:11:54 | 001,163,264 | ---- | M] () -- C:\Program Files\REALTEK\11n USB Wireless LAN Utility\acAuth.dll


========== Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - File not found [Auto | Stopped] -- %SystemRoot%\System32\ersvc.dll -- (ERSvc)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\system32\clipsrv.exe -- (ClipSrv)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\system32\cisvc.exe -- (CiSvc)
SRV - [2012/12/12 11:35:08 | 000,250,808 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/12/10 15:14:00 | 000,115,168 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/09/12 17:25:22 | 000,020,472 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2010/11/30 23:42:12 | 000,036,352 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\OpenVPN\bin\openvpnserv.exe -- (OpenVPNService)
SRV - [2010/09/27 10:58:24 | 001,528,616 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2010/09/09 21:46:59 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2004/09/29 11:14:36 | 000,069,632 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - [2010/11/30 23:42:14 | 000,026,112 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tap0901.sys -- (tap0901)
DRV - [2010/09/27 10:56:00 | 000,308,859 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2009/04/17 09:44:46 | 000,574,080 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTL8192su.sys -- (RTL8192su)
DRV - [2008/11/16 17:39:44 | 000,131,984 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2007/11/14 18:05:16 | 000,394,952 | ---- | M] (Zone Labs, LLC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2007/01/18 19:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2004/09/17 07:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...Box&Form=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.dailytao.org/"
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:17.0.1
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_5_502_135.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll (DivX, Inc)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.7.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll File not found
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.7.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 17.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/12/10 15:14:01 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 17.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/12/10 15:13:48 | 000,000,000 | ---D | M]

[2012/09/21 15:07:11 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Ron (the merciful)\Application Data\Mozilla\Extensions
[2012/10/23 14:04:46 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Ron (the merciful)\Application Data\Mozilla\Firefox\Profiles\qdu253mj.default\extensions
[2012/12/10 15:13:39 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/12/10 15:14:00 | 000,262,112 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/09/05 20:26:22 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/10/23 09:37:56 | 000,002,058 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - homepage:
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}&sugkey={google:suggestAPIKeyParameter},
CHR - homepage:
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\23.0.1271.97\PepperFlash\pepflashplayer.dll
CHR - plugin: Chrome Remote Desktop Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\23.0.1271.97\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\23.0.1271.97\pdf.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: DivX Web Player (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npdivx32.dll
CHR - plugin: DivX Player Netscape Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll
CHR - plugin: Microsoft Office 2003 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\NPOFFICE.DLL
CHR - plugin: QuickTime Plug-in 7.6.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.6.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.6.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.6.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.6.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.6.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.6.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll
CHR - plugin: Java™ Platform SE 7 U7 (Enabled) = C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_5_502_135.dll
CHR - plugin: Java Deployment Toolkit 7.0.70.11 (Enabled) = C:\WINDOWS\system32\npDeployJava1.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll
CHR - Extension: Google Drive = C:\Documents and Settings\Ron (the merciful)\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0\
CHR - Extension: YouTube = C:\Documents and Settings\Ron (the merciful)\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Google Search = C:\Documents and Settings\Ron (the merciful)\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: Gmail = C:\Documents and Settings\Ron (the merciful)\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2012/12/15 17:41:56 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe (HP)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
O4 - HKCU..\Run: [GoogleDriveSync] C:\Program Files\Google\Drive\googledrivesync.exe (Google)
O4 - HKCU..\Run: [SugarSync] C:\Program Files\SugarSync\SugarSyncManager.exe (SugarSync, Inc.)
O4 - HKCU..\Run: [TaggedFrog] C:\Documents and Settings\Ron (the merciful)\Desktop\TaggedFrog_1.1\TaggedFrog.exe (LunarFrog.com)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\REALTEK 11n USB Wireless LAN Utility.lnk = C:\Program Files\REALTEK\11n USB Wireless LAN Utility\RtWLan.exe (Realtek Semiconductor Corp.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk = C:\WINDOWS\Installer\{1CE60928-8325-49A8-8B06-633E48DD2B67}\Icon3E5562ED7.ico ()
O4 - Startup: C:\Documents and Settings\Ron (the merciful)\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\Ron (the merciful)\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableStatusMessages = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: VerboseStatus = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoInternetOpenWith = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://windowsupdate...b?1348506400799 (WUWebControl Class)
O16 - DPF: {CAFEEFAC-0017-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_07)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7D114F58-451D-4319-BDEE-2E9108F2C8A0}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Ron (the merciful)\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Ron (the merciful)\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/07/01 22:43:35 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/01/02 15:17:21 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/12/30 16:27:12 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Ron (the merciful)\Recent
[2012/12/30 11:45:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ron (the merciful)\Application Data\Malwarebytes
[2012/12/30 11:35:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/12/30 11:34:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2012/12/30 11:34:43 | 000,021,104 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/12/30 11:34:42 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/12/20 19:16:26 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Ron (the merciful)\Desktop\OTL.exe
[2012/12/17 16:54:04 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2012/12/16 11:46:06 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/12/16 11:45:17 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/12/16 11:43:02 | 004,732,416 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Ron (the merciful)\Desktop\aswMBR.exe
[2012/12/16 11:39:03 | 005,010,912 | R--- | C] (Swearware) -- C:\Documents and Settings\Ron (the merciful)\Desktop\ComboFix.exe
[2012/12/15 17:47:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2012/12/15 17:41:24 | 000,000,000 | ---D | C] -- C:\Program Files\xerox
[2012/12/15 17:41:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\xircom
[2012/12/15 17:41:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\srchasst
[2012/12/15 17:41:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\oobe
[2012/12/15 17:41:23 | 000,000,000 | ---D | C] -- C:\Program Files\movie maker
[2012/12/15 17:41:22 | 000,000,000 | ---D | C] -- C:\Program Files\netmeeting
[2012/12/15 17:41:22 | 000,000,000 | ---D | C] -- C:\Program Files\msn gaming zone
[2012/12/15 17:41:22 | 000,000,000 | ---D | C] -- C:\WINDOWS\msagent
[2012/12/15 17:41:22 | 000,000,000 | ---D | C] -- C:\Program Files\microsoft frontpage
[2012/12/15 17:41:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\inetsrv
[2012/12/15 17:11:59 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/12/15 17:08:41 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Ron (the merciful)\My Documents\My Videos
[2012/12/15 17:08:40 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Ron (the merciful)\Start Menu\Programs\Administrative Tools
[2012/12/15 14:30:15 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/12/15 14:30:15 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/12/15 14:30:15 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/12/15 14:30:15 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/12/15 14:30:04 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/12/15 13:28:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2012/12/13 10:35:22 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Ron (the merciful)\My Documents\Google Drive
[2012/12/13 10:23:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Drive
[2012/12/13 10:05:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Chrome
[2012/12/13 09:57:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ron (the merciful)\Local Settings\Application Data\Google
[2012/12/12 13:56:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ron (the merciful)\Desktop\GooredFix Backups
[2012/12/12 12:59:08 | 000,000,000 | ---D | C] -- C:\_OTM
[2012/12/12 12:34:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/12/12 12:31:32 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2012/12/12 12:31:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2012/12/12 11:41:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ron (the merciful)\My Documents\Dissertation Files
[2012/12/10 17:02:02 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Ron (the merciful)\IECompatCache
[2012/12/10 15:13:38 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox

========== Files - Modified Within 30 Days ==========

[2013/01/02 17:33:03 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/01/02 17:10:12 | 000,000,366 | -H-- | M] () -- C:\WINDOWS\tasks\MpIdleTask.job
[2013/01/02 17:09:35 | 000,000,900 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/01/02 17:09:04 | 000,001,010 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-436374069-484061587-1606980848-500UA.job
[2013/01/02 16:10:16 | 000,000,896 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/01/02 16:09:02 | 000,000,958 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-436374069-484061587-1606980848-500Core.job
[2013/01/02 10:24:01 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2013/01/02 10:15:25 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
[2013/01/02 10:12:24 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/01/02 10:12:18 | 534,827,008 | -HS- | M] () -- C:\hiberfil.sys
[2013/01/02 07:57:07 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/12/30 11:35:01 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/12/20 20:21:49 | 000,000,740 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Desktop\Shortcut to FSS.exe.lnk
[2012/12/20 19:01:42 | 000,001,064 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Desktop\LegacyWSCSVCbak.reg
[2012/12/20 18:54:14 | 000,001,040 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Desktop\LEGACY_WSCSVC.reg
[2012/12/20 10:43:45 | 001,001,895 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Desktop\1968 files.csv
[2012/12/20 09:46:19 | 000,398,114 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/12/20 09:46:18 | 000,061,016 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/12/17 16:55:38 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2012/12/16 11:42:41 | 004,732,416 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Ron (the merciful)\Desktop\aswMBR.exe
[2012/12/15 17:41:56 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/12/15 17:12:05 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2012/12/15 14:16:52 | 005,010,912 | R--- | M] (Swearware) -- C:\Documents and Settings\Ron (the merciful)\Desktop\ComboFix.exe
[2012/12/14 16:49:28 | 000,021,104 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/12/14 14:07:47 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/12/14 12:51:01 | 001,164,119 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Desktop\ElfPDFStreamPublic.pdf
[2012/12/14 12:14:14 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2003 (2).lnk
[2012/12/13 10:35:55 | 000,001,487 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Desktop\Google Drive.lnk
[2012/12/13 10:08:20 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Desktop\Google Chrome.lnk
[2012/12/13 10:08:20 | 000,001,791 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/12/12 16:03:24 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ron (the merciful)\Desktop\OTL.exe
[2012/12/12 14:06:51 | 002,213,976 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Ron (the merciful)\Desktop\TDSSKiller.exe
[2012/12/12 12:31:34 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Desktop\NTREGOPT.lnk
[2012/12/12 12:31:34 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Desktop\ERUNT.lnk
[2012/12/07 09:12:09 | 000,000,800 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2012/12/06 16:12:39 | 000,000,534 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Desktop\Magic Briefcase.lnk

========== Files Created - No Company Name ==========

[2012/12/30 11:35:01 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/12/20 20:21:49 | 000,000,740 | ---- | C] () -- C:\Documents and Settings\Ron (the merciful)\Desktop\Shortcut to FSS.exe.lnk
[2012/12/20 19:01:42 | 000,001,064 | ---- | C] () -- C:\Documents and Settings\Ron (the merciful)\Desktop\LegacyWSCSVCbak.reg
[2012/12/20 18:54:13 | 000,001,040 | ---- | C] () -- C:\Documents and Settings\Ron (the merciful)\Desktop\LEGACY_WSCSVC.reg
[2012/12/20 10:43:45 | 001,001,895 | ---- | C] () -- C:\Documents and Settings\Ron (the merciful)\Desktop\1968 files.csv
[2012/12/17 17:04:57 | 000,000,384 | -H-- | C] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2012/12/17 17:04:57 | 000,000,366 | -H-- | C] () -- C:\WINDOWS\tasks\MpIdleTask.job
[2012/12/17 16:55:38 | 000,001,945 | ---- | C] () -- C:\WINDOWS\epplauncher.mif
[2012/12/17 16:54:49 | 000,001,698 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Security Essentials.lnk
[2012/12/15 17:12:05 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2012/12/15 17:12:03 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/12/15 14:30:15 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/12/15 14:30:15 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/12/15 14:30:15 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/12/15 14:30:15 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/12/15 14:30:15 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/12/14 12:50:53 | 001,164,119 | ---- | C] () -- C:\Documents and Settings\Ron (the merciful)\Desktop\ElfPDFStreamPublic.pdf
[2012/12/13 10:35:54 | 000,001,487 | ---- | C] () -- C:\Documents and Settings\Ron (the merciful)\Desktop\Google Drive.lnk
[2012/12/13 10:08:20 | 000,001,813 | ---- | C] () -- C:\Documents and Settings\Ron (the merciful)\Desktop\Google Chrome.lnk
[2012/12/13 10:08:20 | 000,001,791 | ---- | C] () -- C:\Documents and Settings\Ron (the merciful)\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/12/12 12:31:34 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\Ron (the merciful)\Desktop\NTREGOPT.lnk
[2012/12/12 12:31:34 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Ron (the merciful)\Desktop\ERUNT.lnk
[2012/12/07 09:12:15 | 000,000,788 | ---- | C] () -- C:\Documents and Settings\Ron (the merciful)\Start Menu\Programs\Windows Media Player.lnk
[2012/12/07 09:12:08 | 000,000,800 | ---- | C] () -- C:\Documents and Settings\Ron (the merciful)\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2012/09/24 12:46:21 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/09/24 11:39:42 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2011/03/16 14:19:03 | 000,068,964 | ---- | C] () -- C:\WINDOWS\hpoins05.dat
[2011/03/16 14:19:03 | 000,019,696 | ---- | C] () -- C:\WINDOWS\hpomdl05.dat

========== ZeroAccess Check ==========

[2009/08/01 08:14:07 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2009/04/26 18:41:42 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/04/26 18:41:31 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/13 22:42:10 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2012/07/11 09:31:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Applications
[2012/09/21 15:12:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LunarFrog
[2009/08/06 01:29:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[2009/08/06 01:05:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Research In Motion
[2011/06/12 09:23:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Rosetta Stone
[2009/07/02 15:39:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2013/01/02 10:17:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ron (the merciful)\Application Data\Dropbox

========== Purity Check ==========



< End of report >

#58
godawgs
    Teacher
  • Retired Staff
  • 8,228 posts
I don't see any malware remaining. Next we need to see if any programs need to be updated. Then we can clean up the tools used and work on the permissions issue :)

Step-1.

Run Security Check

Download Security Check from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Step-2.

Things For Your Next Post:
Please post the logs in the order requested. Do Not attach the logs unless I request it.
1. The Checkup.txt log

#59
ron26
    Member
  • Topic Starter
  • Member
  • 169 posts
Results of screen317's Security Check version 0.99.56
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
Please wait while WMIC compiles updated MOF files.
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.70.0.1100
Java 7 Update 7
Java version out of Date!
Adobe Flash Player 11.5.502.135
Adobe Reader 10.1.4 Adobe Reader out of Date!
Mozilla Firefox (17.0.1)
Google Chrome 23.0.1271.97
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 15% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

#60
godawgs
    Teacher
  • Retired Staff
  • 8,228 posts
Let's defragment the hard drive and update some programs.


Step-1.

Please go to this page for directions on defragmenting the computer.


Step-2.

UPDATE JAVA
Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older versions of Java components and update:

  • Please download JavaRa to your desktop.
    • Click the Download button next to Legacy Version 1.1.6 to download JavaRa and unzip it to its own folder.
  • Run JavaRa.exe
  • Pick the language of your choice and click Select. Then click Remove Older Versions. Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer. The most current version is Java SE 7u10.
    You want the Offline 32-bit version, Windows x86 Offline, 29.99 MB.
  • Click the link for the jre-7u10-windows-i586.exe file.

Step-3.

Update Adobe Reader

Earlier versions of Adobe Reader have known security flaws so it is recommended that you update your copy.
  • Go to Start > Control Panel > Add/Remove Programs
  • Remove ALL instances of Adobe Reader
  • Re-boot your computer as required.
  • Once ALL versions of Adobe Reader have been uninstalled, download the latest version of Adobe Reader from Here.
  • Remove the check mark next to Yes, install McAfee Security Scan Plus-optional box.
  • Click the Download Now button to download Adobe Reader and follow the directions.
Alternative Option: After uninstalling Adobe Reader, you could try installing Foxit Reader from HERE. Foxit Reader is a much smaller program. It has fewer add-ons and therefore loads more quickly.
NOTE: When installing FoxitReader, be careful not to install anything to do with AskBar.


Your logs look clean. Let's remove the tools we used and then we will look at the Security Center issue.

If you didn't uninstall ESET when you ran the program we will do it now.

Step-1.

Uninstall ESET

1. Please click Start > Control Panel > Add/Remove Programs
2. In the list of programs installed, locate the following program(s):

ESET

3. Click on each program to highlight it and click Change/Remove.
4. After the programs have been uninstalled, close the Installed Programs window and the Control Panel.
5. Reboot the computer.

Delete the folders associated with the uninstalled programs. (Only do this if you uninstalled the program.)

1. Using Windows Explorer (to get there, right-click your Start button and click "Explore"), please delete the following folder(s) (if present):

C:\Program Files\ESET

2. Close Windows Explorer.

Step-2.

Uninstall ComboFix
  • Click Start, then Run, or hold down the Windows key + R on your keyboard. This will display the Run dialogue box.
  • In the Run box, type in ComboFix /Uninstall (Notice the space between the "x" and "/") then click OK

  • Follow the prompts on the screen.
  • A message should appear confirming that ComboFix was uninstalled.
Step-3.

OTL Cleanup
1. Please copy all of the text in the Quote box below (Do Not copy the word Quote). To do this, highlight everything inside the Quote box (except the word Quote), right click and click Copy.
  • :COMMANDS
    [CLEARALLRESTOREPOINTS]
    [EMPTYTEMP]

  • Please re-open OTL on your desktop.
  • Place the mouse pointer inside the OTL Custom Scans/Fixes textbox, right click and click Paste. This will put the above script inside the textbox.
  • Click the Run Fix button.
  • Let the program run unhindered. When finished click the OK button and close the log that appears.
  • NOTE: I do not need to review the log produced.
  • OTL may ask to reboot the machine. Please do so if asked.
2. Please re-open OTL on your desktop.
  • Be sure all other programs are closed as this step will require a reboot.
  • Click on CleanUp.
  • You will be prompted to reboot your system. Please do so.
The above process will flush all old System Restore points and create a new clean one. It will also remove most/all of the tools used and logs created during the cleanup process. After it is finished, OTL will remove itself. This is so that if you are ever infected again you will download the most current copy of the tool.

Step-4.

Delete the following Files/Folders (if present):

MBR.txt
JavaRa-1.16-3-12-12.zip folder
JavaRa folder
jre-7u10-windows-i586.exe
scsvc.zip folder
wscsvc folder


Delete any other .bat, .log, .reg, .txt, and any other files created during this process, and left on the desktop and empty the Recycle Bin.

Step-5.

Reset Hidden Files and Folders

1. Click Start.
2. Open My Computer.
3. Select the Tools menu and click Folder Options.
4. Select the View tab.
5. Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
6. Click the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK.

Step-6.

Make a Fresh Restore Point, Clear the Old Restore Points, and Re-enable System Restore

The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files. (You will lose all previous restore points, which are likely to be infected, but that's good news.)

Note: Do not clear infected/old System Restore points before creating a new System Restore point first!

Windows XP
  • Click Start > All Programs > Accessories > System tools > System Restore. The System Restore Wizard opens.
  • Note: If the System Restore Wizard does not open, the System Restore feature may be turned off. To turn System Restore on, follow these steps:
  • Click Start, click Control Panel, and then double-click System.
  • Click the System Restore tab.
  • Make sure that the Turn off System Restore check box is not selected. Or, make sure that the Turn off System Restore on all drives check box is not selected.
  • Click OK.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE
  • Close System Restore
Turn OFF System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
    Restart your computer.
Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore.
  • Click Apply, and then click OK.
    System Restore will now be active again.

Let me know how this went. :)
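A scripted way to confirm the outcome of the steps above (old Java and Adobe Reader versions gone, the Security Center service that the Security Check log flagged, and the hidden-file settings from Step-5). This is an added verification example, not part of the thread and not from godawgs, OTL, JavaRa or Security Check; it assumes Windows PowerShell 2.0 or later is available on the 32-bit Windows XP machine discussed, and uses only the standard Add/Remove Programs, Explorer and Security Center locations in the registry and WMI.

```powershell
# Added post-cleanup verification script (not from the thread or any tool it mentions).
# Assumes Windows PowerShell 2.0+ on the 32-bit Windows XP SP3 machine discussed above.

# 1. Installed Java and Adobe Reader versions, read from the Add/Remove Programs list.
#    After JavaRa "Remove Older Versions" and the Adobe Reader reinstall, only the
#    current versions should remain here.
$uninstallKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
Get-ChildItem $uninstallKey |
    ForEach-Object { Get-ItemProperty $_.PSPath } |
    Where-Object { $_.DisplayName -match '^(Java|Adobe Reader)' } |
    Select-Object DisplayName, DisplayVersion, InstallDate |
    Sort-Object DisplayName |
    Format-Table -AutoSize

# 2. Security Center service (wscsvc). The Security Check log above reported it as
#    not running; a healthy XP SP3 box shows Status=Running and StartMode=Auto.
$svc = Get-Service -Name wscsvc -ErrorAction SilentlyContinue
if ($svc -eq $null) {
    Write-Host 'wscsvc: service not registered (service/LEGACY_WSCSVC keys still missing)'
} else {
    $wmi = Get-WmiObject Win32_Service -Filter "Name='wscsvc'"
    Write-Host ("wscsvc: Status={0} StartMode={1}" -f $svc.Status, $wmi.StartMode)
}

# 3. What Security Center itself has registered. On XP this lives in the
#    root\SecurityCenter WMI namespace, the same place Security Check looks for
#    its antivirus line; a failed query here explains "WMI entry may not exist".
try {
    $av = Get-WmiObject -Namespace 'root\SecurityCenter' -Class AntiVirusProduct -ErrorAction Stop
    if ($av) {
        $av | Select-Object displayName, onAccessScanningEnabled, productUptoDate | Format-Table -AutoSize
    } else {
        Write-Host 'No antivirus registered with Security Center'
    }
} catch {
    Write-Host ("root\SecurityCenter query failed: {0}" -f $_.Exception.Message)
}

# 4. Step-5 of the post: hidden and protected OS files should be hidden again.
#    Hidden = 2 means "Do not show hidden files and folders";
#    ShowSuperHidden = 0 means "Hide protected operating system files" is ticked.
$adv = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hiddenOk = ($adv.Hidden -eq 2) -and ($adv.ShowSuperHidden -eq 0)
Write-Host ("Explorer hidden-file settings reset: {0} (Hidden={1}, ShowSuperHidden={2})" -f `
    $hiddenOk, $adv.Hidden, $adv.ShowSuperHidden)
```

Run it from a PowerShell prompt as the same (administrator) user who did the cleanup; the Explorer settings in part 4 are per-user, so a different account would show its own values. If part 2 reports the service as not registered, that matches the "Windows Security Center service is not running!" line in the Security Check log and is the permissions/registry issue the thread has yet to resolve.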