Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Trojan.Packer found - Computer very slow [Solved]

Started by Racingal60 , Jul 18 2013 10:52 AM

  • This topic is locked This topic is locked

#31
Racingal60
Posted 29 July 2013 - 07:04 AM

Racingal60

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
Here you go:

OTL logfile created on: 7/29/2013 7:57:45 AM - Run 4
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Dawn\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.24 Gb Total Physical Memory | 2.61 Gb Available Physical Memory | 80.53% Memory free
6.32 Gb Paging File | 5.92 Gb Available in Paging File | 93.63% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.71 Gb Total Space | 319.89 Gb Free Space | 68.69% Space Free | Partition Type: NTFS
Drive S: | 465.72 Gb Total Space | 431.67 Gb Free Space | 92.69% Space Free | Partition Type: NTFS

Computer Name: GINA1 | User Name: Dawn | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/07/19 08:40:33 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dawn\Desktop\OTL (1).exe
PRC - [2013/04/05 03:53:30 | 000,121,600 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\IPROSetMonitor.exe
PRC - [2013/01/11 17:16:44 | 000,530,488 | ---- | M] (Gillware Data Services, LLC) -- C:\Program Files\Gillware Remote Backup\ArchiveService.exe
PRC - [2013/01/02 12:21:37 | 000,161,664 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe
PRC - [2010/08/05 20:11:44 | 001,885,488 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Smc.exe
PRC - [2010/08/05 20:05:52 | 001,459,568 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\SmcGui.exe
PRC - [2010/07/01 18:17:24 | 001,832,072 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2010/05/06 18:21:14 | 000,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2009/11/27 17:05:30 | 000,641,024 | ---- | M] (WinMagic Inc.) -- C:\Program Files\WinMagic\SecureDoc-NT\SDService.exe
PRC - [2008/10/04 14:58:04 | 000,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/11 18:50:16 | 000,030,312 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe


========== Modules (No Company Name) ==========

MOD - [2013/01/11 17:16:44 | 000,057,400 | ---- | M] () -- C:\Program Files\Gillware Remote Backup\zlib_gw.dll
MOD - [2013/01/11 17:16:34 | 000,031,800 | ---- | M] () -- C:\Program Files\Gillware Remote Backup\ArchiveTypesPS.dll
MOD - [2009/11/27 17:05:12 | 000,018,432 | ---- | M] () -- C:\WINDOWS\system32\SDXML.dll
MOD - [2009/11/27 17:05:02 | 000,527,360 | ---- | M] () -- C:\WINDOWS\system32\sdck.dll


========== Services (SafeList) ==========

SRV - [2013/07/11 14:46:38 | 000,257,416 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/04/05 03:53:30 | 000,121,600 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\WINDOWS\system32\IPROSetMonitor.exe -- (Intel®
SRV - [2013/01/11 17:16:44 | 000,530,488 | ---- | M] (Gillware Data Services, LLC) [Auto | Running] -- C:\Program Files\Gillware Remote Backup\ArchiveService.exe -- (ArchiveService)
SRV - [2013/01/02 12:21:37 | 000,161,664 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2011/10/31 09:55:49 | 000,013,160 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\615\g2aservice.exe -- (GoToAssist)
SRV - [2010/08/05 20:11:44 | 001,885,488 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Smc.exe -- (SmcService)
SRV - [2010/07/01 18:17:24 | 001,832,072 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2010/07/01 17:24:02 | 000,357,704 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Symantec AntiVirus\SNAC.EXE -- (SNAC)
SRV - [2010/05/06 18:21:14 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2010/05/06 18:21:14 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2010/02/17 11:53:18 | 003,093,880 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2009/11/27 17:05:30 | 000,641,024 | ---- | M] (WinMagic Inc.) [Auto | Running] -- C:\Program Files\WinMagic\SecureDoc-NT\SDService.exe -- (WinMagic SecureDoc Service)
SRV - [2008/10/04 14:58:04 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_DellSupportCenter)
SRV - [2008/01/11 18:50:16 | 000,030,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -- (BcmSqlStartupSvc)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\GINADO~1\LOCALS~1\Temp\_B0E3.tmp\FoxAwdWINFLASH.sys -- (FoxAwdWINFLASH)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Dawn\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2013/07/22 08:18:01 | 000,035,144 | ---- | M] () [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamchameleon.sys -- (mbamchameleon)
DRV - [2013/06/17 03:00:00 | 001,611,992 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20130721.020\NAVEX15.SYS -- (NAVEX15)
DRV - [2013/06/17 03:00:00 | 000,093,272 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20130721.020\NAVENG.SYS -- (NAVENG)
DRV - [2013/04/05 05:11:04 | 000,031,048 | ---- | M] (Intel Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\iqvw32.sys -- (NAL)
DRV - [2012/08/15 03:00:00 | 000,106,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2012/08/10 03:00:00 | 000,376,480 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2011/06/02 10:08:34 | 000,011,336 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\SystemRequirementsLab\cpudrv.sys -- (cpudrv)
DRV - [2011/02/21 10:09:38 | 000,125,488 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2010/03/08 13:59:14 | 000,320,944 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\srtspl.sys -- (SRTSPL)
DRV - [2010/03/08 13:59:14 | 000,283,184 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\srtsp.sys -- (SRTSP)
DRV - [2010/03/08 13:59:14 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srtspx.sys -- (SRTSPX)
DRV - [2009/12/18 16:42:12 | 000,421,424 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2009/11/18 16:07:12 | 000,179,200 | ---- | M] (WinMagic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\SDDisk2K.sys -- (SDDisk2K)
DRV - [2009/09/28 11:53:00 | 000,020,224 | ---- | M] (WinMagic, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\PinFile.sys -- (PinFile)
DRV - [2009/09/25 15:57:24 | 000,117,120 | ---- | M] (WinMagic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\SDDToki.sys -- (SDDToki)
DRV - [2009/09/25 15:57:24 | 000,075,520 | ---- | M] (WinMagic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\SDDVD.sys -- (SDDVD)
DRV - [2009/09/03 17:03:48 | 000,188,080 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\symtdi.sys -- (SYMTDI)
DRV - [2009/09/03 17:03:48 | 000,026,416 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\symredrv.sys -- (SYMREDRV)
DRV - [2009/03/05 14:03:34 | 000,016,512 | ---- | M] (WinMagic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\SDUPC.sys -- (SDUPC)
DRV - [2007/07/16 20:48:54 | 004,403,712 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1081208
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1081208
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1081208
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope =
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1081208
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-21-866049194-2568044671-1873219407-1011\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page =
IE - HKU\S-1-5-21-866049194-2568044671-1873219407-1011\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-866049194-2568044671-1873219407-1011\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-21-866049194-2568044671-1873219407-1011\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKU\S-1-5-21-866049194-2568044671-1873219407-1011\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKU\S-1-5-21-866049194-2568044671-1873219407-1011\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)



========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}{google:zeroPrefixUrl}sugkey={google:suggestAPIKeyParameter},
CHR - homepage: http://www.excite.com/
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\28.0.1500.72\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\28.0.1500.72\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\28.0.1500.72\gcswf32.dll
CHR - plugin: Wajam (Enabled) = C:\Documents and Settings\Dawn\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp\1.24_0\plugins/PriamNPAPI.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 7.0.0.147 (Enabled) = C:\Program Files\Java\jre7\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 7 (Enabled) = C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: YouTube = C:\Documents and Settings\Dawn\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0\
CHR - Extension: Google Search = C:\Documents and Settings\Dawn\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0\
CHR - Extension: Gmail = C:\Documents and Settings\Dawn\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2013/07/19 15:22:44 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-866049194-2568044671-1873219407-1011\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-866049194-2568044671-1873219407-1011\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-866049194-2568044671-1873219407-1011\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-866049194-2568044671-1873219407-1011\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F4D662B4-C5C2-4337-8824-C04913A6029F}: DhcpNameServer = 10.0.0.1
O18 - Protocol\Handler\sds {79E0F14C-9C52-4218-89A7-7C4B0563D121} - C:\Program Files\SHARP\Sharpdesk\ExplorerExtensions.dll (SHARP CORPORATION)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (SDocGina.dll) - C:\WINDOWS\System32\SDocGina.dll (Winmagic Inc.)
O20 - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files\Citrix\GoToAssist\615\G2AWinLogon.dll) - C:\Program Files\Citrix\GoToAssist\615\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O24 - Desktop WallPaper: C:\WINDOWS\dell.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\dell.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 18:15:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/07/26 12:41:31 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERUNT
[2013/07/26 12:40:57 | 000,561,140 | ---- | C] (Oleg N. Scherbakov) -- C:\Documents and Settings\Dawn\Desktop\JRT.exe
[2013/07/26 12:19:59 | 000,000,000 | ---D | C] -- C:\_OTL
[2013/07/25 13:28:24 | 000,147,456 | ---- | C] (Eric_71) -- C:\Documents and Settings\Dawn\Desktop\MbrScan.exe
[2013/07/24 12:35:22 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2013/07/23 18:49:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2013/07/23 16:21:55 | 005,092,552 | R--- | C] (Swearware) -- C:\Documents and Settings\Dawn\Desktop\ComboFix.exe
[2013/07/22 11:57:48 | 004,745,728 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Dawn\Desktop\aswMBR.exe
[2013/07/19 15:14:47 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2013/07/19 15:11:18 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2013/07/19 15:11:18 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2013/07/19 15:11:18 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2013/07/19 15:11:18 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2013/07/19 14:56:25 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013/07/19 14:56:20 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Dawn\Start Menu\Programs\Administrative Tools
[2013/07/19 14:24:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
[2013/07/19 14:11:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dawn\Local Settings\Application Data\CRE
[2013/07/19 08:40:32 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Dawn\Desktop\OTL (1).exe
[2013/07/19 08:21:52 | 002,237,968 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Dawn\Desktop\tdsskiller.exe
[2013/07/19 03:00:47 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\MRT
[2013/07/18 13:51:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dawn\Desktop\RK_Quarantine
[2013/07/18 11:01:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Chrome
[2013/07/18 08:36:07 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Dawn\Recent
[2013/07/17 13:43:29 | 000,000,000 | ---D | C] -- C:\Program Files\SystemRequirementsLab
[2013/07/17 13:43:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dawn\Application Data\SystemRequirementsLab
[2013/07/17 11:32:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dawn\Local Settings\Application Data\Deployment
[2013/07/17 11:32:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\QuickTime
[2013/07/17 11:31:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2013/07/17 11:30:45 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2013/07/17 08:10:18 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2013/07/16 13:16:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dawn\My Documents\temp

========== Files - Modified Within 30 Days ==========

[2013/07/29 07:34:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/07/29 07:05:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/07/29 02:00:00 | 000,000,390 | ---- | M] () -- C:\WINDOWS\tasks\Gillware Remote Backup - DefaultCritical.job
[2013/07/28 18:30:00 | 000,000,382 | ---- | M] () -- C:\WINDOWS\tasks\Gillware Remote Backup - DefaultHigh.job
[2013/07/28 18:15:00 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\Gillware Remote Backup - DefaultMedium.job
[2013/07/28 15:13:00 | 000,000,308 | ---- | M] () -- C:\WINDOWS\tasks\Gillware Remote Backup - Remote Backup Updater.job
[2013/07/28 15:04:00 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\Gillware Remote Backup - Upload Event Log.job
[2013/07/28 11:05:00 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/07/26 12:47:13 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/07/26 12:46:16 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/07/26 12:46:13 | 3478,274,048 | -HS- | M] () -- C:\hiberfil.sys
[2013/07/26 12:40:58 | 000,561,140 | ---- | M] (Oleg N. Scherbakov) -- C:\Documents and Settings\Dawn\Desktop\JRT.exe
[2013/07/26 12:16:05 | 000,005,031 | ---- | M] () -- C:\WINDOWS\wcds.ini
[2013/07/25 23:04:00 | 000,000,272 | ---- | M] () -- C:\WINDOWS\tasks\Gillware Remote Backup - Audit.job
[2013/07/25 13:29:31 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Dawn\Desktop\Dump_Hdd0_DR0.old
[2013/07/25 13:29:31 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Dawn\Desktop\Dump_Hdd0_DR0.mbr
[2013/07/25 13:28:25 | 000,147,456 | ---- | M] (Eric_71) -- C:\Documents and Settings\Dawn\Desktop\MbrScan.exe
[2013/07/24 14:55:04 | 000,000,120 | ---- | M] () -- C:\WINDOWS\QUICKEN.INI
[2013/07/24 14:11:38 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\Dawn\Desktop\Microsoft Office Excel 2007.lnk
[2013/07/24 08:55:23 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\Dawn\Desktop\Microsoft Office Word 2007.lnk
[2013/07/24 07:52:22 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Dawn\Desktop\MBR.dat
[2013/07/23 18:49:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2013/07/23 18:45:03 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\Gillware Remote Backup - DefaultLow.job
[2013/07/23 16:23:58 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Dawn\Desktop\MBRCheck_MBR_Backup_07-23-13_16-23-58.bak
[2013/07/23 16:22:02 | 005,092,552 | R--- | M] (Swearware) -- C:\Documents and Settings\Dawn\Desktop\ComboFix.exe
[2013/07/23 11:44:20 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Dawn\Desktop\MBRCheck.exe
[2013/07/22 12:02:35 | 004,745,728 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Dawn\Desktop\aswMBR.exe
[2013/07/22 08:56:16 | 000,666,633 | ---- | M] () -- C:\Documents and Settings\Dawn\Desktop\adwcleaner.exe
[2013/07/22 08:18:01 | 000,035,144 | ---- | M] () -- C:\WINDOWS\System32\drivers\mbamchameleon.sys
[2013/07/19 15:22:44 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2013/07/19 15:14:54 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2013/07/19 14:13:35 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\TempWmicBatchFile.bat
[2013/07/19 14:12:11 | 013,399,154 | ---- | M] () -- C:\Documents and Settings\Dawn\Desktop\mbar-1.06.0.1004.zip
[2013/07/19 08:40:33 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dawn\Desktop\OTL (1).exe
[2013/07/19 08:35:32 | 000,001,864 | ---- | M] () -- C:\Documents and Settings\Dawn\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2013/07/19 08:21:58 | 002,237,968 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Dawn\Desktop\tdsskiller.exe
[2013/07/18 13:51:01 | 000,915,968 | ---- | M] () -- C:\Documents and Settings\Dawn\Desktop\RogueKiller (1).exe
[2013/07/18 11:01:15 | 000,001,846 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2013/07/18 10:28:56 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2013/07/18 08:29:02 | 000,000,817 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2013/07/17 08:10:40 | 000,001,637 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2013/07/12 09:28:24 | 000,002,483 | ---- | M] () -- C:\Documents and Settings\Dawn\Desktop\Microsoft Office PowerPoint 2007.lnk
[2013/07/11 14:46:33 | 000,692,104 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2013/07/11 14:46:32 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2013/07/11 07:54:37 | 000,269,392 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/07/10 16:55:05 | 000,599,624 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/07/10 16:55:05 | 000,121,790 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013/07/10 14:57:02 | 000,000,833 | ---- | M] () -- C:\Documents and Settings\Dawn\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2013/07/10 14:57:02 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Dawn\Desktop\Windows Media Player.lnk

========== Files Created - No Company Name ==========

[2013/07/25 13:28:48 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Dawn\Desktop\Dump_Hdd0_DR0.old
[2013/07/25 13:28:48 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Dawn\Desktop\Dump_Hdd0_DR0.mbr
[2013/07/23 16:23:58 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Dawn\Desktop\MBRCheck_MBR_Backup_07-23-13_16-23-58.bak
[2013/07/23 11:44:20 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\Dawn\Desktop\MBRCheck.exe
[2013/07/22 13:28:21 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Dawn\Desktop\MBR.dat
[2013/07/22 08:56:15 | 000,666,633 | ---- | C] () -- C:\Documents and Settings\Dawn\Desktop\adwcleaner.exe
[2013/07/22 08:18:01 | 000,035,144 | ---- | C] () -- C:\WINDOWS\System32\drivers\mbamchameleon.sys
[2013/07/19 15:14:54 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2013/07/19 15:14:50 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2013/07/19 15:11:18 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2013/07/19 15:11:18 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2013/07/19 15:11:18 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2013/07/19 15:11:18 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2013/07/19 15:11:18 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2013/07/19 14:12:06 | 013,399,154 | ---- | C] () -- C:\Documents and Settings\Dawn\Desktop\mbar-1.06.0.1004.zip
[2013/07/18 13:51:00 | 000,915,968 | ---- | C] () -- C:\Documents and Settings\Dawn\Desktop\RogueKiller (1).exe
[2013/07/18 11:01:15 | 000,001,846 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2013/07/18 11:00:16 | 000,000,882 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/07/18 11:00:15 | 000,000,878 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/07/17 13:46:34 | 000,001,904 | ---- | C] () -- C:\WINDOWS\System32\SetupBD.din
[2013/07/17 08:10:40 | 000,001,637 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2013/07/10 14:57:02 | 000,000,833 | ---- | C] () -- C:\Documents and Settings\Dawn\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2013/04/03 12:52:36 | 000,004,608 | ---- | C] () -- C:\Documents and Settings\Dawn\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2013/03/27 08:01:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\BackupServiceFormView.INI
[2013/03/25 08:59:52 | 000,000,120 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2012/10/10 12:17:07 | 000,000,027 | ---- | C] () -- C:\WINDOWS\FTSL.INI
[2012/02/15 19:05:04 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/09/22 16:28:01 | 000,000,049 | ---- | C] () -- C:\WINDOWS\entpack.ini
[2011/09/15 12:52:11 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/02/06 11:56:26 | 000,000,278 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.351.32.bc

========== ZeroAccess Check ==========

[2004/08/11 18:21:56 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/13 19:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 07:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/13 19:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2009/01/21 15:10:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\New York Life
[2009/03/10 17:00:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Citrix
[2013/06/04 12:12:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2012/07/11 07:57:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GFI Software
[2009/01/21 15:10:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\New York Life
[2008/12/07 22:58:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC-Doctor
[2008/12/07 22:58:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCDr
[2013/02/13 13:39:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RICOH
[2010/01/14 12:24:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sharp
[2010/01/14 12:29:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sharpdesk
[2008/12/07 22:58:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2008/12/07 22:55:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Uninstall
[2010/09/21 12:04:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2013/07/16 07:58:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dawn\Application Data\Enpiqu
[2009/01/21 15:10:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dawn\Application Data\New York Life
[2013/07/17 13:43:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dawn\Application Data\SystemRequirementsLab
[2013/04/01 11:16:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dawn\Application Data\Windows Search
[2009/01/21 15:10:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\New York Life
[2011/12/08 11:27:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gina Dorr\Application Data\Catalina Marketing Corp
[2009/02/17 14:57:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gina Dorr\Application Data\Centra
[2009/07/31 11:31:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gina Dorr\Application Data\eRoom
[2009/01/21 15:10:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gina Dorr\Application Data\New York Life
[2010/10/08 09:56:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gina Dorr\Application Data\Saba
[2009/01/22 16:18:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gina Dorr\Application Data\Sharpdesk
[2009/01/21 13:08:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gina Dorr\Application Data\Windows Desktop Search
[2009/01/21 13:09:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gina Dorr\Application Data\Windows Search
[2012/06/04 09:14:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Ad-Aware Antivirus
[2009/01/21 15:10:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\New York Life
[2009/01/21 15:10:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\New York Life

========== Purity Check ==========



< End of report >

Let me know what else you would like me to run! :)

Thanks!
Roxie
  • 0

Advertisements

#32
godawgs
Posted 29 July 2013 - 10:01 AM

godawgs

    Teacher

  • Retired Staff
  • 8,228 posts
Thanks,

The Conduit search and browser hijack entries are gone. Whitesmoke is hiding itself pretty good. Sometimes it installs in the Chrome extensions so we will look there. It looks like the AVG is coming from the Excite.com homepage that the Chrome browser has been set to.

Deleted [l.3108] : urls_to_restore_on_startup = [ "hxxp://www.excite.com/", "hxxp://mysearch.avg.com/?cid={E220B[...]

AdwCleaner removed it but since the Chrome homepage is set to Excite.com it always loads up when the browser is opened.
Did you change the Chrome home page to Excite.com?

Let's troubleshoot some Chrome settings and see if we can find the nasties.


Step-1.

Chrome search engine and other settings taken over by an unwanted program

Please go to the Chrome support page here and follow the directions under the Solutions section for the following:

  • Chrome no longer returns results from your preferred search engine (e.g., Google.com)
  • Chrome always starts up with extra tabs or pages that you don't recognize.
  • You see a different home page when you click the Home button.
  • When you try to navigate to any webpage, a different webpage appears.
If this found and resolved the Whitesomke and AVG issues let me know. If it didn't work our next course of action would be to reset Chrome back to it's default settings. If you were able to find Wajam and remove it let me know. If you didn't we can manually do another OTL fix to remove the Wajam entry.

I want you to disable any Screen Saver you might have running before Steps 2 and 3.


Step-2.

Posted ImageMalwarebytes' Anti-Malware

Close all programs and browsers on your computer and disable any screen saver you might have running.

  • Double Click the MalwareBytes icon on the desktop. When the program opens you will be at the main program as shown below.

    Posted Image
  • Click the Update tab and update the program if required.
  • Click the Scanner tab, make sure the the Perform full scan option is selected and then click on the Scan button to start scanning your computer.
    MBAM will now start scanning your computer for malware. This process can take quite a while, so I suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.

    Posted Image
  • When the scan is finished a message box will appear as shown in the image below.

    Posted Image

    You should click on the OK button to close the message box and continue with the removal process.
  • You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
  • A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

    Posted Image
  • Make sure that everything is checked EXCEPT items in System Restore (see the image below), and click Remove Selected<---Very Important.

    Posted Image
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

I would suggest that you keep this antimalware program. Run a Quick Scan frequently and a Full Scan every week or so. Update the definition files before running a scan. Click the Update tab and update from there.


Step-3.

Run ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista / 7 users: You will need to to right-click on the either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
  • Please go here then click on: Posted Image

    Note: If using Mozilla Firefox you will need to download the ESET Smart Installer. Click on esetsmartinstaller_enu.exe to download the Smart Installer. Save it to the desktop.
    When prompted double click on the Posted Image icon on the desktop.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow the Add-On/Active X to install.
  • Uncheck the box beside Remove Found Threats
  • Make sure that the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically. The scan may take several hours.
  • Wait for the scan to finish. Do not touch either the Mouse or keyboard during the scan. Otherwise it may stall.
When The Scan is Complete:

  • If No Threats Were Found:
    • Put a checkmark in "Uninstall application on close"
    • Close the program
    • Report to me that nothing was found
  • If Threats Were Found:
    • Click on "list of threats found"
    • Click on "export to text file" and save it to the desktop as ESET SCAN.txt
    • Click on Back
    • Put a checkmark in "Uninstall application on close" (Be sure you have saved the file first)
    • Click on Finish
    • Close the program
    • Copy and paste the report here
Note: Do not forget to re-enable your Anti-Virus application after running the above scan! You can also re-enable your Screen Saver now.


Step-4.

Things For Your Next Post:
Please post the logs in the order requested. Do Not attach the logs unless I request it.
1. Please answer my question about changing the homepage to Excite
2. Let me know if the Chrome troubleshooting steps found Whitesmoke or Wajam
3. The MalwareBytes log
4. The ESET online scan log (IF it found anything.) IF it didn't just let me know.
  • 0

#33
Racingal60
Posted 29 July 2013 - 03:10 PM

Racingal60

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
OK - first off yes, she changed her home page to "excite.com". Do you want me to change it to something else?

I was able to remove the extra tabs for both AVG and Whitesmokenew from opening when I began Chrome. However, when I tried to remove like and extension or whatever, it was NOT there.

I just finished the MBAM results and here is the log from there:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.07.29.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Dawn :: GINA1 [administrator]

7/29/2013 11:36:42 AM
mbam-log-2013-07-29 (11-36-42).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 590204
Time elapsed: 4 hour(s), 27 minute(s), 9 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110211621178} (PUP.Optional.Crossrider) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 6
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1704\A0200268.exe (Malware.Packer.EPGen) -> No action taken.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1704\A0200272.dll (Trojan.Medfos.RRE) -> No action taken.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1704\A0200273.dll (Trojan.Medfos) -> No action taken.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1710\A0203419.exe (Trojan.Packer) -> No action taken.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1710\A0203420.exe (Trojan.Packer) -> No action taken.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1712\A0205446.dll (PUP.Optional.Wajam) -> No action taken.

(end)

There were 7 things found - but I unchecked all of those in restore as you asked me to. :)

I will now run the ESET Online Scanner and will post that next.

Thanks again!
Roxie
  • 0

#34
godawgs
Posted 29 July 2013 - 11:42 PM

godawgs

    Teacher

  • Retired Staff
  • 8,228 posts

Thanks again!

You are welcome.

...she changed her home page to "excite.com". Do you want me to change it to something else?

That is up to her. I was just letting you know that according to the AdwCleaner log the Excite homepage is what is adding AVG to a new tab when the Chrome browser is opened.

I was able to remove the extra tabs for both AVG and Whitesmokenew from opening when I began Chrome.

Did you do that using the support page at Google or did you resolve it in another way?

However, when I tried to remove like and extension or whatever, it was NOT there.

Could you clarify that please? I didn't understand it.

There were 7 things found - but I unchecked all of those in restore as you asked me to.

We'll clear the system restore files when we clean up. In the mean time those files are quarantined and can't do any harm as long as those restore points aren't used.

I'll be waiting for the ESET scan results.
  • 0

#35
Racingal60
Posted 30 July 2013 - 07:01 AM

Racingal60

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
OK - sorry about the vague answer....I wasn't sure what to call it. Yes, I was able to delete those pages from the support section you gave me on google. One of the help sections on the Google page was "Chrome no longer returns results from your preferred search engine - that told me how to delete extensions and neither of these were in there. So the second one "Chrome always starts up with extra tabs or pages that you don't recognize...helped me remove it. That is what I meant y the "Like and extension or whatever." SORRY!

Here is the ESET Scan file:

C:\Documents and Settings\Dawn\My Documents\Downloads\PDFWriterSetup (1).exe a variant of Win32/InstallCore.BQ application
C:\Documents and Settings\Dawn\My Documents\Downloads\PDFWriterSetup.exe a variant of Win32/InstallCore.BQ application
C:\Documents and Settings\Dawn\My Documents\Downloads\ZipOpenerSetup.exe Win32/InstallCore.BN application
C:\Documents and Settings\Dawn\My Documents\My Download Files\free-file-viewer.exe a variant of Win32/InstallIQ application
C:\Documents and Settings\Dawn\My Documents\My Download Files\Google_Chrome_Setup.exe a variant of Win32/Adware.iBryte.G application
C:\Documents and Settings\Dawn May 2012 Restore\My Documents\My Download Files\free-file-viewer.exe a variant of Win32/InstallIQ application
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1662\A0195921.exe a variant of Win32/InstallCore.AZ application
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1662\A0196008.exe a variant of Win32/InstallCore.A application
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1662\A0196025.exe Win32/DownWare.E application
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1704\A0200268.exe a variant of Win32/Kryptik.BFVY trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1704\A0200272.dll a variant of Win32/Medfos.SO trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1704\A0200273.dll a variant of Win32/Medfos.SO trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1710\A0203419.exe a variant of Win32/Kryptik.BGKW trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1710\A0203420.exe a variant of Win32/Kryptik.BGKW trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1712\A0205440.dll a variant of Win32/Toolbar.CrossRider.A application
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1712\A0205444.exe multiple threats
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1712\A0205446.dll Win32/Wajam.A application
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1712\A0205448.exe Win32/Wajam.A application
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1716\A0205921.dll Win32/24x7Help.A application
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1716\A0205931.exe a variant of Win32/Adware.iBryte.G application

I will wait for your next update to do anymore! Thanks again for all your help!

Roxie
  • 0

#36
godawgs
Posted 30 July 2013 - 09:16 AM

godawgs

    Teacher

  • Retired Staff
  • 8,228 posts
Thanks for the clarification. The ESET scan found set up files in the Downloads folder that come bundled with unwanted toolbars and adware and that's why they were flagged. It also found the malicious files in the system restore points that MBAM found.
As for the programs that come bundled with toolbars, adware and other potentially unwanted programs: most free programs now come bundled with unwanted programs like toolbars that contain adware. Unfortunately it's how they can remain "free". But you don't have to install them when you install the program you downloaded. When the installation begins you will be presented with a list of the bundled programs that have a check mark in the box beside them for inclusion in the set up. Just uncheck the boxes beside bundled programs, like the Ask toolbar, or the Bing bar, or the McAfee Security Scan, etc; and they won't be installed. On some installations these bundled programs don't show on the "Default Installation" page. But there should be an option for "Custom Installation" and if you click it the bundled programs should show up there and you can remove the check marks so they don't install.
Most of these programs aren't malicious but do contain adware and some will hijack the browser's home page and default search engine, as you have seen.
But a lot of the programs like the ones in the system restore points are malicious i.e; a variant of Win32/Kryptik.BFVY trojan, a variant of Win32/Medfos.SO trojan, a variant of Win32/Toolbar.CrossRider.A application, Win32/Wajam.A application. That is why we will be clearing all of the old system restore point during the cleanup process.

I an gonna do one more OTL fix to remove the set up files in the Downloads folder and the Wajam extension in Chrome. Then we are gonna check for any programs that should be updated. After that is done, if no issues remain, we will be ready to clean up our tools and I will give you some suggestions for keeping the computer more secure.


Step-1.

Posted Image OTL Fix

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

1. Please copy all of the text in the quote box below (Do Not copy the word Quote. To do this, highlight everything
inside the quote box (except the word Quote) , right click and click Copy.

[:COMMANDS
[createrestorepoint]

:FILES
C:\Documents and Settings\Dawn\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp
C:\Documents and Settings\Dawn\My Documents\Downloads\PDFWriterSetup (1).exe
C:\Documents and Settings\Dawn\My Documents\Downloads\PDFWriterSetup.exe
C:\Documents and Settings\Dawn\My Documents\Downloads\ZipOpenerSetup.exe
C:\Documents and Settings\Dawn\My Documents\My Download Files\free-file-viewer.exe
C:\Documents and Settings\Dawn\My Documents\My Download Files\Google_Chrome_Setup.exe
C:\Documents and Settings\Dawn May 2012 Restore\My Documents\My Download Files\free-file-viewer.exe

:COMMANDS
[emptytemp]


Warning: This fix is relevant for this system and no other. If you are not this user, DO NOT follow these directions as they could damage the workings of your system.

2. Please re-open Posted Image on your desktop. To do that:
  • XP users: Double click the icon.
3. Place the mouse pointer inside the Posted Image textbox, right click and click Paste. This will put the above script inside the textbox.
4. Click the Posted Image button.
5. Let the program run unhindered.
6. OTL may ask to reboot the machine. Please do so if asked.
7. Click the Posted Image button.
8. A report will open. Copy and Paste that report in your next reply.
9. If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, (where mmddyyyy_hhmmss is the date of the tool run).


Step-2.

Run Security Check

Download Security Check from here or here and save it to the Desktop.
  • Double click the SecurityCheck icon Posted Image to run the application.
  • Follow the onscreen instructions inside of the black box.

    Posted Image
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Step-3.

Things For Your Next Post:
Please post the logs in the order requested. Do Not attach the logs unless I request it.
1. The OTL fixes log
2. The checkup.txt log
3. Tell me if any other issues remain.
  • 0

#37
Racingal60
Posted 30 July 2013 - 10:39 AM

Racingal60

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
OK - here you go:

OTL Log:

All processes killed
Error: Unable to interpret <[:COMMANDS> in the current context!
Error: Unable to interpret <[createrestorepoint]> in the current context!
========== FILES ==========
File\Folder C:\Documents and Settings\Dawn\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp not found.
C:\Documents and Settings\Dawn\My Documents\Downloads\PDFWriterSetup (1).exe moved successfully.
C:\Documents and Settings\Dawn\My Documents\Downloads\PDFWriterSetup.exe moved successfully.
C:\Documents and Settings\Dawn\My Documents\Downloads\ZipOpenerSetup.exe moved successfully.
C:\Documents and Settings\Dawn\My Documents\My Download Files\free-file-viewer.exe moved successfully.
C:\Documents and Settings\Dawn\My Documents\My Download Files\Google_Chrome_Setup.exe moved successfully.
C:\Documents and Settings\Dawn May 2012 Restore\My Documents\My Download Files\free-file-viewer.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Dawn
->Temp folder emptied: 1568022 bytes
->Temporary Internet Files folder emptied: 19897770 bytes
->Google Chrome cache emptied: 141770063 bytes
->Flash cache emptied: 598 bytes

User: Dawn May 2012 Restore

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Gina Dorr
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 717 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 75938 bytes

Total Files Cleaned = 156.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 07302013_113019

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

Security Check log:

Results of screen317's Security Check version 0.99.71
Windows XP x86
Out of date service pack!!
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Please wait while WMIC compiles updated MOF files.d
i
s
p
l
a
y
N
a
m
e
ECHO is off.
S
y
m
a
n
t
e
c
ECHO is off.
E
n
d
p
o
i
n
t
ECHO is off.
P
r
o
t
e
c
t
i
o
n
ECHO is off.
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Ad-Aware
Malwarebytes Anti-Malware version 1.75.0.1300
CCleaner
Java™ 7
Java version out of Date!
Adobe Reader 10.1.7 Adobe Reader out of Date!
Google Chrome 28.0.1500.72
````````Process Check: objlist.exe by Laurent````````
Norton ccSvcHst.exe
Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
Symantec AntiVirus Smc.exe
Symantec AntiVirus Rtvscan.exe
Symantec AntiVirus SmcGui.exe
Microsoft Small Business Business Contact Manager BcmSqlStartupSvc.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: %
````````````````````End of Log``````````````````````


The computer seems to be running better. It is much faster and I do not get the tabs when I open chrome. How does it look to you? :)

Roxie
  • 0

#38
godawgs
Posted 30 July 2013 - 12:15 PM

godawgs

    Teacher

  • Retired Staff
  • 8,228 posts
It looks good. I am going to give you some directions for updating programs that are know for security vulnerabilities. Then we will clean up the tools used and wrap this puppy up :thumbsup:
SecurityCheck is giving a false positive on the Windows Service Pack. It says the Service Pack is out of date but clearly you have the latest SP for XP installed.

Posted Image JAVA Advice
WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article and this article.
I would recommend that you completely uninstall Java unless you need it to run an important software or need it to play games on-line.
In that instance I would recommend that you only use Firefox or Chrome to visit those sites and do the following:If you still want to update your Java, follow the instructions below:

A.
Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older versions of Java components and update:

  • Download the latest version of the Java Runtime Environment (JRE) Version from Here or Here and save it to your desktop.
  • Look for "Java Platform, Standard Edition". You will see the current Java version and update number under listed under the heading. Example: The newest update is Java SE 7u25
  • Click the "JRE" Download button.
  • On the JSE Downloads page, click the button to "Accept License Agreement".
  • Under the Java SE Runtime Environment 7u25 heading:
    To install the version for your system:
    • For Windows 32 bit systems, look for Windows x86 Offline 30.25MB, click the jre-7u25-windows-i586.exe file and save it to your desktop. Do Not run it from the Java site.
  • Close any programs you may have running - especially your web browser.

B.
Uninstall all versions of Java

  • Click Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Click to (highlight) any Java item. These may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE or J2SE
    The versions I see on the computer are:
    • Java™ 7
  • Click the Remove or Change/Remove button and follow the on screen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
    -- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
C.
Install the latest JAVA

Back on your desktop:
  • Double-click on the jre-7u25-windows-i586.exe file to install the newest version.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version. It's on the Update tab in Java in the

[Note:] The Java Quick Starter (JQS.exe) adds a service to improve the initial start up time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > You will have to be in Classic View to see Java(It looks like a coffee cup). Double-click on Java click the Advanced Tab click Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.


Update Adobe Reader

Earlier versions of Adobe Reader have known security flaws so it is recommended that you update your copy.
  • Go to Start > Control Panel > Add/Remove Programs
  • Remove ALL instances of Adobe Reader
  • Re-boot your computer as required.
  • Once ALL versions of Adobe Reader have been uninstalled, download the latest version of Adobe Reader from Here.
  • Remove the check mark next to Yes, install McAfee Security Scan Plus-optional box.
  • Click the Download Now button to download Adobe Reader and follow the directions.
Alternative Option: After uninstalling Adobe Reader, you could try installing Foxit Reader from HERE. Foxit Reader is a much smaller program. It has fewer add-ons therefore loads more quickly.
NOTE: When installing FoxitReader, be careful not to install anything to do with AskBar.



OK! Well done. :thumbsup: Here is the best part of the process! The mullygrubs are gone! That's a technical term for your log(s) appear to be clean! If you have no further issues with your computer, please proceed with the housekeeping procedures outlined below.
The first thing we need to do is to remove all the tools that we have used. This is so that should you ever be re-infected, you will download updated versions.

If you didn't uninstall ESET after running the program we will do it now.

Step-1.

Uninstall ESET

1. Please click Start > Control Panel > Add/Remove Programs
2. In the list of programs installed, locate the following program(s):

ESET

3. Click on the program to highlight it and click Change/Remove.
4. After the program has been uninstalled, close the Installed Programs window and the Control Panel.
5. Reboot the computer.

Delete the folders associated with the uninstalled programs.(Only do this if you uninstalled the program)

1. Using Windows Explorer (to get there right-click your Start button and click "Explore"), please delete the following folders(s) (if present):

C:\ProgramFiles\ESET

2. Close Windows Explorer.

Step-2.

Uninstall AdwCleaner

Re-open AdwCleaner
  • Click the Uninstall button
  • Confirm with yes
Posted Image

Step-3.

Uninstall ComboFix
  • Click Start, then Run. This will display the Run dialogue box .
  • In the Run box, type in ComboFix /Uninstall (Notice the space between the "x" and "/") then click OK

    Posted Image
  • Follow the prompts on the screen.
  • A message should appear confirming that ComboFix was uninstalled
Step-4.

OTL Cleanup

1. Please re-open Posted Image on your desktop.
  • Be sure all other programs are closed as this step will require a reboot.
  • Click on Posted Image
  • You will be prompted to reboot your system. Please do so.
The above process will remove most/all of the tools used and logs created during the cleanup process. After it is finished, OTL will remove itself. This is so that if you are ever infected again you will download the most current copy of the tool.

Step-5.

Delete the following Files and Folders (If Present):

FILES
MBR.dat
MbrScan.log
JRT.exe
JRT.txt
SecurityCheck.exe
checkup.txt
jre-7u25-windows-i586.exe
The Adobe Reader setup file

FOLDERS
mbar-1.06.0.1004.zip
mbar

Delete any other .bat, .log, .reg, .txt, and any other files created during this process, and left on the desktop and empty the Recycle Bin.

Step-6.

Reset Hidden Files and Folders

1. Click Start.
2. Open My Computer.
4. Select the Tools menu and click Folder Options.
5. Select the View tab.
6. Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
7. Click the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK.

Step-7.

Make a Fresh Restore Point, Clear the Old Restore Points, and Re-enable System Restore

The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected, but that's good news).

Note: Do not clear infected/old System Restore points before creating a new System Restore point first!

Windows XP
  • Click Start > All Programs > Accessories > System tools > System Restore. The System Restore Wizard opens.
  • Note: If the System Restore Wizard does not open, the System Restore feature may be turned off. To turn System Restore on, follow these steps:
  • Click Start, click Control Panel, and then double-click System.
  • Click the System Restore tab.
  • Make sure that the Turn off System Restore check box is not selected. Or, make sure that the Turn off System Restore on all drives check box is not selected.
  • Click OK.
[*] On the dialogue box that appears select Create a Restore Point
[*] Click NEXT
[*] Enter a name e.g. Clean
[*] Click CREATE
[*] Close System Restore[/list]Turn OFF System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
    Restart your computer.
Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore.
  • Click Apply, and then click OK.
    System Restore will now be active again.


Preventing Re-Infection

Below, I have included a number of recommendations for how to protect your computer against future malware infections.

:Keep Windows Updated:-Windows Updates are constantly being revised to combat the newest hacks and threats. Microsoft releases security updates that help your computer from becoming vulnerable.
Please either enable Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

XP Users: You must use Internet Explorer to Update Windows.

1. Click Start> All Programs, in the programs window that comes up, look for Windows Update toward the top of the list and click it.

:Turn On Automatic Updates:

XP Users:
1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) Automatically download recommended updates for my computer and install them

: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article and this article.
I would recommend that you completely uninstall Java unless you need it to run an important software or need it to play games on-line.
In that instance I would recommend that you only use Firefox or Chrome to visit those sites and do the following:If you still want to keep Java
  • Click the Start button
  • Click Control Panel
  • Double Click Java - Looks like a coffee cup. You may have to switch to Classical View on the upper left of the Control Panel to see it.
  • Click the Update tab
  • Click Update Now
  • Allow any updates to be downloaded and installed
: Keep Adobe Reader Updated :
  • Open Adobe Reader
  • Click Help on the menu at the top
  • Click Check for Updates
  • Allow any updates to be downloaded and installed
NOTE: Whether you use Adobe Reader, Acrobat or Foxit Reader to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Click Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. Click OK Close program. It's the same for Foxit Reader except Preferences is under the Tools menu, and you uncheck Enable Javascript Actions.

NOTE: Many installers offer third-party downloads that are installed automatically when you do not uncheck certain checkboxes. While most of the time not being malicious you usually do not want these on your computer. Be careful during the installation process and you will avoid seeing tons of new unwanted toolbars in your favorite web browser.

:Web Browsers:

:Make your Internet Explorer more secure:
1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click once on the Security tab
3. Click once on the Internet icon so it becomes highlighted.
4. Click once on the Custom Level button.
5. Change the Download signed ActiveX controls to "Prompt"
6. Change the Download unsigned ActiveX controls to "Disable"
7. Change the Initialise and script ActiveX controls not marked as safe to "Disable"
8. Change the Installation of desktop items to "Prompt"
9. Change the Launching programs and files in an IFRAME to "Prompt"
10. When all these settings have been made, click on the OK button.
11. If it prompts you as to whether or not you want to save the settings, click the Yes button.
12. Next press the Apply button and then the OK to exit the Internet Properties page.

This webpage is worth bookmarking/reading for future reference:
Securing Your Web Browser

:Alternate Browsers:

If you use Firefox, I highly recommend these add-ons to keep your PC even more secure.
  • NoScript - for blocking ads and other potential website attacks
  • WebOfTrust - a safe surfing tool for your browser. Traffic-light rating symbols show which websites you can trust when you search, shop and surf on the Web.
  • McAfee SiteAdvisor - this tells you whether the sites you are about to visit are safe or not. A must if you do a lot of Googling
:Install the MVPs Hosts File:
  • MVPS Hosts file-replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

Preventative programs that will help to keep the nasties away! We will start with Anti Spyware programs. I would advise getting a couple of them at least, and running a full scan at least once a month. Run Quick Scans at least once a week. Download the Free versions. And update the definitions before running scans.

========Anti Spyware========
  • Malwarebytes-Free Version- a powerful tool to search for and eliminate malware found on your computer.
  • SUPERAntiSpyware Free Edition-another scanning tool to find and eliminate malware.
  • SpywareBlaster-to help prevent spyware from installing in the first place. A tutorial can be found here.
  • SpywareGuard-to catch and block spyware before it can execute. A tutorial can be found here.
  • WinPatrol - will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. Help file and tutorial can be found here.
It's a good idea to clear out all your temp files every now and again. This will help your computer from bogging down and slowing. It also can assist in getting rid of files that may contain malicious code that could re-infect your computer.

========TEMP File Cleaners========
  • TFC by OldTimer-A very powerful cleaning program for 32 and 64 bit OS. Note: You may have this already as part of the fixes you have run.
  • CleanUP-Click the Download CleanUP! link. There is also a Learn how to use CleanUP! link on this page.
:BACKUPS:
  • Keep a backup of your important files.-Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  • ERUNT-(Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
:Keep Installed Programs Up to Date:

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities.
A program that will do this is listed below. Download and install the program and run it monthly:
Filehippo Update Checker

Finally, please read How did I get infected in the first place? by Mr. Tony Cline

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

IF I have helped you and you want to say "thanks", you can do that by clicking the Rep+ button at the bottom right of this post. :)

I Will Keep This Open For 24 hours or so. If Anything Comes Up - Just Come Back And Let Me Know

Stay Safe :wave:
godawgs
  • 1

#39
Racingal60
Posted 30 July 2013 - 12:42 PM

Racingal60

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
One Quick question...Do I need to update my Java and Adobe? New York Life's software will only let us update to version 7 (which I think is what she has.) If we go any newer we are unable to use some of their programs. :( Same thing goes for Adobe. I can check with NYL's tech support - but I'm pretty sure I have the most up-to-date software (since they usually provide us with the software.)

Let me know.

Roxie
  • 0

#40
godawgs
Posted 30 July 2013 - 06:52 PM

godawgs

    Teacher

  • Retired Staff
  • 8,228 posts
Hi,

I'm sorry I suggested updating those programs. If the company's software won't support anything higher than Java 7 and Adobe Reader 10.1.7 then you should not update those programs or you risk breaking the NY Life software. Normally we don't work on company computers without an ok from the company IT department, but I was not aware that this was a company computer until we were well into the cleaning process. Just be aware that the computers with the outdated versions of Java and Adobe reader are at greater risk because of the security vulnerabilities inherent in those programs.

Since you can't update those programs please continue with the clean up procedures.
  • 0

Advertisements

#41
Racingal60
Posted 02 August 2013 - 01:13 PM

Racingal60

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
GoDawgs - thank you again for your help. If I have any other problems I will let you know! Computer seems to be running very well now.

Roxie
  • 0

#42
godawgs
Posted 05 August 2013 - 11:47 AM

godawgs

    Teacher

  • Retired Staff
  • 8,228 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP