
Browsers will not open


Re: Browsers will not open

Post by z147 » December 6th, 2011, 8:07 pm

Hello pgmigg,

I hope this is not a duplicate but I sent this previously and don't see it.

F. Let's take this one first. IE and Firefox open fine. I can navigate the web etc. Outlook, Office, iTunes fine. I tried to open Google Chrome and the message about needing to close came up. Additionally, after I spent some additional time on the web it seems something is still not right. Each and every time I do a search for something, the first time I click on any of the results I'm taken to some sort of advertising site. So it looks like the computer is not 100% free of problems.

A. Do you have any problems executing the instructions? No
Contents of the most recent MBAM log file See Below
Contents of OTL-fix.txt log file created after OTL Fix Script run See Below
Contents of SystemLook.txt log file See Below
Contents of OTL.txt log file created after OTL Standard scan See Below

MBAM
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8323

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/6/2011 1:57:43 PM
mbam-log-2011-12-06 (13-57-43).txt

Scan type: Full scan (C:\|)
Objects scanned: 248983
Time elapsed: 32 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\AZ\local settings\Temp\2F.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\AZ\local settings\Temp\~!#21.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\AZ\local settings\Temp\~!#23.tmp (Rootkit.0Access) -> Quarantined and deleted successfully.
c:\documents and settings\AZ\local settings\Temp\~!#29.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\all users\Desktop\privacy protection.lnk (Malware.Trace) -> Quarantined and deleted successfully.

OTL fix
All processes killed
========== PROCESSES ==========
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2421}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2421}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2421}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2421}\ not found.
Registry key HKEY_USERS\S-1-5-21-1275210071-1604221776-839522115-1007\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2421}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2421}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\\C:\PROGRA~1\WINDOW~4\Datamngr\DATAMN~1.EXE not found.
Registry value HKEY_USERS\S-1-5-21-1275210071-1604221776-839522115-1007\Software\Microsoft\Windows\ShellNoRoam\MUICache\\C:\PROGRA~1\WINDOW~4\Datamngr\DATAMN~1.EXE not found.
========== FILES ==========
File\Folder C:\WINDOWS\Prefetch\SEARCHQU TOOLBAR UNINSTALL.EX-0A4036A9.pf not found.
C:\Documents and Settings\AZ\Cookies\az@searchqu[1].txt moved successfully.
C:\Documents and Settings\AZ\Application Data\searchquband folder moved successfully.
C:\Documents and Settings\BZ\Application Data\searchquband folder moved successfully.
C:\Documents and Settings\BZ\Application Data\searchqutoolbar\weather folder moved successfully.
C:\Documents and Settings\BZ\Application Data\searchqutoolbar\coupons folder moved successfully.
C:\Documents and Settings\BZ\Application Data\searchqutoolbar folder moved successfully.
C:\Documents and Settings\AZ\AppData\LocalLow\DataMngr folder moved successfully.
C:\Documents and Settings\BZ\AppData\LocalLow\DataMngr folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Administrator.ANDREW-PC
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Andrew

User: AZ
->Temp folder emptied: 1052187 bytes
->Temporary Internet Files folder emptied: 195699733 bytes
->Java cache emptied: 18469 bytes
->FireFox cache emptied: 38879057 bytes
->Flash cache emptied: 2743 bytes

User: BZ
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 101960 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 26190 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 225.00 mb

Error: Unable to interpret <[CREATERESTOREPOINTS]> in the current context!

[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: Administrator.ANDREW-PC
->Flash cache emptied: 0 bytes

User: All Users

User: Andrew

User: AZ
->Flash cache emptied: 0 bytes

User: BZ
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


[EMPTYJAVA]

User: Administrator

User: Administrator.ANDREW-PC

User: All Users

User: Andrew

User: AZ
->Java cache emptied: 0 bytes

User: BZ
->Java cache emptied: 0 bytes

User: Default User

User: LocalService

User: NetworkService
->Java cache emptied: 0 bytes

Total Java Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.31.0 log created on 12062011_160042

Files\Folders moved on Reboot...
C:\Documents and Settings\AZ\Local Settings\Temporary Internet Files\Content.IE5\3XQK55NJ\results[1].htm moved successfully.
File move failed. C:\Documents and Settings\AZ\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat scheduled to be moved on reboot.

Registry entries deleted on Reboot...

SystemLook
SystemLook 30.07.11 by jpshortstuff
Log created at 16:07 on 06/12/2011 by AZ
Administrator - Elevation successful

========== filefind ==========

Searching for "*Searchqu*"
C:\_OTL\MovedFiles\12042011_143259\C_DOCUME~1\AZ\LOCALS~1\Temp\searchqutoolbar-manifest.xml --a---- 9422 bytes [06:34 12/07/2011] [06:34 12/07/2011] BDD9BB687211DB7604A64BCA36531350
C:\_OTL\MovedFiles\12062011_160042\C_Documents and Settings\AZ\Cookies\az@searchqu[1].txt --a---- 579 bytes [22:36 29/11/2011] [22:36 29/11/2011] FAF6FFAF4299741117CE35AE1A8F4D4B

Searching for "*datamngr*"
No files found.

========== folderfind ==========

Searching for "*Searchqu*"
C:\_OTL\MovedFiles\12062011_160042\C_Documents and Settings\AZ\Application Data\searchquband d------ [21:08 02/08/2011]
C:\_OTL\MovedFiles\12062011_160042\C_Documents and Settings\BZ\Application Data\searchquband d------ [21:32 12/09/2011]
C:\_OTL\MovedFiles\12062011_160042\C_Documents and Settings\BZ\Application Data\searchqutoolbar d------ [21:00 06/12/2011]

Searching for "*datamngr*"
C:\_OTL\MovedFiles\12062011_160042\C_Documents and Settings\AZ\AppData\LocalLow\DataMngr d------ [21:08 02/08/2011]
C:\_OTL\MovedFiles\12062011_160042\C_Documents and Settings\BZ\AppData\LocalLow\DataMngr d------ [21:32 12/09/2011]

========== Regfind ==========

Searching for "Searchqu"
No data found.

Searching for "datamngr"
No data found.

-= EOF =-

OTL Scan
OTL logfile created on: 12/6/2011 4:22:02 PM - Run 4
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\AZ\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

895.48 Mb Total Physical Memory | 423.11 Mb Available Physical Memory | 47.25% Memory free
2.12 Gb Paging File | 1.70 Gb Available in Paging File | 80.09% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 127.99 Gb Total Space | 61.71 Gb Free Space | 48.22% Space Free | Partition Type: NTFS

Computer Name: ANDREW-PC | User Name: AZ | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/12/04 14:19:04 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\AZ\Desktop\OTL.exe
PRC - [2011/06/15 14:16:48 | 000,997,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2011/04/27 14:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2011/04/08 11:59:52 | 000,507,624 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Common Files\Java\Java Update\jucheck.exe
PRC - [2009/04/24 01:57:42 | 001,025,320 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Common Files\SupportSoft\bin\bcont.exe
PRC - [2009/04/07 09:13:10 | 000,673,616 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Epson Software\Event Manager\EEventManager.exe
PRC - [2008/04/24 12:26:18 | 000,202,560 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
PRC - [2008/04/24 12:25:22 | 000,202,560 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/12/19 18:23:20 | 000,094,208 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe


========== Modules (No Company Name) ==========

MOD - [2010/12/30 10:48:23 | 000,051,716 | ---- | M] () -- C:\WINDOWS\system32\pdf995mon.dll
MOD - [2010/11/17 13:16:56 | 000,067,872 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2009/03/12 15:45:32 | 000,135,168 | ---- | M] () -- C:\Program Files\Epson Software\Event Manager\Assistants\Scan Assistant\ScanEngine.dll
MOD - [2008/11/21 13:58:42 | 000,057,344 | ---- | M] () -- C:\Program Files\Epson Software\Event Manager\Assistants\Scan Assistant\Satwain.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/04/27 14:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2008/04/24 12:26:18 | 000,202,560 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe -- (sprtsvc_ddoctorv2) SupportSoft Sprocket Service (ddoctorv2)
SRV - [2006/12/19 18:23:20 | 000,094,208 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe -- (EpsonBidirectionalService)


========== Driver Services (SafeList) ==========

DRV - [2011/12/06 16:02:33 | 000,029,904 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{935D74D5-3065-4672-9124-68E95DDCAAD7}\MpKsl9cec545f.sys -- (MpKsl9cec545f)
DRV - [2011/12/06 13:59:43 | 000,029,904 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{935D74D5-3065-4672-9124-68E95DDCAAD7}\MpKsl46ef1d87.sys -- (MpKsl46ef1d87)
DRV - [2006/01/25 16:24:30 | 001,149,888 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2005/04/20 11:00:56 | 002,317,696 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2005/04/12 11:42:16 | 000,011,904 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srvkp.sys -- (SiSkp)
DRV - [2005/04/12 11:08:44 | 000,247,296 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sisgrp.sys -- (SiS315)
DRV - [2004/08/03 22:31:36 | 000,032,768 | ---- | M] (SiS Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sisnic.sys -- (SISNIC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page =
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page =
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1275210071-1604221776-839522115-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKU\S-1-5-21-1275210071-1604221776-839522115-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-1275210071-1604221776-839522115-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-1275210071-1604221776-839522115-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 8F B3 A7 67 4E B3 CC 01 [binary data]
IE - HKU\S-1-5-21-1275210071-1604221776-839522115-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Search Results"
FF - prefs.js..browser.search.order.1: "Search Results"
FF - prefs.js..browser.search.selectedEngine: "Search Results"
FF - prefs.js..browser.startup.homepage: "http://news.google.com/"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26
FF - prefs.js..keyword.URL: "http://dts.search-results.com/sr?src=ffb&appid=0&systemid=421&q="

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG10\Firefox4\
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\avg@igeared: C:\Program Files\AVG\AVG10\Toolbar\Firefox\avg@igeared
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.23\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/11/12 11:13:55 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.23\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/11/12 11:13:52 | 000,000,000 | ---D | M]

[2011/12/04 14:27:47 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\AZ\Application Data\Mozilla\Extensions
[2011/12/04 14:57:17 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\AZ\Application Data\Mozilla\Firefox\Profiles\yx8detvg.default\extensions
[2011/08/02 16:07:41 | 000,002,497 | -H-- | M] () -- C:\Documents and Settings\AZ\Application Data\Mozilla\Firefox\Profiles\yx8detvg.default\searchplugins\SearchResults.xml
[2011/12/04 15:25:41 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/07/13 07:49:52 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
[2011/07/13 07:49:40 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/07/13 07:49:39 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/08/02 16:07:41 | 000,002,497 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\SearchResults.xml

O1 HOSTS File: ([2011/07/09 13:25:18 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ddoctorv2] C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [EEventManager] C:\Program Files\Epson Software\Event Manager\EEventManager.exe (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [SiSPower] C:\WINDOWS\System32\SiSPower.dll (Silicon Integrated Systems Corporation)
O4 - HKU\S-1-5-21-1275210071-1604221776-839522115-1007..\Run: [Desktop Software] C:\Program Files\Common Files\SupportSoft\bin\bcont.exe (SupportSoft, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1275210071-1604221776-839522115-1007\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1275210071-1604221776-839522115-1007\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-1275210071-1604221776-839522115-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1275210071-1604221776-839522115-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1275210071-1604221776-839522115-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/ ... ontrol.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab (HP Download Manager)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.75.75.75 75.75.76.76
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{DE038714-5CDA-49F1-A43C-B066D60146DF}: DhcpNameServer = 75.75.75.75 75.75.76.76
O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/12/23 19:56:21 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/12/06 13:02:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2011/12/06 13:01:59 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2011/12/06 12:52:34 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\AZ\Desktop\erunt-setup.exe
[2011/12/04 14:32:59 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/12/04 14:21:27 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\AZ\Desktop\OTL.exe
[2011/11/29 18:25:18 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2011/11/29 18:15:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2011/11/29 17:39:12 | 000,000,000 | --SD | C] -- C:\zzz28210z
[2011/11/12 11:12:39 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\AZ\Recent

========== Files - Modified Within 30 Days ==========

[2011/12/06 16:24:03 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/12/06 16:07:33 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/12/06 16:03:06 | 000,000,874 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/12/06 16:02:28 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/12/06 13:02:02 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\AZ\Desktop\NTREGOPT.lnk
[2011/12/06 13:02:02 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\AZ\Desktop\ERUNT.lnk
[2011/12/06 12:50:26 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\AZ\Desktop\erunt-setup.exe
[2011/12/06 11:11:20 | 000,002,521 | ---- | M] () -- C:\Documents and Settings\AZ\Desktop\Microsoft Office Outlook 2003.lnk
[2011/12/06 11:08:49 | 000,000,124 | ---- | M] () -- C:\Documents and Settings\AZ\Desktop\restore.vbs
[2011/12/06 10:58:35 | 000,013,002 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/12/04 15:45:39 | 000,000,059 | ---- | M] () -- C:\WINDOWS\wpd99.drv
[2011/12/04 15:43:42 | 000,109,046 | ---- | M] () -- C:\Documents and Settings\AZ\Desktop\ATT 1011-1111.pdf
[2011/12/04 15:41:00 | 000,108,740 | ---- | M] () -- C:\Documents and Settings\AZ\Desktop\ATT wireless 911-1011.pdf
[2011/12/04 15:38:31 | 000,102,248 | ---- | M] () -- C:\Documents and Settings\AZ\Desktop\ATT 911-1011.pdf
[2011/12/04 15:23:00 | 000,408,687 | ---- | M] () -- C:\Documents and Settings\AZ\Desktop\Comcast 2011-11-21_bill.pdf
[2011/12/04 14:19:13 | 000,139,264 | ---- | M] () -- C:\Documents and Settings\AZ\Desktop\SystemLook.exe
[2011/12/04 14:19:04 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\AZ\Desktop\OTL.exe
[2011/12/03 13:49:06 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/12/02 09:34:27 | 000,023,624 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2011/12/01 10:54:16 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\AZ\Desktop\Microsoft Office Word 2003.lnk
[2011/11/29 22:26:43 | 000,168,058 | ---- | M] () -- C:\Documents and Settings\AZ\Desktop\silicon project _2_.pdf
[2011/11/29 22:26:05 | 000,010,767 | ---- | M] () -- C:\Documents and Settings\AZ\Desktop\outbind 2-00000000C4FA11FF0739AB4491209FC2502EA629E4A02A00 .pdf
[2011/11/29 16:25:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/11/16 21:26:28 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2011/11/13 11:31:42 | 000,314,508 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/11/13 11:31:42 | 000,040,836 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

========== Files Created - No Company Name ==========

[2011/12/06 13:02:02 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\AZ\Desktop\NTREGOPT.lnk
[2011/12/06 13:02:02 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\AZ\Desktop\ERUNT.lnk
[2011/12/06 11:08:49 | 000,000,124 | ---- | C] () -- C:\Documents and Settings\AZ\Desktop\restore.vbs
[2011/12/04 15:43:40 | 000,109,046 | ---- | C] () -- C:\Documents and Settings\AZ\Desktop\ATT 1011-1111.pdf
[2011/12/04 15:40:59 | 000,108,740 | ---- | C] () -- C:\Documents and Settings\AZ\Desktop\ATT wireless 911-1011.pdf
[2011/12/04 15:38:29 | 000,102,248 | ---- | C] () -- C:\Documents and Settings\AZ\Desktop\ATT 911-1011.pdf
[2011/12/04 15:22:59 | 000,408,687 | ---- | C] () -- C:\Documents and Settings\AZ\Desktop\Comcast 2011-11-21_bill.pdf
[2011/12/04 14:21:40 | 000,139,264 | ---- | C] () -- C:\Documents and Settings\AZ\Desktop\SystemLook.exe
[2011/11/29 22:26:41 | 000,168,058 | ---- | C] () -- C:\Documents and Settings\AZ\Desktop\silicon project _2_.pdf
[2011/11/29 22:26:03 | 000,010,767 | ---- | C] () -- C:\Documents and Settings\AZ\Desktop\outbind 2-00000000C4FA11FF0739AB4491209FC2502EA629E4A02A00 .pdf
[2011/11/29 18:16:23 | 000,023,624 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2011/08/02 16:07:34 | 000,484,352 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2011/07/11 07:59:42 | 000,015,050 | -HS- | C] () -- C:\Documents and Settings\AZ\Local Settings\Application Data\fw3ij32ar784e3d2
[2011/07/11 07:59:42 | 000,015,050 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\fw3ij32ar784e3d2
[2011/06/24 08:40:08 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat

< End of report >
z147
Regular Member
 
Posts: 47
Joined: July 2nd, 2011, 12:13 pm

Re: Browsers will not open

Post by z147 » December 7th, 2011, 9:09 am

Hello pgmigg,

After the last cleaning I checked a few applications on the computer and browsed the web enough to see if I could navigate without problems. I decided to leave the computer on during the night. I woke up to "Firewall Warning" and "Privacy Protection has detected of leak of your files to the Internet..." and "tfswctrl.exe is infected with W32/Blaster.worm". No access to the web. Browsers won't open, Outlook won't stay open. z147

Re: Browsers will not open

Post by pgmigg » December 7th, 2011, 11:24 am

Hello z147,
When each and every time I do a search for something the first time I click on any of the results I'm taken to some sort of advertising site. So it looks like the computer is not 100% free of problems.

I woke up to "Firewall Warning" and "Privacy Protection has detected of leak of your files to the Internet..." and "tfswctrl.exe is infected with W32/Blaster.worm". No access to the web. Browsers won't open, Outlook won't stay open.

We are still not finished yet, so let's continue...

Step 0.
ERUNT - Run to make a full backup:
This will create a full backup of your registry. ERUNT can be used to restore the registry from this backup, if needed.
  1. Please navigate to Start -> All Programs -> ERUNT, then double-click ERUNT from the menu.
  2. Click on OK within the pop-up menu.
  3. In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
    • System registry.
    • Current user registry.
  4. Next click on OK at the prompt, then reply Yes.
    After a short duration, the "Registry backup is complete!" pop-up message will appear.
  5. Now click on OK. A registry backup has now been created.
< STOP > If you did not successfully complete this step, do not continue with any other steps; post back and let me know! < STOP >

Step 1.
Download and Run ComboFix
  1. Please download ComboFix from one of the following links.
    Link 1.
    Link 2.
    **IMPORTANT !!! Save ComboFix.exe to your Desktop**
  2. Please disable any Antivirus and Firewall you have active, as shown in this topic. Please close all open application windows.
  3. Double click on ComboFix.exe and follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  5. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
[screenshot]
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[screenshot]

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use!
ComboFix SHOULD NOT be used unless requested by a forum helper.


Please include in your next reply:
  1. Do you have any problems executing the instructions?
  2. Contents of ComboFix.txt log file
  3. Do you see any changes in computer behavior?

Thanks,
pgmigg
pgmigg
MRU Teacher
 
Posts: 3181
Joined: July 8th, 2008, 1:25 pm
Location: GMT-05:00

Re: Browsers will not open

Post by z147 » December 8th, 2011, 2:21 pm

pgmigg,

I have 2 issues now. I can't turn MS Security Essentials (XP Home Security 2012) back on and it blocks access to the web. It wants me to purchase or register. I also still receive a message suggesting a spyware attack.

Re: Browsers will not open

Post by z147 » December 8th, 2011, 2:33 pm

pgmigg,

XP Home Security tells me Outlook and iTunes are infected with Trojan-BK.Win32.Keylogger.gen and won't allow access to the internet.

Re: Browsers will not open

Post by pgmigg » December 9th, 2011, 12:17 pm

Hello z147,
I can't turn MS Security Essentials (XP Home Security 2012) back on and it blocks access to the web. It wants me to purchase or register. I also still receive a message suggesting a spyware attack.
XP Home Security tells me Outlook and iTunes are infected with Trojan-BK.Win32.Keylogger.gen and won't allow access to the internet.

"XP Home Security 2012" is a fake anti-spyware program that simulates a system scan and reports false scan results.
Now we will try to remove it...

Please read my instructions below carefully and print them out, because your Internet access may be interrupted while you work through them...

Please go to the CLEAN computer and download a couple of tools!

Rkill - Download
Note: If your security software warns about Rkill, please ignore and allow the download to continue.
  • Please download Rkill by Grinler (the download page will open in a new tab or browser window) and click on the Download Now button labeled iExplore.exe. When you are prompted where to save it, please save it on your Desktop.
  • It is possible that you will have problems running RKill. So please download the other renamed versions of RKill from the rkill download page too. All of the files are renamed copies of RKill, which you can try instead.
  • Please note that the download page will open in a new browser window or tab.

ComboFix - Download
Please download ComboFix from one of the following links.

Link 1.
Link 2.

**IMPORTANT !!! Save ComboFix.exe to your Desktop**

Please copy all downloaded files via flash drive or CD/DVD to the infected PC and save them on the Desktop too. Then you need to try to run my instructions on the infected computer:

Step 0.
ERUNT - Run to make a full backup:
This will create a full backup of your registry. ERUNT can be used to restore the registry from this backup, if needed.
  1. Please navigate to Start -> All Programs -> ERUNT, then double-click ERUNT from the menu.
  2. Click on OK within the pop-up menu.
  3. In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
    • System registry.
    • Current user registry.
  4. Next click on OK at the prompt, then reply Yes.
    After a short duration, the "Registry backup is complete!" pop-up message will appear.
  5. Now click on OK. A registry backup has now been created.
< STOP > If you did not successfully complete this step, do not continue with any other steps; post back and let me know! < STOP >

Step 1.
Rkill
  1. Double click on the iExplore.exe Desktop icon in order to automatically attempt to stop any processes associated with XP Home Security 2012 and other Rogue programs. Please be patient while the program looks for various malware programs and ends them.
  2. A command window will open then disappear upon completion, this is normal.
    1. If you are having problems running this version of RKill, run the other renamed versions of RKill one after another.
    2. If the next one does not work either, repeat the process until one of them runs.
    3. If no version of Rkill will run, please let me know.
    Do not reboot your machine until asked to do so.
    When finished, Notepad will open with a log file, automatically saved at C:\rkill.log.
  3. Please copy and paste the contents of the rkill.log file, in your next reply.
    Please leave Rkill on the Desktop unless instructed otherwise.
Note: If you get an alert that Rkill is infected, ignore it. The alert is a fake warning given by the rogue software, trying to "protect" itself from being terminated or removed. If you see such a warning, leave the warning on the screen, then run Rkill again. By not closing the warning, this sometimes allows you to bypass the malware's attempt to protect itself, so that Rkill can perform its routine.


Step 2.
Malwarebytes' Anti-Malware Rerun
  1. Please start MBAM (Malwarebytes' Anti-Malware) again.
    You must be connected to the Internet to obtain any updates.
  2. Press the Update tab, then press the Check for Updates button. <<---Important!
    Once any updates are installed or you get the message that you are up-to-date
  3. Press the Scanner tab and select FULL SCAN this time, then press the Scan button. This kind of scan will take a while, so please be patient!
    When the scan finishes...
  4. Check all items except any items (if present) in the C:\System Volume Information folder. Then click on Remove Selected.
  5. Let MBAM remove what it can... If there are files to be deleted on reboot, please reboot the machine so MBAM can finish the removal.
    If you rebooted, then you'll need to start MBAM again.
  6. Press the LOG tab and locate the most current log file.
    Please copy and paste the most recent log (from this new run) in your next reply.

Step 3.
ComboFix - Run
  1. Please disable any Antivirus and Firewall you have active, as shown in this topic. Please close all open application windows.
  2. Double click on ComboFix.exe and follow the prompts.
  3. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  4. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
[screenshot]
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[screenshot]

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use!
ComboFix SHOULD NOT be used unless requested by a forum helper.


Please include in your next reply:
  1. Do you have any problems executing the instructions?
  2. Contents of rkill.log file
  3. Contents of the most recent MBAM log file
  4. Contents of ComboFix.txt log file
  5. Do you see any changes in computer behavior?

Thanks,
pgmigg

Re: Browsers will not open

Post by z147 » December 10th, 2011, 3:23 pm

pgmigg,

the fake sw won't allow ERUNT to open. What can we do?
Thanks.

z147

Re: Browsers will not open

Post by pgmigg » December 11th, 2011, 10:41 am

Hello z147,
the fake sw won't allow ERUNT to open. What can we do?

Please skip the ERUNT step and begin from Step 1 (Rkill) instead.

Let me know how it is going...

Thanks,
pgmigg

Re: Browsers will not open

Post by z147 » December 12th, 2011, 10:09 pm

pgmigg,

Instructions executed fine. Contents of files below. The system ran fine last night and today except that I was still being redirected during my first click after a search. I left the system on for a few hours without any activity and nothing opened. When I got back the fake XP security was back up with no access to the internet.

So, it looks like I'm back to square one. Stuck. z147

rkill

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 12/11/2011 at 12:39:32.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\Documents and Settings\AZ\Local Settings\Application Data\ooe.exe
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\Documents and Settings\AZ\Desktop\Security\1210\rkill.com


Rkill completed on 12/11/2011 at 12:40:47.

MBAM

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8352

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/11/2011 1:57:37 PM
mbam-log-2011-12-11 (13-57-37).txt

Scan type: Full scan (C:\|)
Objects scanned: 262699
Time elapsed: 41 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\AZ\Local Settings\Application Data\ooe.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\AZ\Local Settings\Application Data\ooe.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\AZ\Local Settings\Application Data\ooe.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\AZ\application data\Sun\Java\deployment\cache\6.0\53\78e403b5-70a6ae7a (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\documents and settings\AZ\local settings\application data\ooe.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\AZ\local settings\temp\0.6754183022984983.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\documents and settings\AZ\local settings\temp\0.8830849364615687.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\AZ\local settings\temp\425.9845.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\all users\application data\baec.tmp.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\all users\application data\privacy.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.

ComboFix

ComboFix 11-12-06.02 - AZ 12/11/2011 14:21:07.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.895.262 [GMT -5:00]
Running from: c:\documents and settings\AZ\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2011-11-11 to 2011-12-11 )))))))))))))))))))))))))))))))
.
.
2011-12-11 18:59 . 2011-12-11 18:59 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8E3B0F7D-EDDC-4500-AB84-05EA5101CE77}\MpKsl6fee125d.sys
2011-12-11 18:59 . 2011-12-11 18:59 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8E3B0F7D-EDDC-4500-AB84-05EA5101CE77}\offreg.dll
2011-12-08 00:38 . 2011-11-21 10:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8E3B0F7D-EDDC-4500-AB84-05EA5101CE77}\mpengine.dll
2011-12-08 00:30 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-12-08 00:30 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-12-06 18:01 . 2011-12-06 18:02 -------- d-----w- c:\program files\ERUNT
2011-12-04 19:32 . 2011-12-04 19:32 -------- d-----w- C:\_OTL
2011-11-29 23:25 . 2011-11-29 23:25 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-11-29 23:16 . 2011-12-02 14:34 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-11-29 23:15 . 2011-11-29 23:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-11-29 22:39 . 2011-11-29 22:40 -------- d-----w- C:\zzz28210z
2011-11-12 16:15 . 2011-11-12 16:15 -------- d-----w- c:\windows\system32\wbem\Repository
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-21 10:47 . 2011-07-24 15:34 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-10-10 14:22 . 2010-12-24 00:54 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2001-08-18 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 16:41 . 2011-09-26 16:41 611328 ------w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41 . 2001-08-18 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41 . 2001-08-18 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2011-12-07_23.54.56 )))))))))))))))))))))))))))))))))))))))))
.
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Desktop Software"="c:\program files\Common Files\SupportSoft\bin\bcont.exe" [2009-04-24 1025320]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2005-04-12 49152]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-30 15:45 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON WorkForce 600(Network)]
2008-03-05 11:00 188928 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATIEKA.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5910:TCP"= 5910:TCP:vnc5910
.
R1 MpKsl6fee125d;MpKsl6fee125d;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8E3B0F7D-EDDC-4500-AB84-05EA5101CE77}\MpKsl6fee125d.sys [12/11/2011 1:59 PM 29904]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/19/2011 7:45 AM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/19/2011 7:45 AM 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL6FEE125D
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]
.
2011-12-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-19 12:45]
.
2011-12-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-19 12:45]
.
2011-12-11 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
FF - ProfilePath - c:\documents and settings\AZ\Application Data\Mozilla\Firefox\Profiles\yx8detvg.default\
FF - prefs.js: browser.search.selectedEngine - Search Results
FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ff ... mid=421&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-11 14:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3276)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\jscript.dll
c:\windows\system32\Macromed\Flash\Flash10l.ocx
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\Dxtrans.dll
c:\windows\system32\Dxtmsft.dll
c:\windows\system32\ImgUtil.dll
c:\windows\system32\pngfilt.dll
c:\program files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
.
Completion time: 2011-12-11 15:08:33
ComboFix-quarantined-files.txt 2011-12-11 20:08
ComboFix2.txt 2011-12-08 00:09
ComboFix3.txt 2011-07-09 18:26
.
Pre-Run: 64,666,808,320 bytes free
Post-Run: 65,673,224,192 bytes free
.
- - End Of File - - 5A4A66501E9E2927A09F6C1791B6843F
z147
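The "Reg Loading Points" and Firefox prefs sections of the ComboFix log above carry the indicators a helper reads first: Security Center overrides, the standard-profile firewall policy, globally open ports and a hijacked address-bar search URL. As an added example (not from the thread, from ComboFix or from MalwareRemoval.com), a small Python auditor that parses lines in that format and flags those settings; SAMPLE_LOG is constructed from the kinds of lines shown above, and the flagging rules are this example's own.

```python
"""Audit the 'Reg Loading Points' part of a ComboFix log for weakened security
settings. Added example; SAMPLE_LOG is constructed to mirror the log format,
and the rules below are the example's own, not ComboFix's."""
import re

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5910:TCP"= 5910:TCP:vnc5910
.
FF - prefs.js: browser.search.selectedEngine - Search Results
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ff
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")            # [HKLM\...]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<val>.*)$')  # "Name"=value
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (?P<pref>\S+) - (?P<val>.*)$")


def parse_reg_section(text):
    """Return ({key_path_lower: {value_name: raw_value}}, {firefox_pref: value})."""
    keys, prefs, current = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            keys.setdefault(current, {})
            continue
        m = FF_PREF_RE.match(line)
        if m:
            prefs[m.group("pref")] = m.group("val").strip()
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("val").strip()
    return keys, prefs


def reg_int(raw):
    """ComboFix prints DWORDs either as 'dword:00000001' or as '1 (0x1)'."""
    m = re.match(r"dword:([0-9a-f]+)", raw, re.I)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)", raw)
    return int(m.group(1)) if m else None


def audit(text):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    keys, prefs = parse_reg_section(text)
    findings = []
    for key, values in keys.items():
        if key.endswith("security center"):
            for name in ("AntiVirusOverride", "FirewallOverride"):
                if reg_int(values.get(name, "0")) == 1:
                    findings.append(f"Security Center alerts suppressed: {name}=1")
        if key.endswith("firewallpolicy\\standardprofile"):
            if reg_int(values.get("EnableFirewall", "1")) == 0:
                findings.append("Windows Firewall disabled (EnableFirewall=0)")
        if key.endswith("globallyopenports\\list"):
            for name, val in values.items():
                findings.append(f"Globally open firewall port: {name} ({val})")
    # A stock Firefox profile leaves keyword.URL unset; any explicit value
    # redirects address-bar searches and is worth reviewing (assumption of this example).
    if prefs.get("keyword.URL"):
        findings.append(f"Firefox address-bar search redirected to: {prefs['keyword.URL']}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print("FLAG:", finding)
```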

Re: Browsers will not open

Unread postby pgmigg » December 14th, 2011, 2:33 am

Hello z147,
So, it looks like I'm back to square one.

Please don't be so upset. Your computer is heavily infected, but it will be treated and cleaned. Let's continue...

Note: Continuing to surf the Web until I say that your computer is clean is DANGEROUS!

Please be sure that your current antivirus software Microsoft Security Essentials is up to date. Tell me if you cannot update it.

Please read my instructions below carefully and print them out, because your Internet access may be interrupted during processing...

Step 1.
FixNCR.reg
Some infections can change settings on the computer, so when you launch an executable (.exe) file, it will instead launch the infection.
To fix this we must alter the registry entries altered by the infection.

  1. Please download FixNCR.reg
    Download from a clean computer using a CD/DVD (recommended), external drive, flash drive.
  2. Insert the removable device into the infected computer and open the folder, with the drive letter associated with it.
    You should see the FixNCR.reg file that you downloaded.
  3. Double-click on the FixNCR.reg file to fix the Registry on your infected computer.
  4. You may receive a prompt indicating the process has completed ... if prompted, Click OK.
    You should now be able to run your normal programs... proceed to the next step.

Note: Below you can see two steps, 2A and 2B, for creating a full registry backup and a System Restore Point. If you cannot run 2A, please try 2B. You don't need to run both of them if 2A is successful. Please let me know if you cannot run either of these steps! Otherwise please proceed to Step 3.

Step 2A.
ERUNT - Run to make a full backup:
This will create a full backup of your registry. ERUNT can be used to restore the registry from this backup, if needed.
  1. Please navigate to Start -> All Programs -> ERUNT, then double-click ERUNT from the menu.
  2. Click on OK within the pop-up menu.
  3. In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
    • System registry.
    • Current user registry.
  4. Next click on OK at the prompt, then reply Yes.
    After a short duration the Registry backup is complete! pop-up message will appear.
  5. Now click on OK. A registry backup has now been created.

Step 2B.
Create System Restore Point
  1. Click Start.
  2. Select All Programs -> Accessories -> System Tools, then press System Restore.
  3. At the Welcome screen select Create a restore point and then press Next.
  4. In the description box, type a name to describe this restore point.
      System Restore automatically adds (to your description) the current date and time.
  5. Click Create to finish creating this restore point.
  6. Click Close to exit System Restore.
Unless you use some other method to create system restore points, it is advisable to leave this feature ON and active.

Step 3.
Rkill
  1. Double click on the iExplore.exe Desktop icon in order to automatically attempt to stop any processes associated with XP Home Security 2012 and other Rogue programs. Please be patient while the program looks for various malware programs and ends them.
  2. A command window will open then disappear upon completion, this is normal.
    1. If you have problems running this version of RKill, you need to run all other renamed versions of RKill sequentially.
    2. If the next one does not work either, repeat the process until the tool runs.
    3. If no version of Rkill would run, please let me know.
    Do not reboot your machine until asked to do so.
    When finished, Notepad will open with a log file, automatically saved at C:\rkill.log.
  3. Please copy and paste the contents of the rkill.log file, in your next reply.
    Please leave Rkill on the Desktop unless instructed otherwise.
Note: If you get an alert that Rkill is infected, ignore it. The alert is a fake warning given by the rogue software, trying to "protect" itself from being terminated or removed. If you see such a warning, leave the warning on the screen, then run Rkill again. By not closing the warning, this sometimes allows you to bypass the malware's attempt to protect itself, so that Rkill can perform its routine.


Step 4.
Malwarebytes' Anti-Malware Update and Rerun
  1. Please start MBAM (Malwarebytes' Anti-Malware) again.
    You must be connected to the Internet to obtain any updates.
  2. Press the Update tab, then press the Check for Updates button. <<---Important!
    Once any updates are installed or you get the message that you are up-to-date
  3. Press the Scanner tab and select FULL SCAN this time, then press the Scan button. This kind of scan will take a while, so please be patient!
    When the scan finishes...
  4. Check all items except any items (if present) in the C:\System Volume Information folder. Then click on Remove Selected.
  5. Let MBAM remove what it can... If there are files to be deleted on reboot, please reboot the machine so MBAM can finish the removal.
    If you rebooted, then you'll need to start MBAM again.
  6. Press the LOG tab and locate the most current log file.
    Please copy and paste the most recent log (from this new run) in your next reply.

Please include in your next reply:
  1. Do you have any problems executing the instructions?
  2. Could you update Microsoft Security Essentials?
  3. Contents of rkill.log file
  4. Contents of the most recent MBAM log file
  5. Do you see any changes in computer behavior?

Thanks,
pgmigg

Re: Browsers will not open

Unread postby z147 » December 14th, 2011, 11:29 am

pgmigg,

I will not surf the web until you state it's OK.

Microsoft Security Essentials will not open so it cannot be updated.

Apparently, I have another fake security program now called Security Sphere 2012

z147

Re: Browsers will not open

Unread postby pgmigg » December 15th, 2011, 4:56 pm

Hello z147,
Apparently, I have another fake security program now called Security Sphere 2012

The existence of this infection has forced me to change the previous set of steps...

Note: Continuing to surf the Web until I say that your computer is clean is DANGEROUS!

Please read my instructions below carefully and print them out, because your Internet access may be interrupted during processing...

Note: Below you can see two steps, 1A and 1B, for creating a full registry backup and a System Restore Point. If you cannot run 1A, please try 1B. You don't need to run both of them if 1A is successful. Please let me know if you cannot run either of these steps! Otherwise please proceed to Step 2.

Step 1A.
ERUNT - Run to make a full backup:
This will create a full backup of your registry. ERUNT can be used to restore the registry from this backup, if needed.
  1. Please navigate to Start -> All Programs -> ERUNT, then double-click ERUNT from the menu.
  2. Click on OK within the pop-up menu.
  3. In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
    • System registry.
    • Current user registry.
  4. Next click on OK at the prompt, then reply Yes.
    After a short duration the Registry backup is complete! pop-up message will appear.
  5. Now click on OK. A registry backup has now been created.

Step 1B.
Create System Restore Point
  1. Click Start.
  2. Select All Programs -> Accessories -> System Tools, then press System Restore.
  3. At the Welcome screen select Create a restore point and then press Next.
  4. In the description box, type a name to describe this restore point.
      System Restore automatically adds (to your description) the current date and time.
  5. Click Create to finish creating this restore point.
  6. Click Close to exit System Restore.
Unless you use some other method to create system restore points, it is advisable to leave this feature ON and active.

Step 2.
FixNCR.reg
Some infections can change settings on the computer, so when you launch an executable (.exe) file, it will instead launch the infection.
To fix this we must alter the registry entries altered by the infection.

  1. Please download FixNCR.reg
    Download from a clean computer using a CD/DVD (recommended), external drive, flash drive.
  2. Insert the removable device into the infected computer and open the folder, with the drive letter associated with it.
    You should see the FixNCR.reg file that you downloaded.
  3. Double-click on the FixNCR.reg file to fix the Registry on your infected computer.
  4. You may receive a prompt indicating the process has completed ... if prompted, Click OK.
    You should now be able to run your normal programs... proceed to the next step.

Step 3.
Check - Reset Proxy settings
Malware can alter your proxy settings. If altered, it can affect your ability to browse or download tools required for disinfection.

Internet Explorer Proxy settings:
  1. Open Internet Explorer > click Tools > Internet Options > Connections tab.
  2. Click the LAN Settings... button and uncheck "Use a proxy server for your LAN"
    or change the settings to the proxy you normally use if you previously reconfigured it.
  3. Remove any unknown addresses from the Address box. 80 is the default Port so it does not have to be changed.
  4. Click OK... then click OK again.
  5. Close Internet Explorer and -restart- the computer.
  6. An example of how to do this with screenshots can be found in steps 3-7 under the section Automated Removal Instructions... in this guide.

Firefox Proxy settings:
  1. Open Firefox, click Tools > Options > Advanced and click the Network Tab.
  2. Under the Connection section click on the Settings... button.
  3. Under Configure Proxies to Access the Internet, check No proxy. This is the default option if you don't use a proxy.
  4. Click OK... then click OK again.
  5. Close Firefox and -restart- the computer.

For other browsers, please refer to How to configure browser proxy settings.

Step 4.
TDSSKiller - Rootkit Removal Tool - Scan only
  1. Double-click on TDSSKiller.exe to run the tool for known TDSS/TDL variants.
    If TDSSKiller does not run, please rename it. Right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. zarodinu.com).
    If you don't see file extensions, please see: How to change the file extension.
  2. Click the Start Scan button. Do not use the computer during the scan!
  3. If the scan completes with nothing found, click Close to exit.
  4. If malicious objects are found, they will show in the "Scan results - Select action for found objects" and offer 3 options.
    • Please select Skip instead of Cure (default).
  5. Then click Continue, then Close and then Close again.
  6. A log file named TDSSKiller_version_dd.mm.yyyy_hh.mm.ss_log.txt will be created and saved to the root directory (usually Local Disk C:).
  7. Copy and paste the contents of that file in your next reply.

Please include in your next reply:
  1. Do you have any problems executing the instructions?
  2. Could you run steps 1A or 1B successfully?
  3. Contents of TDSSKiller_version_dd.mm.yyyy_hh.mm.ss_log.txt file
  4. Do you see any changes in computer behavior?

Thanks,
pgmigg

Re: Browsers will not open

Unread postby z147 » December 16th, 2011, 9:56 am

pgmigg,

1A. ERUNT will not open.
1B. When I go to All Programs -> Accessories -> System Tools, System Restore is not there. The only thing that is there is "Internet Explorer (no Add-ons)". I cannot even do a search for System Restore. Also, by mistake I tried to run FixNCR from both a CD and an external drive. The program wouldn't even show up on the CD and would not open from the external drive.

z147

Re: Browsers will not open

Unread postby z147 » December 16th, 2011, 12:08 pm

pgmigg,

Would going back to a restore point in Safe Mode do anything? Should I try?

z147

Re: Browsers will not open

Unread postby pgmigg » December 17th, 2011, 2:11 am

Hello z147,
Also, by mistake I tried to run FixNCR from both a CD and an external drive. The program wouldn't even show up on the CD and would not open from the external drive.

Please answer some questions:
  1. Could you download successfully the FixNCR.reg and TDSSKiller.exe files from a non-infected computer to CD or external drive?
  2. If yes... Could you see both files on CD or external drive?
    Note: FixNCR is not an executable file; it is a registry file that should be double-clicked, or right-clicked and merged with the registry.
  3. Could you successfully copy both files to the infected computer's DESKTOP? !!! DESKTOP as the target location is very important !!!

Thanks,
pgmigg