Trouble removing disk antivirus pro

winddancer

New Member
Thread author
Mar 18, 2013
13
I am not familiar with how to send logs so if you need anything like that, I'm sorry you'll need to explain how to do it plus I can't even get onto my email or anything.

Thank You for your time!
Dawn
 

Fiery

Level 1
Jan 11, 2011
2,007
Hi and welcome to MalwareTips! :)

I'm Fiery and I would gladly assist you in removing the malware on your computer.

Before we start:
  • Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
  • Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
  • Please be patient and stay with me until I give you the green light and inform you that your PC is clean.
  • Some tools may be flagged by your antivirus as harmful. Rest assured that ALL the tools we use are safe; the detections are false positives.
  • The absence of symptoms does not mean your PC is fully disinfected.
  • If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
  • Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.

Do you have another PC where you can download tools and transfer the files to the infected PC using a USB drive? Also, try this to see if you are able to access the internet.

Start your computer in Safe Mode with Networking.

  • Remove all floppy disks, CDs, and DVDs from your computer, and then restart your computer.
  • Tap the "F8 key" continuously until you get the Advanced Boot Options screen.
  • On the Advanced Boot Options screen, use the arrow keys to highlight Safe Mode with Networking, and then press ENTER.

[Image: Safe Mode with Networking screen]

Download OTL by Old Timer from here and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Click the Scan All Users checkbox.
  • Check the boxes beside LOP Check and Purity Check
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
  • Please attach the contents of these 2 Notepad files in your next reply.

If you don't know how to attach the files, please follow the instructions here: http://malwaretips.com/Thread-How-to-use-the-attachment-system?pid=16072#pid16072
 

winddancer

New Member
Thread author
Mar 18, 2013
13
Hello Fiery and Thank You for your time. I was able to get on the laptop using the F8 and online as well. I have also generated the two logs as well and they are attached for you to see. Please let me know what will be next when you have the time. It is 1 am here so I will be turning in soon.
Thank You,
Dawn


Attachments

  • OTL.Txt
    89.6 KB · Views: 95
  • Extras.Txt
    32.5 KB · Views: 99

Fiery

Level 1
Jan 11, 2011
2,007
Hi :)

Open OTL. Under custom scan/fixes, copy and paste the following:

:OTL
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.22find.com/newtab?utm_source=b&utm_medium=mlv&from=mlv&uid=ST98823A_3PK0GLL2XXXX3PK0GLL2&ts=1360290257
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.22find.com/newtab?utm_source=b&utm_medium=mlv&from=mlv&uid=ST98823A_3PK0GLL2XXXX3PK0GLL2&ts=1360290257
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.22find.com/web/?utm_source=b&utm_medium=mlv&from=mlv&uid=ST98823A_3PK0GLL2XXXX3PK0GLL2&ts=1360290259
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.22find.com/web/?utm_source=b&utm_medium=mlv&from=mlv&uid=ST98823A_3PK0GLL2XXXX3PK0GLL2&ts=1360290259
IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=221&systemid=1&sr=0&q={searchTerms}
IE - HKU\.DEFAULT\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=221&systemid=1&sr=0&q={searchTerms}
IE - HKU\S-1-5-18\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=221&systemid=1&sr=0&q={searchTerms}
IE - HKU\S-1-5-21-3615664846-1967934640-507609581-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.22find.com/newtab?utm_source=b&utm_medium=mlv&from=mlv&uid=ST98823A_3PK0GLL2XXXX3PK0GLL2&ts=1360290257
IE - HKU\S-1-5-21-3615664846-1967934640-507609581-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.22find.com/newtab?utm_source=b&utm_medium=mlv&from=mlv&uid=ST98823A_3PK0GLL2XXXX3PK0GLL2&ts=1360290257
IE - HKU\S-1-5-21-3615664846-1967934640-507609581-1005\..\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}: "URL" = http://search.22find.com/web/?utm_source=b&utm_medium=mlv&from=mlv&uid=ST98823A_3PK0GLL2XXXX3PK0GLL2&ts=1360290259
IE - HKU\S-1-5-21-3615664846-1967934640-507609581-1005\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=221&systemid=1&sr=0&q={searchTerms}
FF - prefs.js..browser.search.defaultenginename: "22find"
FF - prefs.js..browser.search.order.1: "22find"
FF - prefs.js..browser.search.selectedEngine: "22find"
[2012/06/29 16:01:02 | 000,000,686 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\searchresultstb.xml
[2012/05/17 20:45:53 | 000,002,515 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\Search_Results.xml
O4 - HKLM..\Run: [qeshel] C:\Documents and Settings\Dawn\Application Data\qeshel.dll ()
O4 - HKLM..\Run: [CheckRun22find_uninstaller] C:\Documents and Settings\Dawn\Application Data\CheckRun22find.exe ()
O4 - HKLM..\Run: [dpneip] C:\Documents and Settings\Dawn\Application Data\dpneip.dll (Graphics Co., Ltd.)
O4 - HKLM..\Run: [wuvtcp] C:\Documents and Settings\Dawn\Application Data\wuvtcp.dll ()
O4 - HKU\S-1-5-21-3615664846-1967934640-507609581-1005..\Run: [cvpkmbqm] C:\Documents and Settings\Dawn\Local Settings\Application Data\xmnsvqif.exe (Sqikkmj)
O4 - HKU\S-1-5-21-3615664846-1967934640-507609581-1005..\RunOnce: [3C946E6B620E104D00003C9431DC1532] C:\Documents and Settings\All Users\Application Data\3C946E6B620E104D00003C9431DC1532\3C946E6B620E104D00003C9431DC1532.exe ()
[2013/03/19 00:16:01 | 000,006,537 | ---- | M] () -- C:\Documents and Settings\Dawn\Local Settings\Application Data\1f1d6ba3-23b2-4e15-82a7-a14baac0b137.crx
[2013/03/17 22:06:40 | 000,046,499 | ---- | M] () -- C:\Documents and Settings\Dawn\Local Settings\Application Data\viwxipdd
[2013/03/17 21:59:39 | 000,407,040 | ---- | M] () -- C:\Documents and Settings\Dawn\Local Settings\Application Data\bxnxubqv.exe
[2013/03/17 21:58:45 | 000,635,392 | ---- | M] () -- C:\Documents and Settings\Dawn\Application Data\qeshel.dll
[2013/03/17 21:57:30 | 000,171,520 | ---- | M] () -- C:\Documents and Settings\Dawn\Application Data\wuvtcp.dll
[2013/03/17 02:35:00 | 000,000,456 | ---- | M] () -- C:\WINDOWS\tasks\Driver Robot.job


:Files
ipconfig /flushdns /c

:Commands
[EMPTYTEMP]
[RESETHOSTS]

Then click Run Fix. Post the log afterwards.

Download TDSSkiller from here
  • Double-Click on TDSSKiller.exe to run the application
  • When TDSSKiller opens, click Change parameters and check the box next to Loaded modules. A reboot will be required.
  • After the reboot, TDSSKiller will run again. Click Change parameters again and make sure everything is checked.
    [Image: clip.jpg]
  • Click Start scan.
  • If a suspicious object is detected, the default action will be Skip; click on Continue. (If it says TDL4/TDSS file system, select Delete.)
  • If malicious objects are found, ensure Cure (default) is selected, then click Continue and Reboot now to finish the cleaning process.

Post the log afterwards (usually in the C:\ folder, named in the form TDSSKiller.[Version]_[Date]_[Time]_log.txt).

Download Malwarebytes Anti-Rootkit from here to your Desktop
  • Unzip the contents to a folder on your Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
  • After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
  • When done, please post the two logs in the MBAR folder(mbar-log.txt and system-log.txt)
 

winddancer

New Member
Thread author
Mar 18, 2013
13
This attachment is the first log requested from the copy and paste in OTL under custom scan/fixes. Required a reboot and it is running now in regular mode letting me online. Moving onto TDSSkiller now.
Well, it's not allowing me to attach that file, although it is the same type of file the other two were (txt). Do you want me to paste it into here?
 

winddancer

New Member
Thread author
Mar 18, 2013
13
All processes killed
========== OTL ==========
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Default_Page_URL| /E : value set successfully!
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\\CustomizeSearch| /E : value set successfully!
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\\SearchAssistant| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}\ not found.
Registry key HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}\ not found.
Registry key HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}\ not found.
HKU\S-1-5-21-3615664846-1967934640-507609581-1005\SOFTWARE\Microsoft\Internet Explorer\Main\\Default_Page_URL| /E : value set successfully!
HKU\S-1-5-21-3615664846-1967934640-507609581-1005\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
Registry key HKEY_USERS\S-1-5-21-3615664846-1967934640-507609581-1005\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{33BB0A4E-99AF-4226-BDF6-49120163DE86}\ not found.
Registry key HKEY_USERS\S-1-5-21-3615664846-1967934640-507609581-1005\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}\ not found.
Prefs.js: "22find" removed from browser.search.defaultenginename
Prefs.js: "22find" removed from browser.search.order.1
Prefs.js: "22find" removed from browser.search.selectedEngine
C:\Program Files\Mozilla Firefox\searchplugins\searchresultstb.xml moved successfully.
C:\Program Files\Mozilla Firefox\searchplugins\Search_Results.xml moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\qeshel deleted successfully.
C:\Documents and Settings\Dawn\Application Data\qeshel.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\CheckRun22find_uninstaller deleted successfully.
C:\Documents and Settings\Dawn\Application Data\CheckRun22find.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\dpneip deleted successfully.
C:\Documents and Settings\Dawn\Application Data\dpneip.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\wuvtcp deleted successfully.
C:\Documents and Settings\Dawn\Application Data\wuvtcp.dll moved successfully.
Registry value HKEY_USERS\S-1-5-21-3615664846-1967934640-507609581-1005\Software\Microsoft\Windows\CurrentVersion\Run\\cvpkmbqm deleted successfully.
C:\Documents and Settings\Dawn\Local Settings\Application Data\xmnsvqif.exe moved successfully.
Registry value HKEY_USERS\S-1-5-21-3615664846-1967934640-507609581-1005\Software\Microsoft\Windows\CurrentVersion\RunOnce\\3C946E6B620E104D00003C9431DC1532 deleted successfully.
C:\Documents and Settings\All Users\Application Data\3C946E6B620E104D00003C9431DC1532\3C946E6B620E104D00003C9431DC1532.exe moved successfully.
C:\Documents and Settings\Dawn\Local Settings\Application Data\1f1d6ba3-23b2-4e15-82a7-a14baac0b137.crx moved successfully.
C:\Documents and Settings\Dawn\Local Settings\Application Data\viwxipdd moved successfully.
C:\Documents and Settings\Dawn\Local Settings\Application Data\bxnxubqv.exe moved successfully.
File C:\Documents and Settings\Dawn\Application Data\qeshel.dll not found.
File C:\Documents and Settings\Dawn\Application Data\wuvtcp.dll not found.
C:\WINDOWS\tasks\Driver Robot.job moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Could not flush the DNS Resolver Cache: Function failed during execution.
C:\Documents and Settings\Dawn\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Dawn\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: A & T
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 1201529 bytes
->Java cache emptied: 11666990 bytes
->FireFox cache emptied: 65862513 bytes
->Flash cache emptied: 107021 bytes

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Dawn
->Temp folder emptied: 15094 bytes
->Temporary Internet Files folder emptied: 1607327 bytes
->Java cache emptied: 45224166 bytes
->FireFox cache emptied: 71096759 bytes
->Google Chrome cache emptied: 6304961 bytes
->Flash cache emptied: 42148 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 41661 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33237 bytes
->Java cache emptied: 89722339 bytes
->FireFox cache emptied: 45228813 bytes
->Flash cache emptied: 268049 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 189433 bytes

User: NetworkService
->Temp folder emptied: 16172 bytes
->Temporary Internet Files folder emptied: 49554 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 19652 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 37382 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 117839 bytes
RecycleBin emptied: 2909 bytes

Total Files Cleaned = 323.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.69.0 log created on 03192013_142950

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
 

winddancer

New Member
Thread author
Mar 18, 2013
13
TDSSKiller Log attached found 10 threats, all suspicious only
 

Attachments

  • TDSSKiller.2.8.16.0_19.03.2013_15.26.11_log.txt
    296.3 KB · Views: 86

winddancer

New Member
Thread author
Mar 18, 2013
13
Here are the three logs from running MBAR. First run showed 4 threats, second showed none. Is there anything else I need to do?
 

Attachments

  • system-log.txt
    410.7 KB · Views: 79
  • mbar-log-2013-03-19 (16-19-47).txt
    5.3 KB · Views: 105
  • mbar-log-2013-03-19 (17-06-23).txt
    1.8 KB · Views: 85

Fiery

Level 1
Jan 11, 2011
2,007
Not quite done, still got a few more steps.

Please download Malwarebytes' Anti-Malware from here to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • When it prompts you to try their 30-day trial, click Decline.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Double click OTL again
  • Click the Scan All Users checkbox.
  • Press Run Scan and attach the log again
 

winddancer

New Member
Thread author
Mar 18, 2013
13
Ran MBAM (copied and pasted below) and then OTL (attached). MBAM shows 17 items in the quarantine list; do you want to see these or do you want me to delete these? There is also a trojan in my Microsoft Security Essentials quarantine, same question. What's next? :)

Log from MBAM:
Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.03.19.10

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.13
Dawn :: PC207082390625 [administrator]

3/19/2013 8:19:12 PM
mbam-log-2013-03-19 (20-19-12).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 280174
Time elapsed: 9 minute(s), 20 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 

Attachments

  • OTL 3 19 13 942 pm.txt
    90.7 KB · Views: 92

Fiery

Level 1
Jan 11, 2011
2,007
Yes, delete all the quarantined files and folders in MBAM and MSE. Almost done; there is some adware we should clean out.

Open OTL. Under custom scan/fixes, copy and paste the following:

:OTL
SRV - [2012/11/21 13:53:08 | 000,042,504 | ---- | M] (COMPANYVERS_NAME) [Auto | Stopped] -- C:\Program Files\CouponXplorer_5z\bar\1.bin\5zbarsvc.exe -- (CouponXplorer_5zService)
FF - HKLM\Software\MozillaPlugins\@CouponXplorer_5z.com/Plugin: C:\Program Files\CouponXplorer_5z\bar\1.bin\NP5zStub.dll (MindSpark)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\5zffxtbr@CouponXplorer_5z.com: C:\Program Files\CouponXplorer_5z\bar\1.bin [2012/11/21 13:53:13 | 000,000,000 | ---D | M]
O4 - HKLM..\Run: [CouponXplorer Search Scope Monitor] C:\Program Files\CouponXplorer_5z\bar\1.bin\5zSrchMn.exe (MindSpark)
[2012/10/13 15:01:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\A & T\Application Data\searchresultstb
[2012/04/16 12:41:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Babylon
[2012/04/16 12:41:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dawn\Application Data\Babylon

:Files
C:\Program Files\CouponXplorer_5z

Then click Run Fix. Let your PC reboot to normal mode if prompted. A new log will be created automatically, post the content in the next reply.

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool (for Vista or Windows 7, right-click and select Run as Administrator to start)
  • Click delete
  • Please post the content of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt

Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A notepad document should open automatically called checkup.txt.
  • Please post the contents of that document in your next reply. Please do not attach it!
 

winddancer

New Member
Thread author
Mar 18, 2013
13
Hello,
I did the OTL fix, the log is below. I have been trying to get AdwCleaner by Xplode with the link you provided but am having some trouble. I click on the link for the download and it doesn't do anything. I then registered for a free account with them thinking that could be the issue but that didn't help either. What am I doing wrong? Nothing comes up saying it's downloading or asks where I want it to download to, not sure what the issue is. So that is where I am stuck at in your previous instructions.

Here is the OTL fix log:
========== OTL ==========
Service CouponXplorer_5zService stopped successfully!
Service CouponXplorer_5zService deleted successfully!
C:\Program Files\CouponXplorer_5z\bar\1.bin\5zbarsvc.exe moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@CouponXplorer_5z.com/Plugin\ deleted successfully.
C:\Program Files\CouponXplorer_5z\bar\1.bin\NP5zStub.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\5zffxtbr@CouponXplorer_5z.com not found.
C:\Program Files\CouponXplorer_5z\bar\1.bin\chrome folder moved successfully.
C:\Program Files\CouponXplorer_5z\bar\1.bin folder moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\CouponXplorer Search Scope Monitor deleted successfully.
File C:\Program Files\CouponXplorer_5z\bar\1.bin\5zSrchMn.exe not found.
C:\Documents and Settings\A & T\Application Data\searchresultstb\widgets_cache folder moved successfully.
C:\Documents and Settings\A & T\Application Data\searchresultstb\weather folder moved successfully.
C:\Documents and Settings\A & T\Application Data\searchresultstb\shopping folder moved successfully.
C:\Documents and Settings\A & T\Application Data\searchresultstb\games folder moved successfully.
C:\Documents and Settings\A & T\Application Data\searchresultstb\chrome\widgets\net.vmn.www.RadioBeta folder moved successfully.
C:\Documents and Settings\A & T\Application Data\searchresultstb\chrome\widgets folder moved successfully.
C:\Documents and Settings\A & T\Application Data\searchresultstb\chrome\content\widgets\net.vmn.www.Shopzilla folder moved successfully.
C:\Documents and Settings\A & T\Application Data\searchresultstb\chrome\content\widgets folder moved successfully.
C:\Documents and Settings\A & T\Application Data\searchresultstb\chrome\content folder moved successfully.
C:\Documents and Settings\A & T\Application Data\searchresultstb\chrome folder moved successfully.
C:\Documents and Settings\A & T\Application Data\searchresultstb folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Babylon folder moved successfully.
C:\Documents and Settings\Dawn\Application Data\Babylon folder moved successfully.
========== FILES ==========
C:\Program Files\CouponXplorer_5z\bar\Settings folder moved successfully.
C:\Program Files\CouponXplorer_5z\bar\Message folder moved successfully.
C:\Program Files\CouponXplorer_5z\bar\IE9Mesg folder moved successfully.
C:\Program Files\CouponXplorer_5z\bar\gen1 folder moved successfully.
C:\Program Files\CouponXplorer_5z\bar folder moved successfully.
C:\Program Files\CouponXplorer_5z folder moved successfully.

OTL by OldTimer - Version 3.2.69.0 log created on 03192013_234758
 

winddancer

New Member
Thread author
Mar 18, 2013
13
Fiery,
I don't know what my problem is but I am still not able to download AdwCleaner from BleepingComputer! It says if the file does not start loading in a few seconds click here, so I do that and it says the link expired, so I go back to the downloads page and go through the security section and find it and click on it and same thing. No box comes up asking to save the file or where to save it, nothing. ??? I have tried your older link again and your newer one as well. Thanks. :)
 

Fiery

Level 1
Jan 11, 2011
2,007
See if this works

http://download.bleepingcomputer.com/dl/666275a3aba5a40a2898d9ba102ab64f/5150fa71/windows/security/security-utilities/a/adwcleaner/AdwCleaner.exe

If that doesn't work let's use another tool.

Please download Junkware Removal Tool to your desktop from here
  • Turn off your antivirus software now to avoid potential conflicts
  • Double-click to run the tool. For Windows Vista or 7 users, right-click the file and select Run as Administrator
  • The tool will open and start scanning your system
  • Please be patient as this can take a while to complete depending on your system's specifications
  • On completion, a log (JRT.txt) will be saved to your desktop and will automatically open
  • Post the contents of JRT.txt into your next reply
 

winddancer

New Member
Thread author
Mar 18, 2013
13
Hello,

I ended up using JRT. Log is pasted below. Do you want me to still run SecurityCheck.exe from your instructions above? Or is there something else?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.7.3 (03.23.2013:1)
OS: Microsoft Windows XP x86
Ran by Dawn on Mon 03/25/2013 at 23:02:41.03
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] hkey_current_user\software\microsoft\internet explorer\searchscopes\\DefaultScope
Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\\DefaultScope
Successfully repaired: [Registry Value] hkey_users\.default\software\microsoft\internet explorer\searchscopes\\DefaultScope
Successfully repaired: [Registry Value] hkey_users\s-1-5-18\software\microsoft\internet explorer\searchscopes\\DefaultScope
Successfully repaired: [Registry Value] hkey_users\s-1-5-19\software\microsoft\internet explorer\searchscopes\\DefaultScope
Successfully repaired: [Registry Value] hkey_users\s-1-5-20\software\microsoft\internet explorer\searchscopes\\DefaultScope
Successfully repaired: [Registry Value] hkey_users\S-1-5-21-3615664846-1967934640-507609581-1005\software\microsoft\internet explorer\searchscopes\\DefaultScope
Successfully repaired: [Registry Value] hkey_current_user\software\microsoft\internet explorer\searchscopes\{0633ee93-d776-472f-a0ff-e1416b8b2e3a}\\DisplayName
Successfully repaired: [Registry Value] hkey_current_user\software\microsoft\internet explorer\searchscopes\{0633ee93-d776-472f-a0ff-e1416b8b2e3a}\\URL
Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{0633ee93-d776-472f-a0ff-e1416b8b2e3a}\\DisplayName
Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{0633ee93-d776-472f-a0ff-e1416b8b2e3a}\\URL



~~~ Registry Keys

Successfully deleted: [Registry Key] hkey_local_machine\software\babylon
Successfully deleted: [Registry Key] hkey_current_user\software\blabbers
Successfully deleted: [Registry Key] hkey_current_user\software\browsercompanion
Successfully deleted: [Registry Key] hkey_current_user\software\cr_installer
Successfully deleted: [Registry Key] hkey_current_user\software\crossrider
Successfully deleted: [Registry Key] hkey_current_user\software\datamngr
Successfully deleted: [Registry Key] hkey_current_user\software\zugo
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\appid\dnu.exe
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\bbylntlbr.bbylntlbrhlpr
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\bbylntlbr.bbylntlbrhlpr.1
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\dnupdate
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\dnupdater.downloaduibrowser
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\dnupdater.downloaduibrowser.1
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\dnupdater.downloadupdcontroller
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\dnupdater.downloadupdcontroller.1
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\prod.cap
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{02478d38-c3f9-4efb-9b51-7695eca05670}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{28387537-e3f9-4ed7-860c-11e69af4a8a0}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{2eecd738-5844-4a99-b4b6-146bf802613b}
Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{3bd44f0e-0596-4008-aee0-45d47e3a8f0e}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{65c72339-fb1d-4155-84e1-9afacee02d6f}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{e46c8196-b634-44a1-af6e-957c64278ab1}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{b9c7ce32-da91-43c2-b7e9-0e9aafc675cd}
Successfully deleted: [Registry Key] "hkey_current_user\software\apn pip"
Successfully deleted: [Registry Key] "hkey_current_user\software\pip"
Successfully deleted: [Registry Key] "hkey_local_machine\software\pip"



~~~ Files

Successfully deleted: [File] "C:\Program Files\mozilla firefox\plugins\npdnu.dll"
Successfully deleted: [File] "C:\Program Files\mozilla firefox\plugins\npdnu.xpt"
Successfully deleted: [File] "C:\Program Files\mozilla firefox\plugins\npcouponprinter.dll"
Successfully deleted: [File] "C:\Program Files\mozilla firefox\plugins\npmozcouponprinter.dll"



~~~ Folders

Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\boost_interprocess"
Successfully deleted: [Folder] "C:\Documents and Settings\Dawn\appdata\locallow\datamngr"
Successfully deleted: [Folder] "C:\Documents and Settings\Dawn\Local Settings\Application Data\babylon"
Successfully deleted: [Folder] "C:\Program Files\couponalert_2pei"
Successfully deleted: [Folder] "C:\Program Files\coupons"
Successfully deleted: [Folder] "C:\Program Files\imesh applications"
Successfully deleted: [Folder] "C:\Program Files\optimizer pro"
Successfully deleted: [Folder] "C:\Program Files\Common Files\software update utility"



~~~ FireFox

Successfully deleted: [File] C:\Documents and Settings\Dawn\Application Data\mozilla\firefox\profiles\kf5h65yy.default\user.js
Successfully deleted the following from C:\Documents and Settings\Dawn\Application Data\mozilla\firefox\profiles\kf5h65yy.default\prefs.js

user_pref("aol_toolbar.surf.date", "206");
user_pref("aol_toolbar.surf.lastDate", "25");
user_pref("aol_toolbar.surf.lastMonth", "2");
user_pref("aol_toolbar.surf.lastYear", "2013");
user_pref("aol_toolbar.surf.month", "2153");
user_pref("aol_toolbar.surf.prevMonth", "1123");
user_pref("aol_toolbar.surf.total", "193394");
user_pref("aol_toolbar.surf.week", "206");
user_pref("aol_toolbar.surf.year", "6689");
user_pref("aolmail_toolbar.default.search.url", "hxxp://search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aolmail-chromesbox-en-us&tb_uuid=20110505020801
user_pref("aolmail_toolbar.search.searchtype", "web");
user_pref("browser.search.defaultengine", "Ask.com");
user_pref("browser.search.defaulturl", "hxxp://search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aolmail-chromesbox-en-us&tb_uuid=20110505020801282&tb_oi
user_pref("extensions.BabylonToolbar.admin", false);
user_pref("extensions.BabylonToolbar.aflt", "babsst");
user_pref("extensions.BabylonToolbar.babExt", "");
user_pref("extensions.BabylonToolbar.babTrack", "affID=112049&tt=050412_30b");
user_pref("extensions.BabylonToolbar.bbDpng", 14);
user_pref("extensions.BabylonToolbar.dfltLng", "en");
user_pref("extensions.BabylonToolbar.dfltSrch", true);
user_pref("extensions.BabylonToolbar.hmpg", true);
user_pref("extensions.BabylonToolbar.id", "3c8f104d0000000000000014a5a5128b");
user_pref("extensions.BabylonToolbar.instlDay", "15446");
user_pref("extensions.BabylonToolbar.instlRef", "sst");
user_pref("extensions.BabylonToolbar.keyWordUrl", "hxxp://search.babylon.com/?affID=112049&tt=050412_30b&babsrc=KW_ss&mntrId=3c8f104d0000000000000014a5a5128b&q=");
user_pref("extensions.BabylonToolbar.lastDP", 14);
user_pref("extensions.BabylonToolbar.lastVrsnTs", "1.5.3.1712:41:46");
user_pref("extensions.BabylonToolbar.mntrFFxVrsn", "3.0");
user_pref("extensions.BabylonToolbar.newTab", false);
user_pref("extensions.BabylonToolbar.newTabUrl", "hxxp://search.babylon.com/?babsrc=NT_bb");
user_pref("extensions.BabylonToolbar.noFFXTlbr", false);
user_pref("extensions.BabylonToolbar.prdct", "BabylonToolbar");
user_pref("extensions.BabylonToolbar.propectorlck", 99444603);
user_pref("extensions.BabylonToolbar.prtkDS", 0);
user_pref("extensions.BabylonToolbar.prtkHmpg", 0);
user_pref("extensions.BabylonToolbar.prtnrId", "babylon");
user_pref("extensions.BabylonToolbar.ptch_0717", true);
user_pref("extensions.BabylonToolbar.smplGrp", "azb");
user_pref("extensions.BabylonToolbar.srcExt", "ss");
user_pref("extensions.BabylonToolbar.tlbrId", "base");
user_pref("extensions.BabylonToolbar.vrsn", "1.5.3.17");
user_pref("extensions.BabylonToolbar.vrsnTs", "1.5.3.1712:41:46");
user_pref("extensions.BabylonToolbar.vrsni", "1.5.3.17");
user_pref("extensions.BabylonToolbar_i.aflt", "babsst");
user_pref("extensions.BabylonToolbar_i.babExt", "");
user_pref("extensions.BabylonToolbar_i.babTrack", "affID=112049&tt=050412_30b");
user_pref("extensions.BabylonToolbar_i.hardId", "3c8f104d0000000000000014a5a5128b");
user_pref("extensions.BabylonToolbar_i.id", "3c8f104d0000000000000014a5a5128b");
user_pref("extensions.BabylonToolbar_i.instlDay", "15446");
user_pref("extensions.BabylonToolbar_i.instlRef", "sst");
user_pref("extensions.BabylonToolbar_i.newTab", false);
user_pref("extensions.BabylonToolbar_i.prdct", "BabylonToolbar");
user_pref("extensions.BabylonToolbar_i.prtnrId", "babylon");
user_pref("extensions.BabylonToolbar_i.smplGrp", "none");
user_pref("extensions.BabylonToolbar_i.srcExt", "ss");
user_pref("extensions.BabylonToolbar_i.tlbrId", "base");
user_pref("extensions.BabylonToolbar_i.vrsn", "1.5.3.17");
user_pref("extensions.BabylonToolbar_i.vrsnTs", "1.5.3.1712:41:46");
user_pref("extensions.BabylonToolbar_i.vrsni", "1.5.3.17");
user_pref("extensions.crossrider.bic", "13a0e32d252c8f19462cec7eb84e7020");
user_pref("extensions.spamfreesearch.dspNew", "blekko");
user_pref("extensions.spamfreesearch.hmpgUrl", "hxxp://blekko.com/ws/?source=d5c421e4&tbp=homepage&u=3c8f104d0000000000000014a5a5128b");
user_pref("extensions.spamfreesearch.hpNew", "hxxp://blekko.com/ws/?source=d5c421e4&tbp=homepage&u=3c8f104d0000000000000014a5a5128b");
user_pref("extensions.spamfreesearch.keyWordUrl", "hxxp://blekko.com/ws/?source=d5c421e4&tbp=rbox&u=3c8f104d0000000000000014a5a5128b&q=");
user_pref("extensions.spamfreesearch.keywordurl", "hxxp://blekko.com/ws/?source=d5c421e4&tbp=rbox&u=3c8f104d0000000000000014a5a5128b&q=");
user_pref("extensions.spamfreesearch.prtnrId", "blekko");
user_pref("extensions.spamfreesearch.prtnrid", "blekko");
user_pref("extensions.spamfreesearch.srchPrvdr", "blekko");
user_pref("extensions.spamfreesearch.srchprvdr", "blekko");
user_pref("extensions.spamfreesearch.tlbrSrchUrl", "hxxp://blekko.com/ws/?source=d5c421e4&tbp=main&u=3c8f104d0000000000000014a5a5128b&q=");
user_pref("extensions.spamfreesearch.tlbrsrchurl", "hxxp://blekko.com/ws/?source=d5c421e4&tbp=main&u=3c8f104d0000000000000014a5a5128b&q=");
user_pref("extensions.toolbar.mindspark._5mMembers_.homepage", "hxxp://home.mywebsearch.com/index.jhtml?ptb=48294B0B-4335-4B1E-B7E9-0C6CA0CA243D&n=77edc20b&ptnrS=ZUxdm080YYus&
user_pref("extensions.toolbar.mindspark._5mMembers_.hp.user.defined", true);
user_pref("extensions.toolbar.mindspark._5mMembers_.initialized", true);
user_pref("extensions.toolbar.mindspark._5mMembers_.installation.installDate", "2012070411");
user_pref("extensions.toolbar.mindspark._5mMembers_.installation.partnerId", "ZUxdm080YYus");
user_pref("extensions.toolbar.mindspark._5mMembers_.installation.partnerSubId", "COKTu76sgLECFQoHnQod9xqd8g");
user_pref("extensions.toolbar.mindspark._5mMembers_.installation.success", true);
user_pref("extensions.toolbar.mindspark._5mMembers_.installation.toolbarId", "48294B0B-4335-4B1E-B7E9-0C6CA0CA243D");
user_pref("extensions.toolbar.mindspark._5mMembers_.lastActivePing", "1344011740841");
user_pref("extensions.toolbar.mindspark._5mMembers_.weather.location", "20170");
user_pref("extensions.toolbar.mindspark.lastInstalled", "myfuncards@mindspark.com");
user_pref("gamescom_toolbar.search.searchtype", "web");
user_pref("keyword.URL", "hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=843&invocationType=tb50-ff-aolmail-ab-en-us&tb_uuid=20110505020801282&tb_oid=12-10-2009&
Emptied folder: C:\Documents and Settings\Dawn\Application Data\mozilla\firefox\profiles\kf5h65yy.default\minidumps [8 files]





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 03/25/2013 at 23:14:15.56
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

Fiery

Level 1
Jan 11, 2011
2,007
Ok, that's fine then. I will provide further instructions after you finish this scan :)

Run Eset NOD32 Online AntiVirus here

Note: You will need to use Internet Explorer for this scan.
Vista / 7 users: You will need to right-click on the Internet Explorer icon and select Run as Administrator
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Disable your current antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Make sure that the option "Remove found threats" is Un-checked, and the following Advanced Settings are Checked
    • Scan unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log in your next reply to this topic.
  • The log can also be found in the logfile located at C:\Program Files\ESET\Eset Online Scanner\log.txt
 

winddancer

New Member
Thread author
Mar 18, 2013
13
Hello, :)
Finished your instructions. Eset found 9 threats still. I have copied and pasted the log below. Do I uninstall Eset on close?
Thank You

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=8
# iexplore.exe=7.00.6000.17123 (vista_gdr.130201-1235)
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=77cded0eda9e1b4c8355e7e173055f39
# engine=13491
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2013-03-27 01:22:21
# local_time=2013-03-26 09:22:21 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5892 16777213 88 94 2427634 20099300 0 0
# scanned=78775
# found=9
# cleaned=0
# scan_time=6160
sh=C8DED0AFA32298CDB08647AF889073CF6C9AD31D ft=1 fh=c71c001171d0e4db vn="Win32/Adware.SystemSecurity.AL application" ac=I fn="C:\_OTL\MovedFiles\03192013_142950\C_Documents and Settings\All Users\Application Data\3C946E6B620E104D00003C9431DC1532\3C946E6B620E104D00003C9431DC1532.exe"
sh=46764F16A4E15AA24C5126D40B0322623A96084F ft=1 fh=d0e799f6db30dc88 vn="a variant of Win32/Medfos.MA trojan" ac=I fn="C:\_OTL\MovedFiles\03192013_142950\C_Documents and Settings\Dawn\Application Data\dpneip.dll"
sh=C1FAF6EB414926502DFCD698D4240BDDBEC92F01 ft=1 fh=ac8b8dfa2e430784 vn="a variant of Win32/Medfos.MA trojan" ac=I fn="C:\_OTL\MovedFiles\03192013_142950\C_Documents and Settings\Dawn\Application Data\qeshel.dll"
sh=16071E3ECF0D35E80159D61AA71DA7AC850111E3 ft=1 fh=31f9f0b9aec21c1a vn="a variant of Win32/Medfos.MD trojan" ac=I fn="C:\_OTL\MovedFiles\03192013_142950\C_Documents and Settings\Dawn\Application Data\wuvtcp.dll"
sh=BAEFCB03679575349E01668C4F0938643BAAA022 ft=1 fh=45ba6b521529362d vn="a variant of Win32/Toolbar.MyWebSearch.A application" ac=I fn="C:\_OTL\MovedFiles\03192013_234758\C_Program Files\CouponXplorer_5z\bar\1.bin\5zdatact.dll"
sh=53F3044159FFCF82C746898941DBE3DC2AC9A24C ft=1 fh=09fa8c8598e549f8 vn="probably a variant of Win32/Toolbar.MyWebSearch.B application" ac=I fn="C:\_OTL\MovedFiles\03192013_234758\C_Program Files\CouponXplorer_5z\bar\1.bin\5zhtmlmu.dll"
sh=A62045168FE92EC16E7764ECD96F592D2D63BB7C ft=1 fh=681e62fc23c41c6e vn="probably a variant of Win32/Toolbar.MyWebSearch application" ac=I fn="C:\_OTL\MovedFiles\03192013_234758\C_Program Files\CouponXplorer_5z\bar\1.bin\5zPlugin.dll"
sh=857980A7B7AB77FF8E34A090CCD76B8BA628E7E4 ft=1 fh=6c9ac10ea3ee1cdd vn="a variant of Win32/Toolbar.MyWebSearch.P application" ac=I fn="C:\_OTL\MovedFiles\03192013_234758\C_Program Files\CouponXplorer_5z\bar\1.bin\5zskin.dll"
sh=A8B583E2BFA2B7E04C3719FF000CCF7151AEEA7F ft=1 fh=c7c54f98ed54b65c vn="probably a variant of Win32/Toolbar.MyWebSearch.F application" ac=I fn="C:\_OTL\MovedFiles\03192013_234758\C_Program Files\CouponXplorer_5z\bar\1.bin\T8HTML.DLL"
 
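The ESET Online Scanner log pasted above has a simple shape: `# key=value` header lines (including the `found=` and `cleaned=` totals), then one `sh=… ft=… fh=… vn="…" ac=… fn="…"` record per detection. As an added example (not part of this thread and not ESET's own tooling), the Python below parses such a log into records, checks that the header's `found=` count matches the rows actually present, groups detections by threat family, and flags any detection whose path is not under `C:\_OTL\MovedFiles`. That folder is assumed here to be OTL's quarantine location, so a hit there is a moved copy rather than a file still at its original path; the sample log is constructed, with the first two rows copied from the log above and the third made up (placeholder hash, non-quarantine path) to show the case a helper would want to see flagged.

```python
"""Parse an ESET Online Scanner text log (the format pasted in the thread)
into structured detection records and sanity-check the summary header.

Added example; not ESET's tooling and not code from the thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample log: the first two detection rows are copied from the log
# in the thread, the third is made up (placeholder hash, non-quarantine path).
SAMPLE_LOG = r"""# version=8
# found=3
# cleaned=0
sh=C8DED0AFA32298CDB08647AF889073CF6C9AD31D ft=1 fh=c71c001171d0e4db vn="Win32/Adware.SystemSecurity.AL application" ac=I fn="C:\_OTL\MovedFiles\03192013_142950\C_Documents and Settings\All Users\Application Data\3C946E6B620E104D00003C9431DC1532\3C946E6B620E104D00003C9431DC1532.exe"
sh=46764F16A4E15AA24C5126D40B0322623A96084F ft=1 fh=d0e799f6db30dc88 vn="a variant of Win32/Medfos.MA trojan" ac=I fn="C:\_OTL\MovedFiles\03192013_142950\C_Documents and Settings\Dawn\Application Data\dpneip.dll"
sh=0000000000000000000000000000000000000000 ft=1 fh=0000000000000000 vn="a variant of Win32/Example.Test trojan" ac=I fn="C:\Documents and Settings\Dawn\Application Data\still_live.dll"
"""

# key=value tokens; quoted values may contain spaces, unquoted ones may not
TOKEN_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumption: OTL moves the files it quarantines under this folder, so a
# detection there is a leftover copy, not a file still at its original location.
QUARANTINE_MARKERS = (r"\_OTL\MovedFiles",)


@dataclass
class Detection:
    sha1: str          # the 40-hex "sh=" digest, normalised to lower case
    threat: str        # ESET's "vn=" detection name
    path: str          # "fn=" path as scanned
    action: str        # "ac=" action code exactly as logged
    quarantined: bool  # True when the path sits under a quarantine marker


def parse_eset_log(text: str) -> Tuple[Dict[str, str], List[Detection]]:
    """Return (header fields, detections) for one ESET Online Scanner log."""
    header: Dict[str, str] = {}
    detections: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            header[key.strip()] = value.strip()
            continue
        fields = {k: quoted or bare for k, quoted, bare in TOKEN_RE.findall(line)}
        if "sh" not in fields or "fn" not in fields:
            continue  # skips preamble lines such as "OnlineScanner.ocx - registred OK"
        path = fields["fn"]
        detections.append(Detection(
            sha1=fields["sh"].lower(),
            threat=fields.get("vn", ""),
            path=path,
            action=fields.get("ac", ""),
            quarantined=any(m.lower() in path.lower() for m in QUARANTINE_MARKERS),
        ))
    return header, detections


def family_of(name: str) -> str:
    """Collapse 'a variant of Win32/Medfos.MA trojan' to 'Win32/Medfos'."""
    m = re.search(r"[A-Za-z0-9]+/[A-Za-z0-9.]+", name)
    if not m:
        return name
    token = m.group(0).rstrip(".")
    return re.sub(r"\.[A-Z]{1,2}$", "", token)  # drop the 1-2 letter variant suffix


def summarize(text: str) -> dict:
    """Cross-check the header totals against the parsed rows and group by family."""
    header, dets = parse_eset_log(text)
    claimed = int(header.get("found", "0"))
    families: Dict[str, int] = {}
    for d in dets:
        fam = family_of(d.threat)
        families[fam] = families.get(fam, 0) + 1
    return {
        "claimed_found": claimed,
        "parsed_found": len(dets),
        "count_consistent": claimed == len(dets),
        "cleaned": int(header.get("cleaned", "0")),
        "families": families,
        "live": [d.path for d in dets if not d.quarantined],
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"found={report['claimed_found']} parsed={report['parsed_found']} "
          f"cleaned={report['cleaned']}")
    for fam, n in sorted(report["families"].items()):
        print(f"  {n} x {fam}")
    for p in report["live"]:
        print(f"  still outside quarantine: {p}")
```

Run over the thread's real log, every one of the nine rows has an `fn=` path under `C:\_OTL\MovedFiles`, so the `live` list would be empty; a helper reading the output can then tell "nine detections" apart from "nine active files", which is the distinction that matters before deciding whether another cleanup pass is needed.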
