Solved Major Adware Malware Spyware attack ails my XP laptop

February 2, 2013 at 09:59:26
Specs: WindowsXP, 2.4 gig/1gig
This time it's my Compaq R4000 Wi Fi laptop that's ailing.
Clicked on a flash ad on Facebook that said I didn't have the plug-in to play the video.
Turns out that it was bogus and all the nasties came flooding in.
FB has a so-called removal but it doesn't work, or I wouldn't be here.
Did a reinstall of Mozilla, no change, ran Malwarebytes, no help, AVG, and SUPERAntiSpyware.
Went to use the Emsisoft Emergency Kit, and I can't get safe mode with networking, and have to get to safe mode by Start, Run, msconfig.
Pounding on F8 doesn't work.
I open I.E. and enter the Emsisoft Emergency Kit from bleepingcomputer in the browser and it doesn't come up.
Laptop runs fine until logged into FB then everything slows wayyyy down.
Today I get a small pop-up on YouTube, FB, and Google saying, (NaN) Security Alerts Found. View Now - Close and it follows you as you scroll down the page. HELP!


✔ Best Answer
February 15, 2013 at 14:00:39
MrGoodguy, Johnw, Derek, thank you for all you've done for me.
I've had to go ahead with a total reinstall of Win XP.
Probably should have made that decision 2 days in.


#1
February 2, 2013 at 10:22:59
Hi soeastbiker,

Download AdwCleaner from this link:
http://www.bleepingcomputer.com/dow...
AdwCleaner Usage Instructions:
Using AdwCleaner is very simple. Simply download the program and run it. You will then be presented with a screen that contains a Search and Delete button. The Search button will cause AdwCleaner to search your computer for unwanted programs and then display a log showing the various files, folders, and registry entries used by these programs.
To delete these unwanted programs simply click on the Delete button, which will cause AdwCleaner to reboot your computer and remove the files and registry entries associated with the various adware that you are removing. On reboot, AdwCleaner will display a log showing the files, folders, and registry entries that were removed.
Please include the log in your next reply.

Please download and run RogueKiller from this link:
http://majorgeeks.com/RogueKiller_d...
Instructions:
• Please quit all programs
• Right-click the RogueKiller file and select "Run"
• Press: SCAN
• On the RogueKiller console, click the Registry tab.
• Make sure the entries there are checked.
• Then, press the [Delete] button.
An RKreport Log (Mode: Delete) is created on the Desktop.
Please provide the RKreport Log in your reply.

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#2
February 2, 2013 at 16:11:56
# AdwCleaner v2.109 - Logfile created 02/02/2013 at 19:03:11
# Updated 26/01/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Compaq - COMPAQ-A9C29542
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Compaq\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\DOCUME~1\Compaq\LOCALS~1\Temp\Uninstall.exe
File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml
Folder Deleted : C:\DOCUME~1\Compaq\LOCALS~1\Temp\avg@toolbar
Folder Deleted : C:\Documents and Settings\All Users\Application Data\APN
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Viewpoint
Folder Deleted : C:\Program Files\OApps
Folder Deleted : C:\Program Files\Viewpoint

***** [Registry] *****

Key Deleted : HKCU\Software\Cr_Installer
Key Deleted : HKCU\Software\Crossrider
Key Deleted : HKCU\Software\InstalledBrowserExtensions
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0021804.BHO
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0021804.BHO.1
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0021804.Sandbox
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0021804.Sandbox.1
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9DBB28C1-1925-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\Software\MetaStream
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Deleted : HKLM\Software\Viewpoint

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v18.0.1 (en-US)

File : C:\Documents and Settings\Compaq\Application Data\Mozilla\Firefox\Profiles\hip24c2d.default\prefs.js

C:\Documents and Settings\Compaq\Application Data\Mozilla\Firefox\Profiles\hip24c2d.default\user.js ... Deleted !


File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\w478eqv1.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [17628 octets] - [02/02/2013 19:01:31]
AdwCleaner[S1].txt - [17878 octets] - [02/02/2013 19:03:11]

########## EOF - C:\AdwCleaner[S1].txt - [17939 octets] ##########



#3
February 2, 2013 at 16:18:30
RogueKiller V8.4.4 [Feb 1 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/file...
Website : http://tigzy.geekstogo.com/roguekil...
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Compaq [Admin rights]
Mode : Remove -- Date : 02/02/2013 19:17:20
| ARK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Updater21804.exe (C:\Documents and Settings\Compaq\Local Settings\Application Data\Updater21804\Updater21804.exe /extensionid=21804 /extensionname='Coupon Companion Plugin' /chromeid=jneaojaoiajhnemidnjhoempalnidbhj /stayidle /delay=300) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK1032GAX +++++
--- User ---
[MBR] b2d96f795aa5a0da5c66429d042af5a8
[BSP] b27197f8b11beb6c9e03a3b59b072627 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 95385 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_02022013_02d1917.txt >>
RKreport[1]_S_02022013_02d1916.txt ; RKreport[2]_D_02022013_02d1917.txt



#4
February 2, 2013 at 16:22:09
Thanks for the logs, will have a quick read :)


#5
February 2, 2013 at 16:26:32
Looking at the AdwCleaner log, you have a few toolbars; we will use Junkware Removal Tool (JRT) from this link: http://www.bleepingcomputer.com/dow...
Download, disable Antivirus realtime protection, run. It can take a while to run.


#6
February 2, 2013 at 16:27:07
I'm not logging out.
Need to let you know that I can no longer open the control panel.
I have a "My Pictures" slideshow/screensaver running that I can't shut off.

#7
February 2, 2013 at 16:29:06
OK, fixing to run JRT.


#8
February 2, 2013 at 16:36:15
So you haven't restarted your pc to allow AdwCleaner to remove what it found?


#9
February 2, 2013 at 16:38:37
I may have, may not have.
Been restarting so much that I'm not keeping count.

JRT Log:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.6.1 (02.02.2013:1)
OS: Microsoft Windows XP x86
Ran by Compaq on Sat 02/02/2013 at 19:30:16.20
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~ Services

~~~ Registry Values

Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{0633ee93-d776-472f-a0ff-e1416b8b2e3a}\\DisplayName
Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{0633ee93-d776-472f-a0ff-e1416b8b2e3a}\\URL

~~~ Registry Keys

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{11111111-1111-1111-1111-110211181104}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{11111111-1111-1111-1111-110211181104}

~~~ Files

~~~ Folders

Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\ytd video downloader"
Successfully deleted: [Folder] "C:\Documents and Settings\Compaq\Local Settings\Application Data\coupon companion plugin"
Successfully deleted: [Folder] "C:\Documents and Settings\Compaq\Local Settings\Application Data\updater21804"
Successfully deleted: [Folder] "C:\Program Files\coupon companion plugin"
Successfully deleted: [Folder] "C:\Documents and Settings\All Users\start menu\programs\ytd video downloader"

~~~ FireFox

Successfully deleted: [Folder] C:\Documents and Settings\Compaq\Application Data\mozilla\firefox\profiles\hip24c2d.default\extensions\extension21804@extension21804.com
Successfully deleted: [Folder] C:\Documents and Settings\Compaq\Application Data\mozilla\firefox\profiles\hip24c2d.default\extensions\plugin@selectionlinks.com
Successfully deleted the following from C:\Documents and Settings\Compaq\Application Data\mozilla\firefox\profiles\hip24c2d.default\prefs.js

user_pref("extensions.crossriderapp21804.21804.plugins.plugin_16.name", "FFAppAPIWrapper");
user_pref("extensions.crossriderapp21804.21804.plugins.plugin_16.ver", 4);
user_pref("extensions.crossriderapp21804.21804.plugins.plugin_17.code", "if(typeof window!==\"undefined\"){\n/*!\n * jQuery JavaScript Library v1.4.2\n * hxxp://jquery.com/\n
user_pref("extensions.crossriderapp21804.21804.plugins.plugin_17.name", "jQuery");
user_pref("extensions.crossriderapp21804.21804.plugins.plugin_17.ver", 3);
user_pref("extensions.crossriderapp21804.21804.plugins.plugin_21.code", "var CrossriderDebugManager=(function(h){var f={appId:appAPI._cr_config.appID(),url:appAPI._cr_config.d
user_pref("extensions.crossriderapp21804.21804.plugins.plugin_21.name", "debug");
user_pref("extensions.crossriderapp21804.21804.plugins.plugin_21.ver", 3);
user_pref("extensions.crossriderapp21804.21804.plugins.plugin_22.code", "(function(a){appAPI.queueManager={queue:[],register:function(b){this.queue.push(b);}};appAPI.ready=fun
user_pref("extensions.crossriderapp21804.21804.plugins.plugin_22.name", "resources");
user_pref("extensions.crossriderapp21804.21804.plugins.plugin_22.ver", 2);
user_pref("extensions.crossriderapp21804.21804.plugins.plugin_28.code", "var CrossriderInitializerPlugin=(function(e){var c={appId:appAPI._cr_config.appID()},b,g=new e.Deferre
user_pref("extensions.crossriderapp21804.21804.plugins.plugin_28.name", "initializer");
user_pref("extensions.crossriderapp21804.21804.plugins.plugin_28.ver", 2);
user_pref("extensions.crossriderapp21804.21804.plugins.plugin_4.code", "var jQuery = $jquery_171 = $jquery = null;\n\nif (document && typeof document.getElementById !== \"unde
user_pref("extensions.crossriderapp21804.21804.plugins.plugin_4.name", "jquery_1_7_1");
user_pref("extensions.crossriderapp21804.21804.plugins.plugin_4.ver", 3);
user_pref("extensions.crossriderapp21804.21804.plugins.plugin_47.code", "(function(){appAPI.ready=function(a){appAPI.resources.isReady(a);};}());var CrossRiderResourcesManager
user_pref("extensions.crossriderapp21804.21804.plugins.plugin_47.name", "resources_background");
user_pref("extensions.crossriderapp21804.21804.plugins.plugin_47.ver", 1);
user_pref("extensions.crossriderapp21804.21804.plugins.plugin_64.code", "(function(){var h=\"__CR_EMPTY_CHANNEL__\";var d=function(j){return(typeof j===\"object\"&&j!==null);}
user_pref("extensions.crossriderapp21804.21804.plugins.plugin_64.name", "appApiMessage");
user_pref("extensions.crossriderapp21804.21804.plugins.plugin_64.ver", 1);
user_pref("extensions.crossriderapp21804.21804.plugins.plugin_72.code", "if(appAPI.__should_activate_validation__===true){(function(){var k={};var f=appAPI.appInfo.name;var l=
user_pref("extensions.crossriderapp21804.21804.plugins.plugin_72.name", "appApiValidation");
user_pref("extensions.crossriderapp21804.21804.plugins.plugin_72.ver", 1);
user_pref("extensions.crossriderapp21804.21804.plugins.plugin_78.code", "if(typeof jQuery!==\"undefined\"&&(jQuery)&&typeof navigator!==\"undefined\"&&typeof navigator.userAge
user_pref("extensions.crossriderapp21804.21804.plugins.plugin_78.name", "CrossriderInfo");
user_pref("extensions.crossriderapp21804.21804.plugins.plugin_78.ver", 2);
user_pref("extensions.crossriderapp21804.21804.plugins_lists.plugins_0", "4,14,78,16,64,47,72,1000015");
user_pref("extensions.crossriderapp21804.21804.plugins_lists.plugins_1", "17,14,78,13,16,64,4,1,21,22,72,1000014,28");
user_pref("extensions.crossriderapp21804.21804.plugins_lists.plugins_5", "4,14,78,13,16,64,47,72");
user_pref("extensions.crossriderapp21804.21804.pluginsurl", "hxxp://app-static.crossrider.com/plugin/apps/21804/plugins/087/ff/plugins.json");
user_pref("extensions.crossriderapp21804.21804.pluginsversion", 31);
user_pref("extensions.crossriderapp21804.21804.publisher", "215 Apps");
user_pref("extensions.crossriderapp21804.21804.searchstatus", 0);
user_pref("extensions.crossriderapp21804.21804.setnewtab", false);
user_pref("extensions.crossriderapp21804.21804.settingsurl", "");
user_pref("extensions.crossriderapp21804.21804.thankyou", "");
user_pref("extensions.crossriderapp21804.21804.updateinterval", 360);
user_pref("extensions.crossriderapp21804.21804.ver", 34);
user_pref("extensions.crossriderapp21804.apps", "21804");
user_pref("extensions.crossriderapp21804.bic", "13c30641836517c3bc443b801bc0cc58");
user_pref("extensions.crossriderapp21804.cid", 21804);
user_pref("extensions.crossriderapp21804.firstrun", false);
user_pref("extensions.crossriderapp21804.hadappinstalled", true);
user_pref("extensions.crossriderapp21804.installationdate", 1359850029);
user_pref("extensions.crossriderapp21804.lastcheck", 22664167);
user_pref("extensions.crossriderapp21804.lastcheckitem", 22664189);
user_pref("extensions.crossriderapp21804.modetype", "production");
user_pref("extensions.crossriderapp21804.reportInstall", true);
Emptied folder: C:\Documents and Settings\Compaq\Application Data\mozilla\firefox\profiles\hip24c2d.default\minidumps [3 files]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 02/02/2013 at 19:34:50.76
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#10
February 2, 2013 at 16:40:11
Yes AdwCleaner did reboot, now that I recall when re reading the original instructions.


#11
February 2, 2013 at 16:42:10
Download the ESET Online Scanner; it needs Internet Explorer to run.
http://www.eset.com/online-scanner-...
It can take ages to run.

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#12
February 2, 2013 at 16:48:22
I.E. doesn't load all the way, the page is blank other than the frames.


#13
February 2, 2013 at 16:52:59
ESET Online Scanner esetsmartinstaller_enu.exe D.L.'s but is not visible on the desktop.
I can't search all files and folders now.


#14
February 2, 2013 at 17:07:51
http://www.eset.com/us/online-scanner/
Save to your desktop.


#15
February 2, 2013 at 17:18:35
Funny thing was I have all my PCs set to save to desktop, or I had this one set, but something changed it to Downloads.
I have those settings fixed, fixing to run ESET now.


#16
February 2, 2013 at 17:26:24
If you have any problems running the online scan, do a search on your comp for ( esetsmartinstaller_enu ), put it on a thumb drive & run it from there.
If you cannot find it, download ESET from a good computer & put it on a thumb drive.
Create an ESET SysRescue CD or USB drive
http://kb.eset.com/esetkb/index?pag...
How do I use my ESET SysRescue CD or USB flash drive to scan and clean my system?
http://kb.eset.com/esetkb/index?pag...
Configure ESET this way & disable your AV.
http://i.imgur.com/3U7YC.gif
How to Temporarily Disable your Anti-virus
http://www.bleepingcomputer.com/for...


#17
February 2, 2013 at 17:59:42
Ran ESET.
Nothing was found.


#18
February 2, 2013 at 18:01:45
Laptop is still screwed.
No I.E., have to right click on the Mozilla icon to get it to open.


#19
February 2, 2013 at 18:14:00
Download and run Tweaking's Windows Repair All in One.
http://www.tweaking.com/content/pag...
Run it; on the first window go to Start Repairs at the far right. Then click Start. It will ask to do a restore point; let it do this.
It will then open to the Repair choice window. Go through the list until you find Repair Internet Explorer and check mark it for repair. Then click Start at the bottom right of the window. It will then attempt to fix Internet Explorer.


#20
February 2, 2013 at 19:07:22
Rrrrrroger that, running Tweaking's Windows Repair All in One


#21
February 2, 2013 at 19:18:37
RE:Tweaking's Windows Repair All in One
Would not complete installation, pop up said "Could not install uninstall short cut"
Nothing was installed, the folder is empty.


#22
February 2, 2013 at 19:25:34
Ok, I think we need to use the big guns. Download Combofix to your Desktop.

* Turn off your Antivirus software's realtime scanners.
* Read the instructions first.
* Once started do not open any programs or move the mouse, Combofix could stall and cause loads of problems.
Combofix Instructions:
http://www.bleepingcomputer.com/com...
Combofix Download:
http://www.bleepingcomputer.com/dow...


#23
February 2, 2013 at 19:31:29
All I've been running is Microsoft Security Essentials, not a real Antivirus software.
Do you need to further advise?


#24
February 2, 2013 at 19:35:39
You must temporarily disable real-time scanning: open MSE, click the Settings tab, select Real-Time Protection, and clear the check box. Remember, you must turn real-time protection back on when we are all finished.


#25
February 2, 2013 at 19:38:44
Done.
Here we go, crossing fingers.


#26
February 2, 2013 at 19:39:48
You should have no problems at all :)


#27
February 2, 2013 at 19:51:57
ComboFix Log:


ComboFix 13-02-02.05 - Compaq 02/02/2013 22:43:01.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1474 [GMT -5:00]
Running from: c:\documents and settings\Compaq\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Documents
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
c:\windows\wininit.ini
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MpKsl4937cc49
-------\Service_MpKsl4937cc49
.
.
((((((((((((((((((((((((( Files Created from 2013-01-03 to 2013-02-03 )))))))))))))))))))))))))))))))
.
.
2013-02-03 03:12 . 2013-02-03 03:12 -------- d-----w- c:\program files\Tweaking.com
2013-02-03 01:18 . 2013-02-03 01:18 -------- d-----w- c:\program files\ESET
2013-02-03 00:30 . 2013-02-03 00:30 -------- d-----w- c:\windows\ERUNT
2013-02-03 00:29 . 2013-02-03 00:29 -------- d-----w- C:\JRT
2013-02-02 23:44 . 2013-01-08 04:57 6991832 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{865DE8DA-F68E-468C-BC59-57D2CF427A01}\mpengine.dll
2013-02-02 16:53 . 2013-02-02 16:59 -------- d-----w- c:\documents and settings\Administrator
2013-02-01 21:33 . 2013-02-01 21:33 143872 ----a-w- c:\windows\system32\javacpl.cpl
2013-01-25 15:17 . 2013-01-25 15:17 -------- d-----w- c:\program files\Mozilla Maintenance Service
2013-01-19 22:07 . 2013-01-19 22:07 -------- d-----w- c:\documents and settings\Compaq\Application Data\Malwarebytes
2013-01-19 22:07 . 2013-01-19 22:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2013-01-19 22:07 . 2013-01-19 22:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-01-19 22:07 . 2012-12-14 21:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-01-17 17:45 . 2013-01-17 19:12 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2013-01-17 17:45 . 2013-01-17 17:45 -------- d-----w- c:\program files\AVAST Software
2013-01-12 20:11 . 2012-06-09 18:21 178688 ----a-w- c:\windows\system32\unrar.dll
2013-01-12 20:11 . 2011-12-21 18:14 151552 ----a-w- c:\windows\system32\ac3acm.acm
2013-01-12 20:11 . 2012-12-24 18:00 112640 ----a-w- c:\windows\system32\ff_vfw.dll
2013-01-12 20:11 . 2013-01-12 20:11 -------- d-----w- c:\program files\K-Lite Codec Pack
2013-01-12 20:06 . 2013-01-12 20:06 -------- d-----w- c:\documents and settings\Compaq\Local Settings\Application Data\Google
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-30 10:53 . 2012-05-11 04:39 232336 ------w- c:\windows\system32\MpSigStub.exe
2013-01-09 00:12 . 2012-07-19 19:20 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-09 00:12 . 2012-07-19 19:20 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-16 12:23 . 2011-02-14 18:47 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-12-05 22:46 . 2012-07-19 21:05 8552 ----a-w- c:\windows\system32\drivers\asctrm.sys
2012-12-05 22:46 . 2012-07-19 21:05 24576 ----a-w- c:\windows\system32\prefscpl.cpl
2012-11-13 01:25 . 2011-02-14 18:50 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-11 13:32 . 2012-11-11 13:32 238528 ----a-w- c:\windows\system32\avutil-lav-52.dll
2012-11-11 13:32 . 2012-11-11 13:32 158096 ----a-w- c:\windows\system32\avresample-lav-1.dll
2012-11-06 02:01 . 2011-02-14 18:50 1371648 ----a-w- c:\windows\system32\msxml6.dll
2013-01-16 20:11 . 2013-01-25 15:17 262552 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-02-14 . E17798E1E6FF1CA9C67B8576570E05EE . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-07 421776]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2012-12-05 26112]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 8.0 Tray Icon.lnk - [N/A]
Microsoft Office.lnk - [N/A]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\America Online 8.0a\\waol.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 mv61xxmm;mv61xxmm;c:\windows\system32\drivers\mv61xxmm.sys [2/14/2011 2:06 PM 13616]
R0 mv64xxmm;mv64xxmm;c:\windows\system32\drivers\mv64xxmm.sys [2/14/2011 2:07 PM 5632]
R0 mvxxmm;mvxxmm;c:\windows\system32\drivers\mvxxmm.sys [2/14/2011 2:07 PM 13616]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [8/11/2011 6:38 PM 116608]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [5/10/2012 3:49 PM 200192]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-03 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-19 00:12]
.
2012-07-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2013-02-03 c:\windows\Tasks\HP Photo Creations Messager.job
- c:\documents and settings\All Users\Application Data\HP Photo Creations\MessageCheck.exe [2011-02-15 10:11]
.
2013-02-03 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-09-12 21:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Coupon Companion Plugin - c:\program files\Coupon Companion Plugin\Uninstall.exe
AddRemove-sl-dlc - c:\program files\OApps\sl-dlc_uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-02-02 22:48
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(912)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\wanmpsvc.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2013-02-02 22:50:34 - machine was rebooted
ComboFix-quarantined-files.txt 2013-02-03 03:50
.
Pre-Run: 81,523,015,680 bytes free
Post-Run: 83,650,555,904 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - E22F6570552353464AE8AA5149C8F986



#28
February 2, 2013 at 19:58:13
Can you try Internet Explorer again please.


#29
February 2, 2013 at 19:59:36
Nope, just blips and disappears.


#30
February 2, 2013 at 20:02:08
Let's see if Tweaking will run, we can try that fix again.


#31
February 2, 2013 at 20:03:59
Initializing Tweaking,,,here we go


#32
February 2, 2013 at 20:04:53
If it still won't run, try the Microsoft IE Reset Tool from here: http://support.microsoft.com/kb/967896


#33
February 2, 2013 at 20:06:07
The Tweaking Repair Tool: Run it; on the first window go to Start Repairs at the far right. Then click Start. It will ask to do a restore point; let it do this.
It will then open to the Repair choice window. Go through the list until you find Repair Internet Explorer and check mark it for repair. Then click Start at the bottom right of the window. It will then attempt to fix Internet Explorer.


#34
February 2, 2013 at 20:06:28
No, pop up came up again: "Cannot install shortcut"


#35
February 2, 2013 at 20:07:46
Try Post #32; it should work.


#36
February 2, 2013 at 20:12:26
This stuff thinks I'm running in safe mode now.
"The Windows Installer could not be accessed"


#37
February 2, 2013 at 20:17:58
Let's try some file association fixes and see if that helps. http://www.dougknox.com/xp/file_ass...
Go down the list until you see the EXE File Association Fix, #9 in the list. Click on it to run the fix.

Once that's done, go down the list and run the LNK (Shortcut) File Association Fix, #19.


#38
February 2, 2013 at 20:28:55
I would run ESET again. Post the log please.


#39
February 2, 2013 at 20:33:14
I'm off for a couple of hours, I will leave you with Johnw for now :)


#40
February 3, 2013 at 05:52:16
Yeah, I had to sleep myself.
In reference to #37, http://www.dougknox.com/xp/file_ass... I ran both the EXE File Association Fix and the LNK (Shortcut) File Association Fix and nothing happened other than it was added to the registry.


#41
February 3, 2013 at 10:56:31
Can you open Internet Explorer now?


#42
February 3, 2013 at 11:14:47
That's a negative.
A blank page with the frames.
Close it out and it wants to know if you want to send an error report.
Done that ohhhh couple dozen times already.


#43
February 3, 2013 at 11:33:14
Disable all IE add-ons
While browser add-ons can enhance your online experience, they can occasionally interfere or conflict with other software on your computer. Try starting Internet Explorer without add-ons to see if the problem goes away. Here's how:

Click the Start button, click All Programs, click Accessories, click System Tools, and then click Internet Explorer (No Add-ons).


#44
February 3, 2013 at 11:39:45
I tried that last night sometime.
Did it again to check.
Pop up said your last session ended suddenly....you know the deal...I restored the session, I.E. vanished.
Tried it again, displayed 1/4 of a second, no images only frames of I.E., and vaporized.


#45
February 3, 2013 at 11:44:43
Try uninstalling IE then install it again. Have you done any major updates for Windows recently?


#46
February 3, 2013 at 11:48:08
Updates out the wazoo, every time they're ready, religiously on all 3 machines.
Attempting to uninstall IE then re install I.E.


#47
February 3, 2013 at 11:54:55
Not being able to determine if IE has updated, I have no idea what version I'm at.
Internet Explorer is not displayed in my Add and Remove Programs.
Not to sound totally ignorant, but isn't a download of IE in order?


#48
February 3, 2013 at 11:57:49
Yes by the sounds of it.


#49
February 3, 2013 at 12:00:20
I'm headed after it.


#50
February 3, 2013 at 13:01:06
Is the initial download supposed to take over 30 minutes before progressing the next step of checking my computer for malicious software?


#51
February 3, 2013 at 13:03:26
Sometimes it can take ages :( Wait till the scan starts. That takes even longer :)


#52
February 3, 2013 at 20:09:16
I started the IE8 download at 5pm EST, it's 11:09 now, I don't think that it's going to install.
Please advise.


#53
February 3, 2013 at 20:26:04
I'm not sure what's up. You must still have an infection like ZeroAccess, hence we are having trouble running Tweaking's Repair Tool and installing programs like IE.
I see you have SuperAntiSpyware (SAS) on your PC; update it and run it, using the very infected scan option. You could try the SAS fixes also. While you're doing that, I will see what I can find.
Can you download and run HijackThis (HJT) from this link:
http://www.bleepingcomputer.com/dow...
Scan and save log only.


#54
February 3, 2013 at 20:36:09
I ran SAS and AVG from the very beginning, but I'll check for updates and run again.
Whoops! SAS Definition Updates failed, that's never happened before.
I'm running it as is at the "Enable Rescue Scan (Highly Infected Systems ONLY!)"
And you only want me to save the HJT log for now?


#55
February 3, 2013 at 20:44:22
Yes please to both :) Include the log in your next reply please.


#56
February 3, 2013 at 20:47:21
Roger that. Running SAS first.


#57
February 3, 2013 at 20:52:56
You could do the HJT scan at the same time. It will not cause conflicts.


#58
February 3, 2013 at 20:55:02
Also did you re-run ESET as Johnw asked in Post #38?


#59
February 3, 2013 at 20:55:34
Didn't know that, attempting to do it now.


#60
February 3, 2013 at 20:56:25
I've run ESET twice in this thread/timespan


#61
February 3, 2013 at 21:02:09
You have only included one ESET scan reply Post #17?


#62
February 3, 2013 at 21:06:45
OK, I'll add a run of ESET to the things to do after I post a log of HJT.


#63
February 3, 2013 at 21:07:54
Cannot access the page for HJT while SAS is running.


#64
February 3, 2013 at 21:14:07
Can we hold off the ESET scan for now? We have two more programs to run quickly before the ESET re-scan.

Continue with the SAS scan and then the HJT one :) Then post the logs :)

We think you're infected, hence all the troubles we are having. We will have to re-run some scans and new ones etc. What we are trying to do is strip the virus's protection down layer by layer until we can get in to remove it all.


#65
February 3, 2013 at 21:22:27
Sure thing.
Just ran the SAS, found 7 tracking cookies but wasn't able to post here.
They're quarantined.
Going after HJT now.


#66
February 3, 2013 at 21:24:12
Firefox can't find the server at www.bleepingcomputer.com.


#67
February 3, 2013 at 21:27:48
More HJT links:
http://sourceforge.net/projects/hjt/
http://www.filehippo.com/download_h...
http://hijackthis.en.softonic.com/


#68
February 3, 2013 at 21:40:13
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:39:44 AM, on 2/4/2013
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 8.0a\aoltray.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Compaq\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0a\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20614.www2.hp.com/ediags/gm...
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Java\jre7\bin\jqs.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 5676 bytes


Report •
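
Added example (not part of the thread, and not code from HijackThis): a small Python parser for the log format posted in #68. It splits the header, the process list and the R/O entries, lists the O4 and O23 autostart items, and notes what stands out; the sample is a subset of the lines above, and the "expected directories" rule is an assumption made for this example.

```python
import re
from collections import defaultdict

# Subset of the HijackThis log from post #68, copied as posted.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Compaq\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0a\aoltray.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[ROFN]\d{1,2}) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<where>HK(?:LM|CU)\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^(?P<where>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")
EXE_RE = re.compile(r"^(?P<path>.+?\.(?:exe|com|bat|cmd|scr|dll))(?:\s|$)", re.I)

# Assumption of this example: autostart binaries normally live under these roots.
EXPECTED_ROOTS = ("c:\\program files\\", "c:\\windows\\")


def parse_log(text):
    """Split a HijackThis log into header fields, running processes and entries."""
    header, processes, entries = {}, [], defaultdict(list)
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            entries[entry.group("code")].append(entry.group("body"))
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            processes.append(line)
        elif ": " in line:
            key, value = line.split(": ", 1)
            header[key] = value
    return header, processes, dict(entries)


def executable(cmd):
    """Return the program path from a command line, dropping any arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    match = EXE_RE.match(cmd)
    return match.group("path") if match else cmd


def autoruns(entries):
    """List (location, name, path) for O4 startup items and O23 services."""
    found = []
    for body in entries.get("O4", []):
        m = RUN_RE.match(body) or STARTUP_RE.match(body)
        if m:
            found.append((m.group("where"), m.group("name"), executable(m.group("cmd"))))
    for body in entries.get("O23", []):
        parts = body.split(" - ")          # "Service: name - vendor - path"
        if len(parts) >= 2:
            name = parts[0].replace("Service: ", "", 1)
            found.append(("Service", name, executable(parts[-1])))
    return found


def review(text):
    """Return human-readable notes on what stands out in the log."""
    header, _processes, entries = parse_log(text)
    notes = []
    if "unable" in header.get("MSIE", "").lower():
        notes.append("header: HijackThis could not read the Internet Explorer version")
    if header.get("Boot mode", "Normal") != "Normal":
        notes.append("header: scan was not taken in normal boot mode")
    for where, name, path in autoruns(entries):
        if not path.lower().startswith(EXPECTED_ROOTS):
            notes.append(f"autorun outside expected directories: {where} [{name}] {path}")
    return notes


if __name__ == "__main__":
    for note in review(SAMPLE_LOG):
        print(note)
```

On the sample the only note is the header line about Internet Explorer, which matches the broken-IE symptom the thread keeps running into.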

#69
February 3, 2013 at 21:43:21
Download & run Unhide
http://www.bleepingcomputer.com/for...
http://download.bleepingcomputer.co...
Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run, it does take some time, be patient. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.


Please download and run ListParts by Farbar (for 32-bit system):
http://download.bleepingcomputer.co...
Click on the Scan button.
The scan results will open in Notepad.
Post those results in your next reply.

I hope you can get to these two tools on the Bleepingcomputers website :)


#70
February 3, 2013 at 21:53:09
Unhide by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Unhide.exe can be found at this link:
http://www.bleepingcomputer.com/for...

Program started at: 02/04/2013 12:46:45 AM
Windows Version: Windows XP

Please be patient while your files are made visible again.

Processing the C:\ drive
Finished processing the C:\ drive. 54100 files processed.

The C:\DOCUME~1\Compaq\LOCALS~1\Temp\smtmp\ folder does not exist!!
Unhide cannot restore your missing shortcuts!!
Please see this topic in order to learn how to restore default
Start Menu shortcuts: http://www.bleepingcomputer.com/for...

Searching for Windows Registry changes made by FakeHDD rogues.
- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
No registry changes detected.

Program finished at: 02/04/2013 12:52:21 AM
Execution time: 0 hours(s), 5 minute(s), and 36 seconds(s)



#71
February 3, 2013 at 21:55:09
ListParts by Farbar Version: 16-01-2013
Ran by Compaq (administrator) on 04-02-2013 at 00:54:46
Windows XP (X86)
Running From: C:\Documents and Settings\Compaq\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 35%
Total physical RAM: 1918.48 MB
Available physical RAM: 1228.16 MB
Total Pagefile: 3253.99 MB
Available Pagefile: 2763.4 MB
Total Virtual: 2047.88 MB
Available Virtual: 2001.94 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:93.15 GB) (Free:77.79 GB) NTFS ==>[Drive with boot components (Windows XP)]

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 93 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 93 GB 32 KB
======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 93 GB Healthy System (partition with boot components)
======================================================================================================

****** End Of Log ******



#72
February 3, 2013 at 21:58:33
Ok thanks for the logs, now re-run ESET again please.


#73
February 3, 2013 at 22:02:59
Select Remove or Scan on ESETS?


#74
February 3, 2013 at 22:09:35
Also, ESETS before running says it has found another anti virus software...remnants of Avast that I installed a while back and uninstalled when I decided not to keep it.


#75
February 3, 2013 at 22:14:07
First of all we will try and remove the Avast leftovers before the ESET scan, download the Avast Removal Tool from here; http://www.avast.com/uninstall-utility
If that doesn't remove it, try Appremover; when it opens, select the scan for already removed programs.
http://www.appremover.com/

In ESET check mark the following items:
Remove found threats
Scan Archives

Open Advanced settings also and check mark:
Scan for potentially unwanted programs (PUPs)
Scan for potentially unsafe applications


#76
February 3, 2013 at 22:18:52
Re running ESETS at those parameters now


#77
February 3, 2013 at 22:22:59
Continue the scan :) Avast didn't worry it before. Was Avast picked up the first time we ran ESET?


#78
February 3, 2013 at 22:25:59
Note: If you ask a question please hold off doing my instructions until the question is answered :) That way we won't get ahead of ourselves.


#79
February 3, 2013 at 22:26:16
Can't remember if it did or not.


#80
February 3, 2013 at 22:27:44
No problems :) You're doing great, what time is it where you are?


#81
February 3, 2013 at 22:29:19
1:29am EST and you?


#82
February 3, 2013 at 22:34:49
7.30pm Let me know when you want to head to bed?


#83
February 3, 2013 at 22:40:57
I'm here for the duration and resolution.
Keep a pot of coffee nearby :-)


#84
February 3, 2013 at 23:02:19
:) Haha make it a big pot.


#85
February 3, 2013 at 23:06:25
ESET at 88% has found 8 threats so far.


#86
February 3, 2013 at 23:32:12
C:\System Volume Information\_restore{97C55FA1-7611-49BF-96CC-5D6BC2CB0D2D}\RP159\A0048560.exe a variant of Win32/Bundled.Toolbar.Ask application cleaned by deleting - quarantined
C:\System Volume Information\_restore{97C55FA1-7611-49BF-96CC-5D6BC2CB0D2D}\RP174\A0051201.exe Win32/DownloadAdmin.G application cleaned by deleting - quarantined
C:\System Volume Information\_restore{97C55FA1-7611-49BF-96CC-5D6BC2CB0D2D}\RP177\A0051278.exe a variant of Win32/Adware.iBryte.D application cleaned by deleting - quarantined
C:\System Volume Information\_restore{97C55FA1-7611-49BF-96CC-5D6BC2CB0D2D}\RP198\A0058349.exe probably a variant of Win32/InstallIQ application cleaned by deleting - quarantined
C:\System Volume Information\_restore{97C55FA1-7611-49BF-96CC-5D6BC2CB0D2D}\RP200\A0058476.exe a variant of Win32/Toolbar.CrossRider.C application cleaned by deleting - quarantined
C:\System Volume Information\_restore{97C55FA1-7611-49BF-96CC-5D6BC2CB0D2D}\RP200\A0058479.dll a variant of Win32/Toolbar.CrossRider.A application cleaned by deleting - quarantined
C:\System Volume Information\_restore{97C55FA1-7611-49BF-96CC-5D6BC2CB0D2D}\RP200\A0058484.exe multiple threats cleaned by deleting - quarantined
C:\System Volume Information\_restore{97C55FA1-7611-49BF-96CC-5D6BC2CB0D2D}\RP200\A0058529.exe multiple threats cleaned by deleting - quarantined
C:\System Volume Information\_restore{97C55FA1-7611-49BF-96CC-5D6BC2CB0D2D}\RP200\A0058775.exe Win32/OpenCandy application cleaned by deleting - quarantined

Report •
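
Added example (not part of the thread, and not ESET's own tooling): the detections posted in #86 can be triaged by where each file sits. This Python code separates hits inside System Restore snapshots (System Volume Information\_restore{...}\RPnnn) from hits in the live file system; the sample is five of the nine lines above, and recognising only the action text seen in this log is an assumption of the example.

```python
import re
from collections import Counter

# Five of the nine lines from the ESET log in post #86, copied as posted.
SAMPLE_LOG = r"""C:\System Volume Information\_restore{97C55FA1-7611-49BF-96CC-5D6BC2CB0D2D}\RP159\A0048560.exe a variant of Win32/Bundled.Toolbar.Ask application cleaned by deleting - quarantined
C:\System Volume Information\_restore{97C55FA1-7611-49BF-96CC-5D6BC2CB0D2D}\RP198\A0058349.exe probably a variant of Win32/InstallIQ application cleaned by deleting - quarantined
C:\System Volume Information\_restore{97C55FA1-7611-49BF-96CC-5D6BC2CB0D2D}\RP200\A0058476.exe a variant of Win32/Toolbar.CrossRider.C application cleaned by deleting - quarantined
C:\System Volume Information\_restore{97C55FA1-7611-49BF-96CC-5D6BC2CB0D2D}\RP200\A0058484.exe multiple threats cleaned by deleting - quarantined
C:\System Volume Information\_restore{97C55FA1-7611-49BF-96CC-5D6BC2CB0D2D}\RP200\A0058775.exe Win32/OpenCandy application cleaned by deleting - quarantined
"""

# Only the action text seen in this log is recognised (assumption of the example);
# lines with any other ending are returned as "unparsed" rather than guessed at.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?\.[A-Za-z0-9]{2,4})\s+"
    r"(?P<verdict>.+?)\s+"
    r"(?P<action>cleaned by deleting - quarantined)$"
)
# Windows XP keeps System Restore snapshots under _restore{GUID}\RPnnn.
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(?P<rp>RP\d+)\\", re.I
)
# Strip the scanner's qualifiers so that detections group by name.
VERDICT_RE = re.compile(r"^(?:probably )?(?:a variant of )?(?P<name>.+?)(?: application)?$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    restore = RESTORE_RE.search(m.group("path"))
    return {
        "path": m.group("path"),
        "name": VERDICT_RE.match(m.group("verdict")).group("name"),
        "restore_point": restore.group("rp") if restore else None,
        "action": m.group("action"),
    }


def triage(text):
    """Group detections by restore point, live path and detection name."""
    result = {"restore_points": Counter(), "live": [], "names": Counter(), "unparsed": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        hit = parse_line(line)
        if hit is None:
            result["unparsed"].append(line.strip())
            continue
        result["names"][hit["name"]] += 1
        if hit["restore_point"]:
            result["restore_points"][hit["restore_point"]] += 1
        else:
            result["live"].append(hit["path"])
    return result


def summary(result):
    """One-line summary of where the detections were found."""
    archived = sum(result["restore_points"].values())
    live = len(result["live"])
    return f"{archived} detection(s) in System Restore snapshots, {live} in the live file system"


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(summary(report))
    for rp, count in sorted(report["restore_points"].items()):
        print(f"  {rp}: {count}")
    for name, count in report["names"].most_common():
        print(f"  {name}: {count}")
```

Every sampled hit is a snapshot copy rather than a file in use, which is why the thread later moves on to cleaning out the restore points (#118, step 4).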

#87
February 3, 2013 at 23:37:01
Have not done #75 yet.


#88
February 3, 2013 at 23:38:26
Great, now we are getting somewhere :)
Let's remove the Avast leftovers before we continue on, download the Avast Removal Tool from here; http://www.avast.com/uninstall-utility
If that doesn't remove it, try Appremover; when it opens, select the scan for already removed programs.
http://www.appremover.com/


#89
February 3, 2013 at 23:42:16
http://www.avast.com/uninstall-utility requires safe mode and at the beginning of this I couldn't get it to boot in F8.
Will try http://www.appremover.com/


#90
February 3, 2013 at 23:53:45
http://www.appremover.com/ only found and removed Microsoft Security Essentials, but I still see it in my bottom bar.
OPSWAT wants to install toolbars and such, should I do the whole hog install and run it?
Will you be able to assist me in all of the removal of that junk?


#91
February 3, 2013 at 23:56:51
Another question, on my desktop I have a JRT and a Log file, MicrosoftFixit50195, xp_exe_fix, linkfile_fix, ComboFix, adwcleaner, Tweaking, RogueKiller and reports 1&2, along with a folder named RK-Quarantine, ESETS, HiJackThis, ListParts, UnHide, etc do I need those to stay there?
Tell me what to keep and what to dump.


#92
February 3, 2013 at 23:59:47
You can go ahead and delete the old logs while I check out the OPSWAT question :)


#93
February 4, 2013 at 00:07:59
Select the "No Installation - I only want to run appremover" option. That will stop the Toolbar installing.


#94
February 4, 2013 at 00:14:52
Ok it's in reboot now.
Again it found and said it removed Microsoft Security Essentials, but I still see it in my bottom bar.
Didn't find Avast or remnants.


#95
February 4, 2013 at 00:18:58
Ok Johnw has recommended some cleaning tools to fix a few things and remove the Avast leftovers.
In my opinion I would remove MSE and install Avast anyway :)
Will get the links and instructions for the cleaners now.


#96
February 4, 2013 at 00:22:28
I will uninstall MSE from Add and Remove programs


#97
February 4, 2013 at 00:29:46
"I will uninstall MSE from Add and Remove programs" - ok

Here is the Wisecleaner link: http://www.wisecleaner.com/download...
Download Wise Disk Cleaner - on the main window run tabs Common Cleaner and Advanced Cleaner.

Download Wise Registry Cleaner - on the main window run tabs Registry Cleaner and System Tuneup.


#98
February 4, 2013 at 00:30:09
Unable to uninstall MSE from Add and Remove programs.
Error pops up cuz there's no I.E. for it to communicate with.


#99
February 4, 2013 at 00:43:29
All those Wise Cleaners were fun, and fast.
Now whatcha wanna do?


#100
February 4, 2013 at 00:46:32
Let's remove Combofix now also, click Start, Run and copy and paste the following: combofix /uninstall into it and then click run. Combofix will then start again, but this time it will remove Combofix.


#101
February 4, 2013 at 00:50:43
"All those Wise Cleaners were fun, and fast." I used to be a CCleaner user until Johnw put me on to these two excellent programs.


#102
February 4, 2013 at 00:51:54
It's already gone from earlier. Windows can't find it.


#103
February 4, 2013 at 00:55:04
Are we ready to try an install of IE?


#104
February 4, 2013 at 01:00:02
The cleaners pick it up :)
We need to run a Chkdsk graphical scan now looking for file system errors and bad sectors.
How to link: http://best-windows.vlaurie.com/chk...
Tick both checks


#105
February 4, 2013 at 01:03:04
We will do the checks before we try the I.E install again :)


#106
February 4, 2013 at 02:23:35
Chkdsk done, both boxes were ticked.


#107
February 4, 2013 at 02:26:00
Try to open IE first, then try installing it again if that doesn't work.


NOTE: You cannot uninstall Internet Explorer 8 if it is set to be non-removable. This occurs if you install Internet Explorer 8 before you install Service Pack 3 (SP3) for Windows XP. If this scenario applies to you, then you must uninstall SP3 before you can uninstall Internet Explorer 8.

Windows XP IE uninstall and install instructions:

To uninstall Internet Explorer 8 from a computer that is running Windows XP, follow these steps:
* Click Start, and then click Control Panel.
* Click Add or Remove Programs.
Make sure that the Show updates check box is selected.
* Click Windows Internet Explorer 8.
* Click Remove.

To Install Internet Explorer 8 on a computer that is running Windows XP, follow these steps:
Visit the following Microsoft websites: http://www.microsoft.com/en-us/down...
Click the Download button on the page to start the download. Or, select a different language in the Change language list, and then click Go.
Take one of the following actions:
To start the installation immediately, click Run.

To use the manual Reset Internet Explorer Settings feature from Control Panel, follow these steps:

* Close all Internet Explorer and Windows Explorer windows.
* Click Start and then click Control Panel.
* In Control Panel, open Internet Options.
* Click the Advanced tab, and then click Reset.
* In the Reset Internet Explorer Settings dialog box, click Reset.
When Internet Explorer finishes restoring the default settings, click Close, and then click OK two times.
Close Internet Explorer, and then reopen it. The changes take effect the next time that you open Internet Explorer.


#108
February 4, 2013 at 02:29:37
Well done folks, I was just thinking you both had fallen asleep, I'm 5 hours behind MrGoodguy

http://www.timeanddate.com/worldclo...



#109
February 4, 2013 at 02:34:46
I'm about to fiddle with a reinstall of IE.
Hang loose John, I may need ya.
Didn't know you were down under.
It's already yesterday there and just now today here!
The time zones are wacky.
I'm in Delaware, USA


#110
February 4, 2013 at 02:35:07
:) Haha Johnw the chkdsk scan took a long time.
It's 11.30pm here and it's been a long day, I'm going to hit the sheets :)
soeastbiker, Johnw will continue helping for as long as he can. I'm back in 8hrs.


#111
February 4, 2013 at 02:38:17
Sho' 'nuff did take a long time.
Have a good one Mr GG


#112
February 4, 2013 at 02:41:12
Here is how to get the chkdsk log, once you finish the #107 post.

Obtaining CHKDSK Results ( log file )
http://www.cpucare.net/OS/XP/Viewin...
How to get to Event Viewer.
In Windows XP there are four ways to get to event viewer.
Start > Control Panel > Administrative Tools > Event Viewer.
Right click > My Computer > Manage > Event Viewer.
Start > Run > Eventvwr.
Start > All Programs > Accessories > Command Prompt, paste > Eventvwr & hit Enter.
Obtaining CHKDSK Results
Once Event Viewer is open, select Application.
The 4th column of information in the right-hand pane is titled Source, click on the word Source at the top of the column to sort by that column.
Scroll through the Source column to find the most recent entry titled Winlogon.
Double-click Winlogon to open the CHKDSK results.



#113
February 4, 2013 at 02:43:29
"The time zones are wacky"
2 Delaware in USA, how did my guess go?

http://www.timeanddate.com/worldclo...



#114
February 4, 2013 at 02:54:57
re; Post #107....While I'm waiting to see if IE is truly Downloading, in the Add or Remove Programs, with the Show updates box checked, there is no "Windows Internet Explorer 8" per se, only the list of updates...should I have removed them all first?


#115
February 4, 2013 at 03:02:29
"should I have removed them all first?"
No, I wouldn't think so.


#116
February 4, 2013 at 03:06:07
Cool, I'm watching a blue line go across the screen that leads me to believe that it is installing.
Mr GG sez it takes 9 forever's to download before it even begins to check the PC for malicious software or the other 3 steps.


#117
February 4, 2013 at 03:21:10
"Mr GG sez it takes 9 forever's"
That's computers, everything when you are trying to fix etc, takes a long time.


#118
February 4, 2013 at 04:18:10
I am now not available for quite a while, here is more stuff to do.

1: Download Security Check by screen317 from one of the following links and save it to your desktop.
http://screen317.spywareinfoforum.o...
http://screen317.changelog.fr/Secur...
* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Save it to your Desktop.
* Double click SecurityCheck.exe. If you run Windows Vista or 7, right click and choose 'Run as Administrator'.
o If you are asked by Windows to run this program or not, please click 'Yes' or 'Run'.
o When you see a console window, press any key to continue scanning.
o Wait while it scans.
o If your firewall alerts you of Security Check, please press 'Allow' or similar.
* A Notepad document should open automatically after scan is completed. It will be called checkup.txt; please post the contents of that document.
Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

2: Is F8 working?
If not, can you borrow a USB keyboard?
Or,
Make sure the Num Lock light is not on.
Or,
Cleaning Laptop/Notebook Keyboard
http://mobileoffice.about.com/od/us...
http://lifehacker.com/software/life...

3: Run ESET again, only go far enough to see if you get the Avast remnants message ( your post #74 )

4: Clean out restore points.
How Do I Disable & Re-Enable a System Restore After a Virus Infection?
http://www.ehow.com/how_6012864_do-...
http://windowxptutortips.blogspot.c...
http://service1.symantec.com/SUPPOR...
Safe mode
http://service1.symantec.com/SUPPOR...



#119
February 4, 2013 at 04:22:41
I was just about to give you a shout and say John, I been running this download, http://www.microsoft.com/en-us/down... since about 5:40 am my time.
It's 7:18 and nothing is happening except the blue line going across the progress bar that leads me to believe that it is installing.
I wish that I could post a pic, I'm running on fumes.


#120
February 4, 2013 at 04:24:03
Got a smartphone and access to a FAX machine?


#121
February 4, 2013 at 10:25:36
I ran another Chkdsk and dbl clicking on the Winlogon in the Event Viewer won't open anything, so I can't post a log file.


#122
February 4, 2013 at 10:29:16
Results of screen317's Security Check version 0.99.57
Windows XP Service Pack 3 x86
Internet Explorer 8
[b][u]``````````````Antivirus/Firewall Check:``````````````[/b][/u]
Windows Firewall Enabled!
Please wait while WMIC compiles updated MOF files.d
i
s
p
l
a
y
N
a
m
e
ECHO is off.
M
i
c
r
o
s
o
f
t
ECHO is off.
S
e
c
u
r
i
t
y
ECHO is off.
E
s
e
n
t
i
a
l
s
ECHO is off.
Antivirus up to date!
[b][u]`````````Anti-malware/Other Utilities Check:`````````[/b][/u]
SUPERAntiSpyware
Malwarebytes Anti-Malware version 1.70.0.1100
Wise Disk Cleaner 7.74
Wise Registry Cleaner 7.62
Java 7 Update 13
[color=red][b]Java version out of Date![/b][/color]
Adobe Flash Player 11.5.502.146
Adobe Reader 10.1.5 [color=red][b]Adobe Reader out of Date![/b][/color]
Mozilla Firefox (18.0.1)
[b][u]````````Process Check: objlist.exe by Laurent````````[/b][/u]
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
America Online 8.0a aoltray.exe
[b][u]`````````````````System Health check`````````````````[/b][/u]
Total Fragmentation on Drive C:: 10%
[b][u]````````````````````End of Log``````````````````````[/b][/u]


#123
February 4, 2013 at 11:00:14
A USB keyboard plugged into the laptop let me get into safe mode.
My machine is clean inside and out, believe me I have to stay on that cuz I have a very long beard.
I just didn't try enough times to get it into safe mode as I am in it now, but a keyboard made it easier.
Running ESET again.


#124
February 4, 2013 at 12:26:51
Ran ESET in safe mode and it found nothing.
Getting out of safe mode moving on to Clean out restore points.


#125
February 4, 2013 at 12:44:40
More from #118
Clean out restore points.

http://www.ehow.com/how_6012864_do-...

http://windowxptutortips.blogspot.c...

https://support.norton.com/sp/en/us...

Box was unchecked.
I know how to boot in Safe mode
(Plugging in a USB keyboard makes it easier)
I'm ready to proceed when you are



#126
February 4, 2013 at 13:07:21
Out of curiosity, I tried the Re Install of IE8 - box pops up now that says "Internet Explorer 8 is not supported on this operating system."

Ok, for grins I tried the Install of IE7 - Set up tosses a few files out then a box pops up that says "Setup cannot continue because a more recent version of Internet Explorer has been detected on this computer"

Hmmmmmm.
4:07 pm EST



#127
February 4, 2013 at 13:29:52
Morning :) I see IE8 in the Security Check log?
Well if it detects IE8 can you confirm if the manual reset was tried?

To use the manual Reset Internet Explorer Settings feature from Control Panel, follow these steps:
* Close all Internet Explorer and Windows Explorer windows.
* Click Start and then click Control Panel.
* In Control Panel, open Internet Options.
* Click the Advanced tab, and then click Reset.
* In the Reset Internet Explorer Settings dialog box, click Reset.
When Internet Explorer finishes restoring the default settings, click Close, and then click OK two times.
Close Internet Explorer, and then reopen it. The changes take effect the next time that you open Internet Explorer.

Also these need to be updated:
Adobe Reader 10.1.5
Java 7 Update 13 - is the latest, please visit http://java.com/en/download/install... to double check.


#128
February 4, 2013 at 13:32:23
G'mornin' Mr. GG.
Lemme read this over.
I managed 4hrs of sleep ;-)


#129
February 4, 2013 at 13:39:36
Manual reset initiated but failed to connect browser to internet.
I got the Java 7 Update 13 just before this issue occurred.


#130
February 4, 2013 at 13:46:27
You're doing well for 4hrs sleep :) I'm looking after my 18 month old Son so will be in and out. The Java 7 Update 13 fixed 50 security issues, was your pc fine before that update?
Also can you still access MSE from the taskbar icon? If so open MSE and check its quarantine for any infections in the past week or so?

Here's the Adobe Reader link:
http://www.adobe.com/products/reade...


#131
February 4, 2013 at 14:01:46
I will knock off tonight when the significant other gets home, and have a few 'adult beverages', I understand life, not complaining about your assistance :-)

Yes PC was fine before the Java update, I even spread the alert to friends on Facebook to uninstall Java based on a PC PitStop E-letter I get when they discovered a hole in security, of course most joked about Java=Coffee and were truly clueless as to what it really meant.
I can still access MSE from the taskbar icon, the Quarantined items are empty, nothing in there or Allowed Items, or All Detected Items.



#132
February 4, 2013 at 14:15:58
Updating to Adobe Reader XI would not complete.

Adobe Reader installation error
The Windows Installer Service could not be accessed.
This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed.
Contact your support personnel for assistance.



#133
February 4, 2013 at 14:21:39
I've been chatting to MrGoodguy about this post (we often chat). Seems odd, nothing but problems yet not much found in the way of viruses, malware etc.

I'm wondering if some past nasty, since removed, has cobbled up Windows.

There is always System Restore I suppose (if it works). The risk there is that you bring a virus back - although that area appears to have been cleaned.

I'm tossing coins in the air a bit but perhaps the best step would be to attempt XP Repair Install if you have an XP disk:
http://michaelstevenstech.com/XPrep...

There is a factory restore feature on that lappy but that means everything goes back to square one:
http://answers.yahoo.com/question/i...

Either way there is a chance you will still be able to backup your personal files before going any further, although "hopefully" the repair will not lose your own files.

Let me know what you think.

Always pop back and let us know the outcome - thanks



#134
February 4, 2013 at 14:29:20
Hello Derek.
No disc brother, the fellow that revived this laptop has it, and if it goes to him he'll just wipe it and do a reformat and we'll start at the beginning.
I have everything that I need in redundancy either on disc or flash drive.
I'm trying to do it the least painful way, but after 3 days that's kind of a joke now.
Evvvvvrything performs excellently on this machine other than the IE browser and bit of the OS.
Lemme know what you're thinking.


#135
February 4, 2013 at 14:36:10
"Adobe Reader installation error - The Windows Installer Service could not be accessed."
This problem can occur if one of the following conditions is true:
The Windows Installer files that are on your computer are damaged or are missing.
You install or remove a program that uses the Windows Installer Microsoft Software Installation (MSI) package file (.msi). For example, this can occur when you try to install Microsoft Office on your computer.

Let's try to re-register your Windows XP Installer manually: Click Start, click Run, type msiexec /regserver in the Open box, and then click OK. - Then try the Adobe Reader Update

We can go as long as you want on this, we try not to give up until there is no light at the end of the tunnel :)

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#136
February 4, 2013 at 14:37:13
Can you also confirm Tweaking's Windows repair will not run still?

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#137
February 4, 2013 at 14:39:32
Ok let's do all this then I'm knocking off til tomorrow.
Will report back.


#138
February 4, 2013 at 14:41:05
Well, everything virus has been done to death (and a bit more besides).

Any chance of begging or borrowing an XP OS disk? Provided the product code is written on the laptop you can still do the repair. If necessary this should retrieve the product key if it's not available:
http://pcsupport.about.com/od/tipst...

I'm usually a night owl but the boss (wife) wants me to bed early tonight because we are off out tomorrow. I'm in the UK, only 10.40 right now but time has a knack of running out.

Always pop back and let us know the outcome - thanks



#139
February 4, 2013 at 14:46:10
See, new inputs #135 & #136. I've amended my #138 a bit too.

Always pop back and let us know the outcome - thanks



#140
February 4, 2013 at 15:02:49
Did the msiexec /regserver, knocked the heck outta my FireFox browser, I had to stretch it back open to fill the page.
Adobe upgrade failed again, same pop up error showed up.

Tweaking's Windows repair worked.
It's running now.

Ol lady wasn't none too happy with me up all night either.



#141
February 4, 2013 at 15:15:25
Hi all, a lot of stuff I had in mind, has now been covered.

This hasn't.

soeastbiker
"dbl clicking on the Winlogon in the Event Viewer won't open anything"
See if this reveals the Winlogon info.

MyEventViewer
http://www.softpedia.com/get/System...
http://www.softpedia.com/progScreen...
http://www.nirsoft.net/utils/my_eve...



#142
February 4, 2013 at 15:16:18
Log:
Starting Repairs...
Start (2/4/2013 5:59:49 PM)

Reset Registry Permissions 01/03
HKEY_CURRENT_USER & Sub Keys
Start (2/4/2013 5:59:49 PM)
Running Repair Under Current User Account
Done (2/4/2013 5:59:51 PM)

Reset Registry Permissions 02/03
HKEY_LOCAL_MACHINE & Sub Keys
Start (2/4/2013 5:59:51 PM)
Running Repair Under System Account
Done (2/4/2013 6:00:27 PM)

Reset Registry Permissions 03/03
HKEY_CLASSES_ROOT & Sub Keys
Start (2/4/2013 6:00:27 PM)
Running Repair Under System Account
Done (2/4/2013 6:00:50 PM)

Register System Files
Start (2/4/2013 6:00:50 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (2/4/2013 6:02:45 PM)

Repair WMI
Start (2/4/2013 6:02:45 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (2/4/2013 6:07:18 PM)

Repair Windows Firewall
Start (2/4/2013 6:07:18 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (2/4/2013 6:07:29 PM)

Repair Internet Explorer
Start (2/4/2013 6:07:29 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (2/4/2013 6:08:38 PM)

Repair MDAC/MS Jet
Start (2/4/2013 6:08:38 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (2/4/2013 6:08:53 PM)

Repair Hosts File
Start (2/4/2013 6:08:53 PM)
Running Repair Under System Account
Done (2/4/2013 6:08:55 PM)

Remove Policies Set By Infections
Start (2/4/2013 6:08:55 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (2/4/2013 6:09:00 PM)

Repair Icons
Start (2/4/2013 6:09:00 PM)
Running Repair Under System Account
Done (2/4/2013 6:09:02 PM)

Repair Winsock & DNS Cache
Start (2/4/2013 6:09:02 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (2/4/2013 6:09:15 PM)

Repair Proxy Settings
Start (2/4/2013 6:09:15 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (2/4/2013 6:09:20 PM)

Repair Windows Updates
Start (2/4/2013 6:09:20 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (2/4/2013 6:10:51 PM)

Repair CD/DVD Missing/Not Working
Start (2/4/2013 6:10:51 PM)
Done (2/4/2013 6:10:51 PM)

Repair Volume Shadow Copy Service
Start (2/4/2013 6:10:51 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (2/4/2013 6:11:41 PM)

Set Windows Services To Default Startup
Start (2/4/2013 6:11:41 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (2/4/2013 6:11:58 PM)

Repair MSI (Windows Installer)
Start (2/4/2013 6:11:58 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (2/4/2013 6:12:11 PM)

Repair bat Association
Start (2/4/2013 6:12:11 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (2/4/2013 6:12:15 PM)

Repair cmd Association
Start (2/4/2013 6:12:15 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (2/4/2013 6:12:20 PM)

Repair com Association
Start (2/4/2013 6:12:20 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (2/4/2013 6:12:25 PM)

Repair Directory Association
Start (2/4/2013 6:12:25 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (2/4/2013 6:12:29 PM)

Repair Drive Association
Start (2/4/2013 6:12:29 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (2/4/2013 6:12:34 PM)

Repair exe Association
Start (2/4/2013 6:12:34 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (2/4/2013 6:12:39 PM)

Repair Folder Association
Start (2/4/2013 6:12:39 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (2/4/2013 6:12:43 PM)

Repair inf Association
Start (2/4/2013 6:12:43 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (2/4/2013 6:12:48 PM)

Repair lnk (Shortcuts) Association
Start (2/4/2013 6:12:48 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (2/4/2013 6:12:53 PM)

Repair msc Association
Start (2/4/2013 6:12:53 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (2/4/2013 6:12:57 PM)

Repair reg Association
Start (2/4/2013 6:12:57 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (2/4/2013 6:13:02 PM)

Repair scr Association
Start (2/4/2013 6:13:02 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (2/4/2013 6:13:07 PM)

Repair Windows Safe Mode
Start (2/4/2013 6:13:07 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (2/4/2013 6:13:11 PM)

Cleaning up empty logs...

All Selected Repairs Done.
Done (2/4/2013 6:13:11 PM)
Total Repair Time: 00:13:22


...YOU MUST RESTART YOUR SYSTEM...



#143
February 4, 2013 at 15:18:09
Knocking off, will revisit #141 tomorrow.
Be safe and I thank you


#144
February 4, 2013 at 15:18:22
soeastbiker
Do a search on "C" drive for i386 ( that's i for ink ) & see if you have a file about 500mb.

This will make it easier to find.

UltraSearch
http://www.softpedia.com/get/File-m...
http://www.softpedia.com/progScreen...
http://www.jam-software.com/ultrase...



#145
February 4, 2013 at 16:23:45
soeastbiker
"I wish that I could post a pic, I'm running on fumes"

Here are some programs that let you take a screenshot ( SS ) & then upload it. You then give us the link.

QipShot
http://www.softpedia.com/get/Multim...
http://www.softpedia.com/progScreen...
http://qip.ru/download_qipshot
Screen capture and image uploading in one.

Gyazo
http://www.softpedia.com/get/Multim...
http://www.softpedia.com/progScreen...
http://gyazo.com/en



#146
February 5, 2013 at 06:58:29
re:#145
That's good to know.
At the time of that entry I was going to send a snap of the IE8 Installer doing nothing, but for future reference, if needed, I'll try one.
Back to #141


#147
February 5, 2013 at 08:55:21
Winlogon Report....

Checking file system on C:
The type of the file system is NTFS.

A disk check has been scheduled.
Windows will now check the disk.
Cleaning up minor inconsistencies on the drive.
Cleaning up 7 unused index entries from index $SII of file 0x9.
Cleaning up 7 unused index entries from index $SDH of file 0x9.
Cleaning up 7 unused security descriptors.
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
Free space verification is complete.

97675168 KB total disk space.
16157928 KB in 47816 files.
17000 KB in 7534 indexes.
0 KB in bad sectors.
174456 KB in use by the system.
65536 KB occupied by the log file.
81325784 KB available on disk.

4096 bytes in each allocation unit.
24418792 total allocation units on disk.
20331446 allocation units available on disk.

Internal Info:

Windows has finished checking your disk.
Please wait while your computer restarts.



#148
February 5, 2013 at 09:10:55
Johnw #144

Did a search on "C" drive using the UltraSearch for "i386" ( that's i for ink )
I did not have a file about 500mb.
It came up saying;
The search is complete. No Matching results have been found.
Caution! Only searched for files!



#149
February 5, 2013 at 09:30:03
Johnw #145
You aren't going to believe this but...

[QipShot
http://www.softpedia.com/get/Multim...
http://www.softpedia.com/progScreen...
http://qip.ru/download_qipshot
Screen capture and image uploading in one.]

Every one of these were in Russian so I went to;
The first Gyazo link;
Gyazo
http://www.softpedia.com/get/Multim...
Opening it, I ran the set-up and the IE8 Install window popped up so I went with it and picked and chose custom install components all the way through....DUUUUDE!!!! I didn't even get to see what Gyazo even looked like before my IE8 browser rose from the dead...explain that to me!
HAHAHAHAHAHA!
Now, it's fresh and alive, so I'm still calling it an evaluation stage to see if I'm free and clear.
Check back with ya'll later when you get up.



#150
February 5, 2013 at 11:14:22
My semi-victory was short lived.
Machine isn't reading audio or video discs.
Music in files won't play by dbl clicking them, but oddly enough will play in WMP by clicking on their album art or file.
Prior to the original issue, I had WMP set to play 'e v e r y t h i n g' on the planet if it were on disc.
Went into Add 'n Remove Programs and reset all the tickers that make WMP default, uninstalled a codec pack to install an upgraded version, and allll kinds of grey boxes jumped up telling me about broken or missing files.
I have screenshots...
The old codec pack uninstalled when I clicked the missing file boxes away.
Installing the newer codecs, 4 LUA Errors popped up at the same time half way thru the Cnet prepping the installation, stopping the progress bar at its halfway point.
I've got to get the Gyazo working or some image transfer happening.


#151
February 5, 2013 at 11:45:26
I evidently have broken and missing files.

None of the screenshot links had anything that would work on this PC, so I used a friend's website and hosting space to set up a page with the images.
Hope they come up for you.
Let me know when you've seen them so they can be taken down.




#152

#153
February 5, 2013 at 11:55:18
Doh!
Here's a curve ball for you, the laptop won't shut down or restart in the conventional manner!
I'm going to do a hard shut down, I may be speaking to you for the last time from this thing if it doesn't light back up.


#154
February 5, 2013 at 12:30:36
Just had both the IE8 and Mozilla browsers hijacked by a Search bar called Snap.Do

http://forums.anvisoft.com/viewtopi...

All the buttons that link describes are disabled.
I await your return.



#155
February 5, 2013 at 12:52:05
Morning :)
Well things have started working again, maybe not well. But we are getting somewhere.
Try AdwCleaner and Junkware Removal Tool to remove Snap.do; if that doesn't work we can go through the manual steps.

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#156
February 5, 2013 at 12:57:16
You can use a free Mega.co.nz account for screenshots, just include the file's link addy, which is next to the file you want us to look at. You get 50GB encrypted cloud storage as a bonus.

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#157
February 5, 2013 at 13:01:36
I've gotten Snap.Do off of IE8 but it's still on the Mozilla browser.
You have seen the images at the link I gave
http://www.abateofde.com/computingd...
I'm off to find the links for AdwCleaner and Junkware Removal Tool.


#158
February 5, 2013 at 13:05:34
AdwCleaner Download Link:
http://www.bleepingcomputer.com/dow...

Junkware Removal Tool Download link:
http://www.bleepingcomputer.com/dow...

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#159
February 5, 2013 at 13:10:20
AdwCleaner was sufficient to remove Snap.Do from Mozilla.

# AdwCleaner v2.111 - Logfile created 02/05/2013 at 16:04:12
# Updated 05/02/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Compaq - COMPAQ-A9C29542
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Compaq\Desktop\AdwCleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\Documents and Settings\Compaq\Application Data\Mozilla\Firefox\Profiles\hip24c2d.default\searchplugins\Web Search.xml
File Deleted : C:\END

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{006EE092-9658-4FD6-BD8E-A21A348E59F5}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{31AD400D-1B06-4E33-A59A-90C2C140CBA0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31AD400D-1B06-4E33-A59A-90C2C140CBA0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Key Deleted : HKCU\Software\SmartBar
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{006EE092-9658-4FD6-BD8E-A21A348E59F5}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{AE07101B-46D4-4A98-AF68-0333EA26E113}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Search Page] = hxxp://feed.snap.do/?publisher=DownloadXYB&dpid=DownloadXYB&co=US&userid=08a8f78c-ba9b-4ec8-a180-5782cbb0bded&searchtype=ds&q={searchTerms} --> hxxp://www.google.com
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Search Bar] = hxxp://feed.snap.do/?publisher=DownloadXYB&dpid=DownloadXYB&co=US&userid=08a8f78c-ba9b-4ec8-a180-5782cbb0bded&searchtype=ds&q={searchTerms} --> hxxp://www.google.com
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Search - Default_Search_URL] = hxxp://feed.snap.do/?publisher=DownloadXYB&dpid=DownloadXYB&co=US&userid=08a8f78c-ba9b-4ec8-a180-5782cbb0bded&searchtype=ds&q={searchTerms} --> hxxp://www.google.com
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Search - SearchAssistant] = hxxp://feed.snap.do/?publisher=DownloadXYB&dpid=DownloadXYB&co=US&userid=08a8f78c-ba9b-4ec8-a180-5782cbb0bded&searchtype=ds&q={searchTerms} --> hxxp://www.google.com

-\\ Mozilla Firefox v18.0.1 (en-US)

File : C:\Documents and Settings\Compaq\Application Data\Mozilla\Firefox\Profiles\hip24c2d.default\prefs.js

Deleted : user_pref("browser.search.selectedEngine", "Web Search");
Deleted : user_pref("browser.startup.homepage", "hxxp://feed.snap.do/?publisher=DownloadXYB&dpid=DownloadXYB&c[...]
Deleted : user_pref("keyword.URL", "hxxp://feed.snap.do/?publisher=DownloadXYB&dpid=DownloadXYB&co=US&userid=0[...]

File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\w478eqv1.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [17628 octets] - [02/02/2013 19:01:31]
AdwCleaner[R2].txt - [1103 octets] - [02/02/2013 20:07:14]
AdwCleaner[R3].txt - [3388 octets] - [05/02/2013 16:03:50]
AdwCleaner[S1].txt - [18009 octets] - [02/02/2013 19:03:11]
AdwCleaner[S2].txt - [1164 octets] - [02/02/2013 20:07:34]
AdwCleaner[S3].txt - [3340 octets] - [05/02/2013 16:04:12]

########## EOF - C:\AdwCleaner[S3].txt - [3400 octets] ##########


Report •
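
The log in #159 shows which browser settings the hijacker had rewritten: four Internet Explorer search values in the registry and three Firefox prefs in prefs.js. As an added example (not part of the thread and not AdwCleaner's own code), the Python below parses log lines in that format, groups the hijacked settings by the host they pointed at, and then rechecks a current prefs.js for any pref that still mentions that host. The sample log and prefs.js are constructed; the publisher id `EXAMPLE` and the profile name are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log above (placeholder ids and paths).
SAMPLE_LOG = r'''
-\\ Internet Explorer v8.0.6001.18702

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Search Page] = hxxp://feed.snap.do/?publisher=EXAMPLE&q={searchTerms} --> hxxp://www.google.com
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Search - SearchAssistant] = hxxp://feed.snap.do/?publisher=EXAMPLE&q={searchTerms} --> hxxp://www.google.com

-\\ Mozilla Firefox v18.0.1 (en-US)

File : C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\example.default\prefs.js

Deleted : user_pref("browser.search.selectedEngine", "Web Search");
Deleted : user_pref("browser.startup.homepage", "hxxp://feed.snap.do/?publisher=EXAMPLE&c[...]
Deleted : user_pref("keyword.URL", "hxxp://feed.snap.do/?publisher=EXAMPLE&co=US&userid=0[...]
'''

# Constructed prefs.js after a cleanup that missed one entry.
SAMPLE_PREFS = '''
user_pref("browser.startup.homepage", "http://www.google.com");
user_pref("keyword.URL", "http://feed.snap.do/?publisher=EXAMPLE&q=");
user_pref("browser.search.selectedEngine", "Google");
'''

BROWSER_RE = re.compile(r'^-\\\\ (.+?) v[\d.]+')          # "-\\ <browser> v<version>"
FILE_RE = re.compile(r'^File : (.+)$')                     # prefs.js being inspected
REPLACED_RE = re.compile(r'^Replaced : \[(.+) - ([^\]]+)\] = (\S+) --> (\S+)$')
PREF_RE = re.compile(r'^Deleted : user_pref\("([^"]+)", "([^"]*)')
HOST_RE = re.compile(r'^h(?:tt|xx)ps?://([^/?#\s]+)', re.I)


def host_of(value):
    """Return the host of a plain or defanged (hxxp) URL, else None."""
    m = HOST_RE.match(value)
    return m.group(1).lower() if m else None


def parse_hijack_entries(log_text):
    """Extract every browser setting the log reports as replaced or deleted."""
    entries, browser, prefs_file = [], None, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := BROWSER_RE.match(line):
            browser, prefs_file = m.group(1), None
        elif m := FILE_RE.match(line):
            prefs_file = m.group(1)
        elif m := REPLACED_RE.match(line):
            key, name, old, new = m.groups()
            entries.append({"browser": browser, "store": key, "setting": name,
                            "value": old, "host": host_of(old),
                            "restored_to": new, "truncated": False})
        elif m := PREF_RE.match(line):
            name, value = m.groups()
            # The log cuts long pref values short and marks them with "[...]".
            entries.append({"browser": browser, "store": prefs_file,
                            "setting": name, "value": value,
                            "host": host_of(value), "restored_to": None,
                            "truncated": value.endswith("[...]")})
    return entries


def settings_by_host(entries):
    """Group the hijacked settings by the host they pointed at."""
    grouped = defaultdict(list)
    for e in entries:
        if e["host"]:
            grouped[e["host"]].append(f'{e["browser"]}: {e["setting"]}')
    return dict(grouped)


def recheck_prefs(prefs_text, hosts):
    """Names of prefs in a current prefs.js that still mention a flagged host."""
    hits = []
    for m in re.finditer(r'user_pref\("([^"]+)",\s*(.*)\);', prefs_text):
        name, value = m.groups()
        if any(h in value.lower() for h in hosts):
            hits.append(name)
    return hits


if __name__ == "__main__":
    found = parse_hijack_entries(SAMPLE_LOG)
    by_host = settings_by_host(found)
    for host, settings in by_host.items():
        print(host, "->", settings)
    print("still present:", recheck_prefs(SAMPLE_PREFS, by_host))
```

Prefs whose value is not a URL, such as `browser.search.selectedEngine`, are returned by `parse_hijack_entries` with `host` set to `None`, so they need a manual look rather than a host match.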

#160
February 5, 2013 at 13:15:22
Can you give me the link to where you downloaded the K-Lite Video Codecs?

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#161
February 5, 2013 at 13:22:00
http://download.cnet.com/K-Lite-Meg...

I was running K-Lite Codec Pack 955 Full



#162
February 5, 2013 at 13:25:37
Also you can try running Wise Registry Cleaner before you try to install the K-Lite upgrade. This will remove any leftovers.
http://www.filehippo.com/download_k...

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#163
February 5, 2013 at 13:27:59
The Snap.Do search bar came from an Active X program I tried to install when attempting a Windows update.
The page wouldn't display as normally it would when they'd check to see what you had already.
So w/o Active X, or so the browser says, I can't get any updates if required, needed, or otherwise.


#164
February 5, 2013 at 13:29:15
I saw the Wise Registry Cleaner as a keeper anyway, it and the Disk Cleaner.;-)


#165
February 5, 2013 at 13:35:12
Ehhhh, no good.
That codec pack won't install w/o the errors popping up again.


#166
February 5, 2013 at 13:39:25
Now, I still have that Emsisoft Emergency Kit, it was very strong and effective in removing the ransomware off of one of my desktops, I could put it on a flash drive and run it if you think it will help.


#167
February 5, 2013 at 13:45:06
I don't think we have an infection still, most likely damage caused from removing one.

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#168
February 5, 2013 at 13:47:08
OK, that makes muuuuch more sense.


#169
February 5, 2013 at 13:53:12
Give us a list of everything not working?

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#170
February 5, 2013 at 14:02:06
Pretty much the drive isn't reading anything and if you go into My Music where my tunes are, clicking should bring up the WMP, but it doesn't, you have to open WMP and scroll and click on what's in the library, and checking Windows Updates.


#171
February 5, 2013 at 14:04:02
Oh, I forgot, the codecs won't install.


#172
February 5, 2013 at 14:17:52
I got the old codecs from file hippo to install, but drive still isn't reading audio or video, and isn't asking me what I want to open anything with.
Seems to me drivers are missing or corrupted.


#173
February 5, 2013 at 14:20:26
Download Ultra Virus Killer from this link: http://www.carifred.com/uvk/index.php
On the main window, select the UVK System Repair button. Then go through the fix list until you find the Fix and Enable Windows Update only. Double click it to run the repair.

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#174
February 5, 2013 at 14:31:30
It's still asking me to install ActiveX control to view the page correctly, but the pop up bar isn't there.
Do you have a safe secure link to Active X?


#175
February 5, 2013 at 14:38:51
Just back home.

Re #170 (your Music not opening from files).

Right click any one of the files that are not opening. Select "Open With" and set it to Windows Media Player. If it isn't listed then browse to the final exe in this path and associate it with that:
"C:\Program Files\Windows Media Player\wmplayer.exe"

This should only be done with files that were previously working with WMP.
If more than one music file extension will not open you will have to repeat it for each file type.

Always pop back and let us know the outcome - thanks



#176
February 5, 2013 at 14:52:02
All the music is already in the library and plays from WMP, but I highlighted them all and clicked on Add to WMP list anyway.
I followed this path C:\Program Files\Windows Media Player\wmplayer.exe and I have no wmplayer.exe displaying in that folder, only a wmplayer application.


#177
February 5, 2013 at 14:53:31
* Open the Internet Explorer browser and click the "Tools" menu option.

* Select "Internet Options" and click the "Security" tab.

* Click the "Custom level..." button and then scroll down to the "ActiveX controls and plug-ins" section in the "Security Settings - Internet Zone" window.

* Check the "Prompt" button under "Download signed ActiveX controls" and the "Enable" button under "Run ActiveX controls and plug-ins."

* Click on "OK" and then "OK" again to save the new settings.

* Click on the "Install" button when prompted to accept an ActiveX control by a website, or click the "Information Bar" on top of the browser and select "Install ActiveX." The ActiveX control will be downloaded and installed automatically.

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#178
February 5, 2013 at 15:01:07
They were already ticked.
Nothing came up to Install Active X


#179
February 5, 2013 at 15:05:22
* Open the Internet Explorer browser and click the "Tools" menu option.

* Select "Internet Options" and click the "Security" tab.

* Click the Reset All Zones to Default Level button.

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#180
February 5, 2013 at 15:09:59
You're gonna hate this.
The Reset All Zones to Default Level button is dead, like no hyperlink.


#181
February 5, 2013 at 15:12:06
Ahhh, if I adjust the Security level slider down to nothing, the Reset All Zones to Default Level button comes alive.
Do I dare do it that way?


#182
February 5, 2013 at 15:15:35
No don't bother doing it, it just means they are already set to Default settings :)

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#183
February 5, 2013 at 15:29:31
Try the Microsoft Update fix tool which also fixes ActiveX: http://support.microsoft.com/kb/971058

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#184
February 5, 2013 at 15:35:14
It came up with Windows Update components must be repaired and Fix Status says Fixed with an arrow inside of a green circle.
Let's see if that's for real when I close it.


#185
February 5, 2013 at 15:38:17
Nope, still wants to ask for Active X.


#186
February 5, 2013 at 15:39:41
Went to do a reboot and it still won't take the command to Restart.


#187
February 5, 2013 at 15:45:11
Re #176

I meant file associations with an actual music file (such as yourtune.wma), rather than "adding to WMP library". The path I gave was off my XP using WMP11. Maybe you have a different version installed elsewhere. You can get the path and exe file by right clicking your WMP icon (target).

No matter if you prefer to prioritize on other things right now.

Always pop back and let us know the outcome - thanks



#188
February 5, 2013 at 15:48:40
I am using WMP11, but yes there are other priorities.


#189
February 5, 2013 at 15:59:57
To fix shutdown download CAT.exe from this link: http://sourceforge.net/projects/cri...
On the first window select Fix Shutdown, then click the Apply Checked Fixes button.

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#190
February 5, 2013 at 16:05:54
On the first window selecting Fix Shutdown doesn't exist.



#191
February 5, 2013 at 16:29:29
I'm knockin off for the evening fellers.
Think on that shutdown and restart thing for me.
-Peace


#192
February 5, 2013 at 16:30:43
I haven't used it in a while, the More Fixes/Tweaks tab :)

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#193
February 5, 2013 at 16:31:19
"On the first window selecting Fix Shutdown doesn't exist"

http://i.imgur.com/wTkoNrL.gif



#194
February 5, 2013 at 16:41:54
Hi all. I'm going out for the day.

soeastbiker
I downloaded both QipShot & Gyazo.

With Gyazo, it puts a shortcut on the desktop. double click on it, then hold the left mouse button down, move it around the area you want to capture & then let the mouse button go. Immediately a web page opens.

Give us that link.



#195
February 6, 2013 at 01:59:58
soeastbiker, you appear to be making far too many mistakes, slow down & read what you are installing, instead of click, click, click.
Malware Prevention
http://www.malwarevault.com/prevent...
"There is no magic involved. The majority of malware is installed by the user themselves"

I would also use Softpedia, instead of CNet. Cnet are loading just about all their downloads with unwanted stuff.
Softpedia warns you if the program has unnecessary extras ( Refer SS ) They themselves, do not load any unwanted stuff.

K-Lite Mega Codec Pack Update 9.7.4 Build 2013.01.28 / 9.7.0
http://www.softpedia.com/get/Multim...
Users are advised to pay attention while installing this ad-supported application:
· Offers to change the homepage for web browsers installed in the system
· Offers to change the default search engine for web browsers installed in the system
· Offers to install StartNow Toolbar that the program does not require to fully function
SS of above.
http://i.imgur.com/CSBplyA.gif



#196
February 6, 2013 at 06:39:05
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~ CAT Summary Log - Date: 2013.02.06 @ 0936 hrs ~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--- CAT Version: 1.1 ---

=============== Repairing shutdown... ===============
Writing to registry: "HKEY_CURRENT_USER\Control Panel\DesktopAutoEndTasks"... Successful.
Writing to registry: "HKEY_CURRENT_USER\Control Panel\DesktopWaitToKillAppTimeout"... Successful.
Writing to registry: "HKEY_CURRENT_USER\Control Panel\DesktopHungAppTimeout"... Successful.
Writing to registry: "HKEY_USERS\.DEFAULT\Control Panel\DesktopAutoEndTasks"... Successful.
Writing to registry: "HKEY_USERS\.DEFAULT\Control Panel\DesktopWaitToKillAppTimeout"... Successful.
Writing to registry: "HKEY_USERS\.DEFAULT\Control Panel\DesktopHungAppTimeout"... Successful.
Writing to registry: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ControlWaitToKillServiceTimeout"... Successful.
Writing to registry: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory ManagementClearPageFileAtShutdown"... Successful.
============= Shutdown Repair Complete ==============

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~ CAT Summary Log End - Date: 2013.02.06 @ 0936 hrs ~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

---------------------------------------------------------------------



#197
February 6, 2013 at 07:08:32
#194
Turned out that the CAT.exe I had was ver. 1.1, your image shows Beta ver 0.6.7.0

http://gyazo.com/06e3f9ec3219dec851...

http://gyazo.com/d7627cb9428d4db58d...

#195
No more CNet.
When I got the Snap.Do search bar, I specifically unchecked all but the program that I was trying to D.L. and it still installed.
I know what you're saying, if you don't watch what you're doing eventually your entire page could become rancid toolbars and search bars.
The updated K-Lite Codec pack is gone, and the older version that worked on here, and my desktop PC's, K-Lite Codec Pack 955 Full, is back on here.



#198
February 6, 2013 at 07:10:55
Laptop reboots now via conventional mouse command.


#199
February 6, 2013 at 07:37:04
Upon reboot, a yellow Windows update icon (as it should when an update is available) appeared in the bottom bar and I installed 2 pieces of something that went so fast that I couldn't see what it was.
If I click on Start then Windows Update, it goes to http://www.update.microsoft.com/mic...
and for a split second the "Checking if your computer has the latest versions, blah, blah, blah" shows up then is quickly replaced with
http://gyazo.com/e38a9e644244aefe2e...
but the IE Information Bar isn't there to click on.

#183
Try the Microsoft Update fix tool which also fixes ActiveX: http://support.microsoft.com/kb/971058

http://gyazo.com/01e57f4e7c0e543895...

#194
'Preciate the instructions on how to use the Gyazo.



#200
February 6, 2013 at 08:07:48
Went back to UVK.
http://gyazo.com/3cf69376bfea522245...

No dice.
This still comes up...
http://gyazo.com/e38a9e644244aefe2e...



#201
February 6, 2013 at 08:30:08
Disc drive still no longer reads any media and no ActiveX is pretty much where I'm at.


#202
February 6, 2013 at 12:23:35
Check Add-ons in IE8 ActiveX is enabled:

check to see if ActiveX Controls is disabled.
under Tools on Internet Explorer
manage add-ons
enable or disable add-ons
look for ActiveX Control under Type. Enable it if it is disabled.

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#203
February 6, 2013 at 12:33:21
Add-ons in IE8 are enabled, but I don't see any ActiveX Controls under the Add-On Types.



#204

#205
February 6, 2013 at 12:39:28
Sorry was doing it from memory, I run Linux :)

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#206
February 6, 2013 at 13:17:03
soeastbiker
Yea, now you are really getting into the swing of things.

Is ActiveX the only problem now?



#207
February 6, 2013 at 13:20:17
That, and it doesn't read audio or video discs any longer.


#208
February 6, 2013 at 13:33:22
"That, and it doesn't read audio or video discs any longer"
Ok, one thing at a time, small steps.

1: Launch Internet Explorer.
2: Select Tools from the menu bar at the top of the page.
3: Select Internet Options.
4: Select the Security tab.
5: Select Custom Level.
6: Select Enable for the option “Download signed ActiveX controls”.
7: Click OK to close Security Settings.
8: Click OK to close Internet Options.
9: Restart Internet Explorer for the changes to take effect.

Now try updates.



#209
February 6, 2013 at 13:38:04
"Turned out that the CAT.exe I had was ver. 1.1, your image shows Beta ver 0.6.7.0"
Ok, what I did, was right click on the image on his download page & saved it to my desktop.
http://sourceforge.net/projects/cri...

http://i.imgur.com/fxKWzYq.gif



#210

#211
February 6, 2013 at 13:57:30
"Re opening IE"
Yep, try Updates & let's see if you can get them. I use > Custom.

Your ActiveX settings can always be reset back to recommended.



#212
February 6, 2013 at 14:04:40
Custom Updates.
http://blogs.conchango.com/marlondu...


#213
February 6, 2013 at 14:04:51
Custom is checking for the latest updates.....


#214

#215
February 6, 2013 at 14:10:21
"Custom is checking for the latest updates....."
Beautiful, could be lots of stuff you don't want, SS if you want us to look at, you may have to use the scroll bar & do more than one SS.

Also, give us a look at what driver updates it has.

http://imageshack.us/photo/my-image...



#216
February 6, 2013 at 14:18:25
Wasn't much showing in the Custom scan.

http://gyazo.com/e21cbb5454e9233e9e...



#217
February 6, 2013 at 14:25:55
"Wasn't much showing in the Custom scan"
Ok, I usually update that driver.


#218
February 6, 2013 at 14:27:14
"doesn't read audio or video discs any longer"
SS of Device Manager please.


#219
February 6, 2013 at 14:30:20
Looked like the Wi Fi and Ethernet.

http://gyazo.com/ca125788ad0260f88f...

SS of Device Manager coming up.



#220

#221
February 6, 2013 at 14:41:05
"Looked like the Wi Fi and Ethernet"
Yep.
http://i.imgur.com/pVpzhZe.gif


#222
February 6, 2013 at 14:45:27
http://i.imgur.com/XKXkI1Q.gif


#223
February 6, 2013 at 14:49:58
I didn't get in as last time.

http://gyazo.com/cebdd7b0691688372f...



#224

#225
February 6, 2013 at 14:55:48
http://i.imgur.com/Hj9jSLF.gif


#226
February 6, 2013 at 14:58:24
You do know that IE is still displaying this, right?

http://gyazo.com/ab4708a569a55b9c82...



#227
February 6, 2013 at 14:58:28
"doesn't read audio or video discs any longer"
Do a reboot & see if it is working.


#228
February 6, 2013 at 15:01:24
Test Your ActiveX Installation
http://www.pcpitstop.com/testax.asp


#229
February 6, 2013 at 15:04:02
"You do know that IE is still displaying this, right?"
Click that yellow bar & fix.


#230
February 6, 2013 at 15:07:53
#227
Nope. No read of anything.


#231
February 6, 2013 at 15:11:11
"Nope. No read of anything"
Is the light coming on when you insert a CD?

Was it working before your infections?



#232
February 6, 2013 at 15:11:23
#228
http://gyazo.com/e884b974dd0aa6eb8e...


#233
February 6, 2013 at 15:14:47
#231
The light is coming on when I insert a CD, blinking then it goes out.

It was working magnificently 2 weeks before the infections.

As I said wayyyy back, if it was on disc, it played it through WMP before the infections.



#234
February 6, 2013 at 15:15:07
#232
Click the yellow bar.


#235
February 6, 2013 at 15:17:34
Yellow bar clicked.

http://gyazo.com/eb40ef1c214f445310...



#236
February 6, 2013 at 15:27:47
I just looked in Add and Remove Programs with Show Updates clicked, and I only see up to SP2


#237
February 6, 2013 at 15:34:02
"Yellow bar clicked"
Back to one thing at a time.

Enable AutoRun. Download this onto your desktop, right click & hit > Merge. Reboot & test CD.
http://www.kellys-korner-xp.com/reg...



#238
February 6, 2013 at 15:55:28
It will play audio, video, and other discs if I left click on My Computer and when the drive displays a disc, right click on it and click Play.


#239
February 6, 2013 at 16:04:53
"It will play audio, video, and other discs if I left click on My Computer and when the drive displays a disc, right click on it and click Play."

Is that after doing the AutoRun fix?



#240
February 6, 2013 at 16:07:51
I'm not positive, that being the first time that I tried it manually.


#241
February 6, 2013 at 16:11:40
Ok, try this.

Have you rebooted?

http://support.microsoft.com/kb/314060



#242
February 6, 2013 at 16:28:46
Yes rebooted.
Ran the DVD fixer, when it got to the point that it opened the drive door I stuffed a disc in and my player didn't automatically pop up, I had to manually make it play.


#243
February 6, 2013 at 16:42:08
SS of the AutoPlay tab please.

Open My Computer or Explorer
Right-click the CD-ROM drive or other drive and click Properties.
Click the AutoPlay tab.



#244

#245
February 6, 2013 at 16:49:35
Ok, go down the bottom & click on the prompt message & click > Apply.

Reboot & test again.



#246
February 6, 2013 at 17:04:56
More to try.

http://gyazo.com/35ab47f41406d57e38...
Restore Defaults & click > Apply.

The AutoRun feature or the AutoPlay feature does not work when you insert a CD-ROM in the CD drive
http://support.microsoft.com/kb/330135
Try > Method 2: Make sure that AutoPlay is turned on



#247
February 6, 2013 at 17:05:41
Did it, Rebooted, tested again, same results, had to fire up video manually via My Computer.
Dig it man, I have an early a.m. tomorrow, not to mention side trip errands afterwards.
I gots ta go.
See if you concur and can give me some homework...

No Auto Run on discs - Manual, yes, which is an improvement.
No Active X to display the Windows Update page to display Custom or Express.
No SP3, which there used to be.



#248
February 6, 2013 at 17:09:22
Note to self, check #246


#249
February 6, 2013 at 17:12:44
" not to mention side trip errands afterwards"
Ditto. Thursday am here, jobs to get done.


#250
February 7, 2013 at 00:53:20
"I just looked in Add and Remove Programs with Show Updates clicked, and I only see up to SP2"
Download XP SP3, I suspect some parts are missing from your previous install of SP3.
Keep it, we will probably need it for the future.
If it installs correctly, go to MS Updates again & get all the latest fixes. Don't do too many at a time. If any won't install, try again later.
http://www.microsoft.com/download/e...


#251
February 7, 2013 at 12:56:48
#246
Hit Restore Defaults in the DVD-RW Drive (D:) Properties and clicked Apply.

http://support.microsoft.com/kb/330135
Try > Method 2: Make sure that AutoPlay is turned on

Backed up and restored the registry manually as requested.
The value for Autorun was 1.
At HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
The value was "dd"
I typed 91 in the Value data box.
Hexadecimal was already ticked.
Rebooted to determine whether the issue was resolved.
Situation unchanged, manual play only.

Moving on to method 3.
In the navigation pane, under Data, if the value for allocatecdroms was set to 0.

Moving on to step 5.
The drive is compatible and the methods in this article did not help, going to the “Next Steps” section.

"If these methods did not help you, you might want to ask someone you know for help...."
That's what I'm a-doin' ;-)
I clicked on the IE icon by mistake, it loaded, and Snap.Do is back.


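Added example, not part of the thread or of any poster's text: the value edited in post #251 under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer is assumed here to be NoDriveTypeAutoRun (the post does not name it), a bitmask in which each set bit disables AutoRun for one drive type. The Python sketch below parses a constructed .reg export and reports which drive types still have AutoRun enabled; the sample export and the function names are illustrative.

```python
import re

# Bit meanings of the NoDriveTypeAutoRun mask: a SET bit DISABLES AutoRun for that type.
DRIVE_BITS = {
    0x01: "unknown", 0x04: "removable", 0x08: "fixed", 0x10: "network",
    0x20: "cdrom", 0x40: "ramdisk", 0x80: "reserved",
}
POLICY_KEY = r"software\microsoft\windows\currentversion\policies\explorer"

# Constructed sample in .reg export format; not taken from the poster's machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000dd

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00
'''

def parse_masks(reg_text):
    """Return {hive: mask} for each NoDriveTypeAutoRun under the Explorer policy key."""
    masks, hive = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(HKEY_[A-Z_]+)\\(.+)\]", line)
        if m:  # a new key section starts; track it only if it is the policy key
            hive = m.group(1) if m.group(2).lower() == POLICY_KEY else None
            continue
        m = re.fullmatch(r'"NoDriveTypeAutoRun"=(dword|hex):([0-9a-fA-F,]+)', line)
        if m and hive:
            if m.group(1) == "dword":
                masks[hive] = int(m.group(2), 16)
            else:  # REG_BINARY form: comma-separated bytes, little-endian
                raw = bytes.fromhex(m.group(2).replace(",", ""))
                masks[hive] = int.from_bytes(raw, "little")
    return masks

def autorun_enabled(mask):
    """Drive types whose AutoRun is still enabled (bit clear) under this mask."""
    return sorted(name for bit, name in DRIVE_BITS.items() if not mask & bit)

def effective_mask(masks):
    """HKLM takes precedence over HKCU when both hold the value; None = no policy."""
    for hive in ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"):
        if hive in masks:
            return masks[hive]
    return None
```

Under this decoding, both values quoted in post #251 (dd and 91) leave the CD-ROM bit clear, and ff is the mask that disables AutoRun for every drive type.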

#252
February 7, 2013 at 13:48:30
"I clicked on the IE icon by mistake, it loaded, and Snap.Do is back"
Back to post #155
You didn't run Junkware Removal Tool



#253
February 7, 2013 at 13:53:34
Still working on #250, bout to wind it up now.
Yes, I killed Snap.Do with JRT, it's back again and on the end of the task list.


#254
February 7, 2013 at 14:02:48
"Still working on #250, bout to wind it up now"
Good one, that is your best next move, straight over the top of whatever is installed at the moment, no need to uninstall anything.


#255
February 7, 2013 at 14:09:44
"Yes, I killed Snap.Do with JRT, it's back again and on the end of the task list"
Did you look in Control Panel?
If in uninstall, uninstall it.


#256
February 7, 2013 at 14:13:38
Or, Open Internet Explorer. Go to Tools → Manage Add-ons.


#257
February 7, 2013 at 14:14:56
#250
Downloaded XP SP3 from http://www.microsoft.com/en-us/down...
Saved it to Desktop as everything I do starts out.
Ran it to Install it, appeared to be a complete install as it asked me to reboot.

On reboot a DOS System 32 box popped up but disappeared.

Going to the Updates page, the real deal CUSTOM and EXPRESS buttons displayed, but was quickly replaced with the request to have ActiveX installed.

Yellow shield in bottom bar appeared and had 4 Security updates installed from it.
Rebooted and tried the Updates page to see if it would display properly, nope it still wants ActiveX.
Discs not auto running yet.

Ran JRT it didn't kill Snap.Do, fired up AdwCleaner ran it, Snap.Do still hanging around.



#258
February 7, 2013 at 14:15:31
JRT

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.6.2 (02.02.2013:2)
OS: Microsoft Windows XP x86
Ran by Compaq on Thu 02/07/2013 at 17:01:15.25
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~ Services

~~~ Registry Values

Successfully repaired: [Registry Value] hkey_current_user\software\microsoft\internet explorer\searchurl\\Default
Successfully repaired: [Registry Value] hkey_users\S-1-5-21-1123561945-1482476501-1417001333-1003\software\microsoft\internet explorer\searchurl\\Default
Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchurl\\Default

~~~ Registry Keys

~~~ Files

~~~ Folders

~~~ FireFox

Emptied folder: C:\Documents and Settings\Compaq\Application Data\mozilla\firefox\profiles\hip24c2d.default\minidumps [1 files]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 02/07/2013 at 17:05:50.42
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#259
February 7, 2013 at 14:16:11
AdwCleaner

# AdwCleaner v2.111 - Logfile created 02/07/2013 at 17:10:12
# Updated 05/02/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Compaq - COMPAQ-A9C29542
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Compaq\Desktop\AdwCleaner(1).exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\APN

***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v18.0.2 (en-US)

File : C:\Documents and Settings\Compaq\Application Data\Mozilla\Firefox\Profiles\hip24c2d.default\prefs.js

[OK] File is clean.

File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\w478eqv1.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [17628 octets] - [02/02/2013 19:01:31]
AdwCleaner[R2].txt - [1103 octets] - [02/02/2013 20:07:14]
AdwCleaner[R3].txt - [3388 octets] - [05/02/2013 16:03:50]
AdwCleaner[R4].txt - [1420 octets] - [07/02/2013 17:09:54]
AdwCleaner[S1].txt - [18009 octets] - [02/02/2013 19:03:11]
AdwCleaner[S2].txt - [1164 octets] - [02/02/2013 20:07:34]
AdwCleaner[S3].txt - [3469 octets] - [05/02/2013 16:04:12]
AdwCleaner[S4].txt - [1353 octets] - [07/02/2013 17:10:12]

########## EOF - C:\AdwCleaner[S4].txt - [1413 octets] ##########



#260
February 7, 2013 at 14:25:37
Didn't find it in control panel

http://gyazo.com/c3f0fd292b9e168dfb...

No Snap.Do listed



#261
February 7, 2013 at 14:33:51
"Didn't find it in control panel"
Did you look in add/remove as well?


#262
February 7, 2013 at 14:51:59
Googling snap.do (there are trillions of combinations when trying to sort out computer problems), I have selected these sites to use. The trick in selecting a site is to find those that don't try, somewhere on their page, to get money for a fix.

http://botcrawl.com/how-to-remove-s...

http://www.host1free.com/snap-do-br...

Update & run all your other infection tools (quick scan) as well, including your AV.



#263
February 8, 2013 at 05:31:54
#261
"Didn't find it in control panel"
Did you look in add/remove as well?

That's what I meant, but not at the time, but it has since been killed on IE again.



#264
February 8, 2013 at 11:55:55
Ok, let's recap please.

SS of System Properties, as per this link.
http://screenshots.leeindy.com/syst...



#265
February 8, 2013 at 12:04:57
Johnw

I have to wait til tomorrow or as late as Monday, maybe Tuesday to proceed due to the weather forecast.
I must acquire rock salt and sand, check generator, etc.
Please leave this thread where it is.
I will be back.



#266
February 8, 2013 at 12:10:52
Ok soeastbiker, our weather is the exact opposite, stinking hot.


#267
February 8, 2013 at 13:07:41
Could use that hot weather here in UK.


#268
February 8, 2013 at 15:45:50
We get 9 months of sunshine a year in our patch Derek, even our winter is quite mild, very few nights go to minus, frost is as bad as it gets.

We have a swimming pool & reverse cycle air con, for me, all I need to do is use the pool to keep cool. The wife likes both.

Here is our 7 day forecast.
http://i.imgur.com/wfFDpFH.gif



#269
February 8, 2013 at 15:51:23
I'm so fussy - think I would find those temps a bit too high.


#270
February 8, 2013 at 15:59:57
Yep, some of our ex UK friends love it, some don't.


#271
February 15, 2013 at 14:00:39
✔ Best Answer
MrGoodguy, Johnw, Derek, thank you for all you've done for me.
I've had to go ahead with a total reinstall of Win XP.
Probably should have made that decision 2 days in.


#272
February 15, 2013 at 14:13:56
:) Thanks for letting us know.


#273
February 15, 2013 at 15:41:38
Hi soeastbiker, that was a lot of snow.

Guessed you must have been reinstalling.

How did you go getting the MS updates?


