
Internet hijacker isearch.fantastigames and loss of desktop icons and apps.


  • This topic is locked
38 replies to this topic

#1 deloria

deloria

  • Members
  • 77 posts
  • Local time:09:00 AM

Posted 25 June 2013 - 11:56 PM

Hi folks,

When I booted up my computer this morning, more than half of my desktop icons were missing, the sound didn't work, many apps weren't available (like Windows Media Player), and startup items were missing from the task bar.  A message balloon popped up in the task bar area telling me that spybot had blocked an attempt to add a toolbar.    In addition, my homepage was changed to isearch.fantastigames...but I was able to change it to something else and it appeared to stick.  I looked for toolbar addons and didn't see any unusual ones, but I noted that the default web search was for the fantastigames and the live search was something else.  I removed the live search option but it won't let me remove the web search.  I am able to use my AVG search and it works for the most part, but I have to watch that the isearch.fantastigames....doesn't pop up and take over.  I couldn't restore back to an earlier date either, although I attempted twice to go back to a time I knew it worked.  It went through the process but told me it was incomplete and no files were changed.  I also looked in the add/remove files but didn't see anything that didn't belong.

 

I have run a full antivirus scan with AVG and also Malwarebytes (5 hrs. later). I don't appear to have any malicious issues or viruses, and I am using Windows XP. I ran the RKill and it found no issues (however it did terminate two processes in the windows system and allowed me permission to edit my host files). I deleted a startup file that had no title (found with msconfig). Initially it said I didn't have permission to make the change, but after a restart the file no longer showed up, and the sound came back. I also ran unhide.exe hoping the files that were hidden would show up. It told me there was no temp\smtmp folder. I've read and researched and am now stuck. Is there someone who can help me figure out what the heck is going on so I can fix this crazy issue? It acts like a virus or malware, but it's hidden. I would truly appreciate any help you can provide. Thank you for your time.

 

JD

 




 


#2 noknojon

noknojon

  • Banned
  • 10,871 posts
  • Gender:Not Telling
  • Local time:02:00 AM

Posted 26 June 2013 - 12:32 AM

Hi -

Let's start with a few scans first. You can post these one at a time if it is easier for you -

 

Download Security Check by Screen317 from HERE
* Save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Note: If a security program requests permission to access the Internet, allow it to do so.

 

 

Next : Please download MiniToolBox, Save it to your desktop and run it.
Close any Firefox browsers you may have open
Checkmark the following boxes:
•Flush DNS
•Report IE Proxy Settings
•Reset IE Proxy Settings
•Report FF Proxy Settings
•Reset FF Proxy Settings
•List content of Hosts
•List IP configuration
•List last 10 Event Viewer log
•List Installed Programs
•List Users, Partitions and Memory size.
•List Minidump Files
 
Click Go and copy / paste the result (Result.txt).

 

 

Next : Please download AdwCleaner by Xplode onto your desktop.

*Close all open programs and internet browsers.

*Note- Your computer will be rebooted automatically
*Double click on adwcleaner.exe to run the tool.
*Click on Delete.
*Confirm each time with Ok.
*A text file will open after the restart.

*Please post the contents of that logfile with your next reply.
*You can find the logfile at C:\AdwCleaner[S1].txt as well.

 

 

Next : Please download Junkware Removal Tool by thisisu to your desktop
Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.

 

Make sure you enable your Antivirus program(s) when completed

 

 

Next : Please download SUPERAntiSpyware to desktop. Check for latest updates if not done during the download.

Run a Quick Scan only and wait for the results
You can check "Remove" for any infections found.

The program may ask you to Reboot if several infections are found.
 Copy / Paste the Report log back here when finished -

 

 

Thank You -



#3 deloria

deloria
  • Topic Starter

  • Members
  • 77 posts
  • Local time:09:00 AM

Posted 26 June 2013 - 07:12 PM

Results of screen317's Security Check version 0.99.68  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8 Out of date! 
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
 AVG 2013     
 AVG Security Toolbar    
 AVG 2013     
`````````Anti-malware/Other Utilities Check:````````` 
 MVPS Hosts File  
 Out of date HijackThis  installed! 
 SpywareBlaster 4.1    
 Spybot - Search & Destroy 
 Secunia PSI (3.0.0.6005)   
 Malwarebytes Anti-Malware version 1.75.0.1300  
 HijackThis 2.0.2    
 Java Web Start   
 Java™ 6 Update 45  
 Java 7 Update 21  
 Java version out of Date! 
 Adobe Reader 8  
 Adobe Reader XI  
 Google Chrome 27.0.1453.116  
 Google Chrome 28.0.1500.52  
````````Process Check: objlist.exe by Laurent````````  
 Norton ccSvcHst.exe 
 AVG avgwdsvc.exe 
 AVG avgrsx.exe 
 AVG avgnsx.exe 
 AVG avgemc.exe 
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:: 8% 
````````````````````End of Log`````````````````````` 
 
 
The computer is running like a slug at this point and I have another "new toolbar notification" in the task bar telling me that settings alerter has blocked an attempt to add a new toolbar to your browser.  I will run each of the scans and post them individually.  Thanks for your help on this.  I truly appreciate your efforts to get my files back.

 



#4 deloria

deloria
  • Topic Starter

  • Members
  • 77 posts
  • Local time:09:00 AM

Posted 26 June 2013 - 07:28 PM

MiniToolBox by Farbar  Version: 16-06-2013
Ran by Owner (administrator) on 26-06-2013 at 17:17:40
Running from "C:\Documents and Settings\TEMP\Desktop"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************
 
========================= Flush DNS: ===================================
 
 
Windows IP Configuration
 
 
 
Successfully flushed the DNS Resolver Cache.
 
 
========================= IE Proxy Settings: ============================== 
 
Proxy is not enabled.
No Proxy Server is set.
 
"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================

127.0.0.1 localhost
 
There are 15224 more lines starting with "127.0.0.1"
 
========================= IP Configuration: ================================
 
Realtek RTL8139/810x Family Fast Ethernet NIC = Local Area Connection (Connected)
 
 
# ---------------------------------- 
# Interface IP Configuration         
# ---------------------------------- 
pushd interface ip
 
 
# Interface IP Configuration for "Local Area Connection"
 
set address name="Local Area Connection" source=dhcp 
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp
 
 
popd
# End of interface IP configuration
 
 
 
 
Windows IP Configuration
 
 
 
        Host Name . . . . . . . . . . . . : Deloria
 
        Primary Dns Suffix  . . . . . . . : 
 
        Node Type . . . . . . . . . . . . : Broadcast
 
        IP Routing Enabled. . . . . . . . : No
 
        WINS Proxy Enabled. . . . . . . . : No
 
        DNS Suffix Search List. . . . . . : Home
 
 
 
Ethernet adapter Local Area Connection:
 
 
 
        Connection-specific DNS Suffix  . : Home
 
        Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast Ethernet NIC
 
        Physical Address. . . . . . . . . : 00-0E-A6-0F-D4-54
 
        Dhcp Enabled. . . . . . . . . . . : Yes
 
        Autoconfiguration Enabled . . . . : Yes
 
        IP Address. . . . . . . . . . . . : 192.168.1.104
 
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
 
        Default Gateway . . . . . . . . . : 192.168.1.1
 
        DHCP Server . . . . . . . . . . . : 192.168.1.1
 
        DNS Servers . . . . . . . . . . . : 192.168.0.1
 
                                            205.171.2.25
 
        Lease Obtained. . . . . . . . . . : Wednesday, June 26, 2013 4:25:30 PM
 
        Lease Expires . . . . . . . . . . : Thursday, June 27, 2013 4:25:30 PM
 
Server:  modem.Home
Address:  192.168.0.1
 
Name:    google.com
Addresses:  173.194.33.2, 173.194.33.7, 173.194.33.0, 173.194.33.4
 173.194.33.5, 173.194.33.1, 173.194.33.8, 173.194.33.9, 173.194.33.6
 173.194.33.3, 173.194.33.14
 
 
 
Pinging google.com [173.194.33.7] with 32 bytes of data:
 
 
 
Reply from 173.194.33.7: bytes=32 time=28ms TTL=56
 
Reply from 173.194.33.7: bytes=32 time=27ms TTL=56
 
 
 
Ping statistics for 173.194.33.7:
 
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
 
Approximate round trip times in milli-seconds:
 
    Minimum = 27ms, Maximum = 28ms, Average = 27ms
 
Server:  modem.Home
Address:  192.168.0.1
 
Name:    yahoo.com
Addresses:  206.190.36.45, 98.139.183.24, 98.138.253.109
 
 
 
Pinging yahoo.com [98.139.183.24] with 32 bytes of data:
 
 
 
Reply from 98.139.183.24: bytes=32 time=118ms TTL=50
 
Reply from 98.139.183.24: bytes=32 time=129ms TTL=52
 
 
 
Ping statistics for 98.139.183.24:
 
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
 
Approximate round trip times in milli-seconds:
 
    Minimum = 118ms, Maximum = 129ms, Average = 123ms
 
 
 
Pinging 127.0.0.1 with 32 bytes of data:
 
 
 
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
 
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
 
 
 
Ping statistics for 127.0.0.1:
 
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
 
Approximate round trip times in milli-seconds:
 
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
 
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0e a6 0f d4 54 ...... Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.104  20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1  1
      192.168.1.0    255.255.255.0    192.168.1.104   192.168.1.104  20
    192.168.1.104  255.255.255.255        127.0.0.1       127.0.0.1  20
    192.168.1.255  255.255.255.255    192.168.1.104   192.168.1.104  20
        224.0.0.0        240.0.0.0    192.168.1.104   192.168.1.104  20
  255.255.255.255  255.255.255.255    192.168.1.104   192.168.1.104  1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None
 
========================= Event log errors: ===============================
 
Application errors:
==================
Error: (06/25/2013 07:10:23 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.
 
Error: (06/25/2013 07:14:20 AM) (Source: Windows Search Service) (User: )
Description: The application cannot be initialized.
 
Context: Windows Application
 
 
Details:
The content index metadata cannot be read.   (0xc0041801)
 
Error: (06/25/2013 07:14:20 AM) (Source: Windows Search Service) (User: )
Description: The gatherer object cannot be initialized.
 
Context: Windows Application, SystemIndex Catalog
 
 
Details:
The content index metadata cannot be read.   (0xc0041801)
 
Error: (06/25/2013 07:14:20 AM) (Source: Windows Search Service) (User: )
Description: The plug-in in <Search.TripoliIndexer> cannot be initialized.
 
Context: Windows Application, SystemIndex Catalog
 
 
Details:
Element not found.   (0x80070490)
 
Error: (06/25/2013 07:14:16 AM) (Source: Windows Search Service) (User: )
Description: The plug-in in <Search.JetPropStore> cannot be initialized.
 
Context: Windows Application, SystemIndex Catalog
 
 
Details:
The content index metadata cannot be read.   (0xc0041801)
 
Error: (06/25/2013 07:14:16 AM) (Source: Windows Search Service) (User: )
Description: The Windows Search Service cannot load the property store information.
 
Context: Windows Application, SystemIndex Catalog
 
 
Details:
0x%08x (0xc0041800 - The content index cannot be read.  )
 
Error: (06/25/2013 07:14:16 AM) (Source: Windows Search Service) (User: )
Description: The search service has detected corrupted data files in the index. The service will attempt to automatically correct this problem by rebuilding the index.
 
 
Details:
The content index metadata cannot be read.   (0xc0041801)
 
Error: (06/25/2013 07:14:16 AM) (Source: Windows Search Service) (User: )
Description: The Windows Search Service cannot open the Jet property store.
 
 
Details:
The content index cannot be read.   (0xc0041800)
 
Error: (06/25/2013 07:14:16 AM) (Source: ESENT) (User: )
Description: SearchIndexer (2076) Database recovery/restore failed with unexpected error -501.
 
Error: (06/25/2013 07:14:15 AM) (Source: ESENT) (User: )
Description: SearchIndexer (2076) Corruption was detected during soft recovery in logfile C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS.log. The failing checksum record is located at position END. Data not matching the log-file fill pattern first appeared in sector 97 (0x00000061). This logfile has been damaged and is unusable.
 
 
System errors:
=============
Error: (06/26/2013 04:48:13 PM) (Source: Service Control Manager) (User: )
Description: The BBUpdate service failed to start due to the following error: 
%%1053
 
Error: (06/26/2013 04:48:13 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for the BBUpdate service to connect.
 
Error: (06/26/2013 04:47:45 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1053" attempting to start the service BBUpdate with arguments "-Service"
in order to run the server:
{D6381B4A-D254-46EB-9018-A62E0F4BA6BA}
 
Error: (06/26/2013 04:26:15 PM) (Source: Service Control Manager) (User: )
Description: The mrtRate service failed to start due to the following error: 
%%2
 
Error: (06/25/2013 07:10:56 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load: 
agp440
nv_agp
SISAGP
viaagp1
 
Error: (06/25/2013 07:10:49 PM) (Source: Service Control Manager) (User: )
Description: The mrtRate service failed to start due to the following error: 
%%2
 
Error: (06/25/2013 00:35:38 PM) (Source: Service Control Manager) (User: )
Description: The mrtRate service failed to start due to the following error: 
%%2
 
Error: (06/25/2013 00:26:19 PM) (Source: Service Control Manager) (User: )
Description: The mrtRate service failed to start due to the following error: 
%%2
 
Error: (06/25/2013 07:15:10 AM) (Source: Service Control Manager) (User: )
Description: The Windows Search service terminated with service-specific error 2147749155 (0x80040D23).
 
Error: (06/25/2013 07:14:10 AM) (Source: Service Control Manager) (User: )
Description: The mrtRate service failed to start due to the following error: 
%%2
 
 
Microsoft Office Sessions:
=========================
Error: (06/25/2013 07:10:23 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis operation returned because the timeout period expired.
 
Error: (06/25/2013 07:14:20 AM) (Source: Windows Search Service)(User: )
Description: Context: Windows Application
 
 
Details:
The content index metadata cannot be read.   (0xc0041801)
 
Error: (06/25/2013 07:14:20 AM) (Source: Windows Search Service)(User: )
Description: Context: Windows Application, SystemIndex Catalog
 
 
Details:
The content index metadata cannot be read.   (0xc0041801)
 
Error: (06/25/2013 07:14:20 AM) (Source: Windows Search Service)(User: )
Description: Context: Windows Application, SystemIndex Catalog
 
 
Details:
Element not found.   (0x80070490)
Search.TripoliIndexer
 
Error: (06/25/2013 07:14:16 AM) (Source: Windows Search Service)(User: )
Description: Context: Windows Application, SystemIndex Catalog
 
 
Details:
The content index metadata cannot be read.   (0xc0041801)
Search.JetPropStore
 
Error: (06/25/2013 07:14:16 AM) (Source: Windows Search Service)(User: )
Description: Context: Windows Application, SystemIndex Catalog
 
 
Details:
0x%08x (0xc0041800 - The content index cannot be read.  )
 
Error: (06/25/2013 07:14:16 AM) (Source: Windows Search Service)(User: )
Description: 
Details:
The content index metadata cannot be read.   (0xc0041801)
 
Error: (06/25/2013 07:14:16 AM) (Source: Windows Search Service)(User: )
Description: 
Details:
The content index cannot be read.   (0xc0041800)
JET_errLogFileCorrupt, Log file is corrupt
 
Error: (06/25/2013 07:14:16 AM) (Source: ESENT)(User: )
Description: SearchIndexer2076-501
 
Error: (06/25/2013 07:14:15 AM) (Source: ESENT)(User: )
Description: SearchIndexer2076C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS.logEND97 (0x00000061)
 
 
=========================== Installed Programs ============================
 
Adobe Flash Player 11 ActiveX (Version: 11.7.700.224)
Adobe Reader XI (11.0.03) (Version: 11.0.03)
Amazing Adventures Around the World (Version: 1.0.0.5)
Amazing Adventures The Lost Tomb (Version: 1.0.0.4)
American Greetings® Print! Premium 2
Apple Application Support (Version: 1.4.1)
Apple Software Update (Version: 2.1.1.116)
AVG 2013 (Version: 13.0.3204)
AVG 2013 (Version: 13.0.3345)
AVG 2013 (Version: 2013.0.3345)
AVG Security Toolbar (Version: 15.3.0.11)
Bejeweled 2 Deluxe
Bing Bar (Version: 7.2.233.0)
Blackhawk Striker from Hewlett-Packard Desktops (remove only)
Blasterball 2 from Hewlett-Packard Desktops (remove only)
Blood Ties (Version: 1.0.0.0)
Bounce from Hewlett-Packard Desktops (remove only)
Burger Rush (Version: 1.0.0.0)
Cannonballs from Hewlett-Packard Desktops (remove only)
Canon Camera Access Library (Version: 8.1.1.17)
Canon Camera Support Core Library (Version: 7.3.1.6)
Canon Camera Window DC_DV 5 for ZoomBrowser EX (Version: 5.4.5.17)
Canon Camera Window DC_DV 6 for ZoomBrowser EX (Version: 6.2.0.8)
Canon Camera Window MC 6 for ZoomBrowser EX (Version: 6.1.0.7)
Canon G.726 WMP-Decoder (Version: 1.0.1.3)
Canon MovieEdit Task for ZoomBrowser EX (Version: 2.2.0.13)
Canon RAW Image Task for ZoomBrowser EX (Version: 2.3.0.11)
Canon RemoteCapture Task for ZoomBrowser EX (Version: 1.5.0.5)
Canon Utilities EOS Utility (Version: 1.0.3.17)
Canon Utilities PhotoStitch (Version: 3.1.17.41)
Canon Utilities ZoomBrowser EX (Version: 5.6.0.27)
CLUE Classic (Version: 1.0.0.0)
Coby Media Manager (Version: 1.0.3002)
Compatibility Pack for the 2007 Office system (Version: 12.0.6612.1000)
CreativeProjects (Version: 5.30.0.136)
Director (Version: 5.30.0.131)
Easy Internet Sign-up (Version: FE UI-2.1.0.847)
Excavation from Hewlett-Packard Desktops (remove only)
Five Card Frenzy from Hewlett-Packard Desktops (remove only)
GameHouse
GemMaster 3 from Hewlett-Packard Desktops (remove only)
Google Chrome (Version: 28.0.1500.52)
Google Earth (Version: 7.0.3.8542)
Google Update Helper (Version: 1.3.21.145)
HijackThis 2.0.2 (Version: 2.0.2)
Honeycombs from Hewlett-Packard Desktops (remove only)
HP Deskjet Preloaded Printer Drivers (Version: 8.3.3.0)
HP Instant Support
HP Organize
HP Photo & Imaging 3.0 (Version: 3.0)
HP Photo and Imaging 2.0 - Photosmart Cameras (Version: 2.0.0000)
HP Unload DLL Patch (Version: 1.00.0000)
HP Update (Version: 5.003.001.001)
HPImageZone (Version: 1.03.00)
HPIZ Fix2 (Version: 1.00.01)
hpmdtab (Version: 2.0.464.1592)
HpSdpAppCoreApp (Version: 2.00.0000)
HPSystemDiagnostics (Version: 1.4.0.0)
IncrediMail (Version: 6.2.6.4878)
IncrediMail 2.0 (Version: 6.2.6.4878)
InstantShare (Version: 3.0.0.10)
InstantShareAlert (Version: 1.00.0000)
Intel® Extreme Graphics Driver
IntelliMover Data Transfer Demo
InterVideo WinDVD Player (Version: 4.0-B11.389)
Java 7 Update 21 (Version: 7.0.210)
Java Auto Updater (Version: 2.1.9.0)
Java Web Start
Java™ 6 Update 45 (Version: 6.0.450)
Jewel Quest Mysteries (Version: 1.2.0.0)
Junk Mail filter update (Version: 14.0.8089.726)
KBD
Lucy's Expedition (Version: 1.0.0.43)
Magentic (Version:  1.3.1.837)
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
Mars Rover from Hewlett-Packard Desktops (remove only)
Memories Disc Creator 2.0 (Version: 2.0.464.1592)
MetaFrame Presentation Server Web Client for Win32
MGI PhotoSuite 4 (Remove Only)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2698023)
Microsoft .NET Framework 1.1 Security Update (KB2742597)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Choice Guard (Version: 2.0.48.0)
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2003 (Version: 11.0.50)
Microsoft Money 2003 System Pack (Version: 11.0.80)
Microsoft National Language Support Downlevel APIs
Microsoft Office Live Add-in 1.5 (Version: 2.0.4024.1)
Microsoft Office XP Professional with FrontPage (Version: 10.0.6626.0)
Microsoft Plus! for Windows XP (Version: 1.00.01.0732)
Microsoft Silverlight (Version: 5.1.20125.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Sync Framework Runtime Native v1.0 (x86) (Version: 1.0.1215.0)
Microsoft Sync Framework Services Native v1.0 (x86) (Version: 1.0.1215.0)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft Visual J# .NET Redistributable Package 1.1 (Version: 1.1.4322)
Microsoft Web Publishing Wizard 1.52
Microsoft Works 7.0 (Version: 07.02.0620)
MSVCRT (Version: 14.0.1468.721)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 4.0 SP3 Parser (KB2721691) (Version: 4.30.2114.0)
MSXML 4.0 SP3 Parser (KB2758694) (Version: 4.30.2117.0)
MSXML 4.0 SP3 Parser (Version: 4.30.2100.0)
MUSICMATCH® Jukebox
Norton PC Checkup (Version: 2.0.3.271)
NVIDIA Gart Driver
NVIDIA Windows 2000/XP Display Drivers
OmniPass
Orbital from Hewlett-Packard Desktops (remove only)
Otto from Hewlett-Packard Desktops (remove only)
Photo Notifier and Animation Creator (Version: 1.0.0.1009)
Photo Organizer
PhotoGallery (Version: 5.30.0.136)
PhotoMail Maker (Version: 6.0.0.1007)
Photosmart 140,240,7200,7600,7700,7900 Series (Version: 2.0)
Platypus
Platypus II (Version: 1.0.0.0)
Polar Bowler from Hewlett-Packard Desktops (remove only)
PrintScreen (Version: 5.30.0.131)
Private Eye Greatest Unsolved Mysteries (Version: 1.0.0.3)
PS2
PSShortcutsP (Version: 1.00.0000)
Python 2.2 combined Win32 extensions
Python 2.2.1 (Version: 2.2.1)
QFolder (Version: 1.00.0000)
Quicken 2003 New User Edition (Version: 12.00.0000)
QuickProjects (Version: 5.30.0.131)
QuickTime (Version: 7.73.80.64)
RecordNow! (Version: 6.0.0)
Rhapsody Player Engine (Version: 1.0.690)
S3Display
S3Gamma2
S3Info2
S3Overlay
Sansa Media Converter
Scrapbook Paige (Version: 1.0.0.0)
Secunia PSI (3.0.0.6005) (Version: 3.0.0.6005)
Segoe UI (Version: 14.0.4327.805)
Settings Alerter (Version: 4.5.0.5054)
Shangri La 2 Deluxe (Version: 1.0.0.0)
SkinsHP1 (Version: 5.30.0.131)
SkinsHP2 (Version: 5.30.0.136)
Slyder from Hewlett-Packard Desktops (remove only)
Sonic Update Manager (Version: 2.80)
SpamSubtract
Spelling Dictionaries Support For Adobe Reader 8 (Version: 8.0.0)
Spybot - Search & Destroy (Version: 1.6.2)
SpywareBlaster 4.1 (Version: 4.1.0)
STX from Hewlett-Packard Desktops (remove only)
TextTwist 2
The Hidden Object Show Season 2 (Version: 2.0.2.0)
The Mystery of the Crystal Portal (Version: 1.0.0.0)
The Nightshift Code (Version: 1.0.0.76)
toolkit
TrayApp (Version: 5.30.0.131)
Unload (Version: 3.0.0)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB971930) (Version: 1)
Update for Windows Internet Explorer 8 (KB976662) (Version: 1)
Update for Windows Internet Explorer 8 (KB976749) (Version: 1)
Update for Windows Internet Explorer 8 (KB980182) (Version: 1)
Update for Windows Internet Explorer 8 (KB980302) (Version: 1)
Update for Windows XP (KB2141007) (Version: 1)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2467659) (Version: 1)
Update for Windows XP (KB2541763) (Version: 1)
Update for Windows XP (KB2607712) (Version: 1)
Update for Windows XP (KB2616676) (Version: 1)
Update for Windows XP (KB2641690) (Version: 1)
Update for Windows XP (KB2661254-v2) (Version: 2)
Update for Windows XP (KB2718704) (Version: 1)
Update for Windows XP (KB2736233) (Version: 1)
Update for Windows XP (KB2749655) (Version: 1)
Update for Windows XP (KB951072-v2) (Version: 2)
Update for Windows XP (KB951978) (Version: 1)
Update for Windows XP (KB955759) (Version: 1)
Update for Windows XP (KB955839) (Version: 1)
Update for Windows XP (KB961503) (Version: 1)
Update for Windows XP (KB967715) (Version: 1)
Update for Windows XP (KB968389) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
Update for Windows XP (KB971737) (Version: 1)
Update for Windows XP (KB973687) (Version: 1)
Update for Windows XP (KB973815) (Version: 1)
Updates from HP
Virtual Warfare from Hewlett-Packard Desktops (remove only)
WebFldrs XP (Version: 9.50.6513)
Weblink
Webshots Desktop
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Internet Explorer 7 (Version: 20061027.150806)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Live Call (Version: 14.0.8064.0206)
Windows Live Communications Platform (Version: 14.0.8098.930)
Windows Live Essentials (Version: 14.0.8089.0726)
Windows Live Essentials (Version: 14.0.8089.726)
Windows Live Family Safety (Version: 14.0.8093.805)
Windows Live Mail (Version: 14.0.8089.0726)
Windows Live Messenger (Version: 14.0.8089.0726)
Windows Live Photo Gallery (Version: 14.0.8081.709)
Windows Live Sign-in Assistant (Version: 5.000.818.5)
Windows Live Sync (Version: 14.0.8089.726)
Windows Live Upload Tool (Version: 14.0.8014.1029)
Windows Live Writer (Version: 14.0.8089.0726)
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0 (Version: 04.00.6001.503)
Windows XP Service Pack 3 (Version: 20080414.031525)
 
========================= Memory info: ===================================
 
Percentage of memory in use: 77%
Total physical RAM: 503.52 MB
Available physical RAM: 111.85 MB
Total Pagefile: 1230.73 MB
Available Pagefile: 523.07 MB
Total Virtual: 2047.88 MB
Available Virtual: 1975.22 MB
 
========================= Partitions: =====================================
 
2 Drive c: (HP_PAVILION) (Fixed) (Total:68.96 GB) (Free:18.9 GB) NTFS
3 Drive d: (HP_RECOVERY) (Fixed) (Total:5.55 GB) (Free:0.96 GB) FAT32
 
========================= Users: ========================================
 
User accounts for \\DELORIA
 
Administrator            ASPNET                   Guest                    
HelpAssistant            Owner                    SUPPORT_388945a0         
SUPPORT_fddfa904         
 
========================= Minidump Files ==================================
 
C:\WINDOWS\Minidump\Mini110106-01.dmp
C:\WINDOWS\Minidump\Mini110812-01.dmp
C:\WINDOWS\Minidump\Mini112604-01.dmp
 
**** End of log ****
 

 



#5 deloria

deloria
  • Topic Starter

  • Members
  • 77 posts
  • Local time:09:00 AM

Posted 26 June 2013 - 07:47 PM

# AdwCleaner v2.303 - Logfile created 06/26/2013 at 17:35:11
# Updated 08/06/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Owner - DELORIA
# Boot Mode : Normal
# Running from : C:\Documents and Settings\TEMP\Desktop\adwcleaner.exe
# Option [Delete]
 
 
***** [Services] *****
 
 
***** [Files / Folders] *****
 
Deleted on reboot : C:\Documents and Settings\TEMP\Local Settings\Application Data\AVG Secure Search
Deleted on reboot : C:\Documents and Settings\TEMP\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
Deleted on reboot : C:\Program Files\Common Files\AVG Secure Search
Folder Deleted : C:\Documents and Settings\All Users\Application Data\AVG Secure Search
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Tarma Installer
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Trymedia
Folder Deleted : C:\Documents and Settings\TEMP\Application Data\AVG Secure Search
Folder Deleted : C:\Documents and Settings\TEMP\Application Data\iWin
Folder Deleted : C:\Program Files\AVG Secure Search
Folder Deleted : C:\Program Files\Trymedia
 
***** [Registry] *****
 
Data Deleted : HKLM\..\Windows [AppInit_DLLs] = C:\PROGRA~1\SETTIN~1\Datamngr\datamngr.dll
Data Deleted : HKLM\..\Windows [AppInit_DLLs] = C:\PROGRA~1\SETTIN~1\Datamngr\IEBHO.dll
Key Deleted : HKCU\Software\AVG Secure Search
Key Deleted : HKCU\Software\DataMngr
Key Deleted : HKCU\Software\DataMngr_Toolbar
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{F2D6C718-7E52-428E-8852-365C4B1A6E36}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F2D6C718-7E52-428E-8852-365C4B1A6E36}
Key Deleted : HKLM\Software\AVG Secure Search
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D97A8234-F2A2-4AD4-91D5-FECDB2C553AF}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\BrowserConnection.dll
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI.1
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj.1
Key Deleted : HKLM\SOFTWARE\Classes\BrowserConnection.Loader
Key Deleted : HKLM\SOFTWARE\Classes\BrowserConnection.Loader.1
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F2D6C718-7E52-428E-8852-365C4B1A6E36}
Key Deleted : HKLM\SOFTWARE\Classes\iLividIEHelper.DNSGuard
Key Deleted : HKLM\SOFTWARE\Classes\iLividIEHelper.DNSGuard.1
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\viprotocol
Key Deleted : HKLM\SOFTWARE\Classes\S
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Key Deleted : HKLM\Software\DataMngr
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
Key Deleted : HKLM\Software\ImInstaller
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\AVG Secure Search
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F2D6C718-7E52-428E-8852-365C4B1A6E36}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG Secure Search
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Key Deleted : HKLM\Software\Tarma Installer
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [10]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [DataMngr]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [Avg@toolbar]
 
***** [Internet Browsers] *****
 
-\\ Internet Explorer v8.0.6001.18702
 
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls - Tabs] = hxxp://isearch.avg.com/tab?cid={56954E6B-169F-4E3C-8CD0-070DE22BF3C0}&mid=92e6cbdc97dc47d08262d147e0eb3da7-cd2d14fcc3f619692a999401742e9d0b45eeb165&lang=en&ds=AVG&pr=fr&d=2012-05-20 08:51:34&pid=avg&sg=0&v=15.3.0.11&sap=nt --> hxxp://www.google.com
 
-\\ Google Chrome v28.0.1500.52
 
*************************
 
AdwCleaner[S1].txt - [7284 octets] - [26/06/2013 17:35:11]
 
########## EOF - C:\AdwCleaner[S1].txt - [7344 octets] ##########
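
An added example, not part of deloria's post and not AdwCleaner's own code: a short triage script that sorts `[Registry]` lines like the ones above by the load point they touch, so the entries that actually execute code (AppInit_DLLs, Run values, Browser Helper Objects) stand out from COM registration noise. The category names and function names are this example's own; the sample lines are copied from the log above.

```python
import re
from collections import defaultdict

# Category labels and rule order are this example's own, not AdwCleaner's.
AI, RUN, BHO = "AppInit_DLLs injection", "Run-key autostart", "Browser Helper Object"
TOOLBAR, EXT, COM = "IE toolbar", "browser extension/plugin", "COM registration"
RULES = [  # first match wins
    (AI, re.compile(r"\[AppInit_DLLs\]", re.I)),
    (RUN, re.compile(r"\\CurrentVersion\\Run(Once)?\s*\[", re.I)),
    (BHO, re.compile(r"\\Browser Helper Objects\\", re.I)),
    (TOOLBAR, re.compile(r"\\Internet Explorer\\Toolbar", re.I)),
    (EXT, re.compile(r"\\(Chrome\\Extensions|Firefox\\Extensions|MozillaPlugins)", re.I)),
    (COM, re.compile(r"\\Classes\\(CLSID|AppID|Interface|TypeLib)\\", re.I)),
]
ENTRY = re.compile(r"^(?:Data|Key|Value) Deleted : (.+)$")
GUID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# A few [Registry] lines copied from the AdwCleaner log above.
SAMPLE_LOG = r"""
Data Deleted : HKLM\..\Windows [AppInit_DLLs] = C:\PROGRA~1\SETTIN~1\Datamngr\datamngr.dll
Key Deleted : HKCU\Software\DataMngr
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [DataMngr]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
"""


def classify(target):
    """Return the category of one registry target string."""
    for label, rule in RULES:
        if rule.search(target):
            return label
    return "other"


def triage(log_text):
    """Group every 'Data/Key/Value Deleted' line by category."""
    buckets = defaultdict(list)
    for raw in log_text.splitlines():
        match = ENTRY.match(raw.strip())
        if match:
            buckets[classify(match.group(1))].append(match.group(1))
    return dict(buckets)


def hooked_guids(buckets):
    """GUIDs registered as COM classes that are also wired into IE as a BHO or toolbar."""
    com = {g.upper() for t in buckets.get(COM, []) for g in GUID.findall(t)}
    hooks = {g.upper() for label in (BHO, TOOLBAR)
             for t in buckets.get(label, []) for g in GUID.findall(t)}
    return sorted(com & hooks)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for label in (AI, RUN, BHO, TOOLBAR, EXT, COM, "other"):
        for target in found.get(label, []):
            print(f"{label:26} {target}")
    print("COM classes wired into IE:", hooked_guids(found))
```

The GUID cross-check is the useful part when reading a long log: a CLSID that also appears under Browser Helper Objects or Toolbar is one that was loaded into the browser, while the rest are registration leftovers.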
 

 



#6 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:02:00 AM

Posted 26 June 2013 - 07:54 PM

Hi -

A few quick items so far -

 Norton ccSvcHst.exe > (Norton PC Checkup (Version: 2.0.3.271) < < Ask if you wish to have the Norton uninstall directions.
Java™ 6 Update 45 (Version: 6.0.450)
Java 7 Update 21 (Version: 7.0.210) < < Current version is now Version 7 Update 25. Please remove (uninstall) all old versions -
If you have a Java icon in Control Panel, the second tab is to Update.

 

mvps.org is no longer recommending Spybot S&D or Ad-Aware due to poor testing results. See Here - (scroll down and read under Freeware Antispyware Products).

Uninstall instructions ->
System settings protector is Teatimer. When you go to Tools/Resident and uncheck Resident "Teatimer", that is supposed to stop Teatimer from running.
Go to Advanced Mode, Tools, Resident, uncheck Resident "Sdhelper" and Resident "Teatimer".
After that's done, right-click an empty area of the taskbar on your computer, and then click Task Manager. Scroll through the Processes listed in the Processes tab, and if Teatimer.exe is listed in there, right click it and end the process.
If that works ok, try uninstalling again.
The window that pops up asking if you're sure if you'd like to Uninstall Spybot is normal. Just press Yes to continue.

 

One or 2 of the programs I left may remove this, as it is not a safe program to use -
Unless you use IncrediMail (Version: 6.2.6.4878), this should be removed as it contains Spyware to track your movements, and to redirect your Home Pages.

 

EDITED as we overposted each other -


Edited by noknojon, 26 June 2013 - 07:57 PM.


#7 deloria

Posted 26 June 2013 - 08:02 PM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.4 (05.06.2013:1)
OS: Microsoft Windows XP x86
Ran by Owner on Wed 06/26/2013 at 17:52:32.31
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL
 
 
 
~~~ Registry Keys
 
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2465}
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
Failed to delete: [Folder] "C:\Documents and Settings\All Users\application data\wincert"
Successfully deleted: [Folder] "C:\Documents and Settings\TEMP\appdata\locallow\datamngr"
Successfully deleted: [Folder] "C:\Documents and Settings\All Users\start menu\programs\hot deals"
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 06/26/2013 at 17:57:31.20
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

The machine seems to be running better at this point, but my icons and files are still missing.  Hopefully that will come back later.  I have one more scan to run.  I'll be back.....



#8 noknojon

Posted 26 June 2013 - 08:22 PM

Open Control Panel > Add/Remove < Look for any item that seems to have isearch.fantastigames or any odd name.

Remove anything that you are not sure of, or post a list back here so I can see them first -

As it is not directly listed in Programs, you have installed it with one or more of the listed games you show there.

 

Thanks -


Edited by noknojon, 26 June 2013 - 08:25 PM.


#9 deloria

Posted 26 June 2013 - 08:34 PM

SUPERAntiSpyware Scan Log
 
Generated 06/26/2013 at 06:23 PM
 
Application Version : 5.6.1020
 
Core Rules Database Version : 10566
Trace Rules Database Version: 8378
 
Scan type       : Quick Scan
Total Scan Time : 00:14:45
 
Operating System Information
Windows XP Home Edition 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator
 
Memory items scanned      : 436
Memory threats detected   : 0
Registry items scanned    : 32056
Registry threats detected : 0
File items scanned        : 9435
File threats detected     : 31
 
Adware.Tracking Cookie
 

It looks like it only found cookies which I'm in the process of removing.  I noticed that many of the names of my "missing" files flew by while it was scanning.  The files appear to have an additional extension on them of either link or lnk (shortcuts??).  I'm not sure where they are, but is there a way to do some kind of mass removal of that extension??  



#10 noknojon

Posted 26 June 2013 - 08:54 PM

Ok

Were there any items listed in the Malwarebytes (MBAM) scan that you can pull up ??

Open the program > Logs (at the top) > look for the scan as they are dated in order of scan -

 

I do not see CCleaner listed, but did you have / use it at all recently ? This can cause one of your problems -



#11 deloria

Posted 26 June 2013 - 09:33 PM

I planned to use CCleaner at some point, but haven't installed it yet.  MBAM had a handful of Pups and a couple of files I recognized as not being a big deal.  I removed them with the scan.

 

 I removed Spybot, Incredimail, and Java ™ 6 update 45.  I'm in the process of updating Java.  Are you suggesting that I remove Norton checkup?  It isn't a good app?  

 

I've checked over every one of the file names in the control panel add/remove area and there are no unusual files there.  In addition, most of the games are many years old and none have been installed recently.  I need to restart my computer to complete the Spybot uninstall so I will do that soon.  I probably will not be back to this site tonight.  

 

I still have no idea how I got this virus/malware because I haven't downloaded anything or clicked on any ads in the time frame that it had the issue.  I never got a hit from AVG, and the last day that it worked, I didn't even surf the web.  Usually, I know exactly what happened as soon as I did it.  

 

Many of my files still appear to be missing (even though I know they are here somewhere) and desktop shortcuts are still gone (and quick launch).   Some of my applications and settings have been changed or are missing.  I needed to reconfigure the media player as though it was never set up. When I tried to open Excel, it acted like it had never been set up before either.  Next steps??  

 

Thanks again for all your help.  My computer seems to be operating better already.  I'm using Chrome instead of IE at this point as it doesn't seem to have the redirect issue (or maybe that's fixed now).    



#12 deloria

Posted 26 June 2013 - 09:40 PM

Here is the log from the last scan I ran.
 
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.06.25.10
 
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Owner :: DELORIA [administrator]
 
6/25/2013 3:40:22 PM
mbam-log-2013-06-25 (15-40-22).txt
 
Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 509304
Time elapsed: 2 hour(s), 59 minute(s), 55 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)

 

 

 

 



#13 noknojon

Posted 26 June 2013 - 10:00 PM

Ok - MBAM is clean -

The option to remove Norton is yours, but I have WinPatrol (free) running and it warns about hijackers etc.

 

I know the time zones are out for us, so when you can, I will leave another scanner or 2 to try -

 

 

You said that you ran rKill, and this often repairs these corrupted lnk / exe links. Please retry another scan.

 

Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them.
NOTE : You may get warnings from your antivirus about this tool, ignore them or shut down your antivirus.
rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

If normal mode still doesn't work, run the tool from safe mode.
When the scan is done Notepad will open with rKill log.
Post it in your next reply.
NOTE. rKill.txt log will also be present on your desktop.
NOTE Do NOT wrap your logs in "quote" or "code" brackets.

 

 

Finally : Run a Disk Check on your C: drive in Windows XP:
  • Click Start and open My Computer
  • Right-click on C: (or your hard drive letter) and select Properties
  • Click on the Tools tab
  • Under Error-checking click the Check Now... button
  • Mark the 2 boxes next to Automatically fix file system errors and Scan for and attempt recovery of bad sectors
  • Click on the Start button
  • When the message box pops up, click OK to Schedule disk check and Restart your computer
  • Once your computer restarts it will check the drive, don't press any keys so that it is allowed to do so

This will take about 1 hour (on average) but please let it run if it lasts a bit longer

 

A couple of hours work for your free time - B)

 

Thanks -



#14 deloria

Posted 27 June 2013 - 07:07 PM

Rkill 2.5.3 by Lawrence Abrams (Grinler)
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 06/27/2013 04:56:13 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * C:\windows\system\hpsysdrv.exe (PID: 3420) [WD-HEUR]
 * C:\WINDOWS\System32\hphmon05.exe (PID: 3524) [WD-HEUR]
 
2 proccesses terminated!
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * No issues found.
 
Checking Windows Service Integrity: 
 
 * No issues found.
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * Cannot edit the HOSTS file.
 * Permissions Fixed. Administrators can now edit the HOSTS file.
 
 * HOSTS file entries found: 
 
 
  20 out of 15244 HOSTS entries shown.
  Please review HOSTS file for further entries.
 
Program finished at: 06/27/2013 04:58:53 PM
Execution time: 0 hours(s), 2 minute(s), and 40 seconds(s)
 

No missing files show up yet.  I'll run the other scan shortly.  I'll also uninstall Norton checkup.  Do you have a safe place to direct me to download WinPatrol?  I don't trust many of the download sites that I'm sent to because they may be malware downloads which I've experienced before (and now).  Thanks.
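
Rkill shows only 20 of the 15244 HOSTS entries and asks for the rest to be reviewed. The following added example (not part of Rkill or of this post) shows one way to do that review in bulk: entries pointing at loopback or 0.0.0.0 are counted as blocklist sinkholes, any name mapped to a routable address is listed as a redirect to inspect, and sinkholed names on a watchlist of security sites are called out. The watchlist, the function name and the sample file are assumptions of the example.

```python
import ipaddress

# Assumed watchlist for this example: sites a cleanup needs to reach. Adjust locally.
WATCH = ("malwarebytes.org", "avg.com", "windowsupdate.com")

# Constructed sample, not the HOSTS file from this thread.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       ads.tracker.example    # blocklist-style sinkhole
0.0.0.0         popups.example
127.0.0.1       www.malwarebytes.org
203.0.113.10    www.google.com search.example
not-an-ip       broken.example
"""


def audit_hosts(text):
    """Split HOSTS entries into sinkholes, watchlist blocks, redirects and bad lines."""
    report = {"sinkholed": [], "blocked_watchlist": [], "redirected": [], "malformed": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            report["malformed"].append(line)
            continue
        if len(fields) < 2:                       # address with no host name
            report["malformed"].append(line)
            continue
        for name in (f.lower() for f in fields[1:]):
            if not (addr.is_loopback or addr.is_unspecified):
                # A name forced to a routable address is what a hijack looks like.
                report["redirected"].append((name, str(addr)))
            elif name != "localhost":
                report["sinkholed"].append(name)
                if any(name == d or name.endswith("." + d) for d in WATCH):
                    # Sinkholing a security site keeps scanners from updating.
                    report["blocked_watchlist"].append(name)
    return report


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    print(len(result["sinkholed"]), "sinkholed names")
    for name in result["blocked_watchlist"]:
        print("security site blocked:", name)
    for name, addr in result["redirected"]:
        print("redirect to review:", name, "->", addr)
    for line in result["malformed"]:
        print("malformed line:", line)
```

On a real machine the input would be the contents of `C:\WINDOWS\system32\drivers\etc\hosts`; a file with thousands of sinkholed names and no redirects is consistent with an immunization blocklist rather than a hijack.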



#15 noknojon

Posted 27 June 2013 - 08:03 PM

Read Information Here
Direct Download here http://www.winpatrol.com/download.html

 

Has anything improved at all yet with IE ??





