Solved: Internet Explorer gets hijacked and Microsoft Security Essentials gets disabled

Trying again after removing some strange characters found in the OTL.txt file

*** OTL.txt

All processes killed
========== OTL ==========
Service AppMgmt stopped successfully!
Service AppMgmt deleted successfully!
File %SystemRoot%\System32\appmgmts.dll not found.
Service WDICA stopped successfully!
Service WDICA deleted successfully!
Service PDRFRAME stopped successfully!
Service PDRFRAME deleted successfully!
Service PDRELI stopped successfully!
Service PDRELI deleted successfully!
Service PDFRAME stopped successfully!
Service PDFRAME deleted successfully!
Service PDCOMP stopped successfully!
Service PDCOMP deleted successfully!
Service PCIDump stopped successfully!
Service PCIDump deleted successfully!
Service lbrtfdc stopped successfully!
Service lbrtfdc deleted successfully!
Service i2omgmt stopped successfully!
Service i2omgmt deleted successfully!
Service Changer stopped successfully!
Service Changer deleted successfully!
Service catchme stopped successfully!
Service catchme deleted successfully!
File C:\DOCUME~1\BILLHE~1\LOCALS~1\Temp\catchme.sys not found.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@Apple.com/iTunes,version=\ deleted successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\FRST\Quarantine\Install\{825e1174-a405-eeb0-f6ca-438f3ffa937f}\\\\{825e1174-a405-eeb0-f6ca-438f3ffa937f} folder moved successfully.
C:\FRST\Quarantine\Install\{825e1174-a405-eeb0-f6ca-438f3ffa937f}\\\ folder moved successfully.
C:\FRST\Quarantine\Install\{825e1174-a405-eeb0-f6ca-438f3ffa937f}\\ folder moved successfully.
C:\FRST\Quarantine\Install\{825e1174-a405-eeb0-f6ca-438f3ffa937f}\ folder moved successfully.
C:\FRST\Quarantine\Install\{825e1174-a405-eeb0-f6ca-438f3ffa937f} folder moved successfully.
Folder move failed. C:\FRST\Quarantine\Install\Install\{825e1174-a405-eeb0-f6ca-438f3ffa937f}\ \ \\{825e1174-a405-eeb0-f6ca-438f3ffa937f} scheduled to be moved on reboot.
C:\FRST\Quarantine\Install\Install\{825e1174-a405-eeb0-f6ca-438f3ffa937f}\ \ \ folder moved successfully.
Folder move failed. C:\FRST\Quarantine\Install\Install\{825e1174-a405-eeb0-f6ca-438f3ffa937f}\ \ scheduled to be moved on reboot.
Folder move failed. C:\FRST\Quarantine\Install\Install\{825e1174-a405-eeb0-f6ca-438f3ffa937f}\ scheduled to be moved on reboot.
Folder move failed. C:\FRST\Quarantine\Install\Install\{825e1174-a405-eeb0-f6ca-438f3ffa937f} scheduled to be moved on reboot.
Folder move failed. C:\FRST\Quarantine\Install\Install scheduled to be moved on reboot.
Folder move failed. C:\FRST\Quarantine\Install scheduled to be moved on reboot.
Folder move failed. C:\FRST\Quarantine scheduled to be moved on reboot.
C:\FRST\Logs folder moved successfully.
C:\FRST\Hives\Users\00000002 folder moved successfully.
C:\FRST\Hives\Users\00000001 folder moved successfully.
C:\FRST\Hives\Users folder moved successfully.
C:\FRST\Hives folder moved successfully.
C:\FRST folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Google Chrome cache emptied: 8629336 bytes

User: All Users

User: Bill Hebert
->Temp folder emptied: 4273173 bytes
->Temporary Internet Files folder emptied: 19530233 bytes
->Java cache emptied: 25277 bytes
->Google Chrome cache emptied: 72904501 bytes
->Flash cache emptied: 15761019 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Guest User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 9568390 bytes
->Flash cache emptied: 42072 bytes

User: NetworkService
->Temp folder emptied: 60835990 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2176856 bytes
%systemroot%\System32 .tmp files removed: 374671 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 2585921 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 19225962 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 2569130 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 208.00 mb


[EMPTYJAVA]

User: Administrator

User: All Users

User: Bill Hebert
->Java cache emptied: 0 bytes

User: Default User

User: Guest User
->Java cache emptied: 0 bytes

User: LocalService

User: NetworkService

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Bill Hebert
->Flash cache emptied: 0 bytes

User: Default User

User: Guest User

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 10152013_183206
Files\Folders moved on Reboot...
File\Folder C:\FRST\Quarantine\Install\Install\{825e1174-a405-eeb0-f6ca-438f3ffa937f}\ \ \\{825e1174-a405-eeb0-f6ca-438f3ffa937f} not found!
File\Folder C:\FRST\Quarantine\Install\Install\{825e1174-a405-eeb0-f6ca-438f3ffa937f}\ \ not found!
File\Folder C:\FRST\Quarantine\Install\Install\{825e1174-a405-eeb0-f6ca-438f3ffa937f}\ not found!
File\Folder C:\FRST\Quarantine\Install\Install\{825e1174-a405-eeb0-f6ca-438f3ffa937f} not found!
File\Folder C:\FRST\Quarantine\Install\Install not found!
File\Folder C:\FRST\Quarantine\Install not found!
File\Folder C:\FRST\Quarantine not found!
PendingFileRenameOperations files...
Registry entries deleted on Reboot...

*** checkup.txt

Results of screen317's Security Check version 0.99.74
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
`````````Anti-malware/Other Utilities Check:`````````
MVPS Hosts File
Spybot - Search & Destroy
Malwarebytes Anti-Malware version 1.75.0.1300
Java 7 Update 17
Java version out of Date!
Adobe Reader 9 Adobe Reader out of Date!
Google Chrome 30.0.1599.66
Google Chrome 30.0.1599.69
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
Malwarebytes' Anti-Malware mbamscheduler.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 24% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
*** fss.txt

Farbar Service Scanner Version: 13-09-2013
Ran by Bill Hebert (administrator) on 15-10-2013 at 18:41:12
Running from "C:\Documents and Settings\Bill Hebert\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============
Firewall Disabled Policy:
==================

System Restore:
============
System Restore Disabled Policy:
========================

Security Center:
============

Windows Update:
============
Windows Autoupdate Disabled Policy:
============================

Other Services:
==============
Checking ServiceDll of RemoteAccess: ATTENTION!=====> Unable to open RemoteAccess registry key. The service key does not exist.

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x0700000005000000010000000200000003000000040000000600000007000000
IpSec Tag value is correct.
**** End of log ****

*** eset.txt

C:\System Volume Information\_restore{A922DAD0-5883-4DEF-A7EC-C4C1492A8F91}\RP905\A0065786.exe a variant of Win32/Kryptik.BLXE trojan cleaned by deleting - quarantined
E:\My Downloads\YouTube Downloader\FFDShow_Setup.exe a variant of Win32/Adware.iBryte.C application cleaned by deleting - quarantined
 
Try TFC from safe mode.

Update Adobe Reader

You can download it from https://www.techspot.com/downloads/2083-adobe-reader-dc.html
After installing the latest Adobe Reader, uninstall all previous versions (if present).
Note: If you already have Adobe Photoshop® Album Starter Edition installed, or do not wish to have it installed, UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Alternatively, you can uninstall Adobe Reader and install one of two free alternatives:

- Foxit PDF Reader from HERE.
It's a much smaller file to download and uses a lot less resources than Adobe Reader.
Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or any other garbage.

- PDF-XChange Viewer: http://www.tracker-software.com/product/pdf-xchange-viewer

1. Update your Java version here: https://www.techspot.com/downloads/6463-java-se.html
Alternate download: http://www.java.com/en/download/manual.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: If you're running 64-bit system make sure you install BOTH, 32-bit and 64-bit Java.

Note 3: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now, we need to remove the old Java version and its remnants...

Download JavaRa to your desktop and unzip it.
  • Run JavaRa.exe (Vista and 7 users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Do NOT post JavaRa log.

FSS shows one registry key missing.

The following steps involve registry editing. Please create a new restore point before proceeding!!!
How to: http://www.smartestcomputing.us.com/topic/63983-how-to-create-new-restore-point-all-windows/

Download RemoteAccess.reg file from here: http://download.bleepingcomputer.com/win-services/xp/RemoteAccess.reg
Double click on RemoteAccess.reg file and confirm the prompt.
Restart computer.
Post new FSS log.
 
Broni,

Ran TFC in Safe Mode - file copied below
Able to uninstall Acrobat Reader 9.0 - Note below
Able to install and run new Acrobat Reader 11
Able to load new Java version and remove all older versions
Created new Restore Point
Ran RemoteAccess and created a new FSS file - file copied below

*** Did have one problem: Current Acrobat Reader was version 9.0 and wanted to be updated, so I updated it to v 9.5.5 and I thought I was fine. Tried to run it and it locked up my computer. Had to reboot and it went into a Check System mode. Indicated there were two link issues and two file issues. Screen went away before I could write the info down. On reboot, I noticed that the Desktop icons now paint very slowly and it takes a long time for the icon symbols to paint. I then installed AR 11.0 and performed all the other tasks requested with no issues. But the slow painting of Icon Symbols has occurred on every reboot since the System Check ran.

====================================================
Getting user folders.

Stopping running processes.

Emptying Temp folders.


User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes

User: All Users

User: Bill Hebert
->Temp folder emptied: 260149 bytes
->Temporary Internet Files folder emptied: 19402341 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 492 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Guest User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 19702 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 72136 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes

Emptying RecycleBin. Do not interrupt.

RecycleBin emptied: 0 bytes
Process complete!

Total Files Cleaned = 19.00 mb
======================================================

Farbar Service Scanner Version: 13-09-2013
Ran by Bill Hebert (administrator) on 17-10-2013 at 11:46:43
Running from "C:\Documents and Settings\Bill Hebert\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============
Firewall Disabled Policy:
==================

System Restore:
============
System Restore Disabled Policy:
========================

Security Center:
============

Windows Update:
============
Windows Autoupdate Disabled Policy:
============================

Other Services:
==============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x0700000005000000010000000200000003000000040000000600000007000000
IpSec Tag value is correct.
**** End of log ****
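As an added example (not code from the thread or from the Farbar tool), the parser below reads the FSS log layout shown in the two logs above and compares the 15-10-2013 log (RemoteAccess key missing, no network) with the 17-10-2013 log after RemoteAccess.reg was imported. The embedded excerpts are constructed from those logs, and the function and field names are assumptions of this example.

```python
"""Parse Farbar Service Scanner (FSS) logs and compare a before/after pair.

Added example, not code from the thread or from FSS. The excerpts below are
constructed from the logs posted in the thread; the layout rules assumed here
(section headers ending in ':', '=>' verdict lines, ATTENTION! markers) are
only those visible in those logs.
"""
import re
from dataclasses import dataclass, field

# "Checking ServiceDll of RemoteAccess: ATTENTION!=====> ..." -> service name
ATTENTION_RE = re.compile(r"Checking ServiceDll of (\w+): ATTENTION!")
# "C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit" -> path and verdict
FILE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\\S+) => (?P<verdict>.+)$")

@dataclass
class FssReport:
    connection: list = field(default_factory=list)  # lines under "Connection Status:"
    attention: list = field(default_factory=list)   # services flagged ATTENTION!
    files: dict = field(default_factory=dict)       # path -> True only if "MD5 is legit"
    ipsec_tag_ok: bool = False

def parse_fss(text: str) -> FssReport:
    """Walk the log line by line, tracking the current section header."""
    report, section = FssReport(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"=", "*"}:
            continue                      # blank lines and ===== / ***** underlines
        if line.endswith(":"):
            section = line[:-1]           # e.g. "Connection Status", "File Check"
            continue
        hit = ATTENTION_RE.search(line)
        if hit:
            report.attention.append(hit.group(1))
            continue
        hit = FILE_RE.match(line)
        if hit:
            # anything other than the exact "legit" verdict is treated as a failure
            report.files[hit.group("path")] = hit.group("verdict").strip() == "MD5 is legit"
            continue
        if section == "Connection Status":
            report.connection.append(line)
        elif line == "IpSec Tag value is correct.":
            report.ipsec_tag_ok = True
    return report

def issues(report: FssReport) -> list:
    """Everything a helper would want to act on before calling the machine clean."""
    out = [f"service key missing: {name}" for name in report.attention]
    out += [f"unexpected hash: {path}" for path, ok in report.files.items() if not ok]
    if "LAN connected." not in report.connection:
        out.append("no LAN connection reported")
    if not report.ipsec_tag_ok:
        out.append("IpSec tag not confirmed")
    return out

def compare(before: FssReport, after: FssReport) -> dict:
    """Which ATTENTION findings a fix resolved, which appeared, and what is left."""
    return {
        "resolved": sorted(set(before.attention) - set(after.attention)),
        "new": sorted(set(after.attention) - set(before.attention)),
        "remaining": issues(after),
    }

# Constructed excerpt of the 15-10-2013 log (only a few File Check lines kept).
LOG_BEFORE = r"""
Farbar Service Scanner Version: 13-09-2013
Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Google IP is accessible.

Other Services:
==============
Checking ServiceDll of RemoteAccess: ATTENTION!=====> Unable to open RemoteAccess registry key. The service key does not exist.

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
Extra List:
=======
IpSec Tag value is correct.
**** End of log ****
"""
# Constructed 17-10-2013 excerpt: same layout, LAN up, RemoteAccess warning gone.
LOG_AFTER = re.sub(r"Checking ServiceDll of \w+: ATTENTION!.*\n", "",
                   LOG_BEFORE.replace("There is no connection to network.", "LAN connected."))

if __name__ == "__main__":
    before, after = parse_fss(LOG_BEFORE), parse_fss(LOG_AFTER)
    print("before:", issues(before))
    print("after :", compare(before, after))
```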
 
Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point, using the following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[emptyjava]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.

2. Now, we'll remove all the tools we used during our cleaning process

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure Windows Updates are current.

4. If any trojans, rootkits or bootkits were listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

5. Check if your browser plugins are up to date.
Firefox - https://www.mozilla.org/en-US/plugincheck/
other browsers: https://browsercheck.qualys.com/ (click on "Launch a quick scan now" link)

6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

8. Run Temporary File Cleaner (TFC), AdwCleaner and Junkware Removal Tool (JRT) weekly.

9. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

10. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

11. (Windows XP only) Run defrag at your convenience.

12. When installing\updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

13. Read:
How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
Simple and easy ways to keep your computer safe and secure on the Internet: http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

14. Please let me know how your computer is doing.
 
Broni,

Microsoft Security Essentials indicated I needed to do an updated scan.
I ran the scan and the program found 4 severe threats.
C:\_OTL\Movedfiles\C_FRST\Quarantine\Install\\\\
Named:
Trojan: Win32\Sirefef.AN
Trojan: Win32\Sirefef!cfg
Trojan: Win32\Sirefef.AG
Trojan: Win32\Sirefef

Should I Apply Action - Remove
or
should I ignore them, as they could be inert now in a quarantine state in the C:\_OTL directory?
 
You can ignore those findings.
All files were already quarantined by FRST and moved by OTL.
After running step 2 they'll be gone.
 
Broni,

I did not see the new post from you before running Microsoft Security Essentials.
Should I run - Remove - before I run the new OTL run you just posted?
 
Broni,

Ran OTL - Run Fix with the copied text and program locked at killing processes - DO NOT INTERRUPT...
rebooted
Disabled Microsoft Essentials Antivirus and ran OTL - Run Fix again and it locked up again at the same point
Should I try in Safe Mode?
 
Broni,

Was able to complete all the tasks above. I have 3 things to review with you.

1) I deleted ALL programs and files we added to the Desktop except Malwarebytes. Do I also delete all other directories and files that were generated on the C:\ drive?
C:\_OTL\MovedFiles
C:\ADWCleaner\Quarantine
C:\OTLRun
C:\Documents and Settings\Bill Hebert\Desktop\mbar\Data

2) A new problem was created on machine when I ran:
https://browsercheck.qualys.com
It indicated I needed to enable Java to run the scan, which was my current version, Version 7 Update 45, which was recently installed.
Program indicated I needed to update my versions of Adobe Reader and QuickTime, which I did through their site with no issue.
I now have a new problem:
-- I rebooted and I try to open my IE Browser and it does not open. Nothing happens for quite a while,... Then my MSE Firewall pops up and says it is not turned on and I need to turn it on. After a while longer the browser does come up very slowly. I then go into MSE Firewall and it says it is Active? I can open some websites. I then tried to go back into https://browsercheck.qualys.com to see if there were other updates and it will not let me go to that browser page?

How do I get my IE browser back to running normal again?

3) Copied are the OTL log as well as the logs from new AdwCleaner and JRT runs. Malwarebytes did not flag anything

*** OTL log
All processes killed
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes

User: All Users

User: Bill Hebert
->Temp folder emptied: 6399341 bytes
->Temporary Internet Files folder emptied: 12929383 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 602 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Guest User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 8476 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 15574 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 4290863940 bytes

Total Files Cleaned = 4,111.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Bill Hebert
->Flash cache emptied: 0 bytes

User: Default User

User: Guest User

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService

Total Flash Files Cleaned = 0.00 mb


[EMPTYJAVA]

User: Administrator

User: All Users

User: Bill Hebert
->Java cache emptied: 0 bytes

User: Default User

User: Guest User
->Java cache emptied: 0 bytes

User: LocalService

User: NetworkService

Total Java Files Cleaned = 0.00 mb

Unable to start System Restore Service. Error code 10

OTL by OldTimer - Version 3.2.69.0 log created on 10182013_102402
Files\Folders moved on Reboot...
PendingFileRenameOperations files...
Registry entries deleted on Reboot...
*** AdwCleaner log
# AdwCleaner v3.008 - Report created 18/10/2013 at 13:35:04
# Updated 17/10/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Bill Hebert - BILLS-MACHINE
# Running from : C:\Documents and Settings\Bill Hebert\Desktop\AdwCleaner.exe
# Option : Clean
***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}
***** [ Browsers ] *****
-\\ Internet Explorer v8.0.6001.18702

-\\ Google Chrome v30.0.1599.101
[ File : C:\Documents and Settings\Bill Hebert\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]

[ File : C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]

*************************
AdwCleaner[R0].txt - [5756 octets] - [14/10/2013 12:47:23]
AdwCleaner[R1].txt - [1251 octets] - [18/10/2013 13:30:28]
AdwCleaner[S0].txt - [5925 octets] - [14/10/2013 12:51:06]
AdwCleaner[S1].txt - [1176 octets] - [18/10/2013 13:35:04]
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1236 octets] ##########
*** JRT Log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.7 (10.15.2013:3)
OS: Microsoft Windows XP x86
Ran by Bill Hebert on Fri 10/18/2013 at 13:41:59.00
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

~~~ Chrome
Successfully deleted: [Folder] C:\Documents and Settings\Bill Hebert\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 10/18/2013 at 13:46:54.17
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
1. Some of them should be gone after running OTL Cleanup (step 2).
If it didn't happen, you can remove those manually.

2. Reset Internet Explorer.
Go here: http://support.microsoft.com/kb/923737 and run "FixIt" procedure.
You can use ANY browser to download "FixIt" file.
Make sure you follow ALL steps listed there.
 
Broni,
The C:\_OTL\MovedFiles\ directory will not delete,...
I had to run OTL Cleanup in Safe Mode and it did not really look like it deleted or cleaned up very much after the reboot. I had to delete a lot of files manually.
This is the directory that has the quarantined - Trojan:Win32/Sirefef - files in it.
They keep getting flagged as Severe Threats when I run MSE scan.
Should I try running OTL Cleanup again and this time in Normal mode?
 
Try Unlocker to delete _OTL folder.

Download, and install Unlocker: http://www.emptyloop.com/unlocker/
Restart computer.
It'll install under right click menu.

Open Windows Explorer.
Navigate to offending folder/file.

Right click on a folder/file. Click Unlocker
Select Delete from drop-down menu:

Click OK.
A folder/file will refuse to be deleted, but Unlocker will give you an option to delete on reboot:

Click Yes.
Restart computer.
 
Broni,

The download is indicating I must install a program called - Delta Toolbar - and this is something I do not want to add to my system as I am trying to keep it free of all these extras they ask to load and take up space on IE page.

Is there an option in the install menu I can get to in order to skip over delta Toolbar install? Options?
 
Broni,
I just remembered,...

I did use a few USB drives that had some of my data on them in the initial stages when I could not get IE access on my infected machine and had to use my laptop to get and send files back to you.
What should I run to make sure the USB drives are not infected,...
 
Broni,
I did notice this statement in my final OTL run log file
Unable to start System Restore Service. Error code 10
Does this mean there is an issue with my System Restore?
 
Broni,

- System running really fast now.
- You were able to get me back all the disk capacity that was getting gobbled up.
- PSI did not run successfully on my machine - It would hang in the last stage where it was creating a report file - Got message that it could not continue to run a script as it was slowing down my machine so I removed the program.
- Uninstaller ran fine and I was able to delete the _OTL files.
- Ran a final scan with MSE and still get the (4) Trojan:Win32/Sirefef threats even after the _OTL files are removed and then removed again from the Recycle Bin. I go to do a folder search for the directory Win32/ and Windows Search will let me enter the directory Win32 to try to locate it and I cannot find the Start button in Windows Search window to find where the folder is? I do not remember ever having that problem in previous searches I have done.
 
Broni,
It was the old C:\_OTL directory I had deleted with Uninstaller.
After a few runs of MSE I was able to get the files to no longer be flagged.
Looks like they were inside MSE as C:\_OTL was gone,...

Cleaning USB drives and trying Restore tomorrow
Looks like we are almost done,...
 
Broni,
Looks like we are done!!! (y)

System running really good now and tested all my programs and they all run fine.
Was able to scan all USB drives I had to use during cleaning process and they came back clean.
Turns out System Restore indicated it was turned off. I turned it back on and was able to create a new clean restore point.

A few closing questions: :confused:

1) I noticed under System Restore Settings - Remote Tab - that this was enabled - Is it safer to have this disabled?

2) When I was working with MSE to remove the 4 Trojan quarantined files on _OTL directory, I saw on Microsoft Windows site a scanning program called Microsoft Security Scanner - Do you have an opinion on this program?

3) I have too many programs running in the startup and services menus and I would like to understand how disabling them through the msconfig program would impact (better or worse) the security/safety of my computer.
*** I know I should not touch MSC in startup menu and any essential services.
But the others like ATI, Java, Adobe, ArcSoft, Quicktime, Google, Messenger, Windows Search, I am not sure of,... Any thoughts,...
 
1. It really doesn't matter. It must be enabled if you ever want someone to take a remote look at your computer.

2. Never used it.

3. You have plenty of RAM so the number of startups shouldn't be crucial.
If you want to play there anyway never use "msconfig" as startup control.
It's a troubleshooting tool.
Instead use Autoruns: http://www.techrepublic.com/blog/th...move-unnecessary-startup-tasks-with-autoruns/
To identify which programs you need to have as startups and which not check this page: http://www.bleepingcomputer.com/startups/

Good luck and stay safe :)
 