
problem acquiring OTL by OldTimer


  • This topic is locked
61 replies to this topic

#1 emsikatt

    Member

  • Members
  • 32 posts
  • OS: Windows XP
  • AV: avg, malwarebytes, emsisoftemergency, mamutu
  • HIPS: ms firewall

Posted 09 July 2012 - 05:27 PM

@ http://support.emsis...1-wont-go-away/, in regards to a "getstyles!E1", I was instructed to download OTL by OldTimer.

Page comes up as a 503 error.

I did find some mirrors to download 24960-OTL, BUT program would not run, showing an error. The only error report I could figure out how to copy is as follows:

[attachment=12481:error report ffb2_appcompat.txt]

<?xml version="1.0" encoding="UTF-16"?>
<DATABASE>
<EXE NAME="24960-OTL(1).exe" FILTER="GRABMI_FILTER_PRIVACY">
<MATCHING_FILE NAME="24960-OTL(1).exe" SIZE="595968" CHECKSUM="0xC4652E1F" BIN_FILE_VERSION="3.2.43.1" BIN_PRODUCT_VERSION="3.2.43.1" PRODUCT_VERSION="3.0.0.0" FILE_DESCRIPTION="" COMPANY_NAME="OldTimer Tools" PRODUCT_NAME="OTL" FILE_VERSION="3.2.43.1" ORIGINAL_FILENAME="OTL.exe" INTERNAL_NAME="OTL.exe" LEGAL_COPYRIGHT="" VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x4" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x97BD8" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="3.2.43.1" UPTO_BIN_PRODUCT_VERSION="3.2.43.1" LINK_DATE="06/19/1992 22:22:17" UPTO_LINK_DATE="06/19/1992 22:22:17" VER_LANGUAGE="English (United States) [0x409]" />
<MATCHING_FILE NAME="24960-OTL.exe" SIZE="595968" CHECKSUM="0xC4652E1F" BIN_FILE_VERSION="3.2.43.1" BIN_PRODUCT_VERSION="3.2.43.1" PRODUCT_VERSION="3.0.0.0" FILE_DESCRIPTION="" COMPANY_NAME="OldTimer Tools" PRODUCT_NAME="OTL" FILE_VERSION="3.2.43.1" ORIGINAL_FILENAME="OTL.exe" INTERNAL_NAME="OTL.exe" LEGAL_COPYRIGHT="" VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x4" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x97BD8" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="3.2.43.1" UPTO_BIN_PRODUCT_VERSION="3.2.43.1" LINK_DATE="06/19/1992 22:22:17" UPTO_LINK_DATE="06/19/1992 22:22:17" VER_LANGUAGE="English (United States) [0x409]" />
<MATCHING_FILE NAME="jre-7u5-windows-i586-iftw.exe" SIZE="893936" CHECKSUM="0xE0088601" BIN_FILE_VERSION="7.0.50.5" BIN_PRODUCT_VERSION="7.0.50.5" PRODUCT_VERSION="7.0.50.5" FILE_DESCRIPTION="Java™ Platform SE binary" COMPANY_NAME="Oracle Corporation" PRODUCT_NAME="Java™ Platform SE 7 U5" FILE_VERSION="7.0.50.5" ORIGINAL_FILENAME="jinstall.exe" INTERNAL_NAME="Setup Launcher" LEGAL_COPYRIGHT="Copyright © 2012" VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0xE650C" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="7.0.50.5" UPTO_BIN_PRODUCT_VERSION="7.0.50.5" LINK_DATE="05/16/2012 02:38:35" UPTO_LINK_DATE="05/16/2012 02:38:35" VER_LANGUAGE="English (United States) [0x409]" />
</EXE>
<EXE NAME="kernel32.dll" FILTER="GRABMI_FILTER_THISFILEONLY">
<MATCHING_FILE NAME="kernel32.dll" SIZE="989696" CHECKSUM="0x2D998938" BIN_FILE_VERSION="5.1.2600.5781" BIN_PRODUCT_VERSION="5.1.2600.5781" PRODUCT_VERSION="5.1.2600.5781" FILE_DESCRIPTION="Windows NT BASE API Client DLL" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Microsoft® Windows® Operating System" FILE_VERSION="5.1.2600.5781 (xpsp_sp3_gdr.090321-1317)" ORIGINAL_FILENAME="kernel32" INTERNAL_NAME="kernel32" LEGAL_COPYRIGHT="© Microsoft Corporation. All rights reserved." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0xFE572" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="5.1.2600.5781" UPTO_BIN_PRODUCT_VERSION="5.1.2600.5781" LINK_DATE="03/21/2009 14:06:58" UPTO_LINK_DATE="03/21/2009 14:06:58" VER_LANGUAGE="English (United States) [0x409]" />
</EXE>
<EXE NAME="kernel32.dll" FILTER="GRABMI_FILTER_THISFILEONLY">
<MATCHING_FILE NAME="kernel32.dll" SIZE="989696" CHECKSUM="0x2D998938" BIN_FILE_VERSION="5.1.2600.5781" BIN_PRODUCT_VERSION="5.1.2600.5781" PRODUCT_VERSION="5.1.2600.5781" FILE_DESCRIPTION="Windows NT BASE API Client DLL" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Microsoft® Windows® Operating System" FILE_VERSION="5.1.2600.5781 (xpsp_sp3_gdr.090321-1317)" ORIGINAL_FILENAME="kernel32" INTERNAL_NAME="kernel32" LEGAL_COPYRIGHT="© Microsoft Corporation. All rights reserved." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0xFE572" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="5.1.2600.5781" UPTO_BIN_PRODUCT_VERSION="5.1.2600.5781" LINK_DATE="03/21/2009 14:06:58" UPTO_LINK_DATE="03/21/2009 14:06:58" VER_LANGUAGE="English (United States) [0x409]" />
</EXE>
</DATABASE>


Sorry if it is gibberish...

Do not have access to a computer that I can use to download to usb.

Is there another program that I can use? I think my hjt is still working, if that would be of any help.

thanks

#2 Elise

    Forum Veteran

  • Emsisoft Employee
  • 4380 posts
  • Location: Romania
  • OS: Windows 7 x64

Posted 10 July 2012 - 09:28 AM

The Geekstogo site, which mirrors OTL, was down yesterday, hence the error. It should work now though.

The official secondary mirror is: http://www.itxassoci...T-Tools/OTL.exe
Best regards,

Elise van Dorp [Malware Research]

Emsisoft Team - http://www.emsisoft.com

#3 emsikatt


Posted 11 July 2012 - 07:01 PM

Thank you...I downloaded another OTL and tried to run it, but got another error:

<?xml version="1.0" encoding="UTF-16"?>
<DATABASE>
<EXE NAME="OTL.exe" FILTER="GRABMI_FILTER_PRIVACY">
<MATCHING_FILE NAME="OTL.exe" SIZE="595968" CHECKSUM="0x2978B06E" BIN_FILE_VERSION="3.2.53.1" BIN_PRODUCT_VERSION="3.2.53.1" PRODUCT_VERSION="3.0.0.0" FILE_DESCRIPTION="" COMPANY_NAME="OldTimer Tools" PRODUCT_NAME="OTL" FILE_VERSION="3.2.53.1" ORIGINAL_FILENAME="OTL.exe" INTERNAL_NAME="OTL.exe" LEGAL_COPYRIGHT="" VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x4" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x922B5" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="3.2.53.1" UPTO_BIN_PRODUCT_VERSION="3.2.53.1" LINK_DATE="06/19/1992 22:22:17" UPTO_LINK_DATE="06/19/1992 22:22:17" VER_LANGUAGE="English (United States) [0x409]" />
</EXE>
<EXE NAME="kernel32.dll" FILTER="GRABMI_FILTER_THISFILEONLY">
<MATCHING_FILE NAME="kernel32.dll" SIZE="989696" CHECKSUM="0x2D998938" BIN_FILE_VERSION="5.1.2600.5781" BIN_PRODUCT_VERSION="5.1.2600.5781" PRODUCT_VERSION="5.1.2600.5781" FILE_DESCRIPTION="Windows NT BASE API Client DLL" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Microsoft® Windows® Operating System" FILE_VERSION="5.1.2600.5781 (xpsp_sp3_gdr.090321-1317)" ORIGINAL_FILENAME="kernel32" INTERNAL_NAME="kernel32" LEGAL_COPYRIGHT="© Microsoft Corporation. All rights reserved." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0xFE572" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="5.1.2600.5781" UPTO_BIN_PRODUCT_VERSION="5.1.2600.5781" LINK_DATE="03/21/2009 14:06:58" UPTO_LINK_DATE="03/21/2009 14:06:58" VER_LANGUAGE="English (United States) [0x409]" />
</EXE>
<EXE NAME="kernel32.dll" FILTER="GRABMI_FILTER_THISFILEONLY">
<MATCHING_FILE NAME="kernel32.dll" SIZE="989696" CHECKSUM="0x2D998938" BIN_FILE_VERSION="5.1.2600.5781" BIN_PRODUCT_VERSION="5.1.2600.5781" PRODUCT_VERSION="5.1.2600.5781" FILE_DESCRIPTION="Windows NT BASE API Client DLL" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Microsoft® Windows® Operating System" FILE_VERSION="5.1.2600.5781 (xpsp_sp3_gdr.090321-1317)" ORIGINAL_FILENAME="kernel32" INTERNAL_NAME="kernel32" LEGAL_COPYRIGHT="© Microsoft Corporation. All rights reserved." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0xFE572" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="5.1.2600.5781" UPTO_BIN_PRODUCT_VERSION="5.1.2600.5781" LINK_DATE="03/21/2009 14:06:58" UPTO_LINK_DATE="03/21/2009 14:06:58" VER_LANGUAGE="English (United States) [0x409]" />
</EXE>
</DATABASE>

Any suggestions?

thank you

#4 Kevin Zoll

    Malware Removal Support

  • Emsisoft Employee
  • 13453 posts
  • Location: Depauville, NY, USA
  • OS: Windows 7 x64
  • AV: Emsisoft Anti-Malware
  • HIPS: Windows Firewall
  • Other: WinPatrol Plus

Posted 11 July 2012 - 09:15 PM

We need an actual error code/message. The contents of the XML file only tell us what crashed, not why it crashed.
Kevin Zoll [Malware Removal Support]
Emsisoft Team - www.emsisoft.com

I am online Monday - Friday each week from 1900-2100 Central European Time/1300-1500 Eastern Time (US).
 
If you are seeking Malware Removal support keep it in the forums.  It is not permissible to contact support staff by Private Message (PM), IM (Skype, MSN, AOL, Yahoo, etc.) or Email.

Purchase Emsisoft Anti-Malware and Online Armor Firewall

#5 emsikatt


Posted 12 July 2012 - 06:52 PM

Thank you...

After "running otl", I get: "Exception EOleSusError in module 24960-OTL.exe at 000584A5. Class not registered."


Another notice opens over that, which says:

"OTL has encountered a problem and needs to close."

I clicked on "to see what data this error report contains":

"Error signature

AppName 24960-otlexe AppVer. 3.2.43.1 ModName: kernel32.dll
ModVer. 5.1.2600.5781 Offset: 00012afb

This error report includes: information regarding the condition of OTL when the problem occurred:---"

and goes on to explain their privacy policies. The error report that I have posted was from a link at the bottom of that notice.

Sorry, but that is all that I have....

Yesterday The "scan" in EmsisoftEmergencyKit would not scan! It would start full scan, then close. I ran Malwarebytes in "safe mode" and it found nothing. EmsisoftEmergencyKit would not scan in safe mode!

This morning it seems to be working again! It found trace !E1 again.

Does this thread/problem need to be somewhere else?

Thank you.....

#6 Kevin Zoll


Posted 12 July 2012 - 06:57 PM

I am moving this support thread to the malware removal section of the forums.

Attach all logs from the tools that have run so far.
Kevin Zoll [Malware Removal Support]

#7 emsikatt


Posted 14 July 2012 - 01:14 AM

Here is emsisoft scan, a hjt scan, and a full malwarbytes scan. OTL still will not run.

Thank you

#8 Kevin Zoll


Posted 14 July 2012 - 02:38 AM

Download ComboFix from one of these locations:

Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop

Link 1
Link 2

* IMPORTANT !!! Save ComboFix to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    See HERE for help
  • Double click on Combo-Fix & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:
1. Do not mouseclick combofix's window while it's running. That may cause it to stall!
2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)
  • ComboFix (C:\combofix.txt)
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
Kevin Zoll [Malware Removal Support]

#9 emsikatt


Posted 14 July 2012 - 07:40 PM

Thank you....here are the logs that may be what you asked for:
[attachment=12574:ComboFix.txt]
[attachment=12575:ComboFix-quarantined-files.txt]

Also, I was not asked about "Microsoft Windows Recovery Console", so I assume that it is on my computer. How would I access it?

I found avg difficult to turn off. Had to search around for the correct place to do it. Clicking "exit" on the quick start menu just deleted that function.


ComboFix installed a folder in C drive, with an empty sub folder of N_ . Should I delete those folders?


Let me run computer for a day and then scan again to see what is going on....


thank you.

#10 Kevin Zoll


Posted 14 July 2012 - 08:20 PM

Don't delete anything, unless you are told to do so. Your system is not malware free.

Now we need to use ComboFix to remove some stuff.
  • Make sure that the copy of ComboFix that you downloaded earlier is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
  • Open Notepad and copy/paste the text in the below code box into it
(make sure you scroll all the way down in the code box to get all lines selected ):
KillAll::

Driver::
cpuz134
DOPL
EIVNMC

File::
c:\windows\system32\REN1C7.tmp
c:\windows\system32\REN1C6.tmp
c:\windows\system32\REN4E.tmp
c:\windows\system32\REN4D.tmp
c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{9E897D0F-F804-41A3-966C-7BB6EB5B6BE8}\IconF7A21AF7.exe
c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{9E897D0F-F804-41A3-966C-7BB6EB5B6BE8}\IconD7F16134.exe
c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{9E897D0F-F804-41A3-966C-7BB6EB5B6BE8}\IconCF33A0CE.exe
c:\windows\9E897D0FF80441A3966C7BB6EB5B6BE8.TMP
  • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
  • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
  • You should have both the ComboFix and CFScript.txt icons on your Desktop.
  • Now use your mouse to drag CFScript.txt on top of ComboFix
  • Follow the prompts.
  • When it finishes, a log will be produced named c:\combofix.txt
  • Attach the new ComboFix log to your next reply
Note: DO NOT mouseclick combofix's window while it is running. That may cause it to stall.

The ComboFix folder should not be renamed since ComboFix and even we would have suspicions about it. Also when you uninstall CF, the folder would not be removed since it does not look for that folder name.
Kevin Zoll [Malware Removal Support]

#11 emsikatt


Posted 15 July 2012 - 06:26 PM

Kevin, I am very sorry. I did not see your last reply until this morning. I ran emsisoft scan and malwarebytes again. emsisoft showed some infections, !E2 and getstyles traces in Registry. But I quarantined them.

I am sorry for not following very clear instructions, and allowing my compulsive nature to do what I have been doing to make me feel a bit more comfortable with computer problems. I have wasted your time and effort and I am sorry.

I tried to do what you last instructed, but Mamutu kept interrupting the combofix with warning boxes. I thought I had shut it off, but had only used start/stop under general settings, not start/stop under permissions.
The combofix scan dialog box disappeared and after waiting an hour, I gave up.

Should I uninstall combofix and start over?

I use the computer for email, reading , and watching online tv mostly. Isn't there a safer way to do this?

Thank you for your efforts.

#12 Kevin Zoll


Posted 15 July 2012 - 08:04 PM

Instead of using ComboFix, we are going to use another tool.

Download BlitzBlank and save it to your desktop. Open Blitzblank.exe

Click OK at the warning (and take note of it, this is a VERY powerful tool!).

Click the script tab and copy/paste the following text there:

DisableDriver:
	cpuz134
	DOPL
	EIVNMC
DeleteFile:
	c:\windows\system32\REN1C7.tmp
	c:\windows\system32\REN1C6.tmp
	c:\windows\system32\REN4E.tmp
	c:\windows\system32\REN4D.tmp
	"c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{9E897D0F-F804-41A3-966C-7BB6EB5B6BE8}\IconF7A21AF7.exe"
	"c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{9E897D0F-F804-41A3-966C-7BB6EB5B6BE8}\IconD7F16134.exe"
	"c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{9E897D0F-F804-41A3-966C-7BB6EB5B6BE8}\IconCF33A0CE.exe"
	c:\windows\9E897D0FF80441A3966C7BB6EB5B6BE8.TMP

Click Execute Now. Your computer will need to reboot in order to replace the files.

When done, attach the report created by Blitzblank.
Kevin Zoll [Malware Removal Support]

#13 emsikatt


Posted 15 July 2012 - 10:42 PM

Kevin, it seems to have worked, despite me....had some trouble finding the log....but, here is what I found:

[attachment=12610:blitzblank.log]

I will not do anything til instructed!....thank you oh so very much for your patience and help.

#14 Kevin Zoll


Posted 15 July 2012 - 11:24 PM

OK, that appears to have worked, let's double check to be sure. Run a fresh scan with OTL and attach the new OTL log with your next reply.
Kevin Zoll [Malware Removal Support]

#15 emsikatt


Posted 16 July 2012 - 04:45 PM

Kevin, otl will still not run, so here are logs of what I did before:

[attachment=12633:a2scan_120715-200519.txt]


[attachment=12632:mbam-log-2012-07-16 (03-51-58).txt]


[attachment=12634:15 july hijackthis.log][attachment=12636:lCombo fix og.txt]


[attachment=12637:ComboFix-quarantined-files.txt]


Emsisoft scanner may have quarantined items when I closed it down....All I did was hit report/log.

Thank you

#16 Kevin Zoll


Posted 16 July 2012 - 05:42 PM

Open Blitzblank.exe

Click OK at the warning (and take note of it, this is a VERY powerful tool!).

Click the script tab and copy/paste the following text there:

DeleteFile: 
    c:\docume~1\admini~1\locals~1\temp\dopl.exe
    c:\docume~1\ADMINI~1\LOCALS~1\Temp\EIVNMC.exe
    "c:\documents and settings\administrator\application data\adobe\rxsupply.sys"
    "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS"
    "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS"
    "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS"
    "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS"
    "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS"
    "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS"
    "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS"
    "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS"
    "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS"
    "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS"
    "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS"
    "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS"
    "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS"
    "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS"
    "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS"
    c:\windows\Setup1.exe
    c:\windows\Installer\{7C6999B2-1A35-4F2C-8DB7-3CB46B640CC9}\NewShortcut3_7C6999B21A354F2C8DB73CB46B640CC9.exe
    c:\windows\Installer\2b1427.msi
DeleteFolder: 
    c:\windows\9e897d0ff80441a3966c7bb6eb5b6be8.tmp
DisableDriver: 
    dopl
    eivnmc
    fsfilter
DeleteRegKey: 
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{963B125B-8B21-49A2-A3A8-E37092276531}

Click Execute Now. Your computer will need to reboot in order to replace the files.

When done, attach the report created by Blitzblank.
Kevin Zoll [Malware Removal Support]

#17 emsikatt


Posted 16 July 2012 - 05:59 PM

Process hangs up... "Syntax error in line 2"

#18 Kevin Zoll


Posted 16 July 2012 - 06:09 PM

Use this:
DeleteFile:

        "c:\documents and settings\administrator\application data\adobe\rxsupply.sys"

        "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS"

        "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS"

        "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS"

        "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS"

        "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS"

        "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS"

        "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS"

        "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS"

        "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS"

        "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS"

        "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS"

        "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS"

        "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS"

        "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS"

        "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS"

        c:\windows\Setup1.exe

        c:\windows\Installer\{7C6999B2-1A35-4F2C-8DB7-3CB46B640CC9}\NewShortcut3_7C6999B21A354F2C8DB73CB46B640CC9.exe

        c:\windows\Installer\2b1427.msi

DeleteFolder:

        c:\windows\9e897d0ff80441a3966c7bb6eb5b6be8.tmp

DisableDriver:

        dopl

        eivnmc

        fsfilter

DeleteRegKey:

        HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{963B125B-8B21-49A2-A3A8-E37092276531}

Edited by ShadowPuterDude, 16 July 2012 - 06:59 PM.

Kevin Zoll [Malware Removal Support]

#19 emsikatt


Posted 16 July 2012 - 06:30 PM

Same problem, syntax error in line 2...Invalid file path.

Is a virus causing this error message....?

#20 Kevin Zoll


Posted 16 July 2012 - 07:00 PM

I've edited the script removing the first 2 files. Run the edited fix.
Kevin Zoll [Malware Removal Support]

#21 emsikatt


Posted 16 July 2012 - 07:41 PM

I saw no edited list, so I deleted these before running:

"c:\documents and settings\administrator\application data\adobe\rxsupply.sys"
"c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS"


[attachment=12639:blitzblank.log]

Sorry if what I am doing is causing the problems.

#22 Kevin Zoll


Posted 16 July 2012 - 07:48 PM

I had already removed 2 lines at the top of the script. You were not supposed to edit anything.

The blitzblank log doesn't appear to be for the last fix I posted, it appears to be for the fix I posted yesterday.
Kevin Zoll [Malware Removal Support]

#23 emsikatt


Posted 16 July 2012 - 09:32 PM

I am sorry, but I got the same error message when I tried that list, so I deleted the first two lines to get it to work and the program ran. I just couldn't find the correct log. Now I am getting an error for line 2 and 16, syntax error. Sorry, I'm going in circles here and my mind is getting tired. Can I, for now, quarantine the problems and start over with scans tonight?

thank you for your efforts and patience.

Thank you.

#24 Kevin Zoll

Posted 16 July 2012 - 10:13 PM

There's no error in the syntax of the fix. Most likely some hidden characters are being introduced during copy & paste.

Copy & Paste the contents of BlizBlankFix.txt, attached below, and run that.
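The copy-and-paste failure suspected in the post above (characters that Notepad does not show but a strict line parser trips over) can be checked for before a fix script is run. The following Python script is an added example, not part of this thread or of any tool it mentions: it reports every non-ASCII or stray control character with its line and column, and strips the usual suspects. The sample script and the file names inside it are constructed placeholders.

```python
import unicodedata
from typing import Dict, List, Tuple

# Characters that commonly ride along when a fix script is copied from a web
# page into Notepad, with the plain-ASCII replacement that keeps the script's
# meaning. Constructed list of the usual suspects; it is not exhaustive, and
# anything else outside printable ASCII is still reported below.
SUSPECTS: Dict[str, Tuple[str, str]] = {
    "\ufeff": ("BYTE ORDER MARK", ""),
    "\u00a0": ("NO-BREAK SPACE", " "),
    "\u00ad": ("SOFT HYPHEN", ""),
    "\u200b": ("ZERO WIDTH SPACE", ""),
    "\u200c": ("ZERO WIDTH NON-JOINER", ""),
    "\u200d": ("ZERO WIDTH JOINER", ""),
    "\u2060": ("WORD JOINER", ""),
    "\u2018": ("LEFT SINGLE QUOTATION MARK", "'"),
    "\u2019": ("RIGHT SINGLE QUOTATION MARK", "'"),
    "\u201c": ("LEFT DOUBLE QUOTATION MARK", '"'),
    "\u201d": ("RIGHT DOUBLE QUOTATION MARK", '"'),
}

Finding = Tuple[int, int, str, str]  # (line, column, codepoint, name), 1-based


def find_hidden_chars(text: str) -> List[Finding]:
    """Report every character that is neither printable ASCII, a tab, nor part
    of a normal line break. CRLF is accepted as a Windows line ending; a lone CR
    (the sign of a half-converted file) is reported like any other stray byte."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.replace("\r\n", "\n").split("\n"), 1):
        for col, ch in enumerate(line, 1):
            if ch == "\t" or 0x20 <= ord(ch) <= 0x7E:
                continue
            if ch in SUSPECTS:
                name = SUSPECTS[ch][0]
            else:
                # Control characters have no Unicode name; fall back to a label.
                name = unicodedata.name(ch, "UNKNOWN / CONTROL")
            findings.append((lineno, col, f"U+{ord(ch):04X}", name))
    return findings


def clean_script(text: str) -> str:
    """Normalise line endings to LF and swap each known suspect for its ASCII
    replacement. Unknown non-ASCII characters are left in place on purpose so
    that a second find_hidden_chars() pass still shows them for manual review."""
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    for bad, (_, good) in SUSPECTS.items():
        text = text.replace(bad, good)
    return text


def report(text: str) -> List[str]:
    """One human-readable line per finding: where it is and what it is."""
    return [f"line {l}, col {c}: {cp} {name}"
            for l, c, cp, name in find_hidden_chars(text)]


# Constructed sample in the section style of the fix scripts above: a BOM in
# front of the first line, a zero-width space after one path and a no-break
# space inside another. The paths are placeholders, not items from the thread.
SAMPLE = (
    "\ufeffKillAll::\n"
    "\n"
    "File::\n"
    "c:\\windows\\system32\\drivers\\example.sys\u200b\n"
    "c:\\documents\u00a0and settings\\user\\placeholder.tmp\n"
)


if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
    cleaned = clean_script(SAMPLE)
    assert find_hidden_chars(cleaned) == []
    print("after clean_script(): no hidden characters left")
```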

#25 emsikatt

Posted 16 July 2012 - 10:40 PM

Sorry, same error. I have tried several times, making sure that I don't pick up a "space" before and after. Otherwise, I don't know how copy and paste could go wrong. Sorry.


thank you

#26 Kevin Zoll

Posted 16 July 2012 - 10:48 PM

We are going to try using ComboFix, again, to remove this stuff.
  • Make sure that the copy of ComboFix that you downloaded earlier is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
  • Open Notepad and copy/paste the text in the below code box into it
(make sure you scroll all the way down in the code box to get all lines selected):
KillAll::

Driver::
dopl
eivnmc
fsfilter

File::
c:\docume~1\admini~1\locals~1\temp\dopl.exe
c:\docume~1\ADMINI~1\LOCALS~1\Temp\EIVNMC.exe
c:\documents and settings\administrator\application data\adobe\rxsupply.sys
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
c:\windows\Setup1.exe
c:\windows\Installer\{7C6999B2-1A35-4F2C-8DB7-3CB46B640CC9}\NewShortcut3_7C6999B21A354F2C8DB73CB46B640CC9.exe
c:\windows\Installer\2b1427.msi

Folder::
c:\windows\9e897d0ff80441a3966c7bb6eb5b6be8.tmp

Registry::
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{963B125B-8B21-49A2-A3A8-E37092276531}]

Quit::
  • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
  • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
  • You should have both the ComboFix and CFScript.txt icons on your Desktop.
  • Now use your mouse to drag CFScript.txt on top of ComboFix
  • Follow the prompts.
  • When it finishes, a log will be produced named c:\combofix.txt
  • I will ask for this log below
Note: DO NOT mouseclick combofix's window while it is running. That may cause it to stall.

The ComboFix folder should not be renamed since ComboFix and even we would have suspicions about it. Also when you uninstall CF, the folder would not be removed since it does not look for that folder name.

#27 emsikatt

Posted 16 July 2012 - 11:35 PM

It did seem to work. Thank you.

[attachment=12649:log.txt]

#28 Kevin Zoll

Posted 16 July 2012 - 11:55 PM

Download Windows Repair by Tweaking.com to your desktop. Use the direct download link for the Portable version of Windows Repair by Tweaking.com

  • Double-click tweaking.com_windows_repair_aio.zip and extract the Tweaking.com - Windows Repair folder to your desktop.
  • Now open this folder and double-click Repair_Windows.exe.
  • Click the Start Repairs tab on the far right.
  • Click the Start button (bottom right)
    Note: When asked if you would like to create a restore point, it is recommended, just in case something does not go as planned.
  • Click Unselect All
  • Put a checkmark in the following items:
    • Reset Registry Permissions
    • Reset File Permissions
    • Remove Policies Set By Infections
    • Repair Winsock & DNS Cache
    • Repair Proxy Settings
    • Set Windows Services To Default Startup
    Note: Leave everything else unchecked
  • Put a checkmark in Restart System When Finished
  • Now click the Start button (bottom right)
Will OTL run now?

#29 emsikatt

Posted 17 July 2012 - 12:40 AM

OTL will not run. Sorry.

#30 Kevin Zoll

Posted 17 July 2012 - 12:43 AM

Read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application.

  • Click Change parameters

  • Check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK

  • Click on the Start Scan button to begin the scan and wait for it to finish.
    NOTE: Do not use the computer during the scan!
  • During the scan it will look similar to the image below:
    Posted Image
  • When it finishes, you will either see a report that no threats were found like below:
    Posted Image

    If no threats are found at this point, just click the Report selection on the top right of the form to generate a log. A log file report will pop up, which you can just close since the report file is already saved.
  • If any infection or suspected items are found, you will see a window similar to below:
    Posted Image
    • If you have files that are shown to fail the signature check, do not take any action on these. Make sure you select Skip. I will tell you what to do with these later. They may not be issues at all.
    • If Suspicious objects are detected, the default action will be Skip. Leave the default set to Skip.
    • If Malicious objects are detected, they will show in the Scan results. TDSSKiller automatically selects an action (Cure or Delete) for malicious objects
      Make sure that Cure is selected. Important! - If Cure is not available, please choose Skip instead. Do not choose Delete unless instructed to do so.
  • Click Continue to apply selected actions.
  • A reboot may be required to complete disinfection. A window like the below will appear:
    Posted Image
    Reboot immediately if TDSSKiller states that one is needed.
  • Whether an infection is found or not, a log file should have already been created on your C: drive (or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run.
  • Attach this log to your next reply.


#31 emsikatt

Posted 17 July 2012 - 01:20 AM

[attachment=12660:TDSSKiller.2.7.45.0_16.07.2012_18.56.36_log.txt]

It didn't seem to find much.

thank you

#32 Kevin Zoll

Posted 17 July 2012 - 01:40 AM

Changing tools.

Download avz4.zip from here
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the Right of the Log window: Posted Image
  • Click Start to begin the update
Note: If you receive an error message, choose a different source, then click Start again
  • After the update, from the "File" menu, choose "Standard Scripts"
  • Put a check next to item 2: Advanced System Investigation
  • Click Execute selected scripts
  • At the next prompt, click the OK button
  • Let the scan run and click "OK" when the completion prompt pops up
  • Now Close out of the Standard Scripts window, and exit AVZ
  • Navigate to the avz4 folder and locate the folder LOG
  • Inside the LOG folder you will find virusinfo_syscheck.htm, virusinfo_syscheck.htm and virusinfo_syscheck.zip
  • Attach the Compressed file, virusinfo_syscheck.zip, to your next reply.


#33 emsikatt

Posted 17 July 2012 - 02:09 AM

Click Execute selected scripts


After that the scan ran, then the program shut down and left a blank log text.
I could not see any logs in the log folder. Sorry.

I did not see this:
At the next prompt, click the OK button
  • Let the scan run and click "OK" when the completion prompt pops up
  • Now Close out of the Standard Scripts window, and exit AVZ
  • Navigate to the avz4 folder and locate the folder LOG
  • Inside the LOG folder you will find virusinfo_syscheck.htm, virusinfo_syscheck.htm and virusinfo_syscheck.zip
  • Attach the Compressed file, virusinfo_syscheck.zip, to your next reply.

thank you

#34 Kevin Zoll

Posted 17 July 2012 - 03:43 AM

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      Alternate Zip Mirror 2
      Alternate Zip Mirror 3
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Double click Posted Image or Posted Image on your desktop. If you are using Vista, please right-click and select run as administrator
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Allow the gmer.sys driver to load if asked.
If it detects rootkit activity, you will receive a prompt to run a full scan. Click NO.

  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Attach the GMER log.
If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on <--- ROOTKIT entries

#35 emsikatt

Posted 17 July 2012 - 06:30 PM

Sorry, I tried two downloaded programs. They both tried to run, but after ONE second they quit.

Earlier I tried to see if emsisoft or malwarebytes would scan. They ran for only a few seconds.

#36 emsikatt

Posted 17 July 2012 - 07:42 PM

GMER began to scan in safe mode:
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Attach the GMER log.
But I did not see a warning. The program stopped and rebooted the computer.

#37 Kevin Zoll

Posted 17 July 2012 - 10:54 PM

OK, let's give this a try.

Download Hitman Pro to your Desktop.

Press the CTRL key and double-click on Hitman Pro. Hitman Pro will shut down all unnecessary processes when run this way.

If Hitman Pro wants to update, let it.

If Hitman Pro wants to download signatures, let it.

If Hitman Pro wants to remove something, let it.

Attach any logs produced by Hitman Pro.

#38 emsikatt

Posted 18 July 2012 - 12:42 AM

[attachment=12675:log.xml]

I'm not familiar with XML files, so I copied it to Notepad, here:


[attachment=12676:hitman log.txt]

Thank you

#39 Kevin Zoll

Posted 18 July 2012 - 02:14 AM

Download DDS by sUBs from one of the following links and save it to your desktop.
  • Disable any script blocking protection
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
---------------------------------------------------
  • Attach the DDS.txt report in your next reply
  • Attach the Attach.txt report to your reply


#40 emsikatt

Posted 18 July 2012 - 07:03 PM

Sorry, but I could not "zip" the files. Emsisoft and Malwarebytes scans did not find anything last night.

[attachment=12688:dds.txt]

[attachment=12689:DDS attach.txt]

thank you for your help....

#41 Kevin Zoll

Posted 18 July 2012 - 07:16 PM

Uninstall SpyHunter

Now we need to use ComboFix to remove some stuff.
  • Make sure that the copy of ComboFix that you downloaded earlier is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
  • Open Notepad and copy/paste the text in the below code box into it
(make sure you scroll all the way down in the code box to get all lines selected):
KillAll::

File::
c:\windows\system32\drivers\uti2nzy4.sys
  • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
  • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
  • You should have both the ComboFix and CFScript.txt icons on your Desktop.
  • Now use your mouse to drag CFScript.txt on top of ComboFix
  • Follow the prompts.
  • When it finishes, a log will be produced named c:\combofix.txt
  • I will ask for this log below
Note: DO NOT mouseclick combofix's window while it is running. That may cause it to stall.

The ComboFix folder should not be renamed since ComboFix and even we would have suspicions about it. Also when you uninstall CF, the folder would not be removed since it does not look for that folder name.

#42 emsikatt

Posted 18 July 2012 - 09:20 PM

[attachment=12694:log.txt]

thank you

#43 Kevin Zoll

Posted 18 July 2012 - 10:25 PM

I definitely don't like the way that log looked. Some serious issues are showing that weren't showing earlier.

Run ComboFix and attach the new ComboFix log with your next reply.

#44 emsikatt

Posted 18 July 2012 - 11:15 PM

[attachment=12696:log.txt] Mamutu was interrupting the last scan with warnings, so this scan was taken after I uninstalled it.

I got this computer from eBay. It arrived with damaged CD and floppy drives. The seller "cloned" the XP OS to it, so maybe there is a built-in problem? I dunno.

It seems to be working okay. But I need to get some ID protection, which AVG doesn't have.

thank you

#45 Kevin Zoll

Posted 18 July 2012 - 11:27 PM

The seller "cloned" the XP OS to it, so maybe there is a built-in problem?

Cloned??? If the system did not come with a restore disc set or have a restore partition, then there is a very good chance that the copy of XP on this system is not legal.

We Need to Diagnose a Possible Problem with WGA
This may be preventing you from installing that service pack.
  • Please download MGADiag and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Push Posted Image
  • Push Posted Image
  • Go to Start -> Run and type in "Notepad"
  • Go to Edit -> Paste in notepad.
  • x out all of the numbers and letters in the line beginning with "Windows Product Key:"
  • Attach that log here.


#46 emsikatt

Posted 19 July 2012 - 12:57 AM

I hope I understood your instructions about removing, x-ing out, the numbers.

I have recovery discs, I think. Never have used them....I have a MS sticker on the machine.

That's all I know about being legal. Sorry if that is a problem.

thank you



[attachment=12699:wga.txt]

#47 Kevin Zoll

Posted 19 July 2012 - 01:17 AM

OK, your copy of Windows is Genuine.

Let's keep digging and see if we can figure out what is broken.

Download Runscanner to your desktop and run it.
  • When the first page comes up select Beginner Mode
  • On the next page select Save a binary .Run file (Recommended) then click Start full scan at the top.
  • At this time Runscanner.exe may request access to the Internet through your firewall please allow it to do so, it will then run for two or three minutes.
  • On completion it will ask for a location to save the file and a name. It will do this for both the .run file and the log file
  • Call the .run file "Select a name" and save it to your desktop. You will see the .run file on your desktop. Zip that file and attach the zip file to your next reply.


#48 emsikatt

Posted 19 July 2012 - 02:07 AM

Sorry, I had to install a zip program, 7z, but could not get it to zip the .run file. Can I rename the file?

I was not allowed to attach the run file. Thank you.

[attachment=12700:runscanner.log]

#49 Kevin Zoll

Posted 19 July 2012 - 03:00 AM

A log file is not what I need. I need the run file. Right-click on the run file, navigate to 7-zip in the menu, and select "Add to runscanner.zip"

#50 emsikatt

Posted 19 July 2012 - 03:19 AM

Sorry, I've never zipped a file, and all of the features are confusing. I hope this is usable.

Thank you.

[attachment=12705:scanner.zip]



