61 replies to this topic

[emsikatt]

@ http://support.emsis...1-wont-go-away/, In regards to a "getstyles!E1", where instructed to download OTL by OldTimer.

Page comes up as a 503 error.

I did find some mirrors to download 24960-OTL, BUT program would not run, showing an error. The only error report I could figure out how to copy is as follows:

 error report ffb2_appcompat.txt   7.82K   21 downloads

<?xml version="1.0" encoding="UTF-16"?>
<DATABASE>
<EXE NAME="24960-OTL(1).exe" FILTER="GRABMI_FILTER_PRIVACY">
<MATCHING_FILE NAME="24960-OTL(1).exe" SIZE="595968" CHECKSUM="0xC4652E1F" BIN_FILE_VERSION="3.2.43.1" BIN_PRODUCT_VERSION="3.2.43.1" PRODUCT_VERSION="3.0.0.0" FILE_DESCRIPTION="" COMPANY_NAME="OldTimer Tools" PRODUCT_NAME="OTL" FILE_VERSION="3.2.43.1" ORIGINAL_FILENAME="OTL.exe" INTERNAL_NAME="OTL.exe" LEGAL_COPYRIGHT="" VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x4" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x97BD8" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="3.2.43.1" UPTO_BIN_PRODUCT_VERSION="3.2.43.1" LINK_DATE="06/19/1992 22:22:17" UPTO_LINK_DATE="06/19/1992 22:22:17" VER_LANGUAGE="English (United States) [0x409]" />
<MATCHING_FILE NAME="24960-OTL.exe" SIZE="595968" CHECKSUM="0xC4652E1F" BIN_FILE_VERSION="3.2.43.1" BIN_PRODUCT_VERSION="3.2.43.1" PRODUCT_VERSION="3.0.0.0" FILE_DESCRIPTION="" COMPANY_NAME="OldTimer Tools" PRODUCT_NAME="OTL" FILE_VERSION="3.2.43.1" ORIGINAL_FILENAME="OTL.exe" INTERNAL_NAME="OTL.exe" LEGAL_COPYRIGHT="" VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x4" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x97BD8" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="3.2.43.1" UPTO_BIN_PRODUCT_VERSION="3.2.43.1" LINK_DATE="06/19/1992 22:22:17" UPTO_LINK_DATE="06/19/1992 22:22:17" VER_LANGUAGE="English (United States) [0x409]" />
<MATCHING_FILE NAME="jre-7u5-windows-i586-iftw.exe" SIZE="893936" CHECKSUM="0xE0088601" BIN_FILE_VERSION="7.0.50.5" BIN_PRODUCT_VERSION="7.0.50.5" PRODUCT_VERSION="7.0.50.5" FILE_DESCRIPTION="Java™ Platform SE binary" COMPANY_NAME="Oracle Corporation" PRODUCT_NAME="Java™ Platform SE 7 U5" FILE_VERSION="7.0.50.5" ORIGINAL_FILENAME="jinstall.exe" INTERNAL_NAME="Setup Launcher" LEGAL_COPYRIGHT="Copyright © 2012" VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0xE650C" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="7.0.50.5" UPTO_BIN_PRODUCT_VERSION="7.0.50.5" LINK_DATE="05/16/2012 02:38:35" UPTO_LINK_DATE="05/16/2012 02:38:35" VER_LANGUAGE="English (United States) [0x409]" />
</EXE>
<EXE NAME="kernel32.dll" FILTER="GRABMI_FILTER_THISFILEONLY">
<MATCHING_FILE NAME="kernel32.dll" SIZE="989696" CHECKSUM="0x2D998938" BIN_FILE_VERSION="5.1.2600.5781" BIN_PRODUCT_VERSION="5.1.2600.5781" PRODUCT_VERSION="5.1.2600.5781" FILE_DESCRIPTION="Windows NT BASE API Client DLL" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Microsoft® Windows® Operating System" FILE_VERSION="5.1.2600.5781 (xpsp_sp3_gdr.090321-1317)" ORIGINAL_FILENAME="kernel32" INTERNAL_NAME="kernel32" LEGAL_COPYRIGHT="© Microsoft Corporation. All rights reserved." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0xFE572" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="5.1.2600.5781" UPTO_BIN_PRODUCT_VERSION="5.1.2600.5781" LINK_DATE="03/21/2009 14:06:58" UPTO_LINK_DATE="03/21/2009 14:06:58" VER_LANGUAGE="English (United States) [0x409]" />
</EXE>
<EXE NAME="kernel32.dll" FILTER="GRABMI_FILTER_THISFILEONLY">
<MATCHING_FILE NAME="kernel32.dll" SIZE="989696" CHECKSUM="0x2D998938" BIN_FILE_VERSION="5.1.2600.5781" BIN_PRODUCT_VERSION="5.1.2600.5781" PRODUCT_VERSION="5.1.2600.5781" FILE_DESCRIPTION="Windows NT BASE API Client DLL" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Microsoft® Windows® Operating System" FILE_VERSION="5.1.2600.5781 (xpsp_sp3_gdr.090321-1317)" ORIGINAL_FILENAME="kernel32" INTERNAL_NAME="kernel32" LEGAL_COPYRIGHT="© Microsoft Corporation. All rights reserved." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0xFE572" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="5.1.2600.5781" UPTO_BIN_PRODUCT_VERSION="5.1.2600.5781" LINK_DATE="03/21/2009 14:06:58" UPTO_LINK_DATE="03/21/2009 14:06:58" VER_LANGUAGE="English (United States) [0x409]" />
</EXE>
</DATABASE>


Sorry If it is jibberish...

Do not have access to a computer that I can use to download to usb.

Is there another program that I can use? I think my hjt is still working, if that would be of any help.

thanks

[Elise]

The Geekstogo site, which mirrors OTL, was down yesterday, hence the error. It should work now though.

The official secondary mirror is: http://www.itxassoci...T-Tools/OTL.exe

[emsikatt]

Thank you...I downloaded another OTL and tried to run it, but got another error:

<?xml version="1.0" encoding="UTF-16"?>
<DATABASE>
<EXE NAME="OTL.exe" FILTER="GRABMI_FILTER_PRIVACY">
<MATCHING_FILE NAME="OTL.exe" SIZE="595968" CHECKSUM="0x2978B06E" BIN_FILE_VERSION="3.2.53.1" BIN_PRODUCT_VERSION="3.2.53.1" PRODUCT_VERSION="3.0.0.0" FILE_DESCRIPTION="" COMPANY_NAME="OldTimer Tools" PRODUCT_NAME="OTL" FILE_VERSION="3.2.53.1" ORIGINAL_FILENAME="OTL.exe" INTERNAL_NAME="OTL.exe" LEGAL_COPYRIGHT="" VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x4" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x922B5" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="3.2.53.1" UPTO_BIN_PRODUCT_VERSION="3.2.53.1" LINK_DATE="06/19/1992 22:22:17" UPTO_LINK_DATE="06/19/1992 22:22:17" VER_LANGUAGE="English (United States) [0x409]" />
</EXE>
<EXE NAME="kernel32.dll" FILTER="GRABMI_FILTER_THISFILEONLY">
<MATCHING_FILE NAME="kernel32.dll" SIZE="989696" CHECKSUM="0x2D998938" BIN_FILE_VERSION="5.1.2600.5781" BIN_PRODUCT_VERSION="5.1.2600.5781" PRODUCT_VERSION="5.1.2600.5781" FILE_DESCRIPTION="Windows NT BASE API Client DLL" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Microsoft® Windows® Operating System" FILE_VERSION="5.1.2600.5781 (xpsp_sp3_gdr.090321-1317)" ORIGINAL_FILENAME="kernel32" INTERNAL_NAME="kernel32" LEGAL_COPYRIGHT="© Microsoft Corporation. All rights reserved." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0xFE572" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="5.1.2600.5781" UPTO_BIN_PRODUCT_VERSION="5.1.2600.5781" LINK_DATE="03/21/2009 14:06:58" UPTO_LINK_DATE="03/21/2009 14:06:58" VER_LANGUAGE="English (United States) [0x409]" />
</EXE>
<EXE NAME="kernel32.dll" FILTER="GRABMI_FILTER_THISFILEONLY">
<MATCHING_FILE NAME="kernel32.dll" SIZE="989696" CHECKSUM="0x2D998938" BIN_FILE_VERSION="5.1.2600.5781" BIN_PRODUCT_VERSION="5.1.2600.5781" PRODUCT_VERSION="5.1.2600.5781" FILE_DESCRIPTION="Windows NT BASE API Client DLL" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Microsoft® Windows® Operating System" FILE_VERSION="5.1.2600.5781 (xpsp_sp3_gdr.090321-1317)" ORIGINAL_FILENAME="kernel32" INTERNAL_NAME="kernel32" LEGAL_COPYRIGHT="© Microsoft Corporation. All rights reserved." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0xFE572" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="5.1.2600.5781" UPTO_BIN_PRODUCT_VERSION="5.1.2600.5781" LINK_DATE="03/21/2009 14:06:58" UPTO_LINK_DATE="03/21/2009 14:06:58" VER_LANGUAGE="English (United States) [0x409]" />
</EXE>
</DATABASE>

Any suggestions?

thank you

[ShadowPuterDude]

We need an actual error code/message. The contents of the XML file only tells us what crashed, not why it crashed.

[emsikatt]

Thank you...

After "running otl", I get: "Exception EOleSusError in monule 24960-OTL.exe at 000584A5. Class not registered.


Another Notice opens over that, which says:

""Otl has encountered a problem and needs to close.""

I clicked on, ""to see what data this error rport contains--"

""Error signature

AppName 24960-otlexe AppVer. 3.2.43.1 ModName: kernel32.dll
ModVer. 5.1.2600.5781 Offset: 00012afb

This error report includes: information regarding the condition of OTL when the problem occurred:---""""

and goes on to explain their privacy policies. The error report that I have posted was from a link at the bottom of that notice.

Sorry, but that is all that I have....

Yesterday The "scan" in EmsisoftEmergencyKit would not scan! It would start full scan, then close. I ran Malwarebytes in "safe mode" and it found nothing. EmsisoftEmergencyKit would not scan in safe mode!

This morning it seems to be working again! It found trace !E1 again.

Does this thread/problem need to be somewhere else?

Thank you.....

[ShadowPuterDude]

I am moving this support thread to the malware removal section of the forums.

Attach all logs from the tools that have ran so far.

[emsikatt]

Here is emsisoft scan, a hjt scan, and a full malwarbytes scan. OTL still will not run.

Thank you

Attached Files

•  13 july a2scan_120713-155755.txt   1.28K   32 downloads
•  mbam-log-2012-07-13 (17-42-11).txt   3.61K   36 downloads
•  13 july hijackthis.log   4.62K   31 downloads

[ShadowPuterDude]

Download ComboFix from one of these locations:

Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop

Link 1
Link 2

* IMPORTANT !!! Save ComboFix to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  See HERE for help
• Double click on Combo-Fix & follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:
1. Do not mouseclick combofix's window while it's running. That may cause it to stall!
2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

• ComboFix (C:\combofix.txt)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

[emsikatt]

Thank you....here are the logs that may be what you asked for:
 ComboFix.txt   16.6K   29 downloads
 ComboFix-quarantined-files.txt   652bytes   21 downloads

Also, I was not asked about " Microsoft Windows Recovery Console", so I assume that it is on my computer. How would I access it.

I found avg difficult to turn off. Had to search around for the correct place to do it. Clicking "exit" on the quick start menue just deleted that function.


Combo fix installed a folder in C drive, with an empty sub folder of N_ . Should I delete those folders?


Let me run computer for a day and then scan again to see what is going on....


thank you.

[ShadowPuterDude]

Don't delete anything, unless you are told to so so. Your system is not malware free.

Now we need to use ComboFix to remove some stuff.

• Make sure that the copy of ComboFix that you downloaded earlier is on your Desktop but Do not run it!
• If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below code box into it

(make sure you scroll all the way down in the code box to get all lines selected ):

KillAll::

Driver::
cpuz134
DOPL
EIVNMC

File::
c:\windows\system32\REN1C7.tmp
c:\windows\system32\REN1C6.tmp
c:\windows\system32\REN4E.tmp
c:\windows\system32\REN4D.tmp
c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{9E897D0F-F804-41A3-966C-7BB6EB5B6BE8}\IconF7A21AF7.exe
c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{9E897D0F-F804-41A3-966C-7BB6EB5B6BE8}\IconD7F16134.exe
c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{9E897D0F-F804-41A3-966C-7BB6EB5B6BE8}\IconCF33A0CE.exe
c:\windows\9E897D0FF80441A3966C7BB6EB5B6BE8.TMP

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFScript.txt on top of ComboFix
  
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• Attach teh new ComboFix log to your next reply

Note: DO NOT mouseclick combofix's window while it is running. That may cause it to stall.

The ComboFix folder should not be renamed since ComboFix and even we would have suspicions about it. Also when you uninstall CF, the folder would not be removed since it does not look for that folder name.

[emsikatt]

Kevin, I am very sorry. I did not see your last reply until this morning. I ran emsisoft scan and malwarebytes again. emsisoft showed some infections, !E2 and getstyles traces in Registry. But I quarantined them.

I am sorry for not following very clear instructions, and allowing my compulsive nature to do what I have been doing to make me feel a bit more comfortable with computer problems. I have wasted your time and effort and I am sorry.

I tried to do what you last instructed, but Mamutu kept interrupting the combofix with warning boxes. I thought I had shut it off, but had only used start/stop under general settings, not start/stop under permissions.
The combofix scan dialog box dissappeared and after waiting an hour, I gave up.

Sould I uninstall combofix and start over?

I use the computer for email, reading , and watching online tv mostly. Isn't there a safer way to do this?

Thank you for your efforts.

[ShadowPuterDude]

Instead of using ComboFix, we are goign to use antoher tool.

Download BlitzBlank and save it to your desktop. Open Blitzblank.exe

Click OK at the warning (and take note of it, this is a VERY powerful tool!).

Click the script tab and copy/paste the following text there:

DisableDriver:
	cpuz134
	DOPL
	EIVNMC
DeleteFile:
	c:\windows\system32\REN1C7.tmp
	c:\windows\system32\REN1C6.tmp
	c:\windows\system32\REN4E.tmp
	c:\windows\system32\REN4D.tmp
	"c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{9E897D0F-F804-41A3-966C-7BB6EB5B6BE8}\IconF7A21AF7.exe"
	"c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{9E897D0F-F804-41A3-966C-7BB6EB5B6BE8}\IconD7F16134.exe"
	"c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{9E897D0F-F804-41A3-966C-7BB6EB5B6BE8}\IconCF33A0CE.exe"
	c:\windows\9E897D0FF80441A3966C7BB6EB5B6BE8.TMP

Click Execute Now. Your computer will need to reboot in order to replace the files.

When done, attach the report created by Blitzblank.

[emsikatt]

Kevin, It seems to have worked, dispite me....had some trouble finding the log....but, here is what I found.:

 blitzblank.log   3.19K   26 downloads

I will not do anything til instructed!....thank you oh so very much for your patience and help.

[ShadowPuterDude]

OK, that appears to have worked, let's double check to be sure. Run a fresh scan with OTL and attach the new OTL log with your next reply.

[emsikatt]

Kevin, otl will still not run, so here are logs of what I did before:

 a2scan_120715-200519.txt   1.15K   35 downloads


 mbam-log-2012-07-16 (03-51-58).txt   2.05K   33 downloads


 15 july hijackthis.log   4.92K   25 downloads  lCombo fix og.txt   18.73K   40 downloads


 ComboFix-quarantined-files.txt   652bytes   27 downloads


Emsisoft scanner may have quarantined items when I closed it down....All I did was hit report/log.

Thank you

[ShadowPuterDude]

Open Blitzblank.exe

Click OK at the warning (and take note of it, this is a VERY powerful tool!).

Click the script tab and copy/paste the following text there:

DeleteFile: 
    c:\docume~1\admini~1\locals~1\temp\dopl.exe
    c:\docume~1\ADMINI~1\LOCALS~1\Temp\EIVNMC.exe
    "c:\documents and settings\administrator\application data\adobe\rxsupply.sys"
    "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS"
    "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS"
    "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS"
    "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS"
    "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS"
    "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS"
    "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS"
    "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS"
    "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS"
    "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS"
    "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS"
    "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS"
    "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS"
    "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS"
    "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS"
    c:\windows\Setup1.exe
    c:\windows\Installer\{7C6999B2-1A35-4F2C-8DB7-3CB46B640CC9}\NewShortcut3_7C6999B21A354F2C8DB73CB46B640CC9.exe
    c:\windows\Installer\2b1427.msi
DeleteFolder: 
    c:\windows\9e897d0ff80441a3966c7bb6eb5b6be8.tmp
DisableDriver: 
    dopl
    eivnmc
    fsfilter
DeleteRegKey: 
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{963B125B-8B21-49A2-A3A8-E37092276531}

Click Execute Now. Your computer will need to reboot in order to replace the files.

When done, attach the report created by Blitzblank.

[emsikatt]

Process hangs up...""Syntax error in line 2"""

[ShadowPuterDude]

Use this:

DeleteFile:

        "c:\documents and settings\administrator\application data\adobe\rxsupply.sys"

        "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS"

        "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS"

        "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS"

        "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS"

        "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS"

        "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS"

        "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS"

        "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS"

        "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS"

        "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS"

        "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS"

        "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS"

        "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS"

        "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS"

        "c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS"

        c:\windows\Setup1.exe

        c:\windows\Installer\{7C6999B2-1A35-4F2C-8DB7-3CB46B640CC9}\NewShortcut3_7C6999B21A354F2C8DB73CB46B640CC9.exe

        c:\windows\Installer\2b1427.msi

DeleteFolder:

        c:\windows\9e897d0ff80441a3966c7bb6eb5b6be8.tmp

DisableDriver:

        dopl

        eivnmc

        fsfilter

DeleteRegKey:

        HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{963B125B-8B21-49A2-A3A8-E37092276531}

Edited by ShadowPuterDude, 16 July 2012 - 06:59 PM.

[emsikatt]

Same problem, syntax error in line 2...Invalid file path.

Is a virus causing this error message....?

[ShadowPuterDude]

I've edited the script removing the first 2 files. Run the edited fix.

[emsikatt]

I saw no edited list, so I deleted these before running:

"c:\documents and settings\administrator\application data\adobe\rxsupply.sys"
"c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS"


 blitzblank.log   3.22K   28 downloads

sorry If what I am doing is causing the problems.

[ShadowPuterDude]

I had already removed 2 lines at the top of the script. You were not supposed to edit anything.

The blitzblank log doesn't appear to be for the last fix I posted, it appears to the fix I posted yesterday.

[emsikatt]

I am sorry, but I got the same error message when I tried that list, so I deleted the first two lines to get it to work and the program ran. I just couldn't find the correct log. Now I am getting an error for line 2 and 16, syntax error. sorry, I'm going in circles here and my mind is getting tired. Can I , for now quarantine the problems and start over with scans tonight?

thank you for your efforts and patience.

thankyou

[ShadowPuterDude]

There's no error in the syntax of the fix. There's most likely some hidden characters being introduced during copy & paste.

Copy & Paste the contents of BlizBlankFix.txt, attached below, and run that.

Attached Files

•  BlitzBlankFix.txt   2.29K   37 downloads

[emsikatt]

Sorry, same error.....I have tried several times, making sure that I don't pick up "space" before and after...Otherwise, I don't know how copy and paste could go wrong....sorry


thank you

[ShadowPuterDude]

We are going to try using ComboFix, again, to remove this stuff.

• Make sure that the copy of ComboFix that you downloaded earlier is on your Desktop but Do not run it!
• If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below code box into it

(make sure you scroll all the way down in the code box to get all lines selected ):

KillAll::

Driver::
dopl
eivnmc
fsfilter

File::
c:\docume~1\admini~1\locals~1\temp\dopl.exe
c:\docume~1\ADMINI~1\LOCALS~1\Temp\EIVNMC.exe
c:\documents and settings\administrator\application data\adobe\rxsupply.sys
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
c:\windows\Setup1.exe
c:\windows\Installer\{7C6999B2-1A35-4F2C-8DB7-3CB46B640CC9}\NewShortcut3_7C6999B21A354F2C8DB73CB46B640CC9.exe
c:\windows\Installer\2b1427.msi

Folder::
c:\windows\9e897d0ff80441a3966c7bb6eb5b6be8.tmp

Registry::
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{963B125B-8B21-49A2-A3A8-E37092276531}]

Quit::

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFScript.txt on top of ComboFix
  
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note: DO NOT mouseclick combofix's window while it is running. That may cause it to stall.

The ComboFix folder should not be renamed since ComboFix and even we would have suspicions about it. Also when you uninstall CF, the folder would not be removed since it does not look for that folder name.

[emsikatt]

It did seem to work.....thank you

 log.txt   22.15K   21 downloads

[ShadowPuterDude]

Download Windows Repair by Tweaking.com to your desktop. Use the direct download link for the Portable version of Windows Repair by Tweaking.com

• Double-click tweaking.com_windows_repair_aio.zip and extract the Tweaking.com - Windows Repair folder to your desktop.
• Now open this folder and double-click Repair_Windows.exe.
• Click the Start Repairs tab on the far right.
• Click the Start button (bottom right)
  Note: When asked if you would like to create a restore point. It is recommended just in-case something does not go as planned.
• Click Unselect All
• Put a checkmark in the following items:
  
  • Reset Registry Permissions
  • Reset File Permissions
  • Remove Policies Set By Infections
  • Repair Winsock & DNS Cache
  • Repair Proxy Settings
  • Set Windows Services To Default Startup
  Note: Leave everything else unchecked
• Put a checkmark in Restart System When Finished
• Now click the Start button (bottom right)

Will OTL run now?

[emsikatt]

OTL will not run....sorry

[ShadowPuterDude]

Read carefully and follow these steps.

• Download TDSSKiller and save it to your Desktop.
• Double-click on TDSSKiller.exe to run the application.
  
  
• Click Change parameters
  
  
• Check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK
  
  
• Click on the Start Scan button to begin the scan and wait for it to finish.
  NOTE: Do not use the computer during the scan!
  
• During the scan it will look similar to the image below:
  
  
• When it finishes, you will either see a report that no threats were found like below:
  
  
  If no threats are found at this point, just click the Report selection on the top right of the form to generate a log. A log file report will pop which you can just close since the report file is already saved.
  
• If any infection or suspected items are found, you will see a window similar to below:
  
  
  • If you have files that are shown to fail signature check do not take any action on these. Make sure you select Skip. I will tell you what to do with these laater. They may not be issues at all.
  • If Suspicious objects are detected, the default action will be Skip. Leave the default set to Skip.
  • If Malicious objects are detected, they will show in the Scan results. TDSSKiller automatically selects an action (Cure or Delete) for malicious objects
    Make sure that Cure is selected. Important! - If Cure is not available, please choose Skip instead. Do not choose Delete unless instructed to do so.
• Click Continue to apply selected actions.
  
• A reboot may be required to complete disinfection. A window like the below will appear:
  
  Reboot immediately if TDSSKiller states that one is needed.
  
• Whether an infection is found or not, a log file should have already been created on your C: drive (or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run.
  
• Attach this log to your next reply.

[emsikatt]

 TDSSKiller.2.7.45.0_16.07.2012_18.56.36_log.txt   633.5K   27 downloads

didn't seem to find much....

thank you

[ShadowPuterDude]

Changing tools.

Download avz4.zip from here

• Unzip it to your desktop to a folder named avz4
• Double click on AVZ.exe to run it.
• Run an update by clicking the Auto Update button on the Right of the Log window:
• Click Start to begin the update

Note: If you receive an error message, chose a different source, then click Start again

• After the update, from the "File" menu, choose "Standard Scripts"
• Put a check next to item 2: Advanced System Investigation
• Click Execute selected scripts
• At the next prompt, click the OK button
• Let the scan run and click "OK" when the completion prompt pops up
• Now Close out of the Standard Scripts window, and exit AVZ
• Navigate to the avz4 folder and locate the folder LOG
• Inside the LOG folder you will find virusinfo_syscheck.htm, virusinfo_syscheck.htm and virusinfo_syscheck.zip
• Attach the Compressed file, virusinfo_syscheck.zip, to your next reply.

[emsikatt]

Click Execute selected scripts


after that the scan ran, then program shut down and left a blank log text.
could not see any logs in the log folder....sorry

did not see this:
At the next prompt, click the OK button

• Let the scan run and click "OK" when the completion prompt pops up
• Now Close out of the Standard Scripts window, and exit AVZ
• Navigate to the avz4 folder and locate the folder LOG
• Inside the LOG folder you will find virusinfo_syscheck.htm, virusinfo_syscheck.htm and virusinfo_syscheck.zip
• Attach the Compressed file, virusinfo_syscheck.zip, to your next reply.

thank you

[ShadowPuterDude]

Download and Run Scan with GMER

We will use GMER to scan for rootkits.

• Please download GMER from one of the following locations, and save it to your desktop:
  
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zip Mirror
    Alternate Zip Mirror 2
    Alternate Zip Mirror 3
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.
• Double click or on your desktop. If you are using Vista, please right-click and select run as administrator
• When you have done this, close all running programs.
  There is a small chance this application may crash your computer so save any work you have open.
• Allow the gmer.sys driver to load if asked.

If it detects rootkit activity, you will receive a prompt to run a full scan. Click NO.

• In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
  
  • Sections
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show all (Don't miss this one!)
• Click on and wait for the scan to finish.
• If you see a rootkit warning window, click OK.
• Push and save the logfile to your desktop.
• Attach the GMER log.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on <--- ROOKIT entries

[emsikatt]

Sorry, I tried two downloaded programs. They both tried to run, but after ONE second they quit.

Earlier I tried to see if emsisoft or malwarebytes would scan. They ran for only a few seconds.

[emsikatt]

gmer began to scan in safe mode:

• Click on and wait for the scan to finish.
• If you see a rootkit warning window, click OK.
• Push and save the logfile to your desktop.
• Attach the GMER log.

But did not see a warning. Program stopped and rebooted computer.

[ShadowPuterDude]

OK, let's give this a try.

Download Hitman Pro to your Desktop.

Press the CTRL key and double-click on Hitman Pro. Hitman Pro will shut down all unnecessary processes when ran this way.

If Hitman Pro wants to update, let it.

If Hitman Pro wants to download signatures, let it.

If Hitman Pro wants to remove something, let it.

Attach any logs produced by Hitman Pro.

[emsikatt]

 log.xml   1.86K   28 downloads

I'm not familiar with xml file, so I copied it to notepad, here:


 hitman log.txt   783bytes   25 downloads

Thank you

[ShadowPuterDude]

Download DDS by sUBs from one of the following links and save it to your desktop.

• • DDS.scr
  • DDS.pif
• Disable any script blocking protection
• Double click DDS icon to run the tool (may take up to 3 minutes to run)
• When done, DDS.txt will open.
• After a few moments, attach.txt will open in a second window.
• Save both reports to your desktop.

---------------------------------------------------

• Attach the DDS.txt report in your next reply
• Attach the Attach.txt report to your reply

[emsikatt]

sorry, but I could not "zip" the files.....emsisoft and malwarbytes scans did not find anything last night.

 dds.txt   11.48K   26 downloads

 DDS attach.txt   12.06K   26 downloads

thank you for your help....

[ShadowPuterDude]

Uninstall SpyHunter

Now we need to use ComboFix to remove some stuff.

• Make sure that the copy of ComboFix that you downloaded earlier is on your Desktop but Do not run it!
• If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below code box into it

(make sure you scroll all the way down in the code box to get all lines selected ):

KillAll::

File::
c:\windows\system32\drivers\uti2nzy4.sys

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFScript.txt on top of ComboFix
  
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note: DO NOT mouseclick combofix's window while it is running. That may cause it to stall.

The ComboFix folder should not be renamed since ComboFix and even we would have suspicions about it. Also when you uninstall CF, the folder would not be removed since it does not look for that folder name.

[emsikatt]

 log.txt   17.59K   27 downloads

thank you

[ShadowPuterDude]

I definitely don't like the way that log looked. Some serious issues are showing that weren't showing earlier.

Run ComboFix and attach the new ComboFix log with your next reply.

[emsikatt]

 log.txt   16.07K   21 downloads Mamutu was interrupting the last scan with warnings, so this scan was taken after I uninstalled it.

I got this computer from ebay. It arrived with damaged cd and floppy drives. The seller ''cloned" the xp os to it, so maybe there is a built in problem?...idonno

It seems to be working okay. But I need to get some ID protection, which AVG doesn't have.

thank you

[ShadowPuterDude]

The seller ''cloned" the xp os to it, so maybe there is a built in problem?

Cloned??? If the system did not come with a restore disc set or have a restore partition, then there is a very good chance that the copy of XP on this system is not legal.

We Need to Diagnose a Possible Problem with WGA
This may be preventing you from installing that service pack.

• Please download MGADiag and save it to your desktop.
• Double click the icon on your desktop.
• Push
• Push
• Go to Start -> Run and type in "Notepad"
• Go to Edit -> Paste in notepad.
• x out all of the numbers and letters in the line beginning with "Windows Product Key:"
• Attach that log here.

[emsikatt]

I hope I understood your instructions about removing, x ing out numbers....

I have recovery discs, I think. Never have used them....I have a MS sticker on the machine.

Thats all I know about being legal....sorry if that is a problem.

thank you



 wga.txt   3.85K   20 downloads

[ShadowPuterDude]

OK, your copy of Windows is Genuine.

Let's keep digging and see if we can figure out what is broke.

Download Runscanner to your desktop and run it.

• When the first page comes up select Beginner Mode
• On the next page select Save a binary .Run file (Recommended) then click Start full scan at the top.
• At this time Runscanner.exe may request access to the Internet through your firewall please allow it to do so, it will then run for two or three minutes.
• On completion it will ask for a location to save the file and a name. It will do this for both the .run file and the log file
• Call the .run file "Select a name" and save it to your desktop. You will see the .run file on your desktop. Zip that file and attach the zip file to your next reply.

[emsikatt]

sorry, I had to install a zip program, 7z, but could not get it to zip the .run file....can I rename the file?

was not allowed to attach run file...thank you

 runscanner.log   14.49K   31 downloads

[ShadowPuterDude]

A log file is not what I need. I need the run file. Right-click on the run file, navigate to 7-zip in the menu, and select "Add to runscanner.zip"

[emsikatt]

sorry...I"ve never zipped a file, and all of the features are confusing. I hope this is usable.

thank you..

 scanner.zip   202.61K   28 downloads