[SpySentinel]

• Download OTL to your desktop.
• Please rename OTL.exe to OTL.com
• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• When the window appears, underneath Output at the top change it to Minimal Output.
• Check the boxes beside LOP Check and Purity Check.
• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
• When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTListIt2.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

• Download DDS by sUBs from one of the following links. Save it to your desktop.
  • DDS.scr
  • DDS.pif
• Double click on the DDS icon, allow it to run.
• A small box will open, with an explaination about the tool. No input is needed, the scan is running.
• Notepad will open with the results.
• Follow the instructions that pop up for posting the results.
• Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Edited by SpySentinel, 09 January 2010 - 11:08 PM.

[Advertisements]

It does the same thing. C:\Documents and Settings\Owner\Desktop\OTL.com.exe is not a valid Win32 application. i should also note that i have not been getting any ad.yieldmanager.com popups its been like this a while now maybe a week, it might have had something to do with me removing this from hijackthis:

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

i didnt mess with anything else this one just stood out and it didnt seem to effect anything on my computer when i removed it other than the fact that the popups havent been around. but regardless the executable problems only started happening when i started getting those popups.

Edited by applestew, 10 January 2010 - 09:47 AM.

[applestew]

It does the same thing. C:\Documents and Settings\Owner\Desktop\OTL.com.exe is not a valid Win32 application. i should also note that i have not been getting any ad.yieldmanager.com popups its been like this a while now maybe a week, it might have had something to do with me removing this from hijackthis:

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

i didnt mess with anything else this one just stood out and it didnt seem to effect anything on my computer when i removed it other than the fact that the popups havent been around. but regardless the executable problems only started happening when i started getting those popups.

Edited by applestew, 10 January 2010 - 09:47 AM.

[SpySentinel]

Were you able to run DDS?

[applestew]

No it does the same thing C:\Documents and Settings\Owner\Desktop\dds.scr is not a valid Win32 application, and the link to the other one seems to be broken.

Edited by applestew, 10 January 2010 - 11:48 PM.

[SpySentinel]

Sorry for the delay. I will be responding later tonight.

[SpySentinel]

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R3 - URLSearchHook: SearchHook Class - {BC86E1AB-EDA5-4059-938F-CE307B0C6F0A} - C:\Program Files\DeviceVM\Browser Configuration Utility\AddressBarSearch.dll

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.


Now please try running combofix.

[applestew]

Did as you said and then booted up in safemode it still says C:\Documents and settings\Owner\Desktop\Combofix.exe is not a valid Win32 application, also tried it as combo-fix and svchost.com with the same results

[SpySentinel]

Were you able to remove that R3 entry with HJT?

[applestew]

Yes

[SpySentinel]

• Right click on My Computer and select "Properties."
  
• In the System Properties, select the Hardware tab then Device Manager
  
• Double-click the IDE ATA / ATAPI controllers
  
• Double-click on Primary IDE Channel and Secondary IDE channel.
  
• In the tab "Advanced Settings, under the Device 0, ensure that the command is set to DMA if available and not PIO only.

[applestew]

Yep they were all on DMA, i noticed that under IDE ATA/ATAPI controllers there were two Primary IDE Channels and Two Secondary IDE Channels dont know if that is normal but they were all already on DMA non the less

[SpySentinel]

OK this file is big Print these instruction out so that you know what you are doing

Two programmes to download

First

ISOBurner this will allow you to burn REATOGO-X-PE ISO to a cd and make it bootable. Just install the programme, from there on in it is fairly automatic. Instructions

Second

• Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 292Mb in size so it may take some time to download.
• When downloaded double click and this will then open ISOBurner to burn the file to CD
• Reboot your system using the boot CD you just created.
  
  Note : If you do not know how to set your computer to boot from CD follow the steps here
  
• Your system should now display a REATOGO-X-PE desktop.
• Double-click on the OTLPE icon.
• When asked "Do you wish to load the remote registry", select Yes
• When asked "Do you wish to load remote user profile(s) for scanning", select Yes
• Ensure the box "Automatically Load All Remaining Users" is checked and press OK
• OTL should now start.
• Press Run Scan to start the scan.
• When finished, the file will be saved in drive C:\OTL.txt
• Copy this file to your USB drive if you do not have internet connection on this system
• Please post the contents of the C:\OTL.txt file in your reply.

[applestew]

Did everything like you said downloaded ISOBurner shows up with a blank command prompt icon couldn't open it because i cant run it, its doing the not a valid Win32 application thing. so i downloaded it on a different computer showed up with its own icon the right icon (the shield the box and the cd), ran perfectly as expected downloaded the other file double clicked it, it opened with the active iso burner, burned it cd loaded up my other computer(the one im having the problems with) double checked to see if boot up from cd was first priority in bios, it was so i let it do its thing after exiting setup it just did what it normally does it took me to the windows xp screen followed by the login password prompt. i went ahead and tried it on a different computer to see if it would work on that it did not so i was wondering if i should re download and burn it to another cd and try it again?

[emeraldnzl]

Hello applestew,

SpySentinel is busy elswhere so you will have to put up with me now.

Just so I know how things are; am I correct in assuming that while you have downloaded OTLPE twice you do in fact have it on your infected machine?

Also, that you are not having success in running it on that machine?

Couple of things here... firstly, sometimes the download can get interrupted and you don't get the whole file. Tell me what size the file is that is on your desktop.

secondly, there can be problems if you have SATA motherboard drives on your machine or some other unusual configuration. This tool is constantly being developed though and the very latest version can take care of most of that. Maybe it would be worth downloading the latest version to use.

What do you think?

[applestew]

Hi thanks for the assistance. Now that you mentioned it the file i downloaded, OTLPE.iso completed with 94.4 MB. I guess i didn't think anything of it it just completed there weren't any errors stating that it didn't fully download or anything lol. well i am re downloading it right now i will tell you how it goes and i will burn it on another disk

Edited by applestew, 22 January 2010 - 04:36 PM.