[Crika]

Ok I am trying to follow the simple steps of posting, but my computer REFUSES to let me run OTL. Let me just post in order what all I HAVE done than maybe someone can figure out what I must be doing wrong...

This was my first post and the steps I started with.

Since then I saved OTL but when I tried to run it I get the classic "I'm sorry but this program has experienced an error and has to close.."
Followed the link to Malware removers
Tried to save exehelper, but Mcafee kept killing it before I could even run it.
Succesfully saved/ran rkill
succesfully saved/ran MBAM (free version)
After running that and it finding a ton of crap, I clicked "remove selected" which was all of it.
When my computer was trying to restart however it froze with an error:

Microsoft Visual C ++ Runtime Library
Runtime Error
Program: C:\programfiles\commonfiles\Mcafee\mcSvcHost\McSvcHost.exe
R6025
-Pure Virtual Function Call

Manually shut down and started up my computer.
Re-downloaded OTL-still can't run it.
Ran MBAM again for the heck of it and the only thing left was something called Pup.funwebproducts

I don't understand why OTL seems to be the only thing that won't run, I assume I must be missing something?

[Advertisements]

Lets try another variant then

Download OTS to your Desktop and double-click on it to run it

• Make sure you close all other programs and don't use the PC while the scan runs.
• Select All Users
• Under additional scans select the following
  Reg - Disabled MS Config Items
  Reg - Drivers32
  Reg - NetSvcs
  Reg - SafeBoot Minimal
  Reg - Shell Spawning
  Evnt - EventViewer Logs (Last 10 Errors)
  File - Lop Check
  
  
• Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
• When the scan is complete Notepad will open with the report file loaded in it.
• Please attach the log in your next post.

[Essexboy]

Lets try another variant then

Download OTS to your Desktop and double-click on it to run it

• Make sure you close all other programs and don't use the PC while the scan runs.
• Select All Users
• Under additional scans select the following
  Reg - Disabled MS Config Items
  Reg - Drivers32
  Reg - NetSvcs
  Reg - SafeBoot Minimal
  Reg - Shell Spawning
  Evnt - EventViewer Logs (Last 10 Errors)
  File - Lop Check
  
  
• Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
• When the scan is complete Notepad will open with the report file loaded in it.
• Please attach the log in your next post.

[Crika]

Yeah that did the exact same thing...as soon as I click on OTL that error pops up. Would it help at all if I coppied any error numbers or anything?

Ok I just realized I keep calling it OTL instead of OTS...as if i don't sound cluless enough...

Edited by Crika, 07 April 2011 - 03:04 PM.

[Essexboy]

Yes please as this sounds a tad weird

[Crika]

Error Signature

AppName: ots.com AppVer: 3.1.42.0 ModName: kernel32.dll
ModVer: 5.1.2600.5781 Offset: 00012afb

Contents:

<?xml version="1.0" encoding="UTF-16"?>
<DATABASE>
<EXE NAME="OTS.com" FILTER="GRABMI_FILTER_PRIVACY">
<MATCHING_FILE NAME="rkill.exe" SIZE="1006778" CHECKSUM="0x5266072A" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0" LINK_DATE="03/15/2010 06:27:50" UPTO_LINK_DATE="03/15/2010 06:27:50" />
<MATCHING_FILE NAME="TFC.exe" SIZE="446464" CHECKSUM="0x289427F5" BIN_FILE_VERSION="3.1.7.0" BIN_PRODUCT_VERSION="3.1.7.0" PRODUCT_VERSION="1.0.0.0" FILE_DESCRIPTION="" COMPANY_NAME="OldTimer Tools" PRODUCT_NAME="TFC" FILE_VERSION="3.1.7.0" ORIGINAL_FILENAME="TFC.exe" INTERNAL_NAME="TFC.exe" LEGAL_COPYRIGHT="" VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x4" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x6EC07" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="3.1.7.0" UPTO_BIN_PRODUCT_VERSION="3.1.7.0" LINK_DATE="06/19/1992 22:22:17" UPTO_LINK_DATE="06/19/1992 22:22:17" VER_LANGUAGE="English (United States) [0x409]" />
<MATCHING_FILE NAME="Unused Desktop Shortcuts\792248d6ad421d577132c2b648bbed45_scc_trial_na.exe" SIZE="215659728" CHECKSUM="0xF5C982FF" BIN_FILE_VERSION="14.0.0.162" BIN_PRODUCT_VERSION="14.0.0.0" PRODUCT_VERSION="14.0" FILE_DESCRIPTION="Setup.exe" COMPANY_NAME="Macrovision Corporation" PRODUCT_NAME="InstallShield" FILE_VERSION="14.0.162" ORIGINAL_FILENAME="Setup.exe" INTERNAL_NAME="Setup" LEGAL_COPYRIGHT="Copyright © 2007 Macrovision Corporation" VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0xCDAC97E" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="14.0.0.162" UPTO_BIN_PRODUCT_VERSION="14.0.0.0" LINK_DATE="04/19/2007 00:08:20" UPTO_LINK_DATE="04/19/2007 00:08:20" VER_LANGUAGE="English (United States) [0x409]" />
<MATCHING_FILE NAME="Unused Desktop Shortcuts\AdbeRdr708_en_US.exe" SIZE="21290704" CHECKSUM="0xEAFC236D" BIN_FILE_VERSION="0.0.0.0" BIN_PRODUCT_VERSION="0.0.0.0" PRODUCT_VERSION=" " COMPANY_NAME=" " PRODUCT_NAME=" " FILE_VERSION=" " LEGAL_COPYRIGHT=" " VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x1458918" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="0.0.0.0" UPTO_BIN_PRODUCT_VERSION="0.0.0.0" LINK_DATE="03/21/2006 10:50:28" UPTO_LINK_DATE="03/21/2006 10:50:28" VER_LANGUAGE="Language Neutral [0x0]" />
<MATCHING_FILE NAME="Unused Desktop Shortcuts\ascii_art_generator_setup.exe" SIZE="691859" CHECKSUM="0x25970260" BIN_FILE_VERSION="0.0.0.0" BIN_PRODUCT_VERSION="0.0.0.0" PRODUCT_VERSION="" FILE_DESCRIPTION="ASCII Art Generator Setup " COMPANY_NAME="ASCII Art Generator, Inc. " PRODUCT_NAME="" FILE_VERSION=" " ORIGINAL_FILENAME="" INTERNAL_NAME="" VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x4" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="0.0.0.0" UPTO_BIN_PRODUCT_VERSION="0.0.0.0" LINK_DATE="06/19/1992 22:22:17" UPTO_LINK_DATE="06/19/1992 22:22:17" VER_LANGUAGE="English (United States) [0x409]" />
<MATCHING_FILE NAME="Unused Desktop Shortcuts\InstallIMVU_409.0_st_g.exe" SIZE="72728" CHECKSUM="0xE6DD0750" MODULE_TYPE="WIN32" PE_CHECKSUM="0x1812E" LINKER_VERSION="0x0" LINK_DATE="10/20/2006 13:20:20" UPTO_LINK_DATE="10/20/2006 13:20:20" />
<MATCHING_FILE NAME="Unused Desktop Shortcuts\sims2ep2_patch.exe" SIZE="19072283" CHECKSUM="0x2753C89E" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0" LINK_DATE="01/17/2006 23:43:45" UPTO_LINK_DATE="01/17/2006 23:43:45" />
<MATCHING_FILE NAME="Unused Desktop Shortcuts\TravianCropFinder2.05.exe" SIZE="356352" CHECKSUM="0xE1C266DB" BIN_FILE_VERSION="2.5.0.0" BIN_PRODUCT_VERSION="2.5.0.0" PRODUCT_VERSION="2.05.0.0" FILE_DESCRIPTION="TravianCropFinder" COMPANY_NAME="DFU" PRODUCT_NAME="TravianCropFinder" FILE_VERSION="2.05.0.0" ORIGINAL_FILENAME="TravianCropFinder.exe" INTERNAL_NAME="TravianCropFinder.exe" LEGAL_COPYRIGHT="Copyright © CS 2008" VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x4" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="2.5.0.0" UPTO_BIN_PRODUCT_VERSION="2.5.0.0" LINK_DATE="12/06/2008 16:19:41" UPTO_LINK_DATE="12/06/2008 16:19:41" VER_LANGUAGE="Language Neutral [0x0]" />
<MATCHING_FILE NAME="Unused Desktop Shortcuts\Adobe Reader 9 Installer\AIRShareInstaller.exe" SIZE="198032" CHECKSUM="0x1091547B" BIN_FILE_VERSION="1.0.0.1" BIN_PRODUCT_VERSION="1.0.0.1" PRODUCT_VERSION="1, 0, 0, 1" FILE_DESCRIPTION="AIRShareInstaller" COMPANY_NAME="Adobe Systems" PRODUCT_NAME=" AIRShareInstaller Application" FILE_VERSION="1, 0, 0, 1" ORIGINAL_FILENAME="AIRShareInstaller.exe" INTERNAL_NAME="AIRShareInstaller" LEGAL_COPYRIGHT="Copyright 2008 Adobe Systems Incorporated. All rights reserved." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x4" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x3B75D" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="1.0.0.1" UPTO_BIN_PRODUCT_VERSION="1.0.0.1" LINK_DATE="06/12/2008 07:10:30" UPTO_LINK_DATE="06/12/2008 07:10:30" VER_LANGUAGE="English (United States) [0x409]" />
<MATCHING_FILE NAME="Unused Desktop Shortcuts\Adobe Reader 9 Installer\Setup.exe" SIZE="308584" CHECKSUM="0xBC725A65" BIN_FILE_VERSION="3.0.4.1" BIN_PRODUCT_VERSION="3.0.4.1" PRODUCT_VERSION="3.0.4.1" FILE_DESCRIPTION="Adobe Bootstrapper for Chaining Installations" COMPANY_NAME="Adobe Systems Incorporated" PRODUCT_NAME="Bootstrapper Big" FILE_VERSION="3.0.4.1" ORIGINAL_FILENAME="Setup.exe" INTERNAL_NAME="Setup.exe" LEGAL_COPYRIGHT="Copyright © 2008 Adobe Systems Incorporated. All rights reserved." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x4" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x5752C" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="3.0.4.1" UPTO_BIN_PRODUCT_VERSION="3.0.4.1" LINK_DATE="06/12/2008 07:10:48" UPTO_LINK_DATE="06/12/2008 07:10:48" VER_LANGUAGE="English (United States) [0x409]" />
<MATCHING_FILE NAME="Unused Desktop Shortcuts\Adobe Reader 9 Installer\AIR\Adobe AIR Installer.exe" SIZE="6848789" CHECKSUM="0x114C2A0D" BIN_FILE_VERSION="2.0.0.20" BIN_PRODUCT_VERSION="2.0.0.20" PRODUCT_VERSION="2.0.0.20 " COMPANY_NAME=" " PRODUCT_NAME="NOSSO® " FILE_VERSION="2.0.0.20 " LEGAL_COPYRIGHT=" " VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="2.0.0.20" UPTO_BIN_PRODUCT_VERSION="2.0.0.20" LINK_DATE="01/07/2008 16:19:09" UPTO_LINK_DATE="01/07/2008 16:19:09" VER_LANGUAGE="Language Neutral [0x0]" />
<MATCHING_FILE NAME="Unused Desktop Shortcuts\Adobe Reader 9 Installer\AIR\nosso_air.exe" SIZE="211784" CHECKSUM="0x8C091694" BIN_FILE_VERSION="2.0.0.20" BIN_PRODUCT_VERSION="2.0.0.20" PRODUCT_VERSION="2.0.0.20" FILE_DESCRIPTION="NOSSO®" COMPANY_NAME="NOS Microsystems Ltd." PRODUCT_NAME="NOSSO®" FILE_VERSION="2.0.0.20" LEGAL_COPYRIGHT="Copyright © 2008 by NOS Microsystems Ltd." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x3DCAA" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="2.0.0.20" UPTO_BIN_PRODUCT_VERSION="2.0.0.20" LINK_DATE="01/07/2008 16:19:09" UPTO_LINK_DATE="01/07/2008 16:19:09" VER_LANGUAGE="Language Neutral [0x0]" />
<MATCHING_FILE NAME="Unused Desktop Shortcuts\Adobe Reader 9 Installer\READER9\AcroRead.msi" SIZE="1812480" CHECKSUM="0x2C2931B3" />
<MATCHING_FILE NAME="Unused Desktop Shortcuts\Adobe Reader 9 Installer\READER9\Setup.exe" SIZE="341352" CHECKSUM="0xC0210658" BIN_FILE_VERSION="4.0.0.1" BIN_PRODUCT_VERSION="4.0.0.1" PRODUCT_VERSION="4.0.0.1" FILE_DESCRIPTION="Adobe Bootstrapper for Single Installation" COMPANY_NAME="Adobe Systems Incorporated" PRODUCT_NAME="Bootstrapper Small" FILE_VERSION="4.0.0.1" ORIGINAL_FILENAME="Setup.exe" INTERNAL_NAME="Setup.exe" LEGAL_COPYRIGHT="Copyright © 2008 Adobe Systems Incorporated. All rights reserved." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x4" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x56D39" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="4.0.0.1" UPTO_BIN_PRODUCT_VERSION="4.0.0.1" LINK_DATE="06/12/2008 07:10:29" UPTO_LINK_DATE="06/12/2008 07:10:29" VER_LANGUAGE="English (United States) [0x409]" />
<MATCHING_FILE NAME="Unused Desktop Shortcuts\NCH Swift Sound\WavePad\uninst.exe" SIZE="696324" CHECKSUM="0x71FD9492" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0" LINK_DATE="01/27/2044 23:42:15" UPTO_LINK_DATE="01/27/2044 23:42:15" />
<MATCHING_FILE NAME="Unused Desktop Shortcuts\NCH Swift Sound\WavePad\wavepad.exe" SIZE="696324" CHECKSUM="0x71FD9492" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0" LINK_DATE="01/27/2044 23:42:15" UPTO_LINK_DATE="01/27/2044 23:42:15" />
</EXE>
<EXE NAME="kernel32.dll" FILTER="GRABMI_FILTER_THISFILEONLY">
<MATCHING_FILE NAME="kernel32.dll" SIZE="989696" CHECKSUM="0x2D998938" BIN_FILE_VERSION="5.1.2600.5781" BIN_PRODUCT_VERSION="5.1.2600.5781" PRODUCT_VERSION="5.1.2600.5781" FILE_DESCRIPTION="Windows NT BASE API Client DLL" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Microsoft® Windows® Operating System" FILE_VERSION="5.1.2600.5781 (xpsp_sp3_gdr.090321-1317)" ORIGINAL_FILENAME="kernel32" INTERNAL_NAME="kernel32" LEGAL_COPYRIGHT="© Microsoft Corporation. All rights reserved." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0xFE572" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="5.1.2600.5781" UPTO_BIN_PRODUCT_VERSION="5.1.2600.5781" LINK_DATE="03/21/2009 14:06:58" UPTO_LINK_DATE="03/21/2009 14:06:58" VER_LANGUAGE="English (United States) [0x409]" />
</EXE>
<EXE NAME="kernel32.dll" FILTER="GRABMI_FILTER_THISFILEONLY">
<MATCHING_FILE NAME="kernel32.dll" SIZE="989696" CHECKSUM="0x2D998938" BIN_FILE_VERSION="5.1.2600.5781" BIN_PRODUCT_VERSION="5.1.2600.5781" PRODUCT_VERSION="5.1.2600.5781" FILE_DESCRIPTION="Windows NT BASE API Client DLL" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Microsoft® Windows® Operating System" FILE_VERSION="5.1.2600.5781 (xpsp_sp3_gdr.090321-1317)" ORIGINAL_FILENAME="kernel32" INTERNAL_NAME="kernel32" LEGAL_COPYRIGHT="© Microsoft Corporation. All rights reserved." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0xFE572" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="5.1.2600.5781" UPTO_BIN_PRODUCT_VERSION="5.1.2600.5781" LINK_DATE="03/21/2009 14:06:58" UPTO_LINK_DATE="03/21/2009 14:06:58" VER_LANGUAGE="English (United States) [0x409]" />
</EXE>
</DATABASE>


BLAH that's a lot...

[Essexboy]

OK colour me confused - as that does not make sense as it starts refering to TFC

Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  
  
• Double click on ComboFix.exe & follow the prompts.
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

[Crika]

Is it easier to do these as attachments or copy/paste?

 log.txt   11.54KB   324 downloads

ComboFix 11-04-04.02 - Carissa 04/07/2011 16:42:17.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.447 [GMT -5:00]
Running from: c:\documents and settings\Carissa\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Carissa\Recent\Thumbs.db
c:\documents and settings\Carissa\System
c:\documents and settings\Carissa\System\win_qs.jqx
c:\windows\COUPon~1.ocx
c:\windows\Downloaded Program Files\f3initialsetup1.0.0.6.inf
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
c:\windows\Downloaded Program Files\temp
c:\windows\Fonts\Shakirafont.exe
c:\windows\system32\Temp
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MYWEBSEARCHSERVICE
-------\Service_usnjsvc
.
.
((((((((((((((((((((((((( Files Created from 2011-03-07 to 2011-04-07 )))))))))))))))))))))))))))))))
.
.
2011-04-07 18:56 . 2011-04-07 18:56 -------- d-----w- c:\documents and settings\Carissa\Application Data\Malwarebytes
2011-04-07 18:56 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-07 18:56 . 2011-04-07 18:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-07 18:56 . 2011-04-07 18:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-07 18:56 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-05 21:15 . 2011-04-05 21:15 -------- d-----w- c:\documents and settings\Carissa\Application Data\Auslogics
2011-04-05 21:14 . 2011-04-05 21:14 -------- d-----w- c:\program files\Auslogics
2011-04-05 17:41 . 2011-04-05 17:41 388096 ----a-r- c:\documents and settings\Carissa\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-04-05 17:41 . 2011-04-05 17:41 -------- d-----w- c:\program files\Trend Micro
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-18 22:36 . 2011-03-03 21:30 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 22:36 . 2011-03-03 21:30 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-09 13:53 . 2002-08-29 10:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2002-08-29 10:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2002-08-29 10:00 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2002-08-29 10:00 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2002-08-29 10:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-01-17 1193848]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-10 7311360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-5-21 24576]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
.
R1 aiptektp;HyperPen;c:\windows\SYSTEM32\DRIVERS\aiptektp.sys [1/8/2008 9:27 PM 22272]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\SYSTEM32\DRIVERS\mfetdi2k.sys [3/6/2011 9:17 PM 84072]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [3/6/2011 9:17 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [3/6/2011 9:17 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [3/6/2011 9:18 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\SYSTEM32\mfevtps.exe [3/6/2011 8:55 PM 141792]
R2 mrtRate;mrtRate;c:\windows\SYSTEM32\DRIVERS\MrtRate.sys [5/21/2003 10:11 PM 34712]
R3 cfwids;McAfee Inc. cfwids;c:\windows\SYSTEM32\DRIVERS\cfwids.sys [3/6/2011 9:17 PM 55840]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\SYSTEM32\DRIVERS\mfefirek.sys [3/6/2011 9:17 PM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [3/6/2011 9:17 PM 88544]
R3 NETGEAR_WG311T_SERVICE;NETGEAR WG311T Wireless Adapter Service;c:\windows\SYSTEM32\DRIVERS\wg311tn5.sys [9/24/2005 11:40 AM 344448]
S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\SYSTEM32\AWINDIS5.SYS [9/4/2004 3:29 PM 16194]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [3/6/2011 9:17 PM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\SYSTEM32\DRIVERS\mferkdet.sys [3/6/2011 9:17 PM 84264]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-07 c:\windows\Tasks\McAfee.com Update Check (D19C3V21-48765uyegkidy4).job
- c:\progra~1\McAfee.com\Agent\mcupdate.exe [2003-08-14 22:15]
.
2011-04-07 c:\windows\Tasks\McAfee.com Update Check (D19C3V21-Carissa).job
- c:\progra~1\McAfee.com\Agent\mcupdate.exe [2003-08-14 22:15]
.
2011-04-07 c:\windows\Tasks\McAfee.com Update Check (D19C3V21-default).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe [2003-08-14 22:15]
.
2011-04-07 c:\windows\Tasks\McAfee.com Update Check (D19C3V21-Guest).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe [2003-08-14 22:15]
.
2011-04-07 c:\windows\Tasks\McAfee.com Update Check (D19C3V21-Owner).job
- c:\progra~1\McAfee.com\Agent\mcupdate.exe [2003-08-14 22:15]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.geekstogo.com/forum/forum/5-windows-xp-2000-2003-nt/
uDefault_Search_URL = hxxp://search.msn.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: c:\progra~1\COMMON~1\BTLINK\btlink.dll//iemenu
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Carissa\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-07 17:08
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1964)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Seagate\Basics\Service\SyncServicesBasics.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\System32\wbem\wmiapsrv.exe
c:\progra~1\mcafee\msc\mcupdmgr.exe
.
**************************************************************************
.
Completion time: 2011-04-07 17:22:46 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-07 22:22
.
Pre-Run: 27,200,622,592 bytes free
Post-Run: 27,223,371,776 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - D7B66F185334B63FB632DF212639BF59

[Essexboy]

Either way is easy for me

Could you delete OTL and OTS from your desktop please and then download a fresh copy - see if it runs

Download OTL to your Desktop

[Crika]

Same Error....


AppName: otl.exe AppVer: 3.2.22.3 ModName: kernel32.dll
ModVer: 5.1.2600.5781 Offset: 00012afb

[Essexboy]

I think I will ask OT about this - back in a bit. Meanwhile what are your current problems ?

[Essexboy]

OK possible solution. Before you run OTL could you disable McAfee or put OTL in the exception list for it

[Crika]

BLAH

Same thing...

Ok to be honest I don't know that much about my McAfee, it just came with the ATT service...I disabled the real time scanner and the firewall, which is all i could figure out how to do. I can't find a way to add any exceptions, I even searched through the HELP files...

The only problem (I know about) with my computer is that it was running really slow, but just the few steps you guys have had me do so far has already helped a bit.

If it's really a big deal I can just live with this...I hate to be a headache!

[Essexboy]

Well I feel you are clear of malware It is just a bit niggly - so I will download McAfee to my VM and try it out there

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean

A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View Tab.
• Under the Hidden files and folders heading select Do not show hidden files and folders.
• Click Yes to confirm.
• Click OK.

SPRING CLEAN

Download and run Puran Disc Defragmenter
For the first run I would recommend a boot defrag and disk check




Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes. Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

• Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe

[Essexboy]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.