MBAM detected "Malware.Gen.EVI". OTL won't run [Solved]



#16 UnderSiege (Member, Topic Starter, 104 posts)
Hi, :)

Can you inform myself what exactly happens when you attempt to run OTL (you mentioned prior that it occurs with all three versions); are any error messages displayed?


I right click the OTL icon and select "Run as Administrator". I then get a dialogue box which says:

"OTL has stopped working. A problem caused the program to stop working correctly. Windows will close the program and notify if a solution is available"


Odd - isn't it? It was the fact that OTL wouldn't run that prompted me to post this thread in the first place, as it can be a classic symptom of malware. Yet after all this investigation and scrutiny, it still won't work. Here is the relevant event from Event Manager:

Log Name: Application
Source: Application Error
Date: 16/10/2012 19:54:46
Event ID: 1000
Task Category: (100)
Level: Error
Keywords: Classic
User: N/A
Computer: Dad-PC
Description:
Faulting application OTL.exe, version 3.2.69.0, time stamp 0x2a425e19, faulting module kernel32.dll, version 6.0.6002.18449, time stamp 0x4da47967, exception code 0xc0000005, fault offset 0x000bfea5, process id 0x172c, application start time 0x01cdabcfb567137a.
Event Xml:
<Event xmlns="http://schemas.micro...08/events/event">
<System>
<Provider Name="Application Error" />
<EventID Qualifiers="0">1000</EventID>
<Level>2</Level>
<Task>100</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2012-10-16T18:54:46.000Z" />
<EventRecordID>91332</EventRecordID>
<Channel>Application</Channel>
<Computer>Dad-PC</Computer>
<Security />
</System>
<EventData>
<Data>OTL.exe</Data>
<Data>3.2.69.0</Data>
<Data>2a425e19</Data>
<Data>kernel32.dll</Data>
<Data>6.0.6002.18449</Data>
<Data>4da47967</Data>
<Data>c0000005</Data>
<Data>000bfea5</Data>
<Data>172c</Data>
<Data>01cdabcfb567137a</Data>
</EventData>
</Event>


I am wondering whether there is perhaps some corruption in the system file kernel32.dll, but I shall defer to your advice.




Feasibly it may be due to some faulty hardware, but I have seen no indication of that. If it happens again my best advice would be to post a topic in this part of the forum:-

Hardware, Components and Peripherals

Though it may be just one of those things, gremlins in the machine as they say.

...

Thank you for the forum suggestion, though I am inclined to agree with you that this was a spurious, unrelated event.



Update Mozilla Firefox:



I have deleted this program.



ESET Online Scanner:



This has detected two infections :o but perhaps they are not that malicious? Here is the log file:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=2683b931fb4805498205cd6866966a8e
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-10-16 06:41:05
# local_time=2012-10-16 07:41:05 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1029 16777214 0 1 58778723 58778723 0 0
# compatibility_mode=5892 16776574 100 100 27741054 187936036 0 0
# compatibility_mode=8192 67108863 100 0 559 559 0 0
# compatibility_mode=9217 16777214 75 4 158558 158558 0 0
# scanned=193043
# found=2
# cleaned=0
# scan_time=9557
C:\Users\Dad\Downloads\DriverSweeper_3.2.0.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Dad\Downloads\YouTubeDownloaderSetup34.exe a variant of Win32/Toolbar.Widgi application (unable to clean) 00000000000000000000000000000000 I


I very much appreciate the time and effort you are spending in helping me to resolve this problem - thanks. :)
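
The Event 1000 record quoted in this post is the one piece of evidence here that can be decoded rather than guessed at. The following Python is an added example, not code from the thread, from OTL or from Microsoft. It parses that record (with the event-schema namespace written out in full, since the quoted copy is truncated), decodes the exception code and the two PE link timestamps, and separates the one detail that is easy to misread: a "faulting module" of kernel32.dll means the faulting instruction pointer was inside kernel32's code, not that the kernel32.dll file on disk is corrupt. The EXCEPTION_NAMES table and the Delphi-constant check are this example's own additions, and the sample record is a constructed copy of the one above.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespace of the Windows event schema; the copy quoted in the thread shows it truncated.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed copy of the Event 1000 record from the post above, namespace written out in full.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Application Error" />
<EventID Qualifiers="0">1000</EventID>
<Level>2</Level>
<Task>100</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2012-10-16T18:54:46.000Z" />
<EventRecordID>91332</EventRecordID>
<Channel>Application</Channel>
<Computer>Dad-PC</Computer>
<Security />
</System>
<EventData>
<Data>OTL.exe</Data>
<Data>3.2.69.0</Data>
<Data>2a425e19</Data>
<Data>kernel32.dll</Data>
<Data>6.0.6002.18449</Data>
<Data>4da47967</Data>
<Data>c0000005</Data>
<Data>000bfea5</Data>
<Data>172c</Data>
<Data>01cdabcfb567137a</Data>
</EventData>
</Event>"""

# NTSTATUS values that commonly appear as the exception code in Event 1000 records
# (this table is the example's own, not part of the event schema).
EXCEPTION_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN (fail-fast)",
    0x80000003: "STATUS_BREAKPOINT",
    0xE0434352: "CLR exception (managed code)",
}

# Fixed PE TimeDateStamp that the Delphi linker writes instead of a real build time.
DELPHI_FIXED_TIMESTAMP = 0x2A425E19


def pe_timestamp(hex_value):
    """Decode a PE header TimeDateStamp (seconds since 1970-01-01 UTC, given as hex)."""
    return datetime.fromtimestamp(int(hex_value, 16), tz=timezone.utc)


def parse_event_1000(xml_text):
    """Decode an Application Error (Event ID 1000) record into named fields.

    The EventData of this provider is positional: application name, version and
    timestamp, the same three for the faulting module, then exception code,
    fault offset, process id and application start time.
    """
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    if event_id != 1000:
        raise ValueError(f"expected Application Error event 1000, got {event_id}")
    data = [d.text or "" for d in root.findall("e:EventData/e:Data", NS)]
    if len(data) < 10:
        raise ValueError(f"unexpected EventData layout: {len(data)} fields")
    app, app_ver, app_ts, mod, mod_ver, mod_ts, exc, offset, pid, _start = data[:10]
    code = int(exc, 16)
    return {
        "computer": root.findtext("e:System/e:Computer", namespaces=NS),
        "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "application": app,
        "app_version": app_ver,
        "app_link_time": pe_timestamp(app_ts),
        "app_timestamp_is_delphi_constant": int(app_ts, 16) == DELPHI_FIXED_TIMESTAMP,
        "faulting_module": mod,
        "module_version": mod_ver,
        "module_link_time": pe_timestamp(mod_ts),
        "exception_code": code,
        "exception_name": EXCEPTION_NAMES.get(code, "unknown NTSTATUS"),
        "fault_offset": int(offset, 16),  # offset inside the faulting module, not an absolute address
        "pid": int(pid, 16),
    }


if __name__ == "__main__":
    ev = parse_event_1000(SAMPLE_EVENT)
    print(f"{ev['application']} {ev['app_version']} crashed on {ev['computer']} at {ev['time']}")
    print(f"  exception {ev['exception_code']:#010x} ({ev['exception_name']}) raised inside "
          f"{ev['faulting_module']} {ev['module_version']} at offset {ev['fault_offset']:#x}")
    print(f"  faulting module linked {ev['module_link_time']:%Y-%m-%d %H:%M:%S} UTC")
    if ev["app_timestamp_is_delphi_constant"]:
        print("  application timestamp is the fixed Delphi linker constant, not a build date")
```

Read against the record above: 0xc0000005 is an access violation raised while executing a kernel32 routine, which is what you see when the caller (OTL itself, or anything loaded into its process) hands kernel32 a bad pointer; it is not evidence about the kernel32.dll file. Whether that file still matches Microsoft's signed copy is exactly what the sfc /scannow hash check later in this thread answers. The 0x2a425e19 application timestamp is the constant the Delphi linker writes rather than a build date, so only the version field (3.2.69.0) identifies the OTL build.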

#17 Dakeyras (Anti-Malware Mammoth, Expert, 9,773 posts)
Hi. :)

I very much appreciate the time and effort you are spending in helping me to resolve this problem - thanks. :)

You're most welcome and a pleasure to be of assistance!

Thank you for the forum suggestion, though I am inclined to agree with you that this was a spurious, unrelated event.

Could well be...

I have deleted this program.

Fair play.

This has detected two infections :o but perhaps they are not that malicious?

Both are false positive detections, but since they are merely installers they can be safely deleted.

Driver Sweeper, like any software of its ilk, is not actually that effective and can at times cause more problems than it solves. Personally I would not use it, but it is your choice whether to leave it installed or not. If the latter, merely create a System Restore Point and a new backup with, say, ERUNT before using it, to err on the side of caution.

YouTube Downloader itself is not malicious, but the Toolbar you had installed alongside it is, and that was removed earlier on in the malware removal process.

I am wondering whether there is perhaps some corruption in the system file kernel32.dll, but I shall defer to your advice.

Carry out the below please then re-try OTL again.

Vista-System File Checker:

You may require your Vista DVD for the below.

  • Click on Start(Vista Orb).
  • Click on All Programs >> Accessories
  • Right click on Command Prompt and select Run as Administrator.
  • Click on Continue in the UAC prompt.
  • At the Command Prompt C:\Windows\System32> type in the following exactly:
  • CD C:\
  • Then depress the Enter/Return key, then type in the following exactly:
  • sfc /scannow
  • Then depress the Enter/Return key.
Note: This may take a while to finish. When completed, close the Administrator Command Prompt window by typing Exit and then depressing the Enter/Return key.

#18 UnderSiege (Member, Topic Starter, 104 posts)
Hi :)

Driver Sweeper, like any software of its ilk, is not actually that effective and can at times cause more problems than it solves. Personally I would not use it, but it is your choice whether to leave it installed or not. If the latter, merely create a System Restore Point and a new backup with, say, ERUNT before using it, to err on the side of caution.


System Restore Point created and new ERUNT backup taken. Driver Sweeper deleted.



Carry out the below please then re-try OTL again.

Vista-System File Checker:


I ran sfc /scannow with the result:

"Windows Resource Protection found corrupt files but was unable to fix some of them details can be found in C:\Windows\Logs\CBS\CBS.log"


I copied the CBS file to the desktop and opened it with Notepad. It's huge - nearly 24 MB, so I haven't posted it.

And OTL still did not run, but I think we are onto something here. Please advise what next - thanks

#19 Dakeyras (Anti-Malware Mammoth, Expert, 9,773 posts)
Hi. :)

Let's see if we are able to retrieve the CBS log for my review as follows...

Copy the below(highlight, right click and select copy)

findstr /c:"[SR]" %windir%\logs\cbs\cbs.log >sfcdetails.txt

  • Now click on Start(Vista Orb).
  • Click on All Programs >> Accessories
  • Right click on Command Prompt and select Run as Administrator.
  • Click on Continue in the UAC prompt.
  • At the Command Prompt C:\Windows\System32> type in the following exactly:
  • CD C:\
  • Still in the Admin' Command Prompt window, right click and select Paste
  • After C:\ appears, close the Admin' Command Prompt window.
Click on Start(Vista orb) >> Computer >> C:\ >> there should be a text file named sfcdetails.txt. Attach that in your next reply...

If too large to attach, send the aforementioned text file to a zipfile and try again (to zip it, right click on sfcdetails.txt >> Send To >> Compressed (zipped) folder >> follow the prompts etc.). The zipfile should now be on the desktop.

--------------

How to add an attachment to a new topic or reply

#20 UnderSiege (Member, Topic Starter, 104 posts)
Hi, :)

CBS log

All worked - only 28 KB in size, so I have pasted it below:

2012-10-16 21:57:40, Info CSI 00000006 [SR] Verifying 100 (0x00000064) components
2012-10-16 21:57:40, Info CSI 00000007 [SR] Beginning Verify and Repair transaction
2012-10-16 21:57:44, Info CSI 00000009 [SR] Verify complete
2012-10-16 21:57:45, Info CSI 0000000a [SR] Verifying 100 (0x00000064) components
2012-10-16 21:57:45, Info CSI 0000000b [SR] Beginning Verify and Repair transaction
2012-10-16 21:57:49, Info CSI 0000000d [SR] Verify complete
2012-10-16 21:57:50, Info CSI 0000000e [SR] Verifying 100 (0x00000064) components
2012-10-16 21:57:50, Info CSI 0000000f [SR] Beginning Verify and Repair transaction
2012-10-16 21:57:51, Info CSI 00000011 [SR] Verify complete
2012-10-16 21:57:53, Info CSI 00000012 [SR] Verifying 100 (0x00000064) components
2012-10-16 21:57:53, Info CSI 00000013 [SR] Beginning Verify and Repair transaction
2012-10-16 21:57:53, Info CSI 00000015 [SR] Verify complete
2012-10-16 21:57:54, Info CSI 00000016 [SR] Verifying 100 (0x00000064) components
2012-10-16 21:57:54, Info CSI 00000017 [SR] Beginning Verify and Repair transaction
2012-10-16 21:57:55, Info CSI 00000019 [SR] Verify complete
2012-10-16 21:57:56, Info CSI 0000001a [SR] Verifying 100 (0x00000064) components
2012-10-16 21:57:56, Info CSI 0000001b [SR] Beginning Verify and Repair transaction
2012-10-16 21:57:57, Info CSI 0000001d [SR] Verify complete
2012-10-16 21:57:58, Info CSI 0000001e [SR] Verifying 100 (0x00000064) components
2012-10-16 21:57:58, Info CSI 0000001f [SR] Beginning Verify and Repair transaction
2012-10-16 21:57:59, Info CSI 00000021 [SR] Verify complete
2012-10-16 21:57:59, Info CSI 00000022 [SR] Verifying 100 (0x00000064) components
2012-10-16 21:57:59, Info CSI 00000023 [SR] Beginning Verify and Repair transaction
2012-10-16 21:58:00, Info CSI 00000025 [SR] Verify complete
2012-10-16 21:58:01, Info CSI 00000026 [SR] Verifying 100 (0x00000064) components
2012-10-16 21:58:01, Info CSI 00000027 [SR] Beginning Verify and Repair transaction
2012-10-16 21:58:02, Info CSI 00000029 [SR] Verify complete
2012-10-16 21:58:03, Info CSI 0000002a [SR] Verifying 100 (0x00000064) components
2012-10-16 21:58:03, Info CSI 0000002b [SR] Beginning Verify and Repair transaction
2012-10-16 21:58:04, Info CSI 0000002d [SR] Verify complete
2012-10-16 21:58:04, Info CSI 0000002e [SR] Verifying 100 (0x00000064) components
2012-10-16 21:58:04, Info CSI 0000002f [SR] Beginning Verify and Repair transaction
2012-10-16 21:58:05, Info CSI 00000031 [SR] Verify complete
2012-10-16 21:58:06, Info CSI 00000032 [SR] Verifying 100 (0x00000064) components
2012-10-16 21:58:06, Info CSI 00000033 [SR] Beginning Verify and Repair transaction
2012-10-16 21:58:07, Info CSI 00000035 [SR] Verify complete
2012-10-16 21:58:08, Info CSI 00000036 [SR] Verifying 100 (0x00000064) components
2012-10-16 21:58:08, Info CSI 00000037 [SR] Beginning Verify and Repair transaction
2012-10-16 21:58:09, Info CSI 00000039 [SR] Verify complete
2012-10-16 21:58:10, Info CSI 0000003a [SR] Verifying 100 (0x00000064) components
2012-10-16 21:58:10, Info CSI 0000003b [SR] Beginning Verify and Repair transaction
2012-10-16 21:58:11, Info CSI 0000003d [SR] Verify complete
2012-10-16 21:58:12, Info CSI 0000003e [SR] Verifying 100 (0x00000064) components
2012-10-16 21:58:12, Info CSI 0000003f [SR] Beginning Verify and Repair transaction
2012-10-16 21:58:13, Info CSI 00000041 [SR] Verify complete
2012-10-16 21:58:14, Info CSI 00000042 [SR] Verifying 100 (0x00000064) components
2012-10-16 21:58:14, Info CSI 00000043 [SR] Beginning Verify and Repair transaction
2012-10-16 21:58:14, Info CSI 00000045 [SR] Verify complete
2012-10-16 21:58:15, Info CSI 00000046 [SR] Verifying 100 (0x00000064) components
2012-10-16 21:58:15, Info CSI 00000047 [SR] Beginning Verify and Repair transaction
2012-10-16 21:58:17, Info CSI 00000049 [SR] Verify complete
2012-10-16 21:58:18, Info CSI 0000004a [SR] Verifying 100 (0x00000064) components
2012-10-16 21:58:18, Info CSI 0000004b [SR] Beginning Verify and Repair transaction
2012-10-16 21:58:18, Info CSI 0000004d [SR] Verify complete
2012-10-16 21:58:19, Info CSI 0000004e [SR] Verifying 100 (0x00000064) components
2012-10-16 21:58:19, Info CSI 0000004f [SR] Beginning Verify and Repair transaction
2012-10-16 21:58:20, Info CSI 00000051 [SR] Verify complete
2012-10-16 21:58:21, Info CSI 00000052 [SR] Verifying 100 (0x00000064) components
2012-10-16 21:58:21, Info CSI 00000053 [SR] Beginning Verify and Repair transaction
2012-10-16 21:58:22, Info CSI 00000055 [SR] Verify complete
2012-10-16 21:58:23, Info CSI 00000056 [SR] Verifying 100 (0x00000064) components
2012-10-16 21:58:23, Info CSI 00000057 [SR] Beginning Verify and Repair transaction
2012-10-16 21:58:24, Info CSI 00000059 [SR] Verify complete
2012-10-16 21:58:25, Info CSI 0000005a [SR] Verifying 100 (0x00000064) components
2012-10-16 21:58:25, Info CSI 0000005b [SR] Beginning Verify and Repair transaction
2012-10-16 21:58:26, Info CSI 0000005d [SR] Verify complete
2012-10-16 21:58:26, Info CSI 0000005e [SR] Verifying 100 (0x00000064) components
2012-10-16 21:58:26, Info CSI 0000005f [SR] Beginning Verify and Repair transaction
2012-10-16 21:58:28, Info CSI 00000061 [SR] Verify complete
2012-10-16 21:58:29, Info CSI 00000062 [SR] Verifying 100 (0x00000064) components
2012-10-16 21:58:29, Info CSI 00000063 [SR] Beginning Verify and Repair transaction
2012-10-16 21:58:30, Info CSI 00000065 [SR] Verify complete
2012-10-16 21:58:30, Info CSI 00000066 [SR] Verifying 100 (0x00000064) components
2012-10-16 21:58:30, Info CSI 00000067 [SR] Beginning Verify and Repair transaction
2012-10-16 21:58:32, Info CSI 00000069 [SR] Verify complete
2012-10-16 21:58:33, Info CSI 0000006a [SR] Verifying 100 (0x00000064) components
2012-10-16 21:58:33, Info CSI 0000006b [SR] Beginning Verify and Repair transaction
2012-10-16 21:58:34, Info CSI 0000006d [SR] Verify complete
2012-10-16 21:58:35, Info CSI 0000006e [SR] Verifying 100 (0x00000064) components
2012-10-16 21:58:35, Info CSI 0000006f [SR] Beginning Verify and Repair transaction
2012-10-16 21:58:36, Info CSI 00000071 [SR] Verify complete
2012-10-16 21:58:37, Info CSI 00000072 [SR] Verifying 100 (0x00000064) components
2012-10-16 21:58:37, Info CSI 00000073 [SR] Beginning Verify and Repair transaction
2012-10-16 21:58:38, Info CSI 00000075 [SR] Verify complete
2012-10-16 21:58:39, Info CSI 00000076 [SR] Verifying 100 (0x00000064) components
2012-10-16 21:58:39, Info CSI 00000077 [SR] Beginning Verify and Repair transaction
2012-10-16 21:58:41, Info CSI 00000079 [SR] Verify complete
2012-10-16 21:58:42, Info CSI 0000007a [SR] Verifying 100 (0x00000064) components
2012-10-16 21:58:42, Info CSI 0000007b [SR] Beginning Verify and Repair transaction
2012-10-16 21:58:43, Info CSI 0000007d [SR] Verify complete
2012-10-16 21:58:44, Info CSI 0000007e [SR] Verifying 100 (0x00000064) components
2012-10-16 21:58:44, Info CSI 0000007f [SR] Beginning Verify and Repair transaction
2012-10-16 21:58:45, Info CSI 00000081 [SR] Verify complete
2012-10-16 21:58:45, Info CSI 00000082 [SR] Verifying 100 (0x00000064) components
2012-10-16 21:58:45, Info CSI 00000083 [SR] Beginning Verify and Repair transaction
2012-10-16 21:58:46, Info CSI 00000085 [SR] Verify complete
2012-10-16 21:58:47, Info CSI 00000086 [SR] Verifying 100 (0x00000064) components
2012-10-16 21:58:47, Info CSI 00000087 [SR] Beginning Verify and Repair transaction
2012-10-16 21:58:50, Info CSI 00000089 [SR] Verify complete
2012-10-16 21:58:51, Info CSI 0000008a [SR] Verifying 100 (0x00000064) components
2012-10-16 21:58:51, Info CSI 0000008b [SR] Beginning Verify and Repair transaction
2012-10-16 21:58:55, Info CSI 0000008d [SR] Verify complete
2012-10-16 21:58:56, Info CSI 0000008e [SR] Verifying 100 (0x00000064) components
2012-10-16 21:58:56, Info CSI 0000008f [SR] Beginning Verify and Repair transaction
2012-10-16 21:58:59, Info CSI 00000091 [SR] Verify complete
2012-10-16 21:59:00, Info CSI 00000092 [SR] Verifying 100 (0x00000064) components
2012-10-16 21:59:00, Info CSI 00000093 [SR] Beginning Verify and Repair transaction
2012-10-16 21:59:05, Info CSI 00000096 [SR] Verify complete
2012-10-16 21:59:05, Info CSI 00000097 [SR] Verifying 100 (0x00000064) components
2012-10-16 21:59:05, Info CSI 00000098 [SR] Beginning Verify and Repair transaction
2012-10-16 21:59:09, Info CSI 0000009b [SR] Verify complete
2012-10-16 21:59:10, Info CSI 0000009c [SR] Verifying 100 (0x00000064) components
2012-10-16 21:59:10, Info CSI 0000009d [SR] Beginning Verify and Repair transaction
2012-10-16 21:59:14, Info CSI 0000009f [SR] Verify complete
2012-10-16 21:59:15, Info CSI 000000a0 [SR] Verifying 100 (0x00000064) components
2012-10-16 21:59:15, Info CSI 000000a1 [SR] Beginning Verify and Repair transaction
2012-10-16 21:59:22, Info CSI 000000a7 [SR] Verify complete
2012-10-16 21:59:23, Info CSI 000000a8 [SR] Verifying 100 (0x00000064) components
2012-10-16 21:59:23, Info CSI 000000a9 [SR] Beginning Verify and Repair transaction
2012-10-16 21:59:29, Info CSI 000000af [SR] Verify complete
2012-10-16 21:59:30, Info CSI 000000b0 [SR] Verifying 100 (0x00000064) components
2012-10-16 21:59:30, Info CSI 000000b1 [SR] Beginning Verify and Repair transaction
2012-10-16 21:59:35, Info CSI 000000b3 [SR] Verify complete
2012-10-16 21:59:35, Info CSI 000000b4 [SR] Verifying 100 (0x00000064) components
2012-10-16 21:59:35, Info CSI 000000b5 [SR] Beginning Verify and Repair transaction
2012-10-16 21:59:39, Info CSI 000000b7 [SR] Verify complete
2012-10-16 21:59:40, Info CSI 000000b8 [SR] Verifying 100 (0x00000064) components
2012-10-16 21:59:40, Info CSI 000000b9 [SR] Beginning Verify and Repair transaction
2012-10-16 21:59:45, Info CSI 000000bb [SR] Verify complete
2012-10-16 21:59:45, Info CSI 000000bc [SR] Verifying 100 (0x00000064) components
2012-10-16 21:59:45, Info CSI 000000bd [SR] Beginning Verify and Repair transaction
2012-10-16 21:59:53, Info CSI 000000bf [SR] Verify complete
2012-10-16 21:59:54, Info CSI 000000c0 [SR] Verifying 100 (0x00000064) components
2012-10-16 21:59:54, Info CSI 000000c1 [SR] Beginning Verify and Repair transaction
2012-10-16 22:00:02, Info CSI 000000c5 [SR] Verify complete
2012-10-16 22:00:03, Info CSI 000000c6 [SR] Verifying 100 (0x00000064) components
2012-10-16 22:00:03, Info CSI 000000c7 [SR] Beginning Verify and Repair transaction
2012-10-16 22:00:18, Info CSI 000000c9 [SR] Verify complete
2012-10-16 22:00:18, Info CSI 000000ca [SR] Verifying 100 (0x00000064) components
2012-10-16 22:00:18, Info CSI 000000cb [SR] Beginning Verify and Repair transaction
2012-10-16 22:00:32, Info CSI 000000cd [SR] Verify complete
2012-10-16 22:00:33, Info CSI 000000ce [SR] Verifying 100 (0x00000064) components
2012-10-16 22:00:33, Info CSI 000000cf [SR] Beginning Verify and Repair transaction
2012-10-16 22:00:37, Info CSI 000000d1 [SR] Verify complete
2012-10-16 22:00:38, Info CSI 000000d2 [SR] Verifying 100 (0x00000064) components
2012-10-16 22:00:38, Info CSI 000000d3 [SR] Beginning Verify and Repair transaction
2012-10-16 22:00:40, Info CSI 000000d5 [SR] Verify complete
2012-10-16 22:00:41, Info CSI 000000d6 [SR] Verifying 100 (0x00000064) components
2012-10-16 22:00:41, Info CSI 000000d7 [SR] Beginning Verify and Repair transaction
2012-10-16 22:00:43, Info CSI 000000d9 [SR] Verify complete
2012-10-16 22:00:44, Info CSI 000000da [SR] Verifying 100 (0x00000064) components
2012-10-16 22:00:44, Info CSI 000000db [SR] Beginning Verify and Repair transaction
2012-10-16 22:00:56, Info CSI 000000f9 [SR] Verify complete
2012-10-16 22:00:57, Info CSI 000000fa [SR] Verifying 100 (0x00000064) components
2012-10-16 22:00:57, Info CSI 000000fb [SR] Beginning Verify and Repair transaction
2012-10-16 22:01:00, Info CSI 000000fd [SR] Verify complete
2012-10-16 22:01:01, Info CSI 000000fe [SR] Verifying 100 (0x00000064) components
2012-10-16 22:01:01, Info CSI 000000ff [SR] Beginning Verify and Repair transaction
2012-10-16 22:01:04, Info CSI 00000101 [SR] Verify complete
2012-10-16 22:01:05, Info CSI 00000102 [SR] Verifying 100 (0x00000064) components
2012-10-16 22:01:05, Info CSI 00000103 [SR] Beginning Verify and Repair transaction
2012-10-16 22:01:08, Info CSI 00000105 [SR] Verify complete
2012-10-16 22:01:10, Info CSI 00000106 [SR] Verifying 100 (0x00000064) components
2012-10-16 22:01:10, Info CSI 00000107 [SR] Beginning Verify and Repair transaction
2012-10-16 22:01:15, Info CSI 00000109 [SR] Verify complete
2012-10-16 22:01:16, Info CSI 0000010a [SR] Verifying 100 (0x00000064) components
2012-10-16 22:01:16, Info CSI 0000010b [SR] Beginning Verify and Repair transaction
2012-10-16 22:01:25, Info CSI 0000010e [SR] Verify complete
2012-10-16 22:01:26, Info CSI 0000010f [SR] Verifying 100 (0x00000064) components
2012-10-16 22:01:26, Info CSI 00000110 [SR] Beginning Verify and Repair transaction
2012-10-16 22:01:29, Info CSI 00000112 [SR] Verify complete
2012-10-16 22:01:30, Info CSI 00000113 [SR] Verifying 100 (0x00000064) components
2012-10-16 22:01:30, Info CSI 00000114 [SR] Beginning Verify and Repair transaction
2012-10-16 22:01:33, Info CSI 00000116 [SR] Verify complete
2012-10-16 22:01:34, Info CSI 00000117 [SR] Verifying 100 (0x00000064) components
2012-10-16 22:01:34, Info CSI 00000118 [SR] Beginning Verify and Repair transaction
2012-10-16 22:01:41, Info CSI 0000011a [SR] Verify complete
2012-10-16 22:01:41, Info CSI 0000011b [SR] Verifying 100 (0x00000064) components
2012-10-16 22:01:41, Info CSI 0000011c [SR] Beginning Verify and Repair transaction
2012-10-16 22:01:46, Info CSI 0000011e [SR] Verify complete
2012-10-16 22:01:47, Info CSI 0000011f [SR] Verifying 100 (0x00000064) components
2012-10-16 22:01:47, Info CSI 00000120 [SR] Beginning Verify and Repair transaction
2012-10-16 22:01:55, Info CSI 00000122 [SR] Verify complete
2012-10-16 22:01:55, Info CSI 00000123 [SR] Verifying 100 (0x00000064) components
2012-10-16 22:01:55, Info CSI 00000124 [SR] Beginning Verify and Repair transaction
2012-10-16 22:02:08, Info CSI 00000149 [SR] Verify complete
2012-10-16 22:02:09, Info CSI 0000014a [SR] Verifying 100 (0x00000064) components
2012-10-16 22:02:09, Info CSI 0000014b [SR] Beginning Verify and Repair transaction
2012-10-16 22:02:17, Info CSI 0000014d [SR] Verify complete
2012-10-16 22:02:18, Info CSI 0000014e [SR] Verifying 100 (0x00000064) components
2012-10-16 22:02:18, Info CSI 0000014f [SR] Beginning Verify and Repair transaction
2012-10-16 22:02:40, Info CSI 00000151 [SR] Verify complete
2012-10-16 22:02:40, Info CSI 00000152 [SR] Verifying 100 (0x00000064) components
2012-10-16 22:02:40, Info CSI 00000153 [SR] Beginning Verify and Repair transaction
2012-10-16 22:02:54, Info CSI 00000155 [SR] Verify complete
2012-10-16 22:02:55, Info CSI 00000156 [SR] Verifying 100 (0x00000064) components
2012-10-16 22:02:55, Info CSI 00000157 [SR] Beginning Verify and Repair transaction
2012-10-16 22:03:05, Info CSI 00000159 [SR] Verify complete
2012-10-16 22:03:05, Info CSI 0000015a [SR] Verifying 100 (0x00000064) components
2012-10-16 22:03:05, Info CSI 0000015b [SR] Beginning Verify and Repair transaction
2012-10-16 22:03:12, Info CSI 0000015d [SR] Verify complete
2012-10-16 22:03:12, Info CSI 0000015e [SR] Verifying 100 (0x00000064) components
2012-10-16 22:03:12, Info CSI 0000015f [SR] Beginning Verify and Repair transaction
2012-10-16 22:03:17, Info CSI 00000161 [SR] Verify complete
2012-10-16 22:03:18, Info CSI 00000162 [SR] Verifying 100 (0x00000064) components
2012-10-16 22:03:18, Info CSI 00000163 [SR] Beginning Verify and Repair transaction
2012-10-16 22:03:23, Info CSI 00000166 [SR] Verify complete
2012-10-16 22:03:23, Info CSI 00000167 [SR] Verifying 100 (0x00000064) components
2012-10-16 22:03:23, Info CSI 00000168 [SR] Beginning Verify and Repair transaction
2012-10-16 22:03:39, Info CSI 0000016a [SR] Verify complete
2012-10-16 22:03:39, Info CSI 0000016b [SR] Verifying 100 (0x00000064) components
2012-10-16 22:03:39, Info CSI 0000016c [SR] Beginning Verify and Repair transaction
2012-10-16 22:03:47, Info CSI 0000016e [SR] Verify complete
2012-10-16 22:03:48, Info CSI 0000016f [SR] Verifying 100 (0x00000064) components
2012-10-16 22:03:48, Info CSI 00000170 [SR] Beginning Verify and Repair transaction
2012-10-16 22:03:55, Info CSI 00000172 [SR] Verify complete
2012-10-16 22:03:56, Info CSI 00000173 [SR] Verifying 100 (0x00000064) components
2012-10-16 22:03:56, Info CSI 00000174 [SR] Beginning Verify and Repair transaction
2012-10-16 22:04:02, Info CSI 00000176 [SR] Cannot repair member file [l:24{12}]"settings.ini" of Microsoft-Windows-Sidebar, Version = 6.0.6002.18005, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2012-10-16 22:04:03, Info CSI 00000178 [SR] Cannot repair member file [l:24{12}]"settings.ini" of Microsoft-Windows-Sidebar, Version = 6.0.6002.18005, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2012-10-16 22:04:03, Info CSI 00000179 [SR] This component was referenced by [l:158{79}]"Package_16_for_KB948465~31bf3856ad364e35~x86~~6.0.1.18005.948465-49_neutral_GDR"
2012-10-16 22:04:07, Info CSI 0000017b [SR] Verify complete
2012-10-16 22:04:08, Info CSI 0000017c [SR] Verifying 100 (0x00000064) components
2012-10-16 22:04:08, Info CSI 0000017d [SR] Beginning Verify and Repair transaction
2012-10-16 22:04:15, Info CSI 0000017f [SR] Verify complete
2012-10-16 22:04:15, Info CSI 00000180 [SR] Verifying 100 (0x00000064) components
2012-10-16 22:04:15, Info CSI 00000181 [SR] Beginning Verify and Repair transaction
2012-10-16 22:04:25, Info CSI 00000183 [SR] Verify complete
2012-10-16 22:04:26, Info CSI 00000184 [SR] Verifying 100 (0x00000064) components
2012-10-16 22:04:26, Info CSI 00000185 [SR] Beginning Verify and Repair transaction
2012-10-16 22:04:36, Info CSI 00000188 [SR] Verify complete
2012-10-16 22:04:36, Info CSI 00000189 [SR] Verifying 100 (0x00000064) components
2012-10-16 22:04:36, Info CSI 0000018a [SR] Beginning Verify and Repair transaction
2012-10-16 22:04:43, Info CSI 0000018c [SR] Verify complete
2012-10-16 22:04:44, Info CSI 0000018d [SR] Verifying 100 (0x00000064) components
2012-10-16 22:04:44, Info CSI 0000018e [SR] Beginning Verify and Repair transaction
2012-10-16 22:04:49, Info CSI 00000190 [SR] Verify complete
2012-10-16 22:04:49, Info CSI 00000191 [SR] Verifying 100 (0x00000064) components
2012-10-16 22:04:49, Info CSI 00000192 [SR] Beginning Verify and Repair transaction
2012-10-16 22:04:56, Info CSI 00000194 [SR] Verify complete
2012-10-16 22:04:57, Info CSI 00000195 [SR] Verifying 100 (0x00000064) components
2012-10-16 22:04:57, Info CSI 00000196 [SR] Beginning Verify and Repair transaction
2012-10-16 22:05:04, Info CSI 0000019b [SR] Verify complete
2012-10-16 22:05:05, Info CSI 0000019c [SR] Verifying 100 (0x00000064) components
2012-10-16 22:05:05, Info CSI 0000019d [SR] Beginning Verify and Repair transaction
2012-10-16 22:05:11, Info CSI 0000019f [SR] Verify complete
2012-10-16 22:05:12, Info CSI 000001a0 [SR] Verifying 100 (0x00000064) components
2012-10-16 22:05:12, Info CSI 000001a1 [SR] Beginning Verify and Repair transaction
2012-10-16 22:05:20, Info CSI 000001a3 [SR] Verify complete
2012-10-16 22:05:21, Info CSI 000001a4 [SR] Verifying 100 (0x00000064) components
2012-10-16 22:05:21, Info CSI 000001a5 [SR] Beginning Verify and Repair transaction
2012-10-16 22:05:25, Info CSI 000001a7 [SR] Verify complete
2012-10-16 22:05:26, Info CSI 000001a8 [SR] Verifying 100 (0x00000064) components
2012-10-16 22:05:26, Info CSI 000001a9 [SR] Beginning Verify and Repair transaction
2012-10-16 22:05:31, Info CSI 000001ab [SR] Verify complete
2012-10-16 22:05:32, Info CSI 000001ac [SR] Verifying 100 (0x00000064) components
2012-10-16 22:05:32, Info CSI 000001ad [SR] Beginning Verify and Repair transaction
2012-10-16 22:05:38, Info CSI 000001af [SR] Verify complete
2012-10-16 22:05:39, Info CSI 000001b0 [SR] Verifying 100 (0x00000064) components
2012-10-16 22:05:39, Info CSI 000001b1 [SR] Beginning Verify and Repair transaction
2012-10-16 22:05:44, Info CSI 000001b3 [SR] Verify complete
2012-10-16 22:05:44, Info CSI 000001b4 [SR] Verifying 100 (0x00000064) components
2012-10-16 22:05:44, Info CSI 000001b5 [SR] Beginning Verify and Repair transaction
2012-10-16 22:05:49, Info CSI 000001b7 [SR] Verify complete
2012-10-16 22:05:50, Info CSI 000001b8 [SR] Verifying 100 (0x00000064) components
2012-10-16 22:05:50, Info CSI 000001b9 [SR] Beginning Verify and Repair transaction
2012-10-16 22:06:07, Info CSI 000001bb [SR] Verify complete
2012-10-16 22:06:08, Info CSI 000001bc [SR] Verifying 100 (0x00000064) components
2012-10-16 22:06:08, Info CSI 000001bd [SR] Beginning Verify and Repair transaction
2012-10-16 22:06:11, Info CSI 000001bf [SR] Verify complete
2012-10-16 22:06:12, Info CSI 000001c0 [SR] Verifying 100 (0x00000064) components
2012-10-16 22:06:12, Info CSI 000001c1 [SR] Beginning Verify and Repair transaction
2012-10-16 22:06:19, Info CSI 000001cc [SR] Verify complete
2012-10-16 22:06:20, Info CSI 000001cd [SR] Verifying 73 (0x00000049) components
2012-10-16 22:06:20, Info CSI 000001ce [SR] Beginning Verify and Repair transaction
2012-10-16 22:06:23, Info CSI 000001d0 [SR] Verify complete
2012-10-16 22:06:23, Info CSI 000001d1 [SR] Repairing 1 components
2012-10-16 22:06:23, Info CSI 000001d2 [SR] Beginning Verify and Repair transaction
2012-10-16 22:06:23, Info CSI 000001d4 [SR] Cannot repair member file [l:24{12}]"settings.ini" of Microsoft-Windows-Sidebar, Version = 6.0.6002.18005, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2012-10-16 22:06:23, Info CSI 000001d6 [SR] Cannot repair member file [l:24{12}]"settings.ini" of Microsoft-Windows-Sidebar, Version = 6.0.6002.18005, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2012-10-16 22:06:23, Info CSI 000001d7 [SR] This component was referenced by [l:158{79}]"Package_16_for_KB948465~31bf3856ad364e35~x86~~6.0.1.18005.948465-49_neutral_GDR"
2012-10-16 22:06:23, Info CSI 000001d9 [SR] Repair complete
2012-10-16 22:06:23, Info CSI 000001da [SR] Committing transaction
2012-10-16 22:06:24, Info CSI 000001de [SR] Verify and Repair Transaction completed. All files and registry keys listed in this transaction have been successfully repaired
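
The findstr one-liner from post #19 only extracts the [SR] lines; the output above is still mostly "Verifying 100 components" noise with the real finding buried near the end and logged twice. The following Python is an added example, not the forum's, Microsoft's or OTL's code. It reduces an sfcdetails.txt to counts plus the unique files SFC could not repair, attaches the "referenced by" package to each, and ranks them with a heuristic that is this example's own rather than an SFC rule: a hash mismatch on a file that executes (.dll, .exe, .sys and the like) is an integrity finding to investigate, while a mismatch on a data or config file such as the Sidebar's settings.ini is the usual benign case. The embedded sample is constructed: the settings.ini lines are copied from the log above, and the kernel32.dll line (with a hypothetical component name) is invented to show how the other kind of result would be reported.

```python
import re
from dataclasses import dataclass, field

# Constructed sfcdetails.txt excerpt. The settings.ini lines are copied from the log
# above; the kernel32.dll line is INVENTED here (hypothetical component name) to show
# how a mismatch on a system binary would be reported. It did not occur on this machine.
SAMPLE_SFCDETAILS = """\
2012-10-16 22:03:56, Info CSI 00000173 [SR] Verifying 100 (0x00000064) components
2012-10-16 22:03:56, Info CSI 00000174 [SR] Beginning Verify and Repair transaction
2012-10-16 22:04:02, Info CSI 00000176 [SR] Cannot repair member file [l:24{12}]"settings.ini" of Microsoft-Windows-Sidebar, Version = 6.0.6002.18005, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2012-10-16 22:04:03, Info CSI 00000178 [SR] Cannot repair member file [l:24{12}]"settings.ini" of Microsoft-Windows-Sidebar, Version = 6.0.6002.18005, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2012-10-16 22:04:03, Info CSI 00000179 [SR] This component was referenced by [l:158{79}]"Package_16_for_KB948465~31bf3856ad364e35~x86~~6.0.1.18005.948465-49_neutral_GDR"
2012-10-16 22:04:07, Info CSI 0000017b [SR] Verify complete
2012-10-16 22:06:20, Info CSI 000001cd [SR] Verifying 73 (0x00000049) components
2012-10-16 22:06:23, Info CSI 000001d1 [SR] Repairing 1 components
2012-10-16 22:06:23, Info CSI 000001d4 [SR] Cannot repair member file [l:24{12}]"kernel32.dll" of Microsoft-Windows-Kernel32, Version = 6.0.6002.18449, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2012-10-16 22:06:24, Info CSI 000001de [SR] Verify and Repair Transaction completed. All files and registry keys listed in this transaction have been successfully repaired
"""

SR_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\s+Info\s+CSI\s+(?P<seq>[0-9a-f]+)\s+\[SR\]\s+(?P<msg>.*)$"
)
VERIFYING = re.compile(r"^Verifying (\d+) \(0x[0-9a-fA-F]+\) components$")
REPAIRING = re.compile(r"^Repairing (\d+) components$")
CANNOT_REPAIR = re.compile(
    r'^Cannot repair member file \[l:\d+\{\d+\}\]"(?P<file>[^"]+)" of (?P<component>[^,]+),'
    r" Version = (?P<version>[^,]+),.*?in the store, (?P<reason>.+)$"
)
REFERENCED_BY = re.compile(r'^This component was referenced by \[l:\d+\{\d+\}\]"(?P<package>[^"]+)"$')

# Heuristic of this example (not an SFC rule): a hash mismatch on a file that executes
# deserves an integrity investigation; on a data/config file it is usually Windows
# itself having rewritten the file after the package was staged.
CODE_EXTENSIONS = {".dll", ".exe", ".sys", ".ocx", ".drv", ".cpl"}


@dataclass
class Finding:
    file: str
    component: str
    version: str
    reason: str
    first_seen: str
    referenced_by: list = field(default_factory=list)
    occurrences: int = 0

    @property
    def severity(self):
        ext = ("." + self.file.rsplit(".", 1)[-1].lower()) if "." in self.file else ""
        return "high" if ext in CODE_EXTENSIONS else "low"


def summarize_sfc(sfcdetails_text):
    """Reduce the [SR] lines of CBS.log (the findstr output) to counts plus unique findings."""
    verified = repair_attempts = 0
    completed = False
    findings = {}
    last = None  # most recent Finding, so a 'referenced by' line can be attached to it
    for raw in sfcdetails_text.splitlines():
        m = SR_LINE.match(raw.strip())
        if not m:
            continue  # not an [SR] line; findstr normally drops these already
        ts, msg = m.group("ts"), m.group("msg")
        if (v := VERIFYING.match(msg)):
            verified += int(v.group(1))
        elif (r := REPAIRING.match(msg)):
            repair_attempts += int(r.group(1))
        elif (c := CANNOT_REPAIR.match(msg)):
            key = (c["file"], c["component"], c["version"])
            f = findings.setdefault(key, Finding(c["file"], c["component"], c["version"], c["reason"], ts))
            f.occurrences += 1  # SFC logs the same unrepairable file once per pass
            last = f
        elif (ref := REFERENCED_BY.match(msg)) and last is not None:
            if ref["package"] not in last.referenced_by:
                last.referenced_by.append(ref["package"])
        elif msg.startswith("Verify and Repair Transaction completed"):
            completed = True
    return {
        "components_verified": verified,
        "repair_attempts": repair_attempts,
        "transaction_completed": completed,
        # code files first, then alphabetical
        "findings": sorted(findings.values(), key=lambda f: (f.severity != "high", f.file)),
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. python summarize_sfc.py C:\sfcdetails.txt
        with open(sys.argv[1], encoding="utf-8-sig", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_SFCDETAILS
    report = summarize_sfc(text)
    print(f"verified {report['components_verified']} components, {report['repair_attempts']} repair attempt(s), "
          f"transaction completed: {report['transaction_completed']}")
    for f in report["findings"]:
        print(f"[{f.severity}] {f.file} ({f.component} {f.version}): {f.reason}, seen x{f.occurrences}, "
              f"referenced by {', '.join(f.referenced_by) or 'n/a'}")
```

Run against the real sfcdetails.txt from this thread it reports a single low-severity finding: settings.ini of Microsoft-Windows-Sidebar, hash mismatch, seen twice, referenced by the KB948465 package, which matches Dakeyras's reading that no action is needed. It also makes the negative result explicit: kernel32.dll, the module named in the crash event earlier in the thread, was not among the files SFC could not verify.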

#21 Dakeyras (Anti-Malware Mammoth, Expert, 9,773 posts)
Hi. :)

All worked - only 28kb in size

Fair play, now according to my research that output is fine and no further action is required. Basically this appears to be a common problem with the Vista operating system...

I myself, however, think that just to err on the side of caution we should perform one more task. So please carry out the below as follows...

Vista Startup Repair:

  • Bootup your computer from the Vista DVD.
  • If not sure how to, a very good tutorial can be read here
  • You will have to answer a few basic questions then select the option Repair your computer
  • At the System Recovery Options screen click Windows Vista to highlight, then Next>
  • You should now see the Searching for Problems...
  • Note: If given the option to Perform a System Restore, do not select and cancel the option.
  • If problems found let Startup Repair complete and follow the prompts.
Or you can launch Vista Startup Repair via this methodology:-

  • Re-boot(restart) the machine and during the POST(Power On Self Test) sequence continually depress Function Key 8(F8) to bring up the Advanced Boot Options screen.
  • Use the arrow keys to scroll down and select Repair your computer and depress the Enter/Return key.
  • You will have to answer a few basic questions then select the option Repair your computer
  • At the System Recovery Options screen click Windows Vista to highlight, then Next>
  • You should now see the Searching for Problems...
  • Note: If given the option to Perform a System Restore, do not select and cancel the option.
  • If problems found let Startup Repair complete and follow the prompts.
Next:

Try OTL again; if it is still a problem, I suspect your machine just does not like the software. It happens, and I have encountered similar in the past. In all probability I could never really pinpoint what that issue is, but the main thing is your machine appears to be malware free...

Anyway let myself know when completed the above and if any further issues and or problems encountered, thank you.
  • 0

#22
UnderSiege

UnderSiege

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 104 posts
Hi, :)

Or you can launch Vista Startup Repair via this methodology:-


Startup Repair run and received the following dialogue box:

"Startup Repair could not detect a problem "

There was a Start Up Repair and Diagnosis log, but no indication where it might be saved. So..............

After rebooting I typed "Startup" in the Search box on the Start Menu Panel and this led me to a file "startup.txt" which I opened in Notepad and is posted below:

No HKCU:Run ehTray.exe C:\Windows\ehome\ehTray.exe
No HKCU:Run EPSON PX710W Series C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIFSE.EXE /FU "C:\Windows\TEMP\E_S2937.tmp" /EF "HKCU"
No HKCU:Run Shockwave Updater C:\Windows\system32\Adobe\Shockwave 11\SwHelper_1150600.exe -Update -1150600 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; GTB6.5; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729)" -"http://www.bbc.co.uk...e/garden2.shtml"
No HKCU:Run swg "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
No HKCU:Run TomTomHOME.exe "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
No HKCU:Run WMPNSCFG C:\Program Files\Windows Media Player\WMPNSCFG.exe
Yes HKLM:Run eRecoveryService
Yes HKLM:Run avast "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
No HKLM:Run Adobe ARM "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
No HKLM:Run Adobe Photo Downloader "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
No HKLM:Run Adobe Reader Speed Launcher "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
No HKLM:Run BCSSync "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
No HKLM:Run btbb_McciTrayApp "C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe"
No HKLM:Run EEventManager C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
No HKLM:Run HTC Sync "C:\Program Files\HTC\HTC Sync for BrewMP\AutoDetect.exe"
No HKLM:Run LogitechQuickCamRibbon "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
No HKLM:Run MMReminderService C:\Program Files\Mindjet\MindManager 10\MMReminderService.exe
No HKLM:Run NvCplDaemon RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
No HKLM:Run NvMediaCenter RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
No HKLM:Run RemoteControl11 "C:\Program Files\CyberLink\PowerDVD11\PDVD11Serv.exe"
No HKLM:Run RtHDVCpl RtHDVCpl.exe
No HKLM:Run SearchSettings "C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe"
No HKLM:Run Skytel Skytel.exe
No HKLM:Run SmpcSys C:\Program Files\Packard Bell\SetupMyPC\SmpSys.exe
No HKLM:Run SunJavaUpdateSched "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
No HKLM:Run tsnp2std C:\Windows\tsnp2std.exe
No HKLM:Run Windows Defender %ProgramFiles%\Windows Defender\MSASCui.exe -hide
No Startup User Logitech . Product Registration.lnk C:\PROGRA~1\Logitech\LOGITE~1\eReg.exe /remind /language=ENG /_WFM="."


I appreciate this is not the Startup Repair and Diagnostic log, but rather a list of startup commands and their status. What intrigued me was the line: No HKLM:Run SunJavaUpdateSched "C:\Program Files\Common Files\Java\Java Update\jusched.exe". On exploring the C:\ drive, I find a Java Update folder with files. Of course, I only looked in the Program list in Control Panel and did not think to search more widely. Am I clear to delete C:\Program Files\Common Files\Java and all its sub-folders?


Try OTL again; if it is still a problem, I suspect your machine just does not like the software. It happens, and I have encountered similar in the past. In all probability I could never really pinpoint what that issue is, but the main thing is your machine appears to be malware free...


Yes - on the balance of probabilities, OTL just seems to be incompatible with my machine and system. As you say, the important thing is to be free of malware.
  • 0
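As an added example (not from the thread or from any tool in it), here is a small Python parser for the startup.txt format posted above: status (Yes/No), location, entry name and command. Entry names can contain spaces, so the name is split from the command at the first quoted path, drive path, environment variable or rundll32 invocation. The triage report lists which entries are enabled and which ones carry no absolute path to their executable; those are simply the ones to verify first when reviewing a machine, because what actually runs for them depends on the search path. The sample is a constructed excerpt of the list above; the function names are the example's own.

```python
import re

# Constructed excerpt of the startup.txt list posted above: status, location,
# entry name, command. The lines are copied from the post, only the set is reduced.
SAMPLE_STARTUP = r"""
No HKCU:Run ehTray.exe C:\Windows\ehome\ehTray.exe
No HKCU:Run EPSON PX710W Series C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIFSE.EXE /FU "C:\Windows\TEMP\E_S2937.tmp" /EF "HKCU"
Yes HKLM:Run eRecoveryService
Yes HKLM:Run avast "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
No HKLM:Run NvCplDaemon RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
No HKLM:Run RtHDVCpl RtHDVCpl.exe
No HKLM:Run SunJavaUpdateSched "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
No HKLM:Run Windows Defender %ProgramFiles%\Windows Defender\MSASCui.exe -hide
No Startup User Logitech . Product Registration.lnk C:\PROGRA~1\Logitech\LOGITE~1\eReg.exe /remind /language=ENG /_WFM="."
"""

ENTRY = re.compile(r"^(?P<status>Yes|No)\s+(?P<location>HKCU:Run|HKLM:Run|Startup User)\s+(?P<rest>.*)$")
# Where the command begins: a quoted path, a drive path, an environment variable or rundll32.
CMD_START = re.compile(r'\s(?="|[A-Za-z]:\\|%[A-Za-z]+%|RUNDLL32\.EXE\b)', re.IGNORECASE)
# The executable part of a command, quoted or not, up to the first known extension.
EXE = re.compile(r'^"?(?P<exe>[^"]*?\.(?:exe|com|scr|bat))(?="|\s|$)', re.IGNORECASE)
ABSOLUTE = re.compile(r"^(?:[A-Za-z]:\\|%[A-Za-z]+%\\)")


def split_entry(rest):
    """Split 'name command' where the name itself may contain spaces."""
    m = CMD_START.search(rest)
    if m:
        return rest[:m.start()], rest[m.end():]
    tokens = rest.split()
    # Bare 'Name Name.exe' form (no path at all), e.g. 'RtHDVCpl RtHDVCpl.exe'.
    if len(tokens) > 1 and re.search(r"\.exe$", tokens[-1], re.IGNORECASE):
        return " ".join(tokens[:-1]), tokens[-1]
    return rest, ""  # entry with no command recorded


def parse_startup(text):
    """Return one dict per entry: enabled, location, name, command, exe, absolute."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        name, command = split_entry(m["rest"])
        e = EXE.match(command)
        exe = e["exe"] if e else ""
        entries.append({
            "enabled": m["status"] == "Yes",
            "location": m["location"],
            "name": name,
            "command": command,
            "exe": exe,
            "absolute": bool(ABSOLUTE.match(exe)),
        })
    return entries


def triage(text):
    """Names of enabled entries, and of entries whose executable has no absolute path."""
    entries = parse_startup(text)
    return {
        "enabled": [e["name"] for e in entries if e["enabled"]],
        "unresolved": [e["name"] for e in entries if not e["absolute"]],
    }


if __name__ == "__main__":
    for e in parse_startup(SAMPLE_STARTUP):
        flag = "ON " if e["enabled"] else "off"
        print(f"{flag} {e['location']:<13} {e['name']:<36} {e['exe'] or '(no command)'}")
    print(triage(SAMPLE_STARTUP))
```

On the excerpt, the two enabled entries are eRecoveryService and avast, and the unresolved ones are eRecoveryService (no command recorded), NvCplDaemon (rundll32 by bare name) and RtHDVCpl (bare filename); none of that is evidence of anything on its own, it is the short list a reviewer checks against the files actually on disk, which is exactly the question the post above asks about the leftover Java folder.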

#23
godawgs

godawgs

    Teacher

  • Retired Staff
  • 8,228 posts
Hi UnderSiege, :wave:

My name is godawgs. Dakeyras will be away for the next few days attending to a personal matter and he asked me to express his apologies and cover this log for him.

I see that you are almost done. Your system is malware free and I just need to answer your last question and then we can clean up the tools that have been used.

...What intrigued me was the line: No HKLM:Run SunJavaUpdateSched "C:\Program Files\Common Files\Java\Java Update\jusched.exe". On exploring the C:\ drive, I find a Java Update folder with files. Of course, I only looked in the Program list in Control Panel and did not think to search more widely. Am I clear to delete C:\Program Files\Common Files\Java and all its sub-folders?

I see in an earlier post that you uninstalled Java. If that is the case you can delete the C:\Program Files\Common Files\Java folder and all of its sub-folders. You can also delete the following if present:
C:\Program Files\Java
C:\Program Files\Oracle
C:\Program Data\Sun

Yes - on the balance of probabilities, OTL just seems to be incompatible with my machine and system.

Not all tools will run on all systems. But I have seen instances when only a certain part of the OTL scan causes the tool not to run. This is really just for my own information but I would appreciate it if you would try this:

Step-1.

Posted Image OTL Scan

Please re-open OTL
  • Double click the Posted Image on your desktop. Vista /7 users right click and click Run as Administrator. Make sure all other windows are closed.
  • You will see a console like the one below:


    NOTE: The image shows the Scan All Users and Include 64bit Scans boxes checked, but DO NOT check them.
  • Make sure the Output box at the top is set to Standard Output.
  • In the Drivers section click the radio button beside None.<---Important
  • Click the box beside LOP Check and Purity Check
  • Click the Posted Image button. Do not change any settings unless otherwise told to do so.
  • Let the scan run uninterrupted.
  • When the scan completes, it will open two notepad windows, OTL.Txt will be on the desktop and Extras.Txt will be minimized. These are saved in the same location as OTL.
  • Please copy the contents of these files, one at a time, and paste them into your reply. To do that:
  • On the .txt file Menu Bar click Edit then click Select All. This will highlight the contents of the file. Then click Copy.
  • Right-click inside the forum post window then click Paste. This will paste the contents of the .txt file into the post window.

If OTL ran, please post the OTL.txt log and the Extras.txt log. If it didn't run just let me know. Either way I will be back with cleanup instructions.

Thanks
  • 0

#24
UnderSiege

UnderSiege

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 104 posts
Hi godawgs :)

Dakeyras will be away for the next few days attending to a personal matter and he asked me to express his apologies and cover this log for him.

Many thanks for stepping in to cover for Dakeyras. I have sent him a PM to thank him for his help.


If that is the case you can delete the C:\Program Files\Common Files\Java folder and all of its sub-folders. You can also delete the following if present:
C:\Program Files\Java
C:\Program Files\Oracle
C:\Program Data\Sun

Folders deleted thanks.


If OTL ran, please post the OTL.txt log and the Extras.txt log. If it didn't run just let me know

I'm afraid none of the OTL versions ran.


Either way I will be back with cleanup instructions

Thanks - my desktop is looking fairly cluttered

Undersiege
  • 0

#25
godawgs

godawgs

    Teacher

  • Retired Staff
  • 8,228 posts
Hello again,

Many thanks for stepping in to cover for Dakeyras. I have sent him a PM to thank him for his help.

You are welcome and I'm sure Dakeyras will appreciate the PM.

I'm afraid none of the OTL versions ran.

Oh well, we tried.


OK! Well done. :thumbsup: Here is the best part of the process! The mullygrubs are gone! That's a technical term for your log(s) appear to be clean! If you have no further issues with your computer, please proceed with the housekeeping procedures outlined below.
The first thing we need to do is to remove all the tools that we have used. This is so that should you ever be re-infected, you will download updated versions.

Step-1.

Uninstall ESET

If you didn't uninstall the ESET scanner after it ran, please follow the instructions below:

1. Please click the Start Orb, click Control Panel. Under the Programs heading click Uninstall a program
2. In the list of programs installed, locate the following program(s):

ESET online Scanner

3. Click on each program to highlight it and click Change/Remove. (Vista/7 users: right click the program and click Uninstall)
4. After the programs have been uninstalled, close the Installed Programs window and the Control Panel.
5. Reboot the computer.

Delete the folders associated with the uninstalled programs.(Only do this if you uninstalled the program)

1. Using Windows Explorer (to get there right-click your Start button and click "Explore"), please delete the following folder(s) (if present):

C:\Program Files\ESET

2. Close Windows Explorer.

Step-2.

Uninstall ComboFix
  • Hold down the Windows key + R on your keyboard. This will display the Run dialogue box.
  • In the Run box, type in ComboFix /Uninstall (Notice the space between the "x" and "/") then click OK

  • Follow the prompts on the screen.
  • A message should appear confirming that ComboFix was uninstalled
Step-3.

Uninstall AdwCleaner

Re-open AdwCleaner
  • Click the Uninstall button
  • Confirm with yes

Step-4.

Delete the following Files and Folders:

OTL.exe, OTL.com, OTL.scr and any other OTL files
DDS.scr
DSS.txt
Attach.txt
aswMBR.exe
aswMBR.txt
MBR.dat
CFScript.txt
C:\sfcdetails.txt


Delete any other .bat, .log, .reg, .txt, and any other files created during this process, and left on the desktop and empty the Recycle Bin.

Step-5.

Clear Cache/Temp Files
Posted Image Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista or W7, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a few minutes. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
Step-6.

Make a Fresh Restore Point, Clear the Old Restore Points, and Re-enable System Restore

The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected, but that's good news).

Note: Do not clear infected/old System Restore points before creating a new System Restore point first!

For Vista and Windows 7:
  • Click the Start Orb. Click Control Panel. Click System and Maintenance
  • Click System
  • In the left column under Tasks, click Advance System Settings and accept the warning if you get one
  • Click the System Protection Tab
  • In the Available Disks box put a check mark in the box next to OS (?:) (System). Your drive letter will be shown in place of the ?

    Note: It may take some time for the system to populate the Available Disks box, so be patient.
  • Click the Create button at the bottom
  • Type in a name for the restore point, i.e: Clean
  • Click Create
  • A small System Protection window will come up telling you a Restore Point is being created.
  • Another System Protection window will come up telling you the Restore Point has been created, click OK
  • Click OK again.
  • Close the Control Panel
Now we can purge the old Restore Points
  • Click Start(Windows 7 Orb), click Run (or press the Windows key and R together) to bring up the Run box.
  • Copy and Paste the following in the Run box:
    cleanmgr
  • Click OK
    A Disk Cleanup Options popup will open
  • Click Files from all users on this computer
    A Drive Selection popup will open
    NOTE: You will not see this window unless you have more than one drive or partition on your computer.
    If you chose Files from all users on this computer above, then click on Continue for UAC prompt.
  • Select the system drive, C:\ and click OK.
  • For a few moments the system will make some calculations
  • The Disk Cleanup Window will open:
  • Click the More Options tab.
  • Click the Clean up button under the System Restore and Shadow Copies section. (See screenshot below)
  • In the Disk Cleanup dialog box, click Delete (See screenshot below).
  • You will get a Disk Cleanup confirmation (See screenshot below)
  • Click Delete Files, and then click OK.
Step-7.

Reset Hidden Files and Folders

For Vista and Windows 7
1. Click Start, click Control Panel.
2. Click Folder Options.... NOTE: If you are in the Category view, click Appearance, then Folder Options
3. On the Folder Options window click the View tab.
4. In the Advanced settings: box, Under Hidden files and folders, click the Do not show hidden files and folders button.
5. Click the Hide protected operating system files (Recommended) box.
6. Click Apply and then OK


Preventing Re-Infection


Below, I have included a number of recommendations for how to protect your computer against future malware infections.

:Keep Windows Updated:- Windows Updates are constantly being revised to combat the newest hacks and threats; Microsoft releases security updates that help keep your computer from becoming vulnerable. It is best if you have these set to download automatically.

Vista and Windows 7 Users:
1. Click Start> All Programs, from the list find Windows Update and click it.

:Turn On Automatic Updates:

Vista and Windows 7
1. Click Start> Control Panel. Click Security. Under Windows Update, Click Turn automatic on or off.
2. On the next page, under Important Updates, Click the Drop down arrow on the right side of the box and Click Install Updates Automatically(recommended).
If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your task bar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

: Keep Adobe Reader Updated :
  • Open Adobe Reader
  • Click Help on the menu at the top
  • Click Check for Updates
  • Allow any updates to be downloaded and installed
NOTE: Whether you use Adobe Reader, Acrobat or Foxit Reader to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Click Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. Click OK Close program. It's the same for Foxit Reader except Preferences is under the Tools menu, and you uncheck Enable Javascript Actions.

:Web Browsers:

:Make your Internet Explorer more secure:
1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click once on the Security tab
3. Click once on the Internet icon so it becomes highlighted.
4. Click once on the Custom Level button.
5. Change the Download signed ActiveX controls to "Prompt"
6. Change the Download unsigned ActiveX controls to "Disable"
7. Change the Initialise and script ActiveX controls not marked as safe to "Disable"
8. Change the Installation of desktop items to "Prompt"
9. Change the Launching programs and files in an IFRAME to "Prompt"
10. When all these settings have been made, click on the OK button.
11. If it prompts you as to whether or not you want to save the settings, click the Yes button.
12. Next press the Apply button and then the OK to exit the Internet Properties page.

:Alternate Browsers:

If you use Firefox, I highly recommend these add-ons to keep your PC even more secure.
  • NoScript - for blocking ads and other potential website attacks
  • WebOfTrust - a safe surfing tool for your browser. Traffic-light rating symbols show which websites you can trust when you search, shop and surf on the Web.
  • McAfee SiteAdvisor - this tells you whether the sites you are about to visit are safe or not. A must if you do a lot of Googling
:Install the MVPS Hosts File: (Only needed for Firefox)
  • MVPS Hosts file-replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

Preventative programs that will help to keep the nasties away! We will start with Anti Spyware programs. I would advise getting a couple of them at least, and running a full scan at least once a month. Run Quick Scans at least once a week. Download the Free versions. And update the definitions before running scans.

========Anti Spyware========
  • Malwarebytes-Free Version- a powerful tool to search for and eliminate malware found on your computer.(You may already have this)
  • SUPERAntiSpyware Free Edition-another scanning tool to find and eliminate malware.
  • SpywareBlaster-to help prevent spyware from installing in the first place. A tutorial can be found here.
  • SpywareGuard-to catch and block spyware before it can execute. A tutorial can be found here.
  • WinPatrol - will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. Help file and tutorial can be found here.


It's a good idea to clear out all your temp files every now and again. This will help your computer from bogging down and slowing. It also can assist in getting rid of files that may contain malicious code that could re-infect your computer.

========TEMP File Cleaners========
  • TFC by OldTimer-A very powerful cleaning program for 32 and 64 bit OS. Note: You may have this already as part of the fixes you have run.
  • CleanUP-Click the Download CleanUP! link. There is also a Learn how to use CleanUP! link on this page.
:BACKUPS:
  • Keep a backup of your important files.-Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  • ERUNT-(Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
:Keep Installed Programs Up to Date:

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. Download and install the program and run it monthly:
Filehippo Update Checker

Finally, please read How did I Get Infected in the First Place(by Mr. Tony Klein and dvk01)

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For 24 hours or so. If Anything Comes Up - Just Come Back And Let Me Know

Stay Safe :wave:
godawgs
  • 0
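The hosts file advice above (block-list entries pointing ad and malware domains at 127.0.0.1) has a defensive counterpart: the same file is also a place malware edits, pointing update or security-vendor hostnames at an address of its own choosing, which is why removal tools report hosts entries. As an added example, not from the thread or from the MVPS project, this Python reads a hosts file and keeps the entries that go to a sinkhole address (127.0.0.1, 0.0.0.0, ::1) separate from those that redirect a name to a real address; the second list is the one to read line by line when reviewing a machine. On Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts. The sample content is constructed, including the 198.51.100.23 redirect (a TEST-NET-2 documentation address); the function names are the example's own.

```python
import ipaddress
import sys

# Addresses a block list such as MVPS uses to sinkhole a name; anything else is a real redirect.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that legitimately map to loopback and should not be reported as "blocked".
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample hosts file: the default loopback lines, a few block-list style
# entries, and one redirect of the kind a tampered hosts file contains.
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
::1             localhost
# block-list style entries
127.0.0.1  ads.example.net
127.0.0.1  tracker.example.org   # trailing comment
0.0.0.0    banner.example.com
# constructed redirect to a TEST-NET-2 documentation address
198.51.100.23  www.update.example.com update.example.com
"""


def parse_hosts(text):
    """Return (address, hostname) pairs, ignoring blank lines, comments and malformed lines.
    Addresses are normalised through ipaddress so '::1' and '0:0:0:0:0:0:0:1' compare equal."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an address: skip rather than guess
        for name in fields[1:]:
            pairs.append((addr, name.lower()))
    return pairs


def audit_hosts(text):
    """Split entries into names sinkholed to loopback/null and names redirected elsewhere."""
    sinkholed, redirected = [], []
    for addr, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        if addr in SINKHOLES:
            sinkholed.append(name)
        else:
            redirected.append((name, addr))
    return {"sinkholed": sinkholed, "redirected": redirected}


if __name__ == "__main__":
    # Usage: python hosts_audit.py [path-to-hosts-file]; without a path the sample is used.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    report = audit_hosts(text)
    print(f"{len(report['sinkholed'])} names sinkholed (block list)")
    for name, addr in report["redirected"]:
        print(f"REVIEW: {name} -> {addr}")
```

A large block list produces thousands of sinkholed names and that is expected; the redirected list on a healthy machine should be empty or contain only entries the owner put there (a LAN name, a test server).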



#26
UnderSiege

UnderSiege

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 104 posts
Hi :)



Uninstall ComboFix

I think I should have disabled Avast Antivirus and Zone Alarms before I ran the uninstaller. Zone Alarms kept alerting to "Suspicious behaviour" from many different executions during the uninstall process, and IE got stuck in a close/re-open loop. Anyway, eventually got myself sorted out.


Clear Cache/Temp Files


TFC got its knickers in a twist as well, and I had to use Task Manager (Ctrl-Alt-Del) to sort it all out. But got there in the end and no harm done.


Other than these 2 small hiccups, everything else went smoothly and my machine is running much faster! The advice about preventing infections is really very helpful.

I am happy for you to sign this thread off, but before I go, I would like to say that, yet again, Geeks to Go has been fantastic. You guys give of your time and trouble, without seeking recompense, so that the rest of us can use the Internet as it should be used.

Edmund Burke said "All that is necessary for evil to triumph is for good men to do nothing". Well, you guys are doing something, and it's something you can be proud of.

Best wishes and Good luck

Undersiege
  • 0

#27
godawgs

godawgs

    Teacher

  • Retired Staff
  • 8,228 posts
Hi UnderSiege,

I'm glad you got the hiccups sorted. You must have one of those machines....I've never run into a problem with ComboFix uninstalling. Usually the problem comes with it not running on some machines.
Same thing with TFC. It usually runs with no problems. The only problem I have seen/read about with it is sometimes it hangs during the reboot. It may just have been that it was the first time it was used on this machine. I would run it again in a week or so and if the problem happens again you can delete the program if you wish to.

With all of the researching and file downloading we do you can imagine how often we need to clean the temp files on our computers. I use TFC on an XP and Vista machine almost every other day and have never had a problem.

I am happy for you to sign this thread off, but before I go, I would like to say that, yet again, Geeks to Go has been fantastic. You guys give of your time and trouble, without seeking recompense, so that the rest of us can use the Internet as it should be used.

Edmund Burke said "All that is necessary for evil to triumph is for good men to do nothing". Well, you guys are doing something, and it's something you can be proud of.

Best wishes and Good luck

You're very welcome. On behalf of the G2G staff, thank you for the kind words. If you ever need us again just give us a shout. :)
  • 0

#28
godawgs

godawgs

    Teacher

  • Retired Staff
  • 8,228 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





