0

It's up to you. You've been great for helping me and I will continue to follow your instructions. I'm happy either way now that my wife's pics won't be lost.

Fastest and easiest and most effective thing to do is to reinstall Windows. 'Course, you'll lose everything (programs, etc.) and will need to get updated/patched immediately.

-- Do you have your Windows Disk?

-- Give me a day or so to go back over the thread and get caught up. There have been some advances in fighting this particular malware since you last posted and we can try them and see how it shakes out.

PP :)

0

Ok. I will look for the disk and check back on here tomorrow.

0

Ok. I will look for the disk and check back on here tomorrow.

OK - That's probably best. If no disk, then I think the choice will be pretty obvious :)

0

So far I haven't had any luck finding the original one that came with that computer. The computer is Compaq but I have found the Windows XP Home SP1 Operating System CD that came with my HP notebook... would that work by chance? I also have a bare/very light version of Windows XP that I put on disk from when I upgraded this old laptop from Win98 to XP... I don't think I will be able to find the original though.

0

The computer is Compaq but I have found the Windows XP Home SP1 Operating System CD that came with my HP notebook... would that work by chance?

No - because of the licensing issues and M$ Windows Genuine Advantage, you'd not be able to get the critical updates and patches that are the first line of defense against infections such as this one.

You ought to be able to buy a new Windows XP SP3 OS disk for $10-$15.

Or, we can take another whack at cleaning this thing.

PP:)

0

Let's take another whack at it.

Where would I get the OS disk for that price though? I'm sure I will need it eventually.

Edited by adub: n/a

1

Let's take another whack at it.

Where would I get the OS disk for that price though? I'm sure I will need it eventually.

Well . . . That estimation was probably a bit low. I haven't priced XP recently, but I'd imagine you'll find it for significantly less than Vista or 7.

-- Let's have another try with MBAM.
Download a new version and transfer it to ill machine.
-- Also, download RKILL by Grinler. Download all four of these and place them on ill compy:
http://download.bleepingcomputer.com/grinler/rkill.pif
http://download.bleepingcomputer.com/grinler/rkill.scr
http://download.bleepingcomputer.com/grinler/rkill.com
http://download.bleepingcomputer.com/grinler/rkill.exe

First, run RKILL. You only need to run it once. If it runs successfully, a black screen will appear and then disappear.
If one doesn't run, try the next and so on.

Once RKILL runs, immediately start MBAM and do the quick scan. Remove what it finds and post the log.

Let me know how you fare.

PP:)

Votes + Comments
I need popcorn, the suspense is making me so hungry :)
0

Ok I put all of this on the flash drive and went in to the cmd prompt and XCOPY all of them to my desktop. I ran the MS DOS icon rKill and the black window popped up saying something about removing malware. All of the shortcuts went away from the desktop for a min then they all came up again. As soon as they came up I immediately started the MBAM setup... when it was setting up the error 272 started popping up... then when I tried to run the actual scan after setup I received the 272 hour just like before.

I got MBam From malwarebytes.com this time.

Edited by adub: n/a

0

As soon as they came up I immediately started the MBAM setup... when it was setting up the error 272 started popping up... then when I tried to run the actual scan after setup I received the 272 hour just like before. . . .

OK - let's try whacking at this with a different tool:

Please Download Kaspersky's AVP Tool

-- Move AVP Tool to the Desktop of the ill computer.
-- Please boot to Safe Mode (tap F8 at reboot - Do Not use msconfig!)

Once in Safe Mode:
-- DoubleClick the AVP Tool setup file to run it.
Follow the prompts and it should install to your Desktop Folder
-- If you get a prompt for scanning in Safe Mode, click OK.
-- AVP Tool will open. Please select the Automatic Scan Tab
Be sure the following boxes are checked:
• System Memory
• Startup Objects
• Disk Boot Sectors.
• My Computer.
• All other drives

-- Please click the Scan Button.
AVP Tool should Neutralize any objects it finds. If some are left un-neutralized, Click the Neutralize All button.
Note: If an object cannot be neutralized, select DELETE at the prompt.

When finished, please click the Reports Button and save the log where you can find it easily. Please post that for me.
Also, let me know if you ran into any problems with these steps.
Note: AVP Tool should "self-uninstall," so be sure to save the log before closing the program.

PP:)

Edited by PhilliePhan: Nothing Important

0

I put it on my desktop then restarted the system in safe mode. When I restarted it asked me if I wanted to log in as administrator or compaq administrator. I chose administrator. When it loaded up the desktop the program wasn't on it. I'm trying to log in as compaq admin now to see if it's on there.

EDIT: all the files are on Compaq admin. Files are extracting now.
Scan is actually scanning... it looks like it's going to take quite a while... but at least this one is actually working :)

Edited by adub: n/a

0

It says start time: 11/18/2009 8:07 PM

Finish Time: 11/21/2009 3:27 PM

lol

1

It says start time: 11/18/2009 8:07 PM
Finish Time: 11/21/2009 3:27 PM
lol

Good grief!

Please run the AVP Tool again.
-- Click the Manual Cure Tab
-- Click the Collect system information Button and let it run
-- When it finishes, it will say Completed. Report saved to LOG\avptool_syscheck.zip

Please save the log and post it for me.

PP:)

0

The other scan is 50% complete and has been running for 16ish hrs...you want me to stop it to run another scan? or run this one at the same time?

Edit: so far it has detected 36 virus/malware.

Edited by adub: n/a

0

The other scan is 50% complete and has been running for 16ish hrs...you want me to stop it to run another scan? or run this one at the same time?

Edit: so far it has detected 36 virus/malware.

My bad - I didn't process that last post properly....

Let's definitely allow AVP Tool to finish this current scan and neutralize/delete the baddies.

Keep me posted on the progress.

PP:)

0

Ok. Well right now it's at 54% and has been running for almost 24hrs. I think it will be done tomorrow right around the time I get home from work.

Still 36 detected threats.

Edited by adub: n/a

0

Ok. Well right now it's at 54% and has been running for almost 24hrs. I think it will be done tomorrow right around the time I get home from work.

Still 36 detected threats.

OK . . . I guess it's in no hurry . . . I've never seen that before. LOL!

I really hope it gives us some good progress.

No rush. No worries. I'll be around.

PP:)

0

Ok thanks again. I guess tonight I will look around the site and figure out how to keep this from happening again.

0

Ok thanks again. I guess tonight I will look around the site and figure out how to keep this from happening again.

I'll be happy to suggest some things once we sort this mess out :)

PP

0

Ok now let's see if I can fit the report on here:
(I left the infected computer just how it was after the scan... it's still on, still in safe mode and still has the scan info pulled up)

Scan
----
Scanned: 1333103
Detected: 39
Untreated: 0
Start time: 11/18/2009 8:07:12 PM
Duration: 1 days 20:02:19
Finish time: 11/20/2009 4:09:31 PM


Detected
--------
Status Object
------ ------
deleted: adware not-a-virus:AdWare.Win32.SearchIt.t File: C:\Documents and Settings\All Users\Application Data\AOL Downloads\lpaolcom_setupSTUS\comps\toolbar\toolbr.exe//WiseSFXDropper//WISE0015.BIN
deleted: Trojan program Backdoor.Win32.IRCBot.dd File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\770F4C7F.tmp//CryptFF
deleted: Trojan program Trojan-Downloader.Java.OpenConnection.at File: C:\Documents and Settings\Compaq_Administrator.JENNASPC\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmseria.jar-1290d05e-66b3b6cc.zip/vlocal.class
disinfected: Trojan program Trojan-Downloader.Java.OpenConnection.at File: C:\Documents and Settings\Compaq_Administrator.JENNASPC\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmseria.jar-1fc6f268-6ef990dc.zip
deleted: adware not-a-virus:AdWare.Win32.SearchIt.t File: C:\Program Files\AOL Toolbar\toolbar.dll
deleted: Trojan program Trojan.Win32.FraudPack.swc File: C:\Qoobox\Quarantine\C\WINDOWS\msa.exe.vir
deleted: Trojan program Packed.Win32.PECompact (modification) File: C:\Qoobox\Quarantine\C\WINDOWS\system32\net.net.vir//PE_Patch.PECompact//PecBundle//PECompact
deleted: Trojan program Packed.Win32.TDSS.z File: C:\Qoobox\Quarantine\C\WINDOWS\system32\rotscxhmsmwxtp.dll.vir
deleted: Trojan program Packed.Win32.TDSS.z File: C:\Qoobox\Quarantine\C\WINDOWS\system32\rotscxjdykmrmi.dll.vir
deleted: Trojan program Packed.Win32.TDSS.y File: C:\Qoobox\Quarantine\C\WINDOWS\system32\UACdahiwrtppf.dll.vir
deleted: Trojan program Trojan.Win32.TDSS.amwo File: C:\Qoobox\Quarantine\C\WINDOWS\system32\UACnsdrcunxkq.dll.vir
deleted: Trojan program Trojan.Win32.Tdss.anrc File: C:\Qoobox\Quarantine\C\WINDOWS\system32\UACoiaktqxumn.dll.vir
deleted: Trojan program Packed.Win32.TDSS.y File: C:\Qoobox\Quarantine\C\WINDOWS\system32\UACyhlcmkotsa.dll.vir
deleted: Trojan program Packed.Win32.TDSS.z File: C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\rotscxxyansxdt.sys.vir
deleted: Trojan program Rootkit.Win32.Agent.oxr File: C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACbocfkaftxs.sys.vir
deleted: Trojan program Packed.Win32.TDSS.z File: C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP108\A0016535.sys
deleted: Trojan program Packed.Win32.TDSS.z File: C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP108\A0016536.dll
deleted: Trojan program Packed.Win32.TDSS.z File: C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP108\A0016537.dll
deleted: Trojan program Rootkit.Win32.Agent.oxr File: C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP108\A0016538.sys
deleted: Trojan program Trojan.Win32.TDSS.amwo File: C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP108\A0016539.dll
deleted: Trojan program Trojan.Win32.Tdss.anrc File: C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP108\A0016540.dll
deleted: Trojan program Packed.Win32.TDSS.y File: C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP108\A0016541.dll
deleted: Trojan program Packed.Win32.TDSS.y File: C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP108\A0016542.dll
deleted: Trojan program Rootkit.Win32.PMax.e File: C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP108\A0016544.sys:1
deleted: Trojan program Rootkit.Win32.PMax.e File: C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP108\A0016558.sys:1
deleted: Trojan program Rootkit.Win32.PMax.e File: C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP108\A0016644.sys:1
deleted: Trojan program Rootkit.Win32.PMax.e File: C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP108\A0016654.sys:1
deleted: Trojan program Rootkit.Win32.PMax.e File: C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP108\A0016681.sys:1
deleted: Trojan program Trojan.Win32.Pakes.npx File: C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP108\A0016697.dll
deleted: Trojan program Trojan.Win32.FraudPack.swc File: C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP108\A0016803.exe
deleted: adware not-a-virus:AdWare.Win32.SearchIt.t File: C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP108\A0019174.exe//WiseSFXDropper//WISE0015.BIN
deleted: adware not-a-virus:AdWare.Win32.SearchIt.t File: C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP108\A0019175.dll
deleted: adware not-a-virus:AdWare.Win32.WeatherBug.a File: D:\I386\APPS\APP30816\src\CompaqPresario_Spring06.exe//WiseSFXDropper//WISE0015.BIN
deleted: adware not-a-virus:AdWare.Win32.WeatherBug.a File: D:\I386\APPS\APP30816\src\HPPavillion_Spring06.exe//WiseSFXDropper//WISE0015.BIN
deleted: adware not-a-virus:AdWare.Win32.WeatherBug.a File: D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP108\A0019176.exe//WiseSFXDropper//WISE0015.BIN
deleted: adware not-a-virus:AdWare.Win32.WeatherBug.a File: D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP108\A0019177.exe//WiseSFXDropper//WISE0015.BIN
deleted: adware not-a-virus:AdWare.Win32.SearchIt.t File: C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP108\A0019174.exe//WiseSFXDropper
deleted: adware not-a-virus:AdWare.Win32.WeatherBug.a File: D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP108\A0019176.exe//WiseSFXDropper
deleted: adware not-a-virus:AdWare.Win32.WeatherBug.a File: D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP108\A0019177.exe//WiseSFXDropper


Events
------
Time Name Status Reason
---- ---- ------ ------


Statistics
----------
Object Scanned Detected Untreated Deleted Moved to Quarantine Archives Packed files Password protected Corrupted
------ ------- -------- --------- ------- ------------------- -------- ------------ ------------------ ---------


Settings
--------
Parameter Value
--------- -----
Security Level Recommended
Action Prompt for action when the scan is complete
Run mode Manually
File types Scan all files
Scan only new and changed files No
Scan archives All
Scan embedded OLE objects All
Skip if object is larger than No
Skip if scan takes longer than No
Parse email formats No
Scan password-protected archives No
Enable iChecker technology No
Enable iSwift technology No
Show detected threats on "Detected" tab Yes
Rootkits search Yes
Deep rootkits search No
Use heuristic analyzer Yes


Quarantine
----------
Status Object Size Added
------ ------ ---- -----


Backup
------
Status Object Size
------ ------ ----

0

Ok now let's see if I can fit the report on here:
(I left the infected computer just how it was after the scan... it's still on, still in safe mode and still has the scan info pulled up)

Well - The vast majority of what was removed were baddies that had been quarantined by combofix and things in System Restore.
So, I'd wager most if not all malware is now gone.

I'd like to try a couple things:
-- Please do the step in post #102 and attach the log for me.
-- What is the exact username you log on to the compy with?

PP:)
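
Added example, not part of the original posts: a Python script that groups the detection lines of a report in the format posted above by where each flagged file was stored (ComboFix's Qoobox quarantine, a System Restore point, the Norton quarantine, or anywhere else). The sample lines are copied from the report above; the location labels and function names are this example's own.

```python
import re
from collections import Counter

# One detection line: "<status>: <class> <verdict> [(modification)] File: <path>"
LINE_RE = re.compile(
    r"^(?P<status>\w+):\s+(?P<kind>.+?)\s+(?P<verdict>\S+)"
    r"(?:\s+\(modification\))?\s+File:\s+(?P<path>.+)$"
)

# Path fragments (lower case) marking stored copies rather than files in place.
# The labels are this example's own naming, not the scanner's.
STORED = [
    ("ComboFix quarantine", r"\qoobox\quarantine"),
    ("System Restore point", r"\system volume information\_restore{"),
    ("Norton quarantine", r"\norton antivirus\quarantine"),
]
OTHER = "other location"


def classify(path):
    low = path.lower()
    for label, marker in STORED:
        if marker in low:
            return label
    return OTHER


def parse_report(lines):
    """Return one dict per detection line; headers and rulers are skipped."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["location"] = classify(entry["path"])
            entries.append(entry)
    return entries


def summarize_detections(lines):
    """Return (count per location, number of stored copies, total detections)."""
    entries = parse_report(lines)
    by_location = Counter(e["location"] for e in entries)
    stored = len(entries) - by_location[OTHER]
    return by_location, stored, len(entries)


# Nine detection lines copied from the report above, plus its table header.
SAMPLE_REPORT = r"""
Status Object
------ ------
deleted: Trojan program Backdoor.Win32.IRCBot.dd File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\770F4C7F.tmp//CryptFF
deleted: Trojan program Trojan-Downloader.Java.OpenConnection.at File: C:\Documents and Settings\Compaq_Administrator.JENNASPC\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmseria.jar-1290d05e-66b3b6cc.zip/vlocal.class
deleted: adware not-a-virus:AdWare.Win32.SearchIt.t File: C:\Program Files\AOL Toolbar\toolbar.dll
deleted: Trojan program Trojan.Win32.FraudPack.swc File: C:\Qoobox\Quarantine\C\WINDOWS\msa.exe.vir
deleted: Trojan program Packed.Win32.PECompact (modification) File: C:\Qoobox\Quarantine\C\WINDOWS\system32\net.net.vir//PE_Patch.PECompact//PecBundle//PECompact
deleted: Trojan program Rootkit.Win32.Agent.oxr File: C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACbocfkaftxs.sys.vir
deleted: Trojan program Packed.Win32.TDSS.z File: C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP108\A0016535.sys
deleted: Trojan program Rootkit.Win32.PMax.e File: C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP108\A0016544.sys:1
deleted: adware not-a-virus:AdWare.Win32.WeatherBug.a File: D:\I386\APPS\APP30816\src\HPPavillion_Spring06.exe//WiseSFXDropper//WISE0015.BIN
"""

if __name__ == "__main__":
    counts, stored, total = summarize_detections(SAMPLE_REPORT.splitlines())
    print(f"{stored} of {total} detections were stored copies")
    for location, n in counts.most_common():
        print(f"{n:3d}  {location}")
```

Entries that land in "other location" are the ones that were found in place on disk, so they are the lines to read first when deciding what to check next.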

0

Well - The vast majority of what was removed were baddies that had been quarantined by combofix and things in System Restore.
So, I'd wager most if not all malware is now gone.

I'd like to try a couple things:
-- Please do the step in post #102 and attach the log for me.
-- What is the exact username you log on to the compy with?

PP:)

So do you want me to log in normally? I will have to log in to find the exact name. But compaq administrator was the one I had to log into when I used safe mode.

0

Exact Name:
Compaq_Administrator

going to look at post 102 now

0

Exact Name:
Compaq_Administrator

going to look at post 102 now

Great - I'm going to use the same procedure I'm using in another thread to try to restore permissions on the ill compy so we can get things to run.

PP:)

0

<AVZ_CollectSysInfo>
--------------------
Start time: 11/20/2009 6:12:52 PM
Duration: 00:04:11
Finish time: 11/20/2009 6:17:03 PM


<AVZ_CollectSysInfo>
--------------------
Time Event
---- -----
11/20/2009 6:12:53 PM Windows version: Microsoft Windows XP, Build=2600, SP="Service Pack 2"
11/20/2009 6:12:53 PM System Restore: enabled
11/20/2009 6:12:54 PM 1.1 Searching for user-mode API hooks
11/20/2009 6:12:54 PM Analysis: kernel32.dll, export table found in section .text
11/20/2009 6:12:54 PM Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C802367->61F03F42
11/20/2009 6:12:54 PM Hook kernel32.dll:CreateProcessA (99) blocked
11/20/2009 6:12:54 PM Function kernel32.dll:CreateProcessW (103) intercepted, method ProcAddressHijack.GetProcAddress ->7C802332->61F04040
11/20/2009 6:12:54 PM Hook kernel32.dll:CreateProcessW (103) blocked
11/20/2009 6:12:54 PM Function kernel32.dll:FreeLibrary (241) intercepted, method ProcAddressHijack.GetProcAddress ->7C80ABEE->61F041FC
11/20/2009 6:12:54 PM Hook kernel32.dll:FreeLibrary (241) blocked
11/20/2009 6:12:54 PM Function kernel32.dll:GetModuleFileNameA (372) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B4DF->61F040FB
11/20/2009 6:12:54 PM Hook kernel32.dll:GetModuleFileNameA (372) blocked
11/20/2009 6:12:54 PM Function kernel32.dll:GetModuleFileNameW (373) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B3E5->61F041A0
11/20/2009 6:12:54 PM Hook kernel32.dll:GetModuleFileNameW (373) blocked
11/20/2009 6:12:54 PM Function kernel32.dll:GetProcAddress (408) intercepted, method ProcAddressHijack.GetProcAddress ->7C80ADB0->61F04648
11/20/2009 6:12:54 PM Hook kernel32.dll:GetProcAddress (408) blocked
11/20/2009 6:12:54 PM Function kernel32.dll:LoadLibraryA (578) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D77->61F03C6F
11/20/2009 6:12:54 PM Hook kernel32.dll:LoadLibraryA (578) blocked
11/20/2009 6:12:54 PM >>> Functions LoadLibraryA - preventing AVZ process from being intercepted by address replacement !!)
11/20/2009 6:12:54 PM Function kernel32.dll:LoadLibraryExA (579) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D4F->61F03DAF
11/20/2009 6:12:54 PM Hook kernel32.dll:LoadLibraryExA (579) blocked
11/20/2009 6:12:54 PM >>> Functions LoadLibraryExA - preventing AVZ process from being intercepted by address replacement !!)
11/20/2009 6:12:54 PM Function kernel32.dll:LoadLibraryExW (580) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF1->61F03E5A
11/20/2009 6:12:54 PM Hook kernel32.dll:LoadLibraryExW (580) blocked
11/20/2009 6:12:54 PM Function kernel32.dll:LoadLibraryW (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AE5B->61F03D0C
11/20/2009 6:12:54 PM Hook kernel32.dll:LoadLibraryW (581) blocked
11/20/2009 6:12:54 PM IAT modification detected: LoadLibraryW - 00B40010<>7C80AE5B
11/20/2009 6:12:54 PM Analysis: ntdll.dll, export table found in section .text
11/20/2009 6:12:54 PM Analysis: user32.dll, export table found in section .text
11/20/2009 6:12:54 PM Analysis: advapi32.dll, export table found in section .text
11/20/2009 6:12:54 PM Analysis: ws2_32.dll, export table found in section .text
11/20/2009 6:12:54 PM Analysis: wininet.dll, export table found in section .text
11/20/2009 6:12:54 PM Analysis: rasapi32.dll, export table found in section .text
11/20/2009 6:12:54 PM Analysis: urlmon.dll, export table found in section .text
11/20/2009 6:12:54 PM Analysis: netapi32.dll, export table found in section .text
11/20/2009 6:12:55 PM 1.2 Searching for kernel-mode API hooks
11/20/2009 6:12:55 PM Driver loaded successfully
11/20/2009 6:12:55 PM SDT found (RVA=07C020)
11/20/2009 6:12:55 PM Kernel ntkrnlpa.exe found in memory at address 804D7000
11/20/2009 6:12:55 PM SDT = 80553020
11/20/2009 6:12:55 PM KiST = 80501B9C (284)
11/20/2009 6:12:58 PM Functions checked: 284, intercepted: 0, restored: 0
11/20/2009 6:12:58 PM 1.3 Checking IDT and SYSENTER
11/20/2009 6:12:58 PM Analysis for CPU 1
11/20/2009 6:12:58 PM Checking IDT and SYSENTER - complete
11/20/2009 6:12:58 PM 1.4 Searching for masking processes and drivers
11/20/2009 6:12:58 PM Checking not performed: extended monitoring driver (AVZPM) is not installed
11/20/2009 6:12:58 PM Driver loaded successfully
11/20/2009 6:12:58 PM 1.5 Checking of IRP handlers
11/20/2009 6:12:58 PM Checking - complete
11/20/2009 6:13:00 PM C:\WINDOWS\system32\iertutil.dll --> Suspicion for Keylogger or Trojan DLL
11/20/2009 6:13:00 PM C:\WINDOWS\system32\iertutil.dll>>> Behavioral analysis
11/20/2009 6:13:00 PM Behaviour typical for keyloggers not detected
11/20/2009 6:13:01 PM Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
11/20/2009 6:13:07 PM >>> C:\Program Files\WildTangent\Apps\CDA\CDALogger0402.dll HSC: suspicion for Spy.WindTangent
11/20/2009 6:13:08 PM >>> C:\WINDOWS\wt\webdriver\4.1.1\webdriver.dll HSC: suspicion for Spy.WindTangent
11/20/2009 6:13:16 PM >> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry)
11/20/2009 6:13:16 PM >> Services: potentially dangerous service allowed: TermService (Terminal Services)
11/20/2009 6:13:16 PM >> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
11/20/2009 6:13:16 PM >> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
11/20/2009 6:13:16 PM >> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
11/20/2009 6:13:16 PM >> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
11/20/2009 6:13:16 PM > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
11/20/2009 6:13:16 PM >> Security: disk drives' autorun is enabled
11/20/2009 6:13:16 PM >> Security: administrative shares (C$, D$ ...) are enabled
11/20/2009 6:13:16 PM >> Security: anonymous user access is enabled
11/20/2009 6:13:16 PM >> Security: sending Remote Assistant queries is enabled
11/20/2009 6:13:21 PM >> Disable HDD autorun
11/20/2009 6:13:21 PM >> Disable autorun from network drives
11/20/2009 6:13:21 PM >> Disable CD/DVD autorun
11/20/2009 6:13:21 PM >> Disable removable media autorun
11/20/2009 6:13:21 PM System Analysis in progress
11/20/2009 6:17:02 PM System Analysis - complete
11/20/2009 6:17:02 PM Delete file:C:\Documents and Settings\Compaq_Administrator.JENNASPC\Desktop\Virus Removal Tool\is-7SFHJ\LOG\avptool_syscheck.htm
11/20/2009 6:17:02 PM Delete file:C:\Documents and Settings\Compaq_Administrator.JENNASPC\Desktop\Virus Removal Tool\is-7SFHJ\LOG\avptool_syscheck.xml
11/20/2009 6:17:03 PM Deleting service/driver: uti2otk3
11/20/2009 6:17:03 PM Delete file:C:\WINDOWS\system32\Drivers\uti2otk3.sys
11/20/2009 6:17:03 PM Deleting service/driver: uji2otk3
11/20/2009 6:17:03 PM Script executed without errors

0

Ok - let's have a go at this:

-- Download the attached FixIt.zip and Extract the FixIt Folder from the ZIP and place it on the ill computer.
In the FixIt Folder, you'll find RunThis.bat.
Run that and give it as long as it needs. A log will pop up - please post that for me.
As usual, let me know if any problems with the above.

Busy weekend upcoming - will check back as time permits.

PP:)

Edited by PhilliePhan: remove used attachment

0

This old computer is having a lot of trouble with this big log file. I may have to go to another computer to post it.

0

It will not let me cut and paste it in here... it is a very big log. I've tried it on 4 different computers now. I guess I can email it or something but I couldn't get it to even pull up on 2 of the computers.

EDIT: It will let me cut and paste it a little at a time but not if I select all. It is too big to do a little at a time though... I tried it for about 30 min and didn't even have an 1/8 of the log highlighted.

Edited by adub: n/a

0

It will not let me cut and paste it in here... it is a very big log. I've tried it on 4 different computers now. I guess I can email it or something but I couldn't get it to even pull up on 2 of the computers.

EDIT: It will let me cut and paste it a little at a time but not if I select all. It is too big to do a little at a time though... I tried it for about 30 min and didn't even have an 1/8 of the log highlighted.

Can you zip it and attach it using the "manage attachments" button?

If not, highlight a bunch of it and post that for me - I'd like to see if it is throwing a bunch of errors.


Better yet, use the edit feature to search for "Elapsed time" - there should be Eight occurrences of this. When you find those, post me the block of data between Elapsed time and Last Done or Last Failed.

Here's an example:

Elapsed Time: 00 00:13:10
Done: 337110, Modified 337108, Failed 2, Syntax errors 0
Last Done : HKEY_LOCAL_MACHINE\SYSTEM........
Last Failed: HKEY_LOCAL_MACHINE....... 5 Access is denied.

Hang in there - We may get this sorted by Christmas, LOL :)

PP
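
Added example, not part of the original posts: when a log is too large to open or paste, a script can read it line by line and keep only the summary blocks described above. This Python script assumes each block starts with an "Elapsed Time" line followed directly by the "Done:", "Last Done" and "Last Failed" lines, as in the example block; the sample log, its filler lines and its registry and file paths are constructed.

```python
import re
import sys

# Counters line, in the layout of the example block in the post above.
COUNTS_RE = re.compile(
    r"Done:\s*(\d+),\s*Modified\s*(\d+),\s*Failed\s*(\d+),\s*Syntax errors\s*(\d+)",
    re.IGNORECASE,
)
FOLLOW_UP = ("done:", "last done", "last failed")


def iter_blocks(lines):
    """Yield each 'Elapsed Time' line with the summary lines right after it.

    Works on any iterable of lines (such as an open file), so the whole log
    is never held in memory.
    """
    block = []
    for raw in lines:
        line = raw.strip()
        low = line.lower()
        if not line:
            continue
        if low.startswith("elapsed time"):
            if block:
                yield block
            block = [line]
        elif block and low.startswith(FOLLOW_UP):
            block.append(line)
        elif block:  # first unrelated line closes the block
            yield block
            block = []
    if block:
        yield block


def parse_block(block):
    """Turn one block into a dict; 'last_failed' is absent if nothing failed."""
    info = {"elapsed": block[0].partition(":")[2].strip()}
    for line in block[1:]:
        counts = COUNTS_RE.search(line)
        if counts:
            keys = ("done", "modified", "failed", "syntax_errors")
            info.update(zip(keys, map(int, counts.groups())))
        elif line.lower().startswith("last done"):
            info["last_done"] = line.partition(":")[2].strip()
        elif line.lower().startswith("last failed"):
            info["last_failed"] = line.partition(":")[2].strip()
    return info


def summarize_runs(lines):
    return [parse_block(block) for block in iter_blocks(lines)]


# Constructed sample: the first block reuses the numbers from the post above,
# everything else (filler lines, paths, second block) is made up.
SAMPLE_LOG = r"""
filler line 1 (per-object output would be here)
filler line 2
Elapsed Time: 00 00:13:10
Done:   337110, Modified   337108, Failed        2, Syntax errors 0
Last Done  : HKEY_LOCAL_MACHINE\SYSTEM\ExampleLastKey
Last Failed: HKEY_LOCAL_MACHINE\SYSTEM\ExampleDeniedKey - 5 Access is denied.
filler line 3
Elapsed Time: 00 00:02:41
Done:    51200, Modified    51200, Failed        0, Syntax errors 0
Last Done  : C:\ExampleDir\last.txt
"""

if __name__ == "__main__":
    # Assumption: the log is readable in the platform's default text encoding.
    source = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 \
        else SAMPLE_LOG.splitlines()
    for number, run in enumerate(summarize_runs(source), start=1):
        print(number, run)
```

Run with the log's path as the only argument to print one short line per block, which is small enough to paste into a reply.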

0

I've been trying to attach it but it doesn't look like it's going to work on this old computer. I'll try a few more times and if it doesn't work I will try to go over to a friend's to get it to work tomorrow.
