MS Removal Tool

View previous topic View next topic Go down

MS Removal Tool

Post by davisfamily22 on Sun 24 Apr 2011, 9:44 am

I have been looking at the other post for this with the same issues. MS Removal disabled my AVIRA and MALWAREBYTES, and all drives (cd, dvd, and usb) .Reloaded malwarebytes from your link with a current definition in safe mode. Ran quick scan and full. Does not detect. Everything has to be started from the run prompt. AVIRA updates and then MS Removal disables it before it can scan. I have run avira and malwarebytes manually. No dice. Then tried Spybot. It found like 20 things. Selected Fix. Did not get rid of MS Removal Tool. I can go through all the OTL stuff but most of the related posts where MS RT is not removed by Malware bytes show it using some combofix. I downloaded the AVIRA Rescue program on my other pc, however, it will not boot on this computer-- says drive not enabled.

davisfamily22

Newbie Surfer
Newbie Surfer

Posts : 7
Joined : 2011-04-24
Operating System : windows xp

View user profile

Back to top Go down

Re: MS Removal Tool

Post by davisfamily22 on Sun 24 Apr 2011, 10:18 am

OTL Extras logfile created on: 4/23/2011 6:14:37 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\otl
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 88.00% Memory free
5.00 Gb Paging File | 5.00 Gb Available in Paging File | 96.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.72 Gb Total Space | 432.28 Gb Free Space | 92.82% Space Free | Partition Type: NTFS

Computer Name: D32K5JC1 | User Name: Gabi | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\SAFE\SAFE.mde" = C:\Program Files\SAFE\SAFE.mde:*:Enabled:SAFE -- ()
"H:\SAFE Private 2002 mde\SAFE 2002.mde" = H:\SAFE Private 2002 mde\SAFE 2002.mde:*:Disabled:SAFE 2002
"C:\Program Files\SAFE\Safe DB.mdb" = C:\Program Files\SAFE\Safe DB.mdb:*:Disabled:Safe DB -- ()
"C:\Program Files\SAFE\SAFE Work.mdb" = C:\Program Files\SAFE\SAFE Work.mdb:*:Disabled:SAFE Work -- ()
"C:\Program Files\Verizon\VSP\ServicepointService.exe" = C:\Program Files\Verizon\VSP\ServicepointService.exe:*:Enabled:Servicepoint Service -- (Radialpoint Inc.)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Google\Google Earth\client\googleearth.exe" = C:\Program Files\Google\Google Earth\client\googleearth.exe:*:Enabled:Google Earth -- (Google)
"C:\Program Files\LEGO Media\Games\LEGO Chess\Lego Chess.exe" = C:\Program Files\LEGO Media\Games\LEGO Chess\Lego Chess.exe:*:Enabled:Lego Chess -- (Krisalis Software)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Creator Data
"{09760D42-E223-42AD-8C3E-55B47D0DDAC3}" = Roxio Creator DE
"{0DC86BEC-5CE3-413A-BB61-C40A3D186B24}" = Scan
"{14BEB6DF-A499-4A38-8E06-E173BCD5C087}" = ScannerCopy
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{17293791-C82E-476C-9997-9A0FF234A19B}" = HP Product Assistant
"{181821B7-82AA-44DA-9DAF-EF254CCB670A}" = Fax
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{19A71C4F-94D9-44EA-AC98-FF8A045273AB}" = iSqFt Full Viewer V4.01
"{1AD5F465-8282-4DAD-B957-E09C0B783D18}" = InstantShare
"{1B680FBA-E317-4E93-AF43-3B59798A4BE0}" = Copy
"{1D1977A9-2FDC-4E83-BE82-3478256342D4}" = AT&T Dial Connection Manager
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Creator Tools
"{20FBC0A0-3160-4F14-83ED-3A74BB6B8C31}" = TrayApp
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{272EC8BA-5A08-4ea1-A189-684466A06B02}" = cp_dwShrek2Albums1
"{294EAADF-E50F-4DD8-AD8D-19587EA10512}" = Modem Diagnostic Tool
"{2E8428AD-6CD2-4031-916A-3CF9BBF2DEC9}" = Unload
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{342C7C88-D335-4bc2-8CF1-281857629CE2}" = HP PSC & OfficeJet 4.7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3762DB2D-71BD-421F-9E55-C74DA7DF4D07}" = CueTour
"{391E18CE-7D3B-45E9-A8F0-34E77F14F47A}" = ProductContext
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{413CEBC4-ABA1-4AC4-ADFB-69FA195F09AB}" = 7300_Help
"{442BE28B-782B-4DC0-B490-E70A403B1C69}" = Readme
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{5B049B61-0684-460E-A5F2-5EC314590344}" = Mavis Beacon Teaches Typing 18
"{5E8D588F-307C-4250-B622-26969027319A}" = PanoStandAlone
"{62230596-37E5-4618-A329-0D21F529A86F}" = Browser Address Error Redirector
"{644D04A2-C682-4FD5-977D-03B804C4B9C5}" = CreativeProjects
"{646A65DD-23FC-418E-B9F0-E0500FB42CB1}" = PhotoGallery
"{64FC0C98-B035-4530-B15D-3D30610B6DF1}" = HP Software Update
"{655CB07D-C944-40BE-B93F-55957CAC7625}" = AiO_Scan
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{68963635-14A4-48D9-B431-DF3A74D1AAE1}" = Destinations
"{6D48CC96-AC7C-449F-BD06-7C52A791848B}" = 7400
"{700A6597-3CE6-49C1-AA75-846B24CDA66D}" = BufferChm
"{724517BD-1DE1-4986-BFCA-C1DFD379E3BC}" = cp_dwShrek2Cards1
"{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Creator Audio
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7AD25C9F-9957-4D1C-95EF-9BCD09F6D31B}" = HPSystemDiagnostics
"{7BDD6642-76D6-49F7-9157-6100E5C75B97}" = Vz In Home Agent
"{7F34A21F-2DEB-4598-BB19-611D6BD24271}" = Managed DirectX (0900)
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{843E82A0-15CE-4587-9BF0-8C07FF90094D}" = Where in the USA is Carmen Sandiego for schools
"{84CDF5A8-1D57-4B69-BAB6-1F11D8923375}" = SkinsHP1
"{85CFD253-38AE-4DB1-ACB7-F0F4C791990D}" = AiOSoftware
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{87841AF8-C785-42FF-A76E-CC0F0C2816CC}" = ATI Catalyst Control Center
"{8BC3B99B-A6BE-4A0B-8535-B1B94BA4B1B1}" = DocProc
"{8C0B406B-DF08-49EF-8702-FA45752C135F}" = Verizon Download Manager
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{901C0409-6000-11D3-8CFE-0050048383C9}" = Microsoft Access 2002 Runtime
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{9EDE7573-F2B0-4FAC-8928-A7E9381BCB91}" = ArcSoft MediaImpression for Kodak
"{9EF5B77F-703E-4953-9DA9-186E28A62568}" = 7300Trb
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A5B9D22C-755A-4AC6-9904-875E80838BB6}" = CP_AtenaShokunin1Config
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B43357AA-3A6D-4D94-B56E-43C44D09E548}" = Microsoft .NET Framework (English)
"{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Creator Copy
"{B911B811-BA3E-46D4-90F8-6F3338359651}" = Director
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C768790F-04FB-11E0-9B2C-001AA037B01E}" = Google Earth
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDFCF124-115F-4976-8BF4-08C89187A146}" = WebReg
"{CE0C8CC5-E396-442B-A50E-D1D374A9E820}" = DocumentViewer
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE33EC58-5DFB-4560-9D33-1E7942E0554F}" = HP Deskjet 9800
"{DB299A0A-69B8-4DD2-BB76-A17CF14CE649}" = Lets Ride Corral Club
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center (Support Software)
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{E67E4B20-5A8A-41B3-9A15-088CB7A09B36}" = Insaniquarium
"{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Creator DE
"{F04CDF62-C0EF-4A5D-8D6B-50BD496C2685}" = Hunting Unlimited 2010
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{FC22D020-3005-4715-8DF9-F3EDE81DEB3D}" = CreativeProjectsTemplates
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Amazon Trail 3rd Edition" = Amazon Trail 3rd Edition
"ATI Display Driver" = ATI Display Driver
"Auction Client" = Auction Client
"Avira AntiVir Desktop" = Avira AntiVir Premium
"Busytown" = Busytown Uninstall
"Caillou's Alphabet" = Caillou's Alphabet
"Candy Land" = Candy Land
"CGABCV11" = Curious George ABCs
"CGELAV11" = Curious George Learning Games
"CNXT_MODEM_PCI_HSF" = Conexant D850 PCI V.92 Modem
"Coffee Tycoon" = Coffee Tycoon
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Dreamship Tales" = Dreamship Tales
"EPSON Printer and Utilities" = EPSON Printer Software
"Google Chrome" = Google Chrome
"Google Desktop" = Google Desktop
"GoToAssist" = GoToAssist 8.0.0.514
"GoToAssist Express Customer" = GoToAssist Customer 1.5.0.258
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"Hot Wheels Mechanix" = Hot Wheels® Mechanix
"hp Deskjet 9800 series" = HP Deskjet 9800 Series
"HP Photo & Imaging" = HP Image Zone 4.7
"ie8" = Windows Internet Explorer 8
"InstallShield_{DB299A0A-69B8-4DD2-BB76-A17CF14CE649}" = Lets Ride Corral Club
"JSLG_PH" = JumpStart Learning Games Phonics
"JumpStart Animal Adventures" = JumpStart Animal Adventures
"JumpStart Explorers" = JumpStart Explorers
"LEGO Racers" = LEGO Racers
"LEGO Stunt Rally" = LEGO Stunt Rally
"LegoChessDeInstKey" = LEGO Chess
"Little Bear Preschool Thinking Adventures" = Little Bear Preschool Thinking Adventures
"Little Bear(TM) Rainy Day Activities" = Little Bear(TM) Rainy Day Activities
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Marine Life Tycoon" = Marine Life Tycoon
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework Full v1.0.3705 (1033)" = Microsoft .NET Framework (English) v1.0.3705
"Moon Tycoon" = Moon Tycoon
"Ocean Explorer Tycoon" = Ocean Explorer Tycoon
"ODEUNST #1" = SAFE
"Oregon Trail 5" = Oregon Trail 5
"Peggle Nights 1.0" = Peggle Nights 1.0
"Personalized Learning Center" = Personalized Learning Center
"PHONICS" = JumpStart Phonics
"Picasa 3" = Picasa 3
"PROSet" = Intel(R) PRO Network Connections Drivers
"Quarter Mile Math Level 1" = Quarter Mile Math Level 1
"QuickTime" = QuickTime
"RadialpointClientGateway_is1" = Verizon Servicepoint 3.5.18
"Reader Rabbit Learn To Read With Phonics" = Reader Rabbit Learn To Read With Phonics
"Reader Rabbit Personalized 2nd Grade" = Reader Rabbit Personalized 2nd Grade
"Reader Rabbit Preschool" = Reader Rabbit Preschool
"Reader Rabbit(R) I Can Read! With Phonics" = Reader Rabbit(R) I Can Read! With Phonics
"Rescue Heroes Hurricane Havoc" = Rescue Heroes Hurricane Havoc
"Richard Scarry's Best Activity Center Ever" = Richard Scarry's Best Activity Center Ever
"RollerCoaster Tycoon Setup" = Roll
"RRF.exe" = Reader Rabbit's 1st Grade
"RRTW32.EXE" = Reader Rabbit's Toddler
"SAFE Private Company" = SAFE Private Company 10.0
"SearchAssist" = SearchAssist
"Shockwave" = Shockwave
"Tax Forms Helper 2009_is1" = Tax Forms Helper 2009 9.0
"Thomas & Friends - Trouble on the Tracks" = Thomas & Friends - Trouble on the Tracks
"Tonka Construction 2" = Tonka Construction 2
"Tonka Garage" = Tonka Garage
"Tonka Raceway" = Tonka Raceway
"Tonka Workshop" = Tonka Workshop
"Treasures of Knowledge" = Treasures of Knowledge
"Verizon High Speed Internet_is1" = Verizon High Speed Internet
"Verizon Yahoo! Applications" = Verizon Yahoo! Applications
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Mail Advisor" = Yahoo! Mail Advisor
"Yahoo! Search Defender" = Yahoo! Search Protection
"Yahoo! Software Update" = Yahoo! Software Update

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Yahoo! BrowserPlus" = Yahoo! BrowserPlus 2.9.8

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/19/2011 11:08:19 AM | Computer Name = D32K5JC1 | Source = Application Hang | ID = 1002
Description = Hanging application LittleBear.exe, version 1.0.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ OSession Events ]
Error - 8/25/2009 1:18:52 AM | Computer Name = D32K5JC1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 471703
seconds with 7680 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 4/23/2011 5:56:56 PM | Computer Name = D32K5JC1 | Source = Service Control Manager | ID = 7034
Description = The ArcSoft Connect Daemon service terminated unexpectedly. It has
done this 1 time(s).

Error - 4/23/2011 5:56:56 PM | Computer Name = D32K5JC1 | Source = Service Control Manager | ID = 7034
Description = The ServicepointService service terminated unexpectedly. It has done
this 1 time(s).

Error - 4/23/2011 5:56:56 PM | Computer Name = D32K5JC1 | Source = Service Control Manager | ID = 7034
Description = The Yahoo! Updater service terminated unexpectedly. It has done this
1 time(s).

Error - 4/23/2011 5:56:56 PM | Computer Name = D32K5JC1 | Source = Service Control Manager | ID = 7034
Description = The Pml Driver HPZ12 service terminated unexpectedly. It has done
this 1 time(s).

Error - 4/23/2011 5:56:56 PM | Computer Name = D32K5JC1 | Source = Service Control Manager | ID = 7034
Description = The SupportSoft Sprocket Service (DellSupportCenter) service terminated
unexpectedly. It has done this 1 time(s).

Error - 4/23/2011 5:56:56 PM | Computer Name = D32K5JC1 | Source = Service Control Manager | ID = 7034
Description = The SupportSoft Sprocket Service (verizondm) service terminated unexpectedly.
It has done this 1 time(s).

Error - 4/23/2011 5:56:56 PM | Computer Name = D32K5JC1 | Source = Service Control Manager | ID = 7034
Description = The SupportSoft Repair Service (verizondm) service terminated unexpectedly.
It has done this 1 time(s).

Error - 4/23/2011 6:04:05 PM | Computer Name = D32K5JC1 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 4/23/2011 6:05:04 PM | Computer Name = D32K5JC1 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
avgio avipbb Cdrom Fips Imapi intelppm redbook ssmdrv

Error - 4/23/2011 7:14:07 PM | Computer Name = D32K5JC1 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}


< End of report >

davisfamily22

Newbie Surfer
Newbie Surfer

Posts : 7
Joined : 2011-04-24
Operating System : windows xp

View user profile

Back to top Go down

Re: MS Removal Tool

Post by Belahzur on Sun 24 Apr 2011, 1:16 pm

Can you post the main OTL.txt as well?


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer
Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

View user profile

Back to top Go down

Re: MS Removal Tool

Post by davisfamily22 on Sun 24 Apr 2011, 1:51 pm

OTL logfile created on: 4/23/2011 6:14:37 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\otl
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 88.00% Memory free
5.00 Gb Paging File | 5.00 Gb Available in Paging File | 96.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.72 Gb Total Space | 432.28 Gb Free Space | 92.82% Space Free | Partition Type: NTFS

Computer Name: D32K5JC1 | User Name: Gabi | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/23 18:14:25 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\otl\OTL.com
PRC - [2008/04/14 07:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2011/04/23 18:14:25 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\otl\OTL.com
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/03/16 22:21:33 | 000,269,480 | ---- | M] (Avira GmbH) [Auto | Stopped] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011/03/08 09:48:43 | 000,421,032 | ---- | M] (Avira GmbH) [Auto | Stopped] -- C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE -- (AntiVirWebService)
SRV - [2011/01/17 10:30:38 | 000,161,144 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist Express Customer\258\g2ax_service.exe -- (GoToAssist Express Customer)
SRV - [2011/01/17 01:40:56 | 000,339,624 | ---- | M] (Avira GmbH) [Auto | Stopped] -- C:\Program Files\Avira\AntiVir Desktop\avmailc.exe -- (AntiVirMailService)
SRV - [2011/01/17 01:40:56 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Stopped] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2010/12/20 18:08:58 | 000,363,344 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2010/09/29 07:00:24 | 000,185,640 | ---- | M] (SupportSoft, Inc.) [Auto | Stopped] -- C:\Program Files\VERIZONDM\bin\tgsrvc.exe -- (tgsrvc_verizondm) SupportSoft Repair Service (verizondm)
SRV - [2010/09/29 07:00:16 | 000,206,120 | ---- | M] (SupportSoft, Inc.) [Auto | Stopped] -- C:\Program Files\VERIZONDM\bin\sprtsvc.exe -- (sprtsvc_verizondm) SupportSoft Sprocket Service (verizondm)
SRV - [2010/03/18 12:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2010/03/16 17:28:50 | 000,689,392 | ---- | M] (Radialpoint Inc.) [Auto | Stopped] -- C:\Program Files\Verizon\VSP\ServicepointService.exe -- (ServicepointService)
SRV - [2009/01/03 13:33:38 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe -- (GoToAssist)
SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Stopped] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/10/04 14:58:04 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Stopped] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_DellSupportCenter) SupportSoft Sprocket Service (DellSupportCenter)
SRV - [2004/09/29 12:14:36 | 000,069,632 | ---- | M] (HP) [Auto | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - [2011/03/16 22:21:34 | 000,137,656 | ---- | M] (Avira GmbH) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2011/01/17 01:40:56 | 000,061,960 | ---- | M] (Avira GmbH) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010/12/20 18:08:40 | 000,020,952 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2009/05/11 13:49:19 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Stopped] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2009/05/11 11:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2008/09/24 22:12:06 | 000,084,992 | ---- | M] (ATI Research Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AtiHdmi.sys -- (AtiHdmiService)
DRV - [2008/09/24 22:11:52 | 003,007,488 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2008/07/01 17:13:26 | 000,985,472 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2008/07/01 17:13:26 | 000,731,264 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2008/07/01 17:13:24 | 000,267,520 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2007/11/06 14:22:00 | 000,036,224 | ---- | M] (ArcSoft Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\ArcCD.sys -- (ArcCD)
DRV - [2007/07/16 21:48:54 | 004,403,712 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007/04/25 09:55:02 | 000,134,912 | ---- | M] (ArcSoft Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\drivers\ArcUdfs.sys -- (ArcUdfs)
DRV - [2006/11/10 16:05:00 | 000,018,688 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = [You must be registered and logged in to see this link.]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2008/04/14 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O2 - BHO: (Yahooo Search Protection) - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - C:\Program Files\Yahoo!\Search Protection\ysp.dll (Yahoo! Inc.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll (Google Inc.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [AT&T Dial Connection Manager] C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe (AT&T)
O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe ()
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [dellsupportcenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [HPWQTOOLBOX] C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [printutil] File not found
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [VERIZONDM] C:\Program Files\VERIZONDM\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\VSP\VerizonServicepoint.exe (Verizon)
O4 - HKLM..\Run: [YMailAdvisor] C:\Program Files\Yahoo!\Common\YMailAdvisor.exe (Yahoo! Inc.)
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKCU..\Run: [Spyware Doctor] File not found
O4 - HKCU..\RunOnce: [bDi24500gPpEn24500] C:\Documents and Settings\All Users\Application Data\bDi24500gPpEn24500\bDi24500gPpEn24500.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Co.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll (Google Inc.)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira GmbH)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira GmbH)
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira GmbH)
O15 - HKLM\..Trusted Domains: isqft.com ([www] https in Trusted sites)
O15 - HKCU\..Trusted Domains: isqft.com ([www] https in Trusted sites)
O15 - HKCU\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKCU\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_07)
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} [You must be registered and logged in to see this link.] (CBSTIEPrint Class)
O16 - DPF: {BEA7310D-06C4-4339-A784-DC3804819809} [You must be registered and logged in to see this link.] (Photo Upload Plugin Class)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_07)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 68.238.96.12
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\GoToAssist: DllName - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll - C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O20 - Winlogon\Notify\GoToAssist Express Customer: DllName - C:\Program Files\Citrix\GoToAssist Express Customer\258\g2ax_winlogon.dll - C:\Program Files\Citrix\GoToAssist Express Customer\258\g2ax_winlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Gabi\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Gabi\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/25 16:29:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{56de0d6f-df68-11dd-aa05-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{56de0d6f-df68-11dd-aa05-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{56de0d6f-df68-11dd-aa05-806d6172696f}\Shell\AutoRun\command - "" = D:\CD_Start.exe
O33 - MountPoints2\{e1b83514-0864-11e0-aa5e-00219b1ccb89}\Shell - "" = AutoRun
O33 - MountPoints2\{e1b83514-0864-11e0-aa5e-00219b1ccb89}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{e1b83514-0864-11e0-aa5e-00219b1ccb89}\Shell\AutoRun\command - "" = I:\MI.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/23 18:14:10 | 000,000,000 | ---D | C] -- C:\otl
[2011/04/23 15:57:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Gabi\Application Data\Malwarebytes
[2011/04/23 15:57:07 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/04/23 15:57:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/04/23 15:57:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/04/23 15:57:04 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/04/23 15:57:04 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/04/23 15:05:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2011/04/23 15:05:26 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/04/23 15:05:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2011/04/23 14:55:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2011/04/23 14:47:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2011/04/22 20:09:10 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2011/04/22 18:19:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\ServicePackFiles
[2011/04/22 18:15:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Gabi\Start Menu\Programs\Catalina Marketing Corp
[2011/04/22 18:15:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Gabi\Application Data\Catalina Marketing Corp
[2011/04/22 16:56:25 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2011/04/21 23:21:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\bDi24500gPpEn24500
[2011/03/25 18:48:06 | 004,284,416 | ---- | C] (Google Inc.) -- C:\WINDOWS\System32\GPhotos.scr
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/04/23 17:03:47 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/04/23 17:03:17 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/04/23 16:55:17 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/04/23 16:49:37 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/04/23 15:57:07 | 000,000,786 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/23 15:05:29 | 000,000,953 | ---- | M] () -- C:\Documents and Settings\Gabi\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011/04/23 15:05:29 | 000,000,935 | ---- | M] () -- C:\Documents and Settings\Gabi\Desktop\Spybot - Search & Destroy.lnk
[2011/04/22 18:50:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/04/22 17:40:02 | 001,228,854 | ---- | M] () -- C:\fsqwr.bmp
[2011/04/20 23:45:37 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\Gabi\Desktop\Microsoft Office Word 2007.lnk
[2011/04/15 20:26:12 | 000,022,528 | ---- | M] () -- C:\Documents and Settings\Gabi\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/04/13 03:22:22 | 000,185,816 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/04/13 03:05:56 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/04/13 03:05:04 | 000,478,694 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/04/13 03:05:04 | 000,087,134 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/03/26 12:50:33 | 000,001,793 | ---- | M] () -- C:\Documents and Settings\Gabi\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/03/25 18:48:06 | 004,284,416 | ---- | M] (Google Inc.) -- C:\WINDOWS\System32\GPhotos.scr
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/04/23 15:57:07 | 000,000,786 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/23 15:05:29 | 000,000,953 | ---- | C] () -- C:\Documents and Settings\Gabi\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011/04/23 15:05:29 | 000,000,935 | ---- | C] () -- C:\Documents and Settings\Gabi\Desktop\Spybot - Search & Destroy.lnk
[2011/04/21 23:57:56 | 001,228,854 | ---- | C] () -- C:\fsqwr.bmp
[2011/04/05 18:34:35 | 000,002,053 | ---- | C] () -- C:\Documents and Settings\Gabi\Desktop\Little Bear(TM) Rainy Day Activities (2).lnk
[2011/01/17 00:01:42 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\YCRWin32.dll
[2010/12/01 14:09:41 | 000,000,046 | ---- | C] () -- C:\WINDOWS\QTW.INI
[2010/12/01 14:08:37 | 000,000,130 | ---- | C] () -- C:\WINDOWS\AP_XPLR.INI
[2010/06/09 08:21:40 | 000,000,669 | ---- | C] () -- C:\WINDOWS\hegames.ini
[2010/04/21 16:34:45 | 000,000,057 | ---- | C] () -- C:\WINDOWS\TONKA_GR.INI
[2010/04/16 09:18:13 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/08 17:13:13 | 000,000,058 | ---- | C] () -- C:\WINDOWS\Tonka_Raceway.INI
[2010/01/29 17:02:07 | 000,000,397 | R--- | C] () -- C:\WINDOWS\hpw9800k.ini
[2010/01/29 17:02:06 | 000,102,400 | R--- | C] () -- C:\WINDOWS\scrub2k.exe
[2010/01/29 17:00:56 | 000,000,092 | ---- | C] () -- C:\WINDOWS\hpdj9800.ini
[2010/01/29 17:00:44 | 000,001,367 | ---- | C] () -- C:\WINDOWS\mariner.ini
[2010/01/20 10:59:05 | 000,000,182 | ---- | C] () -- C:\WINDOWS\System32\EBPPORT.DAT
[2009/12/15 10:21:22 | 000,000,058 | ---- | C] () -- C:\WINDOWS\cgabc.ini
[2009/11/12 16:29:27 | 000,000,523 | ---- | C] () -- C:\WINDOWS\TCII.ini
[2009/10/29 13:04:19 | 000,000,057 | ---- | C] () -- C:\WINDOWS\TONKA_W.INI
[2009/10/26 14:40:30 | 000,000,231 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2009/09/24 17:25:25 | 000,000,058 | ---- | C] () -- C:\WINDOWS\cgela.ini
[2009/06/09 17:02:54 | 000,056,320 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll
[2009/05/12 15:27:58 | 000,000,770 | ---- | C] () -- C:\WINDOWS\ka.ini
[2009/05/11 15:11:22 | 000,068,951 | ---- | C] () -- C:\WINDOWS\hpoins05.dat
[2009/05/11 15:11:22 | 000,019,696 | ---- | C] () -- C:\WINDOWS\hpomdl05.dat
[2009/02/07 00:29:54 | 000,036,620 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/02/06 00:33:35 | 000,022,528 | ---- | C] () -- C:\Documents and Settings\Gabi\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/01/27 17:21:47 | 000,001,194 | ---- | C] () -- C:\WINDOWS\EReg077.dat
[2009/01/27 17:19:42 | 000,000,335 | ---- | C] () -- C:\WINDOWS\TLCAPPS.INI
[2009/01/22 13:44:13 | 000,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2009/01/14 13:15:09 | 000,000,578 | ---- | C] () -- C:\WINDOWS\PowerReg.dat
[2009/01/14 13:15:02 | 000,045,568 | ---- | C] () -- C:\WINDOWS\UniFish3.exe
[2009/01/10 17:53:31 | 000,000,944 | ---- | C] () -- C:\Documents and Settings\Gabi\Application Data\wklnhst.dat
[2009/01/10 17:52:13 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\Gabi\Local Settings\Application Data\fusioncache.dat
[2009/01/03 19:22:53 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
[2009/01/03 15:18:38 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativvaxx.dat
[2009/01/03 15:18:38 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativva5x.dat
[2009/01/03 15:18:38 | 000,887,724 | ---- | C] () -- C:\WINDOWS\System32\ativva6x.dat
[2009/01/03 15:18:38 | 000,168,883 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2009/01/03 15:18:38 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ATIODE.exe
[2009/01/03 15:18:38 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\ATIODCLI.exe
[2009/01/03 15:18:34 | 000,876,544 | ---- | C] () -- C:\WINDOWS\System32\TEACico2.dll
[2009/01/03 15:18:32 | 000,077,824 | ---- | C] () -- C:\WINDOWS\setpwr32.exe
[2009/01/03 15:17:55 | 000,001,155 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2009/01/03 13:36:44 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/04/25 16:31:41 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2008/04/25 16:27:18 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/04/25 16:26:32 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2008/04/25 11:16:24 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/04/25 11:16:22 | 000,478,694 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008/04/25 11:16:22 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008/04/25 11:16:22 | 000,087,134 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008/04/25 11:16:22 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008/04/25 11:16:22 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2008/04/25 11:16:21 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2008/04/25 11:16:20 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2008/04/25 11:16:18 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008/04/25 11:16:18 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2008/04/25 11:16:13 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008/04/25 11:16:11 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008/04/25 04:22:39 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/04/25 04:21:52 | 000,185,816 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2006/03/28 12:10:42 | 000,197,120 | ---- | C] () -- C:\WINDOWS\patchw32.dll
[2006/03/28 12:10:38 | 000,034,816 | ---- | C] () -- C:\WINDOWS\patch.exe
[1997/11/17 17:13:16 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll

< End of report >

davisfamily22

Newbie Surfer
Newbie Surfer

Posts : 7
Joined : 2011-04-24
Operating System : windows xp

View user profile

Back to top Go down

Re: MS Removal Tool

Post by davisfamily22 on Sun 24 Apr 2011, 1:52 pm

Sorry didn't realize that there were two logs

davisfamily22

Newbie Surfer
Newbie Surfer

Posts : 7
Joined : 2011-04-24
Operating System : windows xp

View user profile

Back to top Go down

Re: MS Removal Tool

Post by davisfamily22 on Sun 24 Apr 2011, 4:27 pm

I deleted a folder created about the time that the infection started it was in C:/documents and settings/all users/ startup menu . It started with bpi or dpi something. I rebooted the computer and no MS removal

davisfamily22

Newbie Surfer
Newbie Surfer

Posts : 7
Joined : 2011-04-24
Operating System : windows xp

View user profile

Back to top Go down

Re: MS Removal Tool

Post by davisfamily22 on Sun 24 Apr 2011, 5:22 pm

Malwarebytes found the MS removal tool(aka: trojanfakealert) after a full scan after deleting the folder in the startup menu. Here is the infected file location from the Malwarebytes log.
Files Infected:
c:\system volume information\_restore{45b5e8b9-949a-471e-999d-f381da56a2d3}\RP477\A0029935.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{45b5e8b9-949a-471e-999d-f381da56a2d3}\RP477\A0031296.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
Hope this helps you help someone else. Thanks again.

davisfamily22

Newbie Surfer
Newbie Surfer

Posts : 7
Joined : 2011-04-24
Operating System : windows xp

View user profile

Back to top Go down

Re: MS Removal Tool

Post by Belahzur on Tue 26 Apr 2011, 5:43 am

Hello.

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :OTL
    O4 - HKCU..\RunOnce: [bDi24500gPpEn24500] C:\Documents and Settings\All Users\Application Data\bDi24500gPpEn24500\bDi24500gPpEn24500.exe ()
    O33 - MountPoints2\{56de0d6f-df68-11dd-aa05-806d6172696f}\Shell - "" = AutoRun
    O33 - MountPoints2\{56de0d6f-df68-11dd-aa05-806d6172696f}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{56de0d6f-df68-11dd-aa05-806d6172696f}\Shell\AutoRun\command - "" = D:\CD_Start.exe
    O33 - MountPoints2\{e1b83514-0864-11e0-aa5e-00219b1ccb89}\Shell - "" = AutoRun
    O33 - MountPoints2\{e1b83514-0864-11e0-aa5e-00219b1ccb89}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{e1b83514-0864-11e0-aa5e-00219b1ccb89}\Shell\AutoRun\command - "" = I:\MI.exe

    :files
    C:\Documents and Settings\All Users\Application Data\bDi24500gPpEn24500


  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer
Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

View user profile

Back to top Go down

Re: MS Removal Tool

Post by davisfamily22 on Wed 27 Apr 2011, 5:56 pm

In short could you explain what the above thread will do. Thanks

davisfamily22

Newbie Surfer
Newbie Surfer

Posts : 7
Joined : 2011-04-24
Operating System : windows xp

View user profile

Back to top Go down

Re: MS Removal Tool

Post by Belahzur on Thu 28 Apr 2011, 3:36 am

Copy and paste the script in bold text into the custom/scans fixes bit of OTL, then press "Run Fix"


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer
Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

View user profile

Back to top Go down

Re: MS Removal Tool

Post by Sponsored content Today at 9:46 am


Sponsored content


Back to top Go down

View previous topic View next topic Back to top


 
Permissions in this forum:
You cannot reply to topics in this forum