[cybertech]

Download OTS.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTS on your desktop.

1. Close any open browsers.
2. If your Real protection or Antivirus intervenes with OTS, allow it to run.
3. Open the OTS folder and double-click on OTS.exe to start the program.
4. In Additional Scans section put a check in Disabled MS Config Items and EventViewer logs
5. Now click the Run Scan button on the toolbar.
6. The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
7. When the scan is complete Notepad will open with the report file loaded in it.
8. Save that notepad file

Use the Reply button, scroll down to the attachments section and attach the notepad file here.

NOTE: The only people who can see attachments in the HJT forum are: the thread starter, Admins & Mods, and HJT Helpers & Trainees.

[robhic]

OK, I downloaded and ran the OTS program as directed. I have attached the OTS.txt log/file for you to view.

A couple of notes:

- C is obviously main drive

- I added a second/slave drive earlier this year and that is drive F

- I also have an external drive used for all backups and saving stuff. It is drive G

I didn't know if that was relevant but I saw the F and G drives listed in the OTS.txt and thought I'd mention what they were.

Thank you for your quick and detailed help.

Robert

[cybertech]

Start OTS. Copy/Paste the information in the Code box below into the pane where it says Paste fix here and then click the Run Fix button.

Code:

[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YN -> yaywwwWM -> Reg Error: Value error.

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix.
Post that information back here.


Run HijackThis and click on "Config" and then on the "Misc Tools" button.
If you're viewing HijackThis from the Main Menu then click on "Open the Misc Tools Section".
Click on the "Open Uninstall Manager" button.
Click the "Save List" button.
Copy and paste that list here.

[robhic]

Cybertech:

I just ran the programs as you instructed. Here are the logs. (attached)

And thanks for your time and help.

Robert

[cybertech]

You're welcome!!!


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems

Upgrading Java:

• Download the latest version of Java SE Runtime Environment JRE 6 Update 17.
• Click the "Download" button to the right.
• Select your Platform and check the box that says: " I agree to the Java SE Runtime Environment 6u17 with JavaFX 1 License Agreement".
• Click on Continue.
• Click on the link to download Windows Offline Installation (jre-6u17-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java version.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u17windows-i586.exe and select "Run as an Administrator.")

Go to add/remove programs and remove these:
Google Update Helper
J2SE Runtime Environment 5.0 Update 1
Java 2 Runtime Environment, SE v1.4.2_03
OpenDNS Updater 2.2


After you have done all of that please post a new hijackthis log.

[robhic]

Cybertech

OK, I did all as you instructed above except the "Google Update Helper" which I could not find. Everything else was deleted/uninstalled and the new Java installed.

So far, it looks like all is well. The last screen (Windows is Shutting Down and Saving Your Settings) seems a bit slower than it originally was. It is still faster than it was when we started this thread but slower, nonetheless.

Is the Google Update Helper important? If so, where could it be? I used add/remove programs AND "Revo Uninstaller" and it didn't show up on either.

IAC, this is substantially faster shutting down than before. Can we leave this thread as "in progress" instead of "solved" for another day or so? Until I hear back from you and go through a few more startups and shutdowns?

Thank you SO much for all your time and help here. I appreciate it. New Hijack This log attached.

Robert

[robhic]

I replied too fast. When I logged out earlier the computer got to the "Windows is shutting down" screen quickly and then it hung (as I mention above) at that screen longer than it used to.

So, it looks like the remnants of the infection (which I didn't know I even had) got removed but the original problem remains. Observations:

- When I logged out earlier, I was at a "restart computer now" or "restart later" screen. I hit "restart now" and the computer went to the shutdown screen quickly. Then it hung.

- If I go through the shutdown sequence of "Start > Run: shutdown -f -s -t 0" the computer goes to the shutdown screen (as above) before it hangs.

- If I hit the usual "Start > turn off computer" it hangs for a LONG time before the screen with "log off, shutdown, restart" appears and then hangs at that screen like above.

I hope this tells you something because this puzzles the heck outta me!

So it looks like I'm back where I started except with some infection removed...

Advise? Thanks.

Robert

[cybertech]

Perhaps removing or disabling some of the Anti-Malware would be a place to start looking for a solution to the shutdown problem. Also don't overlook your AUTOBACK which is backing up each time the system boots.

WinPatrol
Lavasoft Ad-Aware
a-squared Free


FreeRAM XP Pro is one I would try removing also. Some swear by it but others think it's of no value. Best to let the OS manage it's own RAM.


One more thing is I see you are running things from multiple drives. This is one thing I have found really slowed down my machine.

[robhic]

Quote:

Originally Posted by cybertech

Perhaps removing or disabling some of the Anti-Malware would be a place to start looking for a solution to the shutdown problem. Also don't overlook your AUTOBACK which is backing up each time the system boots.

WinPatrol
Lavasoft Ad-Aware
a-squared Free


FreeRAM XP Pro is one I would try removing also. Some swear by it but others think it's of no value. Best to let the OS manage it's own RAM.


One more thing is I see you are running things from multiple drives. This is one thing I have found really slowed down my machine.

I removed Ad-Aware, disabled WinPatrol and a-squared. I couldn't find FreeRAM in add-remove programs or Revo Installer. It also doesn't have unistall the program WITH the program so I disabled it, too.

I have "system restore" disabled to give me more space on my C drive so the ERUNDT "AUTOBACK" program is the only method I have which allows me to restore the registry after mistakes (of which I have many ). I hesitate to mess with it.

Using the box with "restart now" or "restart later" after running some applications or typing "shutdown -f -s -t 0" in the START > run box allows the system to shut down to the "saving windows settings" screen almost immediately. Then it hangs.

If I go thru the normal shutdown sequence using "START > Turn off computer" the computer freezes there for a loooong time and then gives me the 3 boxes to turn off, log off or restart where it hangs, again, but for a shorter duration.

It looks like you've cleared all the malware stuff from my system. Should I now go back to the Windows XP section with my original post about shutdown problems and start again with the new, malware-free system?

Also, OTS put some entry in my G: drive (external for all backups, etc.) and it won't let me delete it. Is that something I should leave alone? I saved the OTS program in case I would need it again.

IAC, I appreciate all you have done and all the time you spent here so thanks a bunch for all your help. What next?

Robert

[cybertech]

What did OTS put on the G drive?

[robhic]

Here is a copy:

[Registry - Safe List]
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yaywwwWM\ deleted successfully.
< End of fix log >
OTS by OldTimer - Version 3.1.6.0 fix logfile created on 11242009_085644

But this was in the OTS file I saved. The file I noticed yesterday "_OTS" that wouldn't allow deletion now has one file in it titled "moved files" that it is now empty. Gremlins at work here!

So my question is now moot because all were empty and I was able to delete them (except the one pasted above). I'll hold onto the OTS program and this log above in case it's ever needed again.

Should I now edit my original "Computer won't shut down" post and retry back in the WIndows XP forum? Mark this current post "solved"?

Again, thanks for the help.

Robert

[cybertech]

OTS is not a tool to keep around. You should remove all of the tools I requested you to download and/or folders associated with them now. It is pointless to keep them tools around as they are updated so frequently that the tools can be outdated within a few days, sometimes within just hours.


Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.

• On the Desktop, right-click My Computer.
• Click Properties.
• Click the System Restore tab.
• Check Turn off System Restore.
• Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.

• On the Desktop, right-click My Computer.
• Click Properties.
• Click the System Restore tab.
• UN-Check Turn off System Restore.
• Click Apply, and then click OK.

System Restore will now be active again.



NEXT

• Start OTS
• Click the CleanUp button
  • OTS will download a small file from the Internet. If a security program or firewall warns you of this allow it to download.
  • OTS will delete any tools downloaded and files/folders created and then ask you to reboot so it can remove itself.
• Click Yes.

Now you should Clean up your PC


If you have no other malware problems I can help you with feel free to use the Mark Solved button at the top of the page.

[robhic]

Quote:

Originally Posted by cybertech

NEXT

• Start OTS
• Click the CleanUp button
  • OTS will download a small file from the Internet. If a security program or firewall warns you of this allow it to download.
  • OTS will delete any tools downloaded and files/folders created and then ask you to reboot so it can remove itself.
• Click Yes.

Now you should Clean up your PC


If you have no other malware problems I can help you with feel free to use the Mark Solved button at the top of the page.

I re-enabled "System Restore" as you said in your reply, restarted the computer and ran OTS, again, as instructed. The rest, I don't know...

OTS ran, but I don't know what it was supposed to remove from the system. When I restarted, all folders/files in the folder containing OTS were still present, as well as about 8 files (AUTOEXE.BAT, BOOT.INI, CONFIG.SYS) and 5 or so other files/folders in the folder on my G: drive (external for backups, etc.) that displayed very light, almost transparent.

Are these the files/folders that should have been removed? If so, can I delete them along with OTS itself?

I then ran the cleanup procedures as you indicated and finished with all that. It ran a CHKDSK and found some things to remove/fix and I guess it did so.

So all you instructed to do is done. I also turned "System Restore" back 'off'.

Please let me know if this went as you expected and if I should delete those transparent files.

Once again, thank you for ALL you have done and ALL your time. I appreciate it!

Robert

[cybertech]

Quote:

Originally Posted by robhic

When I restarted, all folders/files in the folder containing OTS were still present, as well as about 8 files (AUTOEXE.BAT, BOOT.INI, CONFIG.SYS) and 5 or so other files/folders in the folder on my G: drive (external for backups, etc.) that displayed very light, almost transparent.
Robert

The 8 files have nothing to do with OTS. You can delete the OTS folder.


You're welcome!

[cybertech]

Per your *report* I have marked this thread as Open and removed Solved.

Quote:

Originally Posted by robhic

Should I now edit my original "Computer won't shut down" post and retry back in the WIndows XP forum? Mark this current post "solved"?

It was my understanding you were going to the XP forum. Please note Only members who are deemed qualified to remove malware may post to security related threads.

In other words if you still want help with malware I can help you here. If you want general XP support you need to post in the XP forum.


If you have no other malware problems I can help you with feel free to use the Mark Solved button at the top of the page. If you have malware and/or virus problems please let me know so we can continue this thread.