Thread for StubbornMom

Not having an OTL scan can hurt. Let me get someone. They’ll have other tools you can use that might help and run.

[Edit]: I have an idea, however I cannot ask you to do it. I've tested it, but without knowing any details about your OS and other info I can't do it. Please wait for someone to come. I've asked someone to render aid to you. It might take an hour or two before they can help you.

Would a DDS scan do any better than an OTL? I mean, if one can’t get it to work.

Davido,

If I had to guess, it's a rootkit blocking the file. Every remover has different preferences. I will leave it up to whoever. They'll know better than I will.

What's a DDS? Can't hurt.
OS is Windows 7 Home Premium.

Malwarebytes has the rootkit detector/remover, should I download that?

I think you should wait, Alan said he would inform a removal expert who will walk you through what to do :slight_smile:

atieclxx.exe shows up when I look up services running. I tried to delete it but it denied me access; I tried to block it and it was back running. Do you know what that is?

Hi all,

Would a DDS scan do any better than an OTL? I mean, if one can't get it to work.

Both OTL and DDS tools are diagnostic tools in nature. The difference is in the following.

DDS will show the basic things; when I say basic I mean those items that the helper needs to read. DDS is a non-invasive tool, it does not perform any changes to the system and it purely serves as a diagnostic tool. Many security forums use the DDS tool as a primary diagnostic tool as it allows the helper to quickly read logs and gives the freedom to decide which tool to use next.

OTL is a tool which has more to show in its log as it also has fix abilities. OTL, unlike DDS, has a very small whitelist and this is why the log is a bit longer.
OTL displays detailed system info while DDS shows the basics that the helper can read and decide which tool to run next.

As an example, if a user has the ZeroAccess rootkit, DDS will show just one line and a valid helper knows that that line represents the active rootkit in the system.
OTL shall attempt to read all ZeroAccess loading points and entries because such a tool has a fix and should be able to view the rootkit (if able to see it).
But yet again, DDS owed much to ComboFix.

So, both tools have their advantages and disadvantages; which one to use is a matter of habit.


@stubbornmom
If OTL doesn’t work, run this tool:

Please download Farbar Recovery Scan Tool (http://www.mcshield.net/personal/magna86/Images/FRST_canned.png) by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[*]The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

This is my 3rd try. It keeps throwing me out of this forum saying "web page is not available".

It won't let me send other reports/logs; it throws me out of this forum, saying it is unavailable. Is there an email I can send to?

Hi, upload it to wikisend.com and post the download link. You got Addition in here. Try to get the FRST.txt file.

How's this?

stubbornmom,

FRST output shows no malware activity. If FRST says you're clean, then you probably are. I say "probably" as there is always the possibility that a rootkit is hiding from detection and from our tools.

For this reason, we go the extra AntiRootKit check using GMER. If there is something hiding itself, GMER shall tell us that …

Please download GMER, the RootKit Detector tool from the link below and save it to your Desktop:

[url=http://www2.gmer.net/download.php][b]Gmer download link [/b][/url]
Note: the file will be randomly named.

Double-click to run GMER.

[*]Wait for initial scan to finish - if there is any query, click No;
[*]Click [ Scan ] button and wait until the full scan is complete;
[*]Click [ Save … ]- save the report to the Desktop (named ARK );

[*]Then click the >>> button and select the Autostart tab;
[*]Click [ Scan ] button;
[*]After the quick scan, click Copy button;
[*]Open Notepad and paste the text. Save the report to the Desktop (named autostart )

> Attach here both GMER log reports. (ARK.txt and autostart.txt)

Did incorrect name, sorry, hope I didn't screw up.

The name does not matter.
It is more like aesthetics + indicates that the log is the primary (ARK.txt or in your case gmer.txt) and which is secondary (autostart.txt).

Btw, it’s missing autostart.txt. ;D

Re-run GMER > after initial scan click “>>>” tab > autostart tab > scan > copy > save log …

edit: typo

GMER 2.1.19163 - http://www.gmer.net
Autostart scan 2014-01-03 16:06:26
Windows 6.1.7601 Service Pack 1

AdobeARMservice@ = “C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe”
avast! Antivirus@ = “C:\Program Files\AVAST Software\Avast\AvastSvc.exe”
avast! Firewall@ = “C:\Program Files\AVAST Software\Avast\afwServ.exe”
gupdate@ = “C:\Program Files (x86)\Google\Update\GoogleUpdate.exe” /svc
IconMan_R@ = “C:\Program Files (x86)\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe”
TosCoSrv@ = “C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe”
wltrysvc@ = “C:\Program Files\Broadcom\Broadcom 802.11 Network Adapter\WLTRYSVC.EXE” “C:\Program Files\Broadcom\Broadcom 802.11 Network Adapter\bcmwltry.exe”
WMPNetworkSvc@ = “%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe” /file not found/

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@Broadcom Wireless Manager UIC:\Program Files\Broadcom\Broadcom 802.11 Network Adapter\WLTRAY.exe = C:\Program Files\Broadcom\Broadcom 802.11 Network Adapter\WLTRAY.exe
@TPwrMain%ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE /file not found/ = %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE /file not found/
@TCrdMainC:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe = C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe
@ETDCtrl%ProgramFiles%\Elantech\ETDCtrl.exe /file not found/ = %ProgramFiles%\Elantech\ETDCtrl.exe /file not found/
ShellServiceObjectDelayLoad@WebCheck =

HKLM\Software\Classes.hta@ = C:\Windows\SysWOW64\mshta.exe “%1” %*

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{E6FB5E20-DE35-11CF-9C87-00AA005127ED} /WebCheck/(null) =
@{2F603045-309F-11CF-9774-0020AFD0CFF6} /Synaptics Control Panel/(null) =
@{0066D4B3-8DE0-4D08-AA83-EDD50E2431F0} /ELAN Control Panel/%ProgramFiles%\Elantech\ETDMcpl.dll /file not found/ = %ProgramFiles%\Elantech\ETDMcpl.dll /file not found/
@{472083B0-C522-11CF-8763-00608CC02F24} /avast/C:\Program Files\AVAST Software\Avast\ashShA64.dll = C:\Program Files\AVAST Software\Avast\ashShA64.dll

HKLM\Software\Classes*\shellex\ContextMenuHandlers\avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\AVAST Software\Avast\ashShA64.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\AVAST Software\Avast\ashShA64.dll
MBAMShlExt@{57CE581A-0CB6-4266-9CA0-19364C90A0B3} = C:\Program Files (x86)\Malwarebytes’ Anti-Malware\mbamext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{318A227B-5E9F-45bd-8999-7F8F10CA4CF5}C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll = C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
@{AA58ED58-01DD-4d91-8333-CF10577473F7}C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll = C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://go.microsoft.com/fwlink/p/?LinkId=255141 = http://go.microsoft.com/fwlink/p/?LinkId=255141
@Start Pagehttp://go.microsoft.com/fwlink/p/?LinkId=255141 = http://go.microsoft.com/fwlink/p/?LinkId=255141
@Local PageC:\Windows\System32\blank.htm = C:\Windows\System32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttps://www.google.com/ = https://www.google.com/
@Local PageC:\Windows\system32\blank.htm = C:\Windows\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ms-help@CLSID = {314111c7-a502-11d2-bbca-00c04f8ec294} /file not found/

---- EOF - GMER 2.1 ----
Wouldn't let me save, kept saying sent to clipboard.

Sorry for posting results the way I did. Couldn't get it to save, kept saying it was already saved on clipboard.
Does everything look OK?
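As an added example (not code from the thread, from GMER or from any of the helpers), a small Python reader for the "name = value" lines in the autostart log above: it extracts each entry's name and binary path, separates the "/file not found/" leftovers of uninstalled software from live entries, and flags binaries that load from outside Program Files or Windows, which is what a helper looks for first. The sample lines are copied from the posted log except the last one, which is a constructed entry added so the location check has something to flag.

```python
import re
from dataclasses import dataclass

MISSING = "/file not found/"
TRUSTED_PREFIXES = ("c:\\program files", "c:\\windows")

# Constructed sample: four lines from the posted GMER 2.1 autostart log
# (quotes normalised to ASCII) plus one made-up entry in a Temp folder.
SAMPLE = r"""
AdobeARMservice@ = "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
WMPNetworkSvc@ = "%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe" /file not found/
@TPwrMain%ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE /file not found/ = %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE /file not found/
@TCrdMainC:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe = C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe
@UpdaterC:\Users\Public\AppData\Local\Temp\updater.exe = C:\Users\Public\AppData\Local\Temp\updater.exe
"""


@dataclass
class AutostartEntry:
    name: str
    path: str
    missing: bool            # GMER printed "/file not found/" for it
    unusual_location: bool   # binary is outside Program Files / Windows


def _expand(path):
    # GMER prints %ProgramFiles% unexpanded; map it to the usual location.
    return re.sub(r"%programfiles%", lambda m: "C:\\Program Files", path, flags=re.I)


def parse_autostart_line(line):
    """Parse one 'left = right' entry; headers and blank lines give None."""
    if " = " not in line or line.startswith(("HKLM", "HKCU")):
        return None
    left, right = line.split(" = ", 1)
    missing = MISSING in right
    left, right = left.replace(MISSING, "").strip(), right.replace(MISSING, "").strip()
    if left.endswith("@"):          # service entry: Name@ = "path" args
        name = left[:-1]
    else:                           # Run entry: @Name<path> = <path>, name fused to path
        name = left[1:]
        if name.endswith(right):
            name = name[: -len(right)].strip()
    m = re.match(r'"([^"]+)"|(.+?\.(?:exe|dll|cpl))', right, re.I)
    path = (m.group(1) or m.group(2)) if m else right
    unusual = not _expand(path).lower().startswith(TRUSTED_PREFIXES)
    return AutostartEntry(name, path, missing, unusual)


def review_log(text):
    return [e for e in (parse_autostart_line(l) for l in text.splitlines()) if e]


def flagged(entries):
    """Entries a helper would look at: stale ones and ones in odd locations."""
    return [e for e in entries if e.missing or e.unusual_location]
```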

No need to apologize, I personally love it when logs are copied into the post. Due to the length of the logs, we require users to post the logs as an attachment.

GMER logs are clean. As FRST and GMER do not show any malware presence, you may remove the tools we used.

A good workman always cleans up after himself.
The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:
[i]
Remove disinfection tools
Create registry backup
Purge System Restore
[/i]
Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\[b]DelFix.txt[/b]).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

Thanks, your help is much appreciated, def faster. I still cannot activate Avast Virus, or open the file containing the license.

Can't tell where the problem is. For a start, try just re-installing avast.