No access to Internet Options, connectivity problem, and other problems



I_dream_of_Mercury
2011-12-06, 21:08
Issues in brief, then details:
Cannot open Internet Options. Administrator in safe mode can't access the Internet. Scans found and quarantined MediaPlex, Trojan.FakeAlert, PUM.Hijack.HomePageControl. Strange behavior at a shopping site. Have previously been unable to complete an update of IE8 (using XP Pro).

I've got a few things happening, and I'm not sure which is causing what. So please excuse me if this is either too much or not the appropriate information.

I discovered a couple of days ago that I cannot access Internet Options in either the Control Panel or IE Tools>Options, either as a user with administrator privileges or as Administrator in safe mode. I don't know how long this problem has been present.

There is still an Internet Options icon in the Control Panel, but when I click on it, a box flickers on the screen for a split second and doesn't stay onscreen.

I normally have Internet Options locked inside IE, using Spybot's IE Tweaks and, more recently, SpywareBlaster settings too. I tried unblocking access to Internet Options from IE's Tools>Options and from SpywareBlaster settings, but when I select Options, again a box blinks on the screen but doesn't remain up.

Also, after discovering this problem, first time I logged into safe mode, as Administrator, I could access the Internet, but the second time I logged into safe mode as Administrator, I could not connect to the Internet.

I first realized I couldn't bring up Internet Options when I tried to access it right after I'd visited an online shopping site, which I believe is legit, but had a strange experience with it. I went to enter a test account (not my real info), just so it would tell me the shipping charges, and found that I appeared to actually be *in* someone else's registered account! I tried to set up my own test account, changing all the info, and it had not asked for any payment method info yet. Instead of asking me to choose the shipping mode, which it was supposed to do next, it said, "Order accepted!" I immediately contacted the website through their online contact form, and asked them to cancel the order (which I assume was charged to the other customer) and to contact me about using their site.

However, since problems immediately arose, I've been afraid to go to my Yahoo email.
*By the way, is it safe to use online email at this point?

I notice now, too, that when I hover the pointer over My Computer in the Start menu, along with Local Disk (C:), the DVD drive, My Documents and Shared Documents, there's an icon for the Control Panel. Am I that unobservant that I never noticed that there before, or is that not normally there?

A scan with Spybot S&D brought up MediaPlex tracking cookie as a threat, which had not appeared before in recent or previous scans. I then downloaded and ran Malwarebytes, which found:
Trojan.FakeAlert and
PUM.Hijack.HomePageControl.
But I wonder if the PUM is only detecting my setting for locking IE Tools>Options with IE Tweaks? The same PUM seemed to reappear in the Malwarebytes scan after I reapplied the setting. Avira scans didn't detect any problems.

All three of these malwares were quarantined by Spybot S&D and Malwarebytes, and now scans by them are clean. Avira scans are still clean.

I tried a System Restore twice, only going back about 10 days the first time, and then 12 days back, and the non-access to Internet Options is still present.

The other possible factor is that within the past 3 months or so, I've tried a couple of times to update IE8, the last time fairly recently, but the updates wouldn't complete. I already had IE8, but there seemed to be a slightly more recent version, and with XP, I can't go to IE9. But when the update automatically restarted the computer and tried to apply personal preferences to IE, it would hang and never complete. I had to cold boot it, as I recall. I gather that it may be that my user profiles are not set up correctly, so that I'm updating IE in my normal user account, which has administrative privileges, but it wants to update in the Administrator account, which perhaps should be sharing the user preferences with the other account, but it isn't. I don't know how to fix that.

Some programs requiring Administrators privileges do recognize this user account as having them.

In any case, the IE updates not completing and issues between the Administrator and user accounts may have something to do with Internet Options access, I don't know. Again, Internet Options currently won't open in either user account.

Lastly, I haven't been able to run ESET's online scanner. When I tried to run it, it told me I need administrator's privileges, even though this account has them. I tried the suggestion on the ESET FAQ, to change the registry key and eliminate a possible killbit, but found that the long key number mentioned is not under LOCAL_MACHINE/SOFTWARE, etc., in my registry. In my registry, it's under HKEY_USERS. In a search of my registry, no compatibility flags were found.

Thank you very much, for your expertise and attention to helping me with this!


My fresh DDS.txt report; attach.txt is attached:


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by user at 11:08:29 on 2011-12-06
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1357 [GMT -8:00]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Online Armor Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\Program Files\Tall Emu\Online Armor\OAcat.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.safer-networking.org/en/index.html
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [SpybotDeletingB3393] command.com /c del "c:\windows\SchedLgU.Txt"
uRunOnce: [SpybotDeletingD6191] cmd.exe /c del "c:\windows\SchedLgU.Txt"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [@OnlineArmor GUI] "c:\program files\tall emu\online armor\oaui.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [PD0630 STISvc] RunDLL32.exe P0630Pin.dll,RunDLL32EP 513
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mRunOnce: [SpybotDeletingA3123] command.com /c del "c:\windows\SchedLgU.Txt"
mRunOnce: [SpybotDeletingC9596] cmd.exe /c del "c:\windows\SchedLgU.Txt"
StartupFolder: c:\docume~1\user\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1250215367203
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1250221790218
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
TCP: Interfaces\{D32D97C7-A7FE-48E4-9546-8EC79641D39E} : DhcpNameServer = 192.168.0.1 205.171.3.25
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\tallem~1\online~1\oaevent.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-4-7 11608]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2010-4-8 228216]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2010-4-8 24440]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2010-4-8 29560]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-4-7 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-4-7 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-4-7 66616]
R2 OAcat;Online Armor Helper Service;c:\program files\tall emu\online armor\oacat.exe [2010-4-8 1284600]
R2 SvcOnlineArmor;Online Armor;c:\program files\tall emu\online armor\oasrv.exe [2010-4-8 3364856]
S0 cerc6;cerc6; [x]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\flashplayerupdateservice.exe --> c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [?]
S3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [2010-10-28 91841]
.
=============== Created Last 30 ================
.
2011-12-06 12:18:18 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-06 12:02:19 -------- d-----w- c:\program files\ERUNT Registry Backup Tool
2011-12-06 00:58:25 -------- d-----w- c:\documents and settings\user\local settings\application data\Sun
2011-12-06 00:39:56 128000 ----a-w- c:\windows\system32\javacpl.cpl
2011-12-05 18:42:13 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-12-05 18:42:13 -------- d-----w- c:\windows\system32\wbem\Repository
2011-12-04 21:07:07 -------- d-----w- c:\documents and settings\user\application data\Malwarebytes
2011-12-04 21:06:54 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-12-04 21:06:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-01 13:38:03 -------- d-----w- c:\program files\SpywareBlaster(2)
.
==================== Find3M ====================
.
2011-12-06 00:39:32 544656 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-01 19:32:54 69792 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-01 19:32:54 417952 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2011-10-21 15:30:37 516692 ----a-w- c:\windows\vampsUninst.exe
2011-10-21 15:30:06 1903021 ----a-w- c:\windows\vamps.scr
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 18:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 18:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
============= FINISH: 11:10:45.30 ===============

Scolabar
2011-12-08, 10:41
Hi I_dream_of_Mercury,

Firstly, welcome to the Safer-Networking Malware Removal Forum. :)
My name is Scolabar, and I'll be helping you with your malware problems.
Logs can take a while to research, so please be patient.
If you no longer require help I would be grateful if you would let me know.

I am currently working under the guidance of teachers, everything I post to you, will need to be reviewed by them.
This additional review process can add some extra time to my responses, but hopefully not too much. ;)

Please note the following important guidelines before proceeding:
The instructions that will be provided are for YOUR computer and system only!
Using these instructions on a different computer can cause damage to that computer and possibly render it inoperable!
If you have any questions or do not understand something, please do not hesitate to ask, don't guess or assume.
Only post your problem at One help site. Applying fixes from multiple help sites can cause problems.
Only reply to this thread, do not start another. Please, continue responding, until I give you the All Clean.
Absence of symptoms does not necessarily mean that everything is clear.
DO NOT run any other fix or removal tools unless instructed to do so!
DO NOT install any other software (or hardware) during the cleaning process. This adds more items to be researched.
Print each set of instructions, if possible. Your Internet connection will not be available during some fix processes.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Note: No Reply Within 3 Days Will Result In Your Topic Being Closed!
Please Note: If you haven't done so already, please read this topic "BEFORE You POST" (Please read this Procedure Before Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288), where the conditions for receiving help here are explained.


Please be aware that removing Malware is a hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.
In light of this, it would be advisable for you to back up any important files and folders that you don't want to lose before we start.

Backup Your Data - Windows XP (http://support.microsoft.com/kb/308422)
If you follow these guidelines, things should proceed smoothly. :)
I am currently reviewing your log and will return, as soon as possible, with additional instructions.

Thank you for your patience.

Scolabar

I_dream_of_Mercury
2011-12-08, 16:33
Scolabar, hi, and thanks so much for taking on my case! :) I definitely still require help.

To update, about 20 hours ago, I ran Avira and it found TR/Fake.Rean.3192, and quarantined it. Other problems are about the same status as when I last posted.

(Malwarebytes did again find and quarantine PUM.HiJack.HomePageControl, but I also tried, again, to drop the restriction on opening Internet Options inside IE, as I described before, so not sure if that's what's causing that.)

I wonder if you could tell me whether I can currently safely or securely use Yahoo email, visit known websites, and make an online payment with PayPal? I'm especially anxious to make a payment for two things, with PayPal, and to use my email, because the matters are time-sensitive. I don't know if there's any secure way to do those things on someone else's computer or on a public computer.

I'll check back frequently, for your new instructions :)

Scolabar
2011-12-09, 13:11
Hi I_dream_of_Mercury,

This is just a quick update to let you know I am waiting for a Teacher to check over my next set of instructions.
As you will no doubt appreciate, the Teachers are very busy. Please bear with us.

In answer to your question:

"I wonder if you could tell me whether I can currently safely or securely use Yahoo email, visit known websites, and make an online payment with PayPal?"

At this stage I think it should be OK to use Yahoo email (as long as you steer clear of including anything of a confidential nature in your correspondence for the time being) and browse known good websites. However, my advice to you would be not to use any online payment system until the computer has been confirmed to be clear of infection. I would also advise not using anyone else's or any public computer to make any payments either. I would be inclined to phone the supplier(s) direct and make any payments over the phone, if possible, for the time being.

Thank you again for your patience. :)

Scolabar

Scolabar
2011-12-10, 01:14
Hi I_dream_of_Mercury,

Thank you again for your patience. :)

Please read these instructions carefully before executing and perform the steps, in the order given.
If you have any questions about, or problems with, executing these instructions, <STOP> do not proceed; post back with the question or problem before going any further.

Before we proceed please make sure any open programs are closed.

Step 1:
Spybot - Search & Destroy Log

I would like to see the contents of the last Spybot - Search & Destroy log which shows infections cleaned up.
You should be able to retrieve the log using the following instructions:

Launch Spybot S&D.
Switch to Advanced Mode.
Navigate to Tools > View Report.
Click on View Previous Report to access older / automatically generated reports.
Click on Export to save the report to a text file to your Desktop.
Please Copy and Paste the entire contents of the Spybot S&D exported log file into your next reply
Step 2:
MalwareBytes' AntiMalware Log

I would also like to see the contents of the last MalwareBytes' AntiMalware log which shows infections cleaned up.
You should be able to retrieve the log from the following location:
C:\Documents and Settings\Account Name\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Please Copy and Paste the entire contents of mbam-log-date (time).txt into your next reply.

Step 3:
TDSSKiller - Scan

Please download TDSSKiller.exe (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) by Kaspersky and save it to your Desktop. <-Important!!!
Double-click on TDSSKiller.exe to launch it.
If TDSSKiller does not run rename the program file. Right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. pq2f9hnw.com).
If you don't see file extensions, please see: How to change the file extension (http://www.mediacollege.com/microsoft/windows/extension-change.html).
Click the Start Scan button. Do not use the computer during the scan!
When the scan has finished, if it finds anything please click on the drop down arrow next to Cure and select Skip.
Now click on Report to open the log file created by TDSSKiller.
The log file named TDSSKiller_version_dd.mm.yyyy_hh.mm.ss_log.txt is created and saved to the root directory. (Usually C: drive).
Copy and Paste the entire contents of the TDSSKiller_version_dd.mm.yyyy_hh.mm.ss_log.txt file into your next reply.
PLEASE DO NOT TRY TO FIX ANYTHING AT THIS STAGE.

Step 4:
Include in Next Post

Did you have any problems carrying out the instructions?
Spybot S&D exported log file.
mbam-log-date (time).txt.
TDSSKiller_version_dd.mm.yyyy_hh.mm.ss_log.txt.
Do you have the original Windows installation media for your PC?
Scolabar
--------------------------------------------------------------------------
No Reply Within 3 Days Will Result In Your Topic Being Closed

I_dream_of_Mercury
2011-12-10, 05:03
Scolabar, hi,

Here's the requested material, and a little more info, at the bottom:

Included in this post, per your instructions:

1. Did you have any problems carrying out the instructions?

The instructions were clear and easy to carry out. I did wonder whether to include info about a couple of infections detected within the past few days, which are not on the reports you requested, so I went ahead and added the info at the bottom of this post, just in case it's useful.


2. Spybot S&D exported log file.

Spybot Search and Destroy Log, the last log which shows infections cleaned up. To be clear, I've run the program since, but this is the last time and the only time, since noticing symptoms of infection, that it's shown any infections or threats:


--- Report generated: 2011-12-04 10:49 ---

MediaPlex: Tracking cookie (Internet Explorer: user) (Cookie, fixed)



--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2010-04-07 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2011-03-18 Includes\Adware.sbi (*)
2011-11-15 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2011-11-29 Includes\DialerC.sbi (*)
2011-02-24 Includes\HeavyDuty.sbi (*)
2011-03-29 Includes\Hijackers.sbi (*)
2011-10-04 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2010-12-14 Includes\Keyloggers.sbi (*)
2011-09-27 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2011-11-15 Includes\Malware.sbi (*)
2011-11-29 Includes\MalwareC.sbi (*)
2011-02-24 Includes\PUPS.sbi (*)
2011-10-11 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2011-02-24 Includes\Security.sbi (*)
2011-05-03 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2011-10-18 Includes\Spyware.sbi (*)
2011-10-18 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2011-09-28 Includes\Trojans.sbi (*)
2011-11-28 Includes\TrojansC-02.sbi (*)
2011-11-29 Includes\TrojansC-03.sbi (*)
2011-11-29 Includes\TrojansC-04.sbi (*)
2011-11-29 Includes\TrojansC-05.sbi (*)
2011-11-09 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll


3. mbam-log-date (time).txt.

Malwarebytes, last log that shows infections cleaned up:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8322

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/7/2011 12:26:46 PM
mbam-log-2011-12-07 (12-26-46).txt

Scan type: Quick scan
Objects scanned: 182973
Time elapsed: 9 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\control panel\Homepage (PUM.Hijack.HomePageControl) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

4. TDSSKiller_version_dd.mm.yyyy_hh.mm.ss_log.txt.

18:57:50.0031 3868 TDSS rootkit removing tool 2.6.22.0 Dec 7 2011 13:21:06
18:57:52.0031 3868 ============================================================
18:57:52.0031 3868 Current date / time: 2011/12/09 18:57:52.0031
18:57:52.0031 3868 SystemInfo:
18:57:52.0031 3868
18:57:52.0031 3868 OS Version: 5.1.2600 ServicePack: 3.0
18:57:52.0031 3868 Product type: Workstation
18:57:52.0031 3868 ComputerName: USER-PC
18:57:52.0031 3868 UserName: user
18:57:52.0031 3868 Windows directory: C:\WINDOWS
18:57:52.0031 3868 System windows directory: C:\WINDOWS
18:57:52.0031 3868 Processor architecture: Intel x86
18:57:52.0031 3868 Number of processors: 2
18:57:52.0031 3868 Page size: 0x1000
18:57:52.0031 3868 Boot type: Normal boot
18:57:52.0031 3868 ============================================================
18:57:56.0359 3868 Initialize success
18:58:19.0046 0172 ============================================================
18:58:19.0046 0172 Scan started
18:58:19.0046 0172 Mode: Manual;
18:58:19.0046 0172 ============================================================
18:58:22.0765 0172 Mouclass - ok
18:58:22.0796 0172 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
18:58:22.0796 0172 mouhid - ok
18:58:22.0812 0172 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
18:58:22.0812 0172 MountMgr - ok
18:58:22.0828 0172 mraid35x - ok
18:58:22.0859 0172 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
18:58:22.0875 0172 MRxDAV - ok
18:58:22.0953 0172 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
18:58:22.0953 0172 MRxSmb - ok
18:58:22.0968 0172 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
18:58:22.0968 0172 Msfs - ok
18:58:23.0015 0172 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
18:58:23.0031 0172 MSKSSRV - ok
18:58:23.0046 0172 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
18:58:23.0046 0172 MSPCLOCK - ok
18:58:23.0078 0172 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
18:58:23.0078 0172 MSPQM - ok
18:58:23.0125 0172 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
18:58:23.0140 0172 mssmbios - ok
18:58:23.0218 0172 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
18:58:23.0218 0172 MSTEE - ok
18:58:23.0234 0172 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
18:58:23.0234 0172 Mup - ok
18:58:23.0281 0172 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
18:58:23.0281 0172 NABTSFEC - ok
18:58:23.0328 0172 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
18:58:23.0328 0172 NDIS - ok
18:58:23.0375 0172 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
18:58:23.0375 0172 NdisIP - ok
18:58:23.0421 0172 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
18:58:23.0421 0172 NdisTapi - ok
18:58:23.0484 0172 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
18:58:23.0484 0172 Ndisuio - ok
18:58:23.0500 0172 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
18:58:23.0515 0172 NdisWan - ok
18:58:23.0562 0172 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
18:58:23.0578 0172 NDProxy - ok
18:58:23.0578 0172 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
18:58:23.0593 0172 NetBIOS - ok
18:58:23.0703 0172 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
18:58:23.0718 0172 NetBT - ok
18:58:23.0750 0172 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
18:58:23.0750 0172 Npfs - ok
18:58:23.0781 0172 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
18:58:23.0796 0172 Ntfs - ok
18:58:23.0812 0172 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
18:58:23.0828 0172 Null - ok
18:58:23.0875 0172 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
18:58:23.0875 0172 NwlnkFlt - ok
18:58:23.0906 0172 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
18:58:23.0906 0172 NwlnkFwd - ok
18:58:23.0937 0172 OADevice (da5e5a2026eeef52d94fcb760e171752) C:\WINDOWS\system32\drivers\OADriver.sys
18:58:23.0937 0172 OADevice - ok
18:58:23.0968 0172 OAmon (3524dd1f24bd0114eaa98048d76075c1) C:\WINDOWS\system32\drivers\OAmon.sys
18:58:23.0968 0172 OAmon - ok
18:58:24.0046 0172 OAnet (e57d9d511e837ef56f93ec29f1ff730d) C:\WINDOWS\system32\drivers\OAnet.sys
18:58:24.0062 0172 OAnet - ok
18:58:24.0109 0172 P0630VID (74446252eeae950240972108bbac2fbd) C:\WINDOWS\system32\DRIVERS\P0630Vid.sys
18:58:24.0125 0172 P0630VID - ok
18:58:24.0171 0172 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
18:58:24.0171 0172 Parport - ok
18:58:24.0187 0172 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
18:58:24.0187 0172 PartMgr - ok
18:58:24.0234 0172 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
18:58:24.0250 0172 ParVdm - ok
18:58:24.0281 0172 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
18:58:24.0281 0172 PCI - ok
18:58:24.0296 0172 PCIDump - ok
18:58:24.0312 0172 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
18:58:24.0312 0172 PCIIde - ok
18:58:24.0343 0172 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
18:58:24.0359 0172 Pcmcia - ok
18:58:24.0359 0172 PDCOMP - ok
18:58:24.0375 0172 PDFRAME - ok
18:58:24.0390 0172 PDRELI - ok
18:58:24.0390 0172 PDRFRAME - ok
18:58:24.0406 0172 perc2 - ok
18:58:24.0421 0172 perc2hib - ok
18:58:24.0484 0172 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
18:58:24.0500 0172 PptpMiniport - ok
18:58:24.0515 0172 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
18:58:24.0515 0172 Ptilink - ok
18:58:24.0531 0172 ql1080 - ok
18:58:24.0546 0172 Ql10wnt - ok
18:58:24.0546 0172 ql12160 - ok
18:58:24.0562 0172 ql1240 - ok
18:58:24.0578 0172 ql1280 - ok
18:58:24.0593 0172 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
18:58:24.0593 0172 RasAcd - ok
18:58:24.0609 0172 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
18:58:24.0625 0172 Rasl2tp - ok
18:58:24.0625 0172 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
18:58:24.0640 0172 RasPppoe - ok
18:58:24.0656 0172 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
18:58:24.0656 0172 Raspti - ok
18:58:24.0671 0172 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
18:58:24.0687 0172 Rdbss - ok
18:58:24.0703 0172 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
18:58:24.0703 0172 RDPCDD - ok
18:58:24.0750 0172 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
18:58:24.0765 0172 rdpdr - ok
18:58:24.0828 0172 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
18:58:24.0843 0172 RDPWD - ok
18:58:24.0906 0172 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
18:58:24.0921 0172 redbook - ok
18:58:24.0984 0172 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
18:58:25.0000 0172 Secdrv - ok
18:58:25.0078 0172 senfilt (b9c7617c1e8ab6fdff75d3c8dafcb4c8) C:\WINDOWS\system32\drivers\senfilt.sys
18:58:25.0109 0172 senfilt - ok
18:58:25.0125 0172 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
18:58:25.0125 0172 serenum - ok
18:58:25.0140 0172 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
18:58:25.0156 0172 Serial - ok
18:58:25.0171 0172 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
18:58:25.0187 0172 Sfloppy - ok
18:58:25.0203 0172 Simbad - ok
18:58:25.0296 0172 smwdm (c6d9959e493682f872a639b6ec1b4a08) C:\WINDOWS\system32\drivers\smwdm.sys
18:58:25.0312 0172 smwdm - ok
18:58:25.0312 0172 Sparrow - ok
18:58:25.0343 0172 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
18:58:25.0343 0172 splitter - ok
18:58:25.0406 0172 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
18:58:25.0406 0172 sr - ok
18:58:25.0484 0172 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
18:58:25.0484 0172 Srv - ok
18:58:25.0546 0172 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
18:58:25.0562 0172 ssmdrv - ok
18:58:25.0609 0172 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
18:58:25.0609 0172 streamip - ok
18:58:25.0625 0172 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
18:58:25.0640 0172 swenum - ok
18:58:25.0640 0172 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
18:58:25.0656 0172 swmidi - ok
18:58:25.0671 0172 symc810 - ok
18:58:25.0687 0172 symc8xx - ok
18:58:25.0703 0172 sym_hi - ok
18:58:25.0703 0172 sym_u3 - ok
18:58:25.0750 0172 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
18:58:25.0765 0172 sysaudio - ok
18:58:25.0859 0172 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
18:58:25.0890 0172 Tcpip - ok
18:58:25.0921 0172 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
18:58:25.0921 0172 TDPIPE - ok
18:58:25.0937 0172 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
18:58:25.0953 0172 TDTCP - ok
18:58:26.0000 0172 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
18:58:26.0000 0172 TermDD - ok
18:58:26.0031 0172 TosIde - ok
18:58:26.0093 0172 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
18:58:26.0109 0172 Udfs - ok
18:58:26.0125 0172 ultra - ok
18:58:26.0187 0172 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
18:58:26.0203 0172 Update - ok
18:58:26.0281 0172 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
18:58:26.0281 0172 usbccgp - ok
18:58:26.0328 0172 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
18:58:26.0328 0172 usbehci - ok
18:58:26.0375 0172 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
18:58:26.0375 0172 usbhub - ok
18:58:26.0421 0172 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
18:58:26.0421 0172 USBSTOR - ok
18:58:26.0484 0172 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
18:58:26.0500 0172 usbuhci - ok
18:58:26.0515 0172 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
18:58:26.0515 0172 VgaSave - ok
18:58:26.0531 0172 ViaIde - ok
18:58:26.0546 0172 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
18:58:26.0546 0172 VolSnap - ok
18:58:26.0562 0172 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
18:58:26.0578 0172 Wanarp - ok
18:58:26.0578 0172 WDICA - ok
18:58:26.0609 0172 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
18:58:26.0625 0172 wdmaud - ok
18:58:26.0765 0172 WpdUsb (c60dc16d4e406810fad54b98dc92d5ec) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
18:58:26.0765 0172 WpdUsb - ok
18:58:26.0843 0172 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
18:58:26.0843 0172 WSTCODEC - ok
18:58:26.0875 0172 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
18:58:26.0875 0172 WudfPf - ok
18:58:26.0906 0172 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
18:58:26.0906 0172 WudfRd - ok
18:58:26.0937 0172 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
18:58:27.0093 0172 \Device\Harddisk0\DR0 - ok
18:58:27.0093 0172 Boot (0x1200) (b7afa9d472cd08105950e19bca8d8db4) \Device\Harddisk0\DR0\Partition0
18:58:27.0093 0172 \Device\Harddisk0\DR0\Partition0 - ok
18:58:27.0093 0172 ============================================================
18:58:27.0093 0172 Scan finished
18:58:27.0093 0172 ============================================================
18:58:27.0109 0384 Detected object count: 0
18:58:27.0109 0384 Actual detected object count: 0
5. Do you have the original Windows installation media for your PC?

I don't have it, unfortunately. The computer does have the tag on it.
(I'm adding this bit of info about a couple of infections detected within the past few days, only after I first noticed signs of infection, just in case it's useful:

I've been running daily scans with Avira antivirus. On Dec. 7, 2011, Avira antivirus found TR/Fake.Rean.3192, one detection, which is quarantined. That's the only detection by Avira, since a long time before the first signs of infection. Avira scans since that one are clean.

Also, this is the first Malwarebytes log I ran, after noticing symptoms of infection, just because it's got an extra malware detection on it:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8310

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/4/2011 1:19:09 PM
mbam-log-2011-12-04 (13-19-09).txt

Scan type: Quick scan
Objects scanned: 180542
Time elapsed: 8 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\control panel\Homepage (PUM.Hijack.HomePageControl) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\user\local settings\Temp\upd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. )


Thanks for your continued help! I'm continuing to check back frequently, for your next instructions.

Scolabar
2011-12-10, 23:37
Hi I_dream_of_Mercury,

Thank you again for your patience. :)

Again, please remember to read the instructions below carefully before executing and perform the steps, in the order given.
If you have any questions about or problems executing these instructions, <STOP> do not proceed, post back with the question or problem before going any further.

Before we proceed please make sure any open programs are closed.

Step 1:
Avira Anti-Virus Scan Report

Please provide the last Avira Anti-Virus scan report from 7th December.

Right-click the red umbrella icon in the system tray and click Start Antivir.
In the left pane, click on Overview, then click on Reports.
There will be reports titled Update and reports titled Scan. Find the report from 7th December in the list titled Scan.
Click on the Report File button, or Right-click the report and choose Display Report.
The report contents will be displayed in Notepad.
Please Copy and Paste the contents of Avira Anti-Virus Scan Report into your next reply.
Step 2:
aswMBR - Scan

Please download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) Avast Software ( 511KB ) and Save it to your Desktop.
Double-click on aswMBR.exe to launch the program.
Click on the Scan button to start the scan.
On completion of the scan the following message will be displayed: "Scan finished successfully". Click on the Save log button.
You will be prompted to save a file named aswMBR.txt. Save it to your Desktop.
Please Copy and Paste the contents of aswMBR.txt into your next reply.
Please Note: A file will be created and placed on your desktop when you execute aswMBR, named MBR.dat. This is a copy of your MBR record before any changes are made; it can be used to recover the MBR record to its previous condition if problems exist after changes.

Step 3:
OTL - Scan

Please download OTL (http://oldtimer.geekstogo.com/OTL.exe) by Old Timer. Save it to your Desktop.
Double-click on OTL.exe to run the program.
Under Output, ensure that the Standard Output option is selected.
Under the Extra Registry section, select the Use SafeList option.
Click the Scan All Users checkbox.
Note: Please leave the remaining selections on the default settings.
Click the LOP Check and Purity Check checkboxes.
Then click on the Run Scan button in the top left-hand corner of the program window.
When done, two Notepad files will automatically open:
OTL.txt <-- Will be opened, maximized.
Extras.txt <-- Will be minimized on task bar.
Please Copy and Paste the entire contents of both OTL.txt and Extras.txt files into your next reply.
Step 4:
Include in Next Post

Did you have any problems carrying out the instructions?
Avira Anti-Virus Scan Report.
aswMBR.txt.
OTL.txt.
Extras.txt.
Scolabar
--------------------------------------------------------------------------
No Reply Within 3 Days Will Result In Your Topic Being Closed

I_dream_of_Mercury
2011-12-11, 06:46
Please advise:

Scolabar, hi,

The aswMBR scan, your step 2, didn't go as described, and I need to know what to do before I proceed.

First, when I went to double click on the aswMBR.exe icon, on my desktop, OnlineArmor firewall reported, "aswMBR.sys wants to start automatically with your computer". I clicked accept, figuring that I'd accept anything the program wants to do, but I believe I unclicked "Remember this decision," because I have Avira running, already, and thought it would create a conflict. Since it's not the regular Avast antivirus, I didn't expect it to run automatically, later.

(At this point, I should mention that when you have said, "Before we proceed please make sure any open programs are closed," it didn't occur to me to shut down my security software. Am I supposed to be deactivating my antivirus, Spybot S&D Resident, SpywareBlaster, or my OnlineArmor firewall?)

Then, aswMBR asked to update its virus definitions. I agreed and let it download those.

I then clicked Scan, and it scanned for only a couple of minutes, then said it was scanning TDSSKiller.

aswMBR appeared to hang upon scanning TDSSKiller. It said it was scanning TDSSKiller as the last item at the bottom of what it had already scanned for exactly 20 minutes, then the screen froze (the clock froze and the mouse pointer wouldn't move) and the computer became unresponsive. The screen remained up, as it was before it hung. (Of course, the message that the scan was completed was never displayed.)

I let it sit for 34 minutes, hoping the program would catch up with itself, before trying to raise Task Manager with CTRL+ALT+DEL. The computer remained unresponsive. I eventually had to actually unplug the computer, in order to restart.

ALL OF THE FOLLOWING IS AFTER aswMBR HUNG, AND THE COMPUTER WAS REBOOTED:

Upon restart, OnlineArmor reported that it blocked AUTOBACK.EXE. OnlineArmor says,

"Status: Ask
Program name: AUTOBACK.EXE
Name: AUTOBACK.EXE,0.0.0.0,(0.0.0.0)
First Detected: 12/07/11 12:34:38
Trust Level: Unknown"
When I right-clicked on this line of info, in OnlineArmor, and chose Copy to Clipboard, it copied this:

AUTOBACK.EXE, 0.0.0.0, (0.0.0.0)
C:\Program Files\ERUNT\AUTOBACK.EXE
Hash(MD5): E00DE20F0F6BED5CD2160247DDC9443B
No log appeared to have been created from the first aswMBR scan, or at least there was nothing on the Desktop.

I clicked to start aswMBR.exe again, not intending to rescan but in hopes of getting some log or error message regarding the first scan. Again, a message from OnlineArmor said it asked for permission to start automatically, and I allowed, after unclicking, "Remember my decision."

The first time I restarted aswMBR.exe after reboot, it said it failed to initialize, which might be because it was waiting for me to respond to the firewall request for aswMBR.exe to run automatically. I asked for a log, which did not include info from the first scan, just this:

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-12-10 19:59:46
-----------------------------
19:59:46.953 OS Version: Windows 5.1.2600 Service Pack 3
19:59:46.953 Number of processors: 2 586 0x403
19:59:46.953 ComputerName: USER-PC UserName: user
20:00:47.390 Initialze error C0000034 - driver not loaded
20:00:58.343 AVAST engine defs: 11121001
20:02:56.328 The log file has been saved successfully to "C:\Documents and Settings\user\Desktop\aswMBR.txt"

The second time, aswMBR.exe initialized successfully. I didn't scan. I created a log again:

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-12-10 20:05:09
-----------------------------
20:05:09.921 OS Version: Windows 5.1.2600 Service Pack 3
20:05:09.921 Number of processors: 2 586 0x403
20:05:09.921 ComputerName: USER-PC UserName: user
20:05:21.125 Initialize success
20:05:27.625 AVAST engine defs: 11121001
20:37:38.093 The log file has been saved successfully to "C:\Documents and Settings\user\Desktop\aswMBR 2.txt"


So, I'll have to wait for more information from you, before I can proceed.

Regarding Avira's report from Dec. 7, here's that log. To be clear, this is not the last scan by Avira, but it's the last Avira scan to detect an infection, and the only Avira scan with a detection since the first symptoms of infection. As I reported below, for the first few days after signs of infection, Avira scans were clean, then this, on Dec. 7th:


Avira AntiVir Personal
Report file date: Wednesday, December 07, 2011 10:03

Scanning for 3542348 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - Free Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : USER-PC

Version information:

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: Default
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: Advanced
Deviating risk categories...........: +APPL,+PCK,+PFS,+SPR,

Start of the scan: Wednesday, December 07, 2011 10:03

Starting search for hidden objects.

The scan of running processes will be started
Scan process 'rsmsink.exe' - '30' Module(s) have been scanned
Scan process 'dllhost.exe' - '47' Module(s) have been scanned
Scan process 'vssvc.exe' - '50' Module(s) have been scanned
Scan process 'avscan.exe' - '72' Module(s) have been scanned
Scan process 'avcenter.exe' - '71' Module(s) have been scanned
Scan process 'TeaTimer.exe' - '46' Module(s) have been scanned
Scan process 'msdtc.exe' - '42' Module(s) have been scanned
Scan process 'dllhost.exe' - '62' Module(s) have been scanned
Scan process 'jqs.exe' - '35' Module(s) have been scanned
Scan process 'ccc.exe' - '162' Module(s) have been scanned
Scan process 'SearchIndexer.exe' - '61' Module(s) have been scanned
Scan process 'OAhlp.exe' - '55' Module(s) have been scanned
Scan process 'RunDLL32.exe' - '43' Module(s) have been scanned
Scan process 'svchost.exe' - '36' Module(s) have been scanned
Scan process 'wuauclt.exe' - '47' Module(s) have been scanned
Scan process 'MOM.exe' - '60' Module(s) have been scanned
Scan process 'oaui.exe' - '57' Module(s) have been scanned
Scan process 'avgnt.exe' - '61' Module(s) have been scanned
Scan process 'smax4pnp.exe' - '45' Module(s) have been scanned
Scan process 'ctfmon.exe' - '35' Module(s) have been scanned
Scan process 'alg.exe' - '35' Module(s) have been scanned
Scan process 'svchost.exe' - '41' Module(s) have been scanned
Scan process 'avshadow.exe' - '28' Module(s) have been scanned
Scan process 'MDM.EXE' - '24' Module(s) have been scanned
Scan process 'avguard.exe' - '56' Module(s) have been scanned
Scan process 'sched.exe' - '47' Module(s) have been scanned
Scan process 'spoolsv.exe' - '57' Module(s) have been scanned
Scan process 'Explorer.EXE' - '170' Module(s) have been scanned
Scan process 'oasrv.exe' - '64' Module(s) have been scanned
Scan process 'OAcat.exe' - '32' Module(s) have been scanned
Scan process 'svchost.exe' - '42' Module(s) have been scanned
Scan process 'svchost.exe' - '34' Module(s) have been scanned
Scan process 'Ati2evxx.exe' - '33' Module(s) have been scanned
Scan process 'svchost.exe' - '32' Module(s) have been scanned
Scan process 'svchost.exe' - '173' Module(s) have been scanned
Scan process 'svchost.exe' - '41' Module(s) have been scanned
Scan process 'svchost.exe' - '53' Module(s) have been scanned
Scan process 'Ati2evxx.exe' - '30' Module(s) have been scanned
Scan process 'lsass.exe' - '64' Module(s) have been scanned
Scan process 'services.exe' - '29' Module(s) have been scanned
Scan process 'winlogon.exe' - '78' Module(s) have been scanned
Scan process 'csrss.exe' - '16' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '1064' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\Documents and Settings\user\Local Settings\Temp\jar_cache489517355002911589.tmp
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Documents and Settings\user\Local Settings\Temp\jar_cache489517355002911589.tmp
[DETECTION] Is the TR/Fake.Rean.3192 Trojan

Beginning disinfection:
C:\Documents and Settings\user\Local Settings\Temp\jar_cache489517355002911589.tmp
[DETECTION] Is the TR/Fake.Rean.3192 Trojan
[NOTE] The file was moved to the quarantine directory under the name '4c37185f.qua'.


End of the scan: Wednesday, December 07, 2011 11:20
Used time: 1:14:53 Hour(s)

The scan has been done completely.

7080 Scanned directories
282431 Files were scanned
1 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
1 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
282430 Files not concerned
5329 Archives were scanned
0 Warnings
1 Notes
553989 Objects were scanned with rootkit scan
0 Hidden objects were found

[End of Avira scan]


I'll be checking back frequently, for your next instructions. Thanks for your continued help!

Scolabar
2011-12-11, 17:27
Hi I_dream_of_Mercury,

Apologies for the inconvenience :sad: and thank you for the Avira report.

Please delete the TDSSKiller.exe file on your Desktop.

Temporarily disable the real-time protection of your security software: Avira Antivir, Online Armor and Spybot S&D referring to This Howto Topic (http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/490111-how-disable-your-security-applications.html), if necessary. SpywareBlaster does not need to be disabled. ;)

Then try running aswMBR again and the remaining steps.

Scolabar
--------------------------------------------------------------------------
No Reply Within 3 Days Will Result In Your Topic Being Closed

I_dream_of_Mercury
2011-12-11, 20:50
Hi, again! Thanks for help getting the scans completed.


Included:


1. Did you have any problems carrying out the instructions?

Ha, a bit, this time. After I disabled the three security programs and aswMBR was running, a scheduled daily Avira scan launched. Although I stopped it before it could scan anything, and although the guard was disabled, Windows shut down in self-defense, and I had to bring it all up again and start over.

2. Avira Anti-Virus Scan Report.

You've already received this, copied and pasted below, into post #8 of this thread.

3. aswMBR.txt.


aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-12-11 10:11:34
-----------------------------
10:11:34.515 OS Version: Windows 5.1.2600 Service Pack 3
10:11:34.515 Number of processors: 2 586 0x403
10:11:34.515 ComputerName: USER-PC UserName: user
10:11:36.375 Initialize success
10:12:04.234 AVAST engine defs: 11121001
10:12:13.046 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
10:12:13.062 Disk 0 Vendor: SAMSUNG_HD160JJ/P ZM100-34 Size: 152587MB BusType: 3
10:12:13.078 Disk 0 MBR read successfully
10:12:13.093 Disk 0 MBR scan
10:12:13.171 Disk 0 Windows XP default MBR code
10:12:13.187 Disk 0 scanning sectors +312480315
10:12:13.312 Disk 0 scanning C:\WINDOWS\system32\drivers
10:12:33.125 Service scanning
10:12:35.250 Modules scanning
10:12:46.609 Disk 0 trace - called modules:
10:12:46.640 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys
10:12:46.656 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89dd4ab8]
10:12:46.671 3 CLASSPNP.SYS -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x89e21d98]
10:12:48.453 AVAST engine scan C:\WINDOWS
10:13:06.125 AVAST engine scan C:\WINDOWS\system32
10:18:07.000 AVAST engine scan C:\WINDOWS\system32\drivers
10:18:30.250 AVAST engine scan C:\Documents and Settings\user
10:45:50.156 AVAST engine scan C:\Documents and Settings\All Users
10:52:31.687 Scan finished successfully
10:53:42.312 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\user\Desktop\MBR.dat"
10:53:42.328 The log file has been saved successfully to "C:\Documents and Settings\user\Desktop\aswMBR 1.txt"
10:56:39.734 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\user\Desktop\MBR.dat"
10:56:39.765 The log file has been saved successfully to "C:\Documents and Settings\user\Desktop\aswMBR.txt"


4. OTL.txt.

OTL logfile created on: 12/11/2011 11:06:22 AM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\user\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.42 Gb Available Physical Memory | 71.15% Memory free
3.85 Gb Paging File | 3.27 Gb Available in Paging File | 85.08% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 148.93 Gb Total Space | 117.29 Gb Free Space | 78.75% Space Free | Partition Type: NTFS
Drive D: | 559.46 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: USER-PC | User Name: user | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/12/11 11:03:56 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OTL.exe
PRC - [2011/12/05 16:39:34 | 000,161,664 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe
PRC - [2011/06/28 08:25:09 | 000,269,480 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2011/04/26 23:04:15 | 000,136,360 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2010/11/02 06:24:58 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/04/20 03:42:10 | 003,065,848 | ---- | M] (Tall Emu) -- C:\Program Files\Tall Emu\Online Armor\oahlp.exe
PRC - [2010/04/20 03:42:08 | 006,678,008 | ---- | M] (Tall Emu) -- C:\Program Files\Tall Emu\Online Armor\oaui.exe
PRC - [2010/04/20 03:42:08 | 003,364,856 | ---- | M] (Tall Emu) -- C:\Program Files\Tall Emu\Online Armor\oasrv.exe
PRC - [2010/04/20 03:42:08 | 001,284,600 | ---- | M] (Tall Emu) -- C:\Program Files\Tall Emu\Online Armor\oacat.exe
PRC - [2010/01/14 20:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2008/04/14 04:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========



========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (getPlusHelper) getPlus(R)
SRV - File not found [On_Demand | Stopped] -- -- (AdobeFlashPlayerUpdateSvc)
SRV - [2011/12/05 16:39:34 | 000,161,664 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2011/06/28 08:25:09 | 000,269,480 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011/04/26 23:04:15 | 000,136,360 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2010/04/20 03:42:08 | 003,364,856 | ---- | M] (Tall Emu) [Auto | Running] -- C:\Program Files\Tall Emu\Online Armor\oasrv.exe -- (SvcOnlineArmor)
SRV - [2010/04/20 03:42:08 | 001,284,600 | ---- | M] (Tall Emu) [Auto | Running] -- C:\Program Files\Tall Emu\Online Armor\OAcat.exe -- (OAcat)


========== Driver Services (SafeList) ==========

DRV - [2011/06/28 08:25:10 | 000,138,192 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2011/06/28 08:25:10 | 000,066,616 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010/04/20 03:13:30 | 000,024,440 | ---- | M] (Tall Emu) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\OAmon.sys -- (OAmon)
DRV - [2010/04/20 03:13:14 | 000,029,560 | ---- | M] (Tall Emu Pty Ltd) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\OAnet.sys -- (OAnet)
DRV - [2010/04/20 03:13:10 | 000,228,216 | ---- | M] (Tall Emu) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\OADriver.sys -- (OADevice)
DRV - [2009/05/11 10:49:19 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2009/05/11 08:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/03/13 12:23:44 | 003,565,568 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/06/05 17:44:05 | 000,091,841 | R--- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\P0630Vid.sys -- (P0630VID)
DRV - [2005/03/17 15:30:10 | 000,132,608 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2004/09/17 08:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1708537768-839522115-1644491937-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.safer-networking.org/en/index.html
IE - HKU\S-1-5-21-1708537768-839522115-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_2_202_18.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=1.1.11: C:\Program Files\VideoLAN\VLC\npvlc.dll (the VideoLAN Team)



O1 HOSTS File: ([2011/12/07 03:27:59 | 000,438,884 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 15096 more lines...
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O4 - HKLM..\Run: [@OnlineArmor GUI] C:\Program Files\Tall Emu\Online Armor\oaui.exe (Tall Emu)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [PD0630 STISvc] C:\WINDOWS\System32\P0630Pin.dll (Creative Technology Ltd.)
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" File not found
O4 - Startup: C:\Documents and Settings\user\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1708537768-839522115-1644491937-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1708537768-839522115-1644491937-1003\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-1708537768-839522115-1644491937-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\S-1-5-21-1708537768-839522115-1644491937-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: _NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1250215367203 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1250221790218 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab (Java Plug-in 1.7.0_01)
O16 - DPF: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab (Java Plug-in 1.7.0_01)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab (Java Plug-in 1.7.0_01)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 205.171.3.25
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D32D97C7-A7FE-48E4-9546-8EC79641D39E}: DhcpNameServer = 192.168.0.1 205.171.3.25
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\user\Application Data\IrfanView\IrfanView_Wallpaper.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\user\Application Data\IrfanView\IrfanView_Wallpaper.bmp
O28 - HKLM ShellExecuteHooks: {4F07DA45-8170-4859-9B5F-037EF2970034} - C:\Program Files\Tall Emu\Online Armor\oaevent.dll (Tall Emu)
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/08/13 17:40:10 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2004/08/04 04:00:00 | 000,000,110 | R--- | M] () - D:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\{9bbdad96-50a8-11df-94ed-001372e0b300}\Shell - "" = AutoRun
O33 - MountPoints2\{9bbdad96-50a8-11df-94ed-001372e0b300}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{9bbdad96-50a8-11df-94ed-001372e0b300}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/12/11 11:03:51 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OTL.exe
[2011/12/10 18:17:03 | 001,916,416 | ---- | C] (AVAST Software) -- C:\Documents and Settings\user\Desktop\aswMBR.exe
[2011/12/06 11:03:28 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\user\Desktop\dds.com
[2011/12/06 10:57:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2011/12/06 10:56:32 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2011/12/06 04:18:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/12/06 04:18:18 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/12/06 04:08:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/12/06 04:02:19 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT Registry Backup Tool
[2011/12/05 16:58:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Local Settings\Application Data\Sun
[2011/12/05 16:39:56 | 000,214,408 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaws.exe
[2011/12/05 16:39:56 | 000,173,960 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2011/12/05 16:39:56 | 000,173,960 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2011/12/05 16:39:56 | 000,128,000 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javacpl.cpl
[2011/12/05 16:36:01 | 020,197,256 | ---- | C] (Oracle Corporation) -- C:\Documents and Settings\user\Desktop\jre-7u1-windows-i586.exe
[2011/12/05 10:41:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBlaster
[2011/12/04 13:07:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\Malwarebytes
[2011/12/04 13:06:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/12/04 13:06:46 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/12/01 05:38:03 | 000,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster(2)
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[152 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[137 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/12/11 11:08:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2011/12/11 11:03:56 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OTL.exe
[2011/12/11 10:56:39 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\user\Desktop\MBR.dat
[2011/12/11 10:53:58 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\user\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2003.lnk
[2011/12/11 10:07:41 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/12/11 10:05:06 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/12/10 19:58:08 | 000,153,102 | ---- | M] () -- C:\Documents and Settings\user\Desktop\OnlineArmor message after aswMBR hung requiring reboot.jpg
[2011/12/10 18:17:03 | 001,916,416 | ---- | M] (AVAST Software) -- C:\Documents and Settings\user\Desktop\aswMBR.exe
[2011/12/09 08:41:14 | 000,002,513 | ---- | M] () -- C:\Documents and Settings\user\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Excel 2003.lnk
[2011/12/07 03:27:59 | 000,438,884 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/12/06 11:03:33 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\user\Desktop\dds.com
[2011/12/06 10:58:02 | 000,000,767 | ---- | M] () -- C:\Documents and Settings\user\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2011/12/06 10:57:45 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\user\Desktop\ERUNT.lnk
[2011/12/06 10:36:23 | 000,006,997 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2011/12/06 04:18:27 | 000,000,802 | ---- | M] () -- C:\Documents and Settings\user\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2011/12/06 04:18:27 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/12/06 03:52:57 | 000,513,320 | ---- | M] () -- C:\Documents and Settings\user\Desktop\erunt.zip
[2011/12/05 16:39:33 | 000,214,408 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaws.exe
[2011/12/05 16:39:33 | 000,173,960 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2011/12/05 16:39:33 | 000,173,960 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2011/12/05 16:39:33 | 000,128,000 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javacpl.cpl
[2011/12/05 16:39:32 | 000,544,656 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\deployJava1.dll
[2011/12/05 16:36:01 | 020,197,256 | ---- | M] (Oracle Corporation) -- C:\Documents and Settings\user\Desktop\jre-7u1-windows-i586.exe
[2011/12/05 09:56:43 | 000,438,796 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20111207-032759.backup
[2011/12/05 08:22:20 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/12/01 05:30:48 | 000,438,796 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20111205-095643.backup
[2011/11/24 21:54:52 | 000,438,705 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20111201-053048.backup
[2011/11/21 09:28:14 | 000,004,625 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/11/21 09:28:10 | 000,526,522 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/11/21 09:28:10 | 000,096,892 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/11/21 08:53:35 | 000,000,134 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Internet Explorer Troubleshooting.url
[2011/11/16 07:51:50 | 000,438,653 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20111124-215452.backup
[2011/11/15 01:41:03 | 000,294,661 | ---- | M] () -- C:\Documents and Settings\user\My Documents\glove - found_leather_glove Yahoo acct info.jpg
[2011/11/15 01:38:56 | 000,161,439 | ---- | M] () -- C:\Documents and Settings\user\My Documents\gloves - lost gloves similar image - cropped.jpg
[2011/11/15 00:19:24 | 000,202,521 | ---- | M] () -- C:\Documents and Settings\user\My Documents\gloves - lost gloves similar image.jpg
[2011/11/14 18:06:26 | 000,001,743 | ---- | M] () -- C:\Documents and Settings\user\My Documents\gloves lost Monday 11-14-2011.gif
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[152 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[137 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/12/11 10:53:42 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\user\Desktop\MBR.dat
[2011/12/10 19:58:08 | 000,153,102 | ---- | C] () -- C:\Documents and Settings\user\Desktop\OnlineArmor message after aswMBR hung requiring reboot.jpg
[2011/12/06 10:58:02 | 000,000,767 | ---- | C] () -- C:\Documents and Settings\user\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2011/12/06 10:57:45 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\user\Desktop\ERUNT.lnk
[2011/12/06 04:18:27 | 000,000,802 | ---- | C] () -- C:\Documents and Settings\user\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2011/12/06 04:18:27 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/12/06 03:52:51 | 000,513,320 | ---- | C] () -- C:\Documents and Settings\user\Desktop\erunt.zip
[2011/12/05 08:22:20 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/11/21 08:34:18 | 000,000,134 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Internet Explorer Troubleshooting.url
[2011/11/15 01:41:03 | 000,294,661 | ---- | C] () -- C:\Documents and Settings\user\My Documents\glove - found_leather_glove Yahoo acct info.jpg
[2011/11/15 01:38:56 | 000,161,439 | ---- | C] () -- C:\Documents and Settings\user\My Documents\gloves - lost gloves similar image - cropped.jpg
[2011/11/15 00:19:24 | 000,202,521 | ---- | C] () -- C:\Documents and Settings\user\My Documents\gloves - lost gloves similar image.jpg
[2011/11/15 00:17:12 | 000,001,743 | ---- | C] () -- C:\Documents and Settings\user\My Documents\gloves lost Monday 11-14-2011.gif
[2011/07/25 19:52:35 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL
[2011/03/09 20:49:29 | 000,516,692 | ---- | C] () -- C:\WINDOWS\vampsUninst.exe
[2010/10/18 21:45:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/10/09 02:41:37 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2010/08/18 09:20:29 | 000,000,664 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\d3d9caps.dat
[2010/07/30 18:45:27 | 000,012,288 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/07 04:41:11 | 000,006,997 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/08/13 19:43:13 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/08/13 17:53:30 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
[2009/08/13 17:52:17 | 000,593,920 | ---- | C] () -- C:\WINDOWS\System32\ati2sgag.exe
[2009/08/13 17:51:34 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativva5x.dat
[2009/08/13 17:51:34 | 000,887,724 | ---- | C] () -- C:\WINDOWS\System32\ativva6x.dat
[2009/08/13 17:51:34 | 000,182,995 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2009/08/13 17:42:19 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/08/13 17:36:53 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/08/13 10:30:17 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/08/13 10:28:58 | 000,270,984 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/05/26 20:59:42 | 000,018,904 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschematrivial.bin
[2008/05/26 20:59:40 | 000,106,605 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschema.bin
[2008/04/14 04:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008/04/14 04:00:00 | 000,526,522 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008/04/14 04:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008/04/14 04:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008/04/14 04:00:00 | 000,096,892 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008/04/14 04:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2008/04/14 04:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008/04/14 04:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/04/14 04:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008/04/14 04:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2007/09/27 09:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 09:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 09:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2005/04/15 08:52:33 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/04/15 08:52:33 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2010/07/25 09:47:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\OnlineArmor
[2011/12/09 23:53:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2011/10/06 06:27:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\ElevatedDiagnostics
[2010/04/29 22:15:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Foxit Software
[2010/04/13 09:08:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\IrfanView
[2010/04/08 07:18:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\OnlineArmor
[2009/08/13 18:16:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Windows Desktop Search
[2010/04/08 01:35:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Windows Search

========== Purity Check ==========



========== Files - Unicode (All) ==========
[2010/11/21 15:23:22 | 000,022,170 | ---- | M] ()(C:\Documents and Settings\user\My Documents\? -MIYAVI- ? Official Site ?MYV382TOKYO_com?.htm) -- C:\Documents and Settings\user\My Documents\雅 -MIYAVI- 新 Official Site 【MYV382TOKYO_com】.htm
[2010/11/21 15:23:22 | 000,022,170 | ---- | C] ()(C:\Documents and Settings\user\My Documents\? -MIYAVI- ? Official Site ?MYV382TOKYO_com?.htm) -- C:\Documents and Settings\user\My Documents\雅 -MIYAVI- 新 Official Site 【MYV382TOKYO_com】.htm

========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\user\Desktop\avira_antivir_personal_en.exe:SummaryInformation
@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
< End of report >

...I'll have to add the OTL Extras.txt to a new post, as this is over the maximum characters. :)

I_dream_of_Mercury
2011-12-11, 20:56
...this post is to finish responding to your most recent instructions, as my last post got too near the maximum characters.

5. Extras.txt.

OTL Extras logfile created on: 12/11/2011 11:06:22 AM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\user\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.42 Gb Available Physical Memory | 71.15% Memory free
3.85 Gb Paging File | 3.27 Gb Available in Paging File | 85.08% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 148.93 Gb Total Space | 117.29 Gb Free Space | 78.75% Space Free | Partition Type: NTFS
Drive D: | 559.46 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: USER-PC | User Name: user | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_USERS\S-1-5-21-1708537768-839522115-1644491937-1003\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [MediaMonkey.1Play] -- "C:\Program Files\MediaMonkey\MediaMonkey.exe" "%1" (Ventis Media Inc.)
Directory [MediaMonkey.2PlayNext] -- "C:\Program Files\MediaMonkey\MediaMonkey.exe" /NEXT "%1" (Ventis Media Inc.)
Directory [MediaMonkey.3Enqueue] -- "C:\Program Files\MediaMonkey\MediaMonkey.exe" /ADD "%1" (Ventis Media Inc.)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{058B32E2-6310-4359-B2D4-1988390C3B83}" = Broadcom Advanced Control Suite
"{06A90A28-39A7-641D-1777-EEC4FCD37148}" = CCC Help German
"{0DE4D7E2-2BB6-0C34-079C-2174F2FB1754}" = Skins
"{12E763EC-DB68-3A23-6D6F-0BF9CE7A4C55}" = Catalyst Control Center Graphics Full New
"{146E4151-3CDB-6635-776A-87019FB5DDD4}" = Catalyst Control Center Graphics Light
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83217001FF}" = Java(TM) 7 Update 1
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{763EA1A1-2B40-E43E-11F3-0F332644CA8B}" = Catalyst Control Center Graphics Full Existing
"{786D6B8A-E4E6-E457-C302-2FAA028570ED}" = ccc-core-preinstall
"{824A5A2C-0C30-529E-3842-745B57EAD3F3}" = ccc-utility
"{849D3A6B-736F-652B-0C33-A52A39E645ED}" = Catalyst Control Center Core Implementation
"{84A4274F-FA55-6B07-2DAD-735D923E7A94}" = CCC Help Turkish
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{86EB9D10-657B-955C-BB7E-9EA97871BA79}" = CCC Help Chinese Standard
"{87D76335-6ED0-41DE-404E-65218CADE654}" = CCC Help Japanese
"{8C359752-1032-767B-B9C9-AA523A03779A}" = CCC Help English
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{9319D53F-A5D7-384F-BBC8-935C5A49595C}" = CCC Help Chinese Traditional
"{9370A8CE-2DD8-3DAA-71FA-DB65B50DEB10}" = CCC Help Portuguese
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A7DFAB44-4FEF-E98A-5311-5B4679FD5B99}" = CCC Help Italian
"{A9744990-2B78-4D33-3238-54F2723990E6}" = Catalyst Control Center Graphics Previews Common
"{B1A5C653-F1C5-DB2F-4519-BDDDD2B3C144}" = ccc-core-static
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B7F54262-AB66-44B3-88BF-9FC69941B643}" = Broadcom Gigabit Integrated Controller
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C2561DC1-1F1C-2657-53FF-DF1F91B3DEB3}" = CCC Help Korean
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF101D4A-E149-7A06-C59F-73DBA726991A}" = CCC Help Spanish
"{E481DB0E-52F2-4EE0-9BDA-9EE173FA6EA2}" = Catalyst Control Center - Branding
"{E795D604-32D8-03F2-0A5B-B2350747934F}" = CCC Help French
"{E90C87F7-8167-FDF4-0444-960FE6473100}" = Catalyst Control Center Localization All
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{EFDB5A5D-9A06-023E-574B-9CB3C25CE7B8}" = CCC Help Hungarian
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.6
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"Creative PD0630" = Creative WebCam Live! Driver (1.02.03.0606)
"ERUNT_is1" = ERUNT 1.1j
"Foxit Reader" = Foxit Reader
"ie8" = Windows Internet Explorer 8
"InterActual Player" = InterActual Player
"IrfanView" = IrfanView (remove only)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
"MediaMonkey_is1" = MediaMonkey 3.2
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"OnlineArmor_is1" = Online Armor 4.0
"SpywareBlaster_is1" = SpywareBlaster 4.5
"vamps" = vampsXN[Z[o[
"VLC media player" = VLC media player 1.1.11
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinRAR archiver" = WinRAR 4.00 beta 3 (32-bit)
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/5/2011 2:23:29 PM | Computer Name = USER-PC | Source = Windows Search Service | ID = 3058
Description = The application cannot be initialized. Context: Windows Application
Details:
The
content index metadata cannot be read. (0xc0041801)

Error - 12/5/2011 2:44:02 PM | Computer Name = USER-PC | Source = JavaQuickStarterService | ID = 1
Description =

Error - 12/5/2011 2:44:10 PM | Computer Name = USER-PC | Source = Windows Search Service | ID = 7040
Description = The search service has detected corrupted data files in the index.
The service will attempt to automatically correct this problem by rebuilding the
index. Context: Windows Application, SystemIndex Catalog Details: 0xc0041801 (0xc0041801)

Error - 12/5/2011 2:44:10 PM | Computer Name = USER-PC | Source = Windows Search Service | ID = 3029
Description = The plug-in in <Search.TripoliIndexer> cannot be initialized. Context:
Windows Application, SystemIndex Catalog Details: The content index cannot be read.
(0xc0041800)

Error - 12/5/2011 2:44:10 PM | Computer Name = USER-PC | Source = Windows Search Service | ID = 3028
Description = The gatherer object cannot be initialized. Context: Windows Application,
SystemIndex Catalog Details: The content index cannot be read. (0xc0041800)

Error - 12/5/2011 2:44:10 PM | Computer Name = USER-PC | Source = Windows Search Service | ID = 3058
Description = The application cannot be initialized. Context: Windows Application
Details:
The
content index cannot be read. (0xc0041800)

Error - 12/6/2011 9:06:09 AM | Computer Name = USER-PC | Source = Avira AntiVir | ID = 4118
Description = EXCEPTION calling function <Scan> for the file C:\Documents and Settings\user\My
Documents\My Pictures\hyde DVD's 11-09-2011\hyde DVD purchases - photos\hyde Faith
discs - bits of something sticky on each 1 IM000599.jpg [ACCESS_VIOLATION Exception!!
EIP = 0x1b73952] Please inform Avira and submit the appropriate file!

Error - 12/7/2011 4:31:50 PM | Computer Name = USER-PC | Source = Windows Search Service | ID = 3024
Description = The update cannot be started because the content sources cannot be
accessed. Fix the errors and try the update again. Context: Application, SystemIndex
Catalog

Error - 12/8/2011 2:42:37 PM | Computer Name = USER-PC | Source = Avira AntiVir | ID = 4118
Description = EXCEPTION calling function <Scan> for the file C:\Documents and Settings\user\My
Documents\My Pictures\hyde DVD's 11-09-2011\hyde DVD purchases - photos\Heather
Briefman hyde DVD's purchase - before opening - pressure from shipping IM000560.jpg
[ACCESS_VIOLATION Exception!! EIP = 0x1b73952] Please inform Avira and submit the
appropriate file!

Error - 12/11/2011 2:07:34 PM | Computer Name = USER-PC | Source = ESENT | ID = 490
Description = svchost (876) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

[ System Events ]
Error - 12/11/2011 1:40:00 PM | Computer Name = USER-PC | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
period.

Error - 12/11/2011 1:40:32 PM | Computer Name = USER-PC | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
period.

Error - 12/11/2011 1:40:32 PM | Computer Name = USER-PC | Source = atapi | ID = 262155
Description = The driver detected a controller error on \Device\Ide\IdePort1.

Error - 12/11/2011 1:41:57 PM | Computer Name = USER-PC | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
period.

Error - 12/11/2011 1:42:15 PM | Computer Name = USER-PC | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
period.

Error - 12/11/2011 1:43:19 PM | Computer Name = USER-PC | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
period.

Error - 12/11/2011 1:43:27 PM | Computer Name = USER-PC | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
period.

Error - 12/11/2011 1:45:39 PM | Computer Name = USER-PC | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
period.

Error - 12/11/2011 1:51:06 PM | Computer Name = USER-PC | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
period.

Error - 12/11/2011 2:20:37 PM | Computer Name = USER-PC | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
period.


< End of report >

It seems like a lot of work, reviewing this! Thanks for your efforts.

Scolabar
2011-12-12, 19:08
Hi I_dream_of_Mercury,

Thank you for the logs and feedback. :bigthumb:

Again, please remember to read the instructions below carefully before executing and perform the steps, in the order given.
If you have any questions about or problems executing these instructions, <STOP> do not proceed, post back with the question or problem before going any further.

Before we proceed please make sure any open programs are closed.

Step 1:
Program Query:

Are you aware of having installed the following program?

vampsƒXƒNƒŠ[ƒ“ƒZ[ƒo[
If so, please clarify what the program is used for.

Step 2:
Reset IE8:

Please download Microsoft FixIt (http://download.microsoft.com/download/3/1/7/317254BC-6C9D-4532-827A-827041404428/MicrosoftFixit50195.msi) and save it to the desktop.
Double-click on MicrosoftFixit50195.exe select I Agree and click on Next.
Follow the on-screen prompts.
You may delete MicrosoftFixit50195.exe when finished and or keep it if any problems in the future with IE8.
Next time IE8 is launched you will be prompted to reapply settings again, this is normal.
Please Note: Any add-ons will require to be reapplied after the above reset.

Step 3:
OTL - Script

Next we need to run an OTL script.

Please temporarily disable your Anti-virus real-time protection. If active, it could impact the online scan. Refer to This Howto Topic (http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/490111-how-disable-your-security-applications.html), if necessary.

Double-click on OTL.exe to launch the program.
Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code.


:OTL
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" File not found
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-1708537768-839522115-1644491937-1003\Software\Policies\Microsoft\Internet Explorer\Restrictions present
@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\user\Desktop\avira_antivir_personal_en.exe:SummaryInformation
@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[152 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[137 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

:Files
ipconfig /flushdns /c

:Commands
[PURITY]
[emptyjava]
[EMPTYTEMP]
[RESETHOSTS]
[CREATERESTOREPOINT]
Then click the Run Fix button at the top.
Click on the OK button.
OTL may ask to reboot the machine. Please do so if asked.
The report should appear in Notepad after the reboot.
Please Copy and Paste the contents of that report into your next reply.
Step 4:
Check Hard Disk For Errors

Click on Start and select Run.
Then Copy and Paste the following command into the box and then click on the OK button:

cmd /c chkdsk c: |find /v "percent" >> "%userprofile%\desktop\checkhd.txt"

A blank command window will open on your Desktop, then close in a few minutes. This is normal.
A file and icon named checkhd.txt should appear on your Desktop.
Please Copy and Paste the contents of the checkhd.txt file into your next reply.
Step 5:
Include in Next Post

Did you have any problems carrying out the instructions?
Are you aware of having installed the program: vamps? If so, please clarify what the program is used for.
OTL.txt.
checkhd.txt.
How is the computer now running?
Scolabar
--------------------------------------------------------------------------
No Reply Within 3 Days Will Result In Your Topic Being Closed
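A check to run before the OTL fix above (and the second OTL script later in the thread) removes the O7 "Restrictions present" entries. This is an added example, not part of the thread or of OTL: the O7 lines only say that the key HKU\<hive>\Software\Policies\Microsoft\Internet Explorer\Restrictions exists in each loaded hive, not which policy values it holds. Those values (NoBrowserOptions is the one that disables the Internet Options dialog) are what the Control Panel and IE honour, and tools that deliberately "lock" Internet Options, such as the Spybot IE Tweaks the poster uses, typically write to the same key. Listing and exporting the key first lets you tell a lock the user set from a change malware made, and gives a .reg file to merge back afterwards. The script assumes Windows XP's cmd.exe and reg.exe and an administrator account; the backup folder name is an arbitrary choice.

```batch
@echo off
setlocal EnableDelayedExpansion
rem Added example (not from this thread): list and back up the Internet Explorer
rem "Restrictions" policy key in every loaded user hive before a fix deletes it.
rem Assumes Windows XP cmd.exe / reg.exe, run from an administrator account.
rem The backup folder name below is an arbitrary choice.
set "BACKUP=%USERPROFILE%\Desktop\IERestrictionsBackup"
if not exist "%BACKUP%" mkdir "%BACKUP%"

rem "reg query HKU" prints HKEY_USERS\.DEFAULT, HKEY_USERS\S-1-5-18, ... (indented on XP).
rem findstr keeps only the subkey lines; tokens=* strips the leading indentation.
for /f "tokens=*" %%H in ('reg query HKU ^| findstr /r /c:"HKEY_USERS\\."') do (
    set "KEY=%%H\Software\Policies\Microsoft\Internet Explorer\Restrictions"
    reg query "!KEY!" >nul 2>&1
    if not errorlevel 1 (
        echo.
        echo === !KEY!
        rem Show the actual policy values (e.g. NoBrowserOptions) instead of just "present".
        reg query "!KEY!"
        rem The second path component is the hive name (.DEFAULT or the SID); use it in the file name.
        for /f "tokens=2 delims=\" %%S in ("%%H") do (
            if exist "%BACKUP%\Restrictions-%%S.reg" del "%BACKUP%\Restrictions-%%S.reg"
            reg export "!KEY!" "%BACKUP%\Restrictions-%%S.reg"
        )
    )
)
echo.
echo Backups, if any, are in "%BACKUP%". Merge a .reg file to restore that hive's restrictions.
endlocal
```

Save it as a .bat file and run it from the administrator account before the OTL fix; a hive whose Restrictions key holds only values the user's own lock-down tools set can have them merged back from the exported .reg file once the machine is declared clean.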

I_dream_of_Mercury
2011-12-13, 00:59
Scolabar, hi!

I've just tried running Microsoft Fixit, and the message says, "This Microsoft Fix it failed to process."

I was careful to follow your instructions. I saved Microsoft Fixit from the link, onto my desktop. With all programs closed, including disabling security software, I double-clicked on the icon on the desktop, checked I agree, then clicked Next. A screen came up saying it was processing this Microsoft Fixit, and when the processing was done, it went to the screen that says, "This Microsoft Fix it failed to process." I tried it three times.

I'm wondering if this has anything to do with how my user profiles are set up, or how they're set up in relationship to each other. The profile I normally use has administrative rights. Microsoft says that if you can bring up Date and Time Properties controls, you have administrative rights, and I can do that, in this profile. If I add favorites or settings to my regular user profile, those favorites or settings don't show up in the Administrator's IE - should they?

So, for example, if my current user profile has administrative rights, do I need to ask it to "Run as the Administrator," when running Microsoft Fixit? And if I ask it to run as the Administrator, will that be a problem, since last I checked, the Administrator had lost connectivity to the Internet in Safe Mode?

I wondered about the profiles being at issue previously, when I tried to update from IE8 to a newer version of IE8, and it hung at the point in the process where it applied personal preferences If I recall correctly, it wanted me to run the update as the Administrator, but of course I was normally using IE as another user, and could only log on as Administrator in Safe Mode. So I wondered if IE got confused about applying another user profile's preferences to the IE update, when the update was originally run as the Administrator.

ha, But maybe I'm totally off about all that!

Please advise how I should proceed, next. Thank you for your continued help!


And here's the answer to
Step 1:
Program Query:

"Are you aware of having installed the following program?

vampsXN[Z[o["
This is a screensaver, and the origin is Japanese. The characters after the word "vamps" I presume are substitutes for Japanese characters, because somehow the program name didn't convert to the correct font.

I notice that it doesn't display by that name, vampsXN[Z[o[ , anymore. The screensaver itself, now is just "vamps.scr" - or whatever the screensaver file type is. I may have renamed it from the file name you're quoting, but I'm not sure - this also may have been the name of the installer. I hope it's not causing any problems, because I'd like to keep it, if it's not harmful.

Scolabar
2011-12-13, 19:14
Hi I_dream_of_Mercury,

Thank you for the feedback and the information about the vamps program. :thumbright:

Regarding your questions relating to your user profiles, you should be running all the instructions I am providing from within your account that has administrative privileges.


"If I add favorites or settings to my regular user profile, those favorites or settings don't show up in the Administrator's IE - should they?"

No, they will only be available in your regular user profile.


"I wondered about the profiles being at issue previously, when I tried to update from IE8 to a newer version of IE8, and it hung at the point in the process where it applied personal preferences. If I recall correctly, it wanted me to run the update as the Administrator, but of course I was normally using IE as another user, and could only log on as Administrator in Safe Mode. So I wondered if IE got confused about applying another user profile's preferences to the IE update, when the update was originally run as the Administrator."

If you have multiple user accounts on your system, you should log out of all accounts, log back in to an account with administrative privileges in order to carry out any program installations and/or system and program updates.

Please Confirm: Is this "Before IE8 update KB2586448 10-13-2011" the point after which you started experiencing problems with IE and accessing the Internet Options?

Next, please make sure Spybot's TeaTimer is disabled and then try running the instructions again.
If that does not work, please let me know and we will try a different tack. ;)

Scolabar
--------------------------------------------------------------------------
No Reply Within 3 Days Will Result In Your Topic Being Closed

I_dream_of_Mercury
2011-12-14, 02:48
Hi,

As confirmed in my last post, I've already performed these instructions.

I disabled security software, per your previous instructions (disabled Tea Timer, Avira Antivir Guard, and Online Armor's Program Guard, HIPS features, and the firewall, did not disable SpywareBlaster), and ran the Microsoft Fixit from the desktop, while in a user account with administrative privileges. I tried this several times.

I log into one user account, on the Welcome/login screen, so there's just one user account logged in, unless something needs to be done about the ASP.NET user account or the account named Administrator.

After receiving your most recent message, I did look online, trying to see if I needed to do anything with the ASP.NET user account. In case it made any difference, I enabled automatic login, by running "control userpasswords2" and unchecking "Users must enter a user name and password to use this computer" option.

I logged out and back in, made sure the security software was still disabled, and tried to run Microsoft Fixit three more times. As before, "This Microsoft Fixit failed to process."


You asked: Please Confirm: Is this "Before IE8 update KB2586448 10-13-2011" the point after which you started experiencing problems with IE and accessing the Internet Options?

I'm not sure of your question. Did the problems with IE and accessing Internet Options start after that 10-13-2011 update?

I'm sorry to say I don't know the exact order of some of these events.

I don't know when my system first lost access to Internet Options. (I first discovered it Dec. 4, as I mentioned.) I do use Internet Options occasionally, and I'd be surprised if it was almost 2 months before I noticed that I couldn't access it, especially because I tried updating IE8 itself, at the time of the 10-13 update, and I would think that would have caused me to open Internet Options at least once, after the update failed to complete, just to check things. But I'm not certain.

I tried to update IE8 twice, within the past few months. I'm not sure if 10-13 was the first or second time. I normally keep notes on such things, but all I can find right now, are some favorites I created on 10-12 and 10-13, trying to find out how to solve the problem with IE8 update's behavior. I see that problems created by updating IE8 are pretty common.

Both times, the update appeared to install, IE updater restarted the computer, and at the beginning of start up, when it tried to apply personal preferences to IE, it continued to run indefinitely, and would never complete. I had to turn the computer off manually and restart, to get back in.


Some other small changes I've noticed very recently, but hadn't thought to mention:

I can no longer drag and drop highlighted text, when entering text online, as with online email or entering this message. Normally, I can, but recently I have to cut and paste. This might have developed right after the 10-13 update, but again, I'm not sure.

Often, recently, when I go to save something, the computer plays that sort of "plunk" sound, as if you did something wrong. It does still let me save.

Often, recently, between one and three of the images on a page won't load. It's not that the images are too heavy. Even if they're thumbnail size and the rest of the page loads quickly, I often have to refresh the page one or more times, in order for all the images to load. This is a new development. This might have started with my latest update of Flash player, though.

Launching programs and performing most actions has slowed, not extremely but noticeably.

In the past few days, since working on the computer, sometimes computer sounds such as the Windows music played at start up, is sputtering, not playing smoothly.


I notice that in some of your new instructions, you mention the Java updater. I don't know if it's related to this, but to let you know, I intentionally turned off the Java auto updater. I'd read that Java had been bundling third party stuff in their automatic updates, so that users didn't get a chance to refuse them, and also that the automatic updater was presenting a security vulnerability, so I've been just checking for updates every few weeks and updating manually. I'll follow whatever instructions you have, I just wanted to let you know why that's not enabled.

Thanks very much for your continued help. I'll be checking back for new instructions.

Scolabar
2011-12-14, 19:03
Hi I_dream_of_Mercury,

Thank you for the feedback and patience. :)

I needed to make sure that TeaTimer had not been re-enabled and was preventing the running of the Microsoft Fixit tool.
Thank you for the confirmation. :thumbright:


In case it made any difference, I enabled automatic login, by running "control userpasswords2" and unchecking "Users must enter a user name and password to use this computer" option.
I would strongly advise that you revert this change, if you haven't already done so. ;)

OK, let's try a different approach. :)

Again, please remember to read the instructions below carefully before executing and perform the steps, in the order given.
If you have any questions about or problems executing these instructions, <STOP> do not proceed, post back with the question or problem before going any further.

Before we proceed please make sure any open programs are closed.

Step 1:
ComboFix


Do NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, NOT for general public or personal use. Using this tool incorrectly could lead to serious problems with your operating system such as preventing it from ever starting again. This site, sUBs and myself will not be responsible for any damage caused to your machine by misusing or running ComboFix on your own.
You will not have Internet access when you execute ComboFix. All open windows will need to be closed!

Please download ComboFix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) by sUBs and save it to your Desktop. <<--- IMPORTANT!!
Alternate download site is available here (http://www.infospyware.net/antimalware/combofix/).
Please disable any Anti-Virus, Anti-Spyware and Firewall programs you have active, as shown in this topic (http://www.bleepingcomputer.com/forums/topic114351.html). Please close all open application windows.
Note: ** Only ** when the above two items in Step 2 have been dealt with should you proceed with the following steps:
Double-click on Combofix.exe to start the program. If you receive the "Open File - Security Warning" message, click on the Run button.
Reply Yes to the Disclaimer prompt.
The ComboFix program screen will then appear, indicating the program is preparing to run. ComboFix will then begin creating a System Restore Point and then backup your Registry.
With malware infections being as they are today, it is strongly recommended to have Microsoft Windows Recovery Console installed on your computer before attempting any malware removal. This will allow the computer to be booted up into a special recovery/repair mode that will provide the ability to recover the situation should your computer encounter a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
[screenshot: ComboFix prompt asking to install the Microsoft Windows Recovery Console]
**Please Note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[screenshot: ComboFix message confirming the Recovery Console was installed successfully]
Then click on the Yes button to continue.
Note: Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash!
When the program has finished ComboFix will produce a log file called combofix.txt which will automatically open in Notepad.
Please Copy and Paste the entire contents of the combofix.txt file into your next reply.
** REMEMBER ** Re-Enable your Anti-Virus, Anti-Spyware and Firewall programs before reconnecting to the Internet!

Step 2:
Include in Next Post

Did you have any problems carrying out the instructions?
combofix.txt.
How is the computer now running?

Scolabar
--------------------------------------------------------------------------
No Reply Within 3 Days Will Result In Your Topic Being Closed

I_dream_of_Mercury
2011-12-14, 23:36
Thanks for your continued support!

1. Did you have any problems carrying out the instructions?

The instructions were clear and easy to follow, except that I notice that this info, http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html, differs somewhat from this info, http://www.bleepingcomputer.com/forums/topic114351.html, regarding what's required in order to disable Spybot S&D.

By the way, I did try disabling it by the instructions at the second link, and tried again, to run Microsoft Fixit, before running ComboFix, but it still didn't process.

ComboFix was easier to run than I expected.



2. combofix.txt:

ComboFix 11-12-13.03 - user 12/14/2011 12:24:01.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1472 [GMT -8:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Online Armor Firewall *Disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\user\Recent\Thumbs.db
c:\program files\Internet Explorer\SET4.tmp
c:\program files\Internet Explorer\SET5.tmp
c:\program files\Internet Explorer\SET6.tmp
c:\program files\Internet Explorer\SET6C.tmp
c:\program files\Internet Explorer\SET6D.tmp
c:\program files\Internet Explorer\SET7.tmp
c:\program files\Internet Explorer\SET8.tmp
c:\program files\Internet Explorer\SET9.tmp
c:\windows\CSC\d6
.
.
((((((((((((((((((((((((( Files Created from 2011-11-14 to 2011-12-14 )))))))))))))))))))))))))))))))
.
.
2011-12-06 18:56 . 2011-12-06 18:58 -------- d-----w- c:\program files\ERUNT
2011-12-01 13:38 . 2011-12-05 18:20 -------- d-----w- c:\program files\SpywareBlaster(2)
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-06 00:39 . 2010-05-02 18:06 544656 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-01 19:32 . 2011-11-01 19:31 69792 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-01 19:32 . 2011-11-01 19:31 417952 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2011-10-21 15:30 . 2011-03-10 04:49 516692 ----a-w- c:\windows\vampsUninst.exe
2011-10-21 15:30 . 2011-03-10 04:49 1903021 ----a-w- c:\windows\vamps.scr
2011-10-10 14:22 . 2009-08-14 01:37 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2008-04-14 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 18:41 . 2008-07-30 02:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41 . 2008-04-14 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 18:41 . 2008-04-14 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-03-13 61440]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-02 281768]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2010-04-20 6678008]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PD0630 STISvc"="P0630Pin.dll" [2005-06-05 36864]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
.
c:\documents and settings\user\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2010-04-20 925688]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
.
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [4/8/2010 7:17 AM 228216]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [4/8/2010 7:17 AM 24440]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [4/8/2010 7:17 AM 29560]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/7/2010 11:34 PM 136360]
R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [4/8/2010 7:17 AM 1284600]
R2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [4/8/2010 7:17 AM 3364856]
S0 cerc6;cerc6; [x]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe --> c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [?]
S3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [10/28/2010 9:41 AM 91841]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.safer-networking.org/en/index.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-14 12:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(448)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-12-14 12:42:51
ComboFix-quarantined-files.txt 2011-12-14 20:42
.
Pre-Run: 126,004,785,152 bytes free
Post-Run: 126,164,434,944 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 0185036CB0AB85242BF73B397D4FDFB6



3. How is the computer now running?


So far, there's no apparent improvement :P

Internet Options hasn't become accessible, yet.

The computer's still moving quite slowly - if anything, a little slower than before ComboFix. It takes it much longer than usual to do anything, and much longer than usual to reboot.
(It's become markedly slower in the past few days, since loading new programs and performing scans, than it was as a result of whatever problems it has. Maybe the additional slow down is to be expected.)

I'm still unable to drag and drop highlighted text, in IE.

I haven't tried logging into Safe Mode as Administrator, to see whether it's regained access to the Internet. It still had connectivity right after I discovered signs of infection, then mysteriously lost it, for no apparent reason. I'm kind of afraid to log back into that account, yet, for fear that somehow it will negatively affect the other user account, when I log back in.

Now, when I hover the pointer over Control Panel or My Computer, in the Start menu, it doesn't bring up the contents, as it normally does. I have to click on My Computer or Control Panel, for it to bring up a separate Explorer window, with the contents of those.

I tried running Microsoft Fixit again, after ComboFix, and it still didn't process.


Something that I hadn't noticed until the last few days, is that Spybot S&D hasn't been giving me notification of changes in a long time. When I change the status of TeaTimer or change the start up menu, it used to give notification.


Does ComboFix seem to have found and fixed something significant?

I_dream_of_Mercury
2011-12-15, 02:20
An additional questions: I've got Windows updates that just came in, waiting to be installed. Shall I install them now?

(My response to your most recent instructions is below.)

Scolabar
2011-12-15, 09:20
Hi I_dream_of_Mercury,

Thanks for the update. :bigthumb:

Please DO NOT process any Windows Updates until your system is confirmed to be clear of infection.

Scolabar

Scolabar
2011-12-15, 19:05
Hi I_dream_of_Mercury,

Thank you again for the feedback and log. :)


"The instructions were clear and easy to follow, except that I notice that this info, http://www.techsupportforum.com/foru...ns-490111.html, differs somewhat from this info, http://www.bleepingcomputer.com/forums/topic114351.html , regarding what's required in order to disable Spybot S&D.

By the way, I did try disabling it by the instructions at the second link, and tried again, to run Microsoft Fixit, before running ComboFix, but it still didn't process."

Thank you for the update. However, please can I ask you to simply follow the instructions that I provide. This will avoid any potential problems/confusion and ensure that we reach a conclusion sooner rather than later. ;)


"ComboFix was easier to run than I expected."

Don't be fooled. This is a powerful tool that can do some serious damage to a computer system in the hands of someone other than a trained expert. ;)


"The computer's still moving quite slowly - if anything, a little slower than before ComboFix. It takes it much longer than usual to do anything, and much longer than usual to reboot."

This is to be expected initially after the use of ComboFix.


"Something that I hadn't noticed until the last few days, is that Spybot S&D hasn't been giving me notification of changes in a long time. When I change the status of TeaTimer or change the start up menu, it used to give notification."

This is almost certainly because we have disabled TeaTimer for the time being, so that it won't interfere with any of the fixes. ;)

Again, please remember to read the instructions below carefully before executing and perform the steps, in the order given.
If you have any questions about or problems executing these instructions, <STOP> do not proceed, post back with the question or problem before going any further.

Before we proceed please make sure any open programs are closed.

Step 1:
ERUNT

I notice you already have ERUNT installed on your system. Let's use this tool to make a backup of the Registry before we proceed.

Double-click on the ERUNT program desktop icon to launch the program.
Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT\DD-MM-YYYY (where DD-MM-YYYY is the date of the backup) which is fine.
Under Backup options make sure both of the first two options: System registry and Current user registry are checked.
Click on the Yes button to allow the folder to be created.
After a short duration the Registry backup is complete! pop-up message will appear.
Now click on OK. A registry backup has now been created.
< STOP > If you are unable to complete this step successfully, < STOP > do not continue with any fix steps, let me know immediately in your next post!

Step 2:
ComboFix - CFScript

WARNING!
This script is for THIS user and computer ONLY!
Using this tool incorrectly could damage your Operating System thereby preventing it from starting again!

You will not have Internet access when you execute ComboFix. All open windows will need to be closed!

Click on Start > Run.
In the text entry box type: Notepad
Then click on the OK button.
This will open an empty Notepad file.
Copy and Paste the contents of the box below into the Notepad window:

KillAll::

Driver::
cerc6


Save the file to your Desktop as CFScript.txt
Please disable any Antivirus or Firewall you have active, as shown in this topic (http://www.bleepingcomputer.com/forums/topic114351.html). Please close all open application windows.
Drag the CFScript.txt (icon) onto the ComboFix.exe icon as shown in the image below:

http://i526.photobucket.com/albums/cc345/MPKwings/ComboFixScriptDrag.gif

This will cause ComboFix to run again.
Note: Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash!
Do Not touch your computer when ComboFix is running!
When the program has finished ComboFix will produce a log file called combofix.txt which will automatically open in Notepad.
Please Copy and Paste the entire contents of the combofix.txt file into your next reply.
** REMEMBER ** Re-Enable your Antivirus, Anti-Spyware and Firewall programs before reconnecting to the Internet!

Step 3:
OTL - Script

Next we need to run an OTL script.

Please temporarily disable your Anti-virus real-time protection. If active, it could impact the online scan. Refer to This Howto Topic (http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/490111-how-disable-your-security-applications.html), if necessary.

Double-click on OTL.exe to launch the program.
Copy and Paste the following code into the http://billy-oneal.com/Canned%20Speeches/speechimages/OTL/customFix.png textbox. Do not include the word Code.


:OTL
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-1708537768-839522115-1644491937-1003\Software\Policies\Microsoft\Internet Explorer\Restrictions present
@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\user\Desktop\avira_antivir_personal_en.exe:SummaryInformation
@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[152 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[137 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

:Files
ipconfig /flushdns /c

:Commands
[PURITY]
[emptyjava]
[EMPTYTEMP]
[RESETHOSTS]
[CREATERESTOREPOINT]
Then click the Run Fix button at the top.
Click on the OK button.
OTL may ask to reboot the machine. Please do so if asked.
The report should appear in Notepad after the reboot.
Please Copy and Paste the contents of that report into your next reply.
Step 4:
Include in Next Post

Did you have any problems carrying out the instructions?
combofix.txt.
OTL.txt.
Is there any improvement in how the computer is now running?

Scolabar
--------------------------------------------------------------------------
No Reply Within 3 Days Will Result In Your Topic Being Closed
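As an added illustration (not part of this thread, and not code from OTL, ComboFix or ERUNT), the PowerShell audit below reads the two artefacts the OTL script in Step 3 targets, before anything is removed: the Internet Explorer "Restrictions" policy key under every loaded user hive in HKEY_USERS (the O7 entries), where a value such as NoBrowserOptions set to 1 is what makes the Internet Options dialog refuse to open, and the alternate data streams attached to a file (the "@Alternate Data Stream" entries). It assumes PowerShell 3.0 or later (Get-Item -Stream and [pscustomobject] are not available on the XP-era PowerShell 2.0) and an elevated prompt so the service-account hives are readable; the file path in the usage line is simply the one named in the OTL script and stands in for whichever file you want to inspect.

```powershell
# Added example: audit IE Restrictions policy values and alternate data streams.
# Not code from the thread or from OTL/ComboFix. Assumes PowerShell 3.0+ and an
# elevated prompt (needed to read the S-1-5-18/19/20 hives under HKEY_USERS).

function Get-IeRestrictionPolicy {
    # HKEY_USERS has no drive by default; map one so the hives can be walked.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    foreach ($hive in Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue) {
        $sid = $hive.PSChildName
        if ($sid -like '*_Classes') { continue }   # skip the per-user HKCR overlays
        $key = "HKU:\$sid\Software\Policies\Microsoft\Internet Explorer\Restrictions"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # drop PSPath/PSParentPath noise
            [pscustomobject]@{
                Sid   = $sid
                Name  = $p.Name
                Value = $p.Value
                # Any non-zero restriction on a machine that is not domain-managed
                # should be explained before it is removed; NoBrowserOptions is the
                # one that removes access to Internet Options.
                Flag  = if ($p.Value -ne 0) { 'set' } else { 'clear' }
            }
        }
    }
}

function Get-FileAlternateStreams {
    param([Parameter(Mandatory)][string]$Path)
    # ':$DATA' is the file's ordinary content; every other stream is an ADS.
    Get-Item -LiteralPath $Path -Stream * -ErrorAction Stop |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object @{ n = 'File'; e = { $_.FileName } }, Stream, Length
}

# Usage, from an elevated PowerShell prompt.
Get-IeRestrictionPolicy | Format-Table -AutoSize

# Placeholder path taken from the OTL script above; substitute the file you
# actually want to inspect.
$target = 'C:\Documents and Settings\user\Desktop\avira_antivir_personal_en.exe'
if (Test-Path -LiteralPath $target) {
    Get-FileAlternateStreams -Path $target | Format-Table -AutoSize
}
```

An empty result from the first function means no Restrictions key exists in any loaded hive, which is exactly what the OTL log later reports ("Registry key ... not found"); a populated one tells you which user the policy was written under, which is more useful for deciding whether it was a legitimate lockdown (Spybot's IE Tweaks and SpywareBlaster write to these keys too) than the bare "present" flag in the scan. A SummaryInformation stream of a few dozen bytes, as on the Avira installer, is ordinary document-property metadata and not evidence of tampering on its own; a stream on a TEMP folder that no installed program accounts for is the kind the script above asked OTL to remove.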

I_dream_of_Mercury
2011-12-16, 02:35
Hi, again! Thanks for the new instructions. I hope these huge reports are not as endless to dredge through as they look.


Don't be fooled. [ComboFix] is a powerful tool that can do some serious damage to a computer system in the hands of someone other than a trained expert. ;)

Don't worry - I won't be using it without expert direction! With luck, not at all, in future :D

1. Did you have any problems carrying out the instructions?

Well, it was *exciting* :D

A couple of unexpected things happened.

As soon as I dropped CFScript.txt into ComboFix, ComboFix asked to update. Despite the warning not to touch anything after it started running, I had to give it an answer. I hope I was right to say "Yes". It updated, then brought up the agreement screen, and appeared to run as it did previously, except that it rebooted after.

OTL complete...but not for a long time. OTL ran the fix quickly, then said, "Processing complete!" I was very pleased about that, until it sat there with that message on the screen, nothing but OTL and the wallpaper, and nothing else happened. I let it sit like that for almost 2 hours, with no idea whether it was going to do anything else or was just stuck. I agonized all that time, whether I'd have to turn the computer off to get back in, before it finally displayed the box where you click OK, and eventually asked to reboot. Thank Heavens!


I notice you already have ERUNT installed on your system. Let's use this tool to make a backup of the Registry before we proceed.

(I installed ERUNT before running DDS logs, per Tashi's "Before you post" instructions: http://forums.spybot.info/showpost.php?p=1150&postcount=2 :)

After OTL ran and rebooted, upon startup, OnlineArmor firewall blocked ERUNT's AUTOBACK.EXE trying to run. When, if ever, should I allow this program to run?

Just to note, in case others encounter it: Avira re-enables itself upon reboot. When disabling antivirus, antimalware, and firewall, every time I disable OnlineArmor it needs to reboot, so I have to remember to disable Avira *after*.

Also, a little anomaly: Each time ComboFix runs, it deselects an item in the Restricted Sites of SpywareBlaster, Item Name: AntiMalware Guard, Address: antimalwareguard.com, and disables protection from it. I see online, that some others have noticed it, too.


2. combofix.txt.

ComboFix 11-12-15.02 - user 12/15/2011 12:14:56.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1611 [GMT -8:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\cfscript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Online Armor Firewall *Disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_cerc6
.
.
((((((((((((((((((((((((( Files Created from 2011-11-15 to 2011-12-15 )))))))))))))))))))))))))))))))
.
.
2011-12-06 18:56 . 2011-12-06 18:58 -------- d-----w- c:\program files\ERUNT
2011-12-01 13:38 . 2011-12-05 18:20 -------- d-----w- c:\program files\SpywareBlaster(2)
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-06 00:39 . 2010-05-02 18:06 544656 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-01 19:32 . 2011-11-01 19:31 69792 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-01 19:32 . 2011-11-01 19:31 417952 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2011-10-21 15:30 . 2011-03-10 04:49 516692 ----a-w- c:\windows\vampsUninst.exe
2011-10-21 15:30 . 2011-03-10 04:49 1903021 ----a-w- c:\windows\vamps.scr
2011-10-10 14:22 . 2009-08-14 01:37 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2008-04-14 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 18:41 . 2008-07-30 02:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41 . 2008-04-14 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 18:41 . 2008-04-14 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-14_20.39.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-15 20:28 . 2011-12-15 20:28 16384 c:\windows\temp\Perflib_Perfdata_650.dat
+ 2011-12-15 20:01 . 2011-12-15 20:01 208896 c:\windows\ERDNT\AutoBackup\12-15-2011\Users\00000002\UsrClass.dat
+ 2011-12-15 20:01 . 2005-10-20 20:02 163328 c:\windows\ERDNT\AutoBackup\12-15-2011\ERDNT.EXE
+ 2011-12-15 20:04 . 2011-12-15 20:04 208896 c:\windows\ERDNT\12-15-2011\Users\00000002\UsrClass.dat
+ 2011-12-15 20:04 . 2005-10-20 20:02 163328 c:\windows\ERDNT\12-15-2011\ERDNT.EXE
+ 2011-12-15 20:01 . 2011-12-15 20:01 9789440 c:\windows\ERDNT\AutoBackup\12-15-2011\Users\00000001\ntuser.dat
+ 2011-12-15 20:04 . 2011-12-15 20:04 9789440 c:\windows\ERDNT\12-15-2011\Users\00000001\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-03-13 61440]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-02 281768]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2010-04-20 6678008]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PD0630 STISvc"="P0630Pin.dll" [2005-06-05 36864]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
.
c:\documents and settings\user\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2010-04-20 925688]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
.
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [4/8/2010 7:17 AM 228216]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [4/8/2010 7:17 AM 24440]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [4/8/2010 7:17 AM 29560]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/7/2010 11:34 PM 136360]
R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [4/8/2010 7:17 AM 1284600]
R2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [4/8/2010 7:17 AM 3364856]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe --> c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [10/28/2010 9:41 AM 91841]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.safer-networking.org/en/index.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-15 12:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(456)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(156)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\RunDLL32.exe
c:\program files\Tall Emu\Online Armor\OAhlp.exe
.
**************************************************************************
.
Completion time: 2011-12-15 12:36:47 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-15 20:36
ComboFix2.txt 2011-12-14 20:42
.
Pre-Run: 125,884,575,744 bytes free
Post-Run: 125,860,433,920 bytes free
.
- - End Of File - - 7C4D9C6086869F88F02B1F6541D66939
3. OTL.txt.

All processes killed
========== OTL ==========
Registry key HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions\ not found.
Registry key HKEY_USERS\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions\ not found.
Registry key HKEY_USERS\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions\ not found.
Registry key HKEY_USERS\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions\ not found.
Registry key HKEY_USERS\S-1-5-21-1708537768-839522115-1644491937-1003\Software\Policies\Microsoft\Internet Explorer\Restrictions\ not found.
ADS C:\Documents and Settings\user\Desktop\avira_antivir_personal_en.exe:SummaryInformation deleted successfully.
Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34 .
C:\WINDOWS\SET3.tmp deleted successfully.
C:\WINDOWS\SET4.tmp deleted successfully.
C:\WINDOWS\SET8.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET29.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET2A.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET2B.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET2C.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET2D.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET2E.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET2F.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET30.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET31.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET32.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET33.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET35.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET36.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET37.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET38.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET39.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET3A.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET3B.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET3C.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET3D.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET3E.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET3F.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET40.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET41.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET42.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET43.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET44.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET45.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET46.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET47.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET48.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET49.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET4A.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET4B.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET4C.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET4D.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET4E.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET4F.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET50.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET51.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET52.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET53.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET54.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET55.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET56.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET57.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET58.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET59.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET5A.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET5C.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET5D.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET5E.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET5F.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET60.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET61.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET62.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET63.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET64.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET65.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET66.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET67.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET68.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET69.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET6A.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET6B.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET6C.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET6D.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET6E.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET6F.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET70.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET71.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET72.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET73.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET74.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET75.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET76.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET77.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET78.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET79.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET7A.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET7B.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET7C.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET7D.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET7E.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET7F.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET80.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET81.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET83.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET84.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET85.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET86.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET87.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET88.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET89.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET8A.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET8B.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET8C.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET8D.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET8E.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET8F.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET90.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET91.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET92.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET93.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET94.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET95.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET96.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET97.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET98.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET99.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET9A.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET9B.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET9C.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET9D.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET9E.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET9F.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETA0.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETA1.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETA2.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETA3.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETA4.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETA5.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETA6.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETA7.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETA8.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETA9.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETAA.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETAB.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETAC.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETAD.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETAE.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETAF.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETB0.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETB1.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETB2.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETB3.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETB4.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETB5.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETB6.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETB7.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETB8.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETB9.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETBA.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETBB.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETBC.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETBD.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETBE.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETBF.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETC0.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETC1.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETC2.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETC3.tmp deleted successfully.
C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
C:\WINDOWS\System32\SET10.tmp deleted successfully.
C:\WINDOWS\System32\SET11.tmp deleted successfully.
C:\WINDOWS\System32\SET12.tmp deleted successfully.
C:\WINDOWS\System32\SET13.tmp deleted successfully.
C:\WINDOWS\System32\SET14.tmp deleted successfully.
C:\WINDOWS\System32\SET15.tmp deleted successfully.
C:\WINDOWS\System32\SET16.tmp deleted successfully.
C:\WINDOWS\System32\SET17.tmp deleted successfully.
C:\WINDOWS\System32\SET18.tmp deleted successfully.
C:\WINDOWS\System32\SET19.tmp deleted successfully.
C:\WINDOWS\System32\SET1A.tmp deleted successfully.
C:\WINDOWS\System32\SET1B.tmp deleted successfully.
C:\WINDOWS\System32\SET1C.tmp deleted successfully.
C:\WINDOWS\System32\SET1D.tmp deleted successfully.
C:\WINDOWS\System32\SET1E.tmp deleted successfully.
C:\WINDOWS\System32\SET1F.tmp deleted successfully.
C:\WINDOWS\System32\SET20.tmp deleted successfully.
C:\WINDOWS\System32\SET21.tmp deleted successfully.
C:\WINDOWS\System32\SET22.tmp deleted successfully.
C:\WINDOWS\System32\SET23.tmp deleted successfully.
C:\WINDOWS\System32\SET24.tmp deleted successfully.
C:\WINDOWS\System32\SET25.tmp deleted successfully.
C:\WINDOWS\System32\SET26.tmp deleted successfully.
C:\WINDOWS\System32\SET27.tmp deleted successfully.
C:\WINDOWS\System32\SET28.tmp deleted successfully.
C:\WINDOWS\System32\SET29.tmp deleted successfully.
C:\WINDOWS\System32\SET2A.tmp deleted successfully.
C:\WINDOWS\System32\SET2B.tmp deleted successfully.
C:\WINDOWS\System32\SET2C.tmp deleted successfully.
C:\WINDOWS\System32\SET2D.tmp deleted successfully.
C:\WINDOWS\System32\SET2E.tmp deleted successfully.
C:\WINDOWS\System32\SET2F.tmp deleted successfully.
C:\WINDOWS\System32\SET30.tmp deleted successfully.
C:\WINDOWS\System32\SET31.tmp deleted successfully.
C:\WINDOWS\System32\SET32.tmp deleted successfully.
C:\WINDOWS\System32\SET33.tmp deleted successfully.
C:\WINDOWS\System32\SET34.tmp deleted successfully.
C:\WINDOWS\System32\SET35.tmp deleted successfully.
C:\WINDOWS\System32\SET36.tmp deleted successfully.
C:\WINDOWS\System32\SET37.tmp deleted successfully.
C:\WINDOWS\System32\SET38.tmp deleted successfully.
C:\WINDOWS\System32\SET39.tmp deleted successfully.
C:\WINDOWS\System32\SET3A.tmp deleted successfully.
C:\WINDOWS\System32\SET3B.tmp deleted successfully.
C:\WINDOWS\System32\SET3C.tmp deleted successfully.
C:\WINDOWS\System32\SET3D.tmp deleted successfully.
C:\WINDOWS\System32\SET3E.tmp deleted successfully.
C:\WINDOWS\System32\SET3F.tmp deleted successfully.
C:\WINDOWS\System32\SET40.tmp deleted successfully.
C:\WINDOWS\System32\SET41.tmp deleted successfully.
C:\WINDOWS\System32\SET42.tmp deleted successfully.
C:\WINDOWS\System32\SET43.tmp deleted successfully.
C:\WINDOWS\System32\SET44.tmp deleted successfully.
C:\WINDOWS\System32\SET45.tmp deleted successfully.
C:\WINDOWS\System32\SET46.tmp deleted successfully.
C:\WINDOWS\System32\SET47.tmp deleted successfully.
C:\WINDOWS\System32\SET48.tmp deleted successfully.
C:\WINDOWS\System32\SET49.tmp deleted successfully.
C:\WINDOWS\System32\SET4A.tmp deleted successfully.
C:\WINDOWS\System32\SET4B.tmp deleted successfully.
C:\WINDOWS\System32\SET4C.tmp deleted successfully.
C:\WINDOWS\System32\SET4D.tmp deleted successfully.
C:\WINDOWS\System32\SET4E.tmp deleted successfully.
C:\WINDOWS\System32\SET4F.tmp deleted successfully.
C:\WINDOWS\System32\SET50.tmp deleted successfully.
C:\WINDOWS\System32\SET51.tmp deleted successfully.
C:\WINDOWS\System32\SET52.tmp deleted successfully.
C:\WINDOWS\System32\SET53.tmp deleted successfully.
C:\WINDOWS\System32\SET54.tmp deleted successfully.
C:\WINDOWS\System32\SET55.tmp deleted successfully.
C:\WINDOWS\System32\SET56.tmp deleted successfully.
C:\WINDOWS\System32\SET57.tmp deleted successfully.
C:\WINDOWS\System32\SET58.tmp deleted successfully.
C:\WINDOWS\System32\SET59.tmp deleted successfully.
C:\WINDOWS\System32\SET5A.tmp deleted successfully.
C:\WINDOWS\System32\SET5B.tmp deleted successfully.
C:\WINDOWS\System32\SET5C.tmp deleted successfully.
C:\WINDOWS\System32\SET5D.tmp deleted successfully.
C:\WINDOWS\System32\SET5E.tmp deleted successfully.
C:\WINDOWS\System32\SET5F.tmp deleted successfully.
C:\WINDOWS\System32\SET60.tmp deleted successfully.
C:\WINDOWS\System32\SET61.tmp deleted successfully.
C:\WINDOWS\System32\SET62.tmp deleted successfully.
C:\WINDOWS\System32\SET63.tmp deleted successfully.
C:\WINDOWS\System32\SET64.tmp deleted successfully.
C:\WINDOWS\System32\SET65.tmp deleted successfully.
C:\WINDOWS\System32\SET66.tmp deleted successfully.
C:\WINDOWS\System32\SET67.tmp deleted successfully.
C:\WINDOWS\System32\SET68.tmp deleted successfully.
C:\WINDOWS\System32\SET69.tmp deleted successfully.
C:\WINDOWS\System32\SET6A.tmp deleted successfully.
C:\WINDOWS\System32\SET6B.tmp deleted successfully.
C:\WINDOWS\System32\SET6C.tmp deleted successfully.
C:\WINDOWS\System32\SET6F.tmp deleted successfully.
C:\WINDOWS\System32\SET7.tmp deleted successfully.
C:\WINDOWS\System32\SET70.tmp deleted successfully.
C:\WINDOWS\System32\SET71.tmp deleted successfully.
C:\WINDOWS\System32\SET72.tmp deleted successfully.
C:\WINDOWS\System32\SET73.tmp deleted successfully.
C:\WINDOWS\System32\SET74.tmp deleted successfully.
C:\WINDOWS\System32\SET75.tmp deleted successfully.
C:\WINDOWS\System32\SET76.tmp deleted successfully.
C:\WINDOWS\System32\SET77.tmp deleted successfully.
C:\WINDOWS\System32\SET78.tmp deleted successfully.
C:\WINDOWS\System32\SET79.tmp deleted successfully.
C:\WINDOWS\System32\SET7A.tmp deleted successfully.
C:\WINDOWS\System32\SET7B.tmp deleted successfully.
C:\WINDOWS\System32\SET7C.tmp deleted successfully.
C:\WINDOWS\System32\SET7D.tmp deleted successfully.
C:\WINDOWS\System32\SET7E.tmp deleted successfully.
C:\WINDOWS\System32\SET7F.tmp deleted successfully.
C:\WINDOWS\System32\SET8.tmp deleted successfully.
C:\WINDOWS\System32\SET80.tmp deleted successfully.
C:\WINDOWS\System32\SET81.tmp deleted successfully.
C:\WINDOWS\System32\SET82.tmp deleted successfully.
C:\WINDOWS\System32\SET83.tmp deleted successfully.
C:\WINDOWS\System32\SET84.tmp deleted successfully.
C:\WINDOWS\System32\SET85.tmp deleted successfully.
C:\WINDOWS\System32\SET86.tmp deleted successfully.
C:\WINDOWS\System32\SET87.tmp deleted successfully.
C:\WINDOWS\System32\SET88.tmp deleted successfully.
C:\WINDOWS\System32\SET89.tmp deleted successfully.
C:\WINDOWS\System32\SET8A.tmp deleted successfully.
C:\WINDOWS\System32\SET8B.tmp deleted successfully.
C:\WINDOWS\System32\SET8C.tmp deleted successfully.
C:\WINDOWS\System32\SET8D.tmp deleted successfully.
C:\WINDOWS\System32\SET8E.tmp deleted successfully.
C:\WINDOWS\System32\SET8F.tmp deleted successfully.
C:\WINDOWS\System32\SET9.tmp deleted successfully.
C:\WINDOWS\System32\SET90.tmp deleted successfully.
C:\WINDOWS\System32\SETA.tmp deleted successfully.
C:\WINDOWS\System32\SETB.tmp deleted successfully.
C:\WINDOWS\System32\SETC.tmp deleted successfully.
C:\WINDOWS\System32\SETD.tmp deleted successfully.
C:\WINDOWS\System32\SETE.tmp deleted successfully.
C:\WINDOWS\System32\SETF.tmp deleted successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\user\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\user\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYJAVA]

User: Administrator

User: All Users

User: Default User

User: LocalService

User: NetworkService

User: user
->Java cache emptied: 38543413 bytes

Total Java Files Cleaned = 37.00 mb


[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 456 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: user
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 2776744 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 13267 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 3.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.31.0 log created on 12152011_125111

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...





4. Is there any improvement in how the computer is now running?

I do seem to see a little improvement in IE's speed. This is the only improvement I observe, so far.

Other than this, everything is as I reported at the end of the instructions just before these, including no access to Internet Options.

I did also notice, when I went to insert a link in this post, that it brought up what I presume is a dialogue box, but the box was empty, inside. I turned off my pop-up blocker, and tried again, but it still doesn't work.

:thanks:

Scolabar
2011-12-16, 20:00
Hi I_dream_of_Mercury,

Thank you again for all your feedback. You did the right thing to allow ComboFix to update. Thanks also for your patience with the OTL script. :bigthumb:


After OTL ran and rebooted, upon startup, OnlineArmor firewall blocked ERUNT's AUTOBACK.EXE trying to run. When, if ever, should I allow this program to run?
You can always run ERUNT manually at a time that suits you - before the installation of programs/updates, for example. There is no real need to backup up your Registry every time you log on. This is a decision for you to make.

Again, please remember to read the instructions below carefully before executing and perform the steps, in the order given.
If you have any questions about or problems executing these instructions, <STOP> do not proceed, post back with the question or problem before going any further.

Before we proceed please make sure any open programs are closed.

Step 1:
Re-Run ERUNT

Please backup the registry with ERUNT again before proceeding.

Step 2:
ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan.


Please Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted. Then right-click on it and select "Run as Administrator" to install.
Please temporarily disable your Anti-virus real-time protection. If active, it could impact the online scan. Refer to This Howto Topic (http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/490111-how-disable-your-security-applications.html), if necessary.
** Make sure you are using an account that has Administrative privileges **

Double-click on either the IE or FF icon in the Start Menu or Quick Launch Bar to launch your web browser.
Then go to ESET Online Scanner (http://www.eset.com/us/online-scanner/run) - ESET (All Rights Reserved) to run an online scan.
Click on the Run ESET Online Scanner button.
Check the box next to "YES, I accept the Terms of Use."

Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
When prompted allow the Add-On/Active X to install.
Make sure that the options:
Remove found threats is UNCHECKED
Scan archives is CHECKED
Then click on Advanced Settings and select the following options:
Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
Click on the Start button.
ESET scanner will begin to download the virus signatures database. When the signatures have been downloaded, the scan will start automatically.
Do not touch either the Mouse or Keyboard during the scan otherwise it may stall.
Wait for the scan to finish. It may take a while but, again, please be patient.
When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
Now click on the Finish button.
Use Notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
Copy and Paste the entire contents of log.txt into your next reply.
Remember to re-enable your Anti-virus protection before continuing!

Step 3:
Include in Next Post

Did you have any problems carrying out the instructions?
ESET log results.

Scolabar
--------------------------------------------------------------------------
No Reply Within 3 Days Will Result In Your Topic Being Closed

I_dream_of_Mercury
2011-12-16, 20:12
Scolabar, hi! I'm posting this quickly to see if I can catch you while you're still around -

I see that I'm to run ESET, and so you may have already answered this question, because I mentioned my problem with ESET online scan in my first post, but:

When I tried to run ESET online scan just previous to getting help on this forum, it said I needed to be an administrator, even though my account is administrative. A remedy they suggest in ESET's FAQ didn't work, when I tried it. - please see my first post for details.

Do you have a way of correcting this problem with ESET, so I can run it?

Thanks for your help!

I_dream_of_Mercury
2011-12-16, 23:56
1. Did you have any problems carrying out the instructions?

Hi! I was relieved to find that ESET's online scanner allowed me to use it, this time.

The instructions were clear and easy to follow, thanks.

2. ESET log results:

ESETSmartInstaller@High (ESETSmartInstaller@High) as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=01bf77cf2a9c46478f590efa830757c8
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-12-16 10:15:40
# local_time=2011-12-16 02:15:40 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1797 16775141 100 93 0 60486983 0 0
# compatibility_mode=6401 16777213 66 100 0 51380267 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=76634
# found=0
# cleaned=0
# scan_time=8147

Scolabar
2011-12-17, 12:18
Hi I_dream_of_Mercury,

Well done. :thumright: Now let's see if we can resolve that No Access to Internet Options issue. ;)

Again, please remember to read the instructions below carefully before executing and perform the steps, in the order given.
If you have any questions about or problems executing these instructions, <STOP> do not proceed, post back with the question or problem before going any further.

Before we proceed please make sure any open programs are closed.

Step 1:
Re-Run ERUNT

Please backup the registry with ERUNT again before proceeding.

Step 2:
Registry Fix

Please temporarily disable your Anti-virus real-time protection. If active, it could impact the following fixes. Refer to This Howto Topic (http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/490111-how-disable-your-security-applications.html), if necessary.
** Make sure you are using an account that has Administrative privileges **

Click on Start > Run.
In the text entry box type:

notepad


Then click on the OK button.
This will open an empty Notepad file.
Copy and Paste the contents of the box below into the Notepad window:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions]
"NoBrowserOptions"=dword:00000000


Make sure there are NO blank lines before Windows Registry Editor Version 5.00.
Click Format and ensure Wordwrap is Unchecked.
Save as fix1.reg to the Desktop.
Save as file type All Files or it won't work.
Double-click on the fix1.reg file on your Desktop. When prompted to merge click on the Yes button.
Wait approximately 30 seconds and then Reboot the computer to complete the fix.
Please confirm whether or not the No Access to Internet Options issue has been resolved.
Remember to re-enable your Anti-virus application after running the above fix!

Step 3:
Include in Next Post

Did you have any problems carrying out the instructions?
Has the Registry Fix resolved the No Access to Internet Options issue?
How is the computer now running?

Scolabar
--------------------------------------------------------------------------
No Reply Within 3 Days Will Result In Your Topic Being Closed
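
A way to check whether the fix1.reg merge above actually changed the value, as an added example that is not part of the thread or of any tool it uses: this PowerShell script reads NoBrowserOptions from the HKCU key the fix targets and from its machine-wide HKLM counterpart (assumed here to be the path a machine policy would use), and with -Fix writes the same DWORD 0 that fix1.reg does. It assumes PowerShell is available on the machine, which the thread does not state.

```powershell
param([switch]$Fix)   # report only by default; -Fix applies the same change as fix1.reg

$ValueName  = 'NoBrowserOptions'
$UserKey    = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Restrictions'  # key fix1.reg writes
$MachineKey = 'HKLM:\Software\Policies\Microsoft\Internet Explorer\Restrictions'  # machine-wide counterpart (assumed)

function Get-NoBrowserOptionsState {
    param([string[]]$Paths, [string]$Name)
    foreach ($path in $Paths) {
        $keyExists = Test-Path -LiteralPath $path
        $value = $null
        if ($keyExists) {
            $props = Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue
            if ($props -and $props.PSObject.Properties[$Name]) { $value = [int]$props.$Name }
        }
        New-Object PSObject -Property @{
            Key       = $path
            KeyExists = $keyExists
            Value     = $value
            Blocking  = ($value -ne $null -and $value -ne 0)  # any non-zero DWORD hides Internet Options
        } | Select-Object Key, KeyExists, Value, Blocking
    }
}

function Reset-NoBrowserOptions {
    # Same effect as merging fix1.reg: create the key if needed and set the DWORD to 0.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -LiteralPath $Path -Name $Name -Value 0 -Type DWord
}

# HKCU is per account: a .reg merged while logged in as one user changes nothing for another,
# so run this from the account whose Internet Options dialog is blocked.
$states = Get-NoBrowserOptionsState -Paths @($UserKey, $MachineKey) -Name $ValueName
$states | Format-Table -AutoSize

if ($Fix) {
    Reset-NoBrowserOptions -Path $UserKey -Name $ValueName
    # Read the value back so the result shows whether the write actually landed.
    $after = Get-NoBrowserOptionsState -Paths @($UserKey) -Name $ValueName
    if ($after.Value -eq 0) { Write-Host "HKCU $ValueName is now 0 (same as merging fix1.reg)." }
    else { Write-Warning "HKCU $ValueName could not be read back as 0; the write did not take effect." }
}

$machine = $states | Where-Object { $_.Key -eq $MachineKey }
if ($machine.Blocking) {
    # A machine policy overrides the user value, so the user-level fix alone cannot clear it.
    Write-Warning "$ValueName is also set under HKLM; the HKCU fix will not lift that restriction."
}
```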

I_dream_of_Mercury
2011-12-17, 15:32
Scolabar, hi,

1. Did you have any problems carrying out the instructions?

The instructions were easy to follow.

2. Has the Registry Fix resolved the No Access to Internet Options issue?

I still don't have access to Internet Options :sad:

I followed the instructions carefully - I disabled OnlineArmor, Resident/Tea Timer, and Avira, made sure there was no blank line or space before the code, that Notepad had Wordwrap unchecked, changed to All Files when I saved, named it fix1.reg. The message I got didn't use the word "merge," but I did say yes to the prompt to proceed. In just a second, it displayed a box saying it was successful. I waited about 30 seconds, then rebooted.

Neither Tools>Options from inside IE nor the Control Panel access it.

Although I've confirmed that my current user account has administrative privileges, when it didn't work, I tried logging in as Administrator, which requires Safe Mode, on XP. It still didn't work.

I noticed, before (and after) running fix1.reg, that there's now no Internet Options icon in Administrator's Control Panel. I cannot turn Avira on, as the Administrator in Safe Mode - I don't know whether that's normal or not.


2. How is the computer now running?

The computer's running faster than it was :) Programs launch more quickly and it performs without lagging, as far as I can tell so far.

Some other recent symptoms since the infection and working on the computer are still the same, such as not being able to drag and drop text online, and computer sounds sputtering instead of playing smoothly. I've just noticed that although I can turn Pop-up Blocker on and off, I can't access the Pop-up Blocker Settings. One website that was displaying strange behavior, but which is a well-known and normally trusted site, is still acting strange for me.


A question: Is it alright for me to clean up usage tracks with Spybot S&D, right now?

Thanks very much for your continued help ;)

Scolabar
2011-12-18, 12:00
Hi I_dream_of_Mercury,

Thank you for all the feedback once again. :)

The Registry Fix should have resolved your Internet Options access issue. I am beginning to wonder whether a possible hardware issue might be responsible for the Internet Explorer and other issues you are continuing to experience. Let's run another


Is it alright for me to clean up usage tracks with Spybot S&D, right now?
Please wait until after you have completed the instructions below before proceeding with the Spybot cleanup. ;)

Again, please remember to read the instructions below carefully before executing and perform the steps, in the order given.
If you have any questions about or problems executing these instructions, <STOP> do not proceed, post back with the question or problem before going any further.

Before we proceed please make sure any open programs are closed.

Step 1:
Backup All User Data

Please make sure all user data is backed up to an external device: hard drive, DVD or CD, before proceeding.

Step 2:
Check Hard Disk For Errors

Click on Start and select Run.
Then Copy and Paste the following command into the box and then click on the OK button:

cmd /c chkdsk c: |find /v "percent" >> "%userprofile%\desktop\checkhd.txt"

A blank command window will open on your Desktop, then close in a few minutes. This is normal.
A file and icon named checkhd.txt should appear on your Desktop.
Please Copy and Paste the contents of the checkhd.txt file into your next reply.

Step 3:
Include in Next Post

Did you have any problems carrying out the instructions?
checkhd.txt.

Scolabar
--------------------------------------------------------------------------
No Reply Within 3 Days Will Result In Your Topic Being Closed

I_dream_of_Mercury
2011-12-18, 16:38
Scolabar, thanks for your reply.

I'm a little embarrassed to confess that I'm only familiar with saving documents to an external device, such as a flash drive, or transferring music to an mp3 player, not doing a user data backup.

In the course of treating this computer, I've saved only the most important files to a flash drive and saved System State to the internal drive, but haven't done a full external backup of user data, so far.

So,
1. Would you please point me to instructions for properly backing up user data, as you instructed, to an external device?

2. Is a flash drive alright for doing this backup?

3. How big is the backup, not counting My Documents, likely to be, if it's possible to estimate, so I can anticipate enough space on the external device?

4. Can the same external drive be used to back up both pc's and Macs? I ask because I might take this opportunity to get a new external drive, and want to consider how much I want to invest in one, in case I get an Apple product, in future.

Thanks for your help and information.

Scolabar
2011-12-19, 14:32
Hi I_dream_of_Mercury,

In answer to your questions:


Would you please point me to instructions for properly backing up user data, as you instructed, to an external device?
The information on how to backup your data was provided at the end of my initial reply. ;)


Backup Your Data - Windows XP (http://support.microsoft.com/kb/308422)

Is a flash drive alright for doing this backup?
That depends on the volume of data you need to backup and the size of your flash drive. Personally, I would only recommend backing up to flash drives if you have no other alternative. They are the modern equivalent of the old floppy disks, in my view. An external hard drive or DVD's would be preferable.


How big is the backup, not counting My Documents, likely to be, if it's possible to estimate, so I can anticipate enough space on the external device?
Essentially, your user data is the contents of your entire User Account directory, which in your case would be: C:\Documents and Settings\user. To find out the full size of that directory you may need to Show All Files/Folders (- see instructions below). Then navigate to the C:\Documents and Settings directory, right-click on the user directory and select Properties from the pop-up menu. In the Properties window the amount of actual data to be backed up is shown under Size:. The Size on Disk: information will tell you how much space the data actually takes up on the storage device (- C: drive in this case). This can vary depending on the size of the storage device.

Show Hidden Files and Folders

Enable the Show Hidden Files and Folders option, like this:

Click Start. Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide extensions for known file types. option.
Uncheck the Hide protected operating system files (recommended) option.
Click Apply to set. Click OK.
Note: To Disable the Show Hidden Files and Folders option simply revert and save the options.

Can the same external drive be used to back up both pc's and Macs?
Yes. For optimum performance simply create two separate partitions on the external drive: one for Windows (NTFS format) and one for Mac (HFS+ format). Any external drive can be used, bearing in mind that very few PC's have FireWire ports so USB2 is likely to be the common denominator. You can then use the flash drive to transfer data as required between the two operating systems.

Scolabar
--------------------------------------------------------------------------
No Reply Within 3 Days Will Result In Your Topic Being Closed

I_dream_of_Mercury
2011-12-21, 04:14
Hi, again!

First, here's the checkhd.txt:

The type of the file system is NTFS.
WARNING! F parameter not specified.
Running CHKDSK in read-only mode.
CHKDSK is verifying files (stage 1 of 3)...
CHKDSK is verifying indexes (stage 2 of 3)...
CHKDSK is verifying security descriptors (stage 3 of 3)...
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
Correcting errors in the Volume Bitmap.
Windows found problems with the file system.
Run CHKDSK with the /F (fix) option to correct these.
156167864 KB total disk space.
33767296 KB in 91796 files.
35900 KB in 6791 indexes.
0 KB in bad sectors.
206596 KB in use by the system.
65536 KB occupied by the log file.
122158072 KB available on disk.
4096 bytes in each allocation unit.
39041966 total allocation units on disk.
30539518 allocation units available on disk.



The information on how to backup your data was provided at the end of my initial reply. ;)

I did follow those directions, when responding to your initial reply! I had already saved the most important of My Documents to an external device (a flash drive), upon suspicion of infection. The instructions said to select the drives you want to back up, and to select System State, so I did a backup of System State. The Backup Utility said, "Choose a place to save your backup," and Browse opened to C:\Backup Files Folder, by default, so I saved it there.

This time, when you mentioned user data and external device, and since you were talking about doing something with the hardware, I thought I must need to back up more than My Documents and System State. As I confessed, I'm not knowledgeable about backups beyond getting a copy of My Documents to an external device. I'm sure I'm negligent in this.

I don't know whether to go into detail about backing up, this time. Basically, the first time I tried, it falsely reported that the medium was full, when it was not nearly full, and aborted the backup. So the next try, I selected files to backup, in the folder you indicated, C:\Documents and Settings\user, leaving out My Documents, so that the file was a fraction the size, and the backup completed. I don't know whether the false report about the drive being full is a problem with the Backup Utility, or with the flash drive.

Thanks for info about flash drives and external hard drives :) I'll get a portable external hard drive as soon as I'm able.

Scolabar
2011-12-22, 19:24
Hi I_dream_of_Mercury,

Thank you for the log and feedback. :)

Congratulations, your computer now appears to be malware free! :)

I can now confirm that any computer issues you may still be experiencing are not malware-related.

Not A Malware Issue

I recommend you try a good System/Hardware Help Forum. Some suggested links are provided below. ;)
These sites have a variety of experts, that are better equipped to investigate and resolve these kinds of issues.

Good System/Hardware Help Forums
Computer Trouble (http://forum.computertrouble.co.uk/index.php)
GeekstoGo (http://www.geekstogo.com/forum/Windows-XP-2000-2003-NT-f5.html)
NutNWorks (http://www.nutnworks.com/forums/forumdisplay.php?f=60)
TechSupportGuy (http://forums.techguy.org/21-windows-nt-2000-xp/)
Whatthetech (http://forums.whatthetech.com/forums.html)
Free registration may be required in order to post at these forums and will only take a few minutes. :)


Now that your computer appears to be clear of malware infection we need to tidy a few things up and deal with a few remaining items:

Step 1:
Housekeeping

It's now time for some housekeeping. Please follow the instructions below to remove the tools we have used to clean up your computer.


OTL - Cleanup

Right-click on OTL.exe and select the Run As Administrator option to launch the program. If you receive a UAC prompt, please allow it.
This will remove most, if not all, of the tools we used to clean your PC.
Close all other programs apart from OTL as this step will require a reboot.
On the OTL main screen, press the CleanUp! button.
Click on the Yes button at the prompt and then allow the program to reboot your computer.
Remove Tools Used

You can now safely delete the tools used in cleaning up the infection. Please remove the following tools from your system along with any related .zip files.

aswMBR.exe
fix1.reg
MicrosoftFixit50195.exe
Please Note: These tools are updated on a regular basis and so, if required in future, should be downloaded afresh under supervision.
Step 2:
Create Clean System Restore Point

Create a new, clean System Restore point which can be used in the event of future system problems:

Click on Start > All Programs > Accessories > System Tools > System Restore.
Select the Create a restore point option then click on Next.
You can name your new Restore Point something like All Clean, for example, and then select Create.
Once the Restore Point has been created you can click on Close.
Now remove old, infected System Restore points:
Next click on Start > Run.
Copy and Paste the following command into the text entry box:

cleanmgr
Then click on the OK button.
Make sure the boxes for Recycle Bin, Temporary Files and Temporary Internet Files are checked. You can choose to check other boxes if you wish but they are not required.
Select the More Options tab, under System Restore and click on the Clean up... button and reply Yes to the prompt.
Click on the OK button and the Yes button to confirm.
Step 3:
Security Vulnerabilities

I cannot stress how important it is to keep your security software up-to-date. In particular, if you don't keep your Operating System and Internet Explorer up-to-date the computer will be open to re-infection. Since we have been working on your computer the following software has been updated. ;)


Outdated Java SE Runtime Environment (JRE)

Please download from HERE (http://java.sun.com/javase/downloads/index.jsp):

Find Java SE 7u2.
Click on the Download JRE button to the right.
Choose the correct Platform and Multi-language. Next, check the box that says I agree to the Java SE Runtime Environment 6 License Agreement.
Click on the Continue button.
Click on the filename under Windows Offline Installation and save it to your Desktop.
Close all active windows.
Double-click on the installer file and follow the prompts to install the program.
Step 4:
Improve Your Computer's Security


Foxit Reader
Please remember to check for updates on a regular basis. You can do this by launching the program and selecting Check for Updates Now from the Help menu. Checking for Foxit Reader updates can also be configured automatically by clicking on the Preferences button at the bottom of the Foxit Reader Updates window and selecting either the Each Week or Each Month option. Keeping this software up-to-date will help to ensure your system remains malware free.

Spybot S&D
Please remember to re-enable TeaTimer. Ensure the program is updated on a regular basis and run a scan once every couple of weeks. This will help you to keep your computer clear of malware.
Please Note: If you consider TeaTimer to be somewhat intrusive you may prefer to keep this feature of the Spybot S&D product disabled. In addition, you may need to disable Spybot S&D's TeaTimer anyway before running other security tools to avoid any conflicts or interference.

MalwareBytes' AntiMalware
It is worth keeping MalwareBytes' AntiMalware on your system. Updating the program and running a scan once every couple of weeks will help you to keep your computer malware free.

Below are some additional (free) programs, that can help improve your computer's security.
Many feel that having a "layered" protection scheme is beneficial; you'll have to decide what works best for your situation. You may like to give them a try. :)


Alternative Web Browser
Many malware exploits are directed at users of Internet Explorer. Try using a different web browser instead: Mozilla Firefox (http://www.mozilla.com/en-US/firefox/) or Opera (http://www.opera.com/download/)

SiteAdvisor
SiteAdvisor is a toolbar for Microsoft Internet Explorer and Mozilla Firefox which alerts you if you're about to enter a potentially dangerous website.
You can find more information and download it from Here (http://www.siteadvisor.com/).

Panda USB Vaccine
Protect your computer from removable or USB drive infections with Panda USB Vaccine. It is an effective method of preventing the spread of malware.
You can download and learn more about this product from Here (http://www.pandasecurity.com/homeusers/downloads/usbvaccine/).
Step 5:
Further Guidelines

Please follow these simple guidelines in order to help keep your computer more secure:


Update your Anti-virus program and other programs regularly.
Online Secunia Software Inspector (http://secunia.com/vulnerability_scanning/online/) - Copyright Secunia.
Refer to F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html) - Copyright F-Secure Corporation.

Visit Microsoft often
Keep on top of critical updates, as well as other updates for your computer.
How to configure and use Automatic Updates in Windows XP (http://support.microsoft.com/kb/306525)
Using Windows Update for Windows XP (http://www.microsoft.com/windows/downloads/windowsupdate/learn/windowsxp.mspx)
Microsoft Update Home (http://www.update.microsoft.com)

Read, stay informed.
To help minimize the chances of becoming re-infected, please read:
Computer Security - a short guide to staying safer online (http://www.malwareremoval.com/forum/viewtopic.php?p=557960#p557960)

If your computer is running slowly after your clean up, please read:
What to do if your Computer is running slowly (http://www.malwareremoval.com/tutorials/runningslowly.php)
Please confirm that you have completed the cleanup steps and reviewed the rest of the post.
Once your reply has been received, unless there are other malware questions or concerns, this topic will be closed as resolved.

Stay Safe! :santa:
Scolabar
--------------------------------------------------------------------------
No Reply Within 3 Days Will Result In Your Topic Being Closed

I_dream_of_Mercury
2011-12-23, 03:29
OTL Cleanup has now been running for 7 hours, without rebooting. It displays the message, "Processing [deleteself]...".

Could this possibly be correct or normal?

I shut down every program, including Spybot S&D TeaTimer/Resident, Avira, and OnlineArmor firewall, before and during running OTL.exe Cleanup. I let it run for 6 3/4 hours before coming online to ask what to do about this. I only have 32GB total on the hard drive, 12GB of which is My Documents, so it's not as if it's plowing through a massive system.

Task Manager says it's running.

Please advise.

Scolabar
2011-12-23, 14:17
Hi I_dream_of_Mercury,

Apologies for the inconvenience. :)

Firstly, please stop the OTL Cleanup process using the Task Manager.

Below is a replacement set of instructions for Step 1 of my previous post.
Before we proceed please make sure any other open programs are closed.

Step 1:
Housekeeping

It's now time for some housekeeping. Please follow the instructions below to remove the tools we have used to clean up your computer.


ComboFix - Uninstall

Please Download CF_Uninstall.exe (http://download.bleepingcomputer.com/sUBs/CF_UNINST.EXE) and Save it to your Desktop.
Alternate Download (http://compendiate.net/sUBs/Beta/CF_UNINST.EXE)
Double-click on CF_Uninstall.exe to run the program.
This should complete the uninstallation of ComboFix.
Note: Please let me know if you encounter any problems.

Remove Tools Used

You can now safely delete the tools used in cleaning up the infection. Please remove the following tools from your system along with any related .zip files.


aswMBR.exe
fix1.reg
MicrosoftFixit50195.exe
OTL.exe

Please Note: These tools are updated on a regular basis and so, if required in future, should be downloaded afresh under supervision.

Step 2:
Continuation

Please continue with Step 2 onwards as provided in my previous set of instructions.
Again, please let me know if you experience any problems.

Scolabar

Scolabar
2011-12-26, 10:08
Hi I_dream_of_Mercury,

I hope you had an enjoyable and relaxing day, yesterday. :santa:

It has been over 48 hours since my last post.

Do you still need help?
Do you need more time?
Are you having problems following my instructions?
In line with Safer-Networking's policy, topics will be closed after 3 days without a response.
If you do not reply within the next 24 hours, this topic will be closed.

Scolabar
--------------------------------------------------------------------------
No Reply Within 3 Days Will Result In Your Topic Being Closed

Cypher
2011-12-27, 13:35
This topic has been archived due to inactivity.

If it has been three days or more since your last post, and the helper assisting you posted a response to which you did not reply, your thread will not be re-opened. At that point, if you still require help, please start a new topic and include a new DDS log with a link to your previous thread. Please do not add any logs that might have been requested previously, you would be starting fresh.

If it has been less than three days since your last response and you need the thread re-opened, please send your helper a private message (pm). A valid, working link to the closed topic is required.