
Thread: I am back II

  1. #41
    Visiting Fellow
    Join Date
    Mar 2011
    Location
    Canada
    Posts
    142

    Default I am back II

    Very good, Nanich; glad you were able to successfully run the scans. You forgot to tell me how your computer is behaving at this stage. Please include this information in your next reply.

    Please run the following scans

    1. ESET Online Scanner

    Note:
    • Disable any antivirus program and antispyware programs to avoid conflicts.
    • Run ESET using Internet Explorer; if you are using Mozilla Firefox, you will need to download esetsmartinstaller_enu.exe when prompted, then double click on it to install.
    • Please do not surf the internet while your security programs are disabled.
    • Let the scan run uninterrupted to avoid a stall.
    • Remember to enable your security programs when the scan has finished.

    Run ESET Online Scanner from HERE.
    • Click the green ESET Online Scanner button.
    • Read the End User License Agreement and check the box YES, I accept the Terms of Use.
    • Click on the Start button next to it.
    • If prompted, allow the Add-On/Active X to install.

    Under Computer scan settings:
    • Do not check Remove found threats
    • Check Scan Archives.
    • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
    • Click Start. ESET will download updates, install itself, and begin scanning your computer. Please be patient as this scan could take up to a few hours to complete.
    • Wait for the scan to finish. When the scan completes, click List of found threats.
    • Click Export and save the file to your desktop using a unique name, such as ESETScan.
    • Copy and paste the contents of this report in your next reply.
    • Click the Back button.
    • Click the Finish button.


    2. DDS


    Please run DDS again and send me a fresh log.

    3. Malwarebytes Log

    I would like to examine the Malwarebytes log listing the 8 infections. Please open up MBAM and go to the Logs tab. Locate the log showing the infected files, copy and paste that report into your next reply.

  2. #42
    Member
    Join Date
    Nov 2009
    Posts
    39

    Default

    Thanks. I am just starting the scan. It has been a few days, and it looks like it will not be finished for a few hours and until I wake up, so I thought I would let you know it will be tomorrow before I am finished.

    Don

  3. #43
    Member
    Join Date
    Nov 2009
    Posts
    39

    Default

    C:\Documents and Settings\Don\Application Data\SearchProtect\bin\ChromeModule.dll a variant of Win32/Conduit.SearchProtect.C application
    C:\Documents and Settings\Don\Application Data\SearchProtect\bin\CltMngSvc.exe Win32/Conduit.SearchProtect.A application
    C:\Documents and Settings\Don\Application Data\SearchProtect\bin\FirefoxModule.dll a variant of Win32/Conduit.SearchProtect.C application
    C:\Documents and Settings\Don\Application Data\SearchProtect\bin\InternetExplorerModule.dll a variant of Win32/Conduit.SearchProtect.C application
    C:\Documents and Settings\Don\Application Data\SearchProtect\bin\SPHook32.dll probably a variant of Win32/Conduit.SearchProtect.C application
    C:\Documents and Settings\Don\Application Data\SearchProtect\ffprotect\application.js Win32/Conduit.SearchProtect.A application
    C:\Documents and Settings\Don\Application Data\Sun\Java\Deployment\cache\6.0\10\b7799ca-50166c54 a variant of Win32/Kryptik.BCXO trojan
    C:\Documents and Settings\Don\Application Data\Sun\Java\Deployment\cache\6.0\39\14a58aa7-5df6506f a variant of Win32/Kryptik.BCXO trojan
    C:\Documents and Settings\Don\Application Data\Sun\Java\Deployment\cache\6.0\9\341af249-1e4c1d4b a variant of Win32/Kryptik.BCXO trojan
    C:\Documents and Settings\Don\Local Settings\Application Data\Microsoft\Windows Live Mail\Hotmail\Junk e-mail\31B3463E-00003D38.eml HTML/Pharmacy.A trojan
    C:\Documents and Settings\Don\Local Settings\temp\jar_cache1364093449645286197.tmp Java/Exploit.Agent.OML trojan
    C:\Documents and Settings\Don\Local Settings\temp\jar_cache4386346603285378382.tmp Java/Exploit.Agent.OML trojan
    C:\Documents and Settings\Don\Local Settings\temp\jar_cache5094616853861399607.tmp Java/Exploit.Agent.OML trojan
    C:\Documents and Settings\Don\Local Settings\temp\SecondStepInstaller.exe multiple threats
    C:\Program Files\SearchProtect\bin\ChromeModule.dll a variant of Win32/Conduit.SearchProtect.C application
    C:\Program Files\SearchProtect\bin\FirefoxModule.dll a variant of Win32/Conduit.SearchProtect.C application
    C:\Program Files\SearchProtect\bin\InternetExplorerModule.dll a variant of Win32/Conduit.SearchProtect.C application
    C:\Program Files\SearchProtect\bin\SPHook32.dll probably a variant of Win32/Conduit.SearchProtect.C application
    C:\Program Files\SearchProtect\ffprotect\application.js Win32/Conduit.SearchProtect.A application
    C:\RECYCLER\S-1-5-18\$bf8ab89017d7b48fe2e69a05db75957f\U\80000000.@ Win32/Sirefef.FA trojan
    C:\RECYCLER\S-1-5-18\$bf8ab89017d7b48fe2e69a05db75957f\U\800000cb.@ a variant of Win32/Sirefef.FL trojan
    C:\System Volume Information\_restore{63A83696-D3B1-49B2-B970-71CBE9E79BD0}\RP1113\A0177580.dll Win32/Conduit.SearchProtect.A application
    C:\System Volume Information\_restore{63A83696-D3B1-49B2-B970-71CBE9E79BD0}\RP1113\A0177581.exe Win32/Conduit.SearchProtect.A application
    C:\System Volume Information\_restore{63A83696-D3B1-49B2-B970-71CBE9E79BD0}\RP1113\A0177582.dll Win32/Conduit.SearchProtect.A application
    C:\System Volume Information\_restore{63A83696-D3B1-49B2-B970-71CBE9E79BD0}\RP1113\A0177583.dll Win32/Conduit.SearchProtect.A application
    C:\System Volume Information\_restore{63A83696-D3B1-49B2-B970-71CBE9E79BD0}\RP1113\A0177584.dll Win32/Conduit.SearchProtect.A application
    C:\System Volume Information\_restore{63A83696-D3B1-49B2-B970-71CBE9E79BD0}\RP1113\A0177585.exe Win32/Conduit.SearchProtect.A application
    C:\System Volume Information\_restore{63A83696-D3B1-49B2-B970-71CBE9E79BD0}\RP1145\A0189121.dll Win32/Conduit.SearchProtect.A application
    C:\System Volume Information\_restore{63A83696-D3B1-49B2-B970-71CBE9E79BD0}\RP1145\A0189122.dll Win32/Conduit.SearchProtect.A application
    C:\System Volume Information\_restore{63A83696-D3B1-49B2-B970-71CBE9E79BD0}\RP1145\A0189123.dll Win32/Conduit.SearchProtect.A application
    C:\System Volume Information\_restore{63A83696-D3B1-49B2-B970-71CBE9E79BD0}\RP1145\A0189124.exe Win32/Conduit.SearchProtect.A application
    C:\System Volume Information\_restore{63A83696-D3B1-49B2-B970-71CBE9E79BD0}\RP1145\A0189125.dll Win32/Conduit.SearchProtect.A application
    C:\System Volume Information\_restore{63A83696-D3B1-49B2-B970-71CBE9E79BD0}\RP1145\A0189126.exe Win32/Conduit.SearchProtect.A application
    C:\System Volume Information\_restore{63A83696-D3B1-49B2-B970-71CBE9E79BD0}\RP1145\A0189127.dll a variant of Win32/Conduit.SearchProtect.C application
    C:\System Volume Information\_restore{63A83696-D3B1-49B2-B970-71CBE9E79BD0}\RP1145\A0189128.exe a variant of Win32/Conduit.SearchProtect.B application
    C:\System Volume Information\_restore{63A83696-D3B1-49B2-B970-71CBE9E79BD0}\RP1145\A0189130.dll a variant of Win32/Conduit.SearchProtect.C application
    C:\System Volume Information\_restore{63A83696-D3B1-49B2-B970-71CBE9E79BD0}\RP1145\A0189131.dll a variant of Win32/Conduit.SearchProtect.C application
    C:\System Volume Information\_restore{63A83696-D3B1-49B2-B970-71CBE9E79BD0}\RP1145\A0189134.dll probably a variant of Win32/Conduit.SearchProtect.C application
    C:\System Volume Information\_restore{63A83696-D3B1-49B2-B970-71CBE9E79BD0}\RP1170\A0198912.exe Win32/Adware.FakeAV.G application
    C:\System Volume Information\_restore{63A83696-D3B1-49B2-B970-71CBE9E79BD0}\RP1170\A0201930.exe Win32/Adware.1ClickDownload.W application
    C:\_OTL\MovedFiles\05212013_214810\C_Documents and Settings\Don\Application Data\SearchProtect\bin\cltmng.exe a variant of Win32/Conduit.SearchProtect.B application
    C:\_OTL\MovedFiles\05212013_214810\C_Program Files\Mozilla Firefox\components\sprotector.js Win32/Conduit.SearchProtect.A application
    C:\_OTL\MovedFiles\05212013_214810\C_Program Files\SearchProtect\bin\cltmng.exe a variant of Win32/Conduit.SearchProtect.B application
    C:\_OTL\MovedFiles\05272013_193927\C_Documents and Settings\LocalService\Application Data\SearchProtect\ffprotect\application.js Win32/Conduit.SearchProtect.A application
    C:\_OTL\MovedFiles\05272013_193927\C_Documents and Settings\LocalService\Application Data\SearchProtect\ffprotect\nsprotector.js Win32/Conduit.SearchProtect.A application
    C:\_OTL\MovedFiles\05272013_193927\C_Program Files\SearchProtect\bin\CltMngSvc.exe Win32/Conduit.SearchProtect.A application
    C:\_OTL\MovedFiles\06122011_133813\C_Documents and Settings\Don\Application Data\Sun\Java\Deployment\cache\6.0\0\649e4dc0-1ce721d5 probably a variant of Java/TrojanDownloader.Agent.NCT trojan
    C:\_OTL\MovedFiles\06122011_133813\C_Documents and Settings\Don\Application Data\Sun\Java\Deployment\cache\6.0\36\447ebda4-6f2e08b7 a variant of Java/Agent.BP trojan
    C:\_OTL\MovedFiles\06122011_133813\C_Documents and Settings\Don\Application Data\Sun\Java\Deployment\cache\6.0\43\176ed76b-39617702 Java/Agent.AD trojan
    C:\_OTL\MovedFiles\06122011_133813\C_Documents and Settings\Don\Application Data\Sun\Java\Deployment\cache\6.0\45\34b2d7ed-677d334e Java/TrojanDownloader.OpenConnection.CU trojan


    DDS (Ver_2012-11-20.01) - NTFS_x86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
    Run by Don at 9:32:28 on 2013-06-09
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2228 [GMT -7:00]
    .
    AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: PC Tools Firewall Plus *Enabled*
    .
    ============== Running Processes ================
    .
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\AVAST Software\Avast\avastUI.exe
    C:\Program Files\Samsung\Kies\KiesTrayAgent.exe
    C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
    C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
    C:\Documents and Settings\Don\Application Data\Dropbox\bin\Dropbox.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\PC Tools Firewall Plus\FWService.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
    C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch
    C:\WINDOWS\system32\svchost.exe -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.ca/
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
    BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [KiesPDLR] c:\program files\samsung\kies\external\firmwareupdate\KiesPDLR.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
    mRun: [KiesHelper] c:\program files\samsung\kies\KiesHelper.exe /s
    mRun: [KiesTrayAgent] c:\program files\samsung\kies\KiesTrayAgent.exe
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [ProfilerU] c:\program files\saitek\sd6\software\ProfilerU.exe
    mRun: [SaiMfd] c:\program files\saitek\sd6\software\SaiMfd.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    StartupFolder: c:\docume~1\don\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\don\application data\dropbox\bin\Dropbox.exe
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
    uPolicies-Explorer: NoDriveAutoRun = dword:67108863
    mPolicies-Explorer: NoDriveAutoRun = dword:67108863
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
    mPolicies-Explorer: NoDriveAutoRun = dword:67108863
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    TCP: NameServer = 64.59.160.13 64.59.161.68
    TCP: Interfaces\{7F78B2EB-7177-4840-97C8-62D965C16EE8} : DHCPNameServer = 64.59.160.13 64.59.161.68
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\27.0.1453.110\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\don\application data\mozilla\firefox\profiles\2qm8uqye.default-1367778406205\
    FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.3.21.145\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll
    FF - plugin: c:\program files\ubisoft\ubisoft game launcher\npuplaypc.dll
    FF - plugin: c:\program files\ubisoft\ubisoft game launcher\npuplaypchub.dll
    FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_7_700_202.dll
    FF - ExtSQL: 2013-05-27 05:16; {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}; c:\program files\mozilla firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2012-9-21 177376]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2012-9-14 35552]
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-6-12 441176]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-6-12 307928]
    R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-12-21 233136]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-6-12 19544]
    R2 PCToolsFirewallPlus;PC Tools Firewall Plus;c:\program files\pc tools firewall plus\FWService.exe [2009-12-21 818432]
    R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\all users\application data\skype\toolbars\skype c2c service\c2c_service.exe [2013-5-14 3289208]
    R3 iDispService;iDispService;c:\windows\system32\drivers\idisplayminiport.sys [2012-3-21 14248]
    R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [2009-12-21 70664]
    R3 pctNDIS;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [2009-12-21 58816]
    R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [2009-12-21 115216]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2012-11-15 94048]
    S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys --> c:\windows\system32\drivers\is3srv.sys [?]
    S0 szkg5;szkg5;c:\windows\system32\drivers\szkg.sys --> c:\windows\system32\drivers\szkg.sys [?]
    S0 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys --> c:\windows\system32\drivers\szkgfs.sys [?]
    S0 trodo;trodo;c:\windows\system32\drivers\glsyqnmg.sys --> c:\windows\system32\drivers\glsyqnmg.sys [?]
    S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2012-10-2 159712]
    S2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-6-12 42184]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate1c9c62bfc4ddf28;Google Update Service (gupdate1c9c62bfc4ddf28);c:\program files\google\update\GoogleUpdate.exe [2009-4-25 133104]
    S2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-10-16 418376]
    S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-11-7 701512]
    S2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2009-12-21 88040]
    S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-11-9 160944]
    S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [2011-10-8 77624]
    S3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [2011-10-8 20032]
    S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [2007-5-30 39424]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-11-7 22856]
    S3 PCTFW-DNS;PCTools Firewall - DNS driver;c:\windows\system32\drivers\pctNdis-DNS.sys [2009-12-21 32680]
    S3 SaiH0461;SaiH0461;c:\windows\system32\drivers\SaiH0461.sys [2010-2-19 132232]
    S3 SMART SNMP Agent Service;SMART SNMP Agent Service;c:\program files\smart technologies\classroom teacher\smartsnmpagent.exe --> c:\program files\smart technologies\classroom teacher\SMARTSNMPAgent.exe [?]
    S3 smrtdrv;SMART Technologies Inc. Mirror Driver;c:\windows\system32\drivers\smrtdrv.sys [2004-4-22 2432]
    S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [2011-10-8 181432]
    .
    =============== File Associations ===============
    .
    FileExt: .txt: Applications\NOTEPAD.EXE=c:\windows\system32\NOTEPAD.EXE %1 [UserChoice]
    .
    =============== Created Last 30 ================
    .
    2013-06-09 05:25:49 -------- d-----w- c:\program files\ESET
    2013-06-06 03:59:55 -------- d-----w- c:\documents and settings\don\application data\9ahRf4fD
    2013-05-23 02:54:28 -------- d-sh--w- c:\documents and settings\don\PrivacIE
    2013-05-23 02:49:05 -------- d-sh--w- c:\documents and settings\don\IETldCache
    2013-05-23 02:38:23 -------- d-----w- c:\windows\ie8updates
    2013-05-23 02:34:58 -------- dc-h--w- c:\windows\ie8
    2013-05-23 02:30:58 522240 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
    2013-05-23 02:30:35 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
    2013-05-23 02:30:32 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
    2013-05-23 02:30:31 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
    2013-05-23 02:30:31 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
    2013-05-14 20:31:10 6128760 ----a-w- c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
    2013-05-14 20:31:10 6128760 ----a-w- c:\program files\mozilla firefox\browser\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
    2013-05-14 05:04:24 6224 ------w- C:\Br20F.tmp
    .
    ==================== Find3M ====================
    .
    2013-05-14 21:07:12 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2013-05-14 21:07:12 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2013-04-16 22:17:15 920064 ----a-w- c:\windows\system32\wininet.dll
    2013-04-16 22:17:14 43520 ------w- c:\windows\system32\licmgr10.dll
    2013-04-16 22:17:14 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2013-04-12 23:28:55 385024 ------w- c:\windows\system32\html.iec
    2013-04-10 01:31:19 1876352 ----a-w- c:\windows\system32\win32k.sys
    2013-04-04 21:50:32 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
    2013-03-27 06:43:02 773968 ----a-w- c:\windows\system32\msvcr100.dll
    2013-03-27 06:43:02 421200 ----a-w- c:\windows\system32\msvcp100.dll
    .
    ============= FINISH: 9:33:20.09 ===============


    The computer is working better. It again boots into normal mode. When the computer starts, or after I leave it a bit, I have trouble with clicking the mouse. It does not seem to register. I end up having to use Alt-Tab to activate windows.

    Thanks again

    Don

  4. #44
    Member
    Join Date
    Nov 2009
    Posts
    39

    Default

    Here is the other log you asked for:

    Malwarebytes Anti-Malware 1.75.0.1300
    www.malwarebytes.org

    Database version: v2013.06.06.09

    Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
    Internet Explorer 8.0.6001.18702
    Don :: DONPETERSON [administrator]

    6/6/2013 7:24:57 PM
    mbam-log-2013-06-06 (19-24-57).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 273059
    Time elapsed: 15 minute(s), 54 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 2
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|SD2014 (Trojan.FakeAlert.ED) -> Data: C:\Documents and Settings\Don\Application Data\9ahRf4fD\9ahRf4fD.exe -> Quarantined and deleted successfully.
    HKCU\Control Panel\don't load|wscui.cpl (Hijack.SecurityCenter) -> Data: No -> Quarantined and deleted successfully.

    Registry Data Items Detected: 1
    HKCR\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32| (Trojan.0Access) -> Bad: (C:\RECYCLER\S-1-5-18\$bf8ab89017d7b48fe2e69a05db75957f\n.) Good: (fastprox.dll) -> Quarantined and repaired successfully.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 7
    C:\Documents and Settings\Don\Application Data\9ahRf4fD\9ahRf4fD.exe (Trojan.FakeAlert.ED) -> Quarantined and deleted successfully.
    C:\RECYCLER\S-1-5-21-746137067-606747145-682003330-1004\$bf8ab89017d7b48fe2e69a05db75957f\n (Trojan.0Access) -> Quarantined and deleted successfully.
    C:\RECYCLER\S-1-5-18\$bf8ab89017d7b48fe2e69a05db75957f\n (Trojan.0Access) -> Delete on reboot.
    C:\RECYCLER\S-1-5-21-746137067-606747145-682003330-1004\$RE63C507D (Trojan.Agent.ED) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Don\Local Settings\temp\24.tmp (Trojan.FakeAlert.ED) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Don\Local Settings\temp\pcmdrfiifbumolxlpyl.bfg (Malware.Packer.95) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Don\Local Settings\temp\xjmbxmpugoftlgtiwtn.bfg (Malware.Packer.95) -> Quarantined and deleted successfully.

    (end)

  5. #45
    Visiting Fellow
    Join Date
    Mar 2011
    Location
    Canada
    Posts
    142

    Default I am back II

    Hello, Nanich.

    Good work, and thank you for the logs. There are several items we need to take care of. Please run the following fix:

    • Please download OTL to your desktop from HERE or HERE.
    • Close all other applications and windows so that you have nothing open.


    • Double click on the icon on your desktop.
    Note: Vista and Windows 7 users right-click and select Run As Administrator. If you receive a UAC prompt asking if you would like to continue running the program, you should press the Continue button.
    • Under Output, click Minimal Output to select it.
    • Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
    • Then click the Run Fix button at the top.

    Code:
    :OTL
    
    :Files
    C:\Documents and Settings\Don\Application Data\SearchProtect\bin\ChromeModule.dll
    C:\Documents and Settings\Don\Application Data\SearchProtect\bin\CltMngSvc.exe
    C:\Documents and Settings\Don\Application Data\SearchProtect\bin\FirefoxModule.dll
    C:\Documents and Settings\Don\Application Data\SearchProtect\bin\InternetExplorerModule.dll
    C:\Documents and Settings\Don\Application Data\SearchProtect\bin\SPHook32.dll
    C:\Documents and Settings\Don\Application Data\SearchProtect\ffprotect\application.js
    C:\Documents and Settings\Don\Application Data\Sun\Java\Deployment\cache\6.0\10\b7799ca-50166c54
    C:\Documents and Settings\Don\Application Data\Sun\Java\Deployment\cache\6.0\39\14a58aa7-5df6506f
    C:\Documents and Settings\Don\Application Data\Sun\Java\Deployment\cache\6.0\9\341af249-1e4c1d4b
    C:\Documents and Settings\Don\Local Settings\Application Data\Microsoft\Windows Live Mail\Hotmail\Junk e-mail\31B3463E-00003D38.eml
    C:\Documents and Settings\Don\Local Settings\temp\jar_cache1364093449645286197.tmp
    C:\Documents and Settings\Don\Local Settings\temp\jar_cache4386346603285378382.tmp
    C:\Documents and Settings\Don\Local Settings\temp\jar_cache5094616853861399607.tmp
    C:\Documents and Settings\Don\Local Settings\temp\SecondStepInstaller.exe
    C:\Program Files\SearchProtect\bin\ChromeModule.dll
    C:\Program Files\SearchProtect\bin\FirefoxModule.dll
    C:\Program Files\SearchProtect\bin\InternetExplorerModule.dll
    C:\Program Files\SearchProtect\bin\SPHook32.dll
    C:\Program Files\SearchProtect\ffprotect\application.js
    C:\RECYCLER\S-1-5-18\$bf8ab89017d7b48fe2e69a05db75957f\U\80000000.@
    C:\RECYCLER\S-1-5-18\$bf8ab89017d7b48fe2e69a05db75957f\U\800000cb.@
    
    :Commands
    [purity]
    [CLEARALLRESTOREPOINTS]
    [emptytemp]
    [start explorer]
    [Reboot]
    • Let the program run unhindered; it will reboot when it is done. If it does not, please reboot your system.
    • Post the new log in your next reply.


    Mouse

    • If you have another computer, try your mouse there to see if the problem still exists.
    • Does the problem still exist if you are in Safe Mode?
    • Can you please give me specific details regarding this issue: is the problem with the left click? right click? both? always? sometimes? wireless mouse? etc.....
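The fix script in this post was assembled by hand from the ESET report in #43: each reported path becomes one line under :Files (OTL treats every line as one path), restore-point copies under System Volume Information are left to [CLEARALLRESTOREPOINTS], and files already under _OTL\MovedFiles are skipped because an earlier OTL run quarantined them. The Python below is an added example, not code from the forum, the helper, or OTL's author; it performs that same translation on a constructed sample of report lines, and the line layout it assumes (path, optional "probably"/"a variant of", Platform/Family.Variant, then "application" or "trojan", or the phrase "multiple threats") is inferred from the posted report.

```python
import re
from collections import Counter

# Constructed sample: a subset of the lines from the ESET report posted in #43.
ESET_REPORT = r"""
C:\Documents and Settings\Don\Application Data\SearchProtect\bin\ChromeModule.dll a variant of Win32/Conduit.SearchProtect.C application
C:\Documents and Settings\Don\Application Data\Sun\Java\Deployment\cache\6.0\10\b7799ca-50166c54 a variant of Win32/Kryptik.BCXO trojan
C:\Documents and Settings\Don\Local Settings\Application Data\Microsoft\Windows Live Mail\Hotmail\Junk e-mail\31B3463E-00003D38.eml HTML/Pharmacy.A trojan
C:\Documents and Settings\Don\Local Settings\temp\SecondStepInstaller.exe multiple threats
C:\RECYCLER\S-1-5-18\$bf8ab89017d7b48fe2e69a05db75957f\U\80000000.@ Win32/Sirefef.FA trojan
C:\System Volume Information\_restore{63A83696-D3B1-49B2-B970-71CBE9E79BD0}\RP1113\A0177580.dll Win32/Conduit.SearchProtect.A application
C:\_OTL\MovedFiles\05212013_214810\C_Program Files\SearchProtect\bin\cltmng.exe a variant of Win32/Conduit.SearchProtect.B application
"""

# One report line = "<path with spaces> <detection phrase>".  Paths contain spaces, so the
# path is matched lazily and the detection phrase is anchored at end of line.  The phrase
# shape below is an assumption inferred from the posted report, not ESET documentation.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?P<detection>(?:probably )?(?:a variant of )?"
    r"(?:[A-Za-z0-9]+/[A-Za-z0-9._\-]+\s+(?:application|trojan)|multiple threats))$"
)

# Paths that do not need an explicit :Files entry (reasons given in select_for_otl).
SKIP_PREFIXES = ("c:\\system volume information\\",)
SKIP_SUBSTRINGS = ("\\_otl\\movedfiles\\",)

# The :Commands block used by the fix in this thread.
OTL_COMMANDS = ["[purity]", "[CLEARALLRESTOREPOINTS]", "[emptytemp]", "[start explorer]", "[Reboot]"]


def parse_eset_report(text):
    """Return (findings, unparsed): findings is a list of (path, detection) tuples,
    unparsed collects non-empty lines that did not fit the expected layout so a
    human reviews them instead of silently losing a detection."""
    findings, unparsed = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            findings.append((m.group("path"), m.group("detection")))
        else:
            unparsed.append(line)
    return findings, unparsed


def select_for_otl(findings):
    """Keep the paths that need their own :Files line.  Restore-point copies are
    dropped because [CLEARALLRESTOREPOINTS] removes them wholesale, and anything
    under _OTL\\MovedFiles was already quarantined by a previous OTL fix."""
    selected = []
    for path, _detection in findings:
        low = path.lower()
        if low.startswith(SKIP_PREFIXES) or any(s in low for s in SKIP_SUBSTRINGS):
            continue
        selected.append(path)
    return selected


def build_otl_fix(paths):
    """Render the OTL custom-fix text: one path per line under :Files, then :Commands."""
    lines = [":OTL", "", ":Files", *paths, "", ":Commands", *OTL_COMMANDS]
    return "\n".join(lines) + "\n"


def family_counts(findings):
    """Count detections by family, dropping the variant suffix, so that
    'Win32/Conduit.SearchProtect.C' and '.A' both count as 'Win32/Conduit.SearchProtect'.
    'multiple threats' has no family token and is counted under that phrase."""
    counts = Counter()
    for _path, detection in findings:
        tokens = [t for t in detection.split() if "/" in t]
        name = tokens[0] if tokens else detection
        counts[name.rsplit(".", 1)[0]] += 1
    return counts


if __name__ == "__main__":
    found, bad = parse_eset_report(ESET_REPORT)
    print(build_otl_fix(select_for_otl(found)))
    for family, n in family_counts(found).most_common():
        print(f"{n:3d}  {family}")
    if bad:
        print("Unparsed lines (review by hand):", *bad, sep="\n  ")
```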

  6. #46
    Member
    Join Date
    Nov 2009
    Posts
    39

    Default

    All processes killed
    ========== OTL ==========
    ========== FILES ==========
    C:\Documents and Settings\Don\Application Data\SearchProtect\bin\ChromeModule.dll moved successfully.
    C:\Documents and Settings\Don\Application Data\SearchProtect\bin\CltMngSvc.exe moved successfully.
    C:\Documents and Settings\Don\Application Data\SearchProtect\bin\FirefoxModule.dll moved successfully.
    C:\Documents and Settings\Don\Application Data\SearchProtect\bin\InternetExplorerModule.dll moved successfully.
    C:\Documents and Settings\Don\Application Data\SearchProtect\bin\SPHook32.dll moved successfully.
    C:\Documents and Settings\Don\Application Data\SearchProtect\ffprotect\application.js moved successfully.
    File\Folder C:\Documents and Settings\Don\Application Data\Sun\Java\Deployment\cache\6.0\10\b7799ca-50166c54 not found.
    File\Folder C:\Documents and Settings\Don\Application Data\Sun\Java\Deployment\cache\6.0\39\14a58aa7-5df6506f C:\Documents and Settings\Don\Application Data\Sun\Java\Deployment\cache\6.0\9\341af249-1e4c1d4b C:\Documents and Settings\Don\Local Settings\Application Data\Microsoft\Windows Live Mail\Hotmail\Junk e-mail\31B3463E-00003D38.eml not found.
    C:\Documents and Settings\Don\Local Settings\temp\jar_cache1364093449645286197.tmp moved successfully.
    C:\Documents and Settings\Don\Local Settings\temp\jar_cache4386346603285378382.tmp moved successfully.
    C:\Documents and Settings\Don\Local Settings\temp\jar_cache5094616853861399607.tmp moved successfully.
    C:\Documents and Settings\Don\Local Settings\temp\SecondStepInstaller.exe moved successfully.
    C:\Program Files\SearchProtect\bin\ChromeModule.dll moved successfully.
    C:\Program Files\SearchProtect\bin\FirefoxModule.dll moved successfully.
    C:\Program Files\SearchProtect\bin\InternetExplorerModule.dll moved successfully.
    C:\Program Files\SearchProtect\bin\SPHook32.dll moved successfully.
    C:\Program Files\SearchProtect\ffprotect\application.js moved successfully.
    C:\RECYCLER\S-1-5-18\$bf8ab89017d7b48fe2e69a05db75957f\U\80000000.@ moved successfully.
    C:\RECYCLER\S-1-5-18\$bf8ab89017d7b48fe2e69a05db75957f\U\800000cb.@ moved successfully.
    ========== COMMANDS ==========
    Unable to start System Restore Service. Error code 10

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->FireFox cache emptied: 14169828 bytes
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 0 bytes

    User: Don
    ->Temp folder emptied: 2639657755 bytes
    ->Temporary Internet Files folder emptied: 569432239 bytes
    ->Java cache emptied: 5567028 bytes
    ->FireFox cache emptied: 53135752 bytes
    ->Google Chrome cache emptied: 6383089 bytes
    ->Flash cache emptied: 17994552 bytes

    User: LocalService
    ->Temp folder emptied: 66016 bytes
    ->Temporary Internet Files folder emptied: 13493637 bytes
    ->Flash cache emptied: 610 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 187017196 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 9465 bytes

    %systemdrive% .tmp files removed: 6224 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 257020276 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 705655582 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 1271481060 bytes

    Total Files Cleaned = 5,475.00 mb


    OTL by OldTimer - Version 3.2.69.0 log created on 06122013_193159

    Files\Folders moved on Reboot...

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...



    Mouse Stuff...


    The clicking issue started when I first had problems. Once the system is running for a bit it is fine, but when I first log on or leave it for a few hours, it has troubles for a few seconds. I have to alt-tab to activate even the most front window and use tab and arrow keys to select things.

    I use a wireless mouse.

    Don
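
The OTL log above is easier to act on when it is read systematically than by eye. As an added example (not OTL's own code and not part of this thread), the Python script below parses a trimmed copy of Don's log: it separates "moved successfully" from "not found" items, sums the [EMPTYTEMP] byte counts per account and reconciles them against OTL's own "Total Files Cleaned" line, and applies two triage heuristics of my own (binaries sitting in user-writable folders, and anything under RECYCLER for the LocalSystem SID S-1-5-18). The sample input is constructed from the log on this page with zero-byte lines dropped; the function names and the heuristics are assumptions, not OTL features.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the OTL log posted in this thread. Paths are
# reduced to a handful, and zero-byte [EMPTYTEMP] lines are dropped, so the byte
# total still matches OTL's own "Total Files Cleaned" summary.
SAMPLE_LOG = r"""
C:\Documents and Settings\Don\Application Data\SearchProtect\bin\CltMngSvc.exe moved successfully.
File\Folder C:\Documents and Settings\Don\Application Data\Sun\Java\Deployment\cache\6.0\10\b7799ca-50166c54 not found.
C:\Documents and Settings\Don\Local Settings\temp\SecondStepInstaller.exe moved successfully.
C:\Program Files\SearchProtect\bin\ChromeModule.dll moved successfully.
C:\RECYCLER\S-1-5-18\$bf8ab89017d7b48fe2e69a05db75957f\U\80000000.@ moved successfully.
========== COMMANDS ==========
Unable to start System Restore Service. Error code 10
[EMPTYTEMP]
User: Administrator
->Temporary Internet Files folder emptied: 33170 bytes
->FireFox cache emptied: 14169828 bytes
User: All Users
User: Default User
->Temporary Internet Files folder emptied: 33170 bytes
User: Don
->Temp folder emptied: 2639657755 bytes
->Temporary Internet Files folder emptied: 569432239 bytes
->Java cache emptied: 5567028 bytes
->FireFox cache emptied: 53135752 bytes
->Google Chrome cache emptied: 6383089 bytes
->Flash cache emptied: 17994552 bytes
User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 13493637 bytes
->Flash cache emptied: 610 bytes
User: NetworkService
->Temporary Internet Files folder emptied: 187017196 bytes
->Flash cache emptied: 9465 bytes
%systemdrive% .tmp files removed: 6224 bytes
Windows Temp folder emptied: 257020276 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 705655582 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 1271481060 bytes
Total Files Cleaned = 5,475.00 mb
"""

MOVED = re.compile(r"^(?P<path>.+?) moved successfully\.$")
NOT_FOUND = re.compile(r"^File\\Folder (?P<path>.+?) not found\.$")
USER = re.compile(r"^User: (?P<user>.+)$")
CLEANED = re.compile(r"^(?P<peruser>->)?(?P<what>.+?) (?:emptied|removed): (?P<bytes>\d+) bytes$")
ERROR = re.compile(r"^Unable to start .*Error code \d+$")
TOTAL = re.compile(r"^Total Files Cleaned = (?P<mb>[\d,]+\.\d+) mb$")
BINARY_EXT = (".exe", ".dll", ".sys", ".scr", ".com")   # heuristic list (assumption)


def parse_otl_log(text):
    """Split an OTL run log into moved/not-found paths, bytes cleaned per account, errors and the reported total."""
    result = {"moved": [], "not_found": [], "cleaned": defaultdict(int), "errors": [], "reported_mb": None}
    user = "(system)"
    for line in text.splitlines():
        line = line.strip()
        if m := MOVED.match(line):
            result["moved"].append(m["path"])
        elif m := NOT_FOUND.match(line):
            result["not_found"].append(m["path"])
        elif m := USER.match(line):
            user = m["user"]
        elif m := CLEANED.match(line):
            # "->" lines belong to the current "User:" block; bare lines are system-wide locations
            result["cleaned"][user if m["peruser"] else "(system)"] += int(m["bytes"])
        elif ERROR.match(line):
            result["errors"].append(line)
        elif m := TOTAL.match(line):
            result["reported_mb"] = float(m["mb"].replace(",", ""))
    return result


def reconcile_total(parsed, tolerance_mb=1.0):
    """Recompute the cleaned total from the per-line counts and compare with OTL's (rounded) summary line."""
    total_bytes = sum(parsed["cleaned"].values())
    computed_mb = total_bytes / (1024 * 1024)
    reported = parsed["reported_mb"]
    matches = reported is not None and abs(computed_mb - reported) <= tolerance_mb
    return total_bytes, round(computed_mb, 2), matches


def flag_unusual_paths(paths):
    """Triage heuristics (assumptions): binaries in user-writable folders, and files under a system SID's recycle bin."""
    flags = []
    for p in paths:
        low = p.lower()
        if "\\recycler\\s-1-5-18\\" in low:
            # LocalSystem does not delete files through the shell, so its RECYCLER folder is normally empty
            flags.append((p, "file under RECYCLER for the LocalSystem SID S-1-5-18"))
        elif low.endswith(BINARY_EXT) and not low.startswith(("c:\\program files\\", "c:\\windows\\")):
            flags.append((p, "binary outside Program Files/Windows (user-writable location)"))
    return flags


if __name__ == "__main__":
    parsed = parse_otl_log(SAMPLE_LOG)
    print(f"moved={len(parsed['moved'])} not_found={len(parsed['not_found'])} errors={parsed['errors']}")
    for owner, n in sorted(parsed["cleaned"].items(), key=lambda kv: -kv[1]):
        print(f"  {owner:<16} {n / 2**20:10.2f} MB")
    print("reconcile (bytes, MB, matches summary):", reconcile_total(parsed))
    for path, why in flag_unusual_paths(parsed["moved"]):
        print("FLAG:", why, "->", path)
```

On the sample the recomputed total comes to about 5,475.23 MB against OTL's 5,475.00, so the summary line is consistent with the per-line counts; the "Unable to start System Restore Service" error is surfaced separately because it explains why the helper's next post asks for a fresh restore point.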

  7. #47
    Visiting Fellow
    Join Date
    Mar 2011
    Location
    Canada
    Posts
    142

    Default I am back II

    Hello, Nanich.

    Thank you for the OTL log. Please work through the following tasks:

    1. Create New System Restore Point

    • Click Start > Run > and copy and paste the following into the Run box:

      %SystemRoot%\System32\restore\rstrui.exe

    • Click OK.
    • Select Create Restore Point, then click Next.
    • Name your new restore point (something you will remember). Click Create.
    • When the screen confirms that the restore point has been created, click Close.


    2. Delete Old Restore Points

    • Click Start > Run > and copy and paste the following into the Run box:

      Cleanmgr

    • Choose to scan drive C:\ (if C:\ is your main drive).
    • At the top, click the More Options tab.
    • Click the Clean up… button in the System Restore box.
    • Click the Yes button.
    • When finished, click the Cancel button to exit.


    3. OTL Scan

    Please run OTL again and post a fresh log in your next reply.


    Mouse Troubleshooting

    Please read and work through the suggestions in the following Microsoft support documents HERE and HERE.

    If your issue has still not been resolved, please send me the name and model of your wireless mouse.

  8. #48
    Member
    Join Date
    Nov 2009
    Posts
    39

    Default

    I am still here! I might be a couple of days!

    Don

    ------------------------------------------

    Edit: http://forums.spybot.info/showthread...-I-am-back-III

  9. #49
    Visiting Fellow
    Join Date
    Mar 2011
    Location
    Canada
    Posts
    142

    Default I am back II

    OK, thanks for letting me know.

  10. #50
    Visiting Fellow
    Join Date
    Mar 2011
    Location
    Canada
    Posts
    142

    Default

    Hello, Nanich.

    Have you set and cleared your old restore points? Have you run the OTL scan yet?
