No access to Internet Options, connectivity problem, and other problems

Hi, again! Thanks for the new instructions. I hope these huge reports are not as endless to dredge through as they look.

Don't be fooled. [ComboFix] is a powerful tool that can do some serious damage to a computer system in the hands of someone other than a trained expert. ;)

Don't worry - I won't be using it without expert direction! With luck, not at all, in future :D

1. Did you have any problems carrying out the instructions?

Well, it was *exciting* :D

A couple of unexpected things happened.

As soon as I dropped CFScript.txt into ComboFix, ComboFix asked to update. Despite the warning not to touch anything after it started running, I had to give it an answer. I hope I was right to say, Yes. It updated, then brought up the agreement screen, and appeared to run as it did previously, except that it rebooted after.

OTL complete...but not for a long time. OTL ran the fix quickly, then said, "Processing complete!" I was very pleased about that, until it sat there with that message on the screen, nothing but OTL and the wallpaper, and nothing else happened. I let it sit like that for almost 2 hours, with no idea whether it was going to do anything else or was just stuck. I agonized all that time, whether I'd have to turn the computer off to get back in, before it finally displayed the box where you click OK, and eventually asked to reboot. Thank Heavens!

I notice you already have ERUNT installed on your system. Let's use this tool to make a backup of the Registry before we proceed.

(I installed ERUNT before running DDS logs, per Tashi's "Before you post" instructions: http://forums.spybot.info/showpost.php?p=1150&postcount=2 :)

After OTL ran and rebooted, upon startup, OnlineArmor firewall blocked ERUNT's AUTOBACK.EXE trying to run. When, if ever, should I allow this program to run?

Just to note, in case others encounter it, Avira re-enables itself upon reboot. When disabling antivirus, antimalware, and firewall: every time I disable OnlineArmor, it needs to reboot, so I have to remember to disable Avira *after*.

Also, a little anomaly: Each time ComboFix runs, it deselects an item in the Restricted Sites of SpywareBlaster, Item Name: AntiMalware Guard, Address: antimalwareguard.com, and disables protection from it. I see online that some others have noticed it, too.


2. combofix.txt.

ComboFix 11-12-15.02 - user 12/15/2011 12:14:56.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1611 [GMT -8:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\cfscript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Online Armor Firewall *Disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_cerc6
.
.
((((((((((((((((((((((((( Files Created from 2011-11-15 to 2011-12-15 )))))))))))))))))))))))))))))))
.
.
2011-12-06 18:56 . 2011-12-06 18:58 -------- d-----w- c:\program files\ERUNT
2011-12-01 13:38 . 2011-12-05 18:20 -------- d-----w- c:\program files\SpywareBlaster(2)
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-06 00:39 . 2010-05-02 18:06 544656 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-01 19:32 . 2011-11-01 19:31 69792 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-01 19:32 . 2011-11-01 19:31 417952 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2011-10-21 15:30 . 2011-03-10 04:49 516692 ----a-w- c:\windows\vampsUninst.exe
2011-10-21 15:30 . 2011-03-10 04:49 1903021 ----a-w- c:\windows\vamps.scr
2011-10-10 14:22 . 2009-08-14 01:37 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2008-04-14 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 18:41 . 2008-07-30 02:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41 . 2008-04-14 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 18:41 . 2008-04-14 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-14_20.39.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-15 20:28 . 2011-12-15 20:28 16384 c:\windows\temp\Perflib_Perfdata_650.dat
+ 2011-12-15 20:01 . 2011-12-15 20:01 208896 c:\windows\ERDNT\AutoBackup\12-15-2011\Users\00000002\UsrClass.dat
+ 2011-12-15 20:01 . 2005-10-20 20:02 163328 c:\windows\ERDNT\AutoBackup\12-15-2011\ERDNT.EXE
+ 2011-12-15 20:04 . 2011-12-15 20:04 208896 c:\windows\ERDNT\12-15-2011\Users\00000002\UsrClass.dat
+ 2011-12-15 20:04 . 2005-10-20 20:02 163328 c:\windows\ERDNT\12-15-2011\ERDNT.EXE
+ 2011-12-15 20:01 . 2011-12-15 20:01 9789440 c:\windows\ERDNT\AutoBackup\12-15-2011\Users\00000001\ntuser.dat
+ 2011-12-15 20:04 . 2011-12-15 20:04 9789440 c:\windows\ERDNT\12-15-2011\Users\00000001\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-03-13 61440]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-02 281768]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2010-04-20 6678008]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PD0630 STISvc"="P0630Pin.dll" [2005-06-05 36864]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
.
c:\documents and settings\user\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2010-04-20 925688]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
.
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [4/8/2010 7:17 AM 228216]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [4/8/2010 7:17 AM 24440]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [4/8/2010 7:17 AM 29560]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/7/2010 11:34 PM 136360]
R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [4/8/2010 7:17 AM 1284600]
R2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [4/8/2010 7:17 AM 3364856]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe --> c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [10/28/2010 9:41 AM 91841]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.safer-networking.org/en/index.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-15 12:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(456)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(156)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\RunDLL32.exe
c:\program files\Tall Emu\Online Armor\OAhlp.exe
.
**************************************************************************
.
Completion time: 2011-12-15 12:36:47 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-15 20:36
ComboFix2.txt 2011-12-14 20:42
.
Pre-Run: 125,884,575,744 bytes free
Post-Run: 125,860,433,920 bytes free
.
- - End Of File - - 7C4D9C6086869F88F02B1F6541D66939






3. OTL.txt.

All processes killed
========== OTL ==========
Registry key HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions\ not found.
Registry key HKEY_USERS\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions\ not found.
Registry key HKEY_USERS\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions\ not found.
Registry key HKEY_USERS\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions\ not found.
Registry key HKEY_USERS\S-1-5-21-1708537768-839522115-1644491937-1003\Software\Policies\Microsoft\Internet Explorer\Restrictions\ not found.
ADS C:\Documents and Settings\user\Desktop\avira_antivir_personal_en.exe:SummaryInformation deleted successfully.
Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34 .
C:\WINDOWS\SET3.tmp deleted successfully.
C:\WINDOWS\SET4.tmp deleted successfully.
C:\WINDOWS\SET8.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET29.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET2A.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET2B.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET2C.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET2D.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET2E.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET2F.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET30.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET31.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET32.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET33.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET35.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET36.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET37.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET38.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET39.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET3A.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET3B.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET3C.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET3D.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET3E.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET3F.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET40.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET41.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET42.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET43.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET44.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET45.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET46.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET47.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET48.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET49.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET4A.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET4B.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET4C.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET4D.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET4E.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET4F.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET50.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET51.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET52.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET53.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET54.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET55.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET56.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET57.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET58.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET59.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET5A.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET5C.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET5D.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET5E.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET5F.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET60.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET61.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET62.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET63.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET64.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET65.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET66.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET67.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET68.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET69.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET6A.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET6B.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET6C.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET6D.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET6E.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET6F.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET70.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET71.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET72.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET73.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET74.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET75.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET76.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET77.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET78.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET79.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET7A.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET7B.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET7C.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET7D.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET7E.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET7F.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET80.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET81.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET83.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET84.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET85.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET86.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET87.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET88.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET89.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET8A.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET8B.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET8C.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET8D.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET8E.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET8F.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET90.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET91.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET92.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET93.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET94.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET95.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET96.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET97.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET98.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET99.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET9A.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET9B.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET9C.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET9D.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET9E.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET9F.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETA0.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETA1.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETA2.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETA3.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETA4.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETA5.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETA6.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETA7.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETA8.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETA9.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETAA.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETAB.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETAC.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETAD.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETAE.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETAF.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETB0.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETB1.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETB2.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETB3.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETB4.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETB5.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETB6.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETB7.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETB8.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETB9.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETBA.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETBB.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETBC.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETBD.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETBE.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETBF.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETC0.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETC1.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETC2.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SETC3.tmp deleted successfully.
C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
C:\WINDOWS\System32\SET10.tmp deleted successfully.
C:\WINDOWS\System32\SET11.tmp deleted successfully.
C:\WINDOWS\System32\SET12.tmp deleted successfully.
C:\WINDOWS\System32\SET13.tmp deleted successfully.
C:\WINDOWS\System32\SET14.tmp deleted successfully.
C:\WINDOWS\System32\SET15.tmp deleted successfully.
C:\WINDOWS\System32\SET16.tmp deleted successfully.
C:\WINDOWS\System32\SET17.tmp deleted successfully.
C:\WINDOWS\System32\SET18.tmp deleted successfully.
C:\WINDOWS\System32\SET19.tmp deleted successfully.
C:\WINDOWS\System32\SET1A.tmp deleted successfully.
C:\WINDOWS\System32\SET1B.tmp deleted successfully.
C:\WINDOWS\System32\SET1C.tmp deleted successfully.
C:\WINDOWS\System32\SET1D.tmp deleted successfully.
C:\WINDOWS\System32\SET1E.tmp deleted successfully.
C:\WINDOWS\System32\SET1F.tmp deleted successfully.
C:\WINDOWS\System32\SET20.tmp deleted successfully.
C:\WINDOWS\System32\SET21.tmp deleted successfully.
C:\WINDOWS\System32\SET22.tmp deleted successfully.
C:\WINDOWS\System32\SET23.tmp deleted successfully.
C:\WINDOWS\System32\SET24.tmp deleted successfully.
C:\WINDOWS\System32\SET25.tmp deleted successfully.
C:\WINDOWS\System32\SET26.tmp deleted successfully.
C:\WINDOWS\System32\SET27.tmp deleted successfully.
C:\WINDOWS\System32\SET28.tmp deleted successfully.
C:\WINDOWS\System32\SET29.tmp deleted successfully.
C:\WINDOWS\System32\SET2A.tmp deleted successfully.
C:\WINDOWS\System32\SET2B.tmp deleted successfully.
C:\WINDOWS\System32\SET2C.tmp deleted successfully.
C:\WINDOWS\System32\SET2D.tmp deleted successfully.
C:\WINDOWS\System32\SET2E.tmp deleted successfully.
C:\WINDOWS\System32\SET2F.tmp deleted successfully.
C:\WINDOWS\System32\SET30.tmp deleted successfully.
C:\WINDOWS\System32\SET31.tmp deleted successfully.
C:\WINDOWS\System32\SET32.tmp deleted successfully.
C:\WINDOWS\System32\SET33.tmp deleted successfully.
C:\WINDOWS\System32\SET34.tmp deleted successfully.
C:\WINDOWS\System32\SET35.tmp deleted successfully.
C:\WINDOWS\System32\SET36.tmp deleted successfully.
C:\WINDOWS\System32\SET37.tmp deleted successfully.
C:\WINDOWS\System32\SET38.tmp deleted successfully.
C:\WINDOWS\System32\SET39.tmp deleted successfully.
C:\WINDOWS\System32\SET3A.tmp deleted successfully.
C:\WINDOWS\System32\SET3B.tmp deleted successfully.
C:\WINDOWS\System32\SET3C.tmp deleted successfully.
C:\WINDOWS\System32\SET3D.tmp deleted successfully.
C:\WINDOWS\System32\SET3E.tmp deleted successfully.
C:\WINDOWS\System32\SET3F.tmp deleted successfully.
C:\WINDOWS\System32\SET40.tmp deleted successfully.
C:\WINDOWS\System32\SET41.tmp deleted successfully.
C:\WINDOWS\System32\SET42.tmp deleted successfully.
C:\WINDOWS\System32\SET43.tmp deleted successfully.
C:\WINDOWS\System32\SET44.tmp deleted successfully.
C:\WINDOWS\System32\SET45.tmp deleted successfully.
C:\WINDOWS\System32\SET46.tmp deleted successfully.
C:\WINDOWS\System32\SET47.tmp deleted successfully.
C:\WINDOWS\System32\SET48.tmp deleted successfully.
C:\WINDOWS\System32\SET49.tmp deleted successfully.
C:\WINDOWS\System32\SET4A.tmp deleted successfully.
C:\WINDOWS\System32\SET4B.tmp deleted successfully.
C:\WINDOWS\System32\SET4C.tmp deleted successfully.
C:\WINDOWS\System32\SET4D.tmp deleted successfully.
C:\WINDOWS\System32\SET4E.tmp deleted successfully.
C:\WINDOWS\System32\SET4F.tmp deleted successfully.
C:\WINDOWS\System32\SET50.tmp deleted successfully.
C:\WINDOWS\System32\SET51.tmp deleted successfully.
C:\WINDOWS\System32\SET52.tmp deleted successfully.
C:\WINDOWS\System32\SET53.tmp deleted successfully.
C:\WINDOWS\System32\SET54.tmp deleted successfully.
C:\WINDOWS\System32\SET55.tmp deleted successfully.
C:\WINDOWS\System32\SET56.tmp deleted successfully.
C:\WINDOWS\System32\SET57.tmp deleted successfully.
C:\WINDOWS\System32\SET58.tmp deleted successfully.
C:\WINDOWS\System32\SET59.tmp deleted successfully.
C:\WINDOWS\System32\SET5A.tmp deleted successfully.
C:\WINDOWS\System32\SET5B.tmp deleted successfully.
C:\WINDOWS\System32\SET5C.tmp deleted successfully.
C:\WINDOWS\System32\SET5D.tmp deleted successfully.
C:\WINDOWS\System32\SET5E.tmp deleted successfully.
C:\WINDOWS\System32\SET5F.tmp deleted successfully.
C:\WINDOWS\System32\SET60.tmp deleted successfully.
C:\WINDOWS\System32\SET61.tmp deleted successfully.
C:\WINDOWS\System32\SET62.tmp deleted successfully.
C:\WINDOWS\System32\SET63.tmp deleted successfully.
C:\WINDOWS\System32\SET64.tmp deleted successfully.
C:\WINDOWS\System32\SET65.tmp deleted successfully.
C:\WINDOWS\System32\SET66.tmp deleted successfully.
C:\WINDOWS\System32\SET67.tmp deleted successfully.
C:\WINDOWS\System32\SET68.tmp deleted successfully.
C:\WINDOWS\System32\SET69.tmp deleted successfully.
C:\WINDOWS\System32\SET6A.tmp deleted successfully.
C:\WINDOWS\System32\SET6B.tmp deleted successfully.
C:\WINDOWS\System32\SET6C.tmp deleted successfully.
C:\WINDOWS\System32\SET6F.tmp deleted successfully.
C:\WINDOWS\System32\SET7.tmp deleted successfully.
C:\WINDOWS\System32\SET70.tmp deleted successfully.
C:\WINDOWS\System32\SET71.tmp deleted successfully.
C:\WINDOWS\System32\SET72.tmp deleted successfully.
C:\WINDOWS\System32\SET73.tmp deleted successfully.
C:\WINDOWS\System32\SET74.tmp deleted successfully.
C:\WINDOWS\System32\SET75.tmp deleted successfully.
C:\WINDOWS\System32\SET76.tmp deleted successfully.
C:\WINDOWS\System32\SET77.tmp deleted successfully.
C:\WINDOWS\System32\SET78.tmp deleted successfully.
C:\WINDOWS\System32\SET79.tmp deleted successfully.
C:\WINDOWS\System32\SET7A.tmp deleted successfully.
C:\WINDOWS\System32\SET7B.tmp deleted successfully.
C:\WINDOWS\System32\SET7C.tmp deleted successfully.
C:\WINDOWS\System32\SET7D.tmp deleted successfully.
C:\WINDOWS\System32\SET7E.tmp deleted successfully.
C:\WINDOWS\System32\SET7F.tmp deleted successfully.
C:\WINDOWS\System32\SET8.tmp deleted successfully.
C:\WINDOWS\System32\SET80.tmp deleted successfully.
C:\WINDOWS\System32\SET81.tmp deleted successfully.
C:\WINDOWS\System32\SET82.tmp deleted successfully.
C:\WINDOWS\System32\SET83.tmp deleted successfully.
C:\WINDOWS\System32\SET84.tmp deleted successfully.
C:\WINDOWS\System32\SET85.tmp deleted successfully.
C:\WINDOWS\System32\SET86.tmp deleted successfully.
C:\WINDOWS\System32\SET87.tmp deleted successfully.
C:\WINDOWS\System32\SET88.tmp deleted successfully.
C:\WINDOWS\System32\SET89.tmp deleted successfully.
C:\WINDOWS\System32\SET8A.tmp deleted successfully.
C:\WINDOWS\System32\SET8B.tmp deleted successfully.
C:\WINDOWS\System32\SET8C.tmp deleted successfully.
C:\WINDOWS\System32\SET8D.tmp deleted successfully.
C:\WINDOWS\System32\SET8E.tmp deleted successfully.
C:\WINDOWS\System32\SET8F.tmp deleted successfully.
C:\WINDOWS\System32\SET9.tmp deleted successfully.
C:\WINDOWS\System32\SET90.tmp deleted successfully.
C:\WINDOWS\System32\SETA.tmp deleted successfully.
C:\WINDOWS\System32\SETB.tmp deleted successfully.
C:\WINDOWS\System32\SETC.tmp deleted successfully.
C:\WINDOWS\System32\SETD.tmp deleted successfully.
C:\WINDOWS\System32\SETE.tmp deleted successfully.
C:\WINDOWS\System32\SETF.tmp deleted successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\user\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\user\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYJAVA]

User: Administrator

User: All Users

User: Default User

User: LocalService

User: NetworkService

User: user
->Java cache emptied: 38543413 bytes

Total Java Files Cleaned = 37.00 mb


[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 456 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: user
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 2776744 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 13267 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 3.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.31.0 log created on 12152011_125111

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...





4. Is there any improvement in how the computer is now running?

I do seem to see a little improvement in IE's speed. This is the only improvement I observe, so far.

Other than this, everything is as I reported at the end of the instructions just before these, including no access to Internet Options.

I did also notice, when I went to insert a link in this post, that it brought up what I presume is a dialogue box, but the box was empty, inside. I turned off my pop-up blocker, and tried again, but it still doesn't work.

:thanks:
 
Hi I_dream_of_Mercury,

Thank you again for all your feedback. You did the right thing to allow ComboFix to update. Thanks also for your patience with the OTL script. :bigthumb:

I_dream_of_Mercury said:
After OTL ran and rebooted, upon startup, OnlineArmor firewall blocked ERUNT's AUTOBACK.EXE trying to run. When, if ever, should I allow this program to run?
You can always run ERUNT manually at a time that suits you - before the installation of programs/updates, for example. There is no real need to back up your Registry every time you log on. This is a decision for you to make.

Again, please remember to read the instructions below carefully before executing and perform the steps, in the order given.
If you have any questions about or problems executing these instructions, <STOP> do not proceed, post back with the question or problem before going any further.

Before we proceed please make sure any open programs are closed.

Step 1:
Re-Run ERUNT

Please backup the registry with ERUNT again before proceeding.

Step 2:
ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan.

Please Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted. Then right-click on it and select "Run as Administrator" to install.
Please temporarily disable your Anti-virus real-time protection. If active, it could impact the online scan. Refer to This Howto Topic, if necessary.
** Make sure you are using an account that has Administrative privileges **

  1. Double-click on either the IE or FF icon in the Start Menu or Quick Launch Bar to launch your web browser.
  2. Then go to ESET Online Scanner - © ESET (All Rights Reserved) to run an online scan.
  3. Click on the Run ESET Online Scanner button.
  4. Check the box next to "YES, I accept the Terms of Use."
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  5. When prompted allow the Add-On/Active X to install.
    Make sure that the options:
    • Remove found threats is UNCHECKED
    • Scan archives is CHECKED
    • Then click on Advanced Settings and select the following options:
      • Scan for potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth Technology
  6. Click on the Start button.
    ESET scanner will begin to download the virus signatures database. When the signatures have been downloaded, the scan will start automatically.
  7. Do not touch either the Mouse or Keyboard during the scan otherwise it may stall.
  8. Wait for the scan to finish. It may take a while but, again, please be patient.
  9. When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  10. Now click on the Finish button.
  11. Use Notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  12. Copy and Paste the entire contents of log.txt into your next reply.
Remember to re-enable your Anti-virus protection before continuing!

Step 3:
Include in Next Post

  1. Did you have any problems carrying out the instructions?
  2. ESET log results.

Scolabar
--------------------------------------------------------------------------
No Reply Within 3 Days Will Result In Your Topic Being Closed
 
Scolabar, hi! I'm posting this quickly to see if I can catch you while you're still around -

I see that I'm to run ESET, and so you may have already answered this question, because I mentioned my problem with ESET online scan in my first post, but:

When I tried to run ESET online scan just previous to getting help on this forum, it said I needed to be an administrator, even though my account is administrative. A remedy they suggest in ESET's FAQ didn't work, when I tried it. - please see my first post for details.

Do you have a way of correcting this problem with ESET, so I can run it?

Thanks for your help!
 
1. Did you have any problems carrying out the instructions?

Hi! I was relieved to find that ESET's online scanner allowed me to use it, this time.

The instructions were clear and easy to follow, thanks.

2. ESET log results:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=01bf77cf2a9c46478f590efa830757c8
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-12-16 10:15:40
# local_time=2011-12-16 02:15:40 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1797 16775141 100 93 0 60486983 0 0
# compatibility_mode=6401 16777213 66 100 0 51380267 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=76634
# found=0
# cleaned=0
# scan_time=8147



 
Hi I_dream_of_Mercury,

Well done. :thumright: Now let's see if we can resolve that No Access to Internet Options issue. ;)

Again, please remember to read the instructions below carefully before executing and perform the steps, in the order given.
If you have any questions about or problems executing these instructions, <STOP> do not proceed, post back with the question or problem before going any further.

Before we proceed please make sure any open programs are closed.

Step 1:
Re-Run ERUNT

Please backup the registry with ERUNT again before proceeding.

Step 2:
Registry Fix

Please temporarily disable your Anti-virus real-time protection. If active, it could impact the following fixes. Refer to This Howto Topic, if necessary.
** Make sure you are using an account that has Administrative privileges **

  1. Click on Start > Run.
  2. In the text entry box type:
    • notepad

  3. Then click on the OK button.
  4. This will open an empty Notepad file.
  5. Copy and Paste the contents of the box below into the Notepad window:
    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions]
    "NoBrowserOptions"=dword:00000000
  6. Make sure there are NO blank lines before Windows Registry Editor Version 5.00.
  7. Click Format and ensure Wordwrap is Unchecked.
  8. Save as fix1.reg to the Desktop.
  9. Save as file type All Files or it won't work.
  10. Double-click on the fix1.reg file on your Desktop. When prompted to merge click on the Yes button.
  11. Wait approximately 30 seconds and then Reboot the computer to complete the fix.
  12. Please confirm whether or not the No Access to Internet Options issue has been resolved.
Remember to re-enable your Anti-virus application after running the above fix!

Step 3:
Include in Next Post

  1. Did you have any problems carrying out the instructions?
  2. Has the Registry Fix resolved the No Access to Internet Options issue?
  3. How is the computer now running?

Scolabar
--------------------------------------------------------------------------
No Reply Within 3 Days Will Result In Your Topic Being Closed
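The .reg fix above removes one policy value, and step 6 insists the version header be the very first line of the file. As an added example (not code from the forum post or from Scolabar), the script below parses a .reg file, checks that header condition, and lists any Restrictions policy values that are still non-zero. It looks under both HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE, since Internet Explorer honours the Restrictions policy key in either hive; the second sample file, showing the HKLM copy still set to 1, is constructed and hypothetical.

```python
"""Validate a .reg fix for the Internet Explorer Restrictions policy.

Added example, not code from the forum post. It checks the two things the
helper's step 6 cares about (the version header must be the first line, with
no blank line before it) and lists any Restrictions values that are still
non-zero, i.e. policies that would still hide Internet Options.
"""
import re

REG_HEADER = "Windows Registry Editor Version 5.00"

# Internet Explorer honours the Restrictions policy key in both hives.
RESTRICTION_KEYS = {
    r"hkey_current_user\software\policies\microsoft\internet explorer\restrictions",
    r"hkey_local_machine\software\policies\microsoft\internet explorer\restrictions",
}

# Constructed sample: the fix posted above, exactly as the helper wrote it.
FIX1_REG = (
    "Windows Registry Editor Version 5.00\n"
    "\n"
    "[HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Restrictions]\n"
    '"NoBrowserOptions"=dword:00000000\n'
)

# Constructed, hypothetical sample of an export from an affected machine where
# the HKLM copy of the same policy is still set to 1.
LOCKED_EXPORT = (
    "Windows Registry Editor Version 5.00\n"
    "\n"
    "[HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Restrictions]\n"
    '"NoBrowserOptions"=dword:00000001\n'
)

_VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text):
    """Return (header_ok, {key_path_lowercased: {value_name: int}}).

    header_ok is False when the first line is not the version header, which
    is exactly the "no blank lines before ..." condition from step 6.
    """
    lines = text.lstrip("\ufeff").splitlines()
    header_ok = bool(lines) and lines[0].strip() == REG_HEADER
    keys = {}
    current = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()  # registry paths are case-insensitive
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return header_ok, keys


def active_restrictions(keys):
    """Names of non-zero Restrictions values, tagged with their hive."""
    found = []
    for path, values in keys.items():
        if path in RESTRICTION_KEYS:
            hive = path.split("\\", 1)[0].upper()
            found.extend((hive, name) for name, val in values.items() if val != 0)
    return sorted(found)


if __name__ == "__main__":
    for label, text in (("fix1.reg", FIX1_REG), ("locked export", LOCKED_EXPORT)):
        ok, keys = parse_reg(text)
        print(label, "header ok:", ok, "active:", active_restrictions(keys))
```

Feeding the script a file that begins with a blank line makes it report the header as missing, which is the mistake step 6 warns about; only dword values are parsed because that is the only value type the Restrictions policy uses.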
 
Scolabar, hi,

1. Did you have any problems carrying out the instructions?

The instructions were easy to follow.

2. Has the Registry Fix resolved the No Access to Internet Options issue?

I still don't have access to Internet Options :sad:

I followed the instructions carefully - I disabled OnlineArmor, Resident/Tea Timer, and Avira, made sure there was no blank line or space before the code, that Notepad had Wordwrap unchecked, changed to All Files when I saved, named it fix1.reg. The message I got didn't use the word "merge," but I did say yes to the prompt to proceed. In just a second, it displayed a box saying it was successful. I waited about 30 seconds, then rebooted.

Neither Tools>Options from inside IE nor the Control Panel access it.

Although I've confirmed that my current user account has administrative privileges, when it didn't work, I tried logging in as Administrator, which requires Safe Mode, on XP. It still didn't work.

I noticed, before (and after) running fix1.reg, that there's now no Internet Options icon in Administrator's Control Panel. I cannot turn Avira on, as the Administrator in Safe Mode - I don't know whether that's normal or not.


3. How is the computer now running?

The computer's running faster than it was :) Programs launch more quickly and it performs without lagging, as far as I can tell so far.

Some other recent symptoms since the infection and working on the computer are still the same, such as not being able to drag and drop text online, and computer sounds sputtering instead of playing smoothly. I've just noticed that although I can turn Pop-up Blocker on and off, I can't access the Pop-up Blocker Settings. One website that was displaying strange behavior, but which is a well-known and normally trusted site, is still acting strange for me.


A question: Is it alright for me to clean up usage tracks with Spybot S&D, right now?

Thanks very much for your continued help ;)


 
Hi I_dream_of_Mercury,

Thank you for all the feedback once again. :)

The Registry Fix should have resolved your Internet Options access issue. I am beginning to wonder whether a possible hardware issue might be responsible for the Internet Explorer and other issues you are continuing to experience. Let's run another

I_dream_of_Mercury said:
Is it alright for me to clean up usage tracks with Spybot S&D, right now?
Please wait until after you have completed the instructions below before proceeding with the Spybot cleanup. ;)

Again, please remember to read the instructions below carefully before executing and perform the steps, in the order given.
If you have any questions about or problems executing these instructions, <STOP> do not proceed, post back with the question or problem before going any further.

Before we proceed please make sure any open programs are closed.

Step 1:
Backup All User Data

Please make sure all user data is backed up to an external device: hard drive, DVD or CD, before proceeding.

Step 2:
Check Hard Disk For Errors

  1. Click on Start and select Run.
  2. Then Copy and Paste the following command into the box and then click on the OK button:
    Code:
    cmd /c chkdsk c: |find /v  "percent" >> "%userprofile%\desktop\checkhd.txt"
    A blank command window will open on your Desktop, then close in a few minutes. This is normal.
    A file and icon named checkhd.txt should appear on your Desktop.
  3. Please Copy and Paste the contents of the checkhd.txt file into your next reply.

Step 3:
Include in Next Post

  1. Did you have any problems carrying out the instructions?
  2. checkhd.txt.

Scolabar
--------------------------------------------------------------------------
No Reply Within 3 Days Will Result In Your Topic Being Closed
 
Scolabar, thanks for your reply.

I'm a little embarrassed to confess that I'm only familiar with saving documents to an external device, such as a flash drive, or transferring music to an mp3 player, not doing a user data backup.

In the course of treating this computer, I've saved only the most important files to a flash drive and saved System State to the internal drive, but haven't done a full external backup of user data, so far.

So,
1. Would you please point me to instructions for properly backing up user data, as you instructed, to an external device?

2. Is a flash drive alright for doing this backup?

3. How big is the backup, not counting My Documents, likely to be, if it's possible to estimate, so I can anticipate enough space on the external device?

4. Can the same external drive be used to back up both pc's and Macs? I ask because I might take this opportunity to get a new external drive, and want to consider how much I want to invest in one, in case I get an Apple product, in future.

Thanks for your help and information.
 
Hi I_dream_of_Mercury,

In answer to your questions:

I_dream_of_Mercury said:
Would you please point me to instructions for properly backing up user data, as you instructed, to an external device?
The information on how to backup your data was provided at the end of my initial reply. ;)

I_dream_of_Mercury said:
Is a flash drive alright for doing this backup?
That depends on the volume of data you need to backup and the size of your flash drive. Personally, I would only recommend backing up to flash drives if you have no other alternative. They are the modern equivalent of the old floppy disks, in my view. An external hard drive or DVD's would be preferable.

I_dream_of_Mercury said:
How big is the backup, not counting My Documents, likely to be, if it's possible to estimate, so I can anticipate enough space on the external device?
Essentially, your user data is the contents of your entire User Account directory which in your case would be: C:\Documents and Settings\user. To find out the full size of that directory you may need to Show All Files/Folders (- see instructions below). Then navigate to the C:\Documents and Settings directory and then right-click on the user directory and select Properties from the pop-up menu. In the Properties window the amount of actual data to be backed up is shown under Size:. The Size on Disk: information will tell you how much space the data actually takes up on the storage device (- C: drive in this case). This can vary depending on the size of the storage device.
Show Hidden Files and Folders

Enable the Show Hidden Files and Folders option, like this:

  1. Click Start. Open My Computer.
  2. Select the Tools menu and click Folder Options.
  3. Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
  4. Uncheck the Hide extensions for known file types. option.
  5. Uncheck the Hide protected operating system files (recommended) option.
  6. Click Apply to set. Click OK.
Note: To Disable the Show Hidden Files and Folders option simply revert and save the options.
I_dream_of_Mercury said:
Can the same external drive be used to back up both pc's and Macs?
Yes. For optimum performance simply create two separate partitions on the external drive: one for Windows (NTFS format) and one for Mac (HFS+ format). Any external drive can be used, bearing in mind that very few PC's have FireWire ports so USB2 is likely to be the common denominator. You can then use the flash drive to transfer data as required between the two operating systems.

Scolabar
--------------------------------------------------------------------------
No Reply Within 3 Days Will Result In Your Topic Being Closed
 
Hi, again!

First, here's the checkhd.txt:

The type of the file system is NTFS.
WARNING! F parameter not specified.
Running CHKDSK in read-only mode.
CHKDSK is verifying files (stage 1 of 3)...
CHKDSK is verifying indexes (stage 2 of 3)...
CHKDSK is verifying security descriptors (stage 3 of 3)...
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
Correcting errors in the Volume Bitmap.
Windows found problems with the file system.
Run CHKDSK with the /F (fix) option to correct these.
156167864 KB total disk space.
33767296 KB in 91796 files.
35900 KB in 6791 indexes.
0 KB in bad sectors.
206596 KB in use by the system.
65536 KB occupied by the log file.
122158072 KB available on disk.
4096 bytes in each allocation unit.
39041966 total allocation units on disk.
30539518 allocation units available on disk.


The information on how to backup your data was provided at the end of my initial reply. ;)

I did follow those directions, when responding to your initial reply! I had already saved the most important of My Documents to an external device (a flash drive), upon suspicion of infection. The instructions said to select the drives you want to back up, and to select System State, so I did a backup of System State. The Backup Utility said, "Choose a place to save your backup," and Browse opened to C:\Backup Files Folder, by default, so I saved it there.

This time, when you mentioned user data and external device, and since you were talking about doing something with the hardware, I thought I must need to back up more than My Documents and System State. As I confessed, I'm not knowledgeable about backups beyond getting a copy of My Documents to an external device. I'm sure I'm negligent in this.

I don't know whether to go into detail about backing up, this time. Basically, the first time I tried, it falsely reported that the medium was full, when it was not nearly full, and aborted the backup. So the next try, I selected files to backup, in the folder you indicated, C:\Documents and Settings\user, leaving out My Documents, so that the file was a fraction the size, and the backup completed. I don't know whether the false report about the drive being full is a problem with the Backup Utility, or with the flash drive.

Thanks for info about flash drives and external hard drives :) I'll get a portable external hard drive as soon as I'm able.
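The checkhd.txt report above is a read-only CHKDSK run, so the "Windows found problems" line means the errors were only detected, not repaired, and a CHKDSK /F pass is still outstanding. As an added example (not code from the forum post or from Scolabar), the script below parses such a report, flags that verdict, and cross-checks the KB figures against the allocation-unit counts, which is a quick way to spot a mangled or partial paste before reading anything into it. The sample report is a copy of the figures posted in this thread.

```python
"""Summarise a read-only CHKDSK report such as the checkhd.txt posted above.

Added example, not from the forum post: it pulls the KB figures out of the
report, flags the "Windows found problems" verdict that means CHKDSK /F is
still needed, and cross-checks that the KB totals agree with the allocation
unit counts, which is a quick sanity check on a report pasted by a user.
"""
import re

# Constructed copy of the checkhd.txt output posted in this thread.
SAMPLE_REPORT = """\
The type of the file system is NTFS.
WARNING! F parameter not specified.
Running CHKDSK in read-only mode.
CHKDSK is verifying files (stage 1 of 3)...
CHKDSK is verifying indexes (stage 2 of 3)...
CHKDSK is verifying security descriptors (stage 3 of 3)...
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
Correcting errors in the Volume Bitmap.
Windows found problems with the file system.
Run CHKDSK with the /F (fix) option to correct these.
156167864 KB total disk space.
33767296 KB in 91796 files.
35900 KB in 6791 indexes.
0 KB in bad sectors.
206596 KB in use by the system.
65536 KB occupied by the log file.
122158072 KB available on disk.
4096 bytes in each allocation unit.
39041966 total allocation units on disk.
30539518 allocation units available on disk.
"""

# Report phrases mapped to the field names used in the summary dict.
_KB_FIELDS = {
    "total disk space": "total_kb",
    "in bad sectors": "bad_sectors_kb",
    "available on disk": "available_kb",
}
_UNIT_FIELDS = {
    "total allocation units on disk": "total_units",
    "allocation units available on disk": "available_units",
}


def parse_chkdsk(text):
    """Return a dict of numeric fields plus read_only / needs_fix flags."""
    info = {"read_only": False, "needs_fix": False, "bad_sectors_kb": None}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Running CHKDSK in read-only mode"):
            info["read_only"] = True
        elif line.startswith("Windows found problems with the file system"):
            info["needs_fix"] = True
        m = re.match(r"^(\d+) KB (.+)\.$", line)
        if m and m.group(2) in _KB_FIELDS:
            info[_KB_FIELDS[m.group(2)]] = int(m.group(1))
            continue
        m = re.match(r"^(\d+) bytes in each allocation unit\.$", line)
        if m:
            info["allocation_unit_bytes"] = int(m.group(1))
            continue
        m = re.match(r"^(\d+) (.+)\.$", line)
        if m and m.group(2) in _UNIT_FIELDS:
            info[_UNIT_FIELDS[m.group(2)]] = int(m.group(1))
    return info


def consistency_problems(info):
    """List mismatches between KB totals and allocation-unit counts."""
    au_kb = info["allocation_unit_bytes"] // 1024
    problems = []
    if info["total_kb"] != info["total_units"] * au_kb:
        problems.append("total KB does not match total allocation units")
    if info["available_kb"] != info["available_units"] * au_kb:
        problems.append("available KB does not match available allocation units")
    return problems


def free_percent(info):
    """Free space as a whole percentage of the volume."""
    return round(100 * info["available_kb"] / info["total_kb"])


if __name__ == "__main__":
    summary = parse_chkdsk(SAMPLE_REPORT)
    print("read-only run:", summary["read_only"], "needs /F:", summary["needs_fix"])
    print("bad sectors KB:", summary["bad_sectors_kb"], "free:", free_percent(summary), "%")
    print("consistency problems:", consistency_problems(summary) or "none")
```

On the posted report the KB totals divide exactly by the 4 KB allocation unit and match the unit counts, there are no bad sectors, and the only finding is the Volume Bitmap correction that a read-only run cannot apply.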
 
Hi I_dream_of_Mercury,

Thank you for the log and feedback. :)

Congratulations your computer now appears to be malware free! :)

I can now confirm that any computer issues you may still be experiencing are not malware-related.

Not A Malware Issue

I recommend you try a good System/Hardware Help Forum. Some suggested links are provided below. ;)
These sites have a variety of experts, that are better equipped to investigate and resolve these kinds of issues.

Good System/Hardware Help Forums
Free registration may be required in order to post at these forums and will only take a few minutes. :)


Now that your computer appears to be clear of malware infection we need to tidy a few things up and deal with a few remaining items:

Step 1:
Housekeeping

It's now time for some housekeeping. Please follow the instructions below to remove the tools we have used to clean up your computer.

OTL - Cleanup

  1. Right-click on OTL.exe and select the Run As Administrator option to launch the program. If you receive a UAC prompt, please allow it.
    This will remove most, if not all, of the tools we used to clean your PC.
  2. Close all other programs apart from OTL as this step will require a reboot.
  3. On the OTL main screen, press the CleanUp! button.
  4. Click on the Yes button at the prompt and then allow the program to reboot your computer.
Remove Tools Used

You can now safely delete the tools used in cleaning up the infection. Please remove the following tools from your system along with any related .zip files.
aswMBR.exe
fix1.reg
MicrosoftFixit50195.exe
Please Note: These tools are updated on a regular basis and so, if required in future, should be downloaded afresh under supervision.
Step 2:
Create Clean System Restore Point

Create a new, clean System Restore point which can be used in the event of future system problems:

  1. Click on Start > All Programs > Accessories > System Tools > System Restore.
  2. Select the Create a restore point option then click on Next.
  3. You can name your new Restore Point something like All Clean, for example, and then select Create.
  4. Once the Restore Point has been created you can click on Close.
  5. Now remove old, infected System Restore points:
  6. Next click on Start > Run.
  7. Copy and Paste the following command into the text entry box:
    Code:
    cleanmgr
  8. Then click on the OK button.
  9. Make sure the boxes for Recycle Bin, Temporary Files and Temporary Internet Files are checked. You can choose to check other boxes if you wish but they are not required.
  10. Select the More Options tab, under System Restore and click on the Clean up... button and reply Yes to the prompt.
  11. Click on the OK button and the Yes button to confirm.
Step 3:
Security Vulnerabilities

I cannot stress how important it is to keep your security software up-to-date. In particular, if you don't keep your Operating System and Internet Explorer up-to-date the computer will be open to re-infection. Since we have been working on your computer the following software has been updated. ;)

Outdated Java SE Runtime Environment (JRE)

Please download from HERE:

  1. Find Java SE 7u2.
  2. Click on the Download JRE button to the right.
  3. Choose the correct Platform and Multi-language. Next, check the box that says I agree to the Java SE Runtime Environment 6 License Agreement.
  4. Click on the Continue button.
  5. Click on the filename under Windows Offline Installation and save it to your Desktop.
  6. Close all active windows.
  7. Double-click on the installer file and follow the prompts to install the program.
Step 4:
Improve Your Computer's Security

Foxit Reader
Please remember to check for updates on a regular basis. You can do this by launching the program and selecting Check for Updates Now from the Help menu. Checking for Foxit Reader updates can also be configured automatically by clicking on the Preferences button at the bottom of the Foxit Reader Updates window and selecting either the Each Week or Each Month option. Keeping this software up-to-date will help to ensure your system remains malware free.

Spybot S&D
Please remember to re-enable TeaTimer. Ensure the program is updated on a regular basis and run a scan once every couple of weeks. This will help you to keep your computer clear of malware.
Please Note: If you consider TeaTimer to be somewhat intrusive you may prefer to keep this feature of the Spybot S&D product disabled. In addition, you may need to disable Spybot S&D's TeaTimer anyway before running other security tools to avoid any conflicts or interference.

MalwareBytes' AntiMalware
It is worth keeping MalwareBytes' AntiMalware on your system. Updating the program and running a scan once every couple of weeks will help you to keep malware free.

Below are some additional (free) programs, that can help improve your computer's security.
Many feel that having a "layered" protection scheme is beneficial; you'll have to decide what works best for your situation. You may like to give them a try. :)

Alternative Web Browser
Many malware exploits are directed at users of Internet Explorer. Try using a different web browser instead: Mozilla Firefox or Opera

SiteAdvisor
SiteAdvisor is a toolbar for Microsoft Internet Explorer and Mozilla Firefox which alerts you if you're about to enter a potentially dangerous website.
You can find more information and download it from Here .

Panda USB Vaccine
Protect your computer from removable or USB drive infections with Panda USB Vaccine. It is an effective method of preventing the spread of malware.
You can download and learn more about this product from Here.
Step 5:
Further Guidelines

Please follow these simple guidelines in order to help keep your computer more secure:

Update your Anti-virus program and other programs regularly.
Online Secunia Software Inspector - Copyright © Secunia.
Refer to F-secure Health Check - Copyright © F-Secure Corporation.

Visit Microsoft often
Keep on top of critical updates, as well as other updates for your computer.
How to configure and use Automatic Updates in Windows XP
Using Windows Update for Windows XP
Microsoft Update Home

Read, stay informed.
To help minimize the chances of becoming re-infected, please read:
Computer Security - a short guide to staying safer online

If your computer is running slowly after your clean up, please read:
What to do if your Computer is running slowly
Please confirm that you have completed the cleanup steps and reviewed the rest of the post.
Once your reply has been received, unless there are other malware questions or concerns, this topic will be closed as resolved.


Stay Safe! :santa:
Scolabar
--------------------------------------------------------------------------
No Reply Within 3 Days Will Result In Your Topic Being Closed
 
OTL Cleanup has now been running for 7 hours, without rebooting. It displays the message, "Processing [deleteself]...".

Could this possibly be correct or normal?

I shut down every program, including Spybot S&D TeaTimer/Resident, Avira, and OnlineArmor firewall, before and during running OTL.exe Cleanup. I let it run for 6 3/4 hours before coming online to ask what to do about this. I only have 32GB total on the hard drive, 12GB of which is My Documents, so it's not as if it's plowing through a massive system.

Task Manager says it's running.

Please advise.
 
Hi I_dream_of_Mercury,

Apologies for the inconvenience. :)

Firstly, please stop the OTL Cleanup process using the Task Manager.

Below is a replacement set of instructions for Step 1 of my previous post.
Before we proceed please make sure any other open programs are closed.

Step 1:
Housekeeping

It's now time for some housekeeping. Please follow the instructions below to remove the tools we have used to clean up your computer.

ComboFix - Uninstall

  1. Please Download CF_Uninstall.exe and Save it to your Desktop.
  2. Double-click on CF_Uninstall.exe to run the program.
  3. This should complete the uninstallation of ComboFix.
Note: Please let me know if you encounter any problems.

Remove Tools Used

You can now safely delete the tools used in cleaning up the infection. Please remove the following tools from your system along with any related .zip files.

aswMBR.exe
fix1.reg
MicrosoftFixit50195.exe
OTL.exe

Please Note: These tools are updated on a regular basis and so, if required in future, should be downloaded afresh under supervision.

Step 2:
Continuation

Please continue with Step 2 onwards as provided in my previous set of instructions.
Again, please let me know if you experience any problems.

Scolabar
 
Hi I_dream_of_Mercury,

I hope you had an enjoyable and relaxing day, yesterday. :santa:

It has been over 48 hours since my last post.

  1. Do you still need help?
  2. Do you need more time?
  3. Are you having problems following my instructions?
  4. In line with Safer-Networking's policy, topics will be closed after 3 days without a response.
  5. If you do not reply within the next 24 hours, this topic will be closed.

Scolabar
--------------------------------------------------------------------------
No Reply Within 3 Days Will Result In Your Topic Being Closed
 
This topic has been archived due to inactivity.

If it has been three days or more since your last post, and the helper assisting you posted a response to which you did not reply, your thread will not be re-opened. At that point, if you still require help, please start a new topic and include a new DDS log with a link to your previous thread. Please do not add any logs that might have been requested previously, you would be starting fresh.

If it has been less than three days since your last response and you need the thread re-opened, please send your helper a private message (pm). A valid, working link to the closed topic is required.
 