Tech Support Guy Forums > Security & Malware Removal > Malware Removal & HijackThis Logs
Solved: Personal Guard 2009 virus??

NeonFx (Senior Member, authorized to help remove malware), 05-Nov-2009, 04:51 PM, #16
You did good. There's no need to send me a private message when you're done though. I get notified of all responses. Let's do the following:

STEP 1

It seems one of your flash drives may be infected. Please do the following:

  • Download Flash_Disinfector.exe by sUBs from here and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.


Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you run it. Don't delete this folder... it will help protect your drives from future infection.


STEP 2

Run OTS

  • Under the Paste Fix Here box on the right, paste in the following:

Code:
[Unregister Dlls]
[Modules - Safe List]
YY -> defohesi.dll -> C:\WINDOWS\system32\defohesi.dll
YY -> fasapako.dll -> C:\WINDOWS\system32\fasapako.dll
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> {7E853D72-626A-48EC-A868-BA8D5E23E045} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> "SITEguard" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "tatisepen" -> C:\WINDOWS\System32\defohesi.DLL [Rundll32.exe "c:\windows\system32\defohesi.dll",a]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YY -> c:\windows\system32\vemusise.dll -> C:\WINDOWS\System32\vemusise.dll
YY -> fasapako.dll -> C:\WINDOWS\System32\fasapako.dll
YY -> c:\windows\system32\defohesi.dll -> C:\WINDOWS\system32\defohesi.dll
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
YY -> logon.exe -> C:\WINDOWS\System32\logon.exe
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YY -> "{0a9ee376-2eca-4a07-b582-1d4851089105}" [HKLM] -> C:\WINDOWS\system32\defohesi.dll [hagubupok]
YN -> "{EA5D0B32-0630-4AC4-BF8B-DFC2EC7D9406}" [HKLM] -> C:\Documents and Settings\All Users\Microsoft AData\sysnet.dll [SysNet]
< SharedTaskScheduler [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
YY -> "{0a9ee376-2eca-4a07-b582-1d4851089105}" [HKLM] -> C:\WINDOWS\system32\defohesi.dll [tokatiluy]
[Files/Folders - Created Within 30 Days]
NY ->  C:\Program Files\Personal Guard 2009 -> C:\Program Files\Personal Guard 2009
NY -> Microsoft AData -> C:\Documents and Settings\All Users\Microsoft AData
[Files/Folders - Modified Within 30 Days]
NY -> nazojowu -> C:\WINDOWS\System32\nazojowu
NY -> tockrjoa.job -> C:\WINDOWS\tasks\tockrjoa.job
NY -> rofazito.dll -> C:\WINDOWS\System32\rofazito.dll
[Files - No Company Name]
NY -> tockrjoa.job -> C:\WINDOWS\tasks\tockrjoa.job
NY -> rofazito.dll -> C:\WINDOWS\System32\rofazito.dll
NY -> winsc.exe -> C:\WINDOWS\System32\winsc.exe
NY -> spoov.exe -> C:\WINDOWS\spoov.exe
NY -> certsystem.exe -> C:\WINDOWS\certsystem.exe
NY -> regred.exe -> C:\WINDOWS\regred.exe
NY -> usexplorer.exe -> C:\WINDOWS\usexplorer.exe
NY -> securits.com -> C:\WINDOWS\securits.com
NY -> microsoftdef.dll -> C:\WINDOWS\microsoftdef.dll
NY -> logon.exe -> C:\WINDOWS\System32\logon.exe
NY -> setup.exe -> C:\Documents and Settings\User1\My Documents\setup.exe
NY -> zetoyago.dll -> C:\WINDOWS\System32\zetoyago.dll
NY -> defohesi.dll -> C:\WINDOWS\System32\defohesi.dll
NY -> popiwoba.dll -> C:\WINDOWS\System32\popiwoba.dll
NY -> jopisado.dll -> C:\WINDOWS\System32\jopisado.dll
NY -> fujegifu.dll -> C:\WINDOWS\System32\fujegifu.dll
NY -> fasapako.dll -> C:\WINDOWS\System32\fasapako.dll
NY -> tevaziva.dll -> C:\WINDOWS\System32\tevaziva.dll
NY -> jifopufo.dll -> C:\WINDOWS\System32\jifopufo.dll
NY -> sojerire.dll -> C:\WINDOWS\System32\sojerire.dll
NY -> yukojuni.dll -> C:\WINDOWS\System32\yukojuni.dll
[Alternate Data Streams]
NY -> @Alternate Data Stream - 1193 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:yIDePx8pFK3y7vDESBcJzziHf
NY -> @Alternate Data Stream - 1238 bytes -> C:\Program Files\Common Files\System:Q18TDnbTWyJerlOXf4GCR2QH
NY -> @Alternate Data Stream - 1332 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:iBpKY8jt7Pxvg8e0q9dCxwh
NY -> @Alternate Data Stream - 173 bytes -> C:\Program Files\Ubi Soft\Chessmaster 9000\Chessmaster.exe:{89CD9D98-BF71-864E-5ED2-F40A37830465}
NY -> @Alternate Data Stream - 88 bytes -> C:\Documents and Settings\User1\My Documents\msvci70.dll:SummaryInformation
[Empty Temp Folders]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • This will create a log in C:\_OTS\MovedFiles\<date>_<time>.txt where date and time are those of when the fix was run. Open it from there if it does not appear automatically on reboot. Please copy and paste or attach the contents of that file here.



STEP 3

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan. Scan all of your harddrives.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.


Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

STEP 4

Run OTS again and click on the Quick Scan button at the top. Attach the results of this scan in your next reply.
__________________
Please post the final results, good or bad. Let me know if you won't be responding any longer.
If I have not responded in three days, please feel free to PM me with a friendly reminder.
Please don't send me requests for help. Use the forums instead.
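Added example (not from NeonFx's post and not Flash_Disinfector's code): what the "hidden folder named autorun.inf" in Step 1 actually buys you, reproduced in Python against a throwaway directory that stands in for a drive root. A worm that spreads over removable media needs to drop an autorun.inf *file* at the root; if a directory already owns that name, the write fails. The hidden/system attributes the real tool sets are not reproduced, and the autorun.inf sample is constructed for the triage helper.

```python
"""Protective autorun.inf folder (the Flash_Disinfector idea from Step 1) and a
small triage helper for an autorun.inf found on an unprotected drive.

Added example for this thread; not Flash_Disinfector's own code. Assumptions:
the drive root is any writable directory (a temp dir is used so the demo runs
anywhere); the hidden/system attributes the real tool applies are omitted.
"""
import configparser
import os
import tempfile


def protect_drive(root):
    """Create the blocking autorun.inf folder at the drive root (idempotent)."""
    guard = os.path.join(root, "autorun.inf")
    if os.path.isfile(guard):
        raise RuntimeError("an autorun.inf file already exists; review it before replacing")
    os.makedirs(guard, exist_ok=True)
    # A marker file inside keeps the folder non-empty, so a plain rmdir()
    # by some later process will not silently remove the guard.
    with open(os.path.join(guard, "do_not_delete.txt"), "w") as fh:
        fh.write("Protective folder: keeps an autorun.inf file from being created here.\n")
    return guard


def is_protected(root):
    """True when the autorun.inf name at the root is a directory, not a file."""
    return os.path.isdir(os.path.join(root, "autorun.inf"))


def write_blocked(root):
    """Simulate something trying to drop an autorun.inf file on the drive;
    returns True if the OS refuses because the name is taken by a directory."""
    try:
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write("[autorun]\n")
    except OSError:  # IsADirectoryError on POSIX, PermissionError on Windows
        return True
    return False


def autorun_commands(text):
    """Return the entries of an autorun.inf that make Windows run or offer a
    program (open, shellexecute, shell\\...\\command), for review."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("autorun"):
        return {}
    return {k: v for k, v in cp.items("autorun")
            if k in ("open", "shellexecute")
            or (k.startswith("shell\\") and k.endswith("\\command"))}


def demo():
    """Run the protect / write-blocked scenario in a throwaway directory."""
    with tempfile.TemporaryDirectory() as drive:
        before = is_protected(drive)
        protect_drive(drive)
        return before, is_protected(drive), write_blocked(drive)


# Constructed sample of an autorun.inf a helper might be asked to look at.
SAMPLE_AUTORUN = r"""[autorun]
icon=setup.exe,0
open=setup.exe
shell\Open\command=setup.exe
"""

if __name__ == "__main__":
    print("protected before/after, write blocked:", demo())
    print("autorun entries to review:", autorun_commands(SAMPLE_AUTORUN))
```

The folder trick only stops the file from being created; it does nothing about a worm already on the stick, which is why the post has the utility clean the drives first and the folder protect them afterwards.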
Kenny1 (Member), 05-Nov-2009, 11:51 PM, #17
Step 1 and part of Step 2
Before I lose track I'll post what's gone on so far... I completed step 1 and disinfected my flash drive, but upon the reboot I received the following error message: Error loading c:\windows\system32\defohesi.dll The specified module could not be found.

I then proceeded to step 2, and upon clicking "run fix" I received a series of error messages, the first three were the same but each referencing a different .dll file as follows:
"OTS: OTS.exe bad image The application or DLL c:\windows\system32\rofazito.dll is not a valid windows image. Please check this against your installation diskette." Then the same error twice more referring to microsoftdef.dll and sojerire.dll respectively in place of rofazito.dll. Then a fourth error message: OTS range check error. After I closed out the 4th error message the OTS window appeared to be frozen, reporting the task "emptying recycle bin" at the bottom. I waited several minutes and closed the OTS window, and was left with a blank screen showing only my desktop background image and nothing else. I then shut down manually and restarted the computer. I'm now planning to go and attempt to start step 2 over again. I just wanted to post this much information before I get in over my head (further...)
__________________
Kenny
NeonFx (Senior Member, authorized to help remove malware), 05-Nov-2009, 11:54 PM, #18
Yes, please try Step 2 again. When you post the results you might have two files (C:\_OTS\MovedFiles\<date>_<time>.txt), one for each time you ran the fix. Please post those as well if they're there.
OTS may seem to freeze, but if it does, give it some time; it's probably still working.
Kenny1 (Member), 05-Nov-2009, 11:59 PM, #19
step 2 take 2
I've completed step 2 and the following log appeared quite quickly after a requested reboot by OTS:

All Processes Killed
[Modules - Safe List]
[Registry - Safe List]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar\\SITEguard not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\tatisepen not found.
File C:\WINDOWS\System32\defohesi.DLL not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\windows\system32\vemusise.dll deleted successfully.
File C:\WINDOWS\System32\vemusise.dll not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:fasapako.dll deleted successfully.
File C:\WINDOWS\System32\fasapako.dll not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\windows\system32\defohesi.dll deleted successfully.
File C:\WINDOWS\system32\defohesi.dll not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell:logon.exe deleted successfully.
File C:\WINDOWS\System32\logon.exe not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\hagubupok not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0a9ee376-2eca-4a07-b582-1d4851089105}\ not found.
File C:\WINDOWS\system32\defohesi.dll not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\SysNet not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EA5D0B32-0630-4AC4-BF8B-DFC2EC7D9406}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{0a9ee376-2eca-4a07-b582-1d4851089105} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0a9ee376-2eca-4a07-b582-1d4851089105}\ not found.
File C:\WINDOWS\system32\defohesi.dll not found.
[Files/Folders - Created Within 30 Days]
File C:\Program Files\Personal Guard 2009 not found!
File C:\Documents and Settings\All Users\Microsoft AData not found!
[Files/Folders - Modified Within 30 Days]
File C:\WINDOWS\System32\nazojowu not found!
File C:\WINDOWS\tasks\tockrjoa.job not found!
File C:\WINDOWS\System32\rofazito.dll not found!
[Files - No Company Name]
File C:\WINDOWS\tasks\tockrjoa.job not found!
File C:\WINDOWS\System32\rofazito.dll not found!
File C:\WINDOWS\System32\winsc.exe not found!
File C:\WINDOWS\spoov.exe not found!
File C:\WINDOWS\certsystem.exe not found!
File C:\WINDOWS\regred.exe not found!
File C:\WINDOWS\usexplorer.exe not found!
File C:\WINDOWS\securits.com not found!
File C:\WINDOWS\microsoftdef.dll not found!
File C:\WINDOWS\System32\logon.exe not found!
File C:\Documents and Settings\User1\My Documents\setup.exe not found!
File C:\WINDOWS\System32\zetoyago.dll not found!
File C:\WINDOWS\System32\defohesi.dll not found!
File C:\WINDOWS\System32\popiwoba.dll not found!
File C:\WINDOWS\System32\jopisado.dll not found!
File C:\WINDOWS\System32\fujegifu.dll not found!
File C:\WINDOWS\System32\fasapako.dll not found!
File C:\WINDOWS\System32\tevaziva.dll not found!
File C:\WINDOWS\System32\jifopufo.dll not found!
File C:\WINDOWS\System32\sojerire.dll not found!
File C:\WINDOWS\System32\yukojuni.dll not found!
[Alternate Data Streams]
Unable to delete ADS C:\Documents and Settings\All Users\Application Data\Microsoft:yIDePx8pFK3y7vDESBcJzziHf .
Unable to delete ADS C:\Program Files\Common Files\System:Q18TDnbTWyJerlOXf4GCR2QH .
Unable to delete ADS C:\Documents and Settings\All Users\Application Data\Microsoft:iBpKY8jt7Pxvg8e0q9dCxwh .
Unable to delete ADS C:\Program Files\Ubi Soft\Chessmaster 9000\Chessmaster.exe:{89CD9D98-BF71-864E-5ED2-F40A37830465} .
Unable to delete ADS C:\Documents and Settings\User1\My Documents\msvci70.dll:SummaryInformation .
[Empty Temp Folders]


User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: User1
->Temp folder emptied: 587439 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 15316315 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 15.26 mb

< End of fix log >
OTS by OldTimer - Version 3.1.3.0 fix logfile created on 11052009_225224

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

I will now proceed to step 3...
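Added example (not part of any post, and not OTS's own code): a reader of the fix script in #16 next to the fix log above wants to know, line by line, what was removed, what was already gone, and what OTS could not touch. The log reports nearly every file as "not found" because the first, aborted run had already moved them (MBAM later finds logon.exe under C:\_OTS\MovedFiles\11052009_222451), while the five alternate data streams remain. The Python below parses both formats and joins them, labelling each registry group with the autostart mechanism it represents. The sample text is a constructed subset of the script and log in this thread; the "moved successfully" wording is an assumed OTS success message, not one seen here.

```python
"""Reconcile an OTS (OldTimer's) fix script with the fix log it produced: which
autostart entries and files were removed, which were already gone, and which the
tool could not touch. Added example for this thread, not OTS's own code and not
from any post. Sample text is a constructed subset of the script in #16 and the
log in #19; "moved successfully" is an assumed OTS success message not seen here.
"""
import re

FIX_SCRIPT = r"""[Registry - Safe List]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "tatisepen" -> C:\WINDOWS\System32\defohesi.DLL [Rundll32.exe "c:\windows\system32\defohesi.dll",a]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
YY -> fasapako.dll -> C:\WINDOWS\System32\fasapako.dll
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
YY -> logon.exe -> C:\WINDOWS\System32\logon.exe
[Files - No Company Name]
NY -> winsc.exe -> C:\WINDOWS\System32\winsc.exe
[Alternate Data Streams]
NY -> @Alternate Data Stream - 1238 bytes -> C:\Program Files\Common Files\System:Q18TDnbTWyJerlOXf4GCR2QH
"""

FIX_LOG = r"""Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\tatisepen not found.
File C:\WINDOWS\System32\defohesi.DLL not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:fasapako.dll deleted successfully.
File C:\WINDOWS\System32\fasapako.dll not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell:logon.exe deleted successfully.
File C:\WINDOWS\System32\logon.exe not found.
[Files - No Company Name]
File C:\WINDOWS\System32\winsc.exe not found!
Unable to delete ADS C:\Program Files\Common Files\System:Q18TDnbTWyJerlOXf4GCR2QH .
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
GROUP_RE = re.compile(r"^< (.+?) \[.*?\] > -> (.*)$")
ENTRY_RE = re.compile(r"^[YN][YN] -> (.*?) -> (.*)$")
REG_RE = re.compile(r"^Registry (?:key|value) (.+?) (deleted successfully|not found)\.$")
FILE_RE = re.compile(r"^File (.+?) (not found|moved successfully)[.!]$")
ADS_RE = re.compile(r"^Unable to delete ADS (.+?) \.$")

# Substring of the group's registry key -> what that autostart location means.
MECHANISMS = [
    ("\\currentversion\\run", "Run key (started at user logon)"),
    ("appinit_dlls", "AppInit_DLLs (injected into every process that loads user32)"),
    ("winlogon", "Winlogon Shell (runs in place of or alongside Explorer)"),
    ("shellserviceobjectdelayload", "SSODL (DLL loaded by Explorer at start)"),
]


def classify(group_key):
    """Name the persistence mechanism for a registry group; None for file items."""
    if not group_key:
        return None
    key = group_key.lower()
    return next((label for needle, label in MECHANISMS if needle in key), "other registry")


def parse_fix_script(text):
    """One dict per YY/YN/NY line: section, name, target path, mechanism."""
    entries, section, group_key = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if m := SECTION_RE.match(line):
            section, group_key = m.group(1), None
        elif m := GROUP_RE.match(line):
            group_key = m.group(2)
        elif m := ENTRY_RE.match(line):
            path = m.group(2).split(" [", 1)[0]  # drop the "[Rundll32.exe ...]" detail
            entries.append({"section": section, "name": m.group(1).strip('"'),
                            "path": path, "mechanism": classify(group_key)})
    return entries


def parse_fix_log(text):
    """Lower-cased registry paths and file paths -> outcome OTS reported for them."""
    reg, files = {}, {}
    for line in (l.strip() for l in text.splitlines()):
        if m := REG_RE.match(line):
            reg[m.group(1).lower()] = m.group(2)
        elif m := FILE_RE.match(line):
            files[m.group(1).lower()] = m.group(2)
        elif m := ADS_RE.match(line):
            files[m.group(1).lower()] = "could not delete"
    return reg, files


def registry_outcome(name, reg):
    """Registry lines end in ':name' (value data) or '\\name' (value or key)."""
    n = name.lower()
    return next((o for k, o in reg.items()
                 if k.rstrip("\\").endswith((":" + n, "\\" + n))), None)


def reconcile(script_text, log_text):
    reg, files = parse_fix_log(log_text)
    return [{**e, "registry": registry_outcome(e["name"], reg),
             "file": files.get(e["path"].lower())}
            for e in parse_fix_script(script_text)]


if __name__ == "__main__":
    for r in reconcile(FIX_SCRIPT, FIX_LOG):
        print(f"{r['name'][:38]:<38} {(r['mechanism'] or r['section']):<45} "
              f"registry={r['registry']} file={r['file']}")
```

Anything whose file outcome is "could not delete" is the follow-up list; here that is the alternate data streams, which is why the later steps bring in a second scanner.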
NeonFx (Senior Member, authorized to help remove malware), 06-Nov-2009, 01:38 AM, #20
Ok
Kenny1 (Member), 06-Nov-2009, 06:01 AM, #21
Step 3
Step 3 has been completed, with the following MBAM log:

Malwarebytes' Anti-Malware 1.41
Database version: 3109
Windows 5.1.2600 Service Pack 3

11/6/2009 4:47:06 AM
mbam-log-2009-11-06 (04-47-06).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 222180
Time elapsed: 33 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Personal Guard 2009 (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{89C33134-A927-4B70-B252-394EF4817115}\RP417\A0071597.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{89C33134-A927-4B70-B252-394EF4817115}\RP417\A0071598.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{89C33134-A927-4B70-B252-394EF4817115}\RP417\A0071599.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{89C33134-A927-4B70-B252-394EF4817115}\RP417\A0071627.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{89C33134-A927-4B70-B252-394EF4817115}\RP417\A0071649.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{89C33134-A927-4B70-B252-394EF4817115}\RP417\A0071674.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{89C33134-A927-4B70-B252-394EF4817115}\RP417\A0071675.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{89C33134-A927-4B70-B252-394EF4817115}\RP417\A0071676.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{89C33134-A927-4B70-B252-394EF4817115}\RP417\A0071925.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{89C33134-A927-4B70-B252-394EF4817115}\RP417\A0071928.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{89C33134-A927-4B70-B252-394EF4817115}\RP417\A0071929.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{89C33134-A927-4B70-B252-394EF4817115}\RP417\A0071930.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{89C33134-A927-4B70-B252-394EF4817115}\RP417\A0071931.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{89C33134-A927-4B70-B252-394EF4817115}\RP417\A0071933.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{89C33134-A927-4B70-B252-394EF4817115}\RP417\A0071934.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0VQR4NID\load-full[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\_OTS\MovedFiles\11052009_222451\C_WINDOWS\System32\logon.exe (Worm.Emold) -> Quarantined and deleted successfully.


Interestingly, my AVG is set to run automatically at 4am every day and because I went to bed and left MBAM doing its thing, AVG did its thing also (probably after MBAM was finished, but I was asleep, so MBAM would have been still open, waiting for me to act) and I awoke a few minutes ago to find that AVG had found quite a list of nasty items, which I deleted. I then found MBAM also done with its own host of bugs which I also deleted. I'm wondering if both programs found the same bugs or what. Anyway, I'll now proceed with step 4...
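Added example (not part of Kenny's post, not MBAM's code): how a helper reads the MBAM log above. Grouping the hits by family and by where the files lived shows that every file detection sits in a System Restore point, the IE cache of the system profile, or the OTS quarantine folder, so none of them was a live executable; the "Registry Data Items" lines show the rogue had set the Security Center DisableNotify values to 1, which silences the antivirus, firewall and update warnings. The sample is a constructed subset of the log in this post.

```python
"""Summarise a Malwarebytes' Anti-Malware (MBAM) log like the one posted in Step 3.
Added example for this thread, not MBAM's own code. It groups hits by family and
by where the files lived, which is how a helper reads such a log: here every
file hit sits in a System Restore point, the IE cache or the OTS quarantine, and
the registry data hits show the rogue had silenced Security Center warnings.
The sample is a constructed subset of the log in #21.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Personal Guard 2009 (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\System Volume Information\_restore{89C33134-A927-4B70-B252-394EF4817115}\RP417\A0071597.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{89C33134-A927-4B70-B252-394EF4817115}\RP417\A0071674.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0VQR4NID\load-full[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\_OTS\MovedFiles\11052009_222451\C_WINDOWS\System32\logon.exe (Worm.Emold) -> Quarantined and deleted successfully.
"""

HEADER_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(.+?) \(([^()]+)\) -> (.+)$")   # item (Family) -> outcome
BAD_RE = re.compile(r"Bad: \((.*?)\)")                   # data items: old value MBAM replaced

# Where a file hit lived says how much it still mattered.
LOCATIONS = [
    ("\\system volume information\\_restore", "System Restore point (dormant backup)"),
    ("\\temporary internet files\\", "browser cache (downloaded copy)"),
    ("\\_ots\\movedfiles\\", "OTS quarantine (already moved by the fix)"),
]


def locate(path):
    p = path.lower()
    return next((label for needle, label in LOCATIONS if needle in p), "live location")


def parse_mbam_log(text):
    """One dict per detection: category, item, family, bad_value, location."""
    items, category = [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := HEADER_RE.match(line):
            category = m.group(1)
        elif category and (m := ITEM_RE.match(line)):
            item, family, detail = m.groups()
            bad = BAD_RE.search(detail)
            items.append({"category": category, "item": item, "family": family,
                          "bad_value": bad.group(1) if bad else None,
                          "location": locate(item) if category == "Files Infected" else None})
    return items


def summarise(items):
    return {
        "by_family": Counter(i["family"] for i in items),
        "by_location": Counter(i["location"] for i in items if i["location"]),
        "live_files": [i["item"] for i in items if i["location"] == "live location"],
        # DisableNotify = 1 suppresses the Security Center warning for that component
        "security_center_silenced": sorted(i["item"].rsplit("\\", 1)[1] for i in items
                                           if i["family"] == "Disabled.SecurityCenter"
                                           and i["bad_value"] == "1"),
    }


if __name__ == "__main__":
    for key, value in summarise(parse_mbam_log(SAMPLE_LOG)).items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

The restore-point copies are also why the next OTS fix in this thread ends with [ClearAllRestorePoints]: a restore taken from RP417 would bring the Vundo DLLs back.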
Kenny1 (Member), 06-Nov-2009, 06:12 AM, #22
Step 4 results
Please find attached, too big to post....

That completes my assignment!! Look forward to the results.

Kind Regards,
Kenny
NeonFx (Senior Member, authorized to help remove malware), 06-Nov-2009, 09:27 AM, #23
The results are good. How's the computer running?

Let's clean up a bit, update some stuff and run an online scanner. The scan will take a while but it's well worth it as it can often find things all other scanners will miss.

STEP 1

Run OTS

  • Under the Paste Fix Here box on the right, paste in the following:

Code:
[Kill All Processes]
[Registry - Safe List]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \F -> 
YN -> \{1dd6dee4-d3b3-11dc-91a6-001cbf6c3324} -> 
YN -> \{4e028a99-c555-11de-9ee2-001b2492f51a} -> 
YN -> \{8e62349c-c822-11de-9ef6-001b2492f51a} -> 
YN -> \{a8c4c622-d054-11dd-981a-001b2492f51a} -> 
YN -> \{c21b2aa3-fced-11dc-9312-001b2492f51a} -> 
[Custom Items]
:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_Dlls"=""
:end
[ClearAllRestorePoints]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • This will create a log in C:\_OTS\MovedFiles\<date>_<time>.txt where date and time are those of when the fix was run. Open it from there if it does not appear automatically on reboot. Please copy and paste or attach the contents of that file here.



STEP 2

Before we run the scanner, I need you to update Internet Explorer to IE8. Even if you don't use it, we need to have it updated as its components are deeply connected with Windows itself.

Please go here to download the installer:

http://www.microsoft.com/windows/internet-explorer/


STEP 3

The online scanner uses Java, so I will need you to download and install the latest version for that.

Please go here to download the installer:

http://java.com/en/download/index.jsp


STEP 4

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.



2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.


The program will then begin downloading and installing and will also update the database.


Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.

  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply.
Kenny1 (Member), 06-Nov-2009, 01:54 PM, #24
Step 1 results
All Processes Killed
[Registry - Safe List]
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1dd6dee4-d3b3-11dc-91a6-001cbf6c3324}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1dd6dee4-d3b3-11dc-91a6-001cbf6c3324}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4e028a99-c555-11de-9ee2-001b2492f51a}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4e028a99-c555-11de-9ee2-001b2492f51a}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8e62349c-c822-11de-9ef6-001b2492f51a}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8e62349c-c822-11de-9ef6-001b2492f51a}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8c4c622-d054-11dd-981a-001b2492f51a}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a8c4c622-d054-11dd-981a-001b2492f51a}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c21b2aa3-fced-11dc-9312-001b2492f51a}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c21b2aa3-fced-11dc-9312-001b2492f51a}\ not found.
[Custom Items]
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\"AppInit_Dlls"|"" /E : value set successfully!

Restorepoints cleared and new one set!
< End of fix log >
OTS by OldTimer - Version 3.1.3.0 fix logfile created on 11062009_124450

Everything seems to be running fine, except IE8 (which I just installed a couple days ago) which is giving me problems that are probably unrelated to what we've been dealing with (I think...)
Kenny1 (Member), 06-Nov-2009, 02:02 PM, #25
Step 2
Hmmm... just looking at Step 2 I see you want me to upgrade to IE8, which, as I mentioned in my last post, I did just a couple days ago, right around the time all these other problems emerged actually... In any case, I've been looking for a way to uninstall IE8 because of the problems I'm having with it. I couldn't see it under add/remove programs. Perhaps I should reinstall it, maybe the initial installation was corrupted by the other issues? I'll try that.....
NeonFx (Senior Member, authorized to help remove malware), 06-Nov-2009, 02:11 PM, #26
Yeah, something must have happened during the installation because your computer and OTS think you still have IE6:

Quote:
Internet Explorer (Version = 6.0.2900.5512)
Trying to reinstall it now is a good idea.
Kenny1 (Member), 06-Nov-2009, 02:14 PM, #27
Step 2 issue
I just downloaded IE8 and tried to run the installer and it said it cannot uninstall the current version of IE8 on this computer. It offered to go ahead and install a second version but seemed to be saying that the second one would be uninstallable too?? Anyway, I elected not to proceed. I'd rather figure out how to uninstall IE8 that's onboard now and then start over, hopefully with a better result. With that in mind I'll wait for your advice regarding Step 2 and move on to Step 3.
NeonFx (Senior Member, authorized to help remove malware), 06-Nov-2009, 02:17 PM, #28
If the uninstaller is on your system it would be located here:

%windir%\ie8\spuninst\spuninst.exe

To run the uninstaller go to Start > Run and type in Cmd.exe . Copy and Paste the above line into the prompt and press Enter.
Kenny1 (Member), 06-Nov-2009, 02:22 PM, #29
Step 3
done!
NeonFx (Senior Member, authorized to help remove malware), 06-Nov-2009, 02:27 PM, #30
Click About Internet Explorer under the Help menu in Internet Explorer. That will tell you what version you're running on your system.

I still think you should install the newer version as there will probably be a way to uninstall it after you do.