WiredWX Christian Hobby Weather Tools
OTL fails to run
I inherited a Dell Inspiron 1100 Laptop which was infected with malware etc. It would boot up, but pop-up errors, auto rebooting, empty desktop, no start menu programs, and other problems occurred. I disabled all startup programs in msconfig except Avira and was able to install the latest Avira free version which detected 10 problems, one of which was TR\Crypt.cfi.Gen trojan. I installed Advanced System Care 4 and that allegedly solved many problems, but I still have no icons on the desktop or in the start menu. There are certain programs, like Outlook Express and Microsoft Office that still work, and I would like to restore those shortcuts and get the desktop back.

I can't put anything on the desktop, so I ran OTL from the website and it failed to run. I tried running a download file of OTL from the startmenu, but it failed too. What's next?

Re: OTL fails to run
Hi there Chic_Bowdrie and welcome to GeekPolice!

I am Gabethebabe and I will be helping you with this issue. Before we start, some general remarks/rules:
  • Whilst I'm helping you, please follow my instructions carefully and do not experiment on your own or accept help from other persons.
  • Feel free to ask questions! Especially if my instructions are not clear. I'm here to help, not confuse you.
  • I will try and respond quickly, but please understand I do have a real life (job, wife, 3 kids, kinky hobbies).
  • Stick with me till the end. If your computer starts running better, that doesn't mean it is clean yet!

====================

Please download RKill by Grinler from Download Mirror #1 and save it to your desktop.
Download Mirror #1 (rkill.exe)
Download Mirror #2 (rkill.scr)
Download Mirror #3 (rkill.com)
Download Mirror #4 (WiNlOgOn.exe)
Download Mirror #5 (uSeRiNiT.exe)
Download Mirror #6 (iExplore.exe)
Download Mirror #7 (eXplorer.exe)

  • Double-click the RKill desktop icon (right-click > Run as Administrator for Vista/Win7).
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur, please delete that application and try using Mirror #2.
  • Continue process until the tool runs.
  • Important: RKill only temporarily disables the malware. If you reboot the computer, it will be active again. So do not reboot until we kill the infection.

====================

Please download OTL by OldTimer from here and save it to your desktop.
  • Close all windows and double-click OTL.exe.
  • The Extra Registry setting should be Use Safelist
  • Copy and paste the following text into the Custom Scans/Fixes box:

Code:

%APPDATA%\Microsoft\*.*
%systemroot%\system32\config\systemprofile\*.dat /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\winn32\*.*
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%PROGRAMFILES%\Mozilla Firefox\*.exe
%ProgramFiles%\TinyProxy.
%systemroot%\system32\*.* /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.* /lockedfiles
%PROGRAMFILES%\*.
netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
/md5start
netlogon.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
disk.sys
explorer.exe
userinit.exe
winlogon.exe
/md5stop
CREATERESTOREPOINT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs

  • Click the Run Scan button and allow it to run.
  • It will produce two logs for you, OTL.txt and Extras.txt. Please post both logs in this thread.
  • You may need multiple posts to get it all.


====================

Please download aswMBR by Alwil Software from here and save it to your desktop.

  • Double-click aswMBR.exe to run the tool.
  • Click the Scan button to start the scan.
  • Don't panic if you see any **Rootkit** entries. The tool sometimes produces false alarms.
  • Once the scan finishes click Save log to save the log to your desktop
  • Copy and paste the contents of this log (aswMBR.txt) into your next reply.

Re: OTL fails to run
Thanks, Gabethebabe. I ran RKill successfully and the desktop icons returned. However, "OTL has encountered a problem and needs to close. We are sorry for the inconvenience." Do you need the error report?

Re: OTL fails to run
How about aswMBR, did that run?

Re: OTL fails to run
Sorry for the delay and not reading your earlier post all the way through . . .

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-07 13:31:24
-----------------------------
13:31:24.160 OS Version: Windows 5.1.2600 Service Pack 3
13:31:24.160 Number of processors: 1 586 0x209
13:31:24.160 ComputerName: ELBERT UserName:
13:31:25.341 Initialize success
13:35:18.847 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
13:35:18.847 Disk 0 Vendor: IC25N020ATCS04-0 CA2OA72A Size: 19077MB BusType: 3
13:35:21.100 Disk 0 MBR read successfully
13:35:21.100 Disk 0 MBR scan
13:35:21.100 Disk 0 Windows XP default MBR code
13:35:21.110 Disk 0 scanning sectors +39054015
13:35:21.210 Disk 0 scanning C:\WINDOWS\system32\drivers
13:35:43.693 Service scanning
13:35:45.886 Modules scanning
13:36:16.360 Disk 0 trace - called modules:
13:36:16.400 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
13:36:16.410 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82f90ab8]
13:36:16.410 3 CLASSPNP.SYS[f8898fd7] -> nt!IofCallDriver -> \Device\00000074[0x82f32030]
13:36:16.410 5 ACPI.sys[f880f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x82f56940]
13:36:16.420 Scan finished successfully
13:36:58.060 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\*my*name*\Desktop\MBR.dat"
13:36:58.150 The log file has been saved successfully to "C:\Documents and Settings\*my*name*\Desktop\aswMBR.txt"


Re: OTL fails to run
Time to use ComboFix by sUBs, a powerful tool that you are advised not to run without supervision of a trained malware helper. Please visit this webpage and read the tutorial on using ComboFix very carefully. After that download the tool and save it to your desktop.

Double-click ComboFix.exe to run the tool. Please post its log back here.

Re: OTL fails to run
Combofix diverged from the text in the tutorial by rebooting the computer. The hard drive LED is on, but the screen has been blank over 10 minutes. Is this normal?

Re: OTL fails to run
ComboFix 11-10-07.04 - *my*name* 10/07/2011 16:02:25.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.638.231 [GMT -4:00]
Running from: c:\documents and settings\*my*name*\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\*my*name*\g2ax_customer_downloadhelper_win32_x86.exe
c:\documents and settings\*my*name*\GoToAssistDownloadHelper.exe
c:\documents and settings\*my*name*\My Documents\~WRL0004.tmp
c:\documents and settings\*my*name*\My Documents\~WRL0196.tmp
c:\documents and settings\*my*name*\My Documents\~WRL0522.tmp
c:\documents and settings\*my*name*\My Documents\~WRL0650.tmp
c:\documents and settings\*my*name*\My Documents\~WRL0958.tmp
c:\documents and settings\*my*name*\My Documents\~WRL1104.tmp
c:\documents and settings\*my*name*\My Documents\~WRL1311.tmp
c:\documents and settings\*my*name*\My Documents\~WRL1315.tmp
c:\documents and settings\*my*name*\My Documents\~WRL1906.tmp
c:\documents and settings\*my*name*\My Documents\~WRL2206.tmp
c:\documents and settings\*my*name*\My Documents\~WRL2281.tmp
c:\documents and settings\*my*name*\My Documents\~WRL2410.tmp
c:\documents and settings\*my*name*\My Documents\~WRL2454.tmp
c:\documents and settings\*my*name*\My Documents\~WRL2854.tmp
c:\documents and settings\*my*name*\My Documents\~WRL2908.tmp
c:\documents and settings\*my*name*\My Documents\~WRL2985.tmp
c:\documents and settings\*my*name*\My Documents\~WRL2998.tmp
c:\documents and settings\*my*name*\My Documents\~WRL3401.tmp
c:\documents and settings\*my*name*\My Documents\~WRL3406.tmp
c:\documents and settings\*my*name*\My Documents\~WRL3508.tmp
c:\documents and settings\*my*name*\My Documents\~WRL3511.tmp
c:\documents and settings\*my*name*\My Documents\~WRL3642.tmp
c:\documents and settings\*my*name*\My Documents\~WRL3691.tmp
c:\documents and settings\*my*name*\Start Menu\OTL.exe
c:\documents and settings\*my*name*\Start Menu\Programs\Windows XP Recovery
c:\documents and settings\*my*name*\WINDOWS
C:\NORTON~1.EXE
c:\program files\messenger\msmsgsin.exe
c:\windows\system32\config\systemprofile\Application Data\Starware347
c:\windows\system32\config\systemprofile\Application Data\Starware347\BrowserSearch\BrowserSearch.xml
c:\windows\system32\config\systemprofile\Application Data\Starware347\BrowserSearch\BrowserSearch.xml.backup
c:\windows\system32\config\systemprofile\Application Data\Starware347\EntertainmentMarketingSP\EntertainmentMarketingSPOptions.xml
c:\windows\system32\config\systemprofile\Application Data\Starware347\EntertainmentMarketingSP\EntertainmentMarketingSPOptions.xml.backup
c:\windows\system32\config\systemprofile\Application Data\Starware347\ErrorSearch\ErrorSearchOptions.xml
c:\windows\system32\config\systemprofile\Application Data\Starware347\ErrorSearch\ErrorSearchOptions.xml.backup
c:\windows\system32\config\systemprofile\Application Data\Starware347\Games\GamesOptions.xml
c:\windows\system32\config\systemprofile\Application Data\Starware347\Games\GamesOptions.xml.backup
c:\windows\system32\config\systemprofile\Application Data\Starware347\JokeSearch\JokeSearchOptions.xml
c:\windows\system32\config\systemprofile\Application Data\Starware347\JokeSearch\JokeSearchOptions.xml.backup
c:\windows\system32\config\systemprofile\Application Data\Starware347\Layouts\PreferencesLayout.xml
c:\windows\system32\config\systemprofile\Application Data\Starware347\Layouts\PreferencesLayout.xml.backup
c:\windows\system32\config\systemprofile\Application Data\Starware347\Layouts\ToolbarLayout.xml
c:\windows\system32\config\systemprofile\Application Data\Starware347\Layouts\ToolbarLayout.xml.backup
c:\windows\system32\config\systemprofile\Application Data\Starware347\Manager\ManagerOptions.xml
c:\windows\system32\config\systemprofile\Application Data\Starware347\Manager\ManagerOptions.xml.backup
c:\windows\system32\config\systemprofile\Application Data\Starware347\Movies\MoviesOptions.xml
c:\windows\system32\config\systemprofile\Application Data\Starware347\Movies\MoviesOptions.xml.backup
c:\windows\system32\config\systemprofile\Application Data\Starware347\Pranks\PranksOptions.xml
c:\windows\system32\config\systemprofile\Application Data\Starware347\Pranks\PranksOptions.xml.backup
c:\windows\system32\config\systemprofile\Application Data\Starware347\RelatedSearch\RelatedSearchOptions.xml
c:\windows\system32\config\systemprofile\Application Data\Starware347\RelatedSearch\RelatedSearchOptions.xml.backup
c:\windows\system32\config\systemprofile\Application Data\Starware347\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml
c:\windows\system32\config\systemprofile\Application Data\Starware347\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml.backup
c:\windows\system32\config\systemprofile\Application Data\Starware347\SearchAssistPlus\SearchAssistPlusOptions.xml
c:\windows\system32\config\systemprofile\Application Data\Starware347\SearchAssistPlus\SearchAssistPlusOptions.xml.backup
c:\windows\system32\config\systemprofile\Application Data\Starware347\SearchMatch\SearchMatchOptions.xml
c:\windows\system32\config\systemprofile\Application Data\Starware347\SearchMatch\SearchMatchOptions.xml.backup
c:\windows\system32\config\systemprofile\Application Data\Starware347\Toolbar\TBProductsOptions.xml
c:\windows\system32\config\systemprofile\Application Data\Starware347\Toolbar\TBProductsOptions.xml.backup
c:\windows\system32\config\systemprofile\Application Data\Starware347\ToolbarLogo\ToolbarLogoOptions.xml
c:\windows\system32\config\systemprofile\Application Data\Starware347\ToolbarLogo\ToolbarLogoOptions.xml.backup
c:\windows\system32\config\systemprofile\Application Data\Starware347\ToolbarSearch\ToolbarSearchOptions.xml
c:\windows\system32\config\systemprofile\Application Data\Starware347\ToolbarSearch\ToolbarSearchOptions.xml.backup
c:\windows\system32\config\systemprofile\Application Data\Starware347\TravelSearch\TravelSearchOptions.xml
c:\windows\system32\config\systemprofile\Application Data\Starware347\TravelSearch\TravelSearchOptions.xml.backup
c:\windows\system32\dumphive.exe
c:\windows\system32\rnaph.dll
c:\windows\system32\SrchSTS.exe
c:\windows\system32\system
c:\windows\system32\tmp.reg
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MYWEBSEARCHSERVICE
-------\Legacy_RPCPATCH
-------\Legacy_RPCTFTPD
.
.
((((((((((((((((((((((((( Files Created from 2011-09-07 to 2011-10-07 )))))))))))))))))))))))))))))))
.
.
2011-10-07 19:51 . 2002-12-19 00:50 167936 ----a-w- c:\windows\system32\LexLog.dll
2011-10-07 18:51 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-10-07 18:51 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2011-10-07 18:51 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2011-10-07 18:51 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2011-10-07 18:51 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2011-10-07 18:51 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
2011-10-07 18:51 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2011-10-07 18:51 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\dllcache\hidusb.sys
2011-10-07 12:04 . 2011-10-07 12:04 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-07 04:07 . 2011-10-07 04:07 440822 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-10-07 02:02 . 2011-10-07 01:11 582656 ----a-w- C:\OTL.com
2011-10-06 15:22 . 2011-10-06 15:22 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ICS
2011-10-06 14:15 . 2011-09-09 09:12 599040 ------w- c:\windows\system32\dllcache\crypt32.dll
2011-10-06 14:01 . 2011-06-24 14:10 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
2011-10-06 13:54 . 2011-07-08 14:02 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
2011-10-06 13:14 . 2010-12-20 17:32 551936 ------w- c:\windows\system32\dllcache\oleaut32.dll
2011-10-06 13:10 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys
2011-10-05 22:13 . 2011-09-18 12:39 134344 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-10-05 22:13 . 2011-09-16 03:55 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2011-10-05 22:13 . 2011-09-16 03:55 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-10-05 22:13 . 2011-10-05 22:13 -------- d-----w- c:\program files\Avira
2011-10-05 22:13 . 2011-10-05 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-09 09:12 . 2002-09-23 20:10 599040 ---ha-w- c:\windows\system32\crypt32.dll
2011-07-15 13:29 . 2002-08-29 10:00 456320 ---ha-w- c:\windows\system32\drivers\mrxsmb.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 4"="c:\program files\IObit\Advanced SystemCare 4\ASCTray.exe" [2011-08-09 417112]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-09-23 258512]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-10-01 18:44 87352 ---ha-w- c:\windows\SYSTEM32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
NvCp1Do REG_SZ C:\sgs.exe
Virscanner REG_SZ c:\windows\smss.exe
AntiVir REG_SZ c:\program files\smss.exe
Msnmsgr.exe REG_SZ c:\lsass.exe
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 8.0 Tray Icon.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online Tray Icon.lnk
backup=c:\windows\pss\America Online Tray Icon.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
backup=c:\windows\pss\AOL Companion.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-12-17 17:28 684032 ---ha-w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2007-03-09 15:09 63712 ---ha-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CARPService]
2003-01-23 20:06 4608 ---ha-w- c:\windows\SYSTEM32\carpserv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\SYSTEM32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DadApp]
2002-11-01 21:47 208560 ---ha-w- c:\program files\Dell\AccessDirect\DadApp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A920]
2003-04-10 11:52 270336 ---ha-w- c:\program files\Dell AIO Printer A920\dlbkbmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2004-07-19 13:51 306688 ---ha-w- c:\program files\Dell Support\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
2002-07-17 15:18 28672 ---ha-w- c:\windows\SYSTEM32\DSentry.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-10-19 12:59 126976 ---ha-w- c:\windows\SYSTEM32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-10-19 12:59 155648 ---ha-w- c:\windows\SYSTEM32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2008-07-24 23:46 63048 ---ha-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2002-07-16 12:21 28672 ---h--w- c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2002-08-14 22:29 90112 ---ha-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
2002-07-17 16:00 200767 ---ha-w- c:\program files\Microsoft Money\System\mnyexpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ---ha-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2003-10-07 08:52 77824 ---ha-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-04-06 06:27 26105128 ---ha-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-12 08:00 132496 ---ha-w- c:\program files\Java\jre1.6.0_02\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2003-05-02 22:15 610304 ---ha-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2003-05-02 22:21 110592 ---ha-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2003-07-25 16:28 151597 ---ha-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2010-08-24 09:38 247144 ---ha-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
2007-06-06 23:52 936960 ---ha-w- c:\program files\Verizon\McciTrayApp.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R1 avkmgr;avkmgr;c:\windows\SYSTEM32\DRIVERS\avkmgr.sys [10/5/2011 6:13 PM 36000]
R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\IObit\Advanced SystemCare 4\ASCService.exe [10/6/2011 12:46 AM 328536]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/5/2011 6:13 PM 86224]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 7:46 PM 12856]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [8/24/2010 5:38 AM 92008]
S3 {5C8B2B62-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-A;c:\windows\SYSTEM32\DRIVERS\a311.sys [1/1/1980 1:00 AM 31799]
S3 {5C8B2B65-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-B;c:\windows\SYSTEM32\DRIVERS\a310.sys [1/1/1980 1:00 AM 33335]
S3 BLKWGN;Belkin Wireless G Notebook Card Service;c:\windows\system32\DRIVERS\BLKWGN.sys --> c:\windows\system32\DRIVERS\BLKWGN.sys [?]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\SYSTEM32\DRIVERS\gan_adapter.sys [10/19/2006 11:11 AM 10664]
S3 wlanndi5;wlanndi5 NDIS Protocol Driver;c:\windows\SYSTEM32\wlanndi5.sys [4/21/2004 5:51 PM 16384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-07 c:\windows\Tasks\ASC4_PerformanceMonitor.job
- c:\program files\IObit\Advanced SystemCare 4\PMonitor.exe [2011-10-06 20:40]
.
2003-08-01 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.dellnet.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Translate this web page with Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
IE: Translate with Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm
TCP: DhcpNameServer = 204.186.110.76 216.144.187.37 216.144.187.199
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\*my*name*\Application Data\Mozilla\Firefox\Profiles\1rwdf2qj.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch
FF - prefs.js: browser.search.selectedEngine - iMesh Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?babsrc=adbartrp&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - Ext: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - %profile%\extensions\LogMeInClient@logmein.com
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: myBabylon English Toolbar: {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - %profile%\extensions\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}
FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{474597C5-AB09-49d6-A4D5-2E8D7341384E} - (no file)
HKU-Default-Run-Virscanner - c:\windows\smss.exe
HKU-Default-Run-AntiVir - c:\program files\smss.exe
HKU-Default-Run-Msnmsgr.exe - c:\lsass.exe
MSConfigStartUp-Advanced SystemCare 3 - c:\program files\IObit\Advanced SystemCare 3\AWC.exe
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-ccRegVfy - c:\program files\Common Files\Symantec Shared\ccRegVfy.exe
MSConfigStartUp-ConMgr - c:\program files\EarthLink 5.0\conmgr.exe
MSConfigStartUp-My Web Search Bar - c:\progra~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL
MSConfigStartUp-MYTffkoXRESS - c:\documents and settings\All Users\Application Data\MYTffkoXRESS.exe
MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
MSConfigStartUp-MyWebSearch Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-VerizonServicepoint - c:\program files\Verizon\VSP\VerizonServicepoint.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-07 16:32
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(3448)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
c:\windows\System32\igfxpph.dll
c:\windows\System32\hccutils.DLL
c:\windows\system32\igfxres.dll
c:\windows\System32\igfxsrvc.dll
c:\windows\System32\igfxdev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\progra~1\COMMON~1\aol\ACS\acsd.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\System32\logon.scr
.
**************************************************************************
.
Completion time: 2011-10-07 17:33:06 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-07 21:32
.
Pre-Run: 5,071,695,872 bytes free
Post-Run: 5,124,145,152 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - EADE82E39068653563390C3EFDDADBC1
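
The Reg Loading Points and ORPHANS REMOVED sections of the log above show images named smss.exe and lsass.exe being started from c:\, c:\windows and c:\program files rather than from c:\windows\system32, which is the kind of pattern a helper reads a ComboFix log for. As an added example (not code from the thread, from ComboFix or from OTL), the Python below pulls the image path out of each loading-point line and flags any image that borrows a core Windows process name but sits outside that process's normal directory, or that sits directly in the drive root. The expected locations in CORE_PROCESS_HOMES are this example's assumption about a default Windows XP install; the sample lines are copied from the log above, with a few benign entries kept for contrast.

```python
import re
from pathlib import PureWindowsPath

# Added example for this thread; not code from ComboFix, OTL or the helper.
# Where a genuine copy of each core binary lives on a default Windows XP
# install (an assumption of this example, not something the log states).
SYSTEM32 = PureWindowsPath(r"c:\windows\system32")
WINDIR = PureWindowsPath(r"c:\windows")
CORE_PROCESS_HOMES = {
    "smss.exe": SYSTEM32, "csrss.exe": SYSTEM32, "winlogon.exe": SYSTEM32,
    "services.exe": SYSTEM32, "lsass.exe": SYSTEM32, "svchost.exe": SYSTEM32,
    "userinit.exe": SYSTEM32, "explorer.exe": WINDIR,
}

# A drive-letter path ending in a binary extension. Covers the line shapes in
# the log: "name"="path" [date size], name REG_SZ path, and key - path.
IMAGE_PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]]*?\.(?:exe|dll|sys)\b', re.IGNORECASE)

# Lines copied from the ComboFix log posted above (Reg Loading Points and
# ORPHANS REMOVED sections). The first three are benign entries for contrast.
SAMPLE_LINES = [
    r'"Advanced SystemCare 4"="c:\program files\IObit\Advanced SystemCare 4\ASCTray.exe" [2011-08-09 417112]',
    r'"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-09-23 258512]',
    r'"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]',
    r"NvCp1Do REG_SZ C:\sgs.exe",
    r"Virscanner REG_SZ c:\windows\smss.exe",
    r"AntiVir REG_SZ c:\program files\smss.exe",
    r"Msnmsgr.exe REG_SZ c:\lsass.exe",
    r"HKU-Default-Run-Virscanner - c:\windows\smss.exe",
    r"MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe",
]


def suspicious_image(path):
    """Return a reason string if the image path looks like a masquerade, else None."""
    p = PureWindowsPath(path.lower())
    home = CORE_PROCESS_HOMES.get(p.name)
    if home is not None and p.parent != home:
        return f"{p.name} outside its expected directory {home}"
    if len(p.parts) == 2:  # ('c:\\', 'file.exe'): a binary dropped in the drive root
        return f"{p.name} sits directly in the drive root"
    return None


def scan_autorun_lines(lines):
    """Return (path, reason) pairs for every image path in the lines that trips a rule."""
    findings = []
    for line in lines:
        for match in IMAGE_PATH_RE.finditer(line):
            reason = suspicious_image(match.group(0))
            if reason:
                findings.append((match.group(0), reason))
    return findings


if __name__ == "__main__":
    for path, reason in scan_autorun_lines(SAMPLE_LINES):
        print(f"{path:45} {reason}")
```

Run on the sample lines it reports five findings: C:\sgs.exe (drive root), c:\windows\smss.exe twice, c:\program files\smss.exe and c:\lsass.exe (core names outside system32); the Avira, IObit, CTFMON and Google entries pass. The rules are deliberately narrow: a path check like this is a triage aid for reading logs, and what it flags still needs confirming with the file hashes that the OTL `/md5start` block in the helper's instructions collects.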

Re: OTL fails to run
OK, I was wrong about Combofix going off script. It just didn't warn me about the auto-reboot. Also my screen was blank for at least 2 hours. I finally left and when I came back 4 hours later, there was the log file just as predicted.

Did running Avira and ASC before seeking help here do more harm than good?

Re: OTL fails to run
Speaking of Avira, I see it asking me to move TR/Crypt.cfi.gen and ADWARE/OpenCandy.A.276 to quarantine. Should I do it?

Re: OTL fails to run
Chic_Bowdrie wrote:
Speaking of Avira, I see it asking me to move TR/Crypt.cfi.gen and ADWARE/OpenCandy.A.276 to quarantine. Should I do it?


You can also always submit a suspected file to virustotal.com to verify whether the file suspected by Avira is really a threat or maybe just a false positive (not uncommon for Avira).

Advanced system care is software that I wouldn´t touch with a 7" pole, firstly because the maker IObit has a terrible name after their Malwarebytes incident and secondly because these type of system utilities do very few that common sense can´t do.

Combofix bashed MyWebSearch, which is known adware.

====================

Please download Malwarebytes' Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Note:
  • If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
  • Click OK to either and let MBAM proceed with the disinfection process.
  • If asked to restart the computer, please do so immediately.

Post the contents of the MBAM log in your next reply, please.

Re: OTL fails to run
OK, MBAM did not find anything. I quarantined the suspect Avira detections and now I can't find them to submit to virustotal.com. Here is the MBAM report:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7899

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/8/2011 6:24:35 AM
mbam-log-2011-10-08 (06-24-35).txt

Scan type: Quick scan
Objects scanned: 195510
Time elapsed: 13 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Re: OTL fails to run
The final utility we will run is a tool that is able to bring back shortcuts and other items that were hidden or deleted by malware. Maybe it has a positive effect.

  • Please download Unhide by Grinler from here and save it to your desktop.
  • Double click unhide.exe to run the tool.
  • It will take some time to go through all your files, so please be patient.
  • Let me know if good stuff happened.


Re: OTL fails to run
Things are looking good. The program file shortcuts are back. At some point in this process, the files and folders in "My Computer" and "My Documents" appeared, except they were faint compared to the files and folders I created since I originally booted this computer. Since I don't have a history with this computer, I don't know how to compare with how it used to work. But it seems to work well now. It appears to go into sleep mode too often, but I can adjust that now. Also desktop background and screen saver are changeable now. Cool. You are awesome! 7"

Re: OTL fails to run
Excellent. As far as I can see, your computer is CLEAN.

====================

Time to uninstall used tools.

  • Go to Start > Run and type or copy/paste Combofix /uninstall (note the space before the "/").
  • Double click OTL.exe to run it again and click the CleanUp button.
  • If we used any other tools and they still remain on your desktop, please delete them manually.

====================

You need to install the latest version of Java. Having the latest version is important to take advantage of fixes that have eliminated security vulnerabilities.
  • Go to Start > Control Panel
  • Double-click on Add or Remove Programs
  • Look for entries that say Java, Java RunTime Environment or J2SE.
  • Uninstall all of them that are not named Java (TM) 6 Update 27

After doing this, you can go to java.com, click on Free Java Download and proceed from there to install the latest version of Java (currently Version 6 Update 27).

After installing Java, go to Start > Control Panel > Java to open the Java Control Panel.
Under the General tab, Temporary Internet Files click Settings, then click Delete Files.
Select both options and click OK to delete the Java cache.

====================

Do you have any more questions or do you want to see my ALORTKYCC (Awesome List Or Recommendations To Keep Your Computer Clean)?
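The Add or Remove Programs step above, as an added example that is not part of the original post: the dialog only displays what Windows keeps under the Uninstall registry keys, so a short PowerShell script (PowerShell 2.0 runs on XP SP3) can list every Java/J2SE entry, mark the ones that are not the release you intend to keep, and remove MSI-based ones through msiexec using the product code that forms the key name. The name of the release to keep, the `$KeepName`/`$DoUninstall` variables and the helper structure are mine, not Oracle's or the forum's; set the name to whatever java.com currently ships.

```powershell
# Added example, not from the original thread. Assumption: the release to keep is
# the one named below; change it to match what java.com currently installs.
$KeepName    = 'Java(TM) 6 Update 27'
$DoUninstall = $false   # dry run by default; set to $true to actually remove entries

# The same data Add or Remove Programs displays. The Wow6432Node key exists only on
# 64-bit Windows and is skipped when absent (32-bit XP has only the first one).
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

$javaEntries = foreach ($root in $uninstallRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem $root) {
        $p = Get-ItemProperty $key.PSPath
        if (-not $p.DisplayName) { continue }
        # Names Sun/Oracle have used in Add or Remove Programs: "Java(TM) 6 Update 27",
        # "Java 7 Update 5", "J2SE Runtime Environment 5.0 Update 22", "Java Auto Updater"
        if ($p.DisplayName -match '^(Java|J2SE)') {
            New-Object PSObject -Property @{
                DisplayName     = $p.DisplayName
                DisplayVersion  = $p.DisplayVersion
                ProductCode     = $key.PSChildName        # a {GUID} for MSI installs
                UninstallString = $p.UninstallString
                Remove          = ($p.DisplayName -ne $KeepName)
            }
        }
    }
}

$javaEntries | Format-Table DisplayName, DisplayVersion, Remove, ProductCode -AutoSize

foreach ($e in $javaEntries | Where-Object { $_.Remove }) {
    if ($e.ProductCode -match '^\{[0-9A-Fa-f-]{36}\}$') {
        # MSI-based install: msiexec removes it silently by product code
        $msiArgs = "/x $($e.ProductCode) /qn /norestart"
        if ($DoUninstall) { Start-Process msiexec.exe -ArgumentList $msiArgs -Wait }
        else { Write-Host "Would run: msiexec.exe $msiArgs" }
    } else {
        # Non-MSI entry: the vendor's own uninstaller command has to be run by hand
        Write-Host "Run manually: $($e.UninstallString)"
    }
}
```

Run it from an administrator account, first with `$DoUninstall` left at `$false` to see what would go, then again with it set to `$true`. Old JRE releases stay installed side by side with new ones, which is exactly why the instructions say to remove every entry that is not the current one: a browser plugin can still be pointed at an old, exploitable runtime that is sitting next to the patched one.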

Re: OTL fails to run
My OTL.exe never ran. Is cleanup still appropriate? All other tools have been removed. I read your ALORTKYCC from another post. Using a limited instead of an administrator account is great advice. I take it you recommend removing Avira, but which of the three, Panda, Ad-Aware or Avast, do you prefer?

Finally, you don't like Advanced System Care because it doesn't do more than common sense. Isn't that some help to us novices? What would you recommend as an alternative?

I am very pleased with this service and will be donating as a result.

Re: OTL fails to run
If OTL never ran, you can just delete it.

Avira is a fine antivirus. I just know that it incorporated some dubious toolbars into its software and I hate that. I don't know the current status of that, though. If you keep Avira, that is fine. If you change it for any of the three other products, that is equally fine. Don't waste too much time on the choice of AV; it is only one of the many security measures you should take.

The best system care is
- Run MBAM once/month
- Clean up temporary files + defrag once/month
- Look at running programs (task manager) and make sure that every process that is running actually benefits you. If you come across a process you don't know, you have a very good friend in Google.

If you are pleased, I am pleased :)
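The "look at running programs" advice above, as an added example that is not part of the original post, and one way around the earlier problem of wanting to submit a quarantined file to virustotal.com: VirusTotal also accepts a search by file hash, so if you record a hash before a file is quarantined you can look it up without getting the file back out (a hash search only finds files VirusTotal has already seen). The script walks the running processes, records each image's path, whether it carries a valid Authenticode signature and who signed it, and its SHA-256, then lists the unsigned, non-Windows-directory ones first. The function names are mine; the .NET hashing helper is used instead of `Get-FileHash` so it works on the PowerShell 2.0 that XP can run.

```powershell
# Added example, not from the original thread. Lists running processes with their
# on-disk image, signature status and SHA-256 so unfamiliar ones can be looked up.

function Get-Sha256Hex {
    param([string]$Path)
    # .NET hashing rather than Get-FileHash, which needs PowerShell 4 or later
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

function Get-ProcessAudit {
    $systemRoot = $env:SystemRoot
    # Path is empty for processes we are not allowed to open (System, csrss, ...);
    # those are skipped rather than reported as unsigned.
    Get-Process | Where-Object { $_.Path } | ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.Path -ErrorAction SilentlyContinue
        $status = if ($sig) { $sig.Status } else { 'Unreadable' }
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        New-Object PSObject -Property @{
            Name      = $_.Name
            PID       = $_.Id
            Path      = $_.Path
            Signature = $status              # Valid, NotSigned, HashMismatch, ...
            Signer    = $signer
            InWindows = $_.Path -like "$systemRoot\*"
            Sha256    = Get-Sha256Hex $_.Path
        }
    }
}

# Suspicious-first ordering: not validly signed and not under the Windows directory
# is where the "you have a very good friend in Google" effort should go.
Get-ProcessAudit |
    Sort-Object @{Expression = { $_.Signature -eq 'Valid' }}, InWindows, Path |
    Format-Table Name, PID, Signature, InWindows, Path, Sha256 -AutoSize
```

Two caveats before acting on the output. Most Windows system binaries are signed through security catalogs rather than with an embedded signature, so older PowerShell reports `NotSigned` for a perfectly legitimate file under `System32`; Sysinternals `sigcheck` checks the catalogs and is the better tool for those. And "validly signed" is not "benign": it narrows the list of things to look up, it does not clear them.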

Re: OTL fails to run
I am pleased, but I spoke too soon about program file shortcuts returning.
The program folders appear on the start menu, but when I move the cursor over the folder icons, most but not all of the shortcuts are empty. For example, under Accessories I have a Communications sub-folder, but it is empty. Games, Microsoft Office, Real, Skype, Startup are all empty. Do I have to add these back manually?

Re: OTL fails to run
I am afraid so.

You can uninstall/reinstall programs to get shortcuts back or look them up in the program folder, create a shortcut and drag it to the start menu.

A trick you can use for Windows standard menu items is to create a new account (USERNAME) on your computer, which will create the original start menu in the "C:\Documents and Settings\USERNAME\Start Menu" folder.

With an admin account you can copy&paste the contents into your own account Start Menu folder.

But yeah, it will require some work to build it up again. GL with it.

Re: OTL fails to run
I can do this since I will be creating the new account anyway to avoid malware and for my daughter's use. Many thanks again. Thank You!
