Removal of Desktop.ini for the third time!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by dbj15, Aug 5, 2012.

  1. dbj15

    dbj15 Private E-2

    Initially, my thread/post had to do with asking for help with the removal of C:\Windows\assembly\GAC\32\Desktop.ini. At that time, I was only able to run the infected computer in safe mode. Shortly thereafter, the message "Windows has encountered a critical problem and will restart in one minute" popped up, and since then that's what happens when trying to run Windows, even in safe mode. The last problem this computer has is that there is some kind of delay that happens when trying to scroll with a number of applications such as Notepad, WordPad, or even two browsers. At the same time, there is a delay when I try to type characters in any application, including Notepad or WordPad.

    Amazingly enough, I had listed my post back in early June and then never heard from any tech for some time. I reposted and got an email that my thread/post had been taken up and was shown a link to his reply to the thread/post, and then AGAIN the whole thread/post disappeared. I then took to emailing an official of MajorGeeks to ask for help in finding why the posts had disappeared. Since then, I have heard nothing and my emails have not been answered. I will thank anyone that is willing to help me with this problem.
     
  2. thisisu

    thisisu Malware Consultant

    Hi, sorry for the inconvenience you have experienced. I'm not sure why your posts aren't showing up but I will bring it to the moderators' attention.

    So I can better help you, do you know which operating system you are on? Windows XP, Windows Vista, Windows 7?
     
  3. dbj15

    dbj15 Private E-2

    Hello to thisisu. Thank you for your attention to my problem computer. It is running Windows 7, a 32-bit version. The only new info is that I found that running a live CD of Linux Mint 12 does not show any of the delayed scrolling or typing problems.
     
  4. thisisu

    thisisu Malware Consultant

    Please download Farbar Recovery Scan Tool and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type notepad and press Enter.
    • Notepad opens. Under the File menu select Open.
    • Select "Computer", note your flash drive letter, and close Notepad.
    • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.
    • Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this log to your next reply. (How to attach)
     
  5. dbj15

    dbj15 Private E-2

    Hello, and sorry for the delay here. Don't know exactly where to start. I have been held in the hospital for observation after a diabetic low blood sugar episode. When I returned and went to the computer room, my wife informed me that my grandson had run a live or bootable CD named "Bitdefender Malware or Virus scanner" on it and, she says, it had removed some stuff it found, and then he left. I started the computer to do your procedure and it boots to full normal Windows! The only thing I find is that it has even more of those delays in both scrolling and trying to type in either Notepad or WordPad. I did finish your instructions for the Farbar scan and have uploaded the resulting FRST.txt. I hope you will be able to help with the delay problems. Again, sorry for my delay in responding to you.
     

    Attached Files:

  6. thisisu

    thisisu Malware Consultant

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Attached is fixlist.txt
    • Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST.exe on your flash drive.

    Now re-enter System Recovery Options.
    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (How to attach)

    Now attempt to boot normally.
     

    Attached Files:

  7. dbj15

    dbj15 Private E-2

    Hello again today, 8-10-12. Thank you for the fixlist tool. I have attached the log file. After running the tool and being told the log file had been created, I closed down and rebooted. A dialog box showed before the taskbar could appear that says "cannot create shell notification icon" and had to be closed before the taskbar would appear. Windows loaded and I tested and found the delays were still there. I would like to know: since the live Linux Mint 12 does not have any delays, does that say that it is not a hardware problem? Again, thanks for your time for me.
     

    Attached Files:

  8. thisisu

    thisisu Malware Consultant

    The fix wasn't effective at all. Trying to find out why. Please rescan with FRST and attach the newest FRST.txt
     
  9. thisisu

    thisisu Malware Consultant

    Also, is this a RAID Mirror setup?
     
  10. dbj15

    dbj15 Private E-2

    Hello. I understand that the script did not seem to work, so you want a redo of it to check on. I have attached the new fixlog I did this evening. Let me know how it works this time, please. Thank you again.
     

    Attached Files:

  11. thisisu

    thisisu Malware Consultant

    It did not work again at all.

    So now I would like to see a new scan of FRST.

    Also answer my previous question regarding a potential RAID Mirror setup.
     
  12. dbj15

    dbj15 Private E-2

    OK, this is not a RAID setup, just the C: drive for the Windows Ultimate 32-bit installation and a second drive with a large amount of stored files from previous computers. I have attached the new scan log FRST.txt made today, the 13th. Have you thought about my question as to hardware versus software being this delay problem? Some of the delays are now up to 8 or 9 seconds! Thanks again.
     

    Attached Files:

  13. thisisu

    thisisu Malware Consultant

  14. dbj15

    dbj15 Private E-2

    Re your last instructions to me, I did the following:
    Java cache emptied, IE cache flushed.
    Could NOT flush DNS cache; it came back with the message "Could not flush the DNS Resolver Cache: Function failed during execution".
    Router and modem reset. Delay problem not changed.
    GooredFix made a log that I shall attach. Delay problem not changed. No log from TDSSKiller. Delay problem not changed.
    MBRCheck was run and said "Done". Log will be attached.
    There is no disk emulation software.
    Control Internet Explorer add-ons with Add-on Manager: downloaded the MS Fix it for IE and ran it. No change in delays.
    The antivirus/antimalware on this computer is MS Security Essentials.
    Show hidden files and folders has been selected.
    CCleaner downloaded and run with defaults.
    Come back to http://forums.majorgeeks.com/showthread.php?t=35407 after CCleaner is done.
    Turn off UAC and reboot. Return to http://forums.majorgeeks.com/showthread.php?t=139681
    RogueKiller was run as Admin and log saved to attach.
    Malwarebytes full scan was run and log saved to attach. Restart required.
    TDSSKiller was run. No log from TDSSKiller. Delay problem not changed.
    Come back to http://forums.majorgeeks.com/showthread.php?t=139681
    HitmanPro downloaded, version 3.6.1.164. After the scan ran, there was no place to select "Ignore". When Next was clicked, the cleaning/removal process had started and all had been moved to Quarantined! There is a log file that will be attached.
    Computer says it cannot find C:\Users\David\AppData\LocalLow\Playbryte\Assemblies\1\BrowserObjects.dll -> Quarantined. No change in delays, browsers running or not running.

    I see your comment that you think my problem is hardware related. I remind you that I asked: given that Linux Mint, and now Ubuntu, both run all applications without any delays, do you still think this is a hardware problem? After you check all the logs I have just sent, is there any place else to go with this? One other piece of information is that upon booting, a dialog box comes up that says "Cannot create shell notification icon" and in the corner has a label of USB Vaccine. Thanks for your time.
     

    Attached Files:

  15. thisisu

    thisisu Malware Consultant

    Check the root of C:
    This is where the TDSSKiller logs are found.

    Also what happened with MGtools? c:\MGlogs.zip You need to attach this.
     
  16. dbj15

    dbj15 Private E-2

    8-17-12 Response
    OK, I have tried to finish with the programs you pointed out. The TDSSKiller results showed up on the screen, but as the log still does not appear where it is supposed to, on the root of C:\, I copied its contents to a text file to send as a log. The MGlogs.zip file has also been uploaded. I will wait for your opinion of these uploads.
     

    Attached Files:

  17. thisisu

    thisisu Malware Consultant

    From Programs and Features (via Control Panel), please uninstall the below:
    • 123 MP3 to WAV converter
    • Advanced Defrag v6.4
    • Babylon toolbar on IE
    • BadCopy Pro
    • Better Explorer Beta 1
    • Better Explorer
    • BitLord 1.1
    • Bitlord Toolbar
    • Conduit Engine
    • Coupon Printer for Windows
    • DVDVideoSoftTB Toolbar
    • Fix Redirect Virus
    • Freecorder Toolbar
    • Get It Free
    • Java(TM) 6 Update 32
    • Search-Results Toolbar
    • Uninstall 1.0.0.1
    • Vuze Remote Toolbar
    • What is This?
    • WhiteSmoke Bar Toolbar
    • Wise Registry Cleaner 7.22
    • Yontoo Layers Runtime 1.10.01
    • Your Uninstaller! 2008 Version 6.2
    • Your Uninstaller! 7
    • YTD Toolbar v6.2
    • YTD YouTube Downloader & Converter 3.6

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :services
    cidwitmc
    cqliwdgf
    DfSdkS
    finuqmbm
    kqccnkqb
    lughilsn
    :files
    C:\Users\David\Local Settings\Application Data\antiphishing-webblog1_1dn
    C:\Users\David\Local Settings\Application Data\Babylon
    C:\Users\David\Local Settings\Application Data\Conduit
    C:\Program Files\WhiteSmoke_Bar
    C:\Program Files\Freecorder
    C:\Users\David\Local Settings\unlkwnpioj.exe
    C:\Users\David\Local Settings\Application Data\unlkwnpioj.exe
    C:\Users\David\AppData\Local\unlkwnpioj.exe
    C:\Users\David\Local Settings\ziwekmbz.exe
    C:\ProgramData\Anti-phishing Domain Advisor
    C:\Users\David\Local Settings\Application Data\ziwekmbz.exe
    C:\Users\David\AppData\Local\ziwekmbz.exe
    C:\Windows\assembly\GAC\Desktop.ini
    C:\Windows\Installer\{b9f091c1-8959-7a39-c054-56e1678cfee7}
    C:\Users\David\AppData\Local\{b9f091c1-8959-7a39-c054-56e1678cfee7}
    dir /s C:\Windows\System32\%APPDATA% /c
    C:\Program Files\ConduitEngine
    C:\Program Files\Bitlord
    C:\Program Files\DVDVideoSoftTB
    C:\Program Files\wbtooltb
    C:\Program Files\Free Download Manager
    C:\Program Files\Ask.com
    C:\Program Files\YTD Toolbar
    C:\Users\David\AppData\Roaming\Microsoft\Windows\Templates\klkseh2u8osn0otj2lxs4a878h7k
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Coupons
    type C:\2108FP.TXT /c
    dir c:\Aida32Tstr /c
    :reg
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F3FEE66E-E034-436a-86E4-9690573BEE8A}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{63ee0f5c-b56a-4ecf-b209-45fdcbfcaf45}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{167d9323-f7cc-48f5-948a-6f012831a69f}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
    :commands
    [emptytemp]
    [resethosts]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    __

    Scan with OTL by OldTimer.

    • Right mouse click on the OTL icon on your desktop and select Run as Administrator
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      activex
      netsvcs
      
    • Now click the Run Scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     
  18. dbj15

    dbj15 Private E-2

    I would like to know if the list of programs you want me to uninstall are all infected in some way?Thank you.
     
  19. thisisu

    thisisu Malware Consultant

    Not infected as much as junk/trash programs that just hinder PC performance.
     
  20. dbj15

    dbj15 Private E-2

    I am working to uninstall all the items you have listed. I have run into a bit of extra work to do so, as I find that most of these programs have left quite a bit of leftover items in the registry that take me a long time to get all of them out. I should hope to be done by tomorrow. Thank you for your patience.
     
  21. dbj15

    dbj15 Private E-2

    Finally, hello. I have finished all the uninstalling and have run the OTL program steps in your instructions. The two logs are posted to you too. The OTL log file was rejected by the upload as too big, so I had to zip it to upload it to you. I hope that is OK!
     

    Attached Files:

  22. thisisu

    thisisu Malware Consultant

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :otl
    IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3007394
    IE - HKU\S-1-5-21-1343217212-1768020030-871570028-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://mystart.incredibar.com/mb128?a=6OyLBCBtq3&i=26
    IE - HKU\S-1-5-21-1343217212-1768020030-871570028-1000\..\URLSearchHook: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - No CLSID value found
    IE - HKU\S-1-5-21-1343217212-1768020030-871570028-1000\..\URLSearchHook: {167d9323-f7cc-48f5-948a-6f012831a69f} - No CLSID value found
    IE - HKU\S-1-5-21-1343217212-1768020030-871570028-1000\..\URLSearchHook: {63ee0f5c-b56a-4ecf-b209-45fdcbfcaf45} - No CLSID value found
    IE - HKU\S-1-5-21-1343217212-1768020030-871570028-1000\..\URLSearchHook: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - No CLSID value found
    IE - HKU\S-1-5-21-1343217212-1768020030-871570028-1000\..\URLSearchHook: {ba14329e-9550-4989-b3f2-9732e92d17cc} - No CLSID value found
    IE - HKU\S-1-5-21-1343217212-1768020030-871570028-1000\..\URLSearchHook: {F3FEE66E-E034-436a-86E4-9690573BEE8A} - No CLSID value found
    IE - HKU\S-1-5-21-1343217212-1768020030-871570028-1000\..\SearchScopes,DefaultScope = {CFF4DB9B-135F-47c0-9269-B4C6572FD61A}
    IE - HKU\S-1-5-21-1343217212-1768020030-871570028-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
    IE - HKU\S-1-5-21-1343217212-1768020030-871570028-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&AF=109453&babsrc=SP_ss&mntrId=1c17dc0800000000000000027287fe53
    IE - HKU\S-1-5-21-1343217212-1768020030-871570028-1000\..\SearchScopes\{2CE294A0-FB1A-4833-9160-08587AC7E0B8}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2504091
    IE - HKU\S-1-5-21-1343217212-1768020030-871570028-1000\..\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}: "URL" = http://www.mystart.com/search_w.php?type=webblog1_1msch&fr=chr-vmn&q={searchTerms}&ei=UTF-8
    IE - HKU\S-1-5-21-1343217212-1768020030-871570028-1000\..\SearchScopes\{8E18155A-BD1B-41E7-82AC-E3C0FD60E092}: "URL" = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=937811&p={searchTerms}
    IE - HKU\S-1-5-21-1343217212-1768020030-871570028-1000\..\SearchScopes\{91607fa7-3c2f-4f90-93e3-d5337a6b0ac2}: "URL" = Playbryte-fa-bndl/search/redirect/?type=default&user_id=7e776a77-f72e-47d4-a852-b09fde982891&query={searchTerms}
    IE - HKU\S-1-5-21-1343217212-1768020030-871570028-1000\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = https://isearch.avg.com/search?cid={3D6015AB-2E0E-42D7-B084-9FA41BB12842}&mid=&lang=&ds=&pr=&d=&v=&sap=dsp&q={searchTerms}
    IE - HKU\S-1-5-21-1343217212-1768020030-871570028-1000\..\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}: "URL" = http://mystart.incredibar.com/mb128/?search={searchTerms}&loc=IB_DS&a=6OyLBCBtq3&i=26
    IE - HKU\S-1-5-21-1343217212-1768020030-871570028-1000\..\SearchScopes\{E27E5075-04AA-449A-90FA-0A31B9A6E683}: "URL" = http://open-search.eu/google.php
    FF - prefs.js..browser.search.defaultenginename: "MyStart Search"
    FF - prefs.js..browser.search.defaultthis.engineName: "WhiteSmoke Bar Customized Web Search"
    FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3007394&SearchSource=3&q={searchTerms}"
    FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"
    FF - prefs.js..browser.search.param.yahoo-fr: "chr-greentree_ff&type=937811&ilc=12"
    [2012/08/21 03:04:03 | 000,000,000 | ---D | M] (Freecorder Community Toolbar) -- C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\hmbcs5kv.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}
    [2012/04/26 02:11:18 | 000,000,000 | ---D | M] (EPUBReader) -- C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\hmbcs5kv.default\extensions\{5384767E-00D9-40E9-B72F-9CC39D655D6F}
    [2012/08/22 01:31:25 | 000,000,000 | ---D | M] (Bitlord Community Toolbar) -- C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\hmbcs5kv.default\extensions\{63ee0f5c-b56a-4ecf-b209-45fdcbfcaf45}
    [2012/08/22 01:31:39 | 000,000,000 | ---D | M] (Productivity 3.1) -- C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\hmbcs5kv.default\extensions\{9427041a-a8dc-4d06-9a68-93873486e957}
    [2012/08/22 01:31:53 | 000,000,000 | ---D | M] (Vuze Remote) -- C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\hmbcs5kv.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}
    [2012/04/24 01:10:04 | 000,000,000 | ---D | M] (Browser Companion Helper) -- C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\hmbcs5kv.default\extensions\bbrs_006@blabbers.com
    [2012/01/05 15:31:46 | 000,000,000 | ---D | M] (Microsoft Default Manager) -- C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\hmbcs5kv.default\extensions\DefaultManager@Microsoft
    [2012/08/20 06:20:30 | 000,000,000 | ---D | M] (incredibar.com) -- C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\hmbcs5kv.default\extensions\ffxtlbr@incredibar.com
    [2012/08/20 06:19:30 | 000,000,000 | ---D | M] (OneClickDownloader) -- C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\hmbcs5kv.default\extensions\OneClickDownload@OneClickDownload.com
    [2012/07/23 15:39:33 | 000,000,000 | ---D | M] (PlayBryte) -- C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\hmbcs5kv.default\extensions\playbryte@playbryte.com
    [2012/08/20 05:59:00 | 000,000,000 | ---D | M] (VideoFileDownload - Download YouTube Videos) -- C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\hmbcs5kv.default\extensions\plugin@videofiledownload.com
    [2011/07/27 11:46:34 | 000,000,931 | ---- | M] () -- C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\hmbcs5kv.default\searchplugins\conduit.xml
    [2012/08/20 06:19:48 | 000,002,203 | ---- | M] () -- C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\hmbcs5kv.default\searchplugins\MyStart Search.xml
    [2011/11/06 06:34:17 | 000,061,854 | ---- | M] () (No name found) -- C:\USERS\DAVID\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\HMBCS5KV.DEFAULT\EXTENSIONS\YTVDW@PGPORT.COM.XPI
    [2012/02/24 10:50:03 | 000,002,310 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml
    O2 - BHO: (Complitly) - {0FB6A909-6086-458F-BD92-1F8EE10042A0} - C:\Users\David\AppData\Roaming\Complitly\Complitly.dll (SimplyGen)
    O2 - BHO: (Web Assistant) - {336D0C35-8A85-403a-B9D2-65C292C39087} - C:\Program Files\Web Assistant\Extension32.dll ()
    O2 - BHO: (Incredibar.com Helper Object) - {6E13DDE1-2B6E-46CE-8B66-DC8BF36F6B99} - C:\Program Files\Incredibar.com\incredibar\1.5.11.14\bh\incredibar.dll (Montera Technologeis LTD)
    O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No CLSID value found.
    O2 - BHO: (ReImage Browser Helper) - {a0e8bc7d-6959-40b6-8e05-204d9768ad6e} - C:\Program Files\ReImageCompanion\jsloader.dll (ReImage)
    O2 - BHO: (DealPly) - {A6174F27-1FFF-E1D6-A93F-BA48AD5DD448} - C:\Program Files\DealPly\DealPlyIE.dll (DealPly Technologies Ltd)
    O2 - BHO: (no name) - {A7A6995D-6EE1-4FD1-A258-49395D5BF99C} - No CLSID value found.
    O2 - BHO: (Webblog) - {C3947F4E-8894-4C04-98E0-DF182C706DDF} - C:\Program Files\wbtooltb\wbtoolDx.dll File not found
    O2 - BHO: (FDMIECookiesBHO Class) - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll File not found
    O3 - HKLM\..\Toolbar: (no name) - {98889811-442D-49dd-99D7-DC866BE87DBC} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {b278d9f8-0fa9-465e-9938-0c392605d8e3} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (Webblog) - {C3947F4E-8894-4C04-98E0-DF182C706DDF} - C:\Program Files\wbtooltb\wbtoolDx.dll File not found
    O3 - HKLM\..\Toolbar: (no name) - {F3FEE66E-E034-436a-86E4-9690573BEE8A} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (Incredibar Toolbar) - {F9639E4A-801B-4843-AEE3-03D9DA199E77} - C:\Program Files\Incredibar.com\incredibar\1.5.11.14\incredibarTlbr.dll (Montera Technologeis LTD)
    O3 - HKU\S-1-5-21-1343217212-1768020030-871570028-1000\..\Toolbar\WebBrowser: (no name) - {1392B8D2-5C05-419F-A8F6-B9F15A596612} - No CLSID value found.
    O3 - HKU\S-1-5-21-1343217212-1768020030-871570028-1000\..\Toolbar\WebBrowser: (no name) - {167D9323-F7CC-48F5-948A-6F012831A69F} - No CLSID value found.
    O3 - HKU\S-1-5-21-1343217212-1768020030-871570028-1000\..\Toolbar\WebBrowser: (no name) - {30F9B915-B755-4826-820B-08FBA6BD249D} - No CLSID value found.
    O3 - HKU\S-1-5-21-1343217212-1768020030-871570028-1000\..\Toolbar\WebBrowser: (no name) - {63EE0F5C-B56A-4ECF-B209-45FDCBFCAF45} - No CLSID value found.
    O3 - HKU\S-1-5-21-1343217212-1768020030-871570028-1000\..\Toolbar\WebBrowser: (no name) - {872B5B88-9DB5-4310-BDD0-AC189557E5F5} - No CLSID value found.
    O3 - HKU\S-1-5-21-1343217212-1768020030-871570028-1000\..\Toolbar\WebBrowser: (no name) - {BA14329E-9550-4989-B3F2-9732E92D17CC} - No CLSID value found.
    O3 - HKU\S-1-5-21-1343217212-1768020030-871570028-1000\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    [2012/08/20 06:20:30 | 000,000,000 | ---D | C] -- C:\Program Files\Incredibar.com
    [2012/08/20 06:20:07 | 000,000,000 | ---D | C] -- C:\Program Files\Web Assistant
    [2012/08/20 06:18:21 | 000,000,000 | ---D | C] -- C:\Program Files\1ClickDownload
    @Alternate Data Stream - 152 bytes -> C:\ProgramData\TEMP:1CE11B51
    @Alternate Data Stream - 130 bytes -> C:\ProgramData\TEMP:B3D74A13
    :files
    dir /s C:\Users\David\AppData\Roaming\GHISLER /c
    :commands
    [clearallrestorepoints]
    [emptytemp]
    [resethosts]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)
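    An added example, not code from this thread and not part of OTL or FRST: the :otl entries in the fix above are OTL's rendering of a handful of registry keys and Firefox profile files. The PowerShell script below walks the same Internet Explorer extension points on a live system (Browser Helper Objects, toolbars, URLSearchHooks, SearchScopes) and resolves each CLSID to its COM server DLL, so you can see for yourself which entries are live and which are the orphaned "No CLSID value found" / "File not found" leftovers that half-finished uninstalls leave behind. It also lists alternate data streams on the top-level items under C:\ProgramData, the kind of thing reported as @Alternate Data Stream above. Assumptions: PowerShell 3.0 or later (Get-Item -Stream does not exist in the 2.0 that ships with Windows 7), a 32-bit install so there is no Wow6432Node branch to check, and the allow-list of expected search hosts is an editorial choice rather than anything from the logs.

```powershell
# Added triage script (not from the thread, not part of OTL/FRST).
# Assumes PowerShell 3.0+ (Get-Item -Stream), 32-bit Windows (no Wow6432Node),
# and an editorial allow-list of search hosts. Read-only: it changes nothing.

$ErrorActionPreference = 'SilentlyContinue'
$GuidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

function Resolve-Clsid {
    # Map a CLSID to its in-process COM server. A CLSID with no key, or a key whose
    # DLL is gone, is what OTL prints as "No CLSID value found" / "File not found".
    param([string]$Clsid)
    foreach ($hive in 'HKCU:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\CLSID') {
        $key = Join-Path -Path $hive -ChildPath "$Clsid\InprocServer32"
        if (Test-Path -Path $key) {
            $dll = [string](Get-ItemProperty -Path $key).'(default)'
            $expanded = [Environment]::ExpandEnvironmentVariables($dll)
            if (-not $dll) { $state = 'no server path' }
            elseif (Test-Path -LiteralPath $expanded) { $state = 'ok' }
            else { $state = 'File not found' }
            return [pscustomobject]@{ Clsid = $Clsid; Dll = $dll; State = $state }
        }
    }
    [pscustomobject]@{ Clsid = $Clsid; Dll = ''; State = 'No CLSID value found' }
}

function Get-ExtensionClsids {
    # BHOs register as subkeys named by CLSID; toolbars and URLSearchHooks register
    # as value names. Collect both shapes from one key.
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return @() }
    $keys   = Get-ChildItem -Path $Path | ForEach-Object { $_.PSChildName }
    $values = (Get-Item -Path $Path).GetValueNames()
    (@($keys) + @($values)) | Where-Object { $_ -match $GuidPattern } | Sort-Object -Unique
}

$ExtensionKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
    'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser',
    'HKCU:\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks'
)

'== BHO / toolbar / URLSearchHook registrations =='
foreach ($key in $ExtensionKeys) {
    foreach ($clsid in (Get-ExtensionClsids -Path $key)) {
        $r = Resolve-Clsid -Clsid $clsid
        '{0,-22} {1} -> {2} [{3}]' -f ($key -split '\\')[-1], $r.Clsid, $r.Dll, $r.State
    }
}

''
'== IE search scopes whose host is not an expected engine =='
$AllowedHosts = 'www.bing.com', 'www.google.com', 'search.yahoo.com'   # assumption
$Scopes  = 'HKCU:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes'
$Default = (Get-ItemProperty -Path $Scopes).DefaultScope
Get-ChildItem -Path $Scopes | ForEach-Object {
    $url  = (Get-ItemProperty -Path $_.PSPath).URL
    $uri  = $null
    $flag = if ($_.PSChildName -eq $Default) { '(DEFAULT)' } else { '' }
    if (-not [Uri]::TryCreate($url, [UriKind]::Absolute, [ref]$uri)) {
        # e.g. the bare "Playbryte-fa-bndl/search/redirect/..." scope in the log above
        '{0} {1} not an absolute URL: {2}' -f $_.PSChildName, $flag, $url
    } elseif ($AllowedHosts -notcontains $uri.Host) {
        '{0} {1} {2}' -f $_.PSChildName, $flag, $url
    }
}

''
'== Alternate data streams on top-level items under C:\ProgramData =='
Get-ChildItem -Path 'C:\ProgramData' -Force | ForEach-Object {
    Get-Item -LiteralPath $_.FullName -Stream * | Where-Object { $_.Stream -ne ':$DATA' }
} | ForEach-Object { '{0}:{1} {2} bytes' -f $_.FileName, $_.Stream, $_.Length }
```

    Run it from an elevated PowerShell prompt; it only reads. Entries whose state is "No CLSID value found" are the same kind the [-HKEY_LOCAL_MACHINE\...\Browser Helper Objects\{...}] lines in the earlier OTL fix delete, and an entry with a live DLL from an unfamiliar publisher is the one to look up before deciding whether to uninstall it. Check the DLL's digital signature and path rather than trusting the display name, since the toolbars listed in this thread all had perfectly ordinary-looking names.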
     
  23. dbj15

    dbj15 Private E-2

    Hello thisisu. This is in reply to your emailed instructions to me of 8-22-12. I have attached the OTL log requested. It is dated today, the 23rd, at 9:20 PM. David
     

    Attached Files:

  24. thisisu

    thisisu Malware Consultant

    How is your computer running at this point? I suspect your system is free of malware now however let me double-check your latest logs. Complete the below and also answer my question.

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
  25. dbj15

    dbj15 Private E-2

    Hi again. I have just uploaded the MGlogs.zip after the GetLogs.bat finished running. The computer still has intermittent delays, sometimes between 8 and 9 seconds before activity continues! David
     

    Attached Files:

  26. thisisu

    thisisu Malware Consultant

    You should not be doing much on the computer while we are working together. You especially should not be downloading illegal software. Read: Warning about Porn, Keygens, Cracks, and other Illegal Software

    The below was found in your latest logs:
    Code:
    diskee~1.tor  Aug 24 2012       13875  "Diskeeper_2012_16.0.1010.0_(2012).7352987.TPB.torrent"
    _torre~1.tor  Aug 24 2012        8843  "[torrent.cd].Miray.HDClone.Professional.v4.0.7.Full-DOA.torrent"
    8lajqy~1.par  Aug 24 2012       13772  "8LAJqyLX.torrent.part"
    __

    However, I do not see any further evidence of actual malware so the problem is most likely something else. For additional help, try the Software or Hardware forums.

    __

    If you are not having any other malware related problems, it is time to do our final steps:
    • Any programs we had you download and/or install can be removed at this time.
    • If we had you download and run ComboFix, here is how to uninstall it:
      • Press and hold the Windows key and then press the letter R on your keyboard.
      • This opens the Run dialog box.
      • Copy and paste the below text inside the text-field:
        • "%userprofile%\desktop\ComboFix" /uninstall
      • Now press ENTER
      • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
    • You can re-enable your Disk Emulation software at this time via DeFogger.
    • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
    • Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
    • Now we will toggle System Restore to remove any infected system restore points.
    • Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
    • Be safe :)
     
