Redirections, mbr, Rootkit, phony AV

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by obgeff, May 19, 2012.

  1. obgeff

    obgeff Private E-2

    What a mess! First the redirections, so I went to the malware instructions on that...cleaned out what you said, but it still kept redirecting...so I tried to get tdsskiller to run, couldn't until I ran that second one, also couldn't even get msconfig to run, so I figured that was a problem....couldn't get any browser to work hardly at all, but I could get here, so I got what I needed here...after flushing everything what you said, I still had redirections, so I kept going, but one of the tdss scans, found an mbr problem and fixed it, it said. Also ran mbrcheck and have log.

    So I kept going, with read and run me, and had to run combofix from flash drive, but it seemed like it worked o.k. and after that it worked better, but still getting redirections. I seem to be able to use FireFox better, but both IE and Chrome give me grief.

    My friend and I have two machines that are infected, on the same router. We have been signing up separately, as we figure that would be less of a burden on you...but if at any time, you wish us to combine the threads, I'd be glad to.

    Thank you so much for your help, I will load all the files. I did try to do it in order, but a couple of scans got halted, but I ran them again...let me know what I need, and I can't thank you enough...
     

    Attached Files:

  2. obgeff

    obgeff Private E-2

    And the other logs.
     

    Attached Files:

  3. thisisu

    thisisu Malware Consultant

    Welcome to Major Geeks, obgeff :)

    Please download RogueKiller to your desktop.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the ShortcutsFix button
    When it is finished, there will be a log on your desktop called: RKreport[1].txt
    Attach RKreport[1].txt to your next message. (How to attach)

    Please download Disable/Remove Windows Messenger to your desktop.
    • Double-click MessengerDisable.exe to run it.
    • Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
    • Click Apply
    • Click Exit

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    Collect::
    C:\Program Files\2YourFace\bho.dll
    Driver::
    ujiooxb
    driverhardwarev2
    File::
    c:\windows\system32\drivers\qchfdhqq.sys
    C:\Documents and Settings\All Users\Application Data\-6wfXCjoJuhlvKT
    C:\Documents and Settings\All Users\Application Data\-6wfXCjoJuhlvKTr
    C:\Documents and Settings\All Users\Application Data\-E3rWgpYb5bLXYb
    C:\Documents and Settings\All Users\Application Data\-E3rWgpYb5bLXYbr
    C:\Documents and Settings\All Users\Application Data\-f1ZdPaFRhZ3GzZ
    C:\Documents and Settings\All Users\Application Data\-f1ZdPaFRhZ3GzZ
    C:\Documents and Settings\All Users\Application Data\-PFQhoCU4XsKGdx
    C:\Documents and Settings\All Users\Application Data\-PFQhoCU4XsKGdxr
    C:\WINDOWS\assembly\GAC\Desktop.ini
    C:\Documents and Settings\Rich\Local Settings\Temp\MainInstaller.exe
    FileLook::
    C:\WINDOWS\system32\DRIVERS\serial.sys
    c:\windows\system32\ntbackup.exe
    c:\windows\system32\net1.exe
    c:\windows\system32\napstat.exe
    c:\windows\system32\autofmt.exe
    c:\windows\system32\drivers\dmboot.sys
    Folder::
    C:\Program Files\2YourFace
    c:\windows\$NtUninstallKB22793$
    C:\Documents and Settings\Rich\Local Settings\Application Data\{a3cc11d1-a5e9-a1a3-7ec4-865e1bafbdda}
    c:\program files\AVG
    C:\found.000
    C:\Documents and Settings\Rich\Start Menu\Programs\Data Recovery
    c:\documents and settings\Rich\Application Data\AVG
    NetSvc::
    driverhardwarev2
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "support@2yourface.com"=-
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0DDA5EC3-E2FF-407C-8A8B-6E41B842A661}]
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    __

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop.
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the text-field.
      Code:
      activex
      netsvcs
      /md5start
      afd.sys
      i8042prt.sys
      ipsec.sys
      netbt.sys
      serial.sys
      svchost.exe
      tcpip.sys
      /md5stop
      
    • Now click the Run Scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     
  4. obgeff

    obgeff Private E-2

    Hello: thank you so much for taking me on here. I followed the instructions, and ran RogueKiller. After a couple of false starts, I got it. Combofix would not run...I think to get it to run before, I got it running from a flash drive, but here, when I dragged the files over it, it would get started, go about 10 seconds, then just close. I know when I was doing Read and Run me 1st, I had removed AVG, with Revo uninstaller, but I didn't know if that was blocking it still? But I had my current av, MSE, turned off. So I don't know what is making it not run...wouldn't work in Safe Mode either...

    So I moved on, ran OTL, and will include that. I am still getting misdirections, to sex sites and stuff...it is very hard to get a browser to work at all, as it gets redirected...fortunately I have this site bookmarked, and I can get to MajorGeeks. I downloaded from here Chrome and Firefox to see if it was any better, and FF seems to work better, but they get redirected too, but at least I can download on here...

    So that's where I stand...if you had any advice on getting ComboFix to run, or whatever you wanted me to do, I'm game...and thank you for your time...
     

    Attached Files:

  5. thisisu

    thisisu Malware Consultant

    Let's try with another tool instead.

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the text-field.
    Code:
    :otl
    SRV - File not found [Auto | Stopped] -- %systemroot%\system32\aexnsclient.dll -- (driverhardwarev2)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (WDICA)
    DRV - File not found [Kernel | Boot | Stopped] -- System32\drivers\qchfdhqq.sys -- (ujiooxb)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Simbad)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRELI)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDCOMP)
    DRV - File not found [Kernel | System | Stopped] --  -- (PCIDump)
    DRV - File not found [Kernel | System | Stopped] --  -- (lbrtfdc)
    DRV - File not found [Kernel | Boot | Stopped] -- System32\drivers\qrqf.sys -- (ishq)
    DRV - File not found [Kernel | System | Stopped] --  -- (Changer)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Atdisk)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Abiosdsk)
    IE - HKU\S-1-5-21-3434132323-2518546367-4288751037-1005\..\SearchScopes\{0DDA5EC3-E2FF-407C-8A8B-6E41B842A661}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000031&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=TV&apn_dtid=OSJ000YYUS&apn_uid=F7C09FBE-680C-4E08-AB8B-66A0FC30A3FD&apn_sauid=B1F81B30-D1A4-4912-A81B-C3E9BD2A71D8&
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\support@2yourface.com: C:\Program Files\2YourFace\ffextension [2012/05/18 01:11:45 | 000,000,000 | ---D | M]
    CHR - plugin: 2YourFace Util (Enabled) = C:\Documents and Settings\Rich\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\lmblfngognklgemafekefcdjcnkdhmdm\1.0_0\2YourFace_Util.dll
    O2 - BHO: (2YourFace Addon) - {1185823F-F22F-4027-80E5-4F68ACD5DE5E} - C:\Program Files\2YourFace\bho.dll ()
    NetSvcs: driverhardwarev2 - %systemroot%\system32\aexnsclient.dll File not found
    [2012/05/18 01:11:45 | 000,000,000 | ---D | C] -- C:\Program Files\2YourFace
    [2012/05/06 07:43:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rich\Start Menu\Programs\Data Recovery
    [2012/05/02 17:52:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rich\Application Data\AVG
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [2012/05/01 12:15:02 | 000,000,184 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\-E3rWgpYb5bLXYbr
    [2012/05/01 12:15:02 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\-E3rWgpYb5bLXYb
    [2012/05/01 11:40:35 | 000,000,184 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\-6wfXCjoJuhlvKTr
    [2012/05/01 11:40:35 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\-6wfXCjoJuhlvKT
    [2012/05/01 07:21:13 | 000,000,184 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\-PFQhoCU4XsKGdxr
    [2012/05/01 07:21:13 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\-PFQhoCU4XsKGdx
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [2012/05/16 11:12:39 | 000,000,160 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\-f1ZdPaFRhZ3GzZr
    [2012/05/16 11:12:39 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\-f1ZdPaFRhZ3GzZ
    @Alternate Data Stream - 187 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\support@2yourface.com: C:\Program Files\2YourFace\ffextension [2012/05/18 01:11:45 | 000,000,000 | ---D | M]
    FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\support@2yourface.com: C:\Program Files\2YourFace\ffextension [2012/05/18 01:11:45 | 000,000,000 | ---D | M]
    ActiveX: {ACC563BC-4266-43f0-B6ED-9D38C4202C7E} -
    :services
    ujiooxb
    driverhardwarev2
    :files
    c:\windows\system32\drivers\qchfdhqq.sys
    C:\Documents and Settings\All Users\Application Data\-6wfXCjoJuhlvKT
    C:\Documents and Settings\All Users\Application Data\-6wfXCjoJuhlvKTr
    C:\Documents and Settings\All Users\Application Data\-E3rWgpYb5bLXYb
    C:\Documents and Settings\All Users\Application Data\-E3rWgpYb5bLXYbr
    C:\Documents and Settings\All Users\Application Data\-f1ZdPaFRhZ3GzZ
    C:\Documents and Settings\All Users\Application Data\-f1ZdPaFRhZ3GzZ
    C:\Documents and Settings\All Users\Application Data\-PFQhoCU4XsKGdx
    C:\Documents and Settings\All Users\Application Data\-PFQhoCU4XsKGdxr
    C:\WINDOWS\assembly\GAC\Desktop.ini
    C:\Documents and Settings\Rich\Local Settings\Temp\MainInstaller.exe
    C:\Program Files\2YourFace
    c:\windows\$NtUninstallKB22793$
    C:\Documents and Settings\Rich\Local Settings\Application Data\{a3cc11d1-a5e9-a1a3-7ec4-865e1bafbdda}
    c:\program files\AVG /d
    C:\found.000 /d
    C:\Documents and Settings\Rich\Start Menu\Programs\Data Recovery /d
    c:\documents and settings\Rich\Application Data\AVG /d
    netsh winsock reset /c
    :reg
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1185823F-F22F-4027-80E5-4F68ACD5DE5E}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "support@2yourface.com"=-
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0DDA5EC3-E2FF-407C-8A8B-6E41B842A661}]
    :commands
    [purity]
    [clearallrestorepoints]
    [emptytemp]
    [resethosts]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    I want you to read and follow these instructions (different than how you have run TDSSKiller before): TDSSKiller - How to run

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    Let me know what problems remain after you have run these steps.
     
  6. obgeff

    obgeff Private E-2

    Hi, well, the tools ran well--it seemed to me--and I got my hopes up, but right as I started to reply, another tab popped up, with a porn ad, and now this has happened twice, in my Firefox browser if that matters. Including logs, and once again, I thank you.
     

    Attached Files:

  7. thisisu

    thisisu Malware Consultant

    Thanks for the information.

    Download SystemLook from one of the links below and save it to your desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy and Paste the content of the following code box into the main text-field:
    Code:
    :dir
    c:\windows\system32\test /s
    c:\windows\installer\{a3cc11d1-a5e9-a1a3-7ec4-865e1bafbdda} /s
    :service
    dmboot
    NtmsSvc
    :filefind
    dmboot.sys
    ACPI.sys
    autofmt.exe
    napstat.exe
    net1.exe
    ntbackup.exe
    ntmssvc.dll
    ql1080.sys
    ntmssvc.dll
    ql10wnt.sys
    :folderfind
    a3cc11d1-a5e9-a1a3-7ec4-865e1bafbdda
    :regfind
    5AB3B925-88DD-490E-AB3E-8BCD446E9001
    a3cc11d1-a5e9-a1a3-7ec4-865e1bafbdda
    :comment
    look for clsid za and rloader rk
    
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan and a file entitled SystemLook.txt will be created on your desktop.
    • Attach that file to your next message. (How to attach)
     
  8. obgeff

    obgeff Private E-2

    Here you are. :)
     

    Attached Files:

  9. thisisu

    thisisu Malware Consultant

    While I prepare another fix for you, can you upload this file: C:\WINDOWS\system32\drivers\dmboot.sys to here?

    Do not delete it, just upload it. I will give you instructions on replacing it with a clean copy later.
     
  10. obgeff

    obgeff Private E-2

    Sounds good, I uploaded it, twice actually, as the first time I forgot to put the thread we linked to...anyway, it's there...thank you
     
  11. thisisu

    thisisu Malware Consultant

    Got it, thanks.

    I've attached a clean copy of dmboot.sys (extract from the attached .zip archive). However, I just want you to place the dmboot.sys file on the root of your C: drive (C:\dmboot.sys).

    The next series of fixes will add it to the correct location safely.

    Backup Your Registry with ERUNT

    • Please download Erunt
    • Run the setup program to install ERUNT on your computer
    • Click Erunt.exe to backup your registry to the folder of your choice.


    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the text-field.
    Code:
    :files
    C:\WINDOWS\assembly\GAC\Desktop.ini /d
    C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini /d
    c:\windows\installer\{a3cc11d1-a5e9-a1a3-7ec4-865e1bafbdda}
    C:\WINDOWS\System32\drivers\dmboot.sys|c:\dmboot.sys /replace
    netsh winsock reset /c
    :commands
    [emptytemp]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Now retry opening OTL. Does it open successfully or does it crash?

    Let me know and then we can continue with the rest of removal.
     

    Attached Files:

  12. obgeff

    obgeff Private E-2

    That was kind of...weird...but anyway, got dmboot.sys file, put it in C: drive...I got erunt, then ran the otl fix, and it started running alright, in the middle stopped with the big DOS error message: "The procedure entry point Migrate Winsock Configuration could not be located in the DLL MSWSock.dll" so I closed that, and it seemed to keep running, then reboot...

    when it came back up, it didn't have the usual OTL notepad, but instead had Desktop Recovery Error and asked me if I wanted to restore my active desktop..anyway, I just basically clicked on properties, tried to bring it back to normal, and it looks ok now....and no, OTL will not open, says it encountered a problem 'Error Reading DiskPartitionInfo1.active' so I'll get the OTL log, see if it made one, at the c drive...

    Yep, I think this is the one you want, looks like the most recent...I'll post this, and so far it hasn't redirected, but it can be intermittent, I'll post this while I check...you've been so helpful...
     

    Attached Files:

  13. obgeff

    obgeff Private E-2

    It looks much better, I have my own search engine again, still can't turn on firewall...no misdirections -- fingers crossed --
     
  14. obgeff

    obgeff Private E-2

    You are amazing! My computer is running about 3 times as fast, and I've had no redirections in any of the 3 browsers. So it seems you have fixed this problem. But for some reason, no matter whether I try Security Center, or Firewall itself, it will not turn on, neither will the Security Center recognize that the MSE antivirus is on.

    The AV doesn't concern me, but the firewall not being recognized does...I know it had AVG, but I had used revo to uninstall it, and all I now have is MSE, but anyway...thank you so much for your hard work in helping me, and have you any further advice on this firewall?
     
  15. obgeff

    obgeff Private E-2

    I got the firewall to work! it was some Dell Security Center stuff, also what was blocking combofix, as I clicked on it, (stupidly, I know) and it ran, so I went ahead and included the log, just in case you still wanted it.

    But all seems to be running great at this point: no misdirection, firewall and antivirus OK, and Windows updates 'updating' ...I am so grateful for what you all do here, and for the work you have done. Thank you!
     

    Attached Files:

  16. thisisu

    thisisu Malware Consultant

    I'm glad to hear that :)

    Can you submit the 4 files listed below for analysis here?

    • c:\windows\system32\autofmt.exe
    • c:\windows\system32\napstat.exe
    • c:\windows\system32\net1.exe
    • c:\windows\system32\ntbackup.exe

    And run this thorough scan afterwards:

    Please click HERE to download Kaspersky Virus Removal Tool (click on the Download link for Version 11).
    NOTE. This is quite a large file, so be patient.

    • Double click on the file you just downloaded and let it install.
    • It will install to your desktop (be patient; it may take a while).
    • Accept license agreement and click "Start" button.
    • Click on Settings button
      • In Scan scope leave pre-checked items as they are and also checkmark My Computer
      • In Actions checkmark Select action: (disinfect; delete if disinfection fails) instead of preselected Prompt on detection
    • Click on Automatic Scan tab and then click on Start scanning button.
    • Before it is done it may prompt for action regardless of the setting so choose delete if prompted.
    • When the scan is done NO log will be produced.
    • Click on Report button, then on Automatic Scan report tab.
    • Right click anywhere within the right pane, click Select All, then right click again and click Copy.
    • This will copy the items that it found to the clipboard. You can then open Notepad (go to Start, then Run, then type in notepad) and choose Paste to paste the contents into Notepad.
    • You can save this on the desktop.
    • Post the contents of the document in your next reply.
     
  17. obgeff

    obgeff Private E-2

    Well, I uploaded the files you asked for, then downloaded Kaspersky. I tried running the scan in normal mode, but twice it came up with the same error msg "net1.exe entry point not found" -- 'Procedure entry point could not be located in the dynamic link library msvcrt.dll.' followed by "AVPTool is Running Without Drivers - Please try to reboot and scan in Safe Mode"

    So I went into Safe Mode and ran scan, as instructed. Along the way it found 21 threats, which had little pop down windows describing what they were, and how they were getting rid of them. I wrote down a few, as they went pretty fast:
    Win32 Z.access K, deleted
    Trojan exploit java
    Packed.Win32.Katasha

    I couldn't get them all, as it was going too fast, but at the end, following instructions to get the report, I got to there, and right clicked, and it froze up :(
    couldn't do a thing, the whole screen was frozen, so I went to Task Manager, trying to see if I could...well, anyway, couldn't get a thing, so just to see if the log came up again, I ran the Kaspersky scan a second time, and there were no threats--and no log, so I've nothing to report, other than it found a bunch of garbage and apparently got rid of it...

    Thank you, and I'll be standing by :)
     
  18. thisisu

    thisisu Malware Consultant

    Hrm, most likely it removed a bunch of stuff that was already in quarantine folders from the tools we've used.

    First, create another registry backup with ERUNT before proceeding.
    Note: We are NOT changing anything in the registry. We are just investigating and getting you familiar with a potential change in a future post depending on what the result is.

    Open regedit.exe
    See below if you do not know how:

    Start -> Run -> regedit -> press ENTER

    Navigate to this key : HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32
    Once you get here, click InProcServer32 so that it is highlighted / selected.
    In the right pane, look for (Default)
    If you've gotten this far, type out what is in the Data column for (Default) in your next message.

    If it looks something like: \\.\globalroot\systemroot\Installer\{a3cc11d1-a5e9-a1a3-7ec4-865e1bafbdda}\n.

    Just let me know. I'm trying to find out if the Kaspersky tool automatically corrected this.

    If not, we can fix it manually once you post and that should hopefully clear up the remaining weird Windows issues you may be experiencing.
     
    Last edited: May 20, 2012
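The registry check the consultant describes above, as an added example (not from the thread or from any tool used in it): a read-only PowerShell 3+ script that compares the CLSID's InProcServer32 (Default) value against the clean value quoted in the thread, flags the \\.\globalroot form, and lists the other residue paths named in the OTL fixes. The Installer GUID is the one from obgeff's logs and is assumed to differ on other machines; nothing here modifies the system.

```powershell
# Added example, not part of the MajorGeeks thread or of any tool used in it.
# Read-only check for the ZeroAccess-style COM hijack that the consultant asks
# obgeff to inspect by hand in regedit. Run from an elevated PowerShell 3+
# prompt; nothing is modified, it only reports.

# Values taken from the thread: the CLSID, its clean (Default) value, and the
# Installer GUID seen in obgeff's OTL logs. The GUID is assumed to vary between
# infections, so the registry test also matches the generic \\.\globalroot trick.
$Clsid          = '{42aedc87-2188-41fd-b9a3-0c966feabec1}'
$ExpectedServer = '%SystemRoot%\system32\shdocvw.dll'
$InstallerGuid  = '{a3cc11d1-a5e9-a1a3-7ec4-865e1bafbdda}'
$KeyPath        = "HKLM:\SOFTWARE\Classes\CLSID\$Clsid\InProcServer32"

function Test-ShdocvwClsid {
    # Returns Status = Clean | Hijacked | Suspicious | Missing plus the raw value.
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        return [pscustomobject]@{ Status = 'Missing'; Value = $null }
    }
    # Read the unexpanded REG_EXPAND_SZ so %SystemRoot% is compared literally.
    $key   = Get-Item -LiteralPath $KeyPath
    $value = $key.GetValue('', $null,
        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    $key.Close()

    $status = if ($null -eq $value) {
        'Missing'
    } elseif ($value -match '^\\\\\.\\globalroot\\' -or
              $value -match '\\Installer\\\{[0-9a-f-]{36}\}\\n') {
        # The form quoted in the thread: a device path into a fake Installer
        # folder, loaded by every process that instantiates this CLSID.
        'Hijacked'
    } elseif ($value -ieq $ExpectedServer) {
        'Clean'
    } else {
        # Points somewhere else (already-expanded or relocated path); check the
        # target's Authenticode signature before trusting it.
        'Suspicious'
    }
    [pscustomobject]@{ Status = $status; Value = $value }
}

function Get-ZeroAccessResidue {
    # Paths the OTL fixes in this thread removed. Presence is worth a look,
    # not proof on its own; report them and let an analyst decide.
    $paths = @(
        (Join-Path $env:windir "Installer\$InstallerGuid"),
        (Join-Path $env:windir 'assembly\GAC\Desktop.ini'),
        (Join-Path $env:windir 'system32\config\systemprofile\Application Data\desktop.ini')
    )
    # Per-user copy: Local Settings\Application Data on XP, AppData\Local on Vista+.
    $profileRoot = Split-Path -Parent $env:USERPROFILE
    foreach ($profile in Get-ChildItem -LiteralPath $profileRoot -Directory) {
        $paths += Join-Path $profile.FullName "Local Settings\Application Data\$InstallerGuid"
        $paths += Join-Path $profile.FullName "AppData\Local\$InstallerGuid"
    }
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            [pscustomobject]@{ Indicator = 'Path'; Detail = $p }
        }
    }
    # The alternate data stream OTL listed on All Users\Application Data\TEMP
    # (TEMP:0B4227B4). Any stream other than the default :$DATA is reported.
    $temp = Join-Path $env:ProgramData 'TEMP'
    if (Test-Path -LiteralPath $temp) {
        Get-Item -LiteralPath $temp -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{ Indicator = 'ADS'; Detail = "$temp`:$($_.Stream)" }
            }
    }
}

# Report: registry state first, then any file-system residue.
$reg = Test-ShdocvwClsid
"InProcServer32 (Default): {0}  [{1}]" -f $reg.Value, $reg.Status
Get-ZeroAccessResidue | Format-Table -AutoSize
```

A Clean result with no residue rows is the state obgeff reports (the (Default) value `%SystemRoot%\system32\shdocvw.dll`); a Hijacked result is the case the consultant says needs a manual registry fix and a prior ERUNT backup.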
  19. obgeff

    obgeff Private E-2

    Hello, I went to where you said in the registry, opened InProcServer32 and (Default) data column had:

    %SystemRoot%\system32\shdocvw.dll
     
  20. thisisu

    thisisu Malware Consultant

    Very good! :cool

    That is what it should be.

    Is everything still running OK?

    Just out of curiosity, does OTL now open successfully?
     
    Last edited: May 21, 2012
  21. obgeff

    obgeff Private E-2

    You know, last night I thought it was acting up, it just got really 'bogged down' slow, so I just rebooted and it seems alright. I did try opening OTL, and no, it won't open, and sends this error:
    "Application EReadError in module OTL.exe at 00016A6B.
    Error reading DiskPartitionInfo1.Active: ."

    The main obvious problem, the popups and the redirections, are gone, so unless you see something, it seems ok...of course, I'm a bit jumpy, as it was so *bad* I worry, but I don't see anything...thank you!
     
  22. thisisu

    thisisu Malware Consultant

    If things for the most part are OK we should wrap up as I do not see any other issues in your logs. The files you uploaded were clean (even the dmboot.sys). They were corrupt files, but not malicious.

    Here is a potential fix that I recommend, but note this is NOT required. I'll let you decide on whether you want to run it or not.

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    Open Repair_Windows.exe and perform steps #2 and #3.

    __

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Be safe :)
     
  23. obgeff

    obgeff Private E-2

    I ran windows repair tool, and just for grins, I did try to open OTL again, and it opened right up, perfectly, so since I knew I was removing everything, I hit cleanup and got rid of that. I did the combofix and mgtools cleanup, and set and turned back on System Restore. Everything is running good and fast, and it's so much cleaner after running the Windows Repair tool.

    This was a bad situation, and I tried to fix it myself, and it just got worse. But you guys have always saved the day for people that come here, and you did for me, so thank you very much for your time and effort. :)
     
  24. thisisu

    thisisu Malware Consultant

    I'm glad to hear that, obgeff :)
    Take care :wave
     
