jholland1964 650 Posting Expert Team Colleague Featured Poster

Running MBA-M after combofix WILL clean malware - it is not a bad step.
The thing is, it will also alter the contents of any subsequent CFScript as I'll have to cross-check the two logs - I just don't want to have to look at two logs at once and try to figure what has been removed and what still needs to be . . .

Congrats on being a "featured poster, btw....!"

PP :)

Sorry, these things have me so...????....so many of these here hard to keep track of whose log is whose???? Where did you see featured poster?

jholland1964 650 Posting Expert Team Colleague Featured Poster

I thought I had. Sorry. It's all yours.:)

jholland1964 650 Posting Expert Team Colleague Featured Poster

Sisaly, if you will note in post #33, PP said the following:

I will check back Wednesday evening EST - there are still a bunch of fixes we need to do manually with combofix. I'll post them for you tomorrow.

Please don't run any other tools until you hear from HIM. The fixes with combofix will be very specific to YOUR computer. Running other cleaners can cause difficulties with the fixes he will post for you. So if others suggest some other cleaner, please IGNORE them. The HiJackThis program is NOT a cleaner but essentially a scanner to give another picture of what may be on the computer for PP to look at. Now please wait until PP returns before taking any other steps.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

No, not closed yet. PP for sure has to look at these logs. Especially the combofix log as there may be additional fixes which need to be done with that before the computer can be assured to be clean. This is an especially nasty bug which does have ways of hiding itself all over the computer.
Why not run a full scan with HiJackThis and post that log so the logs will all be here when he gets back tomorrow.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Oh ho ho....I removed them right after I posted the first log, and it's rescanning. ;)

So far all system operations functioning normally.

BTW: To anyone reading this, I was able to do all this because my infected laptop is networked to my desktop. And my hubby is the one that infected the sucker and his wifey is fixing the problem.

LOL...nothing like a sense of humor to keep things under control. That's hilarious Sisaly! :icon_cheesygrin:

jholland1964 650 Posting Expert Team Colleague Featured Poster

Sisaly, you didn't have MBA-M remove the items found. You HAVE to do this. Run it again, when it shows you what is found then click the Remove Selected button.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Ok here's the list. I have purposely left off items having to do with your printer, your scanner, your photos, and your dial-up modem; sometimes those programs are so darned touchy that if you disable something you end up with a headache. Take a look at them, see if you need them and then you decide on those. I will list those at the bottom with ***'s above that list.
Here is the list of those you CAN turn off without problems:

igfxtray-Quick access to the control panel via a System Tray icon for graphics based upon the Intel chipsets. These chipsets are often included on motherboards. Available via Start -> Settings -> Control Panel
igfxhkcmd- Installed by the Intel 810 and 815 chipset graphic drivers. If you want the Ctrl+Alt+F12 or similar keypresses to access Intel's customised graphics properties, you need it, otherwise not. Can be disabled via the Display Properties in Control Panel.
igfxpers-Associated with the Common User Interface module for Intel graphics cards
RealTray-System Tray Icon for Real Player
ISUSPM Startup-Install Shield Update Scheduler. This automatically searches for and does updates for software. You can do this manually
ISUSScheduler-same as above really. Do it manually.
MimBoot-starts Music Match Jukebox. Do it manually
MMTray-Music Match task tray icon
QuickTime Task-System tray icon for Quick Time viewer
dscactivate-Dell's Remote Support Program.
DellSupportCenter-just what it says. Can be run manually...there possibly will be several of these listed by the way, turn them all off.
Ad-Watch-Part of Lavasoft Ad-aware Plus …

Kevin392 commented: Judy was very helpful in solving my problem. +5
jholland1964 650 Posting Expert Team Colleague Featured Poster

Give me a minute and I will give you a list. Easiest way is to use Mike Lin's Startup Control Panel. Free program. Download and install and you'll find it in the Control Panel with a little computer icon labeled Start up. Back shortly with the list.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Looks great. Now a couple of suggestions;
You have a huge number of auto starting programs there which are not needed and therefore running all the time in the background and using valuable resources AND slowing your start up time. I would recommend removing those which can easily be run manually when needed.

Did you purchase AdAware? If not then I would recommend disabling the AdAware Service which runs all the time; it does virtually nothing except run and use resources in the free version.
You have a program on there, Viewpoint Media Player, which is considered foistware or adware. It comes in with the install of different programs, AOL, AIM, versions of Netscape, certain Adobe products, to name some. It is called foistware because you didn't ask for it or personally choose to install it. I would recommend its removal.
First you have to stop the processes it starts up;
Go to Task Manager and find ViewpointService.exe and
ViewMgr.exe

Highlight and click "End Process".
Next do the following;
Click on Start > Run and type: services.msc
Scroll down the list and find the service called "Viewpoint Manager Service"
When you find the service, double-click on it.
In the Properties Window > General Tab that opens, click the "Stop" button.
From the drop-down menu next to "Startup Type", click on "Disabled".
Now click "Apply", then "OK" and close any open windows.

Next go to …

jholland1964 650 Posting Expert Team Colleague Featured Poster

I hesitate to post here because I don't want to hijack his thread and make him be unable to fix his pc...

Well you just DID ATTEMPT to hijack this thread. It is NOT appreciated. IF you had read this entire thread, and you obviously have not, you would have seen that this infection CAN be removed using the tools we have directed for use here, including removing infected Registry Entries and definitely NOT with HJT. If you knew also anything about HiJackThis, and you obviously do not, you would also know that it is #1 NOT considered a Fix tool but a scan tool. #2.Yes, fixes can be done with HiJackThis but should only be done AFTER other steps have been completed.
Please read the HiJackThis Tutorial and note the explicit comments given there.

HijackThis is an advanced tool, and therefore requires advanced knowledge about Windows and operating systems in general. If you delete items that it shows, without knowing what they are, it can lead to other problems such as your Internet no longer working or problems with running Windows itself. You should also attempt to clean the Spyware/Hijacker/Trojan with all other methods before using HijackThis. If you allow HijackThis to remove entries before another removal tool scans your computer, the files from the Hijacker/Spyware will still be left on your computer and future removal tools will not be able to find them.


Now, back to you Kevin, The logs look great …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Whilst everyone else is offline, I would suggest that you update MBA-M and do another full scan. The database you have there is a little behind.
Your Hijackthis log suggests that you have not rebooted the PC since running MBA-M anyway, which is required before posting the logs.

I suggested that he not reboot to begin with Crunchie, so I imagine that is why Kevin didn't do it. I just wanted to be certain that at least most of what was going to be found would be removed.

Crunchie is correct Kevin, you need now to update MBA-M, do another Full Scan and Remove all found, and this time Reboot. But FIRST
Go to Start, Control Panel, Administrative Tools, Services. Scroll through that list and find
AntipyProex (AntipPro2009_100) svchasts.exe, should be near the top of the list...when you do, double click to open its properties. IF it is running, Stop it by pushing the stop button which will be visible if it is running. Then go to its Startup type, right there in the middle, and change its type from Automatic to Disabled. Apply and then close Services. Then do the following that I mentioned last night; since you already are in Control Panel go to
Scheduled Tasks to see if there are any unusual entries there. This infection is very similar to a couple others which put a scheduled task entry in order to download more infections or just start the processes needed …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Will keep an eye your way. One thing though, before you call it a night. As Crunchie likes to point out, MBA-M doesn't run at full strength in Safe Mode, so if after the scan you can at least boot and run in normal boot, that would be a good idea - just let it run overnight :)

Keep us posted as to how you go.

@Judy - good point on the Scheduled Tasks. As an aside to the Task Manager tip, would suggest SysInternal's Process Manager, as should give a more accurate look-over as to what is still running in the back-ground

Right now kaninelupus I doubt he could get that on his computer, plus for now he really should limit what he attempts to download to removal tools at best. He very easily found those two processes that PP told him to look for so I would advise against this for now. We don't really want to "push the envelope" at this time.

Plus he said he can access Task Manager in Normal mode so the question of running MBA-M in safe is somewhat moot. If he was able to stop those processes from running while in normal mode then he should then immediately be able to run MBA-M also in normal mode. Of course if that is totally impossible then safe will have to do, but it will not fully scan all files in safe mode.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Kevin, when you get that MBA-M done, be sure to have it clean everything. Unless it tells you to reboot in order to clean, don't until you run the HJT scan and post back with both the logs. Of course if you do have to reboot in order to complete the cleaning process by all means do so. Be sure though to check the task manager for those processes again before you do anything.
You also might want to check in Scheduled Tasks to see if there are any unusual entries there. This one is similar to a couple others which put a scheduled task entry in order to download more infections. If you see something you didn't add yourself, delete it.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Another interesting bit of info on this linked website...There are 3 domains hosted on this IP address....one is the one in question here and the other two are Ukraine web sites.

jholland1964 650 Posting Expert Team Colleague Featured Poster


EDIT: @Judy - Interestingly enough, the removal tool for download at the site KL linked looks like PCTools Spyware Doctor, a legitimate and well-respected product, last I heard. Maybe WOT is a bit off?
PP :)

Could be, but all the other links I found with same instructions, word for word by the way, do not include the link called Windows Police Pro Automatic Remover. Why don't they call it Spyware Doctor?

Ok, you know more than me PP so I bow to you and take back my comment.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Just to get ppl up to speed, this is a little more info on Windows Police Pro.... and it ain't pretty :(

NB: They do seem to provide a dedicated removal tool, but having no direct experience at this doozy, would await any feedback on the source of this "removal" tool to be sure.

@PhilliePhan - how good are you at guiding someone through a reg-fix? Looking more and more at this one, that may well be required here.

kaninelupus, the link you posted, according to Web Of Trust has an extremely POOR reputation

Thanks to WOT...this failure website...IS FAKE...ROGUE...DON'T USE its instructions....Although it has a similar name to remove-malware.com, it is totally different. Malware distributor, not a malware removal site....It may contain virus/ads....This website promotes a ROGUE software.
Also presents fake description and lies about other legitimate software in order to promote theirs....Exploits your browser, scares you into purchasing a fake anti-virus software you do not need, downloads contain trojans and rogue security programs which can infect your computer badly.

If the OP can find a way to download Malwarebytes Anti-Malware, possibly to a flash drive and transfer it to the infected computer then install and run a Full Scan, Removing Everything found when the scan is complete this would be the first recommended step. Obviously the program could not be updated but at this point it would give the poster a place to begin.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I would recommend that you also install SpywareBlaster. It is a FREE program which will protect your computer against:
Spyware, adware, browser hijackers, and dialers, prevent the installation of ActiveX-based spyware, block spying / tracking via cookies and restrict the actions of potentially unwanted or dangerous web sites.
Download, install, update ENABLE ALL protection and CLOSE the program. It doesn't run in the background. Check for updates weekly, doesn't always have them but when it does just enable all protection again and close the program.
Keep MBA-M and update and scan with it weekly, removing anything it finds.

Other than that if you feel all is working well you can also set a new, clean Restore point.
To do this Right Click My computer.
Choose Properties
When System Properties opens choose the System Restore Tab.
Place a check mark in Shut down System Restore.
You will probably get a message telling you it will be shut down, click ok or yes.
Allow it to shut down.
Wait a moment. Then go back in and take that check mark Out so that System Restore will turn back on.
Other than that you are good to go and if you agree you can mark this one solved.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

**Also, I've got AVG Free and Avira Antivir running on my laptop. Should I delete one/both of these anti-virus programs?**

Where the heck did Avira come from? It wasn't there before.
If it were MY computer I would go with Avira, in fact I do. I have used AVG and didn't like it, mainly because it doesn't do as good a job as Avira, at least I don't believe it does, plus it is loaded with "bloat". Take a look in your log and see how many AVG processes are there.
If you do decide to go with Avira uninstall AVG through the normal means. Then download and run the AVG Removal Tool to be certain all is gone.
Reboot and run a new HJT log and post that back here.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I see parts of two anti-virus programs on the computer. AVG8 which seems to actually be your anti-virus program and left over files from a Norton/Symantec program removed incorrectly I would imagine.
You need to go to Add/Remove and Uninstall EVERYTHING you find with either Norton or Symantec listed on it.
Once you have done that then go to Start, Search, Files and Folders and be sure to also use Advanced Options there to also search in System Folders, Hidden Files and Folders and Sub Folders.
Search first for Symantec. Once the search is complete DELETE all that is found. Then do it again for all items named Norton. Once the search is complete then Delete ALL that is found.
Reboot the computer.

Next Run HJT again. Place check marks next to the following listings if they remain:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = plimus.com,http://www.plimus.com,regnow.com,www...w.com,;*.local
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {36ADA89D-2440-4DC4-820A-3A05E8630935} - C:\Program Files\Video ActiveX Access\iesplg.dll (file missing)

O15 - Trusted Zone: http://*.broadband.o2.co.uk

O22 - SharedTaskScheduler: drays - {33b8d257-07f6-4c06-8605-94bc21728635} - C:\WINDOWS\system32\xedasn.dll (file missing)

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Any further suggestions?

Yes, now you are going to have to go back and run both programs correctly.
Your HiJackThis was run BEFORE MBA-M and not AFTER as it should have been, or else you have only re-posted the original HJT log, I don't know which, but it IS the same log you originally posted. We need a NEW scan done AFTER the fixes are completed with MBA-M

HiJackThis was run at 16:04
MBA-M was run at 20:17:24

MBA-M issue #1, was not updated. Your database version shows as 2551 and the current database is 2700
MBA-M issue #2 the log clearly shows that there was No action taken. on any of the items found.

You need to follow directions exactly. Run MBA-M again, Update it first.
Then Run a Full Scan with it.
* When the scan is complete
* Be sure that everything is checked, and click Remove Selected.

Reboot the computer

Then run a NEW HiJackThis scan, save the log and please copy/paste both logs here. Do not attach them.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I think I figured it out! When I restarted just now the program was no longer in my taskbar, but it was in my Task Manager this time!!! I right clicked it to find out which process it was and it was called alg.exe. Now I know that there is a real windows file called that but this wasn't the real one, so I ended process, searched my computer for anything called alg.exe, deleted like 7 of the files that came up except the one in Windows\System32 and in Hijack this deleted the alg.exe thing I found and it hasn't come back yet, even when I restarted my computer!!!

When you ran your HJT scan was this showing on the computer?
At the time of the scan there was only one instance of this showing
C:\WINDOWS\System32\alg.exe
which is the correct location for the file. This refers to the Application Layer Gateway Service which "Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Windows Firewall." This can be disabled if you are not using Internet Connection Sharing or the built-in Windows firewall.
I would advise that you update MBA-M again and do one more Full Scan with it. I also advise that you do a Full Scan with your virus program. This file, if not properly located is indicative of either a virus or of a backdoor Trojan. It is possible that none of these scans picked it up so I advise you …
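The check Judy describes (a system-named binary such as alg.exe is only legitimate in its expected directory, and a copy anywhere else is a red flag) can be scripted against a process listing. This is an added example, not code from the thread; the expected-location table and the sample process list are constructed for illustration.

```python
import ntpath

# Singleton Windows system binaries and the only directory each should run from
# (assumed table; extend it with the names you care about).
EXPECTED_LOCATION = {
    "alg.exe": r"C:\WINDOWS\System32",
    "winlogon.exe": r"C:\WINDOWS\System32",
    "lsass.exe": r"C:\WINDOWS\System32",
}

# Constructed sample: (pid, full image path) as a process lister would report it.
SAMPLE_PROCESSES = [
    (1032, r"C:\WINDOWS\System32\alg.exe"),
    (2788, r"C:\Documents and Settings\user\Local Settings\Temp\alg.exe"),
    (3100, r"c:\windows\system32\winlogon.exe"),
    (4412, r"C:\WINDOWS\alg.exe"),
]


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison: case-insensitive, no trailing slash."""
    return ntpath.normpath(path).lower().rstrip("\\")


def find_misplaced(processes, expected=EXPECTED_LOCATION):
    """Return [(pid, image, reason)] for watched binaries running outside their home directory."""
    flagged = []
    for pid, image in processes:
        name = ntpath.basename(image).lower()
        home = expected.get(name)
        if home is None:
            continue  # not a binary we track
        if _norm(ntpath.dirname(image)) != _norm(home):
            flagged.append((pid, image, f"{name} should only run from {home}"))
    return flagged


def find_duplicates(processes, expected=EXPECTED_LOCATION):
    """Watched binaries normally run once; more than one instance is worth a look."""
    counts: dict[str, int] = {}
    for _pid, image in processes:
        name = ntpath.basename(image).lower()
        if name in expected:
            counts[name] = counts.get(name, 0) + 1
    return {name: n for name, n in counts.items() if n > 1}


if __name__ == "__main__":
    for pid, image, reason in find_misplaced(SAMPLE_PROCESSES):
        print(f"PID {pid}: {image} -> {reason}")
    for name, n in find_duplicates(SAMPLE_PROCESSES).items():
        print(f"{name}: {n} instances running")
```

The real alg.exe in System32 passes, while the Temp and C:\WINDOWS copies are reported; the duplicate count catches the same situation even when the rogue copy's path is unknown.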

jholland1964 650 Posting Expert Team Colleague Featured Poster

That Malwarebytes still shows in your start up programs, it should not be there. Did you reboot immediately after running the program?

I honestly don't see anything in the log that would indicate this Form 1 program.
Is it possible for you to get a print screen of it both closed and opened and attach them here? Maybe this would give more of a clue. It honestly is something I have never encountered before.
Also, please copy/paste the MBA-M log here even though it doesn't show anything.

jholland1964 650 Posting Expert Team Colleague Featured Poster

See if this works:
Please navigate to the MBAM folder located in the Program Files directory.

Locate MBAM.exe and rename it to winlogon.exe
Once renamed double click on the file to open MBAM and select Full Scan

At the end of the scan allow MBAM to remove what it had found then reboot.

jholland1964 650 Posting Expert Team Colleague Featured Poster

You say nothing of running MBA-M so please do the following:
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

Reboot the computer

Run a new HJT scan and post back with the MBA-M log and the HJT log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

For one thing I see several programs running while the HJT scan was done which shouldn't be running at the same time;
ESET Online Scanner, MBA-M install are two of them.
Those two should not be running at the same time. Reboot your computer. Install MBA-M if it isn't fully installed. Update it and then run a Full Scan with it. When it is complete it will show you what it found. Place Check Marks in all items found and click Remove Selected.
REBOOT the computer. Then, using Internet Explorer go to that ESET Scanner page, turn OFF your Avast program and run a Full Scan with it. When it is complete have it remove all items found.
Reboot the computer.

Immediately on reboot, before you open any other programs, run a new HJT scan.
Post back here with ALL three of those logs.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Yes the computer itself looks clean. However, before you do scans of the USB drives you need to disable the AutoPlay feature for USB devices, otherwise you could re-infect the computer if these drives do carry the infection. To do this follow the directions HERE
After you have disabled the Auto Play THEN plug in the drives and scan them with MBA-M and also your AV program.

majestic0110 commented: Thanks so much for the help ! +4
jholland1964 650 Posting Expert Team Colleague Featured Poster

See if you can do this, download the program HostsXpert which gives you the ability to restore the default host file back onto your machine. To do so, download the HostsXpert program and run it. When it opens, click on the Restore Original Hosts button and then exit HostsXpert.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Are you still getting the Redirects?

jholland1964 650 Posting Expert Team Colleague Featured Poster

Ok, I have done that now. Is the system clean now do you think ? And is there a possibility that the virus spread to any USB drives that have been plugged into the machine?

Well, yes there is, you never said there were USB drives involved here. You should update MBA-M and scan those and follow the same procedure with those, HJT wouldn't be an option though.

jholland1964 650 Posting Expert Team Colleague Featured Poster

That is your System Restore. Set a new Restore point to clear all that out.
To do this Right click My Computer, choose properties. When that opens click on the System Restore Tab. Place a check mark in Turn Off System Restore, click ok. System Restore will then turn off and the Restore Points removed. Wait a moment and then do the Reverse...remove that check mark and System Restore will turn back on with a new and clean restore point.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Should I consider everything clean, then? If so, thanks greatly for the assistance. :)

As long as you feel everything is running as it should then yes it is clean and you can mark this thread solved. I'm happy I could be of service. If you need anymore help don't hesitate to come back. That is why we are here.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

What I said was

update MBA-M if possible and then run a full scan with it in NORMAL mode

Since you cannot do that at this time, just run the full scan and have it remove anything it finds.
Post back here with the log, EVEN IF NOTHING IS FOUND.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Ok, first of all,
Do the following, With all browsers CLOSED. Go to Add/Remove
Look for and Uninstall ALL of the following that you may find there:
FunWebProducts.

* My Web Search (Smiley Central or FWP product as applicable)
* My Way Speedbar (Smiley Central or other FWP as applicable)
* My Way Speedbar (AOL and Yahoo Messengers) (beta users only)
* My Way Speedbar (Outlook, Outlook Express, and IncrediMail)
* Search Assistant - My Way

You also need to STOP from running at start up and therefore running in the background, Windows Defender, SuperANTISPYWARE and AdAware. If possible do this from within the programs themselves. Having these running in the background can interfere with fixes attempted. Plus...SAS and AdAware background services only work IF you have purchased the programs. While the services run on the FREE versions they do nothing but consume valuable resources.

Reboot the computer, in NORMAL mode. You DO NOT have to be online to do this.

Run HJT again and put check marks next to the following entries if they remain:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://safesearch.cyberdefender.com/smallsearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)

O1 - Hosts: 89.149.210.26 www.google.com
O1 - Hosts: 89.149.210.26 www.google.de
O1 …
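The fix lists in this post and the earlier one (proxy and search-page settings, orphaned "(no file)"/"(file missing)" entries, hosts lines pointing google.com at a foreign address, Trusted Zone additions) follow a few recognisable patterns, and the triage can be scripted. This is an added example, not code from the thread or from HiJackThis; the watched-domain set and the search allowlist are assumptions, and the sample lines are constructed from the entry shapes quoted in the thread.

```python
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Domains a home PC's hosts file should never redirect (assumed list).
WATCHED_DOMAINS = {"google.com", "google.de", "microsoft.com", "malwarebytes.org"}
# Hosts a search/start page may legitimately point at (assumed allowlist).
SEARCH_ALLOWLIST = {"google.com", "microsoft.com", "msn.com", "live.com"}

# Constructed sample in HJT log format.
SAMPLE_HJT_LINES = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://safesearch.cyberdefender.com/smallsearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 89.149.210.26 www.google.com
O1 - Hosts: 89.149.210.26 www.google.de
O2 - BHO: (no name) - {36ADA89D-2440-4DC4-820A-3A05E8630935} - C:\Program Files\Video ActiveX Access\iesplg.dll (file missing)
O15 - Trusted Zone: http://*.broadband.o2.co.uk
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""


@dataclass
class Finding:
    line: str
    reason: str


def _is_local(ip_text: str) -> bool:
    """127.0.0.1 / ::1 / 0.0.0.0 in a hosts file only block or loop back; anything else redirects."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def _matches(host: str, domains) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def triage_hjt_log(text, watched=WATCHED_DOMAINS, allowlist=SEARCH_ALLOWLIST):
    """Apply the thread's review rules to HJT-style lines; returns the lines worth fixing."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^(R\d|O\d+) - (.*)$", line)
        if not m:
            continue
        code, body = m.groups()
        if code == "O1":
            # hosts entry: flag a watched domain mapped to a non-local address
            hm = re.match(r"Hosts:\s+(\S+)\s+(\S+)", body)
            if hm and not _is_local(hm.group(1)) and _matches(hm.group(2), watched):
                findings.append(Finding(line, f"hosts entry redirects {hm.group(2)} to {hm.group(1)}"))
        elif "(file missing)" in body or "(no file)" in body:
            findings.append(Finding(line, "orphaned entry; the referenced file is gone"))
        elif code == "R1" and "Internet Settings,ProxyServer" in body:
            findings.append(Finding(line, "ProxyServer value is set; confirm it is intentional"))
        elif code in ("R0", "R1"):
            # search/start page pointing somewhere off the allowlist
            sm = re.search(r"(?:Search Bar|SearchAssistant|CustomizeSearch|Start Page|Default_Page_URL)\s*=\s*(\S+)", body)
            if sm:
                host = urlparse(sm.group(1)).hostname or ""
                if not _matches(host, allowlist):
                    findings.append(Finding(line, f"search/start page points at {host}"))
        elif code == "O15":
            findings.append(Finding(line, "non-default Trusted Zone entry; review"))
    return findings


if __name__ == "__main__":
    for f in triage_hjt_log(SAMPLE_HJT_LINES):
        print(f"{f.reason}\n    {f.line}")
```

Entries whose value is empty (the R0 SearchAssistant line) and vendor services that merely need uninstalling (the O23 line) are left for a human, which matches how the thread handles them.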

jholland1964 650 Posting Expert Team Colleague Featured Poster

Looks good.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I'll be waiting for your logs.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

.. i recommend installing bitdefender internet security 2009.
let me know how it works out.

good luck and stay protected!

Bad suggestion. NEVER install two anti-virus programs on one computer. Poster hasn't completed a scan with the installed av program, why would installing a second one make a difference?
Continue with the instructions given concerning ESET online scanner.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I agree with Crunchie, why stop the av scan? You have no idea if something is still on the machine so it was absolutely of no use to even run it.
You need to complete the scan, that is the only way to be certain. You also should run ESET Online scanner and have it remove anything found.
To run ESET you need to do the following: Use Internet Explorer and also TURN OFF your Norton Program.

After you do that, REBOOT the computer. Update MBA-M and do one more Full Scan with it, Remove All that is found.
Reboot the computer.
Then run another HJT scan and post back with that log, the new MBA-M log and the ESET log.

I also note you have Ewido Anti-spy program on the computer. It is no longer a stand alone program but part of AVG antivirus. You should Uninstall this program.
Also your Java is WAY out of date and should be updated.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Don't use the computer then until everything is deemed fully clean. Be sure it is not on or connected to the internet until you have completed the steps. We want to be sure all is gone.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Update MBA-M and give us one more Full Scan with it.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Run a new HJT scan and post the log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

SDFix must be used in Safe Mode only. This may be one reason why you say it won't work. But if you feel it has replicated then, why?

SDFix wouldn't be the tool to use for that anyway. It is not listed on the items which that SDFix will remove on the SDFix Information page.

Instead you should do the following:

Download ComboFix from Here or Here. Save it to the desktop.

Do NOT run the program yet.
First you must do the following:
# Close all open Windows including this one.
# Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. I
Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.

Once you double-click on the icon you may see a Windows Prompt.
Windows is issuing this prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue.

ComboFix is now preparing to run and when it has finished you will see the Disclaimer …

majestic0110 commented: Thanks for the continued help! +4
jholland1964 650 Posting Expert Team Colleague Featured Poster

You didn't give me time to read the HJT log and give the fixes using it. If you would feel better doing the other, as I said, go ahead. If you look at the MBA-M log it shows that it was removed by MBA-M. The instructions given on the page you linked say do a Quick Scan with MBA-M, we have you do a Full Scan. But that said, if you would feel better then do the steps listed on the page, post back with the logs and then I will give you the clean up steps using a new HJT scan log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

What do you think of using SDFIx ?

You already have removed the infections using MBA-M.
But if you want to, go ahead. Follow the instructions TO THE LETTER, no deviation. Then you will also have to run another Full Scan with MBA-M. Reboot and then do another Full Scan with HJT. Post back here with the SDFix log, the MBA-M log and the new HJT log.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Additional: I can see under security task manager a few rogue process "msword98.exe" operating in c\windows\system32. "braviax.exe" in c\windows\system32. Should I perform a boot scan using Avast ?

Yes and see if that makes a difference.

jholland1964 650 Posting Expert Team Colleague Featured Poster

OK, MBA-M has finished, it picked up only 1 trojan - C:\windows\system32\1.tmp (Trojan.agent).
This was quarantined and deleted. I followed the instructions from MBA-M and restarted straight away. Unfortunately, still no access to windows or windows safe mode with networking...Hmmm. BSOD still popping up - is there anyway that I can find out what it says? I tried photographing it with a digital camera (lol) but it disappears too fast! What should I do next ?

If you can access the Event Viewer in Safe mode go there and see what the errors are. Probably listed in System Errors section.
Start, Control Panel, Administrative Tools, Event Viewer. Look in System and also in Applications. Just the most recent errors listed there.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Ok, thanks a lot JHolland1964, nasty piece of kit this one! Who writes these things!

Creeps who take joy in hurting those they don't know!

jholland1964 650 Posting Expert Team Colleague Featured Poster

Do what you can and then we can figure out where to go from there.
Also post that first MBA-M log when you do. That can be found within the program under Logs tab.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Good deal. To clarify the TeaTimer...what it can do is interfere with actual fixes done, especially if there is a registry key involved.
What it is "supposed to do" is give you a notification of registry changes which are going to be made and give you the option of saying no or yes. But with the number of infections found when TeaTimer is definitely running in the background all the time, it obviously falls short on this. Of course some people may have received a warning before some sort of infection makes a registry change or addition but I sincerely doubt that ALL people would say ok.
Plus when fixes are being attempted using other programs TeaTimer has been known to block these legitimate changes needed and NOT do any notification.
The Spybot scanner is excellent and will remove many infections and a lot of malware but the TeaTimer portion leaves a lot to be desired.
I will wait for your scan logs.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

I note several things immediately in the HJT log.
#1. SpyBot TeaTimer is running. This needs to be disabled as it WILL interfere with any fixes done.
* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu and select Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck Resident TeaTimer and OK any prompts.
* Restart your computer

#2. Now this "may" be taken care of by the above restart, but MBA-M was set to run at Start Up, meaning the program evidently has been run but required a restart to fully remove whatever was found. This would have been noted in the log, which you did not post by the way. It would have said Quarantine or Delete on restart or something similar. Meaning it couldn't clean without restarting the computer.

The reason for this would be that the infected file was probably in use AND set to start after the computer boots up. When MBA-M must complete a removal with a restart what will happen when the computer is restarted is MBA-M will Remove the infected files BEFORE they can begin to run. So this should be a rule to follow with EVERY MBA-M scan, unless the scan is clean, just always reboot the computer after the scan, even if the log …

majestic0110 commented: congrats on featured poster, you deserve it! +5
jholland1964 650 Posting Expert Team Colleague Featured Poster

Looks clean. If you feel all is fixed you can mark this closed.
Judy