gerbil 216 Industrious Poster

Using the recovery disks supplied with preloaded systems will take your sys back to brand-new state, causing you to lose all data.
Your idea of loading XP onto another hard drive and copying data off the old one is best.
Your sys is unable to read its registry from the hard drive - running chkdsk with the correct parameter to correct errors can sometimes solve this. I do not know what is on your disks, but a borrowed XP installation cd would give you a Recovery Console, from where you could run chkdsk /r
Or, you could download and burn to a cd this iso, then boot from it : http://www.thecomputerparamedic.com/files/rc.iso
It is a Recovery Console.

gerbil 216 Industrious Poster

You can see mup.sys, therefore it was loaded [by ntldr, which obtained control set info from HKLM\system]; mup.sys is a boot file. But when an attempt was made next to start those drivers, something hung. You do not know what. You could try altering your boot.ini file to include the bootlog parameter, and then read that log file, Ntbtlog.txt from \Windows. Make a boot.ini on another sys, copy it in with RC, read the file with "type" cmd.
You could reset CMOS.
If Repair fails it could be a hardware error [try running chkdsk /r from RC] or that the info in \repair [original? reg files] is corrupt. Repair replaces a lot of system files so it is doubtful that it is one of those drivers which is failing. Try a sys rest instead of entering safe mode.

gerbil 216 Industrious Poster

I think you have a case of Installer bloat there. My Installer folder is just 125MB.
There is a M$ tool to show up orphaned Installer files [those not registered] for you to delete; perhaps you could give it a try?
http://support.microsoft.com/default.aspx?scid=kb;en-us;290301
Run :
msizap.exe G
"And if messing with the registry to switch back to DMA"... try the BIOS selection first. And you do not need to directly edit your registry - use Device Manager to set your IDE drives to DMA if available. Look under IDE ATA controllers, properties.
A site for you: http://winhlp.com/node/10
What was using java?

gerbil 216 Industrious Poster

That is just the way M$ denotes those drives. Using M$'s definitions, the "booting" files are on the System drive; system [OS] files are on their Boot drive. Nobody knows....
If booting and system files are on the same drive [volume] then that volume is denoted System.
Use diskpart to render D: inactive. No sense BIOS getting confused about that one.
I do not think there is any registry key associated with booting; remember that at this stage in loading an OS it is only the BIOS controlling the action, and then handing control sequentially to files on the drive. The registry comes a good deal later in the process.
My boot and sys files are on C:. I have the main paging file [2 GB] on a second disk but also a small [50MB] one on C:. It should speed things up that way, cut disk access to the second somewhat. I think. Anyway, monitoring their activity shows the C: file gets used to capacity quite often

gerbil 216 Industrious Poster

Heya Billy, for a start, I take NO responsibility if this method fails. You can't find me, anyway....
If it does fail, you will need a Recovery Console [diskpart is in it].
Sure you can copy them [the 3 used by XP are ntldr, ntdetect.com and boot.ini, so COPY them over, and mod that boot.ini in E:].
One other thing....it IS important.
BIOS needs to be able to find those things, and it will look in the partition marked as Active. Check in Comp Mgmnt - Disk Mgmnt; you will see that your C: is marked as (System). It is also the Active partition, but because it contains those boot files it is called System.
You can use Disk Mgmnt to mark any primary partition Active [it complains in some circumstances], but it may not let you remove that setting.
Better to use diskpart in a command window. So.. enter:
diskpart
/? will give you a list of commands. Anyway...
list disk
select disk x - where x is the disk with E: from that list
list partition
select partition y - where y is the partition with the Windows system files, E:.
active
** Your E: is now marked Active. Next we make C: not Active....
select disk p - where p is the disk with C: on it.
list partition
select partition q - where q is the C: …

gerbil 216 Industrious Poster

I know of no way to bypass that compliance check, Bob. He either runs Setup.exe from within the original OS [eg, 98, ME], else with no OS on the hard drive he boots from the upgrade cd and inserts a complying cd for the check when it is requested.
Anything else would be cheating.

gerbil 216 Industrious Poster

Ah, Bob.. upgrading. That works from within Windows, doesn't it...?
But if he does what I said [disconnects his E: drive with XP on it] then I think his upgrade disc will want to see his original OS [98 ?] cd at a point early in Setup. That being satisfied it should be happy to clean install XP.

gerbil 216 Industrious Poster

Hi, billy.
Next time you install Windows don't let it [Setup] see your old installation... ie. disconnect your E: hard drive first. And then it should be happy to install onto C: its boot and system files.

gerbil 216 Industrious Poster

Oops, that last value should read C:\WINDOWS\explorer.exe
Yeah....

gerbil 216 Industrious Poster

Um... in the currentcontrolset, session manager, KnownDLLs subkey, change the DLLDirectory value to %systemroot%
Or go to this key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options.
Under it add a new key, explorer.exe, and in that create a new string with name Debugger, value C:\WINDOWS\system32\winlogon.exe
Then add another new key, regedit.exe with string name Debugger, value C:\WINDOWS\system32\explorer.exe

gerbil 216 Industrious Poster

The simplest way to fix this is, if you do indeed hook up your drive as you say, to go in and edit your boot.ini file so as to remove the /safeboot parameter from the line where it occurs [it may be /safeboot:minimal]... just delete it from the end of the line. Save the edited file over the original, and job is done. Well, that bit, anyway. There is a reason the safeboot parameter did not work, and that is that the safe boot key in registry was altered by your malware. There are fixes for that. Ask here if you need a resolution.
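The edit described in that post, done programmatically, as an added example that is not part of the original thread. The boot.ini content is constructed to resemble an XP loader file with /safeboot left in place; the function only touches the [operating systems] section and handles the :minimal / :network(alternateshell) variants as well as the bare switch.

```python
"""Strip the /safeboot switch from boot.ini entries (added example)."""
import re

# /safeboot may stand alone or carry a value (:minimal, :network, :dsrepair),
# optionally followed by (alternateshell). Matching is case-insensitive because
# NTLDR does not care about case and logs quote it both ways.
_SAFEBOOT_RE = re.compile(r"\s*/safeboot(?::[a-z]+(?:\(alternateshell\))?)?", re.I)

# Constructed sample: two OS entries, both carrying a safeboot switch.
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /safeboot:minimal
multi(0)disk(0)rdisk(1)partition(1)\\WINDOWS="Second XP" /fastdetect /SAFEBOOT:network(alternateshell) /sos
"""


def strip_safeboot(text):
    """Return (new_text, number_of_lines_changed).

    Only lines inside the [operating systems] section are edited; the
    [boot loader] section (timeout/default) is copied through unchanged.
    """
    out, changed, in_os = [], 0, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            # Section header: remember whether we are in [operating systems].
            in_os = stripped.lower() == "[operating systems]"
            out.append(line)
            continue
        if in_os and _SAFEBOOT_RE.search(line):
            # Remove the switch (and its value) and any trailing whitespace it leaves.
            out.append(_SAFEBOOT_RE.sub("", line).rstrip())
            changed += 1
        else:
            out.append(line)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    fixed, count = strip_safeboot(SAMPLE_BOOT_INI)
    print(f"{count} line(s) changed")
    print(fixed)
```

On a real machine the result would be written back over the (hidden, read-only) C:\boot.ini after clearing those attributes, which this example deliberately does not do.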

gerbil 216 Industrious Poster

Windows Memory mgmnt has it under its control. If you are looking at Task Manager, Available physical memory, and wondering why it is so big, possibly more than half your installed RAM, be assured that Windows and the processes running under it are using all the RAM they need. Available is memory that contains recently used processes and their data, ready for restart without an I/O operation to disk. Aw heck... read it here: http://support.microsoft.com/kb/312628
The Total commit Charge is the amount of memory actually being used at that moment, and it includes paged memory. You can't force Windows to use more RAM and not the page file because if you make too small a one, or none at all, Windows will quietly make one and not tell you about it.
As far as L2 cache goes, how much of it is used is up to your HAL. You know from your CPU spec sheet how much there is in the processor chip, you can see how much windows knows about from this key:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"SecondLevelDataCache"=dword:00000000
That is a decimal dataword, zero implies 256KB.... you can set what your CPU has, in decimal KB. HAL might have it wrong.
Mine was not detected?, was originally set to minimum, so I set it to 6144. The sys seems happy; whether it made a difference, I don't know... I mean, cache size does make a difference [http://www.tomshardware.com/reviews/cache-size-matter,1709-2.html]. Certainly other software …

gerbil 216 Industrious Poster

Virut. Ah. You may have already taken the best option, then. A format and reinstall. Note that a format does not remove files, just loses them; the new OS will not see them. And vv.
Cheers, Nathan. Sometimes you do have to just give up.

gerbil 216 Industrious Poster

"GMER NO LONGER DETECTS UACd.sys" -it won't , in Safe mode, if the rootkit is not active. But nothing stops you in Safe mode from going into system32/drivers and deleting every UAC*.sys file, every UAC*.dll and tmp*.dll or .exe file in system32, cleaning out every tmp and temp directory...
And you could dl and run this:
==Download this file to your DESKTOP: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
.....or this file: http://subs.geekstogo.com/ComboFix.exe
-IMPORTANT! : disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan. Don't forget to reset them before you go back on the web!
- to run it dclick the Combofix.exe icon and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
There is a chance that you would need to rename the combofix exe before running it. It would be nice to clean his sys so that all his files could be saved.

gerbil 216 Industrious Poster

"Do you know where MBAM downloads the database updates for checking for malware? I have a working MBAM on one computer but since the infected computer cant connect to malwarebytes.org it cant get updates.."
I am going to work on that, Nathan. The only site that has them for installation is usually a month out of date, and that is almost useless. Atm it is about 50 releases behind...
Just for my information, did you run that block of file deletions via the cmd window that I gave you earlier? Because I would like to know what broke the back of UAC..., and it did break after that post of mine. After that MBAM was able to detect the rogue files it had been hiding, plus see more of UAC.
That was a comprehensive and growing infection you had. Did you need to do anything else after the last MBAM run you posted?
Nathan, we have to be seen to be doing the right thing by software vendors. But I did notice your action.

gerbil 216 Industrious Poster

Good morning.
Installing Recovery Console is a precaution in case Combofix breaks your sys. If you have a bootable XP cd you do not need it on your hard drive- it is then just a convenience.
This one, c:\windows\OPTIONS\CABS\_desktop.ini is associated with various worms, virii. The other deletions were of SMitfraudfix files.
I see no other problems there.... you certainly threw some stuff at it.. :)
You can remove that AVG8 browser toolbar if you so wish... a space waste.
Tell me how things are, please.

gerbil 216 Industrious Poster

It will. If it returned once.... Okay, there are files there that I cannot see, to protect and regenerate malware. I suspect a rootkit, and this tool will flush out most problems:
==Download this file to your DESKTOP: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
.....or this file: http://subs.geekstogo.com/ComboFix.exe
-IMPORTANT! : disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan. Don't forget to reset them before you go back on the web!
- to run it dclick the Combofix.exe icon and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.

gerbil 216 Industrious Poster

You could not see those values in the Services\UACD keys because a simple trick has been employed to make their values invisible to regedit. But they can be removed easily.
Nathan, as I expected.... there is another problem. Your OS is cracked with a Windows Activation bypass hack, and I am not supposed to help you further until it is removed. I do not know if you are aware of it, but it is there. It may have been there already if you bought the machine with XP preinstalled.
This is the file... I alluded to it earlier: C:\WINDOWS\system32\antiwpa.dll ...it is no big secret, so I have put it in clear for you to deal with.
Sorry, but forum rules are there to protect the forum and its owners. This file, as its name indicates, is Anti Windows Product Activation, and its SOLE use is to pervert that.

gerbil 216 Industrious Poster

Just for the time being, Nathan, I am going to ignore one of the detections..... I may get spanked for it.
Anyway.... use GMER to delete all these entries [you must run it in Normal Mode]:
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACppjwbfoauuwvxxwmi.sys
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACppjwbfoauuwvxxwmi.sys
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACvkbftebfvmevcvttv.dll
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@UACsr \\?\globalroot\systemroot\system32\UACtmuhcepbrnaesbrvv.dat
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs C:\WINDOWS\TEMP\141078336mxx.dll

Delete all these files. This should do it in one hit. Paste this as ONE BLOCK into a cmd window at the prompt:

(del /f /a %systemroot%\system32\drivers\UACd.sys
del /f /a %systemroot%\system32\drivers\UACppjwbfoauuwvxxwmi.sys
del /f /a %systemroot%\system32\drivers\UACppjwbfoauuwvxxwmi.sys
del /f /a %systemroot%\system32\UACvkbftebfvmevcvttv.dll
del /f /a %systemroot%\system32\UACtmuhcepbrnaesbrvv.dat
del /f /a C:\WINDOWS\TEMP\141078336mxx.dll
del /f /a C:\Documents and Settings\Chris\reader_s.exe)


Then use hijackthis to fix these entries :
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: (no name) - {D76AB2A1-00F3-42BD-F434-00BBC39C8953} - (no file)
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Chris\reader_s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\Chris\reader_s.exe (User 'Default user')

Say how you get on...

gerbil 216 Industrious Poster

A quick point while I get time to look at all those. I see this in the MBAM log:
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> No action taken.

Files Infected:
c:\WINDOWS\system32\5.tmp (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\6.tmp (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\7.tmp (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\8.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\drivers\UACd.sys (Trojan.Agent) -> No action taken.

So, do you do THIS?:
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you when it completes... do not click the Save Logfile button.
Examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Copy and post that log [it is also saved under Logs tab in MBAM].

If you do not, nothing changes....

gerbil 216 Industrious Poster

Norton/Symantec. The latest product seems to be performing better in the mix. Anyway, trot along to this page and get the correct removal tool for your version of Norton - use it to completely clean out your old AV.
http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039
THEN, install your new AV. Mcafee? Ummm....
You may then need to uninstall and reinstall any third party firewall.
Your ping going thru but not any browser traffic points to the AV. An AV acts as a proxy for your browser, handling all TCP traffic. Ping.exe is ignored.

gerbil 216 Industrious Poster

Good stuff, bushoi.
You can close and open explorer.exe at will, it is nothing special. Think of it as similar to IE. Well, it does share a lot of functions.
browseuiad.dll seemed to be a modified version of browseui.dll, which is a M$ library of functions and other resources for browser [explorer is a browser also..] user interface management.
Your malware included it so as to present its wares, but its controlling software had already been removed. When it popped it simply had nothing to present....

gerbil 216 Industrious Poster

You would need to close all browsers [well, IE uses it... not opera or firefox] and also explorer, firstly. Delete via cmd.exe :
cd\
del /f /s /q /a C:\WINDOWS\system32\browseuiad.dll
Or there is this:
==This one is a general purpose deleter, Unlocker: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.
Browse to the file, rclick it, choose Unlocker, remove any hooks...[ If the file or folder is locked then a window will appear with a list of processes locking the file or folder. Select the locks and click Unlock and you are done. It is recommended to Unlock wisely and to close open processes locking files or folder if any, but if only Explorer.exe is the culprit, do not hesitate!]
...choose Delete, and delete it.
You can then restart explorer via Task Manager [File, New Task... explorer.exe]

gerbil 216 Industrious Poster

GMER takes 1 1/2 mins to scan my systemdrive. But windows is there all by itself, no data, no pgms other than those that fight to be there; the partition is tightly controlled... so... Anyway, uncheck the Sections and IAT/EAT boxes for the scan, make sure only your systemdrive is included in the drives choice..
UAC*.sys is a rootkit driver, but having said that, there is no reason why it should not also be protecting files that regenerate it, apart from the files that do its business. Could you post a MBAM scan run in Safe mode? Likely the rootkit will not be active there.

gerbil 216 Industrious Poster

What, me do it instead of you? I do tend to be chatty in my posts, but that is because I am human, and like to relate to some folks. Just some... we pick each other out...
Anyway, Nathan, I cannot do a generic solution for you... solutions evolve as we see what is coming up. Best start with this [and rename mbam.exe and hijackthis.exe if they will not run initially, to mybam.exe and hoistthis.exe]:
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application,
-ensure that it is set to update and start, else start it via the icon, and UPDATE it.
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you when it completes... do not click the Save Logfile button.
Examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Copy and post that log [it is also saved under Logs tab in MBAM].
Then...
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the …

gerbil 216 Industrious Poster

Okay, thanks for that report. Because browseuiad.dll is unknown and its CLSID unregistered you should do the following:
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O22 - SharedTaskScheduler: Component Categories cache daemon preloader - {3A6AC8B5-6571-476F-A050-CD9E577D07CC} - C:\WINDOWS\system32\browseuiad.dll

Then delete C:\WINDOWS\system32\browseuiad.dll
Say if the IE openings continue.

gerbil 216 Industrious Poster

Get Process Explorer from Winternals. The tool for the job. It will show you the handles and dlls used by any running process.

gerbil 216 Industrious Poster

Check to see that you have this file in your sys: c:\windows\system32\browseui.dll -report back on this.
Virus Scan:
==Please go to this web page http://virusscan.jotti.org/, click browse and submit this file for examination [use the Choose button to browse to the file]:
C:\WINDOWS\system32\browseuiad.dll

I wish to see if it is a delf variant. Whatever, this will remove it and clean the key:
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application,
-ensure that it is set to update and start, else start it via the icon, and UPDATE it.
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you when it completes... do not click the Save Logfile button.
Examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Copy and post that log [it is also saved under Logs tab in MBAM].

gerbil 216 Industrious Poster

For a far more complete listing of startups you should use the Misc Tools section of Hijackthis. Msconfig gives you results from just a few registry keys.

gerbil 216 Industrious Poster

Ah... I see where you are. Files and folders are it, just build a good structure with different aspects well separated for easy location. I start right from the top with different partitions for say, graphics, music, accounting, and work on down from there. A database is not what you want... but if you did, there is OpenOffice. Free. With spreadsheets, word processor, presentation manager and more. It's right up there with M$ Office, and compatible with much of that.

gerbil 216 Industrious Poster

A database?

gerbil 216 Industrious Poster

I think you will find that the disk controller is in the hard disk package... Why? Because it alone knows where everything is on the disk surfaces. The OS just asks for things to be done [read/written].. the controller knows where it physically is or will go, not the OS.
If you did a full format during setup that would check the disk surfaces with chkdsk - and if that passes, the issue is most likely not with the hard drive. A quick format is no check at all.

gerbil 216 Industrious Poster

And rubbing with your fingertip with toothpaste is a great way to remove those minor scratches on the cd surface. True.
So, pits washed with warm soapy water, and cleaned with toothpaste, it's all ready to go for a drive and get loaded.

gerbil 216 Industrious Poster

Cool. Well, that seems to be all taken care of.
Cheers, Geoff. Good luck out there.

gerbil 216 Industrious Poster

The name of its creator? Obviously you have checked for that, and one is not there. It did not delete, which is interesting.... so rename it and see what complains, if anything, ever - it has not been accessed since its creation date. NV32643396.TMP.bak will do the trick. You could then upload it for scanning..
==Please go to this web page http://virusscan.jotti.org/, click browse and submit that file for examination: c:\windows\NV32643396.TMP; post the result.

gerbil 216 Industrious Poster

Reading.. it is possibly just PS and fan. But I can only guess.

gerbil 216 Industrious Poster

That looks better, illahae. Just one thing, what does this file relate to : c:\windows\NV32643396.TMP ?
If it is benign [check its properties] then remove a few of those specialist tools you have been throwing at this thing. This will uninstall Combofix and its quarantine.... Run:
combofix /u

gerbil 216 Industrious Poster

Skynet. A rootkit. So that is what was hiding msiebbar.dll
This should not take long, but because there are still two drivers to delete we will use Combofix to delete them, in case they are protecting other malware processes...
==Again please disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan:
Copy the text in the box to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to your desktop.

Killall::

File::
c:\windows\NV32643396.TMP
c:\windows\system32\C3F30A4ADF.sys
c:\windows\system32\KGyGaAvL.sys

Driver::
C3F30A4ADF.sys
KGyGaAvL.sys

Good. Now drag the CFScript.txt icon onto the Combofix icon on your desktop. Combofix will start, let it run, if your firewall prompts then allow all; post the log.
[Check that the O18 entry is gone, let me know]

gerbil 216 Industrious Poster

Get CCleaner [see below].
Right. This method kinda ramps up... stop when you win. When you do, fix the O18 entry with hijackthis, and then run CCleaner.
For a start, in an Explorer window, go Tools, Folder options, View tab, and select Show hidden files and folders, Apply and Ok.
1:In a cmd window, run these two commands [you can paste them into the cmd window]:
cd c:\windows\system32
del /f /a ahr msiebbar.dll

2:If you can see the file in system32...
==This one is a general purpose deleter, Unlocker: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.
Browse to the file, rclick it, choose Unlocker, remove any hooks...[ If the file or folder is locked then a window will appear with a list of processes locking the file or folder. Select the locks and click Unlock and you are done. It is recommended to Unlock wisely and to close open processes locking files or folder if any, but if only Explorer.exe is the culprit, do not hesitate!]
..choose Delete, and delete it.

If the file can not be seen, and the O18 entry still regenerates, then:
==Download this file to your DESKTOP: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
.....or this file: http://subs.geekstogo.com/ComboFix.exe
-IMPORTANT! : disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of …

gerbil 216 Industrious Poster

Ah, okay, illahae.. It is gone, so you are pretty clear to go too. Ignore my post re SAS and Registry Editor - not required.
Cheers.

gerbil 216 Industrious Poster

An example would be C:\ autorun.inf
Just use Explorer, expand each drive [partition] if it exists. If not, just run MBAM. These files are usually found in software cds to automatically start the installation process when you insert the cd, saves you hunting for setup.exe or whatever. But you can write all sorts of instructions into them. Naughty ones.

gerbil 216 Industrious Poster

Okay, it slipped my mind your having Superantispyware: Please disable it from starting with Windows via the system tray control centre. Restart your sys, and then fix that O18 entry with hijackthis, then re-enable SAS.
Or this may get by SAS and fix it:
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as fixkey.reg to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{27ad87fe-f8bf-4593-8e1e-9e7ca6a99ca6}]
gerbil 216 Industrious Poster

Aw... please don't run registry cleaners. They just don't do anything worthwhile. If you really want to speed up registry access then remove spaces and defragment it - sysinternals have a pgm for doing that latter.

gerbil 216 Industrious Poster

Okay on the MBAM action... did you miss fixing this one with hijackthis?:
O18 - Filter hijack: text/html - {27ad87fe-f8bf-4593-8e1e-9e7ca6a99ca6} - C:\WINDOWS\system32\msiebbar.dll
It is a protocol hijack key for a trojan downloader, but you say you could not find the file - Avira may have caught it.

gerbil 216 Industrious Poster

I might have known it.. there actually is a bestsitetobe.com

gerbil 216 Industrious Poster

Okay, when you type in a URL, say http://www.bestsitetobe.com, the web does not recognise that as a valid machine address, so it is converted to one, an IP address, say 234.34.121.005 which is linked to a machine or server somewhere in the world. To do that conversion a DNS server gets involved - those servers maintain URL <> IP address lists. Your ISP assigns you to one or two of them, and those DNS servers will have their IP addresses loaded into your router at log-on to your ISP. A DNS hijack then is when malware loads in its own DNS servers... you enter a URL, their DNS servers put in a selected IP address, which may not be the correct one. Get rid of those two.

gerbil 216 Industrious Poster

To elaborate on what godspeed posted.. those IP addresses are for an address in New Delhi : is that valid for you, plastered? They have persisted throughout all your posted logs, including those in the other forum...

gerbil 216 Industrious Poster

Neitz, check in the root of each affected drive to see if there is a file called autoruns.inf: if so, delete it. Then...
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application,
-ensure that it is set to update and start, else start it via the icon, and UPDATE it.
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you when it completes... do not click the Save Logfile button.
Examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Copy and post that log [it is also saved under Logs tab in MBAM].

gerbil 216 Industrious Poster

Please do not use Rapidshare for posting logs. Post them here.
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O4 - HKLM\..\Run: [13930784] C:\Documents and Settings\All Users\Application Data\13930784\13930784.exe
O4 - HKLM\..\Run: [93940776] C:\Documents and Settings\All Users\Application Data\93940776\93940776.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.antispyexpert.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.spyguardpro.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.antispyexpert.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted …

illahae commented: The guy/gal is a frickin wizard! +1
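Several posts above hand the reader a list of HijackThis lines (O2, O4, O15, O18, O22) to fix. As an added example, not part of the original thread, here is a small triage parser for that log format; the sample lines are taken from entries quoted on this page plus one constructed benign ctfmon entry, and the flagging rules are my own heuristics rather than anything HijackThis itself applies.

```python
"""Triage helper for HijackThis log lines (added example)."""
import re
from dataclasses import dataclass, field

# Every HJT entry starts with a type code such as "O4" followed by " - ".
_LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<rest>.*)$")

# Locations from which installed software normally autostarts; an O4 Run
# entry launching from anywhere else gets flagged (heuristic, not proof).
_TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")

# Sample log: entries quoted on this page, plus a constructed benign O4 line.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: (no name) - {D76AB2A1-00F3-42BD-F434-00BBC39C8953} - (no file)
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Chris\reader_s.exe (User 'SYSTEM')
O4 - HKLM\..\Run: [13930784] C:\Documents and Settings\All Users\Application Data\13930784\13930784.exe
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.virusremover2008.com
O18 - Filter hijack: text/html - {27ad87fe-f8bf-4593-8e1e-9e7ca6a99ca6} - C:\WINDOWS\system32\msiebbar.dll
O22 - SharedTaskScheduler: Component Categories cache daemon preloader - {3A6AC8B5-6571-476F-A050-CD9E577D07CC} - C:\WINDOWS\system32\browseuiad.dll
"""


@dataclass
class Entry:
    code: str
    rest: str
    flags: list = field(default_factory=list)


def _flags_for(code, rest):
    """Return the list of heuristic findings for one entry."""
    flags, low = [], rest.lower()
    if code == "O2" and "(no file)" in low:
        flags.append("BHO still registered but its DLL is gone")
    if code == "O4":
        # Path sits after the bracketed name, before an optional (User '...') suffix.
        m = re.search(r"\]\s+(.+?)(?:\s+\(user '.*'\))?$", rest, re.I)
        if m and not m.group(1).lower().startswith(_TRUSTED_DIRS):
            flags.append("Run entry launches from an unusual location")
    if code == "O15":
        flags.append("wildcard domain added to the IE Trusted Zone")
    if code == "O18" and "filter hijack" in low:
        flags.append("MIME filter hijack: a DLL is inserted into text/html handling")
    if code == "O22":
        flags.append("SharedTaskScheduler entry: DLL loaded into explorer.exe at logon")
    return flags


def parse_hjt(text):
    """Parse raw HJT log text into Entry objects, skipping non-entry lines."""
    entries = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            code, rest = m.group("code"), m.group("rest")
            entries.append(Entry(code, rest, _flags_for(code, rest)))
    return entries


def suspicious(entries):
    """Entries that received at least one flag."""
    return [e for e in entries if e.flags]


def trusted_zone_domains(entries):
    """Sorted, de-duplicated domains from O15 entries (HKCU and HKLM merged)."""
    doms = set()
    for e in entries:
        if e.code == "O15":
            m = re.search(r"Trusted Zone:\s+(\S+)", e.rest)
            if m:
                doms.add(m.group(1).lstrip("*."))
    return sorted(doms)


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for e in suspicious(parsed):
        print(f"{e.code}: {e.rest}\n    -> {'; '.join(e.flags)}")
    print("Trusted Zone domains:", ", ".join(trusted_zone_domains(parsed)))
```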
gerbil 216 Industrious Poster

In safe mode.. rename your MBAM and hijackthis exe files to say, mm.exe and ht.exe, try then to run them.