infected with sirefef-ZEROACCESS

here is the OTL.txt file done just after rebooting from the fix on OTL…
I attached it because maybe it’s different than if I had been using the PC for a while like before…
sry

Hi there darkmata,

I see that you are running more than I ask you to do. Please try to refrain from that as it may actually hinder our progress even though you have good intentions. So please only run the tools I ask you to. :slight_smile:

Seems like our fix hasn’t taken yet. Sometimes we need to hit this infection several times before it breaks. I appreciate your patience. :slight_smile:

Run ERUNT again to make a new backup of your registry.

Run OTL.exe

[*]Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL


:Services

:OTL
MOD - [2010/11/21 04:24:09 | 000,232,448 | ---- | M] () -- \\?\globalroot\systemroot\syswow64\mswsock.DLL
SRV:64bit: - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] (Iomega) [Auto | Running] -- C:\Windows\SysNative\SiS300i.dll -- (co_mon)
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\URLSearchHook: {db131c55-60c8-4adc-84dc-9e76ab06e2dc} - SOFTWARE\Classes\CLSID\{db131c55-60c8-4adc-84dc-9e76ab06e2dc}\InprocServer32 File not found
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2851619
IE - HKCU\..\URLSearchHook: {db131c55-60c8-4adc-84dc-9e76ab06e2dc} - SOFTWARE\Classes\CLSID\{db131c55-60c8-4adc-84dc-9e76ab06e2dc}\InprocServer32 File not found
IE - HKCU\..\SearchScopes,DefaultScope = {FD63BF63-BFFF-4B8F-9D26-4267DF7F17DD}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2851619
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
O2 - BHO: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll (Conduit Ltd.)
O2 - BHO: (uTorrentBar_ES Toolbar) - {db131c55-60c8-4adc-84dc-9e76ab06e2dc} - C:\Program Files (x86)\uTorrentBar_ES\prxtbuTor.dll File not found
O3 - HKLM\..\Toolbar: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (uTorrentBar_ES Toolbar) - {db131c55-60c8-4adc-84dc-9e76ab06e2dc} - C:\Program Files (x86)\uTorrentBar_ES\prxtbuTor.dll File not found
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\skype-ie-addon-data - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O33 - MountPoints2\{16478422-317d-11e1-9f37-00241d15fa81}\Shell - "" = AutoRun
O33 - MountPoints2\{16478422-317d-11e1-9f37-00241d15fa81}\Shell\AutoRun\command - "" = L:\LaunchU3.exe -a
NetSvcs:64bit: snoopfreesvc - C:\Windows\SysNative\bb-run.dll (Iomega)
[2012/03/12 13:33:01 | 000,000,000 | -HS- | M] () -- C:\Windows\SysNative\dds_log_ad13.cmd
[2012/03/02 12:54:55 | 000,000,000 | -HS- | C] () -- C:\Windows\SysNative\dds_log_trash.cmd
[3 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
[1 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]

:Files
C:\Windows\SysNative\SiS300i.dll
ipconfig /flushdns /c
dir C:\Users\Cure\AppData\Local\cf5171c8 /s /c

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot when it is done
[*]Then run a new scan and post a new OTL log ( don’t check the boxes beside LOP Check or Purity this time )

Hi jeffce,

Sorry for all the inconvenience… and absolutely thanks for your support! When I try to do a new backup, a message pops up:
error saving file C:/windows/ERDNT/13-03-2012/BCD
continue with next file?
[ RegCreateKeyEX:5 - acces denied ]

I press Yes, and the same message appears, but instead of BCD it says system, software, default, security, sam, ntuser.dat and UsrClass.dat.

and then it says “OK your backup is done”.

Now I’ll try to run OTL, first the fix, then the scan.

thank you.

Hi Jeffce

this is the OTL report.

thanks again.

Hi jeffce, i’ve done that! :wink:

Hi there jeffce,

Just wanted to know if the OTL file is correct, or maybe I did something wrong, but I don’t know what. I just did what you told me… and I ran the scan on the fresh reboot, nothing else.
Well, I’m sure you are still working on it, but maybe you need something else; if I can help you any other way, just tell me.

thanks.

Hi darkmata,

No everything is fine. I am clarifying something with Essexboy before we continue. Hang tight and I will return as quickly as I can. :slight_smile:

OK, thanks to both of you for your kind help!

Hi darkmata,

Run OTL.exe

[*]Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL


:Services

:OTL
MOD - [2010/11/21 04:24:09 | 000,232,448 | ---- | M] () -- \\?\globalroot\systemroot\syswow64\mswsock.DLL
SRV:64bit: - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] (Iomega) [Auto | Running] -- C:\Windows\SysNative\SiS300i.dll -- (co_mon)
SRV:64bit: - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] () [Auto | Stopped] -- C:\Windows\SysNative\ufdsvc.dll -- (swupdtmr)
SRV:64bit: - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] () [Auto | Stopped] -- C:\Windows\SysNative\USBCamera.dll -- (SlNtHal)
SRV:64bit: - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] () [Auto | Stopped] -- C:\Windows\SysNative\ati.dll -- (IFP700)
SRV:64bit: - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] () [Auto | Stopped] -- C:\Windows\SysNative\networkx.dll -- (dmboot)
SRV:64bit: - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] () [Auto | Stopped] -- C:\Windows\SysNative\U81xmdfl.dll -- (defragfs)

:Files
C:\Windows\SysNative\SiS300i.dll
C:\Windows\SysNative\ufdsvc.dll
C:\Windows\SysNative\USBCamera.dll
C:\Windows\SysNative\ati.dll
C:\Windows\SysNative\networkx.dll
C:\Windows\SysNative\U81xmdfl.dll
ipconfig /flushdns /c
dir C:\Users\Cure\AppData\Local\cf5171c8 /s /c

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot when it is done
[*]Then run a new scan and post a new OTL log ( don’t check the boxes beside LOP Check or Purity this time )
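The six SRV entries in the fix above share one timestamp and one byte size (000,005,120) while carrying unrelated service and file names. As an added example, not from this thread or from OTL itself, the following Python script parses OTL SRV lines and flags such clone clusters, plus auto-start services whose binary has no company name; the sample log is constructed from those six lines and one invented benign entry.

```python
import re
from collections import defaultdict

# OTL "SRV" line: SRV[:64bit:] - [date time | size | attrs | M] (company) [start | state] -- path -- (service)
SRV_RE = re.compile(
    r"^SRV(?::64bit:)?\s*-\s*\[(?P<ts>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| [^\]]*\]"
    r" \((?P<vendor>[^)]*)\) \[(?P<start>[^|]+) \| (?P<state>[^\]]+)\]"
    r" -- (?P<path>.+?) -- \((?P<name>[^)]+)\)$"
)

# Constructed sample: the six entries from the fix above, plus one benign line made up for contrast.
SAMPLE_LOG = r"""
SRV:64bit: - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] (Iomega) [Auto | Running] -- C:\Windows\SysNative\SiS300i.dll -- (co_mon)
SRV:64bit: - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] () [Auto | Stopped] -- C:\Windows\SysNative\ufdsvc.dll -- (swupdtmr)
SRV:64bit: - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] () [Auto | Stopped] -- C:\Windows\SysNative\USBCamera.dll -- (SlNtHal)
SRV:64bit: - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] () [Auto | Stopped] -- C:\Windows\SysNative\ati.dll -- (IFP700)
SRV:64bit: - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] () [Auto | Stopped] -- C:\Windows\SysNative\networkx.dll -- (dmboot)
SRV:64bit: - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] () [Auto | Stopped] -- C:\Windows\SysNative\U81xmdfl.dll -- (defragfs)
SRV:64bit: - [2009/07/14 02:39:46 | 000,041,472 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\benign_example.dll -- (BenignSvc)
"""

def parse_srv_lines(text):
    """One dict per SRV line; the comma-grouped size becomes an int."""
    entries = []
    for line in text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"].replace(",", ""))
            entries.append(e)
    return entries

def find_clone_clusters(entries, min_cluster=3):
    """Group services by (timestamp, size): unrelated names sharing both is a red flag."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["ts"], e["size"])].append(e)
    return {k: v for k, v in groups.items() if len(v) >= min_cluster}

def suspicious_service_names(text, min_cluster=3):
    """Services in a clone cluster, or auto-starting from a binary with no company name."""
    entries = parse_srv_lines(text)
    flagged = set()
    for cluster in find_clone_clusters(entries, min_cluster).values():
        flagged.update(e["name"] for e in cluster)
    for e in entries:
        if e["start"].strip() == "Auto" and not e["vendor"].strip():
            flagged.add(e["name"])
    return sorted(flagged)
```

Running `suspicious_service_names(SAMPLE_LOG)` returns the six service names from the fix and leaves the invented BenignSvc entry alone.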

Hi jeffce,

here is the report.

thanks a lot!

Hi,

Download Combofix from any of the links below but rename it to svchost.exe before saving it to your desktop.

Link 1
Link 2

==================================

Right-click and Run as Administrator on the renamed ComboFix.exe & follow the prompts.

[*]When finished, it will produce a report for you.
[*]Please post the C:\ComboFix.txt so we can continue cleaning the system.

Hi jeffce,

no combofix.txt created, so sorry…

I don’t know what’s wrong…

thanks again

Hi jeffce

I suppose MBAM starts at Windows start; then sometimes I get the prompt message about C:\windows\assembly\tmp\U\00000001.@

and sometimes two more with different numbers like 800000c0.@ and 800000cb.@

i don’t know if it helps…

Hi darkmata,

No need to say sorry. :slight_smile:

Run OTL.exe

[*]Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL


:Services

:OTL
SRV:64bit: - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] (Iomega) [Auto | Running] -- C:\Windows\SysNative\mcmscsvc.dll -- (mfesmfk)

:Files
C:\Windows\SysNative\mcmscsvc.dll

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot when it is done
[*]Then run a new scan. Place the following into the Custom Scans section

netsvc
/md5start
consrv.dll
mcmscsvc.dll
/md5stop
createrestorpoint

[*]Press Run Scan ( don’t check the boxes beside LOP Check or Purity this time )
[*]Post a new OTL log

Hi jeffce,

I assume that it has to be hard work to code/decode all this stuff, and I suppose how frustrating this could sometimes be; that’s why I say sorry… :wink:

But I know you can! :stuck_out_tongue:

Better to take this with humor, isn’t it?

OK, here is the OTL file.

LOL!! I actually have a lot of fun doing this and helping people. :slight_smile:

[*]Please download Junction.zip and save it to your desktop.
[*]Unzip it and extract junction.exe to your C:\ drive. So it appears as C:\junction.exe

[*]Next,
[*]Now copy (Ctrl +C) and paste (Ctrl +V) the text inside the code box below into Notepad.


@ECHO OFF
cd c:\
junction -s c:\>log.txt
start log.txt
del %0

[*]Save it to your desktop as File name: junc.bat
[*]Save as type: All Files

Next,
Double click junc.bat to run it. (accept any alerts) A log will be presented. Copy and paste or attach the content of the log in your next reply.

lol! nice to hear that!

OK, it gave me an error: could not find log.txt file, be sure that the file name is correct.
And behind that there is a cmd.exe window with “acces denied” written…

thanks.

Also I have to say that if I try to extract the file directly to C: it gives an error:

C:\Users\Cure\Desktop\junction.zip could not create junction.exe acces denied

Hi darkmata,

Run a new scan with TDSSKiller and remove anything that it finds. Then post the logs that are made. :slight_smile:

Hi jeffce

no threats found with TDSSKILLER, here is the log.

thanks