
Author Topic: Data Execution Prevention Blocks Explorer/Others Following Malware Removal  (Read 22967 times)


ElwoodJD

    Topic Starter


    Rookie

    Hello, this is my first post to this forum as I have usually had good luck with removing most malware on my own.  This one has me stumped, however, so I would appreciate any help I can get.  Up front, I will say I am experienced with computers (or at least the software side of things) though I'm certainly no expert.  Here is some key information:

    OS: XP Pro, Service Pack 3
    Anti-Virus: AVG (newest software version as far as I can remember)
    Anti-Malware Programs: Ad-Aware Anniversary Edition
                                   Spybot S&D (With TeaTimer, though I already read on your list of info to disable it for now)
    *I am aware that you recommend two other programs (SuperSpyware and some other).  I am willing to switch to those if recommended, but for now I do not have the option to as you will see.


    Here is my problem.  I got one of those annoying popup programs that pretends to be anti-virus claiming I had lots of infections and to buy their software.  I knew I had at least one infection, namely that program popup.  I ran Ad-aware immediately, it found 2 Trojan items, which I selected to remove.  It informed me that to finish the removal process I needed to reboot.  I did so, immediately.  Upon startup, the normal XP login splash screen with user icons was replaced by a simple login box (with my username already filled in to the top box, with a blank password box below).  I logged in.

    Before anything popped up, I got the blank background and mouse, and then it told me that Data Execution Prevention blocked "Userinit Logon Application."  I click close message.  Nothing else loads.  I hit alt-ctrl-del, Data Execution Prevention stops that.  Finally, clicking ACD multiple times I get task manager.   Depending on the bootup (I have restarted my computer now multiple times trying different fixes to no avail), I'll have about 6-7 copies of svchost.exe, lsass.exe, services.exe, winlogon.exe, csrss.exe, smss.exe, wuauclt.exe, System, System Idle.

    I try to run explorer from task manager to get my desktop.  Sometimes nothing happens to the processes box of task manager, and sometimes dumprep.exe shows up before Data Execution Prevention kills explorer.  For this reason I have been unable to run any of my anti-malware programs again (running ad-aware from task manager fails, though the services show up in processes the application never actually launches; similar problems with spybot and avg).

    Hijackthis, being a simple program, seems to launch no problem however.  I have included a log with this post, though to be sure it does not seem to point to any particular problem (I'm still a newb when it comes to reading hijackthis logs, though I have used it to some success from time to time removing obviously malicious stuff).

    EDIT: One more thing.  I have started the computer in safe mode without networking as well, but even there NOTHING loads and task manager attempts to run explorer.exe result in the exact same problems.

    EDIT2: So I killed the dumprep.exe program right as it started, and it never got a chance to kill explorer.exe.  I got that running, opened up my Ad-Aware and started a full scan.  I'll let you know what it turns up when it finishes. 
    As an added note, my internet does not work.  Though I am connected to my local wireless network, when I open IE7 it says loading proxy settings, then no matter where I try to point the browser it redirects me to http://browser-security.microsoft.com/block.php?r=6.16
    I hope editing doesn't bump, because I am really not trying to do that.

    Any help would be appreciated, and if you have any other questions I'll be here to answer them.  Thank you so much in advance for any help!!

    [attachment deleted by admin]
    « Last Edit: February 07, 2009, 04:11:12 PM by ElwoodJD »

    evilfantasy

    • Malware Removal Specialist


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
    « Reply #1 on: February 07, 2009, 03:57:22 PM »
    Welcome to CH.

    Go ahead and turn off Tea Timer. It's not doing any good if the computer is already infected and will just get in our way.

    - Can you use System Restore to get your desktop/functions back? Or restart tapping F8 and use Last Known Good configuration?

    Or...

    - Are you able to install/transfer and then run some other tools we will need?

    --

    Open HijackThis and select Do a system scan only then place a check mark next to:

    - O2 - BHO: BHO - {C9C42510-9B21-41c1-9DCD-8382A2D07C61} - C:\WINDOWS\system32\iehelper.dll

    Close all browser windows and click Fix checked.

    ----------


    ElwoodJD

      Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
      « Reply #2 on: February 07, 2009, 04:16:50 PM »
      Please see Edit2 from the OP in case you did not initially see that information.

      As to your specifics:

      TeaTimer is off.
      I have access to my desktop again, see Edit2, and internet access. 

      Following a fullscan of Ad-Aware, I found Win32Backdoor.TDSS (quantity 2), and Win32TR\.\er Agent.  At this point in time and until I hear back from you I have not taken any action upon them and am waiting at the Ad-Aware Scan Results/Perform Actions page.

      I have jumpdrives and another clean computer so yes I can install new programs as well as my restored internet access on the infected computer.

      I have made the adjustment you recommended in HijackThis, which restored internet functionality.

      evilfantasy

      Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
      « Reply #3 on: February 07, 2009, 05:22:01 PM »
      Quote
      I hope editing doesn't bump

      You don't have to worry about bumping after a helper has replied, in fact I prefer it so I will know that any information has changed :)

      Quote
      I found Win32Backdoor.TDSS

      Ad-Aware or Spybot isn't powerful enough to remove this rootkit. As for your thoughts on them from above replacing them with SUPERAntiSpyware and MalwareBytes is suggested. They used to be the best but for some reason they just aren't keeping up with the newer more powerful scanners.

      Let's try to get your functions back.

      Click Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.

      * Scroll down to Non-plug and Play Drivers and click the plus icon to open those drivers.
      * Search for any of the following:

      - Seneka.sys
      - clbdriver.sys
      - TDSSserv.sys

      * Let me know if you find them or not.
      * If you do find it, right click on it, and select Disable. Do not try to uninstall them.
      * Now reboot and see if you can get on the web.

      Note: You can disable the drivers again if you think they might have returned, just don't try to uninstall them.

      If the files are not found then please let me know what is listed in Non-plug and Play Drivers.

      ----------

      You might need to reset your web settings.

      • Open Internet Explorer, click the Tools button, and then click Internet Options.
      • Click the Connections tab.
      • Click the first entry in the Dialup and Virtual Private Networks list, and then click Settings.
      • Select the Automatically detect settings check box, and then click OK.
      • Repeat the previous two steps for each entry in the Dialup and Virtual Private Networks list.
      • Click the Lan Settings button in the Connections tab, and repeat steps 4-6. Click OK on the Connections tab.
      • Close Internet Explorer, and then restart it.
      ----------

      Download (or transfer) ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

      Link #1
      Link #2

      **Note:  It is important that it is saved directly to your Desktop

      Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

      Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
       
      Double click combofix.exe & follow the prompts.
      When finished ComboFix will produce a log for you.
      Post the ComboFix log in your next reply.

      Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

      Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

      If you have problems with ComboFix usage, see How to use ComboFix

      ElwoodJD

        Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
        « Reply #4 on: February 07, 2009, 10:53:21 PM »
        Sorry I disappeared, thank you for hanging in there with me.

        I found TDSSserv.sys, neither of the other two.  There are about 40 things in that list, some of them sound suspicious (including: Beep, dmboot, dmload, i2omgmt, lsecdd, sptd, and maybe a couple of others that I could go either way on).  There is a lot in the list, but I'm willing to type them all up if you tell me later that it is necessary.

        I have ComboFix on my desktop, but whenever I click it nothing happens.  It is listed under processes in task manager, but the program itself never seems to launch.  I wanted to keep you updated on that to see if you had any ideas, but if I am able to get it to run once it is launched, I'll edit to add the log.

        evilfantasy

        Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
        « Reply #5 on: February 07, 2009, 11:02:33 PM »
        Launch Task Manager by pressing Ctrl + Alt + Delete

        End the Process on these file names (if found)

        - FindStr
        - Vfind
        - SED
        - GREP

        - or any file that has the extension *.cfexe

        End each only once. 

        Now you should be able to run ComboFix.

        ElwoodJD

          Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
          « Reply #6 on: February 08, 2009, 10:36:40 AM »
          Finally got ComboFix to run last night.  It ran normally, attempted to restart my computer and then I got a dreaded blue screen informing me I had an error occur.  "Bad_Pool_Header"  Then some generic text, then at the bottom STOP: 0x00000019.  (I have actually received this error message 90% of the time that I attempt to shutdown or restart).

          Anyway, I did a hard restart of the system, but ComboFix still managed to restart my computer and put out a log.  Additionally, one thing that had noticeably changed is that the login splash screen with icons had returned upon startup (instead of the generic text only windows login box that I reported showed up right when the infection began).  I had to go to bed last night, and when I got up this morning things had gotten worse again (including the return of the generic text only windows login box).  I decided to run ComboFix again to scan and produce a log that might more accurately reflect the current stuff going on.  Please see both of them attached.

          One more thing, after running ComboFix the second time, it rebooted my computer without the blue screen error.  However, upon startup, my wireless network cannot find any networks in range (even though I usually have about 10 in my apt building).  It almost seems like my wireless switch is off on my computer, but I have triple checked that.  I am not sure what the cause may be.

          Thank you again and I look forward to your next set of recommendations.

          EDIT: Just for thoroughness, I added a new HijackThis log as well (seeing as there were some new browser hijacks it seems under O2, maybe some other stuff).  I cannot seem to modify this post to add another attachment, but if you'd like I can attach it to the next response I send to you.  I also have noticed a number of new folders that have been created in my C:\   Those include: cmdcons and Qoobox.  I also think there may be some new folders in the Windows directory, but I cannot be sure.

          [attachment deleted by admin]

          evilfantasy

          Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
          « Reply #7 on: February 08, 2009, 11:50:09 AM »
          Qoobox is the ComboFix quarantined files.

          See here for your Internet connection. http://www.bleepingcomputer.com/combofix/how-to-use-combofix#restore

          -----

          First download attached xp_files.zip to your desktop from here: http://www.filedropper.com/xpfiles_1

          Unzip it & it will create a folder called XP_files on the desktop.

          Next:

          Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

          Delete these files/folders, as follows:

          1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
          It must be Notepad, not Wordpad.
          2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

          Code: [Select]
          KillAll::

          Fcopy::
          c:\documents and settings\lt\Desktop\xp_files\userinit.exe | c:\windows\SYSTEM32\DLLCACHE\userinit.exe
          c:\documents and settings\lt\Desktop\xp_files\userinit.exe | c:\windows\ServicePackFiles\i386\userinit.exe
          c:\documents and settings\lt\Desktop\xp_files\userinit.exe | c:\windows\ServicePackFiles\i386\userinit.exe
          c:\documents and settings\lt\Desktop\xp_files\userinit.exe | c:\windows\system32\userinit.exe
          c:\documents and settings\lt\Desktop\xp_files\svchost.exe | c:\windows\SYSTEM32\DLLCACHE\svchost.exe
          c:\documents and settings\lt\Desktop\xp_files\svchost.exe | c:\windows\$NtServicePackUninstall$\svchost.exe
          c:\documents and settings\lt\Desktop\xp_files\svchost.exe | c:\windows\ServicePackFiles\i386\svchost.exe
          c:\documents and settings\lt\Desktop\xp_files\svchost.exe | c:\windows\system32\svchost.exe
          c:\documents and settings\lt\Desktop\xp_files\ctfmon.exe | c:\windows\SYSTEM32\DLLCACHE\ctfmon.exe
          c:\documents and settings\lt\Desktop\xp_files\ctfmon.exe | c:\windows\ServicePackFiles\i386\ctfmon.exe
          c:\documents and settings\lt\Desktop\xp_files\ctfmon.exe | c:\windows\$NtServicePackUninstall$\ctfmon.exe
          c:\documents and settings\lt\Desktop\xp_files\ctfmon.exe | c:\windows\SYSTEM32\ctfmon.exe
          c:\documents and settings\lt\Desktop\xp_files\explorer.exe | c:\windows\SYSTEM32\DLLCACHE\explorer.exe
          c:\documents and settings\lt\Desktop\xp_files\explorer.exe | c:\windows\explorer.exe
          c:\documents and settings\lt\Desktop\xp_files\explorer.exe | c:\windows\$NtServicePackUninstall$\explorer.exe
          c:\documents and settings\lt\Desktop\xp_files\explorer.exe | c:\windows\ServicePackFiles\i386\explorer.exe
          c:\documents and settings\lt\Desktop\xp_files\explorer.exe | c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
          c:\documents and settings\lt\Desktop\xp_files\explorer.exe | c:\windows\$NtUninstallKB938828$\explorer.exe
          c:\documents and settings\lt\Desktop\xp_files\spoolsv.exe | c:\windows\SYSTEM32\DLLCACHE\spoolsv.exe
          c:\documents and settings\lt\Desktop\xp_files\spoolsv.exe | c:\windows\system32\spoolsv.exe
          c:\documents and settings\lt\Desktop\xp_files\spoolsv.exe | c:\windows\$NtUninstallKB896423$\spoolsv.exe

          Driver::
          ivfsykgg
          Lbd
          ethyfttz

          File::
          c:\windows\system32\2C.tmp
          c:\windows\system32\2A.tmp
          c:\windows\system32\28.tmp
          c:\windows\system32\27.tmp
          c:\windows\system32\24.tmp
          c:\windows\system32\22.tmp
          c:\windows\system32\21.tmp
          c:\documents and settings\Cerulo\gihcwa.exe
          c:\windows\system32\1F.tmp
          c:\windows\system32\6F.tmp
          c:\windows\system32\6D.tmp
          c:\windows\system32\6C.tmp
          c:\documents and settings\Cerulo\vjpyy.exe
          c:\windows\system32\6A.tmp
          c:\windows\system32\6B.tmp
          c:\windows\system32\69.tmp
          c:\windows\system32\pdbcopy.exe
          c:\windows\system32\68.tmp
          c:\documents and settings\Cerulo\kgvxy.exe
          c:\windows\system32\67.tmp
          c:\windows\system32\35.tmp
          c:\windows\plapxfoh.exe
          c:\windows\system32\32.tmp
          c:\windows\system32\30.tmp
          c:\windows\system32\drivers\ivfsykgg.sys
          c:\windows\system32\2F.tmp
          c:\windows\system32\2E.tmp
          c:\windows\system32\40.tmp
          c:\windows\tjsutwal.exe
          c:\windows\system32\3A.tmp
          c:\windows\system32\38.tmp
          c:\windows\system32\makehm.exe
          c:\windows\system32\37.tmp
          c:\windows\system32\36.tmp
          c:\windows\system32\drivers\ethyfttz.sys
          c:\windows\system32\29.tmp
          c:\windows\system32\secupdat.dat
          c:\windows\system32\drivers\ndisio.sys
          c:\documents and settings\Cerulo\jdpgkx.exe
          c:\windows\system32\20.tmp
          c:\windows\system32\1E.tmp
          c:\windows\system32\1D.tmp
          c:\windows\system32\1C.tmp
          c:\windows\system32\gcc.exe
          c:\windows\system32\3.tmp
          c:\windows\sysguard.exe
          c:\windows\system32\11.tmp
          c:\windows\system32\10.tmp
          c:\windows\Ipigafisequ.dll
          c:\windows\system32\B.tmp

          Registry::
          [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
          "plapxfoh.exe"=-

          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
          "Userinit"="c:\windows\system32\userinit.exe,"

          [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ivfsykgg.sys]


          3. Go to the Notepad window and click Edit > Paste
          4. Then click File > Save
          5. Name the file CFScript.txt - Save the file to your Desktop
          6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



          ComboFix will begin to execute, just follow the prompts.
          After reboot (in case it asks to reboot), it will produce a log for you.
          Post that log (Combofix.txt) in your next reply.

          Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze
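
Added example, not part of the original post and not ComboFix's own code: a Python check a helper could run over a CFScript like the one above before handing it out. It flags repeated Fcopy lines and replaced files with no DLLCACHE copy (on XP, Windows File Protection restores protected files from that cache), and compares the Winlogon Userinit value with the one the script sets. The section layout is inferred from the script shown in the post, and the function names and trimmed sample are assumptions made for the illustration.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: a trimmed excerpt of the CFScript in the post above.
# The DLLCACHE line for spoolsv.exe is left out on purpose so the check fires.
SAMPLE = r"""KillAll::

Fcopy::
c:\documents and settings\lt\Desktop\xp_files\userinit.exe | c:\windows\SYSTEM32\DLLCACHE\userinit.exe
c:\documents and settings\lt\Desktop\xp_files\userinit.exe | c:\windows\ServicePackFiles\i386\userinit.exe
c:\documents and settings\lt\Desktop\xp_files\userinit.exe | c:\windows\ServicePackFiles\i386\userinit.exe
c:\documents and settings\lt\Desktop\xp_files\userinit.exe | c:\windows\system32\userinit.exe
c:\documents and settings\lt\Desktop\xp_files\spoolsv.exe | c:\windows\system32\spoolsv.exe

Driver::
ivfsykgg

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,"
"""

# Assumption: a section starts with a line of the form "Name::".
SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
USERINIT_RE = re.compile(r'^"userinit"\s*=\s*"(.*)"$', re.IGNORECASE)
# Value the script in the post writes to the Winlogon key.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe,"


def parse_cfscript(text):
    """Split a script into {section name (lowercase): [non-blank lines]}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1).lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def audit_fcopy(lines):
    """Check 'source | destination' lines for mistakes that undo a file replacement."""
    findings = []
    seen = set()
    dest_dirs = defaultdict(set)
    for line in lines:
        src, sep, dst = (part.strip() for part in line.partition("|"))
        if not sep or not src or not dst:
            findings.append(("malformed", line))
            continue
        key = (src.lower(), dst.lower())
        if key in seen:
            findings.append(("duplicate", dst.lower()))
        seen.add(key)
        name = ntpath.basename(dst).lower()
        if ntpath.basename(src).lower() != name:
            # A clean copy of one binary written over a different one.
            findings.append(("name-mismatch", line))
        dest_dirs[name].add(ntpath.dirname(dst).lower())
    for name, dirs in sorted(dest_dirs.items()):
        # Without a clean cached copy, file protection can put the old file back.
        if not any(d.endswith(r"\dllcache") for d in dirs):
            findings.append(("no-dllcache", name))
    return findings


def audit_userinit(lines):
    """Flag any Userinit value that differs from the expected single entry."""
    findings = []
    for line in lines:
        match = USERINIT_RE.match(line)
        if match:
            # .reg exports double the backslashes; the script above does not.
            value = match.group(1).replace("\\\\", "\\").lower()
            if value != EXPECTED_USERINIT:
                findings.append(("userinit-unexpected", value))
    return findings


def audit(text):
    sections = parse_cfscript(text)
    return sorted(audit_fcopy(sections.get("fcopy", []))
                  + audit_userinit(sections.get("registry", [])))


if __name__ == "__main__":
    for kind, detail in audit(SAMPLE):
        print(f"{kind}: {detail}")
```
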

          ElwoodJD

            Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
            « Reply #8 on: February 08, 2009, 12:27:40 PM »
            I created and ran the instructed CFScript.  Attached is the ComboFix log from that.

            The default windows network "Repair" feature failed to fix my network connection issue.  It hung up at the connect to wireless network part because it still fails to find any wireless networks.  Of course, I know that my network is out there because my other laptop is connected to it.

            Just in case it's related, I posted a hijack this log as well.  Thanks for any more help you can give me.

            [attachment deleted by admin]

            evilfantasy

            Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
            « Reply #9 on: February 08, 2009, 12:44:40 PM »
            You may end up having to reinstall your wireless software. This infection is actually pretty severe, the worst I've seen in a while, and might have "broke" some of your software as well as Windows. I'm not sure this is repairable as that fix didn't work.

            Quote
            c:\windows\system32\userinit.exe . . . is infected!!

            c:\windows\system32\spoolsv.exe . . . is infected!!

            c:\windows\explorer.exe . . . is infected!!

            We need to run a scanner that might repair this and then again might not. Do you have an XP install CD? You might end up needing one.

            Disable Spybot's TeaTimer

            While TeaTimer is an excellent tool for the prevention of spyware, it can also interfere with HijackThis fixes. Please disable TeaTimer for now until you are clean.

            1. Right click Spybot in the System Tray (looks like a calendar with a padlock symbol). Choose Exit Spybot S&D Resident
            2. Run Spybot S&D
            3. Go to the Mode menu, and make sure Advanced Mode is selected.
            4. On the left hand side, choose Tools > Resident
            uncheck Resident TeaTimer and OK any prompt and Restart your computer.

            Note:
            If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

            If TeaTimer will not turn off then uninstall Spybot until we are done cleaning.

            ----------

            Disable Ad-Aware as it may interfere with repairs

            • Click the Settings button, Auto Scans tab, and under Scan on Ad-Aware startup
            • Be sure both selections for No automated scan are checked (green).
            • Then click Save and close Ad-Aware.
            ----------

            Open HijackThis and select Do a system scan only.

            Place a check mark next to the following entries: (if there)

            - R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
            - O2 - BHO: (no name) - {C5BF49A2-94F3-42BD-F434-3604812C8955} - (no file)
            - O2 - BHO: (no name) - {C9C42510-9B21-41c1-9DCD-8382A2D07C61} - (no file)


            Important: Close all open windows except for HijackThis and then click Fix checked.

            Once completed, exit HijackThis.

             ----------

            Before you begin the SDFix instructions you should copy these instructions in a Notepad file and save them to your desktop or print them for easy reference. Much of SDFix will be done in Safe mode and you will be unable to access this web page after booting into Safe mode.

            Download SDFix by AndyManchesta and save it to your desktop.

            When using this tool, you must use the Administrator's account or an account with Administrative rights


            * Now, double-click on the SDFix icon that should now be residing on your desktop. If an Open File - Security Warning box opens, click on the Run button.
            * A window will now open showing SDFix being extracted into the C:\SDFix folder.     
            * Once the installation program has finished extracting SDFix, it will open a Notepad with further instructions.
            * DO NOT use it just yet.

            Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

            When your computer has started in safe mode, and you see the desktop, close all open Windows.

            * Click on the Start button, click on the Run menu option, and type the following text from the Code Box into the Open: field then click the OK  button.

            Code: [Select]
            C:\SDFix\RunThis.bat
            * SDFix window will open containing some brief info and a disclaimer on the use of the tool.
            * Type Y on your keyboard and then press Enter to begin the cleanup process.
            * It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
            * Press any Key and it will restart the PC.
            * When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
            * Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
            * Copy and paste the contents of the results file Report.txt in your next reply.

            ----------

            Download Malwarebytes' Anti-Malware (MBAM)

            • Double-click mbam-setup.exe and follow the prompts to install the program.
            • At the end, be sure a checkmark is placed next to the following:
              • Update Malwarebytes' Anti-Malware
              • Launch Malwarebytes' Anti-Malware
              • Then click Finish.
              • If an update is found, it will download and install the latest version.
              • Once the program has loaded, select Perform quick scan, then click Scan.
              • When the scan is complete, click OK, then Show Results to view the results.
              • Be sure that everything is checked, and click Remove Selected.
              • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
              • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
              • Copy and Paste the entire report in your next reply.
              Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

              ----------

              • Next post please add:
              • SDFix log
              • MBAM log

              ElwoodJD

                Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
                « Reply #10 on: February 08, 2009, 02:55:28 PM »
                I uninstalled Spybot as TeaTimer was being persistent.  I also made the changes in HijackThis.

                I ran SDFix.  Following reboot, while it was finalizing things, it reported that it failed to open the following files:

                SDFix-FileCheck\Alchohol120_retail_1.exe
                ""\Keymaker_v3.exe
                ""\RC1_Patch_v.exe

                It put out a report, as did MBAM, which are attached.

                I do have my original XP Pro CD, however, my DVD drive is broken so it might be difficult to utilize it.  I'm suspecting the internet is in a bad way and will need to have its drivers/software reinstalled, but I'm not sure how to go about doing it.

                Thank you.

                [attachment deleted by admin]

                evilfantasy

                Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
                « Reply #11 on: February 08, 2009, 03:04:25 PM »
                Download Lop S&D by Eric_71 and save it to your Desktop. Lop S&D will only run on Windows XP and Windows Vista

                Disable your antivirus and antimalware programs so they do not interfere with the running of Lop S&D. If needed see: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

                If you are using Windows Vista, right-click on LopSD.exe icon and select 'Run as administrator' to perform this scan.
                • Double-click Lop S&D.exe
                • Choose the language by typing the corresponding letter and press Enter
                • Click OK at the informative window
                • Type 1, to choose Option 1 (Search) then press Enter
                • Wait until the end of the scan
                • A report will be generated, post the contents of it in your next reply.
                A copy of the report can be found at this location: %systemdrive%\lopR.txt, in most cases C:\lopR.txt

                ElwoodJD

                  Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
                  « Reply #12 on: February 08, 2009, 03:34:31 PM »
                  LopR.txt is attached.  I have to run out for upwards of 45 minutes, but then I will be back.  Thank you.

                  [attachment deleted by admin]

                  evilfantasy

                  Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
                  « Reply #13 on: February 08, 2009, 04:01:38 PM »
                  Disable your antivirus and antimalware programs so they do not interfere with the running of Lop S&D.

                  Double click LopSD.exe

                  If you are using Windows Vista, right-click on LopSD.exe icon and select 'Run as administrator' to perform this scan.
                  • Choose the language by typing the corresponding letter and press Enter
                  • Click OK at the informative window.
                  • Type 2 to choose Option 2 (Delete with Hosts File Restore), then press Enter
                  • Wait until the end of the scan.
                  • A report will be generated, post the contents of it in your next reply.
                  ----------

                  Try to repair your Internet connection again.

                  Reset the router, unplug it if there is no reset button for about 10 seconds then plug it back in.

                  • Open Internet Explorer, click the Tools button, and then click Internet Options.
                  • Click the Connections tab.
                  • Click the first entry in the Dialup and Virtual Private Networks list, and then click Settings.
                  • Select the Automatically detect settings check box, and then click OK.
                  • Repeat the previous two steps for each entry in the Dialup and Virtual Private Networks list.
                  • Click the Lan Settings button in the Connections tab, and repeat steps 4-6. Click OK on the Connections tab.
                  • Close Internet Explorer, and then restart it.
                  See if you can connect now.

                  ----------

                  You have to remove the Cracks & Keygens before I can continue helping.

                  Download the OTMoveIt3 by OldTimer

                  Note: If you are running on Vista, right-click on OTMoveIt3.exe and choose Run As Administrator.

                  * Save it to your Desktop.
                  * Double-click OTMoveIt3.exe to run it.
                  * Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

                  Code: [Select]
                  :Processes
                  explorer.exe

                  :files
                  C:\DOCUME~1\Cerulo\Application Data\uTorrent\Its.Always.Sunny.in.Philadelphia.S04E11.The.Gang.Cracks.the.Liberty.Bell.PDTV.XviD-FQM.avi.torrent
                  C:\DOCUME~1\Cerulo\Application Data\uTorrent\My.Notes.Keeper.v1.9.WinAll.Keygen.Only-BRD.torrent
                  C:\DOCUME~1\Cerulo\Desktop\MacDrive 7.0.10\Mediafour_MacDrive_v7.0.10_incl_Keygen-PARADOX.rar
                  C:\DOCUME~1\Cerulo\Favorites\Current Torrents\TMPGEnc XPress v4.4.2.238 Incl. Keygen and Patch-HAZE (download torrent) - TPB.url
                  C:\DOCUME~1\Cerulo\My Documents\Downloads\My.Notes.Keeper.v1.9.WinAll.Keygen.Only-BRD
                  C:\DOCUME~1\Cerulo\My Documents\Downloads\My.Notes.Keeper.v1.9.WinAll.Keygen.Only-BRD\brd.nfo
                  C:\DOCUME~1\Cerulo\My Documents\Downloads\My.Notes.Keeper.v1.9.WinAll.Keygen.Only-BRD\brmnk19a.zip
                  C:\DOCUME~1\Cerulo\My Documents\Downloads\My.Notes.Keeper.v1.9.WinAll.Keygen.Only-BRD\file_id.diz
                  C:\DOCUME~1\Cerulo\My Documents\Downloads\My.Notes.Keeper.v1.9.WinAll.Keygen.Only-BRD\Keygen.exe

                  :Commands
                  [purity]
                  [emptytemp]
                  [start explorer]
                  [Reboot]

                  * Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
                  * Click the red Moveit! button.
                  * Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
                  Close OTMoveIt3

                  Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

                  evilfantasy

                  Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
                  « Reply #14 on: February 08, 2009, 04:02:57 PM »
                  Also do you have two antivirus installed? Looks like AVG and McAfee. You should only have one installed at a time.