[Solved] Health check, please - after Grinler's tutorial re: XP Security 2012 rogue

Discussion in 'Virus and Malware Removal' started by B00kWyrm, Jan 6, 2012.

  1. Broni Malware Annihilator

  2. B00kWyrm TechSpot Paladin

  3. Broni Malware Annihilator

    Cool beans :)
  4. B00kWyrm TechSpot Paladin

    Okay...
    Thanks so much... again!
    The external drive checked clean with AVG on my own machine.
    I'll check it again on this one with Avira (though that is probably overkill).

    Still working on updates... dotNet1.1 had an update that would not install, so I ended up uninstalling all of dotNet, and will reinstall it from the ground up.

    The way things stand now... I'd say lock this thread,
    If I need to, I can message you asking to reopen it.
    Blessings!
  5. Broni Malware Annihilator

    You're very welcome

    Some of those .NET updates are a pain in the butt.
    In some cases you'll have to download the standalone file and install it that way, not through Windows Update.
  6. B00kWyrm TechSpot Paladin

    hmmm
    looks like Avira is doing ITS job,
    and it looks like a basic conflict with disinfector's autorun.inf files.
    They are being repeatedly blocked.
    I am wondering why anything would be trying to open them though,
    after the system is up and running.
    Wondering if I should remove those files,
    or if we need to do more looking at what is happening?
  7. Broni Malware Annihilator

    Avira should provide some setting where you can set an exception.
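The autorun.inf collision described in the two posts above comes down to one question per drive root: is autorun.inf a protective placeholder folder (what disinfector-style tools leave behind so a worm cannot drop a real one), or a real file, and if it is a file, what does it launch? The following script is an added example, not part of the thread or of any tool named in it; the sample drive layout and autorun.inf contents it builds under a temp directory are constructed for the demonstration, and the directive names it reports on (open, shellexecute, shell\open\command, shell\explore\command) are the standard [autorun] keys that execute something.

```python
import os
import re
import tempfile

# [autorun] keys that can launch code when the drive is mounted or opened.
# label= and icon= only affect display, so they are not reported.
EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")


def classify_autorun(drive_root):
    """Say what sits at <drive_root>/autorun.inf.

    "absent"     - nothing there
    "protective" - autorun.inf is a folder: the placeholder disinfector-style
                   tools leave behind so malware cannot drop a real file there
    "file"       - a real autorun.inf; feed its contents to parse_autorun()
    """
    path = os.path.join(drive_root, "autorun.inf")
    if not os.path.lexists(path):
        return "absent"
    if os.path.isdir(path):
        return "protective"
    return "file"


def parse_autorun(text):
    """Return (key, value) pairs from the [autorun] section that would run
    something. Keys are lower-cased; values are left exactly as written."""
    findings = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+?)\]$", line)
        if header:
            in_autorun = header.group(1).strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in EXEC_KEYS:
            findings.append((key.lower(), value))
    return findings


def build_demo():
    """Constructed fixture: 'drive' E has the protective folder, 'drive' F has a
    worm-style autorun.inf. Returns {drive: (classification, directives)}."""
    base = tempfile.mkdtemp()
    clean = os.path.join(base, "E")
    dirty = os.path.join(base, "F")
    os.makedirs(os.path.join(clean, "autorun.inf"))   # a folder, not a file
    os.makedirs(dirty)
    sample = (
        "[AutoRun]\n"
        "open=RECYCLER\\setup.exe\n"                   # constructed sample path
        "icon=%SystemRoot%\\system32\\shell32.dll,4\n"
        "shellexecute=RECYCLER\\setup.exe\n"
    )
    with open(os.path.join(dirty, "autorun.inf"), "w") as fh:
        fh.write(sample)
    result = {}
    for root in (clean, dirty):
        kind = classify_autorun(root)
        directives = []
        if kind == "file":
            with open(os.path.join(root, "autorun.inf")) as fh:
                directives = parse_autorun(fh.read())
        result[os.path.basename(root)] = (kind, directives)
    return result


if __name__ == "__main__":
    for drive, (kind, directives) in build_demo().items():
        print(drive, kind, directives)
```

Run it against real drive roots by calling classify_autorun("E:\\") and, for a "file" result, parse_autorun on the file's contents. A protective folder is the expected state on a machine that has been through a disinfector; a real autorun.inf whose open= or shellexecute= points into RECYCLER or a hidden folder is the thing to look at before deciding what to whitelist in Avira.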
  8. B00kWyrm TechSpot Paladin

    Hello Broni
    Should we reopen this thread?

    Does this look like we may need to do more work?
    When I started MS Office (Word), in order to check version information,
    Online Armor Blocked some processes...

    First
    dde
    w_1^VH%!!!!!!!!MKKSkWORDFiles>tW{~$4Q]c@5d1`,xaTO5 \n \dde
    Hash(MD5): E5DC625D58450B9D75D3A81E3FD35DC2\dde
    file date 12/30/1899

    Second
    e
    w_1^VH%!!!!!!!!MKKSkEXCELFiles>tW{~$4Q]c@II=l2xaTO5 \e
    Hash(MD5): 2AC80ADC9772C13340B91726CAD1FAA6\e
    file date 12/30/1899

    Third
    w_1^VH%!!!!!!!!MKKSkPubPrimary>tW{~$4Q]c@?F@6kxaTO5 %1
    w_1^VH%!!!!!!!!MKKSkPubPrimary>tW{~$4Q]c@?F@6kxaTO5 %1
    Hash(MD5): F0463252FE68B66842A6F3CF7E204E16

    Tried to "open file location" for these
    "Path does not exist or is not a directory."

    Also find these as allowed
    tmp21E.tmp, 0.0.0.0, (0.0.0.0)
    C:\Documents and Settings\Administrator\Local Settings\Temp\tmp21E.tmp
    Hash(MD5): 5FDB643E2B86AA45951B140C72FFB1E6

    pv.exe, 0.0.0.0, (0.0.0.0)
    C:\Documents and Settings\Administrator\Local Settings\temp\pv.exe
    Hash(MD5): 92BD80F82FE8A28385B7D9D3F215E8B3

    I have not gone looking for these yet.
    I am not sure if all of these were spawned by opening MSWord.
  9. Broni Malware Annihilator

    OA info is pretty cryptic.
    I'm not sure how to read it.

    Re-run TFC.

    Update MBAM, post new log.
  10. B00kWyrm TechSpot Paladin

    Thanks Broni...
    Wondering if they had an infected document corrupt their normal.dot template, so now it is calling for malware we have already removed? But, if so, why would OA deal with it until it tried to start? You are the expert here, I am just grasping at straws. In any case, I am thinking of removing their normal.dot templates, all instances, just in case, and let them be respawned next time Word starts.
    =======

    Malwarebytes Anti-Malware (Trial) 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.11.06

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Administrator :: BALTIMOR-1MBHXM [administrator]

    Protection: Disabled

    1/11/2012 2:01:49 PM
    mbam-log-2012-01-11 (14-01-49).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 221618
    Time elapsed: 19 minute(s), 48 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
  11. Broni Malware Annihilator

    It may be a good idea.
  12. B00kWyrm TechSpot Paladin

    Do you have any hints for how to check for malicious macros in Office startups?
  13. Broni Malware Annihilator

    Regular security programs should do.
    Possibly OA is oversensitive.
  14. B00kWyrm TechSpot Paladin

    Okay... I found 14 instances of Normal.DOT.
    Most are 145kb; Dated 12/16/2001 3:40pm
    4 are 144.4kb; with the same date but time stamp "03:40pm" (not just 3:40pm)
    1 is 27kb; Dated 5/7/2005 5:18pm

    I am pretty sure if I just delete all of them, MSOffice Word will just generate a new one next time it starts, and it will be in the normal "Template Folder".
    I'll delete the 5 OA (block/ask/allow) Entries and
    watch to see if they show up again after doing some more with the machine.

    Note about 4: These are not touchable...
    I cannot rename them or delete them.
    They are noted as "all files on MozyHome servers"
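Posts 12 through 14 above ask how to check Office startup templates for macros and then turn up 14 copies of Normal.DOT with different sizes and timestamps. The script below is an added example, not from the thread or from any tool in it: it walks a tree for every Normal.dot, hashes each copy so identical ones collapse into one group, checks for the OLE compound-file header, and applies a cheap heuristic for embedded VBA. The heuristic rests on one fact about the .doc/.dot format: OLE directory entries store stream names as UTF-16LE, and a document with VBA code carries a stream named _VBA_PROJECT, so the UTF-16LE bytes of that name in the file are a usable presence test without a full OLE parser. The three template files it builds in a temp directory are constructed stand-ins, not real Word templates.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")          # compound-file header
# OLE directory entries hold stream names in UTF-16LE; a document with VBA code
# has a "_VBA_PROJECT" stream. Heuristic only: this does not walk the directory.
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def find_templates(root, name="normal.dot"):
    """Every file called `name` (case-insensitive) under root, sorted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in files if f.lower() == name)
    return sorted(hits)


def inspect_template(path):
    """Size, timestamp, OLE check, VBA heuristic and hashes for one file."""
    with open(path, "rb") as fh:
        data = fh.read()
    st = os.stat(path)
    return {
        "path": path,
        "size": st.st_size,
        "mtime": st.st_mtime,
        "is_ole": data.startswith(OLE_MAGIC),
        "has_vba": VBA_MARKER in data,
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def inventory(root):
    """Inspect every Normal.dot under root. Returns the per-file records and a
    sha256 -> [paths] map, so identical copies collapse and the odd one out
    (different size, VBA present) is easy to spot."""
    records = [inspect_template(p) for p in find_templates(root)]
    groups = defaultdict(list)
    for rec in records:
        groups[rec["sha256"]].append(rec["path"])
    return records, dict(groups)


def build_demo():
    """Constructed fixture: three Normal.dot copies, two identical and one that
    carries the VBA marker. OLE-headed bytes only, not real Word templates."""
    base = tempfile.mkdtemp()
    plain = OLE_MAGIC + b"\x00" * 64 + "WordDocument".encode("utf-16-le")
    macro = OLE_MAGIC + b"\x00" * 64 + VBA_MARKER + b"Sub AutoOpen()"
    layout = (
        (("u1", "Templates"), plain),
        (("u2", "Templates"), plain),
        (("old", "Office"), macro),
    )
    for parts, blob in layout:
        d = os.path.join(base, *parts)
        os.makedirs(d)
        with open(os.path.join(d, "Normal.dot"), "wb") as fh:
            fh.write(blob)
    return inventory(base)


if __name__ == "__main__":
    records, groups = build_demo()
    for r in records:
        print(r["size"], r["is_ole"], r["has_vba"], r["md5"], r["path"])
    print(len(groups), "distinct copies")
```

On the real machine, call inventory("C:\\Documents and Settings") (or the drive root) and read the output as a triage list: copies that share a hash are the same file and can be treated together, a copy whose size or hash differs from the rest deserves a look, and has_vba=True on a Normal.dot is the case where deleting the template and letting Word regenerate it is the right move. A has_vba=False result is not proof of absence, since the marker check is a heuristic rather than a parse of the VBA project.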
  15. B00kWyrm TechSpot Paladin

    May I request help with one more thing?
    Though it is not malware per se, I have some program remnants that are resisting removal.

    At one time this computer used a Canon Multipass Printer/Scanner
    Files were here...
    c:\program files\canon\multipass4

    All but the following files have been removed...
    ctree.dll
    mpdata.dat (deletes but respawns)
    mpdbif.dll
    dtm4.dll
    mpdata.idx (deletes but respawns)
    stormgr.dll
    mpdata.sca (just respawned... not sure what triggered it)

    The 4 that will not delete at all are not marked read only.
    I have tried from Safe Mode.
    I have tried to make sure that all remnants of this software are no longer being called by Windows upon boot, but I must be missing something. (I have used both MSConfig and Autoruns. I have not found the processes / dlls as "running" using Process Explorer. So I am kinda stumped.)

    I see that Explorer has "My Multipass" listed after Recycle Bin in the Folders pane.
    So it would appear that Explorer is responsible for these dll's being protected from deletion.
    How can I proceed? An OTL Script?
    Thanks

    Mission accomplished

    So... Thanks again.
    I have the system ready to return to my friend. I appreciate all the help!
  16. Broni Malware Annihilator

    Download, and install Unlocker: http://cedrick.collomb.perso.sfr.fr/unlocker/
    Restart computer.
    It'll install under the right-click menu.

    Open Windows Explorer.
    Navigate to offending folder/file.

    Right click on a folder/file. Click Unlocker
    Select Delete from drop-down menu:

    [IMG]

    Click OK.
    A folder/file will refuse to be deleted, but Unlocker will give you an option to delete on reboot:

    [IMG]

    Click Yes.
    Restart computer.

    ==============================================================

    If the above doesn't work, try...

    LockHunter: http://lockhunter.com/

    FileASSASSIN: http://www.snapfiles.com/get/fileassassin.html
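The "delete on reboot" option that the Unlocker steps above rely on is a standard Windows mechanism rather than anything tool-specific: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT appends the request to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, stored as pairs of strings (source path with the \??\ prefix, then the destination, an empty string meaning delete), and Session Manager carries the operations out early in the next boot before Explorer or any shell extension can load the DLL. The script below is an added example, not from the thread or from Unlocker; it encodes and decodes that value format so you can see exactly what was queued, and on Windows it can read the live value and issue the same API call. The Canon paths in the test data are taken from the post above; the function and constant names are the example's own.

```python
import sys

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4        # documented MoveFileEx flag
PENDING_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"


def to_nt_path(path):
    """Session Manager expects the \\??\\ object-manager prefix on every path."""
    return path if path.startswith("\\??\\") else "\\??\\" + path


def build_pending_operations(ops):
    """Encode (source, destination) pairs the way the REG_MULTI_SZ value holds
    them: two strings per operation, an empty destination meaning delete."""
    out = []
    for src, dst in ops:
        out.append(to_nt_path(src))
        out.append(to_nt_path(dst) if dst else "")
    return out


def parse_pending_operations(multi_sz):
    """Inverse of build_pending_operations: list of (source, destination|None).
    None as destination means the file is queued for deletion."""
    return [(multi_sz[i], multi_sz[i + 1] or None)
            for i in range(0, len(multi_sz) - 1, 2)]


def read_pending_operations():
    """Windows only: what is currently queued for the next boot."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PENDING_KEY) as key:
        try:
            value, _kind = winreg.QueryValueEx(key, PENDING_VALUE)
        except FileNotFoundError:
            return []                     # nothing queued
    return parse_pending_operations(value)


def schedule_delete_on_reboot(path):
    """Windows only: the same call Unlocker-style tools make for a locked file.
    Needs admin rights, since the value lives under HKLM."""
    if sys.platform != "win32":
        raise OSError("MoveFileExW exists only on Windows")
    import ctypes
    from ctypes import wintypes
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.MoveFileExW.argtypes = (wintypes.LPCWSTR, wintypes.LPCWSTR, wintypes.DWORD)
    kernel32.MoveFileExW.restype = wintypes.BOOL
    if not kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError(ctypes.get_last_error())
    return True


if __name__ == "__main__":
    # Offline view of what a delete-on-reboot of the four stuck Canon DLLs looks like.
    stuck = [r"C:\Program Files\canon\multipass4\%s" % n
             for n in ("ctree.dll", "mpdbif.dll", "dtm4.dll", "stormgr.dll")]
    value = build_pending_operations([(p, None) for p in stuck])
    for src, dst in parse_pending_operations(value):
        print(src, "->", dst or "<delete>")
    if sys.platform == "win32":
        print("currently queued:", read_pending_operations())
```

Two practical uses. Before rebooting after an Unlocker run, read_pending_operations() shows whether the tool queued what you expected and nothing more. During incident response the same value is worth checking in its own right: anything that can write HKLM can queue a file move or delete for the next boot, so an unexpected entry there is a finding, not just a leftover.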
  17. B00kWyrm TechSpot Paladin

    Great Hints. Thanks
  18. Broni Malware Annihilator

    Leave registry alone.