Rogue antivirus security tools will not be removed by Malwarebytes, Help please

Resolved
By JayNori
Nov 20, 2010
Topic Status:
Not open for further replies.
  1. JayNori

    JayNori Newcomer, in training Topic Starter Posts: 27

    Okay, well, to start off: I can run Windows in Normal Mode, and I tried to run ComboFix in Normal Mode, but it wouldn't let me; it would reboot my computer and not continue the process. ComboFix did run in Safe Mode, though, and I was able to do the complete scan. I do not have the CD for the operating system on my computer because I downgraded to XP; I have the CD for Vista. There is no message when I log on to Normal Mode and I do have internet access, but it still redirects me when I search for something in Google.

    Here is the log.
    ComboFix 10-11-21.01 - Administrator 11/25/2010 11:46:09.1.1 - x86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1013.859 [GMT -5:00]
    Running from: c:\documents and settings\Administrator.JAY-BB4D1EF4B91\Desktop\jaynori.exe
    Command switches used :: I:\CFScript.txt

    FILE ::
    "c:\windows\system32\drivers\vewji.sys"
    "c:\windows\system32\SETUPAPI.dll"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Jay Jay\Local Settings\Application Data\{30D1A54D-FC50-43F6-8173-0D2E7FAFD035}
    c:\documents and settings\Jay Jay\Local Settings\Application Data\{30D1A54D-FC50-43F6-8173-0D2E7FAFD035}\chrome.manifest
    c:\documents and settings\Jay Jay\Local Settings\Application Data\{30D1A54D-FC50-43F6-8173-0D2E7FAFD035}\chrome\content\_cfg.js
    c:\documents and settings\Jay Jay\Local Settings\Application Data\{30D1A54D-FC50-43F6-8173-0D2E7FAFD035}\chrome\content\overlay.xul
    c:\documents and settings\Jay Jay\Local Settings\Application Data\{30D1A54D-FC50-43F6-8173-0D2E7FAFD035}\install.rdf

    c:\windows\system32\winlogon.exe . . . is infected!!

    c:\windows\explorer.exe . . . is infected!!

    c:\windows\system32\midimap.dll . . . is infected!!

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_eixqcdue


    ((((((((((((((((((((((((( Files Created from 2010-10-25 to 2010-11-25 )))))))))))))))))))))))))))))))
    .

    2010-11-22 02:59 . 2010-11-22 03:08 -------- d-----w- C:\jaynori
    2010-11-22 02:54 . 2010-11-22 02:54 -------- d-----w- C:\$AVG
    2010-11-21 06:13 . 2010-11-21 06:13 -------- d-----w- C:\_OTM
    2010-11-05 03:28 . 2010-11-05 03:28 -------- d-----w- C:\extensions
    2010-11-05 03:12 . 2010-11-05 03:12 -------- d-----r- C:\MSOCache
    2010-11-05 03:10 . 2010-11-05 03:10 -------- d-----w- C:\Intel

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-18 16:23 . 2008-04-14 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2008-04-14 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2008-04-14 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2008-04-14 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-10 05:57 . 2009-06-13 17:58 1016320 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:57 . 2009-06-13 17:51 1598464 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-10 05:57 . 2009-06-13 17:35 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-08 16:17 . 2010-09-08 16:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-09-08 16:17 . 2010-09-08 16:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-09-01 11:51 . 2008-04-14 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:38 . 2009-06-13 17:30 1861888 ----a-w- c:\windows\system32\win32k.sys
    .

    ------- Sigcheck -------

    [-] 2009-06-13 . 038CA45522FE9B756EFB90DBFA9141EA . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys

    [-] 2009-06-13 . EC4D66049FCFE818C1D1738DB9A6E5C8 . 568832 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

    [-] 2009-08-06 . F7B2E1B864661A543338AF598F5B9115 . 79072 . . [7.4.7600.226] . . c:\windows\7SP_Files\wuauclt.exe
    [7] 2009-08-06 . 62BB79160F86CD962F312C68C6239BFD . 53472 . . [7.4.7600.226] . . c:\windows\7SP_Files\backup\wuauclt.exe
    [-] 2009-08-06 . F7B2E1B864661A543338AF598F5B9115 . 79072 . . [7.4.7600.226] . . c:\windows\system32\wuauclt.exe

    [-] 2010-08-23 . 54223CA7190149BE59E1D10413AB88F5 . 724992 . . [5.82] . . c:\windows\7SP_Files\comctl32.dll
    [7] 2010-08-23 . 93AFB83FBC1F9443CAC722FCA63D73BF . 617472 . . [5.82] . . c:\windows\7SP_Files\backup\comctl32.dll
    [-] 2010-08-23 . 54223CA7190149BE59E1D10413AB88F5 . 724992 . . [5.82] . . c:\windows\system32\comctl32.dll
    [-] 2010-08-23 . 54223CA7190149BE59E1D10413AB88F5 . 724992 . . [5.82] . . c:\windows\system32\dllcache\comctl32.dll
    [7] 2010-08-23 . 736B12B725AEB2B07F0241A9F680CB10 . 1054208 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
    [-] 2009-05-17 . 45B909FB560A7BED67B3457945999013 . 653312 . . [5.82] . . c:\windows\$NtUninstallKB2296011$\comctl32.dll
    [-] 2009-05-17 . C6CC0229FA60F9E5A2F9E6FD52878665 . 1064448 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
    [-] 2009-05-17 . 303673E56D0524AF50B339BD8618E5AC . 931840 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll

    [-] 2010-09-10 . 4FADACE7BA753F74F23F34E0EB275BD0 . 6182400 . . [8.00.6001.23067] . . c:\windows\7SP_Files\mshtml.dll
    [7] 2010-09-10 . 8A03CC037E6B7D1796192815231B0C3F . 5958656 . . [8.00.6001.23067] . . c:\windows\7SP_Files\backup\mshtml.dll
    [-] 2010-09-10 . 4FADACE7BA753F74F23F34E0EB275BD0 . 6182400 . . [8.00.6001.23067] . . c:\windows\system32\mshtml.dll
    [-] 2010-09-10 . 4FADACE7BA753F74F23F34E0EB275BD0 . 6182400 . . [8.00.6001.23067] . . c:\windows\system32\dllcache\mshtml.dll
    [-] 2009-06-13 . C94EE53BB0A926279C4C67522031FB7A . 6077440 . . [8.00.6001.22873] . . c:\windows\ie8updates\KB2360131-IE8\mshtml.dll

    [-] 2009-06-13 . 05F5164AC40A1D5DE2188B58DD82101F . 648704 . . [5.1.2600.5512] . . c:\windows\7SP_Files\user32.dll
    [-] 2009-06-13 . 99C1ACB1B8F0F2CECC56515E502B5120 . 575488 . . [5.1.2600.5512] . . c:\windows\7SP_Files\backup\user32.dll
    [-] 2009-06-13 . 05F5164AC40A1D5DE2188B58DD82101F . 648704 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll

    [-] 2010-09-10 . 9B374EFDAD4930CB67C57869E12FCBBF . 1016320 . . [8.00.6001.23060] . . c:\windows\7SP_Files\wininet.dll
    [7] 2010-09-10 . 0555E190DCD06B8998E6DDCA42DAEB82 . 919552 . . [8.00.6001.23060] . . c:\windows\7SP_Files\backup\wininet.dll
    [-] 2010-09-10 . 9B374EFDAD4930CB67C57869E12FCBBF . 1016320 . . [8.00.6001.23060] . . c:\windows\system32\wininet.dll
    [-] 2010-09-10 . 9B374EFDAD4930CB67C57869E12FCBBF . 1016320 . . [8.00.6001.23060] . . c:\windows\system32\dllcache\wininet.dll
    [-] 2009-06-13 . A09FCA16773A52C6CB0756D84A5509E4 . 971776 . . [8.00.6001.22873] . . c:\windows\ie8updates\KB2360131-IE8\wininet.dll

    [-] 2009-06-13 . C64877ED8A2092D28D5119C8270117EC . 1512448 . . [6.00.2900.5634] . . c:\windows\explorer.exe
    [-] 2009-06-13 . 6B29E8DCF44B1E2434C4F6F903AE41C8 . 1512448 . . [6.00.2900.5634] . . c:\windows\7SP_Files\explorer.exe
    [-] 2009-06-13 . 7C20A150945965CC47E8289636BF4346 . 2117632 . . [6.00.2900.5634] . . c:\windows\7SP_Files\backup\explorer.exe

    [-] 2010-07-16 . 149217B62C933505058C8FC4BBE5FD37 . 1341440 . . [5.1.2600.6010] . . c:\windows\7SP_Files\ole32.dll
    [7] 2010-07-16 . 8D51FB47062F2A1A9EFECCEF338A4C46 . 1289216 . . [5.1.2600.6010] . . c:\windows\7SP_Files\backup\ole32.dll
    [-] 2010-07-16 . 149217B62C933505058C8FC4BBE5FD37 . 1341440 . . [5.1.2600.6010] . . c:\windows\system32\ole32.dll
    [-] 2010-07-16 . 149217B62C933505058C8FC4BBE5FD37 . 1341440 . . [5.1.2600.6010] . . c:\windows\system32\dllcache\ole32.dll
    [7] 2009-06-13 . 0A80305BFB7346ACB49FD5611B675EC5 . 1288192 . . [5.1.2600.5685] . . c:\windows\$NtUninstallKB979687$\ole32.dll

    [-] 2009-06-13 . CBF5945651C96E471B3A004BBDC36864 . 37376 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe

    [-] 2009-06-13 . D440FD3EA29AEB8AC99F22986A87D345 . 727904 . . [8.00.6001.18702] . . c:\windows\7SP_Files\IEXPLORE.EXE
    [-] 2009-06-13 . 56A2008025323B8D2B49184CC6F3FAA1 . 535904 . . [8.00.6001.18702] . . c:\windows\7SP_Files\backup\IEXPLORE.EXE
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VistaDrive"="c:\windows\VistaDrive\VistaDrive.exe" [2006-10-06 280779]
    "UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [BU]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-01-07 429392]
    "RTHDCPL"="RTHDCPL.EXE" [2008-09-02 16851456]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-16 142104]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-16 162584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-16 138008]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2010-06-16 77824]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
    "CIAxxxxxxx.exe"="c:\ciaxxxxxxx.exe\CIAxxxxxxx.exe" [BU]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "_nltide_3"="advpack.dll" [2009-06-13 128512]

    c:\documents and settings\Jay Jay\Start Menu\Programs\Startup\
    Refresh Icon Cache.lnk - c:\windows\7SP_Files\Refresh Icon Cache\Refresh Icon Cache.exe [2010-11-5 203139]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-11-05 03:22 11952 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [11/4/2010 9:46 PM 12552]
    R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/4/2010 9:46 PM 108552]
    R3 MBX2DFU;Digidesign Mbox 2 Firmware Updater;c:\windows\system32\drivers\dgmbx2fu.sys [11/13/2010 10:14 AM 21648]
    S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/4/2010 9:46 PM 335240]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/22/2010 11:20 PM 135336]
    S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
    S2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [11/9/2010 7:32 PM 16400]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/4/2010 10:18 PM 236368]
    S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [4/19/2010 12:45 PM 1050440]
    S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [11/9/2010 7:32 PM 85008]
    S3 DGUSBAP;Service for Digidesign Mbox2 (WDM);c:\windows\system32\drivers\dgmbx2.sys [11/13/2010 10:14 AM 129040]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/4/2010 10:18 PM 19160]
    S3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;c:\windows\system32\drivers\mbx2midk.sys [11/9/2010 7:32 PM 21904]
    S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [2/25/2010 10:18 AM 10064]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp
    .
    Contents of the 'Scheduled Tasks' folder

    2010-11-16 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]

    2010-11-14 c:\windows\Tasks\Automatic maintenance.job
    - c:\program files\TuneUp Utilities 2010\OneClickStarter.exe [2010-04-19 17:51]

    2010-11-23 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Jay Jay.job
    - c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2010-11-05 20:07]

    2010-11-23 c:\windows\Tasks\Malwarebytes' Scheduled Update for Jay Jay.job
    - c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2010-11-05 20:07]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: {757ACDF3-519A-40D4-A448-B7C20F55602E} = 4.2.2.1
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-25 11:52
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1957994488-1500820517-1606980848-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,17,3f,4b,0f,7b,e6,e2,47,8f,fd,d4,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,17,3f,4b,0f,7b,e6,e2,47,8f,fd,d4,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(680)
    c:\windows\system32\SETUPAPI.dll
    c:\windows\system32\cscui.dll

    - - - - - - - > 'lsass.exe'(784)
    c:\windows\system32\SETUPAPI.dll
    .
    Completion time: 2010-11-25 11:54:41 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-11-25 16:54
    ComboFix2.txt 2010-11-22 03:18
    ComboFix3.txt 2010-11-22 03:08

    Pre-Run: 473,249,062,912 bytes free
    Post-Run: 473,339,666,432 bytes free

    - - End Of File - - 9AFCDCFDD3D78E973F8ACB5BBFDC0268
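The Sigcheck section of the ComboFix log above lists several copies of the same system file (the live copy under c:\windows or c:\windows\system32, plus dllcache, WinSxS, uninstall and 7SP_Files copies) with a status tag, date, MD5, size, version and path. The script below is an added example, not part of the thread or of ComboFix; it parses that format and reports which live copies differ from every other copy on disk. It assumes that a `[7]` tag means the file matched ComboFix's reference list and `[-]` means it did not, and that the 7SP_Files directories are a transformation pack's staging copies rather than what Windows actually loads; both are this example's reading of the log, not something the thread states. The sample lines are an excerpt of the posted log.

```python
import re
from collections import defaultdict

# Constructed excerpt of the Sigcheck section of the ComboFix log above
# (same line format; tags, hashes, sizes and paths copied from the post).
SAMPLE_SIGCHECK = r"""
[-] 2009-06-13 . 038CA45522FE9B756EFB90DBFA9141EA . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
[-] 2009-06-13 . EC4D66049FCFE818C1D1738DB9A6E5C8 . 568832 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[-] 2009-08-06 . F7B2E1B864661A543338AF598F5B9115 . 79072 . . [7.4.7600.226] . . c:\windows\7SP_Files\wuauclt.exe
[7] 2009-08-06 . 62BB79160F86CD962F312C68C6239BFD . 53472 . . [7.4.7600.226] . . c:\windows\7SP_Files\backup\wuauclt.exe
[-] 2009-08-06 . F7B2E1B864661A543338AF598F5B9115 . 79072 . . [7.4.7600.226] . . c:\windows\system32\wuauclt.exe
[-] 2009-06-13 . 05F5164AC40A1D5DE2188B58DD82101F . 648704 . . [5.1.2600.5512] . . c:\windows\7SP_Files\user32.dll
[-] 2009-06-13 . 99C1ACB1B8F0F2CECC56515E502B5120 . 575488 . . [5.1.2600.5512] . . c:\windows\7SP_Files\backup\user32.dll
[-] 2009-06-13 . 05F5164AC40A1D5DE2188B58DD82101F . 648704 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
[-] 2009-06-13 . C64877ED8A2092D28D5119C8270117EC . 1512448 . . [6.00.2900.5634] . . c:\windows\explorer.exe
[-] 2009-06-13 . 6B29E8DCF44B1E2434C4F6F903AE41C8 . 1512448 . . [6.00.2900.5634] . . c:\windows\7SP_Files\explorer.exe
[-] 2009-06-13 . 7C20A150945965CC47E8289636BF4346 . 2117632 . . [6.00.2900.5634] . . c:\windows\7SP_Files\backup\explorer.exe
[-] 2009-06-13 . CBF5945651C96E471B3A004BBDC36864 . 37376 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
"""

# One Sigcheck line: [tag] date . md5 . size . . [version] . . path
SIGCHECK_LINE = re.compile(
    r"^\[(?P<tag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)

# Assumption: copies under these directories are caches, backups, side-by-side
# stores, uninstall folders or the theme pack's staging area, not what Windows
# loads at boot. Everything else under c:\windows is treated as the live copy.
STAGING = ("\\dllcache\\", "\\backup\\", "\\winsxs\\", "\\$ntuninstall",
           "\\7sp_files\\", "\\ie8updates\\")


def parse_sigcheck(text):
    """Return one dict per Sigcheck line (non-matching lines are ignored)."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_LINE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        e["path"] = e["path"].lower()
        e["name"] = e["path"].rsplit("\\", 1)[-1]
        entries.append(e)
    return entries


def is_live(path):
    """True for the copy Windows executes, False for cached/staged copies."""
    return path.startswith("c:\\windows\\") and not any(s in path for s in STAGING)


def suspect_live_copies(entries):
    """Map live path -> reason, for live copies whose hash is unexplained.

    A live copy is flagged when it differs from a [7] reference copy of the
    same file, when it differs from every other copy on disk, or when there is
    nothing at all to compare it with. A live [-] copy that shares its hash
    with another (also unverified) copy, e.g. the theme pack's staged file,
    is not flagged: the [-] alone is not evidence of tampering.
    """
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)
    suspects = {}
    for name, copies in by_name.items():
        reference = {c["md5"] for c in copies if c["tag"] == "7"}
        for c in copies:
            if not is_live(c["path"]) or c["md5"] in reference:
                continue
            if reference:
                suspects[c["path"]] = "hash differs from the [7] reference copy of " + name
                continue
            others = {x["md5"] for x in copies if x["path"] != c["path"]}
            if not others:
                suspects[c["path"]] = "no other copy of " + name + " on disk to compare against"
            elif c["md5"] not in others:
                suspects[c["path"]] = "differs from every other (unverified) copy of " + name
    return suspects


if __name__ == "__main__":
    for path, reason in sorted(suspect_live_copies(parse_sigcheck(SAMPLE_SIGCHECK)).items()):
        print(f"{path}: {reason}")
```

Run against the excerpt, this flags c:\windows\explorer.exe (a third hash, unlike either 7SP_Files copy) and c:\windows\system32\wuauclt.exe (differs from the `[7]` backup), and lists winlogon.exe, ctfmon.exe and tcpip.sys as having no comparison copy at all; user32.dll is not flagged because its live hash equals the staged theme-pack copy. That is consistent with the log's own "winlogon.exe . . . is infected!!" and "explorer.exe . . . is infected!!" lines, but a hash mismatch by itself only tells you the file is not the stock one; confirming what changed it needs the file itself or a scanner verdict.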
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    I've had the flu. I'm trying to catch up now. If you PM me in the future, kindly give me the URL of your thread.
    Are you having anything else except the redirect? These scans need to be run in Normal Mode. Some processes don't start in Safe Mode and I won't see them.

    Rescan with Eset online:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ======================================
    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file will open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
  3. JayNori

    JayNori Newcomer, in training Topic Starter Posts: 27

    Sorry about the delay, but heres the Online Scanner log file. I'll send the other soon


    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=0440d6d6e40a9b468a2a5d19e87a990f
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-11-20 04:43:19
    # local_time=2010-11-20 11:43:19 (-0500, Eastern Standard Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=1024 16777175 100 0 423077 423077 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=57012
    # found=3
    # cleaned=0
    # scan_time=1525
    C:\Documents and Settings\Jay Jay\Application Data\hotfix.exe a variant of Win32/Adware.FakeAntiSpy.S application 00000000000000000000000000000000 I
    C:\Documents and Settings\Jay Jay\My Documents\Downloads\Acoustica.Mixcraft.v5.1.149.AiR\setup.exe NSIS/TrojanDownloader.FakeAlert.DK.Gen trojan 00000000000000000000000000000000 I
    C:\WINDOWS\ixewejoguxa.dll a variant of Win32/Cimag.EE trojan 00000000000000000000000000000000 I
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=0440d6d6e40a9b468a2a5d19e87a990f
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2010-12-05 10:03:12
    # local_time=2010-12-05 05:03:12 (-0500, Eastern Standard Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=1024 16777175 100 0 173047 173047 0 0
    # compatibility_mode=1797 16775125 100 93 0 27166567 0 0
    # compatibility_mode=8192 67108863 100 0 389583 389583 0 0
    # scanned=107614
    # found=14
    # cleaned=0
    # scan_time=9781
    C:\Qoobox\Quarantine\C\Documents and Settings\Jay Jay\Local Settings\Application Data\78354931.exe.vir a variant of Win32/Kryptik.IIA trojan 00000000000000000000000000000000 I
    C:\Qoobox\Quarantine\C\WINDOWS\uqiqotiw.dll.vir a variant of Win32/Cimag.DV trojan 00000000000000000000000000000000 I
    C:\WINDOWS\explorer.exe Win32/Bamital.EV trojan 00000000000000000000000000000000 I
    C:\WINDOWS\ihobiper.dll a variant of Win32/Cimag.DV trojan 00000000000000000000000000000000 I
    C:\WINDOWS\7SP_Files\Windows File Protection Switcher\Windows File Protection Switcher.exe a variant of Win32/HackTool.Patcher.B application 00000000000000000000000000000000 I
    C:\WINDOWS\system32\winlogon.exe Win32/Bamital.EV trojan 00000000000000000000000000000000 I
    C:\_OTM\MovedFiles\11212010_011316\C_Documents and Settings\Jay Jay\My Documents\Downloads\Acoustica.Mixcraft.v5.1.149.AiR\setup.exe NSIS/TrojanDownloader.FakeAlert.DK.Gen trojan 00000000000000000000000000000000 I
    C:\_OTM\MovedFiles\11212010_011316\C_WINDOWS\ixewejoguxa.dll a variant of Win32/Cimag.DV trojan 00000000000000000000000000000000 I
    K:\Hard Drive\Plugins and Programs\FriendBlaster Pro 10.4.0.rar Win32/HackTool.Patcher.A application 00000000000000000000000000000000 I
    K:\Hard Drive\Plugins and Programs\NiPro-53.zip probably a variant of Win32/Agent.DUBEDBP trojan 00000000000000000000000000000000 I
    K:\Hard Drive\Plugins and Programs\Tone2FireBird Vst Installion\keygen.exe a variant of Win32/Keygen.AD application 00000000000000000000000000000000 I
    K:\Hard Drive\Plugins and Programs\IZotope.Ozone.VST.DX.RTAS.HTDM.v4.01.Incl.Keygen\keygen.exe a variant of Win32/Keygen.AD application 00000000000000000000000000000000 I
    K:\Hard Drive\Plugins and Programs\Wave Plugins\Waves Plugins\DX RTAS VST\Native Instruments Kontakt 1.5.0.5\Setup.exe a variant of Win32/Keygen.AA application 00000000000000000000000000000000 I
    ${Memory} Win32/Bamital.EV trojan 00000000000000000000000000000000 I
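The second ESET log above lists fourteen hits, but not all of them are live infections: several are inert copies sitting in ComboFix's Qoobox quarantine or OTM's MovedFiles folder, five are archives and keygens on the external K: drive, and one is a memory detection. The script below is an added example, not part of the thread or of ESET; it parses the `# key=value` header and the detection lines, sorts each hit into quarantined / external / unwanted application / live / memory, and checks that the number of parsed lines matches the header's `found=` count. The quarantine path markers and the category rules are this example's assumptions; the sample input is an excerpt of the posted log.

```python
import re
from collections import Counter

# Constructed excerpt of the second ESET Online Scanner log posted above
# (header trimmed to a few keys; the 14 detection lines are copied as posted).
ESET_LOG_EXCERPT = r"""
# version=7
# end=finished
# remove_checked=false
# scanned=107614
# found=14
# cleaned=0
C:\Qoobox\Quarantine\C\Documents and Settings\Jay Jay\Local Settings\Application Data\78354931.exe.vir a variant of Win32/Kryptik.IIA trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\uqiqotiw.dll.vir a variant of Win32/Cimag.DV trojan 00000000000000000000000000000000 I
C:\WINDOWS\explorer.exe Win32/Bamital.EV trojan 00000000000000000000000000000000 I
C:\WINDOWS\ihobiper.dll a variant of Win32/Cimag.DV trojan 00000000000000000000000000000000 I
C:\WINDOWS\7SP_Files\Windows File Protection Switcher\Windows File Protection Switcher.exe a variant of Win32/HackTool.Patcher.B application 00000000000000000000000000000000 I
C:\WINDOWS\system32\winlogon.exe Win32/Bamital.EV trojan 00000000000000000000000000000000 I
C:\_OTM\MovedFiles\11212010_011316\C_Documents and Settings\Jay Jay\My Documents\Downloads\Acoustica.Mixcraft.v5.1.149.AiR\setup.exe NSIS/TrojanDownloader.FakeAlert.DK.Gen trojan 00000000000000000000000000000000 I
C:\_OTM\MovedFiles\11212010_011316\C_WINDOWS\ixewejoguxa.dll a variant of Win32/Cimag.DV trojan 00000000000000000000000000000000 I
K:\Hard Drive\Plugins and Programs\FriendBlaster Pro 10.4.0.rar Win32/HackTool.Patcher.A application 00000000000000000000000000000000 I
K:\Hard Drive\Plugins and Programs\NiPro-53.zip probably a variant of Win32/Agent.DUBEDBP trojan 00000000000000000000000000000000 I
K:\Hard Drive\Plugins and Programs\Tone2FireBird Vst Installion\keygen.exe a variant of Win32/Keygen.AD application 00000000000000000000000000000000 I
K:\Hard Drive\Plugins and Programs\IZotope.Ozone.VST.DX.RTAS.HTDM.v4.01.Incl.Keygen\keygen.exe a variant of Win32/Keygen.AD application 00000000000000000000000000000000 I
K:\Hard Drive\Plugins and Programs\Wave Plugins\Waves Plugins\DX RTAS VST\Native Instruments Kontakt 1.5.0.5\Setup.exe a variant of Win32/Keygen.AA application 00000000000000000000000000000000 I
${Memory} Win32/Bamital.EV trojan 00000000000000000000000000000000 I
"""

# One detection line: <path with spaces> <detection name> <kind> <32 hex> <flag>
# The path is matched lazily; the detection name always contains a "/" family
# separator, which is what stops the path at the right place.
DETECTION = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<name>(?:probably a variant of |a variant of )?[A-Za-z0-9]+/\S+)\s+"
    r"(?P<kind>\S+)\s+(?P<hash>[0-9a-fA-F]{32})\s+(?P<flag>\S+)$"
)

# Assumption: files under these paths were already moved there by ComboFix
# (Qoobox) or OTM (MovedFiles) and are no longer where the OS would run them.
QUARANTINE_MARKERS = ("\\qoobox\\quarantine\\", "\\_otm\\movedfiles\\")


def classify(path, kind):
    """Sort one detection into a triage bucket (example rules, see lead-in)."""
    p = path.lower()
    if p == "${memory}":
        return "memory"          # ESET saw the code running, not just on disk
    if any(m in p for m in QUARANTINE_MARKERS):
        return "quarantined"     # inert copy; already removed from its original location
    if not p.startswith("c:\\"):
        return "external"        # another volume, here the borrowed K: drive
    if kind == "application":
        return "unwanted_app"    # hack tools / keygens: unwanted, not a live infection
    return "live"                # malware still in place on the system volume


def parse_eset_log(text):
    """Return (header dict, list of detection dicts with a 'category' key)."""
    header, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            header[key.strip()] = value.strip()
            continue
        m = DETECTION.match(line)
        if m:
            d = m.groupdict()
            d["category"] = classify(d["path"], d["kind"])
            detections.append(d)
    return header, detections


def triage(text):
    """Summarise a log: header count vs parsed count, bucket counts, live items."""
    header, detections = parse_eset_log(text)
    reported = int(header.get("found", "0"))
    return {
        "reported": reported,
        "parsed": len(detections),
        "consistent": reported == len(detections),
        "counts": dict(Counter(d["category"] for d in detections)),
        "live": sorted(d["path"] for d in detections if d["category"] in ("live", "memory")),
    }


if __name__ == "__main__":
    summary = triage(ESET_LOG_EXCERPT)
    print(summary["counts"])
    for path in summary["live"]:
        print("still active:", path)
```

On the excerpt this leaves four items that actually need attention on the system volume: explorer.exe, ihobiper.dll, winlogon.exe and the in-memory Bamital.EV hit, which agrees with ComboFix's own "is infected" lines for winlogon.exe and explorer.exe. The `consistent` check matters when a log is pasted by hand, since a dropped or wrapped line silently changes what you think was found.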
  4. JayNori

    JayNori Newcomer, in training Topic Starter Posts: 27

    HijackThis Log

    Log for HijackThis



    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 7:36:25 PM, on 12/5/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Digidesign\Drivers\MMERefresh.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
    C:\WINDOWS\VistaDrive\VistaDrive.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\BitTorrent\BitTorrent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\WINDOWS\7SP_Files\Styler\TB\StylerTB.dll
    O4 - HKLM\..\Run: [VistaDrive] C:\WINDOWS\VistaDrive\VistaDrive.exe
    O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe -H
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] "C:\WINDOWS\is-S899T.exe" /REG
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [TransBar] C:\WINDOWS\7SP_Files\TransBar\TransBar.exe /s
    O4 - HKUS\S-1-5-18\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe" (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [CIA8498xx.exe] C:\CIA8498xx.exe\CIA8498xx.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe" (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    O4 - Startup: Refresh Icon Cache.lnk = C:\WINDOWS\7SP_Files\Refresh Icon Cache\Refresh Icon Cache.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1288925219531
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1288925214703
    O17 - HKLM\System\CCS\Services\Tcpip\..\{757ACDF3-519A-40D4-A448-B7C20F55602E}: NameServer = 4.2.2.1
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
    O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
    O23 - Service: digiSPTIService - Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe
    O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe

    --
    End of file - 8498 bytes
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    What is the H Drive?

    Run this:

    Download CKScanner and save to your desktop.
    • Double-click CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    I have reopened the thread, at least briefly. The following first group is the log you sent in a PM. I don't do support in that area. The second is a listing of new infections found, after previous cleaning, which shows entries with keygens. This is evidence of pirated programs. Apparently you attempted to load pirated programs onto your system from a memory card.

    CKScanner log sent by OP:
    New infections found in 2nd Eset log:
    Cracks and keygens indicate that in order to get a program or application, the serial key or license key has been obtained from a file sharing program, obtaining the program free instead of paying for it. This is called piracy. It is illegal and we don't support piracy.

    As long as you participate in this type of activity, you are going to get malware, along with the 'key' to steal the program. If you have some other explanation about these entries that tells me otherwise, I will listen.
  7. JayNori

    JayNori Newcomer, in training Topic Starter Posts: 27

I'm really sorry, but a friend of mine lent me the hard drive because the programs he had were what I needed, and I wasn't told how he had gotten them; he only said a friend of his got them for him. If I had known this I wouldn't have used it. I do not support piracy either, but I guess I should have known that they were pirated.
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    The pirated programs need to be removed for support to continue.
  9. JayNori

    JayNori Newcomer, in training Topic Starter Posts: 27

Okay, so delete the files from the hard drive?
  10. JayNori

    JayNori Newcomer, in training Topic Starter Posts: 27

    Everything is erased
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Please run a new Eset scan.
    =============================
    You also still have both AVG and Avira running. This makes the system more vulnerable, so one of them needs to be removed. Here is some help:
    • AVG Removal: Note: You may have to reinstall AVG to uninstall it fully
    • Avira Manual Removal

• Start> Settings> Control Panel> Add or Remove Programs (Windows 2000/ XP) or Start - Control Panel - Uninstall a program (Windows Vista / 7)
• Wait for the list of installed programs to load, then click the name of the Avira program.
• Click Remove next to the program's name (Windows 2000 / XP) or in the menu above the list (Windows Vista / 7).
• Press Yes, to confirm the removal and then OK.
• Click Next until Finish. The software is removed.
      Reboot the computer when finished.
      ==============================
      Then repeat HijackThis so we can make sure no bad entries remain.
     
  12. JayNori

    JayNori Newcomer, in training Topic Starter Posts: 27

It's strange. I'm sure I had removed every pirated program's presence, yet the keygens still appear. Why is this?


Eset Log

    C:\Qoobox\Quarantine\C\WINDOWS\uqiqotiw.dll.vir a variant of Win32/Cimag.DV trojan
    C:\WINDOWS\explorer.exe Win32/Bamital.EV trojan
    C:\WINDOWS\ihobiper.dll a variant of Win32/Cimag.DV trojan
    C:\WINDOWS\system32\winlogon.exe Win32/Bamital.EV trojan
    C:\_OTM\MovedFiles\11212010_011316\C_Documents and Settings\Jay Jay\My Documents\Downloads\Acoustica.Mixcraft.v5.1.149.AiR\setup.exe NSIS/TrojanDownloader.FakeAlert.DK.Gen trojan
    C:\_OTM\MovedFiles\11212010_011316\C_WINDOWS\ixewejoguxa.dll a variant of Win32/Cimag.DV trojan
    K:\System Volume Information\_restore{93D02D89-718A-4633-8674-1156B96F8406}\RP17\A0005289.exe a variant of Win32/Keygen.AD application
    K:\System Volume Information\_restore{93D02D89-718A-4633-8674-1156B96F8406}\RP17\A0005318.exe a variant of Win32/Keygen.AA application
    K:\System Volume Information\_restore{93D02D89-718A-4633-8674-1156B96F8406}\RP17\A0005354.exe a variant of Win32/Keygen.AD application
    Operating memory Win32/Bamital.EV trojan


    HijackThis Log

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 12:02:38 AM, on 12/10/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Digidesign\Drivers\MMERefresh.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
    C:\WINDOWS\VistaDrive\VistaDrive.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\WINDOWS\7SP_Files\Styler\TB\StylerTB.dll
    O4 - HKLM\..\Run: [VistaDrive] C:\WINDOWS\VistaDrive\VistaDrive.exe
    O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe -H
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [TransBar] C:\WINDOWS\7SP_Files\TransBar\TransBar.exe /s
    O4 - HKUS\S-1-5-18\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe" (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [CIA7870xx.exe] C:\CIA7870xx.exe\CIA7870xx.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe" (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    O4 - Startup: Refresh Icon Cache.lnk = C:\WINDOWS\7SP_Files\Refresh Icon Cache\Refresh Icon Cache.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1288925219531
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1288925214703
    O17 - HKLM\System\CCS\Services\Tcpip\..\{757ACDF3-519A-40D4-A448-B7C20F55602E}: NameServer = 4.2.2.1
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
    O23 - Service: digiSPTIService - Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe
    O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe

    --
    End of file - 7870 bytes
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    You're getting there. The entries in the Eset log are of 3 types:
1. Qoobox: this is where Combofix puts the files it has quarantined. Those entries are no longer active and will be removed at the end when I have you uninstall Combofix.
    2. System Volume: these are the restore points. These are not active. The only way they could cause a problem is if you happened to choose one of the infected files to do a System restore. Those also will be removed at the end.
    3. The following are the active infections that need to be moved as follows:

    Please download OTMovit by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Processes	
      
      :Files  
      C:\WINDOWS\explorer.exe 
      C:\WINDOWS\ihobiper.dll 
      C:\WINDOWS\system32\winlogon.exe 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    The Win32/Bamital Trojan is still in the system, most likely because it's in the memory. Trojan:Win32/Bamital.A is a trojan often installed by other malware. It monitors and modifies Web search queries and displays advertisements. It is triggered when the browser is Internet Explorer, Opera, Firefox, Chrome, or Safari.

    The Payload is that it modifies browsing behavior- patches and redirects the following functions of the Windows Socket module, which are used by the browser, to its malicious routine so it can monitor and modify Web search queries and offer its own online advertisements.

    Let's try to replace the infected files:
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it: (Be sure to scroll down to include ALL lines.)
    Code:
    File::
    
    Folder::
    
    Registry::
    
    Driver::
    Fcopy::
    c:\windows\ServicePackFiles\i386\winlogon.exe |  c:\windows\system32\winlogon.exe
    c:\windows\ServicePackFiles\i386\explorer.exe| c:\windows\explorer.exe
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
After doing this, run a new Eset scan- hopefully there won't be any new infections. If you are still getting active, new malware infections after replacing the 2 files, I will recommend a reformat/reinstall.
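A small triage helper, added here as an example and not taken from this thread or from ESET's tools, that sorts ESET Online Scanner result lines into the three groups Bobbye describes above (ComboFix's Qoobox quarantine, System Restore points, and active detections) and flags the in-memory hit; it goes one step further than the post by also treating OTM's MovedFiles folder as quarantine. The sample log is constructed from paths quoted earlier in this thread, not a real scan.

```python
import re

# Constructed sample, modelled on the ESET Online Scanner output quoted in this
# thread (paths and detection names copied from the logs above; not a real scan).
SAMPLE_LOG = r"""# version=7
# found=5
# cleaned=0
C:\Qoobox\Quarantine\C\WINDOWS\uqiqotiw.dll.vir a variant of Win32/Cimag.DV trojan (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\explorer.exe Win32/Bamital.EV trojan (unable to clean) 00000000000000000000000000000000 I
C:\_OTM\MovedFiles\11212010_011316\C_WINDOWS\ixewejoguxa.dll a variant of Win32/Cimag.DV trojan 00000000000000000000000000000000 I
K:\System Volume Information\_restore{93D02D89-718A-4633-8674-1156B96F8406}\RP17\A0005289.exe a variant of Win32/Keygen.AD application (unable to clean) 00000000000000000000000000000000 I
${Memory} Win32/Bamital.EV trojan 00000000000000000000000000000000 I
"""

# One result line: <path> <detection> [(note)] [<32-hex id> <flag>]
# The path may contain spaces, so it is matched lazily and the detection must
# end in a threat-type word (trojan/application/adware) or "multiple threats".
RESULT_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<detection>(?:probably )?(?:a variant of )?"
    r"(?:\S+ (?:trojan|application|adware)|multiple threats))"
    r"(?: \((?P<note>[^)]*)\))?"
    r"(?: (?P<hash>[0-9a-fA-F]{32}) (?P<flag>[A-Z]))?$"
)


def parse_result_line(line):
    """Return a dict for a detection line, or None for headers/blank lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = RESULT_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Both ESET log formats seen in the thread report the memory hit this way.
    rec["in_memory"] = rec["path"].lower() in ("${memory}", "operating memory")
    return rec


def classify(path):
    """Map a detection path to quarantine / restore_point / active."""
    p = path.lower()
    if ("\\qoobox\\quarantine\\" in p          # ComboFix quarantine
            or "\\_otm\\movedfiles\\" in p       # OTM quarantine (added here)
            or "\\_otmoveit\\movedfiles\\" in p):
        return "quarantine"
    if "\\system volume information\\_restore" in p:
        return "restore_point"                   # only a risk via System Restore
    return "active"


def triage(log_text):
    """Bucket every detection line of an ESET log by the categories above."""
    buckets = {"quarantine": [], "restore_point": [], "active": []}
    for line in log_text.splitlines():
        rec = parse_result_line(line)
        if rec is None:
            continue
        buckets[classify(rec["path"])].append((rec["path"], rec["detection"]))
    return buckets


if __name__ == "__main__":
    for category, hits in triage(SAMPLE_LOG).items():
        print(f"{category}: {len(hits)}")
        for path, detection in hits:
            print(f"  {path}  ->  {detection}")
```

Only the "active" bucket needs action; the other two are inert until the quarantine folders and restore points are purged at the end of the cleanup.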
  14. JayNori

    JayNori Newcomer, in training Topic Starter Posts: 27

Here's the log for OTMoveit. ComboFix has some problems because it reboots the computer and won't run when it restarts; it says it needs to find a program that can open a file. I'll tell you the file name in the next reply.



    All processes killed
    ========== PROCESSES ==========
    ========== FILES ==========
    Item C:\WINDOWS\explorer.exe is whitelisted and cannot be moved.
    DllUnregisterServer procedure not found in C:\WINDOWS\ihobiper.dll
    C:\WINDOWS\ihobiper.dll moved successfully.
    Item C:\WINDOWS\system32\winlogon.exe is whitelisted and cannot be moved.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Administrator.JAY-BB4D1EF4B91
    ->Temp folder emptied: 101 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->FireFox cache emptied: 4550528 bytes
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Jay Jay
    ->Temp folder emptied: 2960794 bytes
    ->Temporary Internet Files folder emptied: 52370075 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 106962817 bytes
    ->Flash cache emptied: 4066 bytes

    User: LocalService
    ->Temporary Internet Files folder emptied: 509455 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 571956 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 442 bytes

    Total Files Cleaned = 160.00 mb


    OTM by OldTimer - Version 3.1.17.2 log created on 12102010_222523
  15. JayNori

    JayNori Newcomer, in training Topic Starter Posts: 27

Okay, so what happens with ComboFix is: at first a prompt pops up saying "Windows cannot find program for file nircmd.cfxxe", then it says that "ComboFix has detected the presence of rootkit activity and needs to reboot the machine", and when it reboots another prompt pops up saying "cannot open CF12616.cfxxe".
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    You already have Combofix on the desktop. It has already been run. Are you following this direction in Reply #38?

    • There is a chance that the cracks and keygens corrupted files needed to run this again.

      Run the Eset scan to see if there is something else on the system.
  17. JayNori

    JayNori Newcomer, in training Topic Starter Posts: 27

Yes, I did exactly what you told me and that came up. Here's the new log from Eset. I'm guessing I should format my hard drive.


    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=0440d6d6e40a9b468a2a5d19e87a990f
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-11-20 04:43:19
    # local_time=2010-11-20 11:43:19 (-0500, Eastern Standard Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=1024 16777175 100 0 423077 423077 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=57012
    # found=3
    # cleaned=0
    # scan_time=1525
    C:\Documents and Settings\Jay Jay\Application Data\hotfix.exe a variant of Win32/Adware.FakeAntiSpy.S application 00000000000000000000000000000000 I
    C:\Documents and Settings\Jay Jay\My Documents\Downloads\Acoustica.Mixcraft.v5.1.149.AiR\setup.exe NSIS/TrojanDownloader.FakeAlert.DK.Gen trojan 00000000000000000000000000000000 I
    C:\WINDOWS\ixewejoguxa.dll a variant of Win32/Cimag.EE trojan 00000000000000000000000000000000 I
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=0440d6d6e40a9b468a2a5d19e87a990f
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2010-12-05 10:03:12
    # local_time=2010-12-05 05:03:12 (-0500, Eastern Standard Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=1024 16777175 100 0 173047 173047 0 0
    # compatibility_mode=1797 16775125 100 93 0 27166567 0 0
    # compatibility_mode=8192 67108863 100 0 389583 389583 0 0
    # scanned=107614
    # found=14
    # cleaned=0
    # scan_time=9781
    C:\Qoobox\Quarantine\C\Documents and Settings\Jay Jay\Local Settings\Application Data\78354931.exe.vir a variant of Win32/Kryptik.IIA trojan 00000000000000000000000000000000 I
    C:\Qoobox\Quarantine\C\WINDOWS\uqiqotiw.dll.vir a variant of Win32/Cimag.DV trojan 00000000000000000000000000000000 I
    C:\WINDOWS\explorer.exe Win32/Bamital.EV trojan 00000000000000000000000000000000 I
    C:\WINDOWS\ihobiper.dll a variant of Win32/Cimag.DV trojan 00000000000000000000000000000000 I
    C:\WINDOWS\7SP_Files\Windows File Protection Switcher\Windows File Protection Switcher.exe a variant of Win32/HackTool.Patcher.B application 00000000000000000000000000000000 I
    C:\WINDOWS\system32\winlogon.exe Win32/Bamital.EV trojan 00000000000000000000000000000000 I
    C:\_OTM\MovedFiles\11212010_011316\C_Documents and Settings\Jay Jay\My Documents\Downloads\Acoustica.Mixcraft.v5.1.149.AiR\setup.exe NSIS/TrojanDownloader.FakeAlert.DK.Gen trojan 00000000000000000000000000000000 I
    C:\_OTM\MovedFiles\11212010_011316\C_WINDOWS\ixewejoguxa.dll a variant of Win32/Cimag.DV trojan 00000000000000000000000000000000 I
    K:\Hard Drive\Plugins and Programs\FriendBlaster Pro 10.4.0.rar Win32/HackTool.Patcher.A application 00000000000000000000000000000000 I
    K:\Hard Drive\Plugins and Programs\NiPro-53.zip probably a variant of Win32/Agent.DUBEDBP trojan 00000000000000000000000000000000 I
    K:\Hard Drive\Plugins and Programs\Tone2FireBird Vst Installion\keygen.exe a variant of Win32/Keygen.AD application 00000000000000000000000000000000 I
    K:\Hard Drive\Plugins and Programs\IZotope.Ozone.VST.DX.RTAS.HTDM.v4.01.Incl.Keygen\keygen.exe a variant of Win32/Keygen.AD application 00000000000000000000000000000000 I
    K:\Hard Drive\Plugins and Programs\Wave Plugins\Waves Plugins\DX RTAS VST\Native Instruments Kontakt 1.5.0.5\Setup.exe a variant of Win32/Keygen.AA application 00000000000000000000000000000000 I
    ${Memory} Win32/Bamital.EV trojan 00000000000000000000000000000000 I
    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6415
    # api_version=3.0.2
    # EOSSerial=0440d6d6e40a9b468a2a5d19e87a990f
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-12-10 04:58:21
    # local_time=2010-12-09 11:58:21 (-0500, Eastern Standard Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=1797 16775141 100 93 0 27543243 0 0
    # compatibility_mode=8192 67108863 100 0 766259 766259 0 0
    # scanned=86796
    # found=10
    # cleaned=0
    # scan_time=3609
    C:\Qoobox\Quarantine\C\WINDOWS\uqiqotiw.dll.vir a variant of Win32/Cimag.DV trojan (unable to clean) 00000000000000000000000000000000 I
    C:\WINDOWS\explorer.exe Win32/Bamital.EV trojan (unable to clean) 00000000000000000000000000000000 I
    C:\WINDOWS\ihobiper.dll a variant of Win32/Cimag.DV trojan (unable to clean) 00000000000000000000000000000000 I
    C:\WINDOWS\system32\winlogon.exe Win32/Bamital.EV trojan (unable to clean) 00000000000000000000000000000000 I
    C:\_OTM\MovedFiles\11212010_011316\C_Documents and Settings\Jay Jay\My Documents\Downloads\Acoustica.Mixcraft.v5.1.149.AiR\setup.exe NSIS/TrojanDownloader.FakeAlert.DK.Gen trojan (unable to clean) 00000000000000000000000000000000 I
    C:\_OTM\MovedFiles\11212010_011316\C_WINDOWS\ixewejoguxa.dll a variant of Win32/Cimag.DV trojan (unable to clean) 00000000000000000000000000000000 I
    K:\System Volume Information\_restore{93D02D89-718A-4633-8674-1156B96F8406}\RP17\A0005289.exe a variant of Win32/Keygen.AD application (unable to clean) 00000000000000000000000000000000 I
    K:\System Volume Information\_restore{93D02D89-718A-4633-8674-1156B96F8406}\RP17\A0005318.exe a variant of Win32/Keygen.AA application (unable to clean) 00000000000000000000000000000000 I
    K:\System Volume Information\_restore{93D02D89-718A-4633-8674-1156B96F8406}\RP17\A0005354.exe a variant of Win32/Keygen.AD application (unable to clean) 00000000000000000000000000000000 I
    ${Memory} Win32/Bamital.EV trojan 00000000000000000000000000000000 I
    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6415
    # api_version=3.0.2
    # EOSSerial=0440d6d6e40a9b468a2a5d19e87a990f
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-12-12 08:27:03
    # local_time=2010-12-12 03:27:03 (-0500, Eastern Standard Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=1797 16775141 100 93 0 27771721 0 0
    # compatibility_mode=8192 67108863 100 0 991137 991137 0 0
    # scanned=85080
    # found=11
    # cleaned=0
    # scan_time=3654
    C:\Documents and Settings\Jay Jay\Application Data\Sun\Java\Deployment\cache\6.0\26\7646669a-1ffc6d94 multiple threats (unable to clean) 00000000000000000000000000000000 I
    C:\Qoobox\Quarantine\C\WINDOWS\uqiqotiw.dll.vir a variant of Win32/Cimag.DV trojan (unable to clean) 00000000000000000000000000000000 I
    C:\WINDOWS\explorer.exe Win32/Bamital.EV trojan (unable to clean) 00000000000000000000000000000000 I
    C:\WINDOWS\system32\winlogon.exe Win32/Bamital.EV trojan (unable to clean) 00000000000000000000000000000000 I
    C:\_OTM\MovedFiles\11212010_011316\C_Documents and Settings\Jay Jay\My Documents\Downloads\Acoustica.Mixcraft.v5.1.149.AiR\setup.exe NSIS/TrojanDownloader.FakeAlert.DK.Gen trojan (unable to clean) 00000000000000000000000000000000 I
    C:\_OTM\MovedFiles\11212010_011316\C_WINDOWS\ixewejoguxa.dll a variant of Win32/Cimag.DV trojan (unable to clean) 00000000000000000000000000000000 I
    C:\_OTM\MovedFiles\12102010_222523\C_WINDOWS\ihobiper.dll a variant of Win32/Cimag.DV trojan (unable to clean) 00000000000000000000000000000000 I
    K:\System Volume Information\_restore{93D02D89-718A-4633-8674-1156B96F8406}\RP17\A0005289.exe a variant of Win32/Keygen.AD application (unable to clean) 00000000000000000000000000000000 I
    K:\System Volume Information\_restore{93D02D89-718A-4633-8674-1156B96F8406}\RP17\A0005318.exe a variant of Win32/Keygen.AA application (unable to clean) 00000000000000000000000000000000 I
    K:\System Volume Information\_restore{93D02D89-718A-4633-8674-1156B96F8406}\RP17\A0005354.exe a variant of Win32/Keygen.AD application (unable to clean) 00000000000000000000000000000000 I
    ${Memory} Win32/Bamital.EV trojan 00000000000000000000000000000000 I
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

     
  19. JayNori

    JayNori Newcomer, in training Topic Starter Posts: 27

    Well the only thing is I don't have a XP Cd, will that be a problem?
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    A problem in that it will limit what you can do. If you wipe the drive you are going to have to replace the operating system. I'll check to see if there is any way around this- do you have the license key for the OS? You will need some legitimate source of Windows XP and then it has to be validated.

    I will check to see if Repair is an option- you can get into the system, correct?