Resolved Rogue antivirus security tools will not be removed by Malwarebytes, Help please

Okay, well, to start off: I can run Windows in normal mode, and I tried to run ComboFix in normal mode, but it wouldn't let me; it would reboot my computer and wouldn't continue the process. ComboFix did run in safe mode, though, and I was able to do the complete scan. I do not have the CD for the operating system on my computer because I downgraded to XP; I have the CD for Vista. There is no message when I log on to Normal Mode, and I do have internet access, but it still redirects me when I search for something in Google.

Here is the log.
ComboFix 10-11-21.01 - Administrator 11/25/2010 11:46:09.1.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1013.859 [GMT -5:00]
Running from: c:\documents and settings\Administrator.JAY-BB4D1EF4B91\Desktop\jaynori.exe
Command switches used :: I:\CFScript.txt

FILE ::
"c:\windows\system32\drivers\vewji.sys"
"c:\windows\system32\SETUPAPI.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jay Jay\Local Settings\Application Data\{30D1A54D-FC50-43F6-8173-0D2E7FAFD035}
c:\documents and settings\Jay Jay\Local Settings\Application Data\{30D1A54D-FC50-43F6-8173-0D2E7FAFD035}\chrome.manifest
c:\documents and settings\Jay Jay\Local Settings\Application Data\{30D1A54D-FC50-43F6-8173-0D2E7FAFD035}\chrome\content\_cfg.js
c:\documents and settings\Jay Jay\Local Settings\Application Data\{30D1A54D-FC50-43F6-8173-0D2E7FAFD035}\chrome\content\overlay.xul
c:\documents and settings\Jay Jay\Local Settings\Application Data\{30D1A54D-FC50-43F6-8173-0D2E7FAFD035}\install.rdf

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

c:\windows\system32\midimap.dll . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_eixqcdue


((((((((((((((((((((((((( Files Created from 2010-10-25 to 2010-11-25 )))))))))))))))))))))))))))))))
.

2010-11-22 02:59 . 2010-11-22 03:08 -------- d-----w- C:\jaynori
2010-11-22 02:54 . 2010-11-22 02:54 -------- d-----w- C:\$AVG
2010-11-21 06:13 . 2010-11-21 06:13 -------- d-----w- C:\_OTM
2010-11-05 03:28 . 2010-11-05 03:28 -------- d-----w- C:\extensions
2010-11-05 03:12 . 2010-11-05 03:12 -------- d-----r- C:\MSOCache
2010-11-05 03:10 . 2010-11-05 03:10 -------- d-----w- C:\Intel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 16:23 . 2008-04-14 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-04-14 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-04-14 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2008-04-14 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:57 . 2009-06-13 17:58 1016320 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:57 . 2009-06-13 17:51 1598464 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-10 05:57 . 2009-06-13 17:35 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 16:17 . 2010-09-08 16:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 16:17 . 2010-09-08 16:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51 . 2008-04-14 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:38 . 2009-06-13 17:30 1861888 ----a-w- c:\windows\system32\win32k.sys
.

------- Sigcheck -------

[-] 2009-06-13 . 038CA45522FE9B756EFB90DBFA9141EA . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys

[-] 2009-06-13 . EC4D66049FCFE818C1D1738DB9A6E5C8 . 568832 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2009-08-06 . F7B2E1B864661A543338AF598F5B9115 . 79072 . . [7.4.7600.226] . . c:\windows\7SP_Files\wuauclt.exe
[7] 2009-08-06 . 62BB79160F86CD962F312C68C6239BFD . 53472 . . [7.4.7600.226] . . c:\windows\7SP_Files\backup\wuauclt.exe
[-] 2009-08-06 . F7B2E1B864661A543338AF598F5B9115 . 79072 . . [7.4.7600.226] . . c:\windows\system32\wuauclt.exe

[-] 2010-08-23 . 54223CA7190149BE59E1D10413AB88F5 . 724992 . . [5.82] . . c:\windows\7SP_Files\comctl32.dll
[7] 2010-08-23 . 93AFB83FBC1F9443CAC722FCA63D73BF . 617472 . . [5.82] . . c:\windows\7SP_Files\backup\comctl32.dll
[-] 2010-08-23 . 54223CA7190149BE59E1D10413AB88F5 . 724992 . . [5.82] . . c:\windows\system32\comctl32.dll
[-] 2010-08-23 . 54223CA7190149BE59E1D10413AB88F5 . 724992 . . [5.82] . . c:\windows\system32\dllcache\comctl32.dll
[7] 2010-08-23 . 736B12B725AEB2B07F0241A9F680CB10 . 1054208 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
[-] 2009-05-17 . 45B909FB560A7BED67B3457945999013 . 653312 . . [5.82] . . c:\windows\$NtUninstallKB2296011$\comctl32.dll
[-] 2009-05-17 . C6CC0229FA60F9E5A2F9E6FD52878665 . 1064448 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
[-] 2009-05-17 . 303673E56D0524AF50B339BD8618E5AC . 931840 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll

[-] 2010-09-10 . 4FADACE7BA753F74F23F34E0EB275BD0 . 6182400 . . [8.00.6001.23067] . . c:\windows\7SP_Files\mshtml.dll
[7] 2010-09-10 . 8A03CC037E6B7D1796192815231B0C3F . 5958656 . . [8.00.6001.23067] . . c:\windows\7SP_Files\backup\mshtml.dll
[-] 2010-09-10 . 4FADACE7BA753F74F23F34E0EB275BD0 . 6182400 . . [8.00.6001.23067] . . c:\windows\system32\mshtml.dll
[-] 2010-09-10 . 4FADACE7BA753F74F23F34E0EB275BD0 . 6182400 . . [8.00.6001.23067] . . c:\windows\system32\dllcache\mshtml.dll
[-] 2009-06-13 . C94EE53BB0A926279C4C67522031FB7A . 6077440 . . [8.00.6001.22873] . . c:\windows\ie8updates\KB2360131-IE8\mshtml.dll

[-] 2009-06-13 . 05F5164AC40A1D5DE2188B58DD82101F . 648704 . . [5.1.2600.5512] . . c:\windows\7SP_Files\user32.dll
[-] 2009-06-13 . 99C1ACB1B8F0F2CECC56515E502B5120 . 575488 . . [5.1.2600.5512] . . c:\windows\7SP_Files\backup\user32.dll
[-] 2009-06-13 . 05F5164AC40A1D5DE2188B58DD82101F . 648704 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll

[-] 2010-09-10 . 9B374EFDAD4930CB67C57869E12FCBBF . 1016320 . . [8.00.6001.23060] . . c:\windows\7SP_Files\wininet.dll
[7] 2010-09-10 . 0555E190DCD06B8998E6DDCA42DAEB82 . 919552 . . [8.00.6001.23060] . . c:\windows\7SP_Files\backup\wininet.dll
[-] 2010-09-10 . 9B374EFDAD4930CB67C57869E12FCBBF . 1016320 . . [8.00.6001.23060] . . c:\windows\system32\wininet.dll
[-] 2010-09-10 . 9B374EFDAD4930CB67C57869E12FCBBF . 1016320 . . [8.00.6001.23060] . . c:\windows\system32\dllcache\wininet.dll
[-] 2009-06-13 . A09FCA16773A52C6CB0756D84A5509E4 . 971776 . . [8.00.6001.22873] . . c:\windows\ie8updates\KB2360131-IE8\wininet.dll

[-] 2009-06-13 . C64877ED8A2092D28D5119C8270117EC . 1512448 . . [6.00.2900.5634] . . c:\windows\explorer.exe
[-] 2009-06-13 . 6B29E8DCF44B1E2434C4F6F903AE41C8 . 1512448 . . [6.00.2900.5634] . . c:\windows\7SP_Files\explorer.exe
[-] 2009-06-13 . 7C20A150945965CC47E8289636BF4346 . 2117632 . . [6.00.2900.5634] . . c:\windows\7SP_Files\backup\explorer.exe

[-] 2010-07-16 . 149217B62C933505058C8FC4BBE5FD37 . 1341440 . . [5.1.2600.6010] . . c:\windows\7SP_Files\ole32.dll
[7] 2010-07-16 . 8D51FB47062F2A1A9EFECCEF338A4C46 . 1289216 . . [5.1.2600.6010] . . c:\windows\7SP_Files\backup\ole32.dll
[-] 2010-07-16 . 149217B62C933505058C8FC4BBE5FD37 . 1341440 . . [5.1.2600.6010] . . c:\windows\system32\ole32.dll
[-] 2010-07-16 . 149217B62C933505058C8FC4BBE5FD37 . 1341440 . . [5.1.2600.6010] . . c:\windows\system32\dllcache\ole32.dll
[7] 2009-06-13 . 0A80305BFB7346ACB49FD5611B675EC5 . 1288192 . . [5.1.2600.5685] . . c:\windows\$NtUninstallKB979687$\ole32.dll

[-] 2009-06-13 . CBF5945651C96E471B3A004BBDC36864 . 37376 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe

[-] 2009-06-13 . D440FD3EA29AEB8AC99F22986A87D345 . 727904 . . [8.00.6001.18702] . . c:\windows\7SP_Files\IEXPLORE.EXE
[-] 2009-06-13 . 56A2008025323B8D2B49184CC6F3FAA1 . 535904 . . [8.00.6001.18702] . . c:\windows\7SP_Files\backup\IEXPLORE.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VistaDrive"="c:\windows\VistaDrive\VistaDrive.exe" [2006-10-06 280779]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [BU]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-01-07 429392]
"RTHDCPL"="RTHDCPL.EXE" [2008-09-02 16851456]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-16 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-16 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-16 138008]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2010-06-16 77824]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"CIAxxxxxxx.exe"="c:\ciaxxxxxxx.exe\CIAxxxxxxx.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-06-13 128512]

c:\documents and settings\Jay Jay\Start Menu\Programs\Startup\
Refresh Icon Cache.lnk - c:\windows\7SP_Files\Refresh Icon Cache\Refresh Icon Cache.exe [2010-11-5 203139]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-11-05 03:22 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [11/4/2010 9:46 PM 12552]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/4/2010 9:46 PM 108552]
R3 MBX2DFU;Digidesign Mbox 2 Firmware Updater;c:\windows\system32\drivers\dgmbx2fu.sys [11/13/2010 10:14 AM 21648]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/4/2010 9:46 PM 335240]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/22/2010 11:20 PM 135336]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [11/9/2010 7:32 PM 16400]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/4/2010 10:18 PM 236368]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [4/19/2010 12:45 PM 1050440]
S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [11/9/2010 7:32 PM 85008]
S3 DGUSBAP;Service for Digidesign Mbox2 (WDM);c:\windows\system32\drivers\dgmbx2.sys [11/13/2010 10:14 AM 129040]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/4/2010 10:18 PM 19160]
S3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;c:\windows\system32\drivers\mbx2midk.sys [11/9/2010 7:32 PM 21904]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [2/25/2010 10:18 AM 10064]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-11-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]

2010-11-14 c:\windows\Tasks\Automatic maintenance.job
- c:\program files\TuneUp Utilities 2010\OneClickStarter.exe [2010-04-19 17:51]

2010-11-23 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Jay Jay.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2010-11-05 20:07]

2010-11-23 c:\windows\Tasks\Malwarebytes' Scheduled Update for Jay Jay.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2010-11-05 20:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {757ACDF3-519A-40D4-A448-B7C20F55602E} = 4.2.2.1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-25 11:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1957994488-1500820517-1606980848-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,17,3f,4b,0f,7b,e6,e2,47,8f,fd,d4,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,17,3f,4b,0f,7b,e6,e2,47,8f,fd,d4,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\cscui.dll

- - - - - - - > 'lsass.exe'(784)
c:\windows\system32\SETUPAPI.dll
.
Completion time: 2010-11-25 11:54:41 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-25 16:54
ComboFix2.txt 2010-11-22 03:18
ComboFix3.txt 2010-11-22 03:08

Pre-Run: 473,249,062,912 bytes free
Post-Run: 473,339,666,432 bytes free

- - End Of File - - 9AFCDCFDD3D78E973F8ACB5BBFDC0268
 
I've had the flu. I'm trying to catch up now. If you PM me in the future, kindly give me the URL of your thread.
Are you having anything else except the redirect? These scans need to be run in Normal Mode. Some processes don't start in Safe Mode and I won't see them.

Rescan with Eset online:

Run the Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
======================================
Download HijackThis from http://download.bleepingcomputer.com/hijackthis/HijackThis.zip and save it to your desktop.
  • Extract it to a directory on your hard drive called c:\HijackThis.
  • Then navigate to that directory and double-click on the hijackthis.exe file.
  • When started click on the Scan button and then the Save Log button to create a log of your information.
  • The log file will then open in Notepad. Be sure to click Format > Uncheck Word Wrap when you open Notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
 
Sorry about the delay, but here's the Online Scanner log file. I'll send the other soon.


ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=0440d6d6e40a9b468a2a5d19e87a990f
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-11-20 04:43:19
# local_time=2010-11-20 11:43:19 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777175 100 0 423077 423077 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=57012
# found=3
# cleaned=0
# scan_time=1525
C:\Documents and Settings\Jay Jay\Application Data\hotfix.exe a variant of Win32/Adware.FakeAntiSpy.S application 00000000000000000000000000000000 I
C:\Documents and Settings\Jay Jay\My Documents\Downloads\Acoustica.Mixcraft.v5.1.149.AiR\setup.exe NSIS/TrojanDownloader.FakeAlert.DK.Gen trojan 00000000000000000000000000000000 I
C:\WINDOWS\ixewejoguxa.dll a variant of Win32/Cimag.EE trojan 00000000000000000000000000000000 I
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=0440d6d6e40a9b468a2a5d19e87a990f
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-12-05 10:03:12
# local_time=2010-12-05 05:03:12 (-0500, Eastern Standard Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777175 100 0 173047 173047 0 0
# compatibility_mode=1797 16775125 100 93 0 27166567 0 0
# compatibility_mode=8192 67108863 100 0 389583 389583 0 0
# scanned=107614
# found=14
# cleaned=0
# scan_time=9781
C:\Qoobox\Quarantine\C\Documents and Settings\Jay Jay\Local Settings\Application Data\78354931.exe.vir a variant of Win32/Kryptik.IIA trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\uqiqotiw.dll.vir a variant of Win32/Cimag.DV trojan 00000000000000000000000000000000 I
C:\WINDOWS\explorer.exe Win32/Bamital.EV trojan 00000000000000000000000000000000 I
C:\WINDOWS\ihobiper.dll a variant of Win32/Cimag.DV trojan 00000000000000000000000000000000 I
C:\WINDOWS\7SP_Files\Windows File Protection Switcher\Windows File Protection Switcher.exe a variant of Win32/HackTool.Patcher.B application 00000000000000000000000000000000 I
C:\WINDOWS\system32\winlogon.exe Win32/Bamital.EV trojan 00000000000000000000000000000000 I
C:\_OTM\MovedFiles\11212010_011316\C_Documents and Settings\Jay Jay\My Documents\Downloads\Acoustica.Mixcraft.v5.1.149.AiR\setup.exe NSIS/TrojanDownloader.FakeAlert.DK.Gen trojan 00000000000000000000000000000000 I
C:\_OTM\MovedFiles\11212010_011316\C_WINDOWS\ixewejoguxa.dll a variant of Win32/Cimag.DV trojan 00000000000000000000000000000000 I
K:\Hard Drive\Plugins and Programs\FriendBlaster Pro 10.4.0.rar Win32/HackTool.Patcher.A application 00000000000000000000000000000000 I
K:\Hard Drive\Plugins and Programs\NiPro-53.zip probably a variant of Win32/Agent.DUBEDBP trojan 00000000000000000000000000000000 I
K:\Hard Drive\Plugins and Programs\Tone2FireBird Vst Installion\keygen.exe a variant of Win32/Keygen.AD application 00000000000000000000000000000000 I
K:\Hard Drive\Plugins and Programs\IZotope.Ozone.VST.DX.RTAS.HTDM.v4.01.Incl.Keygen\keygen.exe a variant of Win32/Keygen.AD application 00000000000000000000000000000000 I
K:\Hard Drive\Plugins and Programs\Wave Plugins\Waves Plugins\DX RTAS VST\Native Instruments Kontakt 1.5.0.5\Setup.exe a variant of Win32/Keygen.AA application 00000000000000000000000000000000 I
${Memory} Win32/Bamital.EV trojan 00000000000000000000000000000000 I
 
HijackThis Log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:36:25 PM, on 12/5/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
C:\WINDOWS\VistaDrive\VistaDrive.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\BitTorrent\BitTorrent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\WINDOWS\7SP_Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [VistaDrive] C:\WINDOWS\VistaDrive\VistaDrive.exe
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe -H
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] "C:\WINDOWS\is-S899T.exe" /REG
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TransBar] C:\WINDOWS\7SP_Files\TransBar\TransBar.exe /s
O4 - HKUS\S-1-5-18\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [CIA8498xx.exe] C:\CIA8498xx.exe\CIA8498xx.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe" (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Refresh Icon Cache.lnk = C:\WINDOWS\7SP_Files\Refresh Icon Cache\Refresh Icon Cache.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1288925219531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1288925214703
O17 - HKLM\System\CCS\Services\Tcpip\..\{757ACDF3-519A-40D4-A448-B7C20F55602E}: NameServer = 4.2.2.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe
O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe

--
End of file - 8498 bytes
 
What is the H Drive?

Run this:

Download CKScanner and save to your desktop.
  • Doubleclick CKScanner.exe and click Search For Files.
  • When the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
 
I have reopened the thread, at least briefly. The following first group is the log you sent in a PM. I don't do support in that area. The second is a listing of new infections found after the previous cleaning, which shows entries with keygens. This is evidence of pirated programs. Apparently you attempted to load pirated programs onto your system from a memory card.

CKScanner log sent by OP:
CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\jay jay\start menu\programs\waves\documents\x-crackle help.lnk
c:\program files\common files\digidesign\dae\plug-in settings\eq 3.0\snare\emphasize crack 2.tfx
c:\program files\common files\digidesign\dae\plug-in settings\eq 3.0\snare\emphasize crack.tfx
c:\program files\common files\digidesign\dae\plug-in settings\eq 3.0\_1 band eq\snare\emphasize crack 2.tfx
c:\program files\common files\digidesign\dae\plug-in settings\eq 3.0\_1 band eq\snare\emphasize crack.tfx
c:\program files\image-line\hardcore\presets\i cracked my tube!.hdprg
c:\program files\image-line\sawer\presets\ambient\mc cracked.sawer
c:\program files\waves\plug-ins\xcrackle.dll
c:\program files\waves\plug-ins\xcrackle.dll.rsr
c:\program files\waves\plug-ins\documents\xcrackle.pdf
c:\program files\waves\plug-ins\plug-in settings\x-crackle settings.xps
scanner sequence 3.CH.11
----- EOF -----
New infections found in 2nd Eset log:
C:\WINDOWS\explorer.exe Win32/Bamital.EV trojan
C:\WINDOWS\ihobiper.dll a variant of Win32/Cimag.DV trojan
C:\WINDOWS\7SP_Files\Windows File Protection Switcher\Windows File Protection Switcher.exe a variant of Win32/HackTool.Patcher.B application
C:\WINDOWS\system32\winlogon.exe Win32/Bamital.EV trojan
K:\Hard Drive\Plugins and Programs\FriendBlaster Pro 10.4.0.rar Win32/HackTool.Patcher.A application
K:\Hard Drive\Plugins and Programs\NiPro-53.zip probably a variant of Win32/Agent.DUBEDBP trojan
K:\Hard Drive\Plugins and Programs\Tone2FireBird Vst Installion\keygen.exe a variant of Win32/Keygen.AD application
K:\Hard Drive\Plugins and Programs\IZotope.Ozone.VST.DX.RTAS.HTDM.v4.01.Incl.Keygen\keygen.exe a variant of Win32/Keygen.AD application
K:\Hard Drive\Plugins and Programs\Wave Plugins\Waves Plugins\DX RTAS VST\Native Instruments Kontakt 1.5.0.5\Setup.exe a variant of Win32/Keygen.AA application
${Memory} Win32/Bamital.EV trojan

Cracks and keygens indicate that in order to get a program or application, the serial key or license key has been obtained from a file sharing program, obtaining the program free instead of paying for it. This is called piracy. It is illegal and we don't support piracy.

As long as you participate in this type of activity, you are going to get malware, along with the 'key' to steal the program. If you have some other explanation about these entries that tells me otherwise, I will listen.
 
I'm really sorry, but a friend of mine lent me the hard drive because the programs he had were what I needed, and I wasn't told how he had gotten them; he only said a friend of his got them for him. If I had known this I wouldn't have used it. I do not support piracy either, but I guess I should have known that they were pirated.
 
Please run a new Eset scan.
=============================
You also still have both AVG and Avira running. This makes the system more vulnerable, so one of them needs to be removed. Here is some help:
  • AVG Removal: Note: You may have to reinstall AVG to uninstall it fully
  • Avira Manual Removal

    • Start> Settings> Control Panel> Add or Remove Programs (Windows 2000/ XP) or Start - Control Panel - Uninstall a program (Windows Vista / 7)
    • Wait for the list of installed programs to load, then click the name of the Avira program.
    • Click Remove next to the program's name (Windows 2000 / XP) or in the menu above the list (Windows Vista / 7).
    • Press Yes, to confirm the removal and then OK.
    • Click Next until Finish. The software is removed.
    Reboot the computer when finished.
    ==============================
    Then repeat HijackThis so we can make sure no bad entries remain.
 
It's strange. I'm sure I had removed every pirated program's presence, yet the keygens still appear. Why is this?


Eset Log

C:\Qoobox\Quarantine\C\WINDOWS\uqiqotiw.dll.vir a variant of Win32/Cimag.DV trojan
C:\WINDOWS\explorer.exe Win32/Bamital.EV trojan
C:\WINDOWS\ihobiper.dll a variant of Win32/Cimag.DV trojan
C:\WINDOWS\system32\winlogon.exe Win32/Bamital.EV trojan
C:\_OTM\MovedFiles\11212010_011316\C_Documents and Settings\Jay Jay\My Documents\Downloads\Acoustica.Mixcraft.v5.1.149.AiR\setup.exe NSIS/TrojanDownloader.FakeAlert.DK.Gen trojan
C:\_OTM\MovedFiles\11212010_011316\C_WINDOWS\ixewejoguxa.dll a variant of Win32/Cimag.DV trojan
K:\System Volume Information\_restore{93D02D89-718A-4633-8674-1156B96F8406}\RP17\A0005289.exe a variant of Win32/Keygen.AD application
K:\System Volume Information\_restore{93D02D89-718A-4633-8674-1156B96F8406}\RP17\A0005318.exe a variant of Win32/Keygen.AA application
K:\System Volume Information\_restore{93D02D89-718A-4633-8674-1156B96F8406}\RP17\A0005354.exe a variant of Win32/Keygen.AD application
Operating memory Win32/Bamital.EV trojan


HijackThis Log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:02:38 AM, on 12/10/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
C:\WINDOWS\VistaDrive\VistaDrive.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\WINDOWS\7SP_Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [VistaDrive] C:\WINDOWS\VistaDrive\VistaDrive.exe
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe -H
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TransBar] C:\WINDOWS\7SP_Files\TransBar\TransBar.exe /s
O4 - HKUS\S-1-5-18\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [CIA7870xx.exe] C:\CIA7870xx.exe\CIA7870xx.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe" (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Refresh Icon Cache.lnk = C:\WINDOWS\7SP_Files\Refresh Icon Cache\Refresh Icon Cache.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1288925219531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1288925214703
O17 - HKLM\System\CCS\Services\Tcpip\..\{757ACDF3-519A-40D4-A448-B7C20F55602E}: NameServer = 4.2.2.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe
O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe

--
End of file - 7870 bytes
 
You're getting there. The entries in the Eset log are of 3 types:
1. Qoobox: this is where Combofix puts the files it has quarantined. Those entries are no longer active and will be removed at the end when I have you uninstall Combofix.
2. System Volume: these are the restore points. These are not active. The only way they could cause a problem is if you happened to choose one of the infected files to do a System restore. Those also will be removed at the end.
3. The following are the active infections that need to be moved as follows:

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Processes	
    
    :Files  
    C:\WINDOWS\explorer.exe 
    C:\WINDOWS\ihobiper.dll 
    C:\WINDOWS\system32\winlogon.exe 
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

The Win32/Bamital Trojan is still in the system, most likely because it's in the memory. Trojan:Win32/Bamital.A is a trojan often installed by other malware. It monitors and modifies Web search queries and displays advertisements. It is triggered when the browser is Internet Explorer, Opera, Firefox, Chrome, or Safari.

The payload modifies browsing behavior: it patches and redirects the following functions of the Windows Socket module, which are used by the browser, to its malicious routine so it can monitor and modify Web search queries and offer its own online advertisements.

Let's try to replace the infected files:
Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it: Be sure to scroll down to include ALL lines.
Code:
File::

Folder::

Registry::

Driver::
Fcopy::
c:\windows\ServicePackFiles\i386\winlogon.exe |  c:\windows\system32\winlogon.exe
c:\windows\ServicePackFiles\i386\explorer.exe| c:\windows\explorer.exe
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
After doing this, run a new Eset scan- hopefully there won't be any new infections. If you are still getting active, new malware infections after replacing the 2 files, I will recommend a reformat/reinstall.
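As an added example, not part of the thread and not code from ComboFix, OTMoveIt or ESET: the Python script below applies the three-way triage described above (quarantine, restore point, active) to ESET log lines in the format quoted in this thread, and, for the Fcopy step, hashes a live system file against a pristine backup copy to confirm it actually differs before it is overwritten. The sample log lines are constructed from the formats seen in the thread; treating C:\_OTM\MovedFiles as a fourth quarantine location is my assumption, based on the OTM log in this thread showing that is where moved files land.

```python
"""Triage of ESET Online Scanner detections (constructed example, not from the thread)."""
import hashlib
import os
import re
import tempfile
from typing import Dict, List, Optional, Tuple

# One ESET detection line: <path> <detection> [(note)] [<32-hex id> <flag>]
# The path may contain spaces, so it is matched lazily and the detection name
# is anchored on the "Vendor/Family.Variant type" shape ESET uses.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<detection>(?:probably )?(?:a variant of )?"
    r"(?:[A-Za-z0-9]+/\S+ (?:trojan|application)|multiple threats))"
    r"(?: \((?P<note>[^)]*)\))?"
    r"(?: (?P<id>[0-9a-fA-F]{32}) (?P<flag>\S+))?$"
)

# Constructed sample, modelled on the log lines quoted in this thread.
SAMPLE_LOG = r"""
# scanned=85080
# found=7
C:\Qoobox\Quarantine\C\WINDOWS\uqiqotiw.dll.vir a variant of Win32/Cimag.DV trojan (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\explorer.exe Win32/Bamital.EV trojan (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\ihobiper.dll a variant of Win32/Cimag.DV trojan 00000000000000000000000000000000 I
C:\_OTM\MovedFiles\11212010_011316\C_WINDOWS\ixewejoguxa.dll a variant of Win32/Cimag.DV trojan (unable to clean) 00000000000000000000000000000000 I
K:\System Volume Information\_restore{93D02D89-718A-4633-8674-1156B96F8406}\RP17\A0005289.exe a variant of Win32/Keygen.AD application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Jay Jay\Application Data\Sun\Java\Deployment\cache\6.0\26\7646669a-1ffc6d94 multiple threats (unable to clean) 00000000000000000000000000000000 I
${Memory} Win32/Bamital.EV trojan 00000000000000000000000000000000 I
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one detection line, or None for headers/blank lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = DETECTION_RE.match(line)
    if not m:
        return None
    return {k: (v or "") for k, v in m.groupdict().items()}


def classify(path: str) -> str:
    """Bucket a detection path the way the helper in the thread does.

    quarantine    - ComboFix's Qoobox folder; the _OTM\MovedFiles folder is
                    added here on the assumption (from the OTM log in the
                    thread) that it is OTMoveIt's equivalent
    restore_point - System Volume Information (System Restore snapshots)
    memory        - in-memory detections, which are active by definition
    active        - everything else, i.e. files still in place on the system
    """
    p = path.lower()
    if p.startswith("${memory}") or p.startswith("operating memory"):
        return "memory"
    if "\\qoobox\\quarantine\\" in p or "\\_otm\\movedfiles\\" in p:
        return "quarantine"
    if "\\system volume information\\" in p:
        return "restore_point"
    return "active"


def triage(log_text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group (path, detection) pairs from an ESET log by bucket."""
    buckets: Dict[str, List[Tuple[str, str]]] = {
        "active": [], "memory": [], "quarantine": [], "restore_point": []
    }
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            buckets[classify(rec["path"])].append((rec["path"], rec["detection"]))
    return buckets


def sha256_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def differs_from_backup(live_path: str, backup_path: str) -> bool:
    """True when the live file's hash differs from a pristine copy, e.g. the one
    under %windir%\\ServicePackFiles\\i386 that the Fcopy step restores from."""
    return sha256_file(live_path) != sha256_file(backup_path)


def demo_backup_check() -> Tuple[bool, bool]:
    """Self-contained demo: a backup, an identical live copy and a patched live
    copy are written to a temp dir (constructed data) and checked against the
    backup. Returns (clean_differs, patched_differs)."""
    with tempfile.TemporaryDirectory() as d:
        backup = os.path.join(d, "winlogon.exe.bak")
        clean = os.path.join(d, "winlogon_clean.exe")
        patched = os.path.join(d, "winlogon_patched.exe")
        body = b"MZ" + b"\x00" * 64 + b"original code"
        for p, data in ((backup, body), (clean, body), (patched, body + b"\x90" * 8)):
            with open(p, "wb") as f:
                f.write(data)
        return differs_from_backup(clean, backup), differs_from_backup(patched, backup)


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(f"{bucket}: {len(items)}")
        for path, detection in items:
            print(f"  {path}  ->  {detection}")
    print("backup check (clean, patched):", demo_backup_check())
```

Only the "active" and "memory" buckets need action; the other two are dealt with when quarantine folders and restore points are cleared at the end of a cleanup. The hash check is the honest way to decide whether a protected file such as winlogon.exe really has been patched: a signature hit on a file that hashes identically to its ServicePackFiles copy is a false positive, while a mismatch confirms the copy step is warranted.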
 
Here's the log for OTMoveIt. ComboFix has some problems: it reboots the computer and won't run when it restarts; it says it needs to find a program that can open a file. I'll tell you the file name in the next reply.



All processes killed
========== PROCESSES ==========
========== FILES ==========
Item C:\WINDOWS\explorer.exe is whitelisted and cannot be moved.
DllUnregisterServer procedure not found in C:\WINDOWS\ihobiper.dll
C:\WINDOWS\ihobiper.dll moved successfully.
Item C:\WINDOWS\system32\winlogon.exe is whitelisted and cannot be moved.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Administrator.JAY-BB4D1EF4B91
->Temp folder emptied: 101 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->FireFox cache emptied: 4550528 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Jay Jay
->Temp folder emptied: 2960794 bytes
->Temporary Internet Files folder emptied: 52370075 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 106962817 bytes
->Flash cache emptied: 4066 bytes

User: LocalService
->Temporary Internet Files folder emptied: 509455 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 571956 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 442 bytes

Total Files Cleaned = 160.00 mb


OTM by OldTimer - Version 3.1.17.2 log created on 12102010_222523
 
Okay, so what happens with ComboFix is: at first a prompt pops up saying Windows cannot find a program for file nircmd.cfxxe, then it says that "ComboFix has detected the presence of rootkit activity and needs to reboot the machine", and when it reboots another prompt pops up saying it cannot open CF12616.cfxxe.
 
You already have Combofix on the desktop. It has already been run. Are you following this direction in Reply #38?
Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it: Be sure to scroll down to include ALL lines.

  • There is a chance that the cracks and keygens corrupted files needed to run this again.

    Run the Eset scan to see if there is something else on the system.
 
Yes, I did exactly what you told me and that came up. Here's the new log from Eset. I'm guessing I should format my hard drive.


ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=0440d6d6e40a9b468a2a5d19e87a990f
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-11-20 04:43:19
# local_time=2010-11-20 11:43:19 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777175 100 0 423077 423077 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=57012
# found=3
# cleaned=0
# scan_time=1525
C:\Documents and Settings\Jay Jay\Application Data\hotfix.exe a variant of Win32/Adware.FakeAntiSpy.S application 00000000000000000000000000000000 I
C:\Documents and Settings\Jay Jay\My Documents\Downloads\Acoustica.Mixcraft.v5.1.149.AiR\setup.exe NSIS/TrojanDownloader.FakeAlert.DK.Gen trojan 00000000000000000000000000000000 I
C:\WINDOWS\ixewejoguxa.dll a variant of Win32/Cimag.EE trojan 00000000000000000000000000000000 I
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=0440d6d6e40a9b468a2a5d19e87a990f
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-12-05 10:03:12
# local_time=2010-12-05 05:03:12 (-0500, Eastern Standard Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777175 100 0 173047 173047 0 0
# compatibility_mode=1797 16775125 100 93 0 27166567 0 0
# compatibility_mode=8192 67108863 100 0 389583 389583 0 0
# scanned=107614
# found=14
# cleaned=0
# scan_time=9781
C:\Qoobox\Quarantine\C\Documents and Settings\Jay Jay\Local Settings\Application Data\78354931.exe.vir a variant of Win32/Kryptik.IIA trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\uqiqotiw.dll.vir a variant of Win32/Cimag.DV trojan 00000000000000000000000000000000 I
C:\WINDOWS\explorer.exe Win32/Bamital.EV trojan 00000000000000000000000000000000 I
C:\WINDOWS\ihobiper.dll a variant of Win32/Cimag.DV trojan 00000000000000000000000000000000 I
C:\WINDOWS\7SP_Files\Windows File Protection Switcher\Windows File Protection Switcher.exe a variant of Win32/HackTool.Patcher.B application 00000000000000000000000000000000 I
C:\WINDOWS\system32\winlogon.exe Win32/Bamital.EV trojan 00000000000000000000000000000000 I
C:\_OTM\MovedFiles\11212010_011316\C_Documents and Settings\Jay Jay\My Documents\Downloads\Acoustica.Mixcraft.v5.1.149.AiR\setup.exe NSIS/TrojanDownloader.FakeAlert.DK.Gen trojan 00000000000000000000000000000000 I
C:\_OTM\MovedFiles\11212010_011316\C_WINDOWS\ixewejoguxa.dll a variant of Win32/Cimag.DV trojan 00000000000000000000000000000000 I
K:\Hard Drive\Plugins and Programs\FriendBlaster Pro 10.4.0.rar Win32/HackTool.Patcher.A application 00000000000000000000000000000000 I
K:\Hard Drive\Plugins and Programs\NiPro-53.zip probably a variant of Win32/Agent.DUBEDBP trojan 00000000000000000000000000000000 I
K:\Hard Drive\Plugins and Programs\Tone2FireBird Vst Installion\keygen.exe a variant of Win32/Keygen.AD application 00000000000000000000000000000000 I
K:\Hard Drive\Plugins and Programs\IZotope.Ozone.VST.DX.RTAS.HTDM.v4.01.Incl.Keygen\keygen.exe a variant of Win32/Keygen.AD application 00000000000000000000000000000000 I
K:\Hard Drive\Plugins and Programs\Wave Plugins\Waves Plugins\DX RTAS VST\Native Instruments Kontakt 1.5.0.5\Setup.exe a variant of Win32/Keygen.AA application 00000000000000000000000000000000 I
${Memory} Win32/Bamital.EV trojan 00000000000000000000000000000000 I
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6415
# api_version=3.0.2
# EOSSerial=0440d6d6e40a9b468a2a5d19e87a990f
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-12-10 04:58:21
# local_time=2010-12-09 11:58:21 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1797 16775141 100 93 0 27543243 0 0
# compatibility_mode=8192 67108863 100 0 766259 766259 0 0
# scanned=86796
# found=10
# cleaned=0
# scan_time=3609
C:\Qoobox\Quarantine\C\WINDOWS\uqiqotiw.dll.vir a variant of Win32/Cimag.DV trojan (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\explorer.exe Win32/Bamital.EV trojan (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\ihobiper.dll a variant of Win32/Cimag.DV trojan (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\system32\winlogon.exe Win32/Bamital.EV trojan (unable to clean) 00000000000000000000000000000000 I
C:\_OTM\MovedFiles\11212010_011316\C_Documents and Settings\Jay Jay\My Documents\Downloads\Acoustica.Mixcraft.v5.1.149.AiR\setup.exe NSIS/TrojanDownloader.FakeAlert.DK.Gen trojan (unable to clean) 00000000000000000000000000000000 I
C:\_OTM\MovedFiles\11212010_011316\C_WINDOWS\ixewejoguxa.dll a variant of Win32/Cimag.DV trojan (unable to clean) 00000000000000000000000000000000 I
K:\System Volume Information\_restore{93D02D89-718A-4633-8674-1156B96F8406}\RP17\A0005289.exe a variant of Win32/Keygen.AD application (unable to clean) 00000000000000000000000000000000 I
K:\System Volume Information\_restore{93D02D89-718A-4633-8674-1156B96F8406}\RP17\A0005318.exe a variant of Win32/Keygen.AA application (unable to clean) 00000000000000000000000000000000 I
K:\System Volume Information\_restore{93D02D89-718A-4633-8674-1156B96F8406}\RP17\A0005354.exe a variant of Win32/Keygen.AD application (unable to clean) 00000000000000000000000000000000 I
${Memory} Win32/Bamital.EV trojan 00000000000000000000000000000000 I
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6415
# api_version=3.0.2
# EOSSerial=0440d6d6e40a9b468a2a5d19e87a990f
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-12-12 08:27:03
# local_time=2010-12-12 03:27:03 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1797 16775141 100 93 0 27771721 0 0
# compatibility_mode=8192 67108863 100 0 991137 991137 0 0
# scanned=85080
# found=11
# cleaned=0
# scan_time=3654
C:\Documents and Settings\Jay Jay\Application Data\Sun\Java\Deployment\cache\6.0\26\7646669a-1ffc6d94 multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\uqiqotiw.dll.vir a variant of Win32/Cimag.DV trojan (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\explorer.exe Win32/Bamital.EV trojan (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\system32\winlogon.exe Win32/Bamital.EV trojan (unable to clean) 00000000000000000000000000000000 I
C:\_OTM\MovedFiles\11212010_011316\C_Documents and Settings\Jay Jay\My Documents\Downloads\Acoustica.Mixcraft.v5.1.149.AiR\setup.exe NSIS/TrojanDownloader.FakeAlert.DK.Gen trojan (unable to clean) 00000000000000000000000000000000 I
C:\_OTM\MovedFiles\11212010_011316\C_WINDOWS\ixewejoguxa.dll a variant of Win32/Cimag.DV trojan (unable to clean) 00000000000000000000000000000000 I
C:\_OTM\MovedFiles\12102010_222523\C_WINDOWS\ihobiper.dll a variant of Win32/Cimag.DV trojan (unable to clean) 00000000000000000000000000000000 I
K:\System Volume Information\_restore{93D02D89-718A-4633-8674-1156B96F8406}\RP17\A0005289.exe a variant of Win32/Keygen.AD application (unable to clean) 00000000000000000000000000000000 I
K:\System Volume Information\_restore{93D02D89-718A-4633-8674-1156B96F8406}\RP17\A0005318.exe a variant of Win32/Keygen.AA application (unable to clean) 00000000000000000000000000000000 I
K:\System Volume Information\_restore{93D02D89-718A-4633-8674-1156B96F8406}\RP17\A0005354.exe a variant of Win32/Keygen.AD application (unable to clean) 00000000000000000000000000000000 I
${Memory} Win32/Bamital.EV trojan 00000000000000000000000000000000 I
 
A problem in that it will limit what you can do. If you wipe the drive you are going to have to replace the operating system. I'll check to see if there is any way around this- do you have the license key for the OS? You will need some legitimate source of Windows XP and then it has to be validated.

I will check to see if Repair is an option- you can get into the system, correct?
 