[Resolved] Rogue antivirus security tools will not be removed by Malwarebytes, Help please

Discussion in 'Virus and Malware Removal' started by JayNori, Nov 20, 2010.

Thread Status:
Not open for further replies.
  1. Bobbye Helper on the Fringe

    You already have Combofix on the desktop. It has already been run. Are you following this direction in Reply #38?

    • There is a chance that the cracks and keygens corrupted files needed to run this again.

      Run the Eset scan to see if there is something else on the system.
  2. JayNori Newcomer, in training

    Yes, I did exactly what you told me and that came up. Here's the new log from Eset. I'm guessing I should format my hard drive.


    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=0440d6d6e40a9b468a2a5d19e87a990f
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-11-20 04:43:19
    # local_time=2010-11-20 11:43:19 (-0500, Eastern Standard Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=1024 16777175 100 0 423077 423077 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=57012
    # found=3
    # cleaned=0
    # scan_time=1525
    C:\Documents and Settings\Jay Jay\Application Data\hotfix.exe a variant of Win32/Adware.FakeAntiSpy.S application 00000000000000000000000000000000 I
    C:\Documents and Settings\Jay Jay\My Documents\Downloads\Acoustica.Mixcraft.v5.1.149.AiR\setup.exe NSIS/TrojanDownloader.FakeAlert.DK.Gen trojan 00000000000000000000000000000000 I
    C:\WINDOWS\ixewejoguxa.dll a variant of Win32/Cimag.EE trojan 00000000000000000000000000000000 I
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=0440d6d6e40a9b468a2a5d19e87a990f
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2010-12-05 10:03:12
    # local_time=2010-12-05 05:03:12 (-0500, Eastern Standard Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=1024 16777175 100 0 173047 173047 0 0
    # compatibility_mode=1797 16775125 100 93 0 27166567 0 0
    # compatibility_mode=8192 67108863 100 0 389583 389583 0 0
    # scanned=107614
    # found=14
    # cleaned=0
    # scan_time=9781
    C:\Qoobox\Quarantine\C\Documents and Settings\Jay Jay\Local Settings\Application Data\78354931.exe.vir a variant of Win32/Kryptik.IIA trojan 00000000000000000000000000000000 I
    C:\Qoobox\Quarantine\C\WINDOWS\uqiqotiw.dll.vir a variant of Win32/Cimag.DV trojan 00000000000000000000000000000000 I
    C:\WINDOWS\explorer.exe Win32/Bamital.EV trojan 00000000000000000000000000000000 I
    C:\WINDOWS\ihobiper.dll a variant of Win32/Cimag.DV trojan 00000000000000000000000000000000 I
    C:\WINDOWS\7SP_Files\Windows File Protection Switcher\Windows File Protection Switcher.exe a variant of Win32/HackTool.Patcher.B application 00000000000000000000000000000000 I
    C:\WINDOWS\system32\winlogon.exe Win32/Bamital.EV trojan 00000000000000000000000000000000 I
    C:\_OTM\MovedFiles\11212010_011316\C_Documents and Settings\Jay Jay\My Documents\Downloads\Acoustica.Mixcraft.v5.1.149.AiR\setup.exe NSIS/TrojanDownloader.FakeAlert.DK.Gen trojan 00000000000000000000000000000000 I
    C:\_OTM\MovedFiles\11212010_011316\C_WINDOWS\ixewejoguxa.dll a variant of Win32/Cimag.DV trojan 00000000000000000000000000000000 I
    K:\Hard Drive\Plugins and Programs\FriendBlaster Pro 10.4.0.rar Win32/HackTool.Patcher.A application 00000000000000000000000000000000 I
    K:\Hard Drive\Plugins and Programs\NiPro-53.zip probably a variant of Win32/Agent.DUBEDBP trojan 00000000000000000000000000000000 I
    K:\Hard Drive\Plugins and Programs\Tone2FireBird Vst Installion\keygen.exe a variant of Win32/Keygen.AD application 00000000000000000000000000000000 I
    K:\Hard Drive\Plugins and Programs\IZotope.Ozone.VST.DX.RTAS.HTDM.v4.01.Incl.Keygen\keygen.exe a variant of Win32/Keygen.AD application 00000000000000000000000000000000 I
    K:\Hard Drive\Plugins and Programs\Wave Plugins\Waves Plugins\DX RTAS VST\Native Instruments Kontakt 1.5.0.5\Setup.exe a variant of Win32/Keygen.AA application 00000000000000000000000000000000 I
    ${Memory} Win32/Bamital.EV trojan 00000000000000000000000000000000 I
    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6415
    # api_version=3.0.2
    # EOSSerial=0440d6d6e40a9b468a2a5d19e87a990f
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-12-10 04:58:21
    # local_time=2010-12-09 11:58:21 (-0500, Eastern Standard Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=1797 16775141 100 93 0 27543243 0 0
    # compatibility_mode=8192 67108863 100 0 766259 766259 0 0
    # scanned=86796
    # found=10
    # cleaned=0
    # scan_time=3609
    C:\Qoobox\Quarantine\C\WINDOWS\uqiqotiw.dll.vir a variant of Win32/Cimag.DV trojan (unable to clean) 00000000000000000000000000000000 I
    C:\WINDOWS\explorer.exe Win32/Bamital.EV trojan (unable to clean) 00000000000000000000000000000000 I
    C:\WINDOWS\ihobiper.dll a variant of Win32/Cimag.DV trojan (unable to clean) 00000000000000000000000000000000 I
    C:\WINDOWS\system32\winlogon.exe Win32/Bamital.EV trojan (unable to clean) 00000000000000000000000000000000 I
    C:\_OTM\MovedFiles\11212010_011316\C_Documents and Settings\Jay Jay\My Documents\Downloads\Acoustica.Mixcraft.v5.1.149.AiR\setup.exe NSIS/TrojanDownloader.FakeAlert.DK.Gen trojan (unable to clean) 00000000000000000000000000000000 I
    C:\_OTM\MovedFiles\11212010_011316\C_WINDOWS\ixewejoguxa.dll a variant of Win32/Cimag.DV trojan (unable to clean) 00000000000000000000000000000000 I
    K:\System Volume Information\_restore{93D02D89-718A-4633-8674-1156B96F8406}\RP17\A0005289.exe a variant of Win32/Keygen.AD application (unable to clean) 00000000000000000000000000000000 I
    K:\System Volume Information\_restore{93D02D89-718A-4633-8674-1156B96F8406}\RP17\A0005318.exe a variant of Win32/Keygen.AA application (unable to clean) 00000000000000000000000000000000 I
    K:\System Volume Information\_restore{93D02D89-718A-4633-8674-1156B96F8406}\RP17\A0005354.exe a variant of Win32/Keygen.AD application (unable to clean) 00000000000000000000000000000000 I
    ${Memory} Win32/Bamital.EV trojan 00000000000000000000000000000000 I
    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6415
    # api_version=3.0.2
    # EOSSerial=0440d6d6e40a9b468a2a5d19e87a990f
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-12-12 08:27:03
    # local_time=2010-12-12 03:27:03 (-0500, Eastern Standard Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=1797 16775141 100 93 0 27771721 0 0
    # compatibility_mode=8192 67108863 100 0 991137 991137 0 0
    # scanned=85080
    # found=11
    # cleaned=0
    # scan_time=3654
    C:\Documents and Settings\Jay Jay\Application Data\Sun\Java\Deployment\cache\6.0\26\7646669a-1ffc6d94 multiple threats (unable to clean) 00000000000000000000000000000000 I
    C:\Qoobox\Quarantine\C\WINDOWS\uqiqotiw.dll.vir a variant of Win32/Cimag.DV trojan (unable to clean) 00000000000000000000000000000000 I
    C:\WINDOWS\explorer.exe Win32/Bamital.EV trojan (unable to clean) 00000000000000000000000000000000 I
    C:\WINDOWS\system32\winlogon.exe Win32/Bamital.EV trojan (unable to clean) 00000000000000000000000000000000 I
    C:\_OTM\MovedFiles\11212010_011316\C_Documents and Settings\Jay Jay\My Documents\Downloads\Acoustica.Mixcraft.v5.1.149.AiR\setup.exe NSIS/TrojanDownloader.FakeAlert.DK.Gen trojan (unable to clean) 00000000000000000000000000000000 I
    C:\_OTM\MovedFiles\11212010_011316\C_WINDOWS\ixewejoguxa.dll a variant of Win32/Cimag.DV trojan (unable to clean) 00000000000000000000000000000000 I
    C:\_OTM\MovedFiles\12102010_222523\C_WINDOWS\ihobiper.dll a variant of Win32/Cimag.DV trojan (unable to clean) 00000000000000000000000000000000 I
    K:\System Volume Information\_restore{93D02D89-718A-4633-8674-1156B96F8406}\RP17\A0005289.exe a variant of Win32/Keygen.AD application (unable to clean) 00000000000000000000000000000000 I
    K:\System Volume Information\_restore{93D02D89-718A-4633-8674-1156B96F8406}\RP17\A0005318.exe a variant of Win32/Keygen.AA application (unable to clean) 00000000000000000000000000000000 I
    K:\System Volume Information\_restore{93D02D89-718A-4633-8674-1156B96F8406}\RP17\A0005354.exe a variant of Win32/Keygen.AD application (unable to clean) 00000000000000000000000000000000 I
    ${Memory} Win32/Bamital.EV trojan 00000000000000000000000000000000 I
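    Added example (not from this thread, ESET or Malwarebytes): a small Python parser for the ESET Online Scanner log layout posted above. It separates hits already sitting in a tool's quarantine or a restore point from infections of running OS components, which is the distinction behind the advice to wipe rather than keep cleaning. The log text is a constructed sample modeled on the posted logs; the category words and the core-file set are assumptions.

```python
import re

# Constructed sample in the layout of the ESET Online Scanner logs posted in this thread
SAMPLE_LOG = """\
# version=7
# scanned=85080
# found=4
# cleaned=0
C:\\WINDOWS\\explorer.exe Win32/Bamital.EV trojan (unable to clean) 00000000000000000000000000000000 I
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\uqiqotiw.dll.vir a variant of Win32/Cimag.DV trojan (unable to clean) 00000000000000000000000000000000 I
K:\\Tools\\keygen.exe a variant of Win32/Keygen.AD application 00000000000000000000000000000000 I
${Memory} Win32/Bamital.EV trojan 00000000000000000000000000000000 I
"""

# Detection line: <path> [a variant of] <threat> <category> [(unable to clean)] <32 hex digits> <flag>
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) (?:(?:probably )?a variant of )?(?P<threat>\S+) "
    r"(?P<category>trojan|application|worm|virus|threats)"  # assumed category words
    r"(?P<unclean> \(unable to clean\))? (?P<hash>[0-9a-fA-F]{32}) (?P<flag>\S+)$"
)
CORE_OS_FILES = {"explorer.exe", "winlogon.exe", "userinit.exe"}  # assumed: run in every XP session
CONTAINED_DIRS = ("\\qoobox\\", "\\_otm\\", "\\system volume information\\")  # no longer executed

def parse_log(text):
    """Split an ESET log into its '# key=value' header and its parsed detection lines."""
    header, detections = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            header[key] = value
        elif (m := DETECTION_RE.match(line)):
            detections.append(m.groupdict())
    return header, detections

def triage(detections):
    """Bucket hits: 'active' (core OS file or memory), 'contained' (quarantine/backup), 'pua', 'other'."""
    buckets = {"active": [], "contained": [], "pua": [], "other": []}
    for d in detections:
        low = d["path"].lower()
        name = low.rsplit("\\", 1)[-1]
        if any(c in low for c in CONTAINED_DIRS):
            buckets["contained"].append(d)
        elif d["path"] == "${Memory}" or name in CORE_OS_FILES:
            buckets["active"].append(d)
        elif d["category"] == "application":
            buckets["pua"].append(d)  # keygens and patchers: unwanted, not the infection itself
        else:
            buckets["other"].append(d)
    return buckets

def needs_rebuild(buckets):
    """True when a core OS binary could not be cleaned or the threat is live in memory."""
    return any(d["unclean"] or d["path"] == "${Memory}" for d in buckets["active"])
```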
  3. Bobbye Helper on the Fringe

  4. JayNori Newcomer, in training

    Well, the only thing is I don't have an XP CD, will that be a problem?
  5. Bobbye Helper on the Fringe

    A problem in that it will limit what you can do. If you wipe the drive you are going to have to replace the operating system. I'll check to see if there is any way around this. Do you have the license key for the OS? You will need some legitimate source of Windows XP and then it has to be validated.

    I will check to see if Repair is an option. You can get into the system, correct?