Sorry I forgot to say this before but THANK YOU for all the help you are giving me. I am sure you can get my mess cleaned up! ;D
I am still concerned that IASTOR is not returning a good MD5
Download ComboFix from one of these locations:
IMPORTANT!!! Save ComboFix.exe to your Desktop.
[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
[*]Double click on ComboFix.exe & follow the prompts.
[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/whatnext.png
Click on Yes to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
As requested. The ComboFix file…
Let's have a look at some suspect files and then kill them. Once done, can you let me know how it is running?
Open notepad and copy/paste the text in the quotebox below into it:
http://forum.avast.com/index.php?topic=70001.15
Collect::
c:\windows\rundll16.exe
c:\windows\logo1_.exe
c:\windows\system32\runouce.exe
c:\windows\RUNDL132.EXE
c:\windows\logo_1.exe
c:\windows\system32\eEmpty.exe
c:\windows\system32\T.COM
c:\windows\R.COM
c:\windows\system32\drivers\iufiojjr.sys
Save this as CFScript.txt
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript.txt into ComboFix.exe.
When finished, it shall produce a log for you. Post that log in your next reply.
Note
When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
[*]Ensure you are connected to the internet and click OK on the message box.
Here is the latest run. It SEEMS ok but I haven’t run a virus scan yet. Await your response.
Hmm, CF should have removed the files in addition to collecting them. Once done, do a quick scan with Avast to see if it is OK.
Please open Notepad
[*]Click Start, then Run
[*]Type notepad.exe in the Run Box.
Now copy/paste the entire content of the codebox below into the Notepad window:
File::
c:\windows\rundll16.exe
c:\windows\logo1_.exe
c:\windows\system32\runouce.exe
c:\windows\RUNDL132.EXE
c:\windows\logo_1.exe
c:\windows\system32\eEmpty.exe
c:\windows\system32\T.COM
c:\windows\R.COM
c:\windows\system32\drivers\iufiojjr.sys
Then in the text file go to FILE > SAVE AS and in the dropdown box set SAVE AS TYPE to ALL FILES.
Save the above as CFScript.txt.
Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
[*]ComboFix.txt
[*]A new OTListIt log.
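Because the earlier post worried about a file not returning a good MD5, and because a removal pass is only useful if the files stay gone, here is a small before/after inventory check. It is an added example, not part of the thread and not code from ComboFix, AVPTool or any other tool named here. It records, for each path in the script above, whether the file exists and what its MD5 is, then compares two snapshots and labels each path as removed, respawned, changed in place, persisted or absent. The demo runs on constructed temporary files so it works on any machine; the function and variable names are the example's own.

```python
"""Before/after inventory check for a list of suspect file paths.

Added example (not from the forum thread or any tool mentioned in it).
Take a snapshot of the listed paths, run the cleanup, take another
snapshot, and compare: a file that is deleted and then silently
re-created shows up as "respawned" instead of only being noticed when
a scanner flags it again.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Optional, Tuple

# The paths quoted in the thread's CFScript. On a non-Windows host they
# are simply reported as absent.
SUSPECT_PATHS = [
    r"c:\windows\rundll16.exe",
    r"c:\windows\logo1_.exe",
    r"c:\windows\system32\runouce.exe",
    r"c:\windows\RUNDL132.EXE",
    r"c:\windows\logo_1.exe",
    r"c:\windows\system32\eEmpty.exe",
    r"c:\windows\system32\T.COM",
    r"c:\windows\R.COM",
    r"c:\windows\system32\drivers\iufiojjr.sys",
]

# (exists, size in bytes, md5 hex digest or None when the file is absent)
FileState = Tuple[bool, int, Optional[str]]


def file_md5(path: str) -> str:
    """Hash a file in 64 KiB chunks so large binaries do not load into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(paths: List[str]) -> Dict[str, FileState]:
    """Record existence, size and MD5 for every path in the list."""
    states: Dict[str, FileState] = {}
    for p in paths:
        if os.path.isfile(p):
            states[p] = (True, os.path.getsize(p), file_md5(p))
        else:
            states[p] = (False, 0, None)
    return states


def compare(before: Dict[str, FileState],
            after: Dict[str, FileState]) -> Dict[str, str]:
    """Label each path by how it changed between the two snapshots."""
    verdict: Dict[str, str] = {}
    for p, b in before.items():
        a = after.get(p, (False, 0, None))
        if b[0] and not a[0]:
            verdict[p] = "removed"        # cleanup took it out
        elif not b[0] and a[0]:
            verdict[p] = "respawned"      # gone before, back now
        elif b[0] and a[0] and b[2] != a[2]:
            verdict[p] = "changed"        # same path, different content
        elif b[0] and a[0]:
            verdict[p] = "persisted"      # still there, identical bytes
        else:
            verdict[p] = "absent"         # never present in either snapshot
    return verdict


def demo() -> Dict[str, str]:
    """Constructed walk-through on temporary files standing in for the real paths."""
    with tempfile.TemporaryDirectory() as d:
        gone = os.path.join(d, "logo1_.exe")       # will be removed by "cleanup"
        back = os.path.join(d, "rundll16.exe")     # absent at first, re-created later
        rewritten = os.path.join(d, "runouce.exe") # rewritten in place
        for p in (gone, rewritten):
            with open(p, "wb") as fh:
                fh.write(b"MZ original content")   # constructed sample bytes
        before = snapshot([gone, back, rewritten])
        os.remove(gone)
        with open(back, "wb") as fh:
            fh.write(b"MZ respawned")
        with open(rewritten, "wb") as fh:
            fh.write(b"MZ different bytes")
        after = snapshot([gone, back, rewritten])
        return {os.path.basename(k): v for k, v in compare(before, after).items()}


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name}: {state}")
```

Run it once right after the ComboFix pass and again a few minutes (or a reboot) later; anything labelled respawned or changed still has something on the machine writing it, which is what the helper means by the files being respawned.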
First report:
OTL:
Sorry. Had them labeled wrong but you know which are which.
The files are being respawned. I see you have IObit 360 on your system as well; could you uninstall that please?
Download AVPTool from Here to your desktop.
Run the programme you have just downloaded to your desktop (it will be randomly named).
First we will run a virus scan
On the first tab, select all elements down to Computer and then select Start scan.
Once it has finished, select Report and post that.
http://i1224.photobucket.com/albums/ee362/Essexboy3/avpfront.jpg
Do not close AVPTool or it will self-uninstall; if it does uninstall, just rerun the setup file on your desktop.
Now an analysis scan
Select the Manual Disinfection tab.
Press the Gather System Information button.
Once done, open the last report saved folder, then attach the zip file to your next post.
The file is located at C:\Users\<your name>\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip
http://i1224.photobucket.com/albums/ee362/Essexboy3/avpmanual.jpg
Here is the first scan (Kaspersky).
It won’t let me upload the ZIPPED folder. I unzipped as best as I could and have added them. If there is a better way to get the info to you, please let me know.
Found another way to post the zip file too:
And just for giggles & grins… an MBAM scan:
Could you upload the zip file to Mediafire? Sorry, I should have put that in my last post, as this forum does not allow zip files.
Also, what are your current problems?
OK. Try this:
As to my problems.
OK. I had (don’t know if it is gone yet) the Backdoor.Tidserv!inf Virus. I THINK that requires a manual removal. The problem is I do NOT have a disk with the Windows Recovery Console. There appears to be the program on my HDD BUT when I put in the Windows XP-Pro with SP3 disk, it fails to recognize the hard drive. Dead end.
I have been unable to do a system recovery. It pops up but the buttons do NOTHING. Dead end.
The blasted CD tray pops open randomly (unless, of course, I WANT it to).
Finally, I live in Ohio of the USA. I do not think you can help with this matter, though.
Thanks for all, so far.
Not much showing on the analysis log, which is good. Are you still showing the Backdoor.Tidserv!inf alerts?
OK, two things to do: first I will remove some items with AVP and then try a scandisk. The opening and closing of the CD drive happened to me once, just before it failed.
[*]Re-run AVPTool
[*]Select the Manual Disinfection tab
[*]Where it states Step 3, paste in the following disinfection script and press Execute:
begin
SetAVZPMStatus(True);
SearchRootkit(true, true);
SetAVZGuardStatus(True);
DelBHO('{472734EA-242A-422b-ADF8-83D1E48CC825}');
RegKeyParamDel('HKEY_USERS','.DEFAULT\Control Panel\Desktop','scrnsave.exe');
RegKeyParamDel('HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Services\Eventlog\Application\ACW_DE','EventMessageFile');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
[*]Your system will reboot on completion; if it does not, please do so yourself.
[*]On completion, please run another analysis scan and attach the zip file.
http://i1224.photobucket.com/albums/ee362/Essexboy3/avpmanual.jpg
THEN
Go to Start > All Programs > Accessories.
Click Command Prompt.
When the prompt opens, type the following bolded text and press Enter:
sfc /scannow (Note: There is a space between sfc and /scannow)
On completion, reboot and let me know of any errors that it detected.
SCAN:
http://www.mediafire.com/?d4lqzk8nc7tdqne
No, I have not seen the Backdoor.Tidserv!inf except in an old scan using HijackThis, which said it was a manual remove only.
Are you having any problems now?