VBS:ExeDropper-gen, please help!

@Ornette

Download CureIt

ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe

Reboot the PC into Safe Mode

Run launch.exe, after which a splash screen will appear; click Start

You will be informed about the initiation of a preliminary scan; click OK

Wait a few minutes for Dr.Web CureIt to complete the Express Scan; if malware is found, click the Yes to All button in the window that appears to allow the program to carry out disinfection

Click Settings > Change settings (F9); in the window that opens, uncheck the Heuristic Analysis option and then click Yes

In the main window, mark the Complete Scan option and then click to start it; the Dr.Web CureIt scan will begin

If malware is found, click the Yes to All button in the window that appears to allow the program to carry out disinfection

When the scan is complete, click the Select All button (if available), and then click Cure;
in the menu that opens, click Move incurable

understand my English ;D

Thank you, but I’m waiting for Stefan to advise whether his problem is fixed

Don’t want to hijack his thread :wink:

I have some more info on my problem, which maybe will also help Stefan should he return.

Until then…

Sorry about the late response, I had a power cut to add to my problems.
I’ll grab the log files from DDS again and attach both that were output.
Should I try CureIt as well?
Thanks

Sorry, I mean ComboFix not DDS! Oops

Ok so here is the ComboFix Log, Thanks for your patience with me.

Running an outdated operating system plus an old browser will lead to system infections

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

Please read:
Support for Windows XP Service Pack 2 ends on July 13, 2010
http://support.microsoft.com/gp/lifean31

Stefan

Open Notepad and copy/paste the text present inside the code box below:

File::
c:\program files\satflmhl\bglrvpqy.exe
c:\docume~1\Stefan\LOCALS~1\Temp\idrmkl.sys
c:\documents and settings\Stefan\Start Menu\Programs\Startup\bglrvpqy.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe"

Driver::
idrmkl

RegNull::
[HKEY_USERS\S-1-5-21-790525478-1957994488-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
[HKEY_USERS\S-1-5-21-790525478-1957994488-839522115-1004\Software\SecuROM\License information*]

Save this as CFScript.

http://img213.imageshack.us/img213/1218/cfscript1.gif

Close all browser windows and, referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will re-run.
When finished, it will produce a log for you.
Copy/paste the contents of the log in your next reply. (Typical location: C:\ComboFix.txt)
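The CFScript above resets three persistence points: the Winlogon Userinit value, an executable in the user's Startup folder, and a kernel driver loaded from a Temp directory. The read-only audit below is an added example, not part of argus's post or ComboFix; it assumes a Windows host with PowerShell, run from an elevated prompt, and that the stock Userinit value is the one under the current SystemRoot.

```powershell
# Added example: report the three persistence points the CFScript cleans up.
# Read-only: it only prints findings, it changes nothing.
# Assumption: the stock Userinit value is "<SystemRoot>\system32\userinit.exe,".
$expectedUserinit = "$env:SystemRoot\system32\userinit.exe"

# 1. Winlogon Userinit is a comma-separated list; every entry runs at logon,
#    so anything besides the stock userinit.exe is worth a look.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
foreach ($entry in ($userinit -split ',')) {
    $path = $entry.Trim()
    if ($path -eq '') { continue }
    if ($path -ieq $expectedUserinit) {
        Write-Output "OK      Userinit: $path"
    } else {
        Write-Output "SUSPECT Userinit extra entry: $path"
    }
}

# 2. Per-user Startup folder: every file here launches at logon. Unsigned
#    executables with random-looking names (like bglrvpqy.exe above) stand out.
$startup = [Environment]::GetFolderPath('Startup')
Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    $status = if ($sig.Status -eq 'Valid') { 'signed  ' } else { 'UNSIGNED' }
    Write-Output ("{0} Startup: {1}" -f $status, $_.FullName)
}

# 3. Kernel drivers whose image sits under a Temp directory; the idrmkl.sys
#    entry in the script is exactly this pattern (Get-WmiObject for XP-era hosts).
Get-WmiObject -Class Win32_SystemDriver | Where-Object {
    $_.PathName -and ($_.PathName -match '\\Temp\\')
} | ForEach-Object {
    Write-Output ("SUSPECT Driver {0}: {1} ({2})" -f $_.Name, $_.PathName, $_.State)
}
```

A legitimate Userinit entry is normally only the stock path; a second, unsigned or oddly named entry is what the Registry:: section of the script above is reverting.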

Thanks YoKenny, I’m just updating these now.
Other than this I think the symptoms have disappeared.
I turned the net back on and tried web browsing and it isn’t redirecting me to odd places when I click on Google search results.
I’m also no longer getting Avast popping up saying a virus has been found…
Could this mean I’m safe?

@argus
I shall perform the ComboFix thing now, one second

Here is the ComboFix log as requested.
Any thoughts?
Thanks

Ok so I have started to do a boot-time full system scan and my computer is now detecting quite a lot of Win32:Ramnit-G viruses. This is bad I’m guessing?

I can recommend a scan with CureIt :-\

Ramnit is a file infector (virus)
All partitions have been infected

Another way

Format C: and download Avast to the desktop and do a complete scan of the HDD

Warning

do not touch other partitions

I’ll try CureIt, I’m guessing I’m gonna have to flatten it and start again though.

If I do, what files are safe to back up and put back onto my newly installed OS?

I feel rather deflated at the prospect of a full re-boot, going to have to buy a new OS disc to replace the one I lost as well erghh,
Thanks for the help

From within a running Windows it is impossible to clean a file infector :frowning:

CureIt is a great tool, but the outcome is not guaranteed

Okay Argus, no worries
CureIt doesn’t seem to have worked so I think it’s time to flatten everything.
ERGH!
Thanks for your time

No. From the script that argus posted it’s clear that you were suffering the same problem as me.

You may well have had a lot of already infected files before you managed to get to the root of this problem. Are you still getting the IEXPLORE.exe processes appearing when you turn on the computer? If not, it would seem that things are going well. If you are, it’s also possible that a pre-infected Ramnit file has triggered this once again. Don’t give up.

As someone else mentioned, running outdated software, i.e. XP SP2, is not a great idea. It’s worth mentioning that this all happened for me while running Avast 5.1.889; since I upgraded to 6.0 this problem, the root of which was previously undetected by the scanner, is now coming up as

Win32:Hiloti-AX

(I kept a copy of my fyynaotm.exe file for reference)

Good luck

Hi Ornette,
I’ll have another crack at it then :slight_smile:
I’m no longer getting the iexplore processes, which is good.
I’m going to try CureIt once again, it didn’t seem to run properly. Should I do it in Safe Mode?
Thanks

Safe mode is an option

I’m not an expert on any of these tools, but in Safe Mode you are going to avoid a lot of the loaded drivers that might conflict with it. On the other hand, it will be a lot slower under Safe Mode.

CureIt detected no infected files,
my browser is no longer redirecting,
I can access USB memory sticks by double clicking on them rather than having to do: Run… J:
Avast is not detecting any more viruses…
Could this mean I’m safe?

Re-run DDS

Post DDS.txt back to topic.

To protect against USB infection install this program

http://amf.mycity.rs/programs/mc/mcshield/

Excellent program

OK, I shall go and do this now. Thanks :slight_smile:
Cool, I’ll use that MC Shield as well to make sure my USB isn’t causing any issues :slight_smile: