You're welcome, bajanknight. : )
This will require more than one round to properly eradicate. Please stay with me until given the 'all clear' even if symptoms seemingly abate.
Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.
It's IMPORTANT to carry out the instructions in the sequence listed below.
***************************************************
Quote:
Spybot did install and run and cleaned many things, what is left either can't be removed due to it being in use, or reinstalls itself in the process of a reboot.
Astute observation. Fixes are reinstalling themselves (so to speak) upon reboot because TeaTimer is interfering.
Spybot's TeaTimer monitors registry changes and alerts when changes are made. These changes must be OK'd or denied manually as the alerts appear. As there are going to be numerous changes to the registry pulling out the infections onboard, the most practical thing to do is disable TeaTimer until we're through cleaning the system:
Using Internet Explorer, download ResetTeaTimer.bat.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.
***************************************************
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
---------------------------------------------------------------------
Open notepad and copy/paste the text in the quote box below into it:
Quote:
File::
c:\windows\SYSTEM32\1112.dat
c:\windows\system32\mlljg.dll
c:\windows\system32\kcbgtcnu.dll
c:\windows\SYSTEM32\cnmhypvr.dll
c:\windows\SYSTEM32\oxvqlkrv.dll
c:\windows\system32\Drivers\Otx83.sys
c:\windows\SYSTEM32\ebkp.dll
Folder::
c:\program files\LiveAntispy
Driver::
MSIServer
Otx83.sys
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB3178"=-
"SpybotDeletingD7475"=-
"SpybotDeletingB7240"=-
"SpybotDeletingD9395"=-
"SpybotDeletingB7743"=-
"SpybotDeletingD4622"=-
"SpybotDeletingB7347"=-
"SpybotDeletingD4538"=-
"SpybotDeletingB497"=-
"SpybotDeletingD1761"=-
"SpybotDeletingB3792"=-
"SpybotDeletingD3745"=-
"SpybotDeletingB2934"=-
"SpybotDeletingD3154"=-
"SpybotDeletingB1312"=-
"SpybotDeletingD4995"=-
"SpybotDeletingB5066"=-
"SpybotDeletingD6844"=-
"SpybotDeletingB9161"=-
"SpybotDeletingD1914"=-
"SpybotDeletingB5601"=-
"SpybotDeletingD3315"=-
"SpybotDeletingB8289"=-
"SpybotDeletingD2483"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingA9519"=-
"SpybotDeletingC3804"=-
"SpybotDeletingA6806"=-
"SpybotDeletingC1350"=-
"SpybotDeletingA6171"=-
"SpybotDeletingC9339"=-
"SpybotDeletingA3251"=-
"SpybotDeletingC5520"=-
"SpybotDeletingA7408"=-
"SpybotDeletingC3607"=-
"SpybotDeletingA4519"=-
"SpybotDeletingC7788"=-
"SpybotDeletingA4326"=-
"SpybotDeletingC7234"=-
"SpybotDeletingA9965"=-
"SpybotDeletingC2754"=-
"SpybotDeletingA3024"=-
"SpybotDeletingC3495"=-
"SpybotDeletingA3896"=-
"SpybotDeletingC1707"=-
"SpybotDeletingA2619"=-
"SpybotDeletingC7137"=-
"SpybotDeletingA8943"=-
"SpybotDeletingC2491"=-
"GrpConv"=-
"SpybotSnD"=-
Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt
Please return with the C:\ComboFix.txt for further review, along with an update on system behavior.
__________________
Member of ASAP since 2005
Member of UNITE since 2006
"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
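
Added example, not part of the original post and not ComboFix's own code: a small Python reader for the CFScript layout shown above, so the script can be reviewed for stray or malformed lines before it is saved and dragged onto ComboFix.exe. It assumes only the four section headers that appear in this post and that a `"name"=-` line removes that value, as in .reg files; the function names and the shortened sample are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: a shortened copy of the script quoted in the post.
SAMPLE = r'''File::
c:\windows\system32\mlljg.dll
c:\windows\system32\Drivers\Otx83.sys
Folder::
c:\program files\LiveAntispy
Driver::
Otx83.sys
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB3178"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingA9519"=-
"GrpConv"=-
'''

SECTION = re.compile(r'^(\w+)::$')        # e.g. "File::"
KEY = re.compile(r'^\[(.+)\]$')           # e.g. "[HKEY_...\RunOnce]"
DELETE_VALUE = re.compile(r'^"(.+)"=-$')  # assumed .reg syntax: remove this value

def parse_cfscript(text):
    """Return {section: [entries]}; Registry entries are (key, value_name)."""
    plan, section, key = defaultdict(list), None, None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if m := SECTION.match(line):
            section, key = m.group(1), None
        elif section is None:
            raise ValueError(f"line {n}: entry before any section header")
        elif section == "Registry":
            if m := KEY.match(line):
                key = m.group(1)
            elif (m := DELETE_VALUE.match(line)) and key:
                plan[section].append((key, m.group(1)))
            else:
                raise ValueError(f"line {n}: unexpected registry line {line!r}")
        else:
            plan[section].append(line)
    return dict(plan)

def summarize(plan):
    """Count the entries each section would act on."""
    return {section: len(entries) for section, entries in plan.items()}

if __name__ == "__main__":
    for section, entries in parse_cfscript(SAMPLE).items():
        print(section, len(entries), entries)
```
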