Ok Lisa...here we go. Please print these instructions out so you can follow along.
Please empty any Quarantine folder in your antivirus and purge all recovery items in the spybot program if you use it before continuing.
DO NOT REBOOT once you post the new set of logs at the end of this fix. Doing so will render those logs incomplete as the filenames will change.
Download
KillBox http://www.atribune.org/downloads/KillBox.exe
Download and install
CleanUp http://cleanup.stevengould.org/
Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible. Please make sure System Restore is enabled by right clicking on My Computer and going to Properties->System Restore and checking the box for Turn ON System Restore. Once you're clean we will turn this off and then create a new restore point.
Download ewido security suite from here…
http://www.ewido.net/en/download/
Update its database from here..
http://www.ewido.net/en/download/updates/
Run a scan and let it clean the PC. Delete what it finds.
Close out all open windows and disconnect the PC from any internet access.
1. Delete this file... C:\WINDOWS\system32\Autorun.ico
2. Go to Start->Run and type
Services.msc then hit Ok
Scroll down and find the service called:
System Startup Service (SvcProc)
When you find it, double-click on it. In the next window that opens, click the
Stop button, then click on properties and under the General Tab, change the Startup Type to
Disabled. Now hit Apply and then Ok and close any open windows.
3. Run the cleanup utility and when prompted to reboot/logoff select
NO
4. Run KILL box. Go to Tools > Delete Temp Files > Click
*OK* Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say
YES and when the next box opens prompting you to reboot now...click
NO...and proceed with the next file. Once you get to the last one click
NO when it asks you to reboot.
C:\Windows\System32\svcproc.exe
C:\Windows\System32\Nail.exe
C:\WINDOWS\System32\VHXVFB.EXE
C:\WINDOWS\FLNLHKH.EXE
C:\WINDOWS\WPVWDI~1.EXE
C:\WINDOWS\System32\DRPMON.DLL
C:\WINDOWS\Bolger.dll
c:\windows\system32\atdmvq.exe
C:\WINDOWS\woinstall.exe
C:\WINDOWS\wpvwdiqga.exe
C:\WINDOWS\System32\AfcicuO.exe
C:\WINDOWS\System32\Ihjc.exe
C:\WINDOWS\System32\Lun8r9.exe
C:\WINDOWS\System32\LwiPYK.exe
c:\windows\system32\eII.exe
C:\windows\system32\QP.exe
c:\windows\system32\ogszrsd.exe
c:\windows\system32\ipcrv.exe
c:\windows\system32\extredir.exe
5. Now, click on Start, then Run ... type cmd and press "OK".
In the next box that opens, type
cd\
and press "Enter". Now you'll see the C: prompt ... looks like this:
C:\>
Type
cd\windows
and then Enter.
Next, type
nail.exe /FullRemove
(make sure there is a space between nail.exe and the /) ... then Enter.
6. Run HijackThis and fix the following entries...
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O4 - HKLM\..\Run: [eII.exe] c:\windows\system32\eII.exe
O4 - HKLM\..\Run: [QP] C:\windows\system32\QP.exe
O4 - HKLM\..\Run: [x37i3pe] extredir.exe
O4 - HKLM\..\Run: [imoxxl] c:\windows\system32\ogszrsd.exe
O4 - HKCU\..\Run: [g0osRfK5i] ipcrv.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
7. Reboot the PC, reconnect your internet access, and post another FindIt's log and HijackThis log.
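Added example, not part of the original post: a small Python checker that reads HijackThis log lines and flags any entry matching the indicators named in the fix above (the file names, the SvcProc service, and the Bolger BHO CLSID), so you can confirm the entries are gone from the new log. The sample log is constructed from the step 6 entries plus a few benign lines.

```python
import re

# Indicators taken from the fix above: file basenames, the service short name
# and the BHO CLSID. Everything is compared case-insensitively.
SUSPECT_FILES = {
    "svcproc.exe", "nail.exe", "vhxvfb.exe", "flnlhkh.exe", "drpmon.dll",
    "bolger.dll", "atdmvq.exe", "woinstall.exe", "wpvwdiqga.exe", "afcicuo.exe",
    "ihjc.exe", "lun8r9.exe", "lwipyk.exe", "eii.exe", "qp.exe", "ogszrsd.exe",
    "ipcrv.exe", "extredir.exe", "autorun.ico",
}
SUSPECT_SERVICE = "(svcproc)"
SUSPECT_CLSID = "{302a3240-4805-4a34-97d7-1645a0b08410}"

# HijackThis entries look like "O4 - HKLM\..\Run: [name] path" or "F2 - ...".
ENTRY_RE = re.compile(r"^(F\d|O\d+)\s*-\s*(.*)$")

def parse_hjt_line(line):
    """Return (section, body) for a HijackThis entry line, else None."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None

def flag_entry(line):
    """Return a reason string if the entry matches an indicator, else None."""
    parsed = parse_hjt_line(line)
    if parsed is None:
        return None
    section, body = parsed
    low = body.lower()
    if section == "O2" and SUSPECT_CLSID in low:
        return "Bolger BHO CLSID"
    if section == "O23" and SUSPECT_SERVICE in low:
        return "SvcProc service"
    for name in SUSPECT_FILES:
        # Match the basename as a whole token, so e.g. "qp.exe" does not hit "xqp.exe".
        if re.search(r"(?<![a-z0-9])" + re.escape(name) + r"(?![a-z0-9])", low):
            return "references " + name
    return None

def scan_log(text):
    """Return [(section, reason, line)] for every flagged entry in a log."""
    hits = []
    for line in text.splitlines():
        reason = flag_entry(line)
        if reason:
            hits.append((parse_hjt_line(line)[0], reason, line.strip()))
    return hits

# Constructed sample log: the step 6 entries plus benign lines that must not be flagged.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O4 - HKLM\..\Run: [eII.exe] c:\windows\system32\eII.exe
O4 - HKLM\..\Run: [QP] C:\windows\system32\QP.exe
O4 - HKLM\..\Run: [x37i3pe] extredir.exe
O4 - HKLM\..\Run: [imoxxl] c:\windows\system32\ogszrsd.exe
O4 - HKCU\..\Run: [g0osRfK5i] ipcrv.exe
O23 - Service: Windows Audio (AudioSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

if __name__ == "__main__":
    for section, reason, line in scan_log(SAMPLE_LOG):
        print(f"{section}: {reason}: {line}")
```

Run it against the new HijackThis log instead of SAMPLE_LOG; an empty result means none of the listed entries survived the reboot.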