computer acting up

[SuperDave]

I'm checking on this. I'll be back ASAP.

[SuperDave]

You are running more than one Anti-Virus program on your computer which is a no-no. Two of them will have to go.
Webroot AntiVirus with Spy Sweeper
avast! Free Antivirus
iolo AntiVirus

===========================

It keeps repeating that it is miss spelt

It is misspelled. It should be CFScript.txtand not CFSript.txt .The "c" is missing. Please try it again with the correct spelling. Also, please ensure that all your protective programs are disabled before running the script.

[FALLGUY]

Wow! I feel dumb. I corrected and tried again with no luck. I only have spy sweeper for antivirus, which is disabled. the others were just blank files i missed in removal. Combo fix trys to update to newer program about every 3rd time I run it. It also errors during restore.   Error Saving File\erdnt\Hiv-backup\security!  It does this 3 times. I continue past. Then I'll get a forth error   Error Saving File\erdnt\Hiv-backup\users\00000003\ntuser,dat!

[SuperDave]

Ok. Delete ComboFix from your desktop and download a new version and run the scan again, not the script, and send me the log.

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools ]A guide to do this can be found here
  
• Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

• Click on Yes, to continue scanning for malware.
  
• When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.
  

[FALLGUY]

It now tells me it is expired and closes. I've tried 3 different downloads and running six ways. I always lose my connection to internet and am unable to repair it. It gives me an error about the IP address. I restart to connect. This takes about 5-8 minutes to do.

[evilfantasy]

Open Malwarebytes' Anti-Malware.

* Click the Update tab.
* Click Check for Updates
* If an update is found, it will download and install.
* Click the Scanner tab.
* Select Perform Quick Scan, then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

[FALLGUY]

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4144

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/25/2010 9:57:46 PM
mbam-log-2010-05-25 (21-57-46).txt

Scan type: Quick scan
Objects scanned: 131128
Time elapsed: 5 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

[evilfantasy]

Run a scan with MGtools and attach the log. Using MGtools

[FALLGUY]

Here is the log for MGtools

[recovering disk space - old attachment deleted by admin]

[evilfantasy]

Go to Add or Remove Programs and uninstall:

• Ask Toolbar
• Viewpoint Media Player

.
----------

Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

• O4 - HKLM\..\Run: [NI.UWFX5_0001_N56M0311] C:\Documents and Settings\moore family\Local Settings\Temporary Internet Files\Content.IE5\GBM547GV\WinFixerScannerInstall[1].exe -nag

.

• O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
• O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
• O9 - Extra \'Tools\' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

.
Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

----------

Download OTM by OldTimer to your desktop.

Note: If you are using Vista or Windows 7, right-click on OTM.exe and choose Run As Administrator.

* Save it to your Desktop.
* Double-click OTM.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code: [Select]

:Processes
explorer.exe

:services
LiveUpdate Scheduler
Automatic GameConsoleService

:reg
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"NI.UWFX5_0001_N56M0311"=-
"avast5"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\combofix.exe]

:files
C:\commy.exe
C:\commy.exe28948c
C:\found.000
C:\Program Files\Symantec
C:\Program Files\Messenger
C:\WINDOWS\system32\1024
C:\Documents and Settings\moore family\Desktop\Blackpudding.bat.exe

:Commands
[resethosts]
[purity]
[createrestorepoint]
[emptytemp]
[emptyflash]
[start explorer]
[Reboot]

* Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

* Close OTM

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

----------

Suspicious file scan

Please go to Jotti's malware scan
(If more than one file needs scanned they must be done separately and logs posted for each one)

* Copy the file path in the below Code box:

Code: [Select]

C:\WINDOWS\system32\drivers\cxxqtr.sys* At the upload site, click once inside the window next to Browse.
* Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
* Next click Submit file
* Your file will possibly be entered into a queue which normally takes less than a minute to clear.
* This will perform a scan across multiple different virus scanning engines.
* Important: Wait for all of the scanning engines to complete.
* Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

Also scan these two files and post the link to the results.

Code: [Select]

C:\WINDOWS\system32\drivers\rewac.sys

Code: [Select]

C:\WINDOWS\system32\drivers\sdfsaevy.sys
----------

Next post please add the OTM log and the 3 links to the files that were scanned at Jotti.

[FALLGUY]

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== SERVICES/DRIVERS ==========
Error: No service named LiveUpdate Scheduler was found to stop!
Service\Driver key LiveUpdate Scheduler not found.
Error: No service named Automatic GameConsoleService was found to stop!
Service\Driver key Automatic GameConsoleService not found.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run\\NI.UWFX5_0001_N56M0311 not found.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run\\avast5 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\combofix.exe\ deleted successfully.
========== FILES ==========
C:\commy.exe folder moved successfully.
C:\commy.exe28948c folder moved successfully.
C:\found.000 folder moved successfully.
File/Folder C:\Program Files\Symantec not found.
File/Folder C:\Program Files\Messenger not found.
C:\WINDOWS\system32\1024 folder moved successfully.
File/Folder C:\Documents and Settings\moore family\Desktop\Blackpudding.bat.exe not found.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Error starting restore point: 1016
Error closing restore point: The sequence number is invalid.
 
[EMPTYTEMP]
 
User: All Users
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
 
User: LocalService
->Temp folder emptied: 65748 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->FireFox cache emptied: 717773 bytes
 
User: moore family
->Temp folder emptied: 3332296 bytes
->Temporary Internet Files folder emptied: 14215122 bytes
->Java cache emptied: 129002704 bytes
->FireFox cache emptied: 60559832 bytes
->Flash cache emptied: 2489535 bytes
 
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: patti's place
->Temp folder emptied: 18632 bytes
->Temporary Internet Files folder emptied: 5570965 bytes
->FireFox cache emptied: 10365240 bytes
->Flash cache emptied: 434 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1606296 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 151618416 bytes
 
Total Files Cleaned = 362.00 mb
 
 
OTM by OldTimer - Version 3.1.12.0 log created on 05282010_080304

Files moved on Reboot...

Registry entries deleted on Reboot...

[FALLGUY]

http://virusscan.jotti.org/en/scanresult/815752baf757f0171d9ae6110fdad166c2936378/e11e5c1d850b43b3b58f35c527b7ce0345afab06

[FALLGUY]

http://virusscan.jotti.org/en/scanresult/815752baf757f0171d9ae6110fdad166c2936378/84a7deb74a21aceafc961e7599ee32214e411201

[FALLGUY]

http://virusscan.jotti.org/en/scanresult/e11e5c1d850b43b3b58f35c527b7ce0345afab06/15d767d519dbebb347cbbcc2f04043bb935413c0

[evilfantasy]

Scan these two at Jotti please and post the links.

Code: [Select]

C:\WINDOWS\system32\drivers\rewac.sys

Code: [Select]

C:\WINDOWS\system32\drivers\sdfsaevy.sys