Thank you Tech, I have not tried that but will do a boot scan and see how that goes...

Post back if the problem persists.
File::
c:\users\Conor \AppData\Roaming\fvgqad.dat
c:\users\Conor \AppData\Roaming\avdrn.dat
File::
C:\Users\Conor \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\siszyd32.exe
File::
c:\windows\pss\siszyd32.exe
c:\users\Conor \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\siszyd32.exe
Registry::
[-HKLM\~\startupfolder\C:^Users^Conor ^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^siszyd32.exe]
One or more of the identified infections is a backdoor Trojan and a key logger.
If this computer is ever used for on-line banking, I suggest you do the following immediately:
1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.
Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
[Unregister Dlls]
[Modules - Safe List]
YY -> ucevenupehukuh.dll -> C:\WINDOWS\ucevenupehukuh.dll
[Win32 Services - Safe List]
YN -> (gupdate) Google Update Service (gupdate) [Auto | Stopped] ->
YY -> (MyWebSearchService) My Web Search Service [Auto | Stopped] -> C:\Program Files\MyWebSearch\bar\1.bin\MWSSVC.EXE
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-2499262627-2763923191-843853277-1006\] > ->
YN -> HKEY_USERS\S-1-5-21-2499262627-2763923191-843853277-1006\: Main\\"SearchMigratedDefaultName" -> My Web Search
YN -> HKEY_USERS\S-1-5-21-2499262627-2763923191-843853277-1006\: Main\\"SearchMigratedDefaultUrl" -> http://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZCxdm768YYGB&fl=0&ptb=hFaIfhRKCbQmyZGSCaRTFg&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}
< FireFox Extensions [User Folders] > ->
YY -> No name found -> C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\osrbx5ud.default\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D}
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YY -> "{07B18EA9-A523-4961-B6BB-170DE4475CCA}" [HKLM] -> C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL [My Web Search]
YN -> "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "Fnafidi" -> C:\WINDOWS\ucevenupehukuh.DLL [rundll32.exe "C:\WINDOWS\ucevenupehukuh.dll",Startup]
YN -> "Regedit32" -> C:\WINDOWS\System32\regedit.exe [C:\WINDOWS\system32\regedit.exe]
< Lee Startup Folder > -> C:\Documents and Settings\Lee\Start Menu\Programs\Startup
YY -> ~EmptyValue -> C:\Documents and Settings\Lee\Start Menu\Programs\Startup\siszyd32.exe
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit
YY -> C:\WINDOWS\system32\sdra64.exe -> C:\WINDOWS\system32\sdra64.exe
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
[Files/Folders - Modified Within 30 Days]
NY -> fecdfxgl.sys -> C:\WINDOWS\System32\drivers\fecdfxgl.sys
NY -> Swafamagabo.dat -> C:\WINDOWS\Swafamagabo.dat
NY -> Qkoqi.bin -> C:\WINDOWS\Qkoqi.bin
NY -> av_md.exe -> C:\WINDOWS\System32\av_md.exe
NY -> avdrn.dat -> C:\Documents and Settings\Lee\Application Data\avdrn.dat
[Files - No Company Name]
NY -> fecdfxgl.sys -> C:\WINDOWS\System32\drivers\fecdfxgl.sys
NY -> av_md.exe -> C:\WINDOWS\System32\av_md.exe
NY -> fvgqad.dat -> C:\Documents and Settings\NetworkService\Application Data\fvgqad.dat
NY -> Swafamagabo.dat -> C:\WINDOWS\Swafamagabo.dat
NY -> Qkoqi.bin -> C:\WINDOWS\Qkoqi.bin
NY -> fvgqad.dat -> C:\Documents and Settings\LocalService\Application Data\fvgqad.dat
NY -> avdrn.dat -> C:\Documents and Settings\Lee\Application Data\avdrn.dat
NY -> ucevenupehukuh.dll -> C:\WINDOWS\ucevenupehukuh.dll
NY -> pn.ini -> C:\WINDOWS\pn.ini
NY -> pr.ini -> C:\WINDOWS\pr.ini
[Empty Temp Folders]
...could you start your own thread <snip> as I cannot run two infections in one thread. Ta. It will just be too confusing for him...
Hello,
I've got the same problem. Can I use the fix you made for ghosty85?
C:\WINDOWS\ServicePackFiles\i386\atapi.sys
C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\atapi.sys
C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\atapi.sys
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
:filefind
atapi.sys
Get up your startup programs or a program that disables startup programs (like AVG Anti-Spyware) and identify the file. You won't be able to delete it; it just denies you every time. Next go into your task manager, keeping the other window open. Go into Processes and find the svchost that is running really high CPU (around 90 - 99) and end the process. Your computer will now say it's shutting down in 1 minute. Quickly disable or delete the malicious file or startup program. Now let the PC restart and do a virus scan. It'll now find the file and delete it if you haven't already done so. I only know this because I just did it myself. You'll also want to do a registry scan with a program like CCleaner and fix all the issues because it messes your registry up like a bastard.

Perhaps in your youthful exuberance you may have failed to take account of the possibility that the infection and its related garbage might have a different manifestation on different systems, and what worked for you may not work for others.
DONE DONE DONE DONE DONE!
No one seems to have been able to do it, and this virus has been fooled by a 17-year-old boy. Amateur programmers.
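The manual hunt above boils down to asking "what is set to start with Windows, and does it look like it belongs there?" As an added example (not code from this thread or from the OTL tool), here is a small Python checker that parses entries in the OTL fix-script layout quoted in this thread and flags the persistence patterns those scripts target: a Run value that uses rundll32 to load a DLL from outside System32, anything launched from a user-writable directory, an executable dropped in a Startup folder, and a Winlogon UserInit value that is not userinit.exe. The sample input is constructed from the thread's own listings; the leading YY/YN flags are matched but not interpreted.

```python
import re

# Constructed sample in the OTL fix-script layout quoted in this thread;
# the entries themselves are copied from the thread's listings.
SAMPLE = r"""
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "Fnafidi" -> C:\WINDOWS\ucevenupehukuh.DLL [rundll32.exe "C:\WINDOWS\ucevenupehukuh.dll",Startup]
YN -> "Regedit32" -> C:\WINDOWS\System32\regedit.exe [C:\WINDOWS\system32\regedit.exe]
YY -> "Qrofejogumajapi" -> C:\Users\Fraser\AppData\Local\urixugesavadebib.DLL [rundll32.exe "C:\Users\Fraser\AppData\Local\urixugesavadebib.dll",Startup]
< Lee Startup Folder > -> C:\Documents and Settings\Lee\Start Menu\Programs\Startup
YY -> ~EmptyValue -> C:\Documents and Settings\Lee\Start Menu\Programs\Startup\siszyd32.exe
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit
YY -> C:\WINDOWS\system32\sdra64.exe -> C:\WINDOWS\system32\sdra64.exe
"""

ENTRY = re.compile(r'^[YN]{2} -> (?P<name>.+?) -> (?P<target>.+)$')
SECTION = re.compile(r'^(?:<\s*(?P<sec>[^>]+?)\s*>|\*(?P<key>[^*]+)\*)')
# Directories an ordinary user can write to, so malware can drop itself there.
USER_WRITABLE = ("\\appdata\\", "\\application data\\", "\\local settings\\", "\\programdata\\", "\\temp\\")

def audit_otl(text):
    """Return the autorun entries that match one of the persistence patterns above."""
    findings, section = [], ""
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:                                   # "< Run [...] >" or "*UserInit*" header
            section = (m.group("sec") or m.group("key")).strip()
            continue
        m = ENTRY.match(line)
        if not m:                               # "[Registry - Safe List]" and similar
            continue
        name, target = m.group("name").strip('"'), m.group("target")
        path = target.split(" [", 1)[0]         # drop the "[command line]" suffix
        plow, sec = path.lower(), section.lower()
        reasons = []
        if "rundll32" in target.lower() and "\\system32\\" not in plow:
            reasons.append("rundll32 loads a DLL from outside System32")
        if any(d in plow for d in USER_WRITABLE):
            reasons.append("runs from a user-writable directory")
        if sec == "userinit" and not plow.rstrip(",").endswith("userinit.exe"):
            reasons.append("Winlogon UserInit points at something other than userinit.exe")
        if "startup folder" in sec and plow.endswith(".exe"):
            reasons.append("executable placed in a Startup folder")
        if reasons:
            findings.append({"section": section, "name": name, "path": path, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit_otl(SAMPLE):
        print(f"{f['section']}: {f['name']} -> {f['path']}\n    " + "; ".join(f["reasons"]))
```

The Regedit32 entry is deliberately left in the sample as a negative case: it lives in System32 and trips none of the rules.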
[Unregister Dlls]
[Modules - Safe List]
YY -> urixugesavadebib.dll -> C:\Users\Fraser\AppData\Local\urixugesavadebib.dll
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {8504a8af-5a60-90ff-aaae-5e26ef0a86c6} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "Qrofejogumajapi" -> C:\Users\Fraser\AppData\Local\urixugesavadebib.DLL [rundll32.exe "C:\Users\Fraser\AppData\Local\urixugesavadebib.dll",Startup]
[Files/Folders - Created Within 30 Days]
NY -> HotbarSA -> C:\ProgramData\HotbarSA
NY -> 2 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp
NY -> 2 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp
[Files/Folders - Modified Within 30 Days]
NY -> Rcusokarade.dat -> C:\Users\Fraser\AppData\Local\Rcusokarade.dat
NY -> Jgudiqusoletu.bin -> C:\Users\Fraser\AppData\Local\Jgudiqusoletu.bin
NY -> fvgqad.dat -> C:\Users\Fraser\AppData\Roaming\fvgqad.dat
NY -> avdrn.dat -> C:\Users\Fraser\AppData\Roaming\avdrn.dat
NY -> zm-w_WijtWsa.exe -> C:\Windows\System32\zm-w_WijtWsa.exe
NY -> MWC-1D6zKsNM.dll -> C:\Windows\System32\MWC-1D6zKsNM.dll
NY -> 2 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp
NY -> 2 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp
[Files - No Company Name]
NY -> siszyd32.exe -> C:\Users\Fraser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\siszyd32.exe
NY -> Rcusokarade.dat -> C:\Users\Fraser\AppData\Local\Rcusokarade.dat
NY -> Jgudiqusoletu.bin -> C:\Users\Fraser\AppData\Local\Jgudiqusoletu.bin
NY -> fvgqad.dat -> C:\Users\Fraser\AppData\Roaming\fvgqad.dat
NY -> avdrn.dat -> C:\Users\Fraser\AppData\Roaming\avdrn.dat
NY -> sysfolderazipcnt.dll -> C:\Windows\System32\sysfolderazipcnt.dll
NY -> azipcontmn.dll -> C:\Windows\System32\azipcontmn.dll
[Empty Temp Folders]