New sys file XP Pro SP3

[mchain]

File name:  Ixbcgwrb.sys or lxbcgwrb.sys

File listed as autorun allowed Online Armor.  See attached below.  Currently have autorun blocked.

Google shows no results.

[Asyn]

The file date is more than suspicious..!!
Any VT results..??

[DavidR]

Not to mention the services name which, like the file name appear to be randomly generated. This is probably why you find no information on the google search.

[mchain]

Recommendation? 

Agree file date is anomalous, as is the file name.  Have run autoruns, used that to check the registry, no current entries found.  OA has same feature using the File Information box and right-clicking that option within to go search for exact location in registry.  Nothing there either.

Thanks for the feedback.

Have the autorun set to block for now.

Can't VT as cannot find the file; not registered in the registry either.  Have searched with all options enabled.

[DavidR]

So it isn't in the drivers folder as in the first image you posted ?

Could be time to go down the analysis scans path, OTL, etc.

[mchain]

Yes, I'm thinking that also.

Next replies will have all logs posted, except for Malwarebytes, which I will update and run now.  AdwCleaner, OTL, and aswMBR.exe will be posted sometime tomorrow.

Note the time it took for a quick scan.

[mchain]

Ok.  I've run the normal requested scans.  OTL was run as not on quick scan, so took a bit of time to finish.  Do want to point out that there are various Norton drivers left over on the system as I once had Norton's System Utilities, as well as the a/v, they both have been removed for some years now.

Attached logs are below:

All scans run with the usual start up programs running and active; also connected to the internet whilst these scans were running.

Now I wait.

[DavidR]

A malware removal specialist has been informed of your topic.

[essexboy]

Hmm that is showing in control set 3 I would like to run Combofix as I can see no triggers for that service

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

• Double click on ComboFix.exe & follow the prompts.
  
• Accept the disclaimer and allow to update if it asks

• When finished, it shall produce a log for you.
• Please include the C:\ComboFix.txt in your next reply.[/b]
  

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3.  If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

[mchain]

Well, Combofix has been run with avast!, OA, and WD disabled.  Some files were deleted, including a windows.ini file.  Reboot was automatic, run took only 6 minutes, and the attached windows error message popped up on logon to admin. 

I've set OA to allow the executable from Comobofix.

No Combofix txt can be found anywhere, so nothing to attach.  Have run Combofix once before, but that was under your supervision, date was August 29, 2012, but that log would not apply?  [EDIT:]  Have a file 377 bytes in size, but not what I expected.  Attached below.

[essexboy]

OK that is OA blocking combofix on restart so that it was unable to generate a log

Could you re-run Combofix but not let  OA block that on start

[mchain]

Done.  Will post the resulting log on next reply.

[mchain]

Successfully run Comobfix to completion, as it was OA on reboot that blocked Combofix. 

Note the second attachment; do not know what to make of this?  [EDIT:]  This process popped up whilst Combofix was still running.

[essexboy]

That was Combofix releasing your registry

Is OA still finding this start up ?

[mchain]

Thank you for that.

That was Combofix releasing your registry

Is OA still finding this start up ?

Yes, OA still shows the same autorun as present but blocked.

Attached find registry search for autorun entry.  Same result as before; no entry found.

If need be, can we clean this computer up a bit?  I like tidy, but do not know how to do this safely.  Additional note:  Norton Ghost 10 is installed, so...  (See replies #1, 3, and 7).

[EDIT:] It's not reply 7, it is 6.