Persistent Trojan - Any help appreciated!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by moonpenny, Sep 28, 2008.

  1. moonpenny

    moonpenny Private E-2

    I've been trying to get a particularly persistent trojan off my PC for weeks. Symantec AV classifies it as a "Trojan.Dropper", and it shows up in:

    C:\Documents and Settings\<user1>\Local Settings\Temporary Internet Files\Content.IE5\P9E7SDM3\update[1].gif

    C:\DOCUME~1\<user>\LOCALS~1\Temp\QQ_Update.cab

    C:\WINDOWS\TEMP\QQ_Update.cab

    Where <user1> is either a user on the PC, or "Network Service"
    and <user> is a user on the PC.

    I've tried HijackThis, Trend Micro online scanner, Symantec (in safe mode), regfix, and a few others.... no luck. In fact, downloading one of the tools (Spyware Doctor) actually seemed to introduce the QQ_Update.cab problem!

    Any ideas?

    Thanks!!!

    Dave
     
    Last edited by a moderator: Sep 30, 2008
  2. moonpenny

    moonpenny Private E-2

    My profuse apologies for being a N00b on this forum and not reading the readme first. I throw myself on the mercy of the forum...

    And I followed the procedures and still have the problem. I am attaching the requested log files here....

    Ooops..

    Dave
     

  3. moonpenny

    moonpenny Private E-2

    Here is the final zip file from MGTools...
     

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The scans took care of most of it, just a few things to clean up:

    Use windows explorer to find and delete:
    C:\WINDOWS\system32\DRIVERS\eyr96uotc0.sys

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    As a precaution I would suggest that you run both the SAS and MWB's scans on each user profile and let me know if they find additional problems (attach those and name them so we know which profile it is).
     
  5. moonpenny

    moonpenny Private E-2

    I could not find the .sys file in the named location. I was able to run the registry script, and did get a success message. I'll reboot and see if I find anything in the other profiles...hopefully this seals it! Thanks so much for your help!!

    Dave
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let me know...in the meantime:

    If you are not having any other malware problems, it is time to do our final steps:
     
  7. moonpenny

    moonpenny Private E-2

    Well,

    Bad news. We continue to get the same exact messages from Symantec. Any other ideas? Should I run the entire set of initial procedures again? I did run SAS and MWB on all users - it only found one instance of wmsetup.exe on one of the users - no others. Even after cleanup, I still get the initial error messages...
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Ok...Now go to Bitscan link: agree to the license and then select Scan. DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED. That will make your logs huge and we don't need to see clean files. Once Bitdefender completes the scan:

    Click-on the Detected Problems tab. Then select Click here to export the scan report

    When the window comes up to save the report, change the Save as type: box to Text (Tab Delimited) (*.txt) and then in the File name box enter bdscan, then click save. This will save a file named bdscan.txt in whatever folder you are currently in when you save the file (take notice of where you are at so you can find it later). This bdscan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.
     
  9. moonpenny

    moonpenny Private E-2

    Here are the results of the scan. It appears that something keeps putting the qq_update and wmsetup.dll files back into these locations. I also noticed that if I don't run IE, it doesn't occur. Once I open IE (even just to Google), then they start showing up. Could just be a coincidence, but maybe not?
     

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Well, now rude...:)

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the "Input script here:" part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Please attach that log.
     
  11. moonpenny

    moonpenny Private E-2

    I ran the attached script - and took the liberty of adding additional delete lines for the other user accounts... Attached are the results..

    I've checked to see if wmsetup.dll is loaded with the Windows Process Explorer - it's clean so far... I'll keep my fingers crossed and see if it reappears!

    Thanks!

    Dave
     

  12. moonpenny

    moonpenny Private E-2

    Well, no such luck. I still get the Symantec "Trojan.Dropper" alerts... I noticed that the first alerts are on a profile called "NetworkService"...then they seem to spread to logged in users...

    There appears to be some "NetworkService" profile that I can't clean out... (I tried using "C:\Documents and Settings\NetworkService\Local Settings\temp\wmsetup.dll" in the Avenger script - but the file wasn't found). I can't see the "NetworkService" folder at all, even with all of the "show file" options enabled in "folder options"...

    When I use the windows process explorer tool, SVCHOST has an open handle to wmsetup.dll (in c:\windows\temp). See the attached screen shot for the services that are running in that process... Shortly after that shows up, the alerts start... Maybe one of them is the culprit?
     

    Last edited: Oct 2, 2008
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall the below software:
    Java(TM) SE Runtime Environment 6
    Viewpoint Manager (Remove Only) <-- should have been uninstalled in step 1 of the READ ME


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop (yes overwrite the previous file of the same name if it still exists). Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Now run this: Running GMER to detect rootkits. I will ask for the log below.
    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • Gmer log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  14. moonpenny

    moonpenny Private E-2

    OK, I've done all the steps below. Still getting the issue. The wmsetup.dll re-appears consistently...

    here are the logs:
     

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now download HostsXpert and then follow the below steps.
    • Unzip HostsXpert.zip
    • It will create a folder named HostsXpert in whatever folder you extract it to.
    • Run HostsXpert.exe by double clicking on it.
    • Click the Make Writeable? button. (if you only see a Make Read-Only selection, it is already writeable so skip this button).
    • Click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program
    Now we are going to run a couple new scans with Malwarebytes (aka MBAM)
    1. Make sure your PC is in normal mode.
    2. Run MBAM and make sure you update it first
    3. Select Quick Scan
    4. When it finishes the scan make sure you select everything it finds and have it remove the selected items.
    5. If MBAM says anything about needing to reboot, make sure that you allow it to reboot your PC immediately. Your computer must get to the Windows is shutting down screen.
    6. After reboot, attach the above scan results.
    7. Now scan your PC again with MBAM and attach this log too.
    Now go here and download SysClean:

    http://www.trendmicro.com/download/dcs.asp

    You will need to download two additional files, one for viruses and the other for spyware. Instructions for which ones to download are found here:

    http://www.trendmicro.com/ftp/products/tsc/readme.txt

    After running SysClean, attach the log from it.



    Now please look at the ComboFix log you attached and see if you can explain why all of those TCP ports have been opened up. See the below registry key with the list of ports under it:

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

    Did you open up all of these ports to support your game playing?
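As an added example (not from this thread or from MajorGeeks' tools): a small Python parser for a .reg export of the GloballyOpenPorts\List key chaslang refers to, run here over constructed sample entries, that lists every firewall exception and flags the enabled, any-scope ones whose display name is not a standard Windows resource string. It assumes the value format port:protocol:scope:state:name that the XP SP2 firewall uses for this key.

```python
import re

# Constructed sample modelled on a reg export of the key chaslang names.
# The entries are made up for this example; they are NOT from the thread's log.
SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005"
"3389:TCP"="3389:TCP:*:Enabled:@xpsp2res.dll,-22009"
"27015:UDP"="27015:UDP:*:Enabled:Example Game Server"
"6000:TCP"="6000:TCP:*:Enabled:svchost"
"6001:TCP"="6001:TCP:*:Disabled:svchost"
"""

# A value line in a .reg export looks like "name"="data"
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"$')


def parse_open_ports(reg_text):
    """Return one dict per entry found under a ...\GloballyOpenPorts\List key."""
    entries = []
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):            # key header: are we inside the List key?
            in_key = line.lower().endswith(r"globallyopenports\list]")
            continue
        m = VALUE_RE.match(line) if in_key else None
        if not m:
            continue
        parts = m.group("data").split(":", 4)  # port:proto:scope:state:name
        if len(parts) != 5:
            continue                         # malformed value, skip it
        port, proto, scope, state, name = parts
        entries.append({"port": int(port), "proto": proto.upper(), "scope": scope,
                        "enabled": state.lower() == "enabled", "name": name})
    return entries


def suspicious_entries(entries, known_prefixes=("@xpsp2res.dll",)):
    """Enabled exceptions open to any address ('*') whose display name is not a
    Windows resource string. These are the ones worth asking about, since an
    exception added by malware would not carry a Microsoft resource name."""
    return [e for e in entries
            if e["enabled"] and e["scope"] == "*"
            and not e["name"].startswith(known_prefixes)]


if __name__ == "__main__":
    for e in suspicious_entries(parse_open_ports(SAMPLE_REG_EXPORT)):
        print(f'{e["port"]}/{e["proto"]} open to {e["scope"]}: {e["name"]}')
```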
     
  16. moonpenny

    moonpenny Private E-2

    OK - Here are the logs from the latest round of scans... Not sure why all those ports are open - I did not explicitly open them - There are some internet-based games on the system, but I doubt there are that many! Is this something to worry about, or more of a nuisance?

    Thanks!

    Dave
     

  17. moonpenny

    moonpenny Private E-2

    OK - some more data... After following the last set of procedures, everything was fine...for a few hours. I went to post the logs, and the custom control used by this forum wouldn't work. I'd get a "no such interface supported" error. Got the same answer on another page that uses (what I guess is) an ActiveX control...

    Based on a MS support article (http://support.microsoft.com/kb/281679/EN-US/) I re-registered Actxprxy.dll and Shdocvw.dll. Poof - the controls now work, and within a few minutes, the infestation returned.

    So, it definitely appears to be IE related (or at least IE is activating it)... I'm using IE6, patched to current level...

    Any other thoughts or ideas? Any and all help greatly appreciated!!

    Thanks,

    Dave
     
    Last edited: Oct 4, 2008
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, because your copy of actxprxy.dll (and maybe the other file) is infected and needs to be replaced by a valid copy.

    You can see in the below thread where actxprxy.dll needed to be replaced by an uninfected copy to resolve problems.

    http://forums.majorgeeks.com/showthread.php?t=166170&highlight=actxprxy.dll

    You will need to get an uninfected copy of the file off of your CD to fix this. You would have to run the same fixes as previously done in this thread to remove all the problems and then you would have to manually replace the actxprxy.dll file with the clean copy.
     
  19. moonpenny

    moonpenny Private E-2

    Replacing actxprxy.dll finally did it! Thanks to all for your help!!!! I will follow the final cleanup procedures below...
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Just to make sure we are referring to the same thing, I will post them.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
