please help

Discussion in 'Malware Help (A Specialist Will Reply)' started by neemo, Sep 4, 2010.

  1. neemo

    neemo Private E-2

    I went through the instructions for malware removal, but my Avira is still picking up a file called rucal.sys from TR/Rootkit.Gen.

    The other day my provider cut off my internet service because my system had been compromised. They told me at that time that it was the Rustock spambot, so I don't know if they are all the same thing or whatnot, but any help would be greatly appreciated.

    I run Windows XP home 32bit
     

  2. neemo

    neemo Private E-2

    Here is the MGlogs file as well.
     

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    First you must disable Spybot's Teatimer as requested in the READ & RUN ME. See this: How to disable Spybot's TeaTimer


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  4. neemo

    neemo Private E-2

    OK, so I ran those things as suggested. Here are the logs that you requested.

    I really appreciate the help :)

    A question... after I ran all the original "please help" programs, a second version of the Windows Explorer shortcut appeared on my desktop... should I delete the first shortcut?
     

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not tell me how things are working?

    You do not have any shortcuts for Windows Explorer on your Desktop according to your logs? Do you mean Internet Explorer?



    In your first ComboFix log the below files all showed as appearing around the same date and time. The ones marked red were definite infections. The one marked purple looked very suspicious, like an infection too, especially since there is zero info about it.
    Code:
    2010-08-28 20:08  11:07 768512 c:\windows\system32\drivers\rucal.sys      (red)
    2010-08-28 19:53  17:40 34688  c:\windows\system32\dllcache\lbrtfdc.sys
    2010-08-28 19:53  17:40 34688  c:\windows\system32\drivers\lbrtfdc.sys
    2010-08-28 19:53  17:41 8576   c:\windows\system32\dllcache\i2omgmt.sys
    2010-08-28 19:53  17:41 8576   c:\windows\system32\drivers\i2omgmt.sys
    2010-08-28 19:52  11:04 120    c:\windows\Cbisado.dat                    (red)
    2010-08-28 19:52  11:04 0      c:\windows\Rzaquyuru.bin                  (red)
    2010-08-28 19:51  19:51 62976  c:\windows\system32\drivers\bgeplh.sys    (purple)
    2010-08-28 19:51  17:40 8192   c:\windows\system32\dllcache\changer.sys
    2010-08-28 19:51  17:40 8192   c:\windows\system32\drivers\changer.sys
    Did you recently ( around August 28th ) install some new hardware or software? Maybe something to do with a CD drive or floppy? Or did you update software?

    Is your CD driver working okay? I ask because I had ComboFix remove the bgeplh.sys file along with the registry entry for the driver, since it appeared it could have been related to the rucal.sys file. However, the report from the last logs indicates that bgeplh.sys may have been a Microsoft driver originally named cdrom.sys. Not sure why any legit software would have to rename this and make it look like malware.
     
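    The triage chaslang applies above (cluster files by creation time around a confirmed-bad driver, then discount the ones that have a matching Windows File Protection copy under system32\dllcache) can be scripted. The following is an added example, not part of the thread or of ComboFix; it assumes the flattened column order seen in the quoted listing (creation date and time, a second time, size, path) and uses the listing from the post as constructed sample input.

    ```python
    import re
    from datetime import datetime, timedelta

    # Constructed sample: the flattened file listing quoted in the post above.
    # Assumed column order: creation date and time, a second time, size, path.
    LISTING = r"""
    2010-08-28 20:08  11:07 768512 c:\windows\system32\drivers\rucal.sys
    2010-08-28 19:53  17:40 34688  c:\windows\system32\dllcache\lbrtfdc.sys
    2010-08-28 19:53  17:40 34688  c:\windows\system32\drivers\lbrtfdc.sys
    2010-08-28 19:53  17:41 8576   c:\windows\system32\dllcache\i2omgmt.sys
    2010-08-28 19:53  17:41 8576   c:\windows\system32\drivers\i2omgmt.sys
    2010-08-28 19:52  11:04 120    c:\windows\Cbisado.dat
    2010-08-28 19:52  11:04 0      c:\windows\Rzaquyuru.bin
    2010-08-28 19:51  19:51 62976  c:\windows\system32\drivers\bgeplh.sys
    2010-08-28 19:51  17:40 8192   c:\windows\system32\dllcache\changer.sys
    2010-08-28 19:51  17:40 8192   c:\windows\system32\drivers\changer.sys
    """
    LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\d{2}:\d{2}\s+(\d+)\s+(\S.*)$")

    def parse_listing(text):
        # Each matching line becomes {created: datetime, size: int, path: str}.
        entries = []
        for line in text.splitlines():
            m = LINE_RE.match(line.strip())
            if m:
                created = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
                entries.append({"created": created, "size": int(m.group(2)),
                                "path": m.group(3).strip()})
        return entries

    def basename(path):
        return path.rsplit("\\", 1)[-1]

    def has_dllcache_twin(entry, entries):
        # On XP a same-name, same-size copy in system32 dllcache is what a
        # Windows File Protection managed driver looks like; treat as benign.
        low = entry["path"].lower()
        if "\\dllcache\\" in low:
            return True
        twin = "\\dllcache\\" + basename(low)
        return any(e["path"].lower().endswith(twin) and e["size"] == entry["size"]
                   for e in entries)

    def triage(text, known_bad, window_minutes=30):
        # Flag files created within window_minutes of a confirmed-bad file
        # that lack a dllcache twin; reproduces the red/purple picks above.
        entries = parse_listing(text)
        bad_times = [e["created"] for e in entries if basename(e["path"]) in known_bad]
        window = timedelta(minutes=window_minutes)
        return [basename(e["path"]) for e in entries
                if any(abs(e["created"] - t) <= window for t in bad_times)
                and not has_dllcache_twin(e, entries)]
    ```

    Run on the sample with known_bad={"rucal.sys"}, it flags rucal.sys, Cbisado.dat, Rzaquyuru.bin and bgeplh.sys; as the thread later shows, bgeplh.sys was a renamed cdrom.sys from legitimate software, so a flag here is a lead to verify (signature, hash lookup), not a verdict.
    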
  6. neemo

    neemo Private E-2

    Well, things seemed to be working OK :-D I did a virus scan and it found 3 files, so I deleted them, and it let me do that straight away; then I ran it again and it came up clean. Sorry I didn't reply; I was waiting for a response to the Internet Explorer inquiry.

    Yeah, I meant Internet Explorer for the shortcut... and I did just try to use my CD-ROM and it is not working (I rarely use it).

    The only thing I can think of was I was trying to get Hotmail to attach some photos and the computer wouldn't let me install the ActiveX controller to do that, so I disabled my antivirus and reduced my security level to low.

    But no, I haven't recently installed anything to do with my CD-ROM :confused
     
  7. neemo

    neemo Private E-2

    Oh wait, I did update DivX around then.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should not have done this, as it was not requested, and you should only be doing what was requested as stated in the READ & RUN ME. What was found was likely just things we already quarantined and that your antivirus program never removed when it was active (like the rucal.sys file), but you may have also deleted things we need to restore. We shall see.

    Let's see if restoring the item I mentioned changes this; the problem may or may not be due to this.


    Now we need to use ComboFix to DeQuarantine some items
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  9. neemo

    neemo Private E-2

    Oops, sorry about that :( I didn't know how else to check to see if anything was wrong :/

    I ran the things that you asked me to run and nothing else... and unfortunately the CD-ROM still does not work.

    Do you have any comment on the second Internet Explorer shortcut that appeared during my first round of malware removal? Is that normal for one of those "READ ME FIRST" programs to provide a "clean" shortcut for IE?

    Attached is the MGlogs file.
     

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then I suggest posting in the Hardware Forum. Since you say you rarely use it, it may have been broken for awhile.

    The READ & RUN ME does not add a shortcut to your Desktop. When it unhides files and folders, this extra link just became visible to you. It was likely always there. See if the final instructions below (which automatically rehide things) make it disappear.

    Since your logs are clean, it is time for the below.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (this uninstall will only work as written if you installed ComboFix on your Desktop like we requested).
      • Click START then RUN, enter the below into the run box and then click OK. Note that the quotes are required.
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  11. neemo

    neemo Private E-2

    Thank you so much chaslang, you've been a great help :)
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
  13. neemo

    neemo Private E-2

    chaslang... just a heads up, that bgeplh.sys must be a file for either an NEC DVD+RW drive or for DivX. I uninstalled DivX and reinstalled it and my player works again. I still have cdrom.sys on my system as well.

    Thanks again for your help :)
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    Yes, I suspected it was for something legit and not malware. It just seems to be a modified version of cdrom.sys.

    Thanks for the follow up info. ;)
     