A frustrated Scot...

Next time please wait to be asked.

First problem, logs must be posted from normal boot mode in 99.9% of all instances. Do not post a new one yet.

Next it looks like you may be running multiple antivirus applications. You must use only one. Pick the one you prefer and uninstall all the others.

Disable Spybot's Teatimer because it often gets in the way of cleaning up problems.

To disable TeaTimer, run Spybot and click Mode and select Advanced Mode. Then click Tools and select Resident. Now in the right window pane, uncheck TeaTimer.
Also while this is open, in the left column now select IE Tweaks and then in the right pane make sure all the Miscellaneous locks are unchecked.
Now quit Spybot!

Now goto Add/Remove programs and uninstall MessengerPlus3 which can add all kinds of malware to your PC including a LOP infection.

Now please download the following tool and save it where you will be able to find it.

L2MeFix Tool

Please print out these instructions now or save locally so that you can operate with All Browser Windows CLOSED.

Exit Browsers now before continuing

Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1 for Run Find Log . Allow it as much time as it needs to run until NotePad opens with a log.

NOTE: Please do not run any other options or files in the l2mfix Folder!

Now reconnect and come back here and post as an attachment the l2mfix log. Based on the log, we will determine the next steps.

Now also post a new HJT log from normal boot mode. And provide feedback on all the above steps and comments.

Please DO NOT REBOOT after scanning for these logs!! Otherwise potential problems may mutate and spread. Wait for me to get back to you with the next steps.

 

First download and run Download XP Fix

Then rerun the L2MeFix Tool step and post a new log. It did not work properly because of that error. Let me know if it runs okay this time with getting those messages about autoexec.nt (or any other error message).

You still have both AVG and BitDefender installed. You must uninstall one.

 

Okay that's better.

Print or save these instructions locally now because you will have to be disconnected with no browsers open in the next step.

Please make sure ALL Browser Windows are Closed and also you should physically disconnect from the Internet by unplugging your cable.

Go to the L2MFix Folder on your Desktop and DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
Your computer will go bazonkers (now there's a great technical term!) for a bit, but just let it run. It should eventually spit out another log in Notepad. Please attach that log when you come back.

Again, don't run any other files in the L2MFix folder.

Let me know how things look now.

Also attach a new HJT log.

 

Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixdll.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixdll.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

Now continue with the below steps.

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O2 - BHO: C:\WINDOWS\q211312_disk.dll - {A82BE883-EE51-4FAB-85B4-9432C6056673} - C:\WINDOWS\q211312_disk.dll
O18 - Filter: text/html - {A3799505-C65A-4C19-9287-559D8C48DC95} - C:\Documents and Settings\arun menon\Local Settings\Application Data\microsoft\internet explorer\V0.26.dat
O20 - Winlogon Notify: disk - C:\WINDOWS\q211312_disk.dll
O20 - Winlogon Notify: style2 - C:\WINDOWS\q3685171_disk.dll

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\Documents and Settings\arun menon\Local Settings\Application Data\microsoft\internet explorer\V0.26.dat
C:\WINDOWS\q211312_disk.dll
C:\WINDOWS\q3685171_disk.dll

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

Did HijackThis give an error message when trying to fix those lines? If so, what was it.

Did the registry patch give any error message? Or did it say it worked?

 

Are you sure these DLLs C:\WINDOWS\q211312_disk.dll and C:\WINDOWS\q3685171_disk.dll ) are not related to:

C:\Program Files\Virtual CD v4 SDK

From Windows Explorer, right click on it them and select Properties. Now see if there is a Version tab in the window. If so, select the Version tab and on the next window select each of the listed Item names (one at a time) to get more info about the file. The most important Item is the company name. If there is no Version tab, tell me that too.

 

I'm not questioning this process. We can already see what it is from your HJT log.
See the below:

http://www.liutilities.com/products/wintaskspro/processlibrary/VCSSecS/


I assume you installed and use this? I wanted to see if the DLLs were related.

Do you know how to use regedit? If so, use regedit and look to see it the registry merger actually worked. Look for the below registry keys to see if they are still there.


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\disk

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\style2

Are you logged in with Administrator priviledges?

 

Please download Pocket KillBox and extract it to its own folder somewhere.

Please run Pocket Killbox. Select the option to Replace on Reboot.
Click Start, and then click Run. (The Run dialog box appears.)
Type, or copy and paste, the following text:

C:\WINDOWS\q211312_disk.dll

then click OK. If a dialog box confirming this action appears, click OK. If you get an error message, just ignore it (click OK) and continue.

Repeat the above for: C:\WINDOWS\q3685171_disk.dll


Please download Pocket KillBox and extract it to its own folder somewhere.

Please run Pocket Killbox. Select the option to Replace on Reboot.


Now, Copy and Paste C:\WINDOWS\q211312_disk.dll into the box and check the option to Use Dummy. Also check the option to End Explorer Shell While Killing File. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click No!


Now, Copy and Paste C:\WINDOWS\q3685171_disk.dll into the box and check the option to Use Dummy. Also check the option to End Explorer Shell While Killing File. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click Yes!

Okay so now your PC should be reboot. If you get an error message about Pending Operations, just reboot your PC yourself.

After reboot, run HijackThis and see if we can now do the following. Select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O2 - BHO: C:\WINDOWS\q211312_disk.dll - {A82BE883-EE51-4FAB-85B4-9432C6056673} - C:\WINDOWS\q211312_disk.dll
O20 - Winlogon Notify: disk - C:\WINDOWS\q211312_disk.dll
O20 - Winlogon Notify: style2 - C:\WINDOWS\q3685171_disk.dll

After clicking Fix, exit HJT.
Double check to make sure the below files are actually gone:
C:\WINDOWS\q211312_disk.dll
C:\WINDOWS\q3685171_disk.dll

Now post a new HJT log. And tell us how things are working.

 

Yes you should check all user profiles to make sure they are clean.

Yes the other file which is still in your log is a problem. That is the reason for it being in message # 17.
O2 - BHO: C:\WINDOWS\q211312_disk.dll - {A82BE883-EE51-4FAB-85B4-9432C6056673} - C:\WINDOWS\q211312_disk.dll
O20 - Winlogon Notify: disk - C:\WINDOWS\q211312_disk.dll

Run the steps related to q211312_disk.dll in message #17. Where it says "reboot now – Click No!" change that to Yes! Since the other file is already gone, ignore the steps for it.

 

What do you mean by "them"? Is there more than just C:\WINDOWS\q211312_disk.dll ?

Try booting in safe mode and renaming q211312_disk.dll to q211312_disk.ddd
If that works, then try dragging the renamed file to your Desktop. Do not copy it to the Desktop. Move it to the Desktop.

Then reboot and try to fix the lines with HJT. Let me know what happens.

 

Yes you are clean.

I'm not sure what the root cause of this was so it's hard to know if anything else is hiding. If you want to be safe, run the below trial version of Ewido. Follow the steps given.

Download this trial version of Ewido Security Suite

• Install ewido security suite
• Launch ewido, there should be an icon on your desktop double-click it.
• The program will have a window come up. One of the buttons on the left is to Update. Click the Update button.and then Start the Update. The update will start and a progress bar will show the updates being installed.
• After it completes the update, click the Scanner button

Now exit Ewido. Now print the below instructions or save them locally because I want you do have no browsers opened and also have no connection to the internet (unplug your cable) while doing the below.

Okay, reboot into safe mode and follow the steps below. (If you have any problems at all trying to get into safe mode to complete these steps, just run them in normal boot mode and make sure you tell me when you come back.)

Open up Ewido and do the following:

• Click on Scanner
• Then click Settings
• Under What to Scan? Select Scan every file
• Then click OK
• Click on Complete System Scan and the scan will start.
• Let the program scan the machine

While the scan is in progress you will be prompted to clean files that are infected. Leave the defaults selections (to Remove and backup) and click OK. To save yourself some time, you can select Perform action with all infections and then click OK. With the option to scan every file, a lot of cookies will be removed.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

• Click Save report
• Save the report to your desktop or anyplace you will be able to find it to upload here.

Reboot into normal mode and reconnect to the internet.

Come back here and post the Ewido Scan Report. And tell me if you are still having any problems.

 

Happy to hear that updates are working now. Ewido did some minor cleaning.

Now that you are all cleaned up you should see the steps in the below thread:

How to Protect yourself from malware!