MSN Video Call = 99% Cpu Usage (In Progress)

dvk01's Avatar
Moderator & Malware Removal Specialist with 37,223 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
17-Nov-2009, 02:37 PM #31
there have been reports of problems associated with certain ATI graphics cards & a recent security update KB969947

normally that has been unable to log on to computer properly but it would be worth looking into with your problems
however I can't see any sign of it being installed in any of your logs

let's see what an online antivirus scan shows

* Run Kaspersky online virus scan Kaspersky Online Scanner.

After the updates have downloaded, click on the "Scan Settings" button.
select the "Spyware, Adware, Dialers and other potentially dangerous programs" for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, Save the results from the scan!

Note: Kavscan is a scanner only & won't fix anything but will normally find the most infected files so its report gives us a good place to work from
__________________
Derek Microsoft MVP/Windows - Security | Thespykiller | Security & Privacy
Find out all about the European Wild Hedgehog, what you can do to save it from extinction Hedgehog Rescue
MBows's Avatar
Member with 45 posts.
 
Join Date: Nov 2009
17-Nov-2009, 02:53 PM #32
Download is almost done, but firefox just hit 99% cpu... writing this is very slow..

anyway, hopefully it'll go away, i'll run the scan after the download finishes shortly.
MBows's Avatar
Member with 45 posts.
 
Join Date: Nov 2009
17-Nov-2009, 03:16 PM #33
Okay. Working fine now.
MBows's Avatar
Member with 45 posts.
 
Join Date: Nov 2009
17-Nov-2009, 06:30 PM #34
I left it on while I went out. It's been running for 2 hours and it's at 28%. Seems like it might have locked up a bit. Hopefully it'll complete by tomorrow morning...
MBows's Avatar
Member with 45 posts.
 
Join Date: Nov 2009
18-Nov-2009, 12:20 AM #35
Kaspersky didn't find much at all.

"Virus.Win32.Induc.a"

Was found in 2 files. That's it.

MalwareBytes also found 1 threat with a quickscan. I'm gonna run a full scan overnight and save a log.

Last edited by MBows; 18-Nov-2009 at 12:41 AM..
dvk01's Avatar
Moderator & Malware Removal Specialist with 37,223 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
18-Nov-2009, 06:04 AM #36
which files did Kaspersky find infected?

induc.a is a file infector virus for all delphi compiled files & attacks many running files
MBows's Avatar
Member with 45 posts.
 
Join Date: Nov 2009
18-Nov-2009, 11:27 AM #37
Kaspersky:

C:\Video Edit\Midi To Mp3\setup.exe
C:\Video Edit\Midi To Mp3\setup.exe

Also, MalwareBytes found one file infected as well

Files Infected:
C:\Documents and Settings\Owner\Application Data\cpx.exe (Trojan.MultiDropper)

I didn't try and remove the infected file, because you said not to make any changes.
dvk01's Avatar
Moderator & Malware Removal Specialist with 37,223 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
18-Nov-2009, 02:42 PM #38
delete all files found by mbam & Kaspersky

then

Download RSIT (random's system information tool) from here to your desktop, then click on the RSIT.exe to start the scan.

If necessary allow it to locate or download a copy of HijackThis as needed.

Once the scan completes a textbox will open - copy/paste those contents here for review please. The log can also be found at C:\rsit\log.txt.

RSIT will also create a second log, info.txt, which will be minimized to your taskbar. Post that here as well please (it will also be stored at C:\rsit\info.txt).

You can use separate posts here when replying and posting the log files if needed.

and then


Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

Start the Sysprot.exe program.
  • Click on the Log tab.
  • In the Write to log box select all items.
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new Window should appear.
  • Make sure Scan all drives is selected and click on the Start button.
  • When it is complete a new Window will appear to indicate that the scan is finished.
  • The log will be created and saved automatically in the same folder. Open the text file and copy/paste the log here.
MBows's Avatar
Member with 45 posts.
 
Join Date: Nov 2009
18-Nov-2009, 04:39 PM #39
The Sysprot "create log" stops fairly quickly and returns the error:

"Windows - Drive Not Ready

The drive is not ready for use; its door may be open. Please check drive A: and make sure that a disk is inserted and that the drive door is closed.

Cancel, Try again, Continue."

All three options simply show the error again.

A log is created regardless it seems, so I'll post that anyway.
dvk01's Avatar
Moderator & Malware Removal Specialist with 37,223 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
18-Nov-2009, 05:11 PM #40
delete any existing cfscript on desktop

Download the attached CFScript.txt and save it to your desktop ( click on the link underneath this post & if you are using internet explorer when the "File download" pop up comes press SAVE and choose desktop in the list of selections in that window & press save)
Disable any antivirus/antimalware/firewall realtime protection or script blocking in the same way you did previously before running combofix & remember to re-enable it when it has finished
Close any open browsers
Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.







This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.


Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system and will not fix your problem. If you have a similar problem start your own topic in the malware fixing forum

This will create a zip file inside C:\QooBox\quarantine named something like [38]-Submit_2008-01-17@17.50.zip

at the end it will pop up an alert & open your browser and ask you to send the zip file

please follow those instructions. We need to see the zip file before we can carry on with the fix

If there is no pop up alert or open browser then

please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and if needed distribute them to antivirus companies.
Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the files on your computer, If there is more than 1 file then press the more attachments button for each extra file and browse and select etc and then when all the files are listed in the windows press send to upload the files ( do not post HJT logs there as they will not get dealt with)

Files to submit:
the zip file inside C:\QooBox\quarantine created by combofix named something like [38]-Submit_2008-01-17@17.50.zip

or to
http://www.bleepingcomputer.com/subm...php?channel=38
MBows's Avatar
Member with 45 posts.
 
Join Date: Nov 2009
18-Nov-2009, 05:57 PM #41
All set.

The zip will be sent to the second link.
dvk01's Avatar
Moderator & Malware Removal Specialist with 37,223 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
18-Nov-2009, 07:35 PM #42
there is something extremely strange going on here & I am asking a few other experts to take a look at your logs and see what they think
MBows's Avatar
Member with 45 posts.
 
Join Date: Nov 2009
18-Nov-2009, 08:39 PM #43
Quote:
Originally Posted by dvk01 View Post
there is something extremely strange going on here & I am asking a few other experts to take a look at your logs and see what they think
Okay. Trying to be very patient, because I know you're trying to help. Thank you again for taking a look.

Any way of explaining in layman's terms the strange events occurring?
dvk01's Avatar
Moderator & Malware Removal Specialist with 37,223 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
19-Nov-2009, 07:08 AM #44
there are some system files being created at every boot by the looks of it and that is very worrying

I am suspicious it is a new version of a rootkit, that is already very difficult to fix so am waiting on input from researchers who specialize in this rootkit
dvk01's Avatar
Moderator & Malware Removal Specialist with 37,223 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
19-Nov-2009, 10:12 AM #45
we don't think it is the rootkit we were concerned about so aren't sure what is causing the problems

let's see if any of the other online scans find anything

http://security.symantec.com/default.asp?
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/
http://www.bitdefender.com/scan8/ie.html