Rootkit.Agent and Rootkit.ADS - logs


  • Root Admin

Update and Scan with Malwarebytes' Anti-Malware

  • Start Malwarebytes' Anti-Malware (Vista users must right-click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer

AFTER the reboot, run HJT. Do a system scan and save a logfile.

Then post back NEW MBAM and HJT logs in that order please.


Malwarebytes' Anti-Malware 1.33

Wersja bazy definicji: 1712

Windows 5.1.2600 Dodatek Service Pack 3

2009-01-31 10:40:44

mbam-log-2009-01-31 (10-40-44).txt

Typ skanowania: Szybkie skanowanie

Przeskanowane obiekty: 58132

Uplynelo: 1 minute(s), 2 second(s)

Zainfekowane procesy w pamieci: 0

Zainfekowane moduly pamieci: 0

Zainfekowane klucze rejestru: 8

Zainfekowane wartosci rejestru: 0

Zainfekowane pliki rejestru: 2

Zainfekowane foldery: 0

Zainfekowane pliki: 2

Zainfekowane procesy w pamieci:

(Nie wykryto groznych plikow)

Zainfekowane moduly pamięci:

(Nie wykryto groznych plikow)

Zainfekowane klucze rejestru:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ati8ucxx (Rootkit.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ati8ucxx (Rootkit.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\ati8ucxx (Rootkit.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati8ucxx (Rootkit.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ati8ucfxx (Rootkit.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\icf (Rootkit.ADS) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\icf (Rootkit.ADS) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icf (Rootkit.ADS) -> Quarantined and deleted successfully.

Zainfekowane wartosci rejestru:

(Nie wykryto groznych plikow)

Zainfekowane pliki rejestru:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Zainfekowane foldery:

(Nie wykryto groźnych plik


  • Root Admin

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.


ComboFix 09-02-06.01 - Łukasz 2009-02-07 1:52:08.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1250.1.1045.18.2047.1602 [GMT 1:00]

Uruchomiony z: c:\documents and settings\Łukasz\Pulpit\ComboFix.exe

* Utworzono nowy punkt przywracania

.

ADS - svchost.exe: deleted 25600 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\2u.com

C:\abk.bat

c:\documents and settings\All Users\Dane aplikacji\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Dane aplikacji\Microsoft\Network\Downloader\qmgr1.dat

C:\e.cmd

C:\iky.bat

C:\sq.com

C:\vva0hc0p.cmd

c:\windows\system32\eqwbzvvf.dll

c:\windows\system32\eqwbzvvf32.dll

E:\1u0o8bnq.cmd

E:\2.cmd

E:\2u.com

E:\6x8be16.cmd

E:\83l3v.cmd

E:\abk.bat

E:\Autorun.inf

E:\e.cmd

E:\iky.bat

E:\kk3.bat

E:\n.com

E:\nfdmg.com

E:\njibyekk.com

E:\otyh.cmd

E:\r1y1.bat

E:\sq.com

E:\tyktjfww.exe

E:\u9dyi.exe

E:\vva0hc0p.cmd

E:\x.com

E:\x0.cmd

E:\xih9.cmd

E:\xk2n.bat

F:\1u0o8bnq.cmd

F:\2.cmd

F:\2u.com

F:\6x8be16.cmd

F:\83l3v.cmd

F:\abk.bat

F:\Autorun.inf

F:\e.cmd

F:\iky.bat

F:\kk3.bat

F:\n.com

F:\nfdmg.com

F:\njibyekk.com

F:\otyh.cmd

F:\r1y1.bat

F:\sq.com

F:\tyktjfww.exe

F:\u9dyi.exe

F:\vva0hc0p.cmd

F:\x.com

F:\x0.cmd

F:\xih9.cmd

F:\xk2n.bat

----- BITS: Możliwe zainfekowane strony -----

hxxp://supertvist.com

.

((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_FCI

-------\Legacy_ICF

-------\Legacy_TCPSR

-------\Service_ICF

-------\Service_tcpsr

((((((((((((((((((((((((( Pliki utworzone od 2009-01-07 do 2009-02-07 )))))))))))))))))))))))))))))))

.

2009-01-31 08:45 . 2009-01-31 10:37 <DIR> d-------- c:\program files\SpywareGuard

2009-01-30 23:27 . 2009-01-31 09:03 250 --a------ c:\windows\gmer.ini

2009-01-30 22:18 . 2009-02-07 01:41 32,768 --a------ c:\windows\system32\drivers\ati8ucxx.sys

2009-01-17 18:40 . 2009-01-17 18:40 <DIR> d-------- c:\documents and settings\Łukasz\Dane aplikacji\Malwarebytes

2009-01-17 18:32 . 2009-01-17 18:41 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-17 18:32 . 2009-01-17 18:32 <DIR> d-------- c:\documents and settings\All Users\Dane aplikacji\Malwarebytes

2009-01-17 18:32 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-17 18:32 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-17 18:15 . 2007-11-09 00:17 <DIR> d--h----- c:\documents and settings\Administrator\Ustawienia lokalne

2009-01-17 18:15 . 2007-11-09 00:17 <DIR> d-------- c:\documents and settings\Administrator\Ulubione

2009-01-17 18:15 . 2007-11-08 23:24 <DIR> d--h----- c:\documents and settings\Administrator\Szablony

2009-01-17 18:15 . 2007-11-09 00:17 <DIR> d-------- c:\documents and settings\Administrator\Pulpit

2009-01-17 18:15 . 2007-11-09 00:17 <DIR> d-------- c:\documents and settings\Administrator\Moje dokumenty

2009-01-17 18:15 . 2007-11-09 00:17 <DIR> dr------- c:\documents and settings\Administrator\Menu Start

2009-01-17 18:15 . 2007-11-09 00:17 <DIR> dr-h----- c:\documents and settings\Administrator\Dane aplikacji

2009-01-17 18:15 . 2009-01-17 18:15 <DIR> d-------- c:\documents and settings\Administrator

2009-01-17 16:10 . 2009-01-17 16:10 <DIR> d-------- c:\program files\Daphne

2009-01-17 10:23 . 2009-01-17 10:23 <DIR> d-------- c:\documents and settings\All Users\Dane aplikacji\Lavasoft

2009-01-17 09:16 . 2009-01-17 10:23 <DIR> d-------- c:\program files\Lavasoft

2009-01-17 09:16 . 2009-01-17 10:23 <DIR> d-------- c:\documents and settings\Łukasz\Dane aplikacji\Lavasoft

2009-01-17 09:10 . 2009-01-17 09:10 217 --a------ c:\windows\system32\MRT.INI

2009-01-17 01:49 . 2009-01-17 01:49 0 --a------ c:\windows\system32\system32xp.exe.tmp

2009-01-15 20:32 . 2009-01-17 09:10 32,768 --a------ c:\windows\system32\drivers\ati6gnxx.sys

2009-01-15 20:31 . 2008-04-14 18:21 26,624 --a------ c:\windows\system32\stu2.exe

.

(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-07 00:40 --------- d-----w c:\program files\AutoConnect

2009-02-06 18:12 --------- d-----w c:\windows\system32\config\systemprofile\Dane aplikacji\SolidDocuments

2009-02-01 14:03 196,608 ----a-w c:\windows\system32\drivers\nStandard.bin

2009-01-29 17:03 --------- d-----w c:\documents and settings\Łukasz\Dane aplikacji\SolidDocuments

2009-01-17 16:20 --------- d-----w c:\documents and settings\Łukasz\Dane aplikacji\Orbit

2009-01-17 12:22 --------- d-----w c:\program files\SUPERAntiSpyware

2009-01-17 12:22 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-01-17 10:06 --------- d-----w c:\program files\Windows Live Safety Center

2009-01-15 20:33 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\Microsoft Help

2008-12-24 21:05 --------- d-----w c:\documents and settings\Łukasz\Dane aplikacji\dvdcss

2008-12-19 22:52 --------- d--h--w c:\program files\InstallShield Installation Information

2008-12-19 22:51 --------- d-----w c:\program files\Microsoft Games for Windows - LIVE

2008-12-15 11:47 10,604 ----a-w c:\documents and settings\Łukasz\Dane aplikacji\wklnhst.dat

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

2008-11-28 20:22 105,411 --sh--r C:\o1.com

2008-11-10 17:10 108,271 --sh--r C:\whi.com

2008-04-12 09:07 22,328 ----a-w c:\documents and settings\Łukasz\Dane aplikacji\PnkBstrK.sys

2007-12-25 00:38 32 ----a-w c:\documents and settings\All Users\Dane aplikacji\ezsid.dat

2008-03-02 20:02 88 --sh--r c:\windows\system32\E18CEA6D67.sys

2008-03-02 20:02 3,350 --sha-w c:\windows\system32\KGyGaAvL.sys

.

file copied: c:\windows\system32\user32.dll -> c:\qoobox\Quarantine\C\WINDOWS\system32\user32.dll.vir ( 580096 bytes )

Infected c:\windows\system32\user32.dll hex repaired

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 700416]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

"RGSC"="e:\gry\GTA4\Rockstar Games Social Club\RGSCLauncher.exe" [2008-12-19 306088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"GamerOSD"="c:\program files\ASUS\GamerOSD\GamerOSD.exe" [2007-02-14 380928]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]

"CorelDRAW Graphics Suite 11b"="c:\program files\Corel\Corel Graphics 12\Languages\PL\Programs\Registration.exe" [2004-06-23 733184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 1294336]

c:\documents and settings\ťukasz\Menu Start\Programy\Autostart\

SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-08-29 360448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati6gnxx.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati8ucxx.sys]

@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

"c:\\Program Files\\Gadu-Gadu\\gg.exe"=

R0 ati8ucxx;ati8ucxx;c:\windows\system32\drivers\ati8ucxx.sys [2009-01-30 32768]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-01-08 24652]

R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [2007-11-08 38656]

S0 ati6gnxx;ati6gnxx;c:\windows\system32\drivers\ati6gnxx.sys [2009-01-15 32768]

S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]

S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [2006-03-10 39424]

S3 V0260VID;Live! Cam Vista IM;c:\windows\system32\drivers\V0260Vid.sys [2007-12-24 178913]

.

Zawartość folderu 'Zaplanowane zadania'

2009-01-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-602609370-839522115-1004.job

- c:\documents and settings\A []

.

- - - - USUNIĘTO PUSTE WPISY - - - -

HKCU-Run-LightScribe Control Panel - c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

HKCU-Run-Start WingMan Profiler - (no file)

HKLM-Run-JMB36X IDE Setup - c:\windows\RaidTool\xInsIDE.exe

Notify-eqwbzvvf - (no file)

.

------- Skan uzupełniający -------

.

IE: &Download by Orbit

IE: &Grab video by Orbit

IE: Do&wnload selected by Orbit

IE: Down&load all by Orbit

IE: E&ksportuj do programu Microsoft Excel

FF - ProfilePath -

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-07 01:56:42

Windows 5.1.2600 Dodatek Service Pack 3 NTFS

skanowanie ukrytych proces


  • Root Admin

I would recommend using this tool if you can. It can address some files if they've been modified. Most Anti-Malware tools can not.

Please download this, place a blank CD in your burner and double-click on the downloaded file. It will automatically burn the CD for you.

At the bottom left should be 2 flags. If you use your mouse and click on the British flag the interface should switch to English for you.

Have it scan ALL files. There is no way that I'm aware of to save a log, so you may need to write down any special errors or infections found and their outcome.

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

    Avira AntiVir Rescue System
    Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore. Thus it is possible to:

      • repair a damaged system,
      • rescue data,
      • scan the system for virus infections.

    Just double-click on the rescue system package to burn it to a CD/DVD. You can then use this CD/DVD to boot your computer.
    The Avira AntiVir Rescue System is updated several times a day so that the most recent security updates are always available.

Rescue CD screen resolution problem

Please see the post here if you're unable to view the entire screen of Avira.


This is an update on that malware. I apologise, as my description isn't very accurate, but here is what I've done:

As you recommended, I created a CD with Avira AntiVir Rescue System and used it to boot my PC. Then I started the scan (all files) and I chose the option (in the Configuration menu) to remove/rename all suspected files. The scan process was quite long, but it detected the rootkits that were causing the problem. The log screen showed that those files are not removable and hence Avira changed their names. I restarted the system and started Windows. A quick scan with updated MBAM still detected those (renamed) files and still marked them as Rootkit.Agent and Rootkit.ADS. But now MBAM managed to remove them. After reboot I scanned the system with MBAM once again and now it doesn't show any malware. It looks like it's OK now.

Thank you so much for your kind help, I never would have been able to solve this problem by myself. Amazing job :D Hope that helps anyone who is unlucky enough to have those rootkits.


Malwarebytes' Anti-Malware 1.33

Database version: 1736

Windows 5.1.2600 Dodatek Service Pack 3

2009-02-07 23:59:08

mbam-log-2009-02-07 (23-59-08).txt

Scan type: Quick Scan

Objects scanned: 57631

Time elapsed: 51 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:58:23, on 2009-02-07

Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\Program Files\ASUS\GamerOSD\GamerOSD.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\ATKKBService.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\Program Files\Portrait Displays\HP Display Assistant\DTSRVC.exe

C:\Program Files\CDBurnerXP\NMSAccessU.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Documents and Settings\Łukasz\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe

C:\Program Files\AutoConnect\AutoConnect.exe

C:\Program Files\Opera\Opera.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Documents and Settings\Łukasz\Pulpit\Nowy folder\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll

O4 - HKLM\..\Run: [GamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\PL\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=021509 serial=DR12WCX-8531381-WDY lang=PL

O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe

O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [RGSC] E:\Gry\GTA4\Rockstar Games Social Club\RGSCLauncher.exe /silent

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2...15035/CTPID.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{16E6E59C-EEF1-4C82-8496-360A8D67CB82}: NameServer = 213.241.79.37 83.238.255.76

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: eqwbzvvf - eqwbzvvf32.dll (file missing)

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Portrait Displays\HP Display Assistant\DTSRVC.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Usługa iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 6738 bytes
