WiredWX Hobby Weather Tools

W32.Tidserv.G has me in a MMA submission hold!!!!!

3 posters

Re: W32.Tidserv.G has me in a MMA submission hold!!!!!

I was just about to ask you if I could download it to my iPod and transfer it that way. OK. Give me a sec.

Re: W32.Tidserv.G has me in a MMA submission hold!!!!!

The program won't open. It says "Winsockxpfix.exe is not a valid Win32 application".

Re: W32.Tidserv.G has me in a MMA submission hold!!!!!

Hello.
Don't use Winsock XP Fix; I know what's up now.

There's a rootkit interfering, and that's why you lost your internet connection. I usually only see this rootkit on Vista, and it was probably only made for Vista; this is XP, so it has a few bugs in it. Once we use this next tool and stop the rootkit driver, your net connection should be back.

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE or HERE.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.

Re: W32.Tidserv.G has me in a MMA submission hold!!!!!

Avenger was successful. It says:

Hidden driver "gaopdxserv.sys" found!
Image path:
\systemroot\system32\drivers\gaopdxujwighdksfodauvwvsawsItrmmeylgkl.sys
Driver disabled successfully

Re: W32.Tidserv.G has me in a MMA submission hold!!!!!

Hello.
Let's kill the rootkit file now.

1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Drivers to delete:
gaopdxserv.sys

Files to delete:
C:\WINDOWS\system32\drivers\gaopdxujwighdksfodauvwvsawsItrmmeylgkl.sys


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.

Re: W32.Tidserv.G has me in a MMA submission hold!!!!!

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at E:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "gaopdxserv.sys" deleted successfully.

Error: could not open file "C:\WINDOWS\system32\drivers\gaopdxujwighdksfodauvwvsawsItrmmeylgkl.sys"
Deletion of file "C:\WINDOWS\system32\drivers\gaopdxujwighdksfodauvwvsawsItrmmeylgkl.sys" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Completed script processing.

*******************

Finished! Terminate.
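
Two things in this log are worth a second look: Avenger reports its backup directory on E:, while the file it was told to delete was given under C:\WINDOWS, and the resulting 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND) means the parent directory did not exist on that path. The driver image path Avenger printed in the first run was kernel-style ("\systemroot\system32\drivers\..."), and \systemroot is the real Windows directory, not necessarily C:\WINDOWS. The following Python is an added example, not part of the thread or of The Avenger: it parses the log format shown above (the sample lines are constructed from this post), pairs each failed deletion with its NTSTATUS, resolves a kernel image path against a given Windows directory, and emits a script in Avenger's "Drivers to delete / Files to delete" format. The WINDOWS directory name on the backup drive is an assumption.

```python
import re

# Constructed sample: the relevant lines of the Avenger log posted above.
# (Backslashes are doubled because this is a Python string literal.)
SAMPLE_LOG = """Logfile of The Avenger Version 2.0, (c) by Swandog46

Platform: Windows XP

Backups directory opened successfully at E:\\Avenger

Rootkit scan active.
No rootkits found!

Driver "gaopdxserv.sys" deleted successfully.

Error: could not open file "C:\\WINDOWS\\system32\\drivers\\gaopdxujwighdksfodauvwvsawsItrmmeylgkl.sys"
Deletion of file "C:\\WINDOWS\\system32\\drivers\\gaopdxujwighdksfodauvwvsawsItrmmeylgkl.sys" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist

Completed script processing.
"""

OK_RE = re.compile(r'^(Driver|File|Folder|Registry key|Registry value) "(.+)" deleted successfully\.$')
FAIL_RE = re.compile(r'^Deletion of (\w+) "(.+)" failed!$')
STATUS_RE = re.compile(r'^Status: (0x[0-9A-Fa-f]+) \((\w+)\)$')
BACKUP_RE = re.compile(r'^Backups directory opened successfully at ([A-Za-z]:)\\')


def parse_avenger_log(text):
    """Split an Avenger log into successful deletions and failures.

    Each failure record carries the NTSTATUS code and symbolic name printed on
    the 'Status:' line that follows it; 'backup_drive' is the drive letter
    Avenger wrote its backups to (in practice the drive Windows lives on)."""
    result = {"ok": [], "failed": [], "backup_drive": None}
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        m = BACKUP_RE.match(line)
        if m:
            result["backup_drive"] = m.group(1).upper()
            continue
        m = OK_RE.match(line)
        if m:
            result["ok"].append((m.group(1).lower(), m.group(2)))
            continue
        m = FAIL_RE.match(line)
        if m:
            pending = {"kind": m.group(1), "target": m.group(2), "status": None, "name": None}
            result["failed"].append(pending)
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            pending["status"] = int(m.group(1), 16)
            pending["name"] = m.group(2)
            pending = None
    return result


def resolve_image_path(image_path, system_root):
    """Turn a driver image path as the kernel reports it into a Win32 path.

    '\\systemroot\\...' is relative to the real Windows directory, which is not
    necessarily C:\\WINDOWS; '\\??\\X:\\...' already names a drive letter."""
    low = image_path.lower()
    if low.startswith("\\systemroot\\"):
        return system_root.rstrip("\\") + "\\" + image_path[len("\\systemroot\\"):]
    if low.startswith("\\??\\"):
        return image_path[len("\\??\\"):]
    return image_path


def build_avenger_script(drivers=(), files=()):
    """Emit a script in the same 'Drivers to delete / Files to delete' layout as above."""
    lines = []
    if drivers:
        lines += ["Drivers to delete:", *drivers, ""]
    if files:
        lines += ["Files to delete:", *files]
    return "\n".join(lines).rstrip("\n") + "\n"


if __name__ == "__main__":
    parsed = parse_avenger_log(SAMPLE_LOG)
    for f in parsed["failed"]:
        print(f"FAILED {f['kind']} {f['target']}: {f['name']} (0x{f['status']:08x})")
    # Rebuild the path from the kernel image path Avenger reported, using the
    # Windows directory on the drive Avenger itself used (WINDOWS is assumed).
    root = parsed["backup_drive"] + "\\WINDOWS"
    path = resolve_image_path(
        "\\systemroot\\system32\\drivers\\gaopdxujwighdksfodauvwvsawsItrmmeylgkl.sys", root)
    print(build_avenger_script(files=[path]))
```

Run it as-is and it prints the one failure with its status name and a corrected script pointing at E:\WINDOWS; feed it a different log and the same parser reports which deletions actually happened, which is the first thing to check before moving to the next tool.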

Re: W32.Tidserv.G has me in a MMA submission hold!!!!!

Hello.
MBAM will run now, so install it, update it and run the scan.

Re: W32.Tidserv.G has me in a MMA submission hold!!!!!

Here's the log. Also note that my Norton virus alert is going off saying it has detected a virus (W32.Tidserv).

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

4/9/2009 4:05:17 PM
mbam-log-2009-04-09 (16-05-17).txt

Scan type: Quick Scan
Objects scanned: 73488
Time elapsed: 8 minute(s), 37 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 31
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 17

Memory Processes Infected:
E:\WINDOWS\system32\svcnost.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
E:\Documents and Settings\All Users\Application Data\Microsoft\ipdll.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\browsingadvisor.pornpro_bho (Adware.PlayMP3Z-biz) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\browsingadvisor.pornpro_bho.1 (Adware.PlayMP3Z-biz) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f1e96edc-e0c8-be98-1f15-c29dbed83b53} (Adware.PlayMP3Z-biz) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c28d210b-755b-461f-8141-fd381889d451} (Adware.SearchSpider) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f1e96edc-e0c8-be98-1f15-c29dbed83b53} (Adware.PlayMP3Z-biz) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Mirar (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\PlayMP3 (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System (Trojan.FakeAlert) -> Data: e:\windows\system32\svcnost.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{7128720f-b27e-4890-b81c-c99c984a8dea}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.121,85.255.112.123 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{9f49c02f-3dcd-4b0f-aa38-ac54fa16bda9}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.121,85.255.112.123 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
E:\Documents and Settings\user\Local Settings\Temp\Mirar_V77_LOG_IESC_AFF_ATD_TID_noMDNS_RPT_AVM_FLX_ADB_BHO_876987.exe (Adware.Mirar) -> Quarantined and deleted successfully.
E:\Documents and Settings\user\Local Settings\Temp\temED7.tmp.exe (Rogue.Installer) -> Quarantined and deleted successfully.
E:\Documents and Settings\user\Local Settings\Temp\temEDF.tmp.exe (Rogue.Installer) -> Quarantined and deleted successfully.
E:\Documents and Settings\user\Local Settings\Temp\temEE2.tmp.exe (Adware.SearchSpider) -> Quarantined and deleted successfully.
E:\Setup.exe (Trojan.Agent) -> Quarantined and deleted successfully.
E:\RECYCLER\S-8-5-38-100012155-100028341-100029518-8673.com (Trojan.Agent) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.
E:\Documents and Settings\All Users\Application Data\Microsoft\bits.dll (Trojan.Agent) -> Quarantined and deleted successfully.
E:\Documents and Settings\All Users\Application Data\Microsoft\ipdll.dll (Trojan.Agent) -> Delete on reboot.
E:\WINDOWS\system32\svcnost.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
E:\WINDOWS\Temp\tempo-123812.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
E:\WINDOWS\Temp\tempo-185453.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
E:\WINDOWS\Temp\tempo-425890.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
E:\WINDOWS\Temp\tempo-551921.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
E:\WINDOWS\Temp\tempo-566593.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
E:\WINDOWS\Temp\tempo-1108203.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
E:\WINDOWS\Temp\tempo-1932531.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
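
Three items in this MBAM log matter more than the adware bulk: the Winlogon\System value pointing at svcnost.exe (a logon-time persistence hook), the two Security Center *DisableNotify values set to 1 (alerts silenced), and the per-interface NameServer values redirected to 85.255.112.121 and 85.255.112.123 (Trojan.DNSChanger), plus two items marked "Delete on reboot" that are not gone until the machine restarts. As an added example, not part of the thread or of Malwarebytes, the Python below parses MBAM's detection-line format, counts detections per family, lists what is still pending a reboot, pulls the resolver IPs out of the NameServer entries and compares them against an allow-list of the resolvers the machine should be using, and then checks a read-back of the interface values after reboot. The sample lines are a constructed excerpt of the log above; the allow-listed resolver 192.168.1.1 and the post-reboot read-back are assumptions.

```python
import re
from collections import Counter

# Constructed excerpt of the MBAM log posted above (backslashes doubled for the
# Python literal); the real log has many more lines in exactly this format.
SAMPLE_MBAM = """Memory Processes Infected:
E:\\WINDOWS\\system32\\svcnost.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
E:\\Documents and Settings\\All Users\\Application Data\\Microsoft\\ipdll.dll (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\\regfile\\shell\\open\\command\\ (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\System (Trojan.FakeAlert) -> Data: e:\\windows\\system32\\svcnost.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Interfaces\\{7128720f-b27e-4890-b81c-c99c984a8dea}\\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.121,85.255.112.123 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Interfaces\\{9f49c02f-3dcd-4b0f-aa38-ac54fa16bda9}\\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.121,85.255.112.123 -> Quarantined and deleted successfully.

Files Infected:
E:\\Documents and Settings\\All Users\\Application Data\\Microsoft\\ipdll.dll (Trojan.Agent) -> Delete on reboot.
E:\\WINDOWS\\system32\\svcnost.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
E:\\WINDOWS\\Temp\\tempo-123812.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r'^([A-Za-z ]+ Infected):$')
ENTRY_RE = re.compile(r'^(?P<target>.+?) \((?P<family>[A-Za-z0-9.\-]+)\) -> (?P<rest>.+)$')


def parse_mbam(text):
    """Parse MBAM detection lines into dicts: section, target, family, action, data."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue                      # header or summary line, not a detection
        parts = [p.strip() for p in m.group("rest").split(" -> ")]
        data = None
        for p in parts[:-1]:              # optional 'Data: ...' or 'Bad: ... Good: ...' segment
            if p.startswith("Data: "):
                data = p[len("Data: "):]
        entries.append({"section": section, "target": m.group("target"),
                        "family": m.group("family"), "action": parts[-1], "data": data})
    return entries


def family_counts(entries):
    return Counter(e["family"] for e in entries)


def pending_reboot(entries):
    """Targets MBAM could not remove while in use; they are only gone after a reboot."""
    return sorted({e["target"] for e in entries if e["action"].startswith("Delete on reboot")})


def nameserver_ips(entries):
    """Every resolver IP MBAM found in a per-interface NameServer value."""
    ips = set()
    for e in entries:
        if e["data"] and e["target"].lower().endswith("\\nameserver"):
            ips.update(ip.strip() for ip in e["data"].split(","))
    return ips


def rogue_resolvers(entries, allowed):
    """Resolver IPs from the log that are not on the allow-list of expected DNS servers."""
    return nameserver_ips(entries) - set(allowed)


def check_current_resolvers(current, rogue):
    """Post-reboot check: 'current' maps interface GUID -> NameServer string as read
    back from the registry; returns interfaces that still point at a rogue resolver."""
    bad = []
    for guid, value in current.items():
        ips = {ip.strip() for ip in value.split(",") if ip.strip()}
        if ips & set(rogue):
            bad.append(guid)
    return sorted(bad)


if __name__ == "__main__":
    entries = parse_mbam(SAMPLE_MBAM)
    print(family_counts(entries))
    print("pending reboot:", pending_reboot(entries))
    # Assumed allow-list: the resolver this LAN is expected to hand out.
    rogue = rogue_resolvers(entries, allowed=["192.168.1.1"])
    print("rogue resolvers:", sorted(rogue))
    # Constructed post-reboot registry read-back: one interface still hijacked.
    readback = {"{7128720f-b27e-4890-b81c-c99c984a8dea}": "85.255.112.121,85.255.112.123",
                "{9f49c02f-3dcd-4b0f-aa38-ac54fa16bda9}": "192.168.1.1"}
    print("still hijacked:", check_current_resolvers(readback, rogue))
```

The point of the last function is that "Quarantined and deleted successfully" on a NameServer value only says the registry data was cleared at scan time; whether the box now resolves through the ISP or through the attacker's servers is a separate check after the reboot, and any interface still carrying a rogue resolver means the DNSChanger component survived.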

Re: W32.Tidserv.G has me in a MMA submission hold!!!!!

My mistake. That last log I posted was from BEFORE I rebooted the PC. Here's the log after I just rebooted. I don't know if it's the same or not but....

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

4/9/2009 4:05:17 PM
mbam-log-2009-04-09 (16-05-17).txt

Scan type: Quick Scan
Objects scanned: 73488
Time elapsed: 8 minute(s), 37 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 31
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 17

Memory Processes Infected:
E:\WINDOWS\system32\svcnost.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
E:\Documents and Settings\All Users\Application Data\Microsoft\ipdll.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\browsingadvisor.pornpro_bho (Adware.PlayMP3Z-biz) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\browsingadvisor.pornpro_bho.1 (Adware.PlayMP3Z-biz) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f1e96edc-e0c8-be98-1f15-c29dbed83b53} (Adware.PlayMP3Z-biz) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c28d210b-755b-461f-8141-fd381889d451} (Adware.SearchSpider) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f1e96edc-e0c8-be98-1f15-c29dbed83b53} (Adware.PlayMP3Z-biz) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Mirar (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\PlayMP3 (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System (Trojan.FakeAlert) -> Data: e:\windows\system32\svcnost.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{7128720f-b27e-4890-b81c-c99c984a8dea}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.121,85.255.112.123 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{9f49c02f-3dcd-4b0f-aa38-ac54fa16bda9}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.121,85.255.112.123 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
E:\Documents and Settings\user\Local Settings\Temp\Mirar_V77_LOG_IESC_AFF_ATD_TID_noMDNS_RPT_AVM_FLX_ADB_BHO_876987.exe (Adware.Mirar) -> Quarantined and deleted successfully.
E:\Documents and Settings\user\Local Settings\Temp\temED7.tmp.exe (Rogue.Installer) -> Quarantined and deleted successfully.
E:\Documents and Settings\user\Local Settings\Temp\temEDF.tmp.exe (Rogue.Installer) -> Quarantined and deleted successfully.
E:\Documents and Settings\user\Local Settings\Temp\temEE2.tmp.exe (Adware.SearchSpider) -> Quarantined and deleted successfully.
E:\Setup.exe (Trojan.Agent) -> Quarantined and deleted successfully.
E:\RECYCLER\S-8-5-38-100012155-100028341-100029518-8673.com (Trojan.Agent) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.
E:\Documents and Settings\All Users\Application Data\Microsoft\bits.dll (Trojan.Agent) -> Quarantined and deleted successfully.
E:\Documents and Settings\All Users\Application Data\Microsoft\ipdll.dll (Trojan.Agent) -> Delete on reboot.
E:\WINDOWS\system32\svcnost.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
E:\WINDOWS\Temp\tempo-123812.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
E:\WINDOWS\Temp\tempo-185453.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
E:\WINDOWS\Temp\tempo-425890.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
E:\WINDOWS\Temp\tempo-551921.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
E:\WINDOWS\Temp\tempo-566593.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
E:\WINDOWS\Temp\tempo-1108203.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
E:\WINDOWS\Temp\tempo-1932531.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Re: W32.Tidserv.G has me in a MMA submission hold!!!!!

Hello.
Yes, Norton will go crazy now that the rootkit is unhidden, but we'll keep going till it's gone.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    Link 1
    Link 2
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.

Re: W32.Tidserv.G has me in a MMA submission hold!!!!!

DDS (Ver_09-03-16.01) - NTFSx86
Run by user at 16:24:45.78 on Thu 04/09/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1534.1093 [GMT -4:00]

AV: Norton AntiVirus 2006 *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *enabled*

============== Running Processes ===============

E:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
E:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
E:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\Norton AntiVirus\navapsvc.exe
E:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
E:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
E:\WINDOWS\system32\svchost.exe -k imgsvc
E:\Program Files\Canon\MyPrinter\BJMyPrt.exe
E:\Program Files\Java\jre6\bin\jusched.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
E:\Program Files\Internet Explorer\iexplore.exe
E:\Documents and Settings\user\Desktop\dds.scr
E:\Program Files\Messenger\msmsgs.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.infowars.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - e:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - e:\program files\java\jre6\bin\ssv.dll
BHO: CNavExtBho Class: {a8f38d8d-e480-4d52-b7a2-731bb6995fdd} - e:\program files\norton antivirus\NavShExt.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - e:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - e:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - e:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - e:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - e:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - e:\program files\google\google toolbar\GoogleToolbar.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - e:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: Norton AntiVirus: {c4069e3a-68f1-403e-b40e-20066696354b} - e:\program files\norton antivirus\NavShExt.dll
uRun: [ctfmon.exe] e:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools Lite] "e:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [swg] e:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [IgfxTray] e:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] e:\windows\system32\hkcmd.exe
mRun: [CanonSolutionMenu] e:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] e:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [Symantec PIF AlertEng] "e:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "e:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SunJavaUpdateSched] "e:\program files\java\jre6\bin\jusched.exe"
mRun: [ccApp] "e:\program files\common files\symantec shared\ccApp.exe"
mRun: [Adobe Reader Speed Launcher] "e:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
IE: E&xport to Microsoft Excel - e:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - e:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - e:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 SAVRTPEL;SAVRTPEL;e:\program files\norton antivirus\Savrtpel.sys [2005-8-27 53896]
R2 ccEvtMgr;Symantec Event Manager;e:\program files\common files\symantec shared\ccEvtMgr.exe [2005-9-17 192112]
R2 ccSetMgr;Symantec Settings Manager;e:\program files\common files\symantec shared\ccSetMgr.exe [2005-9-17 169584]
R2 navapsvc;Norton AntiVirus Auto-Protect Service;e:\program files\norton antivirus\navapsvc.exe [2005-9-24 133744]
R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;e:\program files\common files\nero\nero backitup 4\NBService.exe [2008-9-29 935208]
R2 Symantec Core LC;Symantec Core LC;e:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2009-3-29 1119888]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;e:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-3-28 101936]
R3 libusb0;LibUsb-Win32 - Kernel Driver 03/20/2007, 0.1.12.1;e:\windows\system32\drivers\libusb0.sys [2007-3-20 28672]
R3 NAVENG;NAVENG;e:\progra~1\common~1\symant~1\virusd~1\20090409.004\NAVENG.Sys [2009-4-9 89104]
R3 NAVEX15;NAVEX15;e:\progra~1\common~1\symant~1\virusd~1\20090409.004\NavEx15.Sys [2009-4-9 876144]
R3 SAVRT;SAVRT;e:\program files\norton antivirus\savrt.sys [2005-8-27 334984]
S3 Ambfilt;Ambfilt;e:\windows\system32\drivers\Ambfilt.sys [2009-2-19 1684736]
S3 FXDRV;FXDRV;\??\d:\fxdrv.sys --> d:\Fxdrv.sys [?]
S3 SAVScan;Symantec AVScan;e:\program files\norton antivirus\SAVScan.exe [2005-8-27 198368]
S3 SUSTUCAM;Susteen USB Cable Modem Driver;e:\windows\system32\drivers\sustucam.sys [2009-2-15 47360]
S3 SUSTUCAP;Susteen USB Cable Port Driver;e:\windows\system32\drivers\sustucap.sys [2009-2-15 47360]
S3 SUSTUCAU;Susteen USB Cable USB Driver;e:\windows\system32\drivers\sustucau.sys [2009-2-15 28032]

=============== Created Last 30 ================

2009-04-09 15:50 --d----- e:\docume~1\user\applic~1\Malwarebytes
2009-04-09 14:05 15,504 a------- e:\windows\system32\drivers\mbam.sys
2009-04-09 14:05 38,496 a------- e:\windows\system32\drivers\mbamswissarmy.sys
2009-04-09 14:05 --d----- e:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-09 14:05 --d----- e:\program files\Malwarebytes' Anti-Malware
2009-04-09 01:46 1,409 a------- e:\windows\system32\tmp70591.FOT
2009-04-09 01:46 1,409 a------- e:\windows\system32\tmp64591.FOT
2009-04-09 01:46 1,409 a------- e:\windows\system32\tmp62591.FOT
2009-04-09 01:46 1,409 a------- e:\windows\system32\tmp56591.FOT
2009-04-09 01:46 1,409 a------- e:\windows\system32\tmpA8491.FOT
2009-04-09 01:46 1,409 a------- e:\windows\system32\tmp8E491.FOT
2009-04-09 01:46 1,409 a------- e:\windows\system32\tmp8D491.FOT
2009-04-07 23:51 167,936 a------- e:\windows\system32\ccrpftv6.ocx
2009-04-07 23:51 --d----- e:\program files\RarMonkey
2009-04-07 23:27 --d----- e:\program files\The Adventure Company
2009-04-07 21:00 --d----- e:\program files\Trend Micro
2009-04-07 19:16 34,816 a------- e:\windows\system32\drivers\gaopdxjymxdlmfyyuefoboulqgogjrvjfmykqp.sys
2009-04-07 13:05 34,816 a------- e:\windows\system32\drivers\gaopdxedpjyrxelibrknaorgrvppyxdtapdopr.sys
2009-04-07 00:45 34,816 a------- e:\windows\system32\drivers\gaopdxqkhkaicaqodapwuuutvsdkxkjvcsyhaa.sys
2009-04-07 00:41 659 a------- e:\windows\WININI.QTW
2009-04-07 00:41 253 a------- e:\windows\SYSINI.QTW
2009-04-07 00:41 235 a------- e:\windows\QTW.QTW
2009-04-06 14:17 34,816 a------- e:\windows\system32\drivers\gaopdxsbpaavnljswuxxoqhpdabataixfqppxo.sys
2009-04-06 00:26 --d----- E:\!KillBox
2009-04-05 22:12 306,688 a------- e:\windows\IsUninst.exe
2009-04-05 15:51 --d----- e:\program files\QuickSFV
2009-04-05 15:31 107,888 a------- e:\windows\system32\CmdLineExt.dll
2009-04-05 15:09 --d----- e:\windows\system32\xlive
2009-04-05 02:16 36,864 a------- e:\windows\system32\drivers\gaopdxfhwbwwowxfyavanxylpvxerxetbgnldx.sys
2009-04-04 22:36 --d----- e:\program files\Free Window Registry Repair
2009-04-04 22:02 36,864 a------- e:\windows\system32\drivers\gaopdxrpnqqpfvitlwakaxrodacpinsibhbrft.sys
2009-04-04 21:46 81,920 a------- e:\windows\system32\ieencode.dll
2009-04-04 21:46 81,920 a------- e:\windows\system32\dllcache\ieencode.dll
2009-04-04 19:08 472,678 a----r-- E:\txtsetup.sif
2009-04-04 19:08 260,272 a----r-- E:\$LDR$
2009-04-04 19:08 --d----- E:\$WIN_NT$.~BT
2009-04-04 19:08 --d----- e:\windows\setup.pss
2009-04-04 18:09 --d----- e:\windows\pss
2009-04-04 18:00 --d----- e:\windows\system32\RegVac
2009-04-04 16:45 36,864 a------- e:\windows\system32\drivers\gaopdxhemrmfloymyllgxbndksibmufrrpugtp.sys
2009-04-02 17:28 --d----- e:\program files\7
2009-04-02 17:28 1,888,232 -------- e:\windows\system\vcl40.bpl
2009-04-02 17:28 908,800 -------- e:\windows\system\cp3245mt.dll
2009-04-02 17:28 252,408 -------- e:\windows\system\vclx40.bpl
2009-04-02 17:28 193,536 -------- e:\windows\system\bcbsmp40.bpl
2009-04-02 17:28 61,440 -------- e:\windows\system\mmxImage.dll
2009-04-02 17:28 24,064 -------- e:\windows\system\borlndmm.dll
2009-04-02 17:21 34,816 a------- e:\windows\system32\drivers\gaopdxxqvaqvmexwayufhfxigbsduihdfgmxlu.sys
2009-04-02 17:19 --d----- e:\docume~1\user\applic~1\DAEMON Tools Pro
2009-04-02 17:18 --d----- e:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2009-04-02 17:18 --d----- e:\program files\DAEMON Tools Lite
2009-04-02 17:14 717,296 a------- e:\windows\system32\drivers\sptd.sys
2009-04-02 17:14 --d----- e:\docume~1\user\applic~1\DAEMON Tools Lite
2009-04-01 11:17 39,936 a------- e:\windows\system32\drivers\gaopdxtavuoeknkjarjnbawiwlsrhncsasqqyl.sys
2009-04-01 02:13 --d----- e:\program files\RegVac Registry Cleaner
2009-03-31 21:59 39,936 a------- e:\windows\system32\drivers\gaopdxtammbbgkvscijetenqqowuybwrqxobrq.sys
2009-03-31 18:55 39,936 a------- e:\windows\system32\drivers\gaopdxbwudoyllrqakctprtuyuwbabdmtakvxu.sys
2009-03-31 02:50 --d-h--- e:\windows\PIF
2009-03-30 12:45 40,960 a------- e:\windows\system32\drivers\gaopdxneqrnsborerddbcnuosgbdwoybvkvqcr.sys
2009-03-30 03:06 40,960 a------- e:\windows\system32\drivers\gaopdxujwighdksfodauvwvsawsltrmmeylgkl.sys
2009-03-30 03:06 275 ---shr-- E:\autorun.inf
2009-03-29 22:31 --d----- e:\docume~1\user\applic~1\iWin
2009-03-29 04:06 --d----- e:\docume~1\user\applic~1\Symantec
2009-03-29 03:58 --d----- e:\program files\Norton AntiVirus
2009-03-29 03:58 10,344 a------- e:\windows\system32\drivers\symlcbrd.sys
2009-03-29 03:58 108,168 a------- e:\windows\system32\drivers\SYMEVENT.SYS
2009-03-29 03:58 87,768 a------- e:\windows\system32\S32EVNT1.DLL
2009-03-27 12:33 --d----- e:\windows\system32\NtmsData
2009-03-27 04:18 306 a------- e:\windows\QTW.INI
2009-03-27 04:17 30 a------- e:\windows\RESULT.QTW
2009-03-26 15:24 --d----- e:\docume~1\alluse~1\applic~1\Azureus
2009-03-26 15:24 --d----- e:\docume~1\user\applic~1\Azureus
2009-03-26 15:23 --d----- e:\program files\Vuze
2009-03-26 00:28 --d----- e:\docume~1\alluse~1\applic~1\Trymedia
2009-03-25 22:05 --d----- e:\docume~1\alluse~1\applic~1\PC Drivers HeadQuarters
2009-03-25 18:24 --d----- e:\docume~1\user\applic~1\NeroDigital™
2009-03-22 19:25 0 a------- e:\windows\iplayer.INI
2009-03-20 22:48 --d----- e:\docume~1\alluse~1\applic~1\MonteCristo
2009-03-20 21:42 --dsh--- e:\windows\ftpcache
2009-03-20 20:01 --d----- e:\docume~1\alluse~1\applic~1\Ludia
2009-03-15 16:27 --d----- e:\program files\Veoh Networks
2009-03-13 18:14 --d----- e:\docume~1\alluse~1\applic~1\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-11 23:36 --d----- e:\program files\common files\DivX Shared
2009-03-10 16:48 --d----- e:\program files\TryMedia

==================== Find3M ====================

2009-03-31 13:01 86,327 a------- e:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-09 05:19 410,984 a------- e:\windows\system32\deploytk.dll
2009-02-21 22:51 19,333,112 a------- e:\docume~1\user\applic~1\DivXInstaller.exe
2009-02-16 23:09 3,363 a------- e:\windows\system32\nodes.txt.tmp
2009-02-16 01:04 0 a---h--- e:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-02-09 07:13 1,846,784 a------- e:\windows\system32\win32k.sys
2009-02-03 18:32 18,085,888 a------- e:\windows\RTHDCPL.EXE
2009-02-03 17:35 35,840 a------- e:\windows\system32\RtkCoInstXP.dll
2009-01-21 16:54 1,206,816 a------- e:\windows\RtlUpd.exe

============= FINISH: 16:25:07.62 ===============

Re: W32.Tidserv.G has me in a MMA submission hold!!!!!
Hello.
A lot of leftovers to get.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to delete:
e:\windows\system32\drivers\gaopdxjymxdlmfyyuefoboulqgogjrvjfmykqp.sys
e:\windows\system32\drivers\gaopdxedpjyrxelibrknaorgrvppyxdtapdopr.sys
e:\windows\system32\drivers\gaopdxqkhkaicaqodapwuuutvsdkxkjvcsyhaa.sys
e:\windows\system32\drivers\gaopdxsbpaavnljswuxxoqhpdabataixfqppxo.sys
e:\windows\system32\drivers\gaopdxfhwbwwowxfyavanxylpvxerxetbgnldx.sys
e:\windows\system32\drivers\gaopdxrpnqqpfvitlwakaxrodacpinsibhbrft.sys
e:\windows\system32\drivers\gaopdxhemrmfloymyllgxbndksibmufrrpugtp.sys
e:\windows\system32\drivers\gaopdxxqvaqvmexwayufhfxigbsduihdfgmxlu.sys
e:\windows\system32\drivers\gaopdxtavuoeknkjarjnbawiwlsrhncsasqqyl.sys
e:\windows\system32\drivers\gaopdxtammbbgkvscijetenqqowuybwrqxobrq.sys
e:\windows\system32\drivers\gaopdxbwudoyllrqakctprtuyuwbabdmtakvxu.sys
e:\windows\system32\drivers\gaopdxneqrnsborerddbcnuosgbdwoybvkvqcr.sys
e:\windows\system32\drivers\gaopdxujwighdksfodauvwvsawsltrmmeylgkl.sys
E:\autorun.inf

Folders to delete:
E:\!KillBox
e:\docume~1\user\applic~1\iWin


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.
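
As an added example (not part of this thread, and not code from DDS, The Avenger or the helper), here is the triage the helper did by hand above, automated: parse the "Created Last 30" section of a DDS log like the one posted earlier in the thread, flag the entries the helper singled out (random-lettered gaopdx*.sys drivers under system32\drivers and a root-level autorun.inf), and print them in the "Files to delete:" / "Folders to delete:" format that Avenger reads. The sample log lines are constructed from paths that appear in the thread. Two assumptions of mine: the gaopdx prefix is only the indicator used in this case, not a general signature, and the folder list is passed in by hand because the helper's folder picks (!KillBox, iWin) were judgement calls rather than a pattern.

```python
"""Parse a DDS "Created Last 30" listing and build an Avenger deletion script.

Added example for this thread; it is not code from DDS, The Avenger, or the
forum helper. Assumption: the only file indicators are the ones the helper
used here (gaopdx*.sys under system32\\drivers and a root-level autorun.inf).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Constructed sample in the shape of the DDS log posted in the thread.
SAMPLE_LOG = r"""
=============== Created Last 30 ================

2009-04-09 14:05 15,504 a------- e:\windows\system32\drivers\mbam.sys
2009-04-07 19:16 34,816 a------- e:\windows\system32\drivers\gaopdxjymxdlmfyyuefoboulqgogjrvjfmykqp.sys
2009-04-07 13:05 34,816 a------- e:\windows\system32\drivers\gaopdxedpjyrxelibrknaorgrvppyxdtapdopr.sys
2009-04-06 00:26 --d----- E:\!KillBox
2009-04-02 17:14 717,296 a------- e:\windows\system32\drivers\sptd.sys
2009-03-30 03:06 275 ---shr-- E:\autorun.inf
"""


@dataclass
class Entry:
    date: str
    time: str
    size: Optional[int]   # directories carry no size in DDS output
    attrs: str            # 8-char attribute field, e.g. "a-------", "--d-----"
    path: str

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs


# date time [size] attrs path ; the size column is absent for directories
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?:(?P<size>\d[\d,]*) )?(?P<attrs>[-a-z]{8}) (?P<path>\S.*)$"
)

# Indicators taken from what the helper deleted in this thread (assumption:
# they are specific to this case, not a general rootkit signature).
TDSS_DRIVER_RE = re.compile(r"\\drivers\\gaopdx[a-z]+\.sys$", re.IGNORECASE)
ROOT_AUTORUN_RE = re.compile(r"^[a-z]:\\autorun\.inf$", re.IGNORECASE)


def parse_created_last_30(text: str) -> List[Entry]:
    """Return the file/folder entries of a DDS 'Created Last 30' block."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # section banners and blank lines
        size = m.group("size")
        entries.append(Entry(
            m.group("date"), m.group("time"),
            int(size.replace(",", "")) if size else None,
            m.group("attrs"), m.group("path")))
    return entries


def find_suspicious_files(entries: Sequence[Entry]) -> List[str]:
    """Files matching the thread's indicators, in log order."""
    return [e.path for e in entries
            if not e.is_dir
            and (TDSS_DRIVER_RE.search(e.path) or ROOT_AUTORUN_RE.match(e.path))]


def build_avenger_script(files: Sequence[str], folders: Sequence[str] = ()) -> str:
    """Emit the 'Files to delete:' / 'Folders to delete:' layout Avenger reads."""
    lines = ["Files to delete:", *files]
    if folders:
        lines += ["", "Folders to delete:", *folders]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = find_suspicious_files(parse_created_last_30(SAMPLE_LOG))
    # Folders are a manual choice here, as they were in the thread.
    print(build_avenger_script(found, folders=[r"E:\!KillBox"]))
```

Read the generated list against the log before pasting it into Avenger: a prefix match is a starting point, not proof, and the same "Created Last 30" block also lists legitimate drivers created in the same window (mbam.sys, sptd.sys above), which the rule correctly leaves alone. Avenger still backs up what it deletes (the thread shows the backup directory in its log), so a wrong entry is recoverable, but it is cheaper to check first.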

Re: W32.Tidserv.G has me in a MMA submission hold!!!!!
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at E:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "e:\windows\system32\drivers\gaopdxjymxdlmfyyuefoboulqgogjrvjfmykqp.sys" deleted successfully.
File "e:\windows\system32\drivers\gaopdxedpjyrxelibrknaorgrvppyxdtapdopr.sys" deleted successfully.
File "e:\windows\system32\drivers\gaopdxqkhkaicaqodapwuuutvsdkxkjvcsyhaa.sys" deleted successfully.
File "e:\windows\system32\drivers\gaopdxsbpaavnljswuxxoqhpdabataixfqppxo.sys" deleted successfully.
File "e:\windows\system32\drivers\gaopdxfhwbwwowxfyavanxylpvxerxetbgnldx.sys" deleted successfully.
File "e:\windows\system32\drivers\gaopdxrpnqqpfvitlwakaxrodacpinsibhbrft.sys" deleted successfully.
File "e:\windows\system32\drivers\gaopdxhemrmfloymyllgxbndksibmufrrpugtp.sys" deleted successfully.
File "e:\windows\system32\drivers\gaopdxxqvaqvmexwayufhfxigbsduihdfgmxlu.sys" deleted successfully.
File "e:\windows\system32\drivers\gaopdxtavuoeknkjarjnbawiwlsrhncsasqqyl.sys" deleted successfully.
File "e:\windows\system32\drivers\gaopdxtammbbgkvscijetenqqowuybwrqxobrq.sys" deleted successfully.
File "e:\windows\system32\drivers\gaopdxbwudoyllrqakctprtuyuwbabdmtakvxu.sys" deleted successfully.
File "e:\windows\system32\drivers\gaopdxneqrnsborerddbcnuosgbdwoybvkvqcr.sys" deleted successfully.
File "e:\windows\system32\drivers\gaopdxujwighdksfodauvwvsawsltrmmeylgkl.sys" deleted successfully.
File "E:\autorun.inf" deleted successfully.
Folder "E:\!KillBox" deleted successfully.
Folder "e:\docume~1\user\applic~1\iWin" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Re: W32.Tidserv.G has me in a MMA submission hold!!!!!
Please download the OTMoveIt3 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it again.
  • Press the green CleanUp! button.
  • Press Yes at the cleanup process prompt, and do the same for the reboot prompt.

How is the machine running now?

Re: W32.Tidserv.G has me in a MMA submission hold!!!!!
I just ran the OTMoveIt3

You already know that I'm all smiles, right? My pc is running like its old self again. You have no idea how much I appreciate this! You might've brought me some good luck too. I've been flat broke & outta work, but I was already thinking that as soon as I was able to, I would donate to this site. Lo & behold, just about 10 minutes ago, I get a call back from a company I interviewed with telling me I got the job & start next month on the 10th!!
