WinBlueSoft - crying for help

Can someone please help me?
I got infected by this WinBlueSoft this morning...I don't know what else can I do to remove it...I browsed through this page and...I tried that mbam.exe but that thing can't open for me. I tried downloading DDS by sUBs, hijackthis too, but nothing.
Please help me, I'm getting hopeless.
Please note that I'm not some computer-expert..

Thank you!

Please download Ice Sword from HERE

1. Download the zip to your desktop and extract it.
   
2. Open the Ice Sword folder and then launch IceSword.exe.
   
3. Then look in the left hand bottom of the program and press "Registry"
   
4. When the registry list opens, drag the line between the two windows so you can see which registry hive you need.
   
5. Next, open the HKEY_LOCAL_MACHINE, and navigate to the following key:
   
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
   
   
6. Now look in the right side pane for two run values that are just random numbers.
   
7. Once you have found the value(s), right click it and press "Delete"
   
8. Okay the prompt and close IceSword.
   

**If you are unable to open the zipped file, download IceSword from here:

• Please download IceSword from here, I unzipped it so you should only get the .exe file:
  
  http://rapidshare.com/files/246323341/IceSword.exe
  
  
• Once the file has downloaded, see if you can do the above instructions.
  

I got to step no.6...I don't have just numbers here.

Hello.
Origin got the key wrong, the problem is in this key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Then in the right side pane of Winlogon, find AppInit_DLLs, which points are "blocker.dll"
Delete the AppInit_DLLs value.

See if you can run Hijack This then.

I don't have AppInit_DLLs in the folder.

Hello can you rename HijackThis to Flowers.exe See if it runs.

I found this AppInit_DLLs file in Windows folder...should I delete it?

I tried renameing HijackThis...not working.

Whats the name of the file?

AppInit_DLLs

No I don't think you should, many of those are crucial to the system.

Download MGtools from here: http://forums.majorgeeks.com/chaslang/files/MGtools.exe

Now follow the instructions on this page:

http://forums.majorgeeks.com/showthread.php?t=137630

Once you haver MGtools extracted to your C:\ drive there will be a file there called Analyze.exe That file will be HijackThis, now follow these directions:

• Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.
  

That link is not working...

downloaded it from another one...will see if it works

Weird works on my end, download it here:

http://rapidshare.com/files/247427026/MGtools.exe.html

I downloaded it and runed it. It created MGTools folder but there is only empty temp folder and filelog and sysinfo file in it

Locate and delete this file: C:\windows\system32\blocker.dll

Now see if you can run HijackThis.

I did it with MGTools...here it is :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:00:05, on 22.6.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\setup2.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\DOCUME~1\Kordic\LOCALS~1\Temp\winrlkbyt.exe
C:\DOCUME~1\Kordic\LOCALS~1\Temp\dqpo.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost.exe
\Arhitekt-397a7d\C\MGtools\analyse.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ba/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=101761&gct=&gc=1&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=101761&gct=&gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=101761&gct=&gc=1&q=%s
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
F2 - REG:system.ini: Shell=Explorer.exe "C:\Program Files\Outlook Express\wab.exe"
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cleanup] C:\Documents and Settings\Kordic\Contacts\svchost.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Cleanup] C:\Documents and Settings\Kordic\Contacts\svchost.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [setup2.exe] C:\WINDOWS\system32\setup2.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-583907252-1202660629-682003330-1003\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Kordic')
O4 - HKUS\S-1-5-21-583907252-1202660629-682003330-1003\..\Run: [setup2.exe] C:\WINDOWS\system32\setup2.exe (User 'Kordic')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Bluetooth.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: I&zvoz u Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Istraživanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspcfm.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=29223
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5864CB14-1664-4ECB-BEA0-F37208407BFA}: NameServer = 85.255.112.225,85.255.112.199
O17 - HKLM\System\CCS\Services\Tcpip\..\{E70F942A-4CC0-4075-BFA4-274B1F4F1211}: NameServer = 85.255.112.225,85.255.112.199
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe (file missing)
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 9599 bytes

• Open HijackThis. (In this case Analyze.exe)
  
• Choose "Do a system scan only"
  
• Check the boxes in front of these lines:
  
  
  R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
  O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
  O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
  O4 - HKCU\..\Run: [setup2.exe] C:\WINDOWS\system32\setup2.exe
  O4 - HKUS\S-1-5-21-583907252-1202660629-682003330-1003\..\Run: [setup2.exe] C:\WINDOWS\system32\setup2.exe (User 'Kordic')
  O17 - HKLM\System\CCS\Services\Tcpip\..\{5864CB14-1664-4ECB-BEA0-F37208407BFA}: NameServer = 85.255.112.225,85.255.112.199
  O17 - HKLM\System\CCS\Services\Tcpip\..\{E70F942A-4CC0-4075-BFA4-274B1F4F1211}: NameServer = 85.255.112.225,85.255.112.199
  O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
  O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
  O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
  O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
  O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
  O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
  
  
  
  
• Press "Fix Checked"
  
• Close Hijack This.
  

• Download combofix from here
  Link 1
  Link 2
  

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:





3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

• See HERE for how to disable your AV. (Mcafee)
  
• Double click on ComboFix.exe.
  
• Follow the prompts. NOTE:
  
• ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  
• Allow combofix to run
  
• Post C:\combofix.txt back here.
  
  Note:
  Do not mouse click combofix's window whilst it's running. That may cause it to stall.
  

I'm not able to diable my NOD32 nor to run combo-fix

I accidentally restarted my computer and now it seems that WunBlueSoft is gone...is it possible that it's all gone even without running that Combo-Fix? :S

although I still can't runn NOD32 and my net keeps comming up with that ''cannot find server''....but those annoying messages are gone.

Its gone because you fixed the infected lines in HijackThis but its not totally gone from your system as there are leftovers that could trigger it to come back.

Please do the following:

Open up Task Manager(Ctrl + Shift + Esc.), Locate egui.exe and highlight it by clicking on it, once highlighted, click on the "End Process" button. Now try running ComboFix.

I'm such a pain in the arse...sorry! But...when I press Ctrl+Shift+Esc it says Task Manager has been disabled by your administrator. I don't know why it says so 'cause I'm the administrator on this pc.

Most likely its due to virus, lets try a different approach,

• Open HijackThis(Analyze.exe)
  
• Click on the Open the Misc Tools section button
  
• Navigate to System tools and click on Open process manager
  
• Now locate egui.exe and click on the Kill process button
  

Now try running ComboFix

there is no egui.exe here

I need to see a list of your processes, please do the following:

• Open HijackThis(Analyze.exe)
  
• Click on the Open the Misc Tools section button
  
• Navigate to System tools and click on Open process manager
  
• Once there, click on the copy to clip board button
  
  
  
• The process list should now be on your clip board, paste the list in your next reply
  

Process list saved on 20:20:07, on 22.6.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)

[pid] [full path to filename] [file version] [company name]
804 C:\WINDOWS\System32\smss.exe 5.1.2600.2180 Microsoft Corporation
880 C:\WINDOWS\system32\winlogon.exe 5.1.2600.2180 Microsoft Corporation
924 C:\WINDOWS\system32\services.exe 5.1.2600.2180 Microsoft Corporation
948 C:\WINDOWS\system32\lsass.exe 5.1.2600.2180 Microsoft Corporation
1136 C:\WINDOWS\system32\Ati2evxx.exe 6.14.10.4174 ATI Technologies Inc.
1152 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1360 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1384 C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe 5.1.0.3000 Broadcom Corporation.
1756 C:\WINDOWS\system32\Ati2evxx.exe 6.14.10.4174 ATI Technologies Inc.
1876 C:\WINDOWS\system32\spoolsv.exe 5.1.2600.2696 Microsoft Corporation
2016 C:\WINDOWS\Explorer.exe 6.0.2900.2894 Microsoft Corporation
388 C:\Program Files\Analog Devices\Core\smax4pnp.exe 6.0.0.82 Analog Devices, Inc.
560 C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe 6.3.8.1 Hewlett-Packard Development Company, L.P.
576 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE 2.0.0.0 Advanced Micro Devices Inc.
636 C:\Program Files\Java\jre6\bin\jusched.exe 6.0.130.3 Sun Microsystems, Inc.
844 C:\Program Files\Winamp\winampa.exe
1164 C:\WINDOWS\system32\ctfmon.exe 5.1.2600.2180 Microsoft Corporation
1276 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe 2.0.5.0 Nero AG
1336 C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe 5.1.0.3000 Broadcom Corporation.
1928 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe 2.0.0.0 ATI Technologies Inc.
2100 C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE 5.1.0.3000 Broadcom Corporation.
2380 C:\WINDOWS\system32\agrsmsvc.exe 1.0.0.4 Agere Systems
2460 C:\Program Files\Java\jre6\bin\jqs.exe 6.0.130.3 Sun Microsystems, Inc.
2480 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE 7.0.9466.0 Microsoft Corporation
2916 C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe 2.0.5.0 Nero AG
3004 C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe 2.0.2.3 Hewlett-Packard Development Company, L.P.
3096 C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe 2.0.5.0 Nero AG
2692 C:\Program Files\Internet Explorer\IEXPLORE.EXE 6.0.2900.2180 Microsoft Corporation
2160 C:\DOCUME~1\Kordic\LOCALS~1\Temp\winsbhp.exe
3804 C:\Program Files\Internet Explorer\IEXPLORE.EXE 6.0.2900.2180 Microsoft Corporation
3944 C:\DOCUME~1\Kordic\LOCALS~1\Temp\suiujl.exe
4320 C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe 3.0.642.0 ESET
5176 \Arhitekt-397a7d\c\MGtools\analyse.exe


thank you so much for helping me...

Kill a process in HijackThis

• Open HijackThis
  
• Click on the Open the Misc Tools section button
  
• Navigate to System tools and click on Open process manager
  
• Now locate the following process(es)
  winsbhp.exe
  suiujl.exe
  ekrn.exe
  
• and click on the Kill process button
  

Now locate and delete these files:

C:\DOCUME~1\Kordic\LOCALS~1\Temp\winsbhp.exe
C:\DOCUME~1\Kordic\LOCALS~1\Temp\suiujl.exe

Now try to run ComboFix

It still says that my NOD32 is working.

Looks like we are going to have to do this is safe mode,

Can you do the following in Safe Mode with Networking, as the computer is booting press and hold your "F8 Key" which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press your Enter key.

Note: With some computers if you press and hold a key as the computer is booting you will get a stuck key message. If this occurs, instead of pressing and holding the "F8 key", tap the "F8 key" continuously until you get the startup menu.) Once in the start up menu, select "Safe Mode with Networking", then do the following instructions:

Now follow the ComboFix instructions.

my problems don't end.... I cannot access safe mode...I select it but then it starts to show lots of lines with c://windows/system32 including and then it restarts and takes me back to choose between safe mode and normal.

Can you still access normal Safe mode not safe mode with networking?

nope, neither of them.

Hello.
New ideas. Please post a new Hijack This log, I want to kill some other items too.

here it is....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:04:02, on 22.6.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\DOCUME~1\Kordic\LOCALS~1\Temp\winuutq.exe
C:\DOCUME~1\Kordic\LOCALS~1\Temp\winlqsfs.exe
\Arhitekt-397a7d\c\MGtools\analyse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ba/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=101761&gct=&gc=1&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=101761&gct=&gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=101761&gct=&gc=1&q=%s
F2 - REG:system.ini: Shell=Explorer.exe "C:\Program Files\Outlook Express\wab.exe"
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cleanup] C:\Documents and Settings\Kordic\Contacts\svchost.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Cleanup] C:\Documents and Settings\Kordic\Contacts\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-583907252-1202660629-682003330-1003\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Kordic')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Bluetooth.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: I&zvoz u Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Istraživanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspcfm.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=29223
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe (file missing)
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 7447 bytes

Hello.
Some new items showed up, yet I'm suprised Origins Hijack This fix actually worked, because registry editing was disabled.

• Open HijackThis
  
• Choose "Do a system scan only"
  
• Check the boxes in front of these lines:
  
  
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=101761&gct=&gc=1&q=
  R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=101761&gct=&gc=1&q=
  R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=101761&gct=&gc=1&q=%s
  F2 - REG:system.ini: Shell=Explorer.exe "C:\Program Files\Outlook Express\wab.exe"
  O4 - HKLM\..\Run: [Cleanup] C:\Documents and Settings\Kordic\Contacts\svchost.exe
  O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
  O4 - HKCU\..\Run: [Cleanup] C:\Documents and Settings\Kordic\Contacts\svchost.exe
  O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
  
  
  
• Press "Fix Checked"
  
• Close Hijack This.
  

There's a file on your machine I can't find anything on, which maybe regenerating this infection, so I want to get it uploaded and scanned.

Submit a file for analysis.

1. Please visit this website: Jotti's Malware Scanner
   
2. Press the "Browse" button and locate the following file in bold:
   C:\WINDOWS\system32\lspcfm.dll
   
3. Press the "Submit File button to submit the file for analysis.
   
4. Allow it to be scanned, it could take a few minutes depending on server load.
   
5. Copy and paste the result back here.
   

I can't open that page...it just loads for ages and then ''cannot find server''.

Thats due to the Rookit, looks like we are going to have to kill it manually,

Download the GMER rootkit scan from here: GMER

1. Unzip it and start GMER.
   
2. Click the >>> tab and then click the Scan button.
   
3. Once done, click the Copy button.
   
4. This will copy the results to your clipboard.
   
5. Paste the results in your next reply.
   

Note:
If you're having problems with running GMER.exe, try it in safe mode. This tools works in safe mode.
You can also try renaming it since some malware blocks GMER.

Two more online scanners to try::

http://www.virustotal.com/
http://virscan.org/

Let me know which (if) one works, and upload the file for a scan.

neither of those sites work for me...

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-22 22:03:47
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT sptd.sys ZwCreateKey [0xBA6BE0D0]
SSDT sptd.sys ZwEnumerateKey [0xBA6C3FB2]
SSDT sptd.sys ZwEnumerateValueKey [0xBA6C4340]
SSDT sptd.sys ZwOpenKey [0xBA6BE0B0]
SSDT sptd.sys ZwQueryKey [0xBA6C4418]
SSDT sptd.sys ZwQueryValueKey [0xBA6C4298]
SSDT sptd.sys ZwSetValueKey [0xBA6C44AA]

INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) AE74C16D
INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) AE74BFC2

Code 8A9A9688 ZwFlushInstructionCache
Code 8AADD446 IofCallDriver
Code 8AADD4C6 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EF15A 5 Bytes JMP 8AADD44B
.text ntkrnlpa.exe!IofCompleteRequest 804EF1EA 5 Bytes JMP 8AADD4CB
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B5288 5 Bytes JMP 8A9A968C
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload B9C8180C 5 Bytes JMP 8AC801C8
? C:\WINDOWS\system32\drivers\pukmnn.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\MSN Messenger\msnmsgr.exe[728] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\msnmsgr.exe (Messenger/Microsoft Corporation)
.text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 100046D0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!CreateProcessInternalW 7C819704 5 Bytes JMP 100072A0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] ADVAPI32.dll!CryptGenKey 77E114B1 5 Bytes JMP 100053B0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] CRYPT32.dll!PFXImportCertStore 77AEF748 5 Bytes JMP 100053C0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetCreateUrlA + 1A5 771C2714 5 Bytes JMP 10006CB0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetCloseHandle 771C4DAC 5 Bytes JMP 10005920 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!HttpQueryInfoA 771C7842 5 Bytes JMP 100063E0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetReadFile 771C812C 5 Bytes JMP 10003070 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetQueryDataAvailable 771D8A17 5 Bytes JMP 10003040 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetGetCookieExA 771D9506 5 Bytes JMP 10002A70 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetReadFileExW 771F8071 5 Bytes JMP 100030A0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetReadFileExA 771F8D78 5 Bytes JMP 100030D0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\System32\svchost.exe[1344] WININET.dll!InternetSetCookieExW 77215AD2 5 Bytes JMP 10002810 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 100046D0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!CreateProcessInternalW 7C819704 5 Bytes JMP 100072A0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!CryptGenKey 77E114B1 5 Bytes JMP 100053B0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] WININET.dll!InternetCreateUrlA + 1A5 771C2714 5 Bytes JMP 10006CB0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] WININET.dll!InternetCloseHandle 771C4DAC 5 Bytes JMP 10005920 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] WININET.dll!HttpQueryInfoA 771C7842 5 Bytes JMP 100063E0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] WININET.dll!InternetReadFile 771C812C 5 Bytes JMP 10003070 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] WININET.dll!InternetQueryDataAvailable 771D8A17 5 Bytes JMP 10003040 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] WININET.dll!InternetGetCookieExA 771D9506 5 Bytes JMP 10002A70 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] WININET.dll!InternetReadFileExW 771F8071 5 Bytes JMP 100030A0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] WININET.dll!InternetReadFileExA 771F8D78 5 Bytes JMP 100030D0 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] WININET.dll!InternetSetCookieExW 77215AD2 5 Bytes JMP 10002810 C:\WINDOWS\system32\lspcfm.dll
.text C:\WINDOWS\system32\svchost.exe[1576] CRYPT32.dll!PFXImportCertStore 77AEF748 5 Bytes JMP 100053C0 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01E146D0 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] kernel32.dll!CreateProcessInternalW 7C819704 5 Bytes JMP 01E172A0 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] ADVAPI32.dll!CryptGenKey 77E114B1 5 Bytes JMP 01E153B0 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] CRYPT32.dll!PFXImportCertStore 77AEF748 5 Bytes JMP 01E153C0 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WININET.dll!InternetCreateUrlA + 1A5 771C2714 5 Bytes JMP 01E16CB0 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WININET.dll!InternetCloseHandle 771C4DAC 5 Bytes JMP 01E15920 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WININET.dll!HttpQueryInfoA 771C7842 5 Bytes JMP 01E163E0 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WININET.dll!InternetReadFile 771C812C 5 Bytes JMP 01E13070 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WININET.dll!InternetQueryDataAvailable 771D8A17 5 Bytes JMP 01E13040 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WININET.dll!InternetGetCookieExA 771D9506 5 Bytes JMP 01E12A70 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WININET.dll!InternetReadFileExW 771F8071 5 Bytes JMP 01E130A0 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WININET.dll!InternetReadFileExA 771F8D78 5 Bytes JMP 01E130D0 C:\WINDOWS\system32\lspcfm.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WININET.dll!InternetSetCookieExW 77215AD2 5 Bytes JMP 01E12810 C:\WINDOWS\system32\lspcfm.dll

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6BEAD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6BEC1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6BEB9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6BF748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6BF61E] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6D429A] sptd.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8AF051E8

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

Device \FileSystem\Fastfat \FatCdrom 8A6E5790
Device \Driver\NetBT \Device\NetBT_Tcpip_{E70F942A-4CC0-4075-BFA4-274B1F4F1211} 8AB61790
Device \Driver\usbuhci \Device\USBPDO-0 8AC7F1E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8AE951E8
Device \Driver\dmio \Device\DmControl\DmConfig 8AE951E8
Device \Driver\dmio \Device\DmControl\DmPnP 8AE951E8
Device \Driver\dmio \Device\DmControl\DmInfo 8AE951E8
Device \Driver\usbehci \Device\USBPDO-1 8AC681E8
Device \Driver\usbuhci \Device\USBPDO-2 8AC7F1E8
Device \Driver\usbuhci \Device\USBPDO-3 8AC7F1E8
Device \Driver\usbehci \Device\USBPDO-4 8AC681E8

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys

Device \Driver\usbuhci \Device\USBPDO-5 8AC7F1E8
Device \Driver\usbuhci \Device\USBPDO-6 8AC7F1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8AF071E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 8AF061E8
Device \Driver\atapi \Device\Ide\IdePort0 8AF061E8
Device \Driver\atapi \Device\Ide\IdePort1 8AF061E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 8AF061E8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8AB61790
Device \Driver\NetBT \Device\NetbiosSmb 8AB61790
Device \Driver\NetBT \Device\NetBT_Tcpip_{5864CB14-1664-4ECB-BEA0-F37208407BFA} 8AB61790
Device \Driver\usbuhci \Device\USBFDO-0 8AC7F1E8
Device \Driver\usbuhci \Device\USBFDO-1 8AC7F1E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A104790
Device \Driver\usbehci \Device\USBFDO-2 8AC681E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A104790
Device \Driver\usbuhci \Device\USBFDO-3 8AC7F1E8
Device \Driver\usbuhci \Device\USBFDO-4 8AC7F1E8
Device \Driver\Ftdisk \Device\FtControl 8AF071E8
Device \Driver\usbuhci \Device\USBFDO-5 8AC7F1E8
Device \Driver\usbehci \Device\USBFDO-6 8AC681E8
Device \FileSystem\Fastfat \Fat 8A6E5790

AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

Device \FileSystem\Cdfs \Cdfs 8ABFC790

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys (*** hidden *** ) [SYSTEM] MSIVXserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys\modules
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXanxylksdotehtivyfxonkdirapuhpqwb.dll
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXdjlnmplwnabwqwaihtirhrivrjkxgokl.dll
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXanxylksdotehtivyfxonkdirapuhpqwb.dll
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXdjlnmplwnabwqwaihtirhrivrjkxgokl.dll
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXanxylksdotehtivyfxonkdirapuhpqwb.dll
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXdjlnmplwnabwqwaihtirhrivrjkxgokl.dll
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXanxylksdotehtivyfxonkdirapuhpqwb.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXdjlnmplwnabwqwaihtirhrivrjkxgokl.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys\modules
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXanxylksdotehtivyfxonkdirapuhpqwb.dll
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXdjlnmplwnabwqwaihtirhrivrjkxgokl.dll
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE or HERE.

• Click on Avenger.zip to open the file
  
• Extract avenger.exe to your desktop
  

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to delete:
MSIVXserv.sys

Files to delete:
C:\WINDOWS\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

• Under "Input script here:", paste in the script from the quote box above.
  
• Leave the ticked box "Scan for rootkit" ticked.
  
• Then tick "Disable any rootkits found"
  
• Now click on the Execute to begin execution of the script.
  
• Answer "Yes" twice when prompted.
  
  The Avenger will automatically do the following:
  
  
• It will Restart your computer.
  
• On reboot, it will briefly open a black command window on your desktop, this is normal.
  
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  

4. Please copy/paste the content of c:\avenger.txt into your reply.

I completed the first step, I'm not allowed to do the second by my Administrator. It asks me to reboot now...

I've rebooted it and here is the file :


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "MSIVXserv.sys" found!
ImagePath: \systemroot\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys
Driver disabled successfully.

Rootkit scan completed.

Driver "MSIVXserv.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\MSIVXdqpuiuiycpkbowpklvisnpqwwyrnomtb.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

See if you can run Malwarebytes now.

yes, I can.

Thats great new, please do a quick scan and post all the contents of the log back here

here it is :

Malwarebytes' Anti-Malware 1.38
Database version: 2283
Windows 5.1.2600 Service Pack 2

22.6.2009 22:23:46
mbam-log-2009-06-22 (22-23-39).txt

Scan type: Quick Scan
Objects scanned: 97186
Time elapsed: 3 minute(s), 14 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 11
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
C:\Documents and Settings\Kordic\Local Settings\Temp\winkodhi.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Kordic\Local Settings\Temp\dpqrbk.exe (Trojan.Downloader) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Backdoor.Bot) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{5864cb14-1664-4ecb-bea0-f37208407bfa}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{e70f942a-4cc0-4075-bfa4-274b1f4f1211}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{5864cb14-1664-4ecb-bea0-f37208407bfa}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{e70f942a-4cc0-4075-bfa4-274b1f4f1211}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{5864cb14-1664-4ecb-bea0-f37208407bfa}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{e70f942a-4cc0-4075-bfa4-274b1f4f1211}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Kordic\Local Settings\Temp\winkodhi.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Kordic\Local Settings\Temp\dpqrbk.exe (Trojan.Downloader) -> No action taken.
c:\RECYCLER\s-1-5-21-1708502002-5774778955-212626128-2853\rundll32.exe (Trojan.Dropper) -> No action taken.
c:\program files\outlook express\wab.exe.tmp (Trojan.Downloader) -> No action taken.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> No action taken.
c:\WINDOWS\Temp\tempo-2191406.tmp (Trojan.DNSChanger) -> No action taken.
c:\WINDOWS\Temp\tempo-2192734.tmp (Trojan.DNSChanger) -> No action taken.
c:\WINDOWS\system32\MSIVXanxylksdotehtivyfxonkdirapuhpqwb.dll (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\MSIVXdjlnmplwnabwqwaihtirhrivrjkxgokl.dll (Trojan.Agent) -> No action taken.

Good, the infection is getting beat, now you should be able to run DDS,

• Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
  Link 1
  Link 2
  
• Double click DDS.scr to run.
  
• When complete, two logs will open. Save both of the report to your Desktop.
  
• Copy and paste DDS.txt back here, I don't need to see attach.txt.
  

I downloaded that but when I run it it opens a .txt with lots of gibberish...just a lot of letters

Upload the .txt to rapidhsare for em to look at, do the following:

go to this site: http://rapidshare.com

Once there, click on the Choose button and locate the DDS.txt and click ok. The file should upload and then it will give you a link to download the file from. Please post the link back here.