BleepingComputer.com: hidden files.

i had that windows recovery virus and followed all the steps to removal and it work great, but i still have a lot of files hidden and i can not place any icons on my desk top. i cant even right click for properties? i did run the unhide.exe to no avail. any suggestions?
hear is the log from rkill


Rkill was run on 04/30/2011 at 9:02:23.
Operating System: Microsoft Windows 2000


Processes terminated by Rkill or while it was running:

C:\WINNT\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\CbvYHAgAAxMvT.exe
F:\rkill.exe


Rkill completed on 04/30/2011 at 9:02:26.


and hear is the log from malebytes

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6476

Windows 5.0.2195 Service Pack 4
Internet Explorer 5.00.3700.1000

4/30/2011 9:29:46 AM
mbam-log-2011-04-30 (09-29-46).txt

Scan type: Full scan (A:\|C:\|D:\|E:\|F:\|)
Objects scanned: 137807
Time elapsed: 9 minute(s), 42 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 19

Memory Processes Infected:
c:\documents and settings\all users\application data\cbvyhagaaxmvt.exe (Trojan.FakeAlert) -> 960 -> Unloaded process successfully.
c:\documents and settings\all users\application data\15064884.exe (Trojan.FakeAlert) -> 1292 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CbvYHAgAAxMvT (Trojan.FakeAlert) -> Value: CbvYHAgAAxMvT -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
c:\documents and settings\01101100\start menu\Programs\windows recovery (Trojan.FakeAV) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\all users\application data\cbvyhagaaxmvt.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\15064884.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\01101100\application data\Sun\Java\deployment\cache\6.0\12\5d4ff04c-3abb6a41 (Rogue.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\01101100\application data\Sun\Java\deployment\cache\6.0\13\5ca3dccd-39d992f7 (Rogue.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\01101100\application data\Sun\Java\deployment\cache\6.0\26\3cfc999a-7103137f (Rogue.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\01101100\application data\Sun\Java\deployment\cache\6.0\3\6f657583-43c74371 (Rogue.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\01101100\application data\Sun\Java\deployment\cache\6.0\4\3fdb35c4-7ac46fa1 (Rogue.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\01101100\application data\Sun\Java\deployment\cache\6.0\41\65d737a9-31d7a1fb (Rogue.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\01101100\application data\Sun\Java\deployment\cache\6.0\47\2b37af-4bcf85c1 (Rogue.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\01101100\application data\Sun\Java\deployment\cache\6.0\47\3387a2f-17cad337 (Rogue.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\01101100\application data\Sun\Java\deployment\cache\6.0\47\3b6872af-26ad650f (Rogue.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\01101100\application data\Sun\Java\deployment\cache\6.0\58\47c85c7a-77905df8 (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\documents and settings\01101100\application data\Sun\Java\deployment\cache\6.0\60\754325bc-7034ad16 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\01101100\application data\Sun\Java\deployment\cache\6.0\62\73dc5d3e-64168c85 (Rogue.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\01101100\local settings\Temp\cxvata5m.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\documents and settings\01101100\my documents\downloads\install_player.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\01101100\Desktop\windows recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.
c:\documents and settings\01101100\start menu\Programs\windows recovery\uninstall windows recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.
c:\documents and settings\01101100\start menu\Programs\windows recovery\windows recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.

windows recovery virus

EDIT: Posts merged ~Budapest

This post has been edited by Budapest: 30 April 2011 - 03:09 PM

i understand the back log but will a response ever come?

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

• Do not run any other tool untill instructed to do so!
  
• Please Do not Attach logs or put in code boxes.
  
• Tell me about any problems that have occurred during the fix.
  
• Tell me of any other symptoms you may be having as these can help also.
  
• Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.


In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.

• The application window will appear
  
• Click the Disable button to disable your CD Emulation drivers
  
• Click Yes to continue
  
• A 'Finished!' message will appear
  
• Click OK
  
• DeFogger may ask you to reboot the machine, if it does - click OK

Do not re-enable these drivers until otherwise instructed.

Download DDS:

Please download DDS by sUBs from one of the links below and save it to your desktop:


Download DDS and save it to your desktop

Link1
Link2
Link3

Please disable any anti-malware program that will block scripts from running before running DDS.


• Double-Click on dds.scr and a command window will appear. This is normal.
  
• Shortly after two logs will appear:
  
  • DDS.txt
    
  • Attach.txt
  
  
• A window will open instructing you save & post the logs
  
• Save the logs to a convenient place such as your desktop
  
• Copy the contents of both logs & post in your next reply

Scan With RKUnHooker

• Please Download Rootkit Unhooker Save it to your desktop.
  
• Now double-click on RKUnhookerLE.exe to run it.
  
• Click the Report tab, then click Scan.
  
• Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
  
• Wait till the scanner has finished and then click File, Save Report.
  
• Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

"just click on Cancel, then Accept".


information and logs:

In your next post I need the following


• .logs from DDS
  
• log from RKUnHooker
  
• let me know of any problems you may have had

Gringo

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows 2000 Professional
Boot Device: \Device\Harddisk0\Partition1
Install Date:
System Uptime: (976138 hours ago)
.
Motherboard: ASUSTeK Computer Inc. | | P4C800
Processor: Intel® Pentium® 4 CPU 3.20GHz | CPU 1 | 3198/200mhz
Processor: Intel® Pentium® 4 CPU 3.20GHz | CPU 1 | 3198/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 128 GiB total, 98.664 GiB free.
D: is CDROM (CDFS)
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 3Com Gigabit LOM (3C940)
Device ID: PCI\VEN_10B7&DEV_1700&SUBSYS_80EB1043&REV_12\4&2E98101C&0&28F0
Manufacturer: 3Com
Name: 3Com Gigabit LOM (3C940)
PNP Device ID: PCI\VEN_10B7&DEV_1700&SUBSYS_80EB1043&REV_12\4&2E98101C&0&28F0
Service: EL2000
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Device
Device ID: PCI\VEN_8086&DEV_24D3&SUBSYS_80A61043&REV_02\3&267A616A&0&FB
Manufacturer:
Name: PCI Device
PNP Device ID: PCI\VEN_8086&DEV_24D3&SUBSYS_80A61043&REV_02\3&267A616A&0&FB
Service:
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
6200
6200_Help
6200Trb
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe SVG Viewer 3.0
AiO_Scan
AiOSoftware
AVG 9.0
BufferChm
Canon Camera Support Core Library
Canon Camera TWAIN Driver
Canon Camera TWAIN Driver 6.9
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities PhotoStitch
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
Copy
CP_AtenaShokunin1Config
cp_dwShrek2Albums1
cp_dwShrek2Cards1
CreativeProjects
CreativeProjectsTemplates
CueTour
Destinations
Director
DocProc
DocumentViewer
DriverBoost
EZCam
Fax
FileZilla Client 3.4.0
Foxit Reader
Free PowerPoint/PPT to Pdf Converter 5.5
HiJackThis
Hotfix for MDAC 2.53 (KB927779)
HP Image Zone 4.7
HP Product Assistant
HP PSC & OfficeJet 4.7
HP Update
HPSystemDiagnostics
InstantShare
Java Auto Updater
Java™ 6 Update 20
jZip
Macromedia HomeSite 5
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB971108)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Small Business
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Miraplacid Text Driver SDK 5.6
Mozilla Firefox 4.0.1 (x86 en-US)
NVIDIA Drivers
PanoStandAlone
PhotoGallery
PhotoShow Deluxe 3
ProductContext
QFolder
Readme
Rootkit Unhooker Uninstall
Scan
ScannerCopy
Security Update for DirectX 8 (KB971633)
Security Update for DirectX 9.0 (KB975560)
Security Update for DirectX 9.0 (KB975562)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Microsoft .NET Framework 2.0 (KB947746)
Security Update for Windows 2000 (KB941569)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB977816)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 6.4 (KB954600)
Security Update for Windows Media Player 6.4 (KB974112)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB973540)
SkinsHP1
SoundMAX
SUPER © Version 2010.bld.38 (May 2, 2010)
TopStyle Lite (Version 3.0)
TrayApp
Unload
Update Rollup 1 for Windows 2000 SP4
Visual Slideshow
WebFldrs
WebReg
Windows 2000 Hotfix - KB842773
Windows 2000 Hotfix - KB893756
Windows 2000 Hotfix - KB896358
Windows 2000 Hotfix - KB896422
Windows 2000 Hotfix - KB896423
Windows 2000 Hotfix - KB899587
Windows 2000 Hotfix - KB899589
Windows 2000 Hotfix - KB900725
Windows 2000 Hotfix - KB901017
Windows 2000 Hotfix - KB901214
Windows 2000 Hotfix - KB905414
Windows 2000 Hotfix - KB905749
Windows 2000 Hotfix - KB908531
Windows 2000 Hotfix - KB913580
Windows 2000 Hotfix - KB914388
Windows 2000 Hotfix - KB917008
Windows 2000 Hotfix - KB918118
Windows 2000 Hotfix - KB920213
Windows 2000 Hotfix - KB920670
Windows 2000 Hotfix - KB920683
Windows 2000 Hotfix - KB921398
Windows 2000 Hotfix - KB922582
Windows 2000 Hotfix - KB923191
Windows 2000 Hotfix - KB923561
Windows 2000 Hotfix - KB923810
Windows 2000 Hotfix - KB923980
Windows 2000 Hotfix - KB924270
Windows 2000 Hotfix - KB924667
Windows 2000 Hotfix - KB925902
Windows 2000 Hotfix - KB926122
Windows 2000 Hotfix - KB926436
Windows 2000 Hotfix - KB927891
Windows 2000 Hotfix - KB928843
Windows 2000 Hotfix - KB935839
Windows 2000 Hotfix - KB937894
Windows 2000 Hotfix - KB938127
Windows 2000 Hotfix - KB938827
Windows 2000 Hotfix - KB943055
Windows 2000 Hotfix - KB943485
Windows 2000 Hotfix - KB944338
Windows 2000 Hotfix - KB950749
Windows 2000 Hotfix - KB950760
Windows 2000 Hotfix - KB950974
Windows 2000 Hotfix - KB951748-V2
Windows 2000 Hotfix - KB952004
Windows 2000 Hotfix - KB952954
Windows 2000 Hotfix - KB955069
Windows 2000 Hotfix - KB955759
Windows 2000 Hotfix - KB956802
Windows 2000 Hotfix - KB956844
Windows 2000 Hotfix - KB957097
Windows 2000 Hotfix - KB958470
Windows 2000 Hotfix - KB958644
Windows 2000 Hotfix - KB959426
Windows 2000 Hotfix - KB960225
Windows 2000 Hotfix - KB960803
Windows 2000 Hotfix - KB960859
Windows 2000 Hotfix - KB961501
Windows 2000 Hotfix - KB967715
Windows 2000 Hotfix - KB969059
Windows 2000 Hotfix - KB969947
Windows 2000 Hotfix - KB970238
Windows 2000 Hotfix - KB971468
Windows 2000 Hotfix - KB971961
Windows 2000 Hotfix - KB972270
Windows 2000 Hotfix - KB973354
Windows 2000 Hotfix - KB973507
Windows 2000 Hotfix - KB973869
Windows 2000 Hotfix - KB973904
Windows 2000 Hotfix - KB974318
Windows 2000 Hotfix - KB974392
Windows 2000 Hotfix - KB974571
Windows 2000 Hotfix - KB975713
Windows 2000 Hotfix - KB977914
Windows 2000 Hotfix - KB978037
Windows 2000 Hotfix - KB978262
Windows 2000 Hotfix - KB978542
Windows 2000 Hotfix - KB978601
Windows 2000 Hotfix - KB978706
Windows 2000 Hotfix - KB979309
Windows 2000 Hotfix - KB979482
Windows 2000 Hotfix - KB979559
Windows 2000 Hotfix - KB979683
Windows 2000 Hotfix - KB980182
Windows 2000 Hotfix - KB980195
Windows 2000 Hotfix - KB980218
Windows 2000 Hotfix - KB980232
Windows 2000 Hotfix - KB981350
Windows 2000 Hotfix - KB982381
Windows 2000 Service Pack 4
Windows Installer 3.1 (KB893803)
Windows Media Player Hotfix [See Q828026 for more information]
Windows Media Player system update (9 Series)
.
==== End Of File ===========================




.
DDS (Ver_11-03-05.01) - NTFSx86
Run by 01101100 at 10:34:34.34 on Mon 05/09/2011
Internet Explorer: 5.00.3700.1000 BrowserJavaVersion: 1.6.0_20
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.2047.837 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINNT\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\01101100\My Documents\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
mDefault_Page_URL = hxxp://www.msn.com
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [NvCplDaemon] RUNDLL32.EXE c:\winnt\system32\NvCpl.dll,NvStartup
uPolicies-explorer: NoDesktop = 1 (0x1)
Trusted Zone: com\www.msi
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {32564D57-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv8ax.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\01101100\applic~1\mozilla\firefox\profiles\z150mbsr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.graphicsfactory.com/
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AvgRkx86;avgrkx86.sys;c:\winnt\system32\drivers\avgrkx86.sys [2010-4-24 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\winnt\system32\drivers\avgldx86.sys [2010-4-24 216200]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\winnt\system32\drivers\avgmfx86.sys [2010-4-24 29512]
R1 AvgTdiX;AVG Network Redirector;c:\winnt\system32\drivers\avgtdix.sys [2010-4-24 242896]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-4-24 308064]
R3 usbhub20;USB Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2010-4-23 49776]
S2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-4-24 916760]
S3 Normandy;Normandy SR2;c:\winnt\system32\drivers\Normandy.sys [2011-5-8 34560]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
.
=============== Created Last 30 ================
.
2011-05-08 17:41:55 -------- d-----w- C:\RkUnhooker
2011-05-08 17:23:27 34560 ----a-w- c:\winnt\system32\drivers\Normandy.sys
2011-05-08 17:20:13 -------- d--h--w- c:\winnt\PIF
2011-04-30 13:36:37 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-04-30 13:36:37 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-04-30 13:36:37 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-04-30 13:36:37 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-04-30 13:36:37 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-04-30 13:36:37 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-04-30 13:36:37 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-04-30 13:36:37 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-30 13:04:23 -------- d-----w- c:\docume~1\01101100\applic~1\Malwarebytes
2011-04-30 13:03:43 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2011-04-30 13:03:43 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-30 13:03:40 19288 ----a-w- c:\winnt\system32\drivers\mbam.sys
2011-04-30 13:03:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-30 12:59:14 21552 -c--a-w- c:\winnt\system32\dllcache\usbstor.sys
2011-04-24 14:09:06 -------- d-----w- c:\program files\Visual Slideshow
2011-04-15 14:04:20 -------- d-----w- c:\docume~1\01101100\locals~1\applic~1\ActiveState
2011-04-15 13:44:09 67584 ----a-w- c:\winnt\unlite2.exe
2011-04-11 15:13:52 -------- d-----w- c:\program files\common files\Vbox
2011-04-11 15:13:41 72192 ----a-w- c:\winnt\unlite3.exe
2011-04-11 15:13:40 -------- d-----w- c:\program files\Bradbury
2011-04-11 15:13:38 143360 ----a-w- c:\winnt\system32\CFFileProxy.dll
2011-04-11 15:13:18 -------- d-----w- c:\program files\Macromedia
.
==================== Find3M ====================
.
2006-05-03 09:06:54 163328 --sh--r- c:\winnt\system32\flvDX.dll
2007-02-21 10:47:16 31232 -csh--r- c:\winnt\system32\msfDX.dll
2008-03-16 12:30:52 216064 -csh--r- c:\winnt\system32\nbDX.dll
.
============= FINISH: 10:34:52.28 ===============





>Stealth
Nothing detected

Hello

I Would like you to do the following.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

Link 1
Link 2
Link 3

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

In your next post I need the following


• Log from Combofix
  
• let me know of any problems you may have had
  
• How is the computer doing now?

Gringo

i cannot run combofix.exe it tells me it can not run with AVG installed and it is not installed.

Hello

I would like you to run AVG uninstall tool AVG removal tool and try to run combofix again


gringo

the link you posted came up with "File not found." and i did run revo uninstaller with no results.

here you go - 32 bit http://www.avg.com/us-en/download-tools

that one work and thank you for your help every thing seems to be back online.

Hello

I would ike to see a report that combofix makes.

extra combofix report

• push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  
• please copy and past the following into the box

C:\ComboFix.txt

• click ok

copy and paste the report into this topic for me to review

Gringo

ComboFix 11-05-09.04 - 01101100 05/11/2011 8:59.1.2 - x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.2047.1736 [GMT -4:00]
Running from: c:\combofix\ComboFix.exe
Command switches used :: ComboFix
.
/wow section - STAGE 10
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\01101100\Application Data\Adobe\plugs
c:\documents and settings\01101100\Application Data\Adobe\shed
c:\documents and settings\01101100\Recent\dds.pif
c:\winnt\system32\regobj.dll
c:\winnt\Web\default.htt
.
c:\winnt\system32\Drivers\Volsnap.sys . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2011-04-11 to 2011-05-11 )))))))))))))))))))))))))))))))
.
.
2011-05-08 17:41 . 2011-05-09 13:07 -------- d-----w- C:\RkUnhooker
2011-05-08 17:23 . 2011-05-08 17:27 34560 ----a-w- c:\winnt\system32\drivers\Normandy.sys
2011-05-08 17:20 . 2011-05-08 17:20 -------- d--h--w- c:\winnt\PIF
2011-04-30 13:36 . 2011-04-14 16:26 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-04-30 13:36 . 2011-04-14 16:25 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-04-30 13:36 . 2011-04-14 16:25 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-04-30 13:36 . 2011-04-14 16:25 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-04-30 13:36 . 2011-04-14 16:25 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-04-30 13:36 . 2011-04-14 16:25 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-04-30 13:36 . 2010-01-01 08:00 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-04-30 13:36 . 2010-01-01 08:00 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-04-30 13:04 . 2011-04-30 13:04 -------- d-----w- c:\documents and settings\01101100\Application Data\Malwarebytes
2011-04-30 13:03 . 2011-04-30 13:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-30 13:03 . 2010-12-20 22:09 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2011-04-30 13:03 . 2011-04-30 13:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-30 13:03 . 2010-12-20 22:08 19288 ----a-w- c:\winnt\system32\drivers\mbam.sys
2011-04-30 12:59 . 2003-06-19 16:05 21552 -c--a-w- c:\winnt\system32\dllcache\usbstor.sys
2011-04-24 14:09 . 2011-04-24 14:09 -------- d-----w- c:\program files\Visual Slideshow
2011-04-15 14:04 . 2011-04-15 14:04 -------- d-----w- c:\documents and settings\01101100\Local Settings\Application Data\ActiveState
2011-04-15 13:58 . 2011-04-16 17:24 -------- d-----w- c:\documents and settings\01101100\Application Data\FileZilla
2011-04-15 13:58 . 2011-04-15 13:58 -------- d-----w- c:\program files\FileZilla FTP Client
2011-04-15 13:44 . 2001-05-11 01:59 67584 ----a-w- c:\winnt\unlite2.exe
2011-04-11 15:13 . 2011-04-11 15:13 -------- d-----w- c:\program files\Common Files\Vbox
2011-04-11 15:13 . 2002-09-03 17:02 72192 ----a-w- c:\winnt\unlite3.exe
2011-04-11 15:13 . 2011-04-15 14:23 -------- d-----w- c:\program files\Bradbury
2011-04-11 15:13 . 2003-08-25 20:55 143360 ----a-w- c:\winnt\system32\CFFileProxy.dll
2011-04-11 15:13 . 2011-04-11 15:13 -------- d-----w- c:\program files\Macromedia
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-14 16:26 . 2011-04-30 13:36 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 09:06 163328 --sh--r- c:\winnt\system32\flvDX.dll
2007-02-21 10:47 31232 -csh--r- c:\winnt\system32\msfDX.dll
2008-03-16 12:30 216064 -csh--r- c:\winnt\system32\nbDX.dll
.
.
------- Sigcheck -------
.
.
[-] 2002-11-26 23:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [ERROR: 0x0] . . c:\winnt\system32\mspmsnsv.dll
.
[-] 2004-07-09 08:27 . 3120F6D2AB10CDF242EDE54052A8BE47 . 1689600 . . [ERROR: 0x0] . . c:\winnt\system32\d3d9.dll
.
c:\winnt\System32\comres.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"Synchronization Manager"="mobsync.exe" [2003-06-19 111376]
"NvCplDaemon"="c:\winnt\system32\NvCpl.dll" [2006-11-17 7700480]
.
c:\documents and settings\01101100\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
.
R3 usbhub20;USB Hub Support;c:\winnt\system32\drivers\usbhub20.sys [4/23/2010 8:38 PM 49776]
S3 Normandy;Normandy SR2;c:\winnt\system32\drivers\Normandy.sys [5/8/2011 1:23 PM 34560]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
.
.
------- Supplementary Scan -------
.
LSP: %SystemRoot%\system32\msafd.dll
Trusted Zone: com\www.msi
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\01101100\Application Data\Mozilla\Firefox\Profiles\z150mbsr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.graphicsfactory.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-11 09:01
Windows 5.0.2195 Service Pack 4 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINNT\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINNT\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(176)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
.
Completion time: 2011-05-11 09:02:57
ComboFix-quarantined-files.txt 2011-05-11 13:02
.
Pre-Run: 106,490,298,368 bytes free
Post-Run: 107,029,790,720 bytes free
.
- - End Of File - - 837EAB17FF861A171A0DCF7A3A25631B

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.

• Download TDSSKiller and save it to your Desktop.
  
• doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  
• If an infected file is detected, the default action will be Cure, click on Continue.
  
• If a suspicious file is detected, the default action will be Skip, click on Continue.
  
• It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  
• If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  
• If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo

when i open the file my system reboots. 3 times and no load! just restart.

rename TDSSKiller to Gringo.exe and rerun it again


gringo