I am writing for help on solving an issue on my friend's computer. He must have downloaded a single bug which hijacked his internet and began downloading multiple viruses/malware. I was able to remove a good number of them with the a-squared free scanner, but my problem is that when I read all the suggestion guides and forums, people were asking for HJT logs and HJF logs. I have had minor success with this and many 'cleaner' programs listed, because I am pretty sure the bug is preventing these tools from scanning and identifying all the appropriate files. I have downloaded almost every single tool onto the laptop I am typing from, renamed it, copied it to a flash drive and then copied it to the infected system, yet the infection still continues to identify these programs and kill them before I am able to see the GUI load up or the scan complete (or even get close; the bugs seem to squash these programs in their tracks as soon as an infected file is identified and an attempt is made to deep scan it). I am trying normal scans right now, as was suggested in the 'read first' post.
I have tried deleting the offending reg keys and files with no real success. The programs tell me that the files and keys have been removed, yet the infected files are still hiding and are definitely still doing their dirty work.
Since I was unable to produce an HJT or HJF log, and your guide said not to until asked for one, I am just going to post the names and locations of identified files discovered by a-squared.
c:\prog files\protection system\
C:\prog files\protection system\coreext.dll
My friend uses the computer for business and needs it back ASAP. I came to you guys asking for help since you seem to have had such great success helping other individuals with similar/same situations.
Note: the programs that aren't killed outright upon launching are usually blocked by privileges ("you are not admin", etc.). I have had success unlocking the registry with the gpedit.msc tool but can never seem to find where the keys are hiding. It appears that I can get around this with RegASSASSIN.
When the system starts up it gives a Disk I/O error. When I first saw this I thought, oh, fantastic, but it appears that the system still boots, which leads me to believe that the virus is causing this message and that upon fixing the bug the message will disappear too.
Thanks a ton,
EDIT: here is the GMER log result; hopefully this helps. Also, I was able to rename and install/run Remove It Pro and it also listed
=== below is GMER's log file
GMER 220.127.116.1177 [xw1fngfk.exe] - http://www.gmer.net
Rootkit quick scan 2009-08-19 16:35:34
Windows 5.1.2600 Service Pack 2
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys
AttachedDevice \Driver\Tcpip \Device\Tcp ABTDI.sys (ABTDI/ArcaBit)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys
---- Services - GMER 1.0.15 ----
Service system32\drivers\UACntsppfhxfj.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!
---- EOF - GMER 1.0.15 ----
Edited by zaneandre, 19 August 2009 - 06:55 PM.
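The GMER log above is the one piece of hard evidence in the thread: a kernel driver registered as a service in the registry but marked `*** hidden ***`, meaning it does not show up when the service list is enumerated through the normal API, plus a set of third-party TDI filter drivers attached to the TCP/IP stack. The parser below is an added example, not code from the original post and not part of GMER itself; it reads the plain-text format GMER writes (as seen in the post), and the sample log embedded in it is constructed to mirror the post's entries. It assumes the line layouts shown there (`AttachedDevice <target> <device> <driver> (<description>)` and `Service <image> (<flags>) [<start>] <name> <-- <note>`) and treats the bracketed field as GMER's service start type.

```python
"""Parse a GMER 'Rootkit quick scan' log and pull out the rootkit indicators.

Added example, not from the original post or from GMER. It turns the text log
into structured records and answers two triage questions: which services GMER
flagged as hidden (present in the registry, invisible to the service control
manager), and which drivers are filtering the TCP/IP device stack.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample that mirrors the entries in the post (not a captured log).
SAMPLE_LOG = r"""GMER 1.0.15 [xw1fngfk.exe] - http://www.gmer.net
Rootkit quick scan 2009-08-19 16:35:34
Windows 5.1.2600 Service Pack 2
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys
AttachedDevice \Driver\Tcpip \Device\Tcp ABTDI.sys (ABTDI/ArcaBit)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys
---- Services - GMER 1.0.15 ----
Service system32\drivers\UACntsppfhxfj.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!
---- EOF - GMER 1.0.15 ----
"""

# AttachedDevice <target driver/fs> <device object> <filter driver file> [(description)]
DEVICE_RE = re.compile(r"^AttachedDevice\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+\((.*)\))?\s*$")
# Service <image path> (<flags>) [<start type>] <service name> [<-- <note>]
SERVICE_RE = re.compile(r"^Service\s+(\S+)\s+\((.*?)\)\s+\[(\w+)\]\s+(\S+)(?:\s+<--\s+(.*))?\s*$")


@dataclass
class AttachedDevice:
    target: str          # object the filter hooks, e.g. \Driver\Tcpip
    device: str          # device object, e.g. \Device\Tcp
    driver: str          # filter driver file, e.g. avgtdix.sys
    description: str = ""


@dataclass
class Service:
    image: str           # driver image path from the registry
    hidden: bool         # GMER's '*** hidden ***' flag
    start: str           # bracketed field, assumed to be the start type
    name: str            # service (registry key) name
    note: str = ""       # GMER's trailing annotation, e.g. 'ROOTKIT !!!'


@dataclass
class GmerReport:
    scan_time: str = ""
    windows: str = ""
    devices: list[AttachedDevice] = field(default_factory=list)
    services: list[Service] = field(default_factory=list)

    def hidden_services(self) -> list[Service]:
        """Services GMER could read from the registry but not from the SCM."""
        return [s for s in self.services if s.hidden]

    def tcpip_filters(self) -> dict[str, list[str]]:
        """Map each driver attached to \\Driver\\Tcpip to the device objects it filters."""
        out: dict[str, list[str]] = {}
        for d in self.devices:
            if d.target.lower() == r"\driver\tcpip":
                out.setdefault(d.driver, []).append(d.device)
        return out


def parse_gmer_log(text: str) -> GmerReport:
    report = GmerReport()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----") or line.startswith("GMER "):
            continue  # section headers, EOF marker, banner
        if line.startswith("Rootkit quick scan "):
            report.scan_time = line[len("Rootkit quick scan "):]
            continue
        if line.startswith("Windows "):
            report.windows = line
            continue
        m = DEVICE_RE.match(line)
        if m:
            report.devices.append(AttachedDevice(m.group(1), m.group(2), m.group(3), m.group(4) or ""))
            continue
        m = SERVICE_RE.match(line)
        if m:
            flags = m.group(2)
            report.services.append(Service(m.group(1), "hidden" in flags, m.group(3), m.group(4), m.group(5) or ""))
    return report


if __name__ == "__main__":
    rep = parse_gmer_log(SAMPLE_LOG)
    print(f"scan {rep.scan_time} on {rep.windows}")
    for drv, devs in rep.tcpip_filters().items():
        print(f"TCP/IP filter {drv}: {', '.join(devs)}")
    for s in rep.hidden_services():
        print(f"HIDDEN service {s.name} -> {s.image} [{s.start}] {s.note}")
```

Run on the sample, the only hidden entry is the `UACd.sys` service backed by a randomly named driver, which is exactly the line GMER annotated; the TCP/IP filters resolve to the AVG and ArcaBit TDI drivers, which the log itself labels and which are the usual legitimate occupants of that stack.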