Windows version: 64-bit Windows 7 Ultimate ver 6.1, build 7600, with several components removed from the installation with W7 Toolkit and vLite. I did a fresh install only a week ago and have only installed some software and device drivers. I haven't noticed any slowdowns, the system is very snappy.
Symptoms: When I installed AVG, it kept warning about the file C:\Windows\SysWOW64\vbgyfuqv.dll, which it wanted to remove but couldn't, so it kept warning every 1-2 minutes. When scanning the whole system, it found infections in a bunch of .exe files in C:\Windows\Temp\assembly, and also said that a few applications I use were infected and were to be removed after reboot, such as Chrome.exe and VMware.exe. However, when I rebooted, they weren't removed.
At this point I thought there was a problem with AVG finding false positives everywhere, uninstalled it, and got Avast instead. Avast hasn't mentioned vbgyfuqv.dll, but it keeps blocking some Win32:DNSchanger process from trying to access some suspicious URLs I haven't heard of; also it blocks new files in C:\Windows\Temp\assembly\*random characters*\ every few minutes. These files seem to be created when I start new processes. For instance, I just downloaded TDSS Killer from Kaspersky (anti-rootkit tool), and when running it, Avast said this program's process was trying to create more of those files. It (TDSS) didn't find any infections.
At some point, I remember either AVG or Avast reported a file called kwrd.dll.
Also, Windows Update has started to fail; there are 4 important updates I can't download. Also, when I reboot, Windows complains that my HP HD Fixed WebCam driver failed to install. Windows Update was supposed to do this for me; maybe the rootkit is hiding in this driver or something.
I have scheduled boot-time scans with Avast and run them a few times, but they just find and delete the same two files in C:\Windows\Temp\assembly each time and don't stop the weird behavior; also, those files keep coming back.
I would like to know whether a file shield such as AVG's resident shield, or the one Avast provides, would have prevented the rootkit from being installed, even though they apparently can't remove it. In that case, I will install an AV earlier next time I reinstall.
I would greatly appreciate if someone could help me remove this thing!
Edited by Maomao, 27 October 2011 - 09:51 PM.
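The following triage script is an added example written for this thread; it is not from the poster and is not an AV vendor's tool. It gathers, in one pass, the evidence a responder would want from the symptoms described above: where the reported DLL names (vbgyfuqv.dll, kwrd.dll) exist on disk with their timestamps, Authenticode status and SHA-256; which DNS servers the machine is actually using (from WMI and from the per-interface registry values), since Avast's Win32:DNSchanger detection suggests resolver tampering; the newest files under C:\Windows\Temp\assembly; and any non-localhost hosts-file entries. It assumes Windows 7 with the stock PowerShell 2.0 (so it uses WMI and .NET rather than newer cmdlets), an elevated prompt, and a list of trusted resolvers in $TrustedDns that is a placeholder you must edit.

```powershell
# Added triage script, not part of the original post. Assumes Windows 7 / PowerShell 2.0,
# an elevated prompt, and that $TrustedDns is edited to your real router/ISP resolvers.
$SuspectNames = @('vbgyfuqv.dll', 'kwrd.dll')   # names reported in the post
$DropDir      = 'C:\Windows\Temp\assembly'       # directory the AV keeps flagging
$TrustedDns   = @('192.168.1.1')                 # ASSUMED placeholder; replace

function Get-Sha256 {
    param([string]$Path)
    # A DLL loaded by a running process can usually still be read for hashing; a
    # kernel-mode rootkit may block or filter the read, so failures are reported too.
    try {
        $stream = [System.IO.File]::OpenRead($Path)
        try {
            $hash = [System.Security.Cryptography.SHA256]::Create().ComputeHash($stream)
            return ([System.BitConverter]::ToString($hash)) -replace '-', ''
        } finally { $stream.Close() }
    } catch { return "READ FAILED: $($_.Exception.Message)" }
}

function Get-SuspectFileReport {
    # Search all of C:\Windows: the post gives a location only for vbgyfuqv.dll.
    # A "system" DLL that is unsigned and was created on the day of infection stands out.
    foreach ($name in $SuspectNames) {
        Get-ChildItem -Path 'C:\Windows' -Recurse -Filter $name -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                New-Object PSObject -Property @{
                    Path      = $_.FullName
                    Size      = $_.Length
                    Created   = $_.CreationTime
                    Modified  = $_.LastWriteTime
                    Signature = $sig.Status   # genuine Windows DLLs report 'Valid'
                    Signer    = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' })
                    Sha256    = Get-Sha256 $_.FullName
                }
            }
    }
}

function Get-DnsReport {
    # DNSChanger-style malware points the host at attacker-controlled resolvers.
    # Compare the live adapter settings (WMI) and the registry values they come
    # from against $TrustedDns; a static NameServer you never set is the red flag.
    $live = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $adapter = $_.Description
            foreach ($server in @($_.DNSServerSearchOrder)) {
                if ($server) {
                    New-Object PSObject -Property @{
                        Source  = 'WMI:' + $adapter
                        Server  = $server
                        Trusted = ($TrustedDns -contains $server)
                    }
                }
            }
        }
    $regRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    $fromReg = Get-ChildItem $regRoot | ForEach-Object {
        $props = Get-ItemProperty $_.PSPath
        $iface = $_.PSChildName
        foreach ($key in 'NameServer', 'DhcpNameServer') {
            $value = $props.$key
            if ($value) {
                foreach ($server in ($value -split '[ ,]+')) {
                    if ($server) {
                        New-Object PSObject -Property @{
                            Source  = "Registry:${key}:" + $iface
                            Server  = $server
                            Trusted = ($TrustedDns -contains $server)
                        }
                    }
                }
            }
        }
    }
    @($live) + @($fromReg)
}

function Get-RecentDrops {
    param([int]$Count = 20)
    # Newest files in the drop directory; run it right after launching a program
    # and correlate with Sysinternals Process Monitor to find the writing process.
    Get-ChildItem -Path $DropDir -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Sort-Object CreationTime -Descending |
        Select-Object -First $Count FullName, Length, CreationTime
}

function Get-HostsOverrides {
    # Non-comment, non-localhost hosts entries: another common way to redirect
    # Windows Update or AV vendor hostnames.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content $hosts | Where-Object {
        $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' -and $_ -notmatch '^\s*#' -and $_ -notmatch 'localhost'
    }
}

Write-Host '== Suspect DLLs ==';                 Get-SuspectFileReport | Format-List
Write-Host '== DNS servers ==';                  Get-DnsReport | Format-Table Source, Server, Trusted -AutoSize
Write-Host '== Newest files in Temp\assembly =='; Get-RecentDrops | Format-Table -AutoSize
Write-Host '== hosts file overrides ==';         Get-HostsOverrides
```

Two caveats when reading the output. First, everything above runs in user mode on the suspect system, so a kernel-mode rootkit can hide files, registry values or processes from it; an empty result is not proof of absence, and the authoritative view comes from mounting the disk offline (a boot CD or another machine). Second, an "Untrusted" resolver in the DNS report is consistent with the Windows Update failures described, since a hijacked resolver can simply refuse to answer for Microsoft's update hostnames; record the server addresses before changing them, because they are the indicator that identifies the infection.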