View Full Version : Nasty mix of viruses



z4tz87
2009-06-08, 02:04
Hello

I seem to have caught a real nasty virus/malware I can't get rid of.
What I first noticed was MSN Messenger logging me out and sending spam.
I looked it up and it was a virus called antit.exe that was responsible for that.
I got that deleted, but in the process I found more and more viruses popping up.

Win32.Delf.uv and .uc and Hupigon13 were found by Spybot.
SUPERAntiSpyware found some rootkit and some trojan agent.
The nastiest part is that I can't update my antivirus or any of the anti-malware programs, because the virus is blocking all the websites and also the IPs of the update servers.
It also blocks a few programs from starting normally, like HijackThis (rename required).

I also did a boot scan with avast that found some PrefPoly and JunkPoly.

Will post logs in replies from HijackThis, SUPERAntiSpyware and the avast boot scan.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:52:09, on 2009-06-08
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\V0220Mon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Windows Live\Messenger\MsnMsgr.Exe
C:\Documents and Settings\z4tz\Application Data\Mikogo\Mikogo-Host.exe
C:\Program\Spybot - Search & Destroy\TeaTimer.exe
C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program\Personal\bin\Personal.exe
C:\WINDOWS\system32\svchost.exe
F:\dc++\Downloads\ventrilo_srv-2.1.2-Windows-i386\ventrilo_srv.exe
C:\Program\Java\jre6\bin\jqs.exe
D:\Program\MATLAB71\webserver\bin\win32\matlabserver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Spybot - Search & Destroy\SpybotSD.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Trend Micro\HijackThis\test.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Länkhjälp till Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - {8abde8bc-3129-4f9a-8ca2-e3cacc4194bd} - (no file)
O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RTHDCPL] "C:\WINDOWS\RTHDCPL.EXE"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\WINDOWS\system32\NeroCheck.exe"
O4 - HKLM\..\Run: [V0220Mon.exe] "C:\WINDOWS\V0220Mon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Alcmtr] "C:\WINDOWS\ALCMTR.EXE"
O4 - HKLM\..\Run: [avast!] "C:\Program\ALWILS~1\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [Windows UDP Control Center] csrss.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Mikogo] "C:\Documents and Settings\z4tz\Application Data\Mikogo\Mikogo-Host.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - HKCU\..\Run: [FileZilla Server Interface] "C:\Program\FileZilla Server\FileZilla Server Interface.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1708537768-776561741-839522115-1009\..\Run: [CTFMON.EXE] "C:\WINDOWS\System32\CTFMON.EXE" (User 'postgres')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Genväg till ventrilo_srv.exe.lnk = F:\dc++\Downloads\ventrilo_srv-2.1.2-Windows-i386\ventrilo_srv.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - .DEFAULT Startup: Genväg till ventrilo_srv.exe.lnk = F:\dc++\Downloads\ventrilo_srv-2.1.2-Windows-i386\ventrilo_srv.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Genväg till ventrilo_srv.exe.lnk = F:\dc++\Downloads\ventrilo_srv-2.1.2-Windows-i386\ventrilo_srv.exe
O4 - Global Startup: BankID säkerhetsprogram.lnk = C:\Program\Personal\bin\Personal.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\poker\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\poker\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191957987890
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.6.0_11) -
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !saswinlogon - C:\Program\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Application Management AppMgmtRemoteAccess (AppMgmtRemoteAccess) - Unknown owner - C:\WINDOWS\system32\accessu.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: B-Service - Unknown owner - C:\Documents and Settings\z4tz\Application Data\Mikogo\B-Service.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program\FileZilla Server\FileZilla Server.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c987eefd14140c) (gupdate1c987eefd14140c) - Unknown owner - C:\Program\Google\Update\GoogleUpdate.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - D:\Program\MATLAB71\webserver\bin\win32\matlabserver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program\WinPcap\rpcapd.exe

--
End of file - 10733 bytes

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/08/2009 at 01:47 AM

Application Version : 4.25.1014

Core Rules Database Version : 3885
Trace Rules Database Version: 1833

Scan type : Complete Scan
Total Scan Time : 00:24:48

Memory items scanned : 464
Memory threats detected : 0
Registry items scanned : 6344
Registry threats detected : 4
File items scanned : 21703
File threats detected : 3

Rootkit.Protect
HKLM\System\ControlSet001\Services\protect
C:\WINDOWS\SYSTEM32\DRIVERS\PROTECT.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_protect
HKLM\System\CurrentControlSet\Services\protect
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_protect

Trojan.Agent/Gen-NumTemp
C:\WINDOWS\SYSTEM32\7.TMP
C:\WINDOWS\Prefetch\7.TMP-138C6DFA.pf

06/07/2009 21:13
Scan of all local drives

File C:\Program\Trend Micro\HijackThis\HijackThis.exe is infected by Win32:JunkPoly [Cryp], Deleted
File C:\Program\Trend Micro\HijackThis\Kopia av HijackThs.exe is infected by Win32:JunkPoly [Cryp], Deleted
File C:\Program\VentriloMIX\VentriloMIX.exe is infected by Win32:JunkPoly [Cryp], Repair: Error 42060 {The file was not repaired.}, Deleted
File C:\System Volume Information\_restore{B0148294-AF94-4150-8BF3-79C5756260DE}\RP101\A0007754.dll is infected by Win32:Trojan-gen {Other}, Repair: Error 42060 {The file was not repaired.}, Deleted
File C:\System Volume Information\_restore{B0148294-AF94-4150-8BF3-79C5756260DE}\RP101\A0007759.exe is infected by Win32:JunkPoly [Cryp], Deleted
File C:\System Volume Information\_restore{B0148294-AF94-4150-8BF3-79C5756260DE}\RP101\A0007760.exe is infected by Win32:JunkPoly [Cryp], Deleted
File C:\System Volume Information\_restore{B0148294-AF94-4150-8BF3-79C5756260DE}\RP101\A0007761.exe is infected by Win32:JunkPoly [Cryp], Deleted
File C:\System Volume Information\_restore{B0148294-AF94-4150-8BF3-79C5756260DE}\RP97\A0007491.exe is infected by Win32:JunkPoly [Cryp], Deleted
File C:\System Volume Information\_restore{B0148294-AF94-4150-8BF3-79C5756260DE}\RP97\A0007507.exe is infected by Win32:JunkPoly [Cryp], Deleted
File C:\System Volume Information\_restore{B0148294-AF94-4150-8BF3-79C5756260DE}\RP97\A0007557.exe is infected by Win32:JunkPoly [Cryp], Deleted
File C:\WINDOWS\$NtServicePackUninstall$\admin.exe is infected by Win32:PrefPoly [Cryp], Repair: Error 42060 {The file was not repaired.}
File C:\WINDOWS\$NtServicePackUninstall$\author.exe is infected by Win32:PrefPoly [Cryp]

Scanning aborted
Number of searched folders: 9450
Number of tested files: 119386
Number of infected files: 12

----------------------------------------
06/07/2009 23:12
Scan of all local drives

File C:\Documents and Settings\z4tz\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe is infected by Win32:JunkPoly [Cryp], Deleted
File C:\Program\Trend Micro\HijackThis\HijackThisfa.exe is infected by Win32:JunkPoly [Cryp], Deleted
File C:\System Volume Information\_restore{B0148294-AF94-4150-8BF3-79C5756260DE}\RP104\A0008268.exe is infected by Win32:JunkPoly [Cryp], Deleted
File C:\System Volume Information\_restore{B0148294-AF94-4150-8BF3-79C5756260DE}\RP104\A0008269.exe is infected by Win32:JunkPoly [Cryp], Deleted
File C:\WINDOWS\$NtServicePackUninstall$\admin.exe is infected by Win32:PrefPoly [Cryp], Deleted
File C:\WINDOWS\$NtServicePackUninstall$\author.exe is infected by Win32:PrefPoly [Cryp], Deleted
Number of searched folders: 20393
Number of tested files: 278293
Number of infected files: 6

--- Report generated: 2009-06-08 01:52 ---

Hupigon13: [SBI $D5A7DCB6] Settings (Registernyckel, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe

Hupigon13: [SBI $8D4AFC92] Settings (Registernyckel, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com

Hupigon13: [SBI $79919CB3] Settings (Registernyckel, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe

Hupigon13: [SBI $46DBB063] Settings (Registernyckel, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NOD32.exe

Win32.Delf.uc: [SBI $88B8013A] Settings (Registervärde, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\??\C:\WINDOWS\system32\winlogon.exe

Win32.Delf.uc: [SBI $14B30E85] Settings (Registervärde, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\??\C:\WINDOWS\system32\winlogon.exe

Win32.Delf.uv: [SBI $E73FD4D9] Settings (Registervärde, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCONSOL.EXE\Debugger

Win32.Delf.uv: [SBI $9554BC9A] Settings (Registervärde, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP32.EXE\Debugger

Win32.Delf.uv: [SBI $C83CB234] Settings (Registervärde, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.EXE\Debugger

Win32.Delf.uv: [SBI $4D759A7F] Settings (Registervärde, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.EXE\Debugger

Win32.Delf.uv: [SBI $F963F0F7] Settings (Registervärde, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.EXE\Debugger

Win32.Delf.uv: [SBI $83CDDB58] Settings (Registervärde, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.EXE\Debugger

Win32.Delf.uv: [SBI $AB0D8EB4] Settings (Registervärde, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVNT.EXE\Debugger

Win32.Delf.uv: [SBI $C53439DD] Settings (Registervärde, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navw32.EXE\Debugger

Win32.Delf.uv: [SBI $0809137C] Settings (Registervärde, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVWNT.EXE\Debugger

Win32.Delf.uv: [SBI $95619944] Settings (Registervärde, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCAN32.EXE\Debugger

Win32.Delf.uv: [SBI $AE0ED1C1] Settings (Registervärde, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZONEALARM.EXE\Debugger


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-03-03 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-05-19 Includes\Adware.sbi (*)
2009-06-02 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-05-19 Includes\Dialer.sbi (*)
2009-06-02 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2009-06-02 Includes\HijackersC.sbi (*)
2009-05-06 Includes\Keyloggers.sbi (*)
2009-06-02 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2009-05-12 Includes\Malware.sbi (*)
2009-06-02 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-06-02 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-06-02 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-04-07 Includes\Spyware.sbi (*)
2009-06-02 Includes\SpywareC.sbi (*)
2009-04-07 Includes\Tracks.uti
2009-06-02 Includes\Trojans.sbi (*)
2009-06-02 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll


"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)
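Several lines in the logs above point at the same two tamper patterns: Image File Execution Options `Debugger` values set for security-product executables (that Windows facility redirects every launch of the named image to the "debugger" program, which is consistent with tools only starting once renamed), a Run key that starts a bare `csrss.exe` with no path, and Windows Firewall exemptions for `winlogon.exe`. The script below is an added example, not code from HijackThis, Spybot or anyone in this thread; it parses a handful of lines copied from the logs above and flags those patterns for review. The heuristics, the function names and the core-process list are this editor's assumptions.

```python
"""Triage of HijackThis- and Spybot-style log lines for the tamper and
persistence patterns visible in the thread above.  Added example: the
heuristics, names and constants are this editor's, not part of either tool."""
import re
from dataclasses import dataclass, field

# Core Windows processes that only ever run from %SystemRoot%\system32.  A Run
# key launching a bare "csrss.exe", or a firewall exemption for winlogon.exe,
# does not match how these binaries normally behave, so both get flagged.
CORE_SYSTEM_PROCESSES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
}

# Key under which a "Debugger" value redirects every launch of the named image.
IFEO_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
               "\\Image File Execution Options\\")
# Windows XP firewall exemption list (as written in the Spybot log above).
FIREWALL_LIST = "\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List\\"

# HijackThis O4 entry: "O4 - <hive>\..\Run: [<name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Findings:
    run_keys_without_path: list = field(default_factory=list)  # (name, exe)
    ifeo_debugger_targets: list = field(default_factory=list)  # image names
    ifeo_keys: list = field(default_factory=list)              # key only, no Debugger value
    core_process_firewall_exemptions: list = field(default_factory=list)


def executable_of(cmd: str) -> str:
    """Return the program part of a Run-key command line, without quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(lines):
    """Run the three heuristics over log lines and collect what needs review."""
    f = Findings()
    for raw in lines:
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m.group("cmd"))
            if "\\" not in exe:  # no directory: resolved through the search path
                f.run_keys_without_path.append((m.group("name"), exe))
            continue
        if line.startswith(IFEO_PREFIX):
            rest = line[len(IFEO_PREFIX):]
            if rest.lower().endswith("\\debugger"):
                f.ifeo_debugger_targets.append(rest[: -len("\\Debugger")])
            else:
                f.ifeo_keys.append(rest)
            continue
        if FIREWALL_LIST in line:
            path = line.split(FIREWALL_LIST, 1)[1]
            if path.startswith("\\??\\"):  # NT object-namespace prefix
                path = path[4:]
            if basename(path) in CORE_SYSTEM_PROCESSES:
                f.core_process_firewall_exemptions.append(path)
    return f


# Sample input: lines copied from the HijackThis and Spybot logs posted above.
SAMPLE_LINES = r"""
O4 - HKLM\..\Run: [avast!] "C:\Program\ALWILS~1\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [Windows UDP Control Center] csrss.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJÄNST')
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP32.EXE\Debugger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZONEALARM.EXE\Debugger
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\??\C:\WINDOWS\system32\winlogon.exe
""".strip().splitlines()

if __name__ == "__main__":
    findings = triage(SAMPLE_LINES)
    for name, exe in findings.run_keys_without_path:
        print(f"Run key [{name}] starts '{exe}' without a path: review")
    for img in findings.ifeo_debugger_targets:
        print(f"IFEO Debugger set for {img}: launches of it are redirected")
    for img in findings.ifeo_keys:
        print(f"IFEO key present for {img}: check for a Debugger value")
    for path in findings.core_process_firewall_exemptions:
        print(f"Firewall exemption for core process {path}: review")
```

Each hit is a prompt for a closer look, not a verdict: an IFEO key without a `Debugger` value can be a developer's leftover, and a Run entry without a path is only resolved through the search order, so what it actually launches has to be confirmed on the machine itself.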

Blade81
2009-06-08, 20:33
Hi,

Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.

z4tz87
2009-06-09, 04:39
Thanks for your time

There you have the files requested.

Blade81
2009-06-09, 15:58
Hi again,


IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

µTorrent
DC++

I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).


After that:

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:


Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds.txt log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

z4tz87
2009-06-09, 18:09
Thanks again for the help. I did as you said in your post, deleting the programs, disabling the antivirus and closing all other programs.

But when I run ComboFix I get an error and a bug.txt is created.
I tried running it several times; I tried downloading the Windows Recovery Console and using that, same error. I also tried running it in safe mode with the same result.
Bug.txt attached.

Blade81
2009-06-09, 20:42
Hi

Please try to run ComboFix in safe mode (http://www.computerhope.com/issues/chsafe.htm#02).

z4tz87
2009-06-09, 21:05
As I said in my previous message, I already tried it. I also tried again and got exactly the same bug.txt.

I did some research on Google; this guy (http://www.viprasys.org/vb/f82/bro-vit-plzz-check-213747/#post905937)
got exactly the same text in bug.txt as I did.
I also recognise some of the bad files he encountered.


Trojan Files Found:
C:\WINDOWS\system32\2.tmp - Deleted
C:\WINDOWS\system32\3.tmp - Deleted
C:\WINDOWS\system32\4.tmp - Deleted
C:\WINDOWS\system32\5.tmp - Deleted
C:\WINDOWS\system32\6.tmp - Deleted
C:\WINDOWS\system32\7.tmp - Deleted
C:\WINDOWS\system32\9.tmp - Deleted
C:\WINDOWS\system32\A.tmp - Deleted
C:\WINDOWS\system32\C.tmp - Deleted
C:\WINDOWS\system32\2.tmp - Deleted
Similar files can sometimes be found on my computer.

Don't know if this helps you in any way, but I thought I'd mention it.

Blade81
2009-06-10, 15:23
Hi,

Please try to download a new version and rename ComboFix.exe to something.exe. Then try to run it.

z4tz87
2009-06-10, 15:42
Tried it both in normal and safe mode and I get the same bug.txt again, unfortunately.

Blade81
2009-06-10, 16:38
Ok. I'll try to find out what's causing the issue. Shall be back later.

z4tz87
2009-06-10, 17:40
Ok
Really appreciate your help!

Blade81
2009-06-11, 16:24
Hi again,

Let's do some scanning.

Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner)

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Read the requirements and privacy statement then click on the Accept button.
The program will launch and start to download the latest definition files.
You will be prompted to install an application from Kaspersky. Click Run.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
Click on Save Report As....
Change the Files of type to Text file (.txt) before clicking on the Save button.
Save this report to a convenient place.
Copy and paste that information into your topic.

The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete, Kaspersky suggests running it during a time of low activity.

If you need a tutorial, see here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif)

Blade81
2009-06-19, 15:05
Due to inactivity, this thread will now be closed.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.