Major Problems. Help Needed.



KingMoz
2011-04-30, 14:03
Hello -

At my wits' end here. When I try to boot my computer into normal mode I get a blue screen error for about a second, then it restarts.

I checked my memory with memtest and all is fine. My Spybot scan produces two problems: Click.Giftload and Fraud.DefenceCentre. I click fix and it removes them. I also ran the reg check option in CCleaner which produced over 700 issues. I click fix all issues, cross my fingers, and restart...
Bang! Same blue screen error. Same two problems return in Spybot scan. All CCleaner reg issues have returned.
Malwarebytes produces nothing.

Help me please.

Thank you in advance.

.
DDS (Ver_11-03-05.01) - NTFSx86 NETWORK
Run by Claralara at 11:02:51.62 on 30/04/2011
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_15
Microsoft Windows Vista Home Premium 6.0.6002.2.1252.44.1033.18.3543.2605 [GMT 1:00]
.
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
FW: COMODO Firewall *Enabled* {5F676F4C-DD6D-A47C-12D6-C449366C71EE}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\SpyNoMore\SNM.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Claralara\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B7Y3OVFQ\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uSearch Bar = Preserve
uWindow Title = Internet Explorer provided by Dell
uInternet Settings,ProxyOverride = local;*.local
mURLSearchHooks: H - No File
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\vacuykgbkmkprpbpni.exe\kprpbpni.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [Advanced SystemCare 4] "c:\program files\iobit\advanced systemcare 4\ASCTray.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min/ns
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [MRT] "c:\windows\system32\MRT.exe" /R
mRun: [SNM] c:\program files\spynomore\SNM.exe /startup
StartupFolder: c:\users\claral~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableTaskMgr = 1 (0x1)
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} - hxxp://www.vexcast.com/download/vexcast.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\claral~1\appdata\roaming\mozilla\firefox\profiles\oz4e9niw.default\
FF - prefs.js: browser.search.selectedEngine - Ixquick HTTPS
FF - prefs.js: browser.startup.homepage - hxxps://eu.ixquick.com/?r=2774
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\tvuplayer\npTVUAx.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\claralara\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-6-1 34744]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-6-4 236600]
S2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2009-8-14 1872320]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_22764d41\AEstSrv.exe [2009-5-13 81920]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;"c:\program files\avira\antivir desktop\sched.exe" --> c:\program files\avira\antivir desktop\sched.exe [?]
S2 AntiVirService;Avira AntiVir Guard;"c:\program files\avira\antivir desktop\avguard.exe" --> c:\program files\avira\antivir desktop\avguard.exe [?]
S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
S2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc --> RUNDLL32.EXE ykx32coinst,serviceStartProc [?]
S3 OA009Ufd;Creative Camera OA009 Upper Filter Driver;c:\windows\system32\drivers\OA009Ufd.sys [2009-3-6 133632]
S3 OA009Vid;Creative Camera OA009 Function Driver;c:\windows\system32\drivers\OA009Vid.sys [2009-3-19 271552]
.
=============== Created Last 30 ================
.
2011-04-30 09:45:15 1152 ----a-w- c:\windows\system32\windrv.sys
2011-04-30 09:45:08 -------- d-----w- c:\program files\SpyNoMore
2011-04-30 09:44:33 -------- d-----w- c:\users\claral~1\appdata\roaming\GetRightToGo
2011-04-28 06:17:39 -------- d-----w- c:\program files\ESET
2011-04-27 15:06:53 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2011-04-27 15:06:48 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-04-27 10:53:45 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2011-04-27 10:53:43 -------- d-----w- c:\program files\LSoft Technologies
2011-04-23 10:09:27 -------- d-----w- c:\program files\FDF
2011-04-21 16:24:57 -------- d-----w- C:\dc17b29dd922a5bb9d8606b295
2011-04-21 16:12:28 -------- d-----w- c:\progra~2\ErrorEND
2011-04-21 16:12:22 -------- d-----w- c:\program files\ErrorEND
2011-04-21 12:00:32 -------- d-----w- c:\users\claral~1\appdata\roaming\CheeseSoft
2011-04-21 12:00:32 -------- d-----w- C:\FU_Backup
2011-04-21 12:00:29 -------- d-----w- c:\program files\FinalUninstaller
2011-04-21 11:52:57 -------- d-----w- c:\program files\Add Remove Pro
2011-04-21 11:47:21 -------- d-----w- c:\program files\RegScrubVistaXP
2011-04-21 11:42:15 -------- d-----w- c:\program files\Free Window Registry Repair
2011-04-21 11:36:36 23552 ----a-w- c:\windows\system32\drivers\dfg.sys
2011-04-19 09:40:05 -------- d-----w- c:\progra~2\RegCure
2011-04-18 09:30:38 -------- d-----w- c:\program files\FreeApps
2011-04-18 09:30:37 -------- d-----w- c:\progra~2\FreeApp
2011-04-17 11:15:01 29520 ----a-w- c:\windows\system32\SmartDefragBootTime.exe
2011-04-17 11:15:01 16184 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys
2011-04-14 17:16:06 54016 ----a-w- c:\windows\system32\drivers\kontwh.sys
2011-04-14 01:12:59 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-12 08:32:18 6792528 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{e92de2d3-b480-43c1-8c78-70b19b5da71e}\mpengine.dll
2011-03-31 12:14:32 -------- d-----w- c:\users\claral~1\appdata\local\Opera
.
==================== Find3M ====================
.
2011-03-10 17:03:51 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03:51 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-03 13:25:11 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-03-02 15:44:27 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-02-16 16:16:37 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-02-16 14:02:23 292864 ----a-w- c:\windows\system32\atmfd.dll
2011-02-02 18:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 11:03:18.93 ===============

Click.GiftLoad: [SBI $89783858] User settings (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe

Fraud.DefenseCenter: [SBI $400D394B] Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2011-04-27 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2011-03-18 Includes\Adware.sbi (*)
2011-03-22 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2011-03-08 Includes\DialerC.sbi (*)
2011-02-24 Includes\HeavyDuty.sbi (*)
2011-03-29 Includes\Hijackers.sbi (*)
2011-03-29 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2010-12-14 Includes\Keyloggers.sbi (*)
2011-03-08 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2011-04-05 Includes\Malware.sbi (*)
2011-04-26 Includes\MalwareC.sbi (*)
2011-02-24 Includes\PUPS.sbi (*)
2011-03-15 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2011-03-08 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2011-02-24 Includes\Spyware.sbi (*)
2011-03-15 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2010-12-28 Includes\Trojans.sbi (*)
2011-04-26 Includes\TrojansC-02.sbi (*)
2011-04-26 Includes\TrojansC-03.sbi (*)
2011-04-18 Includes\TrojansC-04.sbi (*)
2011-04-26 Includes\TrojansC-05.sbi (*)
2011-03-08 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

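Added example, not code from the thread, Spybot, or the DDS tool: a small Python triage of the "Pseudo HJT Report" section of a DDS log like the one posted above, assuming the line formats shown there (Userinit, mPolicies, AppInit_DLLs, BHO/TB entries). The sample lines are constructed copies of entries from the posted log, and the severity labels are this example's own convention.

```python
"""Triage common persistence and policy-tampering entries in a DDS report.

Added example (not part of the original thread or of the DDS tool). The
checks are limited to line shapes that appear in the posted log.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines in the shape of the posted "Pseudo HJT Report".
SAMPLE_REPORT = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\vacuykgbkmkprpbpni.exe\kprpbpni.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: DisableTaskMgr = 1 (0x1)
AppInit_DLLs: c:\windows\system32\guard32.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # HIGH / MEDIUM / LOW (this example's own scale)
    item: str      # which report entry triggered the finding
    detail: str    # what a responder should look at


# On a clean system Winlogon's Userinit value launches only this binary.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

POLICY_RE = re.compile(r"^mPolicies-(\w+):\s*(\w+)\s*=\s*(\d+)")
NOFILE_RE = re.compile(r"^(BHO|TB):.*-\s*No File$", re.IGNORECASE)


def check_userinit(value):
    """Return every Userinit launch entry other than the stock userinit.exe."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != EXPECTED_USERINIT]


def triage(report):
    """Scan report lines and return findings ordered by severity."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        low = line.lower()
        if low.startswith("mwinlogon:") and "userinit=" in low:
            extra = check_userinit(line.split("=", 1)[1])
            if extra:  # anything beyond userinit.exe runs at every logon
                findings.append(Finding("HIGH", "Winlogon Userinit",
                                        "extra logon executable(s): " + ", ".join(extra)))
            continue
        m = POLICY_RE.match(line)
        if m:
            scope, name, val = m.groups()
            if name == "DisableTaskMgr" and val == "1":
                findings.append(Finding("MEDIUM", "mPolicies-" + scope,
                                        "Task Manager disabled by policy (DisableTaskMgr=1)"))
            elif name == "EnableLUA" and val == "0":
                findings.append(Finding("MEDIUM", "mPolicies-" + scope,
                                        "UAC disabled by policy (EnableLUA=0)"))
            continue
        if low.startswith("appinit_dlls:"):
            dlls = line.split(":", 1)[1].strip()
            if dlls:  # loaded into every process that maps user32.dll
                findings.append(Finding("LOW", "AppInit_DLLs",
                                        "injected DLL: " + dlls + "; confirm it belongs to an installed product"))
            continue
        if NOFILE_RE.match(line):
            findings.append(Finding("LOW", line.split(":", 1)[0],
                                    "orphaned browser entry (No File): " + line))
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted(findings, key=lambda f: order[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.severity}] {f.item}: {f.detail}")
```

Run against the constructed sample, the Userinit entry is reported first, ahead of the two policy findings and the two informational entries.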
Jack&Jill
2011-05-04, 03:27
Hello and welcome to Safer Networking.

I am currently assessing your situation and will be back with a fix for your problem as soon as possible.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this, click Thread Tools, then click Subscribe to this Thread. Under the Notification Type: title, make sure it is set to Instant notification by email, then click Add Subscription.

Please be patient with me during this time.

Meanwhile, please make a reply to this topic to acknowledge that you have read this and are still with me to tackle the problem until the end. If I do not get any response within 3 days, this topic will be closed.

KingMoz
2011-05-05, 01:56
Hello -

I have done what you ask and am awaiting your reply.

Thank you for your time.

Jack&Jill
2011-05-07, 09:04
Hello KingMoz :),

Welcome to Safer Networking. I am Jack&Jill, and I will be helping you out.

Before we go further, there are a few things that I would like to make clear so that we share the same understanding.

Please observe and follow these Forum Rules (http://forums.spybot.info/showthread.php?t=288).
Any advice is for your computer only and is taken at your own risk. Fixes sometimes will cause unexpected results, but I will do my best to assist you.
Please read the instructions carefully and follow them closely, in the order they are presented to you.
If you have any doubts or problems during the fix, please stop and ask.
All the tools that I will ask you to download and use are safe. Please allow them if prompted by any of your security software.
Do not use or run any malware cleaning tools without supervision as they may cause more harm if improperly used.
Refrain from installing any new programs except those that I request during the fix to prevent interference to my diagnosis of the problem.
Lack of malware symptoms does not mean your computer is clean. Stick to this topic until I give the All Clear.
If you do not reply within 3 days, this topic will be closed.
If you are agreeable to the above, then everything should go smoothly :) . We may begin.

--------------------

You have Malwarebytes' Anti-Malware (MBAM) on your machine. I wish to take a look at the most recent log file. Open MBAM and click on the Logs tab. Open the file at the bottom of the list and post the contents back here. If there is no log or you have yet to run MBAM, please let me know.

--------------------

Is this a business computer?

--------------------

Remove P2P software

IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

Torrent
StreamTorrent 1.0


Please read the Guidelines for P2P Programs (http://forums.spybot.info/showthread.php?t=282) where we explain why it's not a good idea to have them.
Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
Go to Control Panel > Add/Remove Programs and uninstall the P2P program(s) listed above (in red).
Please remove them before we continue with fixing your computer.

--------------------

Please post back:
1. previous MBAM logs
2. the answer to my question about your computer
3. new Attach.txt

KingMoz
2011-05-07, 14:33
Hello Jack&Jill :)

Thanks again for your time. As regards uTorrent I did remove this before my initial post and it's not in my add/remove list. My apologies with streamtorrent. I have now removed that too.

When I tried to find a MBAM log there was none there, so I ran a new scan. It is now telling me I have an infected registry data item. I tried to remove it but it returns on restart.

Here is the log file and new attach.

Thanks

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6525

Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 9.0.8112.16421

07/05/2011 11:58:02
MBAMLog

Scan type: Quick scan
Objects scanned: 138819
Time elapsed: 2 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Jack&Jill
2011-05-09, 19:27
Hello KingMoz :),

You are running two Antivirus (AV) softwares:

Avira AntiVir Personal - Free Antivirus
COMODO Internet Security

Although AV is essential for keeping your computer free from viruses, having more than one AV will do more harm than protect your computer. They will not only conflict, but will slow down your computer as well. Did you pay for either one of them? Please keep the paid AV and uninstall the other. Otherwise, you will need to choose in accordance with your preference.

COMODO Internet Security has both the antivirus and firewall components.

--------------------

Remove unwanted programs

Go to Control Panel > Add/Remove Programs.
Please uninstall the following bad programs one by one (if present, or any programs that may contain the strings below in their names):

SpyNoMore 2.98


Read and proceed carefully when uninstalling these programs so that you will not be tricked into keeping them.

--------------------


Is this a business computer? Please answer this question.

--------------------

Please close all programs and do not run any others before and during the Rootkit Unhooker scan. Do not use the computer for anything else until after the scan is completed.

Please download Rootkit Unhooker and save it to your desktop. Click here. (http://www.kernelmode.info/ARKs/RKUnhookerLE.EXE)

Double click RKUnhookerLE.exe to run it.
Click the Report tab, then click Scan.
Ensure the following are checked (ticked):

Drivers
Stealth Code
Files
Code Hooks
Uncheck the rest, then click OK. An initial scan will be performed.
When prompted to Select Disks for Scan, make sure C:\ is checked and click OK.
Wait until the scanner is done, then click on File at the pull down menu, followed by Save Report.
Save the report somewhere you can find it. Click Close to exit.
Copy the entire contents of the report and paste it in your next reply.

You may get a warning about parasite detection. Please click OK to continue.

--------------------

Please post back:
1. the answer to my question about your computer
2. the Rootkit Unhooker log

KingMoz
2011-05-11, 18:52
Hi Jack&Jill

Yes, this is a personal computer. And things have just gone from bad to worse!

I uninstalled Comodo then restarted and now I have lost my wireless connection and can't seem to get it back. It's saying 'connected but with limited access' and I can't get online. Other computers on the network are working fine. What a nightmare! :sick:

Am beginning to contemplate restoring factory settings now but I was hoping it wouldn't come to that...

Jack&Jill
2011-05-12, 19:12
Hello KingMoz :),

Open Network Connections by clicking Start > Control Panel > Network and Internet > Network and Sharing Center > Manage network connections.

Right click on the connection that is affected, and then click Properties. A Local Area Connection Properties dialog will appear. At the Networking tab, do you see anything related to Comodo? Please list down all the items so that I can take a look.

KingMoz
2011-05-13, 03:58
Hello again -

I did what you asked and yes there was a box saying 'comodo internet security firewall driver'.

I unticked the box and hey presto, I'm back online :bigthumb:

I then downloaded and ran Rootkit Unhooker and got the following error:

Error loading driver, NTSTATUS code:0xC000035F

:confused:

Jack&Jill
2011-05-15, 09:49
Hello KingMoz :),

Please use Revo Uninstaller (http://www.revouninstaller.com/revo_uninstaller_free_download.html) to remove the remainder of COMODO Internet Security, then check if the Comodo driver is removed. Please let me know the result.

--------------------

About the error from Rootkit Unhooker, most likely it is caused by interference from Avira antivirus (AV).

Please disable the AV temporarily by right clicking on the icon at the system tray, then uncheck AntiVir Guard enable. Now, try running Rootkit Unhooker again. Remember to enable Avira when done with Rootkit Unhooker and please do not go online when active protection is disabled.

If that does not work, please try it in Safe Mode.

Restart in Safe Mode

Reboot your computer and tap on the F8 key repeatedly during startup.
A menu will appear. Select to start Windows in Safe Mode by using the arrow keys. Click here for tutorial on how to boot up in Safe Mode if you need help. (http://www.bleepingcomputer.com/forums/index.php?showtutorial=61)

KingMoz
2011-05-16, 18:55
Hello Jack&Jill -

I have completely uninstalled Comodo and the driver, but for some reason when I restart, they return? I have no idea why this is. Like I said in my initial post I cannot boot into normal mode. Only safe mode. So maybe that's the reason I can't uninstall properly?

I have also tried to uninstall Avira in order to run Rootkit Unhooker, but to no avail. I just can't get RKU to run. And like Comodo, Avira returns after a restart.

Any other ideas?

Thanks again for your time.

Jack&Jill
2011-05-16, 19:30
Hello KingMoz :),

Let's give this a shot. Before that, please uninstall Spybot.

Please close all programs and do not run any others before and during the GMER scan. Do not use the computer for anything else until after the scan is completed.

Please download GMER and save it to your desktop. Click here. (http://www.gmer.net/download.php)

Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily when running GMER. They may cause the computer to freeze.
If you need help to disable your protection programs see here (http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/490111-how-disable-your-security-applications.html) and here (http://www.bleepingcomputer.com/forums/topic114351.html).
Double click the .exe file. If asked to allow the gmer driver file with a sys extension to load, please consent.
If it gives you a warning about rootkit activity and asks if you want to run scan, click on No.
In the right panel, you will see several boxes that have been checked (ticked).
Uncheck IAT/EAT
Uncheck All other Drives/Partitions except C:\ (leave C:\ checked)
Uncheck Show All (don't miss this one)
Then click the Scan button and wait for it to finish.
Once done, click on the Save... button and save it as "Gmer.txt" at a convenient location. Post the contents of that report.
Re-enable your security software as soon as you have completed the GMER steps.
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

If you are having problems running GMER, retry with Devices unchecked as well. If you are still encountering difficulties, please try running GMER in Safe Mode. You can get into Safe Mode using the F8 key during the startup of your computer after a reboot.

--------------------

Please post back:
1. the GMER log

Jack&Jill
2011-05-18, 19:57
Hello KingMoz :),

I usually close the topic after 3 days without any reply, and it has already been 2 days since my last post. Do you still need help? Any problems following my instructions? Need more time?

If I do not get any response within the next 24 hours, this topic will be closed.

KingMoz
2011-05-19, 14:32
Hi Jack&Jill -

Sorry about the delay. I had some trouble with Gmer due to the time it was taking to scan and work commitments. Finally managed to get the log (which took over two hours), but it's HUGE! Way too big to post. I unchecked all the boxes you asked and also had to uncheck devices.

Here is the services part which says I have active rootkits, but I was unable to post the reg part which is massive. I could zip it and attach it but I thought I'd better ask first before I do that.

Is this the correct log? Or is there a smaller one I am missing?

Cheers

GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-19 02:50:53
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.LV01
Running: 2nin8gij.exe; Driver: C:\Users\CLARAL~1\AppData\Local\Temp\uwldquog.sys


---- Services - GMER 1.0.15 ----

Service C:\Program Files\Avira\AntiVir Desktop\sched.exe (*** hidden *** ) [AUTO] AntiVirSchedulerService <-- ROOTKIT !!!
Service C:\Program Files\Avira\AntiVir Desktop\avguard.exe (*** hidden *** ) [AUTO] AntiVirService <-- ROOTKIT !!!
Service C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe (*** hidden *** ) [AUTO] cmdAgent <-- ROOTKIT !!!
Service System32\DRIVERS\cmdguard.sys (*** hidden *** ) [SYSTEM] cmdGuard <-- ROOTKIT !!!
Service System32\DRIVERS\cmdhlp.sys (*** hidden *** ) [SYSTEM] cmdHlp <-- ROOTKIT !!!
Service system32\DRIVERS\inspect.sys (*** hidden *** ) [SYSTEM] Inspect <-- ROOTKIT !!!
Service C:\Program Files\iPod\bin\iPodService.exe (*** hidden *** ) [MANUAL] iPod Service <-- ROOTKIT !!!
Service C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (*** hidden *** ) [MANUAL] ose <-- ROOTKIT !!!
Service C:\Windows\servicing\TrustedInstaller.exe (*** hidden *** ) [AUTO] TrustedInstaller <-- ROOTKIT !!!

Jack&Jill
2011-05-22, 05:54
Hello KingMoz :),

> Sorry about the delay. I had some trouble with Gmer due to the time it was taking to scan and work commitments.

Not a problem. I am quite busy as well. However, we should strive to keep replies within 3 days, or I will not be able to help others still waiting.

> Is this the correct log? Or is there a smaller one I am missing?

It is correct, but we will leave it for the moment.

For Windows Vista or Windows 7, please use right click and select Run as administrator instead of double click to run all the tools I ask you to, or they may not work properly.

Disable CD Emulation drivers

Please download DeFogger by jpshortstuff and save it to your desktop. Click here. (http://www.jpshortstuff.247fixes.com/Defogger.exe)
Double click on DeFogger.exe to run the tool.
The application window will appear.
Click the Disable button to disable your CD Emulation drivers.
Click Yes to continue.
A Finished! message will appear, then click OK.
DeFogger will now ask to reboot the machine, click OK.
DO NOT re-enable these drivers until otherwise instructed.

If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Also remember to keep your AV temporarily disabled when you continue the steps below. Enable it after you have completed them.

--------------------

Please download TDSSKiller from Kaspersky and save it to your desktop. Click here. (http://support.kaspersky.com/downloads/utils/tdsskiller.exe)

Alternatively, you may get the zip version (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and extract the file to the desktop.
Double click on TDSSKiller.exe to execute it.
Press Start scan to begin.
If anything is found, please change all the actions to Skip only.
Then click on Continue at the lower right corner.
You may be prompted to reboot your computer, please consent.
Once complete, a log will be produced at C:\. It will be named TDSSKiller.Version_Date_Time_log.txt, for example, C:\TDSSKiller.2.4.12.0_26.12.2010_23.12.11_log.txt.
Please post the contents of this log.

--------------------

Please download aswMBR and save it to your desktop. Click here. (http://public.avast.com/~gmerek/aswMBR.exe)

Double click the aswMBR.exe file to run it.
Click on the Scan button to start. The program will launch a scan.
When done, you will see Scan finished successfully. Please click on Save log and save the file to your desktop.
Please post the contents of the log in your next reply.


--------------------

Please post back:
1. the TDSSKiller log
2. aswMBR result

KingMoz
2011-05-22, 14:25
Hello Jack&Jill -

Thank you so much for your help, but I'm sorry to say I have thrown in the towel and reformatted. I just desperately needed my laptop back in working order asap, and right now, it's working fine. I'm sorry if I wasted your time a little, that wasn't my intention, but please lock this thread and move on to someone more in need of your assistance.

Thank You

Jack&Jill
2011-05-22, 19:11
Hello KingMoz :),

No hassle at all. Sometimes a reformat will be the fastest and most effective way. Thanks for letting me know and you are most welcome. Take care and surf safely.

--------------------

As your problems appear to have been resolved, this topic is now closed.

We are glad to be of help. If you are satisfied with our assistance and wish to donate to help with the costs of this volunteer site, please read:
Your donation helps in improving Spybot-S&D! (http://www.safer-networking.org/en/donate/index.html)