Avast Enhanced Protection Mode Logs

here is RogueKiller:
RogueKiller V5.3.3 [08/18/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRKgmailcom
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows 7 (6.1.7600 ) 32 bits version
Started in : Normal mode
User: dj [Admin rights]
Mode: Remove – Date : 08/22/2011 11:51:54

Bad processes: 13
[HJ NAME] svchost.exe – c:\windows\update.2\svchost.exe → KILLED [TermProc]
[SUSP PATH] sysdriver32.exe – c:\windows\sysdriver32.exe → KILLED [TermProc]
[HJ NAME] svchost.exe – c:\windows\update.1\svchost.exe → KILLED [TermProc]
[SVCHOST] svchost.exe – c:\windows\update.2\svchost.exe → KILLED [TermProc]
[SVCHOST] svchost.exe – c:\windows\update.tray-7-0\svchost.exe → KILLED [TermProc]
[SUSP PATH] sysdriver32.exe – c:\windows\sysdriver32.exe → KILLED [TermProc]
[SUSP PATH] sysdriver32_.exe – c:\windows\sysdriver32_.exe → KILLED [TermProc]
[SUSP PATH] l1rezerv.exe – c:\windows\l1rezerv.exe → KILLED [TermProc]
[SUSP PATH] TechTracker.exe – c:\users\dj\appdata\roaming\cbs interactive\cnet techtracker\techtracker.exe → KILLED [TermProc]
[SVCHOST] svchost.exe – c:\windows\update.tray-7-0-lnk\svchost.exe → KILLED [TermProc]
[SUSP PATH] systemup.exe – c:\windows\systemup.exe → KILLED [TermProc]
[HJ NAME] svchost.exe – c:\windows\update.5.0\svchost.exe → KILLED [TermProc]
[SVCHOST] svchost.exe – c:\windows\update.5.0\svchost.exe → KILLED [TermProc]

Registry Entries: 28
[SUSP PATH] HKLM[…]\Run : wxpdrv (C:\Windows\services32.exe) → DELETED
[HJ NAME] HKLM[…]\Run : tray_ico0 (C:\Windows\update.tray-7-0\svchost.exe) → DELETED
[SUSP PATH] HKLM[…]\Run : 2339572.exe (“C:\Windows\Temp\2339572.exe”) → DELETED
[SUSP PATH] HKLM[…]\Run : sysdriver32.exe (“C:\Windows\sysdriver32.exe” rezerv) → DELETED
[SUSP PATH] HKLM[…]\Run : sysdriver32_.exe (“C:\Windows\sysdriver32_.exe” rezerv) → DELETED
[SUSP PATH] HKLM[…]\Run : 3743462.exe (“C:\Users\dj\AppData\Local\Temp\3743462.exe”) → DELETED
[SUSP PATH] HKLM[…]\Run : 84590761-loader2.exe (“C:\Windows\Temp\84590761-loader2.exe”) → DELETED
[SUSP PATH] HKLM[…]\Run : 356332.exe (“C:\Windows\Temp\356332.exe”) → DELETED
[SUSP PATH] HKLM[…]\Run : l1rezerv.exe (“C:\Windows\l1rezerv.exe”) → DELETED
[SUSP PATH] HKLM[…]\Run : 5766770.exe (“C:\Windows\Temp\5766770.exe”) → DELETED
[SUSP PATH] HKLM[…]\Run : systemup (“C:\Windows\systemup.exe” stand) → DELETED
[BLACKLIST] HKLM[…]\services : srvbtcclient (C:\Windows\update.5.0\svchost.exe srv) → DELETED
[BLACKLIST] HKLM[…]\services : srviecheck (C:\Windows\update.2\svchost.exe srv) → DELETED
[BLACKLIST] HKLM[…]\services : srvsysdriver32 (C:\Windows\sysdriver32.exe srv) → DELETED
[BLACKLIST] HKLM[…]\services : wxpdrivers (C:\Windows\update.1\svchost.exe srv) → DELETED
[BLACKLIST] HKLM[…]\services : srvbtcclient (C:\Windows\update.5.0\svchost.exe srv) → DELETED
[BLACKLIST] HKLM[…]\services : srviecheck (C:\Windows\update.2\svchost.exe srv) → DELETED
[BLACKLIST] HKLM[…]\services : srvsysdriver32 (C:\Windows\sysdriver32.exe srv) → DELETED
[BLACKLIST] HKLM[…]\services : wxpdrivers (C:\Windows\update.1\svchost.exe srv) → DELETED
[SUSP PATH] CNET TechTracker.lnk : C:\Users\dj\AppData\Roaming\CBS Interactive\CNET TechTracker\TechTracker.exe → DELETED
[HJ] HKLM[…]\System : ConsentPromptBehaviorAdmin (0) → REPLACED (2)
[HJ] HKLM[…]\System : ConsentPromptBehaviorUser (0) → REPLACED (1)
[HJ] HKLM[…]\System : EnableLUA (0) → REPLACED (1)
[HJ] HKLM[…]\Security Center : AntiVirusDisableNotify (1) → REPLACED (0)
[HJ] HKLM[…]\Security Center : FirewallDisableNotify (1) → REPLACED (0)
[HJ] HKLM[…]\Security Center : UpdatesDisableNotify (1) → REPLACED (0)
[HJ] HKLM[…]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) → REPLACED (0)
[HJ] HKLM[…]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) → REPLACED (0)

Particular Files / Folders:

HOSTS File:
127.0.0.1 localhost
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 af-za.facebook.com
127.0.0.1 az-az.facebook.com
127.0.0.1 id-id.facebook.com
127.0.0.1 ms-my.facebook.com
127.0.0.1 bs-ba.facebook.com
127.0.0.1 ca-es.facebook.com
127.0.0.1 cs-cz.facebook.com
127.0.0.1 cy-gb.facebook.com
127.0.0.1 da-dk.facebook.com
127.0.0.1 de-de.facebook.com
127.0.0.1 et-ee.facebook.com
127.0.0.1 en-gb.facebook.com
127.0.0.1 es-la.facebook.com
127.0.0.1 eo-eo.facebook.com
127.0.0.1 eu-es.facebook.com
127.0.0.1 tl-ph.facebook.com
127.0.0.1 fo-fo.facebook.com
[…]

Finished : << RKreport[1].txt >>
RKreport[1].txt

OTS:

http://www.mediafire.com/?q1f3wc72szpa7jc
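The [HJ NAME] and [SUSP PATH] tags in the RogueKiller report above come from two simple checks: a process with the name of a core Windows binary (svchost.exe) that is not running from its expected directory, and an executable launched from a location no legitimate component is installed in (directly in C:\Windows, or under Temp/AppData). The following is an added Python example, not RogueKiller's code and not from the original post, that applies the same two checks to command lines as a process lister or a Run-key dump would hand them over. The expected-directory map, the C:\Windows root allowlist, the suspicious-directory markers and the C:\Windows install path are my assumptions; the sample entries are constructed from the paths in the report.

```python
"""Masquerading-binary and suspicious-path triage.

Added example, not RogueKiller's code and not from the original post. It
applies two of the checks behind the [HJ NAME] and [SUSP PATH] tags in the
report above to command lines the way a process lister or a Run-key dump
hands them over. The lists below are assumptions, not an authoritative
inventory of Windows binaries.
"""
import ntpath
import re
from typing import Iterable, List, Tuple

SYSTEM_ROOT = r"c:\windows"  # assumption: default install drive and folder

# Core binaries and the only directories they are expected to run from (assumed).
EXPECTED_DIRS = {
    "svchost.exe":  {SYSTEM_ROOT + r"\system32", SYSTEM_ROOT + r"\syswow64"},
    "services.exe": {SYSTEM_ROOT + r"\system32"},
    "lsass.exe":    {SYSTEM_ROOT + r"\system32"},
    "csrss.exe":    {SYSTEM_ROOT + r"\system32"},
    "winlogon.exe": {SYSTEM_ROOT + r"\system32"},
    "explorer.exe": {SYSTEM_ROOT},
}
# Executables that legitimately sit directly in %SystemRoot% (assumed starter list).
WINDOWS_ROOT_ALLOWLIST = {"explorer.exe", "regedit.exe", "notepad.exe", "write.exe", "hh.exe"}
# Directory fragments no system service should be launched from (assumed).
SUSP_DIR_MARKERS = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\downloads\\")


def extract_image(command: str) -> str:
    """Pull the executable path out of a Run-value style command line.

    Handles the quoted form  "C:\\Windows\\sysdriver32.exe" rezerv  and the
    unquoted form  C:\\x\\y.exe -k netsvcs  (path taken up to the first .exe).
    """
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    idx = cmd.lower().find(".exe")
    return cmd[: idx + 4] if idx >= 0 else cmd.split()[0]


def normalize(path: str) -> str:
    """Expand %SystemRoot%, collapse . and .. components, lower-case for comparison."""
    path = re.sub(r"%systemroot%", lambda m: SYSTEM_ROOT, path, flags=re.IGNORECASE)
    return ntpath.normpath(path).lower()


def classify(command: str) -> List[str]:
    """Return the tags that apply to one command line (empty list = nothing odd)."""
    path = normalize(extract_image(command))
    directory, name = ntpath.split(path)
    tags: List[str] = []
    expected = EXPECTED_DIRS.get(name)
    if expected is not None and directory not in expected:
        tags.append("HJ NAME")       # well-known name, wrong home: classic masquerade
    if any(marker in directory + "\\" for marker in SUSP_DIR_MARKERS):
        tags.append("SUSP PATH")     # running out of a temp/user-writable location
    elif directory == SYSTEM_ROOT and name not in WINDOWS_ROOT_ALLOWLIST:
        tags.append("SUSP PATH")     # dropped straight into C:\Windows
    return tags


def triage(commands: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Run classify() over many entries and keep only the ones that got a tag."""
    flagged = []
    for cmd in commands:
        tags = classify(cmd)
        if tags:
            flagged.append((cmd, tags))
    return flagged


# Constructed sample: paths lifted from the RogueKiller report above plus clean controls.
SAMPLE_ENTRIES = [
    r"c:\windows\update.2\svchost.exe",                   # HJ NAME
    r"c:\windows\system32\svchost.exe",                   # clean
    r'"C:\Windows\sysdriver32.exe" rezerv',               # SUSP PATH (Run value with argument)
    r'"C:\Windows\Temp\2339572.exe"',                     # SUSP PATH
    r"C:\Users\dj\AppData\Local\Temp\3743462.exe",        # SUSP PATH
    r"c:\users\dj\appdata\roaming\cbs interactive\cnet techtracker\techtracker.exe",  # SUSP PATH
    r"C:\Windows\explorer.exe",                           # clean
    r"%SystemRoot%\System32\svchost.exe -k netsvcs",      # clean (real service command line)
]

if __name__ == "__main__":
    for cmd, tags in triage(SAMPLE_ENTRIES):
        print(f"[{' | '.join(tags)}] {cmd}")
```

Run it as-is to see the five flagged entries; feed it the output of a real process lister or a Run-key export by replacing SAMPLE_ENTRIES. A name that is both masqueraded and in a temp folder gets both tags, which is how the two independent checks in the report can fire on the same file.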

Whilst waiting for someone that can analyse your OTS log:
You could remove these entries from your HOSTS file manually.

HOSTS file redirects are a common malware tactic to block AV sites, making it difficult to remove malware; the same is true if they want to block Facebook, as in your case (127.0.0.1). Check your HOSTS file using Notepad or a text editor of your choice: C:\WINDOWS\system32\drivers\etc\hosts, or do a search for HOSTS to find it if it isn't there.

Once open, you are looking for the lines with those facebook.com entries on them; you can remove those lines and save the file. http://en.wikipedia.org/wiki/Hosts_file

Note, when saving the file, Notepad may have a whinge as there is no file type for the HOSTS file; ensure that the file type is set to All Files and it should comply with the fact it hasn't got a file type/extension. Depending on your OS, UAC may also have a whinge, so you may need to run that text editor (Notepad, etc.) as an administrator.

This hopefully should allow you access to Facebook, but be careful on Facebook as there are many so-called friends trying to sucker you.

It may be that the person analysing your OTS log may ask you to run another tool to further analyse your system so I will give you the info on that so you can prepare it too.

Note these files should be small enough to attach to your post (under 200KB) using the Additional Options link in the Reply window. If both don’t fit, attach one in the post and the other one in a second post. Saves having to upload to mediafire.
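The manual HOSTS check described in the post above can be scripted. The following is an added Python example, not code from the thread and not part of RogueKiller or OTL, that parses a HOSTS file, reports every hostname that is not a local-host name (sinkholed to loopback or 0.0.0.0 the way the facebook.com entries in the report were, or redirected to a routable address, which is the nastier variant), and returns a cleaned copy that keeps only comments and the localhost entries. The sample file content is constructed for the example (198.51.100.7 is a documentation address), and LOCAL_NAMES is an assumption about what a stock file may legitimately contain. Writing the cleaned copy back to %SystemRoot%\System32\drivers\etc\hosts still needs an elevated editor, as the post says.

```python
"""HOSTS file audit.

Added example; not code from the thread and not part of RogueKiller or OTL.
Flags every hostname that is not a local-host name and returns a cleaned copy
of the file with only comments and the localhost entries left.
"""
import ipaddress
from typing import Dict, List, Tuple

# Assumption: names that legitimately map to loopback in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

Finding = Dict[str, object]


def audit_hosts(text: str) -> Tuple[List[Finding], str]:
    """Return (findings, cleaned_text).

    A name mapped to loopback or 0.0.0.0 is "sinkholed" (the site becomes
    unreachable, the pattern in the report above); a name mapped to any other
    address is "redirected" (traffic goes to a host of the attacker's choosing);
    a line the resolver cannot parse is "malformed". All three are dropped from
    the cleaned copy; comments, blank lines and localhost entries are kept.
    """
    findings: List[Finding] = []
    kept: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()     # strip inline comments
        if not body:                            # blank or comment-only line: keep as is
            kept.append(raw)
            continue
        fields = body.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append({"line": lineno, "address": fields[0],
                             "name": body, "verdict": "malformed"})
            continue
        names = [n.lower().rstrip(".") for n in fields[1:]]
        hijacked = [n for n in names if n not in LOCAL_NAMES]
        if not hijacked:
            kept.append(raw)
            continue
        verdict = "sinkholed" if (addr.is_loopback or addr.is_unspecified) else "redirected"
        for n in hijacked:
            findings.append({"line": lineno, "address": str(addr),
                             "name": n, "verdict": verdict})
        local = [n for n in names if n in LOCAL_NAMES]
        if local:                               # salvage localhost if it shared the line
            kept.append(f"{fields[0]}\t{' '.join(local)}")
    return findings, "\n".join(kept) + "\n"


def names_by_verdict(findings: List[Finding], verdict: str) -> List[str]:
    """Convenience filter used by the demo and the tests."""
    return [str(f["name"]) for f in findings if f["verdict"] == verdict]


# Constructed sample hosts file for this example (not the poster's real file).
SAMPLE_HOSTS = """\
# constructed sample hosts file

127.0.0.1 localhost
::1 localhost
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 af-za.facebook.com   # sinkholed: the browser never leaves the machine
0.0.0.0 avast.com www.avast.com
198.51.100.7 update.example.com
bogus.entry this-is-not-an-ip
"""

if __name__ == "__main__":
    found, cleaned = audit_hosts(SAMPLE_HOSTS)
    for f in found:
        print(f"line {f['line']:>3}: {f['verdict']:<10} {f['name']} -> {f['address']}")
    print("--- cleaned ---")
    print(cleaned, end="")
```

Replace SAMPLE_HOSTS with the contents of the real file to audit it; the cleaned text is idempotent, so auditing it again yields no findings. Note that 0.0.0.0 is treated the same as 127.0.0.1, since both make the name unreachable.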

Thanks for the reply.
I'm running OTL and am wondering how long a full-length scan would take.

When it’s finished, I’ll attach the logs.

EDIT: P.S. the hosts file contains only localhost.

here is OTL log

OTL Extras:

I’m not the OTL expert, but as far as I’m aware if you have lots of temporary files the scan takes much longer. So perhaps you could clear your temporary files before starting it. Edit: I see you have now run OTL, I will try and get someone to analyse it.

TFC - Temp File Cleaner by OldTimer
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/
TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

OK, if they aren't in the HOSTS file, it looks like RogueKiller removed them; I wasn't sure if it wasn't just reporting them.

On completion of this run, could you zip the following folder: C:\_OTL, upload it to MegaUpload and post the link please?
Mediafire is not working for me for some reason.

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
PRC - [2011/08/20 17:51:52 | 000,382,464 | ---- | M] () -- C:\Windows\update.7.1\svchostdriver.exe
SRV - File not found [Disabled | Stopped] -- -- (sppuinotify)
IE - HKLM\..\URLSearchHook: {40f5f417-32bb-4296-9446-c1e0094e7d82} - File not found
IE - HKU\S-1-5-21-1851263083-776427828-930987571-1000\..\URLSearchHook: {40f5f417-32bb-4296-9446-c1e0094e7d82} - File not found
O4 - HKLM..\Run: [SxgTkBar] File not found
O4 - HKLM..\Run: [tray_ico] File not found
O4 - HKLM..\Run: [tray_ico1] File not found
O4 - HKLM..\Run: [tray_ico2] File not found
O4 - HKLM..\Run: [tray_ico3] File not found
O4 - HKLM..\Run: [tray_ico4] File not found
O31 - SafeBoot: AlternateShell - services32.exe
[2011/08/22 11:50:29 | 000,000,201 | ---- | M] () -- C:\Windows\info1
[2011/08/22 11:50:17 | 000,139,776 | ---- | M] () -- C:\Windows\systemup.exe
[2011/08/20 17:58:23 | 000,000,000 | ---D | C] -- C:\Windows\ufa
[2011/08/20 17:58:23 | 000,000,000 | ---D | C] -- C:\Windows\rpcminer
[2011/08/20 17:58:23 | 000,000,000 | ---D | C] -- C:\Windows\phoenix
[2011/08/20 17:53:54 | 000,000,000 | -H-D | C] -- C:\Windows\update.5.0
[2011/08/20 17:52:51 | 000,000,000 | -H-D | C] -- C:\Windows\update.2
[2011/08/20 17:51:53 | 000,000,000 | -H-D | C] -- C:\Windows\update.7.1
[2011/08/20 17:50:50 | 000,000,000 | ---D | C] -- C:\Windows\av_ico
[2011/08/20 17:49:30 | 000,000,000 | -H-D | C] -- C:\Windows\update.1
[2011/08/20 17:49:29 | 000,000,000 | -H-D | C] -- C:\Windows\update.tray-7-0-lnk
[2011/08/20 17:49:29 | 000,000,000 | -H-D | C] -- C:\Windows\update.tray-7-0
[2011/08/20 17:58:35 | 000,904,792 | ---- | M] () -- C:\Windows\geoiplist.rar
[2011/08/20 17:58:35 | 000,246,272 | ---- | M] () -- C:\Windows\unrar.exe
[2011/08/20 17:58:22 | 005,589,370 | ---- | M] () -- C:\Windows\phoenix.rar
[2011/08/20 17:58:22 | 001,075,284 | ---- | M] () -- C:\Windows\rpcminer.rar
[2011/08/20 17:58:22 | 000,182,617 | ---- | M] () -- C:\Windows\ufa.rar
[2011/08/20 17:55:35 | 000,232,960 | ---- | M] () -- C:\Windows\l1rezerv.exe
[2011/08/20 17:51:35 | 000,000,000 | ---- | M] () -- C:\Windows\loader2.exe_ok
[2011/08/20 17:51:03 | 000,258,048 | ---- | M] () -- C:\Windows\sysdriver32_.exe
[2011/08/20 17:51:03 | 000,258,048 | ---- | M] () -- C:\Windows\sysdriver32.exe
[2011/08/20 17:38:31 | 001,182,208 | ---- | M] () -- C:\Windows\services32.exe
[2011/08/22 11:50:25 | 000,139,776 | ---- | C] () -- C:\Windows\systemup.exe
[2011/08/21 19:16:08 | 057,716,768 | ---- | C] () -- C:\setup_av_free.exe
[2011/08/20 17:58:22 | 005,589,370 | ---- | C] () -- C:\Windows\phoenix.rar
[2011/08/20 17:58:22 | 001,075,284 | ---- | C] () -- C:\Windows\rpcminer.rar
[2011/08/20 17:58:22 | 000,182,617 | ---- | C] () -- C:\Windows\ufa.rar
[2011/08/20 17:55:39 | 000,232,960 | ---- | C] () -- C:\Windows\l1rezerv.exe
[2011/08/20 17:54:48 | 004,636,907 | ---- | C] () -- C:\Windows\geoiplist
[2011/08/20 17:54:47 | 000,904,792 | ---- | C] () -- C:\Windows\geoiplist.rar
[2011/08/20 17:54:47 | 000,246,272 | ---- | C] () -- C:\Windows\unrar.exe
[2011/08/20 17:51:53 | 000,000,201 | ---- | C] () -- C:\Windows\info1
[2011/08/20 17:51:27 | 000,000,000 | ---- | C] () -- C:\Windows\loader2.exe_ok
[2011/08/20 17:51:23 | 000,258,048 | ---- | C] () -- C:\Windows\sysdriver32_.exe
[2011/08/20 17:51:09 | 000,258,048 | ---- | C] () -- C:\Windows\sysdriver32.exe
[2011/08/20 17:50:58 | 000,065,536 | ---- | C] () -- C:\Windows\System32\Ikeext.etl
[2011/08/20 17:38:46 | 001,182,208 | ---- | C] () -- C:\Windows\services32.exe
[2011/08/20 17:38:31 | 001,182,208 | -H-- | M] () MD5=539402D3ABA48D6E55D8CDC645FC315F -- C:\Windows\update.1\svchost.exe
[2011/08/20 17:38:31 | 001,182,208 | -H-- | M] () MD5=539402D3ABA48D6E55D8CDC645FC315F -- C:\Windows\update.tray-7-0\svchost.exe
[2011/08/20 17:38:31 | 001,182,208 | -H-- | M] () MD5=539402D3ABA48D6E55D8CDC645FC315F -- C:\Windows\update.tray-7-0-lnk\svchost.exe
[2011/08/22 11:50:28 | 000,355,840 | ---- | M] () MD5=6C447372C1C601DCE714F7CDB354DAAD -- C:\Windows\update.5.0\svchost.exe
[2011/08/21 14:47:27 | 000,634,880 | ---- | M] () MD5=9D64674977EAD38F922E6DD0355D9D7C -- C:\Windows\update.2\svchost.exe

:Files
ipconfig /flushdns /c
C:\Windows\update.1
C:\Windows\update.tray-7-0
C:\Windows\update.tray-7-0-lnk
C:\Windows\update.5.0
C:\Windows\update.2

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Thanks for joining the topic essexboy.

No problem, I have to use Firefox to download these as IE deletes them before I can get them

Thank you both for the assistance; I guess this one's a badass.
In about an hour I'll get to the infected notebook and get you the logs you asked for.

Thank you - once I have them I will then forward them to Avast

here is a log after the fix/reboot:

All processes killed
========== OTL ==========
No active process named svchostdriver.exe was found!
Service sppuinotify stopped successfully!
Service sppuinotify deleted successfully!
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{40f5f417-32bb-4296-9446-c1e0094e7d82} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{40f5f417-32bb-4296-9446-c1e0094e7d82}\ deleted successfully.
Registry value HKEY_USERS\S-1-5-21-1851263083-776427828-930987571-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\\{40f5f417-32bb-4296-9446-c1e0094e7d82} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{40f5f417-32bb-4296-9446-c1e0094e7d82}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\SxgTkBar deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\tray_ico deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\tray_ico1 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\tray_ico2 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\tray_ico3 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\tray_ico4 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\\AlternateShell deleted successfully.
C:\Windows\info1 moved successfully.
C:\Windows\systemup.exe moved successfully.
C:\Windows\ufa folder moved successfully.
C:\Windows\rpcminer folder moved successfully.
C:\Windows\phoenix\kernels\poclbm folder moved successfully.
C:\Windows\phoenix\kernels\phatk folder moved successfully.
C:\Windows\phoenix\kernels folder moved successfully.
C:\Windows\phoenix folder moved successfully.
C:\Windows\update.5.0 folder moved successfully.
C:\Windows\update.2 folder moved successfully.
C:\Windows\update.7.1 folder moved successfully.
C:\Windows\av_ico folder moved successfully.
C:\Windows\update.1 folder moved successfully.
C:\Windows\update.tray-7-0-lnk folder moved successfully.
C:\Windows\update.tray-7-0 folder moved successfully.
C:\Windows\geoiplist.rar moved successfully.
C:\Windows\unrar.exe moved successfully.
C:\Windows\phoenix.rar moved successfully.
C:\Windows\rpcminer.rar moved successfully.
C:\Windows\ufa.rar moved successfully.
C:\Windows\l1rezerv.exe moved successfully.
C:\Windows\loader2.exe_ok moved successfully.
C:\Windows\sysdriver32_.exe moved successfully.
C:\Windows\sysdriver32.exe moved successfully.
C:\Windows\services32.exe moved successfully.
File C:\Windows\systemup.exe not found.
C:\setup_av_free.exe moved successfully.
File C:\Windows\phoenix.rar not found.
File C:\Windows\rpcminer.rar not found.
File C:\Windows\ufa.rar not found.
File C:\Windows\l1rezerv.exe not found.
C:\Windows\geoiplist moved successfully.
File C:\Windows\geoiplist.rar not found.
File C:\Windows\unrar.exe not found.
File C:\Windows\info1 not found.
File C:\Windows\loader2.exe_ok not found.
File C:\Windows\sysdriver32_.exe not found.
File C:\Windows\sysdriver32.exe not found.
C:\Windows\System32\Ikeext.etl moved successfully.
File C:\Windows\services32.exe not found.
File C:\Windows\update.1\svchost.exe not found.
File C:\Windows\update.tray-7-0\svchost.exe not found.
File C:\Windows\update.tray-7-0-lnk\svchost.exe not found.
File C:\Windows\update.5.0\svchost.exe not found.
File C:\Windows\update.2\svchost.exe not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\dj\Downloads\cmd.bat deleted successfully.
C:\Users\dj\Downloads\cmd.txt deleted successfully.
File\Folder C:\Windows\update.1 not found.
File\Folder C:\Windows\update.tray-7-0 not found.
File\Folder C:\Windows\update.tray-7-0-lnk not found.
File\Folder C:\Windows\update.5.0 not found.
File\Folder C:\Windows\update.2 not found.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: dj
->Temp folder emptied: 74724 bytes
->Temporary Internet Files folder emptied: 774678 bytes
->FireFox cache emptied: 35922218 bytes
->Flash cache emptied: 456 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 608 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 35.00 mb

[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: dj
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb

OTL by OldTimer - Version 3.2.26.5 log created on 08232011_174827

Files\Folders moved on Reboot…

Registry entries deleted on Reboot…

also the new OTL scan log is attached…

And in about 30 minutes the _OTL folder rar will be uploaded on MegaUpload; its size is 76.57MB.

Thank you for doing the upload ;D

After we fixed this, I was asked by a user to check if his Facebook account is available. When I logged in with his data, his account was blocked due to a virus known as "Koobface", and after a friend photo check I was asked to download and run McAfee Scan & Repair as part of the Facebook account restoration process.

also, the megaupload is complete, here is the link, so you can happily download what you asked for.
http://www.megaupload.com/?d=5MMUN1CL

thank you once again for your help, everything looks fine now.

Phoenix crew, Semeljci, Croatia.

OK just one legacy registry key to remove and a stray BHO

You will need to re-install Avast, maybe a repair would work. What are the current problems ?

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
SRV - File not found [Auto | Stopped] -- -- (ddservice)
O3 - HKLM\..\Toolbar: (no name) - {40f5f417-32bb-4296-9446-c1e0094e7d82} - No CLSID value found.

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Aside from the Facebook trouble, no other problems have been encountered, except known problems like Avast not working and not being able to stay in safe mode. System Restore didn't work either.

Your fix worked fine, as McAfee, which was recommended by Facebook, didn't find anything after the fix.

I just reinstalled Avast, and it warned me about OTL.exe, wanted me to run it sandboxed.
I ran it normally, so here is the newest log.

Could you check safe mode please to ensure that it works now as it should, also check system restore and windows updates ;D

All of the above checked: safe mode OK, System Restore OK, Windows Update failed with code C004F012, but I'm unable to tell if it worked before the infection. It's not my computer. The Windows installed is not legal and I don't know how it was activated.

Windows update was disabled once I checked.

The Windows installed is not legal and I don't know how it was activated.
That is the cause of the error

Thank you for your effort. If we detect another new infection I’ll be happy to discuss it with you.

Thank you wizard.