Cannot Delete or move virus file

O9 - Extra ‘Tools’ menuitem: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: (no name) - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (no file)
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O13 - Gopher Prefix:
O15 - Trusted Zone: *.download.com
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{48564BD0-D71E-4DD5-A3D2-6E00E033CC1D}: NameServer = 207.69.188.185,207.69.188.186
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Application Driver Auto Removal Service (01) (appdrvrem01) - Protection Technology - C:\Windows\System32\appdrvrem01.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c98653b8fc5c84) (gupdate1c98653b8fc5c84) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes’ Anti-Malware\mbamservice.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009.SP2\RpcAgentSrv.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


End of file - 10135 bytes

Can’t find the file with ‘view hidden files’ enabled.

There are two entries that I can find no info on; they are

O4 - HKUS\.DEFAULT\..\Run: [nDler2] \\?\globalroot\systemroot\system32\nDler2.exe (User ‘Default user’)

O4 - HKUS\S-1-5-18\..\Run: [nDler2] \\?\globalroot\systemroot\system32\nDler2.exe (User ‘?’)

When googled, globalroot\systemroot\system32\nDler2.exe turns up little; what I have found is bad reading.

http://www.bleepingcomputer.com/forums/lofiversion/index.php/t216207.html

Scan again with HJT; this time choose ‘scan only’, put ticks in the boxes next to those 2 entries and choose ‘fix selected’.

Run another boot scan and a scan with MBAM; keep the PC off the internet.

Then post another HJT log.

The file you were looking for, ‘ovfsthvcdcqqejrrwospshraopripidcwiqpau.dll’: are you sure it’s not in C:\Windows\System32\drivers?
I have been doing some digging, and I think you may have a rootkit protecting this very nasty infection. I’m afraid this is a little out of my league.
What I can suggest is using the Avira rescue CD. I have posted a link with instructions. This disc will find and disable rootkits and nasties.
Hopefully someone here may instruct you to use Combofix; I am not familiar enough with the program.
You will need to use a clean PC to download the rescue disc. Anything bad it finds, you will be given the option to change the extension, e.g. virus.exe to virus.xxx, thus disabling the threat.
If you use the disc, please report back the results.

Tutorial ( which includes download link )

http://forum.avira.com/wbb/index.php?page=Thread&postID=730130#post730130

You can use this small utility to delete locked files:
http://www.snapfiles.com/get/removereboot.html

Just download and install it, right click on any file that you want to delete and choose “Delete on Reboot”, then restart your computer.

Sometimes only by using Unlocker (http://ccollomb.free.fr/unlocker/), KillBox (http://killbox.net/), MoveOnBoot (http://www.snapfiles.com/get/moveonboot.html) or Delete FXP (http://www.jrtwine.com/) can you delete files that, for any reason, have a bad ‘signature’ in the Master File Table (MFT).

I am pretty sure the file doesn’t exist in the folders avast specified; the funny thing is avast is the only one that seems to mention it, since I have MBAM also. I’ll do as you suggested and fix the selected files and do another boot scan with avast, then MBAM. I’ll report back later with results.

I scanned with the avast boot-up scan, and it came up with two files. This time I didn’t delete as before; instead I sent them to the virus chest:
[Chest] C:\Windows\System32\ovfsthvcdcqqejrrwospshraopripidcwiqpau.dll
[Chest] C:\Windows\System32\ovfsthqpkopcqluufuwakljwpvlcsqcnqcylnh.dll

should i delete it now?

No hurry to delete files in the chest. It’s a protected area; they cannot get out unless released by the user.

What’s a concern is that these files seem to be recreating themselves. For one of them the name doesn’t change; the other (the second in the chest) has a new file name, “ovfsthqpkopcqluufuwakljwpvlcsqcnqcylnh.dll”.

What this says is that there are other malware files/reg settings (and as micky77 says, possibly rootkit-related) that are causing the trojan to be rebuilt.
This is a bit out of my league, too, at least in terms of knowing how and where to look for these.

I’d try Superantispyware http://www.superantispyware.com/download.html which is another very good scanner, free in the non-resident version. Slightly larger download than MBAM. Has constantly developed new-tech features and claims to remove (some) rootkits.

I’d also be inclined to hit it with some rootkit scanners. TrendMicro make one, and so do Avira, I think; there is a good resource for locating these here: http://andymanchesta.com/. Scan it with one or two rootkit apps. Of those listed at the site, Gmer, TM RootkitBuster and the one made by Safer Networking (Spybot) are probably the easiest to use. Check before removing anything, though, as sometimes FPs occur. (I’ve had these with RootkitRevealer. It’s an involved science, a bit complex; known FPs are posted on RR’s forum. Just an example.)

You are right, it is a rootkit. I restarted my PC and the avast warning popped up again. I’ll try out the Trend Micro RootkitBuster.

At least I know what the file is called now. I can’t remove this file, C:\Windows\System32\drivers\ovfsthyerrmnuubbifxtvstndlwcpqvqpiiamx.sys, no matter what. I think this is the rootkit; I tried Trend Micro but it doesn’t work. Any ideas?

+---------------------------------------------------
| Trend Micro RootkitBuster
| Module version: 2.52.0.1013
+---------------------------------------------------

--== Dump Hidden MBR and Hidden File on C:\ ==--
[HIDDEN_FILE]:
FullPath : C:\Windows\System32\drivers\ovfsthyerrmnuubbifxtvstndlwcpqvqpiiamx.sys
FullPathLength: 70
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x20
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\Windows\System32\ovfsthpnfhwfxvltyvtbbamudqxbfycbcgleqy.dat
FullPathLength: 62
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x20
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\Windows\System32\ovfsthqpkopcqluufuwakljwpvlcsqcnqcylnh.dll
FullPathLength: 62
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x20
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\Windows\System32\ovfsthrkemjqpausfyyiibauxjrgyniasdjmcb.dll
FullPathLength: 62
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x20
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\Windows\System32\ovfsthvcdcqqejrrwospshraopripidcwiqpau.dll
FullPathLength: 62
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x80
ShareAccess : 0x0
Type : 0x0
5 hidden files found.

--== Dump Hidden Registry Value on HKLM ==--
No hidden registry entries found.

--== Dump Hidden Process ==--
No hidden processes found.

--== Dump Hidden Driver ==--
No hidden drivers found.

Try rebooting to safe mode and removing the file manually. There was a list of tools a few posts back, including “Unlocker”. Try one of those if removing it in “safe” doesn’t work.
I would also move the other similarly named files to another folder; maybe create one and call it “suspicious”.
Once that is done, the chances are good it is nailed.

Also try SAS. (Superantispyware.) Various posts and reports tend to indicate that if there is malware around that MBAM can’t remove, sometimes SAS will, and vice versa. They are both real good, and if one doesn’t work, the other one is worth a try.

If still no luck, try another of the antirootkits.
Good luck, hope this helps.

Try the rescue disc I mentioned; this will scan your PC without booting into Windows. The rootkit will be dormant. You are wasting your time trying to remove this manually. What you have is nDler2.exe and a rootkit; it’s very nasty.

You could try RootRepeal, and post a log.
http://www.malwarebytes.org/forums/index.php?showtopic=12709

As you can see from the examples in the link, ovfsthxkwpjtxfk.sys is the rootkit, similar to your file ovfsthvcdcqqejrrwospshraopripidcwiqpau. Usually it’s just the first part that matches; the rest are random letters. All the rootkits begin with one of:
TDSS
Seneka
GAOPDX
UAC
ovfst

I am pretty sure RootRepeal will identify your file as a .sys file in system32\drivers. If you do use this program, please post a log before deleting anything.
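The two triage rules used in this thread (an autostart entry launched through the `\\?\globalroot` device path, as in the nDler2 O4 lines, and hidden files or service keys whose names start with a known family prefix, with the `.sys` under system32\drivers being the driver to wipe) can be applied mechanically to a pasted log. The script below is an added example, not code from the thread or from any of the tools named in it; the prefix list, the verdict labels and the sample lines are my own assumptions, constructed in the Avira AntiRootkit and HijackThis formats seen above.

```python
import re

# Rootkit-family name prefixes listed in the thread (assumed complete here);
# the rest of each file or service name is random letters.
ROOTKIT_PREFIXES = ("tdss", "seneka", "gaopdx", "uac", "ovfst")
# Win32 device-namespace prefix the nDler2 autostart entries launch through.
GLOBALROOT_PREFIXES = ("\\\\?\\globalroot\\", "\\?\\globalroot\\")

# "Hidden file : <path>", "Hidden key : <key>", "Hidden value : <key> → <name>"
HIDDEN_RE = re.compile(r"^Hidden (file|key|value)\s*:\s*(.+)$", re.IGNORECASE)
# "O4 - <hive>\..\Run: [<name>] <command> (User '...')"
O4_RE = re.compile(r"^O4 - [^:]+: \[(?P<name>[^\]]+)\] (?P<cmd>.+?)(?: \(User .*\))?$")


def has_rootkit_prefix(name):
    return name.lower().startswith(ROOTKIT_PREFIXES)


def classify_hidden(line):
    """Verdict for one hidden-object line, or None if the line is not one.
    rootkit-driver: the .sys under system32/drivers the thread says to wipe;
    rootkit-component: DLL/DAT files with the same prefix;
    rootkit-service: the hidden service key that loads the driver;
    other: no family prefix (DRM such as SecuROM also hides registry values,
    so not every hidden object belongs to the rootkit).
    """
    m = HIDDEN_RE.match(line.strip())
    if not m:
        return None
    kind, target = m.group(1).lower(), m.group(2).strip().lower()
    if kind == "value":  # drop the "→ valuename" tail; accept "->" too
        target = re.split(r"\s*(?:→|->)\s*", target, maxsplit=1)[0]
    if kind == "file":
        if not has_rootkit_prefix(target.rsplit("\\", 1)[-1]):
            return "other"
        if target.endswith(".sys") and "\\drivers\\" in target:
            return "rootkit-driver"
        return "rootkit-component"
    svc = re.search(r"\\services\\([^\\]+)", target)
    return "rootkit-service" if svc and has_rootkit_prefix(svc.group(1)) else "other"


def classify_o4(line):
    """Flag O4 autostart entries whose command runs via the globalroot path."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    if m.group("cmd").lower().startswith(GLOBALROOT_PREFIXES):
        return "suspicious-autorun"
    return "autorun"


def triage(report):
    """Group every recognised line of a pasted report by verdict."""
    out = {}
    for line in report.splitlines():
        verdict = classify_hidden(line) or classify_o4(line)
        if verdict:
            out.setdefault(verdict, []).append(line.strip())
    return out


# Constructed sample mixing antirootkit and HJT lines in the thread's format.
SAMPLE = r"""
Hidden file : c:\windows\system32\ovfsthpnfhwfxvltyvtbbamudqxbfycbcgleqy.dat
Hidden file : c:\windows\system32\drivers\ovfsthyerrmnuubbifxtvstndlwcpqvqpiiamx.sys
Hidden value : HKEY_USERS\S-1-5-21-1000\Software\SecuROM\License information → rkeysecu
Hidden key : HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ovfsthxxqpxwmwtbbbiimrqrvooxdvodeixvcn\main
O4 - HKUS\S-1-5-18\..\Run: [nDler2] \\?\globalroot\systemroot\system32\nDler2.exe (User '?')
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""

if __name__ == "__main__":
    for verdict, lines in sorted(triage(SAMPLE).items()):
        print(verdict, *lines, sep="\n    ")
```

The verdicts only narrow down what to look at; as the thread says, confirm an entry before wiping it, since hidden objects also come from legitimate software.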

Other rescue CDs…
Read the instructions, download and burn (maybe from another computer), and finally use one of these rescue CDs:

  1. Avira
  2. Kaspersky
  3. BitDefender
  4. F-Secure
  5. Dr. Web

Configuration:

  • Scan files
  • Scan registry
  • Scan processes
  • Fast scan
  • Working disk total size : 465.76 GB
  • Working disk free size : 50.56 GB (10 %)

Results:
Hidden file : c:\windows\system32\ovfsthpnfhwfxvltyvtbbamudqxbfycbcgleqy.dat
Hidden file : c:\windows\system32\ovfsthqpkopcqluufuwakljwpvlcsqcnqcylnh.dll
Hidden file : c:\windows\system32\ovfsthrkemjqpausfyyiibauxjrgyniasdjmcb.dll
Hidden file : c:\windows\system32\ovfsthvcdcqqejrrwospshraopripidcwiqpau.dll
Hidden file : c:\windows\system32\drivers\ovfsthyerrmnuubbifxtvstndlwcpqvqpiiamx.sys
Hidden value : HKEY_USERS\S-1-5-21-2149623557-4127203915-1145061720-1000\Software\SecuROM\License information → datasecu
Hidden value : HKEY_USERS\S-1-5-21-2149623557-4127203915-1145061720-1000\Software\SecuROM\License information → rkeysecu
Hidden key : HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ovfsthxxqpxwmwtbbbiimrqrvooxdvodeixvcn\main
Hidden key : HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ovfsthxxqpxwmwtbbbiimrqrvooxdvodeixvcn\modules
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ovfsthxxqpxwmwtbbbiimrqrvooxdvodeixvcn → start
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ovfsthxxqpxwmwtbbbiimrqrvooxdvodeixvcn → type
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ovfsthxxqpxwmwtbbbiimrqrvooxdvodeixvcn → group
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ovfsthxxqpxwmwtbbbiimrqrvooxdvodeixvcn → imagepath
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ovfsthxxqpxwmwtbbbiimrqrvooxdvodeixvcn → inst
Hidden key : HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ovfsthxxqpxwmwtbbbiimrqrvooxdvodeixvcn\main
Hidden key : HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ovfsthxxqpxwmwtbbbiimrqrvooxdvodeixvcn\modules
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ovfsthxxqpxwmwtbbbiimrqrvooxdvodeixvcn → start
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ovfsthxxqpxwmwtbbbiimrqrvooxdvodeixvcn → type
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ovfsthxxqpxwmwtbbbiimrqrvooxdvodeixvcn → group
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ovfsthxxqpxwmwtbbbiimrqrvooxdvodeixvcn → imagepath
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ovfsthxxqpxwmwtbbbiimrqrvooxdvodeixvcn → inst
Hidden key : HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ovfsthxxqpxwmwtbbbiimrqrvooxdvodeixvcn\main
Hidden key : HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ovfsthxxqpxwmwtbbbiimrqrvooxdvodeixvcn\modules
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ovfsthxxqpxwmwtbbbiimrqrvooxdvodeixvcn → start
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ovfsthxxqpxwmwtbbbiimrqrvooxdvodeixvcn → type
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ovfsthxxqpxwmwtbbbiimrqrvooxdvodeixvcn → group
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ovfsthxxqpxwmwtbbbiimrqrvooxdvodeixvcn → imagepath
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ovfsthxxqpxwmwtbbbiimrqrvooxdvodeixvcn → inst
Hidden key : HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ovfsthxxqpxwmwtbbbiimrqrvooxdvodeixvcn\main
Hidden key : HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ovfsthxxqpxwmwtbbbiimrqrvooxdvodeixvcn\modules
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ovfsthxxqpxwmwtbbbiimrqrvooxdvodeixvcn → start
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ovfsthxxqpxwmwtbbbiimrqrvooxdvodeixvcn → type
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ovfsthxxqpxwmwtbbbiimrqrvooxdvodeixvcn → group
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ovfsthxxqpxwmwtbbbiimrqrvooxdvodeixvcn → imagepath
Hidden key : HKEY_LOCAL_MACHINE\System\ControlSet005\Services\ovfsthxxqpxwmwtbbbiimrqrvooxdvodeixvcn\main
Hidden key : HKEY_LOCAL_MACHINE\System\ControlSet005\Services\ovfsthxxqpxwmwtbbbiimrqrvooxdvodeixvcn\modules
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet005\Services\ovfsthxxqpxwmwtbbbiimrqrvooxdvodeixvcn → start
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet005\Services\ovfsthxxqpxwmwtbbbiimrqrvooxdvodeixvcn → type
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet005\Services\ovfsthxxqpxwmwtbbbiimrqrvooxdvodeixvcn → group
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet005\Services\ovfsthxxqpxwmwtbbbiimrqrvooxdvodeixvcn → imagepath
Hidden value : HKEY_LOCAL_MACHINE\System\ControlSet005\Services\ovfsthxxqpxwmwtbbbiimrqrvooxdvodeixvcn → inst


Files: 5/257981
Registry items: 36/571487
Processes: 0/61
Scan time: 00:16:59

Active processes:

  • xvazgdky.exe (PID 172) (Avira AntiRootkit Tool - Beta)
  • firefox.exe (PID 3944)
  • taskeng.exe (PID 1552)
  • SearchFilterHost.exe (PID 2636)
  • System (PID 4)
  • smss.exe (PID 468)
  • csrss.exe (PID 604)
  • wininit.exe (PID 656)
  • csrss.exe (PID 672)
  • services.exe (PID 704)
  • lsass.exe (PID 720)
  • lsm.exe (PID 728)
  • winlogon.exe (PID 808)
  • svchost.exe (PID 916)
  • nvvsvc.exe (PID 980)
  • svchost.exe (PID 1008)
  • svchost.exe (PID 1044)
  • svchost.exe (PID 1168)
  • svchost.exe (PID 1208)
  • LVPrcSrv.exe (PID 1244)
  • svchost.exe (PID 1272)
  • audiodg.exe (PID 1312)
  • svchost.exe (PID 1340)
  • SLsvc.exe (PID 1444)
  • svchost.exe (PID 1484)
  • rundll32.exe (PID 1544)
  • svchost.exe (PID 1640)
  • aswUpdSv.exe (PID 1720)
  • ashServ.exe (PID 1744)
  • WUDFHost.exe (PID 1920)
  • dwm.exe (PID 216)
  • explorer.exe (PID 564)
  • spoolsv.exe (PID 832)
  • taskeng.exe (PID 928)
  • svchost.exe (PID 1304)
  • taskeng.exe (PID 1836)
  • GoogleUpdate.exe (PID 2056)
  • RtHDVCpl.exe (PID 2380)
  • GrooveMonitor.exe (PID 2388)
  • ashDisp.exe (PID 2396)
  • rundll32.exe (PID 2468)
  • realsched.exe (PID 2476)
  • iTunesHelper.exe (PID 2508)
  • mbamgui.exe (PID 2532)
  • CurseClient.exe (PID 2592)
  • wmpnscfg.exe (PID 2616)
  • AppleMobileDeviceService.exe (PID 3072)
  • mDNSResponder.exe (PID 3104)
  • mbamservice.exe (PID 3340)
  • svchost.exe (PID 3368)
  • svchost.exe (PID 1956)
  • ViewpointService.exe (PID 2872)
  • svchost.exe (PID 2828)
  • SearchIndexer.exe (PID 3488)
  • ashMaiSv.exe (PID 3704)
  • ashWebSv.exe (PID 4016)
  • wmpnetwk.exe (PID 2796)
  • iPodService.exe (PID 3056)
  • SearchProtocolHost.exe (PID 1348)
  • mobsync.exe (PID 3912)
  • avirarkd.exe (PID 3720)
    ========================================================================================================
  • Scan finished Monday, April 27, 2009 - 16:33:29 PM
    ========================================================================================================

I cannot believe it; I’m just going to bed (early start). Your rootkit is the 5th entry, the only one that is in drivers, the only one that ends in sys:

Hidden file : c:\windows\system32\drivers\ovfsthyerrmnuubbifxtvstndlwcpqvqpiiamx.sys

There are other files beginning with ovfsth.
Remember, if you run another scan, the one you want is in drivers only and ends in sys only.

The instructions are, quote " Once you have identified the CLB driver then use your mouse to highlight it in the Rootrepeal window.
Next right mouse click on it and select wipe file option only then immediately reboot the computer."

I would then post a HJT log, to see if the two entries

O4 - HKUS\.DEFAULT\..\Run: [nDler2] \\?\globalroot\systemroot\system32\nDler2.exe (User ‘Default user’)

O4 - HKUS\S-1-5-18\..\Run: [nDler2] \\?\globalroot\systemroot\system32\nDler2.exe (User ‘?’)

are still there; if they are, tick them and choose fix selected.
Then run the boot-time scan. Don’t be surprised if Avast finds ovfsthyerrmnuubbifxtvstndlwcpqvqpiiamx; I do not know if RootRepeal deletes or disables the rootkit. If it’s found, it should be able to delete it for good.

One word of warning: I take no responsibility for RootRepeal, it is a beta program, and I’m no expert (the guy in the link is).

I personally would have used the rescue disc; at least that is reversible.

However, I think your system is so compromised you have little to lose (I would have wiped it clean).
The removal of the rootkit should hopefully show what virus it’s been hiding.

Best of luck

Combofix targets this rootkit and does a fairly good job of killing it

One I have just completed

((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) .

c:\recycler\S-6-9-86-100027177-100018623-100002105-8530.com
c:\windows\k.txt
c:\windows\system32\c.ico
c:\windows\system32\drivers\gxvxcbwwoppfmdliqpxtewbmiqxhysvlmdnxr.sys
c:\windows\system32\drivers\gxvxccbqjnsrprumlxwqltewfldbqlhxjnhym.sys
c:\windows\system32\drivers\gxvxcosvppxeutfumlxriuldlvndthawxdqlt.sys
c:\windows\system32\drivers\gxvxcsnamuricbauhwxfhhsawvxkcxeddefek.sys
c:\windows\system32\gxvxccounter
c:\windows\system32\gxvxcfojthodljkbuqxtdilwjxkymlsuwasrh.dll
c:\windows\system32\m.ico
c:\windows\system32\s.ico
d:\recycler\S-2-0-21-100021065-100018984-100014993-7277.com
d:\recycler\S-2-2-57-100029120-100003844-100032272-2131.com
d:\recycler\S-3-5-86-100007466-100029778-100025507-3378.com
d:\recycler\S-4-2-86-100003510-100007707-100018194-4341.com
d:\recycler\S-6-9-50-100005614-100018597-100006917-3919.com
d:\recycler\S-6-9-86-100027177-100018623-100002105-8530.com
d:\recycler\S-7-1-86-100032498-100026464-100031041-2877.com

I have the same problem as the thread-starter. I have a Combofix log file; it deleted folder ietoolbar, but that was empty and cleaned from another time, it’s not this one. I think disabling avast for a second (needed for Combofix) also did something else bad; this thing must have done something, because every stroke is slow, if I type fast it sometimes misses a letter, and it’s not the normal way my computer behaves (a keylogger or whatever might do this). I also have the ovf[xxxxx].dll and ovf[xxxxx].sys, detected by Avira AntiRootkit and deleted, also with some entries, but no help; avast deletes those ovf[xxxxx].dll files with the start-up scan, but they always come back. In Windows I never had avast saying to have detected the virus, only in the start-up scan; it only displays every few minutes a message that it has blocked something (that something varied the first days (5 days ago) from something with ‘catch-you.ru/[xxxxx]’ to something like ‘direktitfast.com/engine/engne.php[xxxx lots alphabet]’ the last 2 days).
I checked by hand all of the services/drivers and some registry entries at certain points where other Alureons have ‘crap’, but couldn’t find anything.
I can also say that I think it started with my wife running some exe file from a USB stick, despite scanning with avast, that dated from 21/Apr, and the AV database says it detects Alureon-V since 23/Apr.

If I may post the Combofix message here, let me know; I don’t know if only the thread-starter is allowed or everyone infected. (I can post it tomorrow earliest.)

VIRUS REMOVED!

Hey guys! These posts have been just awesome! I have been reading and trying things and working along with you guys. I spent about 6 hours yesterday trying to get rid of this virus with no luck. Tried several other boards, and lots of people around the world have the same problem. Although this virus has really annoyed the s*** out of me, I was impressed with it. It was sneaky, smart and always one step ahead. It even disabled the system restore ‘next’ button. I am grateful the creator of the virus did not decide to do more malicious things to the computer; it looked mainly like an advertising bot, forwarding links to other sites (especially when you are googling how to remove it).

Well, today I woke up and AVG FREE finally got their act together and identified the virus as… Trojan horse Rootkit-Pakes.A, moved it to the virus vault and successfully disabled it. The AVG update came in just several hours ago from the time of this post. I have lots of tech friends that use Avast and love it, so I am not trying to detract from this great product. Just it might be worth trying AVG FREE to get rid of this nasty virus. It’s removed, I’m free to surf any sites I want, Malwarebytes is no longer blocked (had to change the file name to use it) and none of the scanners can detect anything any more (Dr. Web, Panda, etc.). Dodged a bullet!! Because this virus is so new there are a lot of confused people, but this board was the most on track at accurately detecting and identifying it, so thanks guys!! I will keep scanning in intervals for the next 24 hours just in case this virus is smarter than we think.

I’m just going to put some keyword stuff below here for other poor souls that are having the same problem.

Names: Trojan horse Rootkit-Pakes.A, trojan.dnschanger, trojan.agent, BackDoor.Tdss.115, Trj/Downloader.VTK, Trojan-Downloader.Win32.Agent.brpo
(yes those are all the different names, various programs I tried identified it as!)

Symptoms: system restore next button not working, spybot not loading, malwarebytes not loading, anti-malware not loading, virus keeps coming back, gxvx .dll, AVG update issues, AVG not updating, windows defender crashing, windows defender not updating.

Cheers!

That’s excellent Essexboy; does it do it automatically on the first run (so to speak)? I have read the tutorial for Combofix; it looks like a daunting program to use without some training.