Cannot Delete or move virus file

Generally yes - sometimes you need to take a second run at it and tell the programme where it is

To use the programme is not hard… But, and this is the crippler, it will occasionally have false positives or the malware will subvert it; then is the time that you need to know how it works so that you can recover. As a case in point, about a year ago a malicious writer found a loophole and ended up wiping the system32 folder, which is why the recovery console is part of the programme now, so that a recovery can be made if anything similar should occur.

KillAll::

RegLockDel::
[HKEY_USERS\SYSTEM\ControlSet003\Services\gxvxcserv.sys]

Rootkit::
C:\windows\system32\drivers\gxvxcklxojeronkejkydnmleexqurbjpcxpih.sys

Here is one where I am taking a second run at it

I'd rather not go through system reformatting, it's troublesome since I have a lot of files I'd need to recover. But if worst comes to worst I'll do that. I'll try using ComboFix and RootRepeal first; I'll post later with results.

+---------------------------------------------------
| Trend Micro RootkitBuster
| Module version: 2.52.0.1013
+---------------------------------------------------

--== Dump Hidden MBR and Hidden File on C:\ ==--
No hidden files found.

--== Dump Hidden Registry Value on HKLM ==--
No hidden registry entries found.

--== Dump Hidden Process ==--
No hidden processes found.

--== Dump Hidden Driver ==--
No hidden drivers found.

I used RootRepeal; now I'll use avast and MBAM to delete the rest of the files. Thx for the help everyone, I'll post the other scans later. And also, any advice for the registry entries? I gotta delete them too.

Malwarebytes’ Anti-Malware 1.36
Database version: 2056
Windows 6.0.6001 Service Pack 1

4/28/2009 8:33:06 PM
mbam-log-2009-04-28 (20-33-06).txt

Scan type: Full Scan (C:\|)
Objects scanned: 280398
Time elapsed: 2 hour(s), 0 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\drivers\ovfsthyerrmnuubbifxtvstndlwcpqvqpiiamx.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\ovfsthqpkopcqluufuwakljwpvlcsqcnqcylnh.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\ovfsthrkemjqpausfyyiibauxjrgyniasdjmcb.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\ovfsthpnfhwfxvltyvtbbamudqxbfycbcgleqy.dat (Trojan.Agent) -> Quarantined and deleted successfully.

I think I got everything, but I'm just kinda worried there might still be some registry entries. Thx for all the advice everyone. So if you have the same problems, use RootRepeal or ComboFix, then use MBAM and the avast boot-up scan.

Looks like RootRepeal disabled the rootkit, then allowing MBAM to remove it. One other thing, it might have been an idea to disable system restore; however, if any of these infections reappear in SR (System Volume Information) they can do no harm, unless you restored the pc to that particular restore point.
Regarding registry entries, I would not worry. The entries like the two we found in HJT are there to kick-start the virus on boot. If, as in your case, you have removed the virus and the rootkit protecting it, there is nothing to kick-start. Also I think MBAM would have found any bad registry entries.
Regarding the nDler2.exe entries, that's probably something you may have removed in the past.

I have finally destroyed this virus/rootkit. What I did:
go to safe mode!!
used Avast boot-scan
used ComboFix (did find an empty folder IEtoolbar, but I don't think that one has anything to do with this)
used DrWeb latest scan (performed a full scan!! after its quick scan)
used MBAM (I still could download and update everything)
used Avira anti-rootkit
used Smitfraudfix (but it didn't find anything I guess)

DrWeb did remove the actual virus I guess; it was a file (not the exact name, since I didn't log it, I lost the exact name) named approximately a000056… (don't remember the extension, but in system restore it was detected by DrWeb as .bat)

After all this I repeated that list once again in safe mode after restart, except the Avast boot-scan.
As a last step I did the parts Avast boot-scan/MBAM/DrWeb/Avira anti-rootkit again, this time in Windows normal mode (although both normal and safe mode didn't find anything anymore, except for a false positive on ComboFix and Smitfraudfix, which I also removed on the first repeat).

I also had something no one mentioned before here: I could download and update unlike some other victims, but my computer couldn't make use of USB sticks anymore, neither did my card reader work anymore, nor any camera I attached; only one USB-connected storage device did work, a LaCie external hard drive. The fault that came up while trying to connect a USB stick, in the logbook, was LDMS (Logical Disk Management Service could not start). The virus must have done that, since it appeared after the first restart after the virus got on the computer.

Here is a part of the log, just after the virus got on the computer (I don't know, but it looks like it did try to download other viruses/malware?)
(found in warnings.log)

18/04/2009 1:22:13 1240010533 Gunther 1904 Sign of “Win32:Piptea [trj]” has been found in “C:\Documents and Settings\Gunther\Local Settings\Temporary Internet Files\Content.IE5\SI41YKJK\20090411074831[1].exe[UPX]” file.
18/04/2009 1:23:50 1240010630 Gunther 1904 Sign of “Win32:Piptea [trj]” has been found in “C:\WINDOWS\rvvv64624.exe[UPX]” file.
18/04/2009 1:28:06 1240010886 Gunther 2740 Sign of “Win32:Piptea [trj]” has been found in “C:\Documents and Settings\Gunther\Local Settings\Temporary Internet Files\Content.IE5\SI41YKJK\20090411074831[1].exe[UPX]” file.
18/04/2009 1:28:59 1240010939 Gunther 2740 Sign of “Win32:WalDrop [Drp]” has been found in “C:\Documents and Settings\Gunther\Local Settings\Temporary Internet Files\Content.IE5\SI41YKJK\20090417083429[1].exe” file.

The sites it blocked are:
(found in nshield.log)

18.04.2009 01:24:20 Network Shield: blocked access to malicious site hxviewworldmy1.com/download/1/20099/0 [ C:\WINDOWS\system32\svchost.exe ( 1224 ) ]
18.04.2009 01:39:05 Network Shield: blocked access to malicious site catch-you.ru/files/winsetup66.exe [ C:\WINDOWS\system32\svchost.exe ( 944 ) ]
18.04.2009 01:39:06 Network Shield: blocked access to malicious site catch-you.ru/files/ftp_non_crp.exe [ C:\WINDOWS\system32\svchost.exe ( 944 ) ]
18.04.2009 02:24:14 Network Shield: blocked access to malicious site catch-you.ru/files/winsetup66.exe [ PID 1756 ( 1756 ) ]
21.04.2009 14:55:45 Network Shield: blocked access to malicious site easyfriskdisease.cn/?wm=70000 [ C:\WINDOWS\system32\svchost.exe ( 1152 ) ]
24.04.2009 10:00:03 Network Shield: blocked access to malicious site f1.catch-you.ru/winglsetup.exe [ C:\WINDOWS\system32\svchost.exe ( 944 ) ]
24.04.2009 10:00:48 Network Shield: blocked access to malicious site f1.catch-you.ru/ftp_non_crp.exe [ C:\WINDOWS\system32\svchost.exe ( 944 ) ]
25.04.2009 12:50:01 Network Shield: blocked access to malicious site directitfast.com/seneka/engine/engine.php?d=NjoiCDE9Z2lta2xnVVZaW1FIV1VZXV5fXF5dVl1AQUNHQ0JETklCVkROR0qys7OysaPn4e7g7ra/vb27paa04OH3//OloKu9/uj388Scy8DSlJWXnJmTm52LwdyNhJyClIeAh4iZ6euPk46ZrKCspPmrquqqrOypvqK5vLWj77qxraa7t6u/9bmlu/mOgI+G2Y2Jio3Emog= [ C:\WINDOWS\system32\svchost.exe ( 968 ) ]
28.04.2009 00:09:30 Network Shield: blocked access to malicious site 82.98.193.102 [ C:\Program Files\Internet Explorer\iexplore.exe ( 5536 ) ]

Hope this might help some of you or the programmers.
Regards
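As an added example (not code from the thread or from avast!), here is a small Python parser for Network Shield entries in the shape quoted above. It runs over constructed sample lines with placeholder hosts and pulls out the originating process image and PID, so a responder can see which process was making the outbound requests and which of the blocked URLs were executable downloads, the behaviour the poster suspected (a downloader fetching further components).

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in the same shape as the avast! Network Shield
# entries quoted above; hosts are placeholders, not the ones from the thread.
SAMPLE_LOG = """\
18.04.2009 01:24:20 Network Shield: blocked access to malicious site host-a.invalid/download/1/0 [ C:\\WINDOWS\\system32\\svchost.exe ( 1224 ) ]
18.04.2009 01:39:05 Network Shield: blocked access to malicious site host-b.invalid/files/setup.exe [ C:\\WINDOWS\\system32\\svchost.exe ( 944 ) ]
18.04.2009 02:24:14 Network Shield: blocked access to malicious site host-b.invalid/files/setup.exe [ PID 1756 ( 1756 ) ]
28.04.2009 00:09:30 Network Shield: blocked access to malicious site 192.0.2.10 [ C:\\Program Files\\Internet Explorer\\iexplore.exe ( 5536 ) ]
some unrelated line that the parser must skip
"""

# Date, time, URL (no spaces), then "[ <image or 'PID n'> ( <pid> ) ]".
LINE_RE = re.compile(
    r"^(?P<date>\d{2}\.\d{2}\.\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"Network Shield: blocked access to malicious site (?P<url>\S+) "
    r"\[ (?P<proc>.+?) \( (?P<pid>\d+) \) \]$"
)


def parse_line(line):
    """Return a dict for one blocked-site entry, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host, _, path = m.group("url").partition("/")
    return {
        "when": datetime.strptime(f"{m.group('date')} {m.group('time')}", "%d.%m.%Y %H:%M:%S"),
        "host": host,
        "path": "/" + path if path else "/",
        "process": m.group("proc"),   # image path, or "PID n" when avast! had no image name
        "pid": int(m.group("pid")),
    }


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(entries):
    """Blocked requests per process image and per host, plus every .exe fetch
    (the downloader behaviour the thread describes) with the process that tried it."""
    by_process = Counter(e["process"] for e in entries)
    by_host = Counter(e["host"] for e in entries)
    exe_fetches = [(e["host"] + e["path"], e["process"])
                   for e in entries if e["path"].lower().endswith(".exe")]
    return by_process, by_host, exe_fetches
```

Repeated .exe fetches of the same URL from svchost.exe across restarts are worth noting in the timeline: they show the infection was still active and retrying, which is why the poster's repeat scans in both safe and normal mode were a sensible check.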