Help me pls...trojan horse in system volume information

trojan horses keeps appearing in my system volume information folder and when i deleted it with avast it is gone untill i resart my computer and there it is again even when i disable system restore and reboot …there wasnt any then i enabled system restore after that there was no virus till i restart my computer…everytime i delete the virus…it would just apppear back after i resart my computer.
It is affecting my IE explorer when i use any search engine it would direct me to other websites instead of what i searched for…
heres the info of the viruses
File name: F:\System Volume Information_restore{7ED2B8CA-68DA-42DF-ACF9-F5208D0B3C1D}\RP2\A0000158.exe
Malware name:Win32:Agent-AVO [Trj]
Type: trojan horse
Theres another similar one named
Win32:Small-BHP [Trj]
all in my system volume information…i have moved them to the virus chest and waiting for advice.
I deleted them many times over again they stil comes back>
Thanks…please help me

Hi helpmenow4311,

You need to delete System Restore information.

http://www.pchell.com/virus/systemrestore.shtml

i have already disabled system restore…hmm i just dled ewido anti-spyware and i scanned and found this:
Downloader.Agent.uj
whats this… and i have a error deleting/cleaning/qurantine it…what to do?

Have you tried a boot time scan with avast! Open the avast! scanner and right click anywhere on the screen, and select the boot time option from the menu. Make sure you have a keyboard with a cable plugged in- cordless keyboards don’t work during a boot time scan. Move any malware found to the chest.

After that, scan with Ewido (if your OS supports it), Ad-Aware, Spybot Search & Destroy and a-Squared. Download install and update all these before you scan with avast and scan in safe mode if possible while off line after doing the boot time scan.

How to Start Windows in Safe Mode:

http://www.pchell.com/support/safemode.shtml

It is often worth repeating the procedure as these programs often find more malware the second time around.

Ignore any files in system restore while scanning, and when you have finished scanning, follow the procedure for deleing system restore files.

If you still have problems, please post a HijackThis! log.

http://www.bleepingcomputer.com/tutorials/tutorial42.html

Is your OS up to date and do you have a firewall operating? If not, you will get reinfected easily.

Here’s some links:

Ewido http://www.ewido.net/en/

a-Squared http://www.emsisoft.com/en/

Ad-Aware http://www.majorgeeks.com/download506.html

Spybot Search & Destroy http://www.safer-networking.org/

Good luck!

oww…my key board is cordless…and i have only windows firewall

Logfile of HijackThis v1.99.1
Scan saved at 9:54:56 PM, on 9/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\brsvc01a.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\brss01a.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
F:\Program Files\Brother\ControlCenter2\brctrcen.exe
F:\Program Files\Creative\Shared Files\CAMTRAY.EXE
F:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\Program Files\ewido anti-spyware 4.0\ewido.exe
F:\Program Files\MSN Messenger\MsnMsgr.Exe
F:\Program Files\Hamachi\hamachi.exe
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\Program Files\Alwil Software\Avast4\ashServ.exe
F:\WINDOWS\system32\Brmfrmps.exe
F:\WINDOWS\system32\CTsvcCDA.EXE
F:\Program Files\ewido anti-spyware 4.0\guard.exe
F:\WINDOWS\system32\slserv.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\wdfmgr.exe
F:\WINDOWS\system32\MsPMSPSv.exe
F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
F:\WINDOWS\System32\alg.exe
F:\Program Files\DAP\DAP.EXE
F:\Documents and Settings\john khoo\My Documents\My Completed Downloads\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM..\Run: [SSBkgdUpdate] “F:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe” -Embedding -boot
O4 - HKLM..\Run: [PaperPort PTD] F:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM..\Run: [IndexSearch] F:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM..\Run: [SetDefPrt] F:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM..\Run: [ControlCenter2.0] F:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM..\Run: [Creative WebCam Tray] F:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM..\Run: [WheelMouse] F:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM..\Run: [IWinHelp] C:\Program Files\NAV32watcher.exe
O4 - HKLM..\Run: [DownloadAccelerator] “F:\Program Files\DAP\DAP.EXE” /STARTUP
O4 - HKLM..\Run: [!ewido] “F:\Program Files\ewido anti-spyware 4.0\ewido.exe” /minimized
O4 - HKCU..\Run: [MsnMsgr] “F:\Program Files\MSN Messenger\MsnMsgr.Exe” /background
O4 - HKCU..\Run: [WindowsHiderPro] F:\Program Files\WHidePro\whpro.exe
O4 - HKCU..\Run: [BitTorrent] “F:\Program Files\BitTorrent\bittorrent.exe” --force_start_minimized
O4 - Global Startup: hamachi.lnk = F:\Program Files\Hamachi\hamachi.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Status Monitor.lnk = F:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: &Clean Traces - F:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - F:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - F:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download All by FlashGet - F:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - F:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra ‘Tools’ menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip..{11015C35-883A-4F31-A349-DF4D79FC19D0}: NameServer = 85.255.115.2
O17 - HKLM\System\CCS\Services\Tcpip..{9EA15D2D-66EB-4B5D-9130-0780A9814DE7}: NameServer = 85.255.115.2
O17 - HKLM\System\CCS\Services\Tcpip..{E61524CF-D2D7-48FA-AC1D-C3736FAECA2C}: NameServer = 85.255.115.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.2 85.255.112.7
O17 - HKLM\System\CS1\Services\Tcpip..{11015C35-883A-4F31-A349-DF4D79FC19D0}: NameServer = 85.255.115.2
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.2 85.255.112.7
O17 - HKLM\System\CS2\Services\Tcpip..{11015C35-883A-4F31-A349-DF4D79FC19D0}: NameServer = 85.255.115.2
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.2 85.255.112.7
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - “F:\PROGRA~1\MSNMES~1\msgrapp.dll” (file missing)
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - F:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - F:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - F:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - F:\WINDOWS\SYSTEM32\slserv.exe

This entry seems very suspicious to me because I can’t find anything on Google about it:

C:\Program Files\NAV32watcher.exe

You could try submitting this file to virustotal for analysis:

http://www.virustotal.com/en/indexf.html

You may need to enable hidden files to be shown:

http://www.bleepingcomputer.com/tutorials/tutorial62.html

The easiest way do do a boot time scan is to plug in a corded keyboard before the scan. Do you have one lying around or can you borrow one? During the scan, select the option to send malware to the chest.

I would also recommend an online scan with Trend Micro Housecall and Panda. Disable avast! during these scans or you will get a false alarm.

http://housecall.trendmicro.com/

http://www.pandasoftware.com/products/activescan/com/activescan_principal.htm

A firewall would also be a good idea. Zone Alarm Free is probably the easiest, and it will allow you to keep a check on anything trying to connect out from your computer.

http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp

If you do take up Frank’s suggestion to use panda’s on-line scanner, be aware that you are likely to have virus warnings from avast as Panda doesn’t encrypt its virus signature files so avast can see then in the ActiveScan folder.

Another thing I don’t like about Panda is the fact it places this junk into your system folders, there are many other on-line scanners that don’t do this and encrypt their virus signature files, so that you don’t need to try Panda. On-line Virus Scanners and other useful Links Security-Ops.eu.tt

If you do take up Frank's suggestion to use panda's on-line scanner, be aware that you are likely to have virus warnings from avast as Panda doesn't encrypt its virus signature files so avast can see then in the ActiveScan folder.

That’s why I recomended disabling avast! :wink:

Panda does seem to be recommended by a lot of anti-malware forums, perhaps because of success at removal rather than detection. That accolade goes to the Kaspersky scanner, which of course will let you know if you have malware but won’t remove it.

BitDefender, F-Secure and CA also have scanners which remove malware, and Symantec and McAfee onew which don’t.

Links to all and discussion of the signatures problem can also be found here:

http://www.geocities.com/dontsurfinthenude/

That's why I recomended disabling avast! Wink
That's fine for the duration of the scan but the next on-demand scan you do, when you have forgotten you ever used Panda, all hell breaks loose, your pulse rises, your memory fails even though avast says 'don't panic !' people do.

I can live with that but I can’t abide putting this junk in the system folders as if you delete it, it ends up in peoples system restore, _restore points. This not only can result in the cr** being restored but avast detects it in the system restore folder and alarms, now you don’t know it is from Panda and you disable system restore and lose whatever restore points you had.

Your probably getting the picture that I don’t particularly like Panda, regardles of how good its detections might be there are alternatives (some of which you mention) that don’t cause this potential grief.

:slight_smile: Hi :

 AND you have the adware "Flashget" program that would
 be wise to uninstall . And if you are going to P2Ping with
 Bittorrent, you should expect an occasional trojan to
 get on your computer .

ok now how do i get rid of that downloader >:(

AND you have the adware "Flashget" program that would be wise to uninstall.

No, actually this is not true. The HijackThis! entries show that the program has actually been uninstalled but has left some registry entries behind. You can have HijackThis! fix these entries if you like, but this is only a tidy-up exercise:

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra ‘Tools’ menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\FlashGet\flashget.exe (file missing)

You should really be worried about this entry:

C:\Program Files\NAV32watcher.exe

which is unidentified and possibly malware. You need to check the file at virustotal to identify it or run a few online scans to do the same as I mentioned before.

EDIT correction, I spoke too hastily. It seems the file missing tag does not actually always mean the file is not present in O9 entries:

IV. About (file Missing) and what it means. It doesn't always mean the file is really missing!!

You will see (file missing) in some of the lines in different sections. You can only rely on that to be true in the sections for BHOs and Toolbars (02s & 03s)

http://www.dslreports.com/faq/13622

You should use Add/Remove in control panel to see if there is an entry for FlashGet, and remove it if you want to do so, otherwise have HijackThis! remove the entries and delete the files manually.

hmm C:\Program Files\NAV32watcher.exe <—this file i deleted b4 and its not a virus…my fren sent it to me saying its a game and i opened it n my com keeps restarting…till i delete it…it isnt any form of malware

I rescanned my com with hijackthis after i restart my computer. the virus should b back in my system volume information.
Logfile of HijackThis v1.99.1
Scan saved at 9:34:28 PM, on 9/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\brsvc01a.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\brss01a.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
F:\Program Files\Brother\ControlCenter2\brctrcen.exe
F:\Program Files\Creative\Shared Files\CAMTRAY.EXE
F:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\Program Files\DAP\DAP.EXE
F:\Program Files\ewido anti-spyware 4.0\ewido.exe
F:\Program Files\MSN Messenger\MsnMsgr.Exe
F:\Program Files\Hamachi\hamachi.exe
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\Program Files\Alwil Software\Avast4\ashServ.exe
F:\WINDOWS\system32\Brmfrmps.exe
F:\WINDOWS\system32\CTsvcCDA.EXE
F:\WINDOWS\system32\slserv.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\wdfmgr.exe
F:\WINDOWS\system32\MsPMSPSv.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
F:\WINDOWS\System32\alg.exe
F:\Documents and Settings\john khoo\My Documents\My Completed Downloads\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM..\Run: [SSBkgdUpdate] “F:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe” -Embedding -boot
O4 - HKLM..\Run: [PaperPort PTD] F:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM..\Run: [IndexSearch] F:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM..\Run: [SetDefPrt] F:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM..\Run: [ControlCenter2.0] F:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM..\Run: [Creative WebCam Tray] F:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM..\Run: [WheelMouse] F:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM..\Run: [DownloadAccelerator] “F:\Program Files\DAP\DAP.EXE” /STARTUP
O4 - HKLM..\Run: [!ewido] “F:\Program Files\ewido anti-spyware 4.0\ewido.exe” /minimized
O4 - HKCU..\Run: [MsnMsgr] “F:\Program Files\MSN Messenger\MsnMsgr.Exe” /background
O4 - HKCU..\Run: [WindowsHiderPro] F:\Program Files\WHidePro\whpro.exe
O4 - HKCU..\Run: [BitTorrent] “F:\Program Files\BitTorrent\bittorrent.exe” --force_start_minimized
O4 - Global Startup: hamachi.lnk = F:\Program Files\Hamachi\hamachi.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Status Monitor.lnk = F:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: &Clean Traces - F:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - F:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - F:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download All by FlashGet - F:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - F:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra ‘Tools’ menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip..{11015C35-883A-4F31-A349-DF4D79FC19D0}: NameServer = 85.255.115.2
O17 - HKLM\System\CCS\Services\Tcpip..{9EA15D2D-66EB-4B5D-9130-0780A9814DE7}: NameServer = 85.255.115.2
O17 - HKLM\System\CCS\Services\Tcpip..{E61524CF-D2D7-48FA-AC1D-C3736FAECA2C}: NameServer = 85.255.115.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.2 85.255.112.7
O17 - HKLM\System\CS1\Services\Tcpip..{11015C35-883A-4F31-A349-DF4D79FC19D0}: NameServer = 85.255.115.2
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.2 85.255.112.7
O17 - HKLM\System\CS2\Services\Tcpip..{11015C35-883A-4F31-A349-DF4D79FC19D0}: NameServer = 85.255.115.2
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.2 85.255.112.7
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - “F:\PROGRA~1\MSNMES~1\msgrapp.dll” (file missing)
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - F:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - F:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - F:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - F:\WINDOWS\SYSTEM32\slserv.exe

Btw i dont understand how 2 delete the downloader…everytime i delete the viruses…the downloader installs it back after i resart my computer -.- Thanks for all the help guys ^^

Have you done as previously suggested scann it at a multi AV scanner site ?

Check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner
Or Jotti - Multi engine on-line virus scanner if any other scanners here detect them it is less likely to be a false positive. You can’t do this with the file in the chest, you will need to move it out.