[Resolved] Chinese character'd programs running in MSConfig?

Hello everyone! Long-time reader, first time poster.

About a week ago, my laptop was virused, and had to be reformatted (turns out its hard drive is also horribly damaged, so I gave up on it).

So I decided to change my passwords on my desktop (which also has Windows XP) after scanning and making 100% sure nothing bad was on it. None of my virus scanners had found anything, EXCEPT Malwarebytes had detected something called PUM.Hijack.StartMenu (which ended up meaning Possibly Unwanted Modification in the Start Menu… which turned out to be me telling Windows to not show Help & Support. Oh noes).

So! After that, I was relieved for once in the past week, until I ran MSConfig’s Startup after installing the new Adobe Reader X, to tell reader_sl to STOP OPENING, again. While doing so, I noticed two programs running with Chinese names… (I’ve attached two pics to show what they looked like in my MSConfig). After telling the two to stop running, I restarted my computer. There were now two more programs with Chinese symbol’d names, so I unchecked them and restarted my computer. My computer now argues at me that it can’t find two files that I told it to stop running. So, once again overreacting, I reformatted my desktop, and had no problems at all. Then about 8 hours later, in the morning, I noticed that the Chinese-named programs were back, already, 8 hours later, after not browsing the internet. In fact, my internet cable was unplugged until I was sure I had installed all necessary security software, including installing System Pack 3 so as to not have a very vulnerable system and Internet Explorer (I use Firefox by default though).

Can anyone tell me what it might be, or what it probably is? I can’t for the life of me figure out what it could be, and no virus scanning software, no matter how up to date, can find anything bad. Anyway, thank you all for your time and attention! Much appreciated!

Edit/Update!: Oh yeah! I guess I should tell you guys a bunch more stuff to help figure it out. I have an Acer PC running Windows XP with Service Pack 3. Umm… what else… er, I mostly added that stuff because I had heard somewhere that this is normal Acer stuff, even though I hadn’t noticed Chinese named programs in the Startup of MSConfig before. Someone else said this is normal, because it’s something like Windows checking to see if it can understand Chinese (I indeed installed the East Asian language pack).

Also! Decided to scan with HiJackThis to see if it honestly is anything bad:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:06:52 PM, on 07/12/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Microsoft LifeCam\MSCamSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\WINDOWS\vVX1000.exe
C:\PROGRA~1\Keyboard\Ikeymain.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\AVG\AVG10\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
D:\Program Files\Winamp\winamp.exe
C:\Documents and Settings\Paul\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: IBM - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Paul\LOCALS~1\Temp\IBM.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WRODJ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Paul\LOCALS~1\Temp\WRODJ.exe


End of file - 6252 bytes

There’s the file, if anyone notices anything bad… please do tell.
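A triage pass over the HijackThis log above, added here as an example; it is not something any poster ran, and HijackThis itself has no such feature. It pulls out the O2, O4 and O23 lines and reports only what the log text supports: a BHO whose DLL is gone, and any autostart or service whose binary lives in a directory an ordinary user can write to, such as Local Settings\Temp. The two Sysinternals-labelled services under Temp are flagged on location alone. The poster says he ran RootkitRevealer, which runs as a randomly named copy of itself from a temporary location, so that is one benign explanation to check (by hash or Authenticode signature) before treating them as malware; that reading is mine, not stated in the thread. The sample text is a handful of lines copied from the log above, with nothing invented.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied from the HijackThis log posted in this thread.
# In practice, read the whole saved hijackthis.log instead.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: IBM - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Paul\LOCALS~1\Temp\IBM.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WRODJ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Paul\LOCALS~1\Temp\WRODJ.exe
"""

# HijackThis line shapes. The tool writes "HKLM\..\Run"; forum rendering
# sometimes eats the first backslash, so it is optional in the O4 pattern.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.*?)\\?\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>[A-Za-z]:\\.*)$")

# Directories an unprivileged user can write to (long and 8.3 short forms).
# A service or autostart binary living here deserves a look; it is not proof.
USER_WRITABLE = re.compile(
    r"\\(temp|docume~1|documents and settings|local settings|application data|appdata|users)\\",
    re.IGNORECASE,
)


def first_path(cmd: str) -> str:
    """Return the executable path from a command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


@dataclass
class Finding:
    kind: str    # HijackThis section: O2, O4 or O23
    item: str    # CLSID, Run value name, or service name
    path: str
    reason: str


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            if m["path"].lower() == "(no file)":
                findings.append(Finding("O2", m["clsid"], m["path"],
                                        "BHO CLSID registered but its DLL is gone (orphan; removable, not an infection)"))
            elif USER_WRITABLE.search(m["path"]):
                findings.append(Finding("O2", m["clsid"], m["path"], "BHO loaded from a user-writable directory"))
        elif m := O4_RE.match(line):
            path = first_path(m["cmd"])
            if USER_WRITABLE.search(path):
                findings.append(Finding("O4", m["name"], path, "autostart from a user-writable directory"))
        elif m := O23_RE.match(line):
            if USER_WRITABLE.search(m["path"]):
                findings.append(Finding("O23", m["name"], m["path"],
                                        f"service binary in a user-writable directory; publisher string '{m['vendor']}' "
                                        "is only version info, verify by hash or Authenticode before trusting it"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4}{f.item:<40}{f.path}\n    {f.reason}")
```

On the log above this reports the orphaned BHO and the two services in Temp, and nothing else; the IME entries (TINTSETP.EXE under system32\IME) and the AVG and NVIDIA services sit in system or Program Files directories and are left alone.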

You need to go take your problem to the AVG Forums, this forum is for avast! users only.

We can fix your problem here as we do with others. It is obvious from your post that your machine is not acting right, and that is the first sign of something wrong.

Since you cannot run more than one antivirus (AV) in your machine at the same time, you need to decide if you want to stay with AVG, which allowed you to have this problem (as well as others we have helped here who have converted over to Avast), or uninstall AVG and go with Avast. You can’t have 2 AV’s in your machine because they will cause a conflict.

If you decided to go with Avast, you need to uninstall AVG with the AVG uninstaller tool: http://www.avg.com/us-en/download-tools.

Here is the Avast comparison product chart: http://www.avast.com/comparison-chart for you to review, and we will be coming out with a new release in the very near future. Our forum is available 24/7 for quick responses, we also have online and phone support as well for both free and paid users, and we have a Certified Malware Expert available.

First, you did the right thing by updating your OS from SP2 to SP3 to help fill those security holes, but that may have helped malware get in your machine. What other scanners did you use if any to detect malware?

Let’s start the process of checking for malware, and you can get back to me regarding your decision on which AV you would like to go with:

Please check your computer for malware with Malwarebytes’ Anti-Malware (MBAM).
· Download free http://www.malwarebytes.org/ (the blue button) for an on-demand scanner.
· Double Click mbam-setup.exe to install the application.
· After install, click update so you have latest database before scanning.
· Under Settings:
o General: Automatically Save File After Scan Completes is checked off
o Scanner Settings: Check all boxes
o Updater: Download and install update if available is checked off
· Once the program has loaded, select “Perform FULL Scan”, then click Scan.
· The scan may take some time to finish, so please be patient.
· When the disinfection scan is complete, a log will appear in Notepad and you may be prompted to Restart. (See Extra Note).
· Click the “remove selected” button to quarantine anything found. You will find the infection details under the Quarantine tab.
· The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
· Copy & Paste the entire report in your next reply.

Please let me know if you have any questions. Thank you.

Malwarebytes’ Anti-Malware 1.50
www.malwarebytes.org

Database version: 5254

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

07/12/2010 6:30:39 PM
mbam-log-2010-12-07 (18-30-39).txt

Scan type: Full scan (C:|D:|)
Objects scanned: 159045
Time elapsed: 21 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Here you go. As you can see, it couldn’t find anything that I can notice. Hmm, I’ve used…

  • Malwarebytes’ Antimalware
  • AVG Free 2011
  • Spybot Search & Destroy
  • I did use Avast on my computer before reformatting it, and it couldn’t find anything wrong either
  • Trend Housecall

None of these could find anything…

And then I did the Hijackthis and posted the log here. Oh, I also used Rootkit Revealer, to make sure some things were safe. It seemed to only find things that weren’t threats.

When you said in your first post that your machine had a virus and had to be reformatted and the HDD got damaged, what malware did it have?

If your other malware scans have come out clean, it’s up to you how you would like to proceed. It is possible that you have a damaged HDD causing your issue or you still have some hidden malware.

I can give you more diagnostic tools to run if you like. OTL is preferred initially.

  1. One will give me more information than a Hjk log, which is an OTL log - see the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0. Follow the directions for obtaining the OTL logs (save them as ANSI and not Unicode). Post the two (2) OTL log as an attachment (Additional Options > Attach > Browse (the logs will be on your desktop > Post).

  2. The other tool is Dr. Web CureIt, then attach the log, or report any results if clean:

Download the free Dr. Web Cure It! in SAFE MODE to your desktop to scan.

Download Dr Web from here: http://www.freedrweb.com/?lng=en on the top right of the page, tick the EULA and then download.

It will download as an 8-digit file; save it to your desktop.
Restart in Safe Mode and run.
Accept the enhanced version.
Then run the Quick Scan.
About halfway through you will be prompted to buy - just “X” the box closed.
Once finished, it will generate a log; please attach it to your next post, or report if nothing is found.

How Do I Use Dr.Web CureIt!? http://www.freedrweb.com/cureit/how_it_works/

Download Dr.Web CureIt! and launch the utility in SAFE MODE. A notification will inform you that the utility is running in the enhanced protection mode allowing it to operate even if malicious programs block access to the Windows interface.
In the enhanced protection mode Dr.Web CureIt! is run on a protected desktop where no other application can be launched. In order to continue working in the enhanced protection mode choose OK or click Cancel to switch to the standard mode.

Click the “Start” button in the anti-virus window. Select “Yes” in the confirmation dialogue, and wait while Dr.Web CureIt! scans system memory and autorun objects. If you need to scan all or selected disks, choose between “Full Scan” or “Custom Scan” (if you choose “Custom Scan,” you need to select the objects you want to scan), and click on the “Start” button.

Dr.Web CureIt! will cure infected files and place incurable files in quarantine. When the scanning is finished, you can view the report and perform desired actions with quarantined files.

Once the scanning is completed, simply remove the Dr.Web CureIt! file from your computer (put it in your recycle bin). If you need to perform another system scan using updated definitions, you will need to download Dr.Web CureIt! again.

Have you thought about which AV you want to use? Also, let me know how you would like to proceed regarding running more diagnostic malware workup. Thank you.

Oh! Ah, the part about the damaged HD, that was referring to my laptop. To clear up any confusion, the situation with both computers is:

Laptop: Had the infected (or just plain viruses under the names of) svchost.exe, shell.exe, and DWM.exe (I don’t even have Vista or 7, so that program should not have been on my laptop). I reformatted it completely, but now the hard drive won’t properly reformat, it seems to have a damaged part, or have some damaged space.

Desktop: Changed passwords on it after scanning with a bunch of things, to make sure the things on my laptop weren’t key loggers. Nothing I used had found anything. The only thing that started me to worrying were the Chinese-character’d programs in the MSconfig’s startup tab. This only REALLY concerned me after I reformatted my desktop and they reappeared in the morning, after reformatting the thing in its entirety.

As for which I will use, I am not 100% sure yet. I will probably try giving Avast a shot, though I do really enjoy the fact that AVG can tell me what links are safe (for the most part). So the main concern, as of the moment, is that I don’t know what those Chinese-character’d files in MSConfig’s startup are, and no anti-malware, virus scanner, or any other form of scanner can find anything bad. It’s just… odd being left in the dark.

If you are done reformatting, you can run an OTL log if you like and we can take it from there, but it’s up to you. Are you being redirected while surfing at all?

Hm? Nope, not being redirected at all… to be honest, there’s nothing really making me think there’s an infection, actively, anyway. The only thing I am truly worried about, or concerned about is that odd Chinese-named program in my MSConfig’s startup, since I don’t know where it came from, exactly and am not sure if it’s harmful or not. OTL? (Sorry, I am unfamiliar with OTL). Do tell. Thanks for your help so far, by the way.

You’re welcome. OTL is a diagnostic tool we run to check your machine for malware, missing keys, registry errors, etc., but not hard drive problems.

Check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0.

Follow the directions of obtaining the OTL logs (save them as ANSI and not Unicode). Post the two (2) OTL log as an attachment (Additional Options > Attach > Browse (the logs will be on your desktop > Post).

Here you go. The requested two files. I saved them as ANSI, but saved over the other 2 original files. Hopefully that’s not a problem.

Thank you for providing the logs. I reviewed them, and I am going to refer you to our Certified Malware expert, named Essexboy. He will also review your logs and give you further instructions, however he comes on the forum late UK time. He will respond to you in this thread, so remember to check this thread daily. I will continue to provide assistance in the meantime, then remain in the background while he works with you.

IMPORTANT: If you are on a home network, disconnect the affected machine from the network. Do not share a USB/flash drive with this affected machine. Try to use a different machine when checking email and do not surf on it.

Please do not make any further changes to your machine now that you have provided the logs.

Let me know if you have any questions. Thank you.

I see no sign there - did you say that you had disabled it with MSConfig?

If so I will need to look in that area

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
SRV - [2010/12/07 17:59:17 | 000,568,192 | ---- | M] (Sysinternals - www.sysinternals.com) [On_Demand | Stopped] -- C:\Documents and Settings\Paul\Local Settings\Temp\WRODJ.exe -- (WRODJ)
SRV - [2010/12/07 17:50:31 | 000,441,216 | ---- | M] (Sysinternals - www.sysinternals.com) [On_Demand | Stopped] -- C:\Documents and Settings\Paul\Local Settings\Temp\IBM.exe -- (IBM)

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Then re-run OTL select All Users and paste the following into the custom scans/ fixes box and press run scan

msconfig

Okay, I am posting 3 different logs… sorry, it won’t let me attach them as files. The first log, in red, will be the log that opened after rebooting the computer after the fix. The second log, in blue, will be the OTL quick scan. The third log, in green, will be the third scan that was of the MSConfig. Hopefully that works for you… And yeah, I had disabled it in MSConfig, whatever it is.

All processes killed
========== OTL ==========
Service WRODJ stopped successfully!
Service WRODJ deleted successfully!
C:\Documents and Settings\Paul\Local Settings\Temp\WRODJ.exe moved successfully.
Service IBM stopped successfully!
Service IBM deleted successfully!
C:\Documents and Settings\Paul\Local Settings\Temp\IBM.exe moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Paul\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Paul\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Paul
->Temp folder emptied: 192115600 bytes
->Temporary Internet Files folder emptied: 956769 bytes
->FireFox cache emptied: 66459578 bytes
->Flash cache emptied: 1376 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2162283 bytes
%systemroot%\System32 .tmp files removed: 22108945 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16468 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 271.00 mb

[EMPTYFLASH]

User: All Users

User: Default User

User: LocalService

User: NetworkService

User: Paul
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.17.3 log created on 12152010_010922

Files\Folders moved on Reboot…

Registry entries deleted on Reboot…

Er, okay, it won’t let me actually post the quickscan or msconfig scan logs. For some reason, they’re huge, and are too big to post as an attachment as well… thoughts?

upload to Mediafire and post the sharing link.

Here you go, from what I understand… I had to throw them in WinRar and upload them both with the name DarkMidghet in their filename before it would let me upload them properly. Sorry about that >_< It just kept telling me they were duplicates, I suspect, of files that were on there with the same name prior. Anyway, in here are the files for the OTL Quickscan called DarkMidgetOTL and the one of the MSConfig Scan called DarkMidgetMSConfig. If there are any issues, please tell me and I’ll get on fixing them.

http://www.mediafire.com/?v1i0swqwh7i6o15

I would like to run combofix next, however, as you have AVG it will need to be uninstalled first. AVG treats combofix as malware and totally destroys the programme

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
MsConfig - StartUpReg: Load - hkey= - key= - File not found
MsConfig - StartUpReg: Run - hkey= - key= - File not found

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

NEXT

We need to temporarily remove your Anti-Virus, as it interferes with the fix I want to run. You can reinstall it again later. If you are not happy about doing this, please let me know before proceeding.

Download AppRemover and run it.

Click Next >>

http://www.hdrcgb.org.uk/g2g/appremover1.jpg

Ensure “Remove Security Application” is selected and click Next >>

http://www.hdrcgb.org.uk/g2g/appremover2.jpg

AppRemover will scan all the security applications on your PC

http://www.hdrcgb.org.uk/g2g/appremover3.jpg

Select Any AVG entries from the applications offered and click Next >> twice.

http://www.hdrcgb.org.uk/g2g/appremover4.jpg

Follow any further on-screen instructions. If asked to reboot, please do so.

Note: Please do not browse the internet or open any email attachments until your Anti-Virus is re-installed

Followed by

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

• Double click on ComboFix.exe & follow the prompts.

• As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
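Where the two "MsConfig - StartUpReg" lines in that fix come from, shown with an added example that is not part of the thread or of OTL. When an item is unchecked on the Startup tab of XP's MSConfig, MSConfig takes it out of its original location and records it under HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg, one subkey per item; that is the area the helper said he would need to look in once the poster confirmed he had unchecked the entries. The script below parses a .reg export of that key, labels each item with where it ran from before it was disabled, and reports items whose command target no longer exists, which is what OTL's "File not found" means here. The export is constructed: the IMJPMIG8.1 and PHIME2002A entries reuse commands from the HijackThis log above, while the Load and Run entries carry placeholder paths because the thread never shows their real commands. Treating their empty hkey/key values and inimapping=1 as win.ini [windows] load=/run= lines (which XP maps into the registry) is my reading of OTL's "hkey= - key=" output, not something the thread states.

```python
from __future__ import annotations

import os
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Where XP's MSConfig parks a startup item after you uncheck it.
STARTUPREG = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg"

# Constructed .reg export (see lead-in). The Load/Run commands are placeholders;
# the thread never shows the real ones.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IMJPMIG8.1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PHIME2002A]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Load]
"key"=""
"hkey"=""
"command"="C:\\PLACEHOLDER\\unknown-load.exe"
"inimapping"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Run]
"key"=""
"hkey"=""
"command"="C:\\PLACEHOLDER\\unknown-run.exe"
"inimapping"="1"
"""

# Constructed stand-in for the filesystem so the example runs anywhere:
# only the two IME binaries "exist"; the placeholder targets do not.
KNOWN_PRESENT = {
    r"c:\windows\ime\imjp8_1\imjpmig.exe",
    r"c:\windows\system32\ime\tintlgnt\tintsetp.exe",
}


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for REG_SZ values in a Regedit 5.00 export."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, value = line.partition("=")
            if value.startswith('"') and value.endswith('"'):
                value = re.sub(r'\\(["\\])', r"\1", value[1:-1])  # undo \\ and \" escapes
            keys[current][name.strip('"')] = value
    return keys


def first_path(cmd: str) -> str:
    """Executable path from a command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


@dataclass
class DisabledItem:
    name: str           # subkey name, which is what OTL prints after "StartUpReg:"
    origin: str         # where the item ran from before it was unchecked
    command: str
    target: str
    target_exists: bool


def disabled_items(reg_text: str, exists: Callable[[str], bool] = os.path.exists) -> List[DisabledItem]:
    items: List[DisabledItem] = []
    for key, values in parse_reg(reg_text).items():
        if not key.lower().startswith(STARTUPREG.lower() + "\\"):
            continue
        name = key.rsplit("\\", 1)[1]
        if values.get("inimapping") == "1":
            # win.ini [windows] load=/run= line mapped into the registry; MSConfig
            # records no hkey/key for these (assumption, see lead-in)
            origin = f"win.ini [windows] {name.lower()}="
        else:
            origin = values.get("hkey", "") + "\\" + values.get("key", "")
        command = values.get("command", "")
        target = first_path(command)
        items.append(DisabledItem(name, origin, command, target, exists(target)))
    return items


def missing_targets(reg_text: str, exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Names of disabled items whose executable is gone: OTL's 'File not found'."""
    return [i.name for i in disabled_items(reg_text, exists) if not i.target_exists]


if __name__ == "__main__":
    for i in disabled_items(SAMPLE_REG, lambda p: p.lower() in KNOWN_PRESENT):
        state = "ok" if i.target_exists else "File not found"
        print(f"MsConfig - StartUpReg: {i.name} - from {i.origin} - {i.target} - {state}")
```

Run on a real machine, call `disabled_items(open("startupreg.reg").read())` with the default `os.path.exists` after exporting the key from Regedit. An entry whose target is gone is dead weight that only produces the "can't find file" complaint the poster saw after unchecking; deleting its subkey, which is all the OTL lines in the fix above do for Load and Run, removes the complaint without touching anything that still runs.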

Quick question: Would I be able to simply uninstall AVG myself instead of using AppRemover or does AppRemover have some form of advantage over the manual removal and uninstallation? I’m not really questioning you, but I am however, curious. Just thinking of how best to go about this, because it will undoubtedly involve downloading a bunch of stuff PRIOR to uninstalling AVG, to minimize the use of the internet.

On that note, what do those fixes do exactly? (If you can tell me what both the fixes you’ve had me run do, that’d be awesome.) I’m just mostly curious about what I’m doing with my computer, really.

sorry i can’t help, but i just wanted to add this… when i was fighting my system, my msconfig startup looked identical to yours, except i had square boxes where you have chinese letters… other than that, its identical… two suspicious entries at the end, one ending in :load, the other in :run, exactly as pictured… with mine, i found the wacky randomly lettered exe running and torched it, but my problems never went away

i would copy your data off in safe mode any way you can, before fixing or cleaning anything, otherwise you could be in my shoes with a drive that won’t play along anymore… if this is the same rootkit i got, you might get your butt kicked like i did

good luck man