Finished. Here’s the log.
Hi,
- Please download The Avenger by Swandog46 to your Desktop.
[*] Right click on the Avenger.zip folder and select “Extract All…”
[*] Follow the prompts and extract the avenger folder to your desktop.
- Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Files to delete:
c:\windows\system32\services.exe.B122559294D6D8E5
c:\windows\system32\drivers\wkpfggwy.sys
c:\windows\system32\services.exe.E4D43E6BA75AE666
c:\windows\system32\services.exe.0053430F2092E97E
c:\windows\system32\services.exe.680DB956975AB82E
c:\windows\system32\drivers\uqufzola.sys
c:\windows\system32\services.exe.9ADD9B17BA9028B4
c:\windows\system32\services.exe.6D8AEF54B4F5A126
c:\windows\system32\services.exe.208C90E9F0015315
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
- Now, open the avenger folder and start The Avenger program by clicking on its icon.
[*] Right click on the window under Input script here:, and select Paste.
[*] You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
[*] Click on Execute
[*] Answer “Yes” twice when prompted.
- The Avenger will automatically do the following:
[*] It will restart your computer. (In cases where the code to execute contains “Drivers to Delete” or “Drivers to Disable”, The Avenger will actually restart your system twice.)
[*] On reboot, it will briefly open a black command window on your desktop; this is normal.
[*] After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
[*] The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
- Please copy/paste the content of c:\avenger.txt into your reply.
I ran Avenger with that script, but after the reboot it did not open a console window, nor did it create a log file. It also didn’t create an avenger file.
Also, it said it finished executing the script the moment I pressed execute.
Ok… let’s see how things look anyway.
Run a new scan with ComboFix and attach that log.
Here you go:
We are going to have to remove those another way…
FRST
Download Farbar Recovery Scan Tool and save it to a flash drive.
Plug the flashdrive into the infected PC.
Enter System Recovery Options.
To enter System Recovery Options from the Advanced Boot Options:
[*]Restart the computer.
[*]As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
[*]Use the arrow keys to select the Repair your computer menu item.
[*]Select US as the keyboard language settings, and then click Next.
[*]Select the operating system you want to repair, and then click Next.
[*]Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
[*]Insert the installation disc.
[*]Restart your computer.
[*]If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
[*]Click Repair your computer.
[*]Select US as the keyboard language settings, and then click Next.
[*]Select the operating system you want to repair, and then click Next.
[*]Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
[*]Select Command Prompt
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select “Computer” and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
Done. So is the rootkit not completely removed?
“So is the rootkit not completely removed?”
Yes, it looks like the worst of the infection has been neutralized, but there are some parts that are just wanting to stick around that we need to remove.
Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt
2012-06-23 12:59 - 2012-06-23 12:59 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.E4D43E6BA75AE666
2012-06-23 12:59 - 2012-06-23 12:59 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\wkpfggwy.sys
2012-06-23 12:52 - 2012-06-23 12:52 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.0053430F2092E97E
2012-06-23 12:48 - 2012-06-23 12:48 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.680DB956975AB82E
2012-06-23 12:44 - 2012-06-23 12:44 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.9ADD9B17BA9028B4
2012-06-23 12:44 - 2012-06-23 12:44 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\uqufzola.sys
2012-06-23 12:41 - 2012-06-23 12:41 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.6D8AEF54B4F5A126
2012-06-23 12:37 - 2012-06-23 12:37 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.208C90E9F0015315
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
On Vista or Windows 7: Now please enter System Recovery Options.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.
Everything went successfully.
Very nice.
Malwarebytes
I see that you have Malwarebytes already on your computer. Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.
Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
[*]Tick the box next to YES, I accept the Terms of Use
[*]Click Start
[*]When asked, allow the ActiveX control to install
[*]Click Start
[*]Make sure that the options Remove found threats is NOT selected and the option Scan unwanted applications is selected.
[*]Click Scan (This scan can take several hours, so please be patient)
[*]Once the scan is completed, you may close the window
[*]Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
[*]Copy and paste that log as a reply to this topic
Attach the new logs made by Malwarebytes and ESET online scanner.
Here. ESET did find a bunch of viruses.
You say ESET found many infections? Did you find the log at C:\Program Files\EsetOnlineScanner\log.txt to attach here?
If you have attached what it is that ESET produced, you should rerun ESET and then directly copy/paste the findings to your next reply. The log that you attached doesn’t show anything.
Here is the log it gave me directly:
C:\inMomentum.v1.0.cracked.READ.NFO-THETA\inMomentum.v1.0.cracked.READ.NFO-THETA\inMomentum.exe NSIS/TrojanDownloader.Agent.NJN trojan
C:\Program Files (x86)\Codemasters\DiRT 3\paul.dll a variant of Win32/Packed.VMProtect.AAA trojan
C:\Program Files (x86)\Codemasters\DiRT 3\SKIDROW.dll a variant of Win32/Packed.VMProtect.AAA trojan
C:\Program Files (x86)\Wizards of the Coast LLC\Magic The Gathering - Duels of the Planeswalkers\Steamclient.dll a variant of Win32/Packed.VMProtect.AAA trojan
C:\Qoobox\Quarantine\C\Windows\assembly\GAC_32\Desktop.ini.vir Win32/Sirefef.EZ trojan
C:\Qoobox\Quarantine\C\Windows\assembly\GAC_64\Desktop.ini.vir Win64/Sirefef.AD trojan
C:\Qoobox\Quarantine\C\Windows\Installer\{8d7f222a-0caa-9ae2-1650-9dab4fd0a4b4}\U\00000008.@.vir Win64/Agent.BA trojan
C:\Qoobox\Quarantine\C\Windows\Installer\{8d7f222a-0caa-9ae2-1650-9dab4fd0a4b4}\U\80000000.@.vir Win64/Sirefef.AE trojan
C:\Qoobox\Quarantine\C\Windows\System32\Services.exe.vir Win64/Patched.A.Gen trojan
C:\Qoobox\Quarantine\C\Windows\SysWOW64.exe.vir Win32/Adware.RON.FSV application
C:\Qoobox\Quarantine\C\Windows\SysWOW64\7139c08c.exe.vir Win32/Adware.Primawega.AJ application
C:\_OTL\MovedFiles\06272012_154029\C_Windows\Installer\{8d7f222a-0caa-9ae2-1650-9dab4fd0a4b4}\U\80000000.@ Win64/Sirefef.AE trojan
D:\downloads\cnet_freac-1_0_19_exe.exe a variant of Win32/InstallCore.D application
D:\torrents\Creatures The Albian Years [Creatures 1 2] [WIN7 COMPATIBLE]\setup_creatures_albian_years.exe multiple threats
but I think most of them are false positives.
Hi,
Thanks that is what I would need. Luckily most of them are already quarantined.
[*]Please open Notepad (Start → Run → type notepad in the Open field → OK) and copy and paste the text present inside the code box below:
ClearJavaCache::
File::
C:\inMomentum.v1.0.cracked.READ.NFO-THETA\inMomentum.v1.0.cracked.READ.NFO-THETA\inMomentum.exe
C:\Program Files (x86)\Codemasters\DiRT 3\paul.dll
C:\Program Files (x86)\Codemasters\DiRT 3\SKIDROW.dll
C:\Program Files (x86)\Wizards of the Coast LLC\Magic The Gathering - Duels of the Planeswalkers\Steamclient.dll
D:\torrents\Creatures The Albian Years [Creatures 1 2] [WIN7 COMPATIBLE]\setup_creatures_albian_years.exe
[*]Save this as CFScript.txt and change the “Save as type” to “All Files” and place it on your desktop.
http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif
[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
[*]ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
[*]When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.
In your next reply please attach the new ComboFix log and let me know how your system is running.
Done.
Looks like we have some more work to do.
Run FRST again as you did in post #25. When you get the scan completed please attach the new log.
Okay, done.
So what’s the problem? Is the rootkit still modifying these drivers that are popping up in the combofix log?
Hi,
Looks like it is respawning from someplace. Hopefully we will knock it out this time.
Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt
0 ooimmylq; C:\Windows\System32\drivers\ptskc.sys [x]
C:\Windows\System32\drivers\ptskc.sys
0 pzqc; C:\Windows\System32\drivers\jbvvzmv.sys [x]
C:\Windows\System32\drivers\jbvvzmv.sys
2012-06-24 12:02 - 2012-06-24 12:02 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.B122559294D6D8E5
2012-06-27 11:42 - 2012-06-27 11:42 - 00061440 ____A C:\Windows\SysWOW64\Drivers\jbvvzmv.sys
2012-06-27 11:45 - 2012-06-27 11:45 - 00061440 ____A C:\Windows\SysWOW64\Drivers\ptskc.sys
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
On Vista or Windows 7: Now please enter System Recovery Options.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.
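Added example, not code from this thread or from the FRST author: a small Python filter that applies the same reasoning the helper used by hand to build the two fix lists above. It assumes log lines in the shape quoted there (created stamp - modified stamp - size attrs (company) path, with the company part optional) and flags three things: copies named services.exe plus 16 hex digits, .sys files with no publisher field, and .sys files created in the same minute as one of those copies. The sample log is constructed from lines quoted in the thread plus one made-up benign driver line.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: lines quoted in the two fix lists in this thread, plus one
# made-up benign driver line (example_benign.sys) that the filter should ignore.
SAMPLE_LOG = r"""
2012-06-23 12:59 - 2012-06-23 12:59 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.E4D43E6BA75AE666
2012-06-23 12:59 - 2012-06-23 12:59 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\wkpfggwy.sys
2012-06-23 12:52 - 2012-06-23 12:52 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.0053430F2092E97E
2012-06-23 12:44 - 2012-06-23 12:44 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.9ADD9B17BA9028B4
2012-06-23 12:44 - 2012-06-23 12:44 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\uqufzola.sys
2012-06-27 11:42 - 2012-06-27 11:42 - 00061440 ____A C:\Windows\SysWOW64\Drivers\jbvvzmv.sys
2012-06-20 09:00 - 2012-06-20 09:00 - 00012345 ____A (Microsoft Corporation) C:\Windows\System32\drivers\example_benign.sys
"""

# Assumed layout: "created - modified - size attrs (company) path"; company is optional.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>\S+) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>.+)$"
)
# The leftover copies in this thread are named services.exe plus 16 hex digits.
SHADOW_RE = re.compile(r"\\services\.exe\.[0-9A-F]{16}$", re.IGNORECASE)

def parse_lines(text):
    # One dict per parseable line; the creation stamp becomes a datetime.
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["created"] = datetime.strptime(e["created"], "%Y-%m-%d %H:%M")
            entries.append(e)
    return entries

def find_suspects(entries, window=timedelta(minutes=1)):
    # Map each suspicious path to the reason it was flagged.
    shadows = [e for e in entries if SHADOW_RE.search(e["path"])]
    suspects = {e["path"]: "services.exe shadow copy" for e in shadows}
    for e in entries:
        if not e["path"].lower().endswith(".sys"):
            continue
        if e["company"] is None:
            suspects[e["path"]] = "driver with no publisher field"
        elif any(abs(e["created"] - s["created"]) <= window for s in shadows):
            suspects[e["path"]] = "driver created in the same minute as a shadow copy"
    return suspects
```

On the sample this flags the three services.exe copies, wkpfggwy.sys and uqufzola.sys (same minute as a copy) and jbvvzmv.sys (no publisher), and leaves the benign line alone.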
Aaand done. Hopefully everything is fixed now.
Do I need to run combofix again now?
Yes please run ComboFix once again.