svchost.exe application error

I posted on here a week or so ago about the above problem, and Scythe944 was helping me sort it. You asked me to post my HijackThis log on. I did this but have had no replies. I’ll post it again now; if anyone can help me sort the problem I’d be really grateful.

Thanks

Log as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:15:07, on 26/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\Home Cinema\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Home Cinema\PowerDVD\PDVDServ.exe
C:\Program Files\Home Cinema\PowerCinema\PCMService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\NOTEPAD.EXE
G:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [InstantOn] "C:\Program Files\CyberLink\PowerCinema Linux\ion_install.exe /c "
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\Home Cinema\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Medion-UK - {5C12033D-1BFB-426C-8D7F-B556686BA607} - http://www.medion.co.uk (file missing) (HKCU)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CDB6404-E171-4CC5-91A8-E0858D7CF603}: NameServer = 85.255.112.90,85.255.112.134
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D1571F7-5B1C-474A-A285-C167D0FF5821}: NameServer = 85.255.112.90,85.255.112.134
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.90,85.255.112.134
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.90,85.255.112.134
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.90,85.255.112.134
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Home Cinema\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe


End of file - 8970 bytes

Sorry joto, I guess I was busy…
Here you go…

We didn’t detect any active process of a firewall on your system. Reasons may be:
(1.) You are using the Windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled.
(4.) You don’t use any firewall at all.
We recommend you to use a firewall. Download and install one or activate Windows XP’s own one.

O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
Unnecessary (deactivated) entry that can be fixed. toolbar.dll - AOL toolbar

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
Not dangerous, but unnecessary. QuickTime

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
Unnecessary (deactivated) entry that can be fixed. This entry was classified from our visitors as good.

O17 - HKLM\System\CCS\Services\Tcpip\..\{2CDB6404-E171-4CC5-91A8-E0858D7CF603}: NameServer = 85.255.112.90,85.255.112.134
Do you know the IP or Domain ‘85.255.112.90,85.255.112.134’? If not, fix this entry.

O17 - HKLM\System\CCS\Services\Tcpip\..\{9D1571F7-5B1C-474A-A285-C167D0FF5821}: NameServer = 85.255.112.90,85.255.112.134
Do you know the IP or Domain ‘85.255.112.90,85.255.112.134’? If not, fix this entry.

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.90,85.255.112.134
Do you know the IP or Domain ‘85.255.112.90,85.255.112.134’? If not, fix this entry.

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.90,85.255.112.134
Do you know the IP or Domain ‘85.255.112.90,85.255.112.134’? If not, fix this entry.

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.90,85.255.112.134
Do you know the IP or Domain ‘85.255.112.90,85.255.112.134’? If not, fix this entry.

O9 - Extra button: Medion-UK - {5C12033D-1BFB-426C-8D7F-B556686BA607} - http://www.medion.co.uk (file missing) (HKCU)
To be fixed if the entry ‘Medion’ is unknown.
Unnecessary (deactivated) entry that can be fixed. Unknown buttons or entries in the ‘Extras’-menu should be fixed.

C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
Safe, but possibly nasty! According to our database this process runs normally in c:\programme\common~1\x10\common! Check if you know this process and arrange a viruscheck where required.

C:\Program Files\Home Cinema\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
Safe, but possibly nasty! According to our database this process runs normally in c:\programme\cyberlink\shared files\clml_ntservice! Check if you know this process and arrange a viruscheck where required. CyberLink Media Library Service

I’d check into those entries and remove them with HJT.

Other than that, you look pretty good. Nothing serious…

Those O17 IP addresses belong to UkrTelegroup (based in Ukraine), which appears to be malicious.

http://ddanchev.blogspot.com/2008/07/lazy-summer-days-at-ukrtelegroup-ltds.html

Are your internet searches being redirected?

Also, what security programs have you scanned with?

Also, you are running HJT from the G drive; you MUST install it properly in Program Files on the C drive. If you fix any entries and need to restore them, it must be installed properly.

Only then should you start fixing entries

I haven’t looked closely at your log yet. Do you use a plug-in for Japanese/Chinese translation?

O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

DO NOT FIX

Those entries contain IMJPMIG.EXE ImScInst.exe TINTSETP.EXE

They need to be sent to VirusTotal for inspection, as they may be malicious.

http://www.prevx.com/filenames/1250578899387157976-X1/IMSCINST.EXE.html

http://www.prevx.com/filenames/898787142291842480-X1/TINTSETP.EXE.html

http://spywarefiles.prevx.com/RRDHEA8978/IMJPMIG.EXE.html

Please upload those files and copy/paste the results

http://www.virustotal.com/

will continue looking at your log

HJT just has to be in a folder of its own, it doesn’t have to be in c:\program files\hijackthis, etc. Provided the G:\ drive/partition is a fixed hard disk or partition then it would need to be in its own folder, e.g. g:\HJT\hijackthis.exe, etc.

If G:\ is a usb device then HJT needs to be on a fixed drive in a folder of its own.

Yes, thanks David. I had a quick peek at the OP’s original post and assumed it was being run from a flash drive: http://forum.avast.com/index.php?topic=43702.msg365523#msg365523

Joto, I have examined the log. The O17 entries with the IP addresses are certainly bad. The O4 entries could be legit files used in a plug-in for Internet Explorer for translating Asian languages. However, I strongly believe they are very bad files. I see from your original post that this PC no longer has internet connectivity, so sending those files for analysis will be difficult. ;D
So first fix the entries:

O17 - HKLM\System\CCS\Services\Tcpip\..\{2CDB6404-E171-4CC5-91A8-E0858D7CF603}: NameServer = 85.255.112.90,85.255.112.134

O17 - HKLM\System\CCS\Services\Tcpip\..\{9D1571F7-5B1C-474A-A285-C167D0FF5821}: NameServer = 85.255.112.90,85.255.112.134

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.90,85.255.112.134
Do you know the IP or Domain ‘85.255.112.90,85.255.112.134’?

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.90,85.255.112.134
Do you know the IP or Domain ‘85.255.112.90,85.255.112.134’?

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.90,85.255.112.134
Do you know the IP or Domain ‘85.255.112.90,85.255.112.134’?

You do this by opening HJT (that has been installed in its own folder).
Choose ‘do a scan only’, then place ticks in the boxes next to the entries above, then choose fix selected. Close HJT.

Next, from your other PC download 2 programs and their updates.

Transfer the programs and update files to the infected PC via CD (I do not like using flash drives, as they may also become infected).
Try to install both programs; you may encounter problems if malware prevents this (we can get round that).
If you successfully install, exit the programs, then double click on the update files you also downloaded to install the updates. Then run consecutive scans with both programs. I am sure (hopefully) we may see something found related to the O4 entries.
Copy/paste the results of the scans.

Malwarebytes antimalware http://filehippo.com/download_malwarebytes_anti_malware/

Malwarebytes antimalware updates http://www.gt500.org/malwarebytes/database.jsp

SuperAntiSpyware http://www.superantispyware.com/

SuperAntiSpyware updates http://www.superantispyware.com/definitions.html
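As an added example (not code from this thread, from HijackThis or from any tool the posters used), a small Python audit of O17 lines like the ones above: it parses the NameServer values, flags public resolvers the owner never configured, and reports which control sets carry them. CS1/CS2 in HJT's notation are the ControlSet00n backups behind the Last Known Good boot option, so a hijack written to those as well survives that option. The sample log is constructed: the two public addresses are the ones posted in the thread, the 192.168.1.1 router and the O4 line are made up.

```python
"""Audit HijackThis O17 (NameServer) entries for DNS hijacking."""
import ipaddress
import re

# Constructed sample in the shape HijackThis prints O17 lines. The two public
# addresses are the ones posted in this thread; the router and O4 line are made up.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CDB6404-E171-4CC5-91A8-E0858D7CF603}: NameServer = 85.255.112.90,85.255.112.134
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.90,85.255.112.134
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.90,85.255.112.134
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# CCS = CurrentControlSet, CSn = ControlSet00n (the backup sets behind "Last
# Known Good"); scope is 'Parameters' (global) or a per-interface GUID.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\(?P<scope>\S+?):"
    r"\s*NameServer\s*=\s*(?P<servers>[0-9.,\s]+?)\s*$"
)

def classify_resolver(ip_text, trusted):
    """Return 'trusted', 'lan' or 'suspect' for one resolver address."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "suspect"   # garbage in a NameServer value is itself a finding
    if ip in trusted:
        return "trusted"
    if ip.is_private:
        return "lan"       # e.g. the home router handing out DNS
    return "suspect"       # public resolver the owner never configured

def audit_o17(log_text, trusted=()):
    """Parse every O17 line in an HJT log and return one finding per line."""
    trusted_ips = {ipaddress.ip_address(t) for t in trusted}
    findings = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
        verdicts = {s: classify_resolver(s, trusted_ips) for s in servers}
        findings.append({
            "control_set": m.group("cs"),
            "scope": m.group("scope"),
            "servers": servers,
            "suspect": "suspect" in verdicts.values(),
        })
    return findings

def summarize(findings):
    """Control sets holding a suspect resolver; Last Known Good only clears it if no backup set is hit."""
    bad_sets = sorted({f["control_set"] for f in findings if f["suspect"]})
    backup_hit = any(cs != "CCS" for cs in bad_sets)
    return {
        "bad_control_sets": bad_sets,
        "last_known_good_would_clear": (not backup_hit) if bad_sets else None,
    }

if __name__ == "__main__":
    found = audit_o17(SAMPLE_LOG, trusted=["192.168.1.1"])
    for f in found:
        print("SUSPECT" if f["suspect"] else "ok", f["control_set"], f["scope"], ",".join(f["servers"]))
    print(summarize(found))
```

Run against a full HJT log, the per-interface GUID findings tell you which adapter was hijacked, and a non-empty list of backup control sets tells you a Last Known Good boot is not a fix.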

Hi Guys. Thanks for help so far. I’ve fixed the O17 files using HJT as instructed. I’ve then downloaded Malwarebytes and SuperAntiSpyware on the other computer and transferred as instructed. Malwarebytes says it’s installed but it won’t launch, and the other won’t install at all. Any advice re next steps eagerly awaited!!

Thanks x

Hello again, try this first. Navigate to C/program files/malwarebytes antimalware, open that folder, you will see mbam.exe, right click on that file and choose rename, then rename to joto.exe, then double click on the renamed file to launch.

Did you manually update MBAM?

Also, about those other entries IMJPMIG.EXE, ImScInst.exe, and TINTSETP.EXE: do you use any translation plug-in for Chinese/Asian languages?

Regarding SAS, rename the setup file, for example to slayer.exe, then double click to install.
Did you download the manual updates for SAS?

Hi Micky77. I have renamed the .exe files and think I can now do the scans. Should I select quick scan or do I need to do a full scan?

Regarding the plug-in you asked about I don’t know what that would be so am not aware that I have one. Forgive me if I sound a bit stupid!!

Thanks x

Do quick scans first. As for those entries, when googled, they appear in many HJT logs; however, I have yet to find anyone who actually fixed them, so they may be benign.
If I remember, Avast found a Fasec trojan in your initial post. Can you tell me the name and location of the file it quarantined?
http://forum.avast.com/index.php?topic=43702.msg365486#msg365486

Am running the quick scan on Malwarebytes now but still can’t get the SuperAntiSpyware one to launch. Wasn’t sure which exe file to rename. Can you clarify for me? Will let you know what comes up on the scan I’m doing at the mo.

Thanks again for help x

Malwarebytes scan has found 5 infected files. Two say Trojan.Agent and three say Trojan.DNSChanger. Shall I click to remove these files?

Can you copy/paste the log first, please?

On the SAS installation/setup file (you downloaded): rename, then double click to install. If installation is successful, exit the program. Then double click on the update/definition file I told you to download. Then go to C/program files/superantispyware/, open that folder, locate superantispyware.exe and rename it (keep the extension, exe), then double click on the renamed file to launch.

Hi Yoto,

You also could try this:

For Windows XP:

  1. Press Ctrl+Alt+Delete. The Windows Task Manager appears.
  2. Click the Application tab.
  3. Look for an entry related to a program installation. This might include words, such as “install,” “installer,” or “MSI.”
  4. If found, highlight the entry, and then click End Task. If a second dialog box appears, then click End Task in the second box. Close the dialog box.
  5. You could try the install again if it was a legit one.

polonus

Am posting the malwarebytes log below. My husband has already clicked to remove the files so hope that is the right thing to do! Log as follows:

Malwarebytes’ Anti-Malware 1.34
Database version: 1954
Windows 5.1.2600 Service Pack 3

11/04/2009 19:24:09
mbam-log-2009-04-11 (19-24-09).txt

Scan type: Quick Scan
Objects scanned: 76823
Time elapsed: 3 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2cdb6404-e171-4cc5-91a8-e0858d7cf603}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.90,85.255.112.134 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{2cdb6404-e171-4cc5-91a8-e0858d7cf603}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.90,85.255.112.134 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{2cdb6404-e171-4cc5-91a8-e0858d7cf603}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.90,85.255.112.134 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\RECYCLER\S-8-2-24-100001961-100017518-100013051-7988.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.

Can you run another quick scan (I have a feeling gaopdxcounter may return)?

Repeated the Malwarebytes quick scan and it didn’t detect anything. Have now managed to get the SuperAntiSpyware running, so will post the log as soon as it’s done.

Hi joto and micky77,

Consider this info:
http://www.bleepingcomputer.com/forums/index.php?showtopic=213599&view=findpost&p=1202127

polonus

Oh my god, I’ve just followed the above link and now think my computer is knackered. Do you think it’s as serious as the link makes out, Micky77, or do you think we can fully sort it?

The SuperAntiSpyware scan detected 3 things, which have been removed. Our internet icons have re-appeared at the bottom of the screen, but the wireless connection button still seems inactive.

Well, it’s good MBAM no longer detects. It looks like what you have is a serious rootkit infection. I have been googling like mad. By all means try MBAM and SAS in safe mode. I went to the MBAM forum; there are a lot of entries for gaopdxcounter.
One person there, who is a moderator, fatdcuk, is EXTREMELY well respected on malware forums. A well informed person. If you look at the link, and the specific instructions regarding rootrepeal, you may have some success.
http://www.malwarebytes.org/forums/index.php?showtopic=13802&hl=gaopdxcounter

http://www.malwarebytes.org/forums/index.php?showtopic=12709 (including download link)

Scan with rootrepeal and copy/paste results: http://rootrepeal.googlepages.com/
Also copy/paste the SAS log. (SAS is good with some rootkits.)

Remember, even though MBAM removes and then scans clean, this rootkit will return on reboot.