Hi,
You may wish to copy and paste these instructions on notepad for easier reference later.
Boot into safe mode under your normal user name. See how HERE
Next turn on "Show all files and folders, including hidden and system". See how HERE
Go to start > run and type services.msc. Press the enter key.
Search for the following services. Double click each one and select Stop if it is running. Set the startup type to Disabled. Click Apply/OK for each service you disable.
shellservice
After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):
O21 - SSODL: shellservice - {8FB2D6CA-E258-48CF-9DAB-EEFB735E225C} - C:\WINDOWS\system32\config\atww\ShellService.dll
Close HJT.
Run AVG AntiRootkit and fix these entries:
C:\WINDOWS\system32\config\atww
C:\WINDOWS\system32\config\atww\Cache
C:\WINDOWS\system32\config\atww\ccp.dll 282624 bytes
C:\WINDOWS\system32\config\atww\Config.xml 552 bytes
C:\WINDOWS\system32\config\atww\dprx.dll 122880 bytes
C:\WINDOWS\system32\config\atww\dtor.exe 581632 bytes
C:\WINDOWS\system32\config\atww\ffe.dll 282624 bytes
C:\WINDOWS\system32\config\atww\filesvc.sys 12288 bytes
C:\WINDOWS\system32\config\atww\mca.dll 454656 bytes
C:\WINDOWS\system32\config\atww\mcff.dll 212992 bytes
C:\WINDOWS\system32\config\atww\mcie.dll 278528 bytes
C:\WINDOWS\system32\config\atww\mck.dll 516096 bytes
C:\WINDOWS\system32\config\atww\mcmsg.dll 151552 bytes
C:\WINDOWS\system32\config\atww\mco.dll 258048 bytes
C:\WINDOWS\system32\config\atww\mcoexp.dll 286720 bytes
C:\WINDOWS\system32\config\atww\mcsc.dll 913408 bytes
C:\WINDOWS\system32\config\atww\mcy.dll 155648 bytes
C:\WINDOWS\system32\config\atww\procdrv.sys 8192 bytes
C:\WINDOWS\system32\config\atww\regfil.sys 8192 bytes
C:\WINDOWS\system32\config\atww\Settings.xml 12288 bytes
C:\WINDOWS\system32\config\atww\ShellService.dll 94208 bytes
Navigate in Windows Explorer and delete the following files and folders in bold.
C:\WINDOWS\system\SysSD.dll
C:\WINDOWS\system32\config\atww\ < delete this entire folder
Reboot into normal mode and rehide your protected OS files.
Thereafter, please post fresh HJT and ComboFix logs from normal mode as attachments into this thread.
Let me know if the AVG antirootkit deletions are successful.
Regards,
Your friendly momok =)
This thread is for the use of Rhinezfinest only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
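For anyone checking a machine for the same kind of infection, the following read-only PowerShell script is an added example (not part of momok's instructions and not a HijackThis or AVG tool) that enumerates the Shell Service Object Delay Load (SSODL) entries HijackThis reports as O21, resolves each CLSID to its DLL, and flags any DLL outside the Windows system directories or under the atww folder named above. It assumes PowerShell is available on the machine; the registry locations used are the standard SSODL and CLSID keys, and the atww path and the shellservice name come from this thread.

```powershell
# Added example: report SSODL (HijackThis "O21") entries and the atww artefacts
# named in this thread. Reports only; it does not change or delete anything.
$ssodlKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$suspectDir = Join-Path $env:SystemRoot 'system32\config\atww'      # path from the thread
$systemDirs = @((Join-Path $env:SystemRoot 'system32'), $env:SystemRoot)

$entries = Get-ItemProperty -Path $ssodlKey -ErrorAction SilentlyContinue
if (-not $entries) { Write-Output 'No SSODL key present'; return }

foreach ($prop in $entries.PSObject.Properties) {
    if ($prop.Name -like 'PS*') { continue }        # skip PowerShell's own metadata properties
    $label = $prop.Name
    $clsid = [string]$prop.Value                     # SSODL value data is the object's CLSID
    # Resolve the CLSID to the DLL that will be loaded into explorer.exe at logon
    $srvKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32"
    $dll = (Get-ItemProperty -Path $srvKey -ErrorAction SilentlyContinue).'(default)'
    if (-not $dll) {
        Write-Output "[orphan] $label $clsid -> no InProcServer32 value (review)"
        continue
    }
    $dll    = [Environment]::ExpandEnvironmentVariables($dll)
    $parent = Split-Path -Parent $dll
    $inSystemDir = $systemDirs | Where-Object { $parent -ieq $_ }
    $flag = if ($dll -like "$suspectDir*")   { 'MATCHES atww PATH' }
            elseif (-not $parent)            { 'relative path, review' }
            elseif (-not $inSystemDir)       { 'outside system directory, review' }
            elseif (-not (Test-Path $dll))   { 'DLL missing on disk' }
            else                             { 'ok' }
    Write-Output ("[{0}] {1} {2} -> {3}" -f $flag, $label, $clsid, $dll)
}

# Dropped folder and service named in the thread: show what is still present
if (Test-Path $suspectDir) {
    Write-Output "[!] $suspectDir still exists:"
    Get-ChildItem -Path $suspectDir -Force | Select-Object Name, Length
}
Get-Service -Name shellservice -ErrorAction SilentlyContinue | Select-Object Name, Status
```

A legitimately installed shell extension that lives outside the Windows directory will also be listed for review, so compare each flagged DLL against the HijackThis log before acting on it.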