HJT log, need help!

Post by Ela1n » December 18th, 2009, 6:47 am

Primary antivirus AVG update is blocked, AVZ is not opening, renaming and a morphed version also don't work. I'm pretty sure the PC is infected, here's the log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:31:14, on 18.12.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\csrcs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ABBYY Lingvo 11 Three Languages\Lvagent.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\ums\Рабочий стол\антивирус\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\net.exe

F2 - REG:system.ini: Shell=Explorer.exe csrcs.exe
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Lingvo Launcher] "C:\Program Files\ABBYY Lingvo 11 Three Languages\Lvagent.exe" /STARTUP
O4 - HKLM\..\Run: [LingvoTraining] "C:\Program Files\ABBYY Lingvo 11 Three Languages\Tutor.exe" /ND /NW /AS
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunServices: [csrcs] C:\WINDOWS\system32\csrcs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [csrcs] C:\WINDOWS\system32\csrcs.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Перевести с помощью ABBYY Lingvo... - res://C:\Program Files\ABBYY Lingvo 11 Three Languages\Lingvo.exe/3000
O8 - Extra context menu item: &Экспорт в Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O17 - HKLM\System\CCS\Services\Tcpip\..\{492DC32E-8CE3-426F-8DF6-A2062C046099}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{98AC28EF-4FC5-4FF5-94C6-74DF365017BC}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{E3E141B9-7E75-4DCE-8D0D-806CB6D9F173}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{492DC32E-8CE3-426F-8DF6-A2062C046099}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{492DC32E-8CE3-426F-8DF6-A2062C046099}: NameServer = 192.168.1.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Журнал событий (Eventlog) - Корпорация Майкрософт - C:\WINDOWS\system32\services.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Служба COM записи компакт-дисков IMAPI (ImapiService) - Корпорация Майкрософт - C:\WINDOWS\system32\imapi.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Корпорация Майкрософт - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Plug and Play (PlugPlay) - Корпорация Майкрософт - C:\WINDOWS\system32\services.exe
O23 - Service: Диспетчер сеанса справки для удаленного рабочего стола (RDSessMgr) - Корпорация Майкрософт - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Смарт-карты (SCardSvr) - Корпорация Майкрософт - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Журналы и оповещения производительности (SysmonLog) - Корпорация Майкрософт - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Теневое копирование тома (VSS) - Корпорация Майкрософт - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Адаптер производительности WMI (WmiApSrv) - Корпорация Майкрософт - C:\WINDOWS\system32\wbem\wmiapsrv.exe
Ela1n
Active Member
 
Posts: 4
Joined: December 18th, 2009, 6:37 am

Re: HJT log, need help!

Post by MWR 3 day Mod » December 22nd, 2009, 3:22 pm

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: HJT log, need help!

Post by jmw3 » December 28th, 2009, 6:16 am

Hello & Welcome to Malware Removal

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this ensure Notify me when a reply is posted is ticked on the POST A REPLY page.

In the meantime please note the following:
  • Please take time to read the Malware Removal Forum Guidelines and Rules where the conditions for receiving help at this forum are explained.
  • Any recommendations made are for your computer problems only and should NOT be used on any other computer.
  • Please DO NOT run any scans/tools or other fixes unless I ask you to. This is very important for several reasons. Here are just two of them:
    1. The tools that we use are very powerful and can cause >>irreparable damage<< to your computer if not used correctly.
    2. Commercial scanners, for the most part, cannot completely remove some of the more "resistant" infections. This makes it much more difficult to get rid of completely.
  • If you get stuck or are unsure of something please ask for a further explanation, do not guess.
  • It will require more than one round to properly clean your system. Continue to respond to this thread until I give you the All Clean! even if symptoms seemingly abate.
Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.
If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave & if there is no contact for that amount of time I will have to assume you have abandoned your topic.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Thanks

DDS
Download DDS.scr by sUBs from one of the following links & save it to your desktop.
Link 1
Link 2
  • Double-Click on dds.scr and a command window will appear. This is normal
  • Shortly after two logs will appear, DDS.txt & Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply
Gmer
Download GMER Rootkit Scanner from here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Note: Do not run any programs while Gmer is running.

To post in next reply:
Contents of DDS log
Contents of Attach.txt
Contents of Gmer log
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: HJT log, need help!

Post by Ela1n » December 28th, 2009, 11:56 am

DDS (Ver_09-12-01.01) - FAT32x86
Run by ums at 17:28:59,17 on 28.12.2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1251.7.1049.18.223.59 [GMT 2:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\csrcs.exe
C:\WINDOWS\system32\igfxtray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ABBYY Lingvo 11 Three Languages\Lvagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\net.exe
C:\Documents and Settings\ums\Рабочий стол\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.ua/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Shell=Explorer.exe csrcs.exe
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Lingvo Launcher] "c:\program files\abbyy lingvo 11 three languages\Lvagent.exe" /STARTUP
mRun: [LingvoTraining] "c:\program files\abbyy lingvo 11 three languages\Tutor.exe" /ND /NW /AS
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRunServices: [csrcs] c:\windows\system32\csrcs.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mExplorerRun: [csrcs] c:\windows\system32\csrcs.exe
IE: &Перевести с помощью ABBYY Lingvo... - c:\program files\abbyy lingvo 11 three languages\Lingvo.exe/3000
IE: &Экспорт в Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/fl ... rashim.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {492DC32E-8CE3-426F-8DF6-A2062C046099} = 192.168.1.1
TCP: {98AC28EF-4FC5-4FF5-94C6-74DF365017BC} = 192.168.1.1
TCP: {E3E141B9-7E75-4DCE-8D0D-806CB6D9F173} = 192.168.1.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SEH: N/A: {dc7596cb-d6cc-dca3-de52-deea63f6c61d} - c:\program files\internet explorer\rksldk.dll

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-6-16 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-16 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-16 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-16 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-17 297752]

=============== Created Last 30 ================

2009-12-28 12:37:56 0 d-sh--w- C:\FOUND.005
2009-12-25 09:10:06 0 d-sh--w- C:\FOUND.004
2009-12-24 08:00:44 0 d-sh--w- C:\FOUND.003
2009-12-23 08:45:24 0 d-sh--w- C:\FOUND.002
2009-12-22 14:38:28 0 d-sh--w- C:\FOUND.001
2009-12-22 13:32:52 0 d-sh--w- C:\FOUND.000
2009-12-18 08:54:48 0 d--h--w- c:\windows\$hf_mig$
2009-12-18 08:52:03 0 d-----w- c:\windows\pss
2009-12-15 15:15:05 0 --sha-r- C:\khw
2009-12-15 08:07:55 0 --sha-r- C:\khv
2009-12-15 08:07:10 1244 --sha-r- c:\windows\system32\autorun.i
2009-12-15 08:07:09 571 --sha-r- c:\windows\system32\autorun.in
2009-12-08 14:10:18 0 d-sh--w- C:\FOUND.013

==================== Find3M ====================

2004-08-18 14:00:00 2 --sh--w- c:\program files\desktop.ini
2004-08-18 15:13:58 656408 --sha-r- c:\windows\system32\csrcs.exe

============= FINISH: 17:29:56,53 ===============


------------------------------------------------------------------------


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 25.10.2007 13:26:19
System Uptime: 28.12.2009 14:36:51 (3 hours ago)

Motherboard: Gigabyte Technology Co., Ltd. | | 8IG1000-G
Processor: Intel(R) Celeron(R) CPU 2.26GHz | Socket 478 | 2840/167mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (FAT32) - 10 GiB total, 4,121 GiB free.
D: is FIXED (FAT32) - 28 GiB total, 26,125 GiB free.
E: is CDROM (CDFS)

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP316: 02.10.2009 12:18:19 - Системная контрольная точка
RP317: 05.10.2009 10:31:25 - Системная контрольная точка
RP318: 06.10.2009 13:22:41 - Системная контрольная точка
RP319: 07.10.2009 13:52:21 - Системная контрольная точка
RP320: 08.10.2009 9:56:49 - Avg8 Update
RP321: 09.10.2009 10:34:31 - Системная контрольная точка
RP322: 12.10.2009 13:28:33 - Системная контрольная точка
RP323: 14.10.2009 9:47:17 - Системная контрольная точка
RP324: 15.10.2009 15:03:20 - Системная контрольная точка
RP325: 16.10.2009 15:21:48 - Системная контрольная точка
RP326: 19.10.2009 10:02:04 - Системная контрольная точка
RP327: 20.10.2009 13:55:28 - Системная контрольная точка
RP328: 21.10.2009 14:21:56 - Системная контрольная точка
RP329: 22.10.2009 9:48:15 - Avg8 Update
RP330: 23.10.2009 10:02:38 - Системная контрольная точка
RP331: 26.10.2009 13:01:34 - Системная контрольная точка
RP332: 27.10.2009 13:33:10 - Системная контрольная точка
RP333: 28.10.2009 13:37:56 - Системная контрольная точка
RP334: 29.10.2009 13:38:47 - Системная контрольная точка
RP335: 30.10.2009 14:33:45 - Системная контрольная точка
RP336: 02.11.2009 11:02:29 - Системная контрольная точка
RP337: 03.11.2009 9:45:07 - Avg8 Update
RP338: 04.11.2009 10:47:49 - Системная контрольная точка
RP339: 05.11.2009 11:26:42 - Системная контрольная точка
RP340: 06.11.2009 9:34:34 - Avg8 Update
RP341: 09.11.2009 11:12:59 - Системная контрольная точка
RP342: 10.11.2009 13:20:41 - Системная контрольная точка
RP343: 11.11.2009 14:01:39 - Системная контрольная точка
RP344: 12.11.2009 14:48:31 - Системная контрольная точка
RP345: 13.11.2009 16:18:22 - Системная контрольная точка
RP346: 16.11.2009 9:56:49 - Системная контрольная точка
RP347: 17.11.2009 11:32:15 - Системная контрольная точка
RP348: 18.11.2009 12:06:08 - Системная контрольная точка
RP349: 19.11.2009 12:48:22 - Системная контрольная точка
RP350: 20.11.2009 13:43:21 - Системная контрольная точка
RP351: 23.11.2009 10:28:27 - Системная контрольная точка
RP352: 24.11.2009 11:14:40 - Системная контрольная точка
RP353: 25.11.2009 13:16:35 - Системная контрольная точка
RP354: 26.11.2009 9:09:06 - Avg8 Update
RP355: 26.11.2009 12:23:54 - Removed QuickTime
RP356: 27.11.2009 12:48:43 - Системная контрольная точка
RP357: 30.11.2009 10:34:11 - Системная контрольная точка
RP358: 01.12.2009 11:16:16 - Системная контрольная точка
RP359: 02.12.2009 11:27:41 - Системная контрольная точка
RP360: 03.12.2009 11:40:31 - Системная контрольная точка
RP361: 04.12.2009 12:17:05 - Системная контрольная точка
RP362: 07.12.2009 16:03:06 - Системная контрольная точка
RP363: 09.12.2009 11:20:24 - Системная контрольная точка
RP364: 10.12.2009 13:12:04 - Системная контрольная точка
RP365: 11.12.2009 10:46:47 - Avg8 Update
RP366: 11.12.2009 10:47:16 - Avg8 Update
RP367: 14.12.2009 10:30:57 - Системная контрольная точка
RP368: 15.12.2009 13:18:20 - Системная контрольная точка
RP369: 16.12.2009 14:24:43 - Системная контрольная точка
RP370: 17.12.2009 14:52:42 - Системная контрольная точка
RP371: 18.12.2009 10:55:01 - Установлен KB921883 для Windows XP.
RP372: 21.12.2009 15:26:12 - Системная контрольная точка
RP373: 22.12.2009 15:51:44 - Системная контрольная точка
RP374: 23.12.2009 17:50:37 - Системная контрольная точка
RP375: 25.12.2009 13:30:22 - Системная контрольная точка
RP376: 28.12.2009 10:44:23 - Системная контрольная точка

==== Installed Programs ======================

Обновление безопасности для Windows XP (KB921883)
ABBYY Lingvo 11 Three Languages
Adobe Acrobat 5.0
Adobe Flash Player 10 ActiveX
Apple Software Update
AVG 8.5
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Intel(R) Extreme Graphics 2 Driver
Marvell Miniport Driver
Microsoft Office XP (профессиональный выпуск)
Microsoft Visual C++ 2005 Redistributable
Realtek AC'97 Audio
Total Commander 7.0 RC4
WebFldrs XP

==== End Of File ===========================

Sorry for the attach, but no archiver is installed on this PC and I don't have any time.

When I start a scan in Gmer, it works a bit, then when it comes to file system32\version.dll Gmer closes. After this I can't start any new application, it just doesn't appear, so I have to restart.
Ela1n
Active Member
 
Posts: 4
Joined: December 18th, 2009, 6:37 am

Re: HJT log, need help!

Post by jmw3 » December 28th, 2009, 8:04 pm

Hi

When I start a scan in Gmer, it works a bit, then when it comes to file system32\version.dll Gmer closes. After this I can't start any new application, it just doesn't appear, so I have to restart.
Just to clarify... when Gmer closes, it's only that application you can't start, or is it ALL applications?

Rkill
Note: If your security software warns about Rkill, please ignore & allow the download to continue.
Download Rkill by Grinler using one of the following links. Save it to your Desktop.
Download links: One, Two, Three or Four
  • Double click on the Rkill Desktop icon
  • A command window will open then disappear upon completion, this is normal
Please leave Rkill on the Desktop unless instructed otherwise.

TFC (Temp File Cleaner)
Download TFC (Temp File Cleaner) by Old Timer here & save it to your desktop.
  • Save any unsaved work. TFC Cleaner will close all open application windows
  • Double-click TFC.exe to run the program, your desktop will temporarily disappear
  • If prompted, click Yes to reboot
Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take any longer than a couple of minutes & may only take a few seconds. Only if needed will you be prompted to reboot.

Malwarebytes' Anti-Malware
Download Malwarebytes' Anti-Malware here & save to your desktop.
  • Double-click mbam-setup.exe & follow the prompts to install the program
  • At the end, be sure a checkmark is placed next to:
    Update Malwarebytes' Anti-Malware
    Launch Malwarebytes' Anti-Malware
  • Then click Finish
  • If an update is found, it will download and install the latest version
  • Once the program has loaded, select Perform full scan, then click Scan
  • When the scan is complete, click OK, then Show Results to view the results
  • Check all items except items in the C:\System Volume Information folder... then click on Remove Selected
  • When completed, a log will open in Notepad. Please copy & paste the log back into your next reply
  • Note: The log is automatically saved by Malwarebytes' Anti-Malware & can be viewed by clicking the Logs tab
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either & let Malwarebytes' Anti-Malware proceed with the disinfection process.
If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware.
If you receive an (Error Loading) error on reboot, please reboot a second time. It is normal for this error to occur once & does not need to be reported unless it returns on future reboots.


Now try running Gmer again following instructions previously posted.

To post in next reply:
Malwarebytes log
Gmer log (if it ran)
New DDS log (Just the DDS log. I don't need to see a new Attach.txt log)
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: HJT log, need help!

Post by Ela1n » December 28th, 2009, 11:21 pm

I can't start any application including Gmer, can't even open a folder without a reboot.

I'll do everything and post results as soon as I go to work, since it's Christmas time.
Ela1n
Active Member
 
Posts: 4
Joined: December 18th, 2009, 6:37 am

Re: HJT log, need help!

Post by jmw3 » December 29th, 2009, 2:00 am

No problem... post when ready.
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: HJT log, need help!

Post by Dakeyras » January 1st, 2010, 6:55 am

Due to lack of activity, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
Dakeyras
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra