Need Help ADSL Virus!!!

Discussion in 'Malware Help (A Specialist Will Reply)' started by h3Xx, Nov 28, 2007.

  1. h3Xx

    h3Xx Private E-2

    I have ADSL and a virus or something makes it dial-up!!!! I can't download AVG at 1.5 kbps, my connection always falls!!! I tried 2 ADSL providers, same problem!!
     

    Attached Files:

  2. h3Xx

    h3Xx Private E-2


    [dial-up!!!!] I mean PSTN!!!!! 54 kbps LOL!!!!
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure what version of the READ ME you are working thru since you attached ComboFix which is from the new READ ME, however you attached runkeys.txt and newfiles.txt logs from old versions of the tools. You need to be using this READ & RUN ME FIRST. Malware Removal Guide You will see a procedure in this new READ ME for running MGtools.exe. This program will produce a single ZIP file to attach to your message and this ZIP file will contain 5 logs (newfiles.txt, runkeys.txt, hijackthis.log, procdll.txt, GetUnKey.txt) and all of these logs will be from current versions of the tools.

    Have you created the below strangely named user accounts (the ones in bold red) or have these occurred without your knowledge:
    Code:
     "C:\Documents and Settings\"
    [B][COLOR=red]288B~1        27 Nov 2007              "ÄçìÞôñçò ÌáõñïìÜôçò"[/COLOR][/B]
    ADMINI~1       3 Nov 2007              "Administrator"
    ADMINI~1.USE   4 Nov 2007              "Administrator.USER-98D412A1B1"
    ALLUSE~1      15 Dec 2006              "All Users"
    [B][COLOR=red]DCCB~1        15 Nov 2007              "ƒž£ã«¨žª ‹˜¬¨¦£á«žª"[/COLOR][/B]
    DEFAUL~1      15 Dec 2006              "Default User"
    LOCALS~1      15 Dec 2006              "LocalService"
    NETWOR~1      15 Dec 2006              "NetworkService"
    USER          15 Dec 2006              "User"
    I'm also seeing other strange file names on your PC like below. Do you recognize this? Is this a non-English version of Windows?
    Code:
     
    "C:\Documents and Settings\All Users\"
    6808~1        15 Dec 2006              "„§ ­á¤œ ˜ œ¨š˜©å˜ª"
     
    "C:\Documents and Settings\All Users\Start Menu\"
    96a6~1.lnk    15 Nov 2007        1621  "ލ ©£æª §¨æ©™˜©žª ¡˜  §¨¦œ§ ¢¦šé¤ §¨¦š¨˜££á«à¤.lnk"
    window~2.lnk  15 Nov 2007         398  "‰˜«á¢¦š¦ª «à¤ Windows.lnk"
     
    Also again in your installed program list I see strange characters for program names
    Code:
     "DisplayName"="ÅíçìÝñùóç áóöáëåßáò ãéá Windows XP (KB923789)"
    "DisplayName"="WinRAR 3.70 – ÅöáñìïãÞ Äéá÷åßñéóçò ÓõìðéåóìÝíùí Áñ÷åßùí"
    Delete the below file:
    C:\WINDOWS\fxavx.ini

    Also can you tell me what the below file is for?
    Code:
    "C:\WINDOWS\"
    injectme.dll  26 May 2007       39424  "InjectMe.dll"
     
    Last edited: Nov 29, 2007
  4. h3Xx

    h3Xx Private E-2

    MY WINDOWS XP IS IN GREEK, THAT'S WHY THE STRANGE LETTERS


    Before Translation

    Code:
     
    "C:\Documents and Settings\All Users\"
    6808~1        15 Dec 2006              "„§ ­á¤œ ˜ œ¨š˜©å˜ª"
     
    "C:\Documents and Settings\All Users\Start Menu\"
    96a6~1.lnk    15 Nov 2007        1621  "ލ ©£æª §¨æ©™˜©žª ¡˜  §¨¦œ§ ¢¦šé¤ §¨¦š¨˜££á«à¤.lnk"
    window~2.lnk  15 Nov 2007         398  "‰˜«á¢¦š¦ª «à¤ Windows.lnk"
     
    After

    Can't understand a thing, this isn't Greek

    ---------------------------------------------

    Code:
    Delete the below file:
    C:\WINDOWS\fxavx.ini
    DONE

    ---------------------------------------------

    Before Translation

    Code:
     
    "DisplayName"="ÅíçìÝñùóç áóöáëåßáò ãéá Windows XP (KB923789)"
    "DisplayName"="WinRAR 3.70 – ÅöáñìïãÞ Äéá÷åßñéóçò ÓõìðéåóìÝíùí Áñ÷åßùí"
    
    After

    Code:
    "DisplayName"="Briefing of safety for Windows XP (KB923789)"
    
    "DisplayName"="WinRAR 3.70 –Application of Management of Compressed Files"
    ---------------------------------------------

    Before Translation
    Code:
    "C:\Documents and Settings\All Users\Start Menu\"
    
    96a6~1.lnk    15 Nov 2007        1621  "ލ ©£ζͺ §¨ζ©™˜©žͺ ‘˜  §¨¦œ§ ’¦šι€ §¨¦š¨˜££α«ΰ€.lnk"
    window~2.lnk  15 Nov 2007         398  "‰˜«α’¦š¦ͺ «ΰ€ Windows.lnk"
    
    DCCB~1        15 Nov 2007              "ƒž£γ«¨žͺ ‹˜¬¨¦£α«žͺ"
    After

    I can't understand these things. I have the Encryption for Greek and it shows the same letters @#!@^#%&^ (symbols)

    ---------------------------------------------

    Before

    288B~1 27 Nov 2007 "ÄçìÞôñçò ÌáõñïìÜôçò"
    DCCB~1 15 Nov 2007 "ƒž£ã«¨žª ‹˜¬¨¦£á«žª"


    After

    I Made this Account in Greek:
    288B~1 27 Nov 2007 "ÄçìÞôñçò ÌáõñïìÜôçò"

    Can't Translate it is not my language!!!
    DCCB~1 15 Nov 2007 "ƒž£ã«¨žª ‹˜¬¨¦£á«žª"

    ---------------------------------------------

    Code:
    "C:\WINDOWS\"
    injectme.dll  26 May 2007       39424  "InjectMe.dll"
    First time heard of it :p




    I uploaded the new logs
     

    Attached Files:

    Last edited: Nov 29, 2007
  5. h3Xx

    h3Xx Private E-2

    Adding Logs:

    GetUnKey
    hijackthis
     

    Attached Files:

  6. h3Xx

    h3Xx Private E-2

    Anyone?!?!
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are going to have to determine if any of those items that to me are strangely named are good or bad. Especially the user accounts and things in the Startup folder. I cannot tell from my end due to the character translation.

    Something that immediately hits me is that I see you are using Kaspersky Internet Security which has its own firewall and then you also have Sygate Personal Firewall installed. Per the READ ME, you must not use more than one software firewall. Thus you must uninstall Sygate now.

    Now also per the READ ME, note that you were supposed to be just attaching the C:\MGlogs.zip file and not the individual logs in the MGtools folder.

    Rename the C:\WINDOWS\injectme.dll file to injectme.dll.bak


    Also delete the below folder:
    C:\Documents and Settings\All Users\Application Data\pile hold boob manager



    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
    R3 - URLSearchHook: (no name) - {a8f3f65f-f636-4ee8-8e80-82174ca5e030} - (no file)
    O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)

    After clicking Fix, exit HJT.

    Other than the above, your logs do not show anything of concern.
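    The "character translation" problem chaslang raises in posts 3 and 7 (and that h3Xx could not resolve in post 4) is ordinary mojibake: the log tools wrote the Greek names as 8-bit bytes in the Greek ANSI code page (Windows-1253) or the Greek OEM/console code page (CP737), and a viewer on a Western system rendered those same bytes as Windows-1252 / Latin-1. The script below is an added example, not code from the thread or from MajorGeeks; it assumes exactly those two code-page pairs and uses the strings from the thread's own listings as constructed samples. Re-decoding them is what lets a helper check the suspicious entries against what the user says they created, instead of guessing from the garbled characters.

```python
# Added example (not from the thread): recover Greek names from the mojibake in
# the MajorGeeks log excerpts. Assumption: the viewer showed the raw bytes as
# Windows-1252 / Latin-1, while the bytes were really Windows-1253 (ANSI Greek)
# or CP737 (OEM/DOS Greek, used by console tools).
from typing import List, Tuple

# Constructed samples copied from the listings quoted in the thread. The 6808~1
# entry is left out because the forum turned one of its bytes (0xA0) into a
# plain space, so it can no longer be recovered exactly.
SAMPLES = {
    "288B~1": "ÄçìÞôñçò ÌáõñïìÜôçò",
    "DCCB~1": "ƒž£ã«¨žª ‹˜¬¨¦£á«žª",
    "window~2.lnk": "‰˜«á¢¦š¦ª «à¤ Windows.lnk",
    "KB923789": "ÅíçìÝñùóç áóöáëåßáò ãéá Windows XP (KB923789)",
}

# (code page the viewer displayed the bytes as, code page the bytes really were)
CANDIDATES = [
    ("latin-1", "cp1253"),  # ANSI Greek text shown as Western
    ("cp1252", "cp737"),    # OEM/DOS Greek text shown as Western
]


def redecode(shown: str, shown_as: str, actual: str) -> str:
    """Turn the displayed characters back into the bytes the viewer received,
    then decode those bytes with the code page they were written in."""
    raw = shown.encode(shown_as, errors="strict")
    return raw.decode(actual, errors="strict")


def is_plausible_greek(text: str) -> bool:
    """Accept only text made of ASCII plus characters from the Greek block;
    a wrong guess typically yields box-drawing or Latin symbols instead."""
    return all(ch.isascii() or "\u0370" <= ch <= "\u03ff" for ch in text)


def best_guess(shown: str) -> List[Tuple[str, str, str]]:
    """Try every candidate pair; keep those that round-trip without error and
    produce plausible Greek. Returns (shown_as, actual, recovered_text) tuples."""
    hits = []
    for shown_as, actual in CANDIDATES:
        try:
            out = redecode(shown, shown_as, actual)
        except UnicodeError:  # character not in that code page: wrong guess
            continue
        if is_plausible_greek(out):
            hits.append((shown_as, actual, out))
    return hits


def same_name(a: str, b: str) -> bool:
    """True when two differently garbled entries recover to the same text,
    e.g. the two user-profile folders flagged in the thread."""
    ga, gb = best_guess(a), best_guess(b)
    return bool(ga) and bool(gb) and ga[0][2] == gb[0][2]


if __name__ == "__main__":
    for label, shown in SAMPLES.items():
        for shown_as, actual, text in best_guess(shown):
            print(f"{label:13} {shown_as:>8} -> {actual:7} {text}")
    print("288B~1 and DCCB~1 are the same name:",
          same_name(SAMPLES["288B~1"], SAMPLES["DCCB~1"]))
```

Running it shows that the 288B~1 and DCCB~1 profile folders carry the same Greek personal name in two different encodings, the Start Menu shortcut is the standard "Windows Catalog" link, and the first DisplayName is the Windows XP security update KB923789. For triage, that turns "strange characters" into names the user can confirm or deny, which is the check chaslang asks for.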
     
