Help with a persistent trojan!


Deagle
12-02-2006, 02:14 AM
Hey, I haven't been on here in a while because I'm busy with school. Anyway, I got this nasty trojan that won't die. Here's what I have tried so far:
AVG Resident Shield said that it's a trojan horse called generic2.KRQ located in C:\Windows\system32\{...}.exe. However, I can't seem to find this file to delete it. I ran HJT and got this:

Logfile of HijackThis v1.99.1
Scan saved at 9:03:29 PM, on 12/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
D:\INSTAL~1\AVG\avgcc.exe
D:\INSTAL~1\AVG\avgamsvr.exe
D:\INSTAL~1\AVG\avgupsvc.exe
D:\INSTAL~1\AVG\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
D:\INSTAL~1\AVG\avgwb.dat
H:\Program Files\Firefox\Mozilla Firefox\firefox.exe
D:\Installed programs\Hijacked This\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\INSTAL~1\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [vtdln.exe] C:\WINDOWS\system32\vtdln.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = H:\Program Files\Adobe\Reader\reader_sl.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0501DEBE-D887-47A6-949D-636CE89869A8}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E8BE7C0-7A52-41FC-80CC-17DFA1E19DCB}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E33FBD2-0FDB-40F6-9B5B-3D17D24596E2}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.150 85.255.112.70
O17 - HKLM\System\CS1\Services\Tcpip\..\{0501DEBE-D887-47A6-949D-636CE89869A8}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.150 85.255.112.70
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\INSTAL~1\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\INSTAL~1\AVG\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\INSTAL~1\AVG\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

I tried to boot in safe mode and run AVG/Ad-aware, still no luck. One strange thing is that every time I reboot, iexplorer.exe would be on. I suspect that this is run by the trojan but can't get rid of it. As you can see in the HJT log, I've closed it with Task Manager. I'm not sure about
O4 - HKLM\..\Run: [vtdln.exe] C:\WINDOWS\system32\vtdln.exe
and all of the O17s. Anyone care to explain? Also, when AVG is run it shows a reading error in vtdln.exe.

Budfred
12-02-2006, 02:52 AM
You correctly identified the problems showing in the HJT log...

Open a HJT scan and put checks by:

O4 - HKLM\..\Run: [vtdln.exe] C:\WINDOWS\system32\vtdln.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0501DEBE-D887-47A6-949D-636CE89869A8}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E8BE7C0-7A52-41FC-80CC-17DFA1E19DCB}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E33FBD2-0FDB-40F6-9B5B-3D17D24596E2}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.150 85.255.112.70
O17 - HKLM\System\CS1\Services\Tcpip\..\{0501DEBE-D887-47A6-949D-636CE89869A8}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.150 85.255.112.70

Close all open windows except HJT and press Fix checked...

The O17s are from the Ukraine and it is likely that they reflect a trojan that is trying to steal personal info to rob you... You need to change/put watches on passwords, account numbers and so on that you might have used on this computer... What was the file you were looking for here??

C:\Windows\system32\{...}.exe

The generic2.KRQ produced no Google hits, so I can't even identify this infection... Try a few more scans to see if you can kill it or at least better identify it...

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall...

Then AVG AS (Ewido)...

Please download, install, and update Ewido anti-spyware (http://www.ewido.net/en/download/)
Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.

After the update finishes (the status bar at the bottom will display "Update successful")

Close ewido. Do not run it yet.


Please reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode on the screen that appears.


In Safe Mode, load Ewido and click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.

Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.

Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).

Restart back into Normal Mode.


Please perform another scan with Hijack This, and then post back with a copy of the Ewido log and the new HijackThis log.

and then...

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, see if you can click the icon next to the files found: http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it, then click the icon right below and select Move incurable, as you'll see in the next image:
http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif
This will move it to the %userprofile%\DoctorWeb quarantine folder if it can't be cured (this is in case we need samples).
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! It is possible that files in use will only be moved/deleted during the reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.


Post all of the logs and a fresh HJT log...

Deagle
12-02-2006, 05:02 AM
I have the ComboFix log but it's too long to post here (58808 chars > max of 10000 chars). Here are the other 2 logs:
Ewido log:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:28:15 PM 12/1/2006

+ Scan result:



[196] VM_00D60000 -> Downloader.Agent.uj : Cleaned with backup (quarantined).
[220] VM_00BF0000 -> Downloader.Agent.uj : Cleaned with backup (quarantined).
[780] VM_009D0000 -> Downloader.Agent.uj : Cleaned with backup (quarantined).


::Report end

HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 11:32:42 PM, on 12/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
D:\INSTAL~1\AVG\avgcc.exe
D:\Installed programs\AVG anti-spyware\AVG Anti-Spyware 7.5\avgas.exe
H:\Program Files\Adobe\Reader\reader_sl.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Installed programs\AVG anti-spyware\AVG Anti-Spyware 7.5\guard.exe
D:\INSTAL~1\AVG\avgamsvr.exe
D:\INSTAL~1\AVG\avgupsvc.exe
D:\INSTAL~1\AVG\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
H:\Program Files\Firefox\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Installed programs\Hijacked This\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\INSTAL~1\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Installed programs\AVG anti-spyware\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [jjcft.exe] C:\WINDOWS\system32\jjcft.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = H:\Program Files\Adobe\Reader\reader_sl.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0501DEBE-D887-47A6-949D-636CE89869A8}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E8BE7C0-7A52-41FC-80CC-17DFA1E19DCB}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E33FBD2-0FDB-40F6-9B5B-3D17D24596E2}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.150 85.255.112.70
O17 - HKLM\System\CS1\Services\Tcpip\..\{0501DEBE-D887-47A6-949D-636CE89869A8}: NameServer = 85.255.116.150,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.150 85.255.112.70
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Installed programs\AVG anti-spyware\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\INSTAL~1\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\INSTAL~1\AVG\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\INSTAL~1\AVG\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

As you can see, the O17s are back. It's like every time I delete them and reboot they appear again. Also, it seems they use a different .exe each time. Notice that now it's called jjcft.exe instead of vtdln.exe. The AVG scan doesn't show anything other than a reading error with jjcft.exe. I tried to get more info on generic2.krq but no luck. When AVG gives me the option to heal or remove, I click either one and it gives "cannot remove, access denied...". The file location C:\Windows\system32\{...}.exe seems to change every time I reboot.
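The two indicators Deagle and Budfred are going back and forth on, the rogue O17 NameServer entries and a Run entry named after its own randomly named file in system32, can be pulled out of an HJT log mechanically. This is an added Python example, not code from the thread or from HijackThis; the sample lines are constructed (the 85.255.x.x resolvers are the ones in the logs above, 192.168.1.1 and `{GUID}` are placeholders), and the system32 rule is a heuristic tuned to exactly the entries shown in this thread.

```python
import ipaddress, re

O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[([^\]]+)\] (.+)$")
O17_RE = re.compile(r"^O17 - (\S+): NameServer = (.+)$")

# Constructed sample in HijackThis format (not a real log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] D:\INSTAL~1\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [jjcft.exe] C:\WINDOWS\system32\jjcft.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.150 85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = 192.168.1.1
"""

def untrusted_resolvers(line, trusted=frozenset()):
    """Resolvers in an O17 line that are neither RFC 1918 nor in `trusted` ([] if not O17)."""
    m = O17_RE.match(line.strip())
    if not m:
        return []
    bad = []
    for s in re.split(r"[,\s]+", m.group(2).strip()):
        try:
            if ipaddress.ip_address(s).is_private or s in trusted:
                continue
        except ValueError:
            pass  # not even an IP address: report it as well
        bad.append(s)
    return bad

def run_entry_image(line):
    """Executable path from an O4 Run line (quoted paths kept whole), else None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group(2).strip()
    return cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split()[0]

def suspicious_run_entry(line):
    """The thread's pattern: Run value named after its own file, and that file is in system32."""
    image = run_entry_image(line)
    if image is None:
        return False
    name = O4_RE.match(line.strip()).group(1).lower()
    return image.rsplit("\\", 1)[-1].lower() == name and "\\system32\\" in image.lower()

def scan_log(text, trusted=frozenset()):
    findings = []  # (kind, line, detail) for every flagged line
    for line in text.splitlines():
        if bad := untrusted_resolvers(line, trusted):
            findings.append(("O17", line, bad))
        elif suspicious_run_entry(line):
            findings.append(("O4", line, run_entry_image(line)))
    return findings
```

Pass your ISP's or router's resolver addresses in `trusted` so legitimate public DNS servers are not flagged; anything else left in O17 is worth a look.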

Deagle
12-02-2006, 07:07 AM
Thanks for the help, but I was in a hurry so I just reformatted the C: drive to get rid of this headache. Anyway, now that I have a fresh new Windows, any advice/programs I need to prevent future headaches?
Thanks.

Budfred
12-02-2006, 07:57 AM
I hope you also let the RAM clear...

As for suggestions...

Here is my prevention speech to help avoid future infection:

This is a good time to set up protection against further attacks. Read the article linked below about "How did I get infected". You need an antivirus that is updated, a good firewall (a router firewall is not enough) and a spyware blocker like SpywareBlaster and also IE-Spyads. All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways; they are not only usually useless, but also often have malware in them...

http://forums.spywareinfo.com/index.php?showtopic=60955