Full Version: Trojan on the ropes- HJT+MWB logs
Malwarebytes Forum > Computer Help > Malware Removal - HijackThis Logs
FirefoxForNow
Here we go-

Got a trojan via a WRC torrent DL with IE7. I first noticed that my McAfee had disabled itself. Immediately, I went to system restore, but all the restore points previous to infection were deleted/hidden. I already had Malwarebytes installed, and ran it straight away. It returned several results, which were deleted. My comp also had AdAware and SpyBot (newest versions) installed, which I ran as well. Both detected small malware, which was deleted.

After restart, McAfee initialized in a disabled state. Firefox is working, but IE7 returns exponential numbers of popups. After startup, if I run anti-spyware, a trojan is usually detected. If I delete the trojan, there is no significant change for a few minutes, then randomly a prompt: "Generic Host Process for Win32 services has encountered a problem and needs to close..." If I try to initialize an app after that message, the OS sorta crashes, where nothing will load: no task manager will pop up, no shut down window, etc.

I've got my MWB and HJT logs here. I'll post my McAfee log at the end, if it helps. If you need, I can take a screenshot of active processes and post.

Please help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:57:22 PM, on 2/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Documents and Settings\Marcus\Desktop\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: {e50ee11a-c2b8-2708-f7b4-323b11df1dc9} - {9cd1fd11-b323-4b7f-8072-8b2ca11ee05e} - C:\WINDOWS\system32\mvoqas.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O20 - AppInit_DLLs: mvoqas.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Documents and Settings\Marcus\Desktop\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

--
End of file - 8679 bytes



Malwarebytes' Anti-Malware 1.31
Database version: 1525
Windows 5.1.2600 Service Pack 3

2/20/2009 5:46:28 PM
mbam-log-2009-02-20 (17-46-28).txt

Scan type: Quick Scan
Objects scanned: 55712
Time elapsed: 3 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\Temp\ntdll64.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\warning.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ahtn.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\ntdll64.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Marcus\Local Settings\Temp\ntdll64.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\mousehook.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Marcus\Local Settings\Temp\mousehook.dll (Trojan.FakeAlert) -> Delete on reboot.


McAfee:


2/12/2009 2:21:35 AM Statistics:
2/12/2009 2:21:35 AM Files scanned: 19329
2/12/2009 2:21:35 AM Files detected: 1
2/12/2009 2:21:35 AM Files cleaned: 0
2/12/2009 2:21:35 AM Files deleted: 1
2/12/2009 2:21:35 AM Files moved: 0
2/12/2009 12:09:23 PM Engine version = 5.3.00
2/12/2009 12:09:23 PM DAT version = 5514
2/12/2009 12:09:23 PM Number of virus signatures in EXTRA.DAT = None
2/12/2009 12:09:23 PM Names of viruses that EXTRA.DAT can detect = None
2/12/2009 12:09:53 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM jqs.exe C:\Program Files\Java\jre6\lib\rt.jar\RuntimeTypeInfoSet.class (Virus)
2/12/2009 12:21:53 PM Not scanned (scan timed out) GENERALLEE\Marcus iexplore.exe C:\Program Files\Java\jre6\lib\rt.jar\TypeInfoImpl.class (Virus)
2/12/2009 8:55:30 PM Script execution blocked GENERALLEE\Marcus iexplore.exe Script executed by iexplore.exe Exploit-MS06-014 (Trojan)
2/12/2009 9:03:38 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM aawservice.exe C:\WINDOWS\Driver Cache\i386\driver.cab\CTABCEP2.GPD (Virus)
2/12/2009 9:12:28 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM aawservice.exe C:\Program Files\Activision\Call of Duty 2\main\iw_13.iwd\mtl_metal_chimney (Virus)
2/12/2009 9:42:06 PM Not scanned (The file is encrypted) NT AUTHORITY\SYSTEM aawservice.exe C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityFirewallOpenPorts.zip
2/12/2009 9:42:06 PM Not scanned (The file is encrypted) NT AUTHORITY\SYSTEM aawservice.exe C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityFirewallOpenPorts1.zip
2/12/2009 9:42:06 PM Not scanned (The file is encrypted) NT AUTHORITY\SYSTEM aawservice.exe C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WarezPP.zip
2/12/2009 9:42:06 PM Not scanned (The file is encrypted) NT AUTHORITY\SYSTEM aawservice.exe C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk.zip
2/12/2009 9:45:08 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM aawservice.exe C:\Documents and Settings\Marcus\Desktop\Adobe Photoshop CS2 9.0 Final\Photoshop CS2\Adobe® Photoshop® CS2\commonfilesinstaller\Data1.cab\SING.DLL (Virus)
2/12/2009 9:45:23 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM aawservice.exe C:\Documents and Settings\Marcus\Desktop\Adobe Photoshop CS2 9.0 Final\Photoshop CS2\Adobe® Photoshop® CS2\Data1.cab\VERSIONCUEUI.DLL (Virus)
2/12/2009 9:48:57 PM Engine version = 5.3.00
2/12/2009 9:48:57 PM DAT version = 5524
2/12/2009 9:48:57 PM Number of virus signatures in EXTRA.DAT = None
2/12/2009 9:48:57 PM Names of viruses that EXTRA.DAT can detect = None
2/12/2009 9:50:19 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM jqs.exe C:\Program Files\Java\jre6\lib\rt.jar\Init$1.class (Virus)
2/12/2009 10:09:31 PM Not scanned (scan timed out) GENERALLEE\Marcus iexplore.exe C:\Program Files\Java\jre6\lib\rt.jar\DTMNodeList.class (Virus)
2/13/2009 1:40:44 AM Engine version = 5.3.00
2/13/2009 1:40:44 AM DAT version = 5524
2/13/2009 1:40:44 AM Number of virus signatures in EXTRA.DAT = None
2/13/2009 1:40:44 AM Names of viruses that EXTRA.DAT can detect = None
2/13/2009 1:41:27 AM Not scanned (scan timed out) NT AUTHORITY\SYSTEM jqs.exe C:\Program Files\Java\jre6\lib\rt.jar\SerializerFactory.class (Virus)
2/13/2009 11:43:27 AM Not scanned (scan timed out) NT AUTHORITY\SYSTEM jqs.exe C:\Program Files\Java\jre6\lib\rt.jar\RegistrationDocument.class (Virus)
2/14/2009 3:05:56 PM Not scanned (scan timed out) GENERALLEE\Marcus iexplore.exe C:\Program Files\Java\jre6\lib\rt.jar\motif_sv.class (Virus)
2/14/2009 7:11:44 PM Script execution blocked GENERALLEE\Marcus iexplore.exe Script executed by iexplore.exe Exploit-MS06-014 (Trojan)
2/15/2009 4:54:57 PM Not scanned (scan timed out) GENERALLEE\Marcus firefox.exe C:\Documents and Settings\Marcus\Local Settings\Application Data\Mozilla\Firefox\Profiles\vosyr6jb.default\Cache\_CACHE_001_\00000500.EML (Virus)
2/15/2009 8:33:53 PM Not scanned (scan timed out) GENERALLEE\Marcus firefox.exe C:\Documents and Settings\Marcus\Local Settings\Application Data\Mozilla\Firefox\Profiles\vosyr6jb.default\Cache\_CACHE_001_\00000500.EML (Virus)
2/15/2009 9:15:40 PM Script execution blocked GENERALLEE\Marcus iexplore.exe Script executed by iexplore.exe Exploit-MS06-014 (Trojan)
2/15/2009 9:24:06 PM Not scanned (scan timed out) GENERALLEE\Marcus firefox.exe C:\Documents and Settings\Marcus\Local Settings\Application Data\Mozilla\Firefox\Profiles\vosyr6jb.default\Cache\_CACHE_001_\00000500.EML (Virus)
2/17/2009 10:31:28 AM Not scanned (scan timed out) NT AUTHORITY\SYSTEM jqs.exe C:\Program Files\Java\jre6\lib\rt.jar\DigestMD5Base.class (Virus)
2/17/2009 4:19:51 PM Not scanned (scan timed out) GENERALLEE\Marcus iexplore.exe C:\Program Files\Java\jre6\lib\rt.jar\WindowsIconFactory$CheckBoxIcon.class (Virus)
2/18/2009 10:32:13 AM Not scanned (scan timed out) NT AUTHORITY\SYSTEM jqs.exe C:\Program Files\Java\jre6\lib\rt.jar\NamespaceMappings.class (Virus)
2/18/2009 6:00:43 PM Not scanned (scan timed out) GENERALLEE\Marcus iexplore.exe C:\Program Files\Java\jre6\lib\rt.jar\FuncHere.class (Virus)

2/18/2009 7:33:44 PM Statistics:
2/18/2009 7:33:44 PM Files scanned: 30376
2/18/2009 7:33:44 PM Files detected: 0
2/18/2009 7:33:44 PM Files cleaned: 0
2/18/2009 7:33:44 PM Files deleted: 0
2/18/2009 7:33:44 PM Files moved: 0
2/18/2009 9:41:44 PM Engine version = 5.3.00
2/18/2009 9:41:44 PM DAT version = 5524
2/18/2009 9:41:44 PM Number of virus signatures in EXTRA.DAT = None
2/18/2009 9:41:44 PM Names of viruses that EXTRA.DAT can detect = None
2/18/2009 9:42:17 PM Not scanned (scan timed out) GENERALLEE\Marcus WgaTray.exe C:\Program Files\Java\jre6\lib\rt.jar\XSSimpleTypeDecl$2.class (Virus)
2/18/2009 9:50:45 PM Not scanned (scan timed out) GENERALLEE\Marcus iexplore.exe C:\Program Files\Java\jre6\lib\rt.jar\BootstrapResolver.class (Virus)

2/19/2009 12:17:23 AM Statistics:
2/19/2009 12:17:23 AM Files scanned: 2185
2/19/2009 12:17:23 AM Files detected: 0
2/19/2009 12:17:23 AM Files cleaned: 0
2/19/2009 12:17:23 AM Files deleted: 0
2/19/2009 12:17:23 AM Files moved: 0
2/19/2009 12:25:35 AM Engine version = 5.3.00
2/19/2009 12:25:35 AM DAT version = 5524
2/19/2009 12:25:35 AM Number of virus signatures in EXTRA.DAT = None
2/19/2009 12:25:35 AM Names of viruses that EXTRA.DAT can detect = None
2/19/2009 12:25:50 AM Cleaned C:\WINDOWS\system32\prunnet.exe Generic.dx (Trojan)

2/19/2009 12:29:53 AM Statistics:
2/19/2009 12:29:53 AM Files scanned: 0
2/19/2009 12:29:53 AM Files detected: 1
2/19/2009 12:29:53 AM Files cleaned: 0
2/19/2009 12:29:53 AM Files deleted: 0
2/19/2009 12:29:53 AM Files moved: 0
2/19/2009 12:31:51 AM Engine version = 5.3.00
2/19/2009 12:31:51 AM DAT version = 5524
2/19/2009 12:31:51 AM Number of virus signatures in EXTRA.DAT = None
2/19/2009 12:31:51 AM Names of viruses that EXTRA.DAT can detect = None
2/19/2009 1:51:31 AM Engine version = 5.3.00
2/19/2009 1:51:31 AM DAT version = 5524
2/19/2009 1:51:31 AM Number of virus signatures in EXTRA.DAT = None
2/19/2009 1:51:31 AM Names of viruses that EXTRA.DAT can detect = None
2/19/2009 10:04:24 AM Engine version = 5.3.00
2/19/2009 10:04:24 AM DAT version = 5524
2/19/2009 10:04:24 AM Number of virus signatures in EXTRA.DAT = None
2/19/2009 10:04:24 AM Names of viruses that EXTRA.DAT can detect = None

2/19/2009 10:08:04 AM Statistics:
2/19/2009 10:08:04 AM Files scanned: 0
2/19/2009 10:08:04 AM Files detected: 0
2/19/2009 10:08:04 AM Files cleaned: 0
2/19/2009 10:08:04 AM Files deleted: 0
2/19/2009 10:08:04 AM Files moved: 0
2/19/2009 10:10:32 AM Engine version = 5.3.00
2/19/2009 10:10:32 AM DAT version = 5524
2/19/2009 10:10:32 AM Number of virus signatures in EXTRA.DAT = None
2/19/2009 10:10:32 AM Names of viruses that EXTRA.DAT can detect = None
2/19/2009 4:33:38 PM Engine version = 5.3.00
2/19/2009 4:33:38 PM DAT version = 5524
2/19/2009 4:33:38 PM Number of virus signatures in EXTRA.DAT = None
2/19/2009 4:33:38 PM Names of viruses that EXTRA.DAT can detect = None

2/19/2009 4:49:17 PM Statistics:
2/19/2009 4:49:17 PM Files scanned: 1
2/19/2009 4:49:17 PM Files detected: 0
2/19/2009 4:49:17 PM Files cleaned: 0
2/19/2009 4:49:17 PM Files deleted: 0
2/19/2009 4:49:17 PM Files moved: 0
2/19/2009 4:52:57 PM Engine version = 5.3.00
2/19/2009 4:52:57 PM DAT version = 5524
2/19/2009 4:52:57 PM Number of virus signatures in EXTRA.DAT = None
2/19/2009 4:52:57 PM Names of viruses that EXTRA.DAT can detect = None
2/20/2009 12:45:25 AM Engine version = 5.3.00
2/20/2009 12:45:25 AM DAT version = 5524
2/20/2009 12:45:25 AM Number of virus signatures in EXTRA.DAT = None
2/20/2009 12:45:25 AM Names of viruses that EXTRA.DAT can detect = None
2/20/2009 8:45:35 AM Engine version = 5.3.00
2/20/2009 8:45:35 AM DAT version = 5524
2/20/2009 8:45:35 AM Number of virus signatures in EXTRA.DAT = None
2/20/2009 8:45:35 AM Names of viruses that EXTRA.DAT can detect = None
2/20/2009 5:18:32 PM Engine version = 5.3.00
2/20/2009 5:18:32 PM DAT version = 5524
2/20/2009 5:18:32 PM Number of virus signatures in EXTRA.DAT = None
2/20/2009 5:18:32 PM Names of viruses that EXTRA.DAT can detect = None
2/20/2009 5:41:00 PM Engine version = 5.3.00
2/20/2009 5:41:00 PM DAT version = 5524
2/20/2009 5:41:00 PM Number of virus signatures in EXTRA.DAT = None
2/20/2009 5:41:00 PM Names of viruses that EXTRA.DAT can detect = None

2/20/2009 5:47:08 PM Statistics:
2/20/2009 5:47:08 PM Files scanned: 0
2/20/2009 5:47:08 PM Files detected: 0
2/20/2009 5:47:08 PM Files cleaned: 0
2/20/2009 5:47:08 PM Files deleted: 0
2/20/2009 5:47:08 PM Files moved: 0
2/20/2009 5:49:35 PM Engine version = 5.3.00
2/20/2009 5:49:35 PM DAT version = 5524
2/20/2009 5:49:35 PM Number of virus signatures in EXTRA.DAT = None
2/20/2009 5:49:35 PM Names of viruses that EXTRA.DAT can detect = None


Thanks Again!
Tigger93
Hi.

Please update Malwarebytes, run a quick scan and post the log. Also run this scan please:

Download Lop S&D from here

  • Double-click Lop S&D.exe
  • Choose the language, then choose Option 1 (Search)
  • Wait till the scan completes
  • Post the log which is created: (%SystemDrive%\lopR.txt)
FirefoxForNow
Thanks for the help. I did as you asked. As a heads up: when I ran the updated MWB, Spybot SD Resident came up with an alert saying "Browser helper object value added" with a long serial number for the process that started (9cd1fd11-b323-4d7f- ......). I don't think it was a MWB process; it might be related to the trojan.

Not to sound ungrateful (I'm anything but), but this Lop S&D software is a little sketchy. Small and French? Please don't ask me to DL any additional tools unless absolutely necessary. I already listed my armada of installed tools, and it doesn't seem like I should need any more. Unless that's the only way.

Thanks again!

Updated MWB log:

Malwarebytes' Anti-Malware 1.34
Database version: 1782
Windows 5.1.2600 Service Pack 3

2/20/2009 6:56:59 PM
mbam-log-2009-02-20 (18-56-59).txt

Scan type: Quick Scan
Objects scanned: 68998
Time elapsed: 3 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\mvoqas.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9cd1fd11-b323-4b7f-8072-8b2ca11ee05e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9cd1fd11-b323-4b7f-8072-8b2ca11ee05e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9cd1fd11-b323-4b7f-8072-8b2ca11ee05e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\mvoqas.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ungrdxwa.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekakxmifuxf.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\senekaobwgwsrn.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\ddcYqOgh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\senekawqdutehb.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekabgiteqot.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekamliltabd.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\senekaqatxthsm.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully.



Here is the Lop S&D log:

--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 3
X86-based PC ( Multiprocessor Free : Intel® Pentium® 4 CPU 3.00GHz )
BIOS : Phoenix ROM BIOS PLUS Version 1.10 A01
USER : Marcus ( Administrator )
BOOT : Normal boot
C:\ (Local Disk) - NTFS - Total:144 Go (Free:11 Go)
D:\ (CD or DVD)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
Option : [1] ( Fri 02/20/2009|19:07 )

--------------------\\ Listing folders in APPLIC~1

[09/10/2005|12:05] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Creative
[08/19/2004|01:14] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Identities
[09/10/2005|11:52] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Jasc Software Inc
[09/10/2005|11:50] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Microsoft
[09/10/2005|11:42] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Sun
[09/10/2005|11:57] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Symantec

[04/23/2006|09:32] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe
[04/23/2006|09:48] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe Systems
[09/14/2005|08:33] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AOL
[01/24/2007|07:05] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple Computer
[05/26/2007|06:45] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> BVRP Software
[03/29/2008|02:31] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Dell
[04/11/2008|10:50] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> GTek
[10/02/2005|07:02] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> HP
[09/10/2005|11:52] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> InstallShield
[09/10/2005|11:54] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Intuit
[12/19/2008|12:59] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Lavasoft
[12/20/2008|02:05] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Malwarebytes
[11/04/2008|01:06] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft
[09/14/2005|08:22] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Network Associates
[09/10/2005|11:53] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> QuickTime
[08/19/2004|01:22] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> SBSI
[12/20/2008|05:59] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Spybot - Search & Destroy
[09/14/2005|08:14] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Symantec
[05/28/2006|10:46] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Windows Genuine Advantage

[09/10/2005|12:05] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Creative
[08/19/2004|01:14] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Identities
[09/10/2005|11:52] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Jasc Software Inc
[08/19/2004|12:57] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Microsoft
[09/10/2005|11:42] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Sun
[09/10/2005|11:57] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Symantec

[03/10/2006|09:31] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Microsoft

[12/04/2008|10:11] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Adobe
[02/25/2006|06:26] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> AdobeUM
[03/07/2006|09:36] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Apple Computer
[05/03/2008|11:08] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> BitZipper
[03/04/2008|06:34] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Creative
[09/25/2005|11:26] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> CyberLink
[12/09/2005|06:53] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Google
[04/14/2007|02:59] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Gtek
[12/20/2008|12:51] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Help
[06/28/2007|06:40] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> HP
[08/19/2004|01:14] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Identities
[05/26/2007|06:34] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> InstallShield
[09/26/2005|03:41] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Jasc Software Inc
[12/19/2008|01:00] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Lavasoft
[10/11/2005|07:55] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Leadertech
[03/28/2006|08:35] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Macromedia
[12/20/2008|02:05] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Malwarebytes
[02/06/2008|09:18] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Microsoft
[12/20/2008|12:30] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Mozilla
[04/25/2006|10:40] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Opera
[04/30/2008|10:05] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Real
[10/11/2005|07:56] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Sonic
[09/10/2005|11:42] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Sun
[09/10/2005|11:57] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Symantec
[02/14/2006|10:40] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Talkback
[02/14/2006|10:40] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Thunderbird
[02/19/2009|12:18] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> uTorrent

[08/19/2004|12:57] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Microsoft

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[02/20/2009 07:01 PM][--a------] C:\WINDOWS\tasks\mfwpraie.job
[02/20/2009 07:01 PM][--ah-----] C:\WINDOWS\tasks\SA.DAT
[08/10/2004 02:00 AM][-r-h-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[01/23/2009|08:09] C:\Program Files\<DIR> Activision
[04/23/2006|09:51] C:\Program Files\<DIR> Adobe
[09/10/2005|11:47] C:\Program Files\<DIR> ATI Technologies
[05/26/2007|06:34] C:\Program Files\<DIR> Avanquest update
[05/03/2008|11:25] C:\Program Files\<DIR> BitZipper
[12/28/2005|08:22] C:\Program Files\<DIR> Canon
[09/16/2007|01:33] C:\Program Files\<DIR> CDex_150
[02/19/2009|01:02] C:\Program Files\<DIR> Common Files
[08/19/2004|01:02] C:\Program Files\<DIR> ComPlus Applications
[02/19/2009|04:49] C:\Program Files\<DIR> Creative
[12/22/2007|03:41] C:\Program Files\<DIR> Crystal Player
[03/02/2006|01:50] C:\Program Files\<DIR> CureROM
[09/10/2005|11:49] C:\Program Files\<DIR> CyberLink
[12/10/2005|06:52] C:\Program Files\<DIR> DAEMON Tools
[10/24/2006|08:11] C:\Program Files\<DIR> DC++
[09/10/2005|12:01] C:\Program Files\<DIR> Dell
[09/10/2005|11:52] C:\Program Files\<DIR> Dell Inc
[04/14/2007|02:48] C:\Program Files\<DIR> DellSupport
[10/22/2008|12:23] C:\Program Files\<DIR> DivX
[08/19/2004|01:16] C:\Program Files\<DIR> EnglishOtto
[04/20/2006|05:25] C:\Program Files\<DIR> Fargo
[02/19/2009|04:47] C:\Program Files\<DIR> GemMaster
[12/09/2005|06:53] C:\Program Files\<DIR> Google
[12/30/2008|10:33] C:\Program Files\<DIR> GTR2
[10/02/2005|07:02] C:\Program Files\<DIR> Hewlett-Packard
[10/02/2005|07:03] C:\Program Files\<DIR> HP
[02/19/2009|04:49] C:\Program Files\<DIR> InstallShield Installation Information
[09/10/2005|11:48] C:\Program Files\<DIR> Intel
[11/02/2008|02:18] C:\Program Files\<DIR> Internet Explorer
[09/10/2005|11:54] C:\Program Files\<DIR> Intuit
[01/24/2007|07:07] C:\Program Files\<DIR> iTunes
[09/26/2005|03:41] C:\Program Files\<DIR> Jasc Software Inc
[02/19/2009|01:04] C:\Program Files\<DIR> Java
[10/13/2008|09:25] C:\Program Files\<DIR> K-Lite Codec Pack
[12/19/2008|01:00] C:\Program Files\<DIR> Lavasoft
[09/29/2007|01:04] C:\Program Files\<DIR> LucasArts
[02/20/2009|06:52] C:\Program Files\<DIR> Malwarebytes' Anti-Malware
[11/02/2008|02:24] C:\Program Files\<DIR> Messenger
[09/14/2005|08:55] C:\Program Files\<DIR> Microsoft ActiveSync
[08/19/2004|01:07] C:\Program Files\<DIR> microsoft frontpage
[12/20/2007|05:45] C:\Program Files\<DIR> Microsoft Games
[09/14/2005|09:27] C:\Program Files\<DIR> Microsoft IntelliPoint
[09/14/2005|08:55] C:\Program Files\<DIR> Microsoft Office
[09/10/2005|11:51] C:\Program Files\<DIR> Microsoft Plus! Digital Media Edition
[09/10/2005|11:51] C:\Program Files\<DIR> Microsoft Plus! Photo Story 2 LE
[09/14/2005|08:55] C:\Program Files\<DIR> Microsoft Visual Studio
[09/14/2005|08:55] C:\Program Files\<DIR> Microsoft Works
[09/14/2005|08:53] C:\Program Files\<DIR> Microsoft.NET
[09/10/2005|11:48] C:\Program Files\<DIR> Modem Helper
[09/10/2005|11:48] C:\Program Files\<DIR> Modem On Hold
[05/26/2007|06:43] C:\Program Files\<DIR> Motorola Phone Tools
[11/02/2008|02:18] C:\Program Files\<DIR> Movie Maker
[02/20/2009|07:02] C:\Program Files\<DIR> Mozilla Firefox
[08/19/2004|01:01] C:\Program Files\<DIR> MSN
[08/19/2004|01:01] C:\Program Files\<DIR> MSN Gaming Zone
[11/15/2006|03:01] C:\Program Files\<DIR> MSXML 4.0
[09/10/2005|11:50] C:\Program Files\<DIR> MUSICMATCH
[11/27/2006|09:30] C:\Program Files\<DIR> NETGEAR
[11/02/2008|02:15] C:\Program Files\<DIR> NetMeeting
[09/14/2005|08:22] C:\Program Files\<DIR> Network Associates
[08/19/2004|01:02] C:\Program Files\<DIR> Online Services
[11/02/2008|02:15] C:\Program Files\<DIR> Outlook Express
[05/10/2006|02:55] C:\Program Files\<DIR> PC-Pine
[01/24/2007|07:06] C:\Program Files\<DIR> QuickTime
[09/10/2005|11:53] C:\Program Files\<DIR> Real
[08/19/2004|01:20] C:\Program Files\<DIR> RGB
[12/10/2005|08:47] C:\Program Files\<DIR> Rockstar Games
[04/14/2008|06:08] C:\Program Files\<DIR> SCi Games
[06/26/2007|09:40] C:\Program Files\<DIR> Soldier of Fortune II - Double Helix MP TEST
[09/10/2005|11:56] C:\Program Files\<DIR> Sonic
[12/20/2008|05:58] C:\Program Files\<DIR> Spybot - Search & Destroy
[09/14/2005|08:18] C:\Program Files\<DIR> Symantec
[02/20/2009|05:52] C:\Program Files\<DIR> Trend Micro
[08/19/2004|01:14] C:\Program Files\<DIR> Uninstall Information
[02/19/2009|12:17] C:\Program Files\<DIR> uTorrent
[04/11/2008|10:50] C:\Program Files\<DIR> VideoLAN
[09/10/2005|11:50] C:\Program Files\<DIR> Windows Media Player
[11/02/2008|02:15] C:\Program Files\<DIR> Windows NT
[08/19/2004|01:02] C:\Program Files\<DIR> Windows Plus
[08/19/2004|01:05] C:\Program Files\<DIR> WindowsUpdate
[08/19/2004|01:07] C:\Program Files\<DIR> xerox
[04/14/2006|03:25] C:\Program Files\<DIR> Xilisoft
[09/10/2005|11:52] C:\Program Files\<DIR> Your Company Name

--------------------\\ Listing Folders in C:\Program Files\Common Files

[04/23/2006|09:47] C:\Program Files\Common Files\<DIR> Adobe
[04/23/2006|09:47] C:\Program Files\Common Files\<DIR> Adobe Systems Shared
[09/14/2005|08:33] C:\Program Files\Common Files\<DIR> AOL
[09/14/2005|08:22] C:\Program Files\Common Files\<DIR> Cisco Systems
[09/14/2005|08:55] C:\Program Files\Common Files\<DIR> DESIGNER
[02/04/2008|01:44] C:\Program Files\Common Files\<DIR> DirectX
[10/02/2005|07:04] C:\Program Files\Common Files\<DIR> HP
[09/10/2005|12:01] C:\Program Files\Common Files\<DIR> InstallShield
[09/14/2005|08:46] C:\Program Files\Common Files\<DIR> Intuit
[09/14/2005|08:55] C:\Program Files\Common Files\<DIR> L&H
[09/14/2005|08:56] C:\Program Files\Common Files\<DIR> Microsoft Shared
[08/19/2004|01:04] C:\Program Files\Common Files\<DIR> MSSoap
[09/14/2005|08:21] C:\Program Files\Common Files\<DIR> Network Associates
[09/10/2005|11:53] C:\Program Files\Common Files\<DIR> Nullsoft
[08/19/2004|12:57] C:\Program Files\Common Files\<DIR> ODBC
[03/10/2006|07:28] C:\Program Files\Common Files\<DIR> Real
[08/19/2004|01:04] C:\Program Files\Common Files\<DIR> Services
[09/10/2005|11:56] C:\Program Files\Common Files\<DIR> Sonic Shared
[08/19/2004|12:57] C:\Program Files\Common Files\<DIR> SpeechEngines
[09/14/2005|08:24] C:\Program Files\Common Files\<DIR> SWF Studio
[09/14/2005|08:16] C:\Program Files\Common Files\<DIR> Symantec Shared
[11/02/2008|02:14] C:\Program Files\Common Files\<DIR> System
[09/10/2005|11:51] C:\Program Files\Common Files\<DIR> TiVo Shared
[12/19/2008|12:58] C:\Program Files\Common Files\<DIR> Wise Installation Wizard
[03/10/2006|07:28] C:\Program Files\Common Files\<DIR> xing shared

--------------------\\ Process

( 55 Processes )

... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

C:\DOCUME~1\Marcus\Cookies\marcus@divavillage.advertserve[1].txt
C:\DOCUME~1\Marcus\Cookies\marcus@imagevenue.advertserve[2].txt
C:\DOCUME~1\Marcus\Cookies\marcus@advertising[1].txt
C:\DOCUME~1\Marcus\Cookies\marcus@advertising[2].txt
C:\DOCUME~1\Marcus\Cookies\marcus@adopt.euroclick[2].txt

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-20 19:08:47
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 0

--------------------\\ Searching for other infections

--------------------\\ ROOTKIT !!

Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV.SYS]
Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TDSSSERV.SYS]
Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV.SYS]
Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys]
Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys]
Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys]

--------------------\\ Suspect ..

C:\WINDOWS\system32\TDSSmtvd.dat

--------------------\\ Cracks & Keygens ..

C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 albums\Jay Z\In My Lifetime, Volume 1\12 - Jay-Z - Rap Game Crack Game.mp3
C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 albums\Kanye West\Late Registration\08-Crack Music featuring Game.mp3
C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 albums\Notorious BIG\Ten Crack Commandments.mp3
C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 Downloads\Acid Pro 5.0 + Keygen
C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 Downloads\Age of Empires III crack
C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 Downloads\Acid Pro 5.0 + Keygen\Acid Pro 5.0.exe
C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 Downloads\Acid Pro 5.0 + Keygen\Fix Registration.reg
C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 Downloads\Acid Pro 5.0 + Keygen\Keygen.exe
C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 Downloads\Acid Pro 5.0 + Keygen\README.txt
C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 Downloads\Age of Empires III crack\dev-ae33.rar
C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 Downloads\SW KOTOR II\Crack
C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 Downloads\SW KOTOR II\Crack\swkotor2.exe
C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 Downloads\SW KOTOR II\Crack\swkotor2.ini


[F:97][D:16]-> C:\DOCUME~1\Marcus\LOCALS~1\Temp
[F:479][D:0]-> C:\DOCUME~1\Marcus\Cookies
[F:237][D:8]-> C:\DOCUME~1\Marcus\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - Fri 02/20/2009|19:10 - Option : [1]

--------------------\\ Scan completed at 19:10:23
Tigger93
The tools I had you download are needed to clean your PC (and for the record, no, it's not small and Frenchy, it's in English and isn't a removal tool, simply a tool to help in the diagnostic process).

However, since you're using cracks, we cannot continue to help.
FirefoxForNow
Tigger-

Thanks for what help you were able to provide. I didn't intend to insult your diagnostic tools- I'm just a little apprehensive of installing more software at this point. The French-as-a-primary-language aspect made me think twice.

I'm sorry that you cannot help me any further.

The cracks and keygens in the My Documents folder I am familiar with and pose no threat- I can uninstall/delete them if that would help things.

If you cannot help me any further with direct instructions, can you:

(A) give me some analysis of the nature of my problem/situation from the diagnostic data provided

(B) suggest an attack approach or plan of addressing my situation (such as removing problematic cracks)

(C) refer me to a different reputable security/malware forum

Additionally, if any other moderators are able to help/make suggestions that would be appreciated as well.
Tigger93
Please don't be offended by anything I said, I was simply pointing out a few things about that tool. While it may seem a little odd that the tool starts in French, most of our tools have multiple languages, and we would never have you download anything that is not safe.

While the cracks you have may not pose a threat, cracks are a way of getting infected, and when people have cracks on the computer and we find them, that's usually where they got the infection from. You also must remember cracks are illegal.

I will be able to continue helping you if you remove the cracks. Let me know.
FirefoxForNow
Tigger-

Thanks for sticking it out with me. I removed the "crack" files that had been on my hard drive. The three files that LOP S&D is still identifying are all actual .mp3s that I uploaded from CD and actively listen to. The files which LOP had previously identified under "cracks and keygens" I had acquired over two ago. Also, they were acquired directly in 1st person from a friend via USB key, not through any p2p service. Therefore, I'd be surprised if they were related to my recent infection. Unless it's a really crafty infection.

Note for MBAM community: Any "crack" files previously displayed in diagnostic results were NOT related to the infringement of copyrighted or trademarked data. Piracy is illegal and should not be practiced by MBAM users. It is an easy way to contract malware. Don't do it!

Here's the new Lop log. Other than deleting the indicated files, I have performed no other actions since last post.

Thanks, cheers, and hope your weekend is starting off better than mine.


--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 3
X86-based PC ( Multiprocessor Free : Intel® Pentium® 4 CPU 3.00GHz )
BIOS : Phoenix ROM BIOS PLUS Version 1.10 A01
USER : Marcus ( Administrator )
BOOT : Normal boot
C:\ (Local Disk) - NTFS - Total:144 Go (Free:18 Go)
D:\ (CD or DVD)
I:\ (Local Disk) - NTFS - Total:372 Go (Free:174 Go)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
Option : [1] ( Fri 02/20/2009|21:23 )

--------------------\\ Listing folders in APPLIC~1

[09/10/2005|12:05] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Creative
[08/19/2004|01:14] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Identities
[09/10/2005|11:52] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Jasc Software Inc
[09/10/2005|11:50] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Microsoft
[09/10/2005|11:42] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Sun
[09/10/2005|11:57] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Symantec

[04/23/2006|09:32] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe
[04/23/2006|09:48] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe Systems
[09/14/2005|08:33] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AOL
[01/24/2007|07:05] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple Computer
[05/26/2007|06:45] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> BVRP Software
[03/29/2008|02:31] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Dell
[04/11/2008|10:50] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> GTek
[10/02/2005|07:02] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> HP
[09/10/2005|11:52] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> InstallShield
[09/10/2005|11:54] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Intuit
[12/19/2008|12:59] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Lavasoft
[12/20/2008|02:05] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Malwarebytes
[11/04/2008|01:06] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft
[09/14/2005|08:22] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Network Associates
[09/10/2005|11:53] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> QuickTime
[08/19/2004|01:22] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> SBSI
[12/20/2008|05:59] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Spybot - Search & Destroy
[09/14/2005|08:14] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Symantec
[05/28/2006|10:46] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Windows Genuine Advantage

[09/10/2005|12:05] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Creative
[08/19/2004|01:14] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Identities
[09/10/2005|11:52] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Jasc Software Inc
[08/19/2004|12:57] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Microsoft
[09/10/2005|11:42] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Sun
[09/10/2005|11:57] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Symantec

[03/10/2006|09:31] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Microsoft

[12/04/2008|10:11] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Adobe
[02/25/2006|06:26] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> AdobeUM
[03/07/2006|09:36] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Apple Computer
[05/03/2008|11:08] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> BitZipper
[03/04/2008|06:34] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Creative
[09/25/2005|11:26] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> CyberLink
[12/09/2005|06:53] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Google
[04/14/2007|02:59] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Gtek
[12/20/2008|12:51] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Help
[06/28/2007|06:40] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> HP
[08/19/2004|01:14] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Identities
[05/26/2007|06:34] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> InstallShield
[09/26/2005|03:41] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Jasc Software Inc
[12/19/2008|01:00] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Lavasoft
[10/11/2005|07:55] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Leadertech
[03/28/2006|08:35] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Macromedia
[12/20/2008|02:05] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Malwarebytes
[02/06/2008|09:18] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Microsoft
[12/20/2008|12:30] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Mozilla
[04/25/2006|10:40] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Opera
[04/30/2008|10:05] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Real
[10/11/2005|07:56] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Sonic
[09/10/2005|11:42] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Sun
[09/10/2005|11:57] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Symantec
[02/14/2006|10:40] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Talkback
[02/14/2006|10:40] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> Thunderbird
[02/19/2009|12:18] C:\DOCUME~1\Marcus\APPLIC~1\<DIR> uTorrent

[08/19/2004|12:57] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Microsoft

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[02/20/2009 08:00 PM][--a------] C:\WINDOWS\tasks\mfwpraie.job
[02/20/2009 07:01 PM][--ah-----] C:\WINDOWS\tasks\SA.DAT
[08/10/2004 02:00 AM][-r-h-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[01/23/2009|08:09] C:\Program Files\<DIR> Activision
[04/23/2006|09:51] C:\Program Files\<DIR> Adobe
[09/10/2005|11:47] C:\Program Files\<DIR> ATI Technologies
[05/26/2007|06:34] C:\Program Files\<DIR> Avanquest update
[05/03/2008|11:25] C:\Program Files\<DIR> BitZipper
[12/28/2005|08:22] C:\Program Files\<DIR> Canon
[09/16/2007|01:33] C:\Program Files\<DIR> CDex_150
[02/19/2009|01:02] C:\Program Files\<DIR> Common Files
[08/19/2004|01:02] C:\Program Files\<DIR> ComPlus Applications
[02/19/2009|04:49] C:\Program Files\<DIR> Creative
[12/22/2007|03:41] C:\Program Files\<DIR> Crystal Player
[03/02/2006|01:50] C:\Program Files\<DIR> CureROM
[09/10/2005|11:49] C:\Program Files\<DIR> CyberLink
[12/10/2005|06:52] C:\Program Files\<DIR> DAEMON Tools
[10/24/2006|08:11] C:\Program Files\<DIR> DC++
[09/10/2005|12:01] C:\Program Files\<DIR> Dell
[09/10/2005|11:52] C:\Program Files\<DIR> Dell Inc
[04/14/2007|02:48] C:\Program Files\<DIR> DellSupport
[10/22/2008|12:23] C:\Program Files\<DIR> DivX
[08/19/2004|01:16] C:\Program Files\<DIR> EnglishOtto
[04/20/2006|05:25] C:\Program Files\<DIR> Fargo
[02/19/2009|04:47] C:\Program Files\<DIR> GemMaster
[12/09/2005|06:53] C:\Program Files\<DIR> Google
[12/30/2008|10:33] C:\Program Files\<DIR> GTR2
[10/02/2005|07:02] C:\Program Files\<DIR> Hewlett-Packard
[10/02/2005|07:03] C:\Program Files\<DIR> HP
[02/20/2009|09:20] C:\Program Files\<DIR> InstallShield Installation Information
[09/10/2005|11:48] C:\Program Files\<DIR> Intel
[11/02/2008|02:18] C:\Program Files\<DIR> Internet Explorer
[09/10/2005|11:54] C:\Program Files\<DIR> Intuit
[01/24/2007|07:07] C:\Program Files\<DIR> iTunes
[09/26/2005|03:41] C:\Program Files\<DIR> Jasc Software Inc
[02/19/2009|01:04] C:\Program Files\<DIR> Java
[10/13/2008|09:25] C:\Program Files\<DIR> K-Lite Codec Pack
[12/19/2008|01:00] C:\Program Files\<DIR> Lavasoft
[02/20/2009|09:20] C:\Program Files\<DIR> LucasArts
[02/20/2009|06:52] C:\Program Files\<DIR> Malwarebytes' Anti-Malware
[11/02/2008|02:24] C:\Program Files\<DIR> Messenger
[09/14/2005|08:55] C:\Program Files\<DIR> Microsoft ActiveSync
[08/19/2004|01:07] C:\Program Files\<DIR> microsoft frontpage
[12/20/2007|05:45] C:\Program Files\<DIR> Microsoft Games
[09/14/2005|09:27] C:\Program Files\<DIR> Microsoft IntelliPoint
[09/14/2005|08:55] C:\Program Files\<DIR> Microsoft Office
[09/10/2005|11:51] C:\Program Files\<DIR> Microsoft Plus! Digital Media Edition
[09/10/2005|11:51] C:\Program Files\<DIR> Microsoft Plus! Photo Story 2 LE
[09/14/2005|08:55] C:\Program Files\<DIR> Microsoft Visual Studio
[09/14/2005|08:55] C:\Program Files\<DIR> Microsoft Works
[09/14/2005|08:53] C:\Program Files\<DIR> Microsoft.NET
[09/10/2005|11:48] C:\Program Files\<DIR> Modem Helper
[09/10/2005|11:48] C:\Program Files\<DIR> Modem On Hold
[05/26/2007|06:43] C:\Program Files\<DIR> Motorola Phone Tools
[11/02/2008|02:18] C:\Program Files\<DIR> Movie Maker
[02/20/2009|08:50] C:\Program Files\<DIR> Mozilla Firefox
[08/19/2004|01:01] C:\Program Files\<DIR> MSN
[08/19/2004|01:01] C:\Program Files\<DIR> MSN Gaming Zone
[11/15/2006|03:01] C:\Program Files\<DIR> MSXML 4.0
[09/10/2005|11:50] C:\Program Files\<DIR> MUSICMATCH
[11/27/2006|09:30] C:\Program Files\<DIR> NETGEAR
[11/02/2008|02:15] C:\Program Files\<DIR> NetMeeting
[09/14/2005|08:22] C:\Program Files\<DIR> Network Associates
[08/19/2004|01:02] C:\Program Files\<DIR> Online Services
[11/02/2008|02:15] C:\Program Files\<DIR> Outlook Express
[05/10/2006|02:55] C:\Program Files\<DIR> PC-Pine
[01/24/2007|07:06] C:\Program Files\<DIR> QuickTime
[09/10/2005|11:53] C:\Program Files\<DIR> Real
[08/19/2004|01:20] C:\Program Files\<DIR> RGB
[12/10/2005|08:47] C:\Program Files\<DIR> Rockstar Games
[04/14/2008|06:08] C:\Program Files\<DIR> SCi Games
[06/26/2007|09:40] C:\Program Files\<DIR> Soldier of Fortune II - Double Helix MP TEST
[09/10/2005|11:56] C:\Program Files\<DIR> Sonic
[12/20/2008|05:58] C:\Program Files\<DIR> Spybot - Search & Destroy
[09/14/2005|08:18] C:\Program Files\<DIR> Symantec
[02/20/2009|05:52] C:\Program Files\<DIR> Trend Micro
[08/19/2004|01:14] C:\Program Files\<DIR> Uninstall Information
[02/19/2009|12:17] C:\Program Files\<DIR> uTorrent
[04/11/2008|10:50] C:\Program Files\<DIR> VideoLAN
[09/10/2005|11:50] C:\Program Files\<DIR> Windows Media Player
[11/02/2008|02:15] C:\Program Files\<DIR> Windows NT
[08/19/2004|01:02] C:\Program Files\<DIR> Windows Plus
[08/19/2004|01:05] C:\Program Files\<DIR> WindowsUpdate
[08/19/2004|01:07] C:\Program Files\<DIR> xerox
[04/14/2006|03:25] C:\Program Files\<DIR> Xilisoft
[09/10/2005|11:52] C:\Program Files\<DIR> Your Company Name

--------------------\\ Listing Folders in C:\Program Files\Common Files

[04/23/2006|09:47] C:\Program Files\Common Files\<DIR> Adobe
[04/23/2006|09:47] C:\Program Files\Common Files\<DIR> Adobe Systems Shared
[09/14/2005|08:33] C:\Program Files\Common Files\<DIR> AOL
[09/14/2005|08:22] C:\Program Files\Common Files\<DIR> Cisco Systems
[09/14/2005|08:55] C:\Program Files\Common Files\<DIR> DESIGNER
[02/04/2008|01:44] C:\Program Files\Common Files\<DIR> DirectX
[10/02/2005|07:04] C:\Program Files\Common Files\<DIR> HP
[09/10/2005|12:01] C:\Program Files\Common Files\<DIR> InstallShield
[09/14/2005|08:46] C:\Program Files\Common Files\<DIR> Intuit
[09/14/2005|08:55] C:\Program Files\Common Files\<DIR> L&H
[09/14/2005|08:56] C:\Program Files\Common Files\<DIR> Microsoft Shared
[08/19/2004|01:04] C:\Program Files\Common Files\<DIR> MSSoap
[09/14/2005|08:21] C:\Program Files\Common Files\<DIR> Network Associates
[09/10/2005|11:53] C:\Program Files\Common Files\<DIR> Nullsoft
[08/19/2004|12:57] C:\Program Files\Common Files\<DIR> ODBC
[03/10/2006|07:28] C:\Program Files\Common Files\<DIR> Real
[08/19/2004|01:04] C:\Program Files\Common Files\<DIR> Services
[09/10/2005|11:56] C:\Program Files\Common Files\<DIR> Sonic Shared
[08/19/2004|12:57] C:\Program Files\Common Files\<DIR> SpeechEngines
[09/14/2005|08:24] C:\Program Files\Common Files\<DIR> SWF Studio
[09/14/2005|08:16] C:\Program Files\Common Files\<DIR> Symantec Shared
[11/02/2008|02:14] C:\Program Files\Common Files\<DIR> System
[09/10/2005|11:51] C:\Program Files\Common Files\<DIR> TiVo Shared
[12/19/2008|12:58] C:\Program Files\Common Files\<DIR> Wise Installation Wizard
[03/10/2006|07:28] C:\Program Files\Common Files\<DIR> xing shared

--------------------\\ Process

( 56 Processes )

... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

C:\DOCUME~1\Marcus\Cookies\marcus@divavillage.advertserve[1].txt
C:\DOCUME~1\Marcus\Cookies\marcus@imagevenue.advertserve[2].txt
C:\DOCUME~1\Marcus\Cookies\marcus@advertising[1].txt
C:\DOCUME~1\Marcus\Cookies\marcus@advertising[2].txt
C:\DOCUME~1\Marcus\Cookies\marcus@adopt.euroclick[2].txt

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-20 21:24:45
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 0

--------------------\\ Searching for other infections

--------------------\\ ROOTKIT !!

Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV.SYS]
Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TDSSSERV.SYS]
Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV.SYS]
Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys]
Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys]
Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys]

--------------------\\ Suspect ..

C:\WINDOWS\system32\TDSSmtvd.dat

--------------------\\ Cracks & Keygens ..

C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 albums\Jay Z\In My Lifetime, Volume 1\12 - Jay-Z - Rap Game Crack Game.mp3
C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 albums\Kanye West\Late Registration\08-Crack Music featuring Game.mp3
C:\DOCUME~1\Marcus\My Documents\MARCUS\MUSIC\MP3 albums\Notorious BIG\Ten Crack Commandments.mp3


[F:99][D:16]-> C:\DOCUME~1\Marcus\LOCALS~1\Temp
[F:479][D:0]-> C:\DOCUME~1\Marcus\Cookies
[F:237][D:8]-> C:\DOCUME~1\Marcus\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - Fri 02/20/2009|19:10 - Option : [1]
2 - "C:\Lop SD\LopR_2.txt" - Fri 02/20/2009|21:25 - Option : [1]

--------------------\\ Scan completed at 21:25:46
Tigger93
I'll try to keep the tools to a minimum, but we are going to need this tool to replace your infected userinit.exe and to remove the TDSS rootkit.

Download ComboFix from one of the locations below, and save it to your Desktop.
Link 1
Link 2
Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
FirefoxForNow
Alright! Sorry I've been slow in responding- I had to go into work early this morning and was away from my (home) PC.

I ran ComboFix with no major issues. While it was running, Spybot SD resident (initialized on bootup) alerted me that my homepage and web search settings were being changed... but I don't think Spybot interfered with the scan.

Also, after the scan a Windows security alert popped up in the tray saying that my Windows firewall was disabled (probably part of ComboFix).

Strangely, during the scan my clock changed to military time, then reverted after the reboot. Weird.

Again- Thanks for your ongoing support.

ComboFix 09-02-19.01 - Marcus 2009-02-21 19:44:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1859 [GMT -8:00]
Running from: c:\documents and settings\Marcus\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.
ADS - explorer.exe: deleted 7454 bytes in 4 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Marcus\Cookies\wolehyf.ban
c:\documents and settings\Marcus\Local Settings\Temporary Internet Files\avezubu.db
c:\documents and settings\Marcus\Local Settings\Temporary Internet Files\dibil.pif
c:\documents and settings\Marcus\Local Settings\Temporary Internet Files\epyfigug.dat
c:\windows\IE4 Error Log.txt
c:\windows\system32\998.exe
c:\windows\system32\init32.exe
c:\windows\system32\TDSSmtvd.dat
c:\windows\system32\uniq.tll
c:\windows\system32\win32hlp.cnf
c:\windows\Tasks\mfwpraie.job
c:\windows\wiaserviv.log
c:\windows\wiaservv.log

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_seneka
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2009-01-22 to 2009-02-22 )))))))))))))))))))))))))))))))
.

2009-02-20 19:06 . 2009-02-20 21:25 <DIR> d-------- C:\Lop SD
2009-02-20 17:52 . 2009-02-20 17:52 <DIR> d-------- c:\program files\Trend Micro
2009-02-19 01:04 . 2009-02-19 01:04 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-19 00:22 . 2009-02-19 00:30 1,924 --a------ c:\windows\ccddawrp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-21 05:20 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-21 05:20 --------- d-----w c:\program files\LucasArts
2009-02-21 02:52 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-20 00:49 --------- d-----w c:\program files\Creative
2009-02-20 00:47 --------- d-----w c:\program files\GemMaster
2009-02-19 09:04 --------- d-----w c:\program files\Java
2009-02-19 08:18 --------- d-----w c:\documents and settings\Marcus\Application Data\uTorrent
2009-02-19 08:17 --------- d-----w c:\program files\uTorrent
2009-02-11 18:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 18:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-10 22:00 1,033,728 ----a-w c:\windows\explorer.exe
2009-01-24 04:09 --------- d-----w c:\program files\Activision
2008-12-31 06:33 --------- d-----w c:\program files\GTR2
2008-10-12 20:30 19,606 -c--a-w c:\program files\Common Files\melo.com
2008-10-12 20:30 18,326 ----a-w c:\documents and settings\Marcus\Application Data\ycexim.reg
2008-10-12 20:30 16,160 -c--a-w c:\program files\Common Files\mudohoc.bat
2008-10-12 20:30 15,553 -c--a-w c:\program files\Common Files\ahupebykiw.dl
2008-10-12 20:30 15,461 -c--a-w c:\program files\Common Files\efucu.ban
2008-10-12 20:30 12,008 ----a-w c:\documents and settings\Marcus\Application Data\ubywuxy.com
2008-10-12 20:30 11,389 ----a-w c:\documents and settings\Marcus\Application Data\axepub.bin
2007-05-27 03:22 24,192 -c--a-w c:\documents and settings\Marcus\usbsermptxp.sys
2007-05-27 03:22 22,768 -c--a-w c:\documents and settings\Marcus\usbsermpt.sys
2005-10-09 09:09 1,682 -csha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-14 344064]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-05 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-11-08 128920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-10 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-19 148888]
"P17Helper"="P17.dll" [2004-06-10 c:\windows\system32\P17.dll]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
MA111 Configuration Utility.lnk - c:\program files\NETGEAR\MA111 Configuration Utility\wlancfg.exe [2006-09-01 459264]
NETGEAR WG311v3 Smart Wizard.lnk - c:\windows\Installer\{70014586-7BBA-4A92-A610-CDC896C48F8F}\NewShortcut1_1.exe [2006-11-27 1078]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:53:50 PM, on 2/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\Documents and Settings\Marcus\Desktop\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O20 - AppInit_DLLs: mvoqas.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Documents and Settings\Marcus\Desktop\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

--
End of file - 8532 bytes
Tigger93
That's not the entire ComboFix log, please post all of it.
FirefoxForNow
Oops- thought I grabbed the whole thing last time. Sorry. Must have gotten impatient with my copy-paste. Here ya go. Thanks!

ComboFix 09-02-19.01 - Marcus 2009-02-22 11:49:05.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1915 [GMT -8:00]
Running from: c:\documents and settings\Marcus\Desktop\ComboFix.exe
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2009-01-22 to 2009-02-22 )))))))))))))))))))))))))))))))
.

2009-02-20 19:06 . 2009-02-20 21:25 <DIR> d-------- C:\Lop SD
2009-02-20 17:52 . 2009-02-20 17:52 <DIR> d-------- c:\program files\Trend Micro
2009-02-19 01:04 . 2009-02-19 01:04 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-19 00:22 . 2009-02-19 00:30 1,924 --a------ c:\windows\ccddawrp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-21 05:20 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-21 05:20 --------- d-----w c:\program files\LucasArts
2009-02-21 02:52 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-20 00:49 --------- d-----w c:\program files\Creative
2009-02-20 00:47 --------- d-----w c:\program files\GemMaster
2009-02-19 09:04 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-02-19 09:04 --------- d-----w c:\program files\Java
2009-02-19 08:18 --------- d-----w c:\documents and settings\Marcus\Application Data\uTorrent
2009-02-19 08:17 --------- d-----w c:\program files\uTorrent
2009-02-11 18:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 18:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-10 22:00 1,033,728 ----a-w c:\windows\system32\dllcache\explorer.exe
2009-02-10 22:00 1,033,728 ----a-w c:\windows\explorer.exe
2009-01-24 04:09 --------- d-----w c:\program files\Activision
2008-12-31 06:33 --------- d-----w c:\program files\GTR2
2008-12-12 17:01 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-10-12 20:30 19,606 -c--a-w c:\program files\Common Files\melo.com
2008-10-12 20:30 18,326 ----a-w c:\documents and settings\Marcus\Application Data\ycexim.reg
2008-10-12 20:30 16,160 -c--a-w c:\program files\Common Files\mudohoc.bat
2008-10-12 20:30 15,553 -c--a-w c:\program files\Common Files\ahupebykiw.dl
2008-10-12 20:30 15,461 -c--a-w c:\program files\Common Files\efucu.ban
2008-10-12 20:30 12,008 ----a-w c:\documents and settings\Marcus\Application Data\ubywuxy.com
2008-10-12 20:30 11,389 ----a-w c:\documents and settings\Marcus\Application Data\axepub.bin
2007-05-27 03:22 24,192 -c--a-w c:\documents and settings\Marcus\usbsermptxp.sys
2007-05-27 03:22 22,768 -c--a-w c:\documents and settings\Marcus\usbsermpt.sys
2005-10-06 23:17 280,576 -c--a-w c:\windows\inf\WG311v3\WG311v3XP.sys
2005-10-06 23:17 280,576 -c--a-w c:\windows\inf\WG311v3\WG311v3.sys
2005-03-01 19:16 212,992 -c--a-w c:\windows\inf\WG311v3\CopyWHQLDriver.exe
2005-10-09 09:09 1,682 -csha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-02-21_19.51.43.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-22 03:37:42 54,280 ----a-w c:\windows\system32\perfc009.dat
+ 2009-02-22 19:47:07 54,280 ----a-w c:\windows\system32\perfc009.dat
- 2009-02-22 03:37:42 384,596 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-22 19:47:07 384,596 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-22 19:43:06 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_784.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-14 344064]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-05 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-11-08 128920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-10 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-19 148888]
"P17Helper"="P17.dll" [2004-06-10 c:\windows\system32\P17.dll]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
MA111 Configuration Utility.lnk - c:\program files\NETGEAR\MA111 Configuration Utility\wlancfg.exe [2006-09-01 459264]
NETGEAR WG311v3 Smart Wizard.lnk - c:\windows\Installer\{70014586-7BBA-4A92-A610-CDC896C48F8F}\NewShortcut1_1.exe [2006-11-27 1078]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=mvoqas.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"%windir%\\explorer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12345:UDP"= 12345:UDP:dc++

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-09-14 58048]
S0 skbgfqnd;skbgfqnd;c:\windows\system32\drivers\zkiefzrs.sys --> c:\windows\system32\drivers\zkiefzrs.sys [?]
S3 WlanUIB;NETGEAR 802.11b USB Driver;c:\windows\system32\drivers\MA111nd5.sys [2006-09-01 666624]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.dell4me.com/myway
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Marcus\Application Data\Mozilla\Firefox\Profiles\vosyr6jb.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-22 11:52:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(860)
c:\windows\system32\MrvGINA.dll

- - - - - - - > 'lsass.exe'(920)
c:\windows\system32\EntApi.dll
.
Completion time: 2009-02-22 11:54:08
ComboFix-quarantined-files.txt 2009-02-22 19:54:05
ComboFix2.txt 2009-02-22 03:53:00

Pre-Run: 19,710,701,568 bytes free
Post-Run: 19,695,915,008 bytes free

149 --- E O F --- 2009-02-11 11:02:51
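One way to pull the indicators out of a ComboFix log like the one above, as an added example in Python (not code from the thread, from ComboFix or from Malwarebytes): the rules encode what the helper acts on next, the AppInit_DLLs entry, the Security Center and firewall tampering, the S0 driver whose file is missing, and the cluster of loose files dropped into Common Files and Application Data at one instant. The sample log is constructed from lines in this thread; DROP_ROOTS and CLUSTER_MIN are assumptions.

```python
"""Triage a ComboFix-style log for the indicators seen in this thread (constructed
example: AppInit_DLLs hijack, Security Center/firewall tampering, a boot-start
driver whose file is missing, and several loose files dropped at one instant)."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    kind: str    # short rule name
    detail: str  # offending value, key or path(s)

# Find3M line: "YYYY-MM-DD HH:MM  size  attrs  path" (size is dashes for dirs).
FIND3M_RE = re.compile(
    r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size>[\d,]+|-+)\s+"
    r"(?P<attr>[-a-z]+)\s+(?P<path>[a-z]:\\.+)$", re.IGNORECASE)
# Service whose binary is gone: ComboFix repeats the path after "-->" and
# prints "[?]" where the date and size would be (see the S0 line above).
MISSING_DRIVER_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);[^;]*;(?P<path>.+?)\s+-->\s+.+\[\?\]$")
REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')

# Assumptions: folders where a loose file (no vendor subfolder) is suspicious,
# and how many such files sharing one timestamp count as a dropper run.
DROP_ROOTS = ("\\common files\\", "\\application data\\")
CLUSTER_MIN = 3

def _is_loose_drop(path: str) -> bool:
    """True when the file sits directly inside a drop root, not a subfolder."""
    p = path.lower()
    for root in DROP_ROOTS:
        idx = p.find(root)
        if idx != -1 and "\\" not in p[idx + len(root):]:
            return True
    return False

def _check_reg_value(key: str, name: str, value: str) -> list[Finding]:
    n, v = name.lower(), value.strip()
    if n == "appinit_dlls" and v.strip('"'):
        # user32 loads this DLL into every GUI process; a bare random
        # name in system32 is not something a vendor ships.
        return [Finding("appinit-dll", v)]
    if key.endswith("security center") and n.endswith("disablenotify") and v.endswith("1"):
        return [Finding("security-center-silenced", name)]  # hides AV/update warnings
    if "firewallpolicy" in key and n == "enablefirewall" and v.startswith("0"):
        return [Finding("firewall-disabled", key)]
    return []

def triage(log_text: str) -> list[Finding]:
    """Walk the log once and return every indicator that fires."""
    findings: list[Finding] = []
    loose_by_stamp: dict[str, list[str]] = defaultdict(list)
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := FIND3M_RE.match(line):
            if not m["attr"].lower().startswith("d") and _is_loose_drop(m["path"]):
                loose_by_stamp[m["stamp"]].append(m["path"])
        elif m := MISSING_DRIVER_RE.match(line):
            findings.append(Finding("driver-file-missing", f"{m['start']} {m['name']} {m['path']}"))
        elif m := REG_KEY_RE.match(line):
            current_key = m["key"].lower()
        elif m := REG_VAL_RE.match(line):
            findings.extend(_check_reg_value(current_key, m["name"], m["value"]))
    # Several loose files sharing one minute-resolution stamp = one dropper run.
    for stamp, paths in sorted(loose_by_stamp.items()):
        if len(paths) >= CLUSTER_MIN:
            findings.append(Finding("drop-cluster", f"{stamp}: " + ", ".join(paths)))
    return findings

# Constructed sample, modelled on lines from this thread.
SAMPLE_LOG = r"""
2009-02-19 09:04 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-10-12 20:30 19,606 -c--a-w c:\program files\Common Files\melo.com
2008-10-12 20:30 18,326 ----a-w c:\documents and settings\Marcus\Application Data\ycexim.reg
2008-10-12 20:30 16,160 -c--a-w c:\program files\Common Files\mudohoc.bat
2008-10-12 20:30 15,553 -c--a-w c:\program files\Common Files\ahupebykiw.dl
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=mvoqas.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-09-14 58048]
S0 skbgfqnd;skbgfqnd;c:\windows\system32\drivers\zkiefzrs.sys --> c:\windows\system32\drivers\zkiefzrs.sys [?]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}")
```

Run it against a full ComboFix.txt to get the same six classes of finding the helper's CFScript then addresses; the benign deploytk.dll and NaiAvTdi1 lines in the sample produce nothing.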
Tigger93
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

QUOTE
File::
c:\program files\Common Files\melo.com
c:\documents and settings\Marcus\Application Data\ycexim.reg
c:\program files\Common Files\mudohoc.bat
c:\program files\Common Files\ahupebykiw.dl
c:\program files\Common Files\efucu.ban
c:\documents and settings\Marcus\Application Data\ubywuxy.com
c:\documents and settings\Marcus\Application Data\axepub.bin
c:\windows\system32\drivers\zkiefzrs.sys

Folder::
c:\windows\ccddawrp

Driver::
skbgfqnd

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
FirefoxForNow
Alright. Ran the combofix script. It asked to reboot. I did, and signs of infection are still present (McAfee disabled on startup.)

What's next? And thanks again.

ComboFix 09-02-19.01 - Marcus 2009-02-22 17:53:44.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.2029 [GMT -8:00]
Running from: c:\documents and settings\Marcus\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Marcus\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\documents and settings\Marcus\Application Data\axepub.bin
c:\documents and settings\Marcus\Application Data\ubywuxy.com
c:\documents and settings\Marcus\Application Data\ycexim.reg
c:\program files\Common Files\ahupebykiw.dl
c:\program files\Common Files\efucu.ban
c:\program files\Common Files\melo.com
c:\program files\Common Files\mudohoc.bat
c:\windows\system32\drivers\zkiefzrs.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Marcus\Application Data\axepub.bin
c:\documents and settings\Marcus\Application Data\ubywuxy.com
c:\documents and settings\Marcus\Application Data\ycexim.reg
c:\program files\Common Files\ahupebykiw.dl
c:\program files\Common Files\efucu.ban
c:\program files\Common Files\melo.com
c:\program files\Common Files\mudohoc.bat
c:\windows\ccddawrp\

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_skbgfqnd


((((((((((((((((((((((((( Files Created from 2009-01-23 to 2009-02-23 )))))))))))))))))))))))))))))))
.

2009-02-20 19:06 . 2009-02-20 21:25 <DIR> d-------- C:\Lop SD
2009-02-20 17:52 . 2009-02-20 17:52 <DIR> d-------- c:\program files\Trend Micro
2009-02-19 01:04 . 2009-02-19 01:04 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-19 00:22 . 2009-02-19 00:30 1,924 --a------ c:\windows\ccddawrp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-21 05:20 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-21 05:20 --------- d-----w c:\program files\LucasArts
2009-02-21 02:52 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-20 00:49 --------- d-----w c:\program files\Creative
2009-02-20 00:47 --------- d-----w c:\program files\GemMaster
2009-02-19 09:04 --------- d-----w c:\program files\Java
2009-02-19 08:18 --------- d-----w c:\documents and settings\Marcus\Application Data\uTorrent
2009-02-19 08:17 --------- d-----w c:\program files\uTorrent
2009-02-11 18:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 18:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-10 22:00 1,033,728 ----a-w c:\windows\explorer.exe
2009-01-24 04:09 --------- d-----w c:\program files\Activision
2008-12-31 06:33 --------- d-----w c:\program files\GTR2
2007-05-27 03:22 24,192 -c--a-w c:\documents and settings\Marcus\usbsermptxp.sys
2007-05-27 03:22 22,768 -c--a-w c:\documents and settings\Marcus\usbsermpt.sys
2005-10-09 09:09 1,682 -csha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-02-21_19.51.43.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-22 03:37:42 54,280 ----a-w c:\windows\system32\perfc009.dat
+ 2009-02-23 01:52:53 54,280 ----a-w c:\windows\system32\perfc009.dat
- 2009-02-22 03:37:42 384,596 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-23 01:52:53 384,596 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-23 01:58:17 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_790.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-14 344064]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-05 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-11-08 128920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-10 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-19 148888]
"P17Helper"="P17.dll" [2004-06-10 c:\windows\system32\P17.dll]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
MA111 Configuration Utility.lnk - c:\program files\NETGEAR\MA111 Configuration Utility\wlancfg.exe [2006-09-01 459264]
NETGEAR WG311v3 Smart Wizard.lnk - c:\windows\Installer\{70014586-7BBA-4A92-A610-CDC896C48F8F}\NewShortcut1_1.exe [2006-11-27 1078]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"%windir%\\explorer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12345:UDP"= 12345:UDP:dc++

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-09-14 58048]
S3 WlanUIB;NETGEAR 802.11b USB Driver;c:\windows\system32\drivers\MA111nd5.sys [2006-09-01 666624]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.dell4me.com/myway
mDefault_Page_URL = hxxp://www.dell4me.com/myway
mStart Page = hxxp://www.dell4me.com/myway
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Marcus\Application Data\Mozilla\Firefox\Profiles\vosyr6jb.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-22 17:59:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(868)
c:\windows\system32\MrvGINA.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\NETGEAR\WG311v3\WinDomainlogon.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\VirusScan\vstskmgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\dllhost.exe
c:\program files\NETGEAR\WG311v3\WinDomainlogon.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\program files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
c:\documents and settings\Marcus\Desktop\iPod\bin\iPodService.exe
c:\program files\NETGEAR\WG311v3\wlancfg5.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2009-02-22 18:02:39 - machine was rebooted [Marcus]
ComboFix-quarantined-files.txt 2009-02-23 02:02:36
ComboFix2.txt 2009-02-22 19:54:11
ComboFix3.txt 2009-02-22 03:53:00

Pre-Run: 19,675,172,864 bytes free
Post-Run: 19,662,004,224 bytes free

187 --- E O F --- 2009-02-11 11:02:51

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:05:53 PM, on 2/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\Documents and Settings\Marcus\Desktop\iPod\bin\iPodService.exe
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Documents and Settings\Marcus\Desktop\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

--
End of file - 8499 bytes
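
A reviewer's first pass over an HJT log of this length is a set of rules of thumb: a service with no publisher string, a startup shortcut whose target could not be resolved, a binary that lives under a user profile, a bare command that gets resolved through PATH, an ActiveX package pulled from a third-party host. The script below is an added example (it is not part of this thread and not an HJT feature) that applies those heuristics to a few lines copied from the log above; the heuristics are the editor's own, and a hit is a prompt to look closer, not a verdict.

```python
"""Triage heuristics for HijackThis (HJT) log lines.

Added example; not part of the thread and not an HJT feature. SAMPLE_LOG is
a constructed subset of the log posted above. A flag means "look at this",
not "this is malware".
"""
import re

# Constructed sample: a handful of lines taken from the posted HJT log.
SAMPLE_LOG = r"""
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = ?
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Documents and Settings\Marcus\Desktop\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""

LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
DRIVE_RE = re.compile(r"[A-Za-z]:\\")
RUN_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^Global Startup: (?P<name>.+?) = (?P<cmd>.*)$")
DPF_RE = re.compile(r"^DPF: \{[^}]+\} \((?P<name>[^)]+)\) - (?P<url>\S+)$")


def split_target(text):
    """Split 'description - <drive path>' at the first drive letter.

    Splitting on the drive letter rather than on ' - ' keeps names such as
    'Spybot - Search & Destroy' and paths containing ' - ' intact.
    """
    m = DRIVE_RE.search(text)
    if not m:
        return text.strip(" -"), ""
    return text[: m.start()].rstrip(" -"), text[m.start():].strip()


def parse_line(line):
    """Return {kind, name, owner, target} for one HJT line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    entry = {"kind": kind, "name": "", "owner": "", "target": ""}
    if kind == "O23":                      # Service: <name> - <owner> - <path>
        head, entry["target"] = split_target(body[len("Service: "):])
        entry["name"], _, entry["owner"] = head.rpartition(" - ")
    elif kind == "O2":                     # BHO: <name> - {CLSID} - <path>
        head, entry["target"] = split_target(body[len("BHO: "):])
        entry["name"] = head.split(" - ")[0]
    elif kind == "O4":                     # Run-key entry or Global Startup .lnk
        r = RUN_RE.match(body) or STARTUP_RE.match(body)
        if r:
            entry["name"], entry["target"] = r.group("name"), r.group("cmd")
    elif kind == "O16":                    # DPF: {CLSID} (<name>) - <url>
        d = DPF_RE.match(body)
        if d:
            entry["name"], entry["target"] = d.group("name"), d.group("url")
    else:
        entry["name"] = body
    return entry


def flags_for(entry):
    """Heuristics a reviewer applies by eye; each hit is a reason string."""
    reasons = []
    target = entry["target"].lstrip('"')   # quoted command lines start with "
    low = target.lower()
    if entry["kind"] == "O23" and entry["owner"] == "Unknown owner":
        reasons.append("service binary carries no publisher string")
    if target == "?":
        reasons.append("startup shortcut target could not be resolved")
    elif target and not DRIVE_RE.match(target) and not low.startswith("http"):
        reasons.append("relative command; binary is resolved from PATH at run time")
    if ("\\documents and settings\\" in low or "\\temp\\" in low
            or re.fullmatch(r"[a-z]:\\[^\\]+", low)):
        reasons.append("executable lives outside Program Files and Windows")
    if entry["kind"] == "O16" and "microsoft.com" not in low:
        reasons.append("ActiveX download from a third-party host; confirm it is wanted")
    return reasons


def triage(log_text):
    """Map each flagged entry's name to the list of reasons it tripped."""
    report = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            reasons = flags_for(entry)
            if reasons:
                report[entry["name"]] = reasons
    return report


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On the sample, five of the seven lines trip a rule; the two that do not (the DLA helper and Java Quick Starter) sit in system locations with a named publisher. The iPod Service hit is a good illustration of why a flag is only a prompt: a service running from a folder on the Desktop is unusual enough to check, but the check, not the rule, decides.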
Tigger93
What signs of infection are you still seeing?
FirefoxForNow
Okay-

Things seem to be improved, but not perfect. McAfee antivirus is still disabled on startup initialization, even though the "enable on startup" option is selected.

There are no more IE popups, but seemingly random searches on Firefox redirect to strange sites which instigate popups claiming that my PC is infected and I need to click, etc.

There doesn't seem to be any huge "parasitic load" on my PC performance from malware, but you could convince me that my system was compromised and only running at 80%-90%.

I'm running scans with all my malware software. MWBAM returned zero results. Ad-Aware running now, then SpyBot. I'll let you know if they return anything.

Do you know what is causing the antivirus to be disabled and the Firefox redirects?

Cheers- progress has been made. Things are improving.
FirefoxForNow
SpyBot did come up with two HKEY Internet Explorer issues, but they are probably not responsible for the Firefox redirects. (There were no redirect issues with IE.)
Tigger93
Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    CODE
    Files to delete:
    C:\WINDOWS\system32\drivers\TDSSmqlt.sys
    C:\windows\system32\drivers\tdssserv.sys
    C:\WINDOWS\system32\drivers\TDSSmact.sys
    C:\WINDOWS\system32\drivers\TDSSrvdc.sys
    C:\WINDOWS\system32\TDSSwpyd.dat
    C:\WINDOWS\system32\TDSStkdv.log  
    C:\WINDOWS\system32\TDSSotxb.dll
    C:\WINDOWS\system32\TDSScrrn.dll
    C:\WINDOWS\system32\TDSSbvqh.dll
    C:\WINDOWS\system32\TDSSjnmx.dll
    c:\windows\system32\TDSShrxr.dll
    c:\windows\system32\TDSSkkbi.log
    c:\windows\system32\TDSSlrvd.dat
    c:\windows\system32\TDSSlxwp.dll
    c:\windows\system32\TDSSnmxh.log
    c:\windows\system32\TDSSoiqt.dll
    c:\windows\system32\TDSSrhyp.log
    c:\windows\system32\TDSSrtqp.dll
    c:\windows\system32\TDSSsihc.dll
    c:\windows\system32\TDSSxfum.dll
    C:\WINDOWS\SYSTEM32\qoMfefde.dll

    Drivers to delete:
    tdssserv

    Registry keys to delete:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssserv
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata
    HKEY_LOCAL_MACHINE\SOFTWARE\tdss
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV
  • In the Avenger window, click the Paste Script from Clipboard button.
  • Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.
FirefoxForNow
Bummer. It seems that the Avenger process was unsuccessful. I executed the script as asked. There was a confirmation screen (not included in instructions) asking me if I was sure I wanted to run despite the "delete services" command, I think.

Anyways, nothing appears to have changed upon reboot; infection signs are still present. No second reboot was necessary.

Here's the log. I'll try running the Avenger script again, see if it returns the same result. I'll post if it does.

What's next?

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\windows\system32\drivers\tdssserv.sys" not found!
Deletion of file "C:\windows\system32\drivers\tdssserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\drivers\TDSSmact.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\TDSSmact.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\drivers\TDSSrvdc.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\TDSSrvdc.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\TDSSwpyd.dat" not found!
Deletion of file "C:\WINDOWS\system32\TDSSwpyd.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\TDSStkdv.log" not found!
Deletion of file "C:\WINDOWS\system32\TDSStkdv.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\TDSSotxb.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSotxb.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\TDSScrrn.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSScrrn.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
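
Every entry in the excerpt above ends with `0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)`. That is not The Avenger failing to delete; it is the named file not being on disk at all, which is a different problem (the target list, not the tool) and should be read differently from an access-denied failure, where something present is holding or protecting the file. File names in the TDSS family carry a suffix that varies from one infection to the next, which is one reason a list carried over from another machine can miss entirely. The script below is an added example, not part of the thread and not a feature of The Avenger: it reconciles the scripted targets with the log and classifies each one. SCRIPT is a constructed subset of the helper's script above; LOG is a constructed subset of the posted log plus one entry (the TDSSwpyd.dat block, with an access-denied status in the same layout) added so that the second branch is exercised.

```python
"""Reconcile an Avenger script with the log it produced.

Added example; not part of the thread and not a feature of The Avenger.
SCRIPT is a subset of the helper's script; LOG is a subset of the posted
log plus one constructed entry (TDSSwpyd.dat, access denied) in the same
layout as the real entries.
"""
import re

SCRIPT = r"""
Files to delete:
C:\WINDOWS\system32\drivers\TDSSmqlt.sys
C:\windows\system32\drivers\tdssserv.sys
C:\WINDOWS\system32\TDSSwpyd.dat

Drivers to delete:
tdssserv

Registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv
HKEY_LOCAL_MACHINE\SOFTWARE\tdss
"""

LOG = r"""
Rootkit scan active.
No rootkits found!


Error: file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\windows\system32\drivers\tdssserv.sys" not found!
Deletion of file "C:\windows\system32\drivers\tdssserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Deletion of file "C:\WINDOWS\system32\TDSSwpyd.dat" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)
"""

SECTION_RE = re.compile(r"^(?P<what>[A-Za-z ]+) to (?P<action>delete|disable):$")
FAIL_RE = re.compile(r'^Deletion of \w+ "(?P<target>.+)" failed!$')
STATUS_RE = re.compile(r"^Status: (?P<code>0x[0-9a-f]{8}) \((?P<name>[A-Z_]+)\)$", re.I)

NOT_FOUND = 0xC0000034      # STATUS_OBJECT_NAME_NOT_FOUND: nothing by that name
ACCESS_DENIED = 0xC0000022  # STATUS_ACCESS_DENIED: present, but held or protected


def parse_script(text):
    """Return {section: [targets]} from an Avenger script."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("what")
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_log(text):
    """Return {target.lower(): ntstatus} for each failed deletion in the log.

    Windows paths are case-insensitive and the script mixes cases, so keys
    are lower-cased before comparison.
    """
    results, pending = {}, None
    for line in text.splitlines():
        f = FAIL_RE.match(line)
        if f:
            pending = f.group("target").lower()
            continue
        s = STATUS_RE.match(line)
        if s and pending:
            results[pending] = int(s.group("code"), 16)
            pending = None
    return results


def classify(status):
    """Turn an NTSTATUS (or None for 'not mentioned') into a reviewer verdict."""
    if status is None:
        return "no result in log"
    if status == NOT_FOUND:
        return "absent"
    if status == ACCESS_DENIED:
        return "present, access denied"
    return f"failed (0x{status:08x})"


def reconcile(script_text, log_text):
    """Pair every scripted target with what the log says happened to it."""
    results = parse_log(log_text)
    return {t: classify(results.get(t.lower()))
            for targets in parse_script(script_text).values()
            for t in targets}


def summary(report):
    """Count verdicts, e.g. {'absent': 2, 'no result in log': 3, ...}."""
    counts = {}
    for verdict in report.values():
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    rep = reconcile(SCRIPT, LOG)
    for target, verdict in rep.items():
        print(f"{verdict:>24}  {target}")
    print(summary(rep))
```

A run where every file comes back "absent" means the next step is a fresh look at what is actually on the machine rather than a second run of the same script; the driver and registry targets show up as "no result in log" here because the posted excerpt ends before The Avenger reached them.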
FirefoxForNow
Ran Avenger a second time. Here is the "services" prompt that popped up between the "sure you want to execute..." and "reboot..." prompts.

"It is dangerous to edit services registry keys directly, if...." sorry, that's all I jotted down..

It's probably irrelevant, but after the 1st run and reboot, the internal speaker in my tower bleeped at me. It's never done that before.

Strangely, after the second running of Avenger, there was no .txt log report that popped up. Maybe it knew that the log would be redundant and identical to the last it produced. I don't know.

So I generated another ComboFix log... thought it might be more helpful than the Avenger log.

What's the next plan of attack?

ComboFix 09-02-19.01 - Marcus 2009-02-23 23:13:13.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.2091 [GMT -8:00]
Running from: c:\documents and settings\Marcus\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-01-24 to 2009-02-24 )))))))))))))))))))))))))))))))
.

2009-02-23 22:59 . 2009-02-23 22:59 135,168 --a------ C:\zip.exe
2009-02-23 22:59 . 2009-02-23 22:59 19,286 --a------ C:\cleanup.exe
2009-02-23 22:59 . 2009-02-23 22:59 574 --a------ C:\cleanup.bat
2009-02-23 22:59 . 2009-02-23 22:59 0 --a------ C:\backup.reg
2009-02-20 19:06 . 2009-02-20 21:25 <DIR> d-------- C:\Lop SD
2009-02-20 17:52 . 2009-02-20 17:52 <DIR> d-------- c:\program files\Trend Micro
2009-02-19 01:04 . 2009-02-19 01:04 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-19 00:22 . 2009-02-19 00:30 1,924 --a------ c:\windows\ccddawrp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-21 05:20 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-21 05:20 --------- d-----w c:\program files\LucasArts
2009-02-21 02:52 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-20 00:49 --------- d-----w c:\program files\Creative
2009-02-20 00:47 --------- d-----w c:\program files\GemMaster
2009-02-19 09:04 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-02-19 09:04 --------- d-----w c:\program files\Java
2009-02-19 08:18 --------- d-----w c:\documents and settings\Marcus\Application Data\uTorrent
2009-02-19 08:17 --------- d-----w c:\program files\uTorrent
2009-02-11 18:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 18:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-10 22:00 1,033,728 ----a-w c:\windows\system32\dllcache\explorer.exe
2009-02-10 22:00 1,033,728 ----a-w c:\windows\explorer.exe
2009-01-24 04:09 --------- d-----w c:\program files\Activision
2008-12-31 06:33 --------- d-----w c:\program files\GTR2
2008-12-12 17:01 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2007-05-27 03:22 24,192 -c--a-w c:\documents and settings\Marcus\usbsermptxp.sys
2007-05-27 03:22 22,768 -c--a-w c:\documents and settings\Marcus\usbsermpt.sys
2005-10-06 23:17 280,576 -c--a-w c:\windows\inf\WG311v3\WG311v3XP.sys
2005-10-06 23:17 280,576 -c--a-w c:\windows\inf\WG311v3\WG311v3.sys
2005-03-01 19:16 212,992 -c--a-w c:\windows\inf\WG311v3\CopyWHQLDriver.exe
2005-10-09 09:09 1,682 -csha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-02-21_19.51.43.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-22 03:37:42 54,280 ----a-w c:\windows\system32\perfc009.dat
+ 2009-02-24 07:06:55 54,280 ----a-w c:\windows\system32\perfc009.dat
- 2009-02-22 03:37:42 384,596 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-24 07:06:55 384,596 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-24 07:02:51 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_330.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-14 344064]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-05 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-11-08 128920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-10 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-19 148888]
"P17Helper"="P17.dll" [2004-06-10 c:\windows\system32\P17.dll]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
MA111 Configuration Utility.lnk - c:\program files\NETGEAR\MA111 Configuration Utility\wlancfg.exe [2006-09-01 459264]
NETGEAR WG311v3 Smart Wizard.lnk - c:\windows\Installer\{70014586-7BBA-4A92-A610-CDC896C48F8F}\NewShortcut1_1.exe [2006-11-27 1078]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"%windir%\\explorer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12345:UDP"= 12345:UDP:dc++

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-09-14 58048]
S3 WlanUIB;NETGEAR 802.11b USB Driver;c:\windows\system32\drivers\MA111nd5.sys [2006-09-01 666624]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.dell4me.com/myway
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Marcus\Application Data\Mozilla\Firefox\Profiles\vosyr6jb.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-23 23:16:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(864)
c:\windows\system32\MrvGINA.dll
.
Completion time: 2009-02-23 23:17:50
ComboFix-quarantined-files.txt 2009-02-24 07:17:48
ComboFix2.txt 2009-02-23 02:02:40
ComboFix3.txt 2009-02-22 19:54:11
ComboFix4.txt 2009-02-22 03:53:00

Pre-Run: 19,319,517,184 bytes free
Post-Run: 19,302,203,392 bytes free

139 --- E O F --- 2009-02-11 11:02:51
Tigger93
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.


2. Now copy/paste the entire content of the codebox below into the Notepad window:

QUOTE
File::
C:\zip.exe
C:\cleanup.exe
C:\cleanup.bat
C:\backup.reg
c:\windows\ccddawrp



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
FirefoxForNow
Okay. ComboFix ran the script without event. No reboot necessary. Can't tell if any infection signs have left. I will post back after reboot/further PC use to tell you if any have been dealt with.

ComboFix 09-02-19.01 - Marcus 2009-02-24 12:30:06.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.2036 [GMT -8:00]
Running from: c:\documents and settings\Marcus\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Marcus\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\backup.reg
C:\cleanup.bat
C:\cleanup.exe
c:\windows\ccddawrp
C:\zip.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\backup.reg
C:\cleanup.bat
C:\cleanup.exe
c:\windows\ccddawrp
C:\zip.exe

.
((((((((((((((((((((((((( Files Created from 2009-01-24 to 2009-02-24 )))))))))))))))))))))))))))))))
.

2009-02-24 12:23 . 2009-02-24 12:23 <DIR> d-------- c:\windows\LastGood
2009-02-20 19:06 . 2009-02-20 21:25 <DIR> d-------- C:\Lop SD
2009-02-20 17:52 . 2009-02-20 17:52 <DIR> d-------- c:\program files\Trend Micro
2009-02-19 01:04 . 2009-02-19 01:04 73,728 --a------ c:\windows\system32\javacpl.cpl

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-24 07:36 --------- d-----w c:\program files\HP
2009-02-21 05:20 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-21 05:20 --------- d-----w c:\program files\LucasArts
2009-02-21 02:52 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-20 00:49 --------- d-----w c:\program files\Creative
2009-02-20 00:47 --------- d-----w c:\program files\GemMaster
2009-02-19 09:04 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-02-19 09:04 --------- d-----w c:\program files\Java
2009-02-19 08:18 --------- d-----w c:\documents and settings\Marcus\Application Data\uTorrent
2009-02-19 08:17 --------- d-----w c:\program files\uTorrent
2009-02-11 18:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 18:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-10 22:00 1,033,728 ----a-w c:\windows\system32\dllcache\explorer.exe
2009-02-10 22:00 1,033,728 ----a-w c:\windows\explorer.exe
2009-01-24 04:09 --------- d-----w c:\program files\Activision
2008-12-31 06:33 --------- d-----w c:\program files\GTR2
2008-12-12 17:01 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2007-05-27 03:22 24,192 -c--a-w c:\documents and settings\Marcus\usbsermptxp.sys
2007-05-27 03:22 22,768 -c--a-w c:\documents and settings\Marcus\usbsermpt.sys
2005-10-06 23:17 280,576 -c--a-w c:\windows\inf\WG311v3\WG311v3XP.sys
2005-10-06 23:17 280,576 -c--a-w c:\windows\inf\WG311v3\WG311v3.sys
2005-03-01 19:16 212,992 -c--a-w c:\windows\inf\WG311v3\CopyWHQLDriver.exe
2005-10-09 09:09 1,682 -csha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-02-21_19.51.43.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-22 03:37:42 54,280 ----a-w c:\windows\system32\perfc009.dat
+ 2009-02-24 20:25:55 46,924 ----a-w c:\windows\system32\perfc009.dat
- 2009-02-22 03:37:42 384,596 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-24 20:25:55 367,980 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-24 20:21:49 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_330.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-14 344064]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-05 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-11-08 128920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-10 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-19 148888]
"P17Helper"="P17.dll" [2004-06-10 c:\windows\system32\P17.dll]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
MA111 Configuration Utility.lnk - c:\program files\NETGEAR\MA111 Configuration Utility\wlancfg.exe [2006-09-01 459264]
NETGEAR WG311v3 Smart Wizard.lnk - c:\windows\Installer\{70014586-7BBA-4A92-A610-CDC896C48F8F}\NewShortcut1_1.exe [2006-11-27 1078]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"%windir%\\explorer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12345:UDP"= 12345:UDP:dc++

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-09-14 58048]
S3 WlanUIB;NETGEAR 802.11b USB Driver;c:\windows\system32\drivers\MA111nd5.sys [2006-09-01 666624]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ENTDRV51
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.dell4me.com/myway
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Marcus\Application Data\Mozilla\Firefox\Profiles\vosyr6jb.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-24 12:32:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(864)
c:\windows\system32\MrvGINA.dll

- - - - - - - > 'lsass.exe'(924)
c:\windows\system32\EntApi.dll
.
Completion time: 2009-02-24 12:34:32
ComboFix-quarantined-files.txt 2009-02-24 20:34:30
ComboFix2.txt 2009-02-24 07:17:52
ComboFix3.txt 2009-02-23 02:02:40
ComboFix4.txt 2009-02-22 19:54:11
ComboFix5.txt 2009-02-24 20:29:31

Pre-Run: 19,575,681,024 bytes free
Post-Run: 19,568,209,920 bytes free

154 --- E O F --- 2009-02-11 11:02:51

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:35:29 PM, on 2/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Documents and Settings\Marcus\Desktop\iPod\bin\iPodService.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

--
End of file - 7774 bytes
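The "You look clean" verdict that follows is reached by reading entries like the O4 and O23 lines above: a helper scans for services with no publisher, entries whose file no longer exists, auto-starts launched from a user profile or Temp folder, and system binary names (svchost.exe, lsass.exe) living outside system32. The script below is an added example, not part of the thread and not a HijackThis feature; it parses the O2/O4/O23 line formats shown in the log and applies those checks. The embedded sample lines are copied from the posted log except the `[svchost]` Temp entry, which is constructed to exercise the masquerading check. Caveat a practitioner would add: an entry hidden by a rootkit never reaches the HijackThis log at all, which is why the thread also ran ComboFix's catchme scan rather than relying on this log alone.

```python
"""Triage helper for HijackThis-style log lines (added example, not HJT code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample lines: copied from the posted log, plus one constructed [svchost] line.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\Marcus\Local Settings\Temp\svchost.exe
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = ?
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Unknown owner - C:\Documents and Settings\Marcus\Desktop\iPod\bin\iPodService.exe (file missing)
"""

RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
RE_O4_RUN = re.compile(r"^O4 - (?P<hive>HK.+?)\\\.\.\\Run\w*: \[(?P<name>[^\]]+)\] (?P<path>.+)$")
RE_O4_GLOBAL = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<path>.+)$")
RE_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Names of core Windows processes that malware commonly borrows.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "winlogon.exe", "services.exe",
                "csrss.exe", "smss.exe", "explorer.exe"}
# Directory fragments (lower-cased) an ordinary user can write to on XP.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\recycler\\")


@dataclass
class Entry:
    kind: str          # "O2", "O4" or "O23"
    name: str
    path: str          # file path or command exactly as written in the log
    owner: str = ""    # O23 company field, empty for other kinds


@dataclass
class Finding:
    entry: Entry
    reasons: List[str]


def command_target(cmd: str) -> str:
    """Return the executable part of an O4 command line (quoted or up to the first switch)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return re.split(r"\s+[/-]", cmd, maxsplit=1)[0]


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one HJT line into an Entry; unsupported line kinds return None."""
    if m := RE_O2.match(line):
        return Entry("O2", m["name"], m["path"])
    if m := RE_O4_RUN.match(line):
        return Entry("O4", m["name"], command_target(m["path"]))
    if m := RE_O4_GLOBAL.match(line):
        return Entry("O4", m["name"], m["path"].strip())
    if m := RE_O23.match(line):
        return Entry("O23", m["name"], m["path"], m["owner"])
    return None


def check_entry(e: Entry) -> List[str]:
    """Apply the first-pass checks a log helper makes; return human-readable reasons."""
    reasons = []
    path = e.path
    for marker in ("(file missing)", "(no file)"):
        if path.endswith(marker):
            reasons.append("file missing: stale or already-cleaned entry, remove it")
            path = path[: -len(marker)].strip()
    if e.kind == "O23" and e.owner.lower() == "unknown owner":
        reasons.append("service has no publisher: verify the binary's signature and hash")
    if path == "?":
        reasons.append("startup shortcut target could not be resolved")
        return reasons
    low = path.lower()
    if not re.match(r"^[a-z]:\\", low):
        reasons.append("no absolute path: binary is resolved via the search path")
    if any(d in low for d in USER_WRITABLE):
        reasons.append("auto-start from a user-writable location")
    base = low.rsplit("\\", 1)[-1]
    if base in SYSTEM_NAMES and "\\windows\\system32\\" not in low:
        reasons.append("Windows system binary name outside system32")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per parsed entry that trips at least one check."""
    findings = []
    for raw in log_text.splitlines():
        entry = parse_entry(raw.strip())
        if entry is not None and (reasons := check_entry(entry)):
            findings.append(Finding(entry, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry.kind} [{f.entry.name}] {f.entry.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

Running it over the sample flags the iPod Service (unknown owner, missing file, profile path), DSBrokerService (unknown owner only; a benign Dell component that still merits a signature check), the unresolved NETGEAR shortcut, the Rundll32 entry with no absolute path, and the constructed Temp-resident svchost.exe, while the Ad-Aware service, Spybot BHO, DellSupport and CTSysVol entries pass untouched.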
Tigger93
You look clean. Still having any problems?

You also need to uninstall your current version of Adobe Reader and install the latest version (9) from here
FirefoxForNow
Things are looking good.

I'm still getting some signs of infection. IE is running fine, but Google searches in Firefox result in random (not consistent) redirects.

McAfee is also still disabled on startup, which doesn't seem right.

MWBAM scan still coming up with nothing.

Any ideas what is causing the Firefox bug? Should I try uninstalling/reinstalling it?

Again, thanks for all your help, Tigger. +1 to your karma stash.
FirefoxForNow
One more item-

All my system restore points from before infection are still absent. I was hoping that after disinfection, these might be accessible again. I guess it is possible that they were actually deleted/wiped, but I figured I'd let you know.
Tigger93
Let's run an online scan and see if it finds anything. Also, any restore points from before this infection would be infected, so they would have just reinfected you.

Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.