mist_sahara

Here is the log after running ComboFix. ComboFix 09-04-15.08 - Derrick 04/15/2009 0:26.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.681 [GMT -7:00] Running from: c:\documents and settings\Derrick\Desktop\ComboFix.exe AV: AntiVir Desktop *On-access scanning disabled* (Updated) AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) FW: ZoneAlarm Security Suite Firewall *disabled* * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Autorun.inf . ((((((((((((((((((((((((( Files Created from 2009-03-15 to 2009-04-15 ))))))))))))))))))))))))))))))) . 2009-04-15 01:01 . 2009-04-15 01:01 -------- d-----w c:\program files\PCSpim 2009-04-15 00:50 . 2009-04-15 00:50 64776 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat 2009-04-15 00:50 . 2009-04-15 00:50 -------- d-----w c:\windows\system32\XPSViewer 2009-04-15 00:50 . 2009-04-15 00:50 -------- d-----w c:\program files\MSBuild 2009-04-15 00:49 . 2009-04-15 00:49 -------- d-----w c:\program files\Reference Assemblies 2009-04-15 00:48 . 2009-04-15 00:49 -------- d-----w C:\8a199e51b6c76bb1c403a8 2009-04-15 00:48 . 2008-07-06 12:06 89088 -c----w c:\windows\system32\dllcache\filterpipelineprintproc.dll 2009-04-15 00:48 . 2008-07-06 12:06 575488 -c----w c:\windows\system32\dllcache\xpsshhdr.dll 2009-04-15 00:48 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll 2009-04-15 00:48 . 2008-07-06 12:06 1676288 -c----w c:\windows\system32\dllcache\xpssvcs.dll 2009-04-15 00:48 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll 2009-04-15 00:48 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll 2009-04-15 00:48 . 2008-07-06 10:50 597504 -c----w c:\windows\system32\dllcache\printfilterpipelinesvc.exe 2009-04-14 22:53 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll 2009-04-14 22:53 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll 2009-04-14 22:53 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll 2009-04-14 22:53 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe 2009-04-14 22:53 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll 2009-04-14 22:53 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll 2009-04-14 22:53 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll 2009-04-14 22:53 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll 2009-04-14 22:53 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe 2009-04-14 22:52 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb 2009-04-14 22:52 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll 2009-04-14 22:52 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe 2009-04-14 17:26 . 2009-02-13 18:31 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys 2009-04-14 17:26 . 2009-04-14 17:26 -------- d-----w c:\program files\Avira 2009-04-14 17:26 . 2009-04-14 17:26 -------- d-----w c:\documents and settings\All Users\Application Data\Avira 2009-04-14 17:22 . 2009-04-14 17:22 -------- d--h--w c:\windows\system32\GroupPolicy 2009-04-14 00:25 . 2009-04-14 00:26 -------- d-----w c:\program files\Xming 2009-04-13 21:38 . 2009-04-13 21:38 -------- d-----w c:\program files\Trend Micro 2009-04-13 18:57 . 2009-04-13 18:57 -------- d-----w c:\documents and settings\Derrick\Application Data\Malwarebytes 2009-04-13 18:57 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys 2009-04-13 18:57 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys 2009-04-13 18:57 . 2009-04-13 18:57 -------- d-----w c:\program files\Malwarebytes' Anti-Malware 2009-04-13 18:57 . 2009-04-13 18:57 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes 2009-04-13 15:28 . 2009-04-13 15:29 -------- d-----w c:\documents and settings\Derrick\Application Data\vlc 2009-04-13 08:15 . 2009-04-14 00:30 -------- d-----w c:\documents and settings\Derrick\Application Data\SSH 2009-04-13 08:14 . 2009-04-13 08:14 -------- d-----w c:\program files\SSH Communications Security 2009-04-13 07:26 . 2009-04-13 07:26 -------- d-----w c:\program files\VideoLAN 2009-04-13 07:19 . 2009-04-13 07:19 -------- d-----w c:\documents and settings\Derrick\Application Data\FastStone 2009-04-13 07:19 . 2009-04-13 07:19 -------- d-----w c:\program files\FastStone Image Viewer 2009-04-13 06:37 . 2009-04-13 07:23 -------- d-----w c:\program files\StealthBot 2009-04-13 06:26 . 2009-04-13 06:26 -------- d-----w c:\program files\CONEXANT 2009-04-13 06:19 . 2009-04-13 06:20 -------- d-----w c:\documents and settings\Derrick\Local Settings\Application Data\Adobe 2009-04-13 06:06 . 2009-04-13 06:06 -------- d-----w c:\program files\Common Files\Adobe AIR 2009-04-13 06:04 . 2009-04-13 06:05 -------- d-----w c:\program files\Common Files\Adobe 2009-04-13 05:38 . 2009-04-13 06:15 77740 ----a-w c:\windows\War3Unin.dat 2009-04-13 05:38 . 2009-04-13 05:50 2829 ----a-w c:\windows\War3Unin.pif 2009-04-13 05:38 . 2009-04-13 05:50 139264 ----a-w c:\windows\War3Unin.exe 2009-04-13 05:33 . 2009-04-15 03:06 -------- d-----w c:\program files\Warcraft III 2009-04-13 05:13 . 2008-04-13 18:45 6272 -c--a-w c:\windows\system32\dllcache\splitter.sys 2009-04-13 05:13 . 2008-04-13 18:45 6272 ----a-w c:\windows\system32\drivers\splitter.sys 2009-04-13 05:13 . 2008-04-13 19:17 83072 -c--a-w c:\windows\system32\dllcache\wdmaud.sys 2009-04-13 05:13 . 2008-04-13 19:17 83072 ----a-w c:\windows\system32\drivers\wdmaud.sys 2009-04-13 05:13 . 2008-04-13 18:45 52864 -c--a-w c:\windows\system32\dllcache\dmusic.sys 2009-04-13 05:13 . 2008-04-13 18:45 52864 ----a-w c:\windows\system32\drivers\DMusic.sys 2009-04-13 05:13 . 2008-04-13 18:45 56576 -c--a-w c:\windows\system32\dllcache\swmidi.sys 2009-04-13 05:13 . 2008-04-13 18:45 56576 ----a-w c:\windows\system32\drivers\swmidi.sys 2009-04-13 05:13 . 2008-04-13 16:39 142592 -c--a-w c:\windows\system32\dllcache\aec.sys 2009-04-13 05:13 . 2008-04-13 16:39 142592 ----a-w c:\windows\system32\drivers\aec.sys 2009-04-13 05:13 . 2008-04-13 18:45 172416 -c--a-w c:\windows\system32\dllcache\kmixer.sys 2009-04-13 05:13 . 2008-04-13 18:45 172416 ----a-w c:\windows\system32\drivers\kmixer.sys 2009-04-13 05:10 . 2009-04-13 05:10 -------- d-----w c:\program files\ATI Technologies 2009-04-13 04:59 . 2009-04-13 04:59 -------- d-----w c:\documents and settings\NetworkService\Application Data\Intel 2009-04-13 04:59 . 2009-04-13 04:59 -------- d-----w c:\documents and settings\LocalService\Application Data\Intel 2009-04-13 04:59 . 2009-04-13 04:59 -------- d-----w c:\documents and settings\Derrick\Application Data\Intel 2009-04-13 04:58 . 2009-04-13 04:58 21425 ----a-w c:\windows\system32\drivers\AegisP.sys 2009-04-13 04:58 . 2009-04-13 04:58 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\Intel 2009-04-13 04:58 . 2009-04-13 04:58 -------- d-----w c:\documents and settings\All Users\Application Data\Intel 2009-04-13 04:57 . 2007-02-12 18:41 2732032 ----a-w c:\windows\system32\Netw2r32.dll 2009-04-13 04:57 . 2007-02-12 18:40 557056 ----a-w c:\windows\system32\Netw2c32.dll 2009-04-13 04:57 . 2007-02-08 20:51 2209408 ----a-w c:\windows\system32\drivers\w29n51.sys 2009-04-13 04:57 . 2009-04-13 04:57 -------- dc----w c:\windows\system32\DRVSTORE 2009-04-13 04:57 . 2009-04-13 04:57 -------- d-----w c:\program files\Intel 2009-04-13 04:42 . 2008-06-13 11:05 272128 -c----w c:\windows\system32\dllcache\bthport.sys 2009-04-13 04:42 . 2009-02-20 08:10 666112 -c----w c:\windows\system32\dllcache\wininet.dll 2009-04-13 04:42 . 2009-02-20 08:10 619520 -c----w c:\windows\system32\dllcache\urlmon.dll 2009-04-13 04:42 . 2009-03-02 23:04 1499136 -c----w c:\windows\system32\dllcache\shdocvw.dll 2009-04-13 04:41 . 2009-02-06 11:06 2145280 -c----w c:\windows\system32\dllcache\ntkrnlmp.exe 2009-04-13 04:41 . 2009-02-06 11:08 2189056 -c----w c:\windows\system32\dllcache\ntoskrnl.exe 2009-04-13 04:41 . 2009-02-06 10:32 2023936 -c----w c:\windows\system32\dllcache\ntkrpamp.exe 2009-04-13 04:41 . 2009-02-08 02:02 2066048 -c----w c:\windows\system32\dllcache\ntkrnlpa.exe 2009-04-13 04:41 . 2009-02-20 08:11 3068416 -c----w c:\windows\system32\dllcache\mshtml.dll 2009-04-13 04:41 . 2008-05-08 14:02 203136 -c----w c:\windows\system32\dllcache\rmcast.sys 2009-04-13 04:41 . 2008-10-24 11:21 455296 -c----w c:\windows\system32\dllcache\mrxsmb.sys 2009-04-13 04:41 . 2008-12-11 10:57 333952 -c----w c:\windows\system32\dllcache\srv.sys 2009-04-13 04:41 . 2008-05-01 14:33 331776 -c----w c:\windows\system32\dllcache\msadce.dll 2009-04-13 04:41 . 2008-04-11 19:04 691712 -c----w c:\windows\system32\dllcache\inetcomm.dll 2009-04-13 04:41 . 2008-10-15 16:34 337408 -c----w c:\windows\system32\dllcache\netapi32.dll 2009-04-13 04:41 . 2008-09-04 17:15 1106944 -c----w c:\windows\system32\dllcache\msxml3.dll 2009-04-13 04:28 . 2009-04-13 04:28 -------- d-----w c:\windows\system32\scripting 2009-04-13 04:28 . 2009-04-13 04:28 -------- d-----w c:\windows\l2schemas 2009-04-13 04:28 . 2009-04-13 04:28 -------- d-----w c:\windows\system32\en 2009-04-13 04:28 . 2009-04-13 04:28 -------- d-----w c:\windows\system32\bits 2009-04-13 04:25 . 2009-04-13 04:29 -------- d-----w c:\windows\ServicePackFiles 2009-04-13 04:13 . 2009-04-13 04:13 -------- d-----w c:\windows\system32\LogFiles 2009-04-13 04:06 . 2004-08-04 12:00 9585 -c----w c:\windows\system32\dllcache\controls.css 2009-04-13 04:06 . 2004-08-04 12:00 6878 -c----w c:\windows\system32\dllcache\controls.js 2009-04-13 04:06 . 2004-08-04 12:00 381425 -c----w c:\windows\system32\dllcache\copycd.wmv 2009-04-13 04:06 . 2004-07-18 05:55 129045 ------w c:\windows\system32\drivers\cxthsfs2.cty 2009-04-13 04:06 . 2004-08-04 12:00 8298 -c----w c:\windows\system32\dllcache\contents.htm 2009-04-13 04:06 . 2004-08-04 12:00 773 -c----w c:\windows\system32\dllcache\cnth.gif 2009-04-13 04:06 . 2004-08-04 12:00 773 -c----w c:\windows\system32\dllcache\cnt.gif 2009-04-13 04:06 . 2004-08-04 12:00 772 -c----w c:\windows\system32\dllcache\cntd.gif 2009-04-13 04:06 . 2004-08-04 12:00 760 -c----w c:\windows\system32\dllcache\cloapph.gif 2009-04-13 04:06 . 2004-08-04 12:00 717 -c----w c:\windows\system32\dllcache\cloapp.gif 2009-04-13 04:06 . 2004-08-04 12:00 999 -c----w c:\windows\system32\dllcache\bktrh.gif 2009-04-13 04:05 . 2009-04-14 20:49 1113 ----a-w C:\rollback.ini . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-04-15 07:28 . 2009-04-13 03:43 14052896 --sha-w c:\windows\system32\drivers\fidbox.dat 2009-04-15 07:28 . 2009-04-13 03:43 14052896 --sha-w c:\windows\system32\drivers\fidbox.dat 2009-04-15 07:22 . 2009-04-13 03:44 13104 ----a-w c:\documents and settings\Derrick\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-04-15 03:04 . 2009-04-13 03:43 171440 --sha-w c:\windows\system32\drivers\fidbox.idx 2009-04-13 08:20 . 2009-04-13 14:56 251904 ----a-w c:\windows\Internet Logs\xDB1.tmp 2009-04-13 08:14 . 2009-04-13 03:48 -------- d--h--w c:\program files\InstallShield Installation Information 2009-04-13 05:12 . 2009-04-13 05:12 -------- d-----w c:\program files\SigmaTel 2009-04-13 05:12 . 2009-04-13 03:47 -------- d-----w c:\program files\Common Files\InstallShield 2009-04-13 04:39 . 2009-04-13 03:41 4212 ---ha-w c:\windows\system32\zllictbl.dat 2009-04-13 04:32 . 2009-04-13 03:24 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat 2009-04-13 04:22 . 2004-08-04 12:00 250048 --sha-r C:\ntldr 2009-04-13 03:47 . 2009-04-13 03:47 -------- d-----w c:\program files\Broadcom 2009-04-13 03:43 . 2009-04-13 03:43 -------- d-----w c:\documents and settings\Derrick\Application Data\MailFrontier 2009-04-13 03:38 . 2009-04-13 03:38 -------- d-----w c:\program files\Zone Labs 2009-04-13 03:25 . 2009-04-13 03:25 -------- d-----w c:\program files\microsoft frontpage 2009-04-13 03:21 . 2009-04-13 03:21 21640 ----a-w c:\windows\system32\emptyregdb.dat 2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll 2009-02-20 08:10 . 2004-08-04 12:00 666112 ----a-w c:\windows\system32\wininet.dll 2009-02-20 08:10 . 2004-08-04 12:00 81920 ----a-w c:\windows\system32\ieencode.dll 2009-02-16 07:10 . 2009-04-13 03:41 72584 ----a-w c:\windows\zllsputility.exe 2009-02-16 07:10 . 2009-04-13 03:40 1221512 ----a-w c:\windows\system32\zpeng25.dll 2009-02-09 12:10 . 2004-08-04 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll 2009-02-09 12:10 . 2004-08-04 12:00 714752 ----a-w c:\windows\system32\ntdll.dll 2009-02-09 12:10 . 2004-08-04 12:00 617472 ----a-w c:\windows\system32\advapi32.dll 2009-02-09 12:10 . 2004-08-04 12:00 401408 ----a-w c:\windows\system32\rpcss.dll 2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys 2009-02-08 02:02 . 2004-08-03 22:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe 2009-02-06 11:11 . 2004-08-04 12:00 110592 ----a-w c:\windows\system32\services.exe 2009-02-06 11:08 . 2004-08-04 12:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe 2009-02-06 10:39 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe 2009-02-03 19:59 . 2004-08-04 12:00 56832 ----a-w c:\windows\system32\secur32.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384] "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200] "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153] [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-03-05 108289] . - - - - ORPHANS REMOVED - - - - HKLM-Run-MSConfig - c:\windows\GSPI412.vbs . ------- Supplementary Scan ------- . FF - ProfilePath - c:\documents and settings\Derrick\Application Data\Mozilla\Firefox\Profiles\ulb1e6i1.default\ FF - prefs.js: browser.search.selectedEngine - Wikipedia (en) FF - prefs.js: browser.startup.homepage - hxxp://www.google.com . ************************************************************************** catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-04-15 00:28 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(880) c:\windows\system32\Ati2evxx.dll . Completion time: 2009-04-15 0:29 ComboFix-quarantined-files.txt 2009-04-15 07:29 Pre-Run: 52,533,067,776 bytes free Post-Run: 52,552,151,040 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect 213 --- E O F --- 2009-04-14 23:10

I realized that the infection I saw earlier was detected by AtiVir Guard 4/14/2009,10:27:26 --------------------------------------------------------- 4/14/2009,10:27:29 Keyfile contains a valid license. The Avira AntiVir Personal - Free Antivirus will run as a fully functional version! 4/14/2009,10:27:29 AntiVir Guard version: 9.00.01.26,engine version 8.2.0.100,VDF version: 7.1.2.127 4/14/2009,10:27:30 AntiVir Guard was enabled. 4/14/2009,10:27:30 Avira AntiVir Personal - Free Antivirus has been started successfully! 4/14/2009,10:27:30 [CONFIG] On-Access configuration used: - Files to scan: scan files from local drives - Files to scan: Use file extension list: . .386 .?HT* .ACM .ADE .ADP .ANI .APP .ASD .ASF .ASP .ASX .AWX .AX .BAS .BAT .BIN .BOO .CDF .CHM .CLASS .CMD .CNV .COM .CPL .CPX .CRT .CSH .DLL .DLO .DO? .DRV .EMF .EML .EXE* .FAS .FLT .FOT .HLP .HT* .INF .INI .INS .ISP .J2K .JAR .JFF .JFI .JFIF .JIF .JMH .JNG .JP2 .JPE .JPEG .JPG .JS* .JSE .LNK .LSP .MD? .MDB .MOD .MS? .NWS .OBJ .OCX .OLB .OSD .OV? .PCD .PDF .PDR .PGM .PHP .PIF .PKG .PL* .PNG .POT .PPS .PPT .PRG .RAR .REG .RPL .RTF .SBF .SCR .SCRIPT .SCT .SH .SHA .SHB .SHS .SHTM* .SIS .SPL .SWF .SYS .TLB .TMP .TSP .TTF .URL .VB? .VCS .VLM .VXD .VXO .WIZ .WLL .WMD .WMF .WMS .WMZ .WPC .WSC .WSF .WSH .WWK .XL? .XML .XXX .ZIP - Device mode: scan files on open, scan files on close - Actions: ask the user - Scan archive: Disabled - Heuristic: Enabled - Win32 file heuristic: Medium detection level - Logfile report level Default 4/14/2009,10:33:12 Update process started! 4/14/2009,10:33:16 Current Engine Version: 8.2.0.143 4/14/2009,10:33:16 Current Pattern File: 7.1.3.50 4/14/2009,12:41:02 [WARNING] Contains recognition pattern of the HTML/Rce.Gen HTML script virus! C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20090414-123942-6A162BCA\AVSCAN-00000003.vbs [uSER] NT AUTHORITY\SYSTEM [iNFO] No right to access the file. 4/14/2009,12:41:01 [WARNING] Contains recognition pattern of the VBS/Autorun.ar VBS script virus! F:\GSPI410.vbs [uSER] NT AUTHORITY\SYSTEM [iNFO] No right to access the file. 4/14/2009,12:41:02 [WARNING] Contains recognition pattern of the VBS/Autorun.ar VBS script virus! F:\GSPI412.vbs [uSER] NT AUTHORITY\SYSTEM [iNFO] No right to access the file. 4/14/2009,12:41:02 [WARNING] Contains recognition pattern of the HTML/Rce.Gen HTML script virus! C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20090414-123942-6A162BCA\AVSCAN-00000002.vbs [uSER] NT AUTHORITY\SYSTEM [iNFO] No right to access the file. 4/14/2009,13:08:24 [WARNING] Contains recognition pattern of the VBS/Autorun.ar VBS script virus! F:\GSPI410.vbs [uSER] NT AUTHORITY\SYSTEM [iNFO] No right to access the file. 4/14/2009,13:08:25 [WARNING] Contains recognition pattern of the VBS/Autorun.ar VBS script virus! F:\GSPI412.vbs [uSER] NT AUTHORITY\SYSTEM [iNFO] No right to access the file. 4/14/2009,13:08:25 [WARNING] Contains recognition pattern of the HTML/Rce.Gen HTML script virus! C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20090414-130753-D2D8D7A5\AVSCAN-00000003.vbs [uSER] NT AUTHORITY\SYSTEM [iNFO] No right to access the file. 4/14/2009,13:08:24 [WARNING] Contains recognition pattern of the HTML/Rce.Gen HTML script virus! C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20090414-130753-D2D8D7A5\AVSCAN-00000002.vbs [uSER] NT AUTHORITY\SYSTEM [iNFO] No right to access the file.

I forgot to mention, I formatted the thumb drive after all this just to make sure.

Ok, I ended up doing 2 separate scans, one of the local hard disk and 250GB external, and then another scan for my 1GB thumb drive used during the reinstallation. I noticed that during the scan of the thumb drive, some notifications popped up (around 4 or 5) about some harmful vb scripts on the device. But, before I could fully read and react to them, the scan finished and what you see here is the log for that scan. ------------------------------------------------------------------------------------------------ Avira AntiVir Personal Report file date: Tuesday, April 14, 2009 11:02 Scanning for 1351911 virus strains and unwanted programs. Licensee : Avira AntiVir Personal - FREE Antivirus Serial number : 0000149996-ADJIE-0000001 Platform : Windows XP Windows version : (Service Pack 3) [5.1.2600] Boot mode : Normally booted Username : SYSTEM Computer name : DERRICK-LAPTOP Version information: BUILD.DAT : 9.0.0.387 17962 Bytes 3/24/2009 11:04:00 AVSCAN.EXE : 9.0.3.3 464641 Bytes 2/24/2009 19:13:26 AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 17:58:24 LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 18:35:49 LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 17:58:52 ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 19:30:36 ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 03:33:26 ANTIVIR2.VDF : 7.1.3.0 1330176 Bytes 4/1/2009 17:32:39 ANTIVIR3.VDF : 7.1.3.50 235008 Bytes 4/14/2009 17:32:43 Engineversion : 8.2.0.143 AEVDF.DLL : 8.1.1.0 106868 Bytes 1/28/2009 00:36:42 AESCRIPT.DLL : 8.1.1.75 373113 Bytes 4/14/2009 17:32:57 AESCN.DLL : 8.1.1.10 127348 Bytes 4/14/2009 17:32:56 AERDL.DLL : 8.1.1.3 438645 Bytes 10/30/2008 01:24:41 AEPACK.DLL : 8.1.3.12 397687 Bytes 4/14/2009 17:32:56 AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2/27/2009 03:01:56 AEHEUR.DLL : 8.1.0.116 1708407 Bytes 4/14/2009 17:32:54 AEHELP.DLL : 8.1.2.2 119158 Bytes 2/27/2009 03:01:56 AEGEN.DLL : 8.1.1.34 340340 Bytes 4/14/2009 17:32:46 AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 21:32:40 AECORE.DLL : 8.1.6.9 176500 Bytes 4/14/2009 17:32:44 AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 21:32:40 AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 15:47:59 AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 17:32:15 AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 21:34:28 AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 17:32:09 AVARKT.DLL : 9.0.0.1 292609 Bytes 2/9/2009 14:52:24 AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 17:37:08 SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 22:03:49 SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 15:21:33 NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 17:32:10 RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 2/9/2009 18:45:45 RCTEXT.DLL : 9.0.35.0 87297 Bytes 3/11/2009 22:55:12 Configuration settings for the scan: Jobname.............................: Complete system scan Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp Logging.............................: low Primary action......................: interactive Secondary action....................: ignore Scan master boot sector.............: on Scan boot sector....................: on Boot sectors........................: C:, D:, G:, Process scan........................: on Scan registry.......................: on Search for rootkits.................: on Integrity checking of system files..: off Scan all files......................: All files Scan archives.......................: on Recursion depth.....................: 20 Smart extensions....................: on Macro heuristic.....................: on File heuristic......................: medium Start of the scan: Tuesday, April 14, 2009 11:02 Starting search for hidden objects. '29803' objects were checked, '0' hidden objects were found. The scan of running processes will be started Scan process 'avscan.exe' - '1' Module(s) have been scanned Scan process 'avcenter.exe' - '1' Module(s) have been scanned Scan process 'avgnt.exe' - '1' Module(s) have been scanned Scan process 'sched.exe' - '1' Module(s) have been scanned Scan process 'avguard.exe' - '1' Module(s) have been scanned Scan process 'Dot1XCfg.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'firefox.exe' - '1' Module(s) have been scanned Scan process 'mantispm.exe' - '1' Module(s) have been scanned Scan process 'iFrmewrk.exe' - '1' Module(s) have been scanned Scan process 'ZCfgSvc.exe' - '1' Module(s) have been scanned Scan process 'zlclient.exe' - '0' Module(s) have been scanned Scan process 'alg.exe' - '1' Module(s) have been scanned Scan process 'RegSrvc.exe' - '1' Module(s) have been scanned Scan process 'spoolsv.exe' - '1' Module(s) have been scanned Scan process 'ScanningProcess.exe' - '0' Module(s) have been scanned Scan process 'vsmon.exe' - '0' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'WLKEEPER.exe' - '1' Module(s) have been scanned Scan process 'S24EvMon.exe' - '1' Module(s) have been scanned Scan process 'explorer.exe' - '1' Module(s) have been scanned Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned Scan process 'EvtEng.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned Scan process 'lsass.exe' - '1' Module(s) have been scanned Scan process 'services.exe' - '1' Module(s) have been scanned Scan process 'winlogon.exe' - '1' Module(s) have been scanned Scan process 'csrss.exe' - '1' Module(s) have been scanned Scan process 'smss.exe' - '1' Module(s) have been scanned 30 processes with 30 modules were scanned Starting master boot sector scan: Start scanning boot sectors: Starting to scan executable files (registry). The registry was scanned ( '46' files ). Starting the file scan: Begin scan in 'C:\' C:\hiberfil.sys [WARNING] The file could not be opened! [NOTE] This file is a Windows system file. [NOTE] This file cannot be opened for scanning. C:\pagefile.sys [WARNING] The file could not be opened! [NOTE] This file is a Windows system file. [NOTE] This file cannot be opened for scanning. C:\Program Files\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A91000000001}\Data1.cab [0] Archive type: CAB (Microsoft) --> usa03.ths [WARNING] The file could not be written! --> MinionPro_Bold.otf [WARNING] No further files can be extracted from this archive. The archive will be closed [WARNING] No further files can be extracted from this archive. The archive will be closed C:\Site Downloads\zaSuiteSetup_80_298_035_en.exe [0] Archive type: ZIP SFX (self extracting) --> SWITCHUNINST_44ZONE LABS.EXE [1] Archive type: RSRC --> WINDOWS6.0-KB929547-V2-X64.MSU [1] Archive type: CAB (Microsoft) --> Windows6.0-KB929547-v2-x64.cab [WARNING] No further files can be extracted from this archive. The archive will be closed Begin scan in 'D:\' Search path D:\ could not be opened! System error [1005]: The volume does not contain a recognized file system. Begin scan in 'G:\' <DaeDaeK (250GB)> End of the scan: Tuesday, April 14, 2009 11:42 Used time: 40:00 Minute(s) The scan has been done completely. 2393 Scanned directories 183348 Files were scanned 0 Viruses and/or unwanted programs were found 0 Files were classified as suspicious 0 files were deleted 0 Viruses and unwanted programs were repaired 0 Files were moved to quarantine 0 Files were renamed 2 Files cannot be scanned 183346 Files not concerned 1011 Archives were scanned 6 Warnings 2 Notes 29803 Objects were scanned with rootkit scan 0 Hidden objects were found ------------------------------------------------------------------------------------------------ Avira AntiVir Personal Report file date: Tuesday, April 14, 2009 12:39 Scanning for 1351911 virus strains and unwanted programs. Licensee : Avira AntiVir Personal - FREE Antivirus Serial number : 0000149996-ADJIE-0000001 Platform : Windows XP Windows version : (Service Pack 3) [5.1.2600] Boot mode : Normally booted Username : Derrick Computer name : DERRICK-LAPTOP Version information: BUILD.DAT : 9.0.0.387 17962 Bytes 3/24/2009 11:04:00 AVSCAN.EXE : 9.0.3.3 464641 Bytes 2/24/2009 19:13:26 AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 17:58:24 LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 18:35:49 LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 17:58:52 ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 19:30:36 ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 03:33:26 ANTIVIR2.VDF : 7.1.3.0 1330176 Bytes 4/1/2009 17:32:39 ANTIVIR3.VDF : 7.1.3.50 235008 Bytes 4/14/2009 17:32:43 Engineversion : 8.2.0.143 AEVDF.DLL : 8.1.1.0 106868 Bytes 1/28/2009 00:36:42 AESCRIPT.DLL : 8.1.1.75 373113 Bytes 4/14/2009 17:32:57 AESCN.DLL : 8.1.1.10 127348 Bytes 4/14/2009 17:32:56 AERDL.DLL : 8.1.1.3 438645 Bytes 10/30/2008 01:24:41 AEPACK.DLL : 8.1.3.12 397687 Bytes 4/14/2009 17:32:56 AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2/27/2009 03:01:56 AEHEUR.DLL : 8.1.0.116 1708407 Bytes 4/14/2009 17:32:54 AEHELP.DLL : 8.1.2.2 119158 Bytes 2/27/2009 03:01:56 AEGEN.DLL : 8.1.1.34 340340 Bytes 4/14/2009 17:32:46 AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 21:32:40 AECORE.DLL : 8.1.6.9 176500 Bytes 4/14/2009 17:32:44 AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 21:32:40 AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 15:47:59 AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 17:32:15 AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 21:34:28 AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 17:32:09 AVARKT.DLL : 9.0.0.1 292609 Bytes 2/9/2009 14:52:24 AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 17:37:08 SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 22:03:49 SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 15:21:33 NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 17:32:10 RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 2/9/2009 18:45:45 RCTEXT.DLL : 9.0.35.0 87297 Bytes 3/11/2009 22:55:12 Configuration settings for the scan: Jobname.............................: Removable Drives Configuration file..................: c:\program files\avira\antivir desktop\rmdiscs.avp Logging.............................: low Primary action......................: interactive Secondary action....................: ignore Scan master boot sector.............: on Scan boot sector....................: on Boot sectors........................: F:, E:, Process scan........................: on Scan registry.......................: on Search for rootkits.................: off Integrity checking of system files..: off Scan all files......................: Intelligent file selection Scan archives.......................: on Recursion depth.....................: 20 Smart extensions....................: on Macro heuristic.....................: on File heuristic......................: medium Start of the scan: Tuesday, April 14, 2009 12:39 The scan of running processes will be started Scan process 'avscan.exe' - '1' Module(s) have been scanned Scan process 'avcenter.exe' - '1' Module(s) have been scanned Scan process 'avgnt.exe' - '1' Module(s) have been scanned Scan process 'sched.exe' - '1' Module(s) have been scanned Scan process 'avguard.exe' - '1' Module(s) have been scanned Scan process 'Dot1XCfg.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'firefox.exe' - '1' Module(s) have been scanned Scan process 'mantispm.exe' - '1' Module(s) have been scanned Scan process 'iFrmewrk.exe' - '1' Module(s) have been scanned Scan process 'ZCfgSvc.exe' - '1' Module(s) have been scanned Scan process 'zlclient.exe' - '0' Module(s) have been scanned Scan process 'alg.exe' - '1' Module(s) have been scanned Scan process 'RegSrvc.exe' - '1' Module(s) have been scanned Scan process 'spoolsv.exe' - '1' Module(s) have been scanned Scan process 'ScanningProcess.exe' - '0' Module(s) have been scanned Scan process 'vsmon.exe' - '0' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'WLKEEPER.exe' - '1' Module(s) have been scanned Scan process 'S24EvMon.exe' - '1' Module(s) have been scanned Scan process 'explorer.exe' - '1' Module(s) have been scanned Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned Scan process 'EvtEng.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned Scan process 'lsass.exe' - '1' Module(s) have been scanned Scan process 'services.exe' - '1' Module(s) have been scanned Scan process 'winlogon.exe' - '1' Module(s) have been scanned Scan process 'csrss.exe' - '1' Module(s) have been scanned Scan process 'smss.exe' - '1' Module(s) have been scanned 30 processes with 30 modules were scanned Starting master boot sector scan: Start scanning boot sectors: Starting to scan executable files (registry). The registry was scanned ( '46' files ). Starting the file scan: Begin scan in 'F:\' <DAEDAEK_1GB> F:\zlsSetup_80_298_000_en.exe [0] Archive type: ZIP SFX (self extracting) --> SWITCHUNINST_44ZONE LABS.EXE [1] Archive type: RSRC --> WINDOWS6.0-KB929547-V2-X64.MSU [1] Archive type: CAB (Microsoft) --> Windows6.0-KB929547-v2-x64.cab [WARNING] No further files can be extracted from this archive. The archive will be closed Begin scan in 'E:\' <TheFrozenThrone> End of the scan: Tuesday, April 14, 2009 12:41 Used time: 01:42 Minute(s) The scan has been done completely. 15 Scanned directories 11976 Files were scanned 0 Viruses and/or unwanted programs were found 0 Files were classified as suspicious 0 files were deleted 0 Viruses and unwanted programs were repaired 0 Files were moved to quarantine 0 Files were renamed 0 Files cannot be scanned 11976 Files not concerned 77 Archives were scanned 1 Warnings 0 Notes ------------------------------------------------------------------------------------------------ Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 1:18:53 PM, on 4/14/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe C:\Program Files\Avira\AntiVir Desktop\avguard.exe C:\Program Files\Avira\AntiVir Desktop\sched.exe C:\Program Files\Avira\AntiVir Desktop\avgnt.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = GSPI O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\GSPI412.vbs O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [uIUCU] C:\DOCUME~1\Derrick\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min O4 - HKLM\..\RunServices: [MSConfig] C:\WINDOWS\GSPI412.vbs O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe -- End of file - 3988 bytes

After being unable to get rid of a Hijack.Regedit infection detected by Malwarebytes' Anti-Malware, I decided to do a full format and reinstallation of Windows XP on my Dell laptop. After preparing some essential drivers and a free trial of zonealarm, I reinstalled Windows, the drivers, and zonealarm before physically connecting to the internet to download from Windows Update and upgrade to service pack 3. Then, after running a scan with Malwarebytes' Anti-Malware, the same single Hijack.Regedit infection showed up again. I forgot to update the database though, and after I did this, the problem no longer shows up on the scans. I was told by an admin that I should still post a log because it shouldn't have shown up in the first place. Originally, this was in the log file before I updated (from what I remember): HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> No action taken. The log files below are after the update to Malwarebytes' Anti-Malware. ----------------------------------------------------------- Malwarebytes' Anti-Malware 1.36 Database version: 1978 Windows 5.1.2600 Service Pack 3 4/13/2009 3:35:35 PM mbam-log-2009-04-13 (15-35-35).txt Scan type: Full Scan (C:\|) Objects scanned: 85238 Time elapsed: 27 minute(s), 53 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) ----------------------------------------------------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 3:39:41 PM, on 4/13/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = GSPI O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\GSPI412.vbs O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [uIUCU] C:\DOCUME~1\Derrick\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\RunServices: [MSConfig] C:\WINDOWS\GSPI412.vbs O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe -- End of file - 3546 bytes

I just realized that I forgot to "update" the database for Malwarebytes' Anti-Malware once I finished installing it. I updated it just now, and when I do a scan, it says that my system is clean and Hijack.Regedit no longer appears in the list. Is this to be expected after updating, or should I still post logs in the log forum?

After going through a long period of time without formatting, my laptop finally succumbed to some nasty malware to the point where it was becoming way too difficult and time consuming to manually install software and pin point the exact causes. Naturally, i did a complete format and reinstallation of WinXP on my Dell laptop. I prepared the essential drivers and a free trial of zonealarm before doing so. After reinstalling Windows, I installed the drivers for my ethernet and zonealarm before physically connecting to the internet. After that, I ran Windows update and got all the latest security fixes and service pack 3 etc. Now, after installing some other productivity software, and seeing that my system was running smoothly, i decided to run Malwarebytes Anti-Malware just to confirm that everything is fine, only to come up with the exact same problem I had before the format, which is Hijack.Regedit. This is the single thing I could not remove prior to the format and now it exists on my system once again. Can someone please explain to me exactly what this is/does and how i can remove/prevent it? Malwarebytes' Anti-Malware 1.36Database version: 1945Windows 5.1.2600 Service Pack 3 4/13/2009 12:24:22 PMmbam-log-2009-04-13 (12-24-15).txt Scan type: Quick ScanObjects scanned: 58522Time elapsed: 5 minute(s), 11 second(s) Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 1Folders Infected: 0Files Infected: 0 Memory Processes Infected:(No malicious items detected) Memory Modules Infected:(No malicious items detected) Registry Keys Infected:(No malicious items detected) Registry Values Infected:(No malicious items detected) Registry Data Items Infected:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> No action taken. Folders Infected:(No malicious items detected) Files Infected:(No malicious items detected)