Poprock b.exe virus, blocking McAfee & other anti-viral/malware progs

As many others apparently have, I've become infected with this nasty, nasty little virus. Unfortunately, I tried browsing the web for advice before finding this place, and I did a little tinkering myself before realizing what and how tenacious the problem was. I may have made things all screwy for you guys, because I'm apparently in way over my head... please bear with me, and thanks in advance for any help you can give!

When I tried using HijackThis, it started the scan but immediately shut down before writing a log file for me to save. It now blocks HijackThis as well; I double-click and it does absoƖute nothing. This is also happening with my web browser. Spybot S&D and MBAM both hang when I start them up; I'm sure they'd behave similarly if I renamed the files, as that seems to be a hallmark of this virus.

McAfee opens, and in fact may have some useful information; here's a copy of the registry modification log for the last day. I'm fairly certain that the lower entry is when I was infected.

9/30/2009 11:48:19 AM

Rule type: Registry
Process: C:\Program Files\Internet Explorer\iexplore.exe
Process description: Internet Explorer
Process publisher: Microsoft Corporation
Process version: 6.00.2900.5512 (xpsp.080413-2015) \S- 1-5-21-2952863008219731660-4116829282-1005\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{OE5CBF21-D1SF-11D0-8301-00AA005B4383} \CLSID\{OE5CBF21-D1SF-11D0-8301-00AA005B4383} \InProcServer32C:\WINDOWS\system32\shell32.dll

9/29/2009 7:18:11
Rule type: Registry
Process: C:\Documents and Settings\Administrator\Local Settings\Temp\b.exe \S- 1-5-21-2952863008219731660-4116829282-1005\Software\Microsoft\Windows\CurrentVersion\Run\PopRockC:\Documents and Settings\Administrator\Local Settings\Temp\b.exe

I already went into safe mode and deleted a.exe, b.exe, c.exe, d.exe, e.exe, and f.exe from the above directory (all were the same size, 147k, with the same creaton/modification date), and also the following from the registry:
HKEY_CURRENT_USER\SOFTWARE\NordBull
HKEY_CURRENT_USER\SOFTWARE\poprock
HKEY_CURRENT_USER\SOFTWARE\XML
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\poprock
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{OE5CBF21-D1SF-11D0-8301-00AA005B4383}
HKEY_CLASSES_ROOT\CLSID\{OE5CBF21-D1SF-11D0-8301-00AA005B4383}

According to another post I found regarding what appears to be the same virus, I should now be running SystemLook and reporting the results, but I'll wait on word from you guys before I accidentally screw myself further.

As I said, thanks in advance; I'm fairly stumped, and was contemplating whether to just format and get it over with.

Please download the current version of HijackThis from HERE

• Double click and run the installer.
  
• It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  
• After installing, you should get the user agreement, press accept and Hijack This will run.
  
• Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.
  

Done. It begins a scan, then closes without outputting anything. I try to start it up again, and it gives the error message "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item." I'm on an administrator account. I've tried renaming the HijackThis executable to winlogon.exe as suggested in this thread with no luck. Should I continue with the advice you've provided this other lost soul by running SystemLook?

Hello.
Thanks, I know where to look now.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
  
• Copy the content of the following codebox into the main textfield:
  

  Code:

  
:filefind
scecli.dll
netlogon.dll
eventlog.dll
cngaudit.dll

  
  
  
• Click the Look button to start the scan.
  
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  

Note: The log can also be found on your Desktop entitled SystemLook.txt

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 21:21 on 30/09/2009 by Jesse Cohen (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.dll"
C:\WINDOWS\system32\scecli.dll --a--- 181248 bytes [16:16 25/04/2008] [12:00 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084

Searching for "netlogon.dll"
C:\WINDOWS\system32\netlogon.dll --a--- 407040 bytes [16:16 25/04/2008] [12:00 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550

Searching for "eventlog.dll"
C:\WINDOWS\system32\eventlog.dll --a--- 61952 bytes [16:16 25/04/2008] [12:00 14/04/2008] (Unable to calculate MD5)

Searching for "cngaudit.dll"
No files found.

-=End Of File=-

Already got the Avenger downloaded, if that turns out to be the next step.

Hello.
Yep, that's the next step.

1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\eventlog.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

2. Now, start The Avenger program by clicking on its icon on your desktop.

• Under "Input script here:", paste in the script from the quote box above.
  
• Leave the ticked box "Scan for rootkit" ticked.
  
• Then tick "Disable any rootkits found"
  
• Now click on the Execute to begin execution of the script.
  
• Answer "Yes" twice when prompted.
  
  The Avenger will automatically do the following:
  
  
• It will Restart your computer.
  
• On reboot, it will briefly open a black command window on your desktop, this is normal.
  
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  

3. Please copy/paste the content of c:\avenger.txt into your reply.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\eventlog.dll" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


So far this is exactly following the process of the other thread I've been referring to, so I'll go ahead and give you the next step as well, since it seems to be just a scan... and, as expected, HijackThis works now!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:17:30 AM, on 10/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AutoClickExtreme\AutoClicker.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Jesse Cohen\Desktop\winlogon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6090110
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6090110
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: AutoClicker.lnk = C:\Program Files\AutoClickExtreme\AutoClicker.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Filter: x-sdch - (no CLSID) - (no file)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 8049 bytes


These seem to me to be the most likely culprits:

O18 - Filter: x-sdch - (no CLSID) - (no file)
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: McAfee Scanner (McODS) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

Nowhere near certain though, for now I'll definitely just re-DL MBAM and wait on your say-so.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

Malwarebytes' Anti-Malware 1.41
Database version: 2886
Windows 5.1.2600 Service Pack 3

10/1/2009 1:30:24 PM
mbam-log-2009-10-01 (13-30-24).txt

Scan type: Quick Scan
Objects scanned: 107093
Time elapsed: 6 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\poprock (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jesse Cohen\Desktop\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Things seem to be working fine now, thanks so much for your help!

DDS (Ver_09-09-29.01) - NTFSx86
Run by Jesse Cohen at 21:49:53.82 on Thu 10/01/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.1711 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\AutoClickExtreme\AutoClicker.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jesse Cohen\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6090110
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - c:\progra~1\mcafee\msk\mcapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SecurDisc] c:\program files\nero\nero 7\incd\NBHGui.exe
mRun: [InCD] c:\program files\nero\nero 7\incd\InCD.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autocl~1.lnk - c:\program files\autoclickextreme\AutoClicker.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-10 201320]
R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2008-4-25 14336]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-1-10 358224]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-1-10 144704]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2009-1-10 84992]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-1-10 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-1-10 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-1-10 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-1-10 40488]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-1-10 30192]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-1-10 33832]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-22 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-22 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-6-18 23680]

=============== Created Last 30 ================

2009-10-01 13:53 --dsh--- c:\documents and settings\jesse cohen\PrivacIE
2009-10-01 13:53 --dsh--- c:\documents and settings\jesse cohen\IECompatCache
2009-10-01 13:44 --dsh--- c:\documents and settings\jesse cohen\IETldCache
2009-10-01 13:41 --d----- c:\windows\ie8updates
2009-10-01 13:39 -cd-h--- c:\windows\ie8
2009-10-01 13:37 100,352 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-10-01 13:37 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-10-01 13:37 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-10-01 13:21 --d----- c:\docume~1\jessec~1\applic~1\Malwarebytes
2009-10-01 13:21 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-01 13:21 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-01 13:21 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-01 13:21 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-30 18:18 --d----- c:\program files\Trend Micro
2009-09-30 11:35 43,520 a------- c:\windows\system32\fcachdll.dll
2009-09-30 11:35 23,040 a------- c:\windows\system32\regtrace.exe
2009-09-30 11:35 21,791 a------- c:\windows\system32\smtpctrs.ini
2009-09-30 11:35 12,288 a------- c:\windows\system32\smtpctrs.dll
2009-09-30 11:35 8,002 a------- c:\windows\system32\smtpctrs.h
2009-09-30 11:35 7,168 a------- c:\windows\system32\snprfdll.dll
2009-09-30 11:35 5,632 a------- c:\windows\system32\adsiisex.dll
2009-09-30 11:35 1,037 a------- c:\windows\system32\ntfsdrct.ini
2009-09-30 11:35 773 a------- c:\windows\system32\ntfsdrct.h
2009-09-30 11:34 --d----- c:\program files\MSN Gaming Zone
2009-09-30 09:16 26,112 ac------ c:\windows\system32\dllcache\EXCH_seos.dll
2009-09-30 09:16 12,288 ac------ c:\windows\system32\dllcache\EXCH_smtpctrs.dll
2009-09-30 09:16 7,168 ac------ c:\windows\system32\dllcache\EXCH_snprfdll.dll
2009-09-30 09:16 65,536 ac------ c:\windows\system32\dllcache\EXCH_mailmsg.dll
2009-09-30 09:16 57,856 ac------ c:\windows\system32\dllcache\EXCH_scripto.dll
2009-09-30 09:16 45,056 ac------ c:\windows\system32\dllcache\EXCH_aqadmin.dll
2009-09-30 09:16 43,520 ac------ c:\windows\system32\dllcache\EXCH_fcachdll.dll
2009-09-30 09:16 38,912 ac------ c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2009-09-30 09:16 23,040 ac------ c:\windows\system32\dllcache\EXCH_regtrace.exe
2009-09-30 09:16 5,632 ac------ c:\windows\system32\dllcache\EXCH_adsiisex.dll
2009-09-30 00:11 --d----- c:\windows\setupupd
2009-09-29 23:40 --d----- c:\windows\setup.pss
2009-09-29 23:06 --d----- c:\windows\system32\NtmsData
2009-09-26 10:12 151 a------- c:\windows\PhotoSnapViewer.INI
2009-09-12 16:48 153,088 -c------ c:\windows\system32\dllcache\triedit.dll

==================== Find3M ====================

2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll

============= FINISH: 21:50:19.90 ===============

Hello.

• Download combofix from here
  Link 1
  Link 2
  
  1. If you are using Firefox, make sure that your download settings are as follows:
  
  * Tools->Options->Main tab
  * Set to "Always ask me where to Save the files".
  
  2. During the download, rename Combofix to Combo-Fix as follows:
  
  
  
  
  
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  
  
• We need to disable your local AV (Anti-virus) before running Combofix.
  
• See HERE for how to disable your AV.
  
• Double click on ComboFix.exe.
  
• Follow the prompts. NOTE:
  
• ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  
  
  
• The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  
  
  
  
• Allow ComboFix to download the Recovery Console.
  
• Accept the End-User License Agreement.
  
• The Recovery Console will be installed.
  
• You will then get this next prompt that asks if you want to continue the malware scan, select yes
  
  
  
  
• Allow combofix to run
  
• Post C:\combofix.txt back here.
  
  Note:
  Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  

ComboFix 09-10-01.05 - Jesse Cohen 10/03/2009 20:10.1.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2705 [GMT -4:00]
Running from: c:\documents and settings\Jesse Cohen\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Cache

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2009-09-04 to 2009-10-04 )))))))))))))))))))))))))))))))
.

2009-10-01 17:53 . 2009-10-01 17:53 -------- d-sh--w- c:\documents and settings\Jesse Cohen\PrivacIE
2009-10-01 17:53 . 2009-10-01 17:53 -------- d-sh--w- c:\documents and settings\Jesse Cohen\IECompatCache
2009-10-01 17:44 . 2009-10-01 17:44 -------- d-sh--w- c:\documents and settings\Jesse Cohen\IETldCache
2009-10-01 17:44 . 2009-10-01 17:44 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-01 17:41 . 2009-10-01 17:41 -------- d-----w- c:\windows\ie8updates
2009-10-01 17:39 . 2009-10-01 17:41 -------- dc-h--w- c:\windows\ie8
2009-10-01 17:37 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-10-01 17:37 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-10-01 17:37 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-01 17:21 . 2009-10-01 17:21 -------- d-----w- c:\documents and settings\Jesse Cohen\Application Data\Malwarebytes
2009-10-01 17:21 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-01 17:21 . 2009-10-01 17:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-01 17:21 . 2009-10-01 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-01 17:21 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-30 22:18 . 2009-10-01 12:59 -------- d-----w- c:\program files\Trend Micro
2009-09-30 15:35 . 2001-08-18 02:36 23040 ----a-w- c:\windows\system32\regtrace.exe
2009-09-30 15:35 . 2001-08-18 02:36 7168 ----a-w- c:\windows\system32\snprfdll.dll
2009-09-30 15:35 . 2001-08-18 02:36 12288 ----a-w- c:\windows\system32\smtpctrs.dll
2009-09-30 15:35 . 2001-08-18 02:36 43520 ----a-w- c:\windows\system32\fcachdll.dll
2009-09-30 15:35 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\adsiisex.dll
2009-09-30 13:24 . 2009-09-30 14:17 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-09-30 13:16 . 2001-08-18 02:36 7168 -c--a-w- c:\windows\system32\dllcache\EXCH_snprfdll.dll
2009-09-30 13:16 . 2001-08-18 02:36 12288 -c--a-w- c:\windows\system32\dllcache\EXCH_smtpctrs.dll
2009-09-30 13:16 . 2001-08-18 02:36 26112 -c--a-w- c:\windows\system32\dllcache\EXCH_seos.dll
2009-09-30 13:16 . 2001-08-18 02:36 23040 -c--a-w- c:\windows\system32\dllcache\EXCH_regtrace.exe
2009-09-30 13:16 . 2001-08-18 02:36 57856 -c--a-w- c:\windows\system32\dllcache\EXCH_scripto.dll
2009-09-30 13:16 . 2001-08-18 02:36 38912 -c--a-w- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2009-09-30 13:16 . 2001-08-18 02:36 65536 -c--a-w- c:\windows\system32\dllcache\EXCH_mailmsg.dll
2009-09-30 13:16 . 2001-08-18 02:36 43520 -c--a-w- c:\windows\system32\dllcache\EXCH_fcachdll.dll
2009-09-30 13:16 . 2001-08-18 02:36 5632 -c--a-w- c:\windows\system32\dllcache\EXCH_adsiisex.dll
2009-09-30 13:16 . 2001-08-18 02:36 45056 -c--a-w- c:\windows\system32\dllcache\EXCH_aqadmin.dll
2009-09-30 03:06 . 2009-09-30 03:08 -------- d-----w- c:\windows\system32\NtmsData
2009-09-12 20:48 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-03 16:17 . 2009-08-23 13:44 -------- d-----w- c:\program files\AutoClickExtreme
2009-09-30 03:08 . 2009-01-26 21:26 -------- d-----w- c:\documents and settings\Jesse Cohen\Application Data\uTorrent
2009-08-18 13:54 . 2009-01-10 21:45 22992 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 23:24 . 2008-04-25 21:27 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2008-04-25 21:27 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2008-10-16 20:09 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2008-04-25 21:27 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2008-04-25 21:27 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2008-04-25 16:16 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2008-04-25 21:27 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2008-04-25 21:27 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 20:07 . 2009-01-10 21:31 -------- d-----w- c:\program files\Java
2009-08-05 09:01 . 2008-04-25 16:16 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-25 09:23 . 2009-01-26 17:58 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2008-04-25 16:16 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2008-04-25 16:16 286208 ----a-w- c:\windows\system32\wmpdxm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-10 39408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-01-10 30192]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-10-04 206064]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-04-22 37888]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-06-25 1629480]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-06-25 1057064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-07-17 16132608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoClicker.lnk - c:\program files\AutoClickExtreme\AutoClicker.exe [2009-8-23 1892352]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-01-10 21:41 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\MM2k\\MudMaster.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [1/10/2009 7:20 PM 84992]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [1/10/2009 5:37 PM 30192]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/22/2008 12:49 AM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/22/2008 12:49 AM 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [6/18/2007 9:18 PM 23680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-01 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-10 19:32]

2009-10-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-10 19:32]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
.
- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - c:\documents and settings\Jesse Cohen\Desktop\HijackThis.exe
AddRemove-SearchAssist - c:\dell\SearchAssist\UninstSA.bat



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-03 20:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(884)
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(3704)
c:\windows\system32\WININET.dll
c:\program files\AutoClickExtreme\auxiliar.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\windows\system32\tcpsvcs.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-10-04 20:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-04 00:20

Pre-Run: 224,498,122,752 bytes free
Post-Run: 225,949,573,120 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[Boot Loader]
Timeout=2
Default=c:\$win_nt$.~bt\BOOTSECT.DAT
[Operating Systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
c:\$win_nt$.~bt\BOOTSECT.DAT="Microsoft Windows XP Professional Setup"

222 --- E O F --- 2009-09-21 14:29

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?

Hmm... I tried that, but didn't think to disable McAfee beforehand, and I'm getting tons of error messages. First, McAfee popped up a Potentially Unwanted Program alert: name Tool-NirCmd, location C:\32788P22FWJFW\n.pif. Then I got repetitive error messages saying that I didn't have access to the specified file name or path, and finally a message from ComboFix saying that the contents of ComboFix may have been compromised, and I may be infected with a file patching virus "Virut". Hopefully this is just because I forgot to disable McAfee, and I should disable it and repeat this last step...? Or is this virus actually still around?

I'm afraid I have bad news.

Your system is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. As of now, security experts suggest that a format and clean install, or destructive recovery if you have an OEM recovery partition, is the best way to clean the infection and it is the best and safest way to return the machine to its normal working state.

Backup all your documents and important items (personal data, work documents, etc) only. DO NOT backup any executable files (softwares) and screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

Also, avoid backing up compressed files (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

Recent variants also modify htm, html, asp and php files.

Do not back up to another machine, as it may become compromised. Burn to DVD/CD, or to an external drive which has nothing else on it, and which you can format should it happen to become infected from the backups.


For more information, please see Here

Instructions how to format and reinstall Windows can be found Here

Gah. I didn't notice this reply for several days, and was starting to wonder what the deal was. I think I'd rather have had no reply, no offense to you; this is definitely not welcome news. Oh well, before I get on with the business of backing-up and reformatting, a few more questions for you...

• I'm assuming that if I don't know what an OEM recovery partition is, it doesn't apply to me. Is this correct, that I probably don't have one and can't take advantage of this option?
  
  
• I have another computer connected to this one via LAN, and before I realized what I was dealing with I copied several directories over for backup. I expect the executable files in those directories were compromised; is it possible for them to have had any effect on the other computer, if they were merely stored on that computer & never accessed?
  
  
• I have some older programs that I'll have extreme difficulty finding to re-install. Is there a way to check and possibly disinfect only these? nȯne of them are integral to system function, mainly just games in fact, but I'd be disappointed to lose them forever.
  
  
• On the same note, is it possible for the virus to infect anything else besides .exe and .scr files? The blog page you directed me to suggested that HTML and PHP files could be compromised, but were quite easy to clean; have mine already been cleaned, or should I avoid backing those up as well?
  
  
• You also mentioned archives; are all archives vulnerable, or merely the executable files within those archives? Will any archive with an executable file be compromised in itself, or will deleting the executables within my archives help?
  
  
• Is there any potential for this virus to replicate in document files, mp3s, videos, saved game files, etc., and if so do I have any recourse for them?

Again, thanks for all your help; despite the end result being slightly less than ideal, I really appreciate it.

Hello.

I'll try to answer your quests now.

I'm assuming that if I don't know what an OEM recovery partition is, it doesn't apply to me. Is this correct, that I probably don't have one and can't take advantage of this option?

Not really, depends who the machine was made by, was/is it Dell?

I have another computer connected to this one via LAN, and before I realized what I was dealing with I copied several directories over for backup. I expect the executable files in those directories were compromised; is it possible for them to have had any effect on the other computer, if they were merely stored on that computer & never accessed?

The files will be compromised, but as long as you haven't run them, they wont effect your other machine.

I have some older programs that I'll have extreme difficulty finding to re-install. Is there a way to check and possibly disinfect only these? nȯne of them are integral to system function, mainly just games in fact, but I'd be disappointed to lose them forever.

There is a way we can do online scans and see what the scanners report, but that depends if the scanner see anything. If they are infect, they CANNOT be cleaned, Virut is an extremely buggy piece of malware.

On the same note, is it possible for the virus to infect anything else besides .exe and .scr files? The blog page you directed me to suggested that HTML and PHP files could be compromised, but were quite easy to clean; have mine already been cleaned, or should I avoid backing those up as well?

If you have edited your php/html files to remove any code you didn't put there, then they should be okay.

You also mentioned archives; are all archives vulnerable, or merely the executable files within those archives? Will any archive with an executable file be compromised in itself, or will deleting the executables within my archives help?

The exe file INSIDE the archive is infected, but the archive file itself (.zip/.rar) are okay.

Is there any potential for this virus to replicate in document files, mp3s, videos, saved game files, etc., and if so do I have any recourse for them?

Yes, if you run a patched file, it will re-infect your machine again, many experts now suggest that you drop everything and make a fresh start, because as I said above, it will just spread like wild fire if it returns again.

I'm assuming that if I don't know what an OEM recovery partition is, it doesn't apply to me. Is this correct, that I probably don't have one and can't take advantage of this option?

Not really, depends who the machine was made by, was/is it Dell?

Yep, it's a Dell Inspiron 530.

I have some older programs that I'll have extreme difficulty finding to re-install. Is there a way to check and possibly disinfect only these? nȯne of them are integral to system function, mainly just games in fact, but I'd be disappointed to lose them forever.

There is a way we can do online scans and see what the scanners report, but that depends if the scanner see anything. If they are infect, they CANNOT be cleaned, Virut is an extremely buggy piece of malware.

Think you could direct me towards those online scanners? I'd like to save what I can of my older programs, if possible.

Is there any potential for this virus to replicate in document files, mp3s, videos, saved game files, etc., and if so do I have any recourse for them?

Yes, if you run a patched file, it will re-infect your machine again, many experts now suggest that you drop everything and make a fresh start, because as I said above, it will just spread like wild fire if it returns again.

I think either you misunderstood this last question, or I misunderstood your answer... I was asking about data files such as documents, spreadsheets, mp3s, videos, saved games, etc. These aren't runnable per se, they're opened by programs, so they should be safe as I understand it. Just trying to confirm that the programs themselves can be, and probably are, compromised - but a file that I've opened with a compromised program isn't ruined and can be safely backed up.

Yep, it's a Dell Inspiron 530.

Hopefully, it MIGHT have a recovery partition, we'll check soon.

Think you could direct me towards those online scanners? I'd like to save what I can of my older programs, if possible.

www.virustotal.com
www.virscan.org
www.virusscan.jotti.org/en

I think either you misunderstood this last question, or I misunderstood your answer... I was asking about data files such as documents, spreadsheets, mp3s, videos, saved games, etc. These aren't runnable per se, they're opened by programs, so they should be safe as I understand it. Just trying to confirm that the programs themselves can be, and probably are, compromised - but a file that I've opened with a compromised program isn't ruined and can be safely backed up.

I think there might have been a misunderstanding on both our behalfs, see this topic too:
http://evilfantasy.wordpress.com/2009/02/21/vitut-on-the-rise/

Virut is now spreading through mp3 files also (I know my speech needs updating!), and even though mp3 files are opened via WMP and not an executable file per se, but they can still trigger the infection all over again.

I've been reluctant to format, since as I said I have lots of files on here that aren't properly backed up and would be difficult to replace. Since your last post I've basically been biding my time to see if any more symptoms pop up, and haven't seen anything wrong. My virus scanners are working again; I scanned the computer with the MS Safety Scan, and it didn't find anything wrong; port 65520 is showing no activity; I've also been uploading files to the 3 scanning sites you provided, and nȯne of them have found anything in any of my files, aside from likely false positives (e.g. 2/41 virus-scanners showing a result that looks nothing like Virut). I've gotta say, for a virus that infects every file on the computer, this looks like a bit of a dud from where I'm sitting... Is it possible that ComboFix gave me a false positive?

It's possible it's a false positive, yes, but Combofix is widely trusted and your the person behind the screen, not me, I can't see what is happening personally.

Virut is a horrible infection, and weighing up the options of formatting or leave it, formatting would be the best option as leaving it lets the bad guys use your machine to spread the infection to other people, and if caught, YOU would be held responsible for it. That's why were here, to put a stop to that.

Ok. Do you think I can be at all confident about doing an online scan of the files that I'm most concerned about keeping? I'd be copying them to an external hard drive, then scanning them with the sites you recommended from another, uncompromised computer. I'm just leery of doing a full format and losing all my data if there's a good chance that I don't need to, and it seems very odd if ComboFix is the ONLY virus scanner out there that can find any trace of this virus. From all the information I've seen, the last release of this virus was in Feb 2009. Is it really likely that the 41 virus scanners virustotal.com runs, all updated within the last few days, are missing this while ComboFix catches it?

Virut can infect legit system files though, it's not every day that people upload their system files for a scan, or just run a regular scan with their AV either.

You can upload the files you want to keep and see if anything gets flagged, and if nȯne of the scanners say anything, you can keep them on an external hardrive as you wished.