How to remove this virus/trojan DR/Delphi.Gen - Dropper ?

Dear Sir/Madam,

Got this annoying virus/trojan ( contains recognition pattern of the DR/Delphi.Gen - Dropper located at c:\WINDOWS\Temp\xxxx.tmp\svchost.exe. on my computer.

Cant seem to get rid of it. My Avira antivirus keeps popping a window reminder.
Using WINDOWS XP SP3.

Can anyone help me please ? :-(

Below I've pasted the log file report :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:50:43 AM, on 12/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Documents and Settings\user\Application Data\Dropbox\bin\Dropbox.exe
C:\WINDOWS\system32\OSK.exe
C:\WINDOWS\system32\MSSWCHX.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Avira\AntiVir Desktop\avwsc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60341
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60341
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60341
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60341
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60341
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.rd.yahoo.com/customize/ycomp/defaults/su/*http://my.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll
O2 - BHO: ALPassHelper Class - {00533B73-E574-46E9-B06A-FDF4592E67CB} - C:\Program Files\ESTsoft\ALPass\ApsHelper14.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - Startup: Dropbox.lnk = C:\Documents and Settings\user\Application Data\Dropbox\bin\Dropbox.exe
O8 - Extra context menu item: Scan link by Dr.Web - http://www.drweb.com/online/drweb-online-en.html
O9 - Extra button: ALPass - {572E3910-4764-4E88-8929-176B2B192FF7} - C:\Program Files\ESTsoft\ALPass\ALPass.exe
O9 - Extra 'Tools' menuitem: ALPass - {572E3910-4764-4E88-8929-176B2B192FF7} - C:\Program Files\ESTsoft\ALPass\ALPass.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{56ABC468-3CBF-40DE-AF55-7354622D0632}: NameServer = 202.188.0.133,202.188.1.5
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 5956 bytes

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here
  
• Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

• Click on Yes, to continue scanning for malware.
  
• When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.
  

[b]Dear Sir/Madam,

I've followed all your instructions.Here is the C:\ComboFix.txt report as requested by you.Thanks.

ComboFix 09-12-06.09 - user 12/07/2009 17:32.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1676 [GMT 8:00]
Running from: c:\documents and settings\user\desktop\commy.exe
Command switches used :: /stepdel
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\Search Settings
c:\program files\Search Settings\kb127\SearchSettings.dll
c:\program files\Search Settings\kb127\SearchSettingsRes409.dll
c:\program files\Search Settings\SearchSettings.exe
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job

----- BITS: Possible infected sites -----

hxxp://rss-lenta-news.ru
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Legacy_SSHNAS
-------\Service_SSHNAS


((((((((((((((((((((((((( Files Created from 2009-11-07 to 2009-12-07 )))))))))))))))))))))))))))))))
.

2009-12-06 03:50 . 2009-12-06 03:50 -------- d-----w- c:\program files\Trend Micro
2009-12-05 08:45 . 2009-12-05 08:45 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE
2009-12-05 03:15 . 2009-12-05 03:15 152576 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-04 00:34 . 2009-12-05 02:25 -------- d-----w- c:\documents and settings\All Users\Application Data\16955531
2009-12-04 00:05 . 2008-04-14 00:12 26112 ----a-w- c:\windows\system32\stu2.exe
2009-12-03 10:48 . 2009-12-04 00:22 -------- d-----w- c:\program files\Enigma Software Group
2009-12-03 08:17 . 2009-12-03 08:17 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-12-03 07:15 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-12-03 07:14 . 2009-12-03 07:14 -------- d-----w- c:\program files\Windows Media Connect 2
2009-12-03 07:13 . 2009-12-03 07:13 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-12-03 07:13 . 2009-12-03 07:13 -------- d-----w- c:\windows\system32\LogFiles
2009-12-01 13:15 . 2009-12-05 03:12 79488 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-23 10:03 . 2009-11-23 10:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Systweak
2009-11-23 10:02 . 2009-11-23 10:53 -------- d-----w- c:\documents and settings\user\Application Data\Systweak
2009-11-23 10:01 . 2009-11-23 10:01 -------- d-----w- c:\documents and settings\All Users\Application Data\MyDefrag
2009-11-23 10:01 . 2009-11-23 10:55 -------- d-----w- c:\program files\Advanced System Optimizer 3
2009-11-22 07:28 . 2009-11-22 08:33 -------- d-----w- c:\program files\The KMPlayer
2009-11-17 05:05 . 2009-11-17 05:05 -------- d-----w- c:\program files\Pokie Magic Games
2009-11-10 02:48 . 2009-11-10 02:48 -------- d-----w- c:\program files\BigSoL3D 1.4
2009-11-10 00:19 . 2009-11-10 03:04 -------- d-----w- c:\program files\Big Solitaire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-07 09:38 . 2009-01-27 02:39 -------- d-----w- c:\documents and settings\user\Application Data\uTorrent
2009-12-07 09:37 . 2009-10-13 02:59 -------- d-----w- c:\documents and settings\user\Application Data\Dropbox
2009-12-07 08:21 . 2006-02-28 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-05 10:43 . 2009-12-05 03:02 55192 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-12-05 08:45 . 2008-11-26 02:07 20672 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-05 03:15 . 2008-12-02 10:51 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-05 03:07 . 2009-12-05 03:07 -------- d-----w- c:\documents and settings\user\Application Data\uniblue
2009-12-05 03:07 . 2009-12-04 10:39 -------- d-----w- c:\program files\Uniblue
2009-12-05 03:02 . 2009-12-05 03:02 -------- d-----w- c:\program files\Reference Assemblies
2009-12-05 00:39 . 2009-08-20 05:30 -------- d-----w- c:\program files\188OMS
2009-12-05 00:37 . 2009-09-28 09:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-12-05 00:37 . 2009-11-04 10:15 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-05 00:36 . 2009-07-12 07:40 -------- d-----w- c:\program files\TubeMaster++
2009-12-05 00:36 . 2009-09-28 03:46 -------- d-----w- c:\program files\URLSnooper2
2009-12-05 00:11 . 2009-12-04 10:50 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo
2009-12-04 10:51 . 2009-12-04 10:51 -------- d-----w- c:\documents and settings\LocalService\Application Data\iolo
2009-12-04 10:50 . 2009-12-04 10:50 74703 ----a-w- c:\windows\system32\mfc45.dll
2009-12-04 10:50 . 2009-12-04 10:50 -------- d-----w- c:\documents and settings\user\Application Data\iolo
2009-12-04 09:59 . 2009-10-18 01:12 -------- d-----w- c:\program files\CCleaner
2009-12-04 03:07 . 2008-10-18 09:00 -------- d-----w- c:\program files\Eraser
2009-12-01 03:43 . 2008-10-17 01:01 -------- d-----w- c:\program files\BitDefender
2009-12-01 03:42 . 2009-01-17 04:45 81984 ----a-w- c:\windows\system32\bdod.bin
2009-11-23 10:49 . 2009-10-26 07:19 -------- d-----w- c:\program files\123 Free Solitaire
2009-11-10 03:06 . 2009-08-02 09:04 -------- d-----w- c:\program files\BatchPhoto
2009-10-19 05:47 . 2009-10-12 05:30 -------- d-----w- c:\documents and settings\user\Application Data\IObit
2009-10-19 05:46 . 2009-08-10 04:52 -------- d-----w- c:\program files\MyDefrag v4.1.2
2009-10-19 05:46 . 2009-04-16 05:28 -------- d-----w- c:\program files\QuickMediaConverter
2009-10-19 05:46 . 2009-02-26 05:34 -------- d-----w- c:\documents and settings\user\Application Data\TeamViewer
2009-10-19 05:46 . 2008-10-17 02:36 -------- d-----w- c:\program files\ACD Systems
2009-10-15 06:42 . 2009-03-18 03:35 -------- d-----w- c:\program files\Java
2009-10-15 06:42 . 2009-10-15 06:42 -------- d-----w- c:\program files\Common Files\Java
2009-10-13 02:59 . 2009-10-13 02:59 89962 ----a-w- c:\documents and settings\user\Application Data\Dropbox\bin\Uninstall.exe
2009-10-12 05:30 . 2009-10-12 05:30 -------- d-----w- c:\program files\IObit
2009-10-09 01:18 . 2009-10-09 01:18 26805255 ----a-w- c:\documents and settings\user\Application Data\Dropbox\bin\Dropbox.exe
2009-10-08 21:18 . 2009-10-08 21:18 499712 ----a-w- c:\documents and settings\user\Application Data\Dropbox\bin\msvcp71.dll
2009-10-08 21:18 . 2009-10-08 21:18 348160 ----a-w- c:\documents and settings\user\Application Data\Dropbox\bin\msvcr71.dll
2009-10-08 21:18 . 2009-10-08 21:18 77824 ----a-w- c:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.3.dll
2009-09-28 03:49 . 2009-09-28 03:49 46 ----a-w- c:\windows\system32\DonationCoder_urlsnooper_InstallInfo.dat
2009-09-11 14:18 . 2006-02-28 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-04-10 06:13 . 2009-06-13 07:56 49664 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18 77824 ----a-w- c:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18 77824 ----a-w- c:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18 77824 ----a-w- c:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-11-05 289584]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-11-04 2334856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-05 149280]

c:\documents and settings\user\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\user\Application Data\Dropbox\bin\Dropbox.exe [2009-10-9 26805255]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sasnative32

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ovi Files Connector.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 3]
2009-11-04 09:00 2334856 ----a-w- c:\program files\IObit\Advanced SystemCare 3\AWC.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"YSearchProtection"=c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Persistence"=c:\windows\system32\igfxpers.exe
"Alcmtr"=ALCMTR.EXE
"SearchSettings"=c:\program files\Search Settings\SearchSettings.exe
"StormCodec_Helper"="c:\program files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe"
"IgfxTray"=c:\windows\system32\igfxtray.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Java\\jre1.6.0_06\\bin\\javaw.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Avira\\AntiVir Desktop\\avcenter.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/13/2009 12:15 PM 108289]
S2 Zwangi Service;Zwangi Service; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
------- Supplementary Scan -------
.
uStart Page = www.google.com/ig
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://my.rd.yahoo.com/customize/ycomp/defaults/su/*http://my.yahoo.com
IE: Scan link by Dr.Web - http://www.drweb.com/online/drweb-online-en.html
IE: {{572E3910-4764-4E88-8929-176B2B192FF7} - c:\program files\ESTsoft\ALPass\ALPass.exe
TCP: {56ABC468-3CBF-40DE-AF55-7354622D0632} = 202.188.0.133,202.188.1.5
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\ndjrflqz.default\
FF - prefs.js: browser.search.selectedEngine - MyStart Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.my/firefox
FF - prefs.js: keyword.URL - hxxp://mystart.incredimail.com/?loc=ff_address_bar_im2_test_v2&search=
FF - prefs.js: network.proxy.type - 1
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{E52BE12D-A44A-4F51-9DC1-34F37A488CC7} - (no file)
AddRemove-Eraser - c:\documents and settings\All Users\Application Data\{A25FEDC1-F6D7-440C-BCE2-B71F595F6646}\EraserSetup32.exe REMOVE=TRUE MODIFY=FALSE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-07 17:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1343024091-861567501-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)

[HKEY_USERS\S-1-5-21-1343024091-861567501-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5C2F93F1-092A-DBE9-1E93-4C3F69540152}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oadnhooejejeadpfdifmfaogopllog"=hex:64,61,6f,70,69,61,6b,6a,00,b0
"oapohbojofillgkkefgpebcpjolfjc"=hex:6a,61,6f,70,69,61,61,6c,69,69,6a,61,6a,62,
70,62,6b,6d,6d,6f,00,fd
"nabpfhhmjiokafgggjebcjbjelhm"=hex:6b,61,64,70,64,61,70,66,65,65,6e,63,61,70,
6b,65,6a,69,67,70,6b,69,00,00

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{44b19dae-af1e-499e-831c-6d57c0741daa}]
@Denied: (Full) (Everyone)
"Model"=dword:00000050
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):d8,b0,ac,f7,30,47,aa,dc,68,0d,60,34,a8,b3,f1,db,df,60,ac,86,89,
86,db,0d,c8,6b,31,a6,f2,f0,64,24,6a,34,d8,b9,0f,de,bd,2c,00,00,00,00,00,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2808)
c:\windows\system32\WININET.dll
c:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.3.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
.
**************************************************************************
.
Completion time: 2009-12-07 17:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-07 09:39

Pre-Run: 62,348,165,120 bytes free
Post-Run: 62,310,031,360 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - C5ED4724C23A06E116C35D510201F99C

Please download Malwarebytes Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Full Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  
• Please save the log to a location you will remember.
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the entire report in your next reply.
  

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Dear DragonMaster Jay,

The virus/trojan seem to been removed ( I think !).Did not get pop up alerts anymore. Do I need to continue and download Malwarebytes Anti-Malware ?

Yes, please.

Dear DragonMaster Jay,

Here's fhe MBAM log report.

Malwarebytes' Anti-Malware 1.42
Database version: 3289
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/9/2009 11:12:10 AM
mbam-log-2009-12-09 (11-12-10).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 136092
Time elapsed: 15 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\16955531 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)

Please run a free online scan with the ESET Online Scanner

• Tick the box next to YES, I accept the Terms of Use
  
• Click Start
  
• When asked, allow the ActiveX control to install
  
• Click Start
  
• Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  
• Click Scan (This scan can take several hours, so please be patient)
  
• Once the scan is completed, you may close the window
  
• Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  
• Copy and paste that log as a reply to this topic
  

Dear DragonMaster Jay,

Here's the EsetOnlineScanner log.txt report

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=08470ce3cdcafb45baee5bc5c410effc
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-12-10 03:02:24
# local_time=2009-12-10 11:02:24 (+0800, Malay Peninsula Standard Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1797 16775125 100 100 0 36043049 55680 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=32455
# found=0
# cleaned=0
# scan_time=1937

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Dear DragonMaster Jay,

Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
Avira AntiVir Personal - Free Antivirus
ESET Online Scanner v3
Avira updated!
``````````````````````````````
Anti-malware/Other Utilities Check:
Ad-Aware
HijackThis 2.0.2
CCleaner (remove only)
Eusing Free Registry Cleaner
Java(TM) 6 Update 17
Java(TM) 6 Update 6
Out of date Java installed!
Adobe Flash Player 10
``````````````````````````````
Process Check:
objlist.exe by Laurent
Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
Avira Antivir avguard.exe
``````````````````````````````
DNS Vulnerability Check:
Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)

`````````End of Log```````````

Please download the newest version of Java from Java.com.

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

==

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

Firewall

• Tallemu Online Armor: the free version is just as good as the premium. I have linked you to the free version.
  
• Comodo Firewall: the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by 40% increase. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
  
• PC Tools Firewall Plus: free and excellent firewall.

AntiSpyware

• SpywareBlaster
  SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here.
  
• Spybot - Search & Destroy.
  Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot).
  

NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Securing your computer

• Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  
• hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.
  

Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:

• Firefox may be downloaded from here: http://www.getfirefox.com
  
• Opera is available here: http://www.opera.com/download/
  

Thank you for choosing GeekPolice. Please see this page if you would like to leave feedback or contribute to our site. Do you have any more questions?

Dear Dragonmaster Jay,

i must install some of the software that you mentioned.
One small problem, Spyware Terminator causes my pc to hang. Should I try something else?

Yes, Spyware Terminator has that problem, and the developers refuse to fix it. Therefore, a different program, like Spybot S&D is recommended.

Dear Dragonmaster Jay,

Installed Super AntiSpyware. No real time protection,but it's ok. Just need to run it a few more times. Seems to work with Avira AV and doesn't hang my pc.

Very well.

Dear Dragonmaster Jay,

Thanks a lot for helping me get rid of the nasty stuff. Would recommend to others about Geekpolice.net. And btw, wishing you Merry Christmas & Happy New Year :-)

You as well, thanks.