Need a lot of help *Malware, trojans

I have somehow contracted a program called Malware Defense onto this pc. I realized it wasn't a legit Windows Security message and haven't clicked on anything but the X whenever a message pops up. It has popped up with multiple messages with different names for the virus.

One of them is :

Email-Worm.Win32.Netsky.q

I would appreciate ANY and all help you can provide.

Thanks.

another that just popped up is Rootkit.Win32.Agent.pp

and another.. Virus.Win32.Gpcode.ak

They all have Win32 in common apparently, but I'm still clueless as to how to get rid of it.

Please download the current version of HijackThis from HERE

• Double click and run the installer.
  
• It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  
• After installing, you should get the user agreement, press accept and Hijack This will run.
  
• Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.
  

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 2:03:20 PM, on 1/12/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Belkin\F5D7050v3\Belkinwcui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Curse\CurseClient.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\oracle\product\10.2.0\db_2\bin\nmesrvc.exe
C:\oracle\product\10.2.0\db_2\bin\isqlplussvc.exe
C:\oracle\product\10.2.0\db_2\BIN\TNSLSNR.exe
C:\oracle\product\10.2.0\db_2\jdk\bin\java.exe
C:\WINDOWS\system32\cmd.exe
C:\oracle\product\10.2.0\db_2\perl\5.8.3\bin\MSWin32-x86-multi-thread\perl.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\app\administrator\product\11.1.0\db_1\bin\ORACLE.EXE
c:\oracle\product\10.2.0\db_2\bin\ORACLE.EXE
C:\WINDOWS\system32\srvany.exe
C:\pvsw\bin\w3dbsmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\oracle\product\10.2.0\db_2\bin\emagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\DOCUME~1\Strayer\LOCALS~1\Temp\twunk_32x.exe
C:\WINDOWS\system32\spoolsv.exe
C:\DOCUME~1\Strayer\LOCALS~1\Temp\wscsvc32.exe
C:\Program Files\Malwarebytes' Anti-Malware\1X0sJ6BC2.exe
C:\oracle\product\10.2.0\db_2\jdk\bin\java.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\cmd.exe
C:\oracle\product\10.2.0\db_2\perl\5.8.3\bin\MSWin32-x86-multi-thread\perl.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.strayer.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.apple.com/quicktime/download
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PeachtreePrefetcher.exe] "C:\PROGRA~1\SAGESO~1\PEACHT~1\PeachtreePrefetcher.exe" /configfile:peachtreeprefetcher.winstart.config
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [F5D7050v3] C:\Program Files\Belkin\F5D7050v3\Belkinwcui.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent
O4 - HKCU\..\Run: [twunk_32x.exe] C:\DOCUME~1\Strayer\LOCALS~1\Temp\twunk_32x.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.myitlab.com
O15 - Trusted Zone: *.pearsoncmg.com
O15 - Trusted Zone: *.pearsoned.com
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196431917546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222409212781
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {CAFECAFE-0013-0001-0017-ABCDEFABCDEF} (JInitiator 1.3.1.17) - http://open01:8889/forms90/jinitiator/jinit.exe
O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) - http://waldrop1:8889/forms/jinitiator/jinit.exe
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: getPlus(R) Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: OracleDBConsoleorcl - Oracle Corporation - C:\app\Administrator\product\11.1.0\db_1\bin\nmesrvc.exe
O23 - Service: OracleDBConsoleorcl10g - Oracle Corporation - C:\oracle\product\10.2.0\db_2\bin\nmesrvc.exe
O23 - Service: OracleOraDb10g_home1iSQL*Plus - Oracle - C:\oracle\product\10.2.0\db_2\bin\isqlplussvc.exe
O23 - Service: OracleOraDb10g_home1TNSListener - Unknown owner - C:\oracle\product\10.2.0\db_2\BIN\TNSLSNR.exe
O23 - Service: OracleOraDb11g_home1TNSListener - Unknown owner - C:\app\Administrator\product\11.1.0\db_1\BIN\TNSLSNR.exe
O23 - Service: OracleServiceORCL - Oracle Corporation - c:\app\administrator\product\11.1.0\db_1\bin\ORACLE.EXE
O23 - Service: OracleServiceORCL10G - Oracle Corporation - c:\oracle\product\10.2.0\db_2\bin\ORACLE.EXE
O23 - Service: Pervasive.SQL Workgroup Engine - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 9279 bytes

malwarebytes is also running a scan right now. Not sure if I need it but it's in the process of scanning.

Hello.

• Open HijackThis
  
• Choose "Do a system scan only"
  
• Check the boxes in front of these lines:
  
  
  O4 - HKCU\..\Run: [twunk_32x.exe] C:\DOCUME~1\Strayer\LOCALS~1\Temp\twunk_32x.exe
  O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
  O16 - DPF: {CAFECAFE-0013-0001-0017-ABCDEFABCDEF} (JInitiator 1.3.1.17) - http://open01:8889/forms90/jinitiator/jinit.exe
  O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) - http://waldrop1:8889/forms/jinitiator/jinit.exe
  
  
  
• Press "Fix Checked"
  
• Close Hijack This.
  

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

the virus will not let me open malwarebytes on it's own. I had to search in another forum here and put the file inside the malware defense program file.

did I do the correct thing?

also, it is currently running a quick scan. will post log when complete

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

1/12/2010 2:19:08 PM
mbam-log-2010-01-12 (14-19-02).txt

Scan type: Quick Scan
Objects scanned: 133475
Time elapsed: 4 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 1
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\H8SRTlugbscmrmp.dll (Trojan.Vundo) -> No action taken.
C:\Program Files\Malware Defense\mdext.dll (Trojan.TDSS) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\malware defense (Rogue.MalwareDefense) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispAppearancePage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
C:\Program Files\malware Defense (Rogue.MalwareDefense) -> No action taken.

Files Infected:
\\?\globalroot\systemroot\system32\H8SRTlugbscmrmp.dll (Trojan.Vundo) -> No action taken.
C:\Program Files\Malware Defense\mdext.dll (Trojan.TDSS) -> No action taken.
C:\Documents and Settings\Strayer\Local Settings\Temp\dhdhtrdhdrtr5y (Rogue.Installer) -> No action taken.
C:\Documents and Settings\Strayer\Local Settings\Temp\Installer.exe (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\Strayer\Local Settings\Temp\twunk_32x.exe (Rogue.Installer) -> No action taken.
C:\Documents and Settings\Strayer\Local Settings\Temp\wscsvc32.exe (Trojan.FakeAlert) -> No action taken.
C:\Program Files\malware Defense\help.ico (Rogue.MalwareDefense) -> No action taken.
C:\Program Files\malware Defense\md.db (Rogue.MalwareDefense) -> No action taken.
C:\Program Files\malware Defense\mdefense.exe (Rogue.MalwareDefense) -> No action taken.
C:\Program Files\malware Defense\uninstall.exe (Rogue.MalwareDefense) -> No action taken.
C:\Documents and Settings\Strayer\Application Data\Microsoft\Internet Explorer\Quick Launch\Malware Defense.lnk (Rogue.MalwareDefense) -> No action taken.

pc just rebooted on it's own. Not sure if it was caused by virus or other programs.

I just had a commercial play in the background of everything. Could not find the program playing it but it was music and then a stand up comedian for about 4 seconds. I have no idea what is going on. Plus I got an error report from Internet Explorer. I am running Firefox currently. No idea why Internet Explorer was open or doing anything.

Hello.

• Download combofix from here
  Link 1
  Link 2
  
  1. If you are using Firefox, make sure that your download settings are as follows:
  
  * Tools->Options->Main tab
  * Set to "Always ask me where to Save the files".
  
  2. During the download, rename Combofix to Combo-Fix as follows:
  
  
  
  
  
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  
  
• We need to disable your local AV (Anti-virus) before running Combofix.
  
• See HERE for how to disable your AV.
  
• Double click on ComboFix.exe.
  
• Follow the prompts. NOTE:
  
• ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  
  
  
• The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  
  
  
  
• Allow ComboFix to download the Recovery Console.
  
• Accept the End-User License Agreement.
  
• The Recovery Console will be installed.
  
• You will then get this next prompt that asks if you want to continue the malware scan, select yes
  
  
  
  
• Allow combofix to run
  
• Post C:\combofix.txt back here.
  
  Note:
  Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  

ComboFix 10-01-12.04 - Strayer 01/12/2010 23:20:52.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.809 [GMT -5:00]
Running from: c:\documents and settings\Strayer\Desktop\Combo-Fix.exe
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Strayer\LOCALS~1\Temp\wscsvc32.exe
c:\program files\Malware Defense
c:\program files\Malware Defense\help.ico
c:\program files\Malware Defense\md.db
c:\program files\Malware Defense\mdefense.exe
c:\recycler\S-1-5-21-2241071901-2080643895-2114909736-1003
c:\recycler\S-1-5-21-2241071901-2080643895-2114909736-500
c:\recycler\S-1-5-21-2592140583-1678500112-2673196639-500
c:\recycler\S-1-5-21-3508839757-1073166688-2557083772-500
c:\recycler\S-1-5-21-3674948894-2878849263-117399594-500
c:\recycler\S-1-5-21-3872011150-2768187678-2623227235-1003
c:\recycler\S-1-5-21-3872011150-2768187678-2623227235-500
c:\recycler\S-1-5-21-46433314-4233858134-4085887433-500
c:\recycler\S-1-5-21-484763869-842925246-839522115-1003
c:\recycler\S-1-5-21-484763869-842925246-839522115-500
c:\recycler\S-1-5-21-539895279-4232515552-1172043451-500
c:\recycler\S-1-5-21-794496765-3326384110-2332003272-500
c:\recycler\S-1-5-21-908234824-2303208518-2485105053-500
c:\windows\EventSystem.log
c:\windows\system32\drivers\H8SRTworvomollg.sys
c:\windows\system32\H8SRTffcbeyjnbt.dll
c:\windows\system32\h8srtkrl32mainweq.dll
c:\windows\system32\H8SRTlugbscmrmp.dll
c:\windows\system32\H8SRTpncuktmvno.dll
c:\windows\system32\h8srtshsyst.dll
c:\windows\system32\H8SRTssbmgbaslu.dll
c:\windows\system32\H8SRTwtaejbilhs.dat
c:\windows\unins000.dat
c:\windows\unins000.exe
D:\AUTORUN.INF

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_H8SRTd.sys
-------\Legacy_H8SRTd.sys


((((((((((((((((((((((((( Files Created from 2009-12-13 to 2010-01-13 )))))))))))))))))))))))))))))))
.

2010-01-12 19:02 . 2010-01-12 19:02 -------- d-----w- c:\program files\TrendMicro
2010-01-12 18:29 . 2010-01-12 18:29 -------- d-----w- c:\documents and settings\Strayer\Application Data\Malwarebytes
2010-01-12 17:57 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-12 17:57 . 2010-01-12 18:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-12 17:57 . 2010-01-12 17:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-12 17:57 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-08 05:22 . 2008-04-14 10:41 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-01-08 05:22 . 2008-04-14 10:41 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-01-08 05:22 . 2008-04-14 05:15 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2010-01-08 05:22 . 2008-04-14 05:15 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2010-01-08 05:22 . 2008-04-14 05:15 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-01-08 05:22 . 2008-04-14 05:15 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-19 22:40 . 2009-08-02 00:06 -------- d-----w- c:\documents and settings\Strayer\Application Data\Ventrilo
2009-12-15 06:02 . 2007-11-30 18:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-13 17:57 . 2007-11-30 21:47 75552 ----a-w- c:\documents and settings\Strayer\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-13 17:49 . 2008-09-26 06:41 -------- d-----w- c:\program files\Microsoft Silverlight
2009-12-13 06:25 . 2007-11-30 17:39 -------- d-----w- c:\program files\Microsoft Works
2009-12-13 06:09 . 2007-11-30 18:19 -------- d-----w- c:\program files\Microsoft SQL Server
2009-10-29 07:46 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2009-10-21 05:38 . 2004-08-04 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
.

------- Sigcheck -------

[7] 2008-04-14 09:41 . CDDD4416B2B4C7295FE3FDB6DDE57E4E . 927504 . . [4.1.0.61] . . c:\windows\ServicePackFiles\i386\mfc40u.dll
[-] 2006-11-01 19:17 . 925F8B61ED301A317BA850EBEECBDAA0 . 927504 . . [4.1.0.61] . . c:\windows\$NtServicePackUninstall$\mfc40u.dll
[-] 2004-08-04 12:00 . DDF8D47ACF8FC3FE5F7F2B95C4D4D136 . 924432 . . [4.1.6140] . . c:\windows\$NtUninstallKB924667$\mfc40u.dll
[-] 2001-09-17 20:55 . CB324691BAC64E9D63078D95D2D4A22E . 924432 . . [4.1.6140] . . c:\windows\system32\mfc40u.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2009-06-08 1934336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-11-30 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"PeachtreePrefetcher.exe"="c:\progra~1\SAGESO~1\PEACHT~1\PeachtreePrefetcher.exe" [2007-08-29 32768]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-11-09 115560]
"F5D7050v3"="c:\program files\Belkin\F5D7050v3\Belkinwcui.exe" [2007-10-31 1654784]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoMovingBands"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\World of Warcraft\\Launcher.exe"=
"c:\\World of Warcraft\\Repair.exe"=
"c:\\World of Warcraft\\WoW-3.1.0.9767-to-3.1.1.9806-enUS-downloader.exe"=
"c:\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R2 OracleDBConsoleorcl10g;OracleDBConsoleorcl10g;c:\oracle\product\10.2.0\db_2\BIN\nmesrvc.exe [3/27/2009 12:35 PM 24064]
R2 OracleOraDb10g_home1TNSListener;OracleOraDb10g_home1TNSListener;c:\oracle\product\10.2.0\db_2\BIN\TNSLSNR --> c:\oracle\product\10.2.0\db_2\BIN\TNSLSNR [?]
R2 OracleOraDb11g_home1TNSListener;OracleOraDb11g_home1TNSListener;c:\app\Administrator\product\11.1.0\db_1\BIN\TNSLSNR --> c:\app\Administrator\product\11.1.0\db_1\BIN\TNSLSNR [?]
R2 OracleServiceORCL;OracleServiceORCL;c:\app\administrator\product\11.1.0\db_1\bin\ORACLE.EXE ORCL --> c:\app\administrator\product\11.1.0\db_1\bin\ORACLE.EXE ORCL [?]
R2 OracleServiceORCL10G;OracleServiceORCL10G;c:\oracle\product\10.2.0\db_2\bin\ORACLE.EXE ORCL10G --> c:\oracle\product\10.2.0\db_2\bin\ORACLE.EXE ORCL10G [?]
R2 Pervasive.SQL Workgroup Engine;Pervasive.SQL Workgroup Engine;c:\windows\system32\srvany.exe [11/30/2007 12:45 PM 8192]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/15/2009 1:10 AM 102448]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [5/29/2007 12:55 PM 23888]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 6:17 AM 2805000]
S4 OracleJobSchedulerORCL;OracleJobSchedulerORCL;c:\app\administrator\product\11.1.0\db_1\Bin\extjob.exe ORCL --> c:\app\administrator\product\11.1.0\db_1\Bin\extjob.exe ORCL [?]
S4 OracleJobSchedulerORCL10G;OracleJobSchedulerORCL10G;c:\oracle\product\10.2.0\db_2\Bin\extjob.exe ORCL10G --> c:\oracle\product\10.2.0\db_2\Bin\extjob.exe ORCL10G [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-01-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.strayer.edu/
uInternet Connection Wizard,ShellNext = hxxp://www.apple.com/quicktime/download
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: myitlab.com
Trusted Zone: pearsoncmg.com
Trusted Zone: pearsoned.com
FF - ProfilePath - c:\documents and settings\Strayer\Application Data\Mozilla\Firefox\Profiles\m9av23av.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJinit13117.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJinit13122.dll
FF - hȋdden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
.
------- File Associations -------
.
vbsfile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
jsefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)
SafeBoot-Symantec Antvirus
AddRemove-Malware Defense - c:\program files\Malware Defense\Uninstall.exe
AddRemove-MyITLab ActiveX Installer_is1 - c:\windows\unins000.exe
AddRemove-{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7} - c:\program files\NOS\bin\getPlus_HelperSvc.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-12 23:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOraDb10g_home1TNSListener]
"ImagePath"="c:\oracle\product\10.2.0\db_2\BIN\TNSLSNR "

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOraDb11g_home1TNSListener]
"ImagePath"="c:\app\Administrator\product\11.1.0\db_1\BIN\TNSLSNR "

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"="a"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1280)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(480)
c:\windows\system32\WININET.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\oracle\product\10.2.0\db_2\bin\isqlplussvc.exe
c:\oracle\product\10.2.0\db_2\BIN\TNSLSNR.exe
c:\oracle\product\10.2.0\db_2\jdk\bin\java.exe
c:\app\Administrator\product\11.1.0\db_1\BIN\TNSLSNR.exe
c:\app\administrator\product\11.1.0\db_1\bin\ORACLE.EXE
c:\oracle\product\10.2.0\db_2\perl\5.8.3\bin\MSWin32-x86-multi-thread\perl.exe
c:\oracle\product\10.2.0\db_2\jdk\bin\java.exe
c:\oracle\product\10.2.0\db_2\bin\ORACLE.EXE
c:\pvsw\bin\w3dbsmgr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\oracle\product\10.2.0\db_2\bin\emagent.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\program files\Java\jre1.6.0_07\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-01-13 00:04:41 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-13 05:04

Pre-Run: 13,672,460,288 bytes free
Post-Run: 14,236,696,576 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 3A346A1FE54B42D053EA753A8E02ADC1

To add to that, I received a notice from ComboFix telling me that it had to reboot the pc because rootkit activity was found.

Here are the names of the files:

C:\WINDOWS\system32\drivers\H8SRTworvomollg.sys
C:\WINDOWS\system32\H8SRTffcbeyjnbt.dll
C:\WINDOWS\system32\H8SRTwtaejbilhs.dat
C:\WINDOWS\system32\H8SRTpncuktmvno.dll
C:\WINDOWS\system32\H8SRTlugbscmrmp.dll
C:\WINDOWS\system32\H8SRTssbmgbaslu.dll

They are listed in the log file, but I was just making a side note that ComboFix mentioned them specifically.

After following the steps you put forward I decided to run Malwarebytes again to see if it would find anything else. Here is it's log:

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

1/13/2010 9:58:53 AM
mbam-log-2010-01-13 (09-58-47).txt

Scan type: Quick Scan
Objects scanned: 131509
Time elapsed: 7 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Malware Defense (Rogue.MalwareDefense) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Strayer\Application Data\Microsoft\Internet Explorer\Quick Launch\Malware Defense.lnk (Rogue.MalwareDefense) -> No action taken.




After it found these two infections, I deleted them through Malwarebytes and ran it again. Here is the third log:

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

1/13/2010 10:18:56 AM
mbam-log-2010-01-13 (10-18-56).txt

Scan type: Quick Scan
Objects scanned: 131547
Time elapsed: 8 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I then proceeded to run Combo-Fix.exe once more and here is it's log:

ComboFix 10-01-12.05 - Strayer 01/13/2010 10:25:25.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.642 [GMT -5:00]
Running from: c:\documents and settings\Strayer\Desktop\Combo-Fix.exe
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

((((((((((((((((((((((((( Files Created from 2009-12-13 to 2010-01-13 )))))))))))))))))))))))))))))))
.

2010-01-12 19:02 . 2010-01-12 19:02 388096 ----a-r- c:\documents and settings\Strayer\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-01-12 19:02 . 2010-01-12 19:02 -------- d-----w- c:\program files\TrendMicro
2010-01-12 18:29 . 2010-01-12 18:29 -------- d-----w- c:\documents and settings\Strayer\Application Data\Malwarebytes
2010-01-12 17:57 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-12 17:57 . 2010-01-12 18:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-12 17:57 . 2010-01-12 17:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-12 17:57 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-08 05:22 . 2008-04-14 10:41 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-01-08 05:22 . 2008-04-14 10:41 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-01-08 05:22 . 2008-04-14 05:15 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2010-01-08 05:22 . 2008-04-14 05:15 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2010-01-08 05:22 . 2008-04-14 05:15 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-01-08 05:22 . 2008-04-14 05:15 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-19 22:40 . 2009-08-02 00:06 -------- d-----w- c:\documents and settings\Strayer\Application Data\Ventrilo
2009-12-15 06:02 . 2007-11-30 18:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-13 17:57 . 2007-11-30 21:47 75552 ----a-w- c:\documents and settings\Strayer\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-13 17:49 . 2008-09-26 06:41 -------- d-----w- c:\program files\Microsoft Silverlight
2009-12-13 06:25 . 2007-11-30 17:39 -------- d-----w- c:\program files\Microsoft Works
2009-12-13 06:09 . 2007-11-30 18:19 -------- d-----w- c:\program files\Microsoft SQL Server
2009-10-29 07:46 . 2004-08-04 12:00 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2009-10-21 05:38 . 2004-08-04 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
.

------- Sigcheck -------

[7] 2008-04-14 09:41 . CDDD4416B2B4C7295FE3FDB6DDE57E4E . 927504 . . [4.1.0.61] . . c:\windows\ServicePackFiles\i386\mfc40u.dll
[-] 2006-11-01 19:17 . 925F8B61ED301A317BA850EBEECBDAA0 . 927504 . . [4.1.0.61] . . c:\windows\$NtServicePackUninstall$\mfc40u.dll
[-] 2004-08-04 12:00 . DDF8D47ACF8FC3FE5F7F2B95C4D4D136 . 924432 . . [4.1.6140] . . c:\windows\$NtUninstallKB924667$\mfc40u.dll
[-] 2001-09-17 20:55 . CB324691BAC64E9D63078D95D2D4A22E . 924432 . . [4.1.6140] . . c:\windows\system32\mfc40u.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2009-06-08 1934336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-11-30 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"PeachtreePrefetcher.exe"="c:\progra~1\SAGESO~1\PEACHT~1\PeachtreePrefetcher.exe" [2007-08-29 32768]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-11-09 115560]
"F5D7050v3"="c:\program files\Belkin\F5D7050v3\Belkinwcui.exe" [2007-10-31 1654784]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoMovingBands"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NavLogon]
[BU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\World of Warcraft\\Launcher.exe"=
"c:\\World of Warcraft\\Repair.exe"=
"c:\\World of Warcraft\\WoW-3.1.0.9767-to-3.1.1.9806-enUS-downloader.exe"=
"c:\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/15/2009 1:10 AM 102448]
S2 OracleDBConsoleorcl10g;OracleDBConsoleorcl10g;c:\oracle\product\10.2.0\db_2\BIN\nmesrvc.exe [3/27/2009 12:35 PM 24064]
S2 OracleOraDb10g_home1TNSListener;OracleOraDb10g_home1TNSListener;c:\oracle\product\10.2.0\db_2\BIN\TNSLSNR --> c:\oracle\product\10.2.0\db_2\BIN\TNSLSNR [?]
S2 OracleOraDb11g_home1TNSListener;OracleOraDb11g_home1TNSListener;c:\app\Administrator\product\11.1.0\db_1\BIN\TNSLSNR --> c:\app\Administrator\product\11.1.0\db_1\BIN\TNSLSNR [?]
S2 OracleServiceORCL;OracleServiceORCL;c:\app\administrator\product\11.1.0\db_1\bin\ORACLE.EXE ORCL --> c:\app\administrator\product\11.1.0\db_1\bin\ORACLE.EXE ORCL [?]
S2 OracleServiceORCL10G;OracleServiceORCL10G;c:\oracle\product\10.2.0\db_2\bin\ORACLE.EXE ORCL10G --> c:\oracle\product\10.2.0\db_2\bin\ORACLE.EXE ORCL10G [?]
S2 Pervasive.SQL Workgroup Engine;Pervasive.SQL Workgroup Engine;c:\windows\system32\srvany.exe [11/30/2007 12:45 PM 8192]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [5/29/2007 12:55 PM 23888]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 6:17 AM 2805000]
S4 OracleJobSchedulerORCL;OracleJobSchedulerORCL;c:\app\administrator\product\11.1.0\db_1\Bin\extjob.exe ORCL --> c:\app\administrator\product\11.1.0\db_1\Bin\extjob.exe ORCL [?]
S4 OracleJobSchedulerORCL10G;OracleJobSchedulerORCL10G;c:\oracle\product\10.2.0\db_2\Bin\extjob.exe ORCL10G --> c:\oracle\product\10.2.0\db_2\Bin\extjob.exe ORCL10G [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-01-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.strayer.edu/
uInternet Connection Wizard,ShellNext = hxxp://www.apple.com/quicktime/download
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: myitlab.com
Trusted Zone: pearsoncmg.com
Trusted Zone: pearsoned.com
FF - ProfilePath - c:\documents and settings\Strayer\Application Data\Mozilla\Firefox\Profiles\m9av23av.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJinit13117.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJinit13122.dll
FF - hȋdden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
.
------- File Associations -------
.
vbefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
vbsfile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
jsefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
.

**************************************************************************
scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOraDb10g_home1TNSListener]
"ImagePath"="c:\oracle\product\10.2.0\db_2\BIN\TNSLSNR "

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOraDb11g_home1TNSListener]
"ImagePath"="c:\app\Administrator\product\11.1.0\db_1\BIN\TNSLSNR "

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"="a"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1276)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(5020)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-01-13 10:33:34
ComboFix-quarantined-files.txt 2010-01-13 15:33
ComboFix2.txt 2010-01-13 05:04

Pre-Run: 14,199,095,296 bytes free
Post-Run: 14,182,154,240 bytes free

- - End Of File - - 1FF46F22773FD50ABBBDF8E7ED1BE021

What further steps do I need to take?

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?

Machine seems to be running alright. No pop-ups or blocked sites that I can tell. Is there anything else I need to search for or take care of?

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommand the following add-ons for Firefox, they will help keep you safe from malicious scripts or activeX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
https://addons.mozilla.org/en-US/firefox/addon/433

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please considering using this free software program that will check for program updates.
Update Checker

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio, or
Outpost
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found here.

Hopefully this should take care of your problems! Good luck.

Guess it's been taken care of! Thanks a million mate