Full Version: Pest Trap Trojan
Duncan Yahn
I have gotten infected with a trojan another site calls "trojan.agent.rt" which constantly reloads a trial version of Pest Trap no matter how many times I eradicate it using Adaware SE, manual deletions and Norton WinDoctor (to clean up the registry afterwards). I'm really surprised Adaware SE can't kill it, but am even more surprised that the FTC hasn't shut these con artists down yet.

The initial screen which starts the problem rolling is a certificate prompt asking if you trust the content from HIPOINT Ltd, using "http://di.info" as the loading site. The cert pops up repeatedly no matter how many times you deny it. The object of the perps is to get the Pest Trap Trial version installed on your machine. Once it's loaded it obnoxiously informs you of false adware dangers and says you must pay the registration fee to get these "terribly dangerous infections" removed. Actually, the only terribly dangerous infection IS the program itself.

What can Lavasoft do for this? Ad Aware SE seems to be thwarted by these jerks.
Ai_Tak
I recently saw a computer that had "pest trap" on, it also had another malware that replaces programs that load at startup with itself, you may want to check that none of your load at startup programs have been replaced.
Duncan Yahn
I think you have something there. In trying to eradicate this trojan, I noticed that when it was soliciting me to be installed it was showing up in a dialog box labeled as the update manager for WordPerfect. I deleted WP and all of its related files thinking it was the culprit, but it is back anyway. AND now on my other PC, a phony Adobe update manager dialog box is popping up with this same solicitation to download this bugger.

This has got to be illegal, isn't it? Isn't this the same offence as an internet worm or virus? These deceptive and corrupting tactics to get someone to take on a company's product has got to be, at the least, a violation of US trade practices and subjects this outfit to penalties from the Federal Trade Commission. Not to mention civil action from the companies whose names are being hijacked for these download requests.

Can anyone give me a program to use which will scan my HD for all instances of hijackers like this one? I've heard some nick names for progs dropped here and there, but don't know how to get one of them.

Thanx
LS CalamityJane
Hi, the problem is that the perpetrators do not operate out of the US, therefore the FTC cannot touch them.

We have various tools to help eradicate this pest, it sounds like a new variant that Ad-Aware doesn't detect yet.

Could you please post the following

1. Your Adaware Scan log with the latest reference file update.

Please make sure that you are using Ad-aware SE Build 106r1.
Note: If your version is 6.0 and not the SE, you need to uninstall and get the latest version from the above link.

[If not, uninstall your old Ad-aware first, then install SE.]
See here for how to get the latest version of Ad-Aware:
http://www.lavasoftsupport.com/index.php?showtopic=1163

Then use the WebUpDate to get the latest Definition file, SE1R135 27.11.2006.
To do this, open Ad-aware and click the WebUpDate button at the top right hand side of the Ad-aware screen (the world globe). Click "Connect". Ad-aware will then download the latest Definition file for you.
To make sure it is updated, look at the main Ad-aware screen under "Initialization Status". It should say the latest Definition file.
Then scan doing a "Full Scan" and then post your logfile here by using the Add-Reply feature.
Logs are stored in:
C:\Documents and Settings\USERNAME\Application Data\Lavasoft\Ad-aware\Logs\
An easy way to get there is to click Start, click Run, and type in and press ENTER: %appdata%
then click Lavasoft, then Ad-Aware, and then Logs.
Scroll down to find the latest one that you have (by date & time), open it, right click, select all, copy, and then paste the contents of it here.
...............
2. A diagnostic log from this free tool called HijackThis
Instructions on creating a HijackThis Log
http://www.lavasoftsupport.com/index.php?showtopic=216
Duncan Yahn
Thanks for the response! ...and here you go. I had to post it as an attachment because it's too long to paste here. It's in the form of a Wordpad .rtf file.

Be aware that I know about the Gain adware, and I do tolerate it, as I'm using Gator's eWallet and one won't work without the other. I am removing it soon to use Roboform instead, but first have to get up the funds to register the latter. I will look for the "Hijack This" software and run a scan with that when I find it, posting that log here too.

Thanx again,

Duncan
Duncan Yahn
Here is the Hijack This log file.

Thanx again,

Duncan

Logfile of HijackThis v1.99.1
Scan saved at 10:58:24 AM, on 12/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
LS CalamityJane
Thanks for the logs.

I'm reviewing these next. The HijackThis log is cut off on the bottom. Could you please scan again and then scroll all the way to the bottom of the page to get the entire text in?
Duncan Yahn
Sorry 'bout that. Here ya go:

Logfile of HijackThis v1.99.1
Scan saved at 8:53:31 AM, on 12/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ntsystem.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\winstall.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Gator.com\Gator\Gator.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Gator eWallet.lnk = C:\Program Files\Gator.com\Gator\Gator.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} (iWon Progressive Counter) - http://cc.iwon.com/ct/pm3/iWonPMSetup_12_1,0,2,5.exe
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqcpc/downloads/msxml4.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.20.19/ttinst.cab
O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB77} - http://dinet.info/n/us22/n.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
LS CalamityJane
Thanks, That reveals a couple of traces. I'm going to need one other log please now that I've seen that.

But first, I'd like to get copies of some files from you so we can add to our detection database.

Go here to upload the files as attachments
http://www.thespykiller.co.uk/forum/index.php?board=1.0
Just press new topic (make the subject: For CalamityJane from Duncan Yahn at LS),
fill in a short message, then press the browse button and navigate to and select these files on your computer. If there is more than one file, press the more attachments button for each extra file and browse and select it, and when all the files are listed in the window press the *Post* button to upload the files.

Files to attach for upload:

C:\winstall.exe

C:\WINDOWS\system32\ntsystem.exe

You DO NOT need to register to start a topic or upload, anybody can upload the files

You will not see the files that have been uploaded as they only show to the authorized users who can download them. I will be able to see them and collect them from there.

...............
When you have done that, please come back to this topic and run the following tool please. This will produce the other log I need for the info to write up a fix for you.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe

2. Double click on combofix.exe & follow the prompts.

Note: If you receive a popup with a Disclaimer, read that and answer Y for yes (or N for no)
Y is recommended (if you put N, the tool will exit without fixing and will remove the combofix file and folders)


Do NOT click on the window while the fix is running, because that will cause your system to hang and the fix to stall.

3. When finished, it shall produce a log for you. Post that log in your next reply
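The two files asked for above are the ones a helper picks out of a HijackThis log by eye: an O4 Run entry named "gwiz" that autostarts an unfamiliar binary from system32, an O4 entry named "Windows installer" whose binary sits in the root of C:, and an O16 ActiveX download from a host nobody recognises. The script below is an added example, not part of this thread and not HijackThis code; it encodes those same checks and runs them over a constructed excerpt of the log posted earlier. The system32 allow-list, the trusted-domain list and the severity wording are assumptions an analyst would tune for the machine in front of them.

```python
"""Triage a HijackThis 1.99 log for the entry types that turned out to be
malicious in this thread.  Added example: it is not part of the thread and
not HijackThis code.  The heuristics and the two allow-lists are assumptions
an analyst would tune; they are deliberately small here."""
import re
from urllib.parse import urlparse

# Constructed excerpt of the 12/19/2006 log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqcpc/downloads/msxml4.cab
O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB77} - http://dinet.info/n/us22/n.cab
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# Assumption: executables that legitimately autostart from system32 on this box.
SYSTEM32_ALLOWED = {"ctfmon.exe", "rundll32.exe"}
# Assumption: domains from which ActiveX (O16) downloads are expected here.
TRUSTED_DPF_DOMAINS = ("hp.com", "microsoft.com", "toontown.com")


def exe_path(cmd: str) -> str:
    """Pull the executable out of a Run-value command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def triage_run_entry(name: str, cmd: str):
    """Reason string for an O4 entry worth a second look, else None."""
    path = exe_path(cmd)
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]
    if re.fullmatch(r"[a-z]:\\[^\\]+", low):
        return "suspicious: autostart binary dropped in the drive root"
    if "\\system32\\" in low and base not in SYSTEM32_ALLOWED:
        return "suspicious: unrecognised executable autostarting from system32"
    if "\\" not in low:
        return "verify: bare filename resolved via PATH (typical of OEM utilities)"
    return None


def triage_dpf(url: str):
    """Reason string for an O16 download from a host outside the allow-list."""
    host = (urlparse(url).hostname or "").lower()
    if any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_DOMAINS):
        return None
    return f"suspicious: ActiveX control pulled from untrusted host {host}"


def triage(log_text: str):
    """Walk the log and return a list of findings as dicts."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            reason = triage_run_entry(m["name"], m["cmd"])
            if reason:
                findings.append({"section": "O4", "item": m["name"],
                                 "target": exe_path(m["cmd"]), "reason": reason})
        elif m := O16_RE.match(line):
            reason = triage_dpf(m["url"])
            if reason:
                findings.append({"section": "O16", "item": m["desc"] or "(no name)",
                                 "target": m["url"], "reason": reason})
        elif m := O23_RE.match(line):
            if m["path"].endswith("(file missing)"):
                findings.append({"section": "O23", "item": m["name"], "target": m["path"],
                                 "reason": "stale: service points at a missing binary"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:<5}{f['reason']:<66}{f['item']} -> {f['target']}")
```

The "verify" and "stale" findings are leads, not verdicts: LTMSG.exe is a modem utility that really does start by bare name, and an orphaned x10nets service is clutter rather than infection. The two "suspicious" O4 hits are the files the helper asked to have uploaded, and the O16 hit is the dinet.info control that matches the "di.info" prompt described in the first post.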
Duncan Yahn
Jane,

I posted the uploads on the forum location you stated and here is the combofix log.

Thanx, Dunc


Lachlan - 06-12-22 9:35:13.65 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Lachlan\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Lachlan\Application Data\Install.dat
C:\winstall.exe


((((((((((((((((((((((((((((((( Files Created from 2006-11-22 to 2006-12-22 ))))))))))))))))))))))))))))))))))


2006-12-15 10:56 <DIR> d-------- C:\HijackThis
2006-12-07 15:33 <DIR> d-------- C:\Documents and Settings\Lachlan\Application Data\Google
2006-12-04 21:54 <DIR> d-------- C:\Program Files\Google
2006-12-04 21:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google
2006-11-30 16:27 <DIR> d-------- C:\Documents and Settings\Lachlan\Application Data\Lavasoft
2006-11-23 22:31 <DIR> d-------- C:\Program Files\MSXML 4.0
2006-11-23 22:31 <DIR> d-------- C:\e0e56561bbc39e5bca


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-22 09:27 -------- d-------- C:\Program Files\Common Files\GMT
2006-12-22 08:54 -------- d-------- C:\Program Files\Common Files\CMEII
2006-12-15 11:51 -------- d-------- C:\Program Files\Internet Explorer
2006-12-15 11:50 -------- d-------- C:\Program Files\Outlook Express
2006-12-15 11:50 -------- d-------- C:\Program Files\Common Files\System
2006-12-07 22:22 -------- d-------- C:\Program Files\Common Files\Adobe
2006-12-07 22:22 -------- d-------- C:\Program Files\Adobe
2006-12-07 22:16 -------- d-------- C:\Program Files\Common Files
2006-12-07 21:32 -------- d-------- C:\Program Files\WordPerfect Office 12
2006-12-06 22:29 2374472 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-11-09 23:45 -------- d-------- C:\Program Files\Lavasoft
2006-11-09 23:27 4096 --a------ C:\WINDOWS\system32\ntsystem.exe
2006-11-09 23:20 614400 --a------ C:\WINDOWS\system32\msvcr80.dll
2006-11-09 22:54 -------- d-------- C:\Program Files\Java
2006-11-07 22:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-10-28 18:00 -------- d-------- C:\Program Files\HighCriteria
2006-10-22 19:04 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-22 18:58 -------- d-------- C:\Program Files\Firaxis Games
2006-10-19 06:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-13 05:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-11 09:24 58880 --a------ C:\WINDOWS\system32\pnrpnsp.dll
2006-10-11 09:24 553984 --a------ C:\WINDOWS\system32\p2psvc.dll
2006-10-11 09:24 313344 --a------ C:\WINDOWS\system32\p2pgraph.dll
2006-10-11 09:24 153088 --a------ C:\WINDOWS\system32\p2p.dll
2006-10-11 09:24 116224 --a------ C:\WINDOWS\system32\p2pnetsh.dll
2006-10-11 09:24 104960 --a------ C:\WINDOWS\system32\p2pgasvc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
@=""
"ATI Launchpad"="\"C:\\Program Files\\ATI Multimedia\\main\\launchpd.exe\""
"ATI DeviceDetect"="C:\\Program Files\\ATI Multimedia\\main\\ATIDtct.EXE"
"ATI Remote Control"="C:\\Program Files\\ATI Multimedia\\RemCtrl\\ATIRW.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"CMESys"="\"C:\\Program Files\\Common Files\\CMEII\\CMESys.exe\""
"VTPreset"="VTPreset.exe"
"LTMSG"="LTMSG.exe 7"
"AlcxMonitor"="ALCXMNTR.EXE"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"gwiz"="C:\\WINDOWS\\system32\\ntsystem.exe"
"TotalRecorderScheduler"="\"C:\\Program Files\\HighCriteria\\TotalRecorder\\TotRecSched.exe\""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,30,01,00,00,00,00,00,00,b0,02,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,ad,00,00,00,80,00,00,00,6e,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"="Eudora's Shell Extension"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Wallpaper"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll"

Completion time: 06-12-22 9:38:58.75
C:\ComboFix.txt ... 06-12-22 09:38
LS CalamityJane
Thanks, I did get the files and will submit them for future detection which will help everyone!

Open HijackThis and do a *system scan only*

When it finishes, place a checkmark in the boxes next to these entries

O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe

O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

Then press the *fix checked* button

Close HijackThis and delete this file:


C:\WINDOWS\system32\ntsystem.exe

................................
1. Go to *Start* then *Run* and type in regedit and hit *OK*.
Go to *File* then *Export* and save the registry somewhere as a backup. Give it a name you'll remember like SaveReg.reg. That is a backup just in case something doesn't go right and we could restore the registry if needed.

Next, Open Notepad, then copy and paste the following lines shown in bold into Notepad:

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Save the text file pasted into notepad to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.
.......................
Now please reboot your PC.

Then scan once more with HijackThis and ComboFix and post the new logs from both scans.
ComboFix will have made a second log for the scan named: ComboFix2.txt on your hard drive.
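The .reg fix above targets the one line in the ComboFix log that HijackThis does not show: the SecurityProviders value lists five DLLs where Windows XP SP2 ships four, and the extra one, ntoskrnl.dll, borrows the kernel's name (the kernel is ntoskrnl.exe; a clean system32 has no DLL by that name). Every DLL in that value is loaded by the LSA at boot, so an extra entry there is a persistence point that survives deleting the Run entries. The script below is an added example, not part of this thread and not ComboFix or Lavasoft code: it parses a constructed excerpt of the "Reg Loading Points" section posted above, reports any provider outside the XP SP2 baseline, and emits the same REGEDIT4 text as the fix. The baseline is the XP SP2 default; on Vista and later the default list is different (it includes credssp.dll), so the baseline must match the OS being cleaned.

```python
"""Check the LSA SecurityProviders list recorded in a ComboFix log against
the Windows XP SP2 default and generate the REGEDIT4 fix that restores it.
Added example: not part of the thread and not ComboFix or Lavasoft code.
The baseline is the XP SP2 default value; the log excerpt is constructed
from the one posted above."""

# Windows XP SP2 ships exactly these four security-provider DLLs in the value.
XP_SP2_PROVIDERS = ["msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"]
SP_KEY = r"HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders"

# Constructed excerpt of the "Reg Loading Points" section posted above.
SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"gwiz"="C:\\WINDOWS\\system32\\ntsystem.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll"
"""


def parse_reg_dump(text: str) -> dict:
    """Return {key_path(lowercase): {value_name: raw_data}} from the .reg-style
    listing ComboFix prints; data is kept as written (outer quotes stripped only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, data = line[1:].partition('"=')
            keys[current][name] = data.strip('"')
    return keys


def security_providers(keys: dict) -> list:
    """The comma-separated DLL list as individual names, in log order."""
    data = keys.get(SP_KEY.lower(), {}).get("SecurityProviders", "")
    return [p.strip() for p in data.split(",") if p.strip()]


def extra_providers(keys: dict, baseline=XP_SP2_PROVIDERS) -> list:
    """DLLs present in the value but not in the baseline.  Each one is loaded
    into the LSA process at boot, so any unexpected name is a persistence lead."""
    base = {b.lower() for b in baseline}
    return [p for p in security_providers(keys) if p.lower() not in base]


def build_fix(keys: dict, baseline=XP_SP2_PROVIDERS) -> str:
    """REGEDIT4 text that rewrites the value with only baseline DLLs, keeping
    the order the log lists them in, which is what the fix posted above does."""
    base = {b.lower() for b in baseline}
    kept = [p for p in security_providers(keys) if p.lower() in base]
    return 'REGEDIT4\n\n[%s]\n"SecurityProviders"="%s"\n' % (SP_KEY, ", ".join(kept))


if __name__ == "__main__":
    parsed = parse_reg_dump(SAMPLE_COMBOFIX)
    print("unexpected providers:", extra_providers(parsed))
    print(build_fix(parsed))
```

Merging the generated .reg only rewrites the value; the DLL it named has still to be deleted from system32 separately, the same way the fix above has ntsystem.exe deleted by hand after its Run entry is removed.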
LS CalamityJane
That is the fix. This is more info on those files and this infection:

Complete scanning result of "ntsystem.exe", received in VirusTotal at 12.22.2006, 23:49:03 (CET).

Antivirus Version Update Result
AntiVir 7.3.0.21 12.22.2006 TR/Dldr.Oleloa.H
Authentium 4.93.8 12.22.2006 Possibly a new variant of W32/Threat-HLLSI-based!Maximus
Avast 4.7.892.0 12.21.2006 no virus found
AVG 386 12.22.2006 no virus found
BitDefender 7.2 12.22.2006 no virus found
CAT-QuickHeal 8.00 12.22.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 12.22.2006 no virus found
DrWeb 4.33 12.22.2006 no virus found
eSafe 7.0.14.0 12.21.2006 suspicious Trojan/Worm
eTrust-InoculateIT 23.73.95 12.22.2006 no virus found
eTrust-Vet 30.3.3269 12.22.2006 Win32/Nitwiz!generic
Ewido 4.0 12.22.2006 Downloader.Oleloa
Fortinet 2.82.0.0 12.22.2006 W32/AFH!tr.dldr
F-Prot 3.16f 12.22.2006 Possibly a new variant of W32/Threat-HLLSI-based!Maximus
F-Prot4 4.2.1.29 12.21.2006 W32/Threat-HLLSI-based!Maximus
Ikarus T3.1.0.27 12.22.2006 Trojan-Clicker.Win32.Agent.hg
Kaspersky 4.0.2.24 12.22.2006 no virus found
McAfee 4925 12.22.2006 Downloader-AFH
Microsoft 1.1904 12.22.2006 no virus found
NOD32v2 1935 12.22.2006 probably a variant of Win32/TrojanDownloader.Oleloa
Norman 5.80.02 12.22.2006 no virus found
Panda 9.0.0.4 12.22.2006 no virus found
Prevx1 V2 12.23.2006 Trojan.NTSystem
Sophos 4.12.0 12.22.2006 no virus found
Sunbelt 2.2.907.0 12.18.2006 no virus found
TheHacker 6.0.3.135 12.20.2006 no virus found
UNA 1.83 12.22.2006 no virus found
VBA32 3.11.1 12.22.2006 no virus found
VirusBuster 4.3.19:9 12.22.2006 no virus found

Additional Information
File size: 4096 bytes
MD5: 4c826de9b26edec3d2fdaee5ac85509e
SHA1: e5402006dfaa89762771c547fa4ef5349a7f63bc
packers: UPX

And that is this pest called Win32/Nitwiz.A trojan. Computer Associates has a writeup on it here:
http://www3.ca.com/securityadvisor/virusin...s.aspx?id=58686
..........................
And the other file belonged to the Pest-Trap pest

Complete scanning result of "winstall.exe", received in VirusTotal at 12.22.2006, 23:51:32 (CET).

Antivirus Version Update Result
AntiVir 7.3.0.21 12.22.2006 TR/Dldr.Small.cpg.1
Authentium 4.93.8 12.22.2006 could be infected with an unknown virus
Avast 4.7.892.0 12.21.2006 Win32:Renos-P
AVG 386 12.22.2006 Generic2.AVS
BitDefender 7.2 12.22.2006 Application.Hoax.Renos.EO
CAT-QuickHeal 8.00 12.22.2006 Hoax.Renos.eo (Not a Virus)
ClamAV devel-20060426 12.22.2006 Trojan.Downloader.Small-1339
DrWeb 4.33 12.22.2006 Trojan.Fakealert
eSafe 7.0.14.0 12.21.2006 no virus found
eTrust-InoculateIT 23.73.95 12.22.2006 Win32/Renos.eo!Trojan
eTrust-Vet 30.3.3269 12.22.2006 Win32/Oneraw!generic
Ewido 4.0 12.22.2006 Not-A-Virus.Hoax.Win32.Renos.eo
Fortinet 2.82.0.0 12.22.2006 Adware/PestTrap
F-Prot 3.16f 12.22.2006 could be infected with an unknown virus
F-Prot4 4.2.1.29 12.21.2006 generic
Ikarus T3.1.0.27 12.22.2006 not-a-virus:Hoax.Win32.Renos.eo
Kaspersky 4.0.2.24 12.22.2006 not-virus:Hoax.Win32.Renos.eo
McAfee 4925 12.22.2006 potentially unwanted program Adware-PestTrap
Microsoft 1.1904 12.22.2006 Renos
NOD32v2 1935 12.22.2006 Win32/Adware.SpySheriff
Norman 5.80.02 12.22.2006 W32/Renos.GT
Panda 9.0.0.4 12.22.2006 Adware/SpySheriff
Prevx1 V2 12.23.2006 Spyware.PestTrap
Sophos 4.12.0 12.22.2006 Troj/Spywad-Gen
Sunbelt 2.2.907.0 12.18.2006 SpySheriff
TheHacker 6.0.3.135 12.20.2006 no virus found
UNA 1.83 12.22.2006 Hoax.Win32.Renos.C50A
VBA32 3.11.1 12.22.2006 Trojan.Fakealert
VirusBuster 4.3.19:9 12.22.2006 Trojan.Renos.BE

Additional Information
File size: 29184 bytes
MD5: b917ffe96edb3ae8cac14d4a19787706
SHA1: 5728a9c8bdb37b272d3646553d5f63332316977c
Duncan Yahn
QUOTE(LS CalamityJane @ Dec 22 2006, 04:13 PM) *
That is the fix. This is more info on those files and this infection:


It is? Pest trap is still on the machine after the steps you listed in the prior message were performed. Here is the HijackThis log and combofix logs afterwards:

Logfile of HijackThis v1.99.1
Scan saved at 2:32:23 PM, on 1/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\PestTrap\PestTrap.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Gator.com\Gator\Gator.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PestTrap] C:\Program Files\PestTrap\PestTrap.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Gator eWallet.lnk = C:\Program Files\Gator.com\Gator\Gator.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} (iWon Progressive Counter) - http://cc.iwon.com/ct/pm3/iWonPMSetup_12_1,0,2,5.exe
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqcpc/downloads/msxml4.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.20.19/ttinst.cab
O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB77} - http://dinet.info/n/us22/n.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)



...and here is the combofix log:


Lachlan - 07-01-01 14:45:12.84 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Lachlan\Desktop\My Downloads"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Lachlan\Application Data\Install.dat
C:\winstall.exe


((((((((((((((((((((((((((((((( Files Created from 2006-12-01 to 2007-01-01 ))))))))))))))))))))))))))))))))))


2007-01-01 14:18 <DIR> d-------- C:\Backups
2007-01-01 14:13 <DIR> d-------- C:\Program Files\HijackThis
2006-12-23 11:05 <DIR> d-------- C:\Program Files\PestTrap
2006-12-15 10:56 <DIR> d-------- C:\HijackThis
2006-12-07 15:33 <DIR> d-------- C:\Documents and Settings\Lachlan\Application Data\Google
2006-12-04 21:54 <DIR> d-------- C:\Program Files\Google
2006-12-04 21:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-01 14:35 -------- d-------- C:\Program Files\Common Files\GMT
2007-01-01 13:32 -------- d-------- C:\Program Files\Common Files\CMEII
2006-12-15 11:51 -------- d-------- C:\Program Files\Internet Explorer
2006-12-15 11:50 -------- d-------- C:\Program Files\Outlook Express
2006-12-15 11:50 -------- d-------- C:\Program Files\Common Files\System
2006-12-07 22:22 -------- d-------- C:\Program Files\Common Files\Adobe
2006-12-07 22:22 -------- d-------- C:\Program Files\Adobe
2006-12-07 22:16 -------- d-------- C:\Program Files\Common Files
2006-12-07 21:32 -------- d-------- C:\Program Files\WordPerfect Office 12
2006-12-06 22:29 2374472 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-11-30 16:27 -------- d-------- C:\Documents and Settings\Lachlan\Application Data\Lavasoft
2006-11-23 22:31 -------- d-------- C:\Program Files\MSXML 4.0
2006-11-09 23:45 -------- d-------- C:\Program Files\Lavasoft
2006-11-09 23:20 614400 --a------ C:\WINDOWS\system32\msvcr80.dll
2006-11-09 22:54 -------- d-------- C:\Program Files\Java
2006-11-07 22:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-10-19 06:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-13 05:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-11 09:24 58880 --a------ C:\WINDOWS\system32\pnrpnsp.dll
2006-10-11 09:24 553984 --a------ C:\WINDOWS\system32\p2psvc.dll
2006-10-11 09:24 313344 --a------ C:\WINDOWS\system32\p2pgraph.dll
2006-10-11 09:24 153088 --a------ C:\WINDOWS\system32\p2p.dll
2006-10-11 09:24 116224 --a------ C:\WINDOWS\system32\p2pnetsh.dll
2006-10-11 09:24 104960 --a------ C:\WINDOWS\system32\p2pgasvc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
@=""
"ATI Launchpad"="\"C:\\Program Files\\ATI Multimedia\\main\\launchpd.exe\""
"ATI DeviceDetect"="C:\\Program Files\\ATI Multimedia\\main\\ATIDtct.EXE"
"ATI Remote Control"="C:\\Program Files\\ATI Multimedia\\RemCtrl\\ATIRW.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"
"PestTrap"="C:\\Program Files\\PestTrap\\PestTrap.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"CMESys"="\"C:\\Program Files\\Common Files\\CMEII\\CMESys.exe\""
"VTPreset"="VTPreset.exe"
"LTMSG"="LTMSG.exe 7"
"AlcxMonitor"="ALCXMNTR.EXE"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TotalRecorderScheduler"="\"C:\\Program Files\\HighCriteria\\TotalRecorder\\TotRecSched.exe\""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,30,01,00,00,00,00,00,00,b0,02,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,ad,00,00,00,80,00,00,00,6e,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"="Eudora's Shell Extension"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Wallpaper"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll"

Completion time: 07-01-01 14:45:48.71
C:\ComboFix.txt ... 07-01-01 14:45
C:\ComboFix2.txt ... 06-12-22 09:38
LS CalamityJane
It was the fix 9 days ago when I posted it. PestTrap, which wasn't previously showing, has reinstalled itself since.

If you only applied that fix today, then it was too late.

Please try to stick with this.

Please download the Killbox by Option^Explicit.
http://www.downloads.subratam.org/KillBox.zip

Unzip/Extract the contents to your desktop
How to extract (decompress) zipped or compressed files
http://www.lvsonline.com/compresstut/index.shtml

We'll use that utility later.
........................................

First make a copy of these instructions to have handy. Disconnect your computer from the internet.

Open HijackThis and do a system scan only.

When it finishes, checkmark these entries then press the *fix checked* button

O4 - HKCU\..\Run: [PestTrap] C:\Program Files\PestTrap\PestTrap.exe

Delete the folder:
C:\Program Files\PestTrap

Open Notepad, then copy and paste the following lines shown in bold into Notepad:

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Save the text file pasted into notepad to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.
...........................
Now we'll use Killbox

1. Open Killbox by clicking on Killbox.exe

2. Select *Delete on Reboot* in the first column


3. Copy the following text shown in bold below to clipboard by highlighting the bold text and press Control + C

C:\WINDOWS\SYSTEM32\ntoskrnl.dll

4. In Killbox, select the "File" tab at the top

5. Choose "Paste from Clipboard" in the drop down menu


6. Press the red button with the white x in it.

7. You will receive a prompt stating that files will be deleted on next reboot. Do you want to reboot now?
Choose Yes when asked if you want to reboot. If your computer does not restart, please reboot it manually

Then, after a reboot, please scan and post a fresh HijackThis log and a fresh ComboFix log
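The fix above targets two things the earlier cleanups missed: the HKCU Run entry for PestTrap, and a DLL named ntoskrnl.dll that was appended to the SecurityProviders value. That value lists security support provider DLLs that LSASS loads at boot, so anything added there runs before the user logs in and can put the Run key and program folder back every time they are removed. The script below is an added example, not part of this forum post or of any Lavasoft tool: it reads the kind of HijackThis and ComboFix lines pasted in this thread and flags the same autostart points the helper worked from. The constructed SAMPLE_LOG is a handful of lines copied from the logs above, the allowlists (DEFAULT_SECURITY_PROVIDERS, TRUSTED_DPF_HOSTS, KNOWN_WINLOGON_NOTIFY) are assumptions for illustration, and the stock provider list is taken from the fix.reg shown above rather than from a clean reference machine. It needs Python 3.8 or later.

```python
"""Triage HijackThis / ComboFix text for the persistence points used in this thread.

Added example, not from the original forum post.  Allowlists are assumptions."""
import re
from urllib.parse import urlparse

# Stock SecurityProviders list for this Windows XP SP2 box, copied from the
# fix.reg in the thread (assumption: confirm against a clean machine of the same build).
DEFAULT_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# Autostart names the thread identified as the rogue product (constructed list).
KNOWN_BAD_RUN_NAMES = {"pesttrap"}

# Hosts from which O16 ActiveX downloads are accepted (assumption for illustration).
TRUSTED_DPF_HOSTS = {"ipgweb.cce.hp.com", "a.download.toontown.com"}

# Winlogon Notify DLLs that belong to Windows / WGA (assumption for illustration).
KNOWN_WINLOGON_NOTIFY = {"wgalogon.dll"}

# Constructed sample: a few lines copied from the logs in this thread, not a full log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [PestTrap] C:\Program Files\PestTrap\PestTrap.exe
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB77} - http://dinet.info/n/us22/n.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll"
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[^}]+)\}(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
SP_RE = re.compile(r'^"SecurityProviders"="(?P<list>[^"]*)"$')


def security_providers(text):
    """Return the SecurityProviders DLL names (lower-cased, in order) or [] if absent."""
    for line in text.splitlines():
        m = SP_RE.match(line.strip())
        if m:
            return [p.strip().lower() for p in m.group("list").split(",") if p.strip()]
    return []


def unexpected_providers(text):
    """DLLs in SecurityProviders that are not in the stock list: each one is loaded
    by LSASS at boot, before any user logs on."""
    return [p for p in security_providers(text) if p not in DEFAULT_SECURITY_PROVIDERS]


def triage(text):
    """Return (code, detail) findings for O4 Run keys, O16 downloads, O20 notifiers
    and the SecurityProviders value."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := O4_RE.match(line)):
            if m["name"].lower() in KNOWN_BAD_RUN_NAMES:
                findings.append(("O4", f'{m["hive"]} Run "{m["name"]}" -> {m["cmd"]}'))
        elif (m := O16_RE.match(line)):
            host = urlparse(m["url"]).hostname or ""
            if host not in TRUSTED_DPF_HOSTS:
                findings.append(("O16", f'ActiveX download from untrusted host {host}: {m["url"]}'))
        elif (m := O20_RE.match(line)):
            dll = m["path"].rsplit("\\", 1)[-1].lower()
            if dll not in KNOWN_WINLOGON_NOTIFY:
                findings.append(("O20", f'Winlogon Notify {m["name"]} loads {m["path"]}'))
    for dll in unexpected_providers(text):
        detail = f"extra SSP DLL {dll} loaded by LSASS at boot"
        if dll == "ntoskrnl.dll":
            # The NT kernel image is ntoskrnl.exe; a .dll by that name in system32
            # is not a Windows file and is named to look like one.
            detail += " (the real kernel is ntoskrnl.exe; a .dll of that name is not a Windows file)"
        findings.append(("SecurityProviders", detail))
    return findings


def clean_providers_reg(text):
    """Build a REGEDIT4 fragment restoring SecurityProviders without the extra
    entries, in the same shape as the fix.reg posted in this thread."""
    keep = [p for p in security_providers(text) if p in DEFAULT_SECURITY_PROVIDERS]
    return ("REGEDIT4\n\n"
            "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders]\n"
            f'"SecurityProviders"="{", ".join(keep)}"\n')


if __name__ == "__main__":
    for code, detail in triage(SAMPLE_LOG):
        print(f"[{code}] {detail}")
    print(clean_providers_reg(SAMPLE_LOG))
```

Run it against a full pasted log instead of SAMPLE_LOG to get the same three classes of finding the helper acted on here; the generated REGEDIT4 text is what to merge, and the flagged SSP DLL still has to be removed from disk separately (the thread uses a delete-on-reboot tool for that because LSASS holds the file open while Windows is running).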
Ospreys_Fan
Duncan

I had exactly the same problem as you. No matter how many times I got rid of the damn trojan, it kept coming back. It turns out that the Java platform was reloading the trojan each time I accessed the internet, and by completing the following instructions I managed to prevent it from coming back.

Updating Java and Clearing Cache

1. Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
2. It will say "Java Plug-in" under the icon. Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
3. If you are unable to update you can manually update by going here: http://www.java.com/en/download/manual.jsp
4. After the reboot, go back into the Control Panel and double-click the Java Icon.
5. Under Temporary Internet Files, click the Delete Files button.
6. There are three options in the window to clear the cache - Leave ALL 3 Checked
Downloaded Applets
Downloaded Applications
Other Files

7. Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
8. Click OK to leave the Java Control Panel.

After completing the above, delete all traces of the trojan from your machine as explained earlier and your problem should be solved.

Hope this helps.
Invision Power Board © 2001-2010 Invision Power Services, Inc.