BleepingComputer.com: TDSS Infection with Browser Hijacking

Hi all,

My personal computer appears to have become infected with an infection of some sort. Malwarebytes and Microsoft Security Essentials were suddenly disabled (the Malwarebytes messages says "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access this item"), and any searches conducted on google bring the browser to some sort of unknown search engine (with names like "greatsearchengine.com" and "splendidsearchengine.com").

The reason why I suspect it's a virus is that in the Windows Task Manager under processes, I can see a long random string of numbers, similar to the string that appeared when the rogue program "Opencloud AV" installed itself on my computer about a month ago (which led to a self-attempted cleaning that ended in disaster and a necessary windows re-installation). The DDS text is included in the message text below, and attach.txt is included as an attachment. I have also included screenshots of the Task Manager, and from the program TDSSKiller, which identifies rootkits and attempts to remove them, but they return once the computer is rebooted. The GMER program starts running, but is killed before it can complete its scan.

Any help you guys could offer would be greatly appreciated. Thanks.
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Run by bcrandal at 21:03:02 on 2011-11-04
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1421 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\2532553476:4216065129.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\StacSV.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uWinlogon: Shell=c:\documents and settings\bcrandal\local settings\application data\04b3f396\X
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\bcrandal\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1320177274944
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1320177332955
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\bcrandal\application data\mozilla\firefox\profiles\d2xsf5hk.default\
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
S0 cerc6;cerc6; [x]
.
=============== Created Last 30 ================
.
2011-11-04 21:23:24 48016 --sha-w- c:\windows\system32\c_86033.nl_
2011-11-02 03:15:38 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-11-02 02:45:13 -------- d-----w- c:\documents and settings\bcrandal\application data\OpenOffice.org
2011-11-02 02:44:25 -------- d-----w- c:\program files\OpenOffice.org 3
2011-11-02 02:04:16 -------- d-sh--w- c:\documents and settings\bcrandal\local settings\application data\04b3f396
2011-11-02 01:35:07 -------- d-----w- c:\documents and settings\bcrandal\.swt
2011-11-02 01:35:04 -------- d-----w- c:\documents and settings\bcrandal\application data\Azureus
2011-11-02 01:34:13 -------- d-----w- c:\documents and settings\bcrandal\local settings\application data\Conduit
2011-11-01 23:18:12 -------- d-----w- c:\documents and settings\bcrandal\local settings\application data\Temp
2011-11-01 23:18:12 -------- d-----w- c:\documents and settings\bcrandal\local settings\application data\Adobe
2011-11-01 23:13:51 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{152958b1-1ff9-430f-bb05-44a4b0a55a17}\offreg.dll
2011-11-01 22:58:55 -------- d-----w- c:\documents and settings\bcrandal\local settings\application data\Mozilla
2011-11-01 22:07:57 273408 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpcpp6de.DLL
2011-11-01 22:07:57 149504 ----a-w- c:\windows\system32\hpcpn6de.dll
2011-11-01 22:03:18 272896 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpcpp5r1.dll
2011-11-01 22:03:18 147456 ----a-w- c:\windows\system32\hpcpn5r1.dll
2011-11-01 21:58:57 344064 ----a-w- c:\windows\system32\hpbicoin.dll
2011-11-01 21:58:08 -------- d-----w- C:\HP
2011-11-01 21:57:34 -------- d-----w- C:\OCZ
2011-11-01 21:57:14 -------- d-----w- c:\documents and settings\bcrandal\application data\PeaZip
2011-11-01 21:55:49 -------- d-----w- c:\program files\Xming
2011-11-01 21:50:17 -------- d-----w- c:\program files\VideoLAN
2011-11-01 21:49:36 -------- d-----w- c:\program files\SSH Communications Security
2011-11-01 21:48:18 -------- d-----w- c:\program files\PeaZip
2011-11-01 21:46:31 -------- d-----w- c:\documents and settings\bcrandal\application data\Malwarebytes
2011-11-01 21:46:24 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-11-01 21:46:21 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-01 21:46:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-01 21:45:47 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-01 21:45:47 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-01 21:41:46 -------- d-----w- c:\program files\Ghostgum
2011-11-01 21:41:27 -------- d-----w- c:\program files\gs
2011-11-01 21:04:48 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-11-01 21:04:48 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2011-11-01 21:04:28 6668624 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{152958b1-1ff9-430f-bb05-44a4b0a55a17}\mpengine.dll
2011-11-01 21:04:23 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-11-01 21:03:18 -------- d-----w- c:\program files\Microsoft Security Client
2011-11-01 20:58:59 -------- d-----w- c:\program files\Windows Media Connect 2
2011-11-01 20:58:29 -------- d-----w- c:\windows\system32\LogFiles
2011-11-01 20:58:08 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
2011-11-01 20:20:09 831488 ----a-w- c:\windows\system32\BCMLogon.dll
2011-11-01 20:17:10 -------- d-----w- c:\program files\ATI Technologies
2011-11-01 20:15:59 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-11-01 20:15:59 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-11-01 20:15:59 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-11-01 20:15:58 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-11-01 20:15:58 2000384 -c----w- c:\windows\system32\dllcache\iertutil.dll
2011-11-01 20:15:58 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-11-01 20:15:49 -------- d-----w- c:\program files\DellTPad
2011-11-01 20:15:48 155136 ----a-w- c:\windows\system32\drivers\Apfiltr.sys
2011-11-01 20:15:47 1419232 ----a-w- c:\windows\system32\WdfCoInstaller01005.dll
2011-11-01 20:15:47 100418 ----a-w- c:\windows\system32\Vxdif.dll
2011-11-01 20:15:19 -------- d-----w- c:\program files\O2Micro OZ776 SCR Driver
2011-11-01 20:14:14 -------- d-----w- c:\documents and settings\bcrandal\application data\Dell
2011-11-01 20:14:13 61440 ----a-w- c:\windows\system32\KPower.dll
2011-11-01 20:14:13 307200 ----a-w- c:\windows\system32\BMAPI.dll
2011-11-01 20:14:13 233472 ----a-w- c:\windows\system32\NicConfigSvc.cpl
2011-11-01 20:14:13 -------- d-----w- c:\program files\Dell
2011-11-01 20:14:02 16128 ----a-w- c:\windows\system32\drivers\APPDRV.SYS
2011-11-01 20:13:47 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2011-11-01 20:13:19 989952 ----a-r- c:\windows\system32\drivers\HSF_DPV.sys
2011-11-01 20:13:19 94208 ----a-r- c:\windows\system32\mdmxsdk.dll
2011-11-01 20:13:19 731136 ----a-r- c:\windows\system32\drivers\HSF_CNXT.sys
2011-11-01 20:13:19 217088 ----a-r- c:\windows\system32\UCI32M21.dll
2011-11-01 20:13:19 211200 ----a-r- c:\windows\system32\drivers\HSFHWAZL.sys
2011-11-01 20:13:19 12672 ----a-r- c:\windows\system32\drivers\mdmxsdk.sys
2011-11-01 20:13:19 -------- d-----w- c:\program files\CONEXANT
2011-11-01 20:12:34 160256 -c--a-w- c:\windows\system32\dllcache\b57xp32.sys
2011-11-01 20:12:34 160256 ----a-r- c:\windows\system32\drivers\b57xp32.sys
2011-11-01 20:12:31 -------- d-----w- c:\program files\Broadcom
2011-11-01 20:07:30 94208 ----a-w- c:\windows\system32\stacsv.exe
2011-11-01 20:04:46 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2011-11-01 20:03:28 -------- d-s---w- c:\windows\system32\Microsoft
2011-11-01 20:03:07 2192768 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2011-11-01 20:03:07 2148864 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2011-11-01 20:03:06 2027008 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2011-11-01 20:02:26 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-11-01 20:01:20 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2011-11-01 20:01:20 272128 ------w- c:\windows\system32\drivers\bthport.sys
.
==================== Find3M ====================
.
2011-11-04 21:44:16 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-11-04 21:30:01 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-11-04 21:23:13 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-11-01 21:45:11 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-26 16:41:20 611328 ------w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48:54 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56:39 385024 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 21:03:16.95 ===============

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

• Do not run any other tool untill instructed to do so!
  
• please Do not Attach logs or put in code boxes.
  
• Tell me about any problems that have occurred during the fix.
  
• Tell me of any other symptoms you may be having as these can help also.
  
• Do not run anything while running a fix.
  
• Do not run any other tool untill instructed to do so!

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.

Link 1
Link 2
Link 3

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

In your next post I need the following


• Log from Combofix
  
• let me know of any problems you may have had
  
• How is the computer doing now?

Gringo

I ran Combofix on the infected computer. I was not able to shut down the Microsoft Security Essentials as Combofix requested, possibly because the infection has disabled it.

As a separate non-security issue, my laptop has been unable to access my office's wireless, and it was unable to connect to the internet to install the Recovery Console during the operation of Combofix.

I received the message "Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original versions of these files. Insert your Windows XP Professional Service Pack 3 CD now." I was unable to do this because the latest installation came from a disk from my department's IT guy, who is on vacation right now. The program said it would keep the unrecognized versions at the risk of instability, and continued operation.

The log is attached to this post.

In testing the computer's functionality, I see in the Task Manager that the program containing the suspected Trojan infection is gone. Using a wireless connection, it appears internet functionality has returned, with no hijacking. A check of the wireless shows the initial issues I've been having with my office wireless are still there, but it still maintains the settings to log into my home wireless. I will conduct a check of the computer when I go home this evening to ensure the home wireless is working on the computer.

In terms of problems, while it appears the program is removed from the running processes, Microsoft Security Essentials and Malwarebytes are disabled ("appropriate permissions" error message in Malwarebytes, error code 0x80070005 in MSE). A scan with TDSSkiller found no threats. After running Combofix, I was able to run GMER from an external drive (GMER log is also attached).

So do I have to re-download Malwarebytes? What should I do about Microsoft Security Essentials?

Greetings

Good That cleaned up some bad guys but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

In your next post I need the following


• report from Combofix
  
• let me know of any problems you may have had
  
• How is the computer doing now after running the script?

Gringo

As before, I ran Combofix on the infected computer. I was not able to shut down the Microsoft Security Essentials. This time, I used a wired connection to install the Recovery Console.

The log is attached below. Malwarebytes and MSE are still disabled, but other functions are running normally.

Hello

Please do the following:

Step One
Please download Junction.zip and save it to your desktop.
Unzip it and extract junction.exe to your C:\ drive.

Step Two
Now copy (Ctrl +C) and paste (Ctrl +V) the text inside the code box below into Notepad.

@ECHO OFF
cd c:\
junction -s c:\>log.txt
start log.txt
del %0

Save it to your desktop as File name: junc.bat
Save as type: All Files

Step Three
Double click junc.bat to run it. A log will be presented. Copy and paste or attach the content of the log in your next reply.

Gringo

The junc.bat log file is attached.

Hello

We need to reset some permisions that the virus changed

Download GrantPerms.zip and save it to your desktop.

Unzip the file and depending on the system run GrantPerms.exe or GrantPerms64.exe
Copy and paste the following in the edit box:

c:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Scans\History\CacheManager\MpScanCache-1.bin

Click Unlock. When it is done click "OK".
Click List Permissions and post the result (Perms.txt) that pops up. A copy of Perms.txt will be saved in the same directory the tool is run.

Gringo

A copy of Perms.txt is attached.

are things working now?

gringo

They appear to be working fine. Malwarebytes ran without a problem.

Greetings

Good That cleaned up some bad guys but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

In your next post I need the following


• report from Combofix
  
• let me know of any problems you may have had
  
• How is the computer doing now after running the script?

Gringo

The latest log from Combofix is attached. Everything appears to be in working order.

These logs are looking alot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add/remove programs
click on the following programs

Java™ 6 Update 22

and click on remove

Your Java is out of date.

It can be updated by the Java control panel

• click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  
• An update should begin;
  
• follow the prompts

TFC(Temp File Cleaner):

• Please download TFC to your desktop,
  
• Save any unsaved work. TFC will close all open application windows.
  
• Double-click TFC.exe to run the program.
  
• If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

I would like you to rerun MBAM


• Double-click mbam icon
  
• go to the update tab at the top
  
• click on check for updates
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select Perform quick scan, then click Scan.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  
• When completed, a log will open in Notepad. please copy and paste the log into your next reply
  
  • If you accidently close it, the log file is saved here and will be named like this:
    
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download HijackThis

• Go Here to download HijackThis Installer
  
• Save HijackThis Installer to your desktop.
  
• Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  
• By default it will install to C:\Program Files\Trend Micro\HijackThis .
  
• Click on Install.
  
• It will create a HijackThis icon on the desktop.
  
• Once installed it will launch Hijackthis.
  
• Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  
• Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  
• Come back here to this thread and Paste the log in your next reply.
  
• DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
  
• DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

If you have problems running Hijackthis.

sometimes we have to run it like this To run HijackThis as an administrator,
rightclick HijackThis.exe (located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select to run as administrator

"information and logs"

In your next post I need the following


• Log From MBAM
  
• report from Hijackthis
  
• let me know of any problems you may have had
  
• How is the computer doing now?

Gringo

The Anti-MalwareBytes log is attached, and the results of HijackThis are pasted into this reply.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:24:12 PM, on 11/7/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\StacSV.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - Startup: OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1320177332955
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: DW WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 4349 bytes

While MalwareBytes was scanning, Microsoft Security Essentials detected two threats. MalwareBytes also detected one of the same threats and removed it successfully. When the computer rebooted, MSE detected one threat, "Virus: Win32/Patchload.O". The infected computer is offline and no action has been taken yet with MSE. Apart from that, computer is operating normally.