StephenS
Members
Posts: 18

Everything posted by StephenS

  1. Quite an informative read there. I'm so glad there are people out there like you who do this. You do us all a wonderful service. Well, bedtime for me. I've been beating my head for hours on this thing. haha Once again, congratulations on a job well done.
  2. Well, well, well. Looks like things are back in business.
1) Regedit works again and I can open a cmd prompt as well. (I merged the changes into the registry too.)
2) No more blocked Bleepingcomputer.com.
3) MBAM updated to version 1951.
4) No more redirects on Google.
5) Computer seems a bit faster too. haha
I want to say thanks for all your help. Hopefully adding that annoyance to MBAM will save some people some grief. Thanks again. You guys are pretty smart.
  3. Hmmmmm. Well, I don't get it. I told HijackThis to delete the file on reboot, but it's still there?!?! This is what I pasted: C:\DOCUME~1\Stephen\LOCALS~1\msqspuq.bet Also, when I tried to merge the changes, Explorer crashed just as before. What's going on here? lol
  4. o_O I'll have to remember this. That's another little trick to add to my book of "How to get rid of malware." haha
  5. Alright. It's been uploaded and posted. Let's hope it's the offending malware we are looking for.
  6. Hey, OK, I did what you asked and I got this:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.msadpcm"="msadp32.acm"
"msacm.msg711"="msg711.acm"
"msacm.msgsm610"="msgsm32.acm"
"msacm.trspch"="tssoft32.acm"
"vidc.cvid"="iccvid.dll"
"VIDC.I420"="msh263.drv"
"vidc.iv31"="ir32_32.dll"
"vidc.iv32"="ir32_32.dll"
"VIDC.IYUV"="iyuv_32.dll"
"vidc.mrle"="msrle32.dll"
"vidc.msvc"="msvidc32.dll"
"VIDC.UYVY"="msyuv.dll"
"VIDC.YUY2"="msyuv.dll"
"VIDC.YVU9"="tsbyuv.dll"
"VIDC.YVYU"="msyuv.dll"
"wavemapper"="msacm32.drv"
"msacm.msg723"="msg723.acm"
"vidc.M263"="msh263.drv"
"vidc.M261"="msh261.drv"
"msacm.msaudio1"="msaud32.acm"
"msacm.sl_anet"="sl_anet.acm"
"msacm.l3acm"="C:\\WINDOWS\\System32\\l3codeca.acm"
"vidc.iv41"="ir41_32.ax"
"msacm.iac2"="iac25_32.ax"
"vidc.iv50"="ir50_32.dll"
"msacm.ctmp3"="C:\\WINDOWS\\System32\\ctmp3.acm"
"wave"="wdmaud.drv"
"midi"="wdmaud.drv"
"mixer"="wdmaud.drv"
"vidc.DIVX"="DivX.dll"
"MSVideo8"="VfWWDM32.dll"
"wave1"="wdmaud.drv"
"midi1"="wdmaud.drv"
"mixer1"="wdmaud.drv"
"aux"="wdmaud.drv"
"wave2"="wdmaud.drv"
"midi2"="wdmaud.drv"
"mixer2"="wdmaud.drv"
"aux1"="wdmaud.drv"
"aux2"="C:\\DOCUME~1\\Stephen\\LOCALS~1\\Temp\\..\\msqspuq.bet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP]
"wave"="rdpsnd.dll"
"MaxBandwidth"=dword:000056b9
"wavemapper"="msacm32.drv"
"EnableMP3Codec"=dword:00000001
"midimapper"="midimap.dll"
"mixer"="rdpsnd.dll"

My first look goes immediately to the "C:\\DOCUME~1\\Stephen\\LOCALS~1\\Temp\\..\\msqspuq.bet" under aux2. I saw you dealing with others and you would pick other similar ones for analysis. However, when I checked that file, the date was like several years ago, so I left it alone until I could get confirmation from someone else. I don't want to kill something that is legitimate. haha
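The aux2 entry singled out in the post above is the kind of thing worth checking mechanically rather than by eye. The script below is an added example (my code, not anything posted in this thread and not part of MBAM or HijackThis): it parses a .reg export of the Drivers32 key and flags values that do not look like stock multimedia modules, i.e. an unexpected file extension, a ".." traversal component, or a target that resolves outside the system directory. The sample input is a trimmed copy of the export quoted above; C:\WINDOWS\System32 as the system directory, the allow-list of extensions, and the rule that a bare filename is treated as loading from System32 are my simplifying assumptions (the real loader search order is broader).

```python
import re
from ntpath import normpath  # ntpath handles Windows paths on any OS

# Constructed sample: a trimmed copy of the Drivers32 export quoted in the post above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"msacm.l3acm"="C:\\WINDOWS\\System32\\l3codeca.acm"
"wave"="wdmaud.drv"
"aux1"="wdmaud.drv"
"aux2"="C:\\DOCUME~1\\Stephen\\LOCALS~1\\Temp\\..\\msqspuq.bet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP]
"wave"="rdpsnd.dll"
"MaxBandwidth"=dword:000056b9
'''

SYSTEM32 = r"C:\WINDOWS\System32"                 # assumption: default XP system directory
OK_EXTENSIONS = {".dll", ".drv", ".acm", ".ax"}   # assumption: module types a real codec/driver uses

_KEY_RE = re.compile(r"^\[(.+)\]$")
_STR_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg(text):
    """Yield (key, name, string_value) for every REG_SZ value in a .reg export.
    dword/hex values are skipped; .reg files escape each backslash as '\\\\'."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _STR_VALUE_RE.match(line)
        if m and key:
            yield key, m.group(1), m.group(2).replace("\\\\", "\\")


def resolve(value):
    """Absolute path a Drivers32 entry will load from, with '..' components collapsed.
    Assumption: a bare filename is treated as System32-relative."""
    if re.match(r"^[A-Za-z]:\\", value):
        return normpath(value)
    return normpath(SYSTEM32 + "\\" + value)


def audit_drivers32(text):
    """Return a list of (key, name, value, reasons) for Drivers32 entries that do not
    look like a stock multimedia driver: wrong extension, '..' traversal, or a
    location outside System32 (e.g. a user profile or Temp directory)."""
    findings = []
    for key, name, value in parse_reg(text):
        if "Drivers32" not in key:
            continue
        reasons = []
        low = value.lower()
        ext = "." + low.rsplit(".", 1)[-1] if "." in low else ""
        if ext not in OK_EXTENSIONS:
            reasons.append("unexpected extension " + (ext or "(none)"))
        if "\\..\\" in value:
            reasons.append("path traversal component '..'")
        target = resolve(value)
        if not target.lower().startswith(SYSTEM32.lower() + "\\"):
            reasons.append("loads from outside System32: " + target)
        if reasons:
            findings.append((key, name, value, reasons))
    return findings


if __name__ == "__main__":
    for key, name, value, reasons in audit_drivers32(SAMPLE_REG):
        print(f"{name} = {value}\n  " + "\n  ".join(reasons))
```

Run against the full export from the post, only aux2 is reported, for all three reasons at once; every other value is either a bare module name in an expected extension or an absolute path under System32. The file-date check the poster mentions is not a reliable signal here, since a timestamp is trivially set by whatever dropped the file.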
  7. OK, I know for a fact I don't have any issues with the first two links you provided because I haven't had anything like that. I did go ahead and download RootRepeal, though, and took a look at the file scan feature. I didn't see anything suspicious looking involving a rootkit. I don't think that's the issue here. Are there any other suggestions you have to get MBAM up to date? It's probably not detecting this variant of malware for that very reason. I can go ahead and install the Dr.Web CureIt program if there is no other way to get it to version 1950 at this time. Again, it's not having trouble opening or scanning, just updating with its update feature.
  8. I can't get MBAM to update through the normal means though. The version I have is from the manual update. Is that the version I will get if I do it manually?
  9. Also, the latest MBAM log:

Malwarebytes' Anti-Malware 1.34
Database version: 1945
Windows 5.1.2600 Service Pack 2

4/7/2009 8:06:22 AM
mbam-log-2009-04-07 (08-06-22).txt

Scan type: Full Scan (C:\|)
Objects scanned: 170180
Time elapsed: 1 hour(s), 17 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP6\A0000351.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

I was hoping this would take care of it, but alas, it didn't. Oh well... Still waiting on possible solutions.
  10. Hello. This started yesterday, but I have done a lot of research about it and I haven't found a way to remove this annoying malware infection. I have tried AVG, Symantec, AND MBAM, and to no avail. Last time I had a problem, MBAM took care of it quite well, but this is probably a new variant and that's why it's not been able to detect/remove this. Here is a list of the problems I have encountered:
1) Google searches are being re-directed to random ad sites.
2) When I attempt to run cmd and regedit, Explorer crashes and restarts. I renamed Regedit to reg3dit to get around this, but I'm not sure what I am looking for. I didn't see anything too suspicious with my "untrained eyes."
3) I discovered in my research that bleepingcomputer.net is blocked and I am not able to access it from this computer. I went to another computer that is not infected and did some research on there though.
4) AVG and MBAM do not update through the normal means. I had to manually update each of them to the most current versions in order to reliably scan. I uninstalled AVG after this. I still have MBAM though.
5) Access to Windows Update has been cut off.
One further note: I hardly use Internet Explorer; all of my surfing is done in Firefox. That's about all I can think of at this point. Here is a HJT log to get things rolling. I hope we can get rid of this thing soon.
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\ColdFusion8\jnbridge\CF8DotNetsvc.exe
C:\ColdFusion8\jnbridge\JNBDotNetSide.exe
C:\ColdFusion8\db\slserver54\bin\swagent.exe
C:\ColdFusion8\db\slserver54\bin\swstrtr.exe
C:\ColdFusion8\db\slserver54\bin\swsoc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.srh.noaa.gov/fwd/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hackerwatch.org/probe?affid=105-17&langid=1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [wF7R3El] dimtcfg.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscpsv.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKLM\..\Policies\Explorer\Run: [1] C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubleshooting/usbaptest.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1166068882203
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ColdFusion 8 .NET Service - Unknown owner - C:\ColdFusion8\jnbridge\CF8DotNetsvc.exe
O23 - Service: ColdFusion 8 Application Server - Macromedia Inc. - C:\ColdFusion8\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion 8 ODBC Agent - Unknown owner - C:\ColdFusion8\db\slserver54\bin\swagent.exe
O23 - Service: ColdFusion 8 ODBC Server - Unknown owner - C:\ColdFusion8\db\slserver54\bin\swstrtr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  11. Haha, I forgot about the default cached domain credentials. I should have remembered that too, since I had to disable that on another workstation for a security reason. Yeah, I do know the local admin password, so there's no problem there. I may not be able to get to this for a couple of days, though. Other issues have called me away from that machine for the time being, so I can only manage it remotely. I keep checking on it, though, and MBAM is only reporting that one registry key when I log in to it, so it's not creating anything new. At least I know that no new infections are popping up on it. Thanks again for the response and I'll let you know what I find out about it.
  12. Also, here is the latest log for MBAM:

Malwarebytes' Anti-Malware 1.34
Database version: 1782
Windows 5.1.2600 Service Pack 2

2/20/2009 8:53:30 PM
mbam-log-2009-02-20 (20-53-30).txt

Scan type: Full Scan (C:\|)
Objects scanned: 100324
Time elapsed: 14 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  13. Thanks for the fast reply. I have a quick question about running that rootkit. This particular username that is infected is attached to a domain. In order to disconnect from everything, I will have to use a different username entirely. Is that going to matter? I only ask this since there have been no other problems of any kind attached to any other username on this computer. Will the rootkit scan work on there just as it would on the affected account?
  14. I was told to repost my question here rather than the general help forum: Hello, I recently downloaded MB to get rid of popup windows that were occurring on a client's machine. I have to say it really did a good job, since it detected what other products could NOT find. For the most part, it took care of the nasty Vundo.H trojan that it found. There is one registry key that will NOT go away, however. What I find unusual is that it is not in the same registry location that Vundo.H usually puts it. As I have browsed around different forums, I have found that most Vundo victims have two registry keys that will not go away. They are the following: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System If I had found these two keys, I would be a little less perplexed than I am now, but of course the trojan decided to throw me a curve. Instead, I have just one key that will re-appear when I log off and log back on. I don't even have to reboot to get it to show up. I have two different accounts that I have used to run the MB program in. When I run MB in one account, it comes up with nothing found. However, when I run it under another account, I get a notification that there is one key remaining. Of course I have removed it with MB as well as manually deleted it, but it just comes right back. Anyhow, the offending key is this: "HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Track System" As you can see, it's a little different than the preceding keys that other users have reported problems with. Everything except the first value is the same, though. This is also why I just have to log off and log back on for it to return, since it's based on the user that is logged in. Anyhow, any ideas why it would show in this location and not in the Local Machine key like it usually does? I'd like to get rid of this of course, but I wonder if this is another variant other than what the other people have been infected with.
As I stated before, all other tests come out clean when logged in as a different user and the machine doesn't show ANY symptoms of being infected. It's just this one key that decides to stick around after logging in again as this one user. I know this is a forum where you are supposed to post HijackThis logs, but the person who owns this computer does not wish me to use that program since the only thing left is this one registry key. (Yeah, it's weird, but that was their request.) I'm really sorry about not posting one, as I know you guys want to see those logs to try and fix these things. However, as I do not see any additional symptoms on the computer except for this one key sticking around, I can understand why they feel that way about it. If you guys think the HijackThis log is absolutely necessary to determine why this one key is coming back, I'll do what I can to convince the person to let me run that program and post it anyway.
  15. Hello, I recently downloaded MB to get rid of popup windows that were occurring on a client's machine. I have to say it really did a good job, since it detected what other products could NOT find. For the most part, it took care of the nasty Vundo.H trojan that it found. There is one registry key that will NOT go away, however. What I find unusual is that it is not in the same registry location that Vundo.H usually puts it. As I have browsed around different forums, I have found that most Vundo victims have two registry keys that will not go away. They are the following: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System If I found it in these keys, I would be a little less perplexed than I am now, but of course the trojan decided to throw me a curve. Instead, I have just one key that will re-appear when I log off and log back on. I don't even have to reboot to get it to show up. I have two different accounts that I have used to run the MB program in. When I run MB in one account, it comes up with nothing found. However, when I run it under another account, I get a notification that there is one key remaining. Of course I have removed it with MB as well as manually deleted it, but it just comes right back. Anyhow, the offending key is this: "HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Track System" As you can see, it's a little different than the preceding keys that other users have reported problems with. Everything except the first value is the same, though. This is also why I just have to log off and log back on for it to return, since it's based on the user that is logged in. Anyhow, any ideas why it would show in this location and not in the Local Machine key like it usually does? I'd like to get rid of this of course, but I wonder if this is another variant other than what the other people have been infected with.
As I stated before, all other tests come out clean when logged in as a different user and the machine doesn't show ANY symptoms of being infected. It's just this one key that decides to stick around after logging in again as this one user.