Author Topic: Win32 Virus - Boot-time Scan Failure  (Read 37494 times)


BlackRoseBaron

  • Guest
Win32 Virus - Boot-time Scan Failure
« on: August 13, 2009, 07:04:52 AM »
Greetings, I've acquired a rather nasty virus, and I humbly come to you for help.

OS : Windows Vista

Symptoms:

* Internet explorer popup advertisements (I currently use Firefox.)

* Security Center automatically disables. I have run services, and set it back to automatic, and it simply turns back to disabled immediately.

* Failure of Spybot Search & Destroy and other anti-spyware software. The program crashed, and when I try to run it again, it fails. The following message is given: "(program name) has stopped working. A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available". This occurs with Spybot S&D, Superantispyware, and Malwarebytes.

* When I run avast scan, it pops up 4-5 different warnings that a virus / trojan has infected my computer. Delete / Move to Virus Chest do nothing. Move to virus chest tells me that the file cannot be accessed due to current use.

Here is a somewhat large copy and paste of a log of these 4-5 warnings that pop up over and over again. (Deleted repetitive middle portion to save some space.)

-----------------------------------------------------------------------------------------------------------------
8/12/2009   10:20:30 PM   1250133630   SYSTEM   1840   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Windows\System32\UACrhttajeqxc.dll" file. 
8/12/2009   10:20:30 PM   1250133630   SYSTEM   1840   Sign of "Win32:Fasec [Trj]" has been found in "C:\Windows\System32\UAChhfeuusppy.dll" file. 
8/12/2009   10:20:37 PM   1250133637   SYSTEM   1840   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Windows\System32\UACrhttajeqxc.dll" file. 
8/12/2009   10:20:37 PM   1250133637   SYSTEM   1840   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Windows\System32\UACrhttajeqxc.dll" file. 
8/12/2009   10:20:37 PM   1250133637   SYSTEM   1840   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Windows\System32\UACrhttajeqxc.dll" file. 
8/12/2009   10:24:31 PM   1250133871   SYSTEM   1840   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Windows\System32\UACrhttajeqxc.dll" file. 
8/12/2009   10:25:11 PM   1250133911   SYSTEM   1840   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Windows\System32\UACrhttajeqxc.dll" file. 
8/12/2009   10:25:23 PM   1250133923   SYSTEM   1840   Sign of "Win32:Fasec [Trj]" has been found in "C:\Windows\System32\UAChhfeuusppy.dll" file. 
8/12/2009   10:25:32 PM   1250133932   SYSTEM   1840   Sign of "Win32:Fasec [Trj]" has been found in "C:\Windows\System32\UAChhfeuusppy.dll" file. 
8/12/2009   10:25:41 PM   1250133941   SYSTEM   1840   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Windows\System32\UACrhttajeqxc.dll" file. 
8/12/2009   10:25:47 PM   1250133947   SYSTEM   1840   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Windows\System32\UACrhttajeqxc.dll" file. 
8/12/2009   10:25:54 PM   1250133954   SYSTEM   1840   Sign of "Win32:Fasec [Trj]" has been found in "C:\Windows\System32\UAChhfeuusppy.dll" file. 
8/12/2009   10:26:04 PM   1250133964   SYSTEM   1840   Sign of "Win32:Fasec [Trj]" has been found in "C:\Windows\System32\UAChhfeuusppy.dll" file. 
\UACrhttajeqxc.dll" file. 
8/12/2009   10:45:04 PM   1250135104   SYSTEM   1840   Sign of "Win32:Fasec [Trj]" has been found in "C:\Windows\System32\UAChhfeuusppy.dll" file. 
8/12/2009   10:45:13 PM   1250135113   SYSTEM   1840   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Windows\System32\UACrhttajeqxc.dll" file. 
8/12/2009   11:31:43 PM   1250137903   SYSTEM   1928   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Windows\System32\UACrhttajeqxc.dll" file. 
8/12/2009   11:31:44 PM   1250137904   SYSTEM   1928   Sign of "Win32:Fasec [Trj]" has been found in "C:\Windows\System32\UAChhfeuusppy.dll" file. 
8/13/2009   12:01:13 AM   1250139673   SYSTEM   1928   Sign of "JS:Pdfka-MQ [Trj]" has been found in "C:\Users\John\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3K322BZ4\README[1].pdf" file.

------------------------------------------------------------------------------------------------------------------

* Failure of Boot-time scan. I've tried to run the boot-time scan multiple times to avoid the currently running issue. The scan freezes on the same file each time I run it. "D:\windows...TMContainer00000000000000000002.regtrans-ms"

I have tried other anti-virus software including AVG Free and OneCare, with no success. I disabled both of these before running Avast. I'm currently running the free demo version, and I plan to pay for the upgrade if it can repair my system.

Below is a copy / paste of my HijackThis logfile, if it is of any use.

-------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:50:51 PM, on 8/12/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18294)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\msa.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Windows\system32\rundll32.exe
C:\Users\John\AppData\Local\Temp\b.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Monopod] C:\Users\John\AppData\Local\Temp\b.exe
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/download/scanner/en-US/wlscctrl2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe

--
End of file - 2078 bytes

-------------------------------------------------------------------------------------------------------------------------

I will check back regularly, and if more information is required to help, I'll provide it ASAP.

I'm grateful for any help with this issue.

-BlackRoseBaron
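As an added example, not from the original post or from HijackThis itself, here is a small Python triage pass over an excerpt of the HijackThis log above. Its rules are this example's own heuristics: executables launched or autostarted from a user Temp folder, stray binaries directly in the Windows root, UAC-prefixed files in System32 (the naming the avast log shows), and protocol handlers whose file is missing.

```python
from __future__ import annotations
import re
from pathlib import PureWindowsPath

# Constructed excerpt of the HijackThis log posted above. The heuristics below are
# this example's own triage rules, not HijackThis's classification.
HJT_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\msa.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Users\John\AppData\Local\Temp\b.exe
C:\Windows\system32\ctfmon.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Monopod] C:\Users\John\AppData\Local\Temp\b.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Binaries Windows itself keeps directly in %SystemRoot% (assumption: a short
# allowlist is enough for triage; anything else there deserves a closer look).
WINROOT_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "write.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>\S+?): \[(?P<name>[^\]]*)\] (?P<path>.+)$")


def classify_path(path: str) -> list[str]:
    """Return the triage reasons that apply to an executable path ([] = nothing odd)."""
    p = PureWindowsPath(path)
    parts = [s.lower() for s in p.parts]
    reasons = []
    if "appdata" in parts and "temp" in parts:
        reasons.append("runs from a user Temp directory")
    if len(parts) == 3 and parts[1] == "windows" and p.name.lower() not in WINROOT_ALLOW:
        reasons.append("unexpected binary directly in the Windows root")
    if "system32" in parts and p.name.lower().startswith("uac"):
        reasons.append("UAC-prefixed file in System32 (the naming seen in the avast log)")
    return reasons


def triage(log: str) -> list[tuple[str, str, str]]:
    """Walk the log once and return (section, item, reason) findings."""
    findings: list[tuple[str, str, str]] = []
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:                      # a blank line ends the process list
            in_processes = False
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            for why in classify_path(line):
                findings.append(("process", line, why))
            continue
        m = O4_RE.match(line)
        if m:                             # autorun entry: [name] path
            for why in classify_path(m["path"]):
                findings.append(("autorun " + m["hive"], m["name"], why))
        elif line.startswith("O18") and line.endswith("(no file)"):
            findings.append(("protocol", line.split(" - ")[1], "handler registered but its file is missing"))
    return findings


if __name__ == "__main__":
    for section, item, why in triage(HJT_LOG):
        print(f"[{section}] {item}: {why}")
```

On the excerpt this flags msa.exe, b.exe (both as a running process and as the "Monopod" HKCU Run entry) and the orphaned linkscanner handler, while the avast binaries pass untouched.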

 

YoKenny

  • Guest
Re: Win32 Virus - Boot-time Scan Failure
« Reply #1 on: August 13, 2009, 11:09:56 AM »
You need to start Internet Explorer then go to Tools then Windows Update and download all of the available updates.

Also you should enable Automatic Updates or at least be notified that Updates are available.

Go to Control Panel then Automatic Updates then select Automatic (recommended) or at least Notify me but don't automatically download or install them.

Download Malwarebytes' Anti-Malware (MBAM) then install it then update it and run a Quick scan:
http://www.malwarebytes.org/mbam.php

Post its log here.

Even though you use Firefox Windows still uses IE8 for Windows and it should be updated:
http://www.microsoft.com/windows/internet-explorer/default.aspx

Go to Secunia Online Software Inspector then run it to see what other applications are vulnerable:
http://secunia.com/vulnerability_scanning/online
« Last Edit: August 13, 2009, 11:13:59 AM by YoKenny »

BlackRoseBaron

  • Guest
Re: Win32 Virus - Boot-time Scan Failure
« Reply #2 on: August 13, 2009, 08:33:12 PM »
Quote
You need to start Internet Explorer then go to Tools then Windows Update and download all of the available updates.

Also you should enable Automatic Updates or at least be notified that Updates are available.

Go to Control Panel then Automatic Updates then select Automatic (recommended) or at least Notify me but don't automatically download or install them.

Download Malwarebytes' Anti-Malware (MBAM) then install it then update it and run a Quick scan:
http://www.malwarebytes.org/mbam.php

Post its log here.

Even though you use Firefox Windows still uses IE8 for Windows and it should be updated:
http://www.microsoft.com/windows/internet-explorer/default.aspx

Go to Secunia Online Software Inspector then run it to see what other applications are vulnerable:
http://secunia.com/vulnerability_scanning/online


Internet Explorer 8.0 has now been installed, and all available windows updates are installed.

I'm unable to complete the MalwareBytes step; the program encounters a problem and is forced to close the second I try to install.

The Secunia Online Software Inspector couldn't complete its scan.

Here is a screenshot of the result: I let it run for over 30 minutes on that same file after this was taken.



I apparently have something nasty in my D recovery drive, something that causes scans to come to a screeching halt.

Something else noteworthy: After the updates were installed and the computer was rebooted, I got a message telling me that something called "b.exe" failed to run and is being shut down.

Another note: I had AVCare on this machine before this latest problem started, I closed processes, uninstalled, deleted its files in registry, and deleted its program files directory. This had cleared up all issues until recently.

Your help is much appreciated,
-BlackRoseBaron

Offline mathboyx215

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 449
Re: Win32 Virus - Boot-time Scan Failure
« Reply #3 on: August 13, 2009, 08:41:38 PM »
Can you boot into safe mode with networking and try installing malwarebytes again. After you have it installed, update it and run a full scan. Then post back a log.

If you don't know how to boot into safe mode with networking, here is a tutorial:
http://www.vista4beginners.com/Boot-in-safe-mode
It is not possible to divide anything by zero

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37700
Re: Win32 Virus - Boot-time Scan Failure
« Reply #4 on: August 13, 2009, 08:47:32 PM »

BlackRoseBaron

  • Guest
Re: Win32 Virus - Boot-time Scan Failure
« Reply #5 on: August 13, 2009, 09:04:11 PM »
Quote
Can you boot into safe mode with networking and try installing malwarebytes again. After you have it installed, update it and run a full scan. Then post back a log.

If you don't know how to boot into safe mode with networking, here is a tutorial:
http://www.vista4beginners.com/Boot-in-safe-mode

I've now uninstalled and reinstalled malwarebytes in safe mode with networking. The program installed, but will not run. When I try to run it under normal boot, I get a message telling me that the program is closing. In safe mode, when I try to run, it just does absolutely nothing.

-BlackRoseBaron

Offline mathboyx215

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 449
Re: Win32 Virus - Boot-time Scan Failure
« Reply #6 on: August 13, 2009, 09:13:01 PM »
Try renaming it to something like fun.exe or bad.exe and try again in safe mode.
It is not possible to divide anything by zero

BlackRoseBaron

  • Guest
Re: Win32 Virus - Boot-time Scan Failure
« Reply #7 on: August 13, 2009, 09:59:57 PM »
Quote
you could try

Norman Malware Cleaner http://www.norman.com/support/support_tools/58732/en

Dr.Web CureIt  http://www.freedrweb.com/

I tried Norman Malware, it doesn't appear to have fixed my problem, but I gained information. I'll likely try Dr. Web later if I am still infected.

FakeAlert.AANY  (marked for deferred cleaning)
W32/FakeAlert.AANZ  (marked for deferred cleaning)
W32/DNSChanger.FDCM (marked for deferred cleaning)
W32/DLoader.TGAO    (4 deleted)
W32/FakeAlert.ZQI   (1 deleted)
HTML/Iframe.J       (many deleted)

The items marked for deferred cleaning don't appear to have been fixed.

Edit: The items marked for deferred cleaning were on the same files that Avast picked up over and over again but could not fix.

Quote
Try renaming it to something like fun.exe or bad.exe and try again in safe mode.

I tried renaming, and it worked. I'm currently running malwarebytes scan and will post back with results later.

-BlackRoseBaron
« Last Edit: August 13, 2009, 10:01:32 PM by BlackRoseBaron »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37700
Re: Win32 Virus - Boot-time Scan Failure
« Reply #8 on: August 13, 2009, 10:13:05 PM »
you may need to run Norman more than once and restart between

BlackRoseBaron

  • Guest
Re: Win32 Virus - Boot-time Scan Failure
« Reply #9 on: August 13, 2009, 11:03:33 PM »
Unfortunately, Malwarebytes scan was not successful. The program froze while scanning the D Recovery drive in the same fashion as the other scans.

Here is a screenshot of the result (frozen screen):



I'm now going to try rescanning with Norman a couple times, as per suggestion.

Thank you for the continued support,
-BlackRoseBaron

Edit: I'm also going to try running Spybot S&D and Superantispyware after renaming.

Edit: Another symptom I have noticed, fake / redirected google search bar on firefox start page, redirected google / yahoo image search. It redirects to a blank page, what I assume was supposed to be advertisements.
« Last Edit: August 13, 2009, 11:09:49 PM by BlackRoseBaron »

Offline mathboyx215

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 449
Re: Win32 Virus - Boot-time Scan Failure
« Reply #10 on: August 13, 2009, 11:47:44 PM »
Quote
Edit: Another symptom I have noticed, fake / redirected google search bar on firefox start page, redirected google / yahoo image search. It redirects to a blank page, what I assume was supposed to be advertisements.
The redirection is caused by the DNS changer trojan. Usually malwarebytes can get rid of it.

Edit: You could run a quick scan as pondus suggested if the full scan doesn't work.
« Last Edit: August 13, 2009, 11:59:32 PM by mathboyx215 »
It is not possible to divide anything by zero

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37700
Re: Win32 Virus - Boot-time Scan Failure
« Reply #11 on: August 13, 2009, 11:53:39 PM »
I see Malwarebytes did 26 minutes in full scan before it froze... what if you try quick scan, will it finish the scan?

BlackRoseBaron

  • Guest
Re: Win32 Virus - Boot-time Scan Failure
« Reply #12 on: August 14, 2009, 12:19:15 AM »
Following is copy / paste of MBytes quick scan, which completed successfully.

---------------------------------------------------------

Malwarebytes' Anti-Malware 1.40
Database version: 2616
Windows 6.0.6002 Service Pack 2 (Safe Mode)

8/13/2009 5:16:24 PM
mbam-log-2009-08-13 (17-16-24).txt

Scan type: Quick Scan
Objects scanned: 76498
Time elapsed: 2 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 30
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\System32\UAChhfeuusppy.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{40196867-19f8-7157-c097-ecaff653c9ad} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e24211b3-a78a-c6a9-d317-70979ace5058} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3ba4271e-5c1e-48e2-b432-d8bf420dd31d} (Rogue.DeusCleaner) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\monopod (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\System32\UAChhfeuusppy.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\b.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\$Recycle.Bin\S-1-5-21-3708478136-1392408501-2315465819-1000\$RD040QY\Uninstall.exe (Rogue.AVCare) -> Quarantined and deleted successfully.
C:\$Recycle.Bin\S-1-5-21-3708478136-1392408501-2315465819-1000\$RK0FBTH\AVCare.exe (Rogue.AVCare) -> Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\d.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\e.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\g.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Users\John\AppData\Local\Temp\h.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\Windows\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

-------------------------------------------------------------

I'll now test for symptoms, and see if full scans on Malwarebytes and other software will run.

-BlackRoseBaron

Offline mathboyx215

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 449
Re: Win32 Virus - Boot-time Scan Failure
« Reply #13 on: August 14, 2009, 12:22:50 AM »
Just one question before you start scanning again. Have you restarted your computer yet?

Edit: Please proceed to page 2 as I have posted instructions on how to remove these
« Last Edit: August 14, 2009, 01:09:07 AM by mathboyx215 »
It is not possible to divide anything by zero

BlackRoseBaron

  • Guest
Re: Win32 Virus - Boot-time Scan Failure
« Reply #14 on: August 14, 2009, 12:28:50 AM »
Quote
Just one question before you start scanning again. Have you restarted your computer yet?

Yes, I've been restarting the computer between each scan.

Malwarebytes said that there was one infection which would require a reboot. I rebooted the computer, and symptoms persist. I'm now running another quickscan to see what remained.

Copy / Paste of this scan follows:

Malwarebytes' Anti-Malware 1.40
Database version: 2616
Windows 6.0.6002 Service Pack 2 (Safe Mode)

8/13/2009 5:27:11 PM
mbam-log-2009-08-13 (17-27-11).txt

Scan type: Quick Scan
Objects scanned: 76095
Time elapsed: 3 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

-------

I'll now reboot again.

-BlackRoseBaron

Edit: C:\Windows\system32\uacinit.dll  -- Whatever this is, it persists through the quick-scan, repair, reboot, re-quick-scan process and restores the following:

HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace)

It's the same deal with Norman's unfortunately, it picks up the same infections after scan, repair, reboot, rescan.

Currently trying Spybot, Superantispyware with new names.
« Last Edit: August 14, 2009, 12:48:40 AM by BlackRoseBaron »
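The two quick-scan logs above show the pattern the poster noticed: the entries tagged "Delete on reboot" and the HKLM\SOFTWARE\UAC key are back on the next scan, which means something still running restored them. As an added example, not from the thread or from Malwarebytes, this Python script parses that log format over constructed excerpts of both scans, checks each summary count against the entries actually listed, pulls out the entries left for reboot, and diffs the two scans to list what returned.

```python
from __future__ import annotations
import re

# Constructed excerpts of the two Malwarebytes quick-scan logs posted above, with the
# headers and most of the entries trimmed; the line format is the one those logs use.
SCAN_1 = r"""Scan type: Quick Scan
Memory Modules Infected: 1
Registry Keys Infected: 2
Files Infected: 3

Memory Modules Infected:
\\?\globalroot\systemroot\System32\UAChhfeuusppy.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\John\AppData\Local\Temp\b.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\Windows\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

SCAN_2 = r"""Scan type: Quick Scan
Memory Modules Infected: 0
Registry Keys Infected: 1
Files Infected: 1

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
"""

# One entry line: <item> (<category>) -> <action>.
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<category>[^()]+)\) -> (?P<action>.+?)\.?$")
# One summary line: <section> Infected: <count>
COUNT_RE = re.compile(r"^(?P<section>.+ Infected): (?P<n>\d+)$")


def parse_mbam(log: str) -> dict[str, list[dict[str, str]]]:
    """Map each 'X Infected:' section to its entries as {item, category, action}."""
    sections: dict[str, list[dict[str, str]]] = {}
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:                       # a blank line closes the section
            current = None
        elif line.endswith(" Infected:"):
            current = line[:-1]
            sections.setdefault(current, [])
        elif current is not None and (m := ITEM_RE.match(line)):
            sections[current].append(m.groupdict())
    return sections


def reconcile_counts(log: str) -> dict[str, tuple[int, int]]:
    """(declared, listed) per section; a mismatch means the log was truncated or edited."""
    declared = {}
    for raw in log.splitlines():
        if m := COUNT_RE.match(raw.strip()):
            declared[m["section"]] = int(m["n"])
    listed = {sec: len(items) for sec, items in parse_mbam(log).items()}
    return {sec: (declared.get(sec, 0), listed.get(sec, 0)) for sec in declared.keys() | listed.keys()}


def pending_reboot(log: str) -> list[str]:
    """Entries the scanner could not remove while Windows was running."""
    return [e["item"] for items in parse_mbam(log).values()
            for e in items if e["action"] == "Delete on reboot"]


def returned_after_reboot(before: str, after: str) -> list[str]:
    """Entries a later scan detects again: the removal did not stick, so something restored them."""
    seen = {e["item"] for items in parse_mbam(before).values() for e in items}
    return [e["item"] for items in parse_mbam(after).values() for e in items if e["item"] in seen]
```

Run against the full logs in the thread, returned_after_reboot gives exactly the uacinit.dll file and the HKLM\SOFTWARE\UAC key, which is the right short list to hand to a rootkit-capable tool rather than re-running the same scan.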