Is it YourProtector or Your Protection?
I helped someone nail the rootkit and then got them to clean up with mbam. Apparently it stops the user having an internet they can use and installing new software.
Edit: I can see from the attachment it is Your Protection :)
I got them to send me the log:
Malwarebytes' Anti-Malware 1.45
http://www.malwarebytes.org
Database version: 3960
Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18904
06/04/2010 18:04:53
mbam-log-2010-04-06 (18-04-53).txt
Scan type: Quick scan
Objects scanned: 129614
Time elapsed: 7 minute(s), 29 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 5
Registry Data Items Infected: 3
Folders Infected: 3
Files Infected: 20
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Your Protection (Rogue.YourProtection) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportMgmtService.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportService.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\_VOID (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe_reader (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Administrator\AppData\Local\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
C:\cleansweep.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\_VOIDdvpfdtqcsw (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection (Rogue.YourProtection) -> Quarantined and deleted successfully.
Files Infected:
C:\cleansweep.exe\config.bin (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection\about.ico (Rogue.YourProtection) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection\activate.ico (Rogue.YourProtection) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection\buy.ico (Rogue.YourProtection) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection\help.ico (Rogue.YourProtection) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection\scan.ico (Rogue.YourProtection) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection\settings.ico (Rogue.YourProtection) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection\splash.mp3 (Rogue.YourProtection) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection\update.ico (Rogue.YourProtection) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection\urp.db (Rogue.YourProtection) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection\virus.mp3 (Rogue.YourProtection) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\js.mui (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\System32\_VOIDqvwebeevmp.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Windows\System32\_VOIDuuforstvir.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Windows\System32\_VOIDeaqcxspnmy.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Users\Administrator\AppData\Local\Temp\_VOIDbfc9.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Users\Administrator\AppData\Local\Temp\wmpscfgs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\wmpscfgs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Administrator\AppData\Local\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Adobe\acrotray .exe (Trojan.Agent) -> Quarantined and deleted successfully.