
Solved Firefox Errors [Firefox.exe always running]

Discussion in 'Malware and Virus Removal Archive' started by barqshasbite, 2009/03/28.

  1. 2009/03/28
    barqshasbite

    barqshasbite Inactive Thread Starter

    Joined:
    2009/03/26
    Messages:
    16
    Likes Received:
    0
    [Resolved] Firefox Errors [Firefox.exe always running]

    Hi, I have just finished cleaning up my computer from a virus which took over the task manager, registry editor, my administrator privileges, etc. However, now I always seem to have a firefox.exe process running in the task manager. When I kill the process, it starts up again in a matter of seconds. It uses around 4040 K. It's not a memory hog; however, it affects my ability to run CCleaner and clean Firefox.

    When I go to uninstall firefox, or install a newer version, the entire computer freezes. This does not happen with any other installation or uninstallation, as far as I am aware. What might be happening to my computer?
     
  2. 2009/03/28
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389


  4. 2009/03/28
    barqshasbite

    barqshasbite Inactive Thread Starter

    Joined:
    2009/03/26
    Messages:
    16
    Likes Received:
    0
    Thank you for the reply.

    I have viewed that page; however, the registry did not have any keys which pertained to this. Also, my anti-virus scanner (BitDefender) does not return any results, and neither does SUPERAntiSpyware, nor does Malwarebytes.

    What should I do?

    DDS:


    DDS (Ver_09-03-16.01) - NTFSx86
    Run by **** ***** at 17:36:00.21 on Sat 03/28/2009
    Internet Explorer: 7.0.5730.13
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.410 [GMT -4:00]

    AV: BitDefender Antivirus *On-access scanning enabled* (Updated)
    FW: BitDefender Firewall *enabled*

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\Razer\Diamondback 3G\razerhid.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
    C:\Program Files\Razer\Diamondback 3G\razertra.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\Razer\Diamondback 3G\razerofa.exe
    C:\Documents and Settings\**** *****\Desktop\dds.scr
    C:\Program Files\Winamp\winamp.exe

    ============== Pseudo HJT Report ===============

    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Settings,ProxyServer = localhost:8080
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2009\IEToolbar.dll
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe "
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [Diamondback] c:\program files\razer\diamondback 3g\razerhid.exe
    mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2009\bdagent.exe "
    mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2009\IEShow.exe "
    dRunOnce: [RunNarrator] Narrator.exe
    uPolicies-explorer: NoActiveDesktop = 00000000
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
    IE: Send by Bluetooth - c:\program files\ivt corporation\bluesoleil\transsend\ie\tsinfo.htm
    IE: Send via &Message... - c:\program files\ivt corporation\bluesoleil\transsend\ie\tssms.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC}
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
    DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
    DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1213931208437
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
    DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\windows\system32\skype4com.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
    LSA: Authentication Packages = msv1_0 c:\windows\system32\hgGvUNEx

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\franco~1\applic~1\mozilla\firefox\profiles\k034g4sf.default\
    FF - component: c:\program files\mozilla firefox\components\FFComm.dll
    FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
    FF - plugin: c:\documents and settings\**** *****\local settings\application data\google\update\1.2.131.11\npGoogleOneClick5.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npijjiFFPlugin1.dll
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

    ============= SERVICES / DRIVERS ===============

    R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2008-1-21 20744]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-9-3 8944]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 55024]
    R2 BDVEDISK;BDVEDISK;c:\program files\bitdefender\bitdefender 2009\BDVEDISK.sys [2008-7-2 82696]
    R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-8-12 111112]
    R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2008-8-14 104328]
    R3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [2008-12-7 30088]
    R3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2008-1-21 26248]
    R3 Razerlow;Diamondback 3G USB Filter Driver;c:\windows\system32\drivers\DB3G.sys [2008-6-19 13225]
    R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2009-3-1 560896]
    S0 trts;trts;c:\windows\system32\drivers\qghucchb.sys --> c:\windows\system32\drivers\qghucchb.sys [?]
    S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2008-6-19 26144]
    S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\Arrakis3.exe [2008-7-17 118784]
    S3 BsMobileCS;BsMobileCS;c:\program files\ivt corporation\bluesoleil\BsMobileCS.exe [2009-2-27 143467]
    S3 BTIAUSB;Generic Bluetooth Device;c:\windows\system32\drivers\btiausb.sys [2008-7-30 23808]
    S3 BTPROT;Generic Bluetooth Filter;c:\windows\system32\drivers\btprot.sys [2008-8-2 453120]
    S3 DfSdkS;Defragmentation-Service;c:\program files\ashampoo\ashampoo winoptimizer 6\DfSdkS.exe [2009-3-26 410976]
    S3 FXDRV;FXDRV;\??\d:\fxdrv.sys --> d:\Fxdrv.sys [?]
    S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-8-29 13352]
    S3 s125bus;Sony Ericsson Device 125 driver (WDM);c:\windows\system32\drivers\s125bus.sys [2008-8-29 83336]
    S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;c:\windows\system32\drivers\s125mdfl.sys [2008-8-29 15112]
    S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;c:\windows\system32\drivers\s125mdm.sys [2008-8-29 108680]
    S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s125mgmt.sys [2008-8-29 100488]
    S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;c:\windows\system32\drivers\s125obex.sys [2008-8-29 98696]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]
    S3 Simply Accounting Database Connection Manager;Simply Accounting Database Connection Manager;c:\program files\winsim\connectionmanager\simplyconnectionmanager.exe --> c:\program files\winsim\connectionmanager\SimplyConnectionManager.exe [?]
    S3 XDva189;XDva189;\??\c:\windows\system32\xdva189.sys --> c:\windows\system32\XDva189.sys [?]

    =============== Created Last 30 ================

    2009-03-26 21:17 <DIR> --d----- c:\program files\Windows Live SkyDrive
    2009-03-26 21:15 <DIR> --d----- c:\program files\Windows Installer Clean Up
    2009-03-26 20:18 <DIR> --d----- c:\program files\Trend Micro
    2009-03-26 19:48 81,920 a------- c:\windows\system32\ieencode.dll
    2009-03-26 18:42 39,776 a------- c:\windows\system32\DfSdkBt64.exe
    2009-03-26 18:42 33,632 a------- c:\windows\system32\DfSdkBt.exe
    2009-03-26 17:58 <DIR> --dsh--- c:\documents and settings\**** *****\IETldCache
    2009-03-26 17:20 <DIR> --d----- c:\program files\Ashampoo
    2009-03-26 16:43 <DIR> --d----- c:\docume~1\franco~1\applic~1\TeamViewer
    2009-03-26 16:43 <DIR> --d----- c:\program files\TeamViewer
    2009-03-26 16:42 <DIR> --d----- c:\documents and settings\**** *****\temp
    2009-03-26 16:37 1,646 a------- c:\windows\system32\spupdsvc.inf
    2009-03-26 16:33 <DIR> --d----- c:\program files\ProgDVB
    2009-03-22 23:44 <DIR> --dsh--- C:\Diskeeper
    2009-03-22 23:16 <DIR> --d----- c:\program files\common files\Diskeeper Corporation
    2009-03-22 23:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Diskeeper Corporation
    2009-03-22 23:15 <DIR> --d----- c:\program files\Diskeeper Corporation
    2009-03-22 23:01 5,982 a------- c:\windows\system32\LOCALSERVICE.INI
    2009-03-22 23:01 103 a------- c:\windows\system32\LOCALDEVICE.INI
    2009-03-22 22:44 <DIR> --d----- c:\program files\IVT Corporation
    2009-03-22 21:53 102,439 a------- c:\windows\system32\sipr3260.dll
    2009-03-22 21:45 86,658 a------- c:\windows\system32\blka
    2009-03-22 21:44 24,064 a------- c:\windows\system32\blka.exe
    2009-03-22 21:07 850 a------- c:\windows\system32\ProductTweaks.xml
    2009-03-22 21:07 385 a------- c:\windows\system32\user_gensett.xml
    2009-03-22 20:50 8 a------- c:\windows\SAGE.INI
    2009-03-22 20:46 <DIR> --d----- c:\windows\system32\logs
    2009-03-22 20:46 <DIR> --d----- c:\docume~1\franco~1\applic~1\BitDefender
    2009-03-22 20:45 <DIR> --d----- c:\program files\BitDefender
    2009-03-22 20:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\BitDefender
    2009-03-22 20:43 <DIR> --d----- c:\program files\common files\BitDefender
    2009-03-21 15:01 8,628 a---h--- c:\windows\Lord Diablo.GID
    2009-03-21 14:14 <DIR> --d----- c:\docume~1\franco~1\applic~1\Malwarebytes
    2009-03-21 14:14 15,504 a------- c:\windows\system32\drivers\mbam.sys
    2009-03-21 14:14 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-03-21 14:14 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2009-03-21 14:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-03-21 14:11 35,840 a------- c:\windows\system32\gldx.exe
    2009-03-21 00:02 1,152 a------- c:\windows\system32\windrv.sys
    2009-03-21 00:00 <DIR> --d----- c:\docume~1\franco~1\applic~1\GetRightToGo
    2009-03-20 22:28 12,872 a------- c:\windows\system32\dLer.exe
    2009-03-20 19:28 1 a------- c:\windows\system32\uniq.tll
    2009-03-20 19:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
    2009-03-17 12:37 <DIR> --d----- c:\windows\system32\VIRepair
    2009-03-15 19:29 446,464 a------- c:\windows\system32\wmvdmoe.dll
    2009-03-15 19:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PY_Software
    2009-03-15 19:29 <DIR> --d----- c:\program files\Active WebCam
    2009-03-09 22:47 <DIR> --d-h--- c:\windows\PIF
    2009-03-05 23:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Downloaded Installations
    2009-03-05 22:42 5 a------- c:\windows\VS98ENT.MIF
    2009-03-01 18:01 560,896 a----r-- c:\windows\system32\drivers\rt2870.sys
    2009-02-27 17:04 1,032 a------- c:\windows\system32\bscs.ini
    2009-02-27 16:45 9,728 a------- c:\windows\system32\BsMonUI.dll
    2009-02-27 16:45 18,432 a------- c:\windows\system32\BsMonSvr.dll
    2009-02-27 16:45 405,589 a------- c:\windows\system32\BsUI.dll
    2009-02-27 16:45 57,430 a------- c:\windows\system32\btfunc.dll
    2009-02-27 16:44 278,647 a------- c:\windows\system32\outlookAddin.dll
    2009-02-27 16:44 53,248 a------- c:\windows\system32\HtmPrintHelper.dll
    2009-02-27 16:44 114,774 a------- c:\windows\system32\versit.dll
    2009-02-27 16:44 622,693 a------- c:\windows\system32\BSShell.dll
    2009-02-27 16:43 557,142 a------- c:\windows\system32\Bscdlg.dll
    2009-02-27 16:43 114,788 a------- c:\windows\system32\BsProfileFunc.dll
    2009-02-27 16:43 151,642 a------- c:\windows\system32\BsCommon.dll
    2009-02-27 16:43 94,314 a------- c:\windows\system32\BsHelpCSps.dll
    2009-02-27 16:43 553,075 a------- c:\windows\system32\BlueSoleilCSps.dll
    2009-02-27 16:41 28,766 a------- c:\windows\system32\PlayerCtrl.dll
    2009-02-27 16:41 98,403 a------- c:\windows\system32\Bs2Res.dll
    2009-02-27 16:41 241,748 a------- c:\windows\system32\BsSDK.dll
    2009-02-27 16:41 122,976 a------- c:\windows\system32\BsMobileSDK.dll
    2009-02-27 16:40 28,672 a------- c:\windows\system32\BsMobileCSps.dll
    2009-02-27 16:40 28,760 a------- c:\windows\system32\BsTrace.dll

    ==================== Find3M ====================

    2009-03-26 19:49 81,984 a------- c:\windows\system32\bdod.bin
    2009-03-22 21:40 192,512 a------- c:\windows\system32\txmlutil.dll
    2009-03-22 21:40 242,184 a------- c:\windows\system32\drivers\bdfsfltr.sys
    2009-03-22 21:40 104,328 a------- c:\windows\system32\drivers\bdfndisf.sys
    2009-03-22 21:40 111,112 a------- c:\windows\system32\drivers\bdfm.sys
    2009-03-22 21:40 82,696 a------- c:\windows\system32\drivers\BDVEDISK.sys
    2009-03-20 19:35 14,336 a------- c:\windows\system32\svchost.exe
    2009-03-09 22:47 2,855 a------- c:\windows\pif\QBASIC.PIF
    2009-02-13 23:22 21,840 a------t c:\windows\system32\SIntfNT.dll
    2009-02-13 23:22 17,212 a------t c:\windows\system32\SIntf32.dll
    2009-02-13 23:22 12,067 a------t c:\windows\system32\SIntf16.dll
    2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
    2009-02-06 18:52 49,504 a------- c:\windows\system32\sirenacm.dll
    2009-01-21 19:27 1,032,582 a------- c:\windows\system32\alleg42.dll
    2009-01-07 18:21 26,144 a------- c:\windows\system32\spupdsvc.exe
    2009-01-07 18:20 24,576 a------- c:\windows\system32\nlsdl.dll
    2009-01-07 18:20 26,112 a------- c:\windows\system32\idndl.dll
    2009-01-07 18:20 23,552 a------- c:\windows\system32\normaliz.dll
    2009-01-07 18:20 265,720 a------- c:\windows\system32\msdbg2.dll
    2009-01-05 18:33 3,751,995 a------- c:\windows\system32\GPhotos.scr
    2009-01-03 16:40 15,368 a------- c:\windows\system32\btinstall.dll
    2008-08-25 01:49 78,000 a------- c:\docume~1\franco~1\applic~1\inst.exe
    2008-08-09 22:29 22,328 a------- c:\docume~1\franco~1\applic~1\PnkBstrK.sys
    2008-07-08 15:16 47,360 a------- c:\docume~1\franco~1\applic~1\pcouffin.sys
    2002-04-16 11:27 5 a--sh--- c:\windows\system32\CdI5T.drv
    2008-08-04 02:59 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080420080805\index.dat

    ============= FINISH: 17:37:27.98 ===============
     
    Last edited: 2009/03/28
  5. 2009/03/28
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Thanks :)

    One of our trained malware analysts will take a look at your logs ASAP, but it may be a day or so before you get a response as they are always very busy. All logs are dealt with in the order received.

    Thank you for your patience.
     
  6. 2009/03/28
    barqshasbite

    barqshasbite Inactive Thread Starter

    Joined:
    2009/03/26
    Messages:
    16
    Likes Received:
    0
    Thank you PeteC,

    it is much appreciated :)

    - François
     
  7. 2009/03/30
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

    Link 1
    Link 2
    Link 3

    --------------------------------------------------------------------
    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    (Click on this link to see a list of programs that should be disabled.)
    http://www.bleepingcomputer.com/forums/topic114351.html


    Double click on Combo-Fix.exe & follow the prompts.

    Please allow ComboFix to install, if needed, Windows Recovery Console. It is a simple procedure that will only take a few moments of your time.

    No Validation is Required.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.



    ** Please Note:
    At times ComboFix may appear to stall, please be patient.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

    Please only run the tool once, ty.

    Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
    Don't select to run the Recovery Console as we don't need it.
    By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

    You may need several replies to post the requested logs, otherwise they might get cut off.
     
  8. 2009/03/30
    barqshasbite

    barqshasbite Inactive Thread Starter

    Joined:
    2009/03/26
    Messages:
    16
    Likes Received:
    0
    But also, lately I've been having trouble with uTorrent as well: it does not seem to be downloading anything, when it has worked fine in the past...

    ComboFix 09-03-30.02 - Francois Forrest 2089-03-30 23:56:02.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.623 [GMT -4:00]
    Running from: c:\documents and settings\Francois Forrest\Desktop\ComboFix.exe
    AV: BitDefender Antivirus *On-access scanning disabled* (Outdated)
    FW: BitDefender Firewall *disabled*
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    c:\documents and settings\Francois Forrest\Application Data\inst.exe
    c:\windows\system32\install.exe
    c:\windows\system32\skinboxer43.dll
    c:\windows\system32\uniq.tll

    .
    ((((((((((((((((((((((((( Files Created from 2089-02-28 to 2089-03-31 )))))))))))))))))))))))))))))))
    .

    2089-03-30 22:59 . 2089-03-30 22:59 0 --a------ c:\windows\system32\BSPRINT.INI

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2089-03-31 03:17 81,984 ----a-w c:\windows\system32\bdod.bin
    2008-08-10 02:29 22,328 ----a-w c:\documents and settings\Francois Forrest\Application Data\PnkBstrK.sys
    2008-07-08 19:16 47,360 ----a-w c:\documents and settings\Francois Forrest\Application Data\pcouffin.sys
    2009-03-23 01:38 61,440 ----a-w c:\program files\mozilla firefox\components\FFComm.dll
    .

    ------- Sigcheck -------

    2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
    2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
    2007-10-30 13:20 360064 90caff4b094573449a0872a0f919b178 c:\windows\$NtServicePackUninstall$\tcpip.sys
    2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\ServicePackFiles\i386\TCPIP.SYS
    2006-02-28 08:00 359040 9f4b36614a0fc234525ba224957de55c c:\windows\SoftwareDistribution\Download\3c0bacd63e67d049a438275fd7b87f25\backup\tcpip.sys
    2008-04-13 15:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\SoftwareDistribution\Download\64ed0a1c038340f7dcd71548187888e1\tcpip.sys
    2008-08-02 05:19 361600 cbeebeb899e31ef52b962cb31fc8ca5c c:\windows\system32\dllcache\TCPIP.SYS
    2008-08-02 05:19 361600 cbeebeb899e31ef52b962cb31fc8ca5c c:\windows\system32\drivers\TCPIP.SYS

    2008-04-14 05:42 1423872 dc7c3534cf32c669705016aae6d8a334 c:\windows\explorer.exe
    2007-06-13 07:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
    2007-06-13 06:23 1033216 97bd6515465659ff8f3b7be375b2ea87 c:\windows\$NtServicePackUninstall$\explorer.exe
    2008-04-14 05:42 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\ServicePackFiles\i386\explorer.exe
    2006-02-28 08:00 1032192 a0732187050030ae399b241436565e64 c:\windows\SoftwareDistribution\Download\3c0bacd63e67d049a438275fd7b87f25\backup\explorer.exe
    2008-04-13 20:12 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\SoftwareDistribution\Download\64ed0a1c038340f7dcd71548187888e1\explorer.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "itype "= "c:\program files\Microsoft IntelliType Pro\itype.exe" [2005-12-04 437008]
    "StartCCC "= "c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
    "Diamondback "= "c:\program files\Razer\Diamondback 3G\razerhid.exe" [2007-08-01 147456]
    "BDAgent "= "c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-03-22 741376]
    "BitDefender Antiphishing Helper "= "c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2009-03-22 69632]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator "= "Narrator.exe" [2008-04-14 c:\windows\system32\narrator.exe]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack "= 0 (0x0)
    "NoFileAssociate "= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-03-05 23:18 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.XFR1 "= xfcodec.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ \0

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Thoosje Vista Sidebar.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Thoosje Vista Sidebar.lnk
    backup=c:\windows\pss\Thoosje Vista Sidebar.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinFlip.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinFlip.lnk
    backup=c:\windows\pss\WinFlip.lnkCommon Startup
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDAgent
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\framework windows

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    c:\windows\system32\dumprep 0 -k [X]
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSRaid
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windows resurections

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BtTray]
    --a------ 2009-02-27 17:04 278016 c:\program files\IVT Corporation\BlueSoleil\BtTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2008-04-14 05:42 15360 c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashMute]
    --a------ 2006-03-11 15:49 221184 c:\program files\FlashMute\flashmute.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    --a----t- 2008-09-03 18:39 133104 c:\documents and settings\Francois Forrest\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    --a--c--- 2007-08-24 07:00 33648 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
    --a------ 2005-12-04 20:39 461584 c:\program files\Microsoft IntelliPoint\ipoint.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
    --a--c--- 2005-06-08 14:44 196608 c:\program files\Logitech\Video\ManifestEngine.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
    --a--c--- 2005-06-08 15:24 458752 c:\program files\Logitech\Video\ISStart.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
    --a------ 2005-06-08 15:14 217088 c:\program files\Logitech\Video\LogiTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
    --a------ 2005-07-19 17:32 221184 c:\windows\system32\LVCOMSX.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    --a------ 2009-02-06 18:51 3885408 c:\program files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhilipsDM]
    --a------ 2006-07-13 18:47 651264 c:\program files\Philips\Philips Device Manager\bin\DeviceManager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhilipsLime]
    --a--c--- 2006-06-09 17:30 159744 c:\program files\Philips\Philips Lime Service\bin\LimeAlive.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-05-27 10:50 413696 c:\program files\QuickTime Alternative\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
    -ra------ 2007-06-13 08:16 528384 c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
    --a------ 2004-09-23 12:41 860160 c:\program files\Analog Devices\SoundMAX\SMax4.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    --a--c--- 2004-10-14 09:11 1388544 c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    -rahs---- 2009-01-26 16:31 2144088 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a--c--- 2008-03-25 04:28 144784 c:\program files\Java\jre1.6.0_06\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    --a------ 2009-03-05 23:17 1830128 c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    --a------ 2009-03-09 11:49 37888 c:\program files\Winamp\winampa.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)
     
  9. 2009/03/30
    barqshasbite

    barqshasbite Inactive Thread Starter

    Joined:
    2009/03/26
    Messages:
    16
    Likes Received:
    0
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\America's Army\\System\\ArmyOps.exe"=
    "c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
    "c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "c:\\Program Files\\xchat\\xchat.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleilCS.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

    R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2008-01-21 20744]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-09-03 8944]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-09-03 55024]
    R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [2008-07-02 82696]
    R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-08-12 111112]
    R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2008-08-14 104328]
    R3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [2008-12-07 30088]
    R3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2008-01-21 26248]
    R3 Razerlow;Diamondback 3G USB Filter Driver;c:\windows\system32\drivers\DB3G.sys [2008-06-19 13225]
    R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2009-03-01 560896]
    S0 trts;trts;c:\windows\system32\drivers\qghucchb.sys --> c:\windows\system32\drivers\qghucchb.sys [?]
    S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [2008-07-17 118784]
    S3 BsMobileCS;BsMobileCS;c:\program files\IVT Corporation\BlueSoleil\BsMobileCS.exe [2009-02-27 143467]
    S3 BTIAUSB;Generic Bluetooth Device;c:\windows\system32\drivers\btiausb.sys [2008-07-30 23808]
    S3 BTPROT;Generic Bluetooth Filter;c:\windows\system32\drivers\btprot.sys [2008-08-02 453120]
    S3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 6\DfSdkS.exe [2009-03-26 410976]
    S3 FXDRV;FXDRV;\??\d:\fxdrv.sys --> d:\Fxdrv.sys [?]
    S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-08-29 13352]
    S3 s125bus;Sony Ericsson Device 125 driver (WDM);c:\windows\system32\drivers\s125bus.sys [2008-08-29 83336]
    S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;c:\windows\system32\drivers\s125mdfl.sys [2008-08-29 15112]
    S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;c:\windows\system32\drivers\s125mdm.sys [2008-08-29 108680]
    S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s125mgmt.sys [2008-08-29 100488]
    S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;c:\windows\system32\drivers\s125obex.sys [2008-08-29 98696]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-09-03 7408]
    S3 Simply Accounting Database Connection Manager;Simply Accounting Database Connection Manager;c:\program files\Winsim\ConnectionManager\SimplyConnectionManager.exe --> c:\program files\Winsim\ConnectionManager\SimplyConnectionManager.exe [?]
    S3 XDva189;XDva189;\??\c:\windows\system32\XDva189.sys --> c:\windows\system32\XDva189.sys [?]
    S4 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2008-06-19 26144]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - MESSENGER
    *NewlyCreated* - NETDDE
    *NewlyCreated* - NETDDEDSDM

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bdx REG_MULTI_SZ scan

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    Snqyicepjsa
    UrAibrba
    lubeu

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5477D33F-0944-58FD-221B-DE07A7698242}]
    c:\windows\system32\blka.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2009-03-28 c:\windows\Tasks\GoogleUpdateTaskUser.job
    - c:\documents and settings\Francois Forrest\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 18:39]

    2009-03-26 c:\windows\Tasks\User_Feed_Synchronization-{C11F502A-E357-46E2-AC75-84A972988119}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]
    .
    - - - - ORPHANS REMOVED - - - -

    ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
    MSConfigStartUp-Aim6 - c:\program files\AIM6\aim6.exe
    MSConfigStartUp-avgids - c:\program files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe
    MSConfigStartUp-ConnectionManager - c:\program files\Winsim\ConnectionManager\Simply.SystemTrayIcon.exe
    MSConfigStartUp-DAEMON Tools Pro Agent - c:\program files\DAEMON Tools Pro\DTProAgent.exe
    MSConfigStartUp-diagnostic manager - c:\docume~1\FRANCO~1\LOCALS~1\Temp\2281490080.exe
    MSConfigStartUp-hfivuxudi - c:\windows\Rterahatewisuc.dll
    MSConfigStartUp-LClock - c:\program files\LClock\LClock.exe
    MSConfigStartUp-MSMSGS - c:\program files\Messenger\msmsgs.exe
    MSConfigStartUp-OODefragTray - c:\windows\system32\oodtray.exe
    MSConfigStartUp-SMSTray - c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe
    MSConfigStartUp-SNM - c:\program files\SpyNoMore\SNM.exe
    MSConfigStartUp-STYLEXP - c:\program files\TGTSoft\StyleXP\StyleXP.exe
    MSConfigStartUp-TaskSwitchXP - c:\program files\TaskSwitchXP\TaskSwitchXP.exe
    MSConfigStartUp-ViOrb - c:\program files\ViOrb\ViOrb.exe
    MSConfigStartUp-Vista Sidebar - c:\program files\Vista Sidebar\sidebar.exe
    MSConfigStartUp-ViStart - c:\program files\ViStart\ViStart.exe
    MSConfigStartUp-viwc - c:\windows\system32\viwc.exe
    MSConfigStartUp-WindowBlinds - c:\documents and settings\All Users\Documents\Stardock\WindowBlinds\WBInstall32.exe
    MSConfigStartUp-Comrade - (no file)


    .
    ------- Supplementary Scan -------
    .
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Settings,ProxyServer = localhost:8080
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
    IE: Send by Bluetooth - c:\program files\IVT Corporation\BlueSoleil\TransSend\IE\tsinfo.htm
    IE: Send via &Message... - c:\program files\IVT Corporation\BlueSoleil\TransSend\IE\tssms.htm
    FF - ProfilePath - c:\documents and settings\Francois Forrest\Application Data\Mozilla\Firefox\Profiles\k034g4sf.default\
    FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
    FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
    FF - plugin: c:\documents and settings\Francois Forrest\Local Settings\Application Data\Google\Update\1.2.131.11\npGoogleOneClick5.dll
    FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: browser.blink_allowed - false
    FF - user.js: network.prefetch-next - true
    FF - user.js: nglayout.initialpaint.delay - 250
    FF - user.js: layout.spellcheckDefault - 2
    FF - user.js: browser.urlbar.autoFill - true
    FF - user.js: browser.search.openintab - false
    FF - user.js: browser.tabs.closeButtons - 1
    FF - user.js: browser.tabs.opentabfor.middleclick - true
    FF - user.js: browser.tabs.tabMinWidth - 100
    FF - user.js: browser.urlbar.hideGoButton - false
    .

    **************************************************************************

    catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2089-03-30 23:59:42
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
    "OODEFRAG10.00.00.01WORKSTATION"= "[long value omitted]"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(952)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2089-03-31 0:02:02
    ComboFix-quarantined-files.txt 2089-03-31 04:01:59

    Pre-Run: 221,166,850,048 bytes free
    Post-Run: 221,150,445,568 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

    272 --- E O F --- 2009-03-17 15:53:17
     
  10. 2009/03/30
    barqshasbite

    barqshasbite Inactive Thread Starter

    Joined:
    2009/03/26
    Messages:
    16
    Likes Received:
    0
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:07:08 AM, on 3/31/2089
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\Razer\Diamondback 3G\razerhid.exe
    C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
    C:\Program Files\Razer\Diamondback 3G\razertra.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\Razer\Diamondback 3G\razerofa.exe
    C:\WINDOWS\system32\LVComsX.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
    O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [Diamondback] C:\Program Files\Razer\Diamondback 3G\razerhid.exe
    O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
    O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Send by Bluetooth - C:\Program Files\IVT Corporation\BlueSoleil\TransSend\IE\tsinfo.htm
    O8 - Extra context menu item: Send via &Message... - C:\Program Files\IVT Corporation\BlueSoleil\TransSend\IE\tssms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1213931208437
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\WINDOWS\system32\skype4com.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
    O23 - Service: BlueSoleilCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
    O23 - Service: BsHelpCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
    O23 - Service: BsMobileCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe
    O23 - Service: Defragmentation-Service (DfSdkS) - mst software GmbH, Germany - C:\Program Files\Ashampoo\Ashampoo WinOptimizer 6\Dfsdks.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\MapleStory\npkcmsvc.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: Simply Accounting Database Connection Manager - Unknown owner - C:\Program Files\Winsim\ConnectionManager\SimplyConnectionManager.exe (file missing)
    O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
    O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe (file missing)
    O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
    O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

    --
    End of file - 8605 bytes
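A way to pre-screen a HijackThis or ComboFix log like the one above for the kinds of entries a malware-removal helper picks out (a proxy redirect to the local machine, orphaned BHO or desktop entries, the Internet Explorer policy lockdown, a service with no image file, a boot-start driver whose file is gone, the disabled firewall), as an added example that is not code from this thread, from HijackThis or from ComboFix. The rule names and the high/medium severities are this example's own labels; the sample lines are copied from the logs posted in the thread.

```python
"""Rule-based triage of HijackThis / ComboFix log lines.

Added example, not code from the thread, from HijackThis or from ComboFix.
Each rule is a regular expression over one whitespace-stripped log line;
triage() returns every line that matches, with the reason, so a long log can
be skimmed for the indicators a helper looks for. Severity labels are this
example's own scale, not anything the tools emit.
"""
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    severity: str  # "high" or "medium" (this example's own scale)
    reason: str
    line: str


# (severity, reason, pattern). First matching rule wins for a given line.
RULES = [
    ("high", "browser proxy points at the local machine",
     re.compile(r"ProxyServer = (?:localhost|127\.0\.0\.1)(?::\d+)?$")),
    ("high", "boot-start driver registered but its file cannot be found",
     re.compile(r"^[RS]0 [^;]+;.*\[\?\]$")),
    ("medium", "driver or service registered but its file cannot be found",
     re.compile(r"^[RS][1-4] [^;]+;.*\[\?\]$")),
    ("medium", "orphaned entry: component registered but no file on disk",
     re.compile(r"^O(?:2|3|24) - .*\(no file\)$")),
    ("medium", "Internet Explorer locked down by a policy key",
     re.compile(r"^O6 - HKLM\\Software\\Policies\\Microsoft\\Internet Explorer\\.* present$")),
    ("medium", "service image path has no file name or the file is missing",
     re.compile(r"^O23 - Service: .* - (?:.*\\|.*\(file missing\))$")),
    ("high", "Windows Firewall disabled in the standard profile",
     re.compile(r'^"EnableFirewall\s*"\s*=\s*0\b')),
]

# Constructed sample: lines copied from the HijackThis and ComboFix logs in
# this thread, plus three clean lines (ssv.dll, Ati2evxx.exe, rt2870.sys)
# that must not be flagged.
SAMPLE_LOG = "\n".join([
    "R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = localhost:8080",
    "O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)",
    "O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_06\\bin\\ssv.dll",
    "O6 - HKLM\\Software\\Policies\\Microsoft\\Internet Explorer\\Restrictions present",
    "O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\\WINDOWS\\",
    "O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\\WINDOWS\\system32\\Ati2evxx.exe",
    "O24 - Desktop Component AutorunsDisabled: (no name) - (no file)",
    "S0 trts;trts;c:\\windows\\system32\\drivers\\qghucchb.sys --> c:\\windows\\system32\\drivers\\qghucchb.sys [?]",
    "R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\\windows\\system32\\drivers\\rt2870.sys [2009-03-01 560896]",
    '"EnableFirewall"= 0 (0x0)',
])


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per log line that matches a rule (first rule wins)."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()          # forum pastes carry leading indentation
        if not line:
            continue
        for severity, reason, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(severity, reason, line))
                break
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, e.g. {"high": 3, "medium": 4}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print("summary:", summarize(results))
```

A hit is a lead, not a verdict: the HijackThis log above also shows `C:\WINDOWS\` as the path for BITS, which the helper did not touch, so each flagged file still needs the on-disk and VirusTotal checks the helper asks for before anything is removed.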
     
  11. 2009/03/31
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Welcome back

    This computer has serious issues here.
    The infection may have caused irreversible damage.


    Print this topic or save to notepad, it will make it easier for you to follow the instructions and complete all of the necessary steps as we will need to close all windows that are open later in the fix.



    Go to My Computer->Tools->Folder Options->View tab:

    • Under the Hidden files and folders heading:

    • Select - Show hidden files and folders.

    • Uncheck - Hide protected operating system files (recommended) option.

    • Also, make sure there is no checkmark beside Hide file extensions for known file types.

    • Click OK. (Remember to Hide files and folders once done)

    Please go to: VirusTotal


    • (screenshot of the VirusTotal upload page)


    • Click the Browse button and search for the following file: c:\windows\system32\drivers\TCPIP.SYS
    • Click Open
    • Then click Send File
    • Please be patient while the file is scanned.
    • Once the scan results appear, please provide them in your next reply.
    If it says already scanned -- click "reanalyze now"



    Also the below files need to be scanned, please note the file names appear to be the same but are located in different directories.
    Take your time and have each one scanned.

    c:\windows\system32\dllcache\TCPIP.SYS
    c:\windows\ServicePackFiles\i386\TCPIP.SYS

    c:\windows\explorer.exe
    c:\windows\ServicePackFiles\i386\explorer.exe
    c:\windows\SoftwareDistribution\Download\3c0bacd63e67d049a438275fd7b87f25\backup\explorer.exe





    Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
    O24 - Desktop Component AutorunsDisabled: (no name) - (no file)





    Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
    This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

    Click on this link Here to see a list of programs that should be disabled.
    The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    Please open Notepad *Do Not Use Wordpad!* or any other text editor than Notepad, or the script will fail. (Start -> Run -> type notepad in the Open field -> OK) Then copy and paste the text present inside the CODE box below:
    Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.
    Code:
    RegNULL::
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
    File:: 
    c:\windows\system32\XDva189.sys
    c:\windows\system32\blka.exe
    c:\windows\system32\drivers\qghucchb.sys
    Driver::
    trts
    XDva189
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5477D33F-0944-58FD-221B-DE07A7698242}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windows resurections]
    NetSvc::
    Snqyicepjsa
    UrAibrba
    lubeu

    Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.




    We need to try and get an online scan.


    • Download the latest version of Java Runtime Environment (JRE)
    • Second install down listed on the page

      *** be sure that when you update Java, you uncheck any toolbars or OpenOffice.org offers if you don't want those added to your computer***

      Click on the Accept License Agreement button. Next, select your Platform and check the box that says: "I agree to the Java SE Runtime Environment License Agreement."
      Download Now! Windows Offline Installation, Multi-language

      Now close all windows, including your browser.
      Double click on the Java installation that you downloaded and follow the prompts.

      NEXT - remove all older versions of Java. Go to Start > Control Panel, double-click on the Software icon > Add/Remove Programs.
      Search the list for all previously installed versions of Java (J2SE Runtime Environment...). Select each one and click Remove.
    • Close any programs you may have running - especially your web browser.
    • Repeat as many times as necessary to remove each older Java version.




    Please download ATF Cleaner by Atribune From Here and save it to your Desktop.
    Follow the instructions for the browser you use.
    Read the instructions about the cookies. Delete what you do not need.

    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Java Cache

    The rest are optional - if you want to remove the lot, check "Select All".
    Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
    If you use the Firefox or Opera browsers, you can use this program
    as a quick way to tidy those up as well.
    When you have finished, click on the Exit button in the Main menu.
    ========================



    NEXT**
    I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
    The below scan can take up to an hour or longer, please be patient.

    *Note
    It is recommended to disable your onboard antivirus and antispyware programs while performing scans, to avoid conflicts and to speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.


    Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

    Other available links
    Kaspersky Online Scanner or from here
    http://www.kaspersky.com/virusscanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.

    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run. (At times it may appear to stall)
      * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
      * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
      * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Once the scan is complete, click on View scan report To obtain the report:
    Click on: Save Report As
    Next, in the Save as prompt, Save in area, select: Desktop
    In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select:
    Text file [*.txt]
    Then, click: Save
    Please post the Kaspersky Online Scanner Report in your reply.

    Animated tutorial
    http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

    (Note for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
    Or use Firefox with IE-Tab plugin
    https://addons.mozilla.org/en-US/firefox/addon/1419


    In your next reply post:
    Information on files requested scanned
    ComboFix.txt
    Kaspersky log
    New HJT log taken after the above scans have run



    You may need several replies to post the requested logs, otherwise they might get cut off.
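    As an added illustration of why the helper asks for each same-named copy to be checked separately (example code written for this page, not a tool used in the thread): a Python script that parses the Sigcheck block ComboFix prints (the lines are quoted from the ComboFix log posted later in this thread) and compares each actively loaded copy against the Service Pack source and the dllcache copy. A hotfix can legitimately move the active file away from the ServicePackFiles hash, but it should then match dllcache and stay about the same size; the path-classification rules and the "trusted copy" notion are this example's assumptions, not ComboFix's.

```python
import re
from collections import defaultdict

# Sigcheck lines quoted from the ComboFix log posted in this thread.
# Format: <date> <time> <size> <md5> <path>
SIGCHECK = r"""
2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2007-10-30 13:20 360064 90caff4b094573449a0872a0f919b178 c:\windows\$NtServicePackUninstall$\tcpip.sys
2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\ServicePackFiles\i386\TCPIP.SYS
2006-02-28 08:00 359040 9f4b36614a0fc234525ba224957de55c c:\windows\SoftwareDistribution\Download\3c0bacd63e67d049a438275fd7b87f25\backup\tcpip.sys
2008-04-13 15:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\SoftwareDistribution\Download\64ed0a1c038340f7dcd71548187888e1\tcpip.sys
2008-08-02 05:19 361600 cbeebeb899e31ef52b962cb31fc8ca5c c:\windows\system32\dllcache\TCPIP.SYS
2008-08-02 05:19 361600 cbeebeb899e31ef52b962cb31fc8ca5c c:\windows\system32\drivers\TCPIP.SYS
2008-04-14 05:42 1423872 dc7c3534cf32c669705016aae6d8a334 c:\windows\explorer.exe
2007-06-13 07:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 06:23 1033216 97bd6515465659ff8f3b7be375b2ea87 c:\windows\$NtServicePackUninstall$\explorer.exe
2008-04-14 05:42 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\ServicePackFiles\i386\explorer.exe
2006-02-28 08:00 1032192 a0732187050030ae399b241436565e64 c:\windows\SoftwareDistribution\Download\3c0bacd63e67d049a438275fd7b87f25\backup\explorer.exe
2008-04-13 20:12 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\SoftwareDistribution\Download\64ed0a1c038340f7dcd71548187888e1\explorer.exe
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) (?P<size>\d+) "
    r"(?P<md5>[0-9a-f]{32}) (?P<path>\S.*?)\s*$"
)

# Assumed rule for this example: these directories hold superseded versions,
# so a differing hash there is expected and they are never used as reference.
HISTORY_DIRS = ("\\$hf_mig$\\", "\\$ntservicepackuninstall$\\",
                "\\softwaredistribution\\download\\")


def classify(path):
    """Label one copy as servicepack, dllcache, history or active."""
    p = path.lower()
    if "\\servicepackfiles\\i386\\" in p:
        return "servicepack"      # Service Pack install source
    if "\\system32\\dllcache\\" in p:
        return "dllcache"         # Windows File Protection cache
    if any(h in p for h in HISTORY_DIRS):
        return "history"
    return "active"               # the copy Windows actually loads


def parse_sigcheck(text):
    """Turn Sigcheck lines into dicts; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            entries.append(e)
    return entries


def analyze(text):
    """Per file name: does every active copy match a trusted (SP/dllcache) copy?"""
    by_name = defaultdict(lambda: defaultdict(list))
    for e in parse_sigcheck(text):
        name = e["path"].rsplit("\\", 1)[-1].lower()
        by_name[name][classify(e["path"])].append(e)

    report = {}
    for name, groups in by_name.items():
        refs = groups["servicepack"] + groups["dllcache"]
        ref_md5s = {r["md5"] for r in refs}
        ref_size = max((r["size"] for r in refs), default=None)
        findings = []
        for a in groups["active"]:
            if a["md5"] in ref_md5s:
                continue  # byte-identical to the SP source or the WFP cache
            findings.append({
                "path": a["path"],
                "md5": a["md5"],
                # growth beyond the largest trusted copy is what an appended
                # modification of a system binary looks like; worth a manual scan
                "size_delta": None if ref_size is None else a["size"] - ref_size,
            })
        if not groups["active"]:
            status = "NO_ACTIVE_COPY"
        elif findings:
            status = "MISMATCH"
        else:
            status = "OK"
        report[name] = {"status": status,
                        "dllcache_present": bool(groups["dllcache"]),
                        "findings": findings}
    return report


if __name__ == "__main__":
    for name, r in analyze(SIGCHECK).items():
        print(f"{name}: {r['status']} (dllcache copy present: {r['dllcache_present']})")
        for f in r["findings"]:
            print(f"  {f['path']} md5={f['md5']} size delta vs trusted copy: {f['size_delta']}")
```

    On the thread's own data this reports tcpip.sys as OK (the loaded driver matches dllcache) and flags c:\windows\explorer.exe, which matches no trusted copy, has no dllcache copy at all, and is 390144 bytes larger than the Service Pack version.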
     
  12. 2009/03/31
    barqshasbite

    barqshasbite Inactive Thread Starter

    Joined:
    2009/03/26
    Messages:
    16
    Likes Received:
    0
    I did the virustotal scans, none had any detections besides the one explorer.exe file.
    I tried running kaspersky, however, every time it tries to update, I get an error, and kaspersky says that my license key is invalid?
    So I could not run kaspersky.
    Also, my forwarded ports do not seem to work... I'm not sure if I need a certain Windows XP service enabled or not? I forwarded them properly, but it still says that they aren't, and as a result, utorrent does not work...

    I am not quite sure what to do next. Also, the O23 entry in HijackThis did not remove; I tried several times.

    Thank you for your help, here are the logs I could manage to get:


    ComboFix 09-03-31.01 - Francois Forrest 2089-03-31 21:31:16.5 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.646 [GMT -4:00]
    Running from: c:\documents and settings\Francois Forrest\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Francois Forrest\Desktop\CFScript.txt
    AV: BitDefender Antivirus *On-access scanning disabled* (Outdated)
    FW: BitDefender Firewall *disabled*
    * Created a new restore point

    FILE ::
    c:\windows\system32\blka.exe
    c:\windows\system32\drivers\qghucchb.sys
    c:\windows\system32\XDva189.sys
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    c:\windows\system32\blka.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_XDVA189
    -------\Service_trts
    -------\Service_XDva189


    ((((((((((((((((((((((((( Files Created from 2089-03-01 to 2089-04-01 )))))))))))))))))))))))))))))))
    .

    2089-03-31 18:09 . 2089-03-31 18:08 410,984 --a------ c:\windows\system32\deploytk.dll
    2089-03-30 22:59 . 2089-03-30 22:59 0 --a------ c:\windows\system32\BSPRINT.INI

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2089-04-01 00:45 81,984 ----a-w c:\windows\system32\bdod.bin
    2008-08-10 02:29 22,328 ----a-w c:\documents and settings\Francois Forrest\Application Data\PnkBstrK.sys
    2008-07-08 19:16 47,360 ----a-w c:\documents and settings\Francois Forrest\Application Data\pcouffin.sys
    .

    ------- Sigcheck -------

    2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
    2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
    2007-10-30 13:20 360064 90caff4b094573449a0872a0f919b178 c:\windows\$NtServicePackUninstall$\tcpip.sys
    2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\ServicePackFiles\i386\TCPIP.SYS
    2006-02-28 08:00 359040 9f4b36614a0fc234525ba224957de55c c:\windows\SoftwareDistribution\Download\3c0bacd63e67d049a438275fd7b87f25\backup\tcpip.sys
    2008-04-13 15:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\SoftwareDistribution\Download\64ed0a1c038340f7dcd71548187888e1\tcpip.sys
    2008-08-02 05:19 361600 cbeebeb899e31ef52b962cb31fc8ca5c c:\windows\system32\dllcache\TCPIP.SYS
    2008-08-02 05:19 361600 cbeebeb899e31ef52b962cb31fc8ca5c c:\windows\system32\drivers\TCPIP.SYS

    2008-04-14 05:42 1423872 dc7c3534cf32c669705016aae6d8a334 c:\windows\explorer.exe
    2007-06-13 07:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
    2007-06-13 06:23 1033216 97bd6515465659ff8f3b7be375b2ea87 c:\windows\$NtServicePackUninstall$\explorer.exe
    2008-04-14 05:42 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\ServicePackFiles\i386\explorer.exe
    2006-02-28 08:00 1032192 a0732187050030ae399b241436565e64 c:\windows\SoftwareDistribution\Download\3c0bacd63e67d049a438275fd7b87f25\backup\explorer.exe
    2008-04-13 20:12 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\SoftwareDistribution\Download\64ed0a1c038340f7dcd71548187888e1\explorer.exe
    .
    ((((((((((((((((((((((((((((( SnapShot@2089-03-31_ 0.00.28.90 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2089-03-31 03:17:02 81,984 ----a-w c:\windows\system32\bdod.bin
    + 2089-04-01 00:45:01 81,984 ----a-w c:\windows\system32\bdod.bin
    + 2089-03-31 22:08:55 410,984 ----a-w c:\windows\system32\deploytk.dll
    - 2008-03-25 05:28:39 135,168 ----a-w c:\windows\system32\java.exe
    + 2089-03-31 22:08:55 144,792 ----a-w c:\windows\system32\java.exe
    - 2008-03-25 05:28:43 135,168 ----a-w c:\windows\system32\javaw.exe
    + 2089-03-31 22:08:55 144,792 ----a-w c:\windows\system32\javaw.exe
    - 2008-03-25 06:37:01 139,264 ----a-w c:\windows\system32\javaws.exe
    + 2089-03-31 22:08:55 148,888 ----a-w c:\windows\system32\javaws.exe
    + 2089-04-01 01:14:43 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_594.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "itype "= "c:\program files\Microsoft IntelliType Pro\itype.exe" [2005-12-04 437008]
    "StartCCC "= "c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
    "Diamondback "= "c:\program files\Razer\Diamondback 3G\razerhid.exe" [2007-08-01 147456]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2089-03-31 148888]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator "= "Narrator.exe" [2008-04-14 c:\windows\system32\narrator.exe]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack "= 0 (0x0)
    "NoFileAssociate "= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-03-05 23:18 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.XFR1 "= xfcodec.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ \0

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Thoosje Vista Sidebar.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Thoosje Vista Sidebar.lnk
    backup=c:\windows\pss\Thoosje Vista Sidebar.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinFlip.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinFlip.lnk
    backup=c:\windows\pss\WinFlip.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    \system32\dumprep 0 -k [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BtTray]
    --a------ 2009-02-27 17:04 278016 c:\program files\IVT Corporation\BlueSoleil\BtTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2008-04-14 05:42 15360 c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashMute]
    --a------ 2006-03-11 15:49 221184 c:\program files\FlashMute\flashmute.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    --a----t- 2008-09-03 18:39 133104 c:\documents and settings\Francois Forrest\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    --a--c--- 2007-08-24 07:00 33648 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
    --a------ 2005-12-04 20:39 461584 c:\program files\Microsoft IntelliPoint\ipoint.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
    --a--c--- 2005-06-08 14:44 196608 c:\program files\Logitech\Video\ManifestEngine.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
    --a--c--- 2005-06-08 15:24 458752 c:\program files\Logitech\Video\ISStart.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
    --a------ 2005-06-08 15:14 217088 c:\program files\Logitech\Video\LogiTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
    --a------ 2005-07-19 17:32 221184 c:\windows\system32\LVCOMSX.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    --a------ 2009-02-06 18:51 3885408 c:\program files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhilipsDM]
    --a------ 2006-07-13 18:47 651264 c:\program files\Philips\Philips Device Manager\bin\DeviceManager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhilipsLime]
    --a--c--- 2006-06-09 17:30 159744 c:\program files\Philips\Philips Lime Service\bin\LimeAlive.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-05-27 10:50 413696 c:\program files\QuickTime Alternative\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
    -ra------ 2007-06-13 08:16 528384 c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
    --a------ 2004-09-23 12:41 860160 c:\program files\Analog Devices\SoundMAX\SMax4.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    --a--c--- 2004-10-14 09:11 1388544 c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    -rahs---- 2009-01-26 16:31 2144088 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    --a------ 2009-03-05 23:17 1830128 c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    --a------ 2009-03-09 11:49 37888 c:\program files\Winamp\winampa.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE "=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE "=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE "=
    "c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe "=
    "c:\\Program Files\\LimeWire\\LimeWire.exe "=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "=
    "c:\\Program Files\\America's Army\\System\\ArmyOps.exe "=
    "c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe "=
    "c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe "=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe "=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe "=
    "c:\\Program Files\\xchat\\xchat.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\uTorrent\\uTorrent.exe "=
    "c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleilCS.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=

    R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2008-01-21 20744]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-09-03 8944]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-09-03 55024]
    R3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [2008-12-07 30088]
    R3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2008-01-21 26248]
    R3 Razerlow;Diamondback 3G USB Filter Driver;c:\windows\system32\drivers\DB3G.sys [2008-06-19 13225]
    R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2009-03-01 560896]
    S3 BsMobileCS;BsMobileCS;c:\program files\IVT Corporation\BlueSoleil\BsMobileCS.exe [2009-02-27 143467]
    S3 BTIAUSB;Generic Bluetooth Device;c:\windows\system32\drivers\btiausb.sys [2008-07-30 23808]
    S3 BTPROT;Generic Bluetooth Filter;c:\windows\system32\drivers\btprot.sys [2008-08-02 453120]
    S3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 6\DfSdkS.exe [2009-03-26 410976]
    S3 FXDRV;FXDRV;\??\d:\fxdrv.sys --> d:\Fxdrv.sys [?]
    S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-08-29 13352]
    S3 s125bus;Sony Ericsson Device 125 driver (WDM);c:\windows\system32\drivers\s125bus.sys [2008-08-29 83336]
    S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;c:\windows\system32\drivers\s125mdfl.sys [2008-08-29 15112]
    S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;c:\windows\system32\drivers\s125mdm.sys [2008-08-29 108680]
    S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s125mgmt.sys [2008-08-29 100488]
    S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;c:\windows\system32\drivers\s125obex.sys [2008-08-29 98696]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-09-03 7408]
    S4 Simply Accounting Database Connection Manager;Simply Accounting Database Connection Manager;c:\program files\Winsim\ConnectionManager\SimplyConnectionManager.exe --> c:\program files\Winsim\ConnectionManager\SimplyConnectionManager.exe [?]
    S4 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2008-06-19 26144]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-03-28 c:\windows\Tasks\GoogleUpdateTaskUser.job
    - c:\documents and settings\Francois Forrest\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 18:39]

    2009-03-26 c:\windows\Tasks\User_Feed_Synchronization-{C11F502A-E357-46E2-AC75-84A972988119}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_06\bin\jusched.exe


    .
    ------- Supplementary Scan -------
    .
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
    IE: Send by Bluetooth - c:\program files\IVT Corporation\BlueSoleil\TransSend\IE\tsinfo.htm
    IE: Send via &Message... - c:\program files\IVT Corporation\BlueSoleil\TransSend\IE\tssms.htm
    FF - ProfilePath - c:\documents and settings\Francois Forrest\Application Data\Mozilla\Firefox\Profiles\k034g4sf.default\
    FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
    FF - plugin: c:\documents and settings\Francois Forrest\Local Settings\Application Data\Google\Update\1.2.131.11\npGoogleOneClick5.dll
    FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: browser.blink_allowed - false
    FF - user.js: network.prefetch-next - true
    FF - user.js: nglayout.initialpaint.delay - 250
    FF - user.js: layout.spellcheckDefault - 2
    FF - user.js: browser.urlbar.autoFill - true
    FF - user.js: browser.search.openintab - false
    FF - user.js: browser.tabs.closeButtons - 1
    FF - user.js: browser.tabs.opentabfor.middleclick - true
    FF - user.js: browser.tabs.tabMinWidth - 100
    FF - user.js: browser.urlbar.hideGoButton - false
    .

    **************************************************************************

    catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2089-03-31 21:33:11
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(672)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2089-03-31 21:34:44
    ComboFix-quarantined-files.txt 2089-04-01 01:34:38
    ComboFix2.txt 2089-03-31 04:02:06

    Pre-Run: 221,154,267,136 bytes free
    Post-Run: 221,160,566,784 bytes free

    230 --- E O F --- 2009-03-17 15:53:17

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:02:30 PM, on 3/31/2089
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\Razer\Diamondback 3G\razerhid.exe
    C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
    C:\Program Files\Razer\Diamondback 3G\razertra.exe
    C:\Program Files\Razer\Diamondback 3G\razerofa.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\BitDefender\BitDefender 2009\bdwizreg.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\LVComsX.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
    O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe "
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [Diamondback] C:\Program Files\Razer\Diamondback 3G\razerhid.exe
    O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe "
    O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Send by Bluetooth - C:\Program Files\IVT Corporation\BlueSoleil\TransSend\IE\tsinfo.htm
    O8 - Extra context menu item: Send via &Message... - C:\Program Files\IVT Corporation\BlueSoleil\TransSend\IE\tssms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1213931208437
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\WINDOWS\system32\skype4com.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
    O23 - Service: BlueSoleilCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
    O23 - Service: BsHelpCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
    O23 - Service: BsMobileCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe
    O23 - Service: Defragmentation-Service (DfSdkS) - mst software GmbH, Germany - C:\Program Files\Ashampoo\Ashampoo WinOptimizer 6\Dfsdks.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\MapleStory\npkcmsvc.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: Simply Accounting Database Connection Manager - Unknown owner - C:\Program Files\Winsim\ConnectionManager\SimplyConnectionManager.exe (file missing)
    O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
    O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe (file missing)
    O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
    O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

    --
    End of file - 8399 bytes

    c:\windows\ServicePackFiles\i386\explorer.exe


    File explorer.exe received on 03.31.2009 23:59:55 (CET)
    Antivirus Version Last Update Result
    a-squared 4.0.0.101 2009.03.31 -
    AhnLab-V3 5.0.0.2 2009.03.31 -
    AntiVir 7.9.0.129 2009.03.31 -
    Antiy-AVL 2.0.3.1 2009.03.31 -
    Authentium 5.1.2.4 2009.03.31 -
    Avast 4.8.1335.0 2009.03.31 -
    AVG 8.5.0.285 2009.03.31 -
    BitDefender 7.2 2009.03.31 -
    CAT-QuickHeal 10.00 2009.03.31 -
    ClamAV 0.94.1 2009.03.31 -
    Comodo 1092 2009.03.31 -
    DrWeb 4.44.0.09170 2009.03.31 -
    eSafe 7.0.17.0 2009.03.31 Win32.Banker
    eTrust-Vet 31.6.6427 2009.03.31 -
    F-Prot 4.4.4.56 2009.03.31 -
    F-Secure 8.0.14470.0 2009.03.31 -
    Fortinet 3.117.0.0 2009.03.31 -
    GData 19 2009.03.31 -
    Ikarus T3.1.1.49.0 2009.03.31 -
    K7AntiVirus 7.10.687 2009.03.31 -
    Kaspersky 7.0.0.125 2009.03.31 -
    McAfee 5570 2009.03.31 -
    McAfee+Artemis 5570 2009.03.31 -
    McAfee-GW-Edition 6.7.6 2009.03.31 Win32.LooksLike.Virut
    Microsoft 1.4502 2009.03.31 -
    NOD32 3978 2009.03.31 -
    Norman 6.00.06 2009.03.31 -
    nProtect 2009.1.8.0 2009.03.31 -
    Panda 10.0.0.14 2009.03.31 -
    PCTools 4.4.2.0 2009.03.31 -
    Prevx1 V2 2009.04.01 -
    Rising 21.23.12.00 2009.03.31 -
    Sophos 4.40.0 2009.03.31 -
    Sunbelt 3.2.1858.2 2009.03.31 -
    Symantec 1.4.4.12 2009.03.31 -
    TheHacker 6.3.3.9.296 2009.03.30 -
    TrendMicro 8.700.0.1004 2009.03.31 -
    VBA32 3.12.10.1 2009.03.31 -
    ViRobot 2009.3.31.1669 2009.03.31 -
    VirusBuster 4.6.5.0 2009.03.31 -
    Additional information
    File size: 1033728 bytes
    MD5...: 12896823fb95bfb3dc9b46bcaedc9923
    SHA1..: 9d2bf84874abc5b6e9a2744b7865c193c08d362f
    SHA256: 1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455
    SHA512: de5ff5c5bb0fea3f9d08dd1746a6b00501a1e3ca76cfd11adcb8b714c537e1b97abcfa3ad136eb12221b4c503183946c92a583ffb535e302d7aa12c6fe598ed9
    ssdeep: 12288:HHmcoCUyZtwAvAs4wTCyrPTloHWYUrkf8w0Vnzac1/g/J/vMS:nmfty/wAvN7lrvbkf8w0VnH1/g/J/k
    PEiD..: -
    TrID..: File type identification
    Win32 Executable Generic (42.3%)
    Win32 Dynamic Link Library (generic) (37.6%)
    Generic Win/DOS Executable (9.9%)
    DOS Executable Generic (9.9%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
    RDS...: NSRL Reference Data Set: -
    ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=12896823fb95bfb3dc9b46bcaedc9923

     
    Last edited: 2009/03/31
  13. 2009/03/31
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    You'll have to give me information?
     
  14. 2009/03/31
    barqshasbite

    barqshasbite Inactive Thread Starter

    Joined:
    2009/03/26
    Messages:
    16
    Likes Received:
    0
    Sorry, I realized that if I posted a short post, then edited it and saved it, it would not cut off my logs. I edited my post and all logs are in it.

    Thank you.
     
  15. 2009/03/31
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    OK, I see how you edited it all in now.

    I've got bad news.
    My suspicions have been confirmed.


    c:\windows\ServicePackFiles\i386\explorer.exe
    Virut
    c:\windows\explorer.exe
    Virut


    The above files are from a very ugly virus called Virut.
    Although the virus can be removed, I cannot reverse the damage it has already done to your computer.

    All files located under this area in your ComboFix log
    ------------------- Sigcheck -----------------

    have already been corrupted and are patched by the virus.
    These are system-critical files that Windows cannot operate without. The virus will continue to morph on the computer, infecting other files along the way.

    Your system is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files; therefore, the files are corrupted beyond repair. As of now, security experts suggest that a clean reformat is the only way to clean the infection, and it is the only way to return the machine to its normal working state.

    Back up all your documents and important items (personal data, work documents, etc.) only. DO NOT back up any executable files (software, .exe files) or screensavers (.scr). It attempts to infect any accessed .exe or .scr file by appending itself to the executable.

    Also, try to avoid backing up compressed (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

    Below is an article created specifically for this infection.
    http://miekiemoes.blogspot.com/2009/02/vir...s-throwing.html




    There is a tutorial in the link below on how to format.
    http://web.mit.edu/ist/products/winxp/adva...all-format.html



    How best to protect yourself online.
    http://users.telenet.be/bluepatchy/miekiem...prevention.html

    http://www.michaelstevenstech.com/cleanxpinstall.html
    Clean Install Windows XP

    http://spyware-free.us/tutorials/reformat/
    Reformatting Windows XP


    I am so sorry to give nothing but bad news.
     
  16. 2009/03/31
    barqshasbite

    barqshasbite Inactive Thread Starter

    Joined:
    2009/03/26
    Messages:
    16
    Likes Received:
    0
    Okay, I will reformat, reinstall, and completely reinstate all software, etc. by tomorrow. I'll post a couple logs of HJT and what not, and maybe get some feedback as to how well my system is set up for prevention. Thank you for all your help thus far, it is much appreciated.

    -François
     
  17. 2009/04/01
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    I'm glad to help.
    If you are backing up data:
    DO NOT back up any executable files (software, .exe files) or screensavers (.scr).

    Also, try to avoid backing up compressed (zip/cab/rar) files that have .exe or .scr files inside them.

    Only documents and photos, in my opinion, are safe.
     
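    Juliet's instruction in posts 15 and 17, to carry no .exe or .scr file, nor an archive holding one, into the backup, as an added Python example that is not from this thread: it walks a backup folder and flags those files by extension and by the PE 'MZ' header (an infected executable renamed to something harmless still carries it), looks inside .zip archives, and flags .cab/.rar archives for manual inspection because the standard library cannot open them. The folder and file names it builds are constructed samples, not files from the logs above.

```python
"""Audit a backup folder for Windows executables before carrying it to a
rebuilt machine.  Added example, not code from the thread: flags .exe/.scr
files, files of any name that start with the PE 'MZ' signature, .zip
archives that contain either, and .cab/.rar archives (which the standard
library cannot open) for manual inspection."""
from __future__ import annotations

import os
import tempfile
import zipfile
from pathlib import Path

EXEC_EXTENSIONS = {".exe", ".scr"}   # the two file types the thread says Virut appends itself to
OPAQUE_ARCHIVES = {".cab", ".rar"}   # stdlib cannot list these; flag them for a manual look
MZ_MAGIC = b"MZ"                     # DOS stub that opens every PE image


def looks_like_pe(first_bytes: bytes) -> bool:
    """True when a buffer starts with the 'MZ' DOS header of a PE image."""
    return first_bytes[:2] == MZ_MAGIC


def audit_zip(path: Path, rel: str) -> list[tuple[str, str]]:
    """Flag .exe/.scr members and MZ-headed members inside one zip archive."""
    findings = []
    with zipfile.ZipFile(path) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = f"{rel}!{info.filename}"
            suffix = Path(info.filename).suffix.lower()
            if suffix in EXEC_EXTENSIONS:
                findings.append((member, f"executable extension {suffix} inside archive"))
                continue
            with zf.open(info) as fh:          # the extension can lie: check the header too
                if looks_like_pe(fh.read(2)):
                    findings.append((member, "PE header (MZ) inside archive"))
    return findings


def audit_file(path: Path, root: Path) -> list[tuple[str, str]]:
    """Return (relative path, reason) pairs for one file on disk."""
    findings = []
    rel = path.relative_to(root).as_posix()
    suffix = path.suffix.lower()
    if suffix in EXEC_EXTENSIONS:
        findings.append((rel, f"executable extension {suffix}"))
    try:
        with path.open("rb") as fh:
            head = fh.read(2)
    except OSError as exc:
        return findings + [(rel, f"unreadable: {exc}")]
    # A renamed infected executable (setup.exe -> notes.txt) still starts with MZ.
    if looks_like_pe(head) and suffix not in EXEC_EXTENSIONS:
        findings.append((rel, "PE header (MZ) under non-executable name"))
    if suffix in OPAQUE_ARCHIVES:
        findings.append((rel, f"{suffix} archive: inspect contents manually"))
    elif suffix == ".zip" and zipfile.is_zipfile(path):
        findings.extend(audit_zip(path, rel))
    return findings


def audit_backup(root: str | os.PathLike) -> list[tuple[str, str]]:
    """Walk `root` and collect every reason a file should stay out of the backup."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            findings.extend(audit_file(Path(dirpath) / name, root))
    return sorted(findings)


def build_sample_backup(root: Path) -> None:
    """Constructed sample tree (hypothetical files, not from the thread)."""
    (root / "thesis.docx").write_bytes(b"PK\x03\x04 docx placeholder")
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 jpeg placeholder")
    (root / "setup.exe").write_bytes(MZ_MAGIC + b"\x90" * 60)
    (root / "screensaver.scr").write_bytes(MZ_MAGIC + b"\x00" * 60)
    (root / "notes.txt").write_bytes(MZ_MAGIC + b" renamed executable")
    with zipfile.ZipFile(root / "games.zip", "w") as zf:
        zf.writestr("readme.txt", "plain text")
        zf.writestr("launcher.exe", MZ_MAGIC + b"\x00" * 16)
        zf.writestr("bundle.dat", MZ_MAGIC + b"\x00" * 16)   # PE image hidden as .dat


def run_demo() -> list[tuple[str, str]]:
    """Build the sample tree in a temporary folder and return the audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_backup(Path(tmp))
        return audit_backup(tmp)


if __name__ == "__main__":
    # Everything printed here is what must be left out of the backup set.
    for rel_path, reason in run_demo():
        print(f"EXCLUDE  {rel_path:28s} {reason}")
```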
  18. 2009/04/03
    barqshasbite

    barqshasbite Inactive Thread Starter

    Joined:
    2009/03/26
    Messages:
    16
    Likes Received:
    0
    Sorry for the late reply, Juliet. I did as you advised and backed up ONLY non-.exe and non-.scr files. I finally reinstalled my entire system, minus the video games at the moment; however, here are some logs that I ran. Hopefully everything looks A-okay? :)
    P.S. The reason there is no explorer.exe file, and an ExplorerFranco.exe instead, is that I modified the explorer.exe file to change the text on the start menu, that's all.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:23:00 AM, on 4/3/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    D:\WINDOWS\system32\svchost.exe
    D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    D:\Program Files\Alwil Software\Avast4\ashServ.exe
    D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    D:\WINDOWS\ExplorerFranco.exe
    D:\Program Files\Razer\Diamondback 3G\razerhid.exe
    D:\Program Files\Microsoft IntelliType Pro\itype.exe
    D:\Program Files\D-Link\D-Link Wireless N DWA-130\AirNCFG.exe
    D:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    D:\Program Files\COMODO\COMODO Internet Security\cfp.exe
    D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    D:\Program Files\Razer\Diamondback 3G\razertra.exe
    D:\Program Files\Razer\Diamondback 3G\razerofa.exe
    D:\Program Files\Mozilla Firefox\firefox.exe
    D:\Documents and Settings\Owner\Desktop\dds.scr
    D:\WINDOWS\system32\cmd.exe
    D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    F2 - REG:system.ini: Shell=ExplorerFranco.exe
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [Diamondback] D:\Program Files\Razer\Diamondback 3G\razerhid.exe
    O4 - HKLM\..\Run: [itype] "d:\Program Files\Microsoft IntelliType Pro\itype.exe "
    O4 - HKLM\..\Run: [D-Link D-Link Wireless N DWA-130] D:\Program Files\D-Link\D-Link Wireless N DWA-130\AirNCFG.exe
    O4 - HKLM\..\Run: [ANIWZCS2Service] D:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    O4 - HKLM\..\Run: [COMODO Internet Security] "D:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
    O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?3763248109531
    O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - D:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - D:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

    --
    End of file - 4174 bytes


    DDS (Ver_09-03-16.01) - NTFSx86
    Run by Owner at 1:23:37.31 on Fri 04/03/2009
    Internet Explorer: 6.0.2900.2180
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.593 [GMT -5:00]

    AV: avast! antivirus 4.8.1335 [VPS 090402-1] *On-access scanning enabled* (Updated)
    FW: COMODO Firewall *enabled*

    ============== Running Processes ===============

    D:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    D:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    D:\WINDOWS\system32\svchost.exe -k netsvcs
    D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    D:\Program Files\Alwil Software\Avast4\ashServ.exe
    D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    D:\WINDOWS\ExplorerFranco.exe
    D:\Program Files\Razer\Diamondback 3G\razerhid.exe
    D:\Program Files\Microsoft IntelliType Pro\itype.exe
    D:\Program Files\D-Link\D-Link Wireless N DWA-130\AirNCFG.exe
    D:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    svchost.exe
    D:\Program Files\COMODO\COMODO Internet Security\cfp.exe
    D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    D:\Program Files\Razer\Diamondback 3G\razertra.exe
    D:\Program Files\Razer\Diamondback 3G\razerofa.exe
    D:\Program Files\Mozilla Firefox\firefox.exe
    D:\Documents and Settings\Owner\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.ca/
    mWinlogon: Shell=ExplorerFranco.exe
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - d:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    mRun: [Diamondback] d:\program files\razer\diamondback 3g\razerhid.exe
    mRun: [itype] "d:\program files\microsoft intellitype pro\itype.exe "
    mRun: [D-Link D-Link Wireless N DWA-130] d:\program files\d-link\d-link wireless n dwa-130\AirNCFG.exe
    mRun: [ANIWZCS2Service] d:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
    mRun: [COMODO Internet Security] "d:\program files\comodo\comodo internet security\cfp.exe" -h
    mRun: [avast!] d:\progra~1\alwils~1\avast4\ashDisp.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?3763248109531
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    Notify: !SASWinLogon - d:\program files\superantispyware\SASWINLO.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - d:\program files\superantispyware\SASSEH.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - d:\docume~1\owner\applic~1\mozilla\firefox\profiles\pkw1cy5y.default\

    ============= SERVICES / DRIVERS ===============

    R1 aswSP;avast! Self Protection;d:\windows\system32\drivers\aswSP.sys [2009-4-2 114768]
    R1 cmdGuard;COMODO Internet Security Sandbox Driver;d:\windows\system32\drivers\cmdguard.sys [2009-4-2 110992]
    R1 cmdHlp;COMODO Internet Security Helper Driver;d:\windows\system32\drivers\cmdhlp.sys [2009-4-2 24336]
    R1 SASDIFSV;SASDIFSV;d:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
    R1 SASKUTIL;SASKUTIL;d:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
    R2 aswFsBlk;aswFsBlk;d:\windows\system32\drivers\aswFsBlk.sys [2009-4-2 20560]
    R2 avast! Antivirus;avast! Antivirus;d:\program files\alwil software\avast4\ashServ.exe [2009-4-2 138680]
    R2 cmdAgent;COMODO Internet Security Helper Service;d:\program files\comodo\comodo internet security\cmdagent.exe [2009-4-2 700152]
    R3 avast! Mail Scanner;avast! Mail Scanner;d:\program files\alwil software\avast4\ashMaiSv.exe [2009-4-2 254040]
    R3 avast! Web Scanner;avast! Web Scanner;d:\program files\alwil software\avast4\ashWebSv.exe [2009-4-2 352920]
    R3 Razerlow;Diamondback 3G USB Filter Driver;d:\windows\system32\drivers\DB3G.sys [2089-4-1 13225]
    R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;d:\windows\system32\drivers\rt2870.sys [2089-4-1 560896]
    S3 FXDRV;FXDRV;\??\e:\fxdrv.sys --> e:\Fxdrv.sys [?]
    S3 SASENUM;SASENUM;d:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]

    =============== Created Last 30 ================

    2009-04-03 00:38 <DIR> --d----- d:\program files\Spybot - Search & Destroy
    2009-04-03 00:38 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2009-04-03 00:36 <DIR> --d----- d:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
    2009-04-03 00:36 <DIR> --d----- d:\program files\SUPERAntiSpyware
    2009-04-03 00:36 <DIR> --d----- d:\docume~1\owner\applic~1\SUPERAntiSpyware.com
    2009-04-03 00:36 <DIR> --d----- d:\program files\common files\Wise Installation Wizard
    2009-04-03 00:34 118,784 a------- d:\windows\system32\MSSTDFMT.DLL
    2009-04-03 00:34 <DIR> --d----- d:\program files\SpywareBlaster
    2009-04-03 00:27 <DIR> --d----- d:\docume~1\owner\applic~1\AD ON Multimedia
    2009-04-03 00:27 0 a------- d:\windows\control.ini
    2009-04-03 00:27 <DIR> --d----- d:\program files\MyPhoneExplorer
    2009-04-03 00:26 <DIR> --d----- d:\program files\DVDVideoSoft
    2009-04-03 00:26 <DIR> --d----- d:\program files\common files\DVDVideoSoft
    2009-04-03 00:25 <DIR> --d----- d:\program files\LimeWire
    2009-04-03 00:25 <DIR> --d----- d:\program files\Trend Micro
    2009-04-03 00:17 <DIR> --d----- d:\program files\AskBarDis
    2009-04-03 00:17 <DIR> --d----- d:\program files\Foxit Software
    2009-04-03 00:17 <DIR> --d----- d:\docume~1\owner\applic~1\Foxit
    2009-04-03 00:16 <DIR> --d----- d:\documents and settings\owner\Tracing
    2009-04-03 00:15 <DIR> --d----- d:\program files\Microsoft
    2009-04-03 00:15 <DIR> --d----- d:\program files\Windows Live SkyDrive
    2009-04-03 00:14 <DIR> --d----- d:\program files\Real Alternative
    2009-04-03 00:14 90,112 a------- d:\windows\system32\QuickTimeVR.qtx
    2009-04-03 00:14 57,344 a------- d:\windows\system32\QuickTime.qts
    2009-04-03 00:13 <DIR> --d----- d:\program files\QuickTime Alternative
    2009-04-03 00:09 168,448 a------- d:\windows\system32\unrar.dll
    2009-04-03 00:09 <DIR> --d----- d:\program files\K-Lite Codec Pack
    2009-04-03 00:03 266,360 a------- d:\windows\system32\TweakUI.exe
    2009-04-03 00:03 160,217 a------- d:\windows\system32\PowerToysLicense.rtf
    2009-04-02 23:58 <DIR> --d----- d:\program files\uTorrent
    2009-04-02 23:58 <DIR> --d----- d:\docume~1\owner\applic~1\uTorrent
    2009-04-02 23:52 <DIR> --d----- d:\program files\CCleaner
    2009-04-02 23:51 <DIR> --d----- d:\program files\common files\Windows Live
    2009-04-02 23:42 <DIR> --d----- d:\program files\ResourceHacker
    2009-04-02 23:39 <DIR> --d----- d:\docume~1\owner\applic~1\Malwarebytes
    2009-04-02 23:39 15,504 a------- d:\windows\system32\drivers\mbam.sys
    2009-04-02 23:39 38,496 a------- d:\windows\system32\drivers\mbamswissarmy.sys
    2009-04-02 23:39 <DIR> --d----- d:\program files\Malwarebytes' Anti-Malware
    2009-04-02 23:39 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-04-02 23:22 155,384 a------- d:\windows\system32\guard32.dll
    2009-04-02 23:22 110,992 a------- d:\windows\system32\drivers\cmdguard.sys
    2009-04-02 23:22 24,336 a------- d:\windows\system32\drivers\cmdhlp.sys
    2009-04-01 23:31 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Comodo
    2009-04-01 23:31 <DIR> --d----- d:\program files\COMODO
    2009-04-01 23:30 <DIR> --d----- d:\docume~1\owner\applic~1\Teleca
    2009-04-01 23:30 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Sony Ericsson
    2009-04-01 23:30 <DIR> --d----- d:\program files\common files\Teleca Shared
    2009-04-01 23:30 <DIR> --d----- d:\program files\Sony Ericsson
    2009-04-01 23:30 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Teleca
    2009-04-01 23:28 6,176 a------- d:\windows\system32\drivers\w810cm.sys
    2009-04-01 23:28 5,808 a------- d:\windows\system32\drivers\w810wh.sys
    2009-04-01 23:28 <DIR> --d----- d:\windows\Downloaded Installations
    2009-04-01 22:40 7 a------- d:\windows\system32\ANIWZCSUSERNAME
    2009-04-01 22:40 0 a------- d:\windows\ativpsrm.bin
    2009-04-01 22:21 221,184 a------- d:\windows\system32\wmpns.dll
    2009-04-01 22:20 <DIR> --d----- d:\program files\DirectX
    2009-04-01 22:19 88,960 a------- d:\windows\system32\drivers\MidiSyn.sys
    2009-04-01 22:19 65,536 ac------ d:\windows\system32\dllcache\a3d.dll
    2009-04-01 22:19 65,536 a------- d:\windows\system32\a3d.dll
    2009-04-01 22:19 392,704 a------- d:\windows\system32\drivers\senfilt.sys
    2009-04-01 22:19 127,872 a------- d:\windows\system32\drivers\aeaudio.sys
    2009-04-01 22:19 1,285,632 a------- d:\windows\system32\SMMedia.dll
    2009-04-01 22:19 30,208 a------- d:\windows\system32\wdmioctl.dll
    2009-04-01 22:18 765,952 a------- d:\windows\system\crlds3d.dll
    2009-04-01 22:18 991,232 a------- d:\windows\system32\virtear.dll
    2009-04-01 22:18 65,536 a------- d:\windows\system32\Audio3d.dll
    2009-04-01 22:18 <DIR> --d----- d:\windows\VirtualEar
    2009-04-01 22:18 220,992 a------- d:\windows\system32\drivers\smwdm.sys
    2009-04-01 22:18 49,152 a------- d:\windows\system32\DSndUp.exe
    2009-04-01 22:18 <DIR> --d----- d:\program files\Analog Devices
    2009-04-01 22:18 45,056 a------- d:\windows\system32\CleanUp.exe
    2009-04-01 22:03 <DIR> --d----- d:\windows\pss
    2009-04-01 22:01 <DIR> --d----- d:\windows\system32\PreInstall
    2009-04-01 21:58 13,770 a------- d:\windows\system32\wpa.bak
    2009-04-01 21:52 410,984 a------- d:\windows\system32\deploytk.dll
    2009-04-01 21:52 73,728 a------- d:\windows\system32\javacpl.cpl
    2009-04-01 21:41 145,792 ac------ d:\windows\system32\dllcache\portcls.sys

    ==================== Find3M ====================

    2009-02-25 17:58 3,565,568 a------- d:\windows\system32\drivers\ati2mtag.sys
    2009-02-25 16:42 442,368 a------- d:\windows\system32\ATIDEMGX.dll
    2009-02-25 16:41 325,120 a------- d:\windows\system32\ati2dvag.dll
    2009-02-25 16:30 11,841,536 a------- d:\windows\system32\atioglxx.dll
    2009-02-25 16:30 204,800 a------- d:\windows\system32\atipdlxx.dll
    2009-02-25 16:29 155,648 a------- d:\windows\system32\Oemdspif.dll
    2009-02-25 16:29 26,112 a------- d:\windows\system32\Ati2mdxx.exe
    2009-02-25 16:29 43,520 a------- d:\windows\system32\ati2edxx.dll
    2009-02-25 16:29 155,648 a------- d:\windows\system32\ati2evxx.dll
    2009-02-25 16:27 602,112 a------- d:\windows\system32\ati2evxx.exe
    2009-02-25 16:26 53,248 a------- d:\windows\system32\ATIDDC.DLL
    2009-02-25 16:16 3,817,984 a------- d:\windows\system32\ati3duag.dll
    2009-02-25 16:09 307,200 a------- d:\windows\system32\atiiiexx.dll
    2009-02-25 15:59 2,670,080 a------- d:\windows\system32\ativvaxx.dll
    2009-02-25 15:58 3,107,788 a------- d:\windows\system32\ativva5x.dat
    2009-02-25 15:58 887,724 a------- d:\windows\system32\ativva6x.dat
    2009-02-25 15:44 49,664 a------- d:\windows\system32\amdpcom32.dll
    2009-02-25 15:40 475,136 a------- d:\windows\system32\atikvmag.dll
    2009-02-25 15:38 126,976 a------- d:\windows\system32\atiadlxx.dll
    2009-02-25 15:38 17,408 a------- d:\windows\system32\atitvo32.dll
    2009-02-25 15:37 53,248 a------- d:\windows\system32\drivers\ati2erec.dll
    2009-02-25 15:35 290,816 a------- d:\windows\system32\atiok3x2.dll
    2009-02-25 15:32 45,056 a------- d:\windows\system32\aticalrt.dll
    2009-02-25 15:32 45,056 a------- d:\windows\system32\aticalcl.dll
    2009-02-25 15:32 626,688 a------- d:\windows\system32\ati2cqag.dll
    2009-02-25 15:30 3,227,648 a------- d:\windows\system32\aticaldd.dll
    2009-02-25 15:15 593,920 -------- d:\windows\system32\ati2sgag.exe
    2009-02-06 18:52 49,504 a------- d:\windows\system32\sirenacm.dll
    2009-01-26 12:55 182,995 a------- d:\windows\system32\atiicdxx.dat

    ============= FINISH: 1:24:01.15 ===============


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-03-16.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date:
    System Uptime: 4/3/2009 12:55:58 AM (1 hours ago)

    Motherboard: WinFast | | 760GXK8MC
    Processor: AMD Sempron(tm) Processor 3000+ | Socket 940 | 1799/200mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 75 GiB total, 35.968 GiB free.
    D: is FIXED (NTFS) - 298 GiB total, 256.146 GiB free.
    E: is CDROM (CDFS)
    F: is Removable

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: SiS 900-Based PCI Fast Ethernet Adapter
    Device ID: PCI\VEN_1039&DEV_0900&SUBSYS_0C92105B&REV_91\3&61AAA01&0&20
    Manufacturer: SiS
    Name: SiS 900-Based PCI Fast Ethernet Adapter
    PNP Device ID: PCI\VEN_1039&DEV_0900&SUBSYS_0C92105B&REV_91\3&61AAA01&0&20
    Service: SISNIC

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    µTorrent
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    ANIO Service
    ANIWZCS2 Service
    ATI Display Driver
    avast! Antivirus
    CCleaner (remove only)
    Choice Guard
    ClearType Tuning Control Panel Applet
    COMODO Internet Security
    D-Link Wireless N DWA-130
    Foxit Reader
    Free YouTube to Mp3 Converter version 3.1
    HijackThis 2.0.2
    Java(TM) 6 Update 13
    K-Lite Codec Pack 4.7.5 (Standard)
    LimeWire 5.1.2
    Logitech® Camera Driver
    Malwarebytes' Anti-Malware
    Microsoft Application Error Reporting
    Microsoft IntelliType Pro 6.3
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Mozilla Firefox (3.0.8)
    MSVCRT
    MSXML 6.0 Parser (KB933579)
    MyPhoneExplorer
    QuickTime Alternative 2.8.0
    Razer Diamondback 3G
    Real Alternative 1.9.0
    Segoe UI
    Sony Ericsson PC Suite 1.20.173
    SoundMAX
    Spybot - Search & Destroy
    SpywareBlaster 4.1
    SUPERAntiSpyware Free Edition
    Tweak UI
    Uninstall 1.0.0.1
    Update for Windows XP (KB911164)
    WebFldrs XP
    Winamp
    Windows Driver Package - Razer (Razerlow) HIDClass (03/07/2007 1.0.0.2)
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    WinRAR archiver

    ==== End Of File ===========================
     
    Last edited: 2009/04/03
  19. 2009/04/03
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    This looks good to me.

    Use these two applications wisely: µTorrent and LimeWire 5.1.2.

    While the machine has a clean load and the drive shouldn't be full, I would have it scanned with Kaspersky.

    Dump temp files first with CCleaner.


    The below scan can take up to an hour or longer, please be patient.

    *Note
    It is recommended to disable your onboard antivirus program and antispyware programs while performing scans so there are no conflicts and to speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once the scan is finished, remember to re-enable resident antivirus protection along with whatever antispyware app you use.


    Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

    Other available links
    Kaspersky Online Scanner or from here
    http://www.kaspersky.com/virusscanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.

    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded, on the left side of the page in the Scan section select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run. (At times it may appear to stall.)
      * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
      * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
      * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Once the scan is complete, click on View scan report. To obtain the report:
    Click on: Save Report As
    Next, in the Save as prompt, Save in area, select: Desktop
    In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select:
    Text file [*.txt]
    Then, click: Save
    Please post the Kaspersky Online Scanner Report in your reply.

    Animated tutorial
    http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

    (Note for Internet Explorer 7 users:
    If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
    Or use Firefox with the IE-Tab plugin
    https://addons.mozilla.org/en-US/firefox/addon/1419


    In your next reply post:
    Kaspersky log
    New HJT log taken after the above scans have run
     
  20. 2009/04/04
    barqshasbite

    barqshasbite Inactive Thread Starter

    Joined:
    2009/03/26
    Messages:
    16
    Likes Received:
    0
    Kaspersky returned 0 threats, so that was good. As for the new HJT log, here you are:
    (By the way, thank you very much for all your help on this matter, my computer is running extremely fast now! :) )

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:38:09 AM, on 4/4/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    D:\WINDOWS\system32\svchost.exe
    D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    D:\Program Files\Alwil Software\Avast4\ashServ.exe
    D:\WINDOWS\system32\svchost.exe
    D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    D:\WINDOWS\ExplorerFranco.exe
    D:\Program Files\Razer\Diamondback 3G\razerhid.exe
    D:\Program Files\Microsoft IntelliType Pro\itype.exe
    D:\Program Files\D-Link\D-Link Wireless N DWA-130\AirNCFG.exe
    D:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    D:\Program Files\COMODO\COMODO Internet Security\cfp.exe
    D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Razer\Diamondback 3G\razertra.exe
    D:\Program Files\Razer\Diamondback 3G\razerofa.exe
    D:\Program Files\Mozilla Firefox\firefox.exe
    D:\Program Files\Java\jre6\bin\java.exe
    D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    F2 - REG:system.ini: Shell=ExplorerFranco.exe
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [Diamondback] D:\Program Files\Razer\Diamondback 3G\razerhid.exe
    O4 - HKLM\..\Run: [itype] "d:\Program Files\Microsoft IntelliType Pro\itype.exe "
    O4 - HKLM\..\Run: [D-Link D-Link Wireless N DWA-130] D:\Program Files\D-Link\D-Link Wireless N DWA-130\AirNCFG.exe
    O4 - HKLM\..\Run: [ANIWZCS2Service] D:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    O4 - HKLM\..\Run: [COMODO Internet Security] "D:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
    O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?3763248109531
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238792678593
    O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - D:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - D:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

    --
    End of file - 4350 bytes
     
  21. 2009/04/04
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    You're welcome

    The machine looks clean and lean.


    Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

    Now reboot your computer to set the registry.



    You're good to go, good job!


    Please take the time to read over a few of my preventive tips.


    Please navigate to Microsoft Windows Updates and download all the "Critical Updates " for Windows.


    Firefox 3
    The award-winning Web browser is now faster, more secure, and fully customizable to your online life. Firefox 2 added powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.
    *NoScript - Add-on for Firefox that stops all scripts from running on websites. Stops malicious software from invading via Flash, Java, JavaScript, and many other entry points.

    How to prevent Malware: Created by Miekiemoes

    Here are some additional utilities that will further enhance your safety.
    # http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)


    Read this article 'Safe Computing Practices'.
    So how did I get infected in the first place?

    Secure My Computer: A Layered Approach

    Strong passwords: How to create and use them

    Free Antivirus-AntiSpyware-Firewall Software
    Slow Computer May Not Be Malware Related, Help! My computer is slow!
    http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html


    PC Safety and Security--What Do I Need?
    http://www.techsupportforum.com/sec...115548-pc-safety-security-what-do-i-need.html

    Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!
    This site offers people who have been (or are) victims of malware the opportunity to document their story.

    Extra note:
    Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan. http://secunia.com/software_inspector/
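    The two HijackThis entries this thread turns on are the F2 Winlogon Shell line (the log shows Shell=ExplorerFranco.exe rather than the Windows default explorer.exe) and the O2 BHO with "(no file)" that Juliet told the user to fix. The helper below, added here as an example and not code from the thread or from Trend Micro's HijackThis, parses HJT-style lines and flags exactly those two patterns as items for a human to review; the sample lines are copied from the HJT log posted above, and the "reasons" it emits are review hints, not malware verdicts. The regular expressions and the Finding dataclass are assumptions of this example.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread).

Flags the two entry types a malware-removal helper reads first:
  * an F2 Winlogon Shell value that is not the Windows default explorer.exe
  * O2 BHO registrations whose DLL is missing ("(no file)"), i.e. orphaned CLSIDs
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of lines copied from the HJT log posted in this thread.
SAMPLE_HJT_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.google.ca/
F2 - REG:system.ini: Shell=ExplorerFranco.exe
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\\Program Files\\Common Files\\Microsoft Shared\\Windows Live\\WindowsLiveLogin.dll
O4 - HKLM\\..\\Run: [avast!] D:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
"""

# The Windows default for the Winlogon Shell value.
DEFAULT_SHELL = "explorer.exe"


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section code, e.g. "F2" or "O2"
    line: str      # the log line that triggered the finding
    reason: str    # why a helper should look at it


# Patterns for the HJT line formats used in this example (assumed layout).
SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.+?)\s*$")
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+?)\s*$"
)


def triage(log_text: str) -> list:
    """Return the review findings for an HJT-style log, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()

        m = SHELL_RE.match(line)
        if m:
            shell = m.group("shell").strip()
            # The Shell value runs as the user's desktop shell at logon, so
            # anything other than explorer.exe is worth a second look.
            if shell.lower() != DEFAULT_SHELL:
                findings.append(Finding("F2", line, f"non-default Winlogon shell: {shell}"))
            continue

        m = BHO_RE.match(line)
        if m and m.group("path").strip().lower() == "(no file)":
            # A CLSID registered as a BHO with no DLL on disk is an orphaned
            # registration: harmless by itself, but it is leftover to clean up.
            findings.append(
                Finding("O2", line, f"orphaned BHO registration {m.group('clsid')} (DLL missing)")
            )
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f.section}] {f.reason}")
```

    Run against the sample it reports the non-default shell and the orphaned BHO and stays silent on the Start Page, the Windows Live BHO and the avast! Run entry; a log whose F2 line reads Shell=Explorer.exe produces no shell finding, since the comparison is case-insensitive.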
     