
Inactive Trojan "Backdoor.win32.small.ive"

Discussion in 'Malware and Virus Removal Archive' started by Yushi44, 2010/02/21.

Thread Status:
Not open for further replies.
  1. 2010/03/19
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please, re-run Combofix and post fresh log along with fresh HJT log.
     
  2. 2010/03/19
    Yushi44

    Yushi44 Inactive Thread Starter

    Joined:
    2010/02/21
    Messages:
    15
    Likes Received:
    0
    The desktop has appeared again, which is good, but Kaspersky still says that there is a trojan in explorer.exe.

    -----------

    ComboFix 10-03-19.04 - Moshimoshifishy 19/03/2010 19:43:52.3.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1549 [GMT 0:00]
    Running from: c:\documents and settings\Moshimoshifishy\Desktop\ComboFix.exe
    AV: Kaspersky Internet Security *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    ADS - explorer.exe: deleted 88 bytes in 2 streams.

    ((((((((((((((((((((((((( Files Created from 2010-02-19 to 2010-03-19 )))))))))))))))))))))))))))))))
    .

    2010-03-19 19:41 . 2010-03-19 19:42 -------- d-----w- C:\32788R22FWJFW
    2010-03-03 06:03 . 2010-03-03 06:03 -------- d-----w- c:\program files\Trend Micro
    2010-02-24 08:37 . 2010-02-24 08:37 -------- d--h--w- c:\windows\PIF
    2010-02-23 20:33 . 2010-02-23 20:33 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-02-19 23:58 . 2010-02-19 23:58 -------- d-----w- c:\documents and settings\Moshimoshifishy\Local Settings\Application Data\Unity
    2010-02-17 21:35 . 2009-08-06 19:23 274288 ----a-w- c:\windows\system32\mucltui.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-19 19:51 . 2007-12-10 21:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
    2010-03-19 19:42 . 2007-12-10 15:00 -------- d-----w- c:\documents and settings\Moshimoshifishy\Application Data\uTorrent
    2010-03-19 19:42 . 2010-01-21 19:00 -------- d-----w- c:\program files\DNA
    2010-03-19 19:42 . 2010-01-21 19:00 -------- d-----w- c:\documents and settings\Moshimoshifishy\Application Data\DNA
    2010-03-19 19:41 . 2009-11-14 11:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
    2010-03-19 19:38 . 2009-11-14 11:33 7802400 --sha-w- c:\windows\system32\drivers\fidbox.dat
    2010-03-19 19:38 . 2009-11-14 11:33 688160 --sha-w- c:\windows\system32\drivers\fidbox2.dat
    2010-03-19 19:38 . 2009-11-14 11:33 63084 --sha-w- c:\windows\system32\drivers\fidbox.idx
    2010-03-19 19:38 . 2009-11-14 11:33 4480 --sha-w- c:\windows\system32\drivers\fidbox2.idx
    2010-03-19 01:54 . 2009-10-23 14:45 -------- d-----w- c:\documents and settings\Moshimoshifishy\Application Data\vlc
    2010-03-18 07:32 . 2010-01-11 10:11 -------- d-----w- c:\documents and settings\Moshimoshifishy\Application Data\Skype
    2010-03-18 00:07 . 2006-01-13 01:46 1075200 ----a-w- c:\windows\explorer.exe
    2010-03-18 00:02 . 2008-01-19 11:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2010-03-06 20:01 . 2007-08-31 20:59 138384 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
    2010-03-06 19:59 . 2007-08-31 20:59 215128 ----a-w- c:\windows\system32\PnkBstrB.exe
    2010-03-05 08:25 . 2006-01-13 02:03 360448 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2010-02-16 20:52 . 2010-02-16 20:50 -------- d-----w- c:\program files\REALTEK USB Wireless LAN Driver and Utility
    2010-02-16 20:50 . 2007-08-31 18:16 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-02-10 21:41 . 2008-09-08 12:46 -------- d-----w- c:\documents and settings\Moshimoshifishy\Application Data\EndNote
    2010-01-30 18:46 . 2007-08-31 20:59 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
    2010-01-25 22:13 . 2007-08-31 15:48 -------- d-----w- c:\program files\Steam
    2010-01-20 22:15 . 2007-12-01 18:49 -------- d-----w- c:\documents and settings\Moshimoshifishy\Application Data\dvdcss
    2010-01-05 23:56 . 2010-01-05 23:56 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
    2010-01-05 19:20 . 2010-01-05 19:20 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys
    2008-09-21 22:24 . 2007-10-27 19:43 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
    .

    ------- Sigcheck -------

    [-] 2010-03-05 . 2A4818AEA80ACD2C95D7D92D2F3155F8 . 360448 . . [5.1.2600.2688] . . c:\windows\system32\drivers\tcpip.sys

    [-] 2006-01-13 . C3B84871DECE94E335B96FAFD756316C . 2187904 . . [5.1.2600.2765] . . c:\windows\system32\ntoskrnl.exe

    [-] 2010-03-18 . 2DEACA71A7FD77205F59D48D76B2F565 . 1075200 . . [6.00.2900.2649] . . c:\windows\explorer.exe
    .
    ((((((((((((((((((((((((((((( SnapShot@2010-02-24_16.46.14 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-03-19 19:40 . 2010-03-19 19:40 16384 c:\windows\temp\Perflib_Perfdata_f0.dat
    + 2010-03-18 00:01 . 2010-03-18 00:01 16384 c:\windows\temp\Perflib_Perfdata_128.dat
    + 2010-02-17 22:45 . 2010-03-06 10:16 87548 c:\windows\system32\Restore\rstrlog.dat
    + 2010-03-06 19:57 . 2010-03-06 20:49 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-01-15 147456]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-19 68856]
    "NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 81920]
    "uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-02-05 289584]
    "igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-05-15 1103216]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
    "BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2010-01-21 323392]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]
    "nwiz"="nwiz.exe" [2007-10-04 1626112]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-01-13 208952]
    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2006-01-13 59392]
    "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-25 149280]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-04 81920]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
    "VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992]
    "LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
    "AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-11-23 201992]
    "QuickTime Task"="c:\program files\QuickTime Alternative\QTTask.exe" [2009-11-10 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "msnsc"="c:\windows\system32\msnsc.exe" [2006-01-13 62054]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "tscuninstall"="c:\windows\system32\tscupgrd.exe" [2006-01-13 44544]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    REALTEK USB Wireless LAN Utility.lnk - c:\program files\REALTEK USB Wireless LAN Driver and Utility\RtWLan.exe [2010-2-16 790528]
    Update Agent.lnk - c:\program files\3\3Connect\AutoUpdateSrv.exe [2009-2-3 670256]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Steam\\Steam.exe"=
    "c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Kontiki\\KService.exe"=
    "c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
    "c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Civilization4.exe"=
    "c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Warlords\\Civ4Warlords.exe"=
    "c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Beyond the Sword\\Civ4BeyondSword.exe"=
    "c:\\Program Files\\Steam\\steamapps\\wizwoo\\half-life 2 deathmatch\\hl2.exe"=
    "c:\\Program Files\\Arcen Games, LLC\\AI War\\AIWar.exe"=
    "c:\\Program Files\\Arcen Games, LLC\\AI War\\AIWarUpdater.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "8945:TCP"= 8945:TCP:pjronn

    R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [29/01/2008 18:29 33808]
    R0 nvata;nvata;c:\windows\system32\drivers\nvata.sys [31/08/2007 15:09 92800]
    R0 sfdrv01;StarForce Protection Environment Driver (version 1.x);c:\windows\system32\drivers\sfdrv01.sys [26/03/2006 12:22 51200]
    R0 sfhlp02;StarForce Protection Helper Driver (version 2.x);c:\windows\system32\drivers\sfhlp02.sys [13/03/2006 09:38 6656]
    R0 sfsync04;StarForce Protection Synchronization Driver (version 4.x);c:\windows\system32\drivers\sfsync04.sys [24/03/2006 16:27 50176]
    R0 sfvfs02;StarForce Protection VFS Driver (version 2.x);c:\windows\system32\drivers\sfvfs02.sys [03/11/2005 14:40 63488]
    R2 Apple Mobile Device;Apple Mobile Device;c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [28/08/2009 19:42 144672]
    R2 atksgt;atksgt;c:\windows\system32\drivers\atksgt.sys [26/12/2008 17:12 279712]
    R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [05/01/2010 19:20 38144]
    R2 JavaQuickStarterService;Java Quick Starter;c:\program files\Java\jre6\bin\jqs.exe [25/10/2009 11:27 153376]
    R2 KService;KService;c:\program files\Kontiki\KService.exe [14/12/2007 13:05 3068352]
    R2 lirsgt;lirsgt;c:\windows\system32\drivers\lirsgt.sys [26/12/2008 17:12 25888]
    R2 mdvrmng;Mobile IP Route Manager;c:\windows\system32\drivers\mdvrmng.sys [03/02/2009 21:28 10240]
    R2 MSCamSvc;MSCamSvc;c:\program files\Microsoft LifeCam\MSCamS32.exe [17/05/2007 21:45 271720]
    R2 npkcrypt;npkcrypt;c:\program files\Tencent\QQ\npkcrypt.sys [22/06/2007 10:44 25074]
    R2 NVSvc;NVIDIA Display Driver Service;c:\windows\system32\nvsvc32.exe [13/03/2007 05:58 155716]
    R2 PnkBstrA;PnkBstrA;c:\windows\system32\PnkBstrA.exe [31/08/2007 20:59 75064]
    R2 PnkBstrB;PnkBstrB;c:\windows\system32\PnkBstrB.exe [31/08/2007 20:59 215128]
    R2 PSI_SVC_2;Protexis Licensing V2;c:\program files\Common Files\Protexis\License Service\PsiService_2.exe [24/07/2007 10:15 185632]
    R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [13/03/2008 19:02 26640]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [25/03/2008 20:07 24592]
    R3 NMIndexingService;NMIndexingService;c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe [15/01/2007 15:01 266240]
    R3 nvax;Service for NVIDIA(R) nForce(TM) Audio Enumerator;c:\windows\system32\drivers\nvax.sys [26/07/2005 05:58 53376]
    R3 nvnforce;Service for NVIDIA(R) nForce(TM) Audio;c:\windows\system32\drivers\nvapu.sys [26/07/2005 06:01 415360]
    S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/12/2007 22:33 685816]
    S3 hwdatacard;Huawei DataCard USB Modem and USB Serial;c:\windows\system32\drivers\ewusbmdm.sys [03/02/2009 21:27 101376]
    S3 NdisIP;Microsoft TV/Video Connection;c:\windows\system32\drivers\NdisIP.sys [06/10/2008 11:19 10880]
    S3 NVR0Dev;NVR0Dev;c:\windows\nvoclock.sys [03/07/2007 12:33 6912]
    S3 PnkBstrK;PnkBstrK;c:\windows\system32\drivers\PnkBstrK.sys [31/08/2007 20:59 138384]
    S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187.sys [31/08/2007 15:09 194304]
    S3 SLIP;BDA Slip De-Framer;c:\windows\system32\drivers\SLIP.sys [06/10/2008 11:19 11136]
    S3 USBAAPL;Apple Mobile USB Driver;c:\windows\system32\drivers\usbaapl.sys [06/01/2010 00:05 40448]
    S3 VX3000;VX-3000;c:\windows\system32\drivers\VX3000.sys [06/10/2008 11:12 1966696]
    S3 WpdUsb;WpdUsb;c:\windows\system32\drivers\wpdusb.sys [13/01/2006 01:47 38656]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-03-19 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-09-02 18:28]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uInternet Settings,ProxyServer = 0.0.0.0.0:80
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
    IE: Add to QQ Customized Emoticons - c:\program files\Tencent\QQ\AddEmotion.htm
    IE: Add to QQ Customized Panel - c:\program files\Tencent\QQ\AddPanel.htm
    IE: Add to QQ Emotions - c:\program files\Tencent\QQ\AddEmotion.htm
    IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    IE: Send picture by MMS - c:\program files\Tencent\QQ\SendMMS.htm
    IE: Send Picture with QQ MMS - c:\program files\Tencent\QQ\SendMMS.htm
    IE: Upload to QQ Network Hard Disk - c:\program files\Tencent\QQ\AddToNetDisk.htm
    IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157b} - c:\program files\Tencent\QQ\QQ.EXE
    FF - ProfilePath - c:\documents and settings\Moshimoshifishy\Application Data\Mozilla\Firefox\Profiles\jorr8o4m.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - www.google.co.uk
    FF - component: c:\documents and settings\Moshimoshifishy\Application Data\Mozilla\Firefox\Profiles\jorr8o4m.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - plugin: c:\program files\Download Manager\npfpdlm.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\Picasa2\npPicasa2.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin2.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin3.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin4.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin5.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin6.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin7.dll
    FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-19 19:51
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1757981266-1614895754-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:58,48,36,70,f8,75,ac,56,be,08,fb,c0,a7,75,c4,33,04,0b,aa,37,f1,1f,89,
    9e,f6,46,92,67,63,66,6e,eb,3b,85,0a,3c,13,cc,c3,b9,62,5c,da,b6,a6,b3,04,88,\
    "??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

    [HKEY_USERS\S-1-5-21-1757981266-1614895754-725345543-1003\Software\SecuROM\License information*]
    "datasecu"=hex:ba,0d,2a,a9,6e,d1,29,7b,f6,93,93,ec,f8,fb,32,d0,4c,75,4f,59,c6,
    08,b6,71,c6,85,30,42,d9,04,19,29,14,fc,9b,c8,f7,24,cf,34,45,1c,39,bf,e0,8a,\
    "rkeysecu"=hex:29,23,be,84,e1,6c,d6,ae,52,90,49,f1,f1,bb,e9,eb
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(996)
    c:\windows\system32\klogon.dll

    - - - - - - - > 'explorer.exe'(2404)
    c:\windows\system32\msi.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-03-19 19:54:45
    ComboFix-quarantined-files.txt 2010-03-19 19:54
    ComboFix2.txt 2010-03-03 05:24
    ComboFix3.txt 2010-02-24 16:54

    Pre-Run: 12,579,299,328 bytes free
    Post-Run: 12,578,082,816 bytes free

    - - End Of File - - 8CC351017CA893DB8C16FC2690D357FC


    ------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:00:00, on 19/03/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Kontiki\KService.exe
    C:\Program Files\Microsoft LifeCam\MSCamS32.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\PnkBstrB.exe
    c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\uTorrent\uTorrent.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\DNA\btdna.exe
    C:\Program Files\REALTEK USB Wireless LAN Driver and Utility\RtWLan.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\3\3Connect\AutoUpdateSrv.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0.0:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
    O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
    O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
    O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKUS\S-1-5-18\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
    O4 - Global Startup: REALTEK USB Wireless LAN Utility.lnk = ?
    O4 - Global Startup: Update Agent.lnk = ?
    O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
    O8 - Extra context menu item: Add to QQ Customized Emoticons - C:\Program Files\Tencent\QQ\AddEmotion.htm
    O8 - Extra context menu item: Add to QQ Customized Panel - C:\Program Files\Tencent\QQ\AddPanel.htm
    O8 - Extra context menu item: Add to QQ Emotions - C:\Program Files\Tencent\QQ\AddEmotion.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send picture by MMS - C:\Program Files\Tencent\QQ\SendMMS.htm
    O8 - Extra context menu item: Send Picture with QQ MMS - C:\Program Files\Tencent\QQ\SendMMS.htm
    O8 - Extra context menu item: Upload to QQ Network Hard Disk - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
    O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
    O9 - Extra 'Tools' menuitem: Tencent QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE (file missing)
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
    O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

    --
    End of file - 10075 bytes
     


  4. 2010/03/19
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I still want to go back to this:
    The scan results you posted listed only the lower section, "Additional information".
    I'd like to see the upper part of the scan, which should look like this:
    In addition, when you upload the file and the file is listed as already analyzed, click on the "Reanalyse file now" button.
    I also want you to try explorer.exe again.
     
  5. 2010/03/23
    Yushi44

    Yushi44 Inactive Thread Starter

    Joined:
    2010/02/21
    Messages:
    15
    Likes Received:
    0
    I scanned all of them again; explorer seems to scan now that the desktop is working.

    -----------------------

    File explorer.exe received on 2010.03.23 08:30:09 (UTC)
    Result: 9/42 (21.43%)
    Antivirus Version Last Update Result
    a-squared 4.5.0.50 2010.03.23 Trojan-Downloader.Win32.Small!IK
    AhnLab-V3 5.0.0.2 2010.03.22 -
    AntiVir 8.2.1.196 2010.03.23 BDS/Small.iuj
    Antiy-AVL 2.0.3.7 2010.03.23 -
    Authentium 5.2.0.5 2010.03.23 -
    Avast 4.8.1351.0 2010.03.22 -
    Avast5 5.0.332.0 2010.03.22 -
    AVG 9.0.0.787 2010.03.23 -
    BitDefender 7.2 2010.03.23 -
    CAT-QuickHeal 10.00 2010.03.23 -
    ClamAV 0.96.0.0-git 2010.03.23 -
    Comodo 4355 2010.03.23 -
    DrWeb 5.0.1.12222 2010.03.23 -
    eSafe 7.0.17.0 2010.03.21 -
    eTrust-Vet 35.2.7382 2010.03.22 -
    F-Prot 4.5.1.85 2010.03.23 -
    F-Secure 9.0.15370.0 2010.03.23 -
    Fortinet 4.0.14.0 2010.03.22 W32/Small.IVE!tr.bdr
    GData 19 2010.03.23 -
    Ikarus T3.1.1.80.0 2010.03.23 Trojan-Downloader.Win32.Small
    Jiangmin 13.0.900 2010.03.23 -
    K7AntiVirus 7.10.1004 2010.03.22 -
    Kaspersky 7.0.0.125 2010.03.23 -
    McAfee 5928 2010.03.22 -
    McAfee+Artemis 5928 2010.03.22 Artemis!2DEACA71A7FD
    McAfee-GW-Edition 6.8.5 2010.03.23 Trojan.Backdoor.Small.iuj
    Microsoft 1.5605 2010.03.23 -
    NOD32 4966 2010.03.22 -
    Norman 6.04.09 2010.03.22 -
    nProtect 2009.1.8.0 2010.03.23 Backdoor/W32.Small.1075200
    Panda 10.0.2.2 2010.03.22 -
    PCTools 7.0.3.5 2010.03.23 -
    Prevx 3.0 2010.03.23 -
    Rising 22.40.01.04 2010.03.23 -
    Sophos 4.51.0 2010.03.23 -
    Sunbelt 6031 2010.03.22 Trojan.Win32.Generic!BT
    Symantec 20091.2.0.41 2010.03.23 -
    TheHacker 6.5.2.0.241 2010.03.22 -
    TrendMicro 9.120.0.1004 2010.03.23 -
    VBA32 3.12.12.2 2010.03.22 Backdoor.Win32.Small.ive
    ViRobot 2010.3.23.2239 2010.03.23 -
    VirusBuster 5.0.27.0 2010.03.22 -
    Additional information
    File size: 1075200 bytes
    MD5...: 2deaca71a7fd77205f59d48d76b2f565
    SHA1..: 03159aa736961faff48f23f6e9a016d2555107b8
    SHA256: b4fc9bc886ec7855893eb1050fa13ddbdcc8de4d01a5544db2beaf45a90efb15
    ssdeep: 12288:/lSDf0XQKEYnEC2kR83ve+skzaUkP8J1ozgdBLlw:tw0AKE2Er6+sk5kP8JdXLlw
    PEiD..: -
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x1a50f
    timedatestamp.....: 0x4254fe83 (Thu Apr 07 09:33:55 2005)
    machinetype.......: 0x14c (I386)

    ( 4 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x44749 0x44800 6.36 87c7af9337f3955cb1aaf8eaecb9963b
    .data 0x46000 0x1db0 0x1800 1.30 6f7a8ca01bbf5135d058551b882fa235
    .rsrc 0x48000 0xbd000 0xbcc00 6.51 bb623869cca09ec63b3f5f037f173e36
    .reloc 0x105000 0x36e0 0x3800 6.76 90a514d26612338ea4d641063e5b3ac1

    ( 13 imports )

    ( 0 exports )
    RDS...: NSRL Reference Data Set
    -
    pdfid.: -
    trid..: Win32 Executable MS Visual C++ (generic) (65.2%)
    Win32 Executable Generic (14.7%)
    Win32 Dynamic Link Library (generic) (13.1%)
    Generic Win/DOS Executable (3.4%)
    DOS Executable Generic (3.4%)
    sigcheck:
    publisher....: Microsoft Corporation
    copyright....: (c) Microsoft Corporation. All rights reserved.
    product......: Microsoft_ Windows_ Operating System
    description..: Windows Explorer
    original name: EXPLORER.EXE
    internal name: explorer
    file version.: 6.00.2900.2649 (xpsp.050406-1732)
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned

    ----------------------------

    File svchost.exe received on 2010.03.23 01:34:09 (UTC)
    Current status: finished
    Result: 0/42 (0.00%)
    Antivirus Version Last Update Result
    a-squared 4.5.0.50 2010.03.22 -
    AhnLab-V3 5.0.0.2 2010.03.22 -
    AntiVir 8.2.1.196 2010.03.22 -
    Antiy-AVL 2.0.3.7 2010.03.19 -
    Authentium 5.2.0.5 2010.03.23 -
    Avast 4.8.1351.0 2010.03.22 -
    Avast5 5.0.332.0 2010.03.22 -
    AVG 9.0.0.787 2010.03.23 -
    BitDefender 7.2 2010.03.23 -
    CAT-QuickHeal 10.00 2010.03.22 -
    ClamAV 0.96.0.0-git 2010.03.22 -
    Comodo 4353 2010.03.22 -
    DrWeb 5.0.1.12222 2010.03.23 -
    eSafe 7.0.17.0 2010.03.21 -
    eTrust-Vet 35.2.7382 2010.03.22 -
    F-Prot 4.5.1.85 2010.03.23 -
    F-Secure 9.0.15370.0 2010.03.23 -
    Fortinet 4.0.14.0 2010.03.22 -
    GData 19 2010.03.23 -
    Ikarus T3.1.1.80.0 2010.03.22 -
    Jiangmin 13.0.900 2010.03.22 -
    K7AntiVirus 7.10.1004 2010.03.22 -
    Kaspersky 7.0.0.125 2010.03.22 -
    McAfee 5928 2010.03.22 -
    McAfee+Artemis 5928 2010.03.22 -
    McAfee-GW-Edition 6.8.5 2010.03.23 -
    Microsoft 1.5605 2010.03.22 -
    NOD32 4966 2010.03.22 -
    Norman 6.04.09 2010.03.22 -
    nProtect 2009.1.8.0 2010.03.22 -
    Panda 10.0.2.2 2010.03.22 -
    PCTools 7.0.3.5 2010.03.22 -
    Prevx 3.0 2010.03.23 -
    Rising 22.40.00.04 2010.03.22 -
    Sophos 4.51.0 2010.03.23 -
    Sunbelt 6031 2010.03.22 -
    Symantec 20091.2.0.41 2010.03.23 -
    TheHacker 6.5.2.0.241 2010.03.22 -
    TrendMicro 9.120.0.1004 2010.03.22 -
    VBA32 3.12.12.2 2010.03.22 -
    ViRobot 2010.3.22.2238 2010.03.22 -
    VirusBuster 5.0.27.0 2010.03.22 -
    Additional information
    File size: 14336 bytes
    MD5 : 8f078ae4ed187aaabc0a305146de6716
    SHA1 : da0ff4006859a7580aba81f486f692dead2014fe
    SHA256: 16593943861d03d508f37f60e41240dee14221e76f625835487f73d5010ac18a
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x2509
    timedatestamp.....: 0x41107ED6 (Wed Aug 4 08:14:46 2004)
    machinetype.......: 0x14C (Intel I386)

    ( 3 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x2C00 0x2C00 6.29 6fc4d075dfb37185ffae8eacb467b822
    .data 0x4000 0x1F0 0x200 1.61 553c0ebbbc67abab785f2065a062b522
    .rsrc 0x5000 0x418 0x600 2.54 2997285df9158db5a62ffb42a2fd0d07

    ( 0 imports )


    ( 0 exports )
    TrID : File type identification
    Win32 Executable Generic (42.3%)
    Win32 Dynamic Link Library (generic) (37.6%)
    Generic Win/DOS Executable (9.9%)
    DOS Executable Generic (9.9%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
    ThreatExpert: http://www.threatexpert.com/report.aspx?md5=8f078ae4ed187aaabc0a305146de6716
    ssdeep: 384:cpiRrTp13SkhnRCwOV5JpeLCdw9rDpWCl8CbW:dT/3Ska6Lh8C
    sigcheck: publisher....: Microsoft Corporation
    copyright....: (c) Microsoft Corporation. All rights reserved.
    product......: Microsoft_ Windows_ Operating System
    description..: Generic Host Process for Win32 Services
    original name: svchost.exe
    internal name: svchost.exe
    file version.: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned
    PEiD : -
    PDFiD : ['-', None, None]
    RDS : NSRL Reference Data Set

    ( Gateway )

    Gateway Operating System Windows XP Pro Edition SP2: SVCHOST.EXE, svchost.exe
    ( Microsoft )

    -----------------------------------

    File userinit.exe received on 2010.03.22 22:09:12 (UTC)
    Current status: finished
    Result: 0/42 (0.00%)
    Antivirus Version Last Update Result
    a-squared 4.5.0.50 2010.03.22 -
    AhnLab-V3 5.0.0.2 2010.03.22 -
    AntiVir 8.2.1.196 2010.03.22 -
    Antiy-AVL 2.0.3.7 2010.03.19 -
    Authentium 5.2.0.5 2010.03.22 -
    Avast 4.8.1351.0 2010.03.22 -
    Avast5 5.0.332.0 2010.03.22 -
    AVG 9.0.0.787 2010.03.22 -
    BitDefender 7.2 2010.03.22 -
    CAT-QuickHeal 10.00 2010.03.22 -
    ClamAV 0.96.0.0-git 2010.03.22 -
    Comodo 4353 2010.03.22 -
    DrWeb 5.0.1.12222 2010.03.22 -
    eSafe 7.0.17.0 2010.03.21 -
    eTrust-Vet 35.2.7382 2010.03.22 -
    F-Prot 4.5.1.85 2010.03.22 -
    F-Secure 9.0.15370.0 2010.03.22 -
    Fortinet 4.0.14.0 2010.03.22 -
    GData 19 2010.03.22 -
    Ikarus T3.1.1.80.0 2010.03.22 -
    Jiangmin 13.0.900 2010.03.22 -
    K7AntiVirus 7.10.1004 2010.03.22 -
    Kaspersky 7.0.0.125 2010.03.22 -
    McAfee 5928 2010.03.22 -
    McAfee+Artemis 5928 2010.03.22 -
    McAfee-GW-Edition 6.8.5 2010.03.22 -
    Microsoft 1.5605 2010.03.22 -
    NOD32 4966 2010.03.22 -
    Norman 6.04.09 2010.03.22 -
    nProtect 2009.1.8.0 2010.03.22 -
    Panda 10.0.2.2 2010.03.22 -
    PCTools 7.0.3.5 2010.03.22 -
    Prevx 3.0 2010.03.22 -
    Rising 22.40.00.04 2010.03.22 -
    Sophos 4.51.0 2010.03.22 -
    Sunbelt 6031 2010.03.22 -
    Symantec 20091.2.0.41 2010.03.22 -
    TheHacker 6.5.2.0.241 2010.03.22 -
    TrendMicro 9.120.0.1004 2010.03.22 -
    VBA32 3.12.12.2 2010.03.22 -
    ViRobot 2010.3.22.2238 2010.03.22 -
    VirusBuster 5.0.27.0 2010.03.22 -
    Additional information
    File size: 24576 bytes
    MD5 : 39b1ffb03c2296323832acbae50d2aff
    SHA1 : e5aedcbe25a97c89101f1f3860ff846e94d70445
    SHA256: 5b5d71718108e132d10bafb0c217f469a1e3cc13f79ff8d9cbe3bf4918aff7b7
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x50E5
    timedatestamp.....: 0x41107B78 (Wed Aug 4 08:00:24 2004)
    machinetype.......: 0x14C (Intel I386)

    ( 3 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x4DB8 0x4E00 6.01 16aee663ed180007a0bf5bf24b845096
    .data 0x6000 0x14C 0x200 1.86 cbb599f9267bf53209039d14a3574eb1
    .rsrc 0x7000 0xB60 0xC00 3.27 b388ab1541ccd9727979fb26a23f72e1

    ( 7 imports )


    ( 0 exports )
    TrID : File type identification
    Win32 Executable MS Visual C++ (generic) (65.2%)
    Win32 Executable Generic (14.7%)
    Win32 Dynamic Link Library (generic) (13.1%)
    Generic Win/DOS Executable (3.4%)
    DOS Executable Generic (3.4%)
    ThreatExpert: http://www.threatexpert.com/report.aspx?md5=39b1ffb03c2296323832acbae50d2aff
    ssdeep: 384:DNkhB/JD1CzaxzOV6s9cKmdPGFQ273eLXVBYkkjuv1hkNLdbaLa4CwUJuUCSF4WL:gJDUaxgu5YEVBxkjuv7wbaLa4PU4b7
    sigcheck: publisher....: Microsoft Corporation
    copyright....: (c) Microsoft Corporation. All rights reserved.
    product......: Microsoft_ Windows_ Operating System
    description..: Userinit Logon Application
    original name: USERINIT.EXE
    internal name: userinit
    file version.: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned
    PEiD : -
    RDS : NSRL Reference Data Set

    ( Gateway )

    Gateway Operating System Windows XP Pro Edition SP2: USERINIT.EXE, userinit.exe
    ( Microsoft )

    MSDN Disc 2428.4: userinit.exe
    MSDN Disc 2428.5: userinit.exe
    MSDN Disc 2428.8: userinit.exe
    Operating System Reinstallation CD Microsoft Windows XP Professional Service Pack 2: userinit.exe
    Virtual PC for Mac Windows XP Home Edition: userinit.exe
    Virtual PC for Mac Windows XP Professional Edition: userinit.exe
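As an added example (not from this thread or any tool it names), a small Python parser for the VirusTotal report layout pasted above, with a triage rule that reads the engine hits together with the publisher and signature fields; the sample excerpts are constructed from the explorer.exe and svchost.exe reports in this post.

```python
"""Parse a pasted VirusTotal report (the 2010-era web layout quoted in this
thread): detection ratio, flagging engines, file hashes, version-info claims."""
import re

# Constructed excerpts copied from the reports pasted above, minus most engines.
EXPLORER_REPORT = """\
File explorer.exe received on 2010.03.23 08:30:09 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.03.23 Trojan-Downloader.Win32.Small!IK
AhnLab-V3 5.0.0.2 2010.03.22 -
AntiVir 8.2.1.196 2010.03.23 BDS/Small.iuj
VBA32 3.12.12.2 2010.03.22 Backdoor.Win32.Small.ive
MD5...: 2deaca71a7fd77205f59d48d76b2f565
sigcheck:
publisher....: Microsoft Corporation
file version.: 6.00.2900.2649 (xpsp.050406-1732)
verified.....: Unsigned
"""
SVCHOST_REPORT = """\
File svchost.exe received on 2010.03.23 01:34:09 (UTC)
Kaspersky 7.0.0.125 2010.03.22 -
VBA32 3.12.12.2 2010.03.22 -
MD5 : 8f078ae4ed187aaabc0a305146de6716
sigcheck: publisher....: Microsoft Corporation
verified.....: Unsigned
"""

ENGINE_LINE = re.compile(r"^(\S+) (\S+) (\d{4}\.\d{2}\.\d{2}) (.+)$")
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256)[ .]*: *([0-9a-fA-F]{32,64})$")
FIELD_LINE = re.compile(r"^([a-z][a-z ]*?)\.*: *(.+)$")


def parse_report(text):
    """Return {'file', 'engines', 'hashes', 'fields'}; 'engines' maps an engine
    name to its detection name, or None where the result column was '-'."""
    report = {"file": None, "engines": {}, "hashes": {}, "fields": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("sigcheck:"):  # svchost layout folds a field onto it
            line = line[len("sigcheck:"):].strip()
        if line.startswith("File ") and " received on " in line:
            report["file"] = line.split()[1]
            continue
        m = HASH_LINE.match(line)
        if m:
            report["hashes"][m.group(1)] = m.group(2).lower()
            continue
        m = ENGINE_LINE.match(line)
        if m:
            result = m.group(4).strip()
            report["engines"][m.group(1)] = None if result == "-" else result
            continue
        m = FIELD_LINE.match(line)
        if m:
            report["fields"][m.group(1).strip()] = m.group(2).strip()
    return report


def detections(report):
    """Engines that returned a detection name, as {engine: name}."""
    return {e: r for e, r in report["engines"].items() if r}


def triage(report, min_hits=2):
    """Findings worth acting on. 'Unsigned' alone is not one: XP system files
    are catalog-signed, not embedded-signed, so the clean svchost.exe report
    above reads 'Unsigned' too; several engine hits are what set explorer apart."""
    hits, fields, findings = detections(report), report["fields"], []
    if len(hits) >= min_hits:
        names = ", ".join("%s=%s" % (e, hits[e]) for e in sorted(hits))
        findings.append("%d/%d engines flag %s: %s"
                        % (len(hits), len(report["engines"]), report["file"], names))
        if fields.get("publisher", "").startswith("Microsoft") and fields.get("verified") == "Unsigned":
            findings.append("%s claims a Microsoft publisher but has no embedded "
                            "signature; check its hashes against a known-good copy" % report["file"])
    return findings
```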
     
  6. 2010/03/23
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Do you have Windows XP CD?
     
  7. 2010/03/24
    Yushi44

    Yushi44 Inactive Thread Starter

    Joined:
    2010/02/21
    Messages:
    15
    Likes Received:
    0
    Nope, it's a second hand computer which didn't come with the CD.
     
  8. 2010/03/24
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    We'll have to replace explorer.exe, which is possibly infected.
    Be extremely careful and make sure you follow my instructions to the dot, because explorer.exe is a very crucial file.

    I uploaded zipped explorer.exe file HERE
    Download it and unzip it.
    Paste explorer.exe into root C:\ folder.

    Then....

    Please download OTM

    • Save it to your desktop.
    • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes
    
    :Services
          
    :Reg
    
    :Files
    c:\windows\explorer.exe|C:\explorer.exe /replace
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
    
    • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM and reboot your PC.
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
     
  9. 2010/04/06
    Yushi44

    Yushi44 Inactive Thread Starter

    Joined:
    2010/02/21
    Messages:
    15
    Likes Received:
    0
    Hiya

    I have already replaced explorer.exe (with a file from a friend).
    The virus alerts have stopped but how can I make sure that the computer is OK?

    Thanks
     
  10. 2010/04/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Did you replace explorer.exe before VirusTotal scan, or after?
     