I can't run Spybot, Ewido, or Registry First Aid

Hi,

Could you describe what triggers restarting or does it happen randomly? Is there any kind of message shown?


Let's change the recovery settings to disable automatic rebooting to see if some critical error occurs before the restart:

1. Right-click My Computer, and then click Properties.

2. Click the Advanced tab.

3. Under Startup and Recovery, click Settings to open the Startup and Recovery dialog box.

4. Clear the Automatically restart check box, and click OK the necessary number of times.

5. Restart your computer for the settings to take effect.
 
It seemed somewhat random, but now that I think of it, it usually happens when Internet Explorer is open. There is no message shown; it is as if I had clicked the "turn off computer" button. It goes to the "saving system settings" screen and all that. I checked my Start Up and Recovery options and I didn't have the Automatic Restart box checked to begin with.

I was able to install the Windows Recovery Console now that I have an internet connection again.
 
Hi again,

Let's try a few more tools here.

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Please post contents of that file in your next reply.


Download GMER and save it to your desktop:
  • Extract it to your desktop and double-click GMER.exe
  • Click the Rootkit tab and then Scan.
  • Don't check the Show All box while scanning is in progress!
  • When scanning is ready, click Copy.
  • This copies the log to the clipboard.
  • Post the log in your reply.
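As an added example (not part of this thread, and not Malwarebytes' own code), here is a small Python triage script for the MBAM 1.x log layout that the steps above ask the poster to paste back. It assumes only what such logs show: a block of "Section Infected: N" counts, then one "Section Infected:" heading per category with "item (threat) -> action" lines beneath it. It runs on a constructed sample log (file and threat names are made up) and pulls out what a helper reads first: items only scheduled for "Delete on reboot", detections sitting in autostart Run keys, and any section whose declared count does not match the lines actually present, which usually means a truncated paste.

```python
"""Triage helper for a Malwarebytes' Anti-Malware (MBAM 1.x) scan log.

Added example; not from the forum thread and not Malwarebytes' own tooling.
Parses the section-based text layout (header counts, then one
"<Section> Infected:" block per category, each detection written as
"<item> (<threat>) -> <action>") and summarises it for a responder.
"""
import re
from collections import Counter

# Constructed sample log in the MBAM 1.x layout. File names and threat
# names are invented; "Files Infected: 4" deliberately disagrees with the
# three lines listed to exercise the truncated-paste check.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (C:\|)
Objects scanned: 1000

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Values Infected: 2
Files Infected: 4

Memory Processes Infected:
C:\WINDOWS\example_a.exe (Backdoor.Example) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\example_a (Trojan.Example) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\example_b (Backdoor.Example) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\example_a.exe (Backdoor.Example) -> Delete on reboot.
C:\WINDOWS\system32\example_b.exe (Trojan.Example) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\example_c.dll (Trojan.Example) -> Delete on reboot.
"""

# "Section Infected: N" summary line vs. bare "Section Infected:" heading.
COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):\s*$")
# Greedy item so a "(" inside a file name does not cut the line early;
# the threat name is the last parenthesised token before "->".
DETECTION_RE = re.compile(r"^(?P<item>.+) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
# Autostart locations: ...\CurrentVersion\Run, RunOnce, Policies\Explorer\Run.
AUTORUN_RE = re.compile(r"\\CurrentVersion\\(Policies\\Explorer\\)?Run(Once)?\\", re.IGNORECASE)


def parse_mbam_log(text):
    """Return (declared_counts, detections); each detection is a dict
    with keys section, item, threat and action."""
    declared, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            declared[m.group("section")] = int(m.group("count"))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None or line.startswith("(No malicious items"):
            continue  # header noise or an empty section
        m = DETECTION_RE.match(line)
        if m:
            detections.append({"section": section, **m.groupdict()})
    return declared, detections


def triage(text):
    """Summarise a log: totals, count mismatches, reboot-pending items,
    autostart persistence entries and threat families."""
    declared, detections = parse_mbam_log(text)
    observed = Counter(d["section"] for d in detections)
    mismatched = sorted(s for s in set(declared) | set(observed)
                        if declared.get(s, 0) != observed.get(s, 0))
    pending = [d["item"] for d in detections
               if d["action"].lower().startswith("delete on reboot")]
    autoruns = [d["item"] for d in detections
                if d["section"].startswith("Registry") and AUTORUN_RE.search(d["item"])]
    return {
        "total": len(detections),
        "mismatched_sections": mismatched,
        "pending_reboot": pending,
        "autorun_entries": autoruns,
        "families": Counter(d["threat"] for d in detections),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"{summary['total']} detections, families: {dict(summary['families'])}")
    print("sections with count mismatch (truncated paste?):", summary["mismatched_sections"])
    print("still pending reboot:", *summary["pending_reboot"], sep="\n  ")
    print("autostart entries:", *summary["autorun_entries"], sep="\n  ")
```

To use it on a real log, read the file MBAM wrote (the Logs folder path is given in the steps above) and pass its contents to `triage()`; "Delete on reboot" items are the ones still present until the next restart, which is exactly when a reboot-time cleanup can go wrong.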
 
Hi,

I had some problems with my computer hanging and/or BSOD with these scans. The mbam scan went ok, but when it rebooted to finish the cleanup, I got a BSOD with the error "bad_pool_caller".

Also, the GMER scan was never able to go through; it hung or BSODed the 6 or so times I tried it. I will post the initial scan it does on start-up of the program.

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3

2/18/2009 2:15:19 PM
mbam-log-2009-02-18 (14-15-19).txt

Scan type: Full Scan (C:\|D:\|H:\|)
Objects scanned: 308130
Time elapsed: 1 hour(s), 16 minute(s), 55 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 15
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 51

Memory Processes Infected:
C:\WINDOWS\services.exe (Backdoor.ProRat) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lfzgxnve.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tjyzbell.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xlmazccf.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hdlhfpln.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lfzmillz.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zzgvvcxr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\services (Backdoor.ProRat) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\services (Backdoor.ProRat) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Backdoor.ProRat) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\services (Backdoor.ProRat) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Chris\reader_s.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\services.exe (Trojan.FakeAlert.H) -> Delete on reboot.
C:\WINDOWS\system32\reader_s.exe (Trojan.FakeAlert.H) -> Delete on reboot.
C:\WINDOWS\lfzgxnve.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\tjyzbell.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\xlmazccf.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\hdlhfpln.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\lfzmillz.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\zzgvvcxr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\1B.tmp.vir (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\1F.tmp.vir (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\26.tmp.vir (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\2D.tmp.vir (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\38.tmp.vir (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\39.tmp.vir (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\4C.tmp.vir (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ctlapotj.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\dejivibi(2).dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\efcDvTLd.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kibvpcif.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACbfpuoerx.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACfjtibldv.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UAChqjcpjre.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\vtUomJYq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\_awtUkIAQ.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\_fcccywtS.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\_hsfd83jfdg.dll.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\_nccmat.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\_polybf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ati8ubxx.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\protect.sys.vir (Trojan.NtRootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\D.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\E.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\F.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\inf\xccefb090131.scr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\xccdf16_090131a.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\xccdf32_090131a.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system\xccef090131.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\inf\xccdfb16_090131.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.



GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-18 23:26:41
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

Code 8A693480 pIofCallDriver

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs uoeiupgf.sys
Device \FileSystem\Fastfat \Fat uoeiupgf.sys
Device \Driver\NDIS \Device\Ndis [8A66D984] NDIS.sys[.reloc]

---- Processes - GMER 1.0.14 ----

Process C:\Documents and Settings\Chris\kfurfg.exe (*** hidden *** ) 876

---- EOF - GMER 1.0.14 ----
 
Hi,

Please run ComboFix again and post back its report & a fresh hjt log.
 
Here are the logs

ComboFix 09-02-15.01 - Chris 2009-02-19 12:32:44.4 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1758 [GMT -8:00]
Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
AV: Trend Micro PC-cillin Internet Security 2006 *On-access scanning disabled* (Outdated)
FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Chris\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\Install.txt
c:\windows\system32\config\systemprofile\reader_s.exe
c:\windows\system32\drivers\ntndis.sys
c:\windows\system32\drivers\str.sys
c:\windows\system32\inf\rundll33.exe
c:\windows\system32\Install.txt
c:\windows\system32\w.exe
c:\windows\system32\xcchit32.ini
c:\windows\xccwinsys.ini

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\svchost.exe . . . is infected!!

c:\windows\system32\spoolsv.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AFISICX
-------\Legacy_DEFAULTLIB
-------\Legacy_MABIDWE
-------\Legacy_NOYTCYR
-------\Legacy_ROYTCTM
-------\Legacy_SOXPECA
-------\Legacy_TDYDOWKC
-------\Legacy_WSLDOEKD
-------\Service_defaultlib
-------\Service_Passthru


((((((((((((((((((((((((( Files Created from 2009-01-19 to 2009-02-19 )))))))))))))))))))))))))))))))
.

2009-02-18 12:56 . 2009-02-18 12:56 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-18 12:56 . 2009-02-18 12:56 <DIR> d-------- c:\documents and settings\Chris\Application Data\Malwarebytes
2009-02-18 12:56 . 2009-02-18 12:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-18 12:56 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-18 12:56 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-18 12:55 . 2009-02-18 12:55 163,268 --a------ c:\windows\system32\19.tmp
2009-02-18 12:55 . 2009-02-18 12:55 2,048 --a------ c:\windows\system32\16.tmp
2009-02-18 12:55 . 2009-02-18 12:55 168 --a------ c:\windows\system32\10.tmp
2009-02-18 12:43 . 2009-02-18 12:45 163,268 --a------ c:\windows\system32\17.tmp
2009-02-18 12:43 . 2009-02-18 12:43 2,048 --a------ c:\windows\system32\14.tmp
2009-02-17 14:31 . 2009-02-17 14:38 <DIR> d-------- C:\CombFxx
2009-02-17 14:29 . 2009-02-17 14:31 159,613 --a------ c:\windows\system32\13.tmp
2009-02-17 14:29 . 2009-02-17 14:29 31,744 --ah----- c:\documents and settings\Chris\kfurfg.exe
2009-02-17 14:16 . 2009-02-17 14:16 244 --ah----- C:\sqmnoopt19.sqm
2009-02-17 14:16 . 2009-02-17 14:16 232 --ah----- C:\sqmdata19.sqm
2009-02-17 14:14 . 2009-02-17 14:14 25,601 --a------ c:\windows\system32\12.tmp
2009-02-17 14:06 . 2009-02-17 14:06 244 --ah----- C:\sqmnoopt18.sqm
2009-02-17 14:06 . 2009-02-17 14:06 232 --ah----- C:\sqmdata18.sqm
2009-02-17 14:05 . 2009-02-17 14:05 244 --ah----- C:\sqmnoopt17.sqm
2009-02-17 14:05 . 2009-02-17 14:05 232 --ah----- C:\sqmdata17.sqm
2009-02-17 14:04 . 2009-02-17 14:04 31,744 --ah----- c:\documents and settings\Chris\hbxha.exe
2009-02-17 12:17 . 2009-02-17 12:17 206 --a------ c:\windows\system32\MRT.INI
2009-02-17 10:41 . 2009-02-17 10:41 24,577 --a------ c:\windows\system32\86.tmp
2009-02-17 10:41 . 2009-02-17 10:41 244 --ah----- C:\sqmnoopt16.sqm
2009-02-17 10:41 . 2009-02-17 10:41 232 --ah----- C:\sqmdata16.sqm
2009-02-17 10:40 . 2009-02-17 10:40 244 --ah----- C:\sqmnoopt15.sqm
2009-02-17 10:40 . 2009-02-17 10:40 244 --ah----- C:\sqmnoopt14.sqm
2009-02-17 10:40 . 2009-02-17 10:40 232 --ah----- C:\sqmdata15.sqm
2009-02-17 10:40 . 2009-02-17 10:40 232 --ah----- C:\sqmdata14.sqm
2009-02-17 10:39 . 2009-02-17 10:39 244 --ah----- C:\sqmnoopt13.sqm
2009-02-17 10:39 . 2009-02-17 10:39 232 --ah----- C:\sqmdata13.sqm
2009-02-17 10:38 . 2009-02-17 10:41 163,748 --a------ c:\windows\system32\11.tmp
2009-02-17 10:38 . 2009-02-17 10:38 77,824 --a------ c:\windows\system32\u101795332.dll
2009-02-17 10:38 . 2009-02-17 10:38 31,744 --ah----- c:\documents and settings\Chris\tka.exe
2009-02-17 01:44 . 2009-02-17 10:34 130 --a------ c:\windows\adobe.bat
2009-02-17 01:44 . 2009-02-17 01:44 6 --a------ c:\windows\_id.dat
2009-02-17 01:41 . 2009-02-17 01:41 31,744 --ah----- c:\documents and settings\Chris\ccumuu.exe
2009-02-16 23:04 . 2009-02-16 23:04 33,920 --a------ c:\windows\system32\drivers\uoeiupgf.sys
2009-02-16 22:56 . 2009-02-18 12:45 137,408 --a------ c:\windows\system32\drivers\ethpllbq.sys
2009-02-16 22:55 . 2009-02-16 22:55 <DIR> d-------- c:\windows\$ntunistalls
2009-02-16 22:55 . 2009-02-16 22:55 52 --a------ c:\windows\system32\xcchit32.ini.ssyq
2009-02-16 22:54 . 2002-02-15 14:02 676,352 --a------ c:\windows\system32\rtl60.bpl
2009-02-16 22:54 . 2009-02-16 22:54 62,464 --a------ c:\windows\Eyexipadaxu.dll
2009-02-16 22:54 . 2009-02-16 22:54 44,032 --a------ c:\windows\system32\grcrt2.exe
2009-02-16 22:53 . 2009-02-17 14:29 67,072 ---h----- c:\windows\system32\secupdat.dat
2009-02-16 22:53 . 2009-02-17 14:29 53,248 --a------ c:\windows\system32\drivers\ndisio.sys
2009-02-16 22:53 . 2009-02-16 22:53 31,744 --ah----- c:\documents and settings\Chris\nldhj.exe
2009-02-14 10:34 . 2009-02-14 10:34 182,656 --a--c--- c:\windows\system32\dllcache\ndis.sys
2009-02-14 02:10 . 2009-02-14 02:10 <DIR> d-------- C:\rsit
2009-02-09 00:22 . 2009-02-19 12:34 <DIR> d-------- c:\windows\system32\inf
2009-01-28 22:36 . 2009-01-28 22:36 <DIR> d-------- C:\gnuplot
2009-01-24 15:17 . 2009-01-24 15:17 244 --ah----- C:\sqmnoopt12.sqm
2009-01-24 15:17 . 2009-01-24 15:17 232 --ah----- C:\sqmdata12.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-17 22:14 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-17 22:13 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-16 19:53 --------- d-----w c:\program files\SnapStream Media
2009-02-16 19:53 --------- d-----w c:\documents and settings\All Users\Application Data\SnapStream
2009-02-16 18:29 --------- d-----w c:\program files\Common Files\Adobe
2009-02-15 20:19 --------- d-----w c:\program files\QSuite
2009-02-14 18:48 --------- d-----w c:\program files\Java
2009-02-14 18:34 182,656 ----a-w c:\windows\system32\drivers\ndis.sys
2009-01-14 20:58 --------- d-----w c:\program files\MixMeister Fusion + Video
2009-01-11 05:32 --------- d-----w c:\documents and settings\Chris\Application Data\MixMeister Technology
2008-12-31 01:37 --------- d-----w c:\documents and settings\All Users\Application Data\Minnetonka Audio Software
2008-12-28 23:25 --------- d-----w c:\documents and settings\Chris\Application Data\Apple Computer
2004-09-10 21:40 92,160 ----a-w c:\program files\DECCHECK.exe
2004-09-10 21:40 5,970 ----a-w c:\program files\eula.txt
2008-10-06 16:57 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-10-06 16:57 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-10-06 16:57 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-10-06 16:57 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-10-06 16:57 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

2004-08-04 04:00 31232 67569ebfaf170f559143d4434e2056ee c:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-13 16:12 31744 e7062f33567f821d9e7ef6ff75e12694 c:\windows\ServicePackFiles\i386\svchost.exe
2009-01-22 22:56 31232 eb015b8f368f08ea457000a19175bee4 c:\windows\system32\svchost.exe
2009-01-22 22:56 31232 c7a2f067e4455df518241a532a56c16d c:\windows\system32\dllcache\svchost.exe

2004-08-04 04:00 182912 1df7f42665c94b825322fae71721130d c:\windows\$NtServicePackUninstall$\ndis.sys
2008-04-13 11:20 182656 1df7f42665c94b825322fae71721130d c:\windows\ServicePackFiles\i386\ndis.sys
2009-02-14 10:34 212608 1df7f42665c94b825322fae71721130d c:\windows\system32\dllcache\ndis.sys
2009-02-14 10:34 212608 1df7f42665c94b825322fae71721130d c:\windows\system32\drivers\ndis.sys

2008-04-13 16:12 1050624 a70fd46df39fc22b3db23e55b4fb520c c:\windows\explorer.exe
2007-06-13 03:26 1050112 62088503ce726540fd2b65eef9261b23 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 02:23 1050112 575ab078a76fc433e6b1f79269b09190 c:\windows\$NtServicePackUninstall$\explorer.exe
2004-08-04 04:00 1049088 c6affd4a895a674719ddd3fb2bc40da7 c:\windows\$NtUninstallKB938828$\explorer.exe
2008-04-13 16:12 1050624 8c08a5235fc41026da77fa8bc60d2907 c:\windows\ServicePackFiles\i386\explorer.exe

2004-08-04 04:00 32256 b9d5ef452ce5b5ca09fdaa782c2ad5bc c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-13 16:12 32256 11cde4a9c00d81d9390caeafe0193f89 c:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-13 16:12 32256 ba567d2aad8ed2aae7183702d96650b6 c:\windows\system32\ctfmon.exe

2005-06-10 16:17 74752 bb33ba137547b468c1f6e253b8cff829 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-10 15:53 74752 346c592ebdb24f1dfe45987c110b20f3 c:\windows\$NtServicePackUninstall$\spoolsv.exe
2004-08-04 04:00 74752 aead5cc82bacdd5af8838dcdaea7811c c:\windows\$NtUninstallKB896423$\spoolsv.exe
2008-04-13 16:12 74752 53b1c475dbb1dfd3157355607cfd42e6 c:\windows\ServicePackFiles\i386\spoolsv.exe
2008-04-13 16:12 74752 05c5ed1c4f67a4df9fbac916bea9f26c c:\windows\system32\spoolsv.exe

2004-08-04 04:00 41472 712f66b287319fb3d0f9dc76cc5a793c c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 16:12 43008 7da09362dc61d725ed47002994d9a291 c:\windows\ServicePackFiles\i386\userinit.exe
2008-04-13 16:12 43008 9834e0cdeb23ae248fd546c8ac4782e7 c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-02-15_12.27.06.64 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-05-10 23:51:10 75,776 ----a-w c:\windows\$hf_mig$\KB896428\SP2QFE\telnet.exe
+ 2005-05-10 23:51:10 92,672 ----a-w c:\windows\$hf_mig$\KB896428\SP2QFE\telnet.exe
- 2007-12-06 08:34:45 625,664 ----a-w c:\windows\$hf_mig$\KB944533-IE7\SP2QFE\iexplore.exe
+ 2007-12-06 08:34:45 643,072 ----a-w c:\windows\$hf_mig$\KB944533-IE7\SP2QFE\iexplore.exe
- 2008-10-16 12:46:08 70,656 ----a-w c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\ie4uinit.exe
+ 2008-10-16 12:46:08 87,552 ----a-w c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\ie4uinit.exe
- 2004-08-04 12:00:00 19,968 -c----w c:\windows\$NtServicePackUninstall$\ssbezier.scr
+ 2004-08-04 12:00:00 36,864 -c----w c:\windows\$NtServicePackUninstall$\ssbezier.scr
- 2004-08-04 12:00:00 214,528 -c----w c:\windows\$NtServicePackUninstall$\wordpad.exe
+ 2004-08-04 12:00:00 231,936 -c----w c:\windows\$NtServicePackUninstall$\wordpad.exe
- 2007-06-05 19:41:16 573,503 ----a-w c:\windows\gmer.dll
+ 2009-02-19 05:18:14 884,736 ----a-w c:\windows\gmer.dll
- 2008-08-25 08:38:00 13,824 -c----w c:\windows\ie7updates\KB958215-IE7\ieudinit.exe
+ 2008-08-25 08:38:00 30,720 -c----w c:\windows\ie7updates\KB958215-IE7\ieudinit.exe
+ 2007-12-12 23:06:42 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe
- 2008-04-14 00:12:12 14,336 ------w c:\windows\ServicePackFiles\i386\auditusr.exe
+ 2008-04-14 00:12:12 31,232 ------w c:\windows\ServicePackFiles\i386\auditusr.exe
- 2008-04-14 00:12:15 39,936 ------w c:\windows\ServicePackFiles\i386\cmmon32.exe
+ 2008-04-14 00:12:15 56,832 ------w c:\windows\ServicePackFiles\i386\cmmon32.exe
- 2008-04-13 18:43:32 9,728 ------w c:\windows\ServicePackFiles\i386\comsdupd.exe
+ 2008-04-13 18:43:32 26,624 ------w c:\windows\ServicePackFiles\i386\comsdupd.exe
- 2008-04-14 00:12:34 18,944 ------w c:\windows\ServicePackFiles\i386\secedit.exe
+ 2008-04-14 00:12:34 35,840 ------w c:\windows\ServicePackFiles\i386\secedit.exe
- 2008-04-14 00:12:40 196,608 ------w c:\windows\ServicePackFiles\i386\wmiadap.exe
+ 2008-04-14 00:12:40 214,016 ------w c:\windows\ServicePackFiles\i386\wmiadap.exe
- 2000-08-31 16:00:00 179,200 ----a-w c:\windows\SWREG.exe
+ 2000-08-31 16:00:00 179,712 ----a-w c:\windows\SWREG.exe
- 2008-04-14 00:12:14 56,832 ----a-w c:\windows\system32\cipher.exe
+ 2008-04-14 00:12:14 73,728 ----a-w c:\windows\system32\cipher.exe
+ 2009-02-18 20:54:56 32,768 --sha-w c:\windows\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\UserData\index.dat
- 2009-02-15 20:08:58 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-19 20:45:58 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-15 20:08:58 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-19 20:45:58 98,304 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-19 05:38:27 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009021820090219\index.dat
- 2009-02-15 20:08:58 49,152 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-19 20:45:58 278,528 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2004-08-04 12:00:00 262,200 -c--a-w c:\windows\system32\dllcache\imjputy.exe
+ 2004-08-04 12:00:00 282,680 -c--a-w c:\windows\system32\dllcache\imjputy.exe
- 2004-09-23 02:45:46 991,232 -c--a-w c:\windows\system32\dllcache\migrate.exe
+ 2004-09-23 02:45:46 1,011,712 -c--a-w c:\windows\system32\dllcache\migrate.exe
- 2004-08-04 12:00:00 35,328 -c--a-w c:\windows\system32\dllcache\notiflag.exe
+ 2004-08-04 12:00:00 52,224 -c--a-w c:\windows\system32\dllcache\notiflag.exe
- 2007-06-05 19:41:16 69,905 ----a-w c:\windows\system32\drivers\gmer.sys
+ 2009-02-19 05:18:14 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
- 2008-04-14 00:12:24 59,392 ----a-w c:\windows\system32\logman.exe
+ 2008-04-14 00:12:24 76,288 ----a-w c:\windows\system32\logman.exe
- 2009-01-10 01:35:28 20,853,704 ----a-w c:\windows\system32\MRT.exe
+ 2009-02-12 04:56:17 21,244,872 ----a-w c:\windows\system32\MRT.exe
- 2008-11-14 09:40:23 71,512 ----a-w c:\windows\system32\perfc009.dat
+ 2009-02-17 05:17:37 71,512 ----a-w c:\windows\system32\perfc009.dat
- 2008-11-14 09:40:23 441,954 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-17 05:17:37 441,954 ----a-w c:\windows\system32\perfh009.dat
+ 2004-01-23 00:31:54 10,761 ----a-w c:\windows\system32\ReinstallBackups\0022\DriverFiles\x10uif.sys
- 2007-11-30 12:39:22 17,272 ----a-w c:\windows\system32\spmsg.dll
+ 2008-07-09 07:38:24 17,272 ------w c:\windows\system32\spmsg.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 32256]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 221696]
"FireflyMini"="c:\program files\SnapStream Media\Firefly Mini\FireflyMini.exe" [2007-01-12 155648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 461584]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2005-12-04 437008]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 2006\pccguide.exe" [2005-09-28 917566]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 151552]
"pdfFactory Pro Dispatcher v2"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" [2006-01-12 516096]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 434176]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-05-28 570664]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-04 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"FireflyMini"="c:\program files\SnapStream Media\Firefly Mini\FireflyMini.exe" [2007-01-12 155648]
"Firefly"="c:\program files\SnapStream Media\Firefly\Firefly.exe" [2006-06-05 200704]
"SoundMan"="SOUNDMAN.EXE" [2005-06-20 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"reader_s"="c:\documents and settings\Chris\reader_s.exe" [BU]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\a.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\matrix31290.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpa.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpb.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpc.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\uoeiupgf.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVRegistrationService.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVLibraryService.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVNetworkService.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVNotifierService.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVRecordingEngine.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVGuideDataLoader.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVSettingsService.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVTaskManagerService.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVD3DShell.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\SetupWizard.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 AmdAcpi;AmdAcpi Bus Filter Driver;c:\windows\system32\drivers\amdacpi.sys [2006-01-13 13824]
R0 uoeiupgf;uoeiupgf;c:\windows\system32\drivers\uoeiupgf.sys [2009-02-16 33920]
R1 amdtools;AMD Special Tools Driver;c:\windows\system32\drivers\amdtools.sys [2006-01-13 21120]
S0 scybpr;scybpr;c:\windows\system32\drivers\trbg.sys --> c:\windows\system32\drivers\trbg.sys [?]
S1 ethpllbq;ethpllbq;c:\windows\system32\drivers\ethpllbq.sys [2009-02-16 137408]
S1 ewido security suite driver;ewido security suite driver;c:\program files\ewido anti-malware\guard.sys [2005-12-30 3072]
S2 acnkm;acnkm;\??\c:\windows\system32\drivers\dcqkplt.sys --> c:\windows\system32\drivers\dcqkplt.sys [?]
S2 RTWTKRNL;Real-Time Windows Target;c:\windows\system32\drivers\RTWTKRNL.sys [2008-02-11 27200]
S2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2005-09-26 205328]
S2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2005-09-28 360517]
S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2005-09-12 651325]
S2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2005-09-26 36368]
S2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2005-09-12 307268]
S3 atirage;atirage;c:\windows\system32\drivers\atiragem.sys [2006-01-12 70528]
S3 MPCSYS;MPCSYS; [x]
S3 WLAN(WLAN);XPC 802.11b/g Wireless Kit Driver(WLAN);c:\windows\system32\drivers\ZD1211U.sys [2006-01-12 278016]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{V2FR455T-5K8M-BRW1-NFF4-I3DY73S22YA5}]
"c:\program files\Internet Explorer\iexplore.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-02-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-DeskTopSrv - c:\windows\system32\grcrt.exe
HKU-Default-Run-cogad - c:\documents and settings\Chris\Application Data\cogad\cogad.exe
HKLM-Explorer_Run-xccinit - c:\windows\system32\inf\rundll33.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\z2fqqhdr.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-19 12:46:49
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:83,70,db,6f,f3,01,18,bc,8a,2c,26,51,2d,77,68,01,45,df,69,a2,32,
04,4f,4d,2e,7b,c9,65,6b,2f,a9,6c,42,48,23,e3,82,6e,4e,c2,89,10,ea,8f,ec,03,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:83,70,db,6f,f3,01,18,bc,8a,2c,26,51,2d,77,68,01,45,df,69,a2,32,
04,4f,4d,2e,7b,c9,65,6b,2f,a9,6c,42,48,23,e3,82,6e,4e,c2,89,10,ea,8f,ec,03,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(232)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-02-19 12:52:33 - machine was rebooted [Chris]
ComboFix-quarantined-files.txt 2009-02-19 20:52:31
ComboFix2.txt 2009-02-16 18:51:52
ComboFix3.txt 2009-02-15 20:27:49

Pre-Run: 32,262,320,128 bytes free
Post-Run: 32,266,375,168 bytes free

Current=1 Default=1 Failed=2 LastKnownGood=3 Sets=1,2,3,4
334 --- E O F --- 2009-02-17 20:17:16


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:54:34 PM, on 2/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Chris\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\explorer.exe,
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [FireflyMini] "C:\Program Files\SnapStream Media\Firefly Mini\FireflyMini.exe"
O4 - HKLM\..\Run: [Firefly] C:\Program Files\SnapStream Media\Firefly\Firefly.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [FireflyMini] "C:\Program Files\SnapStream Media\Firefly Mini\FireflyMini.exe"
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Chris\reader_s.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\Chris\reader_s.exe (User 'Default user')
O4 - Global Startup: BDARemote.lnk = ?
O4 - Global Startup: Beyond TV.lnk = C:\Program Files\SnapStream Media\Beyond TV\BTVAgent2.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_11.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137127858093
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - http://www.seagate.com/support/disc/asp/tools/en/bin/npseatools.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB701\webserver\bin\win32\matlabserver.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\RpcSandraSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\SNAPST~1\Common\x10nets.exe

--
End of file - 7951 bytes
 
Hi,

Upload the following files to http://www.virustotal.com and post back the results:
c:\windows\system32\userinit.exe
c:\windows\system32\svchost.exe
c:\windows\system32\spoolsv.exe
c:\windows\explorer.exe
 
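The VirusTotal reports posted in the reply below print, besides the vendor verdicts, each file's entry point and section table. Those two fields are where an appending file infector shows itself without any signature: the entry point no longer sits in .text but in the last section, which has grown and become random-looking (the userinit.exe report gives entrypointaddress 0x1008c99 and a .rsrc section at 0x8000 with entropy 7.63). The following is an added example, not code from this thread or from any of the tools used in it, that reads those fields from a PE32 image and applies that check. The 7.0 bits-per-byte threshold, the two constructed sample images, and the reading of VirusTotal's entrypointaddress as a virtual address against the 0x01000000 image base of Windows XP system binaries are assumptions made here.

```python
import hashlib
import math
import struct

SCN_CNT_CODE, SCN_CNT_DATA = 0x00000020, 0x00000040              # PE section characteristics
SCN_MEM_EXECUTE, SCN_MEM_READ, SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
FILE_ALIGN = 0x200
ENTROPY_SUSPICIOUS = 7.0  # assumed threshold; encrypted or packed code sits near 8 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe32(image: bytes) -> dict:
    """Walk the DOS, COFF, optional and section headers of a 32-bit PE image."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff, opt = e_lfanew + 4, e_lfanew + 24
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("not a PE32 (32-bit) optional header")
    entry_rva, image_base = (struct.unpack_from("<I", image, opt + o)[0] for o in (16, 28))
    table = opt + struct.unpack_from("<H", image, coff + 16)[0]  # opt + SizeOfOptionalHeader
    sections = []
    for i in range(struct.unpack_from("<H", image, coff + 2)[0]):  # NumberOfSections
        off = table + 40 * i
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", image, off + 8)
        sections.append({"name": image[off:off + 8].rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rsize": rsize,
                         "chars": struct.unpack_from("<I", image, off + 36)[0],
                         "entropy": shannon_entropy(image[rptr:rptr + rsize])})
    return {"entry_rva": entry_rva, "image_base": image_base, "sections": sections}


def find_entry_section(entry_rva: int, sections: list):
    """Return the section whose virtual range contains the entry point, or None."""
    return next((s for s in sections if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rsize"])), None)


def triage(image: bytes) -> dict:
    """Appending-infector heuristic: entry point moved into a non-code, last, high-entropy section."""
    pe = parse_pe32(image)
    secs, rva = pe["sections"], pe["entry_rva"]
    ep = find_entry_section(rva, secs)
    findings = []
    if ep is None:
        findings.append("entry point RVA 0x%x lies outside every section" % rva)
    else:
        if not ep["chars"] & SCN_CNT_CODE:
            findings.append("entry point in non-code section %s" % ep["name"])
        if len(secs) > 1 and ep is secs[-1]:
            findings.append("entry point in last section %s" % ep["name"])
        if ep["entropy"] > ENTROPY_SUSPICIOUS:
            findings.append("entry section %s has entropy %.2f" % (ep["name"], ep["entropy"]))
    return {"entry_rva": rva, "entry_section": ep["name"] if ep else None,
            "suspicious": bool(findings), "findings": findings}


def build_pe32(entry_rva: int, sections: list) -> bytes:
    """Assemble a minimal PE32 image from (name, rva, data, characteristics) tuples; test input only."""
    hdr_len = -(-(0x40 + 4 + 20 + 0xE0 + 40 * len(sections)) // FILE_ALIGN) * FILE_ALIGN
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0x1000, 0,
                      0x01000000, 0x1000, FILE_ALIGN).ljust(0xE0, b"\0")
    table, body, rptr = b"", b"", hdr_len
    for name, va, data, chars in sections:
        rsize = -(-len(data) // FILE_ALIGN) * FILE_ALIGN
        table += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(data), va, rsize, rptr, 0, 0, 0, 0, chars)
        body += data.ljust(rsize, b"\0")
        rptr += rsize
    return (dos + b"PE\0\0" + coff + opt + table).ljust(hdr_len, b"\0") + body


# Constructed samples, not files from this thread: a benign layout with the entry point in .text,
# and the same image after a simulated infection that appends a random-looking body to .rsrc,
# marks that section executable and repoints the entry point into it.
CODE = bytes([0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC3]) * 64  # repetitive stub, low entropy
RSRC = b"VS_VERSION_INFO".ljust(128, b"\0")
VIRAL_BODY = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4 KiB stand-in for encrypted code
CLEAN_IMAGE = build_pe32(0x1010, [
    (".text", 0x1000, CODE, SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ),
    (".rsrc", 0x2000, RSRC, SCN_CNT_DATA | SCN_MEM_READ)])
INFECTED_IMAGE = build_pe32(0x2000 + len(RSRC), [
    (".text", 0x1000, CODE, SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ),
    (".rsrc", 0x2000, RSRC + VIRAL_BODY, SCN_CNT_DATA | SCN_MEM_READ | SCN_MEM_WRITE | SCN_MEM_EXECUTE)])

# The userinit.exe section table as VirusTotal prints it in the reply below. Reading its
# entrypointaddress as a VA against XP's 0x01000000 system-binary image base is an assumption.
USERINIT_VT = {"entry_va": 0x1008C99, "image_base": 0x01000000, "sections": [
    {"name": ".text", "va": 0x1000, "vsize": 0x520E, "rsize": 0x5400, "entropy": 5.95},
    {"name": ".data", "va": 0x7000, "vsize": 0x14C, "rsize": 0x200, "entropy": 1.86},
    {"name": ".rsrc", "va": 0x8000, "vsize": 0x5C00, "rsize": 0x4E00, "entropy": 7.63}]}

if __name__ == "__main__":
    print(triage(CLEAN_IMAGE)["findings"], triage(INFECTED_IMAGE)["findings"])
```

Against real files the same `triage()` call takes `open(path, "rb").read()`; for the report data, `find_entry_section(0x1008C99 - 0x01000000, USERINIT_VT["sections"])` lands in .rsrc, which is the pattern the vendor verdicts below agree on. Treat a hit as a reason to compare the file's hash with a known-good copy from the install media or a clean machine with the same service pack, not as proof by itself: some packers and installers produce the same layout on legitimate binaries.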
File userinit.exe received on 02.20.2009 11:20:01 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.93 2009.02.20 -
AhnLab-V3 2009.2.20.1 2009.02.20 Win32/Virut.F
AntiVir 7.9.0.85 2009.02.20 W32/Virut.Gen
Authentium 5.1.0.4 2009.02.20 W32/Virut.AI!Generic
Avast 4.8.1335.0 2009.02.19 Win32:Vitro
AVG 8.0.0.237 2009.02.19 Win32/Virut
BitDefender 7.2 2009.02.20 -
CAT-QuickHeal 10.00 2009.02.20 W32.Virut.G
ClamAV 0.94.1 2009.02.20 -
Comodo 983 2009.02.19 -
DrWeb 4.44.0.09170 2009.02.20 Win32.Virut.56
eSafe 7.0.17.0 2009.02.19 -
eTrust-Vet 31.6.6367 2009.02.20 Win32/Virut.17408
F-Prot 4.4.4.56 2009.02.19 W32/Patched.E.gen!Eldorado
F-Secure 8.0.14470.0 2009.02.20 Virus.Win32.Virut.ce
Fortinet 3.117.0.0 2009.02.20 -
GData 19 2009.02.20 Win32:Vitro
Ikarus T3.1.1.45.0 2009.02.20 -
K7AntiVirus 7.10.637 2009.02.19 -
Kaspersky 7.0.0.125 2009.02.20 Virus.Win32.Virut.ce
McAfee 5530 2009.02.19 W32/Virut.n.gen
McAfee+Artemis 5530 2009.02.19 W32/Virut.n.gen
Microsoft 1.4306 2009.02.20 Virus:Win32/Virut.BM
NOD32 3871 2009.02.20 Win32/Virut.NBK
Norman 6.00.06 2009.02.19 -
nProtect 2009.1.8.0 2009.02.20 -
Panda 10.0.0.10 2009.02.20 W32/Sality.AO
PCTools 4.4.2.0 2009.02.19 -
Rising 21.17.42.00 2009.02.20 Win32.Virut.bm
SecureWeb-Gateway 6.7.6 2009.02.20 Win32.Virut.Gen
Sophos 4.38.0 2009.02.20 W32/Scribble-A
Sunbelt 3.2.1855.2 2009.02.17 Win32.Virut.cf (v)
Symantec 10 2009.02.20 W32.Virut.CF
TheHacker 6.3.2.3.261 2009.02.20 -
TrendMicro 8.700.0.1004 2009.02.20 PE_VIRUX.A-3
VBA32 3.12.10.0 2009.02.20 Virus.Win32.Virut.X5
ViRobot 2009.2.20.1616 2009.02.20 -
VirusBuster 4.5.11.0 2009.02.19 -

Additional information
File size: 43008 bytes
MD5...: 9834e0cdeb23ae248fd546c8ac4782e7
SHA1..: 634d61caafe8f5d10d48e5f6ce8a48c898453b31
SHA256: ea0e15b78b35c67b3df3c97725f79624a92b351cac40e14d6be339e8a51e8ebb
SHA512: b57e4a7a6ba72650e6a9c6519831f0fba2063e2474f1f6603132a8a362d1ef8a65c34ff4f9cc6bb1d8d20626bd3d83e78b3baa3e50bf40648f68d398aeeda715
ssdeep: 768:+RMJi8jDLIDSAaQFxfftjaLacmkLGKOqkL6/vy9f2kdqaREF4AM204o:+RMJbDMDSA7FxffJaLaSLG9qg42XqKEi
PEiD..: -
TrID..: File type identification
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1008c99
timedatestamp.....: 0x480251a8 (Sun Apr 13 18:32:08 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x520e 0x5400 5.95 099b53205ad3f1c3b853a5310d08a9b1
.data 0x7000 0x14c 0x200 1.86 0bb948f267e82975313a03d8c0e8a1cf
.rsrc 0x8000 0x5c00 0x4e00 7.63 8fdd2730c2290c4cd2b2cce70ef5e476

( 9 imports )
> USER32.dll: CreateWindowExW, DestroyWindow, RegisterClassExW, DefWindowProcW, LoadRemoteFonts, wsprintfW, GetSystemMetrics, GetKeyboardLayout, SystemParametersInfoW, GetDesktopWindow, LoadStringW, MessageBoxW, ExitWindowsEx, CharNextW
> ADVAPI32.dll: RegOpenKeyExA, ReportEventW, RegisterEventSourceW, DeregisterEventSource, OpenProcessToken, RegCreateKeyExW, RegSetValueExW, GetUserNameW, RegQueryValueExW, RegOpenKeyExW, RegQueryInfoKeyW, RegCloseKey, RegQueryValueExA
> CRYPT32.dll: CryptProtectData
> WINSPOOL.DRV: SpoolerInit
> ntdll.dll: RtlLengthSid, RtlCopySid, _itow, RtlFreeUnicodeString, DbgPrint, wcslen, wcscpy, wcscat, wcscmp, RtlInitUnicodeString, NtOpenKey, NtClose, _wcsicmp, memmove, RtlConvertSidToUnicodeString, NtQueryInformationToken
> NETAPI32.dll: DsGetDcNameW, NetApiBufferFree
> WLDAP32.dll: -, -, -, -, -, -
> msvcrt.dll: __setusermatherr, _initterm, __getmainargs, _acmdln, _adjust_fdiv, _XcptFilter, _exit, _c_exit, __p__commode, __p__fmode, __set_app_type, _except_handler3, _controlfp, _cexit, exit
> KERNEL32.dll: CompareFileTime, LoadLibraryW, GetProcAddress, FreeLibrary, lstrcpyW, CreateProcessW, lstrlenW, GetVersionExW, LocalFree, LocalAlloc, GetEnvironmentVariableW, CloseHandle, lstrcatW, WaitForSingleObject, DelayLoadFailureHook, GetStartupInfoA, GetModuleHandleA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, LoadLibraryA, InterlockedCompareExchange, LocalReAlloc, GetSystemTime, lstrcmpW, GetCurrentThread, SetThreadPriority, ExpandEnvironmentStringsW, SearchPathW, GetLastError, CreateThread, GetFileAttributesExW, GetSystemDirectoryW, SetCurrentDirectoryW, FormatMessageW, lstrcmpiW, GetCurrentProcess, GetUserDefaultLangID, GetCurrentProcessId, SetEvent, OpenEventW, Sleep, SetEnvironmentVariableW

( 0 exports )
 
File svchost.exe received on 02.20.2009 11:26:29 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.93 2009.02.20 -
AhnLab-V3 2009.2.20.1 2009.02.20 Win32/Virut.F
AntiVir 7.9.0.85 2009.02.20 W32/Virut.Gen
Authentium 5.1.0.4 2009.02.20 W32/Virut.AI!Generic
Avast 4.8.1335.0 2009.02.19 Win32:Vitro
AVG 8.0.0.237 2009.02.19 Win32/Virut
BitDefender 7.2 2009.02.20 -
CAT-QuickHeal 10.00 2009.02.20 W32.Virut.G
ClamAV 0.94.1 2009.02.20 -
Comodo 983 2009.02.19 -
DrWeb 4.44.0.09170 2009.02.20 Win32.Virut.56
eSafe 7.0.17.0 2009.02.19 -
eTrust-Vet 31.6.6367 2009.02.20 Win32/Virut.17408
F-Prot 4.4.4.56 2009.02.19 W32/Patched.E.gen!Eldorado
F-Secure 8.0.14470.0 2009.02.20 Virus.Win32.Virut.ce
Fortinet 3.117.0.0 2009.02.20 -
GData 19 2009.02.20 Win32:Vitro
Ikarus T3.1.1.45.0 2009.02.20 -
K7AntiVirus 7.10.637 2009.02.19 -
Kaspersky 7.0.0.125 2009.02.20 Virus.Win32.Virut.ce
McAfee 5530 2009.02.19 W32/Virut.n.gen
McAfee+Artemis 5530 2009.02.19 W32/Virut.n.gen
Microsoft 1.4306 2009.02.20 Virus:Win32/Virut.BM
NOD32 3871 2009.02.20 Win32/Virut.NBK
Norman 6.00.06 2009.02.19 -
nProtect 2009.1.8.0 2009.02.20 -
Panda 10.0.0.10 2009.02.20 W32/Sality.AO
PCTools 4.4.2.0 2009.02.19 -
Prevx1 V2 2009.02.20 -
Rising 21.17.42.00 2009.02.20 Win32.Virut.bm
SecureWeb-Gateway 6.7.6 2009.02.20 Win32.Virut.Gen
Sophos 4.38.0 2009.02.20 W32/Scribble-A
Sunbelt 3.2.1855.2 2009.02.17 Win32.Virut.cf (v)
TheHacker 6.3.2.3.261 2009.02.20 -
TrendMicro 8.700.0.1004 2009.02.20 PE_VIRUX.A-3
ViRobot 2009.2.20.1616 2009.02.20 -
VirusBuster 4.5.11.0 2009.02.19 -

Additional information
File size: 31232 bytes
MD5...: eb015b8f368f08ea457000a19175bee4
SHA1..: b375fce032c5c51736f2f9b52e61dacf9cccec70
SHA256: ceb8ab898772606390fbf58d4131b0c03e6eae0e0fe62e588e4d311a5cd3b84f
SHA512: a30b4b86f4dd6035b1ab725907cbc53baa3eeae2cbe2aa79dc8736d2b7d16df5f7e9ed8a30bebe9da032182380b88d5578d63c9582c8b684fa52a5b8ef329adf
ssdeep: 768:0NcG6xlCRaJKGOA7SHJMfKI79QAM43aeaai7+:WcG6yPzKSHJMfKI7f3aeaai7+
PEiD..: -
TrID..: File type identification
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x100574c
timedatestamp.....: 0x48025bc0 (Sun Apr 13 19:15:12 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2c00 0x2c00 6.29 f6589e1ed3da6afefb0b4294d9ff7f2e
.data 0x4000 0x210 0x200 1.62 cbd504e46c836e09e8faabdcfbabaec2
.rsrc 0x5000 0x5600 0x4800 7.78 d9a9e58087e5c8e5355fea79c9e1280f

( 4 imports )
> ADVAPI32.dll: RegQueryValueExW, SetSecurityDescriptorDacl, SetEntriesInAclW, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, InitializeSecurityDescriptor, GetTokenInformation, OpenProcessToken, OpenThreadToken, SetServiceStatus, RegisterServiceCtrlHandlerW, RegCloseKey, RegOpenKeyExW, StartServiceCtrlDispatcherW
> KERNEL32.dll: HeapFree, GetLastError, WideCharToMultiByte, lstrlenW, LocalFree, GetCurrentProcess, GetCurrentThread, GetProcAddress, LoadLibraryExW, LeaveCriticalSection, HeapAlloc, EnterCriticalSection, LCMapStringW, FreeLibrary, lstrcpyW, ExpandEnvironmentStringsW, lstrcmpiW, ExitProcess, GetCommandLineW, InitializeCriticalSection, GetProcessHeap, SetErrorMode, SetUnhandledExceptionFilter, RegisterWaitForSingleObject, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, UnhandledExceptionFilter, LocalAlloc, lstrcmpW, DelayLoadFailureHook
> ntdll.dll: NtQuerySecurityObject, RtlFreeHeap, NtOpenKey, wcscat, wcscpy, RtlAllocateHeap, RtlCompareUnicodeString, RtlInitUnicodeString, RtlInitializeSid, RtlLengthRequiredSid, RtlSubAuthoritySid, NtClose, RtlSubAuthorityCountSid, RtlGetDaclSecurityDescriptor, RtlQueryInformationAcl, RtlGetAce, RtlImageNtHeader, wcslen, RtlUnhandledExceptionFilter, RtlCopySid
> RPCRT4.dll: RpcServerUnregisterIfEx, RpcMgmtWaitServerListen, RpcMgmtSetServerStackSize, RpcServerUnregisterIf, RpcServerListen, RpcServerUseProtseqEpW, RpcServerRegisterIf, I_RpcMapWin32Status, RpcMgmtStopServerListening

( 0 exports )
 
File explorer.exe received on 02.20.2009 11:46:39 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.93 2009.02.20 -
AhnLab-V3 2009.2.20.1 2009.02.20 Win32/Virut.F
AntiVir 7.9.0.85 2009.02.20 W32/Virut.Gen
Authentium 5.1.0.4 2009.02.20 W32/Virut.AI!Generic
Avast 4.8.1335.0 2009.02.19 Win32:Vitro
AVG 8.0.0.237 2009.02.19 Win32/Virut
BitDefender 7.2 2009.02.20 -
CAT-QuickHeal 10.00 2009.02.20 W32.Virut.G
ClamAV 0.94.1 2009.02.20 -
Comodo 983 2009.02.19 -
DrWeb 4.44.0.09170 2009.02.20 Win32.Virut.56
eSafe 7.0.17.0 2009.02.19 -
eTrust-Vet 31.6.6367 2009.02.20 Win32/Virut.17408
F-Prot 4.4.4.56 2009.02.19 W32/Patched.E.gen!Eldorado
F-Secure 8.0.14470.0 2009.02.20 Virus.Win32.Virut.ce
Fortinet 3.117.0.0 2009.02.20 -
GData 19 2009.02.20 Win32:Vitro
Ikarus T3.1.1.45.0 2009.02.20 -
K7AntiVirus 7.10.637 2009.02.19 -
Kaspersky 7.0.0.125 2009.02.20 Virus.Win32.Virut.ce
McAfee 5530 2009.02.19 W32/Virut.n.gen
McAfee+Artemis 5530 2009.02.19 W32/Virut.n.gen
Microsoft 1.4306 2009.02.20 Virus:Win32/Virut.BM
NOD32 3871 2009.02.20 Win32/Virut.NBK
Norman 6.00.06 2009.02.19 -
nProtect 2009.1.8.0 2009.02.20 -
Panda 10.0.0.10 2009.02.20 W32/Sality.AO
PCTools 4.4.2.0 2009.02.19 -
Prevx1 V2 2009.02.20 -
Rising 21.17.42.00 2009.02.20 Win32.Virut.bm
SecureWeb-Gateway 6.7.6 2009.02.20 Win32.Virut.Gen
Sophos 4.38.0 2009.02.20 W32/Scribble-A
Sunbelt 3.2.1855.2 2009.02.17 Win32.Virut.cf (v)
Symantec 10 2009.02.20 W32.Virut.CF
TheHacker 6.3.2.3.261 2009.02.20 -
TrendMicro 8.700.0.1004 2009.02.20 PE_VIRUX.A-3
VBA32 3.12.10.0 2009.02.20 Virus.Win32.Virut.X5
ViRobot 2009.2.20.1616 2009.02.20 -
VirusBuster 4.5.11.0 2009.02.19 -

Additional information
File size: 1050624 bytes
MD5...: a70fd46df39fc22b3db23e55b4fb520c
SHA1..: ccdd04f0256eb35123dc472affc9354f150834b7
SHA256: fb4170e8399d8df98983afc70a1019e33112776b3e7bb88df5ac6f2169080e08
SHA512: 0dfcf79638c232108cee1a45b580ddb98b1dc0f5cf40ea1e99ba0e83903256a7dd53493f1156be8d103899db1683fdf119b7c984913ae4eb9db04ba023a96cd7
ssdeep: 12288:zHmcoCUyZtwAvAs4wTCyrPTloHWYUrkf8w0Vnzac1/g/J/vMS:rmfty/wAvN7lrvbkf8w0VnH1/g/J/k
PEiD..: -
TrID..: File type identification
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1102731
timedatestamp.....: 0x48025c30 (Sun Apr 13 19:17:04 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x44c09 0x44e00 6.38 fd89c9ce334764ffdbb62637ad9b5809
.data 0x46000 0x1db4 0x1800 1.30 983f35021232560eaaa99fcbc1b7d359
.rsrc 0x48000 0xb2268 0xb2400 6.63 95339c37646fa93e3695e06572a21889
.reloc 0xfb000 0x8800 0x7a00 7.65 b670d40ac7c77a807212bc99f89d076b

( 13 imports )
> ADVAPI32.dll: RegSetValueW, RegEnumKeyExW, GetUserNameW, RegNotifyChangeKeyValue, RegEnumValueW, RegQueryValueExA, RegOpenKeyExA, RegEnumKeyW, RegCloseKey, RegCreateKeyW, RegQueryInfoKeyW, RegOpenKeyExW, RegQueryValueExW, RegCreateKeyExW, RegSetValueExW, RegDeleteValueW, RegQueryValueW
> BROWSEUI.dll: -, -, -, -
> GDI32.dll: GetStockObject, CreatePatternBrush, OffsetViewportOrgEx, GetLayout, CombineRgn, CreateDIBSection, GetTextExtentPoint32W, StretchBlt, CreateRectRgnIndirect, CreateRectRgn, GetClipRgn, IntersectClipRect, GetViewportOrgEx, SetViewportOrgEx, SelectClipRgn, PatBlt, GetBkColor, CreateCompatibleDC, CreateCompatibleBitmap, OffsetWindowOrgEx, DeleteDC, SetBkColor, BitBlt, ExtTextOutW, GetTextExtentPointW, GetClipBox, GetObjectW, SetTextColor, SetBkMode, CreateFontIndirectW, DeleteObject, GetTextMetricsW, SelectObject, GetDeviceCaps, TranslateCharsetInfo, SetStretchBltMode
> KERNEL32.dll: GetSystemDirectoryW, CreateThread, CreateJobObjectW, ExitProcess, SetProcessShutdownParameters, ReleaseMutex, CreateMutexW, SetPriorityClass, GetCurrentProcess, GetStartupInfoW, GetCommandLineW, SetErrorMode, LeaveCriticalSection, EnterCriticalSection, ResetEvent, LoadLibraryExA, CompareFileTime, GetSystemTimeAsFileTime, SetThreadPriority, GetCurrentThreadId, GetThreadPriority, GetCurrentThread, GetUserDefaultLangID, Sleep, GetBinaryTypeW, GetModuleHandleExW, SystemTimeToFileTime, GetLocalTime, GetCurrentProcessId, GetEnvironmentVariableW, UnregisterWait, GlobalGetAtomNameW, GetFileAttributesW, MoveFileW, lstrcmpW, LoadLibraryExW, FindClose, FindNextFileW, FindFirstFileW, lstrcmpiA, SetEvent, AssignProcessToJobObject, GetDateFormatW, GetTimeFormatW, FlushInstructionCache, lstrcpynW, GetSystemWindowsDirectoryW, SetLastError, GetProcessHeap, HeapFree, HeapReAlloc, HeapSize, HeapAlloc, GetUserDefaultLCID, ReadProcessMemory, OpenProcess, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, UnhandledExceptionFilter, SetUnhandledExceptionFilter, VirtualFree, VirtualAlloc, ResumeThread, TerminateProcess, TerminateThread, GetSystemDefaultLCID, GetLocaleInfoW, CreateEventW, GetLastError, OpenEventW, DelayLoadFailureHook, WaitForSingleObject, GetTickCount, ExpandEnvironmentStringsW, GetModuleFileNameW, GetPrivateProfileStringW, lstrcmpiW, CreateProcessW, FreeLibrary, GetWindowsDirectoryW, LocalAlloc, CreateFileW, DeviceIoControl, LocalFree, GetQueuedCompletionStatus, CreateIoCompletionPort, SetInformationJobObject, CloseHandle, LoadLibraryW, GetModuleHandleW, ActivateActCtx, DeactivateActCtx, GetFileAttributesExW, GetProcAddress, DeleteCriticalSection, CreateEventA, HeapDestroy, InitializeCriticalSection, MulDiv, InitializeCriticalSectionAndSpinCount, lstrlenW, InterlockedDecrement, InterlockedIncrement, GlobalAlloc, InterlockedExchange, GetModuleHandleA, GetVersionExA, GlobalFree, GetProcessTimes, lstrcpyW, GetLongPathNameW, RegisterWaitForSingleObject
> msvcrt.dll: _itow, free, memmove, realloc, _except_handler3, malloc, _ftol, _vsnwprintf
> ntdll.dll: RtlNtStatusToDosError, NtQueryInformationProcess
> ole32.dll: CoFreeUnusedLibraries, RegisterDragDrop, CreateBindCtx, RevokeDragDrop, CoInitializeEx, CoUninitialize, OleInitialize, CoRevokeClassObject, CoRegisterClassObject, CoMarshalInterThreadInterfaceInStream, CoCreateInstance, OleUninitialize, DoDragDrop
> OLEAUT32.dll: -, -
> SHDOCVW.dll: -, -, -
> SHELL32.dll: -, -, SHGetFolderPathW, -, -, -, -, -, ExtractIconExW, -, -, -, -, -, -, -, -, -, -, -, -, -, -, SHGetSpecialFolderLocation, ShellExecuteExW, -, -, -, SHGetSpecialFolderPathW, -, -, -, SHBindToParent, -, -, -, SHParseDisplayName, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, SHChangeNotify, SHGetDesktopFolder, SHAddToRecentDocs, -, -, -, DuplicateIcon, -, -, -, -, -, -, -, -, SHUpdateRecycleBinIcon, SHGetFolderLocation, SHGetPathFromIDListA, -, -, -, -, -, -, -, SHGetPathFromIDListW, -, -, -
> SHLWAPI.dll: StrCpyNW, -, -, -, -, StrRetToBufW, StrRetToStrW, -, -, -, -, SHQueryValueExW, PathIsNetworkPathW, -, AssocCreate, -, -, -, -, -, StrCatW, StrCpyW, -, -, -, -, -, -, SHGetValueW, -, StrCmpNIW, PathRemoveBlanksW, PathRemoveArgsW, PathFindFileNameW, StrStrIW, PathGetArgsW, -, StrToIntW, SHRegGetBoolUSValueW, SHRegWriteUSValueW, SHRegCloseUSKey, SHRegCreateUSKeyW, SHRegGetUSValueW, SHSetValueW, -, PathAppendW, PathUnquoteSpacesW, -, -, PathQuoteSpacesW, -, SHSetThreadRef, SHCreateThreadRef, -, -, -, PathCombineW, -, -, -, SHStrDupW, PathIsPrefixW, PathParseIconLocationW, AssocQueryKeyW, -, AssocQueryStringW, StrCmpW, -, -, -, -, -, -, -, -, SHRegQueryUSValueW, SHRegOpenUSKeyW, SHRegSetUSValueW, PathIsDirectoryW, PathFileExistsW, PathGetDriveNumberW, -, StrChrW, PathFindExtensionW, -, -, PathRemoveFileSpecW, PathStripToRootW, -, -, -, SHOpenRegStream2W, -, -, -, StrDupW, SHDeleteValueW, StrCatBuffW, SHDeleteKeyW, StrCmpIW, -, -, wnsprintfW, -, -, StrCmpNW, -, -
> USER32.dll: TileWindows, GetDoubleClickTime, GetSystemMetrics, GetSysColorBrush, AllowSetForegroundWindow, LoadMenuW, GetSubMenu, RemoveMenu, SetParent, GetMessagePos, CheckDlgButton, EnableWindow, GetDlgItemInt, SetDlgItemInt, CopyIcon, AdjustWindowRectEx, DrawFocusRect, DrawEdge, ExitWindowsEx, WindowFromPoint, SetRect, AppendMenuW, LoadAcceleratorsW, LoadBitmapW, SendNotifyMessageW, SetWindowPlacement, CheckMenuItem, EndDialog, SendDlgItemMessageW, MessageBeep, GetActiveWindow, PostQuitMessage, MoveWindow, GetDlgItem, RemovePropW, GetClassNameW, GetDCEx, SetCursorPos, ChildWindowFromPoint, ChangeDisplaySettingsW, RegisterHotKey, UnregisterHotKey, SetCursor, SendMessageTimeoutW, GetWindowPlacement, LoadImageW, SetWindowRgn, IntersectRect, OffsetRect, EnumDisplayMonitors, RedrawWindow, SubtractRect, TranslateAcceleratorW, WaitMessage, InflateRect, CallWindowProcW, GetDlgCtrlID, SetCapture, LockSetForegroundWindow, SystemParametersInfoW, FindWindowW, CreatePopupMenu, GetMenuDefaultItem, DestroyMenu, GetShellWindow, EnumChildWindows, GetWindowLongW, SendMessageW, RegisterWindowMessageW, GetKeyState, CopyRect, MonitorFromRect, MonitorFromPoint, RegisterClassW, SetPropW, GetWindowLongA, SetWindowLongW, FillRect, GetCursorPos, MessageBoxW, LoadStringW, ReleaseDC, GetDC, EnumDisplaySettingsExW, EnumDisplayDevicesW, PostMessageW, DispatchMessageW, TranslateMessage, GetMessageW, PeekMessageW, PtInRect, BeginPaint, EndPaint, SetWindowTextW, GetAsyncKeyState, InvalidateRect, GetWindow, ShowWindowAsync, TrackPopupMenuEx, UpdateWindow, DestroyIcon, IsRectEmpty, SetActiveWindow, GetSysColor, DrawTextW, IsHungAppWindow, SetTimer, GetMenuItemID, TrackPopupMenu, EndTask, SendMessageCallbackW, GetClassLongW, LoadIconW, OpenInputDesktop, CloseDesktop, SetScrollPos, ShowWindow, BringWindowToTop, GetDesktopWindow, CascadeWindows, CharUpperBuffW, SwitchToThisWindow, InternalGetWindowText, GetScrollInfo, GetMenuItemCount, CreateWindowExW, DialogBoxParamW, MsgWaitForMultipleObjects, CharNextA, RegisterClipboardFormatW, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, PrintWindow, SetClassLongW, GetPropW, GetNextDlgGroupItem, GetNextDlgTabItem, ChildWindowFromPointEx, IsChild, NotifyWinEvent, TrackMouseEvent, GetCapture, GetAncestor, CharUpperW, SetWindowLongA, DrawCaption, ModifyMenuW, InsertMenuW, IsWindowEnabled, GetMenuState, LoadCursorW, GetParent, IsDlgButtonChecked, DestroyWindow, EnumWindows, IsWindowVisible, GetClientRect, UnionRect, EqualRect, GetWindowThreadProcessId, GetForegroundWindow, KillTimer, GetClassInfoExW, DefWindowProcW, RegisterClassExW, GetIconInfo, SetScrollInfo, GetLastActivePopup, SetForegroundWindow, IsWindow, GetSystemMenu, IsIconic, IsZoomed, EnableMenuItem, SetMenuDefaultItem, MonitorFromWindow, GetMonitorInfoW, GetWindowInfo, GetFocus, SetFocus, MapWindowPoints, ScreenToClient, ClientToScreen, GetWindowRect, SetWindowPos, DeleteMenu, GetMenuItemInfoW, SetMenuItemInfoW, CharNextW
> UxTheme.dll: GetThemeBackgroundContentRect, GetThemeBool, GetThemePartSize, DrawThemeParentBackground, OpenThemeData, DrawThemeBackground, GetThemeTextExtent, DrawThemeText, CloseThemeData, SetWindowTheme, GetThemeBackgroundRegion, -, GetThemeMargins, GetThemeColor, GetThemeFont, GetThemeRect, IsAppThemed

( 0 exports )
 
File spoolsv.exe received on 02.20.2009 11:52:29 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.93 2009.02.20 Virus.Win32.Patched.B!IK
AhnLab-V3 2009.2.20.1 2009.02.20 Win32/Virut.F
AntiVir 7.9.0.85 2009.02.20 W32/Virut.Gen
Authentium 5.1.0.4 2009.02.20 W32/Virut.AI!Generic
Avast 4.8.1335.0 2009.02.19 Win32:Vitro
AVG 8.0.0.237 2009.02.19 Win32/Virut
BitDefender 7.2 2009.02.20 -
CAT-QuickHeal 10.00 2009.02.20 W32.Virut.G
ClamAV 0.94.1 2009.02.20 -
Comodo 983 2009.02.19 -
DrWeb 4.44.0.09170 2009.02.20 Win32.Virut.56
eSafe 7.0.17.0 2009.02.19 Suspicious File
eTrust-Vet 31.6.6367 2009.02.20 Win32/Virut.17408
F-Prot 4.4.4.56 2009.02.19 W32/Patched.E.gen!Eldorado
F-Secure 8.0.14470.0 2009.02.20 Virus.Win32.Virut.ce
Fortinet 3.117.0.0 2009.02.20 -
GData 19 2009.02.20 Win32:Vitro
Ikarus T3.1.1.45.0 2009.02.20 Virus.Win32.Patched.B
K7AntiVirus 7.10.637 2009.02.19 -
Kaspersky 7.0.0.125 2009.02.20 Virus.Win32.Virut.ce
McAfee 5530 2009.02.19 W32/Virut.n.gen
McAfee+Artemis 5530 2009.02.19 W32/Virut.n.gen
Microsoft 1.4306 2009.02.20 Virus:Win32/Virut.BM
NOD32 3871 2009.02.20 Win32/Virut.NBK
Norman 6.00.06 None.. -
nProtect 2009.1.8.0 2009.02.20 -
Panda 10.0.0.10 2009.02.20 W32/Sality.AO
PCTools 4.4.2.0 2009.02.19 -
Prevx1 V2 2009.02.20 -
Rising 21.17.42.00 2009.02.20 Win32.Virut.bm
SecureWeb-Gateway 6.7.6 2009.02.20 Win32.Virut.Gen
Sophos 4.38.0 2009.02.20 W32/Scribble-A
Sunbelt 3.2.1855.2 2009.02.17 Win32.Virut.cf (v)
Symantec 10 2009.02.20 W32.Virut.CF
TheHacker 6.3.2.3.261 2009.02.20 -
TrendMicro 8.700.0.1004 2009.02.20 PE_VIRUX.A-3
VBA32 3.12.10.0 2009.02.20 Virus.Win32.Virut.X5
ViRobot 2009.2.20.1616 2009.02.20 -
VirusBuster 4.5.11.0 2009.02.19 -

Additional information
File size: 74752 bytes
MD5...: 05c5ed1c4f67a4df9fbac916bea9f26c
SHA1..: d407abb869ee082816713153eb6f3d0403e6905c
SHA256: ed6b4a635987f86191ec0d23e17412b51c8b02b1fae89c0ab8e96fd26a67b6f1
SHA512: 3f366919be5e073a3a4b95efaee10316642c779031d8cee8031c83ff70ffcfc0e3570c4370ca3ce996a7ff1189c4eeebd87f691a067d39b52626f809380af02e
ssdeep: 768:2E4EVpgSavGlAMm1yMvsCeq+H8O+j8f1b1mDV3D+JMG/dXplJigoCgSPJX6aIyEM:7gSHlAMmxUC/OUVIrOgoCgSPJHI92V3
PEiD..: -
TrID..: File type identification
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1013c2d
timedatestamp.....: 0x48025ce1 (Sun Apr 13 19:20:01 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xba70 0xbc00 5.96 d9b4f450aa98b3936118e3a3c42ed657
.data 0xd000 0x13b4 0x1400 2.24 887444c39cada5bd753c428783e0009b
.rsrc 0xf000 0x5e00 0x5000 7.79 5108dfb325120646cd470bc7767c8e7d

( 6 imports )
> ADVAPI32.dll: SetServiceStatus, RegQueryValueExW, AllocateAndInitializeSid, FreeSid, InitializeSecurityDescriptor, SetSecurityDescriptorOwner, SetSecurityDescriptorGroup, GetLengthSid, InitializeAcl, AddAccessAllowedAce, AddAccessDeniedAce, GetAce, SetSecurityDescriptorDacl, GetSecurityDescriptorLength, MakeSelfRelativeSD, RegDisablePredefinedCache, RegOpenKeyExW, RegCloseKey, RegisterServiceCtrlHandlerExW, StartServiceCtrlDispatcherW
> GDI32.dll: bMakePathNameW, GdiInitSpool, GdiGetSpoolMessage
> KERNEL32.dll: GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, GetCurrentProcessId, SetUnhandledExceptionFilter, GetModuleHandleA, GetCurrentThreadId, GetTickCount, UnhandledExceptionFilter, QueryPerformanceCounter, FreeLibrary, InterlockedExchange, GetModuleHandleW, GetLastError, ExitThread, CloseHandle, WaitForSingleObject, CreateEventW, CreateThread, ExitProcess, Sleep, OpenEventW, LoadLibraryA, InitializeCriticalSection, LocalFree, LocalAlloc, SetEvent, LeaveCriticalSection, EnterCriticalSection, SetLastError, OpenProcess, InterlockedIncrement, RaiseException, InterlockedDecrement, GetProcAddress, GetSystemDirectoryW
> msvcrt.dll: __initenv, _exit, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _controlfp, _XcptFilter, wcsrchr, wcslen, _c_exit, _stricmp, _wcsnicmp, _except_handler3
> ntdll.dll: RtlValidRelativeSecurityDescriptor
> RPCRT4.dll: RpcServerRegisterIf2, I_RpcBindingIsClientLocal, I_RpcSessionStrictContextHandle, RpcRaiseException, RpcImpersonateClient, RpcRevertToSelf, NdrServerCall2, RpcServerUseProtseqEpA, I_RpcSsDontSerializeContext, RpcMgmtSetServerStackSize, RpcServerListen

( 12 exports )
YDriverUnloadComplete, YEndDocPrinter, YFlushPrinter, YGetPrinter, YGetPrinterDriver2, YGetPrinterDriverDirectory, YReadPrinter, YSeekPrinter, YSetJob, YSetPort, YSplReadPrinter, YWritePrinter
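The pasted reports above are the flat text that VirusTotal produced in 2009: one row per engine, then a block of hashes. The small script below is an added example, not something from this thread or from VirusTotal: it parses those rows, counts how many engines flag the file, how many of them name Virut explicitly (as opposed to a vendor-specific or different family name, such as Avast's "Vitro" or Panda's "Sality" verdict), lists the engines that call it clean, and pulls out the hashes a responder would pivot on. The sample text is a constructed subset of rows and hashes taken from the two reports above; the parser runs unchanged over a full pasted report.

```python
"""Tally a pasted VirusTotal report (2009-era flat text layout).

Added example for this thread. SAMPLE_REPORT is a constructed subset of the
rows and hashes quoted earlier in the thread, kept short for illustration.
"""
import re

SAMPLE_REPORT = """\
File explorer.exe received on 02.20.2009 11:46:39 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.93 2009.02.20 -
AhnLab-V3 2009.2.20.1 2009.02.20 Win32/Virut.F
Avast 4.8.1335.0 2009.02.19 Win32:Vitro
eSafe 7.0.17.0 2009.02.19 Suspicious File
Norman 6.00.06 None.. -
Panda 10.0.0.10 2009.02.20 W32/Sality.AO
Sunbelt 3.2.1855.2 2009.02.17 Win32.Virut.cf (v)
Symantec 10 2009.02.20 W32.Virut.CF

Additional information
File size: 1050624 bytes
MD5...: a70fd46df39fc22b3db23e55b4fb520c
SHA1..: ccdd04f0256eb35123dc472affc9354f150834b7
"""

# A result row is: engine, version, "last update" (a date or VirusTotal's
# "None.." placeholder), then the verdict, which may contain spaces.
# Anchoring on the date column keeps the header and "File size:" lines out.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2}|None\.\.)\s+(.+?)\s*$")
# Hash lines look like "MD5...: <hex>", "SHA1..: <hex>", "SHA256: <hex>".
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256)\.*:\s*([0-9a-fA-F]+)\s*$")


def parse_rows(report_text):
    """Return one dict per engine row; non-row lines are skipped."""
    rows = []
    for line in report_text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        engine, version, updated, result = m.groups()
        rows.append({"engine": engine, "version": version,
                     "updated": updated, "result": result})
    return rows


def extract_hashes(report_text):
    """Return {'MD5': ..., 'SHA1': ..., 'SHA256': ...} for whichever are present."""
    hashes = {}
    for line in report_text.splitlines():
        m = HASH_RE.match(line)
        if m:
            hashes[m.group(1)] = m.group(2).lower()
    return hashes


def summarize(rows):
    """Detection count, explicit Virut naming, clean engines and dissenting verdicts."""
    detected = [r for r in rows if r["result"] != "-"]
    return {
        "engines": len(rows),
        "detections": len(detected),
        "named_virut": sum("virut" in r["result"].lower() for r in detected),
        "clean_engines": [r["engine"] for r in rows if r["result"] == "-"],
        # Verdicts that do not say Virut: vendor-specific names or other families.
        "other_verdicts": {r["engine"]: r["result"] for r in detected
                           if "virut" not in r["result"].lower()},
    }


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_REPORT)
    summary = summarize(rows)
    print(f"{summary['detections']}/{summary['engines']} engines flag the file, "
          f"{summary['named_virut']} of them name Virut")
    print("clean:", ", ".join(summary["clean_engines"]))
    for engine, verdict in summary["other_verdicts"].items():
        print(f"  {engine}: {verdict}")
    print("hashes:", extract_hashes(SAMPLE_REPORT))
```

The "named Virut" count is the useful number here: when most engines agree on a file infector family the right response is the one the helper gives next (rebuild), regardless of the one or two engines that call the same file clean or give it another name.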
 
Hi

I suspected this might be the case. Your system is infected by the Virut file infector virus, and that leaves no other choice than to reformat the system :sad: Virut infects all .exe and .scr files and also all web site related file types like .htm and .asp. All archive files with any of these listed file types are infected as well.
 
Also do I need to be worried about other computers on my network, and if I had been using a usb drive to transfer documents back and forth between computers?
 
Hi,

You may use an external USB drive for backing up after you've first made sure it doesn't carry Virut.

1. Download Flash_Disinfector and save it to your Desktop of your clean system.
2. After downloading, double-click on Flash_Disinfector to run it.
3. Just follow the prompts and continue until it begins scanning.
4. If asked to insert your flash drive or any removable device including USB Pen Drive and Memory Stick, please do so.
5. It will scan removable drives; wait for the scan to finish. Done.

After that, run Kaspersky Online Scanner on a clean machine to check your USB drive.

If Kaspersky doesn't find anything bad on the USB drive, then you can use it to back up stuff from the infected system, keeping in mind that these file types are not allowed:
-.exe
-.scr
-all web page files (.htm, .html, .asp, .aspx etc.)
-archive files (.zip & .rar) with any of above mentioned file types


Also do I need to be worried about other computers on my network, and if I had been using a usb drive to transfer documents back and forth between computers?
I recommend you run the Flash_Disinfector + Kaspersky Online Scanner check on each (hopefully) clean system in your network.
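The two rules the helper gives above (Virut infects .exe, .scr and web page files, and any archive holding one of those counts as infected too) translate directly into a selection filter for copying documents off the infected machine. The script below is an added example, not a tool from this thread: it walks a directory, refuses the listed extensions, opens .zip archives with the standard library and refuses any that contain a blocked member or a nested archive, and refuses .rar files outright because there is no standard-library reader to inspect them (that conservative choice is an assumption of this example). The sample tree it builds for the dry run is constructed and contains no real malware, only placeholder bytes.

```python
"""Decide which files may be copied off a Virut-infected drive.

Added example for this thread. The block list follows the helper's rules:
.exe, .scr and web page files are infected, and so is any archive that
contains one of them. .rar is excluded conservatively (assumption: no
standard-library RAR reader is available to inspect its members).
"""
import os
import shutil
import tempfile
import zipfile

BLOCKED_EXTS = {".exe", ".scr", ".htm", ".html", ".asp", ".aspx"}
ARCHIVE_EXTS = {".zip", ".rar"}


def _ext(name):
    """Lower-cased extension, so page.HTM is treated like page.htm."""
    return os.path.splitext(name)[1].lower()


def classify(path):
    """Return (allowed, reason) for one file on the infected drive."""
    ext = _ext(path)
    if ext in BLOCKED_EXTS:
        return False, f"{ext} files are infected by Virut"
    if ext == ".zip":
        try:
            with zipfile.ZipFile(path) as zf:
                # A member that is itself blocked, or a nested archive we would
                # have to open recursively, makes the whole zip off-limits.
                bad = [n for n in zf.namelist()
                       if _ext(n) in BLOCKED_EXTS | ARCHIVE_EXTS]
        except (zipfile.BadZipFile, OSError):
            return False, "unreadable zip archive"
        if bad:
            return False, "zip contains " + ", ".join(sorted(bad))
        return True, "zip with no blocked members"
    if ext == ".rar":
        return False, ".rar archives cannot be inspected here; excluded"
    return True, "allowed"


def plan_backup(root):
    """Walk root and return (allowed, blocked), each a sorted list of (relpath, reason)."""
    allowed, blocked = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            ok, why = classify(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            (allowed if ok else blocked).append((rel, why))
    return sorted(allowed), sorted(blocked)


def build_sample_tree(root):
    """Constructed sample layout for a dry run; placeholder bytes, not malware."""
    os.makedirs(os.path.join(root, "docs"), exist_ok=True)
    with open(os.path.join(root, "docs", "report.txt"), "w") as fh:
        fh.write("quarterly notes")
    with open(os.path.join(root, "docs", "page.HTM"), "w") as fh:
        fh.write("<html></html>")
    with open(os.path.join(root, "setup.exe"), "wb") as fh:
        fh.write(b"MZ")
    with zipfile.ZipFile(os.path.join(root, "photos.zip"), "w") as zf:
        zf.writestr("holiday.jpg", b"\xff\xd8\xff")
    with zipfile.ZipFile(os.path.join(root, "tools.zip"), "w") as zf:
        zf.writestr("tool.exe", b"MZ")
        zf.writestr("readme.txt", b"notes")
    return root


def demo():
    """Run the filter over the constructed tree; returns (allowed names, blocked names)."""
    root = tempfile.mkdtemp(prefix="virut_backup_")
    try:
        build_sample_tree(root)
        allowed, blocked = plan_backup(root)
        return [p for p, _ in allowed], [p for p, _ in blocked]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    allowed_names, blocked_names = demo()
    print("copy:   ", allowed_names)
    print("refuse: ", blocked_names)
```

Run it against a real folder with `plan_backup(r"D:\\")` and copy only the allowed list; the blocked list with its reasons is worth keeping as a record of what was left behind and why.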
 
Hi,

Both my secondary drive d:/ and my external USB drive had traces of the Virut virus. I wiped the USB drive clean. Is it possible to transfer files to this drive now without getting an infection? Also, the d:/ drive didn't seem badly infected, only one file in the System Volume Information folder. Is there a way to clean this?

Thanks
 