Explorer.exe INFECTED win32:malware.gen

WinXP(32bit) SP2
GA-7NNXP gigabyte motherboard

Hi folks, I need some help with this one if that is ok. Last night I finished playing WoW as normal, shut down my computer and went to bed. This morning I turned on the computer and logged in as normal at the welcome screen (I only have one user account, Administrator) and the desktop would not load; the computer becomes idle with a blank background, but I can press Alt-Ctrl-Del. I tried restarting a few times, same result. My first course of action was to run a scan with Avast in safe mode. It detected that C:\windows\explorer.exe is infected with malware called win32:malware.gen. I cannot move it to the chest, repair it or anything. I have created another user account with no password in Control Panel, and when I restart it breezes past the welcome screen and I am presented with a fresh desktop. I can use the browser and the internet, but when I try to access My Documents or My Computer I am presented with an error:

C:\WINDOWS\Explorer.EXE
Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item.

I have scheduled a boot scan with Avast and performed it, same result detects C:\windows\explorer.exe is infected with malware called win32:malware.gen and being explorer.exe I cannot move to chest or do anything.

I have done full scans with MBAM and SAS and they are clean. Any direction from this point would be much appreciated, thanks.

Hi. Welcome to the Avast forums. :)

Can you download HijackThis? If so, install it on your desktop and let it run a scan. Then save the log and post it, and I'm sure someone will come along who can aid you in removing said pest from your PC.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:26:13 PM, on 12/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\sstray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.21 V1.30\WlanCU.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Global Startup: Wireless Configuration Utility.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.21 V1.30\WlanCU.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe


End of file - 4125 bytes


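As an added example (not part of this thread and not HijackThis's own code), here is a small Python parser for the O4 autorun lines in a HijackThis log such as the one above. It pulls out hive, key, value name, command and the account an entry belongs to, then lists the entries whose first token is a generic interpreter or loader (cmd.exe, rundll32.exe and similar), because for those the bracketed name and launcher say nothing about what actually runs and the arguments have to be read by hand. The sample lines are a subset copied from the log above; the launcher list and the review rule are this example's own assumptions, and "needs review" is a triage bucket, not a verdict of malice.

```python
import re
from typing import List, NamedTuple, Optional


class AutorunEntry(NamedTuple):
    hive: str             # "HKLM", "HKCU", "HKUS\\S-1-5-19", ... or "Global Startup"
    key: str              # "Run", "RunOnce" or "StartupFolder"
    name: str             # value name in brackets, or the shortcut name
    command: str          # the command line HijackThis recorded
    user: Optional[str]   # account from a trailing "(User '...')", if present


# Registry-backed O4 lines: O4 - <hive>\..\<Run|RunOnce>: [name] command (User 'x')
_REG_O4 = re.compile(
    r"^O4 - (?P<hive>HK\w+(?:\\[^\\]+)?)\\\.\.\\(?P<key>\w+): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# Startup-folder O4 lines: O4 - Global Startup: shortcut.lnk = target
_FOLDER_O4 = re.compile(r"^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.*?) = (?P<cmd>.*)$")

# Interpreters and loaders whose real payload is in the arguments (assumed list).
LAUNCHERS = {"cmd.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe",
             "cscript.exe", "mshta.exe"}

# Sample O4 lines copied from the HijackThis log posted above (constructed subset).
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'LOCAL SERVICE')
O4 - Global Startup: Wireless Configuration Utility.lnk = C:\Program Files\802.11 Wireless LAN\WlanCU.exe
"""


def parse_o4(log_text: str) -> List[AutorunEntry]:
    """Extract every O4 entry from HijackThis log text; other line types are ignored."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _REG_O4.match(line)
        if m:
            entries.append(AutorunEntry(m["hive"], m["key"], m["name"], m["cmd"], m["user"]))
            continue
        m = _FOLDER_O4.match(line)
        if m:
            entries.append(AutorunEntry(m["hive"], "StartupFolder", m["name"], m["cmd"], None))
    return entries


def launcher_of(command: str) -> str:
    """Lowercased basename of the program a command line starts (quoted paths honoured)."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        first = cmd[1:end] if end > 0 else cmd[1:]
    else:
        first = cmd.split(None, 1)[0] if cmd else ""
    return first.rsplit("\\", 1)[-1].lower()


def needs_review(entries: List[AutorunEntry]) -> List[AutorunEntry]:
    """Entries whose launcher is a generic interpreter/loader: read their arguments by hand."""
    return [e for e in entries if launcher_of(e.command) in LAUNCHERS]


if __name__ == "__main__":
    found = parse_o4(SAMPLE_O4_LINES)
    for e in found:
        print(f"{e.hive:<16} {e.key:<14} [{e.name}] -> {launcher_of(e.command)}"
              + (f" (user {e.user})" if e.user else ""))
    print("review:", [e.name for e in needs_review(found)])
```

On the sample above the two RunOnce entries under the LOCAL SERVICE hive land in the review bucket simply because they are launched through cmd.exe and RunDll32.exe; deciding what they are is the analyst's job, which is why the function returns the full entries with their commands rather than a yes/no.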

If I remember correctly, someone else just had the same problem, and it was solved by running
Dr.Web CureIt http://www.freedrweb.com/cureit/?lng=en

You are running WinXP SP2. SP3 was released in 2008 with a total of 1,174 fixes + all later

Windows XP Service Pack 3 has been available for over a year and provides many Critical Updates plus performance improvements.

You need to start Internet Explorer then go to Tools then Windows Update and download all of the available updates.

Go to Control Panel then Automatic Updates then select Automatic (recommended) or at least Notify me but don’t automatically download or install them.

IE8 is more secure than IE6 and has much better performance and security:
http://www.microsoft.com/windows/Internet-explorer/default.aspx

Go to Secunia Online Software Inspector then run it to see what other applications are vulnerable:
http://secunia.com/vulnerability_scanning/online

I ran this and it detected C:\windows\system32\cmdow.exe was tool.hidewindows

The results from Secunia were as follows:

Scan Now
The Secunia Online Software Inspector will inspect your operating system and software for insecure versions and missing security updates. A default inspection normally lasts 5-40 seconds, while a thorough inspection may take several minutes.

Detection Statistics:
8 Applications Detected in Total
1 Insecure Version Detected
7 Patched Versions Detected

Running For:
0 Minutes, 52 Seconds

Errors with the scan:
1 Error Detected

Scan Options:
Enable thorough system inspection
Display only insecure programs
Status / Currently Processing:
Detection completed with 1 error

Programs / Result Version Detected Status
Macromedia Flash Player 6.x Macromedia Flash Player 6.x 6.0.79.0 Macromedia Flash Player 6.x

This installation of Macromedia Flash Player 6.x is insecure and potentially exposes your system to security threats!

The detected version installed on your system is 6.0.79.0, however, the latest patched version released by the vendor, fixing one or more vulnerabilities, is 6.0.88.0.

Update Instructions:
Apply updates.

Flash Player 9.0.45.0 and earlier (update to version 9.0.47.0):
http://www.adobe.com/go/getflash

Flash Player 9.0.45.0 and earlier - network distribution (update to version 9.0.47.0):
http://www.adobe.com/licensing/distribution

Flash CS3 Professional (update to version 9.0.47.0):
http://www.adobe.com/support/flashplayer/downloads.html

Flash Professional 8, Flash Basic (update to version 8.0.35.0):
http://www.adobe.com/support/flashplayer/downloads.html

Flex 2.0 (update to version 9.0.47.0):
http://www.stage.adobe.com/support/flashplayer/downloads.html#fp9

Flash Player version 7.0.70.0 for Linux and Solaris reportedly fixes vulnerability #2 for Opera and Konqueror browsers.

Installed on Your System in:
C:\WINDOWS\SYSTEM32\Macromed\Flash\flash.ocx

I suspect I picked up this naughty from torrent sites the other day.

Hi

I don’t think SP3 will help a whole lot with this.

Let’s see if we can get a look at the account with the problems.

Log into the problem account. Once there you can open a browser with Task Manager.

Use alt-ctrl-del to open task manger.

[*]In Task Manager, click the Options button
[*]check mark Always on Top
[*]This will keep Task Manager from disappearing when you click on anything else.
[*]click file
[*]click New Task(Run…)
[*]type the following line into the open: field
iexplore.exe
[*]click ok
[*]Internet Explorer should open
[*]Using your left mouse button, click on the top blue portion of Task Manager and slide it down to the lower part of your screen so it's out of the way. Do not minimize it.

It is important that you do not minimize your browser, Task Manager or the tool I'm going to have you download. If you do, you will lose them and will need to start over.

Note: When you download this tool to the specified location, it will not be visible to you. We will launch it via the run command.

Please download SystemLook from one of the links below by
[*]right clicking the link and clicking Save Target As
[*]In the Save As window, using the dropdown menu set the Save In box to Local disk (C:)
[*]make sure the filename is SystemLook.exe and the type is Application
[*]click Save

Download Mirror #1
Download Mirror #2

Next

[*]Holding down your left mouse button, highlight all the text in the codebox below.
[*]Do not copy the word CODE , please note the script starts with the :
[*]right click the highlighted text and choose copy

:filefind
explorer.ex*
:reg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe

In Task Manager
[*]click file
[*]click New Task(Run…)
[*]type the following line into the open: field
C:\Systemlook.exe
[*]click ok

SystemLook should appear on your screen.

[*]Right click anywhere in the white field and choose paste.
[*]the text you copied earlier should appear
[*]Click the Look button to start the scan.
[*]When finished, a notepad window will open with the results of the scan.
Please post this log in your next reply.

If you lose the notepad before you can post the contents, you may retrieve it by copying and pasting this command into the Task Manager open box.
%userprofile%\desktop\SystemLook.txt

Thanks

edit to fix links

Hi, it says site was not found, please check the address and try again, from both locations.

Thanks

Hi Bradj,

I just fixed the links, they should work now.

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 16:12 on 06/12/2009 by Warcraft (Administrator - Elevation successful)

========== filefind ==========

Searching for "explorer.ex*"
C:\WINDOWS\explorer.exe --a--- 1032192 bytes [07:50 22/10/2005] [07:50 22/10/2005] (Unable to calculate MD5)
C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf --a--- 89728 bytes [13:02 28/11/2009] [10:42 04/12/2009] 972DBB5C06EA0A3AF5C16497A294173B

========== reg ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
(Unable to open key - key not found)

-=End Of File=-
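As an added example (not from this thread and not SystemLook's own code), the following Python parses a SystemLook log like the one above into structured file hits and registry results, then checks each hit against a table of reference hashes. The detail worth noticing is the "(Unable to calculate MD5)" marker: it means the tool could not even open the file for reading under an elevated account, which fits the "cannot access" error reported earlier and deserves its own flag, separate from whether a hash would have matched. The sample log is copied from the post above (attribute flags written as --a---); the reference table is a placeholder, since a trusted hash for this build's explorer.exe is not on the page.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class FileHit(NamedTuple):
    path: str
    attrs: str
    size: int
    created: str
    modified: str
    md5: Optional[str]   # None when SystemLook printed "(Unable to calculate MD5)"


# One filefind line: path, attribute flags, size, two [time date] stamps, MD5 or marker.
_FILE_LINE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>\S+)\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32}|\(Unable to calculate MD5\))$"
)
_REG_KEY = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")

# Sample log copied from the SystemLook output posted above (constructed from the thread).
SAMPLE_LOG = r"""SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 16:12 on 06/12/2009 by Warcraft (Administrator - Elevation successful)

========== filefind ==========

Searching for "explorer.ex*"
C:\WINDOWS\explorer.exe --a--- 1032192 bytes [07:50 22/10/2005] [07:50 22/10/2005] (Unable to calculate MD5)
C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf --a--- 89728 bytes [13:02 28/11/2009] [10:42 04/12/2009] 972DBB5C06EA0A3AF5C16497A294173B

========== reg ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
(Unable to open key - key not found)

-=End Of File=-
"""

# Placeholder reference table {lowercased path: MD5}. A real one would hold hashes of
# known-good files, e.g. explorer.exe taken from the matching XP service-pack media.
REFERENCE_MD5: Dict[str, str] = {
    "c:\\windows\\explorer.exe": "PLACEHOLDER-KNOWN-GOOD-MD5",
}


def parse_systemlook(log: str) -> Tuple[List[FileHit], Dict[str, str]]:
    """Return (file hits, {registry key: status}) from SystemLook log text."""
    files: List[FileHit] = []
    reg: Dict[str, str] = {}
    section = current_key = None
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("=" * 10):          # "========== filefind =========="
            section = line.strip("= ").lower()
            continue
        if section == "filefind":
            m = _FILE_LINE.match(line)
            if m:
                md5 = None if m["md5"].startswith("(") else m["md5"].upper()
                files.append(FileHit(m["path"], m["attrs"], int(m["size"]),
                                     m["created"], m["modified"], md5))
        elif section == "reg":
            m = _REG_KEY.match(line)
            if m:
                current_key = m["key"]
                reg[current_key] = "present"
            elif current_key and line.startswith("("):
                reg[current_key] = line.strip("()")   # e.g. "Unable to open key - key not found"
    return files, reg


def verify(files: List[FileHit], reference: Dict[str, str]) -> Dict[str, str]:
    """Classify each hit: unreadable (no hash computed), match, mismatch or no-reference."""
    verdicts = {}
    for f in files:
        ref = reference.get(f.path.lower())
        if f.md5 is None:
            verdicts[f.path] = "unreadable"
        elif ref is None:
            verdicts[f.path] = "no-reference"
        else:
            verdicts[f.path] = "match" if f.md5 == ref.upper() else "mismatch"
    return verdicts


if __name__ == "__main__":
    hits, keys = parse_systemlook(SAMPLE_LOG)
    for path, verdict in verify(hits, REFERENCE_MD5).items():
        print(f"{verdict:<13} {path}")
    for key, status in keys.items():
        print(f"{status:<40} {key}")
```

With the log above, explorer.exe comes out as "unreadable" and the prefetch file as "no-reference", while the IFEO key for explorer.exe reports "key not found", which is the negative result the helper was looking for there.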

Hi Bradj,

You ran SystemLook from the account you are having problems with?

It looks like explorer may be patched, let’s see with what.

We need some file information.

[*]Make sure to use Internet Explorer for this
[*]Please go to VirSCAN.org FREE on-line scan service
[*]Copy and paste the following file path, one at a time if more than one file is listed, into the "Suspicious files to scan" box on the top of the page:

C:\WINDOWS\explorer.exe

[*]Click on the Upload button
[*]Please ensure the scan is complete and the results saved before submitting the next.
[*]If a pop-up appears saying the file has been scanned already, please select the ReScan button.
[*]Once the Scan is completed, click on the “Copy to Clipboard” button. This will copy the link of the report into the Clipboard.
[*]Paste the contents of the Clipboard in your next reply.

Thanks

I will take this next step you advised but first I will advise the behaviour I am observing.

I initially noticed there was a problem when I first turned on the computer this morning. I use the Administrator account and log in with its password at the Welcome Screen; it was then that I noticed that the desktop would not load. I restarted into Safe Mode and made another User Account with no password and restarted, and it booted up to the (fresh) desktop of this new user account. If I attempt to go into My Computer or My Documents I get a system beep and a system error box saying I don't have access, and Avast immediately pops up saying C:\WINDOWS\EXPLORE.Exe is infected with Win32:Malware.gen.

Right before I performed your SystemLook test I attempted to log out of the new account back to the welcome screen, where I was of course presented with the user account. I clicked on it to log straight back in but observed the same behaviour as when I first attempted to log into Administrator: the desktop would not load. So it was at that point, since I observed the same behaviour, that I performed your SystemLook test. Would you like me to relog into the initial Administrator account and perform your SystemLook test?

Hi Bradj,

Sorry, I should have been clearer.

Yes, I’d like to have a look with SystemLook from within the problem account.

If you follow the instructions I posted first time you should be able to open IE via task manager and come back to this forum to follow the rest of those instructions.

You may as well do the VirScan also.

Thanks

VIRSCAN results:

Scanner results : 5% Scanner(s) (2/37) found malware!
Time : 2009/12/06 17:04:51 (NZDT)
Scanner Engine Ver Sig Ver Sig Date Scan result Time
a-squared 4.5.0.8 20091206090244 2009-12-06 - 4.331
AhnLab V3 2009.12.06.00 2009.12.06 2009-12-06 - 0.982
AntiVir 8.2.1.92 7.10.1.170 2009-12-05 - 0.425
Antiy 2.0.18 20091204.3347676 2009-12-04 - 0.121
Arcavir 2009 200912050612 2009-12-05 - 0.076
Authentium 5.1.1 200912051639 2009-12-05 - 2.216
AVAST! 4.7.4 091205-1 2009-12-05 Win32:Malware-gen 0.051
AVG 8.5.288 270.14.95/2547 2009-12-06 - 0.341
BitDefender 7.81008.4697249 7.29319 2009-12-06 - 4.056
CA (VET) 35.1.0 7158 2009-12-04 - 5.565
ClamAV 0.95.2 10113 2009-12-04 - 1.115
Comodo 3.13 3152 2009-12-06 - 1.285
CP Secure 1.3.0.5 2009.12.04 2009-12-04 - 0.799
Dr.Web 4.44.0.9170 2009.12.05 2009-12-05 - 9.015
F-Prot 4.4.4.56 20091205 2009-12-05 - 2.263
F-Secure 7.02.73807 2009.12.05.02 2009-12-05 - 6.748
Fortinet 11.128- 11.128 2009-12-05 - 0.218
GData 19.9184/19.607 20091206 2009-12-06 Win32:Malware-gen [Engine:B] 6.680
Ikarus T3.1.01.74 2009.12.05.74655 2009-12-05 - 4.325
JiangMin 13.0.900 2009.12.02 2009-12-02 - 4.252
Kaspersky 5.5.10 2009.12.06 2009-12-06 - 0.076
KingSoft 2009.2.5.15 2009.12.6.9 2009-12-06 - 0.550
McAfee 5.3.00 5823 2009-12-05 - 3.312
Microsoft 1.5302 2009.12.06 2009-12-06 - 6.757
Norman 6.01.09 6.01.00 2009-12-05 - 4.005
nProtect 20091203.01 6487164 2009-12-03 - 4.404
Panda 9.05.01 2009.12.05 2009-12-05 - 3.437
Quick Heal 10.00 2009.12.05 2009-12-05 - 1.561
Rising 20.0 22.24.06.01 2009-12-06 - 1.257
Sophos 3.02.0 4.48 2009-12-06 - 2.693
Sunbelt 3.9.2381.2 5546 2009-12-05 - 2.133
Symantec 1.3.0.24 20091205.006 2009-12-05 - 0.084
The Hacker 6.5.0.2 v00086 2009-12-05 - 1.230
Trend Micro 9.000-1003 6.672.06 2009-12-06 - 0.031
VBA32 3.12.12.0 20091202.2156 2009-12-02 - 2.264
ViRobot 20091204 2009.12.04 2009-12-04 - 0.442
VirusBuster 4.5.11.10 10.115.1/2003653 2009-12-05 - 4.543

The Copy to Clipboard for some reason wasn't a clickable button for me, so I copy-pasted the results; hope it's the same.

The no-desktop-loading thing seems to happen when there is any interaction with the Welcome Screen. If I remove the password for the second account and restart, it will boot up to a desktop fine. If I add a password to that 2nd account, restart and type a password at the Welcome Screen, I will have no desktop (I can get internet access with no desktop on the 2nd account by starting IE); however, if I log out of the 2nd account and log in to Administrator with my password I have no desktop (and no internet access either, making it tricky to post a SystemLook scan).

So now I have 2 Administrator accounts, in the user accounts screen I cannot see the Administrator account anymore, just the named 2nd account, which it will not let me delete because it says it needs another administrator account which there should be, Administrator.

This is the systemlook log from the Administrator account:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 17:46 on 06/12/2009 by Administrator (Administrator - Elevation successful)

========== filefind ==========

Searching for "explorer.ex*"
C:\WINDOWS\explorer.exe --a--- 1032192 bytes [07:50 22/10/2005] [07:50 22/10/2005] (Unable to calculate MD5)
C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf --a--- 89728 bytes [13:02 28/11/2009] [10:42 04/12/2009] 972DBB5C06EA0A3AF5C16497A294173B

========== reg ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
(Unable to open key - key not found)

-=End Of File=-
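As an added example (not from this thread and not VirSCAN's code), here is Python that parses a pasted VirSCAN result table like the one above and summarises it the way an analyst reads it: how many engines fired, what they called the file, and whether those names are generic. Two engines out of 37 agreeing on a name ending in "-gen" is a heuristic hit, the kind of result that needs corroboration from a file-level check (such as comparing explorer.exe against a copy from the install media) rather than being taken as proof either way. The rows embedded below are a subset of the table above; the 25% threshold and the generic-name pattern are this example's own assumptions, not VirSCAN's logic.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class EngineResult(NamedTuple):
    scanner: str
    engine_ver: str
    sig_ver: str
    sig_date: str
    detection: Optional[str]   # None when the engine reported "-" (clean)
    seconds: float


_SIG_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
# Names that denote a generic/heuristic signature rather than a named family (assumed).
_GENERIC = re.compile(r"(?i)(?:^|[^a-z])(gen(?:eric)?|heur(?:istic)?|suspicious)(?:[^a-z]|$)")

# Constructed subset of the VirSCAN table posted above (header lines kept on purpose).
SAMPLE_VIRSCAN = """\
Scanner results : 5% Scanner(s) (2/37) found malware!
Time : 2009/12/06 17:04:51 (NZDT)
Scanner Engine Ver Sig Ver Sig Date Scan result Time
a-squared 4.5.0.8 20091206090244 2009-12-06 - 4.331
AhnLab V3 2009.12.06.00 2009.12.06 2009-12-06 - 0.982
AVAST! 4.7.4 091205-1 2009-12-05 Win32:Malware-gen 0.051
CA (VET) 35.1.0 7158 2009-12-04 - 5.565
Dr.Web 4.44.0.9170 2009.12.05 2009-12-05 - 9.015
GData 19.9184/19.607 20091206 2009-12-06 Win32:Malware-gen [Engine:B] 6.680
Kaspersky 5.5.10 2009.12.06 2009-12-06 - 0.076
Microsoft 1.5302 2009.12.06 2009-12-06 - 6.757
Quick Heal 10.00 2009.12.05 2009-12-05 - 1.561
Trend Micro 9.000-1003 6.672.06 2009-12-06 - 0.031
"""


def parse_virscan(text: str) -> List[EngineResult]:
    """Parse VirSCAN result rows. Columns are whitespace-separated, but scanner names and
    detection names may contain spaces, so each row is anchored on the YYYY-MM-DD
    signature-date token and the trailing scan time instead of on column count."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        date_idx = next((i for i, t in enumerate(tok) if _SIG_DATE.match(t)), None)
        if date_idx is None or date_idx < 3 or len(tok) < date_idx + 3:
            continue  # header, summary or blank line
        try:
            seconds = float(tok[-1])
        except ValueError:
            continue
        verdict = " ".join(tok[date_idx + 1:-1])
        rows.append(EngineResult(
            scanner=" ".join(tok[:date_idx - 2]),
            engine_ver=tok[date_idx - 2], sig_ver=tok[date_idx - 1], sig_date=tok[date_idx],
            detection=None if verdict == "-" else verdict, seconds=seconds))
    return rows


def claimed_ratio(text: str) -> Optional[Tuple[int, int]]:
    """The (hits, engines) pair VirSCAN prints in its own summary line, for cross-checking."""
    m = re.search(r"\((\d+)/(\d+)\) found malware", text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_generic(name: str) -> bool:
    return bool(_GENERIC.search(name))


def summarize(rows: List[EngineResult]) -> Dict[str, object]:
    hits = {r.scanner: r.detection for r in rows if r.detection}
    return {
        "engines": len(rows),
        "detections": len(hits),
        "by_engine": hits,
        "all_generic": bool(hits) and all(is_generic(d) for d in hits.values()),
    }


def triage(summary: Dict[str, object], corroboration: float = 0.25) -> str:
    """Analyst rule of thumb (this example's assumption): a small share of engines agreeing
    only on a generic name is a heuristic hit that needs a file-level check before acting."""
    if summary["detections"] == 0:
        return "clean"
    share = summary["detections"] / summary["engines"]
    if share < corroboration and summary["all_generic"]:
        return "needs-corroboration"
    return "corroborated"


if __name__ == "__main__":
    parsed = parse_virscan(SAMPLE_VIRSCAN)
    report = summarize(parsed)
    print("claimed by VirSCAN:", claimed_ratio(SAMPLE_VIRSCAN))
    print("parsed rows:", report["engines"], "detections:", report["by_engine"])
    print("triage:", triage(report))
```

Run against the full 37-row table from the post, the parsed count should equal the pair in VirSCAN's own summary line; a mismatch usually means a row was wrapped or mangled in the paste and is worth checking by eye.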

Hi Bradj,

Thanks.

There is something going on with explorer even though those scan results say otherwise. I just tested mine and neither Avast nor the online scan detected anything.

Do you have an XP CD?

As there are problems in the new account you created, let's use that one; at least you have a desktop to work from.

Download OTL to your desktop.

[*]Double click on OTL.exe to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]When the window appears, underneath Output at the top change it to Minimal Output
[*]Check the boxes beside LOP Check and Purity Check.
[*]Copy and paste the following bold text into the box under Custom Scan

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
/md5stop
%systemroot%\*.* /r /s
CREATERESTOREPOINT

[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them all in. You will probably need to attach them as this forum has small pages.

Please post back with
[*]both OTL logs

Sorry, no XP CD.

I am getting a stop error a bit into the scanning with OTL:

Invalid time flag! [r]
Must be numerical.

Hi Bradj,

I asked about the XP CD because I'm looking for a good copy of explorer.exe.

Ok, let’s see if we can get a look with these tools

Download and run Win32kDiag:

[*]Download Win32kDiag from any of the following locations and save it to your Desktop.
[*]Download Win32kDiag (Win32kDiag.exe) - #1
[*]Download Win32kDiag (Win32kDiag.exe) - #2
[*]Download Win32kDiag (Win32kDiag.exe) - #3

[*]Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
[*]When it states “Finished! Press any key to exit…”, press any key on your keyboard to close the program.
[*]Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.
[*]To ensure the entire contents are copied, right click anywhere in the notepad and click Select All
[*]Right click the highlighted text and click copy

Please download DDS and save it to your desktop.

[*]Disable any script blocking protection
[*]Double click dds.scr to run the tool.
[*]When done, DDS.txt will open.
[*]Click Yes at the next prompt for Optional Scan.
[*]Save both reports to your desktop.


Please include the contents of the following in your next reply:

DDS.txt

Please attach the second file; Attach.txt. To attach a file.

Running from: C:\Documents and Settings\Warcraft\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Warcraft\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching ‘C:\WINDOWS’…

Finished!


DDS (Ver_09-12-01.01) - NTFSx86
Run by Warcraft at 19:47:30.95 on Sun 12/06/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.467 [GMT 13:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\sstray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.21 V1.30\WlanCU.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Warcraft\Desktop\dds.scr

============== Pseudo HJT Report ===============

mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [nForce Tray Options] sstray.exe /r
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"
dRunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\802.11 wireless lan\802.11g wireless cardbus & pci adapter hw.21 v1.30\WlanCU.exe
uPolicies-explorer: NoInternetIcon = 1 (0x1)
uPolicies-explorer: NoInstrumentation = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: NoInternetIcon = 1 (0x1)
dPolicies-explorer: NoInstrumentation = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\warcraft\applic~1\mozilla\firefox\profiles\xcwahe5d.default
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-11-29 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-29 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-11-29 138680]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-11-29 254040]
R3 TNET1130;IEEE 802.11g Wireless Cardbus/PCI Adapter;c:\windows\system32\drivers\TNET1130.sys [2004-6-17 386688]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-11-29 352920]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]

=============== Created Last 30 ================

2009-12-06 05:53:44 0 d--h--w- c:\windows\PIF
2009-12-06 03:10:28 102660 ----a-w- C:\SystemLook.exe
2009-12-06 03:02:25 0 d-s---w- c:\documents and settings\warcraft\UserData
2009-12-06 02:08:49 0 d-----w- c:\documents and settings\warcraft\DoctorWeb
2009-12-06 00:25:55 0 d-----w- c:\program files\Trend Micro
2009-12-06 00:16:21 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-12-06 00:16:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-12-05 23:12:53 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-12-05 23:12:43 0 d-----w- c:\program files\SUPERAntiSpyware
2009-12-05 23:12:43 0 d-----w- c:\docume~1\warcraft\applic~1\SUPERAntiSpyware.com
2009-12-05 22:46:37 0 d-----w- c:\docume~1\warcraft\applic~1\Malwarebytes
2009-12-05 22:46:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-05 22:46:32 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-05 22:46:31 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-05 22:46:31 0 d-----w- c:\program files\Malwarebytes’ Anti-Malware
2009-12-05 22:18:56 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-12-03 07:44:48 0 d-----w- c:\program files\IObit
2009-12-01 20:14:41 116 ----a-w- c:\windows\NeroDigital.ini
2009-12-01 20:10:55 133211 ------w- c:\windows\UNNeroVision.cfg
2009-12-01 20:10:54 2277376 ------w- c:\windows\UNNeroVision.exe
2009-12-01 20:03:38 106496 ------w- c:\windows\system32\TwnLib20.dll
2009-12-01 20:03:35 471040 ------w- c:\windows\system32\ImagXRA7.dll
2009-12-01 20:03:35 364544 ------w- c:\windows\system32\TwnLib4.dll
2009-12-01 20:03:35 262144 ------w- c:\windows\system32\ImagXR7.dll
2009-12-01 20:03:34 476320 ------w- c:\windows\system32\ImagXpr7.dll
2009-12-01 20:03:34 1568768 ------w- c:\windows\system32\ImagX7.dll
2009-12-01 20:03:33 38912 ------w- c:\windows\system32\picn20.dll
2009-12-01 20:03:30 155648 ----a-w- c:\windows\system32\NeroCheck.exe
2009-12-01 19:59:02 0 d-----w- c:\windows\system32\appmgmt
2009-12-01 19:01:53 24064 ------w- c:\windows\system32\msxml3a.dll
2009-12-01 11:26:24 0 d-----w- c:\program files\VideoLAN
2009-12-01 11:09:06 0 d-----w- c:\program files\uTorrent
2009-11-30 19:15:39 0 d-----w- c:\program files\common files\Blizzard Entertainment
2009-11-30 13:06:05 0 d-----w- c:\program files\Ventrilo
2009-11-30 13:06:00 262 ----a-w- c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2009-11-30 13:05:46 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-11-29 18:48:17 0 d-----w- c:\docume~1\alluse~1\applic~1\Blizzard Entertainment
2009-11-29 01:48:29 0 d-----w- c:\program files\common files\ODBC
2009-11-29 01:48:26 0 d-----w- c:\program files\common files\SpeechEngines
2009-11-29 01:48:00 0 d-----r- c:\documents and settings\all users\Documents
2009-11-28 22:16:52 0 d-----w- c:\docume~1\alluse~1\applic~1\Blizzard
2009-11-28 21:05:24 0 d-----w- c:\program files\World of Warcraft
2009-11-28 14:37:14 0 d-----w- c:\program files\ATI
2009-11-28 13:53:48 0 d-----w- c:\program files\Driver Cleaner Pro
2009-11-28 13:22:08 0 d-----w- c:\program files\ATI Technologies
2009-11-28 13:07:09 0 d-----w- c:\program files\802.11 Wireless LAN
2009-11-28 13:06:57 0 d-----w- c:\docume~1\alluse~1\applic~1\{3BF7B6DE-D2D6-4888-83BE-488663791EB5}
2009-11-28 13:00:22 0 d-sh--w- c:\documents and settings\all users\DRM
2009-11-28 13:00:19 0 d-----w- c:\program files\Messenger
2009-11-28 12:58:46 0 d–h–w- c:\program files\WindowsUpdate
2009-11-28 12:58:42 0 d-----w- c:\program files\Online Services
2009-11-28 12:58:12 0 d-----w- c:\program files\common files\MSSoap
2009-11-28 12:57:04 0 d-----w- c:\program files\MSN Gaming Zone
2009-11-28 12:56:49 0 d-----w- c:\program files\Windows NT

==================== Find3M ====================

2009-11-28 14:53:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-28 13:06:57 62865 ----a-w- c:\windows\system32\drivers\odysseyIM3.sys
2009-11-28 12:57:35 21640 ----a-w- c:\windows\system32\emptyregdb.dat

============= FINISH: 19:47:38.25 ===============

Hi Bradj,

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

Caution
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
[*]Click NO
[*]In the right panel, you will see a bunch of boxes that have been checked … leave everything checked and ensure the Show all box is un-checked.
[*]Now click the Scan button.
Once the scan is complete, you may receive another notice about rootkit activity.
[*]Click OK.
[*]GMER will produce a log. Click on the [Save…] button, and in the File name area, type in "GMER.txt"
[*]Save it where you can easily find it, such as your desktop.

If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the ‘Show All’ button is unticked.

[*]Click the Scan button and let the program do its work. GMER will produce a log. Click on the [Save…] button, and in the File name area, type in “Gmer.txt” or it will save as a .log file which cannot be uploaded to your post.
[*]Save it where you can easily find it, such as your desktop

Please post the GMER log.

Thanks