#1, 05-04-2008, 10:00 AM
Registered User
Join Date: May 2008
Posts: 18
OS: Windows Xp/ Tiger


Constant window minimising/tab

Hi, I've got a computer, an Apple Tiger/Windows XP hybrid; I use XP usually. I've got a problem I'll try to explain as best I can, but I can't find the words to describe it.

Every 30 minutes (or so) something happens for a minute, every 10 seconds. If I am playing a fullscreen game, the game minimises. If I am watching something on YouTube, the video stops. If I am on any site (like this forum), the window looks as if I clicked outside the Mozilla window (the blue borders of the window become lighter). Sometimes, like if I am playing a flash-based game, it highlights a button as if I pressed Tab.

It looks like it's happening more and more, and after running a lot of anti-virus scans, nothing changed. I heard it was Fraps, but I closed it and it still happened.

This computer was infected like crazy some weeks ago, mainly because one of my brothers somehow came to believe Win32 was a good program that we needed. I ran a lot of antiviruses and I think we are clean now.

Thanks for your help. Here is the DSS log; ActiveScan.txt and extra.txt are attached. All my hopes belong to you.

Deckard's System Scanner v20071014.68
Run by Benjamin on 2008-05-04 12:43:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
36: 2008-05-04 16:43:20 UTC - RP198 - Deckard's System Scanner Restore Point
35: 2008-05-04 16:37:06 UTC - RP197 - Software Distribution Service 3.0
34: 2008-05-03 18:30:16 UTC - RP196 - Installé MSN Messenger 7.5 pour W2k/XP
33: 2008-05-02 21:49:16 UTC - RP195 - Point de vérification système
32: 2008-05-01 18:14:45 UTC - RP194 - Supprimé Windows Live Messenger


-- First Restore Point --
1: 2008-02-06 23:13:09 UTC - RP163 - Point de vérification système


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-04 12:44:59
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\stacsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\Brightness.exe
C:\Program Files\Apple Keyboard Support\KbdMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Fraps\Fraps\fraps.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Benjamin\Bureau\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: WebManager Class - {D5792AA9-D373-4039-8670-2CDAB6A71F15} - C:\Program Files\Get-Torrent\TorrentManager.dll
O3 - Toolbar: (no name) - SITEguard - (no file)
O4 - HKLM\..\Run: [AppleTime] C:\WINDOWS\system32\AppleTime.exe
O4 - HKLM\..\Run: [Brightness] C:\WINDOWS\system32\Brightness.exe
O4 - HKLM\..\Run: [Apple_KbdMgr] "C:\Program Files\Apple Keyboard Support\KbdMgr.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {343CE214-9998-4B21-A151-FFE970167297} () - http://xscanner.spyshredderscanner.c...up/webinst.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/game...lugin11USA.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} () - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O18 - Protocol: intu-ir2007 - {52BAEC6B-9405-46f9-A131-6D50720A3CC4} - C:\Program Files\ImpotRapide 2007\ic2007pp.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: AtiExtEvent - C:\WINDOWS\system32\Ati2evxx.dll
O20 - Winlogon Notify: svshost - C:\WINDOWS\system32\svshost.dll (file missing)
O21 - SSODL: RomKernel - {377ba2a0-0ad8-4831-a2d0-0690d11500a7} - C:\WINDOWS\Installer\{377ba2a0-0ad8-4831-a2d0-0690d11500a7}\RomKernel.dll
O21 - SSODL: zip - {12233bb6-6135-43af-89d0-ead08d1a274b} - C:\WINDOWS\Installer\{12233bb6-6135-43af-89d0-ead08d1a274b}\zip.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\stacsv.exe


--
End of file - 5473 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 KeyAgent - c:\windows\system32\drivers\keyagent.sys <Not Verified; Apple Computer, Inc.; Key Magic>
R2 keymagic (USB Keyboard HID Filter) - c:\windows\system32\drivers\keymagic.sys <Not Verified; Apple Computer, Inc.; Key Magic>
R3 StartupDiskDriver - c:\windows\system32\drivers\startupdiskdriver.sys <Not Verified; Apple Computer, Inc.; Startup Disk Driver>

S3 CEDRIVER53 - c:\program files\cheat engine\dbk32.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 STacSV (SigmaTel Audio Service) - c:\windows\system32\stacsv.exe <Not Verified; SigmaTel, Inc.; C-Major Audio>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\APP0002\A
Manufacturer:
Name:
PNP Device ID: ACPI\APP0002\A
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Device
Device ID: PCI\VEN_8086&DEV_27A3&SUBSYS_00000000&REV_03\3&B1BFB68&0&38
Manufacturer:
Name: PCI Device
PNP Device ID: PCI\VEN_8086&DEV_27A3&SUBSYS_00000000&REV_03\3&B1BFB68&0&38
Service:

Class GUID: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA}
Description: Périphérique d'interface utilisateur USB
Device ID: USB\VID_05AC&PID_8240\5&12F9C752&0&2
Manufacturer: (Périphériques système standard)
Name: Périphérique d'interface utilisateur USB
PNP Device ID: USB\VID_05AC&PID_8240\5&12F9C752&0&2
Service: HidUsb

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\APP0001\4&38462492&0
Manufacturer:
Name:
PNP Device ID: ACPI\APP0001\4&38462492&0
Service:


-- Files created between 2008-04-04 and 2008-05-04 -----------------------------

2008-05-04 12:05:48 0 d-------- C:\WINDOWS\LastGood
2008-05-04 12:03:22 0 d-------- C:\Program Files\Panda Security
2008-05-03 22:05:50 0 d--hs---- C:\FOUND.031
2008-05-03 14:30:17 0 d-------- C:\Program Files\MSN Messenger
2008-05-01 15:24:46 12 --a------ C:\WINDOWS\bthservsdp.dat
2008-05-01 14:30:18 0 d--hs---- C:\FOUND.030
2008-05-01 13:21:36 0 d-------- C:\Program Files\Softnyx
2008-04-29 19:25:58 0 d--hs---- C:\FOUND.029
2008-04-28 23:45:18 0 d--hs---- C:\FOUND.028
2008-04-28 19:46:07 16472 --a------ C:\Program Files\tmp130859.exe
2008-04-28 18:26:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-28 17:37:47 0 d-------- C:\Documents and Settings\Benjamin\Application Data\.clamwin
2008-04-28 17:37:41 0 d-------- C:\Program Files\ClamWin
2008-04-28 17:37:41 0 d-------- C:\Documents and Settings\All Users\.clamwin
2008-04-28 14:49:05 16476 --a------ C:\Program Files\tmp34484.exe
2008-04-27 20:45:48 16536 --a------ C:\Program Files\tmp160765.exe
2008-04-27 20:36:05 16484 --a------ C:\Program Files\tmp36625.exe
2008-04-27 2025 16580 --a------ C:\Program Files\tmp48421.exe
2008-04-27 17:16:46 16512 --a------ C:\Program Files\tmp197625.exe
2008-04-27 06:34:43 16544 --a------ C:\Program Files\tmp327453.exe
2008-04-24 20:27:41 16488 --a------ C:\Program Files\tmp63375.exe
2008-04-22 19:54:42 16520 --a------ C:\Program Files\tmp71156.exe
2008-04-21 19:55:17 16608 --a------ C:\Program Files\tmp37562.exe
2008-04-18 22:58:30 16524 --a------ C:\Program Files\tmp40359.exe
2008-04-11 08:22:14 16444 --a------ C:\Program Files\tmp37937.exe
2008-04-04 11:28:27 16584 --a------ C:\Program Files\tmp35218.exe
2008-04-04 11:03:45 16512 --a------ C:\Program Files\tmp253156.exe
2008-04-04 11:02:05 0 d-------- C:\Documents and Settings\Pierre Julien\Application Data\Ventrilo
2008-04-04 11:00:09 16600 --a------ C:\Program Files\tmp36140.exe


-- Find3M Report ---------------------------------------------------------------

2008-05-04 12:03:24 2968 --a------ C:\WINDOWS\mozver.dat
2008-04-28 21:20:52 6891077 --ahs---- C:\WINDOWS\system32\tsohsvs.dat
2008-04-28 14:37:24 16508 --a------ C:\Program Files\tmp34546.exe
2008-04-19 17:39:44 16476 --a------ C:\Program Files\tmp61734.exe
2008-04-10 16:44:22 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-04-10 16:39:20 16648 --a------ C:\Program Files\tmp39593.exe
2008-03-30 15:19:12 16548 --a------ C:\Program Files\tmp40562.exe
2008-03-30 12:17:36 16448 --a------ C:\Program Files\tmp122390.exe
2008-03-30 08:39:40 0 d-------- C:\Program Files\ImpotRapide 2007
2008-03-30 08:27:18 16588 --a------ C:\Program Files\tmp129203.exe
2008-03-23 15:16:22 16560 --a------ C:\Program Files\tmp44281.exe
2008-03-21 14:32:20 16596 --a------ C:\Program Files\tmp38187.exe
2008-03-20 21:17:34 16572 --a------ C:\Program Files\tmp504375.exe
2008-03-20 14:59:58 16636 --a------ C:\Program Files\tmp37703.exe
2008-03-20 13:58:52 16652 --a------ C:\Program Files\tmp50484.exe
2008-03-19 22:53:32 16468 --a------ C:\Program Files\tmp39218.exe
2008-03-19 18:21:06 0 d-------- C:\Program Files\Common Files
2008-03-19 16:52:26 16572 --a------ C:\Program Files\tmp82343.exe
2008-03-18 21:54:12 16604 --a------ C:\Program Files\tmp37875.exe
2008-03-18 15:58:14 16440 --a------ C:\Program Files\tmp61781.exe
2008-03-17 16:05:38 16456 --a------ C:\Program Files\tmp37421.exe
2008-03-16 17:12:58 16524 --a------ C:\Program Files\tmp162375.exe
2008-03-15 19:17:52 16584 --a------ C:\Program Files\tmp84265.exe
2008-03-14 14:52:30 16564 --a------ C:\Program Files\tmp43921.exe
2008-03-14 11:42:16 16588 --a------ C:\Program Files\tmp38390.exe
2008-03-13 23:07:46 16588 --a------ C:\Program Files\tmp32171.exe
2008-03-13 22:42:32 16464 --a------ C:\Program Files\tmp127250.exe
2008-03-13 16:05:20 16648 --a------ C:\Program Files\tmp126343.exe
2008-03-12 19:00:00 0 d--hs---- C:\Program Files\Fichiers communs\WindowsLiveInstaller
2008-03-12 18:59:56 0 d-------- C:\Program Files\Windows Live
2008-03-11 20:08:02 16460 --a------ C:\Program Files\tmp173843.exe
2008-03-11 20:02:42 16452 --a------ C:\Program Files\tmp37062.exe
2008-03-11 16:33:34 16552 --a------ C:\Program Files\tmp36218.exe
2008-03-10 16:31:52 16608 --a------ C:\Program Files\tmp142375.exe
2008-03-10 00:46:14 16588 --a------ C:\Program Files\tmp172609.exe
2008-03-09 18:40:22 16472 --a------ C:\Program Files\tmp60953.exe
2008-03-09 17:41:04 16472 --a------ C:\Program Files\tmp38078.exe
2008-03-08 10:04:34 16512 --a------ C:\Program Files\tmp70734.exe
2008-03-07 19:27:44 16500 --a------ C:\Program Files\tmp38437.exe
2008-03-07 13:28:42 16544 --a------ C:\Program Files\tmp43468.exe
2008-03-07 13:10:18 16596 --a------ C:\Program Files\tmp200281.exe
2008-03-06 20:15:30 370036 --a------ C:\WINDOWS\system32\perfh00C.dat
2008-03-06 20:15:30 49346 --a------ C:\WINDOWS\system32\perfc00C.dat
2008-03-06 20:11:38 16640 --a------ C:\Program Files\tmp156984.exe
2008-03-06 18:26:44 16508 --a------ C:\Program Files\tmp131234.exe
2008-03-06 11:32:04 16536 --a------ C:\Program Files\tmp42375.exe
2008-03-06 1148 16536 --a------ C:\Program Files\tmp366218.exe
2008-03-05 19:52:50 16564 --a------ C:\Program Files\tmp35765.exe
2008-03-05 14:29:28 16508 --a------ C:\Program Files\tmp127062.exe
2008-03-05 13:43:30 16640 --a------ C:\Program Files\tmp60796.exe
2008-03-05 12:53:26 16544 --a------ C:\Program Files\tmp39750.exe
2008-03-04 17:25:58 16468 --a------ C:\Program Files\tmp60000.exe
2008-03-04 16:04:52 16456 --a------ C:\Program Files\tmp35875.exe
2008-03-03 21:02:44 16532 --a------ C:\Program Files\tmp155578.exe
2008-03-03 17:10:22 16492 --a------ C:\Program Files\tmp71906.exe
2008-03-03 14:51:56 16500 --a------ C:\Program Files\tmp39546.exe
2008-03-03 14:46:28 16548 --a------ C:\Program Files\tmp67343.exe
2008-03-03 13:53:36 16556 --a------ C:\Program Files\tmp14564328.exe
2008-03-03 13:53:36 35816 --a------ C:\Program Files\instaler.exe
2008-03-03 04:58:40 102400 --a------ C:\WINDOWS\fqspogw.exe
2008-03-03 04:58:36 237568 --a------ C:\WINDOWS\dkxrstqnog.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D5792AA9-D373-4039-8670-2CDAB6A71F15}]
02/24/2007 12:08 AM 225280 --a------ C:\Program Files\Get-Torrent\TorrentManager.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AppleTime"="C:\WINDOWS\system32\AppleTime.exe" [07/14/2006 05:18 PM]
"Brightness"="C:\WINDOWS\system32\Brightness.exe" [09/26/2006 05:17 PM]
"Apple_KbdMgr"="C:\Program Files\Apple Keyboard Support\KbdMgr.exe" [10/24/2006 05:38 PM]
"SigmatelSysTrayApp"="sttray.exe" []
"BluetoothAuthenticationAgent"="rundll32.exe" [08/05/2004 12:00 PM C:\WINDOWS\system32\rundll32.exe]
"antiviirus"="C:\Program Files\antiviirus.exe" []
"ClamWin"="C:\Program Files\ClamWin\bin\ClamTray.exe" [04/19/2008 04:35 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [08/05/2004 12:00 PM]
"Fraps"="C:\FRAPS\FRAPS\FRAPS.EXE" [07/12/2007 03:15 AM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"RomKernel"= {377ba2a0-0ad8-4831-a2d0-0690d11500a7} - C:\WINDOWS\Installer\{377ba2a0-0ad8-4831-a2d0-0690d11500a7}\RomKernel.dll [03/03/2008 01:53 PM 18678]
"zip"= {12233bb6-6135-43af-89d0-ead08d1a274b} - C:\WINDOWS\Installer\{12233bb6-6135-43af-89d0-ead08d1a274b}\zip.dll [03/03/2008 01:53 PM 22814]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\svshost]
svshost.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ

*Newly Created Service* - RKPAVPROC



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8300 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-05-04 12:45:18 ------------
Attached files: ActiveScan.txt (41.3 KB), extra.txt (25.5 KB)
-- Kokojo
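The DSS log above contains the kind of entries a HijackThis-log helper looks for first: a Winlogon Notify hook whose DLL is gone (O20 svshost), shell-service DLLs loaded from GUID folders under C:\WINDOWS\Installer (O21 RomKernel/zip), an autostart executable sitting directly in the Program Files root (antiviirus.exe), and a run of near-identical tmpNNNNN.exe files of about 16 KB in C:\Program Files. The script below is an added example, not part of the original post or of Deckard's System Scanner: it parses a few constructed sample lines in the DSS/HijackThis format (paths copied from the log above) and applies those four triage heuristics. The rules and their severities are my own assumptions for illustration, not rules published by the tool or the forum.

```python
"""Triage rules for HijackThis-style and DSS-style log lines (added example)."""
import re
from collections import defaultdict

# Constructed sample: a handful of lines modelled on the HijackThis section
# of the DSS log posted above. Paths are copied from that post.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: AtiExtEvent - C:\WINDOWS\system32\Ati2evxx.dll
O20 - Winlogon Notify: svshost - C:\WINDOWS\system32\svshost.dll (file missing)
O21 - SSODL: RomKernel - {377ba2a0-0ad8-4831-a2d0-0690d11500a7} - C:\WINDOWS\Installer\{377ba2a0-0ad8-4831-a2d0-0690d11500a7}\RomKernel.dll
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# Constructed sample in the DSS "Files created" listing format.
SAMPLE_FILES = r"""
2008-05-04 12:03:22 0 d-------- C:\Program Files\Panda Security
2008-04-28 19:46:07 16472 --a------ C:\Program Files\tmp130859.exe
2008-04-28 14:49:05 16476 --a------ C:\Program Files\tmp34484.exe
2008-04-27 20:45:48 16536 --a------ C:\Program Files\tmp160765.exe
2008-03-03 13:53:36 35816 --a------ C:\Program Files\instaler.exe
2008-03-03 04:58:40 102400 --a------ C:\WINDOWS\fqspogw.exe
"""

HJT_LINE = re.compile(r"^([ORF]\d+) - (.*)$")
EXE_PATH = re.compile(r'([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)
FILE_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) (\S+) (.+)$")


def flag_hjt(text):
    """Return a list of (severity, rule, line) findings for HijackThis-style lines."""
    findings = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        section, body, line = m.group(1), m.group(2), raw.strip()
        # Rule 1: a loader entry whose target no longer exists. In the Winlogon
        # Notify (O20), SSODL (O21) and Service (O23) sections that is an
        # orphaned hook worth removing; elsewhere it is usually a stale reference.
        if "(file missing)" in body:
            sev = "high" if section in ("O20", "O21", "O23") else "low"
            findings.append((sev, "target file missing", line))
        # Rule 2: a shell-service DLL loaded from a GUID folder under \WINDOWS\Installer.
        if section == "O21" and re.search(r"\\installer\\\{", body, re.IGNORECASE):
            findings.append(("high", "SSODL DLL under WINDOWS\\Installer GUID folder", line))
        # Rule 3: an autostart executable sitting directly in the Program Files
        # root rather than inside a product folder.
        if section == "O4":
            p = EXE_PATH.search(body)
            if p and re.fullmatch(r"[a-z]:\\program files\\[^\\]+", p.group(1).lower()):
                findings.append(("medium", "autostart exe in Program Files root", line))
    return findings


def flag_serial_droppers(text, min_count=3, size_band=4096):
    """Group executables by directory and name shape (digit runs collapsed to '#')
    and report groups of at least min_count files whose sizes lie within size_band."""
    groups = defaultdict(list)
    for raw in text.splitlines():
        m = FILE_LINE.match(raw.strip())
        if not m or m.group(4).startswith("d"):
            continue  # skip non-matching lines and directory entries
        size, path = int(m.group(3)), m.group(5)
        directory, name = path.rsplit("\\", 1)
        shape = re.sub(r"\d+", "#", name.lower())  # tmp130859.exe -> tmp#.exe
        if "#" in shape and shape.endswith(".exe"):
            groups[(directory.lower(), shape)].append(size)
    findings = []
    for (directory, shape), sizes in groups.items():
        if len(sizes) >= min_count and max(sizes) - min(sizes) <= size_band:
            findings.append({"directory": directory, "shape": shape, "count": len(sizes)})
    return findings


if __name__ == "__main__":
    for sev, rule, line in flag_hjt(SAMPLE_HJT):
        print(f"[{sev}] {rule}: {line}")
    for f in flag_serial_droppers(SAMPLE_FILES):
        print(f"[medium] {f['count']} files shaped {f['shape']} in {f['directory']}")
```

On the sample input the HijackThis rules produce four findings (antiviirus.exe, the stale msnim protocol handler, the missing svshost.dll hook and the RomKernel SSODL entry) and the file-listing rule reports one group of three tmp#.exe files; the ClamWin entry and the PnkBstrA service pass untouched, which is the point of keeping rule 3 restricted to the Program Files root.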
#2, 05-06-2008, 11:26 PM
dorts, Analyst, Security Team
Join Date: Mar 2006
Location: Singapore
Posts: 1,604
OS: Windows XP SP2

Re: Constant window minimising/tab

Hi and welcome to TSF.

My name is Keneth and I will be helping you clean up your computer.

I am currently reviewing your log and will be back with a fix for your problem as soon as possible.

You may wish to Subscribe to this thread (Thread Tools) so that you are notified when you receive a reply.
#3, 05-07-2008, 06:39 AM
dorts, Analyst, Security Team
Join Date: Mar 2006
Location: Singapore
Posts: 1,604
OS: Windows XP SP2

Re: Constant window minimising/tab

Hello and welcome to TSF


Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix. Please stay with me until your system has been declared clean.

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.



P2P Software

P2P - I see you have P2P software ( Get-Torrent ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: This P2P software is malware. Please uninstall it, as it might be contributing to your current condition.

References for the risk of these programs are here,
here and here.

I would strongly recommend that you uninstall it. To uninstall this program, you can do so via Control Panel >> Add or Remove Programs.


Combofix

We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.



Please continue as follows:
  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  2. Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

----------------------------------------------------

If ComboFix is rebooting your system, allow it to complete the reboot into Normal Mode. Do NOT interrupt the reboot to enter Safe Mode for the next step.

After ComboFix has completed....


SDFix

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.


HijackThis Download

Next, please download HijackThis and Save it to your Desktop.

Alternate link

Double-click on the file you just downloaded.
Click on the Unzip button to install. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis

Upon install, HijackThis should open for you.

Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double click on HijackThis.exe

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Please post a new HijackThis log in your next reply. Do not fix anything in HijackThis since they may be harmless.


Logs

Please post the following logs in your next reply...
  • C:\ComboFix.txt
  • C:\SDFix\Report.txt
  • A Fresh New HijackThis Log
#4, 05-07-2008, 03:35 PM
Registered User
Join Date: May 2008
Posts: 18
OS: Windows Xp/ Tiger


Re: Constant window minimising/tab

Hello, and thanks for your instructions, time, and help.

I've now found another thing: it seems to press the Windows key, not Tab/Shift.

I couldn't produce C:\SDFix\Report.txt. When I start my computer, I can start as a Mac or a PC, and if I start as a PC, my keyboard isn't recognised until the user icons appear. So I couldn't even start it in Safe Mode.

ComboFix log (also in the attached files):

ComboFix 08-05-01.3 - Benjamin 2008-05-07 18:10:48.1 - FAT32x86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.681 [GMT -4:00]
Endroit: C:\Documents and Settings\Benjamin\Bureau\ComboFix.exe
Command switches used :: C:\Documents and Settings\Benjamin\Bureau\WindowsXP-KB310994-SP2-Home-BootDisk-FRA.exe
* Création d'un nouveau point de restauration

AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Menu Démarrer\Online Security Guide.url
C:\Documents and Settings\All Users\Menu Démarrer\Security Troubleshooting.url
C:\Documents and Settings\Benjamin\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
C:\WINDOWS\dkxrstqnog.dll
C:\WINDOWS\Installer\{12233bb6-6135-43af-89d0-ead08d1a274b}
C:\WINDOWS\Installer\{12233bb6-6135-43af-89d0-ead08d1a274b}\zip.dll
C:\WINDOWS\Installer\{377ba2a0-0ad8-4831-a2d0-0690d11500a7}
C:\WINDOWS\Installer\{377ba2a0-0ad8-4831-a2d0-0690d11500a7}\RomKernel.dll
C:\WINDOWS\system32\_000007_.tmp.dll

.
((((((((((((((((((((((((((((( Fichiers créés 2008-04-07 to 2008-05-07 ))))))))))))))))))))))))))))))))))))
.

2008-05-06 18:32 . 2008-05-06 18:32 33,824 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
2008-05-06 18:30 . 2008-05-06 18:30 <REP> d-------- C:\WINDOWS\system32\URTTemp
2008-05-04 12:43 . 2008-05-04 12:43 <REP> d-------- C:\Deckard
2008-05-04 12:03 . 2008-05-04 12:03 <REP> d-------- C:\Program Files\Panda Security
2008-05-03 22:05 . 2008-05-03 22:05 <REP> d--hs---- C:\FOUND.031
2008-05-03 14:30 . 2008-05-03 14:30 <REP> d-------- C:\Program Files\MSN Messenger
2008-05-01 15:24 . 2008-05-06 21:06 12 --a------ C:\WINDOWS\bthservsdp.dat
2008-05-01 14:30 . 2008-05-01 14:30 <REP> d--hs---- C:\FOUND.030
2008-05-01 13:21 . 2008-05-01 13:21 <REP> d-------- C:\Program Files\Softnyx
2008-04-29 22:29 . 2004-08-04 00:54 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-04-29 22:29 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-04-29 22:29 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2008-04-29 22:29 . 2001-08-23 17:47 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-04-29 19:25 . 2008-04-29 19:25 <REP> d--hs---- C:\FOUND.029
2008-04-28 23:45 . 2008-04-28 23:45 <REP> d--hs---- C:\FOUND.028
2008-04-28 19:46 . 2008-04-28 19:46 16,472 --a------ C:\Program Files\tmp130859.exe
2008-04-28 18:26 . 2008-04-28 18:26 <REP> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-28 18:26 . 2008-04-28 18:26 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-28 17:37 . 2008-04-28 17:37 <REP> d-------- C:\Program Files\ClamWin
2008-04-28 17:37 . 2008-04-28 17:37 <REP> d-------- C:\Documents and Settings\Benjamin\Application Data\.clamwin
2008-04-28 17:37 . 2008-04-28 17:37 <REP> d-------- C:\Documents and Settings\All Users\.clamwin
2008-04-28 14:49 . 2008-04-28 14:49 16,476 --a------ C:\Program Files\tmp34484.exe
2008-04-27 20:45 . 2008-04-27 20:45 16,536 --a------ C:\Program Files\tmp160765.exe
2008-04-27 20:36 . 2008-04-27 20:36 16,484 --a------ C:\Program Files\tmp36625.exe
2008-04-27 20:06 . 2008-04-27 20:06 16,580 --a------ C:\Program Files\tmp48421.exe
2008-04-27 17:57 . 2008-05-05 20:24 107,832 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2008-04-27 17:57 . 2008-04-28 14:37 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2008-04-27 17:57 . 2008-05-05 20:24 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-27 17:16 . 2008-04-27 17:16 16,512 --a------ C:\Program Files\tmp197625.exe
2008-04-27 06:34 . 2008-04-27 06:34 16,544 --a------ C:\Program Files\tmp327453.exe
2008-04-24 20:27 . 2008-04-24 20:27 16,488 --a------ C:\Program Files\tmp63375.exe
2008-04-22 19:54 . 2008-04-22 19:54 16,520 --a------ C:\Program Files\tmp71156.exe
2008-04-21 19:55 . 2008-04-21 19:55 16,608 --a------ C:\Program Files\tmp37562.exe
2008-04-18 22:58 . 2008-04-18 22:58 16,524 --a------ C:\Program Files\tmp40359.exe
2008-04-11 08:22 . 2008-04-11 08:22 16,444 --a------ C:\Program Files\tmp37937.exe

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-28 18:37 16,508 ----a-w C:\Program Files\tmp34546.exe
2008-04-19 21:39 16,476 ----a-w C:\Program Files\tmp61734.exe
2008-04-10 20:44 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-04-10 20:39 16,648 ----a-w C:\Program Files\tmp39593.exe
2008-04-04 15:28 16,584 ----a-w C:\Program Files\tmp35218.exe
2008-04-04 15:03 16,512 ----a-w C:\Program Files\tmp253156.exe
2008-04-04 15:02 --------- d-----w C:\Documents and Settings\Pierre Julien\Application Data\Ventrilo
2008-04-04 15:00 16,600 ----a-w C:\Program Files\tmp36140.exe
2008-03-30 19:19 16,548 ----a-w C:\Program Files\tmp40562.exe
2008-03-30 16:17 16,448 ----a-w C:\Program Files\tmp122390.exe
2008-03-30 12:39 --------- d-----w C:\Program Files\ImpotRapide 2007
2008-03-30 12:39 --------- d-----w C:\Documents and Settings\Pierre Julien\Application Data\Intuit Canada
2008-03-30 12:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit Canada
2008-03-30 12:27 16,588 ----a-w C:\Program Files\tmp129203.exe
2008-03-23 19:16 16,560 ----a-w C:\Program Files\tmp44281.exe
2008-03-21 18:32 16,596 ----a-w C:\Program Files\tmp38187.exe
2008-03-21 01:17 16,572 ----a-w C:\Program Files\tmp504375.exe
2008-03-20 18:59 16,636 ----a-w C:\Program Files\tmp37703.exe
2008-03-20 17:58 16,652 ----a-w C:\Program Files\tmp50484.exe
2008-03-20 08:09 1,845,376 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-20 08:09 1,845,376 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-20 02:53 16,468 ----a-w C:\Program Files\tmp39218.exe
2008-03-19 22:21 --------- d-----w C:\Program Files\Common Files
2008-03-19 20:52 16,572 ----a-w C:\Program Files\tmp82343.exe
2008-03-19 01:54 16,604 ----a-w C:\Program Files\tmp37875.exe
2008-03-18 19:58 16,440 ----a-w C:\Program Files\tmp61781.exe
2008-03-17 20:05 16,456 ----a-w C:\Program Files\tmp37421.exe
2008-03-16 21:12 16,524 ----a-w C:\Program Files\tmp162375.exe
2008-03-15 23:17 16,584 ----a-w C:\Program Files\tmp84265.exe
2008-03-14 18:52 16,564 ----a-w C:\Program Files\tmp43921.exe
2008-03-14 15:42 16,588 ----a-w C:\Program Files\tmp38390.exe
2008-03-14 03:07 16,588 ----a-w C:\Program Files\tmp32171.exe
2008-03-14 02:42 16,464 ----a-w C:\Program Files\tmp127250.exe
2008-03-13 20:05 16,648 ----a-w C:\Program Files\tmp126343.exe
2008-03-12 23:00 --------- d-sh--w C:\Program Files\Fichiers communs\WindowsLiveInstaller
2008-03-12 22:59 --------- d-----w C:\Program Files\Windows Live
2008-03-12 22:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-12 00:08 16,460 ----a-w C:\Program Files\tmp173843.exe
2008-03-12 00:02 16,452 ----a-w C:\Program Files\tmp37062.exe
2008-03-11 20:33 16,552 ----a-w C:\Program Files\tmp36218.exe
2008-03-10 20:31 16,608 ----a-w C:\Program Files\tmp142375.exe
2008-03-10 04:46 16,588 ----a-w C:\Program Files\tmp172609.exe
2008-03-09 22:40 16,472 ----a-w C:\Program Files\tmp60953.exe
2008-03-09 21:41 16,472 ----a-w C:\Program Files\tmp38078.exe
2008-03-08 14:04 16,512 ----a-w C:\Program Files\tmp70734.exe
2008-03-07 23:27 16,500 ----a-w C:\Program Files\tmp38437.exe
2008-03-07 17:28 16,544 ----a-w C:\Program Files\tmp43468.exe
2008-03-07 17:10 16,596 ----a-w C:\Program Files\tmp200281.exe
2008-03-07 00:11 16,640 ----a-w C:\Program Files\tmp156984.exe
2008-03-06 22:26 16,508 ----a-w C:\Program Files\tmp131234.exe
2008-03-06 15:32 16,536 ----a-w C:\Program Files\tmp42375.exe
2008-03-06 15:06 16,536 ----a-w C:\Program Files\tmp366218.exe
2008-03-05 23:52 16,564 ----a-w C:\Program Files\tmp35765.exe
2008-03-05 18:29 16,508 ----a-w C:\Program Files\tmp127062.exe
2008-03-05 17:43 16,640 ----a-w C:\Program Files\tmp60796.exe
2008-03-05 16:53 16,544 ----a-w C:\Program Files\tmp39750.exe
2008-03-04 21:25 16,468 ----a-w C:\Program Files\tmp60000.exe
2008-03-04 20:04 16,456 ----a-w C:\Program Files\tmp35875.exe
2008-03-04 01:02 16,532 ----a-w C:\Program Files\tmp155578.exe
2008-03-03 21:10 16,492 ----a-w C:\Program Files\tmp71906.exe
2008-03-03 18:51 16,500 ----a-w C:\Program Files\tmp39546.exe
2008-03-03 18:46 16,548 ----a-w C:\Program Files\tmp67343.exe
2008-03-03 17:53 35,816 ----a-w C:\Program Files\instaler.exe
2008-03-03 17:53 16,556 ----a-w C:\Program Files\tmp14564328.exe
2008-03-03 08:58 102,400 ----a-w C:\WINDOWS\fqspogw.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:35 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:35 45,568 ----a-w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:35 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-16 22:32 3,080,704 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-15 09:23 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2002-06-10 21:30 7,175,689 ----a-w C:\Program Files\SC4_E3_hi.mov
.

((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 12:00 15360]
"Fraps"="C:\FRAPS\FRAPS\FRAPS.EXE" [2007-07-12 03:15 913064]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AppleTime"="C:\WINDOWS\system32\AppleTime.exe" [2006-07-14 17:18 65536]
"Brightness"="C:\WINDOWS\system32\Brightness.exe" [2006-09-26 17:17 172032]
"Apple_KbdMgr"="C:\Program Files\Apple Keyboard Support\KbdMgr.exe" [2006-10-24 17:38 315392]
"SigmatelSysTrayApp"="sttray.exe" []
"BluetoothAuthenticationAgent"="rundll32.exe" [2004-08-05 12:00 33792 C:\WINDOWS\system32\rundll32.exe]
"ClamWin"="C:\Program Files\ClamWin\bin\ClamTray.exe" [2008-04-19 16:35 77824]
"svshost"="C:\WINDOWS\system32\svshost.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-05 12:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\svshost]
svshost.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Softnyx\\Rakion\\Bin\\rakion.bin"=
"C:\\Program Files\\Messenger\\MSMSGS.EXE"=
"C:\\ijji\\ENGLISH\\u_sf\\soldierfront.exe"=
"C:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"=
"C:\\WINDOWS\\System32\\dpvsetup.exe"=
"C:\\WINDOWS\\System32\\RUNDLL32.EXE"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2008-05-06 18:32]
R2 KeyAgent;KeyAgent;C:\WINDOWS\system32\drivers\KeyAgent.sys [2006-10-24 17:38]
R2 keymagic;USB Keyboard HID Filter;C:\WINDOWS\system32\DRIVERS\KeyMagic.sys [2006-10-24 17:38]
R3 StartupDiskDriver;StartupDiskDriver;C:\WINDOWS\system32\DRIVERS\StartupDiskDriver.sys [2006-09-26 17:20]
S3 BLUETOOTH_KICKER;Apple Bluetooth Kicker Driver;C:\WINDOWS\system32\Drivers\BthKicker.sys [2006-08-24 23:45]
S3 CEDRIVER53;CEDRIVER53;C:\Program Files\Cheat Engine\dbk32.sys [2006-10-27 19:13]
S3 iSightUpdate;iSight Update Driver;C:\WINDOWS\system32\DRIVERS\iSightUP.sys [2006-09-05 14:08]
S3 usbscan;Pilote de scanneur USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 22:58]
S3 USBSTOR;Pilote de stockage de masse USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-07 18:11:46
Windows 5.1.2600 Service Pack 2 FAT NTAPI

Balayage processus cachés ...

Balayage caché autostart entries ...

Balayage des fichiers cachés ...

Scan terminé avec succès
Les fichiers cachés: 0

**************************************************************************
.
Temps d'accomplissement: 2008-05-07 18:11:58
ComboFix-quarantined-files.txt 2008-05-07 22:11:58

Pre-Run: 8,462,155,776 octets libres
Post-Run: 8,913,207,296 octets libres

195 --- E O F --- 2008-04-11 12:24:36

------------------------------------------------

Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:25:03 PM, on 5/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Brightness.exe
C:\Program Files\Apple Keyboard Support\KbdMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\FRAPS\FRAPS\FRAPS.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AppleTime] C:\WINDOWS\system32\AppleTime.exe
O4 - HKLM\..\Run: [Brightness] C:\WINDOWS\system32\Brightness.exe
O4 - HKLM\..\Run: [Apple_KbdMgr] "C:\Program Files\Apple Keyboard Support\KbdMgr.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [svshost] C:\WINDOWS\system32\svshost.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {343CE214-9998-4B21-A151-FFE970167297} - http://xscanner.spyshredderscanner.c...up/webinst.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/game...lugin11USA.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
O18 - Protocol: intu-ir2007 - {52BAEC6B-9405-46F9-A131-6D50720A3CC4} - C:\Program Files\ImpotRapide 2007\ic2007pp.dll
O20 - Winlogon Notify: svshost - svshost.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe

--
End of file - 4765 bytes
Attached Files
File Type: txt ComboFix.txt (12.8 KB, 3 views)
Old 05-07-2008, 11:08 PM   #5 (permalink)
Analyst, Security Team
 
 
Join Date: Mar 2006
Location: Singapore
Posts: 1,604
OS: Windows XP SP2


Re: Constant window minimising/tab

Hello and welcome back to TSF.


Spybot S&D's TeaTimer

Before we continue: while TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent our tools from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
To disable TeaTimer:
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.


Quote:
When I start my computer, I can start as a Mac or a PC, and if I start as a PC, my keyboard isn't taken in charge until the user icons appear. So I couldn't even start it in safe mode.
To solve this issue, you would need to hook up a PS/2 keyboard instead of a USB one in order to get into safe mode.

Or another alternative you can try is to see if your computer has a setting for USB support to be handled by the BIOS instead of by the operating system. See here for more information.

Please inform me on how it goes.

--------------------------------------------

After you manage to get access to safe mode, please continue with SDFix.
  • Open the extracted SDFix folder (C:\SDFix) and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.


Logs

Please post the following logs in your next reply...
  • Report.txt
  • A Fresh New HijackThis Log
__________________

If you think TSF has helped you, please kindly donate to TSF and help keep this site free to all.
Old 05-08-2008, 01:37 PM   #6 (permalink)
Registered User
 
Join Date: May 2008
Posts: 18
OS: Windows Xp/ Tiger


Re: Constant window minimising/tab

Okay, I used another keyboard and it worked. Thanks for your time.

I found that the "automatic Windows button pressing" is speeding up little by little, but it is speeding up.

Report.txt attached

Fresh hijackThis log. (Not attached)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:31:09 PM, on 5/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Brightness.exe
C:\Program Files\Apple Keyboard Support\KbdMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\FRAPS\FRAPS\FRAPS.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AppleTime] C:\WINDOWS\system32\AppleTime.exe
O4 - HKLM\..\Run: [Brightness] C:\WINDOWS\system32\Brightness.exe
O4 - HKLM\..\Run: [Apple_KbdMgr] "C:\Program Files\Apple Keyboard Support\KbdMgr.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {343CE214-9998-4B21-A151-FFE970167297} - http://xscanner.spyshredderscanner.c...up/webinst.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/game...lugin11USA.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
O18 - Protocol: intu-ir2007 - {52BAEC6B-9405-46F9-A131-6D50720A3CC4} - C:\Program Files\ImpotRapide 2007\ic2007pp.dll
O20 - Winlogon Notify: svshost - svshost.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe

--
End of file - 4585 bytes
Attached Files
File Type: txt report.txt (497.8 KB, 4 views)
Old 05-09-2008, 05:58 AM   #7 (permalink)
Analyst, Security Team
 
 
Join Date: Mar 2006
Location: Singapore
Posts: 1,604
OS: Windows XP SP2


Re: Constant window minimising/tab

Hello and welcome back to TSF.


Fixes with HijackThis

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (if they still exist; make sure you do not miss any):


O16 - DPF: {343CE214-9998-4B21-A151-FFE970167297} - http://xscanner.spyshredderscanner.c...up/webinst.cab
O20 - Winlogon Notify: svshost - svshost.dll (file missing)


Please remember to close all other windows, including browsers then click Fix checked.


Files and Folders Deletion

Delete the following file (indicated in RED) if it still exists.

C:\Program Files\instaler.exe

If the file resists deletion, please boot into safe mode and delete it.


Online Scan

Using Internet Explorer, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
* Turn off the real-time scanner of any existing antivirus program while performing the online scan.


Logs

Please post the following logs in your next reply...
  • Kaspersky's Online Scan Log
  • A Fresh New HijackThis Log

How is your system behaving now?
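Added example, not code from this thread and not part of Trend Micro's HijackThis: a small Python triage script that reads HJT-style log lines and flags the kinds of entries the analyst singled out above (an O20 Winlogon Notify entry with a missing DLL, an O4 Run entry whose executable name is one character off a core Windows binary, and an O16 DPF download from a domain outside an allowlist). The core-binary set and the DPF allowlist are constructed assumptions; the sample lines are copied from the HijackThis log posted earlier in the thread.

```python
"""HijackThis log triage (illustrative, not the thread's or HJT's own code)."""
import re
from urllib.parse import urlparse

# Assumption: core Windows binaries whose names malware commonly imitates.
CORE_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                 "services.exe", "explorer.exe", "ctfmon.exe", "smss.exe"}
# Constructed allowlist of O16 DPF (ActiveX download) sources; adjust to taste.
DPF_ALLOWED = {"windowsupdate.microsoft.com", "update.microsoft.com"}

O4_RE = re.compile(r"^O4 - \S+\\Run: \[(?P<name>[^\]]+)\] (?P<rest>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))? - (?P<url>\S+)")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>\S+)(?P<tail>.*)$")


def differ_by_one(a, b):
    """True when a and b are exactly one substitution, insertion or deletion apart."""
    if a == b:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if abs(len(a) - len(b)) != 1:
        return False
    short, long_ = sorted((a, b), key=len)
    # Deleting one character from the longer string must yield the shorter one.
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def run_entry_target(rest):
    """Return the executable path from the text after '[name] ' in an O4 line."""
    if rest.startswith('"'):                      # quoted path, arguments follow
        return rest[1:rest.index('"', 1)]
    return re.sub(r" \(User '.*'\)$", "", rest).strip()   # drop HJT's user tag


def triage_hjt(lines):
    """Return (severity, kind, line) findings for the given HJT log lines."""
    findings = []
    for line in lines:
        line = line.strip()
        m = O20_RE.match(line)
        if m:
            if "(file missing)" in m.group("tail"):   # notify DLL no longer on disk
                findings.append(("high", "winlogon-notify-missing-dll", line))
            continue
        m = O4_RE.match(line)
        if m:
            exe = run_entry_target(m.group("rest")).rsplit("\\", 1)[-1].lower()
            if exe not in CORE_BINARIES and any(differ_by_one(exe, c) for c in CORE_BINARIES):
                findings.append(("high", "lookalike-run-entry", line))   # e.g. svshost.exe
            continue
        m = O16_RE.match(line)
        if m:
            host = (urlparse(m.group("url")).hostname or "").lower()
            if not any(host == d or host.endswith("." + d) for d in DPF_ALLOWED):
                findings.append(("review", "dpf-download-outside-allowlist", line))
    return findings


# Sample input: lines copied from the HijackThis log posted in this thread
# (the O16 URL is truncated exactly as it appears in the post).
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [svshost] C:\WINDOWS\system32\svshost.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O16 - DPF: {343CE214-9998-4B21-A151-FFE970167297} - http://xscanner.spyshredderscanner.c...up/webinst.cab
O20 - Winlogon Notify: svshost - svshost.dll (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
'''.strip().splitlines()

if __name__ == "__main__":
    for severity, kind, line in triage_hjt(SAMPLE_LOG):
        print(f"[{severity}] {kind}: {line}")
```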
Old 05-12-2008, 01:07 PM   #8 (permalink)
Registered User
 
Join Date: May 2008
Posts: 18
OS: Windows Xp/ Tiger


Re: Constant window minimising/tab

Hi, sorry for being late doing this, I just got a new job and all.

Kaspersky scan file attached under scan.txt.

I don't have my minimizing problem anymore.
Problem solved, I guess.

HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:04:50 PM, on 5/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Brightness.exe
C:\Program Files\Apple Keyboard Support\KbdMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\FRAPS\FRAPS\FRAPS.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AppleTime] C:\WINDOWS\system32\AppleTime.exe
O4 - HKLM\..\Run: [Brightness] C:\WINDOWS\system32\Brightness.exe
O4 - HKLM\..\Run: [Apple_KbdMgr] "C:\Program Files\Apple Keyboard Support\KbdMgr.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58