Tech Support Forum, Security Center: Virus/Trojan/Spyware Help, Resolved HJT Threads (resolved spyware and popup issues)
Old 09-03-2009, 06:54 PM   #1 (permalink)
Registered User
 
Join Date: Sep 2009
Posts: 5
OS: WIN XP SP3


EEK! DVD Shrink won't run / MSWINSCK.OCX missing or invalid

I have had many problems involving viruses/malware over the last 3 weeks (they started on 16/8, around the same time as the install of .NET Framework).

The first thing to go was DVD Shrink: the application appears in Task Manager briefly but never starts. Task Manager was the next to go, being disabled in Group Policy, followed by the ability to edit the Registry. Along the way there were the Porno/Nude tube shortcuts, Win32/Rustock.Q, Win32WormNyxem, Win32/Induc.A, Win32Backdoor.Delf, Trojan horse Dropper.Agent.OEK, Trojan horse Clicker.AAZY, Trojan horse Downloader.Generic8.BJDH, Win32/Heur, Trojan horse SpamBot.W, Win32/Virut, Trojan horse PSW.Agent.HOJ, Trojan horse SHeur2.AXPX, and these were many and often. There were numerous infected Session Restore files, and problems (just today) with Yahoo Messenger not loading and Firefox browser pages opening but not reaching the URL. Please help!!!



DDS (Ver_09-07-30.01) - NTFSx86
Run by David Mills at 9:08:07.26 on Fri 04/09/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.759.264 [GMT 10:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\WgaTray.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
svchost.exe C:\WINDOWS\TEMP\VRT7.tmp
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\3 MobileBroadband\3 MobileBroadband.exe
svchost.exe C:\WINDOWS\TEMP\VRT73.tmp
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\David Mills\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mStart Page = about:blank
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\documents and settings\david mills\fisaoe.exe \s
BHO: MSN helper: {9bc9c69a-6384-4a7c-a4d3-f8c697f4253f} - smyrp.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Mobile Partner] "c:\program files\3 mobilebroadband\3 MobileBroadband.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [Smapp] c:\program files\analog devices\soundmax\SMTray.exe
mRun: [DrvLsnr] c:\program files\analog devices\soundmax\DrvLsnr.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [trmwo] c:\windows\system32\trmwo.exe \u
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mExplorerRun: [exec] c:\windows\fonts\services.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1251816789500
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
TCP: {2D8F2F14-C2E1-4596-9F53-2F910DE269AD} = 10.176.66.71 10.188.66.103
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = :\windows\system3

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\davidm~1\applic~1\mozilla\firefox\profiles\3187umew.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=GRxdm024YYAU&fl=0&ptb=1rZoHP9HJr2S9c6OYq6WEA&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\david mills\local settings\application data\yahoo!\browserplus\2.4.17\plugins\npybrowserplus_2.4.17.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-8-22 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-16 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-16 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-16 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-8-16 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-8-16 297752]
R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\NBService.exe [2009-7-20 935208]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
S2 gupdate1ca22b0dfc81260;Google Update Service (gupdate1ca22b0dfc81260);c:\program files\google\update\GoogleUpdate.exe [2009-8-22 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-4 1029456]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-8-27 34064]

=============== Created Last 30 ================

2009-09-04 08:59 62,496 a------- c:\windows\MSWINSCK.OCX
2009-09-04 08:48 45,056 a------- c:\windows\system32\WNASPI32.DLL
2009-09-04 08:48 16,877 a------- c:\windows\system32\drivers\ASPI32.SYS
2009-09-04 08:48 5,600 a------- c:\windows\system\WINASPI.DLL
2009-09-04 08:48 4,672 a------- c:\windows\system\WOWPOST.EXE
2009-09-04 08:48 288,433 a------- c:\temp\aspi32.exe
2009-09-04 08:48 <DIR> --d----- c:\temp\Aspi 470
2009-09-04 08:48 173,056 a------- c:\temp\UNWISE.EXE
2009-09-04 08:48 <DIR> --d----- C:\Temp
2009-09-04 08:40 1 a------- c:\windows\system32\idm.dat
2009-09-04 08:40 1 a------- c:\windows\system32\c2d.dat
2009-09-04 08:40 62,496 a------- c:\windows\system32\MSWINSCK.OCX
2009-09-04 08:39 1 a------- c:\windows\system32\75.tmp
2009-09-04 08:39 88 a------- c:\windows\system32\74.tmp
2009-09-04 04:00 1 a------- c:\windows\system32\25.tmp
2009-09-04 04:00 88 a------- c:\windows\system32\1A.tmp
2009-09-04 03:55 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-09-04 03:54 <DIR> --d----- c:\program files\Microsoft SQL Server Compact Edition
2009-09-04 03:53 <DIR> --d----- c:\program files\DVD Ripper
2009-09-03 23:08 2,535 a------- C:\a.jpg
2009-09-03 23:06 1 a------- c:\windows\system32\28.tmp
2009-09-03 23:06 88 a------- c:\windows\system32\24.tmp
2009-09-03 14:44 1 a------- c:\windows\system32\23.tmp
2009-09-03 14:44 88 a------- c:\windows\system32\22.tmp
2009-09-03 12:03 1 a------- c:\windows\system32\21.tmp
2009-09-03 12:03 88 a------- c:\windows\system32\20.tmp
2009-09-03 09:14 262,144 a------- C:\ntuser.dat
2009-09-03 01:14 45 a------- c:\windows\system32\ca.dat
2009-09-03 01:13 1 a------- c:\windows\system32\1F.tmp
2009-09-03 01:13 88 a------- c:\windows\system32\1E.tmp
2009-09-02 12:45 <DIR> --d----- c:\program files\Yahoo!
2009-09-02 07:22 1 a------- c:\windows\system32\1D.tmp
2009-09-02 07:22 88 a------- c:\windows\system32\1B.tmp
2009-09-02 06:57 1 a------- c:\windows\system32\1C.tmp
2009-09-02 06:55 <DIR> --d----- c:\program files\DVD Shrink
2009-09-02 03:44 1 a------- c:\windows\system32\19.tmp
2009-09-02 03:44 88 a------- c:\windows\system32\18.tmp
2009-09-02 02:58 1 a------- c:\windows\system32\17.tmp
2009-09-02 02:58 88 a------- c:\windows\system32\16.tmp
2009-09-02 02:37 <DIR> --d----- c:\windows\SxsCaPendDel
2009-09-02 01:57 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-09-02 01:54 1 a------- c:\windows\system32\12.tmp
2009-09-02 01:54 88 a------- c:\windows\system32\10.tmp
2009-09-02 01:40 1 a------- c:\windows\system32\33.tmp
2009-09-02 01:40 88 a------- c:\windows\system32\32.tmp
2009-09-02 01:33 135,168 a------- c:\windows\system32\igfxres.dll
2009-09-02 00:18 1 a------- c:\windows\system32\F.tmp
2009-09-02 00:18 88 a------- c:\windows\system32\C.tmp
2009-09-01 23:51 <DIR> --d----- c:\program files\Audacity
2009-09-01 22:49 67 a------- c:\windows\#1 DVD Ripper.INI
2009-09-01 16:09 1 a------- c:\windows\system32\B.tmp
2009-09-01 16:09 88 a------- c:\windows\system32\A.tmp
2009-09-01 14:05 1 a------- c:\windows\system32\15.tmp
2009-09-01 14:05 88 a------- c:\windows\system32\13.tmp
2009-08-30 22:02 1 a------- c:\windows\system32\9.tmp
2009-08-30 22:02 88 a------- c:\windows\system32\8.tmp
2009-08-30 21:18 1 a------- c:\windows\system32\20D8.tmp
2009-08-30 21:18 88 a------- c:\windows\system32\20D7.tmp
2009-08-30 17:00 1 a------- c:\windows\system32\20D4.tmp
2009-08-30 17:00 88 a------- c:\windows\system32\20D3.tmp
2009-08-30 12:34 1 a------- c:\windows\system32\q1.dat
2009-08-30 12:09 1 a------- c:\windows\system32\40.tmp
2009-08-30 12:09 88 a------- c:\windows\system32\3E.tmp
2009-08-30 06:36 45,056 a------- c:\windows\system32\smarp.dll
2009-08-30 06:36 1 a------- c:\windows\system32\E.tmp
2009-08-30 06:36 88 a------- c:\windows\system32\D.tmp
2009-08-29 23:48 56,320 a------- c:\windows\system32\inform.dat
2009-08-29 23:48 45,056 a------- c:\windows\system32\smyrp.dll
2009-08-29 23:48 3 a------- c:\windows\system32\lkd
2009-08-29 23:48 1 a------- c:\windows\system32\14.tmp
2009-08-29 23:48 0 a------- c:\windows\SC.INS
2009-08-29 23:48 0 a------- c:\windows\sc.exe
2009-08-29 23:48 <DIR> --d----- c:\program files\Protection System
2009-08-29 23:48 361,600 a------- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-08-29 23:48 88 a------- c:\windows\system32\11.tmp
2009-08-29 23:25 <DIR> --d----- c:\docume~1\davidm~1\applic~1\AVS4YOU
2009-08-29 23:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVS4YOU
2009-08-29 20:14 348,160 a------- c:\windows\system32\msvcr71.dll
2009-08-29 20:09 1,700,352 a------- c:\windows\system32\GdiPlus.dll
2009-08-29 20:09 24,576 a------- c:\windows\system32\msxml3a.dll
2009-08-27 03:52 34,064 a------- c:\windows\system32\drivers\npf.sys
2009-08-27 03:52 240,248 a------- c:\windows\system32\wpcap.dll
2009-08-27 03:52 88,704 a------- c:\windows\system32\Packet.dll
2009-08-27 03:52 53,299 a------- c:\windows\system32\pthreadVC.dll
2009-08-27 03:52 <DIR> --d----- c:\windows\SysWOW64
2009-08-27 00:36 872,192 a------- c:\windows\system32\drivers\mod7700.sys
2009-08-27 00:36 103,168 a------- c:\windows\system32\drivers\ewusbfake.sys
2009-08-27 00:36 101,376 a------- c:\windows\system32\drivers\ewusbmdm.sys
2009-08-27 00:36 100,992 a------- c:\windows\system32\drivers\ewusbnet.sys
2009-08-27 00:36 24,448 a------- c:\windows\system32\drivers\ewdcsc.sys
2009-08-24 14:36 15,688 a------- c:\windows\system32\lsdelete.exe
2009-08-22 08:52 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-08-22 08:43 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-22 08:42 <DIR> --d----- c:\program files\Lavasoft
2009-08-21 10:35 4 a------- c:\windows\system32\micr0st.dll
2009-08-21 10:27 <DIR> --d----- c:\docume~1\davidm~1\applic~1\GetRightToGo
2009-08-20 21:05 16,752 a------- c:\docume~1\davidm~1\applic~1\GDIPFONTCACHEV1.DAT
2009-08-20 19:40 221,184 a------- c:\windows\system32\wmpns.dll
2009-08-20 17:44 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-20 17:44 73,728 a------- c:\windows\system32\javacpl.cpl
2009-08-20 09:48 47,580 a------- C:\_005347_.tmp.dll
2009-08-20 09:47 47,580 a------- c:\windows\NTDETECT.COM
2009-08-20 09:47 47,580 a------- C:\_005343_.tmp.dll
2009-08-20 09:47 47,580 a------- C:\_005342_.tmp.dll
2009-08-20 08:55 152,848 a------- c:\windows\system32\COMDLG32.OCX
2009-08-20 08:55 <DIR> --d----- c:\program files\common files\wcs
2009-08-20 07:49 258,048 -c------ c:\windows\system32\dllcache\wmvds32.ax
2009-08-20 07:49 4,096 -c------ c:\windows\system32\dllcache\wmvdmoe2.dll
2009-08-20 07:49 1,327,616 -c------ c:\windows\system32\dllcache\WMSPDMOE.dll
2009-08-20 07:49 303,616 -c------ c:\windows\system32\dllcache\wmstream.dll
2009-08-20 07:49 278,559 -c------ c:\windows\system32\dllcache\wmv8ds32.ax
2009-08-20 07:49 4,096 -c------ c:\windows\system32\dllcache\wmvdmod.dll
2009-08-20 07:47 77,307 -c------ c:\windows\system32\dllcache\plyr_err.chm
2009-08-20 07:46 221,184 -c------ c:\windows\system32\dllcache\msadds32.ax
2009-08-20 07:45 10,752 -------- c:\windows\system32\smtpapi.dll
2009-08-20 07:45 9,728 -------- c:\windows\system32\rwnh.dll
2009-08-20 07:45 81,920 -------- c:\windows\system32\ieencode.dll
2009-08-20 07:45 19,569 a------- c:\windows\005031_.tmp
2009-08-19 23:06 442,368 a----r-- c:\windows\system32\vp6vfw.dll
2009-08-19 22:39 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-08-19 22:39 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-08-19 22:36 <DIR> -cd-h--- c:\windows\ie8
2009-08-16 13:26 12,160 ac------ c:\windows\system32\dllcache\mouhid.sys
2009-08-16 13:26 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-08-16 13:26 10,368 a------- c:\windows\system32\drivers\hidusb.sys
2009-08-16 05:51 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-08-16 05:40 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-16 05:40 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-08-16 05:39 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-08-16 05:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-08-16 05:39 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-16 05:39 <DIR> --d----- c:\program files\AVG
2009-08-16 05:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-08-16 05:31 1,409 a------- c:\windows\QTFont.for
2009-08-15 18:41 617,472 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-15 18:41 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-15 18:41 117,760 -------- c:\windows\system32\prntvpt.dll
2009-08-15 18:40 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-08-15 18:40 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-15 18:40 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-08-15 18:40 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-08-15 18:40 <DIR> --d----- C:\95264b7f1e6e8c22474dccc8da38
2009-08-14 18:48 <DIR> --d----- c:\program files\Nero
2009-08-14 18:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nero
2009-08-14 03:25 594,432 -c------ c:\windows\system32\dllcache\msfeeds.dll
2009-08-14 03:25 1,985,536 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-08-14 03:25 55,296 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2009-08-14 03:25 59,904 ac------ c:\windows\system32\dllcache\icardie.dll
2009-08-14 03:25 33,792 -c------ c:\windows\system32\dllcache\ieudinit.exe
2009-08-14 03:25 445,952 ac------ c:\windows\system32\dllcache\ieapfltr.dll
2009-08-14 03:25 3,698,584 ac------ c:\windows\system32\dllcache\ieapfltr.dat
2009-08-14 03:25 1,241,088 ac------ c:\windows\system32\dllcache\ieframe.dll.mui
2009-08-14 03:25 11,067,392 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-08-13 16:42 <DIR> --d----- c:\windows\system32\LogFiles
2009-08-13 05:19 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-13 05:19 2,066,432 -c------ c:\windows\system32\dllcache\mstscax.dll
2009-08-13 05:16 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-08-13 05:16 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-08-13 05:16 130,560 -c------ c:\windows\system32\dllcache\services.exe
2009-08-13 05:16 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-08-13 05:16 247,808 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-08-13 05:16 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-08-13 05:16 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-08-13 05:16 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-08-13 05:16 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-13 05:16 2,189,056 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-13 05:16 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-13 05:13 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
2009-08-13 05:11 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-08-13 05:11 333,952 -c------ c:\windows\system32\dllcache\srv.sys
2009-08-13 05:11 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2009-08-13 05:11 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2009-08-13 05:09 247,326 -c------ c:\windows\system32\dllcache\strmdll.dll
2009-08-13 05:09 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2009-08-13 05:07 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-08-13 05:07 235,520 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-08-10 16:01 <DIR> --d----- c:\documents and settings\david mills\Tracing
2009-08-10 15:48 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-08-10 15:48 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-08-10 15:11 3,426,072 a------- c:\windows\system32\d3dx9_32.dll
2009-08-10 15:10 <DIR> --d----- c:\program files\Microsoft
2009-08-10 15:09 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-08-10 13:49 <DIR> --d----- c:\windows\system32\wbem\Repository.001
2009-08-10 13:42 233,632 a------- C:\_005338_.tmp.dll
2009-08-10 13:42 233,632 a------- C:\_005337_.tmp.dll
2009-08-10 12:42 233,632 a------- C:\_005115_.tmp.dll
2009-08-10 12:41 233,632 a------- c:\windows\ntldr.original
2009-08-10 12:41 233,632 a------- C:\_005339_.tmp.dll
2009-08-10 12:41 233,632 a------- C:\_005333_.tmp.dll
2009-08-10 12:41 233,632 a------- C:\_005117_.tmp.dll
2009-08-10 12:41 233,632 a------- C:\_005116_.tmp.dll
2009-08-10 12:00 233,632 a------- c:\windows\ntldr
2009-08-10 12:00 233,632 a------- C:\ntldr
2009-08-10 11:00 437,248 a------- c:\windows\system32\wbem\SET5B0.tmp
2009-08-10 11:00 218,112 a------- c:\windows\system32\wbem\SET5AF.tmp
2009-08-10 11:00 276,480 a------- c:\windows\system32\SET27E.tmp
2009-08-10 11:00 37,888 a------- c:\windows\system32\SET293.tmp
2009-08-10 11:00 55,808 a------- c:\windows\system32\SET2F9.tmp
2009-08-10 11:00 581,120 a------- c:\windows\system32\SET311.tmp
2009-08-10 11:00 7,208 -------- c:\windows\system32\secupd.sig
2009-08-10 11:00 4,569 -------- c:\windows\system32\secupd.dat
2009-08-10 11:00 245,248 a------- c:\windows\system32\SET3A2.tmp
2009-08-10 11:00 57,667 a------- c:\windows\system32\ieuinit.inf
2009-08-10 11:00 472,064 a------- c:\windows\system32\wbem\SET5D4.tmp
2009-08-10 07:39 1,082,368 a------- c:\windows\system32\esent.dll
2009-08-09 22:33 354,304 a------- c:\windows\system32\winhttp.dll
2009-08-09 22:33 18,944 a------- c:\windows\system32\qmgrprxy.dll
2009-08-09 16:44 159,232 a------- c:\windows\system32\ptpusd.dll
2009-08-08 23:54 213,528 a------- c:\windows\system32\wuaucpl.cpl
2009-08-08 11:49 <DIR> --d----- c:\windows\setup.pss
2009-08-05 21:24 52,864 a------- c:\windows\system32\drivers\dmusic.sys
2009-08-05 21:24 6,272 a------- c:\windows\system32\drivers\splitter.sys
2009-08-05 21:22 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2009-08-05 21:21 57,600 a------- c:\windows\system32\drivers\redbook.sys
2009-08-05 21:20 40,840 a------- c:\windows\system32\drivers\termdd.sys
2009-08-05 21:20 196,224 a------- c:\windows\system32\drivers\rdpdr.sys
2009-08-05 21:16 1,116,816 a------- c:\windows\setupapi.log.0.old
2009-08-05 19:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll

==================== Find3M ====================

2009-08-29 23:48 361,600 a------- c:\windows\system32\drivers\TCPIP.SYS
2009-08-16 11:54 1,674 a------- c:\windows\pchealth\helpctr\config\incstore.bin
2009-08-10 12:55 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-08-05 19:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-29 14:37 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-29 14:37 81,920 a------- c:\windows\system32\fontsub.dll
2009-07-18 04:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 11:50 92,064 a------- c:\documents and settings\david mills\mqdmmdm.sys
2009-07-17 11:50 79,328 a------- c:\documents and settings\david mills\mqdmserd.sys
2009-07-17 11:50 66,656 a------- c:\documents and settings\david mills\mqdmbus.sys
2009-07-17 11:50 25,600 a------- c:\documents and settings\david mills\usbsermptxp.sys
2009-07-17 11:50 22,768 a------- c:\documents and settings\david mills\usbsermpt.sys
2009-07-17 11:50 9,232 a------- c:\documents and settings\david mills\mqdmmdfl.sys
2009-07-17 11:50 6,208 a------- c:\documents and settings\david mills\mqdmcmnt.sys
2009-07-17 11:50 5,936 a------- c:\documents and settings\david mills\mqdmwhnt.sys
2009-07-17 11:50 4,048 a------- c:\documents and settings\david mills\mqdmcr.sys
2009-07-17 04:33 832,896 a------- C:\Sevinst.exe
2009-07-16 23:47 34,528 a------- c:\windows\system32\drivers\Pcouffin.sys
2009-07-12 12:21 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-07-04 03:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-26 04:36 661,504 a------- c:\windows\system32\mqqm.dll
2009-06-26 04:36 517,120 a------- c:\windows\system32\mqsnap.dll
2009-06-26 04:36 471,552 a------- c:\windows\system32\mqutil.dll
2009-06-26 04:36 225,280 a------- c:\windows\system32\mqoa.dll
2009-06-26 04:36 186,880 a------- c:\windows\system32\mqtrig.dll
2009-06-26 04:36 177,152 a------- c:\windows\system32\mqrt.dll
2009-06-26 04:36 138,240 a------- c:\windows\system32\mqad.dll
2009-06-26 04:36 123,392 a------- c:\windows\system32\mqrtdep.dll
2009-06-26 04:36 95,744 a------- c:\windows\system32\mqsec.dll
2009-06-26 04:36 48,640 a------- c:\windows\system32\mqupgrd.dll
2009-06-26 04:36 47,104 a------- c:\windows\system32\mqdscli.dll
2009-06-26 04:36 16,896 a------- c:\windows\system32\mqise.dll
2009-06-25 18:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 18:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 18:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 18:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 18:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 18:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-22 21:49 137,216 a------- c:\windows\system32\mqtgsvc.exe
2009-06-22 21:49 39,936 a------- c:\windows\system32\mqbkup.exe
2009-06-22 21:49 24,576 a------- c:\windows\system32\mqsvc.exe
2009-06-12 22:31 100,864 a------- c:\windows\system32\tlntsess.exe
2009-06-12 22:31 96,256 a------- c:\windows\system32\telnet.exe
2009-06-11 00:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 16:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll

============= FINISH: 9:08:31.64 ===============
Attached Files
File Type: zip ark.zip (2.5 KB, 4 views)
brennan_oz is offline  

Old 09-05-2009, 01:02 PM   #2 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,494
OS: XP SP3


Re: DVD Shrink won't run / MSWINSCK.OCX missing or invalid

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please go to: VirusTotal
  • On the page you'll find a Browse button.
  • Next to the Browse button you'll see a box to enter text.
  • Please copy/paste the following bolded text into the box:

    C:\WINDOWS\Explorer.EXE

  • Then click the Send File button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File has already been analysed: click Reanalyse file now
  • Once scanned, copy and paste the results in your next reply.
  • Please repeat for the following files:

    • C:\WINDOWS\system32\userinit.exe
    • c:\windows\system32\spoolsv.exe
------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Old 09-05-2009, 08:21 PM   #3 (permalink)
Registered User
 
Join Date: Sep 2009
Posts: 5
OS: WIN XP SP3


Re: DVD Shrink won't run / MSWINSCK.OCX missing or invalid

Please find the following 3 scan results.

File Explorer.EXE received on 2009.09.06 0202 (UTC)
Result: 26/41 (63.42%)


Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.09.05 Trojan.Win32.Patched!IK
AhnLab-V3 5.0.0.2 2009.09.05 -
AntiVir 7.9.1.8 2009.09.04 W32/Virut.Gen
Antiy-AVL 2.0.3.7 2009.09.04 -
Authentium 5.1.2.4 2009.09.05 W32/Virut.AI!Generic
Avast 4.8.1351.0 2009.09.05 -
AVG 8.5.0.409 2009.09.05 -
BitDefender 7.2 2009.09.06 Win32.Virtob.Gen.12
CAT-QuickHeal 10.00 2009.09.05 W32.Virut.G
ClamAV 0.94.1 2009.09.05 -
Comodo 2204 2009.09.06 -
DrWeb 5.0.0.12182 2009.09.06 Win32.Virut.56
eSafe 7.0.17.0 2009.09.03 -
eTrust-Vet 31.6.6721 2009.09.04 Win32/Virut.17408
F-Prot 4.5.1.85 2009.09.05 W32/Virut.AI!Generic
F-Secure 8.0.14470.0 2009.09.05 Virus.Win32.Virut.ce
Fortinet 3.120.0.0 2009.09.05 W32/Virut.NBP
GData 19 2009.09.06 Win32.Virtob.Gen.12
Ikarus T3.1.1.72.0 2009.09.05 Trojan.Win32.Patched
Jiangmin 11.0.800 2009.09.05 -
K7AntiVirus 7.10.837 2009.09.05 -
Kaspersky 7.0.0.125 2009.09.06 Virus.Win32.Virut.ce
McAfee 5732 2009.09.05 W32/Virut.n.gen
McAfee+Artemis 5732 2009.09.05 W32/Virut.n.gen
McAfee-GW-Edition 6.8.5 2009.09.06 Heuristic.LooksLike.Win32.Suspicious.H
Microsoft 1.5005 2009.09.05 Virus:Win32/Virut.BM
NOD32 4399 2009.09.05 Win32/Virut.NBP
Norman 6.01.09 2009.09.04 W32/Virut.DI
nProtect 2009.1.8.0 2009.09.06 Virus/W32.Virut.H
Panda 10.0.2.2 2009.09.05 W32/Sality.AO
PCTools 4.4.2.0 2009.09.04 -
Prevx 3.0 2009.09.06 -
Rising 21.45.14.00 2009.09.01 -
Sophos 4.45.0 2009.09.06 W32/Scribble-B
Sunbelt 3.2.1858.2 2009.09.05 Virus.Win32.Virut.ce (v)
Symantec 1.4.4.12 2009.09.06 W32.Virut.CF
TheHacker 6.3.4.3.396 2009.09.04 -
TrendMicro 8.950.0.1094 2009.09.05 PE_VIRUX.J
VBA32 3.12.10.10 2009.09.05 Virus.Win32.Virut.X6
ViRobot 2009.9.4.1919 2009.09.04 -
VirusBuster 4.6.5.0 2009.09.05 -
Additional information
File size: 1053696 bytes
MD5...: b5af72f447119dbe00aaad075689274f
SHA1..: 321a998b498b385c34d4cdce074c2910ab737c98
SHA256: 71a7d982d46d4d71d28a2b0758361b4aec9c455ece583950a318f7e981bc2aa0
ssdeep: 12288:HHmcoCUyZtwAvAs4wTCyrPTloHWYUrkf8w0Vnzac1/g/J/vMS:nmfty/wAvN7lrvbkf8w0VnH1/g/J/k
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xfe994
timedatestamp.....: 0xc8c916bdL (invalid)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x44c09 0x44e00 6.38 fd89c9ce334764ffdbb62637ad9b5809
.data 0x46000 0x1db4 0x1800 1.30 983f35021232560eaaa99fcbc1b7d359
.rsrc 0x48000 0xb2268 0xb2400 6.63 95339c37646fa93e3695e06572a21889
.reloc 0xfb000 0x8800 0x8600 7.69 e6d53dd5cd2da6417bba8b2400fb6a51

( 13 imports )
> ADVAPI32.dll: RegSetValueW, RegEnumKeyExW, GetUserNameW, RegNotifyChangeKeyValue, RegEnumValueW, RegQueryValueExA, RegOpenKeyExA, RegEnumKeyW, RegCloseKey, RegCreateKeyW, RegQueryInfoKeyW, RegOpenKeyExW, RegQueryValueExW, RegCreateKeyExW, RegSetValueExW, RegDeleteValueW, RegQueryValueW
> BROWSEUI.dll: -, -, -, -
> GDI32.dll: GetStockObject, CreatePatternBrush, OffsetViewportOrgEx, GetLayout, CombineRgn, CreateDIBSection, GetTextExtentPoint32W, StretchBlt, CreateRectRgnIndirect, CreateRectRgn, GetClipRgn, IntersectClipRect, GetViewportOrgEx, SetViewportOrgEx, SelectClipRgn, PatBlt, GetBkColor, CreateCompatibleDC, CreateCompatibleBitmap, OffsetWindowOrgEx, DeleteDC, SetBkColor, BitBlt, ExtTextOutW, GetTextExtentPointW, GetClipBox, GetObjectW, SetTextColor, SetBkMode, CreateFontIndirectW, DeleteObject, GetTextMetricsW, SelectObject, GetDeviceCaps, TranslateCharsetInfo, SetStretchBltMode
> KERNEL32.dll: GetSystemDirectoryW, CreateThread, CreateJobObjectW, ExitProcess, SetProcessShutdownParameters, ReleaseMutex, CreateMutexW, SetPriorityClass, GetCurrentProcess, GetStartupInfoW, GetCommandLineW, SetErrorMode, LeaveCriticalSection, EnterCriticalSection, ResetEvent, LoadLibraryExA, CompareFileTime, GetSystemTimeAsFileTime, SetThreadPriority, GetCurrentThreadId, GetThreadPriority, GetCurrentThread, GetUserDefaultLangID, Sleep, GetBinaryTypeW, GetModuleHandleExW, SystemTimeToFileTime, GetLocalTime, GetCurrentProcessId, GetEnvironmentVariableW, UnregisterWait, GlobalGetAtomNameW, GetFileAttributesW, MoveFileW, lstrcmpW, LoadLibraryExW, FindClose, FindNextFileW, FindFirstFileW, lstrcmpiA, SetEvent, AssignProcessToJobObject, GetDateFormatW, GetTimeFormatW, FlushInstructionCache, lstrcpynW, GetSystemWindowsDirectoryW, SetLastError, GetProcessHeap, HeapFree, HeapReAlloc, HeapSize, HeapAlloc, GetUserDefaultLCID, ReadProcessMemory, OpenProcess, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, UnhandledExceptionFilter, SetUnhandledExceptionFilter, VirtualFree, VirtualAlloc, ResumeThread, TerminateProcess, TerminateThread, GetSystemDefaultLCID, GetLocaleInfoW, CreateEventW, GetLastError, OpenEventW, DelayLoadFailureHook, WaitForSingleObject, GetTickCount, ExpandEnvironmentStringsW, GetModuleFileNameW, GetPrivateProfileStringW, lstrcmpiW, CreateProcessW, FreeLibrary, GetWindowsDirectoryW, LocalAlloc, CreateFileW, DeviceIoControl, LocalFree, GetQueuedCompletionStatus, CreateIoCompletionPort, SetInformationJobObject, CloseHandle, LoadLibraryW, GetModuleHandleW, ActivateActCtx, DeactivateActCtx, GetFileAttributesExW, GetProcAddress, DeleteCriticalSection, CreateEventA, HeapDestroy, InitializeCriticalSection, MulDiv, InitializeCriticalSectionAndSpinCount, lstrlenW, InterlockedDecrement, InterlockedIncrement, GlobalAlloc, InterlockedExchange, GetModuleHandleA, GetVersionExA, GlobalFree, GetProcessTimes, lstrcpyW, GetLongPathNameW, 
RegisterWaitForSingleObject
> msvcrt.dll: _itow, free, memmove, realloc, _except_handler3, malloc, _ftol, _vsnwprintf
> ntdll.dll: RtlNtStatusToDosError, NtQueryInformationProcess
> ole32.dll: CoFreeUnusedLibraries, RegisterDragDrop, CreateBindCtx, RevokeDragDrop, CoInitializeEx, CoUninitialize, OleInitialize, CoRevokeClassObject, CoRegisterClassObject, CoMarshalInterThreadInterfaceInStream, CoCreateInstance, OleUninitialize, DoDragDrop
> OLEAUT32.dll: -, -
> SHDOCVW.dll: -, -, -
> SHELL32.dll: -, -, SHGetFolderPathW, -, -, -, -, -, ExtractIconExW, -, -, -, -, -, -, -, -, -, -, -, -, -, -, SHGetSpecialFolderLocation, ShellExecuteExW, -, -, -, SHGetSpecialFolderPathW, -, -, -, SHBindToParent, -, -, -, SHParseDisplayName, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, SHChangeNotify, SHGetDesktopFolder, SHAddToRecentDocs, -, -, -, DuplicateIcon, -, -, -, -, -, -, -, -, SHUpdateRecycleBinIcon, SHGetFolderLocation, SHGetPathFromIDListA, -, -, -, -, -, -, -, SHGetPathFromIDListW, -, -, -
> SHLWAPI.dll: StrCpyNW, -, -, -, -, StrRetToBufW, StrRetToStrW, -, -, -, -, SHQueryValueExW, PathIsNetworkPathW, -, AssocCreate, -, -, -, -, -, StrCatW, StrCpyW, -, -, -, -, -, -, SHGetValueW, -, StrCmpNIW, PathRemoveBlanksW, PathRemoveArgsW, PathFindFileNameW, StrStrIW, PathGetArgsW, -, StrToIntW, SHRegGetBoolUSValueW, SHRegWriteUSValueW, SHRegCloseUSKey, SHRegCreateUSKeyW, SHRegGetUSValueW, SHSetValueW, -, PathAppendW, PathUnquoteSpacesW, -, -, PathQuoteSpacesW, -, SHSetThreadRef, SHCreateThreadRef, -, -, -, PathCombineW, -, -, -, SHStrDupW, PathIsPrefixW, PathParseIconLocationW, AssocQueryKeyW, -, AssocQueryStringW, StrCmpW, -, -, -, -, -, -, -, -, SHRegQueryUSValueW, SHRegOpenUSKeyW, SHRegSetUSValueW, PathIsDirectoryW, PathFileExistsW, PathGetDriveNumberW, -, StrChrW, PathFindExtensionW, -, -, PathRemoveFileSpecW, PathStripToRootW, -, -, -, SHOpenRegStream2W, -, -, -, StrDupW, SHDeleteValueW, StrCatBuffW, SHDeleteKeyW, StrCmpIW, -, -, wnsprintfW, -, -, StrCmpNW, -, -
> USER32.dll: TileWindows, GetDoubleClickTime, GetSystemMetrics, GetSysColorBrush, AllowSetForegroundWindow, LoadMenuW, GetSubMenu, RemoveMenu, SetParent, GetMessagePos, CheckDlgButton, EnableWindow, GetDlgItemInt, SetDlgItemInt, CopyIcon, AdjustWindowRectEx, DrawFocusRect, DrawEdge, ExitWindowsEx, WindowFromPoint, SetRect, AppendMenuW, LoadAcceleratorsW, LoadBitmapW, SendNotifyMessageW, SetWindowPlacement, CheckMenuItem, EndDialog, SendDlgItemMessageW, MessageBeep, GetActiveWindow, PostQuitMessage, MoveWindow, GetDlgItem, RemovePropW, GetClassNameW, GetDCEx, SetCursorPos, ChildWindowFromPoint, ChangeDisplaySettingsW, RegisterHotKey, UnregisterHotKey, SetCursor, SendMessageTimeoutW, GetWindowPlacement, LoadImageW, SetWindowRgn, IntersectRect, OffsetRect, EnumDisplayMonitors, RedrawWindow, SubtractRect, TranslateAcceleratorW, WaitMessage, InflateRect, CallWindowProcW, GetDlgCtrlID, SetCapture, LockSetForegroundWindow, SystemParametersInfoW, FindWindowW, CreatePopupMenu, GetMenuDefaultItem, DestroyMenu, GetShellWindow, EnumChildWindows, GetWindowLongW, SendMessageW, RegisterWindowMessageW, GetKeyState, CopyRect, MonitorFromRect, MonitorFromPoint, RegisterClassW, SetPropW, GetWindowLongA, SetWindowLongW, FillRect, GetCursorPos, MessageBoxW, LoadStringW, ReleaseDC, GetDC, EnumDisplaySettingsExW, EnumDisplayDevicesW, PostMessageW, DispatchMessageW, TranslateMessage, GetMessageW, PeekMessageW, PtInRect, BeginPaint, EndPaint, SetWindowTextW, GetAsyncKeyState, InvalidateRect, GetWindow, ShowWindowAsync, TrackPopupMenuEx, UpdateWindow, DestroyIcon, IsRectEmpty, SetActiveWindow, GetSysColor, DrawTextW, IsHungAppWindow, SetTimer, GetMenuItemID, TrackPopupMenu, EndTask, SendMessageCallbackW, GetClassLongW, LoadIconW, OpenInputDesktop, CloseDesktop, SetScrollPos, ShowWindow, BringWindowToTop, GetDesktopWindow, CascadeWindows, CharUpperBuffW, SwitchToThisWindow, InternalGetWindowText, GetScrollInfo, GetMenuItemCount, CreateWindowExW, DialogBoxParamW, MsgWaitForMultipleObjects, 
CharNextA, RegisterClipboardFormatW, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, PrintWindow, SetClassLongW, GetPropW, GetNextDlgGroupItem, GetNextDlgTabItem, ChildWindowFromPointEx, IsChild, NotifyWinEvent, TrackMouseEvent, GetCapture, GetAncestor, CharUpperW, SetWindowLongA, DrawCaption, ModifyMenuW, InsertMenuW, IsWindowEnabled, GetMenuState, LoadCursorW, GetParent, IsDlgButtonChecked, DestroyWindow, EnumWindows, IsWindowVisible, GetClientRect, UnionRect, EqualRect, GetWindowThreadProcessId, GetForegroundWindow, KillTimer, GetClassInfoExW, DefWindowProcW, RegisterClassExW, GetIconInfo, SetScrollInfo, GetLastActivePopup, SetForegroundWindow, IsWindow, GetSystemMenu, IsIconic, IsZoomed, EnableMenuItem, SetMenuDefaultItem, MonitorFromWindow, GetMonitorInfoW, GetWindowInfo, GetFocus, SetFocus, MapWindowPoints, ScreenToClient, ClientToScreen, GetWindowRect, SetWindowPos, DeleteMenu, GetMenuItemInfoW, SetMenuItemInfoW, CharNextW
> UxTheme.dll: GetThemeBackgroundContentRect, GetThemeBool, GetThemePartSize, DrawThemeParentBackground, OpenThemeData, DrawThemeBackground, GetThemeTextExtent, DrawThemeText, CloseThemeData, SetWindowTheme, GetThemeBackgroundRegion, -, GetThemeMargins, GetThemeColor, GetThemeFont, GetThemeRect, IsAppThemed

( 0 exports )
RDS...: NSRL Reference Data Set
-
trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
pdfid.: -


File userinit.exe received on 2009.09.06 02:11:02 (UTC)
Result: 24/41 (58.54%)


Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.09.05 -
AhnLab-V3 5.0.0.2 2009.09.05 -
AntiVir 7.9.1.8 2009.09.04 W32/Virut.Gen
Antiy-AVL 2.0.3.7 2009.09.04 -
Authentium 5.1.2.4 2009.09.05 W32/Virut.AI!Generic
Avast 4.8.1351.0 2009.09.05 -
AVG 8.5.0.409 2009.09.05 -
BitDefender 7.2 2009.09.06 Win32.Virtob.Gen.12
CAT-QuickHeal 10.00 2009.09.05 W32.Virut.G
ClamAV 0.94.1 2009.09.05 -
Comodo 2204 2009.09.06 -
DrWeb 5.0.0.12182 2009.09.06 Win32.Virut.56
eSafe 7.0.17.0 2009.09.03 -
eTrust-Vet 31.6.6721 2009.09.04 Win32/Virut.17408
F-Prot 4.5.1.85 2009.09.05 W32/Virut.AI!Generic
F-Secure 8.0.14470.0 2009.09.05 Virus.Win32.Virut.ce
Fortinet 3.120.0.0 2009.09.05 W32/Virut.NBP
GData 19 2009.09.06 Win32.Virtob.Gen.12
Ikarus T3.1.1.72.0 2009.09.05 -
Jiangmin 11.0.800 2009.09.05 -
K7AntiVirus 7.10.837 2009.09.05 -
Kaspersky 7.0.0.125 2009.09.06 Virus.Win32.Virut.ce
McAfee 5732 2009.09.05 W32/Virut.n.gen
McAfee+Artemis 5732 2009.09.05 W32/Virut.n.gen
McAfee-GW-Edition 6.8.5 2009.09.06 Heuristic.LooksLike.Win32.SuspiciousPE.H
Microsoft 1.5005 2009.09.05 Virus:Win32/Virut.BM
NOD32 4399 2009.09.05 Win32/Virut.NBP
Norman 6.01.09 2009.09.04 W32/Virut.DI
nProtect 2009.1.8.0 2009.09.06 Virus/W32.Virut.H
Panda 10.0.2.2 2009.09.05 W32/Sality.AO
PCTools 4.4.2.0 2009.09.04 -
Prevx 3.0 2009.09.06 -
Rising 21.45.14.00 2009.09.01 -
Sophos 4.45.0 2009.09.06 W32/Scribble-B
Sunbelt 3.2.1858.2 2009.09.05 Virus.Win32.Virut.ce (v)
Symantec 1.4.4.12 2009.09.06 W32.Virut.CF
TheHacker 6.3.4.3.396 2009.09.04 -
TrendMicro 8.950.0.1094 2009.09.05 PE_VIRUX.J
VBA32 3.12.10.10 2009.09.05 Virus.Win32.Virut.X6
ViRobot 2009.9.4.1919 2009.09.04 -
VirusBuster 4.6.5.0 2009.09.05 -
Additional information
File size: 46080 bytes
MD5...: d955a0e14afda1a59397b23b911c93ba
SHA1..: 75af2ad5d334b3673fca31dbe5aff136445fe42d
SHA256: f5117f99c15d09f5595d30d9e54751ef0f5eee5ae74b97be55169fdb6b1377a1
ssdeep: 768:dRMJi8jDLIDSAaQFxfftjaLacmkLGKOqZKk648+4Tv7cFV6KD1YY:dRMJbDMDSA7FxffJaLaSLG9qZ1pbkoF/
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x8c89
timedatestamp.....: 0xc8c916bdL (invalid)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x520e 0x5400 5.95 099b53205ad3f1c3b853a5310d08a9b1
.data 0x7000 0x14c 0x200 1.86 0bb948f267e82975313a03d8c0e8a1cf
.rsrc 0x8000 0x5c00 0x5a00 7.68 d84de3a7f9cec0b5a3ffb77e107be7ab

( 9 imports )
> USER32.dll: CreateWindowExW, DestroyWindow, RegisterClassExW, DefWindowProcW, LoadRemoteFonts, wsprintfW, GetSystemMetrics, GetKeyboardLayout, SystemParametersInfoW, GetDesktopWindow, LoadStringW, MessageBoxW, ExitWindowsEx, CharNextW
> ADVAPI32.dll: RegOpenKeyExA, ReportEventW, RegisterEventSourceW, DeregisterEventSource, OpenProcessToken, RegCreateKeyExW, RegSetValueExW, GetUserNameW, RegQueryValueExW, RegOpenKeyExW, RegQueryInfoKeyW, RegCloseKey, RegQueryValueExA
> CRYPT32.dll: CryptProtectData
> WINSPOOL.DRV: SpoolerInit
> ntdll.dll: RtlLengthSid, RtlCopySid, _itow, RtlFreeUnicodeString, DbgPrint, wcslen, wcscpy, wcscat, wcscmp, RtlInitUnicodeString, NtOpenKey, NtClose, _wcsicmp, memmove, RtlConvertSidToUnicodeString, NtQueryInformationToken
> NETAPI32.dll: DsGetDcNameW, NetApiBufferFree
> WLDAP32.dll: -, -, -, -, -, -
> msvcrt.dll: __setusermatherr, _initterm, __getmainargs, _acmdln, _adjust_fdiv, _XcptFilter, _exit, _c_exit, __p__commode, __p__fmode, __set_app_type, _except_handler3, _controlfp, _cexit, exit
> KERNEL32.dll: CompareFileTime, LoadLibraryW, GetProcAddress, FreeLibrary, lstrcpyW, CreateProcessW, lstrlenW, GetVersionExW, LocalFree, LocalAlloc, GetEnvironmentVariableW, CloseHandle, lstrcatW, WaitForSingleObject, DelayLoadFailureHook, GetStartupInfoA, GetModuleHandleA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, LoadLibraryA, InterlockedCompareExchange, LocalReAlloc, GetSystemTime, lstrcmpW, GetCurrentThread, SetThreadPriority, ExpandEnvironmentStringsW, SearchPathW, GetLastError, CreateThread, GetFileAttributesExW, GetSystemDirectoryW, SetCurrentDirectoryW, FormatMessageW, lstrcmpiW, GetCurrentProcess, GetUserDefaultLangID, GetCurrentProcessId, SetEvent, OpenEventW, Sleep, SetEnvironmentVariableW

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)


File spoolsv.exe received on 2009.09.06 02:17:18 (UTC)
Result: 25/41 (60.98%)


Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.09.05 -
AhnLab-V3 5.0.0.2 2009.09.05 -
AntiVir 7.9.1.8 2009.09.04 W32/Virut.Gen
Antiy-AVL 2.0.3.7 2009.09.04 -
Authentium 5.1.2.4 2009.09.05 W32/Virut.AI!Generic
Avast 4.8.1351.0 2009.09.05 -
AVG 8.5.0.409 2009.09.05 -
BitDefender 7.2 2009.09.06 Win32.Virtob.Gen.12
CAT-QuickHeal 10.00 2009.09.05 W32.Virut.G
ClamAV 0.94.1 2009.09.05 -
Comodo 2204 2009.09.06 -
DrWeb 5.0.0.12182 2009.09.06 Win32.Virut.56
eSafe 7.0.17.0 2009.09.03 Suspicious File
eTrust-Vet 31.6.6721 2009.09.04 Win32/Virut.17408
F-Prot 4.5.1.85 2009.09.05 W32/Virut.AI!Generic
F-Secure 8.0.14470.0 2009.09.05 Virus.Win32.Virut.ce
Fortinet 3.120.0.0 2009.09.05 W32/Virut.NBP
GData 19 2009.09.06 Win32.Virtob.Gen.12
Ikarus T3.1.1.72.0 2009.09.05 -
Jiangmin 11.0.800 2009.09.05 -
K7AntiVirus 7.10.837 2009.09.05 -
Kaspersky 7.0.0.125 2009.09.06 Virus.Win32.Virut.ce
McAfee 5732 2009.09.05 W32/Virut.n.gen
McAfee+Artemis 5732 2009.09.05 W32/Virut.n.gen
McAfee-GW-Edition 6.8.5 2009.09.06 Heuristic.BehavesLike.Win32.Virus.H
Microsoft 1.5005 2009.09.05 Virus:Win32/Virut.BM
NOD32 4399 2009.09.05 Win32/Virut.NBP
Norman 6.01.09 2009.09.04 W32/Virut.DI
nProtect 2009.1.8.0 2009.09.06 Virus/W32.Virut.H
Panda 10.0.2.2 2009.09.05 W32/Sality.AO
PCTools 4.4.2.0 2009.09.04 -
Prevx 3.0 2009.09.06 -
Rising 21.45.14.00 2009.09.01 -
Sophos 4.45.0 2009.09.06 W32/Scribble-B
Sunbelt 3.2.1858.2 2009.09.05 Virus.Win32.Virut.ce (v)
Symantec 1.4.4.12 2009.09.06 W32.Virut.CF
TheHacker 6.3.4.3.396 2009.09.04 -
TrendMicro 8.950.0.1094 2009.09.05 PE_VIRUX.J
VBA32 3.12.10.10 2009.09.05 Virus.Win32.Virut.X6
ViRobot 2009.9.4.1919 2009.09.04 -
VirusBuster 4.6.5.0 2009.09.05 -
Additional information
File size: 77824 bytes
MD5...: 822a4971711da9fd971b355d25a3c2a4
SHA1..: 4fa2c3a96f811bbd534234cf0667e55a4f72a69e
SHA256: 9222361fc83ffe1834b28f86e13a81d7d6ae884aeef7cdd5d7025c525ebe86d4
ssdeep: 768:nE4EVpgSavGlAMm1yMvsCeq+H8O+j8f1b1mDV3D+JMG/dXplJigo6NRZpb9zBxbD:+gSHlAMmxUC/OUVIrOgo6NzyXpuw
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x14b5d
timedatestamp.....: 0xc8c916bdL (invalid)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xba70 0xbc00 5.96 d9b4f450aa98b3936118e3a3c42ed657
.data 0xd000 0x13b4 0x1400 2.24 887444c39cada5bd753c428783e0009b
.rsrc 0xf000 0x5e00 0x5c00 7.83 091cb1e9299556b2dbb079efc047dd0f

( 6 imports )
> ADVAPI32.dll: SetServiceStatus, RegQueryValueExW, AllocateAndInitializeSid, FreeSid, InitializeSecurityDescriptor, SetSecurityDescriptorOwner, SetSecurityDescriptorGroup, GetLengthSid, InitializeAcl, AddAccessAllowedAce, AddAccessDeniedAce, GetAce, SetSecurityDescriptorDacl, GetSecurityDescriptorLength, MakeSelfRelativeSD, RegDisablePredefinedCache, RegOpenKeyExW, RegCloseKey, RegisterServiceCtrlHandlerExW, StartServiceCtrlDispatcherW
> GDI32.dll: bMakePathNameW, GdiInitSpool, GdiGetSpoolMessage
> KERNEL32.dll: GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, GetCurrentProcessId, SetUnhandledExceptionFilter, GetModuleHandleA, GetCurrentThreadId, GetTickCount, UnhandledExceptionFilter, QueryPerformanceCounter, FreeLibrary, InterlockedExchange, GetModuleHandleW, GetLastError, ExitThread, CloseHandle, WaitForSingleObject, CreateEventW, CreateThread, ExitProcess, Sleep, OpenEventW, LoadLibraryA, InitializeCriticalSection, LocalFree, LocalAlloc, SetEvent, LeaveCriticalSection, EnterCriticalSection, SetLastError, OpenProcess, InterlockedIncrement, RaiseException, InterlockedDecrement, GetProcAddress, GetSystemDirectoryW
> msvcrt.dll: __initenv, _exit, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _controlfp, _XcptFilter, wcsrchr, wcslen, _c_exit, _stricmp, _wcsnicmp, _except_handler3
> ntdll.dll: RtlValidRelativeSecurityDescriptor
> RPCRT4.dll: RpcServerRegisterIf2, I_RpcBindingIsClientLocal, I_RpcSessionStrictContextHandle, RpcRaiseException, RpcImpersonateClient, RpcRevertToSelf, NdrServerCall2, RpcServerUseProtseqEpA, I_RpcSsDontSerializeContext, RpcMgmtSetServerStackSize, RpcServerListen

( 12 exports )
YDriverUnloadComplete, YEndDocPrinter, YFlushPrinter, YGetPrinter, YGetPrinterDriver2, YGetPrinterDriverDirectory, YReadPrinter, YSeekPrinter, YSetJob, YSetPort, YSplReadPrinter, YWritePrinter
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)



I hope this is correct.

Thanks.
brennan_oz is offline  
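The three reports above each print the same three things a responder can reproduce locally: a TimeDateStamp flagged as invalid (the identical value 0xc8c916bd in all three files), the entry point address, and a per-section entropy column ("ntrpy"). The script below is an added example, not code from the thread or from VirusTotal. It walks the PE32 headers with the standard library only, computes those values, and applies three heuristics whose thresholds are my assumptions (a build date outside 1990..now, an entry point in the last section rather than the first, a section with entropy above 7.0); each is a reason to look closer, not a verdict. The sample PE it parses is constructed inline. Applying the entry-point check to the Explorer.EXE section table copied from the report places 0xfe994 inside .reloc, which is what the table itself implies.

```python
import math
import struct
import time
from collections import Counter

def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for a constant block, 8.0 for uniform bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_pe(blob):
    """Minimal PE32 header walk (no external library): machine, TimeDateStamp,
    entry point RVA and one dict per section with its raw-data entropy."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    entry = struct.unpack_from("<I", blob, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i                     # IMAGE_SECTION_HEADER
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", blob, hdr)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
                         "entropy": shannon_entropy(blob[rawptr:rawptr + rawsize])})
    return {"machine": machine, "timestamp": stamp, "entry": entry, "sections": sections}

def plausible_timestamp(stamp, now=None):
    """A link-time stamp should be a real date: from 1990 on and not in the future."""
    now = time.time() if now is None else now
    return 631152000 <= stamp <= now                      # 631152000 = 1990-01-01 UTC

def locate_entry_point(sections, entry):
    """Name of the section whose virtual range holds the entry RVA, or None."""
    for s in sections:
        if s["vaddr"] <= entry < s["vaddr"] + max(s["vsize"], 1):
            return s["name"]
    return None

def triage(info, now=None):
    """Heuristic findings with assumed thresholds: reasons to look closer, not a verdict."""
    findings = []
    if not plausible_timestamp(info["timestamp"], now):
        findings.append("TimeDateStamp 0x%x is not a plausible build date" % info["timestamp"])
    ep = locate_entry_point(info["sections"], info["entry"])
    if ep is None or (len(info["sections"]) > 1 and ep == info["sections"][-1]["name"]):
        findings.append("entry point 0x%x is not in the first section but in %s"
                        % (info["entry"], ep or "no section"))
    for s in info["sections"]:
        if s["entropy"] > 7.0:
            findings.append("section %s has raw-data entropy %.2f" % (s["name"], s["entropy"]))
    return findings

# Section table (viradd, virsiz) and entry point of Explorer.EXE as printed in the report above.
EXPLORER_SECTIONS = [{"name": n, "vaddr": a, "vsize": s} for n, a, s in
                     [(".text", 0x1000, 0x44c09), (".data", 0x46000, 0x1db4),
                      (".rsrc", 0x48000, 0xb2268), (".reloc", 0xfb000, 0x8800)]]
EXPLORER_ENTRY = 0xfe994

def build_sample_pe(sections, stamp, entry):
    """Constructed PE32 image: headers, then raw data at 0x200-aligned offsets, 0x1000-aligned RVAs."""
    n, opt_size = len(sections), 0xE0
    raw_start = (0x40 + 4 + 20 + opt_size + 40 * n + 0x1FF) & ~0x1FF
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, n, stamp, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H14xI", opt, 0, 0x10B, entry)      # PE32 magic, AddressOfEntryPoint
    hdrs, body, raw_ptr, vaddr = b"", b"", raw_start, 0x1000
    for name, data in sections:
        raw_size = (len(data) + 0x1FF) & ~0x1FF
        hdrs += struct.pack("<8sIIIIIIHHI", name, len(data), vaddr, raw_size,
                            raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        vaddr += (len(data) + 0xFFF) & ~0xFFF
    head = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs
    return head.ljust(raw_start, b"\0") + body

def demo():
    """Sample with the report's stamp 0xc8c916bd and a high-entropy last section holding the entry point."""
    text = b"\x90" * 511 + b"\xc3"                        # low-entropy code
    data = bytes(range(256)) * 2                          # uniform bytes, entropy 8.0
    blob = build_sample_pe([(b".text", text), (b".data", data)], 0xc8c916bd, 0x2010)
    info = parse_pe(blob)
    return info, triage(info)

if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
    print("Explorer.EXE entry point section:", locate_entry_point(EXPLORER_SECTIONS, EXPLORER_ENTRY))
```

To use it on a real file, pass the bytes of the file to parse_pe and then to triage; an entropy near 8.0 in a resource or relocation section that also contains the entry point, combined with a stamp far in the future, is the pattern the three reports share.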
Old 09-05-2009, 08:48 PM   #4 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,494
OS: XP SP3


Re: DVD Shrink won't run / MSWINSCK.OCX missing or invalid

Hello brennan_oz. I hate to be the bearer of bad news, but your system is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. As of now, security experts suggest that a clean reformat is the only way to clean the infection and it is the only way to return the machine to its normal working state.

Read here and here

Virut is also a backdoor trojan.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

------------------------------------------------------

You will have to wipe all your drives and reformat.

Back up all your documents and important items (personal data, work documents, etc) only. DO NOT back up any executable files (software), screensavers (*.scr), .htm, .html, .iso, .asp, or .jpg files. It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

Also, try to avoid backing up compressed files (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

Do not back up to another machine, as it may become compromised. Burn to DVD/CD, or to an external drive which has nothing else on it, and which you can format should it happen to become infected from the backups. There has been one documented case in which .pdf, .doc, and .php files were also infected by Virut.

If you need help with a clean reformat and reinstall of Windows, I suggest you seek expert advice in our Windows XP Support Forum

They are more knowledgeable about this procedure and can answer your questions or help you in case something goes wrong.

Remember to immediately install an antivirus program and to then reinstall all the Windows Updates.

These infections are usually picked up from cracksites/warezsites.

SPYWARE PREVENTION
This is a good time to set up protection against further attacks. In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read these well-written articles:
------------------------------------------------------
chemist is offline  
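A script that applies the backup rules in the post above mechanically, as an added example that is not code from the thread: it copies only data files, skips every extension the post lists, and refuses archives that contain .exe or .scr members. The sample directory it runs over is constructed inside a temporary folder. One assumption is mine: the standard library can only open .zip, so .cab and .rar archives (and any archive that fails to open) are treated as unsafe rather than copied unchecked.

```python
import os
import shutil
import tempfile
import zipfile

# File types the post says not to back up: Virut appends itself to .exe and
# .scr, and the post lists the others as risky as well.
SKIP_EXTENSIONS = {".exe", ".scr", ".htm", ".html", ".iso", ".asp", ".jpg"}
# Archive types that must be checked for embedded executables before copying.
ARCHIVE_EXTENSIONS = {".zip", ".cab", ".rar"}
# Member types that, found inside an archive, make the whole archive unsafe.
INFECTABLE_MEMBERS = {".exe", ".scr"}

def archive_has_executable(path):
    """True if the archive holds a .exe/.scr member.  Only .zip can be
    inspected with the standard library; .cab, .rar and unreadable archives
    are treated as unsafe (assumption: the conservative choice for a backup)."""
    if os.path.splitext(path)[1].lower() != ".zip":
        return True
    try:
        with zipfile.ZipFile(path) as zf:
            return any(os.path.splitext(m)[1].lower() in INFECTABLE_MEMBERS
                       for m in zf.namelist())
    except zipfile.BadZipFile:
        return True

def should_backup(path):
    """Apply the post's rules to one file path."""
    ext = os.path.splitext(path)[1].lower()
    if ext in SKIP_EXTENSIONS:
        return False
    if ext in ARCHIVE_EXTENSIONS:
        return not archive_has_executable(path)
    return True

def filtered_backup(src_dir, dst_dir):
    """Copy allowed files from src_dir to dst_dir keeping the relative layout.
    Returns sorted (copied, skipped) lists of relative paths with '/' as the
    separator so the result reads the same on every platform."""
    copied, skipped = [], []
    for root, _dirs, files in os.walk(src_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, src_dir).replace(os.sep, "/")
            if should_backup(full):
                target = os.path.join(dst_dir, rel)
                os.makedirs(os.path.dirname(target), exist_ok=True)
                shutil.copy2(full, target)
                copied.append(rel)
            else:
                skipped.append(rel)
    return sorted(copied), sorted(skipped)

def build_sample_tree(base):
    """Constructed sample user directory: documents, an executable, a
    screensaver, an image and two archives (one of them hiding a .exe)."""
    docs = os.path.join(base, "src", "docs")
    os.makedirs(docs)
    samples = {"report.doc": b"quarterly report", "notes.txt": b"notes",
               "setup.exe": b"MZ-constructed", "saver.scr": b"MZ-constructed",
               "photo.jpg": b"\xff\xd8\xff"}
    for name, content in samples.items():
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(content)
    with zipfile.ZipFile(os.path.join(docs, "tools.zip"), "w") as zf:
        zf.writestr("tool.exe", b"MZ-constructed")      # makes tools.zip unsafe
    with zipfile.ZipFile(os.path.join(docs, "letters.zip"), "w") as zf:
        zf.writestr("letter.txt", b"dear")              # data only: may be copied
    return os.path.join(base, "src"), os.path.join(base, "backup")

def demo_in_tempdir():
    """Run the filter over the constructed tree inside a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = build_sample_tree(tmp)
        copied, skipped = filtered_backup(src, dst)
        backed_up = sorted(os.listdir(os.path.join(dst, "docs")))
    return copied, skipped, backed_up

if __name__ == "__main__":
    copied, skipped, _ = demo_in_tempdir()
    print("copied :", copied)
    print("skipped:", skipped)
```

Point filtered_backup at the user profile as src_dir and at the mounted external drive or DVD staging folder as dst_dir; review the skipped list afterwards, since the extension rules are deliberately coarse and a legitimately needed file that matches them has to be rebuilt from a clean source rather than restored.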
Old 09-06-2009, 07:58 AM   #5 (permalink)
Registered User
 
Join Date: Sep 2009
Posts: 5
OS: WIN XP SP3


Re: DVD Shrink won't run / MSWINSCK.OCX missing or invalid

Running from old machine * System W2K Pro/256Mb RAM * 500/66 MHz PII

Following the diagnosis I immediately formatted my drive and re-installed Win XP Pro. I then, however, thought about the health of my USB Modem.
Is it possible that the .exe files in the USB storage device could have been infected? Is there a way I can check the device before using it on my system?

You also mentioned NOT to backup .JPG files. Does that mean only .JPG image files or .BMP's, .GIF's & .PSP's as well? And at the risk of sounding melodramatic, should I also be warning anyone that I've shared .JPG files with in the last 3 weeks (post-infection)?

Any advice you can give would be most appreciated. I will remain working from this 'dinosaur' until this thread's finality.

Thank you Chemist, for your help thus far.
brennan_oz is offline  
Old 09-06-2009, 01:30 PM   #6 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,494
OS: XP SP3


Re: DVD Shrink won't run / MSWINSCK.OCX missing or invalid

Hello brennan_oz. It is possible that files on your USB are also infected along with other image files. You can scan the files at VirusTotal or run an online scan at Kaspersky (see below), but you will be taking a chance on re-infecting your reformatted system. It is also possible you spread the infection to (or received it from) others you have shared files with.

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

Establish an internet connection & perform an online scan at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at any Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

------------------------------------------------------
chemist is offline  
Old 09-08-2009, 10:18 PM   #7 (permalink)
Registered User
 
Join Date: Sep 2009
Posts: 5
OS: WIN XP SP3


Re: DVD Shrink won't run / MSWINSCK.OCX missing or invalid

Hello Chemist,
I have performed the Kaspersky Online Scan. No infections were found on newly reformatted system. No infections found on USB Modem / Storage Drive.
I did scan CD's I had used to back up images 2 weeks ago. Kaspersky found [5 Virut.*] viruses attached to several images. I also scanned CD's I have had for years to find that several had Trojan viruses - i.e. I have been inadvertently re-infecting my system over years. I have thrown them out and now can start anew.

Thank you for your help with this problem.
brennan_oz is offline  
Old 09-09-2009, 05:13 AM   #8 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,494
OS: XP SP3


Re: DVD Shrink won't run / MSWINSCK.OCX missing or invalid

You're very welcome, brennan_oz! Glad to have helped.

------------------------------------------------------

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

SPYWARE PREVENTION
This is a good time to set up protection against further attacks. In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read these well-written articles:
To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an add-on available for both Firefox and IE.
  • SpywareBlaster prevents the installation of ActiveX-based malware, blocks cookies, and restricts the actions of "bad" sites in Internet Explorer. See tutorial here
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting the attempted connections to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows Vista here
    • Download hosts.zip and save it to your Desktop.
    • Right-click hosts.zip and select 'Extract all files' or 'Extract files...'.
    • Follow the prompts and click 'Finish'.
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file; this will rename the existing HOSTS file to HOSTS.MVP, then copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
  • IE-Spyad is another excellent program that places over 5000 dubious websites and domains in the IE Restricted list, which will help prevent attempts to infect your system. It basically prevents any downloads from the sites listed, although you will still be able to connect to the site. See tutorial here
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.
chemist is offline  
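The HOSTS-file blocking described in the post above (known ad domains pointed at 127.0.0.1) can be audited after the mvps.bat step has run. This is an added example, not part of the original post or of the MVPS kit: a small Python parser that reads a HOSTS file the way a resolver does (comments, several names per line, case-insensitive) and reports which names it sinkholes. The file path and the sample domains are constructed for illustration.

```python
"""Audit a Windows-style HOSTS file of the kind the MVPS list installs."""

# Constructed sample (NOT the real MVPS file): the same mechanism, a
# handful of made-up domains, plus the localhost line that must survive.
SAMPLE_HOSTS = """\
# Constructed sample HOSTS file
127.0.0.1       localhost
127.0.0.1  ads.example.net        # comment after an entry
127.0.0.1  tracker.example.org   Banner.Example.com
0.0.0.0    telemetry.example.com
# 127.0.0.1  disabled.example.net  (commented out, so NOT active)
"""

# Addresses that make a name unreachable; :: 1 is the IPv6 loopback.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}
LOOPBACK_NAMES = {"localhost"}  # legitimately loopback, never "blocked"

def parse_hosts(text):
    """Map each lowercased hostname to its address, ignoring comments.

    Blank and malformed lines are skipped; for duplicate names this parser
    keeps the first entry seen.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments/whitespace
        fields = line.split()
        if len(fields) < 2:                      # empty, or no hostname
            continue
        addr, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower().rstrip("."), addr)
    return table

def is_blocked(table, hostname):
    """True if the HOSTS file sinkholes hostname (localhost excepted)."""
    key = hostname.lower().rstrip(".")
    return key not in LOOPBACK_NAMES and table.get(key) in SINKHOLE_ADDRS

def blocked_domains(table):
    """Sorted list of every name the file sinkholes."""
    return sorted(n for n in table if is_blocked(table, n))

if __name__ == "__main__":
    # Assumed location on XP; read SAMPLE_HOSTS instead when auditing offline.
    hosts = parse_hosts(SAMPLE_HOSTS)
    if hosts.get("localhost") != "127.0.0.1":
        print("WARNING: localhost no longer maps to 127.0.0.1")
    print(f"{len(blocked_domains(hosts))} names blocked:", blocked_domains(hosts))
```

Point `parse_hosts` at the contents of `%SystemRoot%\System32\drivers\etc\hosts` to audit the live file; the localhost check catches a replacement file that dropped the loopback entry.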
Copyright 2001 - 2009, Tech Support Forum