[SomeoneSomewhere]

hi, I'm new here, was referred by HJT's website and HJT users.
anyway i have this virus that keeps making all 4 of my cores go 100% full load even when it's supposed to be idle...
and these "update.exe" 's keep showing up on my processes in Task Manager and they eat up the largest % of running stuff

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:13:48 PM, on 11/8/2009
Platform: Unknown Windows (WinNT 6.01.3504 SP2)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files (x86)\SpeedBit Video Accelerator\VideoAccelerator.exe
C:\Program Files (x86)\RocketDock\RocketDock.exe
C:\Program Files (x86)\DAEMON Tools Lite\daemon.exe
C:\Program Files (x86)\DNA\btdna.exe
C:\Program Files (x86)\DAP\DAP.exe
C:\Program Files (x86)\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\ProgramData\Defence\smss.exe
C:\Program Files (x86)\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Users\Nino\Desktop\HijackThis.exe
C:\Windows\SysWOW64\update.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr10/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr10/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr10/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr10/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr10/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr10/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://C:\PROGRA~2\SPEEDB~1\vaproxy.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: SBCONVERT - {31B27F2D-6BC6-451B-B3D2-4EAB36B2FC3B} - C:\Program Files (x86)\SpeedBit Video Downloader\Toolbar\tbcore3.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~2\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O2 - BHO: DAPIELoader Class - {FF6C3CF0-4B15-11D1-ABED-709549C10000} - C:\PROGRA~2\DAP\DAPIEL~1.DLL
O2 - BHO: GrabberObj Class - {FF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\PROGRA~2\SPEEDB~2\Toolbar\grabber.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~2\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: SpeedBit Video Downloader - {0329E7D6-6F54-462D-93F6-F5C3118BADF2} - C:\Program Files (x86)\SpeedBit Video Downloader\Toolbar\tbcore3.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Nikon Transfer Monitor] C:\Program Files (x86)\Common Files\Nikon\Monitor\NkMonitor.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files (x86)\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [framework] framework.exe
O4 - HKLM\..\Run: [Window Proxy Service] C:\Windows\System32\update.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpeedBitVideoAccelerator] C:\Program Files (x86)\SpeedBit Video Accelerator\VideoAccelerator.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files (x86)\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files (x86)\DNA\btdna.exe"
O4 - HKCU\..\Run: [DownloadAccelerator] "C:\Program Files (x86)\DAP\DAP.EXE" /STARTUP
O4 - HKCU\..\Run: [Search Protection] C:\Program Files (x86)\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Defence] "C:\ProgramData\Defence\smss.exe" -SystemDefence
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: &Clean Traces - C:\Program Files (x86)\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files (x86)\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files (x86)\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~3\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O13 - Gopher Prefix: 
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\PROGRA~2\Google\GOOGLE~1\GO36F4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - C:\Program Files (x86)\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: FLEXnet Licensing Service 64 - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe
O23 - Service: Google Desktop Manager 5.9.909.8267 (GoogleDesktopManager-090809-085438) - Google - C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files (x86)\CDBurnerXP\NMSAccessU.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files (x86)\WinPcap\rpcapd.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~2\SPEEDB~1\VideoAcceleratorService.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 12732 bytes

Attached File(s)

•  hijackthis.log (12.44K)
  Number of downloads: 1

[Extremeboy]

Hi and welcome to 247Fixes! :welcome:

This seems to be a Windows 7 64bit system?

Windows 7 is fairly new. We'll see what we can do about the problem.

Quote

anyway i have this virus that keeps making all 4 of my cores go 100% full load even when it's supposed to be idle...

What do you mean all of your "4 cores"

Run a scan with OTL please.

Download and run OTL

• Download OTL by OldTimer and save it to your desktop.
  
• Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/OTL/otlDesktopIcon.png icon on your desktop. If you are using Vista, please right-click and select run as administrator
  
• Click the "Scan All Users" checkbox.
  
• Push the http://billy-oneal.com/Canned%20Speeches/speechimages/otli2/runscanbutton.png button.
  
• It will now begin to scan, please be paitent while it scans.
  
• Two reports will open once it's done.
  
• Please copy and paste them in your next reply:
  
  • OTL.txt <-- Will be opened
    
  • Extras.txt <-- Will be minimized

[SomeoneSomewhere]

hi extremeboy. thanks :D
yeah x64 win7
i'm using an Intel Quad Core Q6600, all 4 cores of the processor are being squeezed up to 100% full load each. >_< im like @ 60 degrees celsius on my cooler's heatsink and rising.

oki doki

[Extremeboy]

Okay.

Please run the OTL scan and post the results.

[SomeoneSomewhere]

OTL Logs.

--removed and saved-- ~Extremeboy

This post has been edited by Extremeboy: 08 November 2009 - 03:34 PM

[Extremeboy]

Hello.

I removed your OTL logs because my browser couldn't open this topic or it crashes so sorry about the delay.

I have saved the OTL logs so don't worry about it.

I'll review the logs shortly and post back with the next set of instructions.

With Regards,
Extremeboy

[Extremeboy]

Hello.

I see that update.exe problem you may have been having now.

However, I want you to upload two files to see what they are and see what they are exactly if it works.

Okay before we proceed any further, let's get you a ERUNT (Registry Backup)


Backup Registry with ERUNT

This tool will create a complete backup of your registry. A backup is created to ensure we have backup so encase anything goes wrong we can deal with it. Do not delete these backups until we are finished.

• Please download erunt-setup.exe to your desktop.
  
• Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  
• Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.

You can find a complete guide to using the program here:
http://www.larsheder...erunt/erunt.txt


Peer-to-Peer Programs Warning

Your log shows that you are using so called peer-to-peer or file-sharing programs (in your case UTorrent). These programs allow to share files between users as the name(s) suggest. In today's world cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s) but I suggest you remove it via add/remove. However, please refrain from using them until your computer has been declared clean.

---

Submit File to Online Scanner

There is a file that I would like you to check out for me using VirusTotal/VirSCAN

• Open VirusTotal Online Scanner or VirSCAN. If one site is busy or down, try the other
  
• At the top of the page you'll see a box. Find/Paste in the following line(s) (do one line at a time).
  
  • C:\Windows\SysWOW64\update.exe
    
  • C:\ProgramData\Defence\smss.exe

• Click Submit.
  
• Wait for the scan to finish.
  
• Copy Scanner Results into your next reply.
  
• If more than one file was listed, repeat for each of them.

I also want you to run another scanner tool for me....

Download and run DDS

We need to see some information about what is happening in your machine. Please perform the following scan:

• Download DDS by sUBs from one of the following links. Save it to your desktop.
  • DDS.scr
    
  • DDS.pif
  
  
• Double click on the DDS icon, allow it to run.
  
• A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  
• Notepad will open with the results soon.
  
• Follow the instructions that pop up for posting the results and then click Ok.
  
• The black and message box window shall then disappear.
  
• Please save both log files on your desktop and post the DDS.txt and zip up and attach Attach.txt as instructed.
  

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

Post back with those logs in your next reply please.

With Regards,
Extremeboy

[SomeoneSomewhere]

for update.exe

 File update.exe received on 2009.11.08 16:32:34 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 14/39 (35.9%)
Loading server information...
Your file is queued in position: 4.
Estimated start time is between 70 and 100 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email: 	
	
Antivirus 	Version 	Last Update 	Result
a-squared	4.5.0.41	2009.11.08	Win32.SuspectCrc!IK
AhnLab-V3	5.0.0.2	2009.11.06	-
AntiVir	7.9.1.61	2009.11.06	WORM/Rbot.Gen
Antiy-AVL	2.0.3.7	2009.11.05	-
Authentium	5.2.0.5	2009.11.08	W32/Heuristic-257!Eldorado
Avast	4.8.1351.0	2009.11.08	-
AVG	8.5.0.423	2009.11.08	-
BitDefender	7.2	2009.11.08	Generic.Malware.SFYddldg.EB74D979
CAT-QuickHeal	10.00	2009.11.07	-
ClamAV	0.94.1	2009.11.08	-
Comodo	2885	2009.11.08	-
DrWeb	5.0.0.12182	2009.11.08	DLOADER.Trojan
eTrust-Vet	35.1.7108	2009.11.06	-
F-Prot	4.5.1.85	2009.11.08	W32/Heuristic-257!Eldorado
Fortinet	3.120.0.0	2009.11.08	-
GData	19	2009.11.08	Generic.Malware.SFYddldg.EB74D979
Ikarus	T3.1.1.74.0	2009.11.08	Win32.SuspectCrc
Jiangmin	11.0.800	2009.11.08	-
K7AntiVirus	7.10.891	2009.11.07	-
Kaspersky	7.0.0.125	2009.11.08	-
McAfee	5796	2009.11.08	-
McAfee+Artemis	5796	2009.11.08	Artemis!F9AF1307FBDC
McAfee-GW-Edition	6.8.5	2009.11.08	Heuristic.BehavesLike.Win32.Trojan.H
Microsoft	1.5202	2009.11.08	-
NOD32	4584	2009.11.08	-
Norman	6.03.02	2009.11.06	W32/Malware
nProtect	2009.1.8.0	2009.11.08	-
Panda	10.0.2.2	2009.11.08	-
PCTools	7.0.3.5	2009.11.06	-
Prevx	3.0	2009.11.08	Medium Risk Malware
Rising	21.54.62.00	2009.11.08	Trojan.DL.Win32.Downloader.GEN
Sophos	4.47.0	2009.11.08	Mal/Generic-A
Sunbelt	3.2.1858.2	2009.11.08	-
Symantec	1.4.4.12	2009.11.08	-
TheHacker	6.5.0.2.063	2009.11.06	-
TrendMicro	9.0.0.1003	2009.11.08	-
VBA32	3.12.10.11	2009.11.07	-
ViRobot	2009.11.6.2025	2009.11.06	-
VirusBuster	4.6.5.0	2009.11.07	-
Additional information
File size: 18432 bytes
MD5...: f9af1307fbdc1493aefd6a96f2fb3760
SHA1..: 61681a9557881712a495704342f884b1faf852ba
SHA256: 2927ddc6b64d7e7e0fac6deadc438b49983d823af75249ff88457017687d710f
ssdeep: 384:3xmxa1cj3sVVOA93CbWClr0nu6CHONDIIA69P4wehH3Rrxhj:wVYVVOA9zWW
CuNDII99ww43Rrxl
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x3eb0
timedatestamp.....: 0x4af65c5a (Sun Nov 08 05:51:22 2009)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x3154 0x3200 5.92 38334e259088c50e956db3980a787761
.rdata 0x5000 0x9c2 0xa00 4.95 749b1fc3742acb0e9f437485865d6bb7
.data 0x6000 0x764 0x800 5.82 6f76f5fa61c5a47deb6ab31527967847

( 8 imports )
> MSVCRT.dll: _controlfp, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, atoi, __p___initenv, exit, _XcptFilter, _exit, strncpy, sprintf, _except_handler3, strtok, malloc, srand, _beginthread, toupper, getenv, _snprintf, calloc, free, _ftol, ceil, strstr, strchr, _stricmp
> KERNEL32.dll: lstrcpyA, lstrcatA, lstrlenA, lstrcmpA, GetWindowsDirectoryA, WinExec, CreateThread, SetErrorMode, CreateMutexA, GetCurrentProcessId, Sleep, LoadLibraryA, GetProcAddress, FreeLibrary, GetModuleHandleA, GetModuleFileNameA, CopyFileA, GetShortPathNameA, ExitProcess, GetTickCount, QueryPerformanceFrequency, QueryPerformanceCounter, GetLocaleInfoA, GetComputerNameA, GetVersionExA, GlobalMemoryStatus, GetProcessAffinityMask, GetCurrentProcess, CloseHandle, GetLastError, DeleteFileA
> WS2_32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -
> WININET.dll: InternetReadFile, InternetOpenA, InternetOpenUrlA, InternetCloseHandle
> ADVAPI32.dll: GetUserNameA, FreeSid, EqualSid, AllocateAndInitializeSid, GetTokenInformation, OpenProcessToken, RegCloseKey, RegSetValueExA, RegCreateKeyExA, AdjustTokenPrivileges, LookupPrivilegeValueA, RegQueryValueExA, RegOpenKeyExA
> SHELL32.dll: ShellExecuteA
> ntdll.dll: NtQuerySystemInformation, ZwSystemDebugControl
> urlmon.dll: URLDownloadToFileA

( 0 exports )
RDS...: NSRL Reference Data Set
-
trid..: Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
pdfid.: -
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
<a href='http://info.prevx.com/aboutprogramtext.asp?PX5=6B41BEA2006355954818009E9A224800A57F2C86' target='_blank'>http://info.prevx.com/aboutprogramtext.asp?PX5=6B41BEA2006355954818009E9A224800A57F2C86</a>

for smss.exe

 File smss.exe received on 2009.11.08 16:30:40 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 18/40 (45%)
Loading server information...
Your file is queued in position: ___.
Estimated start time is between ___ and ___ .
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email: 	
	
Antivirus 	Version 	Last Update 	Result
a-squared	4.5.0.41	2009.11.08	Trojan.Win32.Buzus!IK
AhnLab-V3	5.0.0.2	2009.11.06	-
AntiVir	7.9.1.61	2009.11.06	TR/Buzus.ckyi
Antiy-AVL	2.0.3.7	2009.11.05	Trojan/Win32.Buzus.gen
Authentium	5.2.0.5	2009.11.08	-
Avast	4.8.1351.0	2009.11.08	Win32:Malware-gen
AVG	8.5.0.423	2009.11.08	-
BitDefender	7.2	2009.11.08	-
CAT-QuickHeal	10.00	2009.11.07	-
ClamAV	0.94.1	2009.11.08	-
Comodo	2885	2009.11.08	-
DrWeb	5.0.0.12182	2009.11.08	-
eTrust-Vet	35.1.7108	2009.11.06	-
F-Prot	4.5.1.85	2009.11.08	-
F-Secure	9.0.15370.0	2009.11.04	-
Fortinet	3.120.0.0	2009.11.08	W32/Buzus.CKYI!tr
GData	19	2009.11.08	Win32:Malware-gen
Ikarus	T3.1.1.74.0	2009.11.08	Trojan.Win32.Buzus
Jiangmin	11.0.800	2009.11.08	-
K7AntiVirus	7.10.891	2009.11.07	-
Kaspersky	7.0.0.125	2009.11.08	Trojan.Win32.Buzus.ckyi
McAfee	5796	2009.11.08	-
McAfee+Artemis	5796	2009.11.08	Artemis!4900CB2BCF39
McAfee-GW-Edition	6.8.5	2009.11.08	Heuristic.BehavesLike.Win32.Dropper.H
Microsoft	1.5202	2009.11.08	Trojan:Win32/Malex.gen!F
NOD32	4584	2009.11.08	-
Norman	6.03.02	2009.11.06	-
nProtect	2009.1.8.0	2009.11.08	Trojan/W32.Buzus.27136.BP
Panda	10.0.2.2	2009.11.08	Trj/Buzus.AH
PCTools	7.0.3.5	2009.11.06	Trojan.Generic
Prevx	3.0	2009.11.08	High Risk Cloaked Malware
Rising	21.54.62.00	2009.11.08	-
Sophos	4.47.0	2009.11.08	-
Sunbelt	3.2.1858.2	2009.11.08	-
Symantec	1.4.4.12	2009.11.08	Trojan Horse
TheHacker	6.5.0.2.063	2009.11.06	-
TrendMicro	9.0.0.1003	2009.11.08	TROJ_BUZUS.BJI
VBA32	3.12.10.11	2009.11.07	Trojan.Win32.Buzus.clbq
ViRobot	2009.11.6.2025	2009.11.06	-
VirusBuster	4.6.5.0	2009.11.07	-
Additional information
File size: 27136 bytes
MD5...: 4900cb2bcf39bfc9dbb1bd3d07920822
SHA1..: a705de1c8469c629c52539f9c46001ea974cf39d
SHA256: 2a62c08724610acfff435b9b5e071814b0fbecdd35179871b11c2c9a909df15e
ssdeep: 384:l3qzkCAQ/RKTPOMm/X/T45m3wtXi+2mnhw1QUpapqmjX4ANMN4LVuD0VH+se
+BC8:Q+QAWzP/TbwtFhPqmjIAxLVuIVHoC
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x20eb
timedatestamp.....: 0x4ae83bd3 (Wed Oct 28 12:40:51 2009)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x162e 0x1800 5.87 4c7ebe62127cce4935150404ce87cc95
.rdata 0x3000 0x95a 0xa00 4.86 dd7914dfc0ef1480ef1f2d0b66cc860a
.data 0x4000 0x39c 0x200 0.35 7864146ab16e0d5e4e072d9df7bc8471
.rsrc 0x5000 0x4014 0x4200 7.82 cad4ac46d79897e9e1d21be608cb0508

( 4 imports )
> MSVCR90.dll: _controlfp_s, _invoke_watson, _except_handler4_common, _decode_pointer, _onexit, _lock, __dllonexit, _unlock, _terminate@@YAXXZ, _crt_debugger_hook, __set_app_type, _encode_pointer, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _configthreadlocale, _initterm_e, _initterm, _acmdln, exit, _ismbblead, _XcptFilter, _exit, _cexit, rand, _amsg_exit, __getmainargs, memset
> KERNEL32.dll: GetCurrentProcessId, GetTickCount, QueryPerformanceCounter, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetStartupInfoA, InterlockedCompareExchange, Sleep, InterlockedExchange, CreateMutexA, GetModuleFileNameA, FindResourceA, SizeofResource, LoadResource, LockResource, GetCurrentThreadId, GetComputerNameA, GetSystemTimeAsFileTime, GetVolumeInformationA, ExitProcess, GetModuleHandleA, GetProcAddress, GetEnvironmentVariableA, OpenMutexA
> USER32.dll: GetCursorPos, FindWindowA, MessageBoxA, wsprintfA, GetThreadDesktop, GetUserObjectInformationA
> ADVAPI32.dll: RegOpenKeyExA, RegCloseKey, GetUserNameA

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win64 Executable Generic (80.9%)
Win32 Executable Generic (8.0%)
Win32 Dynamic Link Library (generic) (7.1%)
Generic Win/DOS Executable (1.8%)
DOS Executable Generic (1.8%)
<a href='http://info.prevx.com/aboutprogramtext.asp?PX5=5FDEE82A00ECD2FD6AEB00AFDC19000079FFA3F4' target='_blank'>http://info.prevx.com/aboutprogramtext.asp?PX5=5FDEE82A00ECD2FD6AEB00AFDC19000079FFA3F4</a>
sigcheck:
publisher....: n/a
copyright....: Copyright (C) 2009
product......: Stub Application
description..: Stub Application
original name: Stub.exe
internal name: Stub
file version.: 1, 0, 0, 1
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

DDS

DDS (Ver_09-10-26.01) - NTFSX64  
Run by Nino at  0:49:51.86 on Mon 11/09/2009
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_15
Microsoft Windows 7 Ultimate   6.1.7600.2.1252.63.1033.18.6143.4392 [GMT 8:00]

SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k NetworkService
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
C:\Program Files (x86)\CDBurnerXP\NMSAccessU.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\PROGRA~2\SPEEDB~1\VideoAcceleratorService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files (x86)\SpeedBit Video Accelerator\VideoAccelerator.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\RocketDock\RocketDock.exe
C:\Program Files (x86)\DAEMON Tools Lite\daemon.exe
C:\PROGRA~2\SPEEDB~1\VideoAcceleratorEngine.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files (x86)\DNA\btdna.exe
C:\Program Files (x86)\DAP\DAP.exe
C:\Program Files (x86)\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\DllHost.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files (x86)\uTorrent\uTorrent.exe
C:\Windows\notepad.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Users\Nino\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\update.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr10/*http://www.yahoo.com
uStart Page = hxxp://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr10/*http://www.yahoo.com/ext/search/search.html
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr10/*http://www.yahoo.com
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
mLocal Page = c:\windows\syswow64\blank.htm
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr10/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr10/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr10/*http://www.yahoo.com
BHO: SBCONVERT Class: {31b27f2d-6bc6-451b-b3d2-4eab36b2fc3b} - c:\program files (x86)\speedbit video downloader\toolbar\tbcore3.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files (x86)\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files (x86)\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files (x86)\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~2\yahoo!\companion\installs\cpn\YTSingleInstance.dll
BHO: DAPIELoader Class: {ff6c3cf0-4b15-11d1-abed-709549c10000} - c:\progra~2\dap\DAPIEL~1.DLL
BHO: GrabberObj Class: {ff7c3cf0-4b15-11d1-abed-709549c10000} - c:\progra~2\speedb~2\toolbar\grabber.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~2\yahoo!\companion\installs\cpn\yt.dll
TB: SpeedBit Video Downloader: {0329e7d6-6f54-462d-93f6-f5c3118badf2} - c:\program files (x86)\speedbit video downloader\toolbar\tbcore3.dll
uRun: [Sidebar] c:\program files (x86)\windows sidebar\sidebar.exe /autoRun
uRun: [uTorrent] "c:\program files (x86)\utorrent\uTorrent.exe"
uRun: [Messenger (Yahoo!)] "c:\program files (x86)\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [SpeedBitVideoAccelerator] c:\program files (x86)\speedbit video accelerator\VideoAccelerator.exe
uRun: [RocketDock] "c:\program files (x86)\rocketdock\RocketDock.exe"
uRun: [DAEMON Tools Lite] "c:\program files (x86)\daemon tools lite\daemon.exe" -autorun
uRun: [BitTorrent DNA] "c:\program files (x86)\dna\btdna.exe"
uRun: [DownloadAccelerator] "c:\program files (x86)\dap\DAP.EXE" /STARTUP
uRun: [Search Protection] c:\program files (x86)\yahoo!\search protection\SearchProtection.exe
uRun: [SUPERAntiSpyware] c:\program files (x86)\superantispyware\SUPERAntiSpyware.exe
uRun: [Defence] "c:\programdata\defence\smss.exe" -SystemDefence
mRun: [StartCCC] "c:\program files (x86)\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Nikon Transfer Monitor] c:\program files (x86)\common files\nikon\monitor\NkMonitor.exe
mRun: [Google Desktop Search] "c:\program files (x86)\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [SunJavaUpdateSched] "c:\program files (x86)\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files (x86)\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files (x86)\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [YSearchProtection] "c:\program files (x86)\yahoo!\search protection\SearchProtection.exe"
mRun: [GrooveMonitor] "c:\program files (x86)\microsoft office\office12\GrooveMonitor.exe"
mRun: [framework] framework.exe
mRun: [Window Proxy Service] c:\windows\system32\update.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files (x86)\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\users\nino\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files (x86)\erunt\AUTOBACK.EXE
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
uPolicies-explorer: RestrictRun = 0 (0x0)
uPolicies-explorer: NoStartMenuEjectPC = 0 (0x0)
uPolicies-explorer: NoSimpleStartMenu = 0 (0x0)
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-explorer: NoStartMenuMyMusic = 0 (0x0)
uPolicies-explorer: NoSMMyPictures = 0 (0x0)
uPolicies-explorer: NoResolveTrack = 0 (0x0)
uPolicies-explorer: NoInstrumentation = 0 (0x0)
uPolicies-explorer: NoFileAssociate = 0 (0x0)
uPolicies-explorer: RestrictCpl = 0 (0x0)
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-explorer: RestrictRun = 0 (0x0)
mPolicies-explorer: NoStartMenuEjectPC = 0 (0x0)
mPolicies-explorer: NoSimpleStartMenu = 0 (0x0)
mPolicies-explorer: NoWindowsUpdate = 0 (0x0)
mPolicies-explorer: NoStartMenuMyMusic = 0 (0x0)
mPolicies-explorer: NoSMMyPictures = 0 (0x0)
mPolicies-explorer: NoResolveTrack = 0 (0x0)
mPolicies-explorer: NoInstrumentation = 0 (0x0)
mPolicies-explorer: NoFileAssociate = 0 (0x0)
mPolicies-explorer: RestrictCpl = 0 (0x0)
mPolicies-explorer: NoThemesTab = 0 (0x0)
mPolicies-system: ConsentPromptbehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptbehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: NoDispSettingsPage = 0 (0x0)
mPolicies-system: NoDispAppearancePage = 0 (0x0)
IE: &Clean Traces - c:\program files (x86)\dap\privacy package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files (x86)\dap\dapextie.htm
IE: Download &all with DAP - c:\program files (x86)\dap\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~2\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~2\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~2\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files (x86)\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files (x86)\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\progra~2\google\google~1\GO36F4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files (x86)\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files (x86)\superantispyware\SASSEH.DLL
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB-X64: {0329E7D6-6F54-462D-93F6-F5C3118BADF2} - No File
mRun-x64: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun-x64: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

================= FIREFOX ===================

FF - ProfilePath - c:\users\nino\appdata\roaming\mozilla\firefox\profiles\4n33fbbu.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - component: c:\program files (x86)\dap\dapfirefox\components\DAPFireFox.dll
FF - component: c:\program files (x86)\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\users\nino\appdata\roaming\mozilla\firefox\profiles\4n33fbbu.default\extensions\lazarus@interclue.com\platform\winnt_x86-msvc\components\WeaveCrypto.dll
FF - plugin: c:\program files (x86)\microsoft\office live\npOLW.dll
FF - plugin: c:\program files (x86)\webzen\webzengamestarter\NPGameWebStarter.dll
FF - plugin: c:\program files\itunes\mozilla plugins\npitunes.dll
FF - plugin: c:\users\nino\appdata\local\yahoo!\browserplus\2.4.17\plugins\npybrowserplus_2.4.17.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-8-14 202752]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\x86\ekrn.exe [2009-5-14 731840]
R2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2009-5-14 121152]
R2 VideoAcceleratorService;VideoAcceleratorService;c:\progra~2\speedb~1\videoacceleratorservice.exe -start -scm --> c:\progra~2\speedb~1\VideoAcceleratorService.exe -start -scm [?]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE [2009-3-30 2297216]
R2 YahooAUService;Yahoo! Updater;c:\program files (x86)\yahoo!\softwareupdate\YahooAUService.exe [2008-11-10 602392]
R3 AtiHdmiService;ATI Service for HD Audio Codec;c:\windows\system32\drivers\AtiHdmi.sys [2009-7-24 119312]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x64.sys [2009-6-11 389120]
S1 SASDIFSV;SASDIFSV;c:\program files (x86)\superantispyware\sasdifsv.sys [2009-10-12 9968]
S1 SASKUTIL;SASKUTIL;c:\program files (x86)\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x64.sys [2009-9-26 19432]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\dragon age\bin_ship\daupdatersvc.service.exe [2009-11-6 25832]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\common files\macrovision shared\flexnet publisher\FNPLicensingService64.exe [2009-10-4 1038088]
S3 GoogleDesktopManager-090809-085438;Google Desktop Manager 5.9.909.8267;c:\program files (x86)\google\google desktop search\GoogleDesktop.exe [2009-9-30 30192]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SASENUM;SASENUM;c:\program files (x86)\superantispyware\SASENUM.SYS [2009-10-12 7408]

=============== Created Last 30 ================

2009-11-08 12:14:23	0	d-----w-	c:\program files (x86)\CCleaner
2009-11-08 10:37:45	0	d-----w-	c:\programdata\SUPERAntiSpyware.com
2009-11-08 10:37:36	0	d-----w-	c:\users\nino\appdata\roaming\SUPERAntiSpyware.com
2009-11-08 10:37:36	0	d-----w-	c:\program files (x86)\SUPERAntiSpyware
2009-11-08 10:34:38	0	d-----w-	c:\users\nino\appdata\roaming\Malwarebytes
2009-11-08 10:34:33	0	d-----w-	c:\programdata\Malwarebytes
2009-11-08 10:34:32	22104	----a-w-	c:\windows\system32\drivers\mbam.sys
2009-11-08 10:34:32	0	d-----w-	c:\program files (x86)\Malwarebytes' Anti-Malware
2009-11-08 07:44:07	18432	----a-w-	c:\windows\syswow64\update.exe
2009-11-07 20:55:06	0	d-----w-	c:\program files\Mozilla Firefox
2009-11-07 20:54:46	0	d-----w-	c:\programdata\Defence
2009-11-06 19:47:36	0	d-----w-	C:\Mp3 Output
2009-11-06 19:47:34	8676883	----a-w-	c:\windows\syswow64\mp3Media2.dll
2009-11-06 19:47:33	0	d-----w-	c:\program files (x86)\Smallvideosoft
2009-11-06 19:37:07	0	d-----w-	c:\program files (x86)\AV Music Morpher Gold
2009-11-06 19:36:20	731	----a-w-	c:\windows\1.tmp
2009-11-06 19:36:20	121	----a-w-	c:\windows\2.tmp
2009-11-06 14:23:01	0	d-----w-	c:\windows\syswow64\AGEIA
2009-11-06 12:30:23	0	d-----w-	c:\program files (x86)\Fort Zombie
2009-11-06 11:47:23	0	d-----w-	c:\program files (x86)\Microsoft XNA
2009-11-06 10:16:28	193	----a-w-	c:\windows\WORDPAD.INI
2009-11-06 05:49:00	126464	----a-w-	c:\users\nino\advpack.dll
2009-11-06 05:46:11	0	d-----w-	c:\programdata\BioWare
2009-11-06 04:25:26	0	d-----w-	c:\programdata\Media Center Programs
2009-11-06 04:15:54	0	d-----w-	c:\program files (x86)\Dragon Age
2009-11-06 04:15:54	0	d-----w-	c:\program files (x86)\common files\BioWare
2009-11-05 19:58:26	0	d-----w-	c:\program files (x86)\WinPcap
2009-11-05 19:57:47	0	d-----w-	c:\program files\Wireshark
2009-11-05 19:05:52	0	d-----w-	c:\program files (x86)\IntenseRO
2009-11-05 12:10:35	0	d-----w-	c:\users\nino\appdata\roaming\runic games
2009-11-04 14:31:41	0	d-----w-	c:\program files (x86)\Runic Games
2009-11-03 16:17:22	0	d-----w-	c:\users\nino\appdata\roaming\GameRanger
2009-11-03 03:02:28	5958656	----a-w-	c:\windows\syswow64\mshtml.dll
2009-11-01 09:20:47	0	d-----w-	c:\users\nino\appdata\roaming\Canneverbe_Limited
2009-11-01 09:20:46	0	d-----w-	c:\programdata\Canneverbe Limited
2009-10-31 14:24:33	37979	----a-w-	c:\users\nino\collegehumor.747135e7120318d63b798edce11fd98c.jpg
2009-10-31 07:49:55	68068	----a-w-	c:\users\nino\IRENE.jpg
2009-10-31 07:37:40	440113	----a-w-	c:\users\nino\IRENE.psd
2009-10-31 07:33:41	16515	----a-w-	c:\users\nino\8928_1046993871136_1714376789_89542_7524312_n.jpg
2009-10-31 07:26:50	5	----a-w-	c:\windows\syswow64\YoItzVlad.tmp
2009-10-29 12:02:45	0	d-----w-	c:\program files (x86)\AMPED
2009-10-29 12:01:44	0	d-----w-	c:\windows\Downloaded Installations
2009-10-27 17:29:29	0	d-----w-	c:\program files (x86)\2K Games
2009-10-27 12:26:55	0	d-sh--w-	c:\programdata\SecuROM
2009-10-27 11:51:41	0	d-----w-	c:\windows\D56B0E274A3E46C9B5C1D93D580C099C.TMP
2009-10-26 20:25:24	0	d-----w-	c:\program files (x86)\MagicISO
2009-10-26 18:46:44	5504	----a-w-	c:\windows\system32\drivers\StarOpen.sys
2009-10-25 17:45:44	442936570	----a-w-	c:\windows\MEMORY.DMP
2009-10-23 04:44:11	1431552	----a-w-	c:\users\nino\Dead Space Trainer V2.exe
2009-10-23 04:23:56	178800	----a-w-	c:\windows\syswow64\CmdLineExt_x64.dll
2009-10-23 04:01:30	0	d-----w-	c:\users\nino\appdata\roaming\Flock
2009-10-23 04:00:56	0	d-----w-	c:\program files (x86)\Dead Space
2009-10-23 03:57:16	53616	----a-w-	c:\windows\syswow64\CMStarter_Kor.dll
2009-10-23 03:57:16	53616	----a-w-	c:\windows\syswow64\CMStarter_Eng.dll
2009-10-23 03:57:16	364912	----a-w-	c:\windows\syswow64\CMStarterCore.exe
2009-10-23 03:57:16	0	d-----w-	c:\program files (x86)\WEBZEN
2009-10-23 03:56:08	0	d-----w-	c:\program files (x86)\Flock
2009-10-23 03:42:39	983	----a-w-	c:\users\nino\Cheat Engine.lnk
2009-10-23 03:42:38	679936	----a-w-	c:\windows\syswow64\D3DX81ab.dll
2009-10-23 03:42:38	1970176	----a-w-	c:\windows\syswow64\d3dx9.dll
2009-10-23 03:42:36	0	d-----w-	c:\program files (x86)\Cheat Engine
2009-10-23 03:19:23	0	d--h--w-	c:\windows\msdownld.tmp
2009-10-23 03:18:27	0	d-----w-	c:\windows\syswow64\directx
2009-10-22 22:20:27	0	d-----w-	c:\program files\Webzen
2009-10-21 03:34:39	0	d-----w-	c:\program files (x86)\OpenXML-ODF Translator
2009-10-20 20:50:44	0	d-----w-	c:\program files (x86)\Microsoft
2009-10-20 20:46:43	0	d-----w-	c:\program files (x86)\Classic Menu for Office
2009-10-20 20:46:35	691592	----a-w-	c:\windows\syswow64\OGACheckControl.DLL
2009-10-20 20:46:35	528744	----a-w-	c:\windows\syswow64\OGAVerify.exe
2009-10-20 20:46:35	502120	----a-w-	c:\windows\syswow64\OGAAddin.dll
2009-10-20 20:40:56	0	d-----w-	c:\windows\PCHEALTH
2009-10-20 20:39:15	0	d-----w-	c:\program files\Microsoft Office
2009-10-20 20:39:01	0	d-----w-	c:\program files (x86)\Microsoft Visual Studio 8
2009-10-20 20:38:16	0	d-----w-	c:\programdata\Microsoft Help
2009-10-20 18:20:12	105488	----a-w-	c:\windows\system32\Packet.dll
2009-10-20 18:20:06	96784	----a-w-	c:\windows\syswow64\Packet.dll
2009-10-20 18:19:58	369168	----a-w-	c:\windows\system32\wpcap.dll
2009-10-20 18:19:54	47632	----a-w-	c:\windows\system32\drivers\npf.sys
2009-10-20 18:19:54	281104	----a-w-	c:\windows\syswow64\wpcap.dll
2009-10-20 18:19:30	53299	----a-w-	c:\windows\syswow64\pthreadVC.dll
2009-10-20 14:15:16	2008480	----a-w-	c:\users\nino\RESIDENT EVIL 5 DX10 v1.0.0.129 + 15 Trainer.exe
2009-10-20 13:21:32	0	d-----w-	c:\program files (x86)\CAPCOM
2009-10-20 13:20:23	0	d-----w-	c:\windows\syswow64\xlive
2009-10-20 13:20:23	0	d-----w-	c:\program files (x86)\Microsoft Games for Windows - LIVE
2009-10-17 21:45:22	0	d-----w-	c:\program files (x86)\Mindware Studios
2009-10-16 19:46:29	0	d-----w-	c:\users\nino\extract
2009-10-16 19:30:49	0	d-----w-	C:\Perl64
2009-10-16 19:23:39	318	----a-w-	c:\windows\WPE PRO.INI
2009-10-16 19:21:25	0	d-----w-	c:\users\nino\RO Priv ID
2009-10-16 04:01:34	0	d-----w-	c:\users\nino\openkore_ready
2009-10-15 15:23:56	0	d-----w-	c:\program files (x86)\Gravity
2009-10-15 15:23:33	65536	----a-w-	c:\windows\IFinst27.exe
2009-10-14 11:14:19	0	d-----w-	c:\program files (x86)\MPGHARMIT
2009-10-14 02:45:14	0	d-----w-	c:\program files\Gravity
2009-10-13 17:55:31	311808	----a-w-	c:\windows\system32\msv1_0.dll
2009-10-13 17:55:31	257024	----a-w-	c:\windows\syswow64\msv1_0.dll
2009-10-13 17:55:25	0	d-----w-	c:\program files (x86)\MSXML 4.0
2009-10-13 17:53:03	64512	----a-w-	c:\windows\syswow64\msfeedsbs.dll
2009-10-13 17:52:57	46592	----a-w-	c:\windows\system32\msasn1.dll
2009-10-13 17:52:57	34816	----a-w-	c:\windows\syswow64\msasn1.dll
2009-10-11 04:14:28	1908	----a-w-	c:\windows\diagwrn.xml
2009-10-11 04:14:28	1908	----a-w-	c:\windows\diagerr.xml
2009-10-11 02:46:03	72200	----a-w-	c:\windows\system32\XAPOFX1_1.dll
2009-10-11 02:46:03	513544	----a-w-	c:\windows\system32\XAudio2_2.dll
2009-10-11 02:46:02	540688	----a-w-	c:\windows\system32\d3dx10_39.dll
2009-10-11 02:46:02	238088	----a-w-	c:\windows\syswow64\xactengine3_2.dll
2009-10-11 02:46:02	1942552	----a-w-	c:\windows\system32\D3DCompiler_39.dll
2009-10-11 02:46:02	177672	----a-w-	c:\windows\system32\xactengine3_2.dll
2009-10-11 02:46:01	4992520	----a-w-	c:\windows\system32\D3DX9_39.dll
2009-10-11 02:40:10	0	d-----w-	c:\program files (x86)\Codemasters
2009-10-10 15:34:08	109056	----a-w-	c:\users\nino\risen_v1.0.94946_trn+4.exe
2009-10-09 21:35:10	0	d-----w-	c:\users\nino\appdata\roaming\kalypte-user-pics
2009-10-09 19:18:18	0	d-----w-	c:\program files (x86)\Uzzap

==================== Find3M  ====================

2009-11-08 12:02:25	174	--sh--w-	c:\program files (x86)\desktop.ini
2009-11-02 12:42:06	226688	------w-	c:\windows\system32\MpSigStub.exe
2009-10-12 15:25:15	20	---h--w-	c:\programdata\PKP_DLdw.DAT
2009-10-10 00:18:29	20	---h--w-	c:\programdata\PKP_DLdu.DAT
2009-10-03 12:06:35	107008	----a-w-	c:\users\nino\Risen_V1.0_Plus_36_Trainer_By_KelSat.exe
2009-10-02 04:32:07	982600	----a-w-	c:\windows\system32\drivers\dxgkrnl.sys
2009-10-01 06:58:43	43680	----a-w-	c:\windows\system32\drivers\lirsgt.sys
2009-10-01 06:58:43	314016	----a-w-	c:\windows\system32\drivers\atksgt.sys
2009-09-30 14:50:06	245248	----a-w-	c:\users\nino\HoN_ModMan.exe
2009-09-26 19:24:02	0	---ha-w-	c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2009-09-26 19:23:57	0	---ha-w-	c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2009-09-26 18:33:18	871408	----a-w-	c:\windows\system32\drivers\sptd.sys
2009-09-26 15:24:42	0	---ha-w-	c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2009-09-26 12:34:28	106496	----a-w-	c:\windows\syswow64\ATL71.DLL
2009-09-25 14:06:45	50688	----a-w-	c:\windows\syswow64\wbhelp2.dll
2009-09-25 13:41:28	0	---ha-w-	c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2009-09-04 09:44:42	73544	----a-w-	c:\windows\system32\XAPOFX1_3.dll
2009-09-04 09:44:40	69464	----a-w-	c:\windows\syswow64\XAPOFX1_3.dll
2009-09-04 09:44:40	517960	----a-w-	c:\windows\system32\XAudio2_5.dll
2009-09-04 09:44:40	515416	----a-w-	c:\windows\syswow64\XAudio2_5.dll
2009-09-04 09:44:40	238936	----a-w-	c:\windows\syswow64\xactengine3_5.dll
2009-09-04 09:44:40	176968	----a-w-	c:\windows\system32\xactengine3_5.dll
2009-09-04 09:29:34	453456	----a-w-	c:\windows\syswow64\d3dx10_42.dll
2009-09-04 09:29:34	235344	----a-w-	c:\windows\syswow64\d3dx11_42.dll
2009-09-04 09:29:32	5501792	----a-w-	c:\windows\syswow64\d3dcsx_42.dll
2009-09-04 09:29:32	1974616	----a-w-	c:\windows\syswow64\D3DCompiler_42.dll
2009-09-04 09:29:30	1892184	----a-w-	c:\windows\syswow64\D3DX9_42.dll
2009-09-04 09:29:24	5554512	----a-w-	c:\windows\system32\d3dcsx_42.dll
2009-09-04 09:29:24	523088	----a-w-	c:\windows\system32\d3dx10_42.dll
2009-09-04 09:29:24	285024	----a-w-	c:\windows\system32\d3dx11_42.dll
2009-09-04 09:29:22	2582888	----a-w-	c:\windows\system32\D3DCompiler_42.dll
2009-09-04 09:29:20	2475352	----a-w-	c:\windows\system32\D3DX9_42.dll
2009-09-03 07:36:39	1975296	----a-w-	c:\windows\system32\CertEnroll.dll
2009-09-03 07:04:15	1320960	----a-w-	c:\windows\syswow64\CertEnroll.dll
2009-08-29 07:45:05	12625920	----a-w-	c:\windows\system32\wmploc.DLL
2009-08-29 06:59:32	11406336	----a-w-	c:\windows\syswow64\wmp.dll
2009-08-29 06:54:52	12625408	----a-w-	c:\windows\syswow64\wmploc.DLL
2009-08-17 15:33:52	1193832	----a-w-	c:\windows\syswow64\FM20.DLL
2009-08-14 05:36:18	70936	----a-w-	c:\windows\syswow64\PhysXLoader.dll
2009-08-14 02:16:22	446464	----a-w-	c:\windows\system32\ATIDEMGX.dll
2009-08-14 02:16:12	433152	----a-w-	c:\windows\system32\atieclxx.exe
2009-08-14 02:15:40	202752	----a-w-	c:\windows\system32\atiesrxx.exe
2009-08-14 02:14:22	120320	----a-w-	c:\windows\system32\atitmm64.dll
2009-08-14 02:14:04	421888	----a-w-	c:\windows\system32\atipdl64.dll
2009-08-14 02:13:56	356352	----a-w-	c:\windows\syswow64\atipdlxx.dll
2009-08-14 02:13:42	274432	----a-w-	c:\windows\syswow64\Oemdspif.dll
2009-08-14 02:13:36	12288	----a-w-	c:\windows\system32\atimuixx.dll
2009-08-14 02:13:30	59392	----a-w-	c:\windows\system32\atiedu64.dll
2009-08-14 02:13:26	43520	----a-w-	c:\windows\syswow64\ati2edxx.dll
2009-08-14 02:10:40	2896896	----a-w-	c:\windows\syswow64\atidxx32.dll
2009-08-14 02:06:56	16667136	----a-w-	c:\windows\system32\atio6axx.dll
2009-08-14 02:03:20	3441664	----a-w-	c:\windows\system32\atidxx64.dll
2009-08-14 01:55:20	3578368	----a-w-	c:\windows\syswow64\atiumdag.dll
2009-08-14 01:49:38	4629504	----a-w-	c:\windows\system32\atiumd64.dll
2009-08-14 01:44:36	12916224	----a-w-	c:\windows\syswow64\atioglxx.dll
2009-08-14 01:43:26	2491392	----a-w-	c:\windows\system32\atiumd6a.dll
2009-08-14 01:37:32	2829824	----a-w-	c:\windows\syswow64\atiumdva.dll
2009-08-14 01:25:28	53248	----a-w-	c:\windows\system32\atimpc64.dll
2009-08-14 01:25:28	53248	----a-w-	c:\windows\system32\amdpcom64.dll
2009-08-14 01:25:22	52224	----a-w-	c:\windows\syswow64\atimpc32.dll
2009-08-14 01:25:22	52224	----a-w-	c:\windows\syswow64\amdpcom32.dll
2009-08-14 01:24:58	287744	----a-w-	c:\windows\system32\atiadlxx.dll
2009-08-14 01:24:50	200704	----a-w-	c:\windows\syswow64\atiadlxy.dll
2009-08-14 01:22:44	48640	----a-w-	c:\windows\system32\aticalrt64.dll
2009-08-14 01:22:40	53248	----a-w-	c:\windows\syswow64\aticalrt.dll
2009-08-14 01:22:28	41984	----a-w-	c:\windows\system32\aticalcl64.dll
2009-08-14 01:22:26	53248	----a-w-	c:\windows\syswow64\aticalcl.dll
2009-08-14 01:22:12	4564480	----a-w-	c:\windows\system32\aticaldd64.dll
2009-08-14 01:21:16	3481600	----a-w-	c:\windows\syswow64\aticaldd.dll
2009-07-14 05:37:38	31548	----a-w-	c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 05:37:38	31548	----a-w-	c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 05:37:38	291294	----a-w-	c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 05:37:38	291294	----a-w-	c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:54:24	174	--sha-w-	c:\program files\desktop.ini
2009-07-14 01:00:34	291294	----a-w-	c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 01:00:34	291294	----a-w-	c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 01:00:32	31548	----a-w-	c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 01:00:32	31548	----a-w-	c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 20:44:08	9633792	--sha-r-	c:\windows\fonts\StaticCache.dat
2009-07-14 01:39:53	398848	--sha-w-	c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
2009-07-14 01:14:45	396800	--sha-w-	c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH:  0:50:11.97 ===============

Attached File(s)

•  Attach.zip (3.21K)
  Number of downloads: 2

[Extremeboy]

You have another topic here: http://www.malwarere...hp?f=11&t=47156

Perhaps even more elsewhere. We do not help if you post multiple forums asking for help. It wastes other helpers time.

I suggest you remove any posts/topic you have posted elsewhere regarding this SAME problem now that you are receiving help here.

Let me know once you have done that and we'll continue.

[Extremeboy]

Hello.

Let's continue. Please make sure you read my previous post too.

Yup, as expected they are infected.

I want you to upload a few files to me so I can take a look at them before we go removing them.

Submit file sample

• Open to the Submission Channel.
  
• Under Link to topic where this file was requested, input:
  

  http://www.247fixes.com/forums/topic/5466-virus-overheats-my-processor-o-o/
  

  
  
• Click Browse and select the C:\Windows\SysWOW64\update.exe
  
• Under the comments section, say that ExtremeBoy asked for the submission.
  
• Then select Send File to send it
  
• After that you should get a confirmation if it was uploaded successfully.

Please repeat the steps and upload these files as well:
c:\windows\system32\update.exe
C:\ProgramData\Defence\smss.exe
C:\Windows\system32\conhost.exe

---

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it. (If you are using Vista, please right-click and select run as administartor)
  
• A blank Windows shall open with the title "SystemLook v1.0-by Jpshortstuff".
  
• Copy and Paste the content of the following codebox into the main textfield under "File":
  

  :dir
  C:\ProgramData\Defence
  

  
  
• Please Confirm everything is copied and Pasted as I have provided above
  
• Click the Look button to start the scan.
  
• When finished, a notepad window will open with the results of the scan.
  
• Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt
2nd Note: The scan may take a while from several seconds to a minute or more depending on the number of files you have and how fast your computer can perform the task

Let's run an automatic scanner (malwarebytes) and see if it detects/remove anything before we manually remove this.

Uninstall your version of Malwarebytes and re-download and install it from here:

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1

• Make sure you are connected to the Internet.
  
• Double-click on Download_mbam-setup.exe to install the application.
  
• When the installation begins, follow the prompts and do not make any changes to default settings.
  
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
    
  • Launch Malwarebytes' Anti-Malware
  
  
• Then click Finish.
  
• MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  
• On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
    
  • Then click on the Scan button.
  
  
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  
• Click OK to close the message box and continue with the removal process.
  
• Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Next, download Process Explorer from here: http://technet.micro...s/bb896653.aspx

Run it and at the top click File >> Save As... and save the text file to your desktop. Attach that log file in your next reply for me please.

Post/attach the log(s) once done. Any problems/questions, please let me know.

With Regards,
Extremeboy

[SomeoneSomewhere]

SystemLook:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 02:02 on 09/11/2009 by Nino (Administrator - Elevation successful)

========== dir ==========

C:\ProgramData\Defence - Parameters: "(none)"

---Files---
smss.exe	------ 27136 bytes	[20:54 07/11/2009]	[22:46 30/10/2009]

---Folders---
None found.

-=End Of File=-

mbam:

Malwarebytes' Anti-Malware 1.41
Database version: 3128
Windows 6.1.7600 Service Pack 2

11/9/2009 2:48:40 AM
mbam-log-2009-11-09 (02-48-40).txt

Scan type: Full Scan (C:\|)
Objects scanned: 373556
Time elapsed: 38 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

i ran malwarebytes 3 timess full scan... LOL
2 times before i posted the problem here, and the 3rd from your instructions.
i noticed before the 2nd scan, there 4-6 instances of update.exe in my processes, but now theres only 1.

Attached File(s)

•  Procexp.txt (4.92K)
  Number of downloads: 1

[Extremeboy]

Hello.

Thanks for those logs. I need to leave now so I'll check up and provide you with a fix next post once I come back home.

Please read my previous post on posting in multiple forums and the one you posted in Malwareremoval.com.

--

Just one thing I want you to check.

Right-click on My Computer and select Properties.

Let me know about the Windows Edition information section. What Service Pack is it?

With Regards,
Extremeboy

[SomeoneSomewhere]

ok.
done, service pack 2.

[SomeoneSomewhere]

SomeoneSomewhere, on 09 November 2009 - 11:28 AM, said:

ok.
done, service pack 2.

oh, i forgot to add, Windows 7 x64 Ultimate. SP2

[Extremeboy]

Download and Scan MGADiag to Validate your Windows

We need to validate/check your Windows Genuine Advantage.

• Please download Microsoft Genuine Advantage Diagnostic Tool and save it to your desktop.
  
• Double click on MGADiag.exe to run it.
  
• Click Run when you recieve the Security Warning.
  
• Click Continue.
  
• The program will now run. The diagnosis may take a several seconds to complete.
  
• Once it's complete, click on Copy button near the bottom.
  
• Please paste (right-click and select paste) to post the contents of what MGADiag produced in your next reply.

With Regards,
Extremeboy