Computer Security & Viruses/iexplore virus

QUESTION: Hi Brian-
Alas, I have the dreaded iexplore virus as evidenced by

Full page pop-ups
Audio "congratulations" when no window is open
iexplore is in task manager even when no iexplore window is open
also the speaker volume gets put in the off position

I have tried several steps to detect and eradicate it.
Avast, Malwarebytes and a couple of others.

When doing a search for the iexplore file it is found here:
C:\7ce2c22da339fa54a5fc1e9d87
iexplore.exe.mui is found here
C:\7ce2c22da339fa54a5fc1e9d87

A copy is also found in prefetch which I've deleted but comes back.

If you could be of any assistance in helping me rid myself of this thing, I would be enormously grateful.

Thanks Much!

Steve F.

ANSWER: Hi Steve

I would like for you to run another Malwarebytes scan, this time in Safe Mode. Reboot your computer and keep tapping the F8 key on boot until a black screen with a menu appears. Use the arrow keys to highlight and choose Start Windows in Safe Mode With Networking. Log on as usual. Start Malwarebytes and first run an update, then run a full scan. When completed, click to show results, then click to remove the selected files. The program may ask for a reboot, so please do so. When completed, Malwarebytes will show a log of the results. Save it and copy and paste the text to me in a follow-up.
I would also like a copy of a HijackThis report.  To do so:
Please download HijackThis to your desktop from here:
http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe
Make sure you close EVERY open window and ALL browser windows. The only thing that should be open is the HijackThis program.
Double-click on the file you just downloaded.
Click on the "Install" button.
Upon install, HijackThis should open for you.
Should it not open, go to C:\Program Files\Trend Micro\HijackThis and double click on HijackThis.exe
Choose 'Do a system scan and save a log file'.
Copy the text file which opens in Notepad and paste it in your follow-up.

Brian

---------- FOLLOW-UP ----------

QUESTION: Thanks so much for such a quick reply and offer to help Brian

These are the results of my Hijackthis scan:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\User\Desktop\Useful programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nyc.rr.com/
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 5308 bytes

I did a Malwarebytes scan but there was no "clicking to show results" and "removing the selected files". The log just appeared. Here it is:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4278

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 6.0.2900.5512

7/5/2010 1:14:43 PM
mbam-log-2010-07-05 (13-14-43).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 306780
Time elapsed: 50 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Don't know whether this info tells you what you need to know. Let me know
if not.

And again (but not the last time)

THANK YOU!!

Steve F.
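The HijackThis log in the post above is a flat list of entries keyed by section code (R0, O2, O4, O23 and so on), each ending in the path of the DLL or executable it loads. Reviewing such a log by eye means grouping the entries and asking, for each path, whether it lives somewhere a legitimate component would. The following Python script is an added example, not part of the thread and not code from HijackThis or any other tool mentioned here; it parses log lines in that format, counts entries per section, and flags any entry whose binary sits outside a small list of trusted roots or inside a hex-named folder directly under the drive root, the pattern the original question describes. The trusted-root list, the hex-folder heuristic and the single flagged `O4` line in the sample are the example's own constructions; the other sample lines are copied from the posted log.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the
thread). It groups entries by section code and flags binaries loaded from
unusual locations, which is the first thing a reviewer looks for."""
import re
from collections import Counter

# "O4 - HKLM\..\Run: [name] C:\path\file.exe" -> code "O4", body = rest of line
ENTRY_RE = re.compile(r"^([A-Z]\d+)\s+-\s+(.*)$")
# First drive-letter path in the body, ending at a common binary extension.
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|scr|sys|acm))\b", re.IGNORECASE)
# Assumed trusted roots (lower-case); 8.3 short names are included because
# HijackThis prints them for some Run entries, e.g. C:\PROGRA~1\...
TRUSTED_ROOTS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\progra~1\\",
)
# A long, all-hex folder name directly under the drive root is unusual for
# hand-installed software and worth a second look.
HEX_DIR_RE = re.compile(r"^[0-9a-f]{16,}$", re.IGNORECASE)

# Constructed sample: lines 1-4 and 6 mirror entries in the posted log; the
# "[iexplore]" Run entry is made up for illustration and is NOT in that log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nyc.rr.com/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [iexplore] C:\7ce2c22da339fa54a5fc1e9d87\iexplore.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


def parse_entries(log_text):
    """Return one dict per recognised entry: code, body, and extracted path (or None)."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, blank, or "End of file" line
        code, body = m.group(1), m.group(2)
        pm = PATH_RE.search(body)
        entries.append({"code": code, "body": body, "path": pm.group(1) if pm else None})
    return entries


def section_counts(entries):
    """How many entries each section code contributed, e.g. {'O4': 3, ...}."""
    return dict(Counter(e["code"] for e in entries))


def flag_suspicious(entries):
    """Entries whose binary lives outside TRUSTED_ROOTS or in a hex-named root folder."""
    flagged = []
    for e in entries:
        path = e["path"]
        if path is None:
            continue
        reasons = []
        if not path.lower().startswith(TRUSTED_ROOTS):
            reasons.append("outside trusted roots")
        parts = path.split("\\")  # ["C:", "folder", ..., "file.exe"]
        if len(parts) >= 3 and HEX_DIR_RE.match(parts[1]):
            reasons.append("hex-named folder directly under drive root")
        if reasons:
            flagged.append({"code": e["code"], "path": path, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    found = parse_entries(SAMPLE_LOG)
    print("entries per section:", section_counts(found))
    for hit in flag_suspicious(found):
        print(f"REVIEW {hit['code']}: {hit['path']} ({'; '.join(hit['reasons'])})")
```

A flag from this script is a prompt to look closer, not a verdict: plenty of legitimate software installs outside Program Files, and the inverse also holds, since a file inside a trusted root can still be malicious. In the posted log every path resolves under C:\WINDOWS or C:\Program Files, which matches the expert's reading that the log itself shows no infection.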

ANSWER: Hi Steve

I don't see any infection from your HJT log, but let's try a trojan scan before we go deeper into Windows.  Download and run Trojan Remover from this link:

http://www.simplysupersoft.com/download/dl/trjsetup681.exe

Install, update, then run a complete scan and let me know the results.  Thanks.


Brian

---------- FOLLOW-UP ----------

QUESTION: Starting to feel bad for putting you through all this work. My only hope is that part of you likes the Detective Work aspect of this task. I appreciate what you're doing man. The trojan scan came up with no malicious files.
The log is attached below.

I guess this proves what they say...which is that this is an elusive, pesky, little virus.

Hopin' these are just the initial arrows in your arsenal.

Much obliged Brian

Steve F.

***** NORMAL SCAN FOR ACTIVE MALWARE *****
Trojan Remover Ver 6.8.2.2595. For information, email
[Unregistered version]
Scan started at: 6:55:29 PM 05 Jul 2010
Using Database v7541
Operating System:  Windows XP Professional (SP3) [Build: 5.1.2600]
File System:       NTFS
UserData directory: C:\Documents and Settings\User\Application Data\Simply Super Software\Trojan Remover\
Database directory: C:\Documents and Settings\All Users.WINDOWS\Application Data\Simply Super Software\Trojan Remover\Data\
Logfile directory:  C:\Documents and Settings\User\My Documents\Simply Super Software\Trojan Remover Logfiles\
Program directory:  C:\Program Files\Trojan Remover\
Running with Administrator privileges

************************************************************
PC appears to be in SAFE MODE with Network Support.

************************************************************


************************************************************
6:55:29 PM: ----- SCANNING FOR ROOTKIT SERVICES -----
No hidden Services were detected.

************************************************************
6:55:30 PM: Scanning -----WINDOWS REGISTRY-----
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
This key's "Shell" value calls the following program(s):
Key value: [Explorer.exe]
File: Explorer.exe
C:\WINDOWS\Explorer.exe
1033728 bytes
Created:  8/4/2004 8:00 AM
Modified: 4/13/2008 8:12 PM
Company:  Microsoft Corporation
----------
This key's "Userinit" value calls the following program(s):
Key value: [C:\WINDOWS\system32\userinit.exe,]
File: C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\userinit.exe
26112 bytes
Created:  8/4/2004 8:00 AM
Modified: 4/13/2008 8:12 PM
Company:  Microsoft Corporation
----------
This key's "System" value appears to be blank
----------
This key's "UIHost" value calls the following program:
Key value: [logonui.exe]
File: logonui.exe
C:\WINDOWS\system32\logonui.exe
514560 bytes
Created:  8/4/2004 8:00 AM
Modified: 4/13/2008 8:12 PM
Company:  Microsoft Corporation
----------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Value Name: run
The Data Value for this entry appears to be blank
--------------------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: avast!
Value Data: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
81000 bytes
Created:  5/23/2009 7:22 PM
Modified: 9/15/2009 6:56 AM
Company:  ALWIL Software
--------------------
Value Name: Adobe Reader Speed Launcher
Value Data: "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
35760 bytes
Created:  6/19/2010 10:04 PM
Modified: 6/19/2010 10:04 PM
Company:  Adobe Systems Incorporated
--------------------
Value Name: Adobe ARM
Value Data: "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
976832 bytes
Created:  3/24/2010 2:17 PM
Modified: 6/9/2010 4:06 AM
Company:  Adobe Systems Incorporated
--------------------
Value Name: TrojanScanner
Value Data: C:\Program Files\Trojan Remover\Trjscan.exe /boot
C:\Program Files\Trojan Remover\Trjscan.exe
1167296 bytes
Created:  7/5/2010 6:48 PM
Modified: 7/5/2010 6:49 PM
Company:  Simply Super Software
--------------------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
This Registry Key appears to be empty
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value Name: SunJavaUpdateSched
Value Data: C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
148888 bytes
Created:  12/9/2008 10:32 PM
Modified: 3/19/2009 1:11 PM
Company:  Sun Microsystems, Inc.
--------------------
Value Name: HP Software Update
Value Data: C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
49152 bytes
Created:  10/14/2007 9:17 PM
Modified: 10/14/2007 9:17 PM
Company:  Hewlett-Packard
--------------------
Value Name: Adobe Reader Speed Launcher
Value Data: C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
35760 bytes
Created:  6/19/2010 10:04 PM
Modified: 6/19/2010 10:04 PM
Company:  Adobe Systems Incorporated
--------------------
Value Name: Adobe ARM
Value Data: C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
976832 bytes
Created:  3/24/2010 2:17 PM
Modified: 6/9/2010 4:06 AM
Company:  Adobe Systems Incorporated
--------------------
Value Name: ctfmon.exe
Value Data: C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe
15360 bytes
Created:  8/4/2004 8:00 AM
Modified: 4/13/2008 8:12 PM
Company:  Microsoft Corporation
--------------------
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Value Name: FlashPlayerUpdate
Value Data: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
256280 bytes
Created:  1/26/2010 9:07 PM
Modified: 1/26/2010 9:07 PM
Company:  Adobe Systems, Inc.
--------------------
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
This Registry Key appears to be empty

************************************************************
6:55:33 PM: Scanning -----SHELLEXECUTEHOOKS-----
ValueName: {AEB6717E-7E19-11d0-97EE-00C04FD91972}
File:      shell32.dll - this file is expected and has been left in place
----------
ValueName: {56F9679E-7826-4C84-81F3-532071A8BCC5}
File:      C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll
C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll
304128 bytes
Created:  5/26/2008 11:19 PM
Modified: 5/24/2009 10:41 PM
Company:  Microsoft Corporation
----------

************************************************************
6:55:34 PM: Scanning -----HIDDEN REGISTRY ENTRIES-----
Taskdir check completed
----------
No Hidden File-loading Registry Entries found
----------

************************************************************
6:55:34 PM: Scanning -----ACTIVE SCREENSAVER-----
ScreenSaver: C:\WINDOWS\system32\logon.scr
C:\WINDOWS\system32\logon.scr
220672 bytes
Created:  8/4/2004 8:00 AM
Modified: 4/13/2008 8:12 PM
Company:  Microsoft Corporation
--------------------

************************************************************
6:55:34 PM: Scanning ----- REGISTRY ACTIVE SETUP KEYS -----

************************************************************
6:55:35 PM: Scanning ----- SERVICEDLL REGISTRY KEYS -----
Key:  getPlusHelper
Path: C:\Program Files\NOS\bin\getPlus_Helper.dll
C:\Program Files\NOS\bin\getPlus_Helper.dll
68000 bytes
Created:  2/10/2010 4:22 PM
Modified: 3/29/2010 8:51 AM
Company:  NOS Microsystems Ltd.
--------------------

************************************************************
6:55:36 PM: Scanning ----- SERVICES REGISTRY KEYS -----
Key:       aswFsBlk
ImagePath: system32\DRIVERS\aswFsBlk.sys
C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys
20560 bytes
Created:  5/23/2009 7:22 PM
Modified: 9/15/2009 6:55 AM
Company:  ALWIL Software
----------
Key:       aswUpdSv
ImagePath: "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
18752 bytes
Created:  5/23/2009 7:22 PM
Modified: 9/15/2009 6:49 AM
Company:  ALWIL Software
----------
Key:       atapi
ImagePath: system32\DRIVERS\atapi.sys
C:\WINDOWS\system32\DRIVERS\atapi.sys
96512 bytes
Created:  8/4/2004 8:00 AM
Modified: 4/13/2008 2:40 PM
Company:  Microsoft Corporation
----------
Key:       avast! Antivirus
ImagePath: "C:\Program Files\Alwil Software\Avast4\ashServ.exe"
C:\Program Files\Alwil Software\Avast4\ashServ.exe
138680 bytes
Created:  5/23/2009 7:22 PM
Modified: 9/15/2009 6:56 AM
Company:  ALWIL Software
----------
Key:       avast! Mail Scanner
ImagePath: "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
254040 bytes
Created:  5/23/2009 7:22 PM
Modified: 9/15/2009 6:56 AM
Company:  ALWIL Software
----------
Key:       avast! Web Scanner
ImagePath: "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
352920 bytes
Created:  5/23/2009 7:22 PM
Modified: 9/15/2009 6:54 AM
Company:  ALWIL Software
----------
Key:       HPZid412
ImagePath: system32\DRIVERS\HPZid412.sys
C:\WINDOWS\system32\DRIVERS\HPZid412.sys
49920 bytes
Created:  3/19/2009 3:02 PM
Modified: 1/17/2007 8:37 AM
Company:  HP
----------
Key:       HPZipr12
ImagePath: system32\DRIVERS\HPZipr12.sys
C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
16496 bytes
Created:  3/19/2009 3:02 PM
Modified: 1/17/2007 8:37 AM
Company:  HP
----------
Key:       HPZius12
ImagePath: system32\DRIVERS\HPZius12.sys
C:\WINDOWS\system32\DRIVERS\HPZius12.sys
21568 bytes
Created:  1/17/2007 8:37 AM
Modified: 1/17/2007 8:37 AM
Company:  HP
----------
Key:       IDriverT
ImagePath: "C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe"
C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
69632 bytes
Created:  11/14/2005 2:06 AM
Modified: 11/14/2005 2:06 AM
Company:  Macrovision Corporation
----------
Key:       Maxtor Sync Service
ImagePath: "C:\Program Files\Maxtor\Sync\SyncServices.exe"
C:\Program Files\Maxtor\Sync\SyncServices.exe
193888 bytes
Created:  7/21/2008 5:15 PM
Modified: 7/21/2008 5:15 PM
Company:  Seagate Technology LLC
----------
Key:       MSCSPTISRV
ImagePath: "C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe"
C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
45056 bytes
Created:  12/14/2006 2:21 AM
Modified: 12/14/2006 2:21 AM
Company:  Sony Corporation
----------
Key:       MXOPSWD
ImagePath: system32\DRIVERS\mxopswd.sys
C:\WINDOWS\system32\DRIVERS\mxopswd.sys
22152 bytes
Created:  5/3/2007 1:37 PM
Modified: 5/3/2007 1:37 PM
Company:  Maxtor Corp.
----------
Key:       PACSPTISVR
ImagePath: "C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe"
C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
57344 bytes
Created:  12/14/2006 1:46 AM
Modified: 12/14/2006 1:46 AM
Company:  
----------
Key:       Partizan
ImagePath: system32\drivers\Partizan.sys
C:\WINDOWS\system32\drivers\Partizan.sys
34760 bytes
Created:  4/28/2009 9:43 PM
Modified: 4/28/2009 9:43 PM
Company:  Greatis Software
----------
Key:       pcouffin
ImagePath: System32\Drivers\pcouffin.sys
C:\WINDOWS\System32\Drivers\pcouffin.sys
47360 bytes
Created:  3/21/2009 4:51 PM
Modified: 3/21/2009 4:51 PM
Company:  VSO Software
----------
Key:       RimUsb
ImagePath: System32\Drivers\RimUsb.sys
C:\WINDOWS\System32\Drivers\RimUsb.sys
22784 bytes
Created:  5/20/2008 6:33 PM
Modified: 5/20/2008 6:33 PM
Company:  Research In Motion Limited
----------
Key:       RimVSerPort
ImagePath: system32\DRIVERS\RimSerial.sys
C:\WINDOWS\system32\DRIVERS\RimSerial.sys
-R- 27136 bytes
Created:  4/16/2010 4:05 PM
Modified: 1/9/2009 4:18 PM
Company:  Research in Motion Ltd
----------
Key:       SonicStage Back-End Service
ImagePath: "C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe"
C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
112184 bytes
Created:  1/30/2009 12:35 PM
Modified: 2/5/2007 11:11 AM
Company:  Sony Corporation
----------
Key:       SPTISRV
ImagePath: "C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe"
C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
69632 bytes
Created:  12/14/2006 2:02 AM
Modified: 12/14/2006 2:02 AM
Company:  Sony Corporation
----------
Key:       SSScsiSV
ImagePath: C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
75320 bytes
Created:  1/30/2009 12:35 PM
Modified: 2/5/2007 11:11 AM
Company:  Sony Corporation
----------
Key:       SwPrv
ImagePath: C:\WINDOWS\system32\dllhost.exe /Processid:{5FA5CA11-7A55-420B-825F-FD9EF2E6494A}
C:\WINDOWS\system32\dllhost.exe
5120 bytes
Created:  8/4/2004 8:00 AM
Modified: 4/13/2008 8:12 PM
Company:  Microsoft Corporation
----------

************************************************************
6:55:43 PM: Scanning -----VXD ENTRIES-----

************************************************************
6:55:43 PM: Scanning ----- WINLOGON\NOTIFY DLLS -----

************************************************************
6:55:43 PM: Scanning ----- CONTEXTMENUHANDLERS -----
Key:   avast
CLSID: {472083B0-C522-11CF-8763-00608CC02F24}
Path:  C:\Program Files\Alwil Software\Avast4\ashShell.dll
C:\Program Files\Alwil Software\Avast4\ashShell.dll
76880 bytes
Created:  5/23/2009 7:22 PM
Modified: 9/15/2009 6:52 AM
Company:  ALWIL Software
----------
Key:   Trojan Remover
CLSID: {52B87208-9CCF-42C9-B88E-069281105805}
Path:  C:\PROGRA~1\Trojan Remover\Trshlex.dll
C:\PROGRA~1\Trojan Remover\Trshlex.dll
484304 bytes
Created:  7/5/2010 6:48 PM
Modified: 7/5/2010 6:49 PM
Company:  Simply Super Software
----------
Key:   ZipGenius 6
CLSID: {C169E5F0-E2B3-41F3-B81A-7BA529CBE193}
Path:  C:\PROGRA~1\ZIPGEN~1\contmenu.dll
C:\PROGRA~1\ZIPGEN~1\contmenu.dll
1013760 bytes
Created:  5/18/2010 8:27 PM
Modified: 11/1/2005 12:05 PM
Company:  M.Dev Software
----------

************************************************************
6:55:44 PM: Scanning ----- FOLDER\COLUMNHANDLERS -----
Key:  {7D4D6379-F301-4311-BEBA-E26EB0561882}
File: C:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll
C:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll
1946920 bytes
Created:  3/21/2009 12:03 PM
Modified: 3/5/2008 11:41 AM
Company:  Nero AG
----------

************************************************************
6:55:44 PM: Scanning ----- BROWSER HELPER OBJECTS -----
Key: {000123B4-9B42-4900-B3F7-F4B073EFC214}
BHO: C:\Program Files\Orbitdownloader\orbitcth.dll
C:\Program Files\Orbitdownloader\orbitcth.dll
240912 bytes
Created:  11/22/2007 3:18 PM
Modified: 12/21/2009 12:24 PM
Company:  Orbitdownloader.com
----------

************************************************************
6:55:45 PM: Scanning ----- SHELLSERVICEOBJECTS -----

************************************************************
6:55:45 PM: Scanning ----- SHAREDTASKSCHEDULER ENTRIES -----

************************************************************
6:55:45 PM: Scanning ----- IMAGEFILE DEBUGGERS -----
No "Debugger" entries found.

************************************************************
6:55:45 PM: Scanning ----- APPINIT_DLLS -----
The AppInit_DLLs value is blank or does not exist

************************************************************
6:55:45 PM: Scanning ----- SECURITY PROVIDER DLLS -----

************************************************************
6:55:45 PM: Scanning ------ COMMON STARTUP GROUP ------
[C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup]
The Common Startup Group attempts to load the following file(s) at boot time:
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\desktop.ini
-HS- 84 bytes
Created:  3/18/2009 7:33 PM
Modified: 3/19/2009 12:50 AM
Company:  [no info]
--------------------

************************************************************
6:55:46 PM: Scanning ------ USER STARTUP GROUPS ------
--------------------
Checking Startup Group for: Administrator
[C:\Documents and Settings\Administrator\START MENU\PROGRAMS\STARTUP]
The Startup Group for Administrator attempts to load the following file(s):
C:\Documents and Settings\Administrator\START MENU\PROGRAMS\STARTUP\desktop.ini
-HS- 84 bytes
Created:  3/17/2009 9:27 PM
Modified: 5/7/2003 5:49 AM
Company:  [no info]
----------
--------------------
Checking Startup Group for: All Users.WINDOWS
[C:\Documents and Settings\All Users.WINDOWS\START MENU\PROGRAMS\STARTUP]
The Startup Group for All Users.WINDOWS attempts to load the following file(s):
C:\Documents and Settings\All Users.WINDOWS\START MENU\PROGRAMS\STARTUP\desktop.ini
-HS- 84 bytes
Created:  3/18/2009 7:33 PM
Modified: 3/19/2009 12:50 AM
Company:  [no info]
----------
--------------------
Checking Startup Group for: steve frank
[C:\Documents and Settings\steve frank\START MENU\PROGRAMS\STARTUP]
The Startup Group for steve frank attempts to load the following file(s):
C:\Documents and Settings\steve frank\START MENU\PROGRAMS\STARTUP\desktop.ini
-HS- 84 bytes
Created:  5/7/2003 6:17 AM
Modified: 5/7/2003 5:49 AM
Company:  [no info]
----------
--------------------
Checking Startup Group for: User
[C:\Documents and Settings\User\START MENU\PROGRAMS\STARTUP]
The Startup Group for User attempts to load the following file(s):
C:\Documents and Settings\User\START MENU\PROGRAMS\STARTUP\desktop.ini
-HS- 84 bytes
Created:  3/19/2009 12:57 AM
Modified: 3/19/2009 12:50 AM
Company:  [no info]
----------

************************************************************
6:55:47 PM: Scanning ----- SCHEDULED TASKS -----
Scheduled Tasks not scanned: running in SAFE mode so Task Scheduler service not running

************************************************************
6:55:47 PM: Scanning ----- SHELLICONOVERLAYIDENTIFIERS -----

************************************************************
6:55:47 PM: Scanning ----- DEVICE DRIVER ENTRIES -----
Value: VIDC.YV12
File:  yv12vfw.dll
C:\WINDOWS\system32\yv12vfw.dll
217088 bytes
Created:  12/6/2009 4:00 PM
Modified: 1/25/2004 12:18 PM
Company:  www.helixcommunity.org
----------
Value: msacm.ac3acm
File:  ac3acm.acm
C:\WINDOWS\system32\ac3acm.acm
118784 bytes
Created:  12/6/2009 4:00 PM
Modified: 9/20/2007 8:52 PM
Company:  fccHandler
----------
Value: msacm.lameacm
File:  lameACM.acm
C:\WINDOWS\system32\lameACM.acm
839680 bytes
Created:  12/6/2009 4:00 PM
Modified: 9/24/2008 2:41 PM
Company:  http://www.mp3dev.org/
----------
Value: VIDC.FFDS
File:  ff_vfw.dll
C:\WINDOWS\system32\ff_vfw.dll
85504 bytes
Created:  12/6/2009 4:00 PM
Modified: 11/9/2009 2:00 PM
Company:  [no info]
----------
Value: vidc.H264
File:  C:\PROGRA~1\Hax264\h264vfw.dll
C:\PROGRA~1\Hax264\h264vfw.dll
77824 bytes
Created:  6/18/2010 11:35 AM
Modified: 8/13/2009 2:41 PM
Company:  Dave Haxton
----------

************************************************************
6:55:48 PM: ----- ADDITIONAL CHECKS -----
PE386 rootkit checks completed
----------
Winlogon registry rootkit checks completed
----------
Heuristic checks for hidden files/drivers completed
----------
Layered Service Provider entries checks completed
----------
Windows Explorer Policies checks completed
----------
Desktop Wallpaper entry is blank
----------
Web Desktop Wallpaper entry is blank
----------
Checks for rogue DNS NameServers completed
----------
Additional checks completed

************************************************************
6:55:50 PM: Scanning ----- RUNNING PROCESSES -----

C:\WINDOWS\System32\smss.exe
50688 bytes
Created:  8/4/2004 8:00 AM
Modified: 4/13/2008 8:12 PM
Company:  Microsoft Corporation
--------------------
C:\WINDOWS\system32\winlogon.exe
507904 bytes
Created:  8/4/2004 8:00 AM
Modified: 4/13/2008 8:12 PM
Company:  Microsoft Corporation
--------------------
C:\WINDOWS\system32\services.exe
110592 bytes
Created:  8/4/2004 8:00 AM
Modified: 2/6/2009 7:11 AM
Company:  Microsoft Corporation
--------------------
C:\WINDOWS\system32\lsass.exe
13312 bytes
Created:  8/4/2004 8:00 AM
Modified: 4/13/2008 8:12 PM
Company:  Microsoft Corporation
--------------------
C:\WINDOWS\system32\svchost.exe
14336 bytes
Created:  8/4/2004 8:00 AM
Modified: 4/13/2008 8:12 PM
Company:  Microsoft Corporation
--------------------
C:\WINDOWS\system32\svchost.exe - file already scanned
--------------------
C:\WINDOWS\system32\svchost.exe - file already scanned
--------------------
C:\WINDOWS\system32\svchost.exe - file already scanned
--------------------
C:\WINDOWS\Explorer.EXE - file already scanned
--------------------
C:\Program Files\Outlook Express\msimn.exe
60416 bytes
Created:  3/3/2003 7:57 PM
Modified: 4/13/2008 8:12 PM
Company:  Microsoft Corporation
--------------------
C:\Program Files\Messenger\msmsgs.exe
1695232 bytes
Created:  4/14/2003 10:30 PM
Modified: 4/13/2008 8:12 PM
Company:  Microsoft Corporation
--------------------
C:\WINDOWS\system32\ctfmon.exe - file already scanned
--------------------
C:\Program Files\Mozilla Firefox\firefox.exe
910296 bytes
Created:  1/26/2009 11:24 PM
Modified: 3/30/2010 10:07 AM
Company:  Mozilla Corporation
--------------------
C:\Documents and Settings\User\Application Data\Simply Super Software\Trojan Remover\ahp5.exe
FileSize:          3687344
[This is a Trojan Remover component]
--------------------

************************************************************
6:55:54 PM: Checking HOSTS file
No malicious entries were found in the HOSTS file

************************************************************
------ INTERNET EXPLORER HOME/START/SEARCH SETTINGS ------
HKLM\Software\Microsoft\Internet Explorer\Main\"Start Page":
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={S
HKLM\Software\Microsoft\Internet Explorer\Main\"Local Page":
%SystemRoot%\system32\blank.htm
HKLM\Software\Microsoft\Internet Explorer\Main\"Search Page":
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main\"Default_Page_URL":
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKLM\Software\Microsoft\Internet Explorer\Main\"Default_Search_URL":
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Search\"CustomizeSearch":
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
HKLM\Software\Microsoft\Internet Explorer\Search\"SearchAssistant":
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKCU\Software\Microsoft\Internet Explorer\Main\"Start Page":
http://nyc.rr.com/
HKCU\Software\Microsoft\Internet Explorer\Main\"Local Page":
C:\WINDOWS\system32\blank.htm
HKCU\Software\Microsoft\Internet Explorer\Main\"Search Page":
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

************************************************************
=== NO CHANGES HAVE BEEN MADE TO YOUR SYSTEM FILES ===
Scan completed at: 6:55:54 PM 05 Jul 2010
Total Scan time: 00:00:24
************************************************************

ANSWER: Hi Steve

Yes, you can start the computer normally.  Next, I would like for you to run a ComboFix scan as follows:
Please download ComboFix from this link:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
*Important*-Save it to your desktop.
Double-click on the ComboFix icon found on your desktop. Please note that once you start ComboFix you should not click anywhere on the ComboFix window, as it can cause the program to stall. If asked to install the Windows Recovery Console, please allow the program to do so. ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. ComboFix may also restart your computer. Do not intervene. Eventually you will see a new screen that states the program is almost finished and tells you that the program's log file, or report, will be located at C:\ComboFix.txt. It will then display the log file automatically for you. Post me that log and a new HJT scan log in your next follow-up.

Brian

Brian Benosky

Expertise

I will help you in eradicating malware and all forms of virus/trojans/adware. I can answer all PC-related hardware issues. I can also troubleshoot Windows OS errors (all versions) and other software problems. HijackThis logs are a MUST for virus related help. If you do not know how to do this, I have posted easy-to-follow instructions on the Ask a Question page. Every computer infection is different, so I will give you personal instructions on how to remove the malware, not a 'pat' answer. You can be assured of a prompt, polite, and knowledgeable response in all regards.

Experience

I have over 25 years experience in using, building, and repairing computers. I have helped over two thousand people here on AllExperts, with consistent Top Feedback Scores. Please look at my answers here: http://en.allexperts.com/q/Computer-Security-Viruses-1737/indexExp_84308.htm I am also a Top Contributor of General Computing answers in Yahoo! Questions.

Education/Credentials
College Educated Self-taught Computer Skills

©2012 About.com, a part of The New York Times Company. All rights reserved.