Avira Virus Detections on Startup

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:14:08 PM, on 11/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS.1\System32\smss.exe
C:\WINDOWS.1\system32\winlogon.exe
C:\WINDOWS.1\system32\services.exe
C:\WINDOWS.1\system32\lsass.exe
C:\WINDOWS.1\system32\Ati2evxx.exe
C:\WINDOWS.1\system32\svchost.exe
C:\WINDOWS.1\System32\svchost.exe
C:\WINDOWS.1\system32\Ati2evxx.exe
C:\WINDOWS.1\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS.1\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS.1\system32\wscntfy.exe
C:\WINDOWS.1\Explorer.EXE
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS.1\system32\ctfmon.exe
C:\WINDOWS.1\System32\svchost.exe
C:\Documents and Settings\Alexander\Application Data\Microsoft\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Alexander\Desktop\Hi-JackThis.scr

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.ijji.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [StartCCC] "c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.1\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [svchost.exe] C:\Documents and Settings\Alexander\Application Data\Microsoft\svchost.exe
O9 - Extra button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.1\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.1\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows.1\system32\nwprovau.dll
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS.1\system32\Ati2evxx.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS.1\system32\GameMon.des.exe (file missing)
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe

--
End of file - 4440 bytes

Please download Malwarebytes Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Full Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  
• Please save the log to a location you will remember.
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the entire report in your next reply.
  

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Malwarebytes' Anti-Malware 1.41
Database version: 3192
Windows 5.1.2600 Service Pack 3

11/18/2009 1:35:55 AM
mbam-log-2009-11-18 (01-35-49).txt

Scan type: Full Scan (C:\|)
Objects scanned: 266143
Time elapsed: 1 hour(s), 47 minute(s), 18 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
C:\Documents and Settings\Alexander\Application Data\Microsoft\svchost.exe (Backdoor.Bot) -> No action taken.
C:\Program Files\Common Files\alg.exe (Trojan.Agent) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SVCHOST.EXE (Trojan.Downloader) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\application layer gateway (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\gamedl.exe (Trojan.MultiDropper) -> No action taken.
C:\systemgl.exe (Trojan.MultiDropper) -> No action taken.
C:\System Volume Information\_restore{63A5D182-34EB-488C-BB19-6743AC41A337}\RP721\A1047538.exe (Trojan.MultiDropper) -> No action taken.
C:\System Volume Information\_restore{63A5D182-34EB-488C-BB19-6743AC41A337}\RP728\A1054052.dll (Malware.Packer.T) -> No action taken.
C:\System Volume Information\_restore{63A5D182-34EB-488C-BB19-6743AC41A337}\RP736\A1068684.dll (Malware.Packer.T) -> No action taken.
C:\System Volume Information\_restore{63A5D182-34EB-488C-BB19-6743AC41A337}\RP744\A1085617.exe (Trojan.VkHost) -> No action taken.
C:\Documents and Settings\Alexander\Desktop\CellBot NG 1.0.5\CellBot NG 1.0.5\cclear.exe (Trojan.VkHost) -> No action taken.
C:\Documents and Settings\Alexander\Local Settings\Temporary Internet Files\Content.IE5\8LO45BBU\systemgl[1].txt (Trojan.MultiDropper) -> No action taken.
C:\Documents and Settings\Alexander\Local Settings\Temporary Internet Files\Content.IE5\IL7Q6DRR\gamedl[1].txt (Trojan.MultiDropper) -> No action taken.
C:\Documents and Settings\Alexander\Local Settings\Temp\hi.bat (Malware.Trace) -> No action taken.
C:\Documents and Settings\Alexander\Application Data\Microsoft\svchost.exe (Trojan.Downloader) -> No action taken.
C:\Program Files\Common Files\alg.exe (Trojan.Agent) -> No action taken.

Please remove those items, and post a new log.

Please use Internet Explorer and run a BitDefender Online scan

• Please check I agree with the Terms and Conditions and click Start Here
  
• You will need to allow an Active X install for the scan to run.
  
• Leave the scanning options at default and click Start Scan
  

Please post the results in your next reply, along with the Malwarebytes results.

I'll get that done right now, but I would also like to let you know that I get this on start-up as well:



EDIT: BitDefender Online Scanner







Scan report generated at: Wed, Nov 18, 2009 - 15:53:53









Scan path: C:\;D:\;















Statistics

Time


03:44:16

Files


1196093

Folders


12902

Boot Sectors


0

Archives


4713

Packed Files


29457







Results

Identified Viruses


4

Infected Files


7

Suspect Files


0

Warnings


0

Disinfected


0

Deleted Files


6







Engines Info

Virus Definitions


4553785

Engine build


AVCORE v2.1 Windows/i386 11.0.0.26 (Oct 20 2009)

Scan plugins


17

Archive plugins


44

Unpack plugins


8

E-mail plugins


6

System plugins


4







Scan Settings

First Action


Disinfect

Second Action


Delete

Heuristics


Yes

Enable Warnings


Yes

Scanned Extensions


*;

Exclude Extensions




Scan Emails


Yes

Scan Archives


Yes

Scan Packed


Yes

Scan Files


Yes

Scan Boot


Yes








Scanned File


Status

C:\Documents and Settings\Alexander\Application Data\Microsoft\svchost.exe


Infected with: Trojan.Generic.2635760

C:\Documents and Settings\Alexander\Application Data\Microsoft\svchost.exe


Deleted

C:\Program Files\Common Files\alg.exe


Infected with: Trojan.Generic.2641808

C:\Program Files\Common Files\alg.exe


Delete failed

C:\Program Files\Common Files\openfile.exe


Infected with: Trojan.Downloader.JMMN

C:\Program Files\Common Files\openfile.exe


Deleted

C:\System Volume Information\_restore{63A5D182-34EB-488C-BB19-6743AC41A337}\RP736\A1072595.dll


Detected with: Application.Generic.233241

C:\System Volume Information\_restore{63A5D182-34EB-488C-BB19-6743AC41A337}\RP736\A1072595.dll


Disinfection failed

C:\System Volume Information\_restore{63A5D182-34EB-488C-BB19-6743AC41A337}\RP736\A1072595.dll


Deleted

C:\System Volume Information\_restore{B12E1698-7BC1-4CE5-986B-87406C819A40}\RP28\A0007979.exe


Infected with: Trojan.Generic.2635760

C:\System Volume Information\_restore{B12E1698-7BC1-4CE5-986B-87406C819A40}\RP28\A0007979.exe


Deleted

C:\System Volume Information\_restore{B12E1698-7BC1-4CE5-986B-87406C819A40}\RP39\A0013718.exe


Infected with: Trojan.Generic.2635760

C:\System Volume Information\_restore{B12E1698-7BC1-4CE5-986B-87406C819A40}\RP39\A0013718.exe


Deleted

C:\System Volume Information\_restore{B12E1698-7BC1-4CE5-986B-87406C819A40}\RP39\A0013719.exe


Infected with: Trojan.Downloader.JMMN

C:\System Volume Information\_restore{B12E1698-7BC1-4CE5-986B-87406C819A40}\RP39\A0013719.exe


Deleted

Last edited by Restricted on 19th November 2009, 3:42 am; edited 1 time in total

Hello.
Did you remove what MBAM found? weird why BitDefender found something MBAM should have shifted.

I didn't see the instruction to remove them with MBAM at first. Sorry, my mistake. So I did it after bit defender scanned. Should I run either one of them again?

Restricted wrote:

I'll get that done right now, but I would also like to let you know that I get this on start-up as well:

This appears to be a .net framework and graphic driver issue.

Please download and install .net framework 1.1 from here.

Then, to check your system information, please do the following:
Please download the latest version of Kaspersky GetSystemInfo (GSI) from Kaspersky.fr and save it to your Desktop.

• Please close all other applications running on your system.
  
• Please double click GetSystemInfo.exe to open it.
  
• Click the Settings button.
  
• Set it to Maximum
  
• IMPORTANT! Then please click Customize - choose Driver / Ports tab and
• Uncheck Scan Ports.
  
• Click Create Report to run it.
  
• It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your Desktop. Please upload the folder to Kaspersky GSI Parser and click the Submit button.
  

Please copy and paste the url of the GSI Parser report (not the log) in your next reply.

Please download the OTM.exe by OldTimer.

• Save it to your Desktop.
  
• Please double-click OTM.exe to run it.
  
• Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  
  C:\WINDOWS.1\system32\ascbalo3N.dll
  C:\WINDOWS.1\system32\ascbalon.dll
  
  
  
  
• Return to OTM.exe, right click in the "Paste Instructions for Items to be Moved" window (under the light yellow bar) and choose Paste.
  
  
• Click the red Moveit! button.
  
• A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  
• Close OTM.exe
  

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

==

Do you have a driver disc for the computer? You need a driver update for ATI RADEON XPRESS 200 Series by ATI Technologies Inc..

Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!

OTM by OldTimer - Version 3.1.2.0 log created on 11192009_124001

I do not have the disc, I downloaded the software off their website.
By the way, the Framework did not fix the problem with the box that I posted above. It still came up during start up.

Please delete these files manually:

C:\WINDOWS.1\system32\ascbalo3N.dll
C:\WINDOWS.1\system32\ascbalon.dll

==

Then, please reinstall your graphic drivers manually, if you are aware of the location of the file.

When I reformatted my computer, I downloaded drivers from the HP website. Should I just do that again?
Also, I deleted those files manually.

Yes. Then install them.

Done

Are you still getting the error message?

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.

Malwarebytes found nothing, and now Avira is not updating.

Avira has a new updating engine. Please uninstall Avira, then download the new version from http://www.free-av.com

Install it, then let me know if it updates.

I did that and tried to update, still an error.

Please download RootRepeal from GooglePages.com.

• Extract the program file to your Desktop.
  
• Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.
  
  
  
• Select ALL of the checkboxes and then click OK and it will start scanning your system.
  
  
• If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  
• When done, click on Save Report
  
• Save it to the Desktop.
  
• Please copy/paste the contents of the report in your next reply.
  

Please remove any e-mail address in the RootRepeal report (if present).

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/11/25 22:26
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS.1\System32\Drivers\dump_atapi.sys
Address: 0xF1514000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS.1\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B74000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS.1\system32\drivers\rootrepeal.sys
Address: 0xEE1F0000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\ijji\english\u_sf\gameguard\npsc.erl
Status: Allocation size mismatch (API: 65536, Raw: 0)

Path: C:\Documents and Settings\Alexander\Local Settings\Temp\plugtmp\plugin-people_V14_spec_468_60.xml
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Alexander\Application Data\Mozilla\Firefox\Profiles\7hl0alie.default\sessionstore.js
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Alex\Local Settings\Apps\2.0\J4HMZ05N.1GO\5AO7WBMO.11L\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Alex\Local Settings\Apps\2.0\J4HMZ05N.1GO\5AO7WBMO.11L\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "" at address 0xf7bea396

#: 053 Function Name: NtCreateThread
Status: Hooked by "" at address 0xf7bea38c

#: 063 Function Name: NtDeleteKey
Status: Hooked by "" at address 0xf7bea39b

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "" at address 0xf7bea3a5

#: 098 Function Name: NtLoadKey
Status: Hooked by "" at address 0xf7bea3aa

#: 122 Function Name: NtOpenProcess
Status: Hooked by "" at address 0xf7bea378

#: 128 Function Name: NtOpenThread
Status: Hooked by "" at address 0xf7bea37d

#: 193 Function Name: NtReplaceKey
Status: Hooked by "" at address 0xf7bea3b4

#: 204 Function Name: NtRestoreKey
Status: Hooked by "" at address 0xf7bea3af

#: 247 Function Name: NtSetValueKey
Status: Hooked by "" at address 0xf7bea3a0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "" at address 0xf7bea387

==EOF==

If you already have HijackThis then ignore these instructions. I need a new log, please.

Please download: HijackThis to your Desktop.

• Double Click the HijackThis icon, located on your Desktop.
  
• By Default, it will install to: C:\Program Files\Trend Micro\HijackThis
  It will also create a shortcut on your Desktop.
  
• Accept the license agreement.
  
• Click Do a System Scan and Save a Logfile.
  
• Please post the log in your next reply.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:13:32 PM, on 11/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS.1\System32\smss.exe
C:\WINDOWS.1\system32\winlogon.exe
C:\WINDOWS.1\system32\services.exe
C:\WINDOWS.1\system32\lsass.exe
C:\WINDOWS.1\system32\Ati2evxx.exe
C:\WINDOWS.1\system32\svchost.exe
C:\WINDOWS.1\System32\svchost.exe
C:\WINDOWS.1\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS.1\system32\Ati2evxx.exe
C:\WINDOWS.1\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Lexmark X5400 Series\lxdvmon.exe
C:\Program Files\Lexmark X5400 Series\lxdvamon.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS.1\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS.1\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS.1\system32\lxdvcoms.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS.1\system32\svchost.exe
C:\WINDOWS.1\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS.1\system32\wscntfy.exe
C:\WINDOWS.1\System32\svchost.exe
C:\Documents and Settings\Alexander\Desktop\Hi-JackThis.scr

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.ijji.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [StartCCC] "c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [alq] C:\Program Files\Common Files\alq.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [ATICCC] "c:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [lxdvmon.exe] "C:\Program Files\Lexmark X5400 Series\lxdvmon.exe"
O4 - HKLM\..\Run: [lxdvamon] "C:\Program Files\Lexmark X5400 Series\lxdvamon.exe"
O4 - HKLM\..\Run: [Lexmark X5400 Series Fax Server] "C:\Program Files\Lexmark X5400 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.1\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS.1\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS.1\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.1\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.1\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows.1\system32\nwprovau.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS.1\system32\Ati2evxx.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxdvCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS.1\System32\spool\DRIVERS\W32X86\3\\lxdvserv.exe
O23 - Service: lxdv_device - - C:\WINDOWS.1\system32\lxdvcoms.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS.1\system32\GameMon.des.exe (file missing)
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe

--
End of file - 6582 bytes

Do you still have BitDefender installed? It seems to be conflicting with other software.

I don't see it anywhere.
Here is an uninstall list from HJT

ABBYY FineReader 6.0 Sprint
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
AMD Processor Driver
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Catalyst Control Center
ATI Display Driver
ATI Problem Report Wizard
AutoHotkey 1.0.48.05
Avira AntiVir Personal - Free Antivirus
Battlefield Heroes
Big City Adventure New York 1.00
Broadcom NetXtreme Ethernet Controller
Catalyst Control Center - Branding
CCleaner
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HydraVision
ijji REACTOR
Java DB 10.4.2.1
Java(TM) 6 Update 17
Java(TM) SE Development Kit 6 Update 17
Lexmark X5400 Series
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile Beta 1
Microsoft .NET Framework 4 Client Profile Beta 1
Microsoft .NET Framework 4 Extended Beta 1
Microsoft .NET Framework 4 Extended Beta 1
Microsoft Office Access MUI (English) 2010 (Beta)
Microsoft Office Access Setup Metadata MUI (English) 2010 (Beta)
Microsoft Office Excel MUI (English) 2010 (Beta)
Microsoft Office Groove MUI (English) 2010 (Beta)
Microsoft Office InfoPath MUI (English) 2010 (Beta)
Microsoft Office OneNote MUI (English) 2010 (Beta)
Microsoft Office Outlook MUI (English) 2010 (Beta)
Microsoft Office PowerPoint MUI (English) 2010 (Beta)
Microsoft Office Professional Plus 2010
Microsoft Office Professional Plus 2010 (Beta)
Microsoft Office Proof (English) 2010 (Beta)
Microsoft Office Proof (French) 2010 (Beta)
Microsoft Office Proof (Spanish) 2010 (Beta)
Microsoft Office Proofing (English) 2010 (Beta)
Microsoft Office Publisher MUI (English) 2010 (Beta)
Microsoft Office Shared MUI (English) 2010 (Beta)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (Beta)
Microsoft Office Word MUI (English) 2010 (Beta)
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2010 Beta 1 x86 Redistributable - 10.0.20506
Mozilla Firefox (3.5.5)
PC Tools Firewall Plus 6.0
Realtek AC'97 Audio
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970483)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Soldier Front
TortoiseSVN 1.6.6.17493 (32 bit)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Windows Internet Explorer 8
WinRAR archiver
Your Product

Let me go ahead and give you a background on the situation as of now. After taking a closer look at the log above, it appears a rootkit has been strangling the Registry. It is called nProtect GameGuard. The program was once good, but it has now - by my research - been declared malware.

I also have seen a backdoor trojan that is nagging your computer.

This is not meant to scare you, but it is the synopsis of a very close look of the log above. It was hard to figure out the situation, so a closer look was my only option.

Most of the time, this is a means for a reformat and reinstall of your Operating System. However, I can help you avoid that. But, here is some information to help you stay safe from the threat of this, and to make your decision:

Backdoor trojans are very dangerous because they compromise system integrity by making changes that allow it to by used by the attacker for malicious purposes. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is send back to the hacker.
I would counsel you to immediately disconnect this PC from the Internet and from your network if it is on a network. Disconnect the infected computer until the computer can be cleaned.
Then, access this information from a non-compromised computer to follow the steps needed.
If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Do NOT change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information. (If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.) Banking and credit card institutions should be notified to apprise them of your situation (possible security breach). To protect your information that may have been compromised, I recommend reading these references:

• How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
  
• What Should I Do If I've Become A Victim Of Identity Theft?
  
• Identity Theft Victims Guide - What to do
  

Though the backdoor has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a backdoor trojan. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove backdoor trojans cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with such a piece of malware, the best course of action would be a reformat and clean reinstall of the OS. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully:

• When should I re-format? How should I reinstall?
  
• Help: I Got Hacked. Now What Do I Do?
  
• Help: I Got Hacked. Now What Do I Do? Part II
  
• Where to draw the line? When to recommend a format and reinstall?
  

Guides for format and reinstall: http://www.geekpolice.net/tutorials-guides-f13/how-to-reformat-and-reinstall-your-operating-system-t15119.htm#95115

http://www.helpmyos.com/tutorials-software-alternatives-to-proprietary-f19/how-to-reformat-and-reinstall-your-operating-system-the-easy-way-t1307.htm#3143
However, if you do not have the resources to reinstall your computer's OS and would like me to attempt to clean it, I will be happy to do so. But please consider carefully before deciding against a reformat.
If you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful.

Please let me know what you have decided to do in your next post. Should you have any questions, please feel free to ask.

If you want your computer clean, please follow the instructions above to prevent identity theft, and instead of reformat and reinstall, please do this:


Please re-open HijackThis and scan. Check the boxes to the left of all the entries listed below.

O4 - HKLM\..\Run: [alq] C:\Program Files\Common Files\alq.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS.1\system32\GameMon.des.exe (file missing)

Then, please exit all programs except for HijackThis (System Tray (bottom right of screen): right-click on each program icon and click an Exit or shut down option, etc.), then click Fix Checked.

After it completes its process, please close HijackThis and reboot your computer.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete this file (if present):

C:\Program Files\Common Files\alq.exe


Please reboot your computer again.

==

Please download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
  
• Type Y to begin the cleanup process.
  
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  
• Press any Key and it will restart the PC.
  
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  
• Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
  

SDFix: Version 1.240
Run by Alexander on Fri 11/27/2009 at 10:12 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS.EXE - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-27 22:28:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden services & system hive ...

scanning hȋdden registry entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden processes: 0
hȋdden services: 0
hȋdden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS.1\\system32\\usmt\\migwiz.exe"="C:\\WINDOWS.1\\system32\\usmt\\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard"
"C:\\Documents and Settings\\Alexander\\Local Settings\\Temp\\usmt\\migwiz.exe"="C:\\Documents and Settings\\Alexander\\Local Settings\\Temp\\usmt\\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard"
"C:\\Program Files\\Steam\\Steam.exe"="C:\\Program Files\\Steam\\Steam.exe:*:Enabled:Steam"
"C:\\Program Files\\Steam\\steamapps\\common\\left 4 dead 2 demo\\left4dead2.exe"="C:\\Program Files\\Steam\\steamapps\\common\\left 4 dead 2 demo\\left4dead2.exe:*:Enabled:left4dead2"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\WINDOWS.1\\system32\\PnkBstrA.exe"="C:\\WINDOWS.1\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\WINDOWS.1\\system32\\PnkBstrB.exe"="C:\\WINDOWS.1\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE:*:Enabled:Microsoft SharePoint Workspace"
"C:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\WINDOWS.1\\system32\\lxdvcoms.exe"="C:\\WINDOWS.1\\system32\\lxdvcoms.exe:*:Enabled:X5400 Series Server"
"C:\\Program Files\\Lexmark X5400 Series\\lxdvmon.exe"="C:\\Program Files\\Lexmark X5400 Series\\lxdvmon.exe:*:Enabled:Printer Device Monitor"
"C:\\WINDOWS.1\\system32\\spool\\drivers\\w32x86\\3\\lxdvpswx.exe"="C:\\WINDOWS.1\\system32\\spool\\drivers\\w32x86\\3\\lxdvpswx.exe:*:Enabled:Printer Status Window Interface"
"C:\\WINDOWS.1\\system32\\spool\\drivers\\w32x86\\3\\lxdvjswx.exe"="C:\\WINDOWS.1\\system32\\spool\\drivers\\w32x86\\3\\lxdvjswx.exe:*:Enabled:Job Status Window Interface"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with hȋdden Attributes :

Mon 26 Jan 2009 1,740,632 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 26 Jan 2009 5,365,592 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 26 Jan 2009 2,144,088 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"

Finished!

Here is another HJT log just in case you need to see anything new:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:35:12 PM, on 11/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS.1\System32\smss.exe
C:\WINDOWS.1\system32\winlogon.exe
C:\WINDOWS.1\system32\services.exe
C:\WINDOWS.1\system32\lsass.exe
C:\WINDOWS.1\system32\Ati2evxx.exe
C:\WINDOWS.1\system32\svchost.exe
C:\WINDOWS.1\System32\svchost.exe
C:\WINDOWS.1\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS.1\system32\Ati2evxx.exe
C:\WINDOWS.1\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS.1\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS.1\system32\lxdvcoms.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS.1\system32\svchost.exe
C:\WINDOWS.1\system32\wscntfy.exe
C:\WINDOWS.1\system32\notepad.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS.1\System32\svchost.exe
C:\Program Files\Lexmark X5400 Series\lxdvmon.exe
C:\Program Files\Lexmark X5400 Series\lxdvamon.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS.1\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Alexander\Desktop\Hi-JackThis.scr

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.ijji.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [StartCCC] "c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [ATICCC] "c:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [lxdvmon.exe] "C:\Program Files\Lexmark X5400 Series\lxdvmon.exe"
O4 - HKLM\..\Run: [lxdvamon] "C:\Program Files\Lexmark X5400 Series\lxdvamon.exe"
O4 - HKLM\..\Run: [Lexmark X5400 Series Fax Server] "C:\Program Files\Lexmark X5400 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.1\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS.1\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS.1\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.1\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.1\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows.1\system32\nwprovau.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS.1\system32\Ati2evxx.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxdvCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS.1\System32\spool\DRIVERS\W32X86\3\\lxdvserv.exe
O23 - Service: lxdv_device - - C:\WINDOWS.1\system32\lxdvcoms.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS.1\system32\GameMon.des.exe (file missing)
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe

--
End of file - 6468 bytes

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

How is your computer running?

Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
Avira AntiVir Personal - Free Antivirus
PC Tools Firewall Plus 6.0
Antivirus out of date!
``````````````````````````````
Anti-malware/Other Utilities Check:
HijackThis 2.0.2
CCleaner
Java(TM) 6 Update 17
Java(TM) SE Development Kit 6 Update 17
Java DB 10.4.2.1
Adobe Flash Player 10
``````````````````````````````
Process Check:
objlist.exe by Laurent
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
PC Tools Firewall Plus FWService.exe
PC Tools Firewall Plus FirewallGUI.exe
``````````````````````````````
DNS Vulnerability Check:
[color]nslookup.exe missing![/color]
GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````


Good.
Is there anything else that needs to happen to make sure it is all gone?

EDIT: Avira still wont update.

I do not think there is too much more to do and your computer is clean. If the computer gets re-infected, we are still here.

Like I had said earlier, we cannot be too sure your computer is 100% clean, since the backdoor trojan your computer had was very severe.

I am going the recommend that you change Antivirus software since Avira is not cooperating.

Antivirus/Antispyware

• Microsoft Security Essentials: this is Microsoft's free antivirus/antispyware program. It equips you with protection against viruses, spyware, trojans, rootkits, and worms. It is also light on the computer's performance. Note: when installing this, you have both an antivirus and antispyware. Make sure you also get a firewall.
  
• AVG Free: this is one of the most powerful, and easiest to use security software. The free version equips you with protection against viruses, spyware, trojans, rootkits, worms, and rogue software. Note: when installing this, you have both an antivirus and antispyware. Make sure you also get a firewall.

Thank you for choosing GeekPolice. Please see this page if you would like to leave feedback or contribute to our site. Do you have any more questions?

Nope that should be all.
Thanks a lot.

You are welcome.