BleepingComputer.com: Found the Fakealert!fakealert-Rep trojan

Hello, I hope i'm posting in the right section ^^'

I am running Win XP pro sp3 32 bit, i use firefox as default browser.
So far, i have no problems of popups or browser/desktop hijacking.

So last thursday, after i noticed that my internet connection was temporarily slowed down, i ran a full scan using KIS 2011 in normal mode.
It did not identified an infection or a malware however, it showed a list of PE_Patch/PECompact files/PE_Patch.PECompact files.

Finding it suspicious, i googled it and i found some websites claiming that these were: "illegal and dangerous/malicious files" Like here or here.

I tried Spyware Doctor in safe mode and it claimed to have found a "trojan agent AD". But did not gave any other precise information about it, and it said i needed to pay to get it removed. (which i did'nt)

From this point on, i ran:

• Norton online scan => found nothing.
  
• Bit defender online scan => found nothing.
  
• Eset online scan => found nothing.
  
• Panda active scan => found nothing.
  
• Vundofix.exe => found nothing.
  
• Mc affee security scan => found nothing.
  
• Kaspersky Virus removal tool => nothing on normal and safe mode except vulnerabilities.
  
• Stinger => nothing on normal mode but on safe mode:
  C:\WINDOWS\system32\sethc.exe
  C:\WINDOWS\system32\sethc.exe
  Found the FakeAlert!fakealert-REP trojan !!!
  C:\WINDOWS\system32\sethc.exe is infected with the FakeAlert!fakealert-REP virus !!!
  C:\WINDOWS\system32\sethc.exe has been deleted.

Stinger logs also revealed the presence of a C:\WINDOWS\BDOSCAN8 directory that i find strange.
And i am worried that some parts of the Fakealert trojan might still be on my computer.

After doing these scans, i followed your instructions for asking help, i disabled CD emulation (defogger) and did the DDS and GMER scans:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Propri‚taire at 19:49:09,84 on 02/05/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.2046.1302 [GMT 2:00]
.
AV: Kaspersky Internet Security *Enabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe
C:\PROGRA~1\WinTV\EPG Services\System\EPGService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\WinTV\EPG Services\System\EPGClient.exe
C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe
C:\Program Files\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe
C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\McAfee Security Scan\3.0.199\SSScheduler.exe
C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\klwtblfs.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Propriétaire\Bureau\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.club-vaio.com/
BHO: Aide pour le lien d'Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\fichiers communs\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\fichiers communs\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2011\ievkbd.dll
BHO: PDFCreator Toolbar Helper: {c451c08a-ec37-45df-aaad-18b51ab5e837} - c:\program files\pdfcreator toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: PDFCreator Toolbar: {31cf9ebe-5755-4a1d-ac25-2834d952d9b4} - c:\program files\pdfcreator toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\fichiers communs\ahead\lib\NMBgMonitor.exe"
uRun: [Google Update] "c:\documents and settings\propriétaire\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Spyware Doctor with AntiVirus] c:\documents and settings\propriétaire\bureau\sdasetup.exe -min
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [EPGServiceTool] c:\progra~1\wintv\epg services\system\EPGClient.exe
mRun: [ISUSPM Startup] c:\progra~1\fichie~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\fichiers communs\installshield\updateservice\issch.exe" -start
mRun: [NBKeyScan] "c:\program files\nero\nero 7\nero backitup\NBKeyScan.exe"
mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /systrayIcon:on
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2011\avp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\fichiers communs\adobe\arm\1.0\AdobeARM.exe"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\fichiers communs\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\propri~1\menudm~1\progra~1\dmarra~1\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\alluse~1\menudm~1\progra~1\dmarra~1\mcafee~1.lnk - c:\program files\mcafee security scan\3.0.199\SSScheduler.exe
IE: Ajouter à l'Anti-bannière - c:\program files\kaspersky lab\kaspersky internet security 2011\ie_banner_deny.htm
IE: Chercher dans le TLF - c:\atilf-tlfi\tlfi\pg\hn.htm
IE: E&xporter vers Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Envoyer au périphérique &Bluetooth... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Envoyer à Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: Expliquer le mot - c:\atilf-tlfi\tlfi\pg\hnexplain.htm
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\propri~1\applic~1\mozilla\firefox\profiles\d4bufzo6.default\
FF - prefs.js: browser.search.selectedEngine - Wikipédia (fr)
FF - component: c:\program files\mozilla firefox\extensions\kavantibanner@kaspersky.ru\components\abhelperxpcom.dll
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\kavlinkfilter.dll
FF - plugin: c:\documents and settings\propriã©taire\application data\mozilla\firefox\profiles\d4bufzo6.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\documents and settings\propriã©taire\local settings\application data\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\canon\mycamera download plugin\NPCIG.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - Ext: Anti-bannière: KavAntiBanner@Kaspersky.ru - c:\program files\mozilla firefox\extensions\KavAntiBanner@Kaspersky.ru
FF - Ext: Analyse des liens (URL Advisor): linkfilter@kaspersky.ru - c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Read It Later: isreaditlater@ideashower.com - %profile%\extensions\isreaditlater@ideashower.com
FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
.
============= SERVICES / DRIVERS ===============
.
R0 KL1;kl1;c:\windows\system32\drivers\kl1.sys [2010-6-9 132184]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2011-4-29 28552]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2010-6-9 11352]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-9-11 475736]
R2 AdobeActiveFileMonitor9.0;Adobe Active File Monitor V9;c:\program files\adobe\elements 9 organizer\PhotoshopElementsFileAgent.exe [2010-9-6 169408]
R2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky internet security 2011\avp.exe [2010-7-1 352976]
R2 EPGService;EPGService;c:\progra~1\wintv\epg services\system\EPGService.exe [2008-8-19 431104]
R3 5U870UVC;Sony Visual Communication Camera VGP-VCC7;c:\windows\system32\drivers\5U870UVCx86.sys [2008-2-4 70144]
R3 Bonifay;Bonifay;c:\windows\system32\drivers\Bonifay.sys [2010-9-26 12160]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2010-5-7 32856]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-11-2 19472]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2007-11-15 71961]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2008-2-4 812544]
S3 Gonzales;Gonzales;c:\windows\system32\drivers\Gonzales.sys [2010-9-26 7040]
S3 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\wintv\HCWTVS~1.EXE [2008-8-19 815104]
S3 hcw95bda;Hauppauge MOD7700 Tuner Driver;c:\windows\system32\drivers\hcw95bda.sys [2008-8-19 487424]
S3 hcw95rc;Hauppauge MOD7700 IR Driver;c:\windows\system32\drivers\hcw95rc.sys [2008-8-19 15488]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\3.0.199\McCHSvc.exe [2011-2-23 237008]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [2008-12-13 18432]
.
=============== Created Last 30 ================
.
2011-04-30 16:28:29 -------- d-----w- c:\windows\pss
2011-04-30 14:55:06 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin8.dll
2011-04-30 14:55:06 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin8.dll
2011-04-30 14:53:13 1409 ----a-w- c:\windows\QTFont.for
2011-04-30 14:52:17 -------- d-----w- c:\program files\fichiers communs\Apple
2011-04-30 14:52:01 -------- d-----w- c:\docume~1\propri~1\locals~1\applic~1\Apple
2011-04-29 18:32:32 -------- d-----w- C:\VundoFix Backups
2011-04-29 18:12:20 -------- d-----w- c:\docume~1\alluse~1\applic~1\McAfee Security Scan
2011-04-29 18:11:44 -------- d-----w- c:\program files\McAfee Security Scan
2011-04-29 17:54:53 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2011-04-29 17:51:56 -------- d-----w- c:\program files\Panda Security
2011-04-29 17:42:49 -------- d-----w- c:\docume~1\propri~1\applic~1\QuickScan
2011-04-29 16:47:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\Norton
2011-04-29 16:47:45 -------- d-----w- c:\docume~1\propri~1\locals~1\applic~1\NPE
2011-04-29 13:54:01 -------- d-----w- c:\docume~1\propri~1\locals~1\applic~1\Threat Expert
2011-04-29 13:42:51 -------- d-----w- c:\program files\PC Tools Security
2011-04-29 13:37:54 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2011-04-16 09:03:51 45568 -c----w- c:\windows\system32\dllcache\dnsrslvr.dll
2011-04-14 01:39:02 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-04-14 01:39:02 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2011-03-07 05:33:47 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:36:19 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:53:37 1858048 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:05:48 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:05:47 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:05:47 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:42:13 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:54:06 5632 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:54:09 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:54:09 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:34:11 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:34:11 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 19:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 17:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:59:09 2067456 ----a-w- c:\windows\system32\mstscax.dll
.
============= FINISH: 19:50:37,29 ===============

This post has been edited by sempai: 15 May 2011 - 07:01 AM
Reason for edit: Remove malicious link/site

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

• If you have since resolved the original problem you were having, we would appreciate you letting us know.
  
• If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
  
  • If you are unsure about any of these characteristics just post what you can and we will guide you.
  
  
• Please tell us if you have your original Windows CD/DVD available.
  
• If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  
• If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  
• Upon completing the steps below another staff member will review your topic an do their best to resolve your issues.
  
• If you have already posted a DDS log, please do so again, as your situation may have changed.
  
• Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

• Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • DDS.scr
    
  • DDS.pif
  
  
• Double click on the DDS icon, allow it to run.
  
• A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  
• Notepad will open with the results.
  
• Follow the instructions that pop up for posting the results.
  
• Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:



Thanks and again sorry for the delay.

Thank you very much for answering me.
I understand that dealing with malware takes time and why i had to wait my turn.

As of now, the condition of my computer has'nt changed much from what it was 10 days ago.

I looked into the C:\WINDOWS\BDOSCAN8 directory and i learned that it was from the BitDefender online scanner. So it is not a concern.

My operating system is Windows XP pro sp3, it is the 32 bit version so GMER runs fine.
The Win XP Pro Disk that i have is an OEM re-installation disk. (shipped with the PC)

This is the new DDS.txt log, the other part and the new GMER log are attached:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Propri‚taire at 12:26:27,62 on 12/05/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.2046.1363 [GMT 2:00]
.
AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe
C:\PROGRA~1\WinTV\EPG Services\System\EPGService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\WinTV\EPG Services\System\EPGClient.exe
C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe
C:\Program Files\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe
C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\McAfee Security Scan\3.0.199\SSScheduler.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\klwtblfs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Propriétaire\Bureau\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.club-vaio.com/
BHO: Aide pour le lien d'Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\fichiers communs\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\fichiers communs\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2011\ievkbd.dll
BHO: PDFCreator Toolbar Helper: {c451c08a-ec37-45df-aaad-18b51ab5e837} - c:\program files\pdfcreator toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: PDFCreator Toolbar: {31cf9ebe-5755-4a1d-ac25-2834d952d9b4} - c:\program files\pdfcreator toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\fichiers communs\ahead\lib\NMBgMonitor.exe"
uRun: [Google Update] "c:\documents and settings\propriétaire\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Spyware Doctor with AntiVirus] c:\documents and settings\propriétaire\bureau\sdasetup.exe -min
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [EPGServiceTool] c:\progra~1\wintv\epg services\system\EPGClient.exe
mRun: [ISUSPM Startup] c:\progra~1\fichie~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\fichiers communs\installshield\updateservice\issch.exe" -start
mRun: [NBKeyScan] "c:\program files\nero\nero 7\nero backitup\NBKeyScan.exe"
mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /systrayIcon:on
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2011\avp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\fichiers communs\adobe\arm\1.0\AdobeARM.exe"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\fichiers communs\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\propri~1\menudm~1\progra~1\dmarra~1\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\alluse~1\menudm~1\progra~1\dmarra~1\mcafee~1.lnk - c:\program files\mcafee security scan\3.0.199\SSScheduler.exe
IE: Ajouter à l'Anti-bannière - c:\program files\kaspersky lab\kaspersky internet security 2011\ie_banner_deny.htm
IE: Chercher dans le TLF - c:\atilf-tlfi\tlfi\pg\hn.htm
IE: E&xporter vers Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Envoyer au périphérique &Bluetooth... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Envoyer à Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: Expliquer le mot - c:\atilf-tlfi\tlfi\pg\hnexplain.htm
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\propri~1\applic~1\mozilla\firefox\profiles\d4bufzo6.default\
FF - prefs.js: browser.search.selectedEngine - Wikipédia (fr)
FF - component: c:\program files\mozilla firefox\extensions\kavantibanner@kaspersky.ru\components\abhelperxpcom.dll
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\kavlinkfilter.dll
FF - plugin: c:\documents and settings\propriã©taire\application data\mozilla\firefox\profiles\d4bufzo6.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\documents and settings\propriã©taire\local settings\application data\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\canon\mycamera download plugin\NPCIG.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - Ext: Anti-bannière: KavAntiBanner@Kaspersky.ru - c:\program files\mozilla firefox\extensions\KavAntiBanner@Kaspersky.ru
FF - Ext: Analyse des liens (URL Advisor): linkfilter@kaspersky.ru - c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Read It Later: isreaditlater@ideashower.com - %profile%\extensions\isreaditlater@ideashower.com
FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
.
============= SERVICES / DRIVERS ===============
.
R0 KL1;kl1;c:\windows\system32\drivers\kl1.sys [2010-6-9 132184]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2011-4-29 28552]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2010-6-9 11352]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-9-11 475736]
R2 AdobeActiveFileMonitor9.0;Adobe Active File Monitor V9;c:\program files\adobe\elements 9 organizer\PhotoshopElementsFileAgent.exe [2010-9-6 169408]
R2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky internet security 2011\avp.exe [2010-7-1 352976]
R2 EPGService;EPGService;c:\progra~1\wintv\epg services\system\EPGService.exe [2008-8-19 431104]
R3 5U870UVC;Sony Visual Communication Camera VGP-VCC7;c:\windows\system32\drivers\5U870UVCx86.sys [2008-2-4 70144]
R3 Bonifay;Bonifay;c:\windows\system32\drivers\Bonifay.sys [2010-9-26 12160]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2010-5-7 32856]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-11-2 19472]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2007-11-15 71961]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2008-2-4 812544]
S3 Gonzales;Gonzales;c:\windows\system32\drivers\Gonzales.sys [2010-9-26 7040]
S3 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\wintv\HCWTVS~1.EXE [2008-8-19 815104]
S3 hcw95bda;Hauppauge MOD7700 Tuner Driver;c:\windows\system32\drivers\hcw95bda.sys [2008-8-19 487424]
S3 hcw95rc;Hauppauge MOD7700 IR Driver;c:\windows\system32\drivers\hcw95rc.sys [2008-8-19 15488]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\3.0.199\McCHSvc.exe [2011-2-23 237008]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [2008-12-13 18432]
.
=============== Created Last 30 ================
.
2011-04-30 16:28:29 -------- d-----w- c:\windows\pss
2011-04-30 14:55:06 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin8.dll
2011-04-30 14:55:06 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin8.dll
2011-04-30 14:53:13 1409 ----a-w- c:\windows\QTFont.for
2011-04-30 14:52:17 -------- d-----w- c:\program files\fichiers communs\Apple
2011-04-30 14:52:01 -------- d-----w- c:\docume~1\propri~1\locals~1\applic~1\Apple
2011-04-29 18:32:32 -------- d-----w- C:\VundoFix Backups
2011-04-29 18:12:20 -------- d-----w- c:\docume~1\alluse~1\applic~1\McAfee Security Scan
2011-04-29 18:11:44 -------- d-----w- c:\program files\McAfee Security Scan
2011-04-29 17:54:53 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2011-04-29 17:51:56 -------- d-----w- c:\program files\Panda Security
2011-04-29 17:42:49 -------- d-----w- c:\docume~1\propri~1\applic~1\QuickScan
2011-04-29 16:47:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\Norton
2011-04-29 16:47:45 -------- d-----w- c:\docume~1\propri~1\locals~1\applic~1\NPE
2011-04-29 13:54:01 -------- d-----w- c:\docume~1\propri~1\locals~1\applic~1\Threat Expert
2011-04-29 13:42:51 -------- d-----w- c:\program files\PC Tools Security
2011-04-29 13:37:54 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2011-04-16 09:03:51 45568 -c----w- c:\windows\system32\dllcache\dnsrslvr.dll
2011-04-14 01:39:02 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-04-14 01:39:02 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2011-03-07 05:33:47 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:36:19 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:53:37 1858048 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:05:48 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:05:47 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:05:47 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:42:13 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:54:06 5632 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
.
============= FINISH: 12:27:17,93 ===============

I don't know if it can help but when i run the netstat -a command from cmd.exe i have the following:
 netstat -a.JPG (124.64K)
Number of downloads: 7

And this is what i get if i type netstat -an:
 netstat -an.JPG (69.29K)
Number of downloads: 7

This is while my web browser is the only program running.

This post has been edited by Iag3ntK1889: 15 May 2011 - 07:20 AM

Hello,

This is a quick note to let you know you have not been forgotten. A team member should be with you soon.

Orange Blossom

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

• Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.
  
  
  
• Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  
  
  
• Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Please begin by running Combofix, Trojan FakeAlert is quite nasty so we need to go in hard

Please download ComboFix from one of these locations:

• Bleepingcomputer
  
• ForoSpyware

* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe

• Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  
• Double click on Comfix.exe & follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Hi,

I did as you asked and here is the combofix.txt log:

ComboFix 11-05-15.04 - Propriétaire 16/05/2011 16:54:02.1.2 - x86
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.2046.1329 [GMT 2:00]
Lancé depuis: c:\documents and settings\Propriétaire\Bureau\comfix.exe
AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
* Un nouveau point de restauration a été créé
.
.
(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Propriétaire\WINDOWS
.
.
((((((((((((((((((((((((((((( Fichiers créés du 2011-04-16 au 2011-05-16 ))))))))))))))))))))))))))))))))))))
.
.
2011-04-30 14:55 . 2011-04-30 14:55 159744 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
2011-04-30 14:55 . 2011-04-30 14:55 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin8.dll
2011-04-30 14:53 . 2011-04-30 14:53 1409 ----a-w- c:\windows\QTFont.for
2011-04-30 14:52 . 2011-04-30 14:52 -------- d-----w- c:\program files\Fichiers communs\Apple
2011-04-30 14:52 . 2011-04-30 14:52 -------- d-----w- c:\documents and settings\Propriétaire\Local Settings\Application Data\Apple
2011-04-30 14:51 . 2011-04-30 14:51 -------- d-----w- c:\program files\Apple Software Update
2011-04-30 14:51 . 2011-04-30 14:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2011-04-29 18:32 . 2011-04-29 18:32 -------- d-----w- C:\VundoFix Backups
2011-04-29 18:14 . 2011-04-29 18:14 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2011-04-29 18:12 . 2011-04-29 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2011-04-29 18:11 . 2011-04-29 18:11 -------- d-----w- c:\program files\McAfee Security Scan
2011-04-29 18:11 . 2011-04-29 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-04-29 17:54 . 2009-06-30 08:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2011-04-29 17:51 . 2011-04-29 17:51 -------- d-----w- c:\program files\Panda Security
2011-04-29 17:42 . 2011-04-29 17:42 -------- d-----w- c:\documents and settings\Propriétaire\Application Data\QuickScan
2011-04-29 16:47 . 2011-04-29 16:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2011-04-29 16:47 . 2011-04-29 16:54 -------- d-----w- c:\documents and settings\Propriétaire\Local Settings\Application Data\NPE
2011-04-29 14:27 . 2011-04-29 14:27 -------- d-----w- c:\documents and settings\LocalService\Bureau
2011-04-29 13:54 . 2011-04-29 13:54 -------- d-----w- c:\documents and settings\Propriétaire\Local Settings\Application Data\Threat Expert
2011-04-29 13:42 . 2011-04-29 15:45 -------- d-----w- c:\program files\PC Tools Security
2011-04-29 13:42 . 2011-04-29 15:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-04-29 13:37 . 2011-04-29 15:43 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
.
.
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2007-11-15 12:05 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:36 . 2007-11-15 03:54 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:53 . 2007-11-15 03:54 1858048 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:05 . 2007-11-15 03:54 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:05 . 2007-11-15 03:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:05 . 2007-11-15 03:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:42 . 2007-11-15 03:54 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2007-11-15 03:54 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2007-11-15 03:54 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:54 . 2008-05-05 05:25 5632 ----a-w- c:\windows\system32\xpsp4res.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-04 8491008]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-04 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-04 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-04 137752]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2008-02-04 118784]
"EPGServiceTool"="c:\progra~1\WinTV\EPG Services\System\EPGClient.exe" [2007-08-01 675840]
"ISUSPM Startup"="c:\progra~1\FICHIE~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-14 221184]
"ISUSScheduler"="c:\program files\Fichiers communs\InstallShield\UpdateService\issch.exe" [2004-06-14 81920]
"NBKeyScan"="c:\program files\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe" [2008-02-21 1647912]
"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2005-11-21 45056]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-09-23 49152]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe" [2010-09-14 352976]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"AdobeAAMUpdater-1.0"="c:\program files\Fichiers communs\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-07-29 497648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Propri‚taire\Menu D‚marrer\Programmes\D‚marrage\
Microsoft Recherche acc‚l‚r‚e.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-12-17 111376]
.
c:\documents and settings\All Users\Menu D‚marrer\Programmes\D‚marrage\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.0.199\SSScheduler.exe [2011-2-23 272528]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [29/04/2011 19:54 28552]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [09/06/2010 17:43 11352]
R2 AdobeActiveFileMonitor9.0;Adobe Active File Monitor V9;c:\program files\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe [06/09/2010 03:19 169408]
R2 EPGService;EPGService;c:\progra~1\WinTV\EPG Services\System\EPGService.exe [19/08/2008 18:39 431104]
R3 5U870UVC;Sony Visual Communication Camera VGP-VCC7;c:\windows\system32\drivers\5U870UVCx86.sys [04/02/2008 13:55 70144]
R3 Bonifay;Bonifay;c:\windows\system32\drivers\Bonifay.sys [26/09/2010 16:20 12160]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [07/05/2010 12:06 32856]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [02/11/2009 20:27 19472]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [15/11/2007 15:01 71961]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [04/02/2008 14:30 812544]
S3 Gonzales;Gonzales;c:\windows\system32\drivers\Gonzales.sys [26/09/2010 16:20 7040]
S3 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\WinTV\HCWTVS~1.EXE [19/08/2008 18:38 815104]
S3 hcw95bda;Hauppauge MOD7700 Tuner Driver;c:\windows\system32\drivers\hcw95bda.sys [19/08/2008 18:34 487424]
S3 hcw95rc;Hauppauge MOD7700 IR Driver;c:\windows\system32\drivers\hcw95rc.sys [19/08/2008 18:35 15488]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.0.199\McCHSvc.exe [23/02/2011 16:51 237008]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [13/12/2008 18:55 18432]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contenu du dossier 'Tâches planifiées'
.
2011-04-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]
.
.
------- Examen supplémentaire -------
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.club-vaio.com/
IE: Ajouter à l'Anti-bannière - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2011\ie_banner_deny.htm
IE: Chercher dans le TLF - c:\atilf-tlfi\tlfi\pg\hn.htm
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Envoyer au périphérique &Bluetooth... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Envoyer à Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: Expliquer le mot - c:\atilf-tlfi\tlfi\pg\hnexplain.htm
FF - ProfilePath - c:\documents and settings\Propriétaire\Application Data\Mozilla\Firefox\Profiles\d4bufzo6.default\
FF - prefs.js: browser.search.selectedEngine - Wikipédia (fr)
FF - Ext: Anti-bannière: KavAntiBanner@Kaspersky.ru - c:\program files\Mozilla Firefox\extensions\KavAntiBanner@Kaspersky.ru
FF - Ext: Analyse des liens (URL Advisor): linkfilter@kaspersky.ru - c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Read It Later: isreaditlater@ideashower.com - %profile%\extensions\isreaditlater@ideashower.com
FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
.
- - - - ORPHELINS SUPPRIMES - - - -
.
HKCU-Run-Spyware Doctor with AntiVirus - c:\documents and settings\Propriétaire\Bureau\sdasetup.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-16 17:02
Windows 5.1.2600 Service Pack 3 NTFS
.
Recherche de processus cachés ...
.
Recherche d'éléments en démarrage automatique cachés ...
.
Recherche de fichiers cachés ...
.
Scan terminé avec succès
Fichiers cachés: 0
.
**************************************************************************
.
--------------------- DLLs chargées dans les processus actifs ---------------------
.
- - - - - - - > 'explorer.exe'(3676)
c:\program files\Fichiers communs\Ahead\Lib\NeroSearchBar.dll
c:\program files\Fichiers communs\Ahead\Lib\MFC71U.DLL
c:\program files\Fichiers communs\Ahead\Lib\BCGCBPRO860un71.dll
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
.
------------------------ Autres processus actifs ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\Apoint\ApMsgFwd.exe
c:\program files\Apoint\Apntex.exe
c:\program files\Fichiers communs\Ahead\Lib\NMIndexingService.exe
c:\program files\Fichiers communs\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Heure de fin: 2011-05-16 17:07:00 - La machine a redémarré
ComboFix-quarantined-files.txt 2011-05-16 15:06
.
Avant-CF: 39 962 677 248 octets libres
Après-CF: 39 973 941 248 octets libres
.
WindowsXP-KB310994-SP2-Pro-BootDisk-FRA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professionnel" /noexecute=optin /fastdetect
.
- - End Of File - - 1D9269D4AC235376FB3B74B16939A4A3

That doesn't look to be too bad. Please run MBAM next

Please download Malwarebytes Anti-Malware and save it to your desktop.

• Make sure you are connected to the Internet.
  
• Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  
• When the installation begins, follow the prompts and do not make any changes to default settings.
  
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
    
  • Launch Malwarebytes' Anti-Malware
  
  
• Then click Finish.
  
• MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  If MBAM won't update then download and update MBAM on a clean computer then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware' then transfer it across to the infected computer.
  
• On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
    
  • Then click on the Scan button.
  
  
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  
• Click OK to close the message box and continue with the removal process.
  
• Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When removal is completed, a log report will open in Notepad.
  
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Here is the MBAM log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Version de la base de données: 6592

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

16/05/2011 23:18:10
mbam-log-2011-05-16 (23-18-10).txt

Type d'examen: Examen complet (C:\|D:\|E:\|F:\|)
Elément(s) analysé(s): 355725
Temps écoulé: 1 heure(s), 13 minute(s), 56 seconde(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 0
Valeur(s) du Registre infectée(s): 0
Elément(s) de données du Registre infecté(s): 0
Dossier(s) infecté(s): 0
Fichier(s) infecté(s): 0

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)

Clé(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Valeur(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Elément(s) de données du Registre infecté(s):
(Aucun élément nuisible détecté)

Dossier(s) infecté(s):
(Aucun élément nuisible détecté)

Fichier(s) infecté(s):
(Aucun élément nuisible détecté)

I think this is looking like a clean system. Please run SAS and then scan your system online at ESET

Download and scan with SUPERAntiSpyware Free for Home Users

• Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  
• An icon will be created on your desktop. Double-click that icon to launch the program.
  
• If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  
• In the Main Menu, click the Preferences... button.
  
• Click the Scanning Control tab.
  
• Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
    
  • Scan for tracking cookies.
    
  • Terminate memory threats before quarantining.
• Click the "Close" button to leave the control center screen.
  
• Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  
• On the left, make sure you check C:\Fixed Drive.
  
• On the right, under "Complete Scan", choose Perform Complete Scan.
  
• Click "Next" to start the scan. Please be patient while it scans your computer.
  
• After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  
• Make sure everything has a checkmark next to it and click "Next".
  
• A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  
• If asked if you want to reboot, click "Yes".
  
• To retrieve the removal information after reboot, launch SUPERAntispyware again.
  • Click Preferences, then click the Statistics/Logs tab.
    
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    
  • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    
  • Please copy and paste the Scan Log results in your next reply.
• Click Close to exit the program.

Then ESET

I'd like us to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
  ESET OnlineScan
  
• Click the button.
  
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
    
  • Double click on the icon on your desktop.
  
  
• Check
  
• Click the button.
  
• Accept any security warnings from your browser.
  
• Under scan settings, check and check Remove found threats
  
• Click Advanced settings and select the following:
  • Scan potentially unwanted applications
    
  • Scan for potentially unsafe applications
    
  • Enable Anti-Stealth technology
  
  
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  
• When the scan completes, push
  
• Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  
• Push the button.
  
• Push

If no log is generated that means nothing was found. Please let me know if this happens.

Here is the SAS log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/17/2011 at 03:15 PM

Application Version : 4.52.1000

Core Rules Database Version : 7071
Trace Rules Database Version: 4883

Scan type : Complete Scan
Total Scan Time : 02:03:13

Memory items scanned : 526
Memory threats detected : 0
Registry items scanned : 7263
Registry threats detected : 0
File items scanned : 201129
File threats detected : 1

Trojan.Agent/Gen-Falcomp[Cont]
C:\WINDOWS\SYSTEM32\ETEXCH32.DLL

Eset didn't find anything. (no log)

How is the machine performing now?

For the most part, my pc seems to be ok, however something about the command prompt changed after the removal of ETEXCH32.dll by SAS.

This was the command prompt before removing ETEXCH32.dll: (normal)

 cmdexe(before).JPG (14.62K)
Number of downloads: 2

And this is how it is now: (strange)

 cmdexe.JPG (14.6K)
Number of downloads: 2

Is etexch32.dll only comming from malware or was it a legitimate microsoft Windows file that was then corrupted?

Could be infected, could be a false positive...SAS knows the answer for definite so please double click the SAS icon near the time and click on Manage Quarantine. You can then highlight the file and choose Restore.

Then visit Jotti

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Go to Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\WINDOWS\SYSTEM32\ETEXCH32.DLL

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at VirusTotal