hello everyone, newbie here -
A quick summary, if possible, of events.
I was surfing the web w/o anti virsus software installed when i suddenly got about 12 windows opening informing me of a corrupt entry in system 32 lib.
Then i got a System Check window basically saying i have everything possible wrong with my machine, i.e. hardware, software, registry errors. Upon reboot, i got MISSING OS SYSTEM. As a last resort, i cleaned my machine, which has helped things in the past, and it was dirty. Loaded the Recovery Console, DSKCHK ran ok, no problems supposedly. I did a FIXMBR cmd which finished in a micro sec.
Surprisingly, on reboot, it saw the hard disk & loaded. My desktop was missing many items so i ran a system restore to a recent good checkpoint successfully which brought back my desktop icons. My browsers, FireFox & IE, will not start. They enter PROCESSES in task manager but leave shortly afterwards w/o doing nothing, no window opens. I loaded AVG 2012 free anti-virsus and did a whole computer scan. That software removed 18 items to the Virsus Vault. Here is a sysnopsis of that run which i did before coming here.
AVG 2012 anti-virsus, free edition, whole computer scan follows...
======================= infections follow ==================
"";"C:\System Volume Information\_restore{6995F97A-0C11-46E7-AD16-F4EBACBCE82E}\RP346\A0199282.exe";"May be infected by unknown virus Win32/DH.00000000{00040001-00000035-00000000}";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{6995F97A-0C11-46E7-AD16-F4EBACBCE82E}\RP346\A0199157.exe";"Trojan horse Generic_r.AHC";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{6995F97A-0C11-46E7-AD16-F4EBACBCE82E}\RP346\A0199103.exe";"Trojan horse Generic_r.AHK";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{6995F97A-0C11-46E7-AD16-F4EBACBCE82E}\RP345\A0198012.exe";"Trojan horse Generic_r.AHC";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{6995F97A-0C11-46E7-AD16-F4EBACBCE82E}\RP344\A0197955.exe";"Trojan horse Generic_r.AHK";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{6995F97A-0C11-46E7-AD16-F4EBACBCE82E}\RP344\A0197954.exe";"Trojan horse Generic_r.AHK";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{6995F97A-0C11-46E7-AD16-F4EBACBCE82E}\RP342\A0197907.exe";"Trojan horse Generic_r.AHK";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{6995F97A-0C11-46E7-AD16-F4EBACBCE82E}\RP342\A0197906.exe";"Trojan horse Generic_r.AHK";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{6995F97A-0C11-46E7-AD16-F4EBACBCE82E}\RP340\A0197853.exe";"Trojan horse Generic_r.AHK";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{6995F97A-0C11-46E7-AD16-F4EBACBCE82E}\RP339\A0196821.exe";"Trojan horse Generic_r.AHK";"Moved to Virus Vault"
"";"C:\Documents and Settings\dad\removeme.exe";"May be infected by unknown virus Win32/DH.00000000{00040001-00000035-00000000}";"Moved to Virus Vault"
"";"C:\Documents and Settings\dad\Local Settings\Temp\gigiti.exe";"Trojan horse Downloader.Zlob.BFZG";"Moved to Virus Vault"
"";"C:\Documents and Settings\All Users\Application Data\isecurity.exe";"Trojan horse Dropper.Generic5.YRY";"Moved to Virus Vault"
==================== spyware follows ======================
"";"C:\WINDOWS\basra1.dll";"Adware Generic4.AGJX";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{6995F97A-0C11-46E7-AD16-F4EBACBCE82E}\RP346\A0199281.dll";"Adware Generic4.AGJX";"Moved to Virus Vault"
==================== warnings follows =====================
"";"C:\WINDOWS\system32\TFTP964";"Corrupted executable file";"Moved to Virus Vault"
"";"C:\WINDOWS\system32\randomiser.exe";"Corrupted executable file";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{6995F97A-0C11-46E7-AD16-F4EBACBCE82E}\RP346\A0199280.exe";"Corrupted executable file";"Moved to Virus Vault"
===========================================================
Then sometime later during a reboot i got stuck in a CHKDSK loop. Safe Mode would not complete loading. Loaded the Recovery Console and reran CHKDSK. This time it reported an error on the drive. Ran it again with the -p option ok, then ran with the -r option ok. System loaded finally. I did run a cleanup utility called Cleanup.exe, i haved used it often in the past. My browsers still will not load, i am able to load it & use it by navigatiing to Start/Help & Support/Use Tools/clicking on a link to Go To A Windows Newsgroup, then it loads, i haven't used any tools although my disk shows needing defragmentation which i haven't done. Also, IE loads thru Start/Control Panel/Automatic Updates and clicking on the link for the microsoft update site. I then ran Malwarebytes Anti-Malware in the 5 step solution for virsuses malware spyware, Here is that log;
Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org
Database version: v2012.01.27.07
Windows XP Service Pack 2 x86 FAT32
Internet Explorer 8.0.6001.18702
dad :: PREFERRE-406GQB [administrator]
1/27/2012 4:27:58 PM
mbam-log-2012-01-27 (16-27-58).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 431570
Time elapsed: 24 minute(s), 10 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 20
HKCR\CLSID\{597A9974-8CB0-4f41-B61F-ED065738A397} (PUP.RewardsArcade) -> Quarantined and deleted successfully.
HKCR\TypeLib\{60BE6B2E-F2F5-4404-AA1E-4381D4A6EEA2} (PUP.RewardsArcade) -> Quarantined and deleted successfully.
HKCR\Interface\{6427058B-217C-4C7F-A6CE-C7934C0BDCEB} (PUP.RewardsArcade) -> Quarantined and deleted successfully.
HKCR\RewardsArcade.BHO.1 (PUP.RewardsArcade) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{597A9974-8CB0-4F41-B61F-ED065738A397} (PUP.RewardsArcade) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{597A9974-8CB0-4F41-B61F-ED065738A397} (PUP.RewardsArcade) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{597A9974-8CB0-4F41-B61F-ED065738A397} (PUP.RewardsArcade) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{014DA6C1-189F-421A-88CD-07CFE51CFF10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{014DA6C1-189F-421A-88CD-07CFE51CFF10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{014DA6C9-189F-421A-88CD-07CFE51CFF10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{014DA6C9-189F-421A-88CD-07CFE51CFF10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{54160F28-994B-48DD-8D83-1B2F6B9EB054} (Trojan.BHO) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{54160F28-994B-48DD-8D83-1B2F6B9EB054} (Trojan.BHO) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\MediaLoads (Adware.Medload) -> Quarantined and deleted successfully.
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 3
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|SearchMigratedDefaultURL (Hijack.SearchPage) -> Bad: (http://internetsearchservice.com/search?q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w| (Hijack.SearchPage) -> Bad: (http://internetsearchservice.com/search?q=%s) Good: (http://www.Google.com/) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
Folders Detected: 14
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498 (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox\Images (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\defaults (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\defaults\preferences (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\locale (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\locale\en-US (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\skin (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Chrome (PUP.RewardsArcade) -> Quarantined and deleted successfully.
Files Detected: 42
C:\Documents and Settings\nate\My Documents\Downloads\Retrogamer.exe (Adware.FunWeb) -> Quarantined and deleted successfully.
C:\Documents and Settings\dad\Local Settings\Temp\8.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\uninstall.ico (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome.manifest (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\install.rdf (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\background.html (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\browser.xul (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\crossrider.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\crossriderapi.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\manage-apps-style.css (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\manage-apps.html (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\messaging.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\options.xul (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\push.html (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\socialapi.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\update.html (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\utilityapi.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\workers_chain.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\faye-browser-min.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\jquery-1.4.2.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox\facebox.css (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox\facebox.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox\Images\b.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox\Images\bl.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox\Images\br.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox\Images\closelabel.gif (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox\Images\loading.gif (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox\Images\tl.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox\Images\tr.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\defaults\preferences\prefs.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\locale\en-US\translations.dtd (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\skin\button1.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\skin\button2.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\skin\button3.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\skin\button4.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\skin\button5.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\skin\crossrider_statusbar.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\skin\icon24.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\skin\skin.css (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\skin\update.css (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Chrome\rewardsarcade.crx (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\WINDOWS\smdat32m.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
(end)
Tried running GMER next but i get a LoadDriver (C:\Docs & Settings\dad\local settings\Temp\awncapoc.sys) error 0xc000010E: cannot create a stable subkey under a volatile parent key. Pressing OK & GMER1.0.15.15641 window opens. Press the scan key and get C:\windows\system32\config\system, process cant access the file because it is being used by another process. Press OK, and same message but this time for system32\config\software. Only a few boxes are checked in GMER, the Services, Registry, Files is checked. Below that, C:\ is checked. Below that, ADS is checked. And finally GMER hasn't found any system modification. Don't believe it ran at all. That is where i am at in that procedure, any help greatly appreciated. System ran better afterwards, was getting 100% cpu in task manager, mostly the SERVICES & CSRSS execs, before running. It dropped down sigficiantly afterwards but was unable to continue. Today, it is the CSRSS exec at 20+% and avgwdsvc.exe at 70+%. What should i do next? my mind is dazed & confused, thanks in advance.
A quick summary, if possible, of events.
I was surfing the web w/o anti virsus software installed when i suddenly got about 12 windows opening informing me of a corrupt entry in system 32 lib.
Then i got a System Check window basically saying i have everything possible wrong with my machine, i.e. hardware, software, registry errors. Upon reboot, i got MISSING OS SYSTEM. As a last resort, i cleaned my machine, which has helped things in the past, and it was dirty. Loaded the Recovery Console, DSKCHK ran ok, no problems supposedly. I did a FIXMBR cmd which finished in a micro sec.
Surprisingly, on reboot, it saw the hard disk & loaded. My desktop was missing many items so i ran a system restore to a recent good checkpoint successfully which brought back my desktop icons. My browsers, FireFox & IE, will not start. They enter PROCESSES in task manager but leave shortly afterwards w/o doing nothing, no window opens. I loaded AVG 2012 free anti-virsus and did a whole computer scan. That software removed 18 items to the Virsus Vault. Here is a sysnopsis of that run which i did before coming here.
AVG 2012 anti-virsus, free edition, whole computer scan follows...
======================= infections follow ==================
"";"C:\System Volume Information\_restore{6995F97A-0C11-46E7-AD16-F4EBACBCE82E}\RP346\A0199282.exe";"May be infected by unknown virus Win32/DH.00000000{00040001-00000035-00000000}";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{6995F97A-0C11-46E7-AD16-F4EBACBCE82E}\RP346\A0199157.exe";"Trojan horse Generic_r.AHC";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{6995F97A-0C11-46E7-AD16-F4EBACBCE82E}\RP346\A0199103.exe";"Trojan horse Generic_r.AHK";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{6995F97A-0C11-46E7-AD16-F4EBACBCE82E}\RP345\A0198012.exe";"Trojan horse Generic_r.AHC";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{6995F97A-0C11-46E7-AD16-F4EBACBCE82E}\RP344\A0197955.exe";"Trojan horse Generic_r.AHK";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{6995F97A-0C11-46E7-AD16-F4EBACBCE82E}\RP344\A0197954.exe";"Trojan horse Generic_r.AHK";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{6995F97A-0C11-46E7-AD16-F4EBACBCE82E}\RP342\A0197907.exe";"Trojan horse Generic_r.AHK";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{6995F97A-0C11-46E7-AD16-F4EBACBCE82E}\RP342\A0197906.exe";"Trojan horse Generic_r.AHK";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{6995F97A-0C11-46E7-AD16-F4EBACBCE82E}\RP340\A0197853.exe";"Trojan horse Generic_r.AHK";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{6995F97A-0C11-46E7-AD16-F4EBACBCE82E}\RP339\A0196821.exe";"Trojan horse Generic_r.AHK";"Moved to Virus Vault"
"";"C:\Documents and Settings\dad\removeme.exe";"May be infected by unknown virus Win32/DH.00000000{00040001-00000035-00000000}";"Moved to Virus Vault"
"";"C:\Documents and Settings\dad\Local Settings\Temp\gigiti.exe";"Trojan horse Downloader.Zlob.BFZG";"Moved to Virus Vault"
"";"C:\Documents and Settings\All Users\Application Data\isecurity.exe";"Trojan horse Dropper.Generic5.YRY";"Moved to Virus Vault"
==================== spyware follows ======================
"";"C:\WINDOWS\basra1.dll";"Adware Generic4.AGJX";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{6995F97A-0C11-46E7-AD16-F4EBACBCE82E}\RP346\A0199281.dll";"Adware Generic4.AGJX";"Moved to Virus Vault"
==================== warnings follows =====================
"";"C:\WINDOWS\system32\TFTP964";"Corrupted executable file";"Moved to Virus Vault"
"";"C:\WINDOWS\system32\randomiser.exe";"Corrupted executable file";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{6995F97A-0C11-46E7-AD16-F4EBACBCE82E}\RP346\A0199280.exe";"Corrupted executable file";"Moved to Virus Vault"
===========================================================
Then sometime later during a reboot i got stuck in a CHKDSK loop. Safe Mode would not complete loading. Loaded the Recovery Console and reran CHKDSK. This time it reported an error on the drive. Ran it again with the -p option ok, then ran with the -r option ok. System loaded finally. I did run a cleanup utility called Cleanup.exe, i haved used it often in the past. My browsers still will not load, i am able to load it & use it by navigatiing to Start/Help & Support/Use Tools/clicking on a link to Go To A Windows Newsgroup, then it loads, i haven't used any tools although my disk shows needing defragmentation which i haven't done. Also, IE loads thru Start/Control Panel/Automatic Updates and clicking on the link for the microsoft update site. I then ran Malwarebytes Anti-Malware in the 5 step solution for virsuses malware spyware, Here is that log;
Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org
Database version: v2012.01.27.07
Windows XP Service Pack 2 x86 FAT32
Internet Explorer 8.0.6001.18702
dad :: PREFERRE-406GQB [administrator]
1/27/2012 4:27:58 PM
mbam-log-2012-01-27 (16-27-58).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 431570
Time elapsed: 24 minute(s), 10 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 20
HKCR\CLSID\{597A9974-8CB0-4f41-B61F-ED065738A397} (PUP.RewardsArcade) -> Quarantined and deleted successfully.
HKCR\TypeLib\{60BE6B2E-F2F5-4404-AA1E-4381D4A6EEA2} (PUP.RewardsArcade) -> Quarantined and deleted successfully.
HKCR\Interface\{6427058B-217C-4C7F-A6CE-C7934C0BDCEB} (PUP.RewardsArcade) -> Quarantined and deleted successfully.
HKCR\RewardsArcade.BHO.1 (PUP.RewardsArcade) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{597A9974-8CB0-4F41-B61F-ED065738A397} (PUP.RewardsArcade) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{597A9974-8CB0-4F41-B61F-ED065738A397} (PUP.RewardsArcade) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{597A9974-8CB0-4F41-B61F-ED065738A397} (PUP.RewardsArcade) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{014DA6C1-189F-421A-88CD-07CFE51CFF10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{014DA6C1-189F-421A-88CD-07CFE51CFF10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{014DA6C9-189F-421A-88CD-07CFE51CFF10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{014DA6C9-189F-421A-88CD-07CFE51CFF10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{54160F28-994B-48DD-8D83-1B2F6B9EB054} (Trojan.BHO) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{54160F28-994B-48DD-8D83-1B2F6B9EB054} (Trojan.BHO) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\MediaLoads (Adware.Medload) -> Quarantined and deleted successfully.
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 3
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|SearchMigratedDefaultURL (Hijack.SearchPage) -> Bad: (http://internetsearchservice.com/search?q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w| (Hijack.SearchPage) -> Bad: (http://internetsearchservice.com/search?q=%s) Good: (http://www.Google.com/) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
Folders Detected: 14
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498 (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox\Images (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\defaults (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\defaults\preferences (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\locale (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\locale\en-US (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\skin (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Chrome (PUP.RewardsArcade) -> Quarantined and deleted successfully.
Files Detected: 42
C:\Documents and Settings\nate\My Documents\Downloads\Retrogamer.exe (Adware.FunWeb) -> Quarantined and deleted successfully.
C:\Documents and Settings\dad\Local Settings\Temp\8.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\uninstall.ico (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome.manifest (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\install.rdf (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\background.html (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\browser.xul (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\crossrider.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\crossriderapi.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\manage-apps-style.css (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\manage-apps.html (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\messaging.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\options.xul (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\push.html (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\socialapi.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\update.html (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\utilityapi.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\workers_chain.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\faye-browser-min.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\jquery-1.4.2.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox\facebox.css (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox\facebox.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox\Images\b.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox\Images\bl.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox\Images\br.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox\Images\closelabel.gif (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox\Images\loading.gif (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox\Images\tl.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\chrome\content\lib\facebox\Images\tr.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\defaults\preferences\prefs.js (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\locale\en-US\translations.dtd (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\skin\button1.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\skin\button2.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\skin\button3.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\skin\button4.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\skin\button5.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\skin\crossrider_statusbar.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\skin\icon24.png (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\skin\skin.css (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Firefox\skin\update.css (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\Documents and Settings\nate\Local Settings\Application Data\RewardsArcade\498\Chrome\rewardsarcade.crx (PUP.RewardsArcade) -> Quarantined and deleted successfully.
C:\WINDOWS\smdat32m.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
(end)
Tried running GMER next but i get a LoadDriver (C:\Docs & Settings\dad\local settings\Temp\awncapoc.sys) error 0xc000010E: cannot create a stable subkey under a volatile parent key. Pressing OK & GMER1.0.15.15641 window opens. Press the scan key and get C:\windows\system32\config\system, process cant access the file because it is being used by another process. Press OK, and same message but this time for system32\config\software. Only a few boxes are checked in GMER, the Services, Registry, Files is checked. Below that, C:\ is checked. Below that, ADS is checked. And finally GMER hasn't found any system modification. Don't believe it ran at all. That is where i am at in that procedure, any help greatly appreciated. System ran better afterwards, was getting 100% cpu in task manager, mostly the SERVICES & CSRSS execs, before running. It dropped down sigficiantly afterwards but was unable to continue. Today, it is the CSRSS exec at 20+% and avgwdsvc.exe at 70+%. What should i do next? my mind is dazed & confused, thanks in advance.