TechSpot

Calc1 virus?

By mooney12
Jun 2, 2012
  1. Ok, I think I got this baddy removed; scanning again with Malwarebytes. Is there anything you guys can do to help me make sure my system is clean and smooth?
     
  2. mooney12

    130,000 files scanned, 1 more item detected; stay tuned as the Durandal gets screwed to oblivion!!! :(
     
  3. Bobbye

    Welcome to TechSpot!

    If you would like us to check the system for malware, please follow these steps: Preliminary Virus and Malware Removal.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
    ============================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't follow directions given to someone else
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs, except those I give you.
    Threads are closed after 5 days if there is no reply.
     
  4. mooney12

    Malwarebytes
    GMER
    DDS logs

    Malwarebytes Anti-Malware (PRO) 1.61.0.1400
    www.malwarebytes.org

    Database version: v2012.06.02.02

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 6.0.2900.5512
    Eric :: DURANDAL [administrator]

    Protection: Enabled

    6/2/2012 4:57:24 AM
    mbam-log-2012-06-02 (04-57-24).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 252703
    Time elapsed: 20 minute(s), 54 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 6.0.2900.5512
    Run by Eric at 10:45:56 on 2012-06-02
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2526 [GMT -4:00]
    .
    AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\ATI\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\11.0.2\ToolbarUpdater.exe
    C:\Program Files\AVG Secure Search\vprot.exe
    C:\Program Files\AVG\AVG2012\avgwdsvc.exe
    C:\Program Files\AVG\AVG2012\avgtray.exe
    C:\Program Files\AVG\AVG2012\avgui.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Eric\My Documents\Downloads\bwh18b4d.exe
    .
    ============== Pseudo HJT Report ===============
    .
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - c:\program files\avg\avg2012\avgdtiex.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\11.0.0.9\AVG Secure Search_toolbar.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
    TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\11.0.0.9\AVG Secure Search_toolbar.dll
    uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe" /MINIMIZED
    uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
    mRun: [StartCCC] "c:\program files\ati\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
    mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\avg\avg2012\avgdtiex.dll
    TCP: Interfaces\{EF58EFC9-6A4E-4F67-91A0-7A182AB709F7} : DhcpNameServer = 192.168.1.1
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\11.0.2\ViProtocol.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\eric\application data\mozilla\firefox\profiles\5n7ab7ej.default\
    FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7Bb992c3be-0020-4f20-8b15-031c06479e5a%7D&mid=e6288b2ce2af47d0826fd16a129d2f76-8bf14b7f6f768ab47dac3155673353c721026280&ds=AVG&v=11.0.0.9&lang=en&pr=fr&d=2012-06-02%2005%3A24%3A41&sap=ku&q=
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\program files\common files\avg secure search\sitesafetyinstaller\11.0.2\npsitesafety.dll
    FF - plugin: c:\program files\microsoft silverlight\3.0.40624.0\npctrlui.dll
    FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_235.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    ============= SERVICES / DRIVERS ===============
    .
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2012-1-31 31952]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2012-2-22 235216]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-12-23 41040]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2012-3-19 301248]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2012-2-14 193288]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-6-1 654408]
    R2 vToolbarUpdater11.0.2;vToolbarUpdater11.0.2;c:\program files\common files\avg secure search\vtoolbarupdater\11.0.2\ToolbarUpdater.exe [2012-6-2 932736]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 139856]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [2011-12-23 24144]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 17232]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-6-1 22344]
    S0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 24896]
    S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\avgidsagent.exe [2012-4-30 5106744]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-6-1 257696]
    S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-6-1 129976]
    S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2012-1-5 874240]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2012-06-02 09:26:43 -------- d-----w- c:\documents and settings\eric\application data\AVG2012
    2012-06-02 09:24:54 -------- d-----w- c:\documents and settings\eric\local settings\application data\AVG Secure Search
    2012-06-02 09:24:42 -------- d-----w- c:\documents and settings\eric\application data\AVG Secure Search
    2012-06-02 09:24:41 -------- d-----w- c:\documents and settings\all users\application data\AVG Secure Search
    2012-06-02 09:24:38 -------- d-----w- c:\program files\common files\AVG Secure Search
    2012-06-02 09:24:37 -------- d-----w- c:\program files\AVG Secure Search
    2012-06-02 09:24:03 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
    2012-06-02 09:23:47 -------- d--h--w- C:\$AVG
    2012-06-02 09:23:47 -------- d-----w- c:\windows\system32\drivers\AVG
    2012-06-02 09:23:47 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
    2012-06-02 09:23:35 -------- d-----w- c:\program files\AVG
    2012-06-02 08:52:56 -------- d-----w- c:\documents and settings\all users\application data\MFAData
    2012-06-02 06:36:28 -------- d-----w- c:\program files\Steam
    2012-06-02 05:46:14 274288 ----a-w- c:\windows\system32\mucltui.dll
    2012-06-02 05:46:14 215920 ----a-w- c:\windows\system32\muweb.dll
    2012-06-02 05:46:14 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
    2012-06-02 00:48:37 -------- d-----w- c:\documents and settings\eric\Tracing
    2012-06-02 00:46:59 -------- d-----w- c:\program files\Microsoft
    2012-06-02 00:46:44 -------- d-----w- c:\program files\Windows Live SkyDrive
    2012-06-02 00:45:59 4927864 ----a-w- c:\program files\common files\windows live\.cache\13efff581cd4059\Silverlight.2.0.exe
    2012-06-02 00:44:13 -------- d-----w- c:\windows\system32\SoftwareDistribution
    2012-06-02 00:44:02 -------- d-----w- c:\program files\common files\Windows Live
    2012-06-02 00:38:06 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-06-02 00:38:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-06-02 00:22:32 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-06-02 00:22:32 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-06-02 00:21:36 -------- d-----w- c:\program files\Yahoo!
    2012-06-02 00:19:05 -------- d-----w- c:\documents and settings\eric\local settings\application data\Google
    2012-06-02 00:19:05 -------- d-----w- c:\documents and settings\eric\local settings\application data\CRE
    2012-06-02 00:19:03 -------- d-----w- c:\program files\Conduit
    2012-06-02 00:19:02 -------- d-----w- c:\documents and settings\eric\local settings\application data\Temp
    2012-06-02 00:19:02 -------- d-----w- c:\documents and settings\eric\local settings\application data\Conduit
    2012-06-02 00:10:12 -------- d-----w- c:\documents and settings\eric\application data\Malwarebytes
    2012-06-02 00:10:12 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2012-05-30 22:12:50 -------- d-----w- C:\MEDIA
    2012-05-30 09:27:32 -------- d-----w- C:\Mega Man X series - Maverick Rising
    2012-05-30 09:27:29 -------- d-----w- C:\Wild Arms - ARMed and DANGerous
    2012-05-30 09:20:51 -------- d-----w- C:\Starcraft
    2012-05-30 04:18:51 -------- d-----w- c:\program files\tibia
    2012-05-26 15:28:29 -------- d-----w- C:\64b5ac13142b2ede404e9eb7ad
    2012-05-24 19:43:14 -------- d-----w- c:\program files\StarCraft II
    2012-05-24 19:43:14 -------- d-----w- c:\program files\common files\Blizzard Entertainment
    2012-05-24 19:43:14 -------- d-----w- c:\documents and settings\all users\application data\Blizzard Entertainment
    2012-05-19 13:39:49 -------- d-sh--w- C:\Boot
    2012-05-19 09:52:36 -------- d-sh--w- C:\$RECYCLE.BIN
    2012-05-18 19:38:05 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
    2012-05-18 19:38:05 21504 ----a-w- c:\windows\system32\hidserv.dll
    2012-05-18 19:38:02 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
    2012-05-18 19:38:02 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
    2012-05-18 19:37:52 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
    2012-05-18 19:37:52 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
    2012-05-14 18:14:29 -------- d-----w- c:\windows\system32\AGEIA
    2012-05-14 18:14:20 -------- d-----w- c:\program files\common files\Wise Installation Wizard
    2012-05-11 17:03:06 -------- d-----w- c:\documents and settings\eric\local settings\application data\WMTools Downloaded Files
    2012-05-11 16:32:22 421888 ----a-w- c:\windows\system32\ac3filter.acm
    2012-05-11 16:32:18 -------- d-----w- c:\program files\XP Codec Pack
    2012-05-06 14:28:55 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2012-05-06 14:28:55 -------- d-----w- c:\windows\system32\wbem\Repository
    2012-05-04 20:54:29 -------- d-----w- c:\program files\InterActual
    .
    ==================== Find3M ====================
    .
    2012-05-24 17:41:38 967 ----a-w- c:\windows\ScUnin.pif
    2012-05-24 17:41:38 94208 ----a-w- c:\windows\ScUnin.exe
    2012-04-19 08:50:26 24896 ----a-w- c:\windows\system32\drivers\avgidshx.sys
    2012-04-06 16:32:36 1288192 ----a-w- c:\windows\system32\VSFilter.dll
    2012-04-06 16:32:24 472576 ----a-w- c:\windows\system32\AviSplitter.ax
    2012-04-06 16:32:08 659456 ----a-w- c:\windows\system32\RealMediaSplitter.ax
    2012-04-06 16:32:00 548352 ----a-w- c:\windows\system32\MatroskaSplitter.ax
    2012-03-19 09:17:28 301248 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    .
    ============= FINISH: 10:46:09.42 ===============

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 1/5/2012 1:40:03 PM
    System Uptime: 6/2/2012 4:55:07 AM (6 hours ago)
    .
    Motherboard: ASUSTeK Computer INC. | | P5Q SE PLUS
    Processor: Intel Pentium III Xeon processor | LGA775 | 2792/266mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 553 GiB total, 458.387 GiB free.
    E: is FIXED (NTFS) - 44 GiB total, 0.353 GiB free.
    F: is CDROM ()
    G: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Audio Device on High Definition Audio Bus
    Device ID: HDAUDIO\FUNC_01&VEN_1002&DEV_AA01&SUBSYS_00AA0100&REV_1001\5&1E1AB84C&0&0001
    Manufacturer:
    Name: Audio Device on High Definition Audio Bus
    PNP Device ID: HDAUDIO\FUNC_01&VEN_1002&DEV_AA01&SUBSYS_00AA0100&REV_1001\5&1E1AB84C&0&0001
    Service:
    .
    Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
    Description: VIA High Definition Audio
    Device ID: HDAUDIO\FUNC_01&VEN_1106&DEV_0397&SUBSYS_10438346&REV_1000\4&22BA60&0&0001
    Manufacturer: VIA Technologies, Inc.
    Name: VIA High Definition Audio
    PNP Device ID: HDAUDIO\FUNC_01&VEN_1106&DEV_0397&SUBSYS_10438346&REV_1000\4&22BA60&0&0001
    Service: VIAHdAudAddService
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC
    Device ID: PCI\VEN_10EC&DEV_8168&SUBSYS_82C61043&REV_02\4&20515DB1&0&00E5
    Manufacturer: Realtek Semiconductor Corp.
    Name: Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC
    PNP Device ID: PCI\VEN_10EC&DEV_8168&SUBSYS_82C61043&REV_02\4&20515DB1&0&00E5
    Service: RTLE8023xp
    .
    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: SM Bus Controller
    Device ID: PCI\VEN_8086&DEV_3A30&SUBSYS_82D41043&REV_00\3&11583659&0&FB
    Manufacturer:
    Name: SM Bus Controller
    PNP Device ID: PCI\VEN_8086&DEV_3A30&SUBSYS_82D41043&REV_00\3&11583659&0&FB
    Service:
    .
    ==== System Restore Points ===================
    .
    RP47: 3/4/2012 5:02:53 PM - System Checkpoint
    RP48: 3/6/2012 6:55:23 PM - System Checkpoint
    RP49: 3/8/2012 2:18:27 AM - System Checkpoint
    RP50: 3/12/2012 6:13:59 AM - System Checkpoint
    RP51: 3/17/2012 12:34:30 PM - System Checkpoint
    RP52: 3/18/2012 3:24:31 PM - System Checkpoint
    RP53: 3/19/2012 10:29:48 PM - System Checkpoint
    RP54: 3/21/2012 5:35:17 PM - System Checkpoint
    RP55: 3/22/2012 6:13:39 PM - System Checkpoint
    RP56: 3/24/2012 4:12:31 PM - System Checkpoint
    RP57: 3/25/2012 5:50:11 PM - System Checkpoint
    RP58: 3/26/2012 6:07:25 PM - System Checkpoint
    RP59: 3/27/2012 6:43:26 PM - System Checkpoint
    RP60: 3/30/2012 3:34:10 PM - System Checkpoint
    RP61: 3/31/2012 4:47:52 PM - System Checkpoint
    RP62: 4/1/2012 5:29:28 PM - System Checkpoint
    RP63: 4/2/2012 5:47:51 PM - System Checkpoint
    RP64: 4/3/2012 6:40:26 PM - System Checkpoint
    RP65: 4/5/2012 6:30:02 PM - System Checkpoint
    RP66: 4/6/2012 6:58:27 PM - System Checkpoint
    RP67: 4/7/2012 7:22:27 PM - System Checkpoint
    RP68: 4/8/2012 8:46:27 PM - System Checkpoint
    RP69: 4/9/2012 9:22:27 PM - System Checkpoint
    RP70: 4/20/2012 3:16:34 PM - System Checkpoint
    RP71: 4/21/2012 3:28:49 PM - System Checkpoint
    RP72: 4/23/2012 2:39:56 PM - System Checkpoint
    RP73: 4/24/2012 4:56:10 PM - System Checkpoint
    RP74: 4/27/2012 1:13:40 PM - System Checkpoint
    RP75: 4/30/2012 11:43:39 AM - System Checkpoint
    RP76: 5/1/2012 9:52:32 PM - System Checkpoint
    RP77: 5/2/2012 7:01:14 PM - Installed Project64 1.6
    RP78: 5/3/2012 7:33:06 PM - System Checkpoint
    RP79: 5/6/2012 10:28:38 AM - Restore Operation
    RP80: 5/8/2012 8:48:34 AM - System Checkpoint
    RP81: 5/9/2012 11:43:45 AM - System Checkpoint
    RP82: 5/10/2012 11:47:53 AM - System Checkpoint
    RP83: 5/11/2012 12:50:11 PM - System Checkpoint
    RP84: 5/12/2012 2:54:13 PM - System Checkpoint
    RP85: 5/13/2012 3:30:50 PM - System Checkpoint
    RP86: 5/14/2012 2:14:16 PM - Installed Microsoft Visual C++ 2005 Redistributable
    RP87: 5/14/2012 2:14:27 PM - Installed AGEIA PhysX v7.07.09
    RP88: 5/14/2012 2:14:56 PM - Installed Medal of Honor Airborne
    RP89: 5/17/2012 9:05:33 AM - System Checkpoint
    RP90: 5/18/2012 11:35:14 AM - System Checkpoint
    RP91: 5/21/2012 3:14:05 PM - System Checkpoint
    RP92: 5/24/2012 11:16:00 AM - System Checkpoint
    RP93: 5/25/2012 5:30:20 AM - Installed EasyTether
    RP94: 5/25/2012 5:31:32 AM - Installed EasyTether
    RP95: 5/25/2012 5:35:47 AM - Installed EasyTether
    RP96: 5/25/2012 5:38:24 AM - Installed EasyTether
    RP97: 6/1/2012 8:45:03 PM - Installed Zune Desktop Theme
    RP98: 6/2/2012 5:23:34 AM - Installed AVG 2012
    RP99: 6/2/2012 5:23:43 AM - Installed AVG 2012
    .
    ==== Installed Programs ======================
    .
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Reader 9.2
    AGEIA PhysX v7.07.09
    AMD APP SDK Runtime
    AMD Catalyst Install Manager
    Arx Fatalis
    AVG 2012
    Call of Duty(R) 4 - Modern Warfare(TM)
    Catalyst Control Center
    Catalyst Control Center - Branding
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center InstallProxy
    ccc-utility
    CCC Help English
    Counter-Strike
    Counter-Strike: Condition Zero
    Counter-Strike: Condition Zero Deleted Scenes
    Counter-Strike: Source
    Day of Defeat
    Day of Defeat: Source
    Deathmatch Classic
    DOOM 3
    DOOM 3: Resurrection of Evil
    Far Cry
    GameSpy Arcade
    Genesis Rising
    Half-Life 2
    Half-Life 2: Deathmatch
    Junk Mail filter update
    Malwarebytes Anti-Malware version 1.61.0.1400
    Medal of Honor Airborne
    Microsoft .NET Framework 2.0
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Halo
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    Morrowind
    Mozilla Firefox 12.0 (x86 en-US)
    Mozilla Maintenance Service
    MSVCRT
    MSXML 4.0 SP2 Parser and SDK
    Oblivion
    Platform
    Project64 1.6
    REALTEK GbE & FE Ethernet PCI-E NIC Driver
    Rome: Total War Gold Edition
    Segoe UI
    SimCity 3000
    Starcraft
    StarCraft II
    Stronghold Crusader
    Team Fortress Classic
    TES Construction Set
    The Elder Scrolls V: Skyrim
    Tibia 7.6
    Tom Clancy's Ghost Recon
    Unreal Tournament: Game of the Year Edition
    VIA Platform Device Manager
    WebFldrs XP
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Mail
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    WinRAR 4.11 (32-bit)
    X-COM: Terror from the Deep
    XP Codec Pack
    Xtreme Sound PCI
    Xtreme Sound PCI Audio Driver
    Yahoo! Messenger
    Yahoo! Software Update
    Yahoo! Toolbar
    Zune Desktop Theme

    .==== Event Viewer Messages From Past Week ========
    .
    6/2/2012 3:44:00 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    6/1/2012 8:32:07 PM, error: Service Control Manager [7000] - The MBAMService service failed to start due to the following error: The system cannot find the file specified.
    6/1/2012 8:30:12 PM, error: Service Control Manager [7001] - The MBAMService service depends on the MBAMProtector service which failed to start because of the following error: The system cannot find the file specified.
    6/1/2012 8:30:12 PM, error: Service Control Manager [7000] - The MBAMProtector service failed to start due to the following error: The system cannot find the file specified.
    6/1/2012 8:19:40 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.CRT. Reference error message: The referenced assembly is not installed on your system. .
    6/1/2012 8:19:40 PM, error: SideBySide [59] - Generate Activation Context failed for E:\Program Files (x86)\Yahoo!\Messenger\rmc_audio.dll. Reference error message: The operation completed successfully. .
    6/1/2012 8:19:40 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
    5/29/2012 2:41:39 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    5/29/2012 2:26:39 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    .
    ==== End Of File ===========================
     
  5. mooney12

    Would also like to note that I scanned twice with AVG and found nothing but tracking cookies.
     
  6. Bobbye

    It would be helpful if you gave me some description of any actual problems you're having.
    ==================================================
    Let's talk about your system:
    Microsoft Windows XP Home Edition
    Install Date: 1/5/2012 1:40:03 PM

    1. No security updates
    2. Antivirus installed today
    3. No other security

    Please fill me in on some history of this system.
    ===============================================

    I'd like you to run Combofix- but it won't run with AVG. You will need to temporarily uninstall AVG as follows:

    Download AppRemover and save to the desktop
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A screen will appear:
    5. Click on Next after choice has been made
    6. Check the AVG program you want to uninstall
    7. After uninstall shows complete, follow online prompts to Exit the program.
    Temporary AV: Use one:
    Microsoft Security Essentials
    Comodo AV
    Avast! Free Antivirus
    =============================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------

    • Download Combofix from HERE or HERE and save to the desktop
      • Double click combofix.exe & follow the prompts.
      • If prompted for Recovery Console, please allow.
      • Once installed, you should see a blue screen prompt that says:
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close any open browsers.
    • Before you run the Combofix scan, please disable any security software you have running.
      (If you need help with this, please see HERE)
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.
    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ================================================

    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ===========================================
    Download CKScanner and save to your desktop.
    • Double-click CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
    ===========================================
    Please leave logs in your next reply.
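    The three system observations above (antivirus disabled and installed the same day, no other security software, the original IE 6 build) are all read straight off the DDS log header posted earlier. The following added example, which is not TechSpot's or the DDS tool's own code, parses a constructed DDS-shaped sample and derives those same triage findings automatically; the P2P client list it uses to flag file-sharing autoruns is a constructed assumption.

```python
"""Triage the header of a DDS log for the points a helper checks first.

This is an added example, not TechSpot's or the DDS tool's own code. It reads
the lines DDS prints near the top of its log (browser version, the AV/FW/SP
Security Center lines, the Pseudo HJT autoruns, the "Created Last 30" list)
and derives the kind of findings the helper listed in the thread.
"""
import re
from datetime import date

# Constructed sample in the shape of the DDS log posted in this thread.
SAMPLE_DDS = r"""DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512
Run by Eric at 10:45:56 on 2012-06-02
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2526 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Pseudo HJT Report ===============
.
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe" /MINIMIZED
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
.
=============== Created Last 30 ================
.
2012-06-02 09:23:35 -------- d-----w- c:\program files\AVG
2012-05-30 22:12:50 -------- d-----w- C:\MEDIA
.
============= FINISH: 10:46:09.42 ===============
"""

# DDS reports Security Center registrations as AV: (antivirus), FW: (firewall)
# and SP: (antispyware) lines, each carrying an *Enabled|Disabled/Updated|Outdated* marker.
SEC_LINE = re.compile(r"^(AV|FW|SP): (.+?) \*(\w+)/(\w+)\*")
RUN_LINE = re.compile(r"^(uRun|mRun): \[(.+?)\] (.+)$")
CREATED_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} \S+ \S+ (.+)$")
# Constructed list of file-sharing clients the helper asks to have disabled during cleaning.
P2P_HINTS = ("utorrent", "bittorrent", "limewire", "frostwire", "emule")


def parse_dds(text):
    """Pull the header facts, autoruns and recent creations out of a DDS log."""
    info = {"ie": None, "run_date": None, "security": {}, "autoruns": [], "created": []}
    for line in text.splitlines():
        if line.startswith("Internet Explorer: "):
            info["ie"] = line.split(": ", 1)[1].strip()
            continue
        if line.startswith("Run by ") and " on " in line:
            info["run_date"] = date.fromisoformat(line.rsplit(" on ", 1)[1].strip())
            continue
        m = SEC_LINE.match(line)
        if m:
            info["security"][m.group(1)] = {"name": m.group(2), "state": m.group(3), "updated": m.group(4)}
            continue
        m = RUN_LINE.match(line)
        if m:
            info["autoruns"].append((m.group(2), m.group(3)))
            continue
        m = CREATED_LINE.match(line)
        if m:
            info["created"].append((date.fromisoformat(m.group(1)), m.group(2)))
    return info


def triage(info):
    """Return (code, message) findings in the order a helper would raise them."""
    findings = []
    sec = info["security"]
    av = sec.get("AV")
    if av is None:
        findings.append(("no-av", "no antivirus registered with Security Center"))
    elif av["state"] != "Enabled":
        findings.append(("av-disabled", f"antivirus '{av['name']}' reported {av['state']}"))
    for kind, label in (("FW", "firewall"), ("SP", "antispyware")):
        if kind not in sec:
            findings.append((f"no-{kind.lower()}", f"no {label} registered with Security Center"))
    # XP SP3 ships IE 6.0.2900.5512; a log still showing a 6.x build never had a later IE installed.
    if info["ie"] and info["ie"].startswith("6."):
        findings.append(("ie6", f"browser is Internet Explorer {info['ie']}; no later IE installed"))
    # An AV program folder created on the day the log was taken means the AV was installed that day.
    if av and info["run_date"]:
        token = av["name"].split()[0].lower()
        for created, path in info["created"]:
            low = path.lower()
            if created == info["run_date"] and low.startswith("c:\\program files\\") and token in low:
                findings.append(("av-installed-today", f"{path} created on the scan date {created}"))
                break
    # File-sharing clients set to start at logon should be disabled during cleaning.
    for name, cmd in info["autoruns"]:
        if any(hint in cmd.lower() for hint in P2P_HINTS):
            findings.append(("p2p-autorun", f"file-sharing client '{name}' starts at logon: {cmd}"))
    return findings


def triage_text(text):
    """Convenience wrapper: parse a DDS log and return its triage findings."""
    return triage(parse_dds(text))


if __name__ == "__main__":
    for code, msg in triage_text(SAMPLE_DDS):
        print(f"[{code}] {msg}")
```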
     
  7. mooney12

    what do you need to know about the system?
     
  8. mooney12

    ComboFix 12-06-02.02 - Eric 06/02/2012 12:21:25.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2664 [GMT -4:00]
    Running from: c:\documents and settings\Eric\My Documents\Downloads\ComboFix.exe
    AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}


    AVG WAS UNINSTALLED VIA APPREMOVER AND DEFAULT PROGRAMS, probably a registry error?<<<<<<<<<<<<<<<<<<<<<<<<<<<

    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Eric\WINDOWS
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-05-02 to 2012-06-02 )))))))))))))))))))))))))))))))
    .
    .
    2012-06-02 09:26 . 2012-06-02 09:26 -------- d-----w- c:\documents and settings\Eric\Application Data\AVG2012
    2012-06-02 09:24 . 2012-06-02 09:24 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
    2012-06-02 09:23 . 2012-06-02 15:50 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
    2012-06-02 09:23 . 2012-06-02 15:45 -------- d-----w- C:\$AVG
    2012-06-02 08:52 . 2012-06-02 15:46 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2012-06-02 06:36 . 2012-06-02 16:05 -------- d-----w- c:\program files\Steam
    2012-06-02 05:46 . 2009-08-06 23:23 274288 ----a-w- c:\windows\system32\mucltui.dll
    2012-06-02 05:46 . 2009-08-06 23:23 215920 ----a-w- c:\windows\system32\muweb.dll
    2012-06-02 00:48 . 2012-06-02 16:05 -------- d-----w- c:\documents and settings\Eric\Tracing
    2012-06-02 00:47 . 2012-06-02 00:47 -------- d-----w- c:\program files\Microsoft Silverlight
    2012-06-02 00:46 . 2012-06-02 00:46 -------- d-----w- c:\program files\Microsoft
    2012-06-02 00:46 . 2012-06-02 00:46 -------- d-----w- c:\program files\Windows Live SkyDrive
    2012-06-02 00:46 . 2012-06-02 00:47 -------- d-----w- c:\program files\Windows Live
    2012-06-02 00:44 . 2012-06-02 00:44 -------- d-----w- c:\program files\Common Files\Windows Live
    2012-06-02 00:38 . 2012-06-02 00:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-06-02 00:38 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-06-02 00:22 . 2012-06-02 00:23 -------- d-----w- c:\documents and settings\Eric\Application Data\Yahoo!
    2012-06-02 00:22 . 2012-06-02 00:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
    2012-06-02 00:22 . 2012-06-02 00:55 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-06-02 00:22 . 2012-06-02 00:55 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-06-02 00:22 . 2012-06-02 00:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
    2012-06-02 00:21 . 2012-06-02 00:22 -------- d-----w- c:\program files\Yahoo!
    2012-06-02 00:19 . 2012-06-02 00:19 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\Google
    2012-06-02 00:19 . 2012-06-02 00:19 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\CRE
    2012-06-02 00:19 . 2012-06-02 00:19 -------- d-----w- c:\program files\Conduit
    2012-06-02 00:19 . 2012-06-02 08:28 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\Conduit
    2012-06-02 00:19 . 2012-06-02 00:19 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\Temp
    2012-06-02 00:10 . 2012-06-02 00:10 -------- d-----w- c:\documents and settings\Eric\Application Data\Malwarebytes
    2012-06-02 00:10 . 2012-06-02 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-06-02 00:09 . 2012-06-02 00:09 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\Mozilla
    2012-06-02 00:09 . 2012-06-02 00:09 -------- d-----w- c:\program files\Mozilla Maintenance Service
    2012-05-30 22:12 . 2012-05-30 22:22 -------- d-----w- C:\MEDIA
    2012-05-30 09:27 . 2012-05-30 09:27 -------- d-----w- C:\Mega Man X series - Maverick Rising
    2012-05-30 09:27 . 2012-05-30 09:27 -------- d-----w- C:\Wild Arms - ARMed and DANGerous
    2012-05-30 09:20 . 2012-06-02 07:01 -------- d-----w- C:\Starcraft
    2012-05-30 04:18 . 2012-05-30 04:18 -------- d-----w- c:\program files\tibia
    2012-05-26 15:28 . 2012-05-26 15:28 -------- d-----w- C:\64b5ac13142b2ede404e9eb7ad
    2012-05-24 19:43 . 2012-05-30 16:21 -------- d-----w- c:\program files\StarCraft II
    2012-05-24 19:43 . 2012-05-25 05:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
    2012-05-24 19:43 . 2012-05-24 20:15 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
    2012-05-19 13:39 . 2012-06-01 19:32 -------- d-----w- C:\Boot
    2012-05-18 19:38 . 2008-04-14 09:41 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
    2012-05-18 19:38 . 2008-04-14 09:41 21504 ----a-w- c:\windows\system32\hidserv.dll
    2012-05-18 19:38 . 2008-04-14 04:09 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
    2012-05-18 19:38 . 2008-04-14 04:09 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
    2012-05-18 19:37 . 2008-04-14 04:15 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
    2012-05-18 19:37 . 2008-04-14 04:15 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
    2012-05-14 18:15 . 2012-05-14 18:15 -------- d-----w- c:\program files\Electronic Arts
    2012-05-14 18:14 . 2012-05-14 18:14 -------- d-----w- c:\program files\AGEIA Technologies
    2012-05-14 18:14 . 2012-05-14 18:14 -------- d-----w- c:\windows\system32\AGEIA
    2012-05-14 18:14 . 2012-05-14 18:14 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2012-05-11 17:03 . 2012-05-11 17:03 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\WMTools Downloaded Files
    2012-05-11 16:32 . 2008-07-09 09:05 421888 ----a-w- c:\windows\system32\ac3filter.acm
    2012-05-11 16:32 . 2012-05-11 16:32 -------- d-----w- c:\program files\XP Codec Pack
    2012-05-11 16:07 . 2012-06-02 07:41 -------- d-----w- c:\documents and settings\Eric\Application Data\Media Player Classic
    2012-05-06 14:28 . 2012-05-06 14:28 -------- d-----w- c:\windows\system32\wbem\Repository
    2012-05-04 20:54 . 2012-05-04 20:54 -------- d-----w- c:\program files\InterActual
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-05-24 17:41 . 2012-04-05 23:07 967 ----a-w- c:\windows\ScUnin.pif
    2012-05-24 17:41 . 2012-04-05 23:07 94208 ----a-w- c:\windows\ScUnin.exe
    2012-05-02 23:01 . 2012-05-02 23:01 40960 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
    2012-05-02 23:01 . 2012-05-02 23:01 40960 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
    2012-04-06 16:32 . 2012-04-06 16:32 1288192 ----a-w- c:\windows\system32\VSFilter.dll
    2012-04-06 16:32 . 2012-04-06 16:32 472576 ----a-w- c:\windows\system32\AviSplitter.ax
    2012-04-06 16:32 . 2012-04-06 16:32 659456 ----a-w- c:\windows\system32\RealMediaSplitter.ax
    2012-04-06 16:32 . 2012-04-06 16:32 548352 ----a-w- c:\windows\system32\MatroskaSplitter.ax
    2012-04-21 01:19 . 2012-06-02 00:09 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2012-05-25 6595928]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files\ATI\ATI.ACE\Core-Static\CLIStart.exe" [2011-11-10 98304]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDAudDeck]
    2008-09-16 15:37 30023680 ----a-r- c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\steam\\Steam.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
    "c:\\Program Files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "e:\\Program Files (x86)\\Steam\\steamapps\\sigfried01515\\counter-strike source\\hl2.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\X-COM Terror from the Deep\\runme.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\X-COM Terror from the Deep\\TFD\\Terror From the Deep_patched.exe"=
    "c:\\Program Files\\StarCraft II\\Versions\\Base21029\\SC2.exe"=
    .
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/1/2012 8:38 PM 654408]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/1/2012 8:38 PM 22344]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [6/1/2012 8:22 PM 257696]
    S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [6/1/2012 8:09 PM 129976]
    S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [1/5/2012 2:45 PM 874240]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-06-02 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-02 00:55]
    .
    .
    ------- Supplementary Scan -------
    .
    TCP: DhcpNameServer = 75.75.75.75 75.75.75.76 75.75.76.76
    FF - ProfilePath - c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\5n7ab7ej.default\
    FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3072253&SearchSource=2&q=
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-CmPCIaudio - CMICNFG3.CPL
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-06-02 12:23
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(644)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\atiadlxx.dll
    .
    - - - - - - - > 'explorer.exe'(2436)
    c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
    .
    Completion time: 2012-06-02 12:24:26
    ComboFix-quarantined-files.txt 2012-06-02 16:24
    .
    Pre-Run: 492,046,622,720 bytes free
    Post-Run: 493,124,915,200 bytes free
    .
    - - End Of File - - 1177626269214436D2BE563157F829EC

    CKScanner - Additional Security Risks - These are not necessarily bad
    c:\documents and settings\eric\desktop\music\mega man x series - maverick rising\flac\disc 3 - vile\3-09 crawfish crackdown [mmx3 - crush crawfish stage] (devastus).flac
    c:\documents and settings\eric\my documents\downloads\malwarebytes.anti.malware.v1.51.2.1300.incl.keygen-fff\fff.nfo
    c:\documents and settings\eric\my documents\downloads\malwarebytes.anti.malware.v1.51.2.1300.incl.keygen-fff\mbam-setup-1.51.2.1300.exe
    c:\documents and settings\eric\my documents\downloads\malwarebytes.anti.malware.v1.51.2.1300.incl.keygen-fff\read me.txt
    c:\program files\firefly studios\stronghold crusader\gm\cracks.gm1
    c:\program files\steam\steamapps\downloading\15300\mods\origmiss\map\mp05_docks\mp05_cracks.rsb
    c:\program files\steam\steamapps\downloading\15300\mods\origmiss\map\training\tr_flr_con_ext_cracks.rsb
    c:\program files\steam\steamapps\downloading\3230\data\resources\bodies\characters\aged_juno\a_normal_neckcrack.anim
    c:\program files\steam\steamapps\downloading\3230\data\resources\bodies\characters\juno\a_normal_neckcrack.anim
    scanner sequence 3.ED.11.EXAASH
    ----- EOF -----

    ESETSmartInstaller@High as downloader log:
    all ok
    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6583
    # api_version=3.0.2
    # EOSSerial=c14ba73a1e2a4742af76d1818084c045
    # end=finished
    # remove_checked=false
    # archives_checked=false<<<<<<< accidentally skipped this step, am running a new scan
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2012-06-02 05:36:59
    # local_time=2012-06-02 01:36:59 (-0500, Eastern Standard Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=1024 16777175 100 0 0 0 0 0
    # compatibility_mode=3073 16777177 80 71 0 14236687 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=236334
    # found=1
    # cleaned=0
    # scan_time=3552
    E:\Users\Eric\Downloads\Programs\cnet2_ashampoo_internet_accelerator_3_3_20_sm_exe.exe a variant of Win32/InstallCore.D application (unable to clean) 00000000000000000000000000000000 I
    ESETSmartInstaller@High as downloader log:
    all ok
    esets_scanner_update returned -1 esets_gle=53251
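    The ComboFix output above is what a helper reads for security posture before anything else: the "Reg Loading Points" section (what autostarts, and from where), the Security Center AntiVirusOverride flag, the firewall policy and the Firefox prefs. The following script is an added example for this thread, not code from TechSpot, ComboFix or any poster. It assumes ComboFix's text layout as seen in the posted log (bracketed registry sections, "Name"="path" [date size] run entries, the "EnableFirewall"= 0 (0x0) line and "FF - prefs.js:" lines) and runs over a constructed sample modelled on that log; the "Updater" entry in the sample is made up to show how an autostart from a user-writable path is flagged.

    ```python
    """Triage checks over a ComboFix-style log: list the Run autostart entries and
    flag the posture settings a malware helper looks at first (firewall off,
    Security Center AV alerts suppressed, Firefox search override, autostarts
    outside the usual program locations).

    Added example for this thread; not code from TechSpot or ComboFix.
    """
    import re
    from typing import Dict, List, Tuple

    # Constructed sample modelled on the log posted above (not the original log).
    # The "Updater" line is invented to exercise the user-writable-path check.
    SAMPLE_LOG = r"""
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2012-05-25 6595928]
    "Updater"="c:\documents and settings\Eric\Local Settings\Temp\example_updater.exe" [2012-06-01 12345]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files\ATI\ATI.ACE\Core-Static\CLIStart.exe" [2011-11-10 98304]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3072253&SearchSource=2&q=
    FF - prefs.js: network.proxy.type - 0
    """

    SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
    RUN_ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
    FIREWALL_RE = re.compile(r'^"EnableFirewall"\s*=\s*(?P<val>\d+)')
    AV_OVERRIDE_RE = re.compile(r'^"AntiVirusOverride"=dword:(?P<val>[0-9a-fA-F]{8})')
    KEYWORD_URL_RE = re.compile(r"^FF - prefs\.js: keyword\.URL - (?P<url>\S+)")

    # Locations a Run entry is normally expected to point at on an XP box
    # (ComboFix prints short 8.3 names such as progra~1 as well as long ones).
    # Anything else (user profile, Temp, drive root) deserves a closer look.
    EXPECTED_PREFIXES = ("c:\\program files", "c:\\progra~1", "c:\\windows")


    def parse_run_entries(log: str) -> Dict[str, List[Tuple[str, str]]]:
        """Map each ...\\Run registry section to its (value name, image path) pairs."""
        entries: Dict[str, List[Tuple[str, str]]] = {}
        current = None
        for raw in log.splitlines():
            line = raw.strip()
            sec = SECTION_RE.match(line)
            if sec:
                key = sec.group("key")
                # Only Run keys are collected; other bracketed sections end the block.
                current = key if key.lower().endswith("\\run") else None
                if current:
                    entries.setdefault(current, [])
                continue
            if current:
                m = RUN_ENTRY_RE.match(line)
                if m:
                    entries[current].append((m.group("name"), m.group("path")))
        return entries


    def triage(log: str) -> List[Tuple[str, str]]:
        """Return (finding code, detail) pairs for the posture problems found in the log."""
        findings: List[Tuple[str, str]] = []
        for line in (ln.strip() for ln in log.splitlines()):
            m = FIREWALL_RE.match(line)
            if m and int(m.group("val")) == 0:
                findings.append(("FIREWALL_OFF", "Windows Firewall disabled (standard profile)"))
            m = AV_OVERRIDE_RE.match(line)
            if m and int(m.group("val"), 16) == 1:
                findings.append(("AV_ALERTS_SUPPRESSED", "Security Center AntiVirusOverride=1"))
            m = KEYWORD_URL_RE.match(line)
            if m:
                # ComboFix defangs http:// to hxxp://, so take the host by hand.
                host = re.search(r"://([^/]+)", m.group("url"))
                findings.append(("FF_SEARCH_OVERRIDE", host.group(1) if host else m.group("url")))
        for section, pairs in parse_run_entries(log).items():
            for name, path in pairs:
                if not path.lower().startswith(EXPECTED_PREFIXES):
                    findings.append(("RUN_FROM_USER_PATH", f"{section}: {name} -> {path}"))
        return findings


    if __name__ == "__main__":
        for code, detail in triage(SAMPLE_LOG):
            print(f"{code:22} {detail}")
    ```

    On the sample this reports the firewall being off, the suppressed AV alerts, the keyword.URL pointing at search.conduit.com, and the invented autostart under Local Settings\Temp; the genuine entries under Program Files pass. The prefix list is deliberately narrow so that anything unusual is surfaced for a human to judge, which is how the helper in this thread treats the log too.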
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You pirated a free security scan to see if you have malware? Please explain the reasoning for this.
    ===================================================

    Please run the MGA Diagnostics tool
    • You will be prompted to either “Run” or “Save” the tool. Choose to “Run” the tool and follow the on-screen prompts.
    • You will receive an Internet Explorer-Security Warning dialog box for the Windows Genuine Advantage Diagnostic Tool.
    • You must choose to Run this tool when prompted.
    • Once you are presented with the Diagnostics tool choose Continue to run the diagnostic report.
    • If the RESOLVE button is available after running the diagnostics, please click RESOLVE to allow the diagnostic tool to attempt a repair.
    • After running the MGA Diagnostic tool, click on the Windows tab and then click on Copy
    • Please return to this thread and Paste the results here for review.
    ------------------------------------------
    This tool is to look on the computer itself, in the documentation you received with the computer or with your retail purchase of Windows, to see if you have a Certificate of Authenticity (COA). If you have one, tell us about the COA. Tell us:

    1. What edition of Windows is it for, Home, Pro, or Media Center, or another version of Windows?
    2. Does it read "OEM Software" or "OEM Product" in black lettering?
    3. Or, does it have the computer manufacturer's name in black lettering?
    4. DO NOT post the Product Key.

    NOTE: The data collected with the Genuine Diagnostics Tool does NOT contain any information that can personally identify you and can be fully reviewed, by you, before being posted.
     
  10. mooney12

    mooney12 TS Member Topic Starter Posts: 88

    I will uninstall it immediately. And I did so because I wanted the full version to keep my computer protected, but I guess that's the wrong way to go, and I don't torrent/pirate stuff anymore as it can compromise your security.

    It's Home.
    I know that my version is an OEM CD that I purchased from Newegg.

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->
    Validation Status: Genuine
    Validation Code: 0
    Cached Validation Code: N/A
    Windows Product Key: *****-*****
    Windows Product Key Hash: LnX6kODCVjgbzNTVqt2ExJ4ACoA=
    Windows Product ID: 76477-OEM-2156761-66574
    Windows Product ID Type: 3
    Windows License Type: OEM System Builder
    Windows OS version: 5.1.2600.2.00010300.3.0.hom
    ID: {A69C8342-668E-429C-A78D-3522DD18A7C1}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: Registered, 1.9.42.0
    Signed By: Microsoft
    Product Name: N/A
    Architecture: N/A
    Build lab: N/A
    TTS Error: N/A
    Validation Diagnostic: 025D1FF3-230-1
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A
    Version: N/A

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: B4D0AA8B-543-80070002_025D1FF3-230-1

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
    Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{A69C8342-668E-429C-A78D-3522DD18A7C1}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010300.3.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-QT2PG</PKey><PID>76477-OEM-2156761-66574</PID><PIDType>3</PIDType><SID>S-1-5-21-1275210071-113007714-1801674531</SID><SYSTEM><Manufacturer>System manufacturer</Manufacturer><Model>System Product Name</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>1501 </Version><SMBIOSVersion major="2" minor="5"/><Date>20081007000000.000000+000</Date></BIOS><HWID>B75D3F9701842079</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

    Licensing Data-->
    N/A

    Windows Activation Technologies-->
    N/A

    HWID Data-->
    N/A

    OEM Activation 1.0 Data-->
    BIOS string matches: yes
    Marker string from BIOS: 145E0:ASUSTeK Computer Inc|15C81:GENUINE C&C INC
    Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

    OEM Activation 2.0 Data-->
    N/A
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    There is no safe site that tells me what the 'calc1 virus' is.

    calc.exe can be an entry from the ZeroAccess Rootkit. It can also be the process that runs the Microsoft Calculator which is included with the operating system.

    What I want to know about your system:

    1. The system shows Install Date: 1/5/2012. Was that a new install of Windows XP or was it reformat/reinstall of the OS??
    2. Why aren't there any security updates on the system?
    3. What happened to make you think you had a virus named calc1?
    4. What did you do to try and remove it?
    5. This file is loading: C:\Documents and Settings\Eric\My Documents\Downloads\bwh18b4d.exe. What is it?
    6. There are 2 Restore Points for AVG 2012 on 6/2/2012. Did you have antivirus protection before that?
    =====================================================
    The attempt to remove AVG before running Combofix failed. Please run the App Remover again. After AVG has been removed, repeat the Combofix scan.
    ====================================================
    Uninstall the pirated Malwarebytes you have now. Then use Windows Explorer to access Computer> Local Drive> Programs> find the program folder for Mbam and remove it with a right click> Delete.

    Reboot the computer
    ===================================================

    DO NOT use a torrent site to download the following!
    • Please download Malwarebytes' Anti-Malware from HERE
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      [o] Update Malwarebytes' Anti-Malware
      [o] and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform Full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please attach this log with your reply.
      Note: on opening Notepad, click on Format> make sure Word Wrap is unchecked.
      [o] If you accidentally close it, the log file is saved here and will be named like this:
      [o] C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    ========================

    The OS has not been activated:
    Windows License Type: OEM System Builder
    http://www.microsoft.com/oem/en/licensing/sblicensing/pages/licensing_faq.aspx#faq5
     
  12. mooney12

    mooney12 TS Member Topic Starter Posts: 88

    1. The system shows Install Date: 1/5/2012. Was that a new install of Windows XP or was it reformat/reinstall of the OS??
    2. Why aren't there any security updates on the system?
    3. What happened to make you think you had a virus named calc1?
    4. What did you do to try and remove it?
    5. This file is loading: C:\Documents and Settings\Eric\My Documents\Downloads\bwh18b4d.exe. What is it?
    6. There are 2 Restore Points for AVG 2012 on 6/2/2012. Did you have antivirus protection before that?

    1. It was a reformat.
    2. Never got around to it, will do so immediately.
    3. Was looking at the askjolene search engine, went to a page, the MB pirated version showed it in the logs, no longer have it... now when I scan my system everything seems normal.
    4. Remove what, the virus? Ran MB twice, AVG twice, ESET twice on BOTH partitions, system clean.
    5. That file is GMER, which I downloaded from this site.
    6. No, and I was not connected to the internet before that.

    Will post MB/ComboFix in next reply, and also.... I'm 100% positive that I activated my OEM key, I did so over the phone when my computer didn't have internet.

    App Remover does not detect AVG, nor does Default Programs, yet when I run ComboFix it says AVG is active and running??

    Not sure what to do at this point. MB scanning both partitions, 280k files - clean.



    MALWAREBYTES LOG

    Malwarebytes Anti-Malware (PRO) 1.61.0.1400
    www.malwarebytes.org

    Database version: v2012.06.05.05

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Eric :: DURANDAL [administrator]

    Protection: Disabled

    6/5/2012 12:58:55 PM
    mbam-log-2012-06-05 (12-58-55).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 447343
    Time elapsed: 1 hour(s), 36 minute(s), 22 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Get your system up to speed. Remove any pirated software. Get a firewall and at least 2 antimalware programs on the system. Activate the system properly. Put whatever updates are still available for Win XP.

    At this time, I do not see any indication of what you're referring to as malware.
    =================================================
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    -----
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    ------------------------------------------
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disc Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

    Empty the Recycle Bin
    ====================================================
    You may find the following helpful: (Links are Bold Blue)
    Tips for added security and safer browsing:
    1. Browser Security
      [o]Make Internet Explorer safer
      [o] Use WOT Site Advisor..
      Have layered Security:
    2. Antivirus Software(only one):
      [o]Microsoft Security Essentials
      [o]Comodo AV
      [o]Avast! Free Antivirus
      =============================
    3. Firewall (only one)
      [o] Zone Alarm Free
      [o]Comodo Firewall Free
    4. Antispyware/Security: I recommend all of the following:
      [o]Spywareblaster:Protects against bad ActiveX.
      [o]IE/Spyad Restricts bad domains.
      [o]MVPS Hosts files Directs HOSTS file to 127.0.0.1 which is your local computer.
      [o]Google Toolbar Popup Stopper
    5. Stay current on updates:
      [o] Windows Updates. You should get All updates marked Critical and the current SP updates.
      [o] Adobe Reader. Uninstall old.
      [o]Java Uninstall old.
    6. Reset Cookies to prevent Tracking Cookies:
      [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-on for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
      [o]For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
      (First-party and third-party cookies can be set by the website you're visiting and websites that have items embedded in the website you're visiting. But when you next visit the website, only first-party cookie information is sent to the website. Third-party cookie information isn't sent back to the websites that originally set the third-party cookies.)
    7. Do regular Maintenance
      [o]To include Disc Cleanup, Defrag, Error Check.
    8. Remove Temporary Internet Files regularly:
      [o]TFC
    9. System Restore Guide: Understand Restore Points> why you need to clean and set restore points and what information is in them.
      [*] Practice Safe Email Handling
      [o] Don't open email from anyone you don't know.
      [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click
      [o] Don't leave your personal email address on the internet/ Have a separate email account on free web-based mail.

    Please let me know if you find any bad links.
     
  14. mooney12

    mooney12 TS Member Topic Starter Posts: 88

    Thanks for the help man, you can mark this as solved :D

    Did everything on your list and I will practice safe file/email handling and regular updates.
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome!
     
Topic Status:
Not open for further replies.
