TechSpot

Help with win32/heur

By asouperman
Jan 17, 2011
  1. I followed your 8 step removal and here are the logs.
    Thank You
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5538

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 8.0.6001.18702

    1/17/2011 2:28:38 PM
    mbam-log-2011-01-17 (14-28-38).txt

    Scan type: Quick scan
    Objects scanned: 143474
    Time elapsed: 6 minute(s), 25 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 59
    Registry Values Infected: 6
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 4

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    c:\WINDOWS\system32\msctfime.iem (Trojan.GamesThief) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360hotfix.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rp.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360se.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360SoftMgrSvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360speedld.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ast.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avmailc.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwebgrd.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kmailmon.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\krnl360svc.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kswebshield.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcagent.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcmscsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McNASvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcods.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McProxy.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McSACore.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcshield.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcsysmon.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsshld.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpfSrv.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPMon.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC1.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC2.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msksrver.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qutmserv.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rsnetsvr.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsTray.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanFrm.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SfCtlCom.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TMBMSRV.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TmProxy.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UfSeAgnt.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zhudongfangyu.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\修复工具.exe (Security.Hijack) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdAgent.exe\Debugger (Security.Hijack) -> Value: Debugger -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger (Security.Hijack) -> Value: Debugger -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe\Debugger (Security.Hijack) -> Value: Debugger -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\livesrv.exe\Debugger (Security.Hijack) -> Value: Debugger -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\seccenter.exe\Debugger (Security.Hijack) -> Value: Debugger -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe\Debugger (Security.Hijack) -> Value: Debugger -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\WINDOWS\system32\gbvgbv12.exe (Trojan.GamesThief) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\msctfime.iem (Trojan.GamesThief) -> Delete on reboot.
    c:\WINDOWS\windowsupdata7.jpg (Trojan.Traces) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\gbvgbv07.exe (Trojan.OnlineGames) -> Quarantined and deleted successfully.


    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2011-01-17 18:20:50
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 HTS541010G9AT00 rev.MBZOA60A
    Running: sqmeuizi[1].exe; Driver: C:\DOCUME~1\Tony\LOCALS~1\Temp\pxtdqpow.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

    ---- EOF - GMER 1.0.15 ----


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 5/19/2006 9:54:08 AM
    System Uptime: 1/17/2011 6:15:32 PM (0 hours ago)

    Motherboard: Gateway | |
    Processor: AMD Turion(tm) 64 Mobile Technology ML-32 | Socket 754 | 1790/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 86 GiB total, 75.582 GiB free.
    D: is FIXED (FAT32) - 7 GiB total, 4.993 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Marvell Yukon 88E8036 PCI-E Fast Ethernet Controller
    Device ID: PCI\VEN_11AB&DEV_4351&SUBSYS_0300107B&REV_10\4&2EA2911C&0&0030
    Manufacturer: Marvell
    Name: Marvell Yukon 88E8036 PCI-E Fast Ethernet Controller
    PNP Device ID: PCI\VEN_11AB&DEV_4351&SUBSYS_0300107B&REV_10\4&2EA2911C&0&0030
    Service: yukonwxp

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    Adobe Flash Player 9 ActiveX
    Adobe Reader 7.0
    Adobe Shockwave Player
    AiO_Scan_CDA
    AiOSoftwareNPI
    ArcSoft Software Suite
    ATI - Software Uninstall Utility
    ATI Control Panel
    ATI Display Driver
    AVG 2011
    Broadcom 802.11 Network Adapter
    BufferChm
    Conexant AC-Link Audio
    CP_Package_Variety1
    CP_Package_Variety2
    CP_Package_Variety3
    CustomerResearchQFolder
    Destinations
    DeviceManagementQFolder
    DocProc
    DVD Solution
    eSupportQFolder
    F300
    F300_Help
    F300Trb
    Fax_CDA
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB893357)
    Hotfix for Windows XP (KB895953)
    Hotfix for Windows XP (KB896256)
    Hotfix for Windows XP (KB896344)
    Hotfix for Windows XP (KB906569)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    HPProductAssistant
    Internet Explorer Security Plugin 2006
    J2SE Runtime Environment 5.0 Update 2
    Malwarebytes' Anti-Malware
    MarketResearch
    Media-Codec 4.0
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Digital Image Library 9 - Blocker
    Microsoft Digital Image Starter Edition 2006
    Microsoft Digital Image Starter Edition 2006 Editor
    Microsoft Digital Image Starter Edition 2006 Library
    Microsoft Money 2006
    Microsoft Office 2003 Web Components
    Microsoft Office Standard Edition 2003
    Microsoft Office XP Web Components
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Works
    MSN
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6 Service Pack 2 (KB973686)
    MyITLab ActiveX Installer 2.7.5.312
    NewCopy_CDA
    Power2Go 4.0
    PowerDVD
    ProductContextNPI
    Public Messenger ver 2.03
    QuickTime
    Readme
    RealPlayer Basic
    Recovery Software Suite Gateway
    Scan
    ScannerCopy
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB883939)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB896688)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899588)
    Security Update for Windows XP (KB899589)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB903235)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB905915)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB918899)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920214)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921503)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922760)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925454)
    Security Update for Windows XP (KB925486)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928090)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB929969)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931768)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933566)
    Security Update for Windows XP (KB933729)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Security Update for Windows XP (KB936021)
    Security Update for Windows XP (KB937143)
    Security Update for Windows XP (KB938127)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB938829)
    Security Update for Windows XP (KB939653)
    Security Update for Windows XP (KB941202)
    Security Update for Windows XP (KB941568)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB941644)
    Security Update for Windows XP (KB941693)
    Security Update for Windows XP (KB942615)
    Security Update for Windows XP (KB943055)
    Security Update for Windows XP (KB943460)
    Security Update for Windows XP (KB943485)
    Security Update for Windows XP (KB944338)
    Security Update for Windows XP (KB944533)
    Security Update for Windows XP (KB944653)
    Security Update for Windows XP (KB945553)
    Security Update for Windows XP (KB946026)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB947864)
    Security Update for Windows XP (KB948590)
    Security Update for Windows XP (KB948881)
    Security Update for Windows XP (KB950749)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958470)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969897)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974455)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Soft Data Fax Modem with SmartCP
    SolutionCenter
    Status
    Synaptics Pointing Device Driver
    Texas Instruments PCIxx21/x515/xx12 drivers.
    TIPCI
    Toolbox
    TrayApp
    Unload
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows XP (KB894391)
    Update for Windows XP (KB896727)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB908531)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB925720)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB929338)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB931836)
    Update for Windows XP (KB933360)
    Update for Windows XP (KB938828)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB942840)
    Update for Windows XP (KB946627)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB953356)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Viewpoint Media Player
    WebFldrs XP
    WebReg
    Windows Backup Utility
    Windows Imaging Component
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 8
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Hotfix - KB834707
    Windows XP Hotfix - KB867282
    Windows XP Hotfix - KB873333
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888239
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890047
    Windows XP Hotfix - KB890175
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB890923
    Windows XP Hotfix - KB891781
    Windows XP Hotfix - KB893066
    Windows XP Hotfix - KB893086

    ==== Event Viewer Messages From Past Week ========

    1/17/2011 6:16:57 PM, error: System Error [1003] - Error code 000000f7, parameter1 84d9d000, parameter2 000062d8, parameter3 ffff9d27, parameter4 00000000.
    1/17/2011 6:07:42 PM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: The system cannot find the file specified.
    1/17/2011 6:07:40 PM, error: SRService [104] - The System Restore initialization process failed.
    1/17/2011 2:17:16 PM, error: Service Control Manager [7034] - The PrismXL service terminated unexpectedly. It has done this 1 time(s).
    1/17/2011 2:17:16 PM, error: Service Control Manager [7034] - The Broadcom Wireless LAN Tray Service service terminated unexpectedly. It has done this 1 time(s).
    1/17/2011 2:17:16 PM, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).
    1/17/2011 2:13:43 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
    1/17/2011 2:13:28 PM, error: Service Control Manager [7023] - The COM+ Event System service terminated with the following error: Invalid access to memory location.
    1/17/2011 1:58:18 PM, error: Service Control Manager [7001] - The System Event Notification service depends on the COM+ Event System service which failed to start because of the following error: Invalid access to memory location.
    1/17/2011 1:58:14 PM, error: Workstation [5728] - Could not load any transport.
    1/17/2011 1:36:46 PM, error: Service Control Manager [7023] - The Background Intelligent Transfer Service service terminated with the following error: The specified module could not be found.
    1/17/2011 1:31:54 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: abp480n5 adpu160m agp440 agpCPQ Aha154x aic78u2 aic78xx AliIde alim1541 amdagp amsint asc asc3350p asc3550 cbidf cd20xrnt CmdIde Cpqarray dac2w2k dac960nt dpti2o hpn i2omp ini910u IntelIde mraid35x perc2 perc2hib ql1080 Ql10wnt ql12160 ql1240 ql1280 sisagp Sparrow symc810 symc8xx sym_hi sym_u3 TosIde ultra viaagp ViaIde

    ==== End Of File ===========================

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Tony at 18:22:28.25 on Mon 01/17/2011
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.958.368 [GMT -5:00]

    AV: AVG Internet Security 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: AVG Firewall *Enabled*

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    "C:\WINDOWS\system32\svchost.exe"
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\ArcSoft\Software Suite\TotalMedia Backup & Record\uBBMonitor.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\MsiExec.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\Program Files\AVG\AVG10\avgfws.exe
    C:\Program Files\AVG\AVG10\avgnsx.exe
    C:\Program Files\AVG\AVG10\avgchsvx.exe
    C:\Program Files\AVG\AVG10\avgrsx.exe
    C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\Program Files\AVG\AVG10\avgam.exe
    C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\Documents and Settings\Tony\Local Settings\Temporary Internet Files\Content.IE5\YTD33KFS\dds[1].scr

    ============== Pseudo HJT Report ===============

    uSearch Bar = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6440
    uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6440
    mWinlogon: SFCDisable=-99 (0xffffff9d)
    EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
    mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
    mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [Cleanup] c:\docume~1\owner\locals~1\temp\2011116211644_mcappins.exe /v=3 /cleanup
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    dRun: [Power2GoExpress] NA
    dRunOnce: [RunNarrator] Narrator.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\totalm~1.lnk - c:\program files\arcsoft\software suite\totalmedia backup & record\uBBMonitor.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    Trusted Zone: amaena.com
    Trusted Zone: avsystemcare.com
    Trusted Zone: gomyhit.com
    Trusted Zone: imageservr.com
    Trusted Zone: imagesrvr.com
    Trusted Zone: onerateld.com
    Trusted Zone: safetydownload.com
    Trusted Zone: storageguardsoft.com
    Trusted Zone: trustedantivirus.com
    Trusted Zone: virusschlacht.com
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    STS: {2be26361-58a2-4836-be57-b838f02fec3f} - No File

    ============= SERVICES / DRIVERS ===============

    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
    R2 avgfws;AVG Firewall;c:\program files\avg\avg10\avgfws.exe [2010-11-22 3226632]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-23 6128208]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
    R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
    R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2006-4-18 200576]
    S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]

    =============== Created Last 30 ================

    2011-01-17 17:28:33 -------- d--h--w- C:\$AVG
    2011-01-17 17:22:40 -------- d-----w- c:\docume~1\tony\applic~1\AVG10
    2011-01-17 17:21:15 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
    2011-01-17 17:18:16 -------- d-----w- c:\windows\system32\drivers\AVG
    2011-01-17 17:18:16 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
    2011-01-17 17:17:35 -------- d-----w- c:\program files\AVG
    2011-01-17 17:05:03 267776 ----a-w- c:\windows\system32\ddraw.dll
    2011-01-17 16:13:17 -------- d-----w- c:\docume~1\tony\applic~1\Malwarebytes
    2011-01-17 16:12:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-17 16:12:27 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2011-01-17 16:12:23 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-17 16:12:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-17 15:29:51 -------- d-----w- c:\program files\CleanUp!
    2011-01-17 13:52:22 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
    2011-01-17 13:50:05 -------- d-sh--w- c:\documents and settings\tony\PrivacIE
    2011-01-17 13:26:01 -------- dc-h--w- c:\windows\ie8
    2011-01-17 02:58:12 -------- d-----w- c:\windows\pss
    2011-01-17 02:19:17 50232 ----a-w- c:\windows\system32\dbr24002.ocx
    2011-01-17 02:19:17 33280 ----a-w- c:\windows\system32\gbvgbv24.exe
    2011-01-17 02:19:09 33280 ----a-w- c:\windows\system32\gbvgbv23.exe
    2011-01-17 02:18:53 33280 ----a-w- c:\windows\system32\gbvgbv21.exe
    2011-01-17 02:18:45 33280 ----a-w- c:\windows\system32\gbvgbv20.exe
    2011-01-17 02:18:36 33280 ----a-w- c:\windows\system32\gbvgbv19.exe
    2011-01-17 02:18:28 33280 ----a-w- c:\windows\system32\gbvgbv18.exe
    2011-01-17 02:18:20 33280 ----a-w- c:\windows\system32\gbvgbv16.exe
    2011-01-17 02:18:12 33280 ----a-w- c:\windows\system32\gbvgbv15.exe
    2011-01-17 02:18:04 33280 ----a-w- c:\windows\system32\gbvgbv02.exe
    2011-01-17 02:17:56 33280 ----a-w- c:\windows\system32\gbvgbv14.exe
    2011-01-17 02:17:48 33280 ----a-w- c:\windows\system32\gbvgbv05.exe
    2011-01-17 02:17:40 33280 ----a-w- c:\windows\system32\gbvgbv22.exe
    2011-01-17 02:17:39 49208 ----a-w- c:\windows\system32\dbr22002.ocx
    2011-01-17 02:17:22 33280 ----a-w- c:\windows\system32\gbvgbv17.exe
    2011-01-17 02:17:13 33280 ----a-w- c:\windows\system32\gbvgbv00.exe
    2011-01-17 02:17:04 33280 ----a-w- c:\windows\system32\gbvgbv08.exe
    2011-01-17 02:16:47 49208 ----a-w- c:\windows\system32\dbr01013.ocx
    2011-01-17 02:16:47 33280 ----a-w- c:\windows\system32\gbvgbv01.exe
    2011-01-17 02:16:39 33280 ----a-w- c:\windows\system32\gbvgbv10.exe
    2011-01-17 02:16:31 33280 ----a-w- c:\windows\system32\gbvgbv13.exe
    2011-01-17 02:16:06 33280 ----a-w- c:\windows\system32\gbvgbv11.exe
    2011-01-17 02:15:58 33280 ----a-w- c:\windows\system32\gbvgbv06.exe
    2011-01-17 02:15:50 33280 ----a-w- c:\windows\system32\gbvgbv09.exe
    2011-01-17 02:15:42 33280 ----a-w- c:\windows\system32\gbvgbv03.exe

    ==================== Find3M ====================

    2011-01-17 17:05:11 369152 ----a-w- c:\windows\system32\dsound.dll
    2011-01-17 17:05:03 369152 ----a-w- c:\windows\system32\dsound.dll.bak
    2011-01-17 17:01:58 267776 ----a-w- c:\windows\system32\ddraw.dll.bak
    2011-01-17 17:01:49 793600 ----a-w- c:\windows\system32\comres.dll
    2011-01-17 13:44:26 793600 ----a-w- c:\windows\system32\comres.dll.bak

    ============= FINISH: 18:23:48.04 ===============
     
  2. Broni

    Broni, Malware Annihilator

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    =======================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.

    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  3. asouperman

    asouperman TS Rookie Topic Starter

    MBR

    Here is the MBR report. AppRemover failed to remove AVG.


    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000001c

    Kernel Drivers (total 182):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806D0000 \WINDOWS\system32\hal.dll
    0xF7A72000 \WINDOWS\system32\KDCOM.DLL
    0xF7982000 \WINDOWS\system32\BOOTVID.dll
    0xF7443000 ACPI.sys
    0xF7A74000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF7432000 pci.sys
    0xF7572000 isapnp.sys
    0xF7986000 compbatt.sys
    0xF798A000 \WINDOWS\system32\DRIVERS\BATTC.SYS
    0xF7B3A000 pciide.sys
    0xF77F2000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF7A76000 aliide.sys
    0xF7A78000 cmdide.sys
    0xF7A7A000 toside.sys
    0xF7A7C000 viaide.sys
    0xF7A7E000 intelide.sys
    0xF7414000 pcmcia.sys
    0xF7582000 MountMgr.sys
    0xF73F5000 ftdisk.sys
    0xF77FA000 PartMgr.sys
    0xF798E000 ACPIEC.sys
    0xF7B3B000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
    0xF7592000 VolSnap.sys
    0xF7992000 cpqarray.sys
    0xF73DD000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
    0xF73C5000 atapi.sys
    0xF7996000 aha154x.sys
    0xF7802000 sparrow.sys
    0xF799A000 symc810.sys
    0xF75A2000 aic78xx.sys
    0xF799E000 dac960nt.sys
    0xF75B2000 ql10wnt.sys
    0xF79A2000 amsint.sys
    0xF780A000 asc.sys
    0xF79A6000 asc3550.sys
    0xF7812000 mraid35x.sys
    0xF781A000 i2omp.sys
    0xF79AA000 ini910u.sys
    0xF75C2000 ql1240.sys
    0xF75D2000 aic78u2.sys
    0xF7822000 symc8xx.sys
    0xF782A000 sym_hi.sys
    0xF7832000 sym_u3.sys
    0xF783A000 ABP480N5.SYS
    0xF7842000 asc3350p.sys
    0xF7A80000 cd20xrnt.sys
    0xF75E2000 ultra.sys
    0xF73AC000 adpu160m.sys
    0xF784A000 dpti2o.sys
    0xF75F2000 ql1080.sys
    0xF7602000 ql1280.sys
    0xF7612000 ql12160.sys
    0xF7852000 perc2.sys
    0xF7A82000 perc2hib.sys
    0xF785A000 hpn.sys
    0xF79AE000 cbidf2k.sys
    0xF7380000 dac2w2k.sys
    0xF7622000 disk.sys
    0xF7632000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF7360000 fltmgr.sys
    0xF7349000 KSecDD.sys
    0xF72BC000 Ntfs.sys
    0xF728F000 NDIS.sys
    0xF7642000 sisagp.sys
    0xF7652000 viaagp.sys
    0xF7662000 ohci1394.sys
    0xF7672000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
    0xF7275000 Mup.sys
    0xF7862000 avgrkx86.sys
    0xF7682000 AVGIDSEH.Sys
    0xF7692000 agp440.sys
    0xF76A2000 alim1541.sys
    0xF76B2000 amdagp.sys
    0xF76C2000 agpCPQ.sys
    0xF76E2000 \SystemRoot\system32\DRIVERS\nic1394.sys
    0xF76F2000 \SystemRoot\system32\DRIVERS\AmdK8.sys
    0xF7A2E000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0xF702F000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
    0xF701B000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF78DA000 \SystemRoot\system32\DRIVERS\usbohci.sys
    0xF6FF7000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF78E2000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF7702000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xF78EA000 \SystemRoot\system32\drivers\Afc.sys
    0xF7712000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF7722000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xF6FD4000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF7732000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xF7902000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF6FA6000 \SystemRoot\system32\DRIVERS\SynTP.sys
    0xF7A86000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF7912000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF6F4B000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
    0xF6F23000 \SystemRoot\system32\drivers\tifm21.sys
    0xF6F0F000 \SystemRoot\system32\DRIVERS\sdbus.sys
    0xF6EB9000 \SystemRoot\system32\drivers\camc6hal.sys
    0xF7742000 \SystemRoot\system32\drivers\camc6aud.sys
    0xF6E95000 \SystemRoot\system32\drivers\portcls.sys
    0xF7752000 \SystemRoot\system32\drivers\drmk.sys
    0xF6DC4000 \SystemRoot\system32\DRIVERS\HSFHWATI.sys
    0xF6CC6000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
    0xF6C1A000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
    0xF7942000 \SystemRoot\System32\Drivers\Modem.SYS
    0xF7952000 \SystemRoot\system32\DRIVERS\avgfwdx.sys
    0xF7BE5000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF7762000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF7A52000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF6C03000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF7772000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF7782000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF7972000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF6BF2000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF7792000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF7882000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF7892000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF77A2000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF7A8E000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF6B94000 \SystemRoot\system32\DRIVERS\update.sys
    0xF7A62000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF77B2000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF77E2000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF7168000 \SystemRoot\System32\Drivers\i2omgmt.SYS
    0xF7255000 \SystemRoot\system32\DRIVERS\avgmfx86.sys
    0xF7A98000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7C2B000 \SystemRoot\System32\Drivers\Null.SYS
    0xF7A9C000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF78BA000 \SystemRoot\System32\drivers\vga.sys
    0xF7AA0000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF7AA4000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF78CA000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF78F2000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF7160000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xF2A01000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xF29A8000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xF2960000 \SystemRoot\system32\DRIVERS\avgtdix.sys
    0xF293A000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xF7245000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xF7235000 \SystemRoot\system32\DRIVERS\arp1394.sys
    0xF2912000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xF7A32000 \SystemRoot\System32\drivers\ws2ifsl.sys
    0xF28F0000 \SystemRoot\System32\drivers\afd.sys
    0xF7225000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xF28C5000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xF2855000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xF71F5000 \SystemRoot\System32\Drivers\Fips.SYS
    0xF27F3000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
    0xF27B7000 \SystemRoot\system32\DRIVERS\avgldx86.sys
    0xF276B000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xF26DB000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF7AFA000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xF270F000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF2A84000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7B96000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\ati2dvag.dll
    0xBF04E000 \SystemRoot\System32\ati2cqag.dll
    0xBF080000 \SystemRoot\System32\atikvmag.dll
    0xBF0B2000 \SystemRoot\System32\ati3duag.dll
    0xBF2E6000 \SystemRoot\System32\ativvaxx.dll
    0xF055F000 \SystemRoot\system32\DRIVERS\AegisP.sys
    0xF0557000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xF02E6000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xF7AC8000 \SystemRoot\System32\Drivers\ASCTRM.SYS
    0xF6E45000 \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys
    0xF02DE000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    0xF0154000 \SystemRoot\system32\DRIVERS\srv.sys
    0xF025E000 \SystemRoot\system32\DRIVERS\AVGIDSFilter.Sys
    0xF0064000 \SystemRoot\system32\DRIVERS\AVGIDSDriver.Sys
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xEFCB7000 \SystemRoot\system32\drivers\wdmaud.sys
    0xF0104000 \SystemRoot\system32\drivers\sysaudio.sys
    0xF7AE4000
    0xEFC6C000
    0xEFE14000
    0xEFE34000
    0xEFC41000 \SystemRoot\system32\drivers\kmixer.sys
    0xF7BCE000
    0xEFA29000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xEF8B0000 \SystemRoot\System32\Drivers\HTTP.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 51):
    0 System Idle Process
    4 System
    840 C:\WINDOWS\system32\smss.exe
    872 C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
    928 C:\PROGRA~1\AVG\AVG10\avgrsx.exe
    1076 csrss.exe
    1116 C:\WINDOWS\system32\winlogon.exe
    1188 C:\WINDOWS\system32\services.exe
    1200 C:\WINDOWS\system32\lsass.exe
    1424 C:\WINDOWS\system32\ati2evxx.exe
    1444 C:\WINDOWS\system32\svchost.exe
    1552 svchost.exe
    1596 C:\WINDOWS\system32\svchost.exe
    1708 svchost.exe
    1748 svchost.exe
    2040 C:\WINDOWS\system32\WLTRYSVC.EXE
    116 C:\WINDOWS\system32\BCMWLTRY.EXE
    192 C:\WINDOWS\system32\spoolsv.exe
    272 svchost.exe
    316 C:\Program Files\AVG\AVG10\avgfws.exe
    620 C:\Program Files\AVG\AVG10\avgwdsvc.exe
    824 C:\WINDOWS\system32\HPZipm12.exe
    1052 C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    1152 C:\WINDOWS\system32\svchost.exe
    1328 wdfmgr.exe
    1988 C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    1204 C:\WINDOWS\system32\wuauclt.exe
    2016 C:\Program Files\AVG\AVG10\avgam.exe
    336 C:\Program Files\AVG\AVG10\avgnsx.exe
    2084 C:\WINDOWS\system32\ati2evxx.exe
    2228 wmiprvse.exe
    2260 C:\WINDOWS\explorer.exe
    3060 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    3128 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    3184 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    3256 C:\Program Files\Internet Explorer\iexplore.exe
    3268 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    3328 C:\WINDOWS\system32\WLTRAY.EXE
    3416 C:\Program Files\QuickTime\qttask.exe
    3640 C:\Program Files\AVG\AVG10\avgtray.exe
    3892 C:\WINDOWS\system32\ctfmon.exe
    3988 alg.exe
    792 C:\Program Files\ArcSoft\Software Suite\TotalMedia Backup & Record\uBBMonitor.exe
    2184 C:\Program Files\AVG\AVG10\avgcsrvx.exe
    3764 C:\Program Files\Internet Explorer\iexplore.exe
    2420 C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
    3056 C:\Program Files\Internet Explorer\iexplore.exe
    3852 C:\Program Files\Internet Explorer\iexplore.exe
    2568 C:\Documents and Settings\Tony\Local Settings\Temporary Internet Files\Content.IE5\MCLARLL7\MBRCheck[1].exe
    1976 C:\WINDOWS\system32\wuauclt.exe
    2644 C:\WINDOWS\SoftwareDistribution\Download\dde4ab1aadf2bde9aad7fd6adf8b4bae\update\update.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`b5ce7a00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)

    PhysicalDrive0 Model Number: HTS541010G9AT00, Rev: MBZOA60A

    Size Device Name MBR Status
    --------------------------------------------
    93 GB \\.\PhysicalDrive0 Unknown MBR code
    SHA1: B912FB73863AB8851B2740E0251894FAEECAF4CD


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Done!
     
  4. asouperman

    asouperman TS Rookie Topic Starter

    combofix

    Here is the ComboFix report.
    Thank you for your help!

    ComboFix 11-01-17.01 - Tony 01/17/2011 19:49:13.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.646 [GMT -5:00]
    Running from: c:\documents and settings\Tony\My Documents\tony-log.exe
    FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\media-codec
    c:\program files\media-codec\ot.ico
    c:\program files\media-codec\ts.ico
    c:\windows\system32\_000006_.tmp.dll
    c:\windows\system32\_000007_.tmp.dll
    c:\windows\system32\c_30218.nls
    c:\windows\system32\dbr01013.ocx
    c:\windows\system32\dbr22002.ocx
    c:\windows\system32\dbr24002.ocx
    c:\windows\system32\ddraw.dll.bak
    c:\windows\system32\gbvgbv00.exe
    c:\windows\system32\gbvgbv01.exe
    c:\windows\system32\gbvgbv02.exe
    c:\windows\system32\gbvgbv03.exe
    c:\windows\system32\gbvgbv05.exe
    c:\windows\system32\gbvgbv06.exe
    c:\windows\system32\gbvgbv08.exe
    c:\windows\system32\gbvgbv09.exe
    c:\windows\system32\gbvgbv10.exe
    c:\windows\system32\gbvgbv11.exe
    c:\windows\system32\gbvgbv13.exe
    c:\windows\system32\gbvgbv14.exe
    c:\windows\system32\gbvgbv15.exe
    c:\windows\system32\gbvgbv16.exe
    c:\windows\system32\gbvgbv17.exe
    c:\windows\system32\gbvgbv18.exe
    c:\windows\system32\gbvgbv19.exe
    c:\windows\system32\gbvgbv20.exe
    c:\windows\system32\gbvgbv21.exe
    c:\windows\system32\gbvgbv22.exe
    c:\windows\system32\gbvgbv23.exe
    c:\windows\system32\gbvgbv24.exe
    c:\windows\system32\stu2.exe
    D:\Autorun.inf

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_FORTER


    ((((((((((((((((((((((((( Files Created from 2010-12-18 to 2011-01-18 )))))))))))))))))))))))))))))))
    .

    2011-01-18 00:06 . 2011-01-18 00:06 -------- d-----w- c:\windows\system32\scripting
    2011-01-18 00:06 . 2011-01-18 00:06 -------- d-----w- c:\windows\l2schemas
    2011-01-18 00:06 . 2011-01-18 00:06 -------- d-----w- c:\windows\system32\en
    2011-01-18 00:06 . 2011-01-18 00:06 -------- d-----w- c:\windows\system32\bits
    2011-01-17 23:53 . 2011-01-17 23:53 -------- d-----w- c:\windows\EHome
    2011-01-17 23:38 . 2011-01-17 23:38 -------- d-----w- c:\program files\Trend Micro
    2011-01-17 17:21 . 2011-01-17 17:21 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
    2011-01-17 17:18 . 2011-01-18 00:37 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
    2011-01-17 17:17 . 2011-01-17 17:17 -------- d-----w- c:\program files\AVG
    2011-01-17 17:05 . 2008-04-14 00:11 279552 ----a-w- c:\windows\system32\ddraw.dll
    2011-01-17 16:12 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-17 16:12 . 2011-01-17 16:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-01-17 16:12 . 2011-01-17 16:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-17 16:12 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-17 15:29 . 2011-01-17 17:28 -------- d-----w- c:\program files\CleanUp!
    2011-01-17 13:52 . 2011-01-17 17:17 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2011-01-17 13:44 . 2008-04-14 00:11 792064 ----a-w- c:\windows\system32\comres.dll
    2011-01-17 13:44 . 2011-01-17 13:50 -------- d-----w- c:\documents and settings\Tony
    2011-01-17 13:36 . 2011-01-17 13:36 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
    2011-01-17 13:33 . 2011-01-17 13:33 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
    2011-01-17 13:33 . 2011-01-17 13:33 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2011-01-17 13:32 . 2011-01-17 13:32 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
    2011-01-17 13:26 . 2011-01-17 13:27 -------- dc-h--w- c:\windows\ie8

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-17 17:05 . 2004-08-26 16:11 369152 ----a-w- c:\windows\system32\dsound.dll.bak
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
    "Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-29 344064]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-04-19 98304]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Power2GoExpress"="NA" [X]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    TotalMedia Backup & Record Monitor.lnk - c:\program files\ArcSoft\Software Suite\TotalMedia Backup & Record\uBBMonitor.exe [2006-12-10 266240]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [4/18/2006 7:44 PM 200576]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6440
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: amaena.com
    Trusted Zone: avsystemcare.com
    Trusted Zone: imageservr.com
    Trusted Zone: imagesrvr.com
    Trusted Zone: onerateld.com
    Trusted Zone: safetydownload.com
    Trusted Zone: storageguardsoft.com
    Trusted Zone: trustedantivirus.com
    Trusted Zone: virusschlacht.com
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .
    - - - - ORPHANS REMOVED - - - -

    AddRemove-All ATI Software - c:\program files\ATI Technologies\UninstallAll\AtiCimUn.exe
    AddRemove-CNXT_AUDIO - c:\program files\CONEXANT\CNXT_AUDIO\HXFSETUP.EXE
    AddRemove-CNXT_MODEM_PCI_VEN_1002&DEV_4378&SUBSYS_0300107B - c:\program files\CONEXANT\CNXT_MODEM_PCI_VEN_1002&DEV_4378&SUBSYS_0300107B\HXFSETUP.EXE
    AddRemove-Help and Support - c:\progra~1\VERIZO~1\HELPSU~1\Uninstall.exe
    AddRemove-Internet Explorer Security Plugin 2006 - c:\program files\Media-Codec\iesuninst.exe
    AddRemove-Media-Codec - c:\program files\Media-Codec\uninst.exe
    AddRemove-Money2006b - c:\program files\Microsoft Money 2006\MNYCoreFiles\Setup\uninst.exe
    AddRemove-MSNINST - c:\program files\MSN\MsnInstaller\msninst.exe
    AddRemove-Public Messenger ver 2.03 - c:\program files\Media-Codec\pmuninst.exe
    AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9c.exe
    AddRemove-ViewpointMediaPlayer - c:\program files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-17 19:54
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(640)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\System32\BCMLogon.dll

    - - - - - - - > 'explorer.exe'(3884)
    c:\windows\system32\SynTPFcs.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\OneX.DLL
    c:\windows\system32\eappprxy.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\System32\wltrysvc.exe
    c:\windows\System32\bcmwltry.exe
    c:\windows\system32\HPZipm12.exe
    c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    c:\windows\system32\wdfmgr.exe
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\WLTRAY.exe
    .
    **************************************************************************
    .
    Completion time: 2011-01-17 19:58:12 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-01-18 00:58

    Pre-Run: 80,790,265,856 bytes free
    Post-Run: 80,704,266,240 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    - - End Of File - - 63693A5F5EE41B023DE1BB0711375DC2
     
  5. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    We need to double check your MBR...

    Download Bootkit Remover to your Desktop.

    • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR-compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
    • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right-click on remover.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.

    =======================================================================

    Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
     
  6. asouperman

    asouperman TS Rookie Topic Starter

    boot remover

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000001`b5ce7a00
    Boot sector MD5 is: 1c2cb8572a044a14cace6d033e5575b7

    Size Device Name MBR Status
    --------------------------------------------
    93 GB \\.\PhysicalDrive0 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Done;
    Press any key to quit...
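
    The Bootkit Remover output above reports the boot code on PhysicalDrive0 as unknown, prints a boot-sector MD5, and suggests dumping the master boot sector for manual inspection. As an added example (my own code, not eSage Lab's tool and not something posted in this thread), here is a small Python inspector for such a 512-byte dump: it checks the 0x55AA signature, hashes both the boot-code area and the whole sector (tools differ in which of the two they hash, so both are shown), decodes the partition table, and compares the code hash against a caller-supplied set of hashes taken from a known-clean machine. The classic MBR layout it assumes (code, 4-byte disk signature at offset 440, four 16-byte partition entries at 446, signature at 510) is stated in the docstring; the sample sector is constructed inline and is not a real MBR.

```python
"""Inspect a raw master boot record (MBR) dump before acting on an
"Unknown boot code" verdict.

Added example for this thread; it is not eSage Lab's Bootkit Remover and
not code posted by anyone here. It assumes the classic 512-byte MBR layout:
boot code, a 4-byte disk signature at offset 440, four 16-byte partition
entries at offset 446 and the 0x55AA signature at offset 510.
"""
import hashlib
import struct

SECTOR_LEN = 512
CODE_LEN = 440            # bytes of boot code before the disk signature
PTABLE_OFF = 446
ENTRY_LEN = 16
# status, (CHS start, 3 bytes), type, (CHS end, 3 bytes), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    """Split a sector dump into signature check, hashes and partition entries."""
    if len(sector) != SECTOR_LEN:
        raise ValueError("expected a %d-byte sector dump" % SECTOR_LEN)
    code = sector[:CODE_LEN]
    partitions = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, PTABLE_OFF + i * ENTRY_LEN)
        if ptype == 0 and count == 0:
            continue                      # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
        })
    return {
        "signature_ok": sector[510:512] == b"\x55\xaa",
        "disk_signature": struct.unpack_from("<I", sector, CODE_LEN)[0],
        "code_md5": hashlib.md5(code).hexdigest(),      # hash of the code area only
        "sector_md5": hashlib.md5(sector).hexdigest(),  # hash of the whole sector
        "partitions": partitions,
    }


def classify(info: dict, known_good_code_md5: set) -> str:
    """Compare the boot-code hash against hashes the caller trusts (e.g. from a
    clean machine with the same Windows version). This example ships no hash
    database; the set is the caller's."""
    if not info["signature_ok"]:
        return "invalid"            # not a bootable MBR at all
    if info["code_md5"] in known_good_code_md5:
        return "known-good"
    return "unknown"


def load_sector(path: str) -> bytes:
    """Read the first sector of a dump file written by any MBR dump tool."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_LEN)


def build_sample_sector() -> bytes:
    """Constructed sample (not a real MBR): a few x86 bytes plus NOP padding
    as the code area, one bootable type-0x07 partition at LBA 63, valid
    signature and an arbitrary disk signature."""
    code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (CODE_LEN - 7)
    disk_sig = struct.pack("<I", 0x12345678) + b"\x00\x00"
    entry = struct.pack(ENTRY_FMT, 0x80, 0x07, 63, 195_000_000)
    table = entry + b"\x00" * (3 * ENTRY_LEN)
    return code + disk_sig + table + b"\x55\xaa"


if __name__ == "__main__":
    info = parse_mbr(build_sample_sector())
    print(classify(info, set()), info["code_md5"], info["partitions"])
```

    With no trusted hashes supplied the verdict is always "unknown", which is exactly the situation in this thread: an unknown hash is a prompt to compare against a clean reference, not proof of infection on its own.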
     
  7. Broni

    I still need the ESET scan.
     
  8. asouperman

    eset scan

    When I try the ESET scan, after accepting and clicking Start, the screen just stays blank.
     
  9. Broni

    Try different browser.
     
  10. asouperman

    different browser

    ESET is still scanning.
     
  11. Broni

    OK...............
     
  12. asouperman

    eset file

    C:\Documents and Settings\Owner\Shared\celebrate me home kenny.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
    C:\Documents and Settings\Owner\Shared\listen beyonce.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
    C:\Documents and Settings\Owner\Shared\love you i do jennifer hudson.mp3 WMA/TrojanDownloader.GetCodec.C trojan
    C:\Documents and Settings\Owner\Shared\nothing bout love makes sense.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
    C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig\ENU\ReadMe.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\AntivirusGolden\Logs\scan_log_09242006-224536.html HTML/ScrInject.B.Gen virus
    C:\Program Files\AntivirusGolden\Logs\scan_log_09252006-104518.html HTML/ScrInject.B.Gen virus
    C:\Program Files\AntivirusGolden\Logs\scan_log_09252006-155229.html HTML/ScrInject.B.Gen virus
    C:\Program Files\AntivirusGolden\Logs\scan_log_09252006-181946.html HTML/ScrInject.B.Gen virus
    C:\Program Files\AntivirusGolden\Logs\scan_log_09252006-221753.html HTML/ScrInject.B.Gen virus
    C:\Program Files\AntivirusGolden\Logs\scan_log_09262006-083922.html HTML/ScrInject.B.Gen virus
    C:\Program Files\AntivirusGolden\Logs\scan_log_09262006-091741.html HTML/ScrInject.B.Gen virus
    C:\Program Files\AntivirusGolden\Logs\scan_log_09262006-111052.html HTML/ScrInject.B.Gen virus
    C:\Program Files\AntivirusGolden\Logs\scan_log_09272006-143254.html HTML/ScrInject.B.Gen virus
    C:\Program Files\AntivirusGolden\Logs\scan_log_09272006-151138.html HTML/ScrInject.B.Gen virus
    C:\Program Files\AntivirusGolden\Logs\scan_log_09272006-160449.html HTML/ScrInject.B.Gen virus
    C:\Program Files\ArcSoft\Software Suite\Panorama Maker 4\Support\Help\How to shoot.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\ArcSoft\Software Suite\Panorama Maker 4\Support\Help\Shooting Checklist.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\ArcSoft\Software Suite\Panorama Maker 4\Support\Registration\registration.html HTML/ScrInject.B.Gen virus
    C:\Program Files\ArcSoft\Software Suite\Photo Greeting Card\Support\Registration\registration.html HTML/ScrInject.B.Gen virus
    C:\Program Files\ArcSoft\Software Suite\Scrapbook Creator\Web Registration\registration.html HTML/ScrInject.B.Gen virus
    C:\Program Files\ArcSoft\Software Suite\TotalMedia Backup & Record\Support\Registration\registration.html HTML/ScrInject.B.Gen virus
    C:\Program Files\ArcSoft\Software Suite\Web\webserve.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\AVG\AVG10\Notification\BuyFull_cz.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\AVG\AVG10\Notification\BuyFull_da.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\AVG\AVG10\Notification\BuyFull_es.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\AVG\AVG10\Notification\BuyFull_fr.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\AVG\AVG10\Notification\BuyFull_ge.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\AVG\AVG10\Notification\BuyFull_hu.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\AVG\AVG10\Notification\BuyFull_id.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\AVG\AVG10\Notification\BuyFull_in.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\AVG\AVG10\Notification\BuyFull_it.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\AVG\AVG10\Notification\BuyFull_jp.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\AVG\AVG10\Notification\BuyFull_ko.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\AVG\AVG10\Notification\BuyFull_ms.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\AVG\AVG10\Notification\BuyFull_nl.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\AVG\AVG10\Notification\BuyFull_pb.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\AVG\AVG10\Notification\BuyFull_pl.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\AVG\AVG10\Notification\BuyFull_pt.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\AVG\AVG10\Notification\BuyFull_ru.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\AVG\AVG10\Notification\BuyFull_sc.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\AVG\AVG10\Notification\BuyFull_sk.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\AVG\AVG10\Notification\BuyFull_sp.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\AVG\AVG10\Notification\BuyFull_tr.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\AVG\AVG10\Notification\BuyFull_us.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\AVG\AVG10\Notification\BuyFull_zh.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\AVG\AVG10\Notification\BuyFull_zt.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\BigFix\__Data\BigFix\proxy.html HTML/ScrInject.B.Gen virus
    C:\Program Files\BigFix\__Data\BigFix\TutorialPage1.html HTML/ScrInject.B.Gen virus
    C:\Program Files\BigFix\__Data\BigFix\TutorialPage2.html HTML/ScrInject.B.Gen virus
    C:\Program Files\BigFix\__Data\BigFix\TutorialPage3.html HTML/ScrInject.B.Gen virus
    C:\Program Files\BigFix\__Data\BigFix\TutorialPage4.html HTML/ScrInject.B.Gen virus
    C:\Program Files\BigFix\__Data\BigFix\TutorialPage5.html HTML/ScrInject.B.Gen virus
    C:\Program Files\BigFix\__Data\BigFix\TutorialPage6.html HTML/ScrInject.B.Gen virus
    C:\Program Files\BigFix\__Data\BigFix\TutorialPage7.html HTML/ScrInject.B.Gen virus
    C:\Program Files\BigFix\__Data\BigFix\TutorialPage8.html HTML/ScrInject.B.Gen virus
    C:\Program Files\BigFix\__Data\Gateway\ad.html HTML/ScrInject.B.Gen virus
    C:\Program Files\BigFix\__Data\Gateway\ad_main.html HTML/ScrInject.B.Gen virus
    C:\Program Files\CyberLink\Power2Go\Readme.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\CyberLink\Power2Go\p2go-upgrade\p2go-upgrade.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\CyberLink\PowerDVD\Readme.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\CyberLink\PowerDVD\AVSettings\Audio.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\CyberLink\PowerDVD\AVSettings\AVSetMenu.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\CyberLink\PowerDVD\AVSettings\Color.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\CyberLink\PowerDVD\AVSettings\Default.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\CyberLink\PowerDVD\AVSettings\Main.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\CyberLink\PowerDVD\AVSettings\Main_Audio.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\CyberLink\PowerDVD\AVSettings\Video.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\CyberLink\PowerDVD\pdvd6-dlx-audiopack\pdvd6-dvdaudio.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\CyberLink\PowerDVD\pdvd6-dlx-dts\pdvd6-dlx-dts.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\CyberLink\PowerDVD\pdvd6-interactual\pdvd6-interactual.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\CyberLink\PowerDVD\pdvd6-mobility\pdvd6-mobility.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\CyberLink\PowerDVD\pdvd6-upgrade\pdvd6-upgrade.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\CyberLink\PowerDVD\pdvd6_dolby\pdvd6-dolby.html HTML/ScrInject.B.Gen virus
    C:\Program Files\HP\Digital Imaging\Skins\oov1\sc\scan.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\HP\Digital Imaging\Skins\oov1\ul\CamDate.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\HP\Digital Imaging\Skins\oov1\ul\DeviceSelect.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\HP\Digital Imaging\Skins\oov1\ul\PhotoDate.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\HP\Digital Imaging\Skins\oov1\ul\Progress.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\HP\Digital Imaging\Skins\oov1\ul\Startup.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\HP\Digital Imaging\Skins\oov1\ul\Summary.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Microsoft Digital Image 2006\1033\Movies\adveditingpro.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Microsoft Digital Image 2006\1033\Movies\exploringpro.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Microsoft Digital Image 2006\1033\Movies\facepro.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Microsoft Digital Image 2006\1033\Movies\organizepro.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Microsoft Digital Image 2006\1033\Movies\touchuppro.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Microsoft Digital Image 2006\Plug-Ins\Alien Skinformation.html HTML/ScrInject.B.Gen virus
    C:\Program Files\Microsoft Money 2006\MNYCoreFiles\WebCache\AccountsTutorial.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Microsoft Money 2006\MNYCoreFiles\WebCache\backuphelp.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Microsoft Money 2006\MNYCoreFiles\WebCache\BillsTutorial.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Microsoft Money 2006\MNYCoreFiles\WebCache\BudgetTutorial.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Microsoft Money 2006\MNYCoreFiles\WebCache\CreditTOC.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Microsoft Money 2006\MNYCoreFiles\WebCache\finsrv_DLX.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Microsoft Money 2006\MNYCoreFiles\WebCache\finsrv_PRM.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Microsoft Money 2006\MNYCoreFiles\WebCache\finsrv_STD.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Microsoft Money 2006\MNYCoreFiles\WebCache\GettingISP.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Microsoft Money 2006\MNYCoreFiles\WebCache\gksell_DLX.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Microsoft Money 2006\MNYCoreFiles\WebCache\invessentials.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Microsoft Money 2006\MNYCoreFiles\WebCache\InvestmentQIFImport.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Microsoft Money 2006\MNYCoreFiles\WebCache\InvestmentResearch.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Microsoft Money 2006\MNYCoreFiles\WebCache\InvResearchOnline.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Microsoft Money 2006\MNYCoreFiles\WebCache\LAUNCHER.HTM HTML/ScrInject.B.Gen virus
    C:\Program Files\Microsoft Money 2006\MNYCoreFiles\WebCache\newfeat.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Microsoft Money 2006\MNYCoreFiles\WebCache\newfeat_lps.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Microsoft Money 2006\MNYCoreFiles\WebCache\newfeat_std.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Microsoft Money 2006\MNYCoreFiles\WebCache\newsvc.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Microsoft Money 2006\MNYCoreFiles\WebCache\newsvc_biz.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Microsoft Money 2006\MNYCoreFiles\WebCache\newsvc_prm.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Microsoft Money 2006\MNYCoreFiles\WebCache\newsvc_std.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Microsoft Money 2006\MNYCoreFiles\WebCache\osp_std.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Microsoft Money 2006\MNYCoreFiles\WebCache\PocketPCInfo.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Microsoft Money 2006\MNYCoreFiles\WebCache\privacy.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Microsoft Money 2006\MNYCoreFiles\WebCache\quote.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Microsoft Money 2006\MNYCoreFiles\WebCache\taxessentials.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Microsoft Money 2006\MNYCoreFiles\WebCache\Tour.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Microsoft Office\OFFICE11\INTLBAND.HTM HTML/ScrInject.B.Gen virus
    C:\Program Files\Microsoft Office\OFFICE11\1033\OFREADME.HTM HTML/ScrInject.B.Gen virus
    C:\Program Files\Microsoft Office\OFFICE11\1033\OLREADME.HTM HTML/ScrInject.B.Gen virus
    C:\Program Files\Microsoft Office\OFFICE11\1033\PPREADME.HTM HTML/ScrInject.B.Gen virus
    C:\Program Files\Microsoft Office\OFFICE11\1033\PVREADME.HTM HTML/ScrInject.B.Gen virus
    C:\Program Files\Microsoft Office\OFFICE11\1033\WDREADME.HTM HTML/ScrInject.B.Gen virus
    C:\Program Files\Microsoft Office\OFFICE11\1033\XLREADME.HTM HTML/ScrInject.B.Gen virus
    C:\Program Files\QuickTime\QuickTime Read Me.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Real\RealPlayer\playrlic.html HTML/ScrInject.B.Gen virus
    C:\Program Files\Real\RealPlayer\Readme.html HTML/ScrInject.B.Gen virus
    C:\Program Files\Slingo ® Deluxe\HowToPlay\HowToPlay.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Slingo ® Deluxe\HowToPlay\Pages\Contents.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Slingo ® Deluxe\HowToPlay\Pages\FAQ.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Slingo ® Deluxe\HowToPlay\Pages\Rules.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Slingo ® Deluxe\HowToPlay\Pages\Strategy.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Slingo ® Deluxe\HowToPlay\Pages\Welcome.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Verizon Online\Help Support\page\apperror.html HTML/ScrInject.B.Gen virus
    C:\Program Files\Verizon Online\Help Support\page\auth_error.html HTML/ScrInject.B.Gen virus
    C:\Program Files\Verizon Online\Help Support\page\error.html HTML/ScrInject.B.Gen virus
    C:\Program Files\Verizon Online\Help Support\page\home.html HTML/ScrInject.B.Gen virus
    C:\Program Files\Verizon Online\Help Support\page\index.html HTML/ScrInject.B.Gen virus
    C:\Program Files\Verizon Online\Help Support\page\pocfrontdoor.html HTML/ScrInject.B.Gen virus
    C:\Program Files\Verizon Online\Help Support\page\summary.html HTML/ScrInject.B.Gen virus
    C:\Program Files\Verizon Online\Help Support\SmartBridge\AlertTmpl.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Verizon Online\Help Support\SmartBridge\AlertTmplType1.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Verizon Online\Help Support\SmartBridge\AlertTmplType2.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Verizon Online\Help Support\SmartBridge\AlertTmplType3.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Verizon Online\Help Support\SmartBridge\AlertTmplType4.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Verizon Online\Help Support\SmartBridge\AlertTmplType5.htm HTML/ScrInject.B.Gen virus
    C:\Program Files\Verizon Online\Help Support\SmartBridge\SmartBridgeUpdate.htm HTML/ScrInject.B.Gen virus
    C:\Qoobox\Quarantine\C\WINDOWS\system32\dbr01013.ocx.vir probably a variant of Win32/PSW.OnLineGames.QLH trojan
    C:\Qoobox\Quarantine\C\WINDOWS\system32\dbr22002.ocx.vir probably a variant of Win32/PSW.OnLineGames.QLH trojan
    C:\Qoobox\Quarantine\C\WINDOWS\system32\dbr24002.ocx.vir probably a variant of Win32/PSW.OnLineGames.QLH trojan
    C:\WINDOWS\$NtServicePackUninstall$\userinit.exe a variant of Win32/TrojanDownloader.FakeAlert.AAB trojan
    D:\MiniNT\system32\6to4.dll Win32/AutoRun.AntiAV.T worm
    D:\MiniNT\system32\DHCP.dll Win32/AutoRun.AntiAV.T worm
    D:\MiniNT\system32\AppMgmt.dll Win32/AutoRun.AntiAV.T worm
    D:\MiniNT\system32\AudioSrv.dll Win32/AutoRun.AntiAV.T worm
    D:\MiniNT\system32\CryptSvc.dll Win32/AutoRun.AntiAV.T worm
    D:\MiniNT\system32\ERSvc.dll Win32/AutoRun.AntiAV.T worm
    D:\MiniNT\system32\EventSystem.dll Win32/AutoRun.AntiAV.T worm
    D:\MiniNT\system32\HidServ.dll Win32/AutoRun.AntiAV.T worm
    D:\MiniNT\system32\Ias.dll Win32/AutoRun.AntiAV.T worm
    D:\MiniNT\system32\Iprip.dll Win32/AutoRun.AntiAV.T worm
    D:\MiniNT\system32\Irmon.dll Win32/AutoRun.AntiAV.T worm
    D:\MiniNT\system32\LanmanServer.dll Win32/AutoRun.AntiAV.T worm
    D:\MiniNT\system32\LanmanWorkstation.dll Win32/AutoRun.AntiAV.T worm
    D:\MiniNT\system32\Messenger.dll Win32/AutoRun.AntiAV.T worm
    D:\MiniNT\system32\Nla.dll Win32/AutoRun.AntiAV.T worm
    D:\MiniNT\system32\Ntmssvc.dll Win32/AutoRun.AntiAV.T worm
    D:\MiniNT\system32\NWCWorkstation.dll Win32/AutoRun.AntiAV.T worm
    D:\MiniNT\system32\Nwsapagent.dll Win32/AutoRun.AntiAV.T worm
    D:\MiniNT\system32\Rasauto.dll Win32/AutoRun.AntiAV.T worm
    D:\MiniNT\system32\Remoteaccess.dll Win32/AutoRun.AntiAV.T worm
    D:\MiniNT\system32\Schedule.dll Win32/AutoRun.AntiAV.T worm
    D:\MiniNT\system32\Seclogon.dll Win32/AutoRun.AntiAV.T worm
    D:\MiniNT\system32\SENS.dll Win32/AutoRun.AntiAV.T worm
    D:\MiniNT\system32\Sharedaccess.dll Win32/AutoRun.AntiAV.T worm
    D:\MiniNT\system32\SRService.dll Win32/AutoRun.AntiAV.T worm
    D:\MiniNT\system32\Tapisrv.dll Win32/AutoRun.AntiAV.T worm
    D:\MiniNT\system32\TrkWks.dll Win32/AutoRun.AntiAV.T worm
    D:\i386\Apps\App04782\money\accoun~1.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App04782\money\bakhelp.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App04782\money\billst~1.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App04782\money\budget~1.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App04782\money\credit~2.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App04782\money\finsrvd.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App04782\money\finsrvp.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App04782\money\finsrvs.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App04782\money\gkselld.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App04782\money\invess~1.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App04782\money\invest~1.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App04782\money\invest~2.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App04782\money\invres~1.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App04782\money\launcher.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App04782\money\newfeat.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App04782\money\newfeats.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App04782\money\newfea~1.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App04782\money\newsvc.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App04782\money\newsvcb.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App04782\money\newsvcp.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App04782\money\newsvcs.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App04782\money\osp_std.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App04782\money\ppcinfo.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App04782\money\privacy.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App04782\money\quote.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App04782\money\taxess~1.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App04782\money\tour.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App04782\money\warranty.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App23139\releasenotes.html HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App31327\p2go\readme\read_chs.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App31327\p2go\readme\read_cht.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App31327\p2go\readme\read_deu.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App31327\p2go\readme\read_enu.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App31327\p2go\readme\read_esp.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App31327\p2go\readme\read_fra.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App31327\p2go\readme\read_ita.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App31327\p2go\readme\read_jpn.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App31327\p2go\readme\read_kor.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App31327\pdvd\readme\readchs.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App31327\pdvd\readme\readcht.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App31327\pdvd\readme\readdeu.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App31327\pdvd\readme\readenu.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App31327\pdvd\readme\readesp.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App31327\pdvd\readme\readfra.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App31327\pdvd\readme\readita.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App31327\pdvd\readme\readjpn.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App31327\pdvd\readme\readkor.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App01607\common\msshared\wkshared\oem\ws06warr.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App01607\pfiles\msworks\standard\help.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App01607\pfiles\msworks\standard\pages.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App01607\pfiles\msworks\standard\start.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App01607\pfiles\msworks\standard\tasks.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App01607\pfiles\msworks\standard\wksgsg.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App01607\pfiles\msworks\suite\help.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App01607\pfiles\msworks\suite\pages.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App01607\pfiles\msworks\suite\start.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App01607\pfiles\msworks\suite\tasks.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App01607\pfiles\msworks\suite\wksgsg.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App01607\pfiles\office\ppv\pvreadme.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App07342\readme.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App07342\setup.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App07342\files\pfiles\msoffice\office11\1033\ofreadme.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App07342\files\pfiles\msoffice\office11\1033\olreadme.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App07342\files\pfiles\msoffice\office11\1033\ppreadme.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App07342\files\pfiles\msoffice\office11\1033\pvreadme.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App07342\files\pfiles\msoffice\office11\1033\wdreadme.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App07342\files\pfiles\msoffice\office11\1033\xlreadme.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App23742\pi\1033\movies\advedi_1.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App23742\pi\1033\movies\explor_1.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App23742\pi\1033\movies\facepro.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App23742\pi\1033\movies\organi_1.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App23742\pi\1033\movies\touchu_1.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App23742\pi\plug_ins\aliens_1.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App24318\actshell.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App24318\amd.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App24318\dtsgnup.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App24318\msobshel.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App24318\error\dialtone.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App24318\html\dslmain\dslmain.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App24318\html\dslmain\dsl_a.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App24318\html\dslmain\dsl_b.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App24318\html\oemcust\aolchoos.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App24318\html\oemcust\bbgwbuy.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App24318\html\oemcust\bbsetup.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App24318\html\oemcust\byoachos.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App24318\html\oemcust\espbasic.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App24318\html\oemcust\espcc.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App24318\html\oemcust\espquestion.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App24318\html\oemcust\espterms.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App24318\html\oemcust\espthankyou.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App24318\html\oemcust\netscape.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App24318\html\oemcust\oemcust.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App24318\html\oemcust\sellbyoa.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App24318\html\oemhw\oemhw.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App24318\html\oemreg\oemadd.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App24318\isperror\ispdtone.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App24318\regerror\rdtone.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App24318\setup\badeula.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App24318\setup\compname.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App24318\setup\dialup.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App24318\setup\drdyisp.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App24318\setup\drdyref.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App24318\setup\fini.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App24318\setup\ics.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App24318\setup\isp.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App24318\setup\miglist.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App24318\setup\neweula.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App24318\setup\oempriv.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App24318\setup\prvcyms.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App24318\setup\reg1.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App24318\setup\reg3.htm HTML/ScrInject.B.Gen virus
    D:\i386\Apps\App24318\setup\welcome.htm HTML/ScrInject.B.Gen virus
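
    A list this long is hard to reason about line by line, and the questions asked later in the thread (what drive D is, whether the software is legitimate) are easier to raise once the findings are grouped. As an added example (my own code, not ESET's and not something posted in this thread), here is a small Python triage script that parses lines in the form shown above, groups findings by detection name, top-level folder, drive and confidence qualifier ("probably a variant of" versus "a variant of" versus an exact name), and counts items that were already sitting in a quarantine folder. The sample lines are copied from the export above; the regular expression is an assumption about the export layout as it appears in this thread.

```python
"""Triage an ESET Online Scanner "List of found threats" export.

Added example for this thread, not ESET's code and not something posted
here. It assumes lines in the form shown in the thread:
"<path> [probably ][a variant of ]<Family>/<Name> <type>"
(an assumption about the layout as it appears above).
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<qualifier>(?:probably\s+)?(?:a\s+variant\s+of\s+)?)"
    r"(?P<name>[A-Za-z0-9]+/[A-Za-z0-9._-]+)\s+"
    r"(?P<kind>trojan|virus|worm|application|adware)\s*$",
    re.IGNORECASE,
)


def parse_line(line):
    """Return a finding dict for one export line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    q = m.group("qualifier").lower()
    if "probably" in q:
        confidence = "heuristic"   # scanner is inferring, not matching a signature
    elif "variant" in q:
        confidence = "generic"     # generic signature for a family
    else:
        confidence = "exact"       # named signature match
    path = m.group("path")
    parts = path.split("\\")
    drive = parts[0].upper()
    top = "\\".join(parts[:2]) if len(parts) > 1 else drive
    return {
        "path": path,
        "drive": drive,
        "top": top,                 # e.g. "C:\\Program Files"
        "name": m.group("name"),
        "kind": m.group("kind").lower(),
        "confidence": confidence,
        # ComboFix parks removed items under C:\Qoobox\Quarantine; a hit
        # there is on an already-neutralised copy
        "quarantined": "\\qoobox\\quarantine\\" in path.lower(),
    }


def parse_report(text):
    """Parse a whole export; unparsed non-empty lines are returned separately."""
    findings, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f is None:
            unparsed.append(line)
        else:
            findings.append(f)
    return findings, unparsed


def summarize(findings):
    """Counts a helper wants at a glance before deciding clean vs. reinstall."""
    return {
        "by_name": Counter(f["name"] for f in findings),
        "by_top": Counter(f["top"] for f in findings),
        "by_confidence": Counter(f["confidence"] for f in findings),
        "already_quarantined": sum(1 for f in findings if f["quarantined"]),
        "drives": sorted({f["drive"] for f in findings}),
    }


# Sample input: seven lines copied from the export quoted in this thread.
SAMPLE = r"""
C:\Documents and Settings\Owner\Shared\listen beyonce.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Program Files\AntivirusGolden\Logs\scan_log_09242006-224536.html HTML/ScrInject.B.Gen virus
C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig\ENU\ReadMe.htm HTML/ScrInject.B.Gen virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\dbr01013.ocx.vir probably a variant of Win32/PSW.OnLineGames.QLH trojan
C:\WINDOWS\$NtServicePackUninstall$\userinit.exe a variant of Win32/TrojanDownloader.FakeAlert.AAB trojan
D:\MiniNT\system32\6to4.dll Win32/AutoRun.AntiAV.T worm
D:\i386\Apps\App04782\money\quote.htm HTML/ScrInject.B.Gen virus
"""

if __name__ == "__main__":
    found, skipped = parse_report(SAMPLE)
    for key, value in summarize(found).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
    print("unparsed lines:", len(skipped))
```

    Run against the full export, the "by_top" and "by_name" counts show at a glance that one generic HTML detection covers files in many unrelated vendor folders and on a second drive, which is the kind of spread a helper would want to see before the questions in post 14.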
     
  13. asouperman

    eset

    any suggestions?
     
  14. Broni

    This doesn't look good.

    I need some more info...
    Is this legit Windows version?
    What is drive D?
    Are all those programs listed above, like Microsoft Office, CyberLink Power2Go, ArcSoft, AVG, etc. some downloaded, cracked applications?
     
  15. asouperman

    legit

    As far as I know it's all legit. Someone gave me this laptop because it wouldn't work.
    I don't know what the D drive is.
     
  16. Broni

    OK, we can try to clean it, but I can't guarantee everything will work afterwards.
    You don't know much about this computer, since it was given to you, but to me it looks like there is a lot of illegal cracked software there, including (maybe) Windows itself.

    In my opinion, clean Windows installation would be the best choice here.

    If you don't want to do this, or you can't do it.....

    Let's start with re-running ESET and this time mark all found items for deletion.

    Keep in mind my initial warning.
     
  17. asouperman

    ok

    I already did the ESET scan with the deletion. I'll reload Windows tomorrow.
    Thank You very much for your help.
     
  18. Broni

    That's always the best solution to any used computer.

    Good luck :)
     
  19. asouperman

    Thanks

    Thank You!
     
  20. Broni

    Sure thing :)
     
Topic Status:
Not open for further replies.
