Solved Black Internet virus?

[WhatAboutGary]

I'm guessing I have the black interner virus. Lots of iExplorer.exe processes, random audio from ads...

I've tried may of the suggestions from other threads with no luck. I'm hoping someone can help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:12:20 PM, on 12/28/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\OpenCase\OpenCASE Media Agent\MediaAgent.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
C:\Documents and Settings\Gary\Desktop\procexp.exe
C:\Program Files\AVG\AVG2012\avgui.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4061205
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe"
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Documents and Settings\Gary\Desktop\PartyPoker.net.lnk
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Documents and Settings\Gary\Desktop\PartyPoker.net.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - https://www.microsoft.com/resources/virtuallabs/ActiveX/VMRCActiveXClient1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165791880288
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1183243100796
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) -
O16 - DPF: {F8E691A0-C92E-4E42-9CDA-62FC07A9483B} (nvUnifiedControl Control) - http://actiftp.hosting4less.com/ACTIGENERAL/AP&Manual/Live Demo/nvUnifiedControl.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{D90B973F-48E9-4263-9407-DA9AC88D53EE}: NameServer = 151.164.1.7,151.164.11.218
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: GB-PVR Recording Service - WelltonWay - C:\Program Files\devnz\gbpvr\GBPVRRecordingService.exe
O23 - Service: Google Update Service (gupdate1c9aa7e74d0e73e) (gupdate1c9aa7e74d0e73e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCase\OpenCASE Media Agent\MediaAgent.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Sandboxie Service (SbieSvc) - SANDBOXIE L.T.D - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10402 bytes

 

[Bobbye]

Welcome to TechSpot! Let's get you off to the right start:

1. We do not use HijackThis to screen for malware.
2. The version of HJT you used is outdated. Please uninstall it and delete the log. I will have you run the current version using my link, later in the cleaning.
3. Multiple versions of iexplore.exe are normal in IE v8. But malware can also hide in almost any file.
5. You are running both AVG and the Symantec antivirus. Decide which you want to keep and uninstall the other:
Note: you will have to uninstall AVG temporarily when I have you run Combox. You will then install a temporary antivirus- just be aware of that
6. Regarding this: "I've tried may of the suggestions from other threads with no luck.
You should never use malware cleaning instructions given to someone else. Although you may be asked to run some of the same programs, what we do with the result is specific for that person only.
7. Please go to Add/Remove Programs in the Control Panel and look for either or both of the following:
TibiaBot NG or K-Meleon 1.1.6 en-US
Uninstall either or both if found.
After uninstall, use Windows Explorer to access Computer> Local Drive> Programs> find program folder for each of the uninstalled programs and do a right click> Delete.
8. Questions:

Do you have this process in the Task Manager: loader.exe?
Does Internet Explorer opens with ads randomly?
Do Windows keep minimizing?
Does your computer sound will keep turning up and down randomly?
Do you hear the clicks of pages being browsed in the background?
Do some websites not load or give you any message?

==================================
If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

When you have finished, leave the logs for review in your next reply .
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
========================================
You can also go ahead and run the Eset Online Virus Scan:
If you use Internet Explorer:

1. Open the ESETOnlineScan
2. Skip to #4 to "Continue with the directions"
   
   If you are using a browser other than Internet Explorer
3. Open Eset Smart Installer
   [o] Click on the esetsmartinstaller_enu.exelink and save to the desktop.
   [o] Double click on the desktop icon to run.
   [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
   
4. Continue with the directions.
   
5. Check 'Yes I accept terms of use.'
6. Click Start button
7. Accept any security warnings from your browser.
   
   
8. Uncheck 'Remove found threats'
9. Check 'Scan archives/
10. Leave remaining settings as is.
11. Press the Start button.
12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
13. When the scan completes, press List of found threats
14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
15. Push the Back button, then Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
========================================
Please include the logs from Malwarebytes, GMER, 2 from DDS and the Eset scan in your next reply.
========================================
My Guidelines: please read and follow:

• Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
• Read my instructions carefully. If you don't understand or have a problem, ask me.
• If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
• Follow the order of the tasks I give you. Order is crucial in cleaning process.
• File sharing programs should be uninstalled or disabled during the cleaning process..
• Observe these:
  [o] Don't use any other cleaning programs or scans while I'm helping you.
  [o] Don't use a Registry cleaner or make any changes in the Registry.
  [o] Don't download and install new programs- except those I give you.
• Please let me know if there is any change in the system.

If I don't get a reply from you in 5 days, the thread will be closed. If your problem persist, you can send a PM to reopen it.
=====================================

 

[WhatAboutGary]

I'm on it

I'll get on the list and get back to you.

Thanks for your help

 

[Bobbye]

Okay, fine.

New Holiday Notice! I will not be working on the threads Sat. Dec. 31 or Sunday Jan. 1 I will begin with the oldest threads first on Monday. I will do my best to get you finished or as far along as I can before that.

Please do not send a PM during those days.

 

[WhatAboutGary]

First tasks complete

Welcome to TechSpot! Let's get you off to the right start:

1. We do not use HijackThis to screen for malware.
2. The version of HJT you used is outdated. Please uninstall it and delete the log. I will have you run the current version using my link, later in the cleaning.
Removed3. Mul
tiple versions of iexplore.exe are normal in IE v8. But malware can also hide in almost any file.
5. You are running both AVG and the Symantec antivirus. Decide which you want to keep and uninstall the other:
Note: you will have to uninstall AVG temporarily when I have you run Combox. You will then install a temporary antivirus- just be aware of that
Removed Symantec
6. Regarding this: "I've tried may of the suggestions from other threads with no luck.
You should never use malware cleaning instructions given to someone else. Although you may be asked to run some of the same programs, what we do with the result is specific for that person only.
7. Please go to Add/Remove Programs in the Control Panel and look for either or both of the following:
TibiaBot NG or K-Meleon 1.1.6 en-US
Uninstall either or both if found.
After uninstall, use Windows Explorer to access Computer> Local Drive> Programs> find program folder for each of the uninstalled programs and do a right click> Delete.
Found neither

8. Questions:
Do you have this process in the Task Manager: loader.exe? No
Does Internet Explorer opens with ads randomly? Yes (sound only, no UI)
Do Windows keep minimizing? no
Does your computer sound will keep turning up and down randomly? No
Do you hear the clicks of pages being browsed in the background? Yes
Do some websites not load or give you any message? No
-----------------------------------------
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 911122605

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/29/2011 5:54:55 PM
mbam-log-2011-12-29 (17-54-55).txt

Scan type: Quick scan
Objects scanned: 184945
Time elapsed: 3 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
--------------------------------------------

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-12-29 18:24:01
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3250824AS rev.3.ADH
Running: gmer.exe; Driver: C:\DOCUME~1\Gary\LOCALS~1\Temp\agkcipod.sys


---- System - GMER 1.0.15 ----

Code BA7F4C9C ZwRequestPort
Code BA7F4D3C ZwRequestWaitReplyPort
Code BA7F4BFC ZwTraceEvent
Code BA7F4C9B NtRequestPort
Code BA7F4D3B NtRequestWaitReplyPort
Code BA7F4BFB NtTraceEvent

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Gary at 18:25:09 on 2011-12-29
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3518.2944 [GMT -6:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\OpenCase\OpenCASE Media Agent\MediaAgent.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig?hl=en&source=iglk
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {4C730913-3961-439b-83D5-F4E445520422} - c:\program files\citi virtual account numbers\CitiVAN.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F4430FE8-2638-42e5-B849-800749B94EED} - c:\documents and settings\gary\desktop\PartyPoker.net.lnk
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} - hxxps://www.microsoft.com/resources/virtuallabs/ActiveX/VMRCActiveXClient1.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165791880288
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183243100796
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF}
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {F8E691A0-C92E-4E42-9CDA-62FC07A9483B} - hxxp://actiftp.hosting4less.com/ACTIGENERAL/AP&Manual/Live%20Demo/nvUnifiedControl.ocx
TCP: Interfaces\{D90B973F-48E9-4263-9407-DA9AC88D53EE} : NameServer = 151.164.1.7,151.164.11.218
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 295248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\opencase\opencase media agent\MediaAgent.exe [2008-8-29 835208]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-12-5 1174152]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 16720]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2010-10-17 124648]
S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\drivers\ntcdrdrv.sys --> c:\windows\system32\drivers\ntcdrdrv.sys [?]
S1 2ffb830c;2ffb830c;c:\windows\system32\drivers\2ffb830c.sys --> c:\windows\system32\drivers\2ffb830c.sys [?]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
S2 gupdate1c9aa7e74d0e73e;Google Update Service (gupdate1c9aa7e74d0e73e);c:\program files\google\update\GoogleUpdate.exe [2009-3-21 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-3-21 133104]
S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\drivers\procexp151.sys --> c:\windows\system32\drivers\PROCEXP151.SYS [?]
.
=============== Created Last 30 ================
.
2011-12-28 05:06:23 836 ----a-w- c:\documents and settings\all users\application data\spdqaaa.tmp
2011-12-28 05:06:18 822 ----a-w- c:\documents and settings\all users\application data\rpdqaaa.tmp
2011-12-28 05:06:13 812 ----a-w- c:\documents and settings\all users\application data\qpdqaaa.tmp
2011-12-28 05:06:08 893 ----a-w- c:\documents and settings\all users\application data\ppdqaaa.tmp
2011-12-28 05:06:03 865 ----a-w- c:\documents and settings\all users\application data\opdqaaa.tmp
2011-12-28 03:58:49 98816 ----a-w- c:\windows\sed.exe
2011-12-28 03:58:49 518144 ----a-w- c:\windows\SWREG.exe
2011-12-28 03:58:49 256000 ----a-w- c:\windows\PEV.exe
2011-12-28 03:58:49 208896 ----a-w- c:\windows\MBR.exe
2011-12-28 00:01:10 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-12-28 00:01:10 -------- d-----w- c:\windows\system32\wbem\Repository
2011-12-27 05:50:00 -------- d-sha-r- C:\cmdcons
2011-12-27 01:49:55 -------- d-----w- c:\program files\iPod
2011-12-27 01:47:36 -------- d-----w- c:\program files\Bonjour
.
==================== Find3M ====================
.
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-12 09:40:35 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-24 03:33:20 1393736 ----a-w- c:\documents and settings\gary\gotomypc_626.exe
2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-07 11:23:48 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-10-04 11:21:42 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
.
============= FINISH: 18:26:06.57 ===============
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 12/8/2006 8:47:46 PM
System Uptime: 12/29/2011 6:17:26 PM (0 hours ago)
.
Motherboard: Dell Inc | | 0CT103
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 3800+ | Socket M2 | 1803/1000mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 230 GiB total, 28.243 GiB free.
D: is CDROM ()
E: is CDROM ()
G: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Broadcom 440x 10/100 Integrated Controller
Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01ED1028&REV_02\4&DC268A3&0&3880
Manufacturer: Broadcom
Name: Broadcom 440x 10/100 Integrated Controller
PNP Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01ED1028&REV_02\4&DC268A3&0&3880
Service: bcm4sbxp
.
==== System Restore Points ===================
.
RP1: 12/26/2011 11:46:15 PM - System Checkpoint
RP2: 12/27/2011 5:59:44 PM - Restore Operation
RP3: 12/28/2011 8:12:27 PM - System Checkpoint
.
==== Installed Programs ======================
.
µTorrent
Adobe Flash Player 10 Plugin
Adobe Flash Player 11 ActiveX
Adobe Reader 9.4.7
Adobe Shockwave Player 11.5
AOLIcon
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
Audacity 1.2.6
Audible Download Manager
AVG 2012
AviSynth 2.5
Bonjour
Broadcom Management Programs
Catalyst Media Center
Catalyst Media Center DVD Authoring Module
CCleaner (remove only)
Citi Virtual Account Numbers
CodeStuff Starter
Combined Community Codec Pack 2010-10-10
Compatibility Pack for the 2007 Office system
Coupon Printer for Windows
Critical Update for Windows Media Player 11 (KB959772)
Dell CinePlayer
Dell System Restore
Digital Content Portal
Digital Locker Assistant
DivX Codec 3.1alpha release
Dream Aquarium
Eusing Free Registry Cleaner
Free Mp3 Wma Converter V 1.81
GB-PVR
GIMP 2.4.1
Google Chrome
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
GSpot Codec Information Appliance
High Definition Audio Driver Package - KB835221
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
IcoFX 1.5.01
ImgBurn
Intel A/V Codecs V2.0
ISO Recorder
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 11
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) SE Runtime Environment 6 Update 1
Learn2 Player (Uninstall Only)
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2572067)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office File Validation Add-In
Microsoft Office Professional Edition 2003
Microsoft Office Sounds
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works
Move Media Player
MSXML 4.0
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Notepad++
NVIDIA Drivers
OpenCASE Media Agent
Oracle JInitiator 1.3.1.22
PartyPoker.net
PeerGuardian 2.0
PicSizer
QuickTime
RarZilla Free Unrar 2.52
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
RealUpgrade 1.1
Sandboxie 3.50
SearchAssist
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Windows (KB2564958)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Serif PhotoPlus 6.0
Sonic Activation Module
SpiralFrog Download Manager 0.8.23
Spybot - Search & Destroy
Symantec KB-DocID:2003093015493306
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
URL Assistant
Viewpoint Media Player
ViewSonic Windows XP Signed Files
VLC media player 1.1.11
Weather Plug-in 4.0
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows XP Service Pack 3
Xvid 1.2.1 final uninstall
ZipGenius 6 (6.0.2.1060)
.
==== Event Viewer Messages From Past Week ========
.
12/27/2011 12:24:23 AM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
12/27/2011 12:12:58 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Beep NetBT nvatabus nvraid
12/27/2011 12:12:56 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
12/27/2011 12:12:56 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
12/26/2011 10:29:40 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
12/26/2011 10:11:09 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Beep nvatabus nvraid
12/26/2011 10:11:09 PM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: The system cannot find the file specified.
12/26/2011 10:11:09 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.
12/26/2011 10:11:09 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
12/26/2011 10:11:09 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/26/2011 10:09:38 PM, error: SRService [104] - The System Restore initialization process failed.
.
==== End Of File ===========================


I tried to run the ESET online scan. When enable my ip connection the virus loads 8 or more iExploer instances and makes the one i'm viewing unstable/unusable.

 

[Bobbye]

So far, you have only one of the 8 symptoms of the malware you think you might have.

You have 8 outdated versions of Java and do not have the current version. The best way to handle that is to run the following: Note: I do not want this log!

Please download JavaRa and unzip it to your desktop.

Important!***Please close any instances of Internet Explorer before continuing!***

• Double-click on JavaRa.exe to start the program.
• From the drop-down menu, choose English and click on Select.
• JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
• Click Yes when prompted. When JavaRa is done, a notice will appear that
  a logfile has been produced. Click OK.
• A logfile will pop up. Please save it to a convenient location.Note: Do not leave this log.

Download and install then most current version and update of Java RuntimeEnvironment (JRE)HERE.
Note: Uncheck 'Install Yahoo Toolbar' on the download screen before you do the update.
===========================================
Hold on the Eset scan until we get the malware off and the system more stable.
============================================
As mentioned, Combofix won't run with AVG so you will need to temporarily uninstall AVG as follows:
Download AppRemover and save to the desktop

1. Double click the setup on the desktop> click Next
2. Select “Remove Security Application”
3. Let scan finish to determine security apps
4. A screen like below will appear:
   
   
5. Click on Next after choice has been made
6. Check the AVG program you want to uninstall
7. After uninstall shows complete, follow online prompts to Exit the program.

Temporary AV: Use one:
Avira-AntiVir-Personal-Free-Antivirus
Avast Free Version
=============================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed

• Click START> then RUN
• Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

--------------------------------------
Download Combofix from HERE or HEREhttp://www.forospyware.com/sUBs/ComboFix.exe and save to the desktop

• Double click combofix.exe & follow the prompts.
• ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
  ***Please note: if you have downloaded Combofix to a flash drive, then run it on the infected machine> the Recovery Console will not install- just bypass and go on.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
• Once installed, you should see a blue screen prompt that says:
  The Recovery Console was successfully installed.
• .Click on Yes, to continue scanning for malware
• .If Combofix asks you to update the program, allow
• .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• .Close any open browsers.
• .Double click combofix.exe
  
  & follow the prompts to run.
• When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..

Re-enable your Antivirus software.

Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
=====================================

• Download the file TDSSKiller.zip and save to the desktop.
  (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
• Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
• Double click on TDSSKiller.exe. to run the scan
• When the scan is over, the utility outputs a list of detected objects with description.
  The utility automatically selects an action (Cure or Delete) for malicious objects.
  The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
• Select the action Quarantine to quarantine detected objects.
  The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
• After clicking Next, the utility applies selected actions and outputs the result.
• A reboot is required after disinfection.

===========================================
Please leave the logs for Combofix and the TDSSKiller in your next reply.

New Holiday Notice! I will not be working on the threads Sat. Dec. 31 or Sunday Jan. 1 I will begin with the oldest threads first on Monday. I will do my best to get you finished or as far along as I can before that.

Please do not send a PM during those days.

 

[WhatAboutGary]

What next?

Removed old java versions, intalled new version.
Removed SpyBot, Avg

ComboFix says: You are infected with rookit.zeroAccess

Windows Error: The exception unknown software exception 0x40000015...
ComboFix 11-12-29.05 - Gary 12/29/2011 21:30:26.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3518.3136 [GMT -6:00]
Running from: c:\documents and settings\Gary\Desktop\ComboFix.exe
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\opdqaaa.tmp
c:\documents and settings\All Users\Application Data\ppdqaaa.tmp
c:\documents and settings\All Users\Application Data\qpdqaaa.tmp
c:\documents and settings\All Users\Application Data\rpdqaaa.tmp
c:\documents and settings\All Users\Application Data\spdqaaa.tmp
.
c:\windows\explorer.exe . . . is infected!!
.
c:\windows\system32\svchost.exe . . . is infected!! . . .Failed to restore. Attempting to replace on reboot
.
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-30 )))))))))))))))))))))))))))))))
.
.
2011-12-30 03:20 . 2011-12-30 03:20 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-12-28 00:01 . 2011-12-28 00:01 -------- d-----w- c:\windows\system32\wbem\Repository
2011-12-27 04:19 . 2011-12-27 04:19 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-12-27 04:13 . 2011-12-27 04:13 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2011-12-27 02:40 . 2011-12-27 02:40 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-12-27 01:49 . 2011-12-27 01:49 -------- d-----w- c:\program files\iPod
2011-12-27 01:47 . 2011-12-27 01:47 -------- d-----w- c:\program files\Bonjour
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-30 03:20 . 2007-04-27 05:08 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-23 13:25 . 2004-08-10 18:51 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-12 09:40 . 2011-05-20 01:34 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-04 19:20 . 2004-08-10 18:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-10 18:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2004-08-10 18:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-10 18:51 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2004-08-10 18:51 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2004-08-10 18:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2004-08-10 18:51 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2004-08-04 04:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-24 03:33 . 2011-10-24 03:33 1393736 ----a-w- c:\documents and settings\Gary\gotomypc_626.exe
2011-10-18 11:13 . 2004-08-10 18:51 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2004-08-10 19:02 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-24 68856]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2010-10-17 404200]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]
"nwiz"="nwiz.exe" [2006-08-23 1617920]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-23 86016]
"SigmatelSysTrayApp"="stsystra.exe" [2006-08-15 282624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\OpenCase\\OpenCASE Media Agent\\PandoBinaries\\NBCPandoREST.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6346:TCP"= 6346:TCP:Shareaza
"6346:UDP"= 6346:UDP:Shareza
"57030:TCP"= 57030:TCPandoRest Listening Port
.
R2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\OpenCase\OpenCASE Media Agent\MediaAgent.exe [8/29/2008 5:29 PM 835208]
S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys --> c:\windows\system32\DRIVERS\ntcdrdrv.sys [?]
S1 2ffb830c;2ffb830c;c:\windows\system32\drivers\2ffb830c.sys --> c:\windows\system32\drivers\2ffb830c.sys [?]
S2 gupdate1c9aa7e74d0e73e;Google Update Service (gupdate1c9aa7e74d0e73e);c:\program files\Google\Update\GoogleUpdate.exe [3/21/2009 5:40 PM 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/21/2009 5:40 PM 133104]
S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\Drivers\PROCEXP151.SYS --> c:\windows\system32\Drivers\PROCEXP151.SYS [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 18:34]
.
2011-12-26 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-26 15:00]
.
2011-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-21 23:40]
.
2011-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-21 23:40]
.
2011-12-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1182489297-1903137732-959149683-1007Core.job
- c:\documents and settings\Gary\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-26 04:03]
.
2011-12-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1182489297-1903137732-959149683-1007UA.job
- c:\documents and settings\Gary\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-26 04:03]
.
2011-12-30 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-12-30 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1182489297-1903137732-959149683-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-12-30 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-12-28 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1182489297-1903137732-959149683-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en&source=iglk
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
TCP: Interfaces\{D90B973F-48E9-4263-9407-DA9AC88D53EE}: NameServer = 151.164.1.7,151.164.11.218
DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF}
DPF: {F8E691A0-C92E-4E42-9CDA-62FC07A9483B} - hxxp://actiftp.hosting4less.com/ACTIGENERAL/AP&Manual/Live%20Demo/nvUnifiedControl.ocx
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-PicSizer - c:\windows\unvise32.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-29 21:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,39,ed,ac,0a,81,40,4e,4d,86,74,14,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,39,ed,ac,0a,81,40,4e,4d,86,74,14,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(936)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PSIService.exe
c:\program files\Sandboxie\SbieSvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\stsystra.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-12-29 21:47:30 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-30 03:47
ComboFix2.txt 2011-12-28 04:46
.
Pre-Run: 31,771,910,144 bytes free
Post-Run: 31,878,348,800 bytes free
.
- - End Of File - - C3E0453E661089D4A847A435BD4C408C





TDSSKILLER: 0 found.


Installed Avast free version.
It keeps saying it blocked trojan horse Win32:Tatched-ADQ[trj]
Then it put winlogon(2) in its virus chest.

I rebooted and login and i can see my desktop background image only. No start menu no desktop icons?

I bring up task manager c-a-del and notice it has started 7 iExplore.exe processes.

 

[Bobbye]

It is important that you do not delete any files from your Temp folder or use any temp file cleaners.

1. Download Unhide.exe and save to the desktop.

• Double-click on Unhide.exe icon to run the program.
• This program will remove the +H, or hidden, attribute from all the files on your hard drives.

Note: This does not remove the malware- only the attribute that hides icons and programs. It is important that you continue.
================================
2. Boot into Safe Mode

• Restart your computer and start pressing the F8 key on your keyboard.
• Select the Safe Mode with Networking option when the Windows Advanced Opti; ons
  menu appears, using your up/down arrows to reach it and then press ENTER.

=======================================
3. To end the processes that belong to the rogue program:
Please click on RKill

• At the download page, click on Download now button for iExplore.exe download link and save to the desktop
• Double click on the iExplore.exe icon
• Please be patient- it may take a bit.
• The black Window will close when through and you can continue.

Note: If you get a message that RKilll is malware, ignore it> it's from the malware.
=======================================
Do not reboot your computer after runningRKilll as the malware programs will start again.
================================
4. Update and rescan with Malwarebytes:

• Select Perform Full Scan on the Scanner tab
• Click on the Scan button.
• When scan has finished, you will see this image:
  
  
• Click on OK to close box and continue.
• Click on the Show Results button.
• Click on the Remove Selected button to remove all the listed malware.
• At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format>Uncheckk Word Wrap before copying the log to paste in your next reply.

==============================
6. Correct Display Changes if needed:
If the desktop background is black or if the theme has been removed:
For Windows XP: Click on Start> Control Panel> Display> change theme and/or background if needed.
For Windows Vista or Windows 7: Click on Start> Control Panel> Appearance & Personalization> Select Change Theme or Change Desktop Background
=====================================
You can now reboot back into Normal Mode
====================================
Please try the Eset scan again.
=====================================
Advise uninstall the following:
Eusing Free Registry Cleaner> We do not recommend registry cleaners. The risk far oitweighs any benefit.
Viewpoint Media Player

 

[WhatAboutGary]

Started in safe mode
Uninstalled eusing reg cleaner
Ran Unhide
Ran iExplorer RKill (no processes terminated)
Malwarebytes Full Scan
Log says 0 found.


While malwarebytes is scanning... in process manager I can see:
system
----interrupts
--------smss.exe
-----------crss.exe
---------------Winlogon.exe
--------------------Services.exe
-------------------------svchost.exe
-----------------------------wmiprvse.exe
----------------------------------iexplore.exe hxxt://acvancedmarketingonline.com/search/?printable+coupons+for
--------------------------------------iexplore.exe scodef:6096 CREDAT:79866
-----------------------------------(+ 6 other iexplore.exe processes)

When I start iexplore.exe it starts under explorer.exe not services.exe?

I try to reboot in normal mode, no luck, I can still only see my desktop image, no desktop icons, no start button or bar. ctrl-alt-del brings up task manager
explorer.exe is not in the process tab, but I have already have several iexplore.exe processes running.

I was able to get to eset in safe mode but when i check the box to agree with the license the button to start the scan is still disabled

This is one tuff nut...

 

[Bobbye]

You have a lot of chances for malware to get into your system- unless you close those leaks, you will not stay clean- if I get you clean! And a note about logs: if I have you run a scan and it has a log, unless I tell you otherwise, you paste the log into your reply. This allows me to make sure you have run the correct program and version and the date of the scan.

Eset is an online virus scan. You cannot run it in Safe Mode.
-----------------------------------------
Missing logs and results
1. You ran Unhide> did it restore any of the 'missing' sections?
2. You ran rKill but didn't leave the log.
3. You ran TDSSKiller but did not leave the log
4. You ran a Full Scan with Malwarebytes but did not leave the log

Possible Malware
You think you have a "black Internet virus". This appears to be related to Steam and the FPSBanana site (now Gamebanana) The descriptions of this problem were very 'colorful' loaded with every word that gets a kid's mouth washed out with soap! The site was said to have numerous exploits, viruses embedded in images. It was the kind of site a secure browser wouldn't even load!

I don't find any safe or English speaking site that describe Win32:Tatched-ADQ, but I do find
Win32atched-EQ which should have responded to the TDSSKiller./.
==================================
P2P Warning
You have globally open TCP and UDP Ports for Shareaza which is a peer-to-peer file sharing client which supports the gnutella, Gnutella2 (G2), eDonkey, BitTorrent, FTP, HTTP and HTTPS network protocols and handles magnet links,[3] ed2k links, and the now deprecated gnutella and Piolet links.[4] It is available in 30 languages.
You also have uTorrent installed.
P2P or 'file sharing Warning:
Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall Shareaza and uTorrentany other P2P programs for the following reasons:

• As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verity that a download is legitimate.
• Malware writers use these program to include malicious content.
• File sharing is usually unmonitored and there is a danger that your private files might be accessed.
• The 'sharing' also includes malware that the shared system has on it.
• Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.

You have a globally open port for the PandoRest Listening Port, which I think is for port forwarding.
=============================================
explorer.exe vs iexplore.exe
I want to make sure you understand that explorer.exe and iexplore.exe a 2 different processes. The first, explorer.exe is the Windows File Manager. The latter, iexplore.exe is the process for Internet Explorer. Using IE v8 is a common cause for multiple iexplore.exe

One thing you can do for the multiple iexplore.exe processes is Disable the Internet Connection Wizard which appears in the log as:
uInternet Connection Wizard,ShellNext = iexplore >> Delete the entire Connection Wizard folder (it's in \Program Files\Internet Explorer).
Use Windows Explorer to access Computer> Local Drive> Double click on Internet Explorer> look for the Connection Wizard folder and do a right click> Delete.

The Internet Connection Wizard appears every time you want to access an Internet resource, including the necessary Windows Update feature. It appears whether or not you already have Internet access set up on the computer, and for that reason, it is considered an 'annoyance'.
=========================================
Boot Mode
"When I start iexplore.exe it starts under explorer.exe not services.exe?I try to reboot in normal mode, no luck">>> Most likely due to this:

c:\windows\explorer.exe . . . is infected!!
c:\windows\system32\svchost.exe . . . is infected!! . . .Failed to restore. Attempting to replace on reboot
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

You have Process Explorer, right? Can you use it to search the svchost.exe processes and see which one isn't functioning? I can try to replace these files, but there are multiple processes using svchost:
-----------------
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

[*]Double-click SystemLook.exe to run it.
[*]Copy the content of the following codebox into the main textfield:

:filefind
explorer.exe
svchost.exe

[*]Click the Look button to start the scan.
[*]When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
[/list]Note: The log can also be found on your Desktop entitled SystemLook.txt
==================================
Shut down the Sandboxie It's is supposedly trapping malware and it could be that we aren't reaching it to remove it.
=================================
Please handle the issues I've mentioned. I'll set up the script to run through Combofix tomorrow. The system is badly infected and this will take work.

.

 

[WhatAboutGary]

Change of direction

I removed the hard drive from the pc and connected it to another (via USB)

AVG found Win32/Patched in
explorer.exe
svchost.exe
winlogon.exe
and all my restore points.

I purchased a new drive, installed
win7
Microsoft's Security Essentials
Thinking about adding avast?

I would also like to get the MyData stuff off the other drive before i wipe it out.
Any suggestions? Anything I can do to be sure i don't transfer the virus to the new drive?

Again, thanks for all your help

 

[Bobbye]

I would also like to get the MyData stuff off the other drive before i wipe it out.
Any suggestions? Anything I can do to be sure i don't transfer the virus to the new drive?

I cannot tell you which files are safe or clean.
Although there was evidence of malware, I did not have a chance to identify what it was or the extent of it.

I suspect a possible Virut or Ramnit file infector infection. Either are not cleanable and none of the following file types can be considered safe:
1. any executable files (,exe .scr .html or .htm)
2.compressed files (zip/cab/rar) that may contain .exe or .scr files

Regarding:

Microsoft's Security Essentials
Thinking about adding avast?

Use one or the other- not both. Only one AV should be on a system. Multiple AVs actually make a system more vulnerable, not less and can also slow a system down.
Here are some security suggestions that may help after the reformat/reinstall:

Tips for added security and safer browsing: (Links are in Bold Blue)

1. Browser Security
   [o]Safe Settings (Please ignore the suggestion to use the Registry Editor in this section "Creating a Custom Security Zone")
   [o]ZonedOut. This manages the Zones in Internet Explorer. (For IE7 and IE8, Windows 2000 thru Vista. No Windows 7)
   [o]Replace the Host Files
   [o]Google Toolbar Pop Up Blocker
   [o]Web of Trust (WOT) Site Advisor. Traffic-light rating symbols show which rate the site for Trustworthiness, Vendor Reliability, Privacy, Child Safety.
   
2. Have layered Security:
   [o]Antivirus :(only one):Both of the following programs are free and known to be good:
   [o]Avira-AntiVir-Personal-Free-Antivirus
   [o]Avast-Free Antivirus
   [o]Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
   [o]Comodo
   [o]Zone Alarm
   
3. Antimalware: I recommend all of the following:
   [o]Spywareblaster: SpywareBlaster protects against bad ActiveX.
   [o]Spybot Search & Destroy
   
4. Updates: Stay current:
   [o] the Microsoft Download Sitefrequently. All updates marked Critical and the current SP updates.
   [o]Adobe Reader Install current, uninstall old.
   [o]Java Updates Install current, uninstall old.
   
5. Tracking Cookies
   Reset Cookie:
   [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
   [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
   I suggest using the following two add-on for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
   AdBlock Plus
   Easy List
   [o]For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
   
6. Do regular Maintenance
   Clean the temporary internet files often:
   [o] Temporary File Cleaner]
   or
   [o] ATF Cleaner by Atribune
7. Restore Points:
   [o]See System Restore Guide
8. Safe Email Handling
   [o] Don't open email from anyone you don't know.
   [o] Don't open Attachments in the email. Safe to your desktop and scan for viruses using a right click
   [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.

Please let me know if you find any bad link.

 

[WhatAboutGary]

Thanks again for all your help!

 

[Bobbye]

You're welcome.