Black Internet virus?

By WhatAboutGary · 13 replies
Dec 28, 2011
  1. I'm guessing I have the black internet virus. Lots of iExplorer.exe processes, random audio from ads...

    I've tried many of the suggestions from other threads with no luck. I'm hoping someone can help.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:12:20 PM, on 12/28/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\Program Files\AVG\AVG2012\avgcsrvx.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\AVG\AVG2012\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
    C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\AVG\AVG2012\avgnsx.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\OpenCase\OpenCASE Media Agent\MediaAgent.exe
    C:\Program Files\Sandboxie\SbieSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe
    C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
    C:\Program Files\AVG\AVG2012\avgtray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Sandboxie\SbieCtrl.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    C:\Documents and Settings\Gary\Desktop\procexp.exe
    C:\Program Files\AVG\AVG2012\avgui.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    O2 - BHO: IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe"
    O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Documents and Settings\Gary\Desktop\
    O9 - Extra 'Tools' menuitem: - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Documents and Settings\Gary\Desktop\
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) -
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} -
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
    O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) -
    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) -
    O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator -
    O16 - DPF: {F8E691A0-C92E-4E42-9CDA-62FC07A9483B} (nvUnifiedControl Control) - Demo/nvUnifiedControl.ocx
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D90B973F-48E9-4263-9407-DA9AC88D53EE}: NameServer =,
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
    O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
    O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe
    O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
    O23 - Service: GB-PVR Recording Service - WelltonWay - C:\Program Files\devnz\gbpvr\GBPVRRecordingService.exe
    O23 - Service: Google Update Service (gupdate1c9aa7e74d0e73e) (gupdate1c9aa7e74d0e73e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCase\OpenCASE Media Agent\MediaAgent.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
    O23 - Service: Sandboxie Service (SbieSvc) - SANDBOXIE L.T.D - C:\Program Files\Sandboxie\SbieSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    End of file - 10402 bytes
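    As an added example, not from this thread, from HijackThis, or from TechSpot: a small Python triage pass over the HijackThis log format, flagging the entry types a helper tends to look at first (repeated process images, O9 buttons with no file or pointing into a user profile, O23 services with no publisher, O4 autoruns outside Program Files/Windows). The sample log is constructed to mirror the layout above; the `updater.exe` autorun line in it is invented for the demonstration.

```python
import re
from collections import Counter

# Constructed sample in the HijackThis v2 layout (most lines mirror the log posted
# in this thread; the [Updater] O4 line is invented to exercise the autorun check).
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE
C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE
C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE
C:\\Program Files\\AVG\\AVG2012\\avgtray.exe

O4 - HKLM\\..\\Run: [AVG_TRAY] "C:\\Program Files\\AVG\\AVG2012\\avgtray.exe"
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKCU\\..\\Run: [Updater] C:\\Documents and Settings\\Gary\\Application Data\\updater.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\\Documents and Settings\\Gary\\Desktop\\
O23 - Service: ProtexisLicensing - Unknown owner - C:\\WINDOWS\\system32\\PSIService.exe
O23 - Service: Sandboxie Service (SbieSvc) - SANDBOXIE L.T.D - C:\\Program Files\\Sandboxie\\SbieSvc.exe
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d+|F\d+|N\d+) - (.*)$")
USER_PROFILE_RE = re.compile(r"^[A-Za-z]:\\(Documents and Settings|Users)\\", re.IGNORECASE)
TRUSTED_ROOT_RE = re.compile(r"^[A-Za-z]:\\(Program Files|PROGRA~1|WINDOWS)\\", re.IGNORECASE)


def parse_log(text):
    """Split a HijackThis log into its running-process list and its numbered entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:          # blank line ends the process list
                in_processes = False
                continue
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def autorun_image(rest):
    """Pull the launched image out of an O4 body like 'HKLM\\..\\Run: [Name] "C:\\x.exe" /flag'."""
    m = re.search(r"\]\s*(.*)$", rest)
    if not m:
        return ""
    cmd = m.group(1).strip()
    if cmd.startswith('"'):       # quoted path, possibly containing spaces
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # unquoted: take everything up to the first executable-looking extension
    m = re.match(r"(.*?\.(?:exe|dll|cpl|scr))\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def triage(text, proc_threshold=3):
    """Return review findings (severity, section, detail) for a HijackThis log."""
    processes, entries = parse_log(text)
    findings = []
    # Several iexplore.exe are normal in IE8, but a pile of them with no browser
    # window open is the symptom reported in this thread, so surface the count.
    counts = Counter(p.rsplit("\\", 1)[-1].lower() for p in processes)
    for name, n in counts.items():
        if n >= proc_threshold:
            findings.append({"severity": "review", "section": "processes",
                             "detail": f"{name} running {n} times"})
    for kind, rest in entries:
        target = rest.rsplit(" - ", 1)[-1].strip()
        if kind == "O9":
            if target == "(no file)":
                findings.append({"severity": "low", "section": "O9",
                                 "detail": f"orphaned button entry: {rest}"})
            elif target.endswith("\\") or USER_PROFILE_RE.match(target):
                findings.append({"severity": "medium", "section": "O9",
                                 "detail": f"button points into a user profile or folder: {target}"})
        elif kind == "O23" and " - Unknown owner - " in rest:
            findings.append({"severity": "review", "section": "O23",
                             "detail": f"service with no publisher: {target}"})
        elif kind == "O4":
            image = autorun_image(rest)
            if USER_PROFILE_RE.match(image) or (":\\" in image and not TRUSTED_ROOT_RE.match(image)):
                findings.append({"severity": "medium", "section": "O4",
                                 "detail": f"autorun outside Program Files/Windows: {image}"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['section']:9} {f['detail']}")
```

    The findings are a reading aid, not a verdict: an "Unknown owner" service or a user-profile autorun is something to look up, not something to delete on sight.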
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Welcome to TechSpot! Let's get you off to the right start:

    1. We do not use HijackThis to screen for malware.
    2. The version of HJT you used is outdated. Please uninstall it and delete the log. I will have you run the current version using my link, later in the cleaning.
    3. Multiple versions of iexplore.exe are normal in IE v8. But malware can also hide in almost any file.
    5. You are running both AVG and the Symantec antivirus. Decide which you want to keep and uninstall the other:
    Note: you will have to uninstall AVG temporarily when I have you run Combofix. You will then install a temporary antivirus. Just be aware of that.
    6. Regarding this: "I've tried many of the suggestions from other threads with no luck."
    You should never use malware cleaning instructions given to someone else. Although you may be asked to run some of the same programs, what we do with the result is specific for that person only.
    7. Please go to Add/Remove Programs in the Control Panel and look for either or both of the following:
    TibiaBot NG or K-Meleon 1.1.6 en-US
    Uninstall either or both if found.
    After uninstall, use Windows Explorer to access Computer> Local Drive> Programs> find program folder for each of the uninstalled programs and do a right click> Delete.
    8. Questions:
    If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
    You can also go ahead and run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    Please include the logs from Malwarebytes, GMER, 2 from DDS and the Eset scan in your next reply.
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.

    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
  3. WhatAboutGary

    WhatAboutGary TS Rookie Topic Starter

    I'm on it

    I'll get on the list and get back to you.

    Thanks for your help
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Okay, fine.

    New Holiday Notice! I will not be working on the threads Sat. Dec. 31 or Sunday Jan. 1 I will begin with the oldest threads first on Monday. I will do my best to get you finished or as far along as I can before that.

    Please do not send a PM during those days.
  5. WhatAboutGary

    WhatAboutGary TS Rookie Topic Starter

    First tasks complete

  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    So far, you have only one of the 8 symptoms of the malware you think you might have.

    You have 8 outdated versions of Java and do not have the current version. The best way to handle that is to run the following: Note: I do not want this log!

    Please download JavaRa and unzip it to your desktop.

    Important!***Please close any instances of Internet Explorer before continuing!***
    • Double-click on JavaRa.exe to start the program.
    • From the drop-down menu, choose English and click on Select.
    • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
    • Click Yes when prompted. When JavaRa is done, a notice will appear that
      a logfile has been produced. Click OK.
    • A logfile will pop up. Please save it to a convenient location. Note: Do not leave this log.
    Download and install the most current version and update of Java Runtime Environment (JRE) HERE.
    Note: Uncheck 'Install Yahoo Toolbar' on the download screen before you do the update.
    Hold on the Eset scan until we get the malware off and the system more stable.
    As mentioned, Combofix won't run with AVG so you will need to temporarily uninstall AVG as follows:
    Download AppRemover and save to the desktop
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A screen like below will appear:
    5. Click on Next after choice has been made
    6. Check the AVG program you want to uninstall
    7. After uninstall shows complete, follow online prompts to Exit the program.

    Temporary AV: Use one:
    Avast Free Version
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
      ***Please note: if you have downloaded Combofix to a flash drive, then run it on the infected machine> the Recovery Console will not install- just bypass and go on.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in next reply.
    Re-enable your Antivirus software.

    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    • Download the file and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe. to run the scan
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
    Please leave the logs for Combofix and the TDSSKiller in your next reply.

    New Holiday Notice! I will not be working on the threads Sat. Dec. 31 or Sunday Jan. 1 I will begin with the oldest threads first on Monday. I will do my best to get you finished or as far along as I can before that.

    Please do not send a PM during those days.
  7. WhatAboutGary

    WhatAboutGary TS Rookie Topic Starter

    What next?

    Removed old Java versions, installed new version.
    Removed SpyBot, Avg

    ComboFix says: You are infected with rootkit.zeroAccess

    Windows Error: The exception unknown software exception 0x40000015...
    ComboFix 11-12-29.05 - Gary 12/29/2011 21:30:26.2.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3518.3136 [GMT -6:00]
    Running from: c:\documents and settings\Gary\Desktop\ComboFix.exe
    FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    c:\documents and settings\All Users\Application Data\opdqaaa.tmp
    c:\documents and settings\All Users\Application Data\ppdqaaa.tmp
    c:\documents and settings\All Users\Application Data\qpdqaaa.tmp
    c:\documents and settings\All Users\Application Data\rpdqaaa.tmp
    c:\documents and settings\All Users\Application Data\spdqaaa.tmp
    c:\windows\explorer.exe . . . is infected!!
    c:\windows\system32\svchost.exe . . . is infected!! . . .Failed to restore. Attempting to replace on reboot
    Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe
    ((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-30 )))))))))))))))))))))))))))))))
    2011-12-30 03:20 . 2011-12-30 03:20 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-12-28 00:01 . 2011-12-28 00:01 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-12-27 04:19 . 2011-12-27 04:19 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2011-12-27 04:13 . 2011-12-27 04:13 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
    2011-12-27 02:40 . 2011-12-27 02:40 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2011-12-27 01:49 . 2011-12-27 01:49 -------- d-----w- c:\program files\iPod
    2011-12-27 01:47 . 2011-12-27 01:47 -------- d-----w- c:\program files\Bonjour
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    2011-12-30 03:20 . 2007-04-27 05:08 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-11-23 13:25 . 2004-08-10 18:51 1859584 ----a-w- c:\windows\system32\win32k.sys
    2011-11-12 09:40 . 2011-05-20 01:34 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-04 19:20 . 2004-08-10 18:51 916992 ----a-w- c:\windows\system32\wininet.dll
    2011-11-04 19:20 . 2004-08-10 18:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-11-04 19:20 . 2004-08-10 18:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-11-04 11:23 . 2004-08-10 18:51 385024 ----a-w- c:\windows\system32\html.iec
    2011-11-01 16:07 . 2004-08-10 18:51 1288704 ----a-w- c:\windows\system32\ole32.dll
    2011-10-28 05:31 . 2004-08-10 18:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2011-10-25 13:37 . 2004-08-10 18:51 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-10-25 12:52 . 2004-08-04 04:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-10-24 03:33 . 2011-10-24 03:33 1393736 ----a-w- c:\documents and settings\Gary\gotomypc_626.exe
    2011-10-18 11:13 . 2004-08-10 18:51 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-10-10 14:22 . 2004-08-10 19:02 692736 ----a-w- c:\windows\system32\inetcomm.dll
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    *Note* empty entries & legit default entries are not shown
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-24 68856]
    "SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2010-10-17 404200]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]
    "nwiz"="nwiz.exe" [2006-08-23 1617920]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-23 86016]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-08-15 282624]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableNotifications"= 1 (0x1)
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\OpenCase\\OpenCASE Media Agent\\PandoBinaries\\NBCPandoREST.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "6346:TCP"= 6346:TCP:Shareaza
    "6346:UDP"= 6346:UDP:Shareza
    "57030:TCP"= 57030:TCP:pandoRest Listening Port
    R2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\OpenCase\OpenCASE Media Agent\MediaAgent.exe [8/29/2008 5:29 PM 835208]
    S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys --> c:\windows\system32\DRIVERS\ntcdrdrv.sys [?]
    S1 2ffb830c;2ffb830c;c:\windows\system32\drivers\2ffb830c.sys --> c:\windows\system32\drivers\2ffb830c.sys [?]
    S2 gupdate1c9aa7e74d0e73e;Google Update Service (gupdate1c9aa7e74d0e73e);c:\program files\Google\Update\GoogleUpdate.exe [3/21/2009 5:40 PM 133104]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/21/2009 5:40 PM 133104]
    S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\Drivers\PROCEXP151.SYS --> c:\windows\system32\Drivers\PROCEXP151.SYS [?]
    Contents of the 'Scheduled Tasks' folder
    2011-11-25 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 18:34]
    2011-12-26 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-26 15:00]
    2011-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-21 23:40]
    2011-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-21 23:40]
    2011-12-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1182489297-1903137732-959149683-1007Core.job
    - c:\documents and settings\Gary\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-26 04:03]
    2011-12-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1182489297-1903137732-959149683-1007UA.job
    - c:\documents and settings\Gary\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-26 04:03]
    2011-12-30 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
    2011-12-30 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1182489297-1903137732-959149683-1007.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
    2011-12-30 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
    2011-12-28 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1182489297-1903137732-959149683-1007.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
    ------- Supplementary Scan -------
    uStart Page = hxxp://
    uSearchMigratedDefaultURL = hxxp://{searchTerms}&sourceid=ie7&
    mStart Page = hxxp://
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = <local>;*.local
    uSearchAssistant = hxxp://
    uSearchURL,(Default) = hxxp://
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    TCP: Interfaces\{D90B973F-48E9-4263-9407-DA9AC88D53EE}: NameServer =,
    DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF}
    DPF: {F8E691A0-C92E-4E42-9CDA-62FC07A9483B} - hxxp://
    - - - - ORPHANS REMOVED - - - -
    AddRemove-PicSizer - c:\windows\unvise32.exe
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
    Rootkit scan 2011-12-29 21:43
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    --------------------- LOCKED REGISTRY KEYS ---------------------
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    --------------------- DLLs Loaded Under Running Processes ---------------------
    - - - - - - - > 'explorer.exe'(936)
    ------------------------ Other Running Processes ------------------------
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Sandboxie\SbieSvc.exe
    c:\program files\iPod\bin\iPodService.exe
    Completion time: 2011-12-29 21:47:30 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-12-30 03:47
    ComboFix2.txt 2011-12-28 04:46
    Pre-Run: 31,771,910,144 bytes free
    Post-Run: 31,878,348,800 bytes free
    - - End Of File - - C3E0453E661089D4A847A435BD4C408C

    TDSSKILLER: 0 found.

    Installed Avast free version.
    It keeps saying it blocked trojan horse Win32:Tatched-ADQ[trj]
    Then it put winlogon(2) in its virus chest.

    I rebooted and logged in and I can see my desktop background image only. No start menu, no desktop icons?

    I bring up task manager c-a-del and notice it has started 7 iExplore.exe processes.
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    It is important that you do not delete any files from your Temp folder or use any temp file cleaners.

    1. Download Unhide.exe and save to the desktop.
    • Double-click on Unhide.exe icon to run the program.
    • This program will remove the +H, or hidden, attribute from all the files on your hard drives.
    Note: This does not remove the malware- only the attribute that hides icons and programs. It is important that you continue.
    2. Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, using your up/down arrows to reach it and then press ENTER.
    3. To end the processes that belong to the rogue program:
    Please click on RKill
    • At the download page, click on Download now button for iExplore.exe download link and save to the desktop
    • Double click on the iExplore.exe icon
    • Please be patient- it may take a bit.
    • The black Window will close when through and you can continue.
    Note: If you get a message that RKill is malware, ignore it> it's from the malware.
    Do not reboot your computer after running RKill as the malware programs will start again.
    4. Update and rescan with Malwarebytes:
    • Select Perform Full Scan on the Scanner tab
    • Click on the Scan button.
    • When scan has finished, you will see this image:
    • Click on OK to close box and continue.
    • Click on the Show Results button.
    • Click on the Remove Selected button to remove all the listed malware.
    • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
    5. Correct Display Changes if needed:
    If the desktop background is black or if the theme has been removed:
    For Windows XP: Click on Start> Control Panel> Display> change theme and/or background if needed.
    For Windows Vista or Windows 7: Click on Start> Control Panel> Appearance & Personalization> Select Change Theme or Change Desktop Background
    You can now reboot back into Normal Mode
    Please try the Eset scan again.
    Advise uninstall the following:
    Eusing Free Registry Cleaner> We do not recommend registry cleaners. The risk far outweighs any benefit.
    Viewpoint Media Player
  9. WhatAboutGary

    WhatAboutGary TS Rookie Topic Starter

    Started in safe mode
    Uninstalled eusing reg cleaner
    Ran Unhide
    Ran iExplorer RKill (no processes terminated)
    Malwarebytes Full Scan
    Log says 0 found.

    While malwarebytes is scanning... in process manager I can see:
    ----------------------------------iexplore.exe hxxt://
    --------------------------------------iexplore.exe scodef:6096 CREDAT:79866
    -----------------------------------(+ 6 other iexplore.exe processes)

    When I start iexplore.exe it starts under explorer.exe not services.exe?

    I try to reboot in normal mode, no luck, I can still only see my desktop image, no desktop icons, no start button or bar. ctrl-alt-del brings up task manager
    explorer.exe is not in the process tab, but I already have several iexplore.exe processes running.

    I was able to get to Eset in safe mode but when I check the box to agree with the license the button to start the scan is still disabled

    This is one tuff nut...
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    You have a lot of chances for malware to get into your system- unless you close those leaks, you will not stay clean- if I get you clean! And a note about logs: if I have you run a scan and it has a log, unless I tell you otherwise, you paste the log into your reply. This allows me to make sure you have run the correct program and version and the date of the scan.

    Eset is an online virus scan. You cannot run it in Safe Mode.
    Missing logs and results
    1. You ran Unhide> did it restore any of the 'missing' sections?
    2. You ran rKill but didn't leave the log.
    3. You ran TDSSKiller but did not leave the log
    4. You ran a Full Scan with Malwarebytes but did not leave the log

    Possible Malware
    You think you have a "black Internet virus". This appears to be related to Steam and the FPSBanana site (now Gamebanana) The descriptions of this problem were very 'colorful' loaded with every word that gets a kid's mouth washed out with soap! The site was said to have numerous exploits, viruses embedded in images. It was the kind of site a secure browser wouldn't even load!

    I don't find any safe or English-speaking site that describes Win32:Tatched-ADQ, but I do find
    Win32:patched-EQ which should have responded to the TDSSKiller.
    P2P Warning
    You have globally open TCP and UDP Ports for Shareaza which is a peer-to-peer file sharing client which supports the gnutella, Gnutella2 (G2), eDonkey, BitTorrent, FTP, HTTP and HTTPS network protocols and handles magnet links, ed2k links, and the now deprecated gnutella and Piolet links. It is available in 30 languages.
    You also have uTorrent installed.
    P2P or 'file sharing' Warning:
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall Shareaza, uTorrent and any other P2P programs for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.

    You have a globally open port for the PandoRest Listening Port, which I think is for port forwarding.
    explorer.exe vs iexplore.exe
    I want to make sure you understand that explorer.exe and iexplore.exe are 2 different processes. The first, explorer.exe, is the Windows File Manager. The latter, iexplore.exe, is the process for Internet Explorer. Using IE v8 is a common cause for multiple iexplore.exe processes.

    One thing you can do for the multiple iexplore.exe processes is Disable the Internet Connection Wizard which appears in the log as:
    uInternet Connection Wizard,ShellNext = iexplore >> Delete the entire Connection Wizard folder (it's in \Program Files\Internet Explorer).
    Use Windows Explorer to access Computer> Local Drive> Double click on Internet Explorer> look for the Connection Wizard folder and do a right click> Delete.

    The Internet Connection Wizard appears every time you want to access an Internet resource, including the necessary Windows Update feature. It appears whether or not you already have Internet access set up on the computer, and for that reason, it is considered an 'annoyance'.
    Boot Mode
    "When I start iexplore.exe it starts under explorer.exe not services.exe? I try to reboot in normal mode, no luck">>> Most likely due to this:

    c:\windows\explorer.exe . . . is infected!!
    c:\windows\system32\svchost.exe . . . is infected!! . . .Failed to restore. Attempting to replace on reboot
    Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

    You have Process Explorer, right? Can you use it to search the svchost.exe processes and see which one isn't functioning? I can try to replace these files, but there are multiple processes using svchost:
    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
    Shut down Sandboxie. It is supposedly trapping malware and it could be that we aren't reaching it to remove it.
    Please handle the issues I've mentioned. I'll set up the script to run through Combofix tomorrow. The system is badly infected and this will take work.
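An added example, not from this thread or from any of the tools it names, of the two checks asked for above: comparing the live explorer.exe, svchost.exe and winlogon.exe against the Service Pack copies the ComboFix log restored from (C:\Windows\ServicePackFiles\i386), and listing every iexplore.exe with its parent process the way Process Explorer shows it. It assumes Windows PowerShell is installed on the XP machine; the file list and the "expected parent is explorer.exe" rule are assumptions made for the example.

```powershell
# Added example (not the thread's code). Assumes the XP layout referred to above:
# Service Pack copies of system files live under $env:SystemRoot\ServicePackFiles\i386.
$systemRoot = $env:SystemRoot
$spFiles    = Join-Path $systemRoot 'ServicePackFiles\i386'
$checks     = @('explorer.exe', 'system32\svchost.exe', 'system32\winlogon.exe')  # assumed list

function Get-Sha256 ($path) {
    # Works on PowerShell 2.0, which has no Get-FileHash cmdlet.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($path)
    try   { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

# 1. Does each live system file still match the Service Pack copy?
foreach ($rel in $checks) {
    $live   = Join-Path $systemRoot $rel
    $backup = Join-Path $spFiles (Split-Path $rel -Leaf)
    if (-not (Test-Path $live) -or -not (Test-Path $backup)) { "SKIP  $rel (file missing)"; continue }
    $state = if ((Get-Sha256 $live) -eq (Get-Sha256 $backup)) { 'OK   ' } else { 'DIFF ' }
    "$state $live  vs  $backup"
}

# 2. Which process started each iexplore.exe? Build a PID -> process map first,
#    because Win32_Process only gives the parent's PID, not its name.
$procs = Get-WmiObject Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
foreach ($p in $procs | Where-Object { $_.Name -ieq 'iexplore.exe' }) {
    $parent     = $byPid[[int]$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    $flag = ''
    # IE 8 spawns one iexplore.exe per tab under the first iexplore.exe; the first one
    # is normally a child of explorer.exe. Anything else is worth a closer look.
    if ($p.ExecutablePath -notlike '*\Internet Explorer\iexplore.exe') { $flag += ' [unexpected path]' }
    if ($parentName -ine 'explorer.exe' -and $parentName -ine 'iexplore.exe') { $flag += ' [unexpected parent]' }
    'PID {0,6}  parent {1,-14} {2}{3}' -f $p.ProcessId, $parentName, $p.ExecutablePath, $flag
}
```

A DIFF line only means the live file differs from the Service Pack copy; post-SP hotfixes also replace these files, so treat it as a prompt to check the file's version and digital signature rather than as proof of infection.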

  11. WhatAboutGary

    WhatAboutGary TS Rookie Topic Starter

    Change of direction

    I removed the hard drive from the pc and connected it to another (via USB)

    AVG found Win32/Patched in
    and all my restore points.

    I purchased a new drive, installed
    Microsoft's Security Essentials
    Thinking about adding avast?

    I would also like to get the MyData stuff off the other drive before I wipe it out.
    Any suggestions? Anything I can do to be sure I don't transfer the virus to the new drive?

    Again, thanks for all your help
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    I cannot tell you which files are safe or clean.
    Although there was evidence of malware, I did not have a chance to identify what it was or the extent of it.

    I suspect a possible Virut or Ramnit file infector infection. Neither is cleanable and none of the following file types can be considered safe:
    1. any executable files (.exe .scr .html or .htm)
    2. compressed files (zip/cab/rar) that may contain .exe or .scr files

    Use one or the other- not both. Only one AV should be on a system. Multiple AVs actually make a system more vulnerable, not less and can also slow a system down.
    Here are some security suggestions that may help after the reformat/reinstall:

    Tips for added security and safer browsing: (Links are in Bold Blue)
    1. Browser Security
      • Safe Settings (Please ignore the suggestion to use the Registry Editor in this section "Creating a Custom Security Zone")
      • ZonedOut. This manages the Zones in Internet Explorer. (For IE7 and IE8, Windows 2000 thru Vista. No Windows 7)
      • Replace the Host Files
      • Google Toolbar Pop Up Blocker
      • Web of Trust (WOT) Site Advisor. Traffic-light rating symbols show which rate the site for Trustworthiness, Vendor Reliability, Privacy, Child Safety.
    2. Have layered Security:
      • Antivirus (only one): Both of the following programs are free and known to be good:
      • Avast-Free Antivirus
      • Firewall (only one): Use a bi-directional firewall. Both of the following programs are free and known to be good:
      • Zone Alarm
    3. Antimalware: I recommend all of the following:
      • Spywareblaster: SpywareBlaster protects against bad ActiveX.
      • Spybot Search & Destroy
    4. Updates: Stay current:
      • Check the Microsoft Download Site frequently. All updates marked Critical and the current SP updates.
      • Adobe Reader: Install current, uninstall old.
      • Java Updates: Install current, uninstall old.
    5. Tracking Cookies
      Reset Cookies:
      • For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      • For Firefox: Tools> Options> Privacy> Cookies> check 'accept Cookies from Sites'> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
      • For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
    6. Do regular Maintenance
      Clean the temporary internet files often:
      • Temporary File Cleaner
      • ATF Cleaner by Atribune
    7. Restore Points:
      • See System Restore Guide
    8. Safe Email Handling
      • Don't open email from anyone you don't know.
      • Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click
      • Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
    Please let me know if you find any bad link.
  13. WhatAboutGary

    WhatAboutGary TS Rookie Topic Starter

    Thanks again for all your help!
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    You're welcome.
Topic Status:
Not open for further replies.