Solved Calc1 virus?


mooney12

OK, I think I got this baddy removed; scanning again with Malwarebytes. Is there anything you guys can do to help me make sure my system is clean and smooth?
 
130,000 files scanned, 1 more item detected; stay tuned as the Durandal gets screwed to oblivion!!! :(
 
Welcome to TechSpot!

If you would like us to check the system for malware, please follow these steps: Preliminary Virus and Malware Removal.

NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

When you have finished, leave the logs for review in your next reply.
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
============================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't follow directions given to someone else
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
Threads are closed after 5 days if there is no reply.
 
Malwarebytes
GMER
DDS logs

Malwarebytes Anti-Malware (PRO) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.02.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
Eric :: DURANDAL [administrator]

Protection: Enabled

6/2/2012 4:57:24 AM
mbam-log-2012-06-02 (04-57-24).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 252703
Time elapsed: 20 minute(s), 54 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512
Run by Eric at 10:45:56 on 2012-06-02
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2526 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\11.0.2\ToolbarUpdater.exe
C:\Program Files\AVG Secure Search\vprot.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\AVG\AVG2012\avgui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Eric\My Documents\Downloads\bwh18b4d.exe
.
============== Pseudo HJT Report ===============
.
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - c:\program files\avg\avg2012\avgdtiex.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\11.0.0.9\AVG Secure Search_toolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\11.0.0.9\AVG Secure Search_toolbar.dll
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe" /MINIMIZED
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [StartCCC] "c:\program files\ati\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\avg\avg2012\avgdtiex.dll
TCP: Interfaces\{EF58EFC9-6A4E-4F67-91A0-7A182AB709F7} : DhcpNameServer = 192.168.1.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\11.0.2\ViProtocol.dll
Notify: AtiExtEvent - Ati2evxx.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\eric\application data\mozilla\firefox\profiles\5n7ab7ej.default\
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7Bb992c3be-0020-4f20-8b15-031c06479e5a%7D&mid=e6288b2ce2af47d0826fd16a129d2f76-8bf14b7f6f768ab47dac3155673353c721026280&ds=AVG&v=11.0.0.9&lang=en&pr=fr&d=2012-06-02%2005%3A24%3A41&sap=ku&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\common files\avg secure search\sitesafetyinstaller\11.0.2\npsitesafety.dll
FF - plugin: c:\program files\microsoft silverlight\3.0.40624.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_235.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2012-1-31 31952]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2012-2-22 235216]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-12-23 41040]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2012-3-19 301248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2012-2-14 193288]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-6-1 654408]
R2 vToolbarUpdater11.0.2;vToolbarUpdater11.0.2;c:\program files\common files\avg secure search\vtoolbarupdater\11.0.2\ToolbarUpdater.exe [2012-6-2 932736]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 139856]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [2011-12-23 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 17232]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-6-1 22344]
S0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 24896]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\avgidsagent.exe [2012-4-30 5106744]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-6-1 257696]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-6-1 129976]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2012-1-5 874240]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-06-02 09:26:43 -------- d-----w- c:\documents and settings\eric\application data\AVG2012
2012-06-02 09:24:54 -------- d-----w- c:\documents and settings\eric\local settings\application data\AVG Secure Search
2012-06-02 09:24:42 -------- d-----w- c:\documents and settings\eric\application data\AVG Secure Search
2012-06-02 09:24:41 -------- d-----w- c:\documents and settings\all users\application data\AVG Secure Search
2012-06-02 09:24:38 -------- d-----w- c:\program files\common files\AVG Secure Search
2012-06-02 09:24:37 -------- d-----w- c:\program files\AVG Secure Search
2012-06-02 09:24:03 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2012-06-02 09:23:47 -------- d--h--w- C:\$AVG
2012-06-02 09:23:47 -------- d-----w- c:\windows\system32\drivers\AVG
2012-06-02 09:23:47 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
2012-06-02 09:23:35 -------- d-----w- c:\program files\AVG
2012-06-02 08:52:56 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2012-06-02 06:36:28 -------- d-----w- c:\program files\Steam
2012-06-02 05:46:14 274288 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 05:46:14 215920 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 05:46:14 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-06-02 00:48:37 -------- d-----w- c:\documents and settings\eric\Tracing
2012-06-02 00:46:59 -------- d-----w- c:\program files\Microsoft
2012-06-02 00:46:44 -------- d-----w- c:\program files\Windows Live SkyDrive
2012-06-02 00:45:59 4927864 ----a-w- c:\program files\common files\windows live\.cache\13efff581cd4059\Silverlight.2.0.exe
2012-06-02 00:44:13 -------- d-----w- c:\windows\system32\SoftwareDistribution
2012-06-02 00:44:02 -------- d-----w- c:\program files\common files\Windows Live
2012-06-02 00:38:06 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-02 00:38:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-06-02 00:22:32 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-02 00:22:32 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-02 00:21:36 -------- d-----w- c:\program files\Yahoo!
2012-06-02 00:19:05 -------- d-----w- c:\documents and settings\eric\local settings\application data\Google
2012-06-02 00:19:05 -------- d-----w- c:\documents and settings\eric\local settings\application data\CRE
2012-06-02 00:19:03 -------- d-----w- c:\program files\Conduit
2012-06-02 00:19:02 -------- d-----w- c:\documents and settings\eric\local settings\application data\Temp
2012-06-02 00:19:02 -------- d-----w- c:\documents and settings\eric\local settings\application data\Conduit
2012-06-02 00:10:12 -------- d-----w- c:\documents and settings\eric\application data\Malwarebytes
2012-06-02 00:10:12 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-05-30 22:12:50 -------- d-----w- C:\MEDIA
2012-05-30 09:27:32 -------- d-----w- C:\Mega Man X series - Maverick Rising
2012-05-30 09:27:29 -------- d-----w- C:\Wild Arms - ARMed and DANGerous
2012-05-30 09:20:51 -------- d-----w- C:\Starcraft
2012-05-30 04:18:51 -------- d-----w- c:\program files\tibia
2012-05-26 15:28:29 -------- d-----w- C:\64b5ac13142b2ede404e9eb7ad
2012-05-24 19:43:14 -------- d-----w- c:\program files\StarCraft II
2012-05-24 19:43:14 -------- d-----w- c:\program files\common files\Blizzard Entertainment
2012-05-24 19:43:14 -------- d-----w- c:\documents and settings\all users\application data\Blizzard Entertainment
2012-05-19 13:39:49 -------- d-sh--w- C:\Boot
2012-05-19 09:52:36 -------- d-sh--w- C:\$RECYCLE.BIN
2012-05-18 19:38:05 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2012-05-18 19:38:05 21504 ----a-w- c:\windows\system32\hidserv.dll
2012-05-18 19:38:02 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2012-05-18 19:38:02 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2012-05-18 19:37:52 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2012-05-18 19:37:52 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2012-05-14 18:14:29 -------- d-----w- c:\windows\system32\AGEIA
2012-05-14 18:14:20 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2012-05-11 17:03:06 -------- d-----w- c:\documents and settings\eric\local settings\application data\WMTools Downloaded Files
2012-05-11 16:32:22 421888 ----a-w- c:\windows\system32\ac3filter.acm
2012-05-11 16:32:18 -------- d-----w- c:\program files\XP Codec Pack
2012-05-06 14:28:55 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-05-06 14:28:55 -------- d-----w- c:\windows\system32\wbem\Repository
2012-05-04 20:54:29 -------- d-----w- c:\program files\InterActual
.
==================== Find3M ====================
.
2012-05-24 17:41:38 967 ----a-w- c:\windows\ScUnin.pif
2012-05-24 17:41:38 94208 ----a-w- c:\windows\ScUnin.exe
2012-04-19 08:50:26 24896 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2012-04-06 16:32:36 1288192 ----a-w- c:\windows\system32\VSFilter.dll
2012-04-06 16:32:24 472576 ----a-w- c:\windows\system32\AviSplitter.ax
2012-04-06 16:32:08 659456 ----a-w- c:\windows\system32\RealMediaSplitter.ax
2012-04-06 16:32:00 548352 ----a-w- c:\windows\system32\MatroskaSplitter.ax
2012-03-19 09:17:28 301248 ----a-w- c:\windows\system32\drivers\avgtdix.sys
.
============= FINISH: 10:46:09.42 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 1/5/2012 1:40:03 PM
System Uptime: 6/2/2012 4:55:07 AM (6 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | P5Q SE PLUS
Processor: Intel Pentium III Xeon processor | LGA775 | 2792/266mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 553 GiB total, 458.387 GiB free.
E: is FIXED (NTFS) - 44 GiB total, 0.353 GiB free.
F: is CDROM ()
G: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Audio Device on High Definition Audio Bus
Device ID: HDAUDIO\FUNC_01&VEN_1002&DEV_AA01&SUBSYS_00AA0100&REV_1001\5&1E1AB84C&0&0001
Manufacturer:
Name: Audio Device on High Definition Audio Bus
PNP Device ID: HDAUDIO\FUNC_01&VEN_1002&DEV_AA01&SUBSYS_00AA0100&REV_1001\5&1E1AB84C&0&0001
Service:
.
Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: VIA High Definition Audio
Device ID: HDAUDIO\FUNC_01&VEN_1106&DEV_0397&SUBSYS_10438346&REV_1000\4&22BA60&0&0001
Manufacturer: VIA Technologies, Inc.
Name: VIA High Definition Audio
PNP Device ID: HDAUDIO\FUNC_01&VEN_1106&DEV_0397&SUBSYS_10438346&REV_1000\4&22BA60&0&0001
Service: VIAHdAudAddService
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC
Device ID: PCI\VEN_10EC&DEV_8168&SUBSYS_82C61043&REV_02\4&20515DB1&0&00E5
Manufacturer: Realtek Semiconductor Corp.
Name: Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC
PNP Device ID: PCI\VEN_10EC&DEV_8168&SUBSYS_82C61043&REV_02\4&20515DB1&0&00E5
Service: RTLE8023xp
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: SM Bus Controller
Device ID: PCI\VEN_8086&DEV_3A30&SUBSYS_82D41043&REV_00\3&11583659&0&FB
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_8086&DEV_3A30&SUBSYS_82D41043&REV_00\3&11583659&0&FB
Service:
.
==== System Restore Points ===================
.
RP47: 3/4/2012 5:02:53 PM - System Checkpoint
RP48: 3/6/2012 6:55:23 PM - System Checkpoint
RP49: 3/8/2012 2:18:27 AM - System Checkpoint
RP50: 3/12/2012 6:13:59 AM - System Checkpoint
RP51: 3/17/2012 12:34:30 PM - System Checkpoint
RP52: 3/18/2012 3:24:31 PM - System Checkpoint
RP53: 3/19/2012 10:29:48 PM - System Checkpoint
RP54: 3/21/2012 5:35:17 PM - System Checkpoint
RP55: 3/22/2012 6:13:39 PM - System Checkpoint
RP56: 3/24/2012 4:12:31 PM - System Checkpoint
RP57: 3/25/2012 5:50:11 PM - System Checkpoint
RP58: 3/26/2012 6:07:25 PM - System Checkpoint
RP59: 3/27/2012 6:43:26 PM - System Checkpoint
RP60: 3/30/2012 3:34:10 PM - System Checkpoint
RP61: 3/31/2012 4:47:52 PM - System Checkpoint
RP62: 4/1/2012 5:29:28 PM - System Checkpoint
RP63: 4/2/2012 5:47:51 PM - System Checkpoint
RP64: 4/3/2012 6:40:26 PM - System Checkpoint
RP65: 4/5/2012 6:30:02 PM - System Checkpoint
RP66: 4/6/2012 6:58:27 PM - System Checkpoint
RP67: 4/7/2012 7:22:27 PM - System Checkpoint
RP68: 4/8/2012 8:46:27 PM - System Checkpoint
RP69: 4/9/2012 9:22:27 PM - System Checkpoint
RP70: 4/20/2012 3:16:34 PM - System Checkpoint
RP71: 4/21/2012 3:28:49 PM - System Checkpoint
RP72: 4/23/2012 2:39:56 PM - System Checkpoint
RP73: 4/24/2012 4:56:10 PM - System Checkpoint
RP74: 4/27/2012 1:13:40 PM - System Checkpoint
RP75: 4/30/2012 11:43:39 AM - System Checkpoint
RP76: 5/1/2012 9:52:32 PM - System Checkpoint
RP77: 5/2/2012 7:01:14 PM - Installed Project64 1.6
RP78: 5/3/2012 7:33:06 PM - System Checkpoint
RP79: 5/6/2012 10:28:38 AM - Restore Operation
RP80: 5/8/2012 8:48:34 AM - System Checkpoint
RP81: 5/9/2012 11:43:45 AM - System Checkpoint
RP82: 5/10/2012 11:47:53 AM - System Checkpoint
RP83: 5/11/2012 12:50:11 PM - System Checkpoint
RP84: 5/12/2012 2:54:13 PM - System Checkpoint
RP85: 5/13/2012 3:30:50 PM - System Checkpoint
RP86: 5/14/2012 2:14:16 PM - Installed Microsoft Visual C++ 2005 Redistributable
RP87: 5/14/2012 2:14:27 PM - Installed AGEIA PhysX v7.07.09
RP88: 5/14/2012 2:14:56 PM - Installed Medal of Honor Airborne
RP89: 5/17/2012 9:05:33 AM - System Checkpoint
RP90: 5/18/2012 11:35:14 AM - System Checkpoint
RP91: 5/21/2012 3:14:05 PM - System Checkpoint
RP92: 5/24/2012 11:16:00 AM - System Checkpoint
RP93: 5/25/2012 5:30:20 AM - Installed EasyTether
RP94: 5/25/2012 5:31:32 AM - Installed EasyTether
RP95: 5/25/2012 5:35:47 AM - Installed EasyTether
RP96: 5/25/2012 5:38:24 AM - Installed EasyTether
RP97: 6/1/2012 8:45:03 PM - Installed Zune Desktop Theme
RP98: 6/2/2012 5:23:34 AM - Installed AVG 2012
RP99: 6/2/2012 5:23:43 AM - Installed AVG 2012
.
==== Installed Programs ======================
.
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 9.2
AGEIA PhysX v7.07.09
AMD APP SDK Runtime
AMD Catalyst Install Manager
Arx Fatalis
AVG 2012
Call of Duty(R) 4 - Modern Warfare(TM)
Catalyst Control Center
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
ccc-utility
CCC Help English
Counter-Strike
Counter-Strike: Condition Zero
Counter-Strike: Condition Zero Deleted Scenes
Counter-Strike: Source
Day of Defeat
Day of Defeat: Source
Deathmatch Classic
DOOM 3
DOOM 3: Resurrection of Evil
Far Cry
GameSpy Arcade
Genesis Rising
Half-Life 2
Half-Life 2: Deathmatch
Junk Mail filter update
Malwarebytes Anti-Malware version 1.61.0.1400
Medal of Honor Airborne
Microsoft .NET Framework 2.0
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Halo
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Morrowind
Mozilla Firefox 12.0 (x86 en-US)
Mozilla Maintenance Service
MSVCRT
MSXML 4.0 SP2 Parser and SDK
Oblivion
Platform
Project64 1.6
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Rome: Total War Gold Edition
Segoe UI
SimCity 3000
Starcraft
StarCraft II
Stronghold Crusader
Team Fortress Classic
TES Construction Set
The Elder Scrolls V: Skyrim
Tibia 7.6
Tom Clancy's Ghost Recon
Unreal Tournament: Game of the Year Edition
VIA Platform Device Manager
WebFldrs XP
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
WinRAR 4.11 (32-bit)
X-COM: Terror from the Deep
XP Codec Pack
Xtreme Sound PCI
Xtreme Sound PCI Audio Driver
Yahoo! Messenger
Yahoo! Software Update
Yahoo! Toolbar
Zune Desktop Theme

==== Event Viewer Messages From Past Week ========
.
6/2/2012 3:44:00 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
6/1/2012 8:32:07 PM, error: Service Control Manager [7000] - The MBAMService service failed to start due to the following error: The system cannot find the file specified.
6/1/2012 8:30:12 PM, error: Service Control Manager [7001] - The MBAMService service depends on the MBAMProtector service which failed to start because of the following error: The system cannot find the file specified.
6/1/2012 8:30:12 PM, error: Service Control Manager [7000] - The MBAMProtector service failed to start due to the following error: The system cannot find the file specified.
6/1/2012 8:19:40 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.CRT. Reference error message: The referenced assembly is not installed on your system. .
6/1/2012 8:19:40 PM, error: SideBySide [59] - Generate Activation Context failed for E:\Program Files (x86)\Yahoo!\Messenger\rmc_audio.dll. Reference error message: The operation completed successfully. .
6/1/2012 8:19:40 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
5/29/2012 2:41:39 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
5/29/2012 2:26:39 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
.
==== End Of File ===========================
 
I would also like to note that I scanned twice with AVG and found nothing but tracking cookies.
 
It would be helpful if you gave me some description of any actual problems you're having.
==================================================
Let's talk about your system:
Microsoft Windows XP Home Edition
Install Date: 1/5/2012 1:40:03 PM

1. No security updates
2. Antivirus installed today
3. No other security

Please fill me in on some history of this system.
===============================================

I'd like you to run Combofix, but it won't run with AVG. You will need to temporarily uninstall AVG as follows:

Download AppRemover and save to the desktop
  1. Double click the setup on the desktop> click Next
  2. Select “Remove Security Application”
  3. Let scan finish to determine security apps
  4. A screen like below will appear:
  5. Click on Next after choice has been made
  6. Check the AVG program you want to uninstall
  7. After uninstall shows complete, follow online prompts to Exit the program.
Temporary AV: Use one:
Microsoft Security Essentials
Comodo AV
Avast! Free Antivirus
=============================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------

  • Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe
      & follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
    • Note: No query will be made if the Recovery Console is already on the system.
  • Close any open browsers.
  • Before you run the Combofix scan, please disable any security software you have running.
    (If you need help with this, please see HERE)
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.
Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
================================================

To run the Eset Online Virus Scan:
If you use Internet Explorer:
  1. Open the ESETOnlineScan
  2. Skip to #4 to "Continue with the directions"

    If you are using a browser other than Internet Explorer
  3. Open Eset Smart Installer
    [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
    [o] Double click on the desktop icon to run.
    [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
  4. Continue with the directions.
  5. Check 'Yes I accept terms of use.'
  6. Click Start button
  7. Accept any security warnings from your browser.
  8. Uncheck 'Remove found threats'
  9. Check 'Scan archives'
  10. Leave remaining settings as is.
  11. Press the Start button.
  12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  13. When the scan completes, press List of found threats
  14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  15. Push the Back button, then Finish
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
===========================================
Download CKScanner and save to your desktop.
  • Doubleclick CKScanner.exe and click Search For Files.
  • When the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
===========================================
Please leave logs in your next reply.
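The DDS log posted above is read by hand: the AV line, the running processes, the Pseudo HJT Report (BHOs and Run keys) and the Firefox prefs, which is what the "Let's talk about your system" summary boils down to. As an added example that is not part of this thread, of TechSpot's procedure or of the DDS tool itself, the Python below automates that first pass over a constructed excerpt modelled on the posted log. The flagging rules (process images under user-writable paths, BHOs marked "No File", the keyword.URL host) are the editor's own heuristics; DDS only lists items, it does not judge them, and a hit is a prompt to verify, not a verdict.

```python
"""Triage a DDS log the way a forum helper reads it by eye.
Added example, not part of this thread or of the DDS tool. SAMPLE_DDS is a
constructed excerpt modelled on the log posted above; the flagging rules are
the editor's own heuristics (DDS lists items, it does not judge them)."""
import re

SAMPLE_DDS = r"""DDS (Ver_2011-08-26.01) - NTFSx86
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Eric\My Documents\Downloads\bwh18b4d.exe
.
============== Pseudo HJT Report ===============
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe" /MINIMIZED
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
.
================= FIREFOX ===================
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7Bb992c3be%7D&q=
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
AV_RE = re.compile(r"^AV: (.+?) \*(\w+)/(\w+)\*")
# A profile or temp directory is writable without admin rights, so a process image there gets a second look.
USER_PATH_RE = re.compile(r"\\(documents and settings|users)\\[^\\]+\\|\\temp\\", re.I)
ORPHAN_BHO_RE = re.compile(r"^BHO: .*?(\{[^}]+\}) - No File$")
# HijackThis-style prefixes: uRun = the user's HKCU Run key, mRun = HKLM.
RUN_RE = re.compile(r"^([um]Run): \[(.+?)\] (.+)$")
DEFANGED_URL_RE = re.compile(r"hxxps?://([^/\s]+)")  # DDS writes hxxp for http


def parse_sections(text):
    """Split a DDS log into {banner title: lines}; the preamble goes under 'HEADER'."""
    sections = {"HEADER": []}
    current = "HEADER"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":  # DDS emits '.' as a spacer line
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def av_status(header):
    """(product, enabled state, update state) from the 'AV:' line, or None."""
    for line in header:
        m = AV_RE.match(line)
        if m:
            return m.groups()
    return None


def user_writable_processes(processes):
    """Processes whose image lives in a user-writable path.  A hit means
    'verify', not 'malware': freshly downloaded tools land here too (GMER,
    for one, is served under a random file name)."""
    return [p for p in processes if USER_PATH_RE.search(p)]


def orphaned_bhos(hjt):
    """CLSIDs of Browser Helper Objects whose DLL is gone ('No File')."""
    return [m.group(1) for m in map(ORPHAN_BHO_RE.match, hjt) if m]


def run_keys(hjt):
    """Autostart entries as (scope, name, command) tuples."""
    return [m.groups() for m in map(RUN_RE.match, hjt) if m]


def firefox_keyword_url_host(ff):
    """Host that Firefox address-bar searches are sent to, or None."""
    for line in ff:
        if "keyword.URL" in line:
            m = DEFANGED_URL_RE.search(line)
            return m.group(1) if m else None
    return None


def triage(text):
    """One-pass summary of what a helper checks first in a DDS log."""
    s = parse_sections(text)
    hjt = s.get("Pseudo HJT Report", [])
    return {
        "av": av_status(s["HEADER"]),
        "user_path_processes": user_writable_processes(s.get("Running Processes", [])),
        "orphaned_bhos": orphaned_bhos(hjt),
        "run_keys": run_keys(hjt),
        "ff_keyword_url_host": firefox_keyword_url_host(s.get("FIREFOX", [])),
    }
```

Call triage() with the text of a real DDS.txt to get the same summary; on the constructed sample it reports AVG as Disabled/Updated, one process launched from the Downloads folder, one BHO with no backing DLL, two Run entries and isearch.avg.com as the address-bar search host. The process hit is exactly the kind of item a helper then verifies by hand rather than deletes, since the user had just run GMER from that folder.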
 
ComboFix 12-06-02.02 - Eric 06/02/2012 12:21:25.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2664 [GMT -4:00]
Running from: c:\documents and settings\Eric\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}


AVG WAS UNINSTALLED VIA APPREMOVER AND DEFAULT PROGRAMS, probably a registry error? <<<<<<<<<<<<<<<<<<<<<<<<<<<

.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Eric\WINDOWS
.
.
((((((((((((((((((((((((( Files Created from 2012-05-02 to 2012-06-02 )))))))))))))))))))))))))))))))
.
.
2012-06-02 09:26 . 2012-06-02 09:26 -------- d-----w- c:\documents and settings\Eric\Application Data\AVG2012
2012-06-02 09:24 . 2012-06-02 09:24 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2012-06-02 09:23 . 2012-06-02 15:50 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2012-06-02 09:23 . 2012-06-02 15:45 -------- d-----w- C:\$AVG
2012-06-02 08:52 . 2012-06-02 15:46 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2012-06-02 06:36 . 2012-06-02 16:05 -------- d-----w- c:\program files\Steam
2012-06-02 05:46 . 2009-08-06 23:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 05:46 . 2009-08-06 23:23 215920 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 00:48 . 2012-06-02 16:05 -------- d-----w- c:\documents and settings\Eric\Tracing
2012-06-02 00:47 . 2012-06-02 00:47 -------- d-----w- c:\program files\Microsoft Silverlight
2012-06-02 00:46 . 2012-06-02 00:46 -------- d-----w- c:\program files\Microsoft
2012-06-02 00:46 . 2012-06-02 00:46 -------- d-----w- c:\program files\Windows Live SkyDrive
2012-06-02 00:46 . 2012-06-02 00:47 -------- d-----w- c:\program files\Windows Live
2012-06-02 00:44 . 2012-06-02 00:44 -------- d-----w- c:\program files\Common Files\Windows Live
2012-06-02 00:38 . 2012-06-02 00:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-06-02 00:38 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-02 00:22 . 2012-06-02 00:23 -------- d-----w- c:\documents and settings\Eric\Application Data\Yahoo!
2012-06-02 00:22 . 2012-06-02 00:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2012-06-02 00:22 . 2012-06-02 00:55 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-02 00:22 . 2012-06-02 00:55 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-02 00:22 . 2012-06-02 00:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2012-06-02 00:21 . 2012-06-02 00:22 -------- d-----w- c:\program files\Yahoo!
2012-06-02 00:19 . 2012-06-02 00:19 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\Google
2012-06-02 00:19 . 2012-06-02 00:19 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\CRE
2012-06-02 00:19 . 2012-06-02 00:19 -------- d-----w- c:\program files\Conduit
2012-06-02 00:19 . 2012-06-02 08:28 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\Conduit
2012-06-02 00:19 . 2012-06-02 00:19 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\Temp
2012-06-02 00:10 . 2012-06-02 00:10 -------- d-----w- c:\documents and settings\Eric\Application Data\Malwarebytes
2012-06-02 00:10 . 2012-06-02 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-06-02 00:09 . 2012-06-02 00:09 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\Mozilla
2012-06-02 00:09 . 2012-06-02 00:09 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-05-30 22:12 . 2012-05-30 22:22 -------- d-----w- C:\MEDIA
2012-05-30 09:27 . 2012-05-30 09:27 -------- d-----w- C:\Mega Man X series - Maverick Rising
2012-05-30 09:27 . 2012-05-30 09:27 -------- d-----w- C:\Wild Arms - ARMed and DANGerous
2012-05-30 09:20 . 2012-06-02 07:01 -------- d-----w- C:\Starcraft
2012-05-30 04:18 . 2012-05-30 04:18 -------- d-----w- c:\program files\tibia
2012-05-26 15:28 . 2012-05-26 15:28 -------- d-----w- C:\64b5ac13142b2ede404e9eb7ad
2012-05-24 19:43 . 2012-05-30 16:21 -------- d-----w- c:\program files\StarCraft II
2012-05-24 19:43 . 2012-05-25 05:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2012-05-24 19:43 . 2012-05-24 20:15 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2012-05-19 13:39 . 2012-06-01 19:32 -------- d-----w- C:\Boot
2012-05-18 19:38 . 2008-04-14 09:41 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2012-05-18 19:38 . 2008-04-14 09:41 21504 ----a-w- c:\windows\system32\hidserv.dll
2012-05-18 19:38 . 2008-04-14 04:09 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2012-05-18 19:38 . 2008-04-14 04:09 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2012-05-18 19:37 . 2008-04-14 04:15 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2012-05-18 19:37 . 2008-04-14 04:15 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2012-05-14 18:15 . 2012-05-14 18:15 -------- d-----w- c:\program files\Electronic Arts
2012-05-14 18:14 . 2012-05-14 18:14 -------- d-----w- c:\program files\AGEIA Technologies
2012-05-14 18:14 . 2012-05-14 18:14 -------- d-----w- c:\windows\system32\AGEIA
2012-05-14 18:14 . 2012-05-14 18:14 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2012-05-11 17:03 . 2012-05-11 17:03 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\WMTools Downloaded Files
2012-05-11 16:32 . 2008-07-09 09:05 421888 ----a-w- c:\windows\system32\ac3filter.acm
2012-05-11 16:32 . 2012-05-11 16:32 -------- d-----w- c:\program files\XP Codec Pack
2012-05-11 16:07 . 2012-06-02 07:41 -------- d-----w- c:\documents and settings\Eric\Application Data\Media Player Classic
2012-05-06 14:28 . 2012-05-06 14:28 -------- d-----w- c:\windows\system32\wbem\Repository
2012-05-04 20:54 . 2012-05-04 20:54 -------- d-----w- c:\program files\InterActual
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-24 17:41 . 2012-04-05 23:07 967 ----a-w- c:\windows\ScUnin.pif
2012-05-24 17:41 . 2012-04-05 23:07 94208 ----a-w- c:\windows\ScUnin.exe
2012-05-02 23:01 . 2012-05-02 23:01 40960 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2012-05-02 23:01 . 2012-05-02 23:01 40960 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
2012-04-06 16:32 . 2012-04-06 16:32 1288192 ----a-w- c:\windows\system32\VSFilter.dll
2012-04-06 16:32 . 2012-04-06 16:32 472576 ----a-w- c:\windows\system32\AviSplitter.ax
2012-04-06 16:32 . 2012-04-06 16:32 659456 ----a-w- c:\windows\system32\RealMediaSplitter.ax
2012-04-06 16:32 . 2012-04-06 16:32 548352 ----a-w- c:\windows\system32\MatroskaSplitter.ax
2012-04-21 01:19 . 2012-06-02 00:09 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2012-05-25 6595928]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI\ATI.ACE\Core-Static\CLIStart.exe" [2011-11-10 98304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDAudDeck]
2008-09-16 15:37 30023680 ----a-r- c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\steam\\Steam.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"e:\\Program Files (x86)\\Steam\\steamapps\\sigfried01515\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\X-COM Terror from the Deep\\runme.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\X-COM Terror from the Deep\\TFD\\Terror From the Deep_patched.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base21029\\SC2.exe"=
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/1/2012 8:38 PM 654408]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/1/2012 8:38 PM 22344]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [6/1/2012 8:22 PM 257696]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [6/1/2012 8:09 PM 129976]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [1/5/2012 2:45 PM 874240]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-02 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-02 00:55]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 75.75.75.75 75.75.75.76 75.75.76.76
FF - ProfilePath - c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\5n7ab7ej.default\
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3072253&SearchSource=2&q=
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-CmPCIaudio - CMICNFG3.CPL
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-02 12:23
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(644)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(2436)
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
Completion time: 2012-06-02 12:24:26
ComboFix-quarantined-files.txt 2012-06-02 16:24
.
Pre-Run: 492,046,622,720 bytes free
Post-Run: 493,124,915,200 bytes free
.
- - End Of File - - 1177626269214436D2BE563157F829EC

CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\eric\desktop\music\mega man x series - maverick rising\flac\disc 3 - vile\3-09 crawfish crackdown [mmx3 - crush crawfish stage] (devastus).flac
c:\documents and settings\eric\my documents\downloads\malwarebytes.anti.malware.v1.51.2.1300.incl.keygen-fff\fff.nfo
c:\documents and settings\eric\my documents\downloads\malwarebytes.anti.malware.v1.51.2.1300.incl.keygen-fff\mbam-setup-1.51.2.1300.exe
c:\documents and settings\eric\my documents\downloads\malwarebytes.anti.malware.v1.51.2.1300.incl.keygen-fff\read me.txt
c:\program files\firefly studios\stronghold crusader\gm\cracks.gm1
c:\program files\steam\steamapps\downloading\15300\mods\origmiss\map\mp05_docks\mp05_cracks.rsb
c:\program files\steam\steamapps\downloading\15300\mods\origmiss\map\training\tr_flr_con_ext_cracks.rsb
c:\program files\steam\steamapps\downloading\3230\data\resources\bodies\characters\aged_juno\a_normal_neckcrack.anim
c:\program files\steam\steamapps\downloading\3230\data\resources\bodies\characters\juno\a_normal_neckcrack.anim
scanner sequence 3.ED.11.EXAASH
----- EOF -----

ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=c14ba73a1e2a4742af76d1818084c045
# end=finished
# remove_checked=false
# archives_checked=false <<<<<<< accidentally skipped this step, am running a new scan
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-06-02 05:36:59
# local_time=2012-06-02 01:36:59 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777175 100 0 0 0 0 0
# compatibility_mode=3073 16777177 80 71 0 14236687 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=236334
# found=1
# cleaned=0
# scan_time=3552
E:\Users\Eric\Downloads\Programs\cnet2_ashampoo_internet_accelerator_3_3_20_sm_exe.exe a variant of Win32/InstallCore.D application (unable to clean) 00000000000000000000000000000000 I
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
 
c:\documents and settings\eric\my documents\downloads\malwarebytes.anti.malware.v1.51.2.1300.incl.keygen-fff\fff.nfo
c:\documents and settings\eric\my documents\downloads\malwarebytes.anti.malware.v1.51.2.1300.incl.keygen-fff\mbam-setup-1.51.2.1300.exe
c:\documents and settings\eric\my documents\downloads\malwarebytes.anti.malware.v1.51.2.1300.incl.keygen-fff\read me.txt

You pirated a free security scan to see if you have malware? Please explain the reasoning for this.
===================================================

Please run the MGA Diagnostics tool
  • You will be prompted to either “Run” or “Save” the tool. Choose to “Run” the tool and follow the on-screen prompts.
  • You will receive an Internet Explorer-Security Warning dialog box for the Windows Genuine Advantage Diagnostic Tool>
  • You must choose to Run this tool when prompted.
  • Once you are presented with the Diagnostics tool choose Continue to run the diagnostic report.
  • If the RESOLVE button is available after running the diagnostics, please click RESOLVE to allow the diagnostic tool to attempt a repair.
  • After running the MGA Diagnostic tool, click on the Windows tab and then click on Copy
  • Please return to this thread and Paste the results here for review.
------------------------------------------
This tool is to look on the computer itself, in the documentation you received with the computer or with your retail purchase of Windows to see if you have a Certificate of Authenticity (COA). If you have one, tell us about the COA. Tell us:

1. What edition of Windows is it for, Home, Pro, or Media Center, or another version of Windows?
2. Does it read "OEM Software" or "OEM Product" in black lettering?
3. Or, does it have the computer manufacturer's name in black lettering?
4. DO NOT post the Product Key.

NOTE: The data collected with the Genuine Diagnostics Tool does NOT contain any information that can personally identify you and can be fully reviewed, by you, before being posted.
 
I will uninstall it immediately. And I did so because I wanted the full version to keep my computer protected, but I guess that's the wrong way to go, and I don't torrent/pirate stuff anymore as it can compromise your security.

It's Home.
I know that my version is an OEM CD that I purchased from Newegg.

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****
Windows Product Key Hash: LnX6kODCVjgbzNTVqt2ExJ4ACoA=
Windows Product ID: 76477-OEM-2156761-66574
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 5.1.2600.2.00010300.3.0.hom
ID: {A69C8342-668E-429C-A78D-3522DD18A7C1}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.9.42.0
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: B4D0AA8B-543-80070002_025D1FF3-230-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{A69C8342-668E-429C-A78D-3522DD18A7C1}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010300.3.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-QT2PG</PKey><PID>76477-OEM-2156761-66574</PID><PIDType>3</PIDType><SID>S-1-5-21-1275210071-113007714-1801674531</SID><SYSTEM><Manufacturer>System manufacturer</Manufacturer><Model>System Product Name</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>1501 </Version><SMBIOSVersion major="2" minor="5"/><Date>20081007000000.000000+000</Date></BIOS><HWID>B75D3F9701842079</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 145E0:ASUSTeK Computer Inc|15C81:GENUINE C&C INC
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

OEM Activation 2.0 Data-->
N/A
 
I think I got this baddy removed, Calc1 virus.

There is no safe site that tells me what the 'calc1 virus' is.

calc.exe can be an entry from the ZeroAccess Rootkit. It can also be the process that runs the Microsoft Calculator which is included with the operating system.

What I want to know about your system:

1. The system shows Install Date: 1/5/2012. Was that a new install of Windows XP or was it a reformat/reinstall of the OS?
2. Why aren't there any security updates on the system?
3. What happened to make you think you had a virus named calc1?
4. What did you do to try and remove it?
5. This file is loading: C:\Documents and Settings\Eric\My Documents\Downloads\bwh18b4d.exe. What is it?
6. There are 2 Restore Points for AVG 2012 on 6/2/2012. Did you have antivirus protection before that?
=====================================================
The attempt to remove AVG before running Combofix failed. Please run the App Remover again. After AVG has been removed, repeat the Combofix scan.
====================================================
Uninstall the pirated Malwarebytes you have now. Then use Windows Explorer to access Computer> Local Drive> Programs> find the program folder for Mbam and remove it with a right click> Delete.

Reboot the computer
===================================================

DO NOT use a torrent site to download the following!
  • Please download Malwarebytes' Anti-Malware from HERE
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    [o] Update Malwarebytes' Anti-Malware
    [o] and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please attach this log with your reply.
    Note: on opening Notepad, click on Format> make sure Word Wrap is unchecked.
    [o] If you accidentally close it, the log file is saved here and will be named like this:
    [o] C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
========================

The OS has not been activated:
Windows License Type: OEM System Builder
A. All customers who acquire retail packaged products or OEM System Builder products are required to activate the software. The software on a new PC from a system builder may be activated by the system builder. Product activation will not be required for licenses acquired by a customer through a Microsoft Volume Licensing program, such as Open License or Select License. Under these Volume Licensing programs, customers will be given a Volume License Key that will bypass activation.

http://www.microsoft.com/oem/en/licensing/sblicensing/pages/licensing_faq.aspx#faq5
 
1. The system shows Install Date: 1/5/2012. Was that a new install of Windows XP or was it a reformat/reinstall of the OS?
2. Why aren't there any security updates on the system?
3. What happened to make you think you had a virus named calc1?
4. What did you do to try and remove it?
5. This file is loading: C:\Documents and Settings\Eric\My Documents\Downloads\bwh18b4d.exe. What is it?
6. There are 2 Restore Points for AVG 2012 on 6/2/2012. Did you have antivirus protection before that?

1. It was a reformat.
2. Never got around to it, will do so immediately.
3. Was looking at the askjolene search engine, went to a page, the MB pirated version showed it in the logs, no longer have it... now when I scan my system everything seems normal.
4. Remove what, the virus? Ran MB twice, AVG twice, ESET twice on BOTH partitions, system clean.
5. That file is GMER, which I downloaded from this site.
6. No, and I was not connected to the internet before that.

Will post MB/ComboFix in next reply, and also... I'm 100% positive that I activated my OEM key, I did so over the phone when my computer didn't have internet.

App Remover does not detect AVG, nor does Default Programs, yet when I run ComboFix it says AVG is active and running?

Not sure what to do at this point. MB scanning both partitions, 280k files, clean.



MALWAREBYTES LOG

Malwarebytes Anti-Malware (PRO) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.05.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Eric :: DURANDAL [administrator]

Protection: Disabled

6/5/2012 12:58:55 PM
mbam-log-2012-06-05 (12-58-55).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 447343
Time elapsed: 1 hour(s), 36 minute(s), 22 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 
Get your system up to speed. Remove any pirated software. Get a firewall and at least 2 antimalware programs on the system. Activate the system properly. Put whatever updates are still available for Win XP.

At this time, I do not see any indication of what you're referring to as malware.
=================================================
Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
-----
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
------------------------------------------
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disc Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

Empty the Recycle Bin
====================================================
You may find the following helpful: (Links are Bold Blue)
Tips for added security and safer browsing:
  1. Browser Security
    [o] Make Internet Explorer safer
    [o] Use WOT Site Advisor.
    Have layered Security:
  2. Antivirus Software (only one):
    [o] Microsoft Security Essentials
    [o] Comodo AV
    [o] Avast! Free Antivirus
    =============================
  3. Firewall (only one)
    [o] Zone Alarm Free
    [o] Comodo Firewall Free
  4. Antispyware/Security: I recommend all of the following:
    [o] Spywareblaster: Protects against bad ActiveX.
    [o] IE/Spyad: Restricts bad domains.
    [o] MVPS Hosts files: Directs HOSTS file to 127.0.0.1 which is your local computer.
    [o] Google Toolbar Popup Stopper
  5. Stay current on updates:
    [o] Windows Updates. You should get All updates marked Critical and the current SP updates.
    [o] Adobe Reader. Uninstall old.
    [o] Java. Uninstall old.
  6. Reset Cookies to prevent Tracking Cookies:
    [o] For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
    [o] For Firefox: Tools> Options> Privacy> Cookies> check 'accept Cookies from Sites'> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
    I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List
    [o] For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
    (First-party and third-party cookies can be set by the website you're visiting and websites that have items embedded in the website you're visiting. But when you next visit the website, only first-party cookie information is sent to the website. Third-party cookie information isn't sent back to the websites that originally set the third-party cookies.)
  7. Do regular Maintenance
    [o] To include Disc Cleanup, Defrag, Error Check.
  8. Remove Temporary Internet Files regularly:
    [o] TFC
  9. System Restore Guide: Understand Restore Points> why you need to clean and set restore points and what information is in them.
  10. Practice Safe Email Handling
    [o] Don't open email from anyone you don't know.
    [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click.
    [o] Don't leave your personal email address on the internet/ Have a separate email account on free web-based mail.

Please let me know if you find any bad links.
 
Thanks for the help man, you can mark this as solved :D

Did everything on your list and I will practice safe file/email handling and regular updates.
 