Tech Support Guy forum, Virus & Other Malware Removal
Solved: Internet Explorer running in background


mr_mr_r (Junior Member, thread starter; joined Nov 2011; experience: Intermediate), 09-Nov-2011, 08:08 AM, post #1
Internet Explorer running in background
Hi,

Internet Explorer keeps running in the background. I end the process in Task Manager and within minutes it reopens again. The longer I leave it, the more memory it seems to use.

I have run AVG, Spybot and Malwarebytes, all of which came up with nothing.

I recently had a problem with a Google redirect virus, which I think I have fixed, but it may be related.

If you need any more information just let me know and I should be able to swiftly get it for you.

Thanks in advance,

Matt

Tech Support Guy System Info Utility version 1.0.0.2
OS Version: Microsoft Windows XP Professional, Service Pack 3, 32 bit
Processor: AMD Athlon(tm) 64 Processor 3000+, x86 Family 15 Model 47 Stepping 2
Processor Count: 1
RAM: 2046 Mb
Graphics Card: NVIDIA GeForce 6600, 512 Mb
Hard Drives: C: Total - 152625 MB, Free - 80532 MB;
Motherboard: http://www.abit.com.tw/, KN8 Series(NF-CK804)
Antivirus: AVG Anti-Virus Free Edition 2012, Updated: Yes, On-Demand Scanner: Enabled

oldman960 (Malware Removal Specialist, authorized to help remove malware; joined Apr 2010), 09-Nov-2011, 12:56 PM, post #2
Hi mr_mr_r, welcome to the forum.


To make cleaning this machine easier
  • Please do not uninstall/install any programs unless asked to
    It is more difficult when files/programs are appearing in/disappearing from the logs.
  • Please do not run any scans other than those requested
  • Please follow all instructions in the order posted
  • All logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, and uncheck Word Wrap if it is checked.
  • Do not attach any logs/reports, etc. unless specifically requested to do so.
  • If you have problems with or do not understand the instructions, please ask before continuing.
  • Please stay with this thread until given the All Clear. An absence of symptoms does not mean a clean machine.
Let's see if you can get these to run.


Download OTL to your desktop.
  • Double click on OTL.exe to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output
  • Check the boxes beside LOP Check and Purity Check.
  • In the window under Custom Scans/Fixes copy and paste the following

    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %PROGRAMFILES%\Internet Explorer\*.dat
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    %USERPROFILE%\..|smtmp;true;true;true /FP
    %temp%\smtmp\*.* /s >
    /md5start
    iexplore.*
    explorer.*
    winlogon.*
    dll
    zx.dll
    hlp.dat
    /md5stop

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.


Next

Download aswMBR.exe to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start the scan


On completion of the scan click save log, save it to your desktop and post in your next reply


There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.


Please post back with
  • both OTL logs
  • aswMBR.log
Thanks

mr_mr_r (thread starter), 10-Nov-2011, 05:43 AM, post #3
I have run OTL.exe please find attached results.

However when I try and run aswMBR.exe nothing happens, any idea why this might be?

Let me know if you need any more information.

Thanks in advance

Matt

oldman960 (Malware Removal Specialist), 10-Nov-2011, 01:20 PM, post #4
Hi mr_mr_r,

Please copy and paste your logs into your replies unless specifically requested to attach them. It's much easier to work with them when they are posted.

Do you have a blank CD and a usb device such as a flashdrive?

I see you have used TDSSKiller, please post the log. It can be found at C:\TDSSKiller.[Version]_[Date]_[Time]_log.txt

It may be malware or your security programs may be interfering with aswMBR. Delete the copy you have and disable AVG, Spybot's Teatimer and Windows Defender.

Download a new copy and try it again. Run this fix first.



Next, Double click on OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
  • Do Not copy the word CODE
  • please note the fix starts with the :
Code:
:Services
 
:Files
C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjk
C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjkr
C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk
ipconfig /flushdns /c
 
:Commands
[purity]
[emptytemp]
[createrestorepoint]
Then click the Run Fix button at the top
  • Let the program run unhindered
  • Please save the resulting log to be posted in your next reply.
Please post the OTL log and a new HJT fix log.


Please post back with
  • TDSSKiller log
  • OTL log
  • aswMBR log if you were able to get it to run.
Thanks

mr_mr_r (thread starter), 11-Nov-2011, 05:43 AM, post #5
Hi,

Firstly apologies for not posting the previous results properly, and yes I do have blank CDs and a flashdrive.

You are right in that I did download TDSSKiller, however much like aswMBR I was unable to get it to run. I have disabled AVG, Windows Defender and Spybot but still nothing happens when I run both .exe files.

When I ran OTL with your below code it crashed the system; however, upon restart OTL opened up with the below code in a Notepad window. I assume this is what you are after:

All processes killed
========== SERVICES/DRIVERS ==========
========== FILES ==========
File\Folder C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjk not found.
File\Folder C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjkr not found.
File\Folder C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk not found.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Matt\Desktop\Viral\cmd.bat deleted successfully.
C:\Documents and Settings\Matt\Desktop\Viral\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

User: All Users

User: Default User
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41620 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 4327060 bytes
->FireFox cache emptied: 3424148 bytes

User: Matt
->Temp folder emptied: 2551421 bytes
->Temporary Internet Files folder emptied: 6100090 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 41193425 bytes
->Google Chrome cache emptied: 10069688 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 832 bytes

User: NetworkService
->Temp folder emptied: 825116 bytes
->Temporary Internet Files folder emptied: 79078690 bytes

User: user
->Temp folder emptied: 920639749 bytes
->Temporary Internet Files folder emptied: 444396716 bytes
->Java cache emptied: 17552591 bytes
->FireFox cache emptied: 19178936 bytes
->Apple Safari cache emptied: 1019904 bytes
->Flash cache emptied: 23758 bytes

%systemdrive% .tmp files removed: 356994 bytes
%systemroot% .tmp files removed: 5235263 bytes
%systemroot%\System32 .tmp files removed: 871953 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 797 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 42613013 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 2210304 bytes

Total Files Cleaned = 1,528.00 mb

Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.31.0 log created on 11112011_093429

Files\Folders moved on Reboot...
C:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.

Registry entries deleted on Reboot...

oldman960 (Malware Removal Specialist), 11-Nov-2011, 07:11 PM, post #6
Hi mr_mr_r,

No problem.

Ok we'll use a CD that we will make bootable. We also need a USB flashdrive that has some space on it. We will not be changing any of the data on the usb device just using it for a file.

You will also need to use FireFox to download a file as Internet Explorer seems to mangle the download.

If you have any problems with these steps please let me know. These may look complicated but it's fairly straightforward and for the most part automated.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe by double clicking it.
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and when finished, it will open BurnCDCC which will be ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD

Using FireFox, please download and save dumpit to your usb device.

You may want to print out this part as you will not be able to view these instructions.
  • Leave the usb device attached to the computer
  • Boot the infected computer with the CD you just burned
    • with the CD in the computer, restart the computer
    • The computer must be set to boot from the CD; depending on your computer you can either do this by pressing F12 and selecting the CD as the first boot option, or it can be set in the BIOS
  • Once you have the computer set to boot from the CD allow it to boot
  • A Welcome to xPUD screen will appear
  • Click on File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
    (you will be able to tell if it is the right one as the screen will populate with your files)
  • Locate the file you downloaded and saved earlier, dumpit
  • double click it to run it
  • a black window will open, follow the instructions to close the window when it's finished
  • a file called MBR.zip should now be placed in the right hand panel
  • Click the Home icon at top
  • Remove the CD and click Power off
  • Click restart

Once the computer has rebooted open the usb device and attach the MBR.zip file to your next reply.

Thanks
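The MBR.zip produced by dumpit (and the MBR.dat that aswMBR saves) is a raw copy of the disk's first sector: 440 bytes of boot code, the Windows disk signature, four 16-byte partition entries and the 0x55AA boot signature. The Python script below is an added illustration, not code from the thread or from aswMBR, dumpit or xPUD: it parses such a 512-byte image, checks the signature and partition table for inconsistencies, and compares the boot code against a reference copy (for instance one saved before the infection, or taken from a known-clean machine running the same Windows version). Every input is constructed inline: the boot-code bytes are placeholders rather than real boot code, the partition layout is modelled on the 152 GB disk in this thread, and the "tampered" copy is the same image with four bytes changed.

```python
"""Added example (not from the thread or from aswMBR/dumpit/xPUD): parse a
512-byte MBR image, sanity-check it, and diff its boot code against a
reference copy. All sample data below is constructed."""
import hashlib
import struct

SECTOR_SIZE = 512
CODE_LEN = 440            # bytes 0..439 hold the boot code
DISK_SIG_OFF = 440        # 4-byte Windows disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446      # four 16-byte partition entries
BOOT_SIG_OFF = 510        # 0x55 0xAA
PART_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count


def parse_partition_entry(entry: bytes) -> dict:
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(PART_FMT, entry)
    return {"status": status, "bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(image: bytes) -> dict:
    if len(image) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(image)}")
    parts = [parse_partition_entry(image[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)])
             for i in range(4)]
    return {
        "boot_signature_ok": image[BOOT_SIG_OFF:] == b"\x55\xaa",
        "disk_signature": struct.unpack_from("<I", image, DISK_SIG_OFF)[0],
        # hash only the code bytes, so the per-machine disk signature does not change it
        "boot_code_sha256": hashlib.sha256(image[:CODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def check_mbr(image: bytes, reference: bytes) -> list:
    """Return a list of findings; an empty list means nothing looked off."""
    info, ref = parse_mbr(image), parse_mbr(reference)
    findings = []
    if not info["boot_signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != ref["boot_code_sha256"]:
        findings.append("boot code differs from reference")
    if sum(p["bootable"] for p in info["partitions"]) > 1:
        findings.append("more than one partition marked active")
    if any(p["status"] not in (0x00, 0x80) for p in info["partitions"]):
        findings.append("partition entry with invalid status byte")
    used = sorted((p["lba_start"], p["lba_start"] + p["sectors"])
                  for p in info["partitions"] if p["sectors"])
    if any(nxt[0] < cur[1] for cur, nxt in zip(used, used[1:])):
        findings.append("partition entries overlap")
    return findings


def build_sample_mbr(boot_code: bytes, disk_sig: int, partitions) -> bytes:
    """Assemble a constructed MBR image for testing (not a real boot sector)."""
    img = bytearray(SECTOR_SIZE)
    img[:len(boot_code)] = boot_code
    struct.pack_into("<I", img, DISK_SIG_OFF, disk_sig)
    for i, (bootable, ptype, lba_start, sectors) in enumerate(partitions):
        struct.pack_into(PART_FMT, img, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0",
                         lba_start, sectors)
    img[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(img)


# Constructed reference: placeholder code bytes and one NTFS partition laid out
# like the XP disk in the thread (LBA 63, ending at sector 312576705).
PLACEHOLDER_CODE = b"\xeb\x3c\x90" + b"CONSTRUCTED BOOT CODE PLACEHOLDER".ljust(CODE_LEN - 3, b"\x00")
REFERENCE_MBR = build_sample_mbr(PLACEHOLDER_CODE, 0x1234ABCD, [(True, 0x07, 63, 312576642)])

# Same disk with a few code bytes changed, which is what a patched MBR looks like
# to this check: same partition table, different boot-code hash.
TAMPERED_MBR = bytearray(REFERENCE_MBR)
TAMPERED_MBR[0x10:0x14] = b"\xde\xad\xbe\xef"
TAMPERED_MBR = bytes(TAMPERED_MBR)

if __name__ == "__main__":
    for name, img in (("reference", REFERENCE_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(img, REFERENCE_MBR) or "no findings")
```

To run it against a real dump, read the first 512 bytes of MBR.dat and pass them as `image`, with a trusted copy as `reference`; the partition-table checks work without a reference, but the boot-code comparison is only as good as the reference you supply, which is why the thread's helper asks for the dump rather than trusting the infected machine's own verdict.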

mr_mr_r (thread starter), 14-Nov-2011, 07:56 AM, post #7
Attached is the mbr.zip

Matt

oldman960 (Malware Removal Specialist), 14-Nov-2011, 12:55 PM, post #8
Hi mr_mr_r,

Do you have a retail copy of XP? We need to use a utility that is on the disk. If you don't have a disk let me know, I'll give you instructions to create the utility we need on a disk.

Thanks

mr_mr_r (thread starter), 15-Nov-2011, 05:41 AM, post #9
I've had a look but can't seem to find a windows XP disk, I think it came preinstalled.

Could you tell me the instructions to create the utility.

Thanks in advance,

Matt

oldman960 (Malware Removal Specialist), 15-Nov-2011, 12:14 PM, post #10
Hi mr_mr_r

Please read the instructions and ask any questions if they are not clear.

To make the disk:

Burn recovery console cd
  1. Download recovery_console_cd.zip file to your drive and extract it to its own folder (c:\recoverycd for example).
  2. Download floppy disk setup package xp pro for your operating system (XP pro) and save it to the folder you extracted the zip to.
  3. Rename the floppy disk setup package to Bootdisk.exe.
  4. Insert a blank cd into your burner.
  5. Double-click the RecoveryCD.bat file and follow the prompts to burn a cd that will allow you to boot to the recovery console.
To use the disk:


Once the CD is made use it to boot the computer.
  • Make sure the computer is set to boot from the CD (you may have that option with the F12 key or will need to set it in the BIOS)
  • Insert the CD you made into the computer
  • Reboot the computer
1. Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
2. When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
3. You should now see a list of installations and the prompt "Which Windows Installation would you like to log on to?"
Select the appropriate number for the Windows installation that you want to repair. If you only have one, press 1.
4. When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.

You should now have a C:\windows> prompt

type the following command and hit enter

FIXMBR

5. Answer Y when it asks you if you want to write a new MBR
6. Type EXIT and hit enter to reboot your machine

Your computer will now boot to windows. Once it has please try running aswMBR again and post the log.

mr_mr_r (thread starter), 16-Nov-2011, 09:10 AM, post #11
Thanks for the detailed instructions, all as you said, find aswMBR log below:


aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-11-16 13:05:38
-----------------------------
13:05:38.781 OS Version: Windows 5.1.2600 Service Pack 3
13:05:38.781 Number of processors: 1 586 0x2F02
13:05:38.781 ComputerName: MIKEPC UserName: Matt
13:05:43.093 Initialize success
13:07:25.109 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000007e
13:07:25.109 Disk 0 Vendor: MAXTOR_STM3160215A 3.AAD Size: 152627MB BusType: 3
13:07:25.125 Disk 0 MBR read successfully
13:07:25.125 Disk 0 MBR scan
13:07:25.125 Disk 0 Windows XP default MBR code
13:07:25.125 Disk 0 scanning sectors +312576705
13:07:25.203 Disk 0 scanning C:\windows\system32\drivers
13:07:35.000 Service scanning
13:07:36.406 Modules scanning
13:07:51.546 Disk 0 trace - called modules:
13:07:51.562 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys
13:07:51.562 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a931ab8]
13:07:51.562 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000080[0x8a91baf8]
13:07:51.562 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\0000007e[0x8a9b3030]
13:07:52.062 Scan finished successfully
13:08:18.062 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Matt\Desktop\Viral\MBR.dat"
13:08:18.062 The log file has been saved successfully to "C:\Documents and Settings\Matt\Desktop\Viral\aswMBR.txt"
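A helper reads a log like this for two things: the verdict line under "MBR scan" (here "Windows XP default MBR code", which is what you want to see after FIXMBR), and the "trace - called modules" line, which lists the drivers in the path of a disk read; a module there that does not belong to the kernel, the disk class stack or the machine's storage driver is how a rootkit hooking the disk stack tends to show up. The script below is an added example, not aswMBR's own code and not from the thread: it parses the timestamped lines into a small record and returns findings. The two sample logs are constructed to resemble the one posted above; the wording used for a non-default verdict in the second sample and the set of expected modules are assumptions, so the verdict check is written as "anything other than a default-code line".

```python
"""Added example (not aswMBR's code or from the thread): triage an aswMBR-style
log. Sample logs below are constructed; the exact text aswMBR prints for a
tampered MBR is an assumption, hence the 'not the default' test."""
import re

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3}) (.*)$")

# Modules normally present in the disk I/O trace of a 32-bit XP machine.
# The storage driver depends on the chipset (nvata.sys on the nForce board in
# this thread); extend this set for the hardware you are looking at.
EXPECTED_TRACE_MODULES = {
    "ntkrnlpa.exe", "ntoskrnl.exe", "CLASSPNP.SYS", "disk.sys", "ACPI.sys",
    "hal.dll", "nvata.sys", "atapi.sys",
}


def parse_aswmbr_log(text: str) -> dict:
    """Pull the fields worth triaging out of the timestamped log lines."""
    info = {"os": None, "mbr_verdict": None, "trace_modules": [], "finished": False}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = LINE_RE.match(line)
        if not m:
            continue                      # banner and separator lines carry no timestamp
        msg = m.group(2)
        if msg.startswith("OS Version:"):
            info["os"] = msg.split(":", 1)[1].strip()
        elif msg.startswith("Disk 0 ") and "MBR code" in msg:
            info["mbr_verdict"] = msg[len("Disk 0 "):]
        elif msg.endswith("trace - called modules:") and i + 1 < len(lines):
            nxt = LINE_RE.match(lines[i + 1])   # module list is on the following line
            if nxt:
                info["trace_modules"] = nxt.group(2).split()
        elif msg == "Scan finished successfully":
            info["finished"] = True
    return info


def triage_aswmbr_log(text: str) -> list:
    """Return a list of findings; an empty list means the log reads as a clean run."""
    info = parse_aswmbr_log(text)
    findings = []
    if not info["finished"]:
        findings.append("scan did not report finishing")
    if info["mbr_verdict"] is None:
        findings.append("no MBR code verdict found")
    elif not info["mbr_verdict"].endswith("default MBR code"):
        findings.append("MBR code is not the default: " + info["mbr_verdict"])
    for mod in info["trace_modules"]:
        if mod not in EXPECTED_TRACE_MODULES:
            findings.append("unexpected module in disk I/O trace: " + mod)
    return findings


# Constructed sample, shaped like the clean log posted in the thread.
CLEAN_LOG = """\
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-11-16 13:05:38
-----------------------------
13:05:38.781 OS Version: Windows 5.1.2600 Service Pack 3
13:05:43.093 Initialize success
13:07:25.125 Disk 0 MBR read successfully
13:07:25.125 Disk 0 MBR scan
13:07:25.125 Disk 0 Windows XP default MBR code
13:07:51.546 Disk 0 trace - called modules:
13:07:51.562 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys
13:07:52.062 Scan finished successfully
"""

# Constructed "bad" run: a non-default verdict (wording assumed) and one module
# in the trace that is not on the expected list (placeholder name).
SUSPECT_LOG = CLEAN_LOG.replace(
    "Disk 0 Windows XP default MBR code", "Disk 0 MBR code has been modified"
).replace(
    "hal.dll nvata.sys", "hal.dll nvata.sys unknown_hook.sys"
)

if __name__ == "__main__":
    for name, log in (("clean", CLEAN_LOG), ("suspect", SUSPECT_LOG)):
        print(name, triage_aswmbr_log(log) or "no findings")
```

The allowlist approach is deliberate: a trace that is one module longer than expected is worth a question even when the MBR verdict is fine, and an empty finding list only means the log matches what a clean run on this hardware should look like.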

oldman960 (Malware Removal Specialist), 16-Nov-2011, 12:16 PM, post #12
Hi mr_mr_r,

How's the computer? What issues are you having?

mr_mr_r (thread starter), 16-Nov-2011, 12:25 PM, post #13
Everything seems to be running fine, I haven't noticed Internet Explorer running in the background for a while and it appears as though my Google redirect virus seems to have gone for good.

Has it all been cleansed away then?

Matt

oldman960 (Malware Removal Specialist), 16-Nov-2011, 06:53 PM, post #14
Hi mr_mr_r,

Sometimes these infections bring friends to the party.

Please read through the instructions to familiarize yourself with what to expect when the tool runs.

Please download ComboFix from Link 1 or Link 2 to C:\.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to C:\**

  • If you are using Firefox, make sure that your download settings are as follows:
    -Tools->Options->Main tab

    -Set to "Always ask me where to Save the files".
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix
-----------------------------------------------------------
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Notes:
1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Please post back with
  • combofix log
How is the computer?
Thanks

mr_mr_r (thread starter), 17-Nov-2011, 05:46 AM, post #15
Please find below the log.txt

I think there may have been a slight issue when running it, after pressing yes to the Microsoft Windows Recovery Console, a pop up box came up saying something about unable to complete, I did screenshot it but it didn't work. I closed this window then the scan ran as usual, don't know if this is anything major.

Matt


ComboFix 11-11-17.01 - Matt 17/11/2011 9:32.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2046.1544 [GMT 0:00]
Running from: C:\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Matt\Application Data\PriceGong
c:\documents and settings\Matt\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Matt\Application Data\PriceGong\Data\z.xml
c:\documents and settings\Matt\My Documents\~WRL0754.tmp
c:\documents and settings\Matt\My Documents\~WRL1515.tmp
c:\documents and settings\Matt\My Documents\~WRL2140.tmp
c:\documents and settings\Matt\My Documents\~WRL3208.tmp
c:\documents and settings\Matt\WINDOWS
c:\documents and settings\user\WINDOWS
c:\program files\Common Files\Uninstall
c:\program files\popcorn Terms.html
c:\windows\bwUnin-7.2.0.137-8876480SL.exe
c:\windows\bwUnin-7.2.0.157-8876480SL.exe
c:\windows\bwUnin-8.1.1.50-8876480SL.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-10-17 to 2011-11-17 )))))))))))))))))))))))))))))))
.
.
2011-11-11 09:30 . 2011-11-11 09:30 -------- d-----w- C:\_OTL
2011-11-09 11:05 . 2011-11-09 11:05 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-10 14:22 . 2005-10-07 13:12 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-07 06:23 . 2011-07-11 00:13 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-10-04 06:21 . 2011-07-11 00:14 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
2011-10-03 04:06 . 2011-01-05 13:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 01:37 . 2007-09-28 06:46 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-28 07:06 . 2006-02-28 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 10:41 . 2011-09-26 10:41 611328 ------w- c:\windows\system32\uiautomationcore.dll
2011-09-26 10:41 . 2006-02-28 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 10:41 . 2006-02-28 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-23 10:31 . 2011-07-25 14:25 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-13 05:30 . 2011-07-11 00:13 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-09-06 13:20 . 2006-02-28 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 16:00 . 2009-09-11 09:06 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-26 13:43 . 2011-08-26 13:43 204800 ----a-w- c:\documents and settings\Matt\Application DatazERBbpajkL.exe
2011-08-22 23:48 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-11-10 13:45 . 2011-09-22 09:58 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\VirtualExpanderFile.1]
@="{E4000AC4-5E5F-4956-807A-C5854405D64F}"
[HKEY_CLASSES_ROOT\CLSID\{E4000AC4-5E5F-4956-807A-C5854405D64F}]
2006-12-19 19:46 73728 ----a-w- c:\windows\system32\VirtualExpander\VEShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2011-08-25 2622784]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-24 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo RX520 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAGE.EXE" [2005-04-07 98304]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 1047208]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-10-24 2415456]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Matt^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
path=c:\documents and settings\Matt\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
backup=c:\windows\pss\OpenOffice.org 3.2.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-05-30 11:30 292136 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Default Manager]
2009-07-17 11:12 288080 ----a-w- c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSN Toolbar]
2009-12-08 21:29 240992 ----a-w- c:\program files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-02-06 17:51 3885408 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 09:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-06-28 23:43 8466432 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-06-28 23:43 81920 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2007-06-28 23:43 1626112 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 16:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-31 18:42 32768 -c--a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung PanelMgr]
2007-10-23 04:11 524288 ----a-w- c:\windows\Samsung\PanelMgr\SSMMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2005-05-17 10:48 77824 ----a-r- c:\windows\SOUNDMAN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-06-24 09:44 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualCloneDrive]
2011-03-07 13:33 89456 ----a-w- c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2006-11-03 18:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"WinDefend"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\ABIT\\FlashMenu\\FlashMenu.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23115:TCP"= 23115:TCP:BitComet 23115 TCP
"23115:UDP"= 23115:UDP:BitComet 23115 UDP
"5353:TCP"= 5353:TCP:Adobe CSI CS4
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [11/07/2011 00:14 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [11/07/2011 00:13 32592]
R0 nvcchflt;NVIDIA Disk Cache Filter Driver;c:\windows\system32\drivers\nvcchflt.sys [26/07/2006 10:41 16640]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [11/07/2011 00:13 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [11/07/2011 00:14 295248]
R2 ASTRA32;ASTRA32 Kernel Driver 5.2.1.0;c:\program files\ASTRA32\astra32.sys [23/11/2004 19:45 23488]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [02/08/2011 05:09 192776]
R2 NkPtpEnumP2;NkPtpEnumP2;c:\program files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe [17/06/2005 10:11 24064]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [14/11/2008 01:11 17184]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [11/07/2011 00:14 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [11/07/2011 00:14 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [11/07/2011 00:14 16720]
R3 VBus;Virtual Bus;c:\windows\system32\drivers\NkVBus.sys [17/06/2005 10:11 17664]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [12/10/2011 06:25 4433248]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [24/05/2010 11:39 136176]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [21/04/2007 14:44 17149]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [24/05/2010 11:39 136176]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\DRIVERS\WPN111.sys --> c:\windows\system32\DRIVERS\WPN111.sys [?]
S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 18:19 13592]
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-06-28 08:09]
.
2011-10-21 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
2011-11-17 c:\windows\Tasks\User_Feed_Synchronization-{A1125C4A-B044-4DD6-BC32-C7A380345BF3}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
.
2011-11-17 c:\windows\Tasks\User_Feed_Synchronization-{C7A3B0EC-B3CE-4CFC-A7F8-2BA1F8509EC0}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{0CE516B5-2538-4006-8136-CB763F6FFBD2}: NameServer = 4.2.2.2,4.2.2.3
TCP: Interfaces\{C6D48E6C-2D08-4A27-83F0-6E03512E3D68}: NameServer = 4.2.2.2,4.2.2.3
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\gp6f2lex.default\
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKU-Default-Run-msnmsgr - c:\program files\MSN Messenger\msnmsgr.exe
HKU-Default-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
MSConfigStartUp-eBayToolbar - c:\program files\eBay\eBay Toolbar2\eBayTBDaemon.exe
MSConfigStartUp-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
MSConfigStartUp-MyWebSearch Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL
MSConfigStartUp-Sony Ericsson PC Suite - c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.5.0_06\bin\jusched.exe
MSConfigStartUp-WinampAgent - c:\program files\Winamp\winampa.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-17 09:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0c,7b,dd,ef,41,8e,c9,44,bc,4c,3f, \
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0c,7b,dd,ef,41,8e,c9,44,bc,4c,3f, \
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DirectPlay\Applications]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DirectPlay8\Applications]
@DACL=(02 0000)
.
Completion time: 2011-11-17 09:42:13
ComboFix-quarantined-files.txt 2011-11-17 09:41
.
Pre-Run: 85,272,264,704 bytes free
Post-Run: 85,261,611,008 bytes free
.
- - End Of File - - CFF3920550AD5AF977A0E61F7C76AE22
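The driver/service lines (R0 to S4) and the GloballyOpenPorts block in the log above follow a fixed ComboFix line format, and two things in them are what a responder checks first: registered drivers whose image ComboFix reports as not found on disk (the `image --> path [?]` form, here SSPORT and WPN111) and the firewall port exceptions that were opened. The script below is an added example, not part of the original post and not ComboFix's own code. It parses those two line formats from a constructed sample modelled on the log (not the full log) and produces a short triage summary. The regexes, class names and function names are this example's own; the reading of `[?]` as "file not located" is the conventional one for these logs.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in ComboFix's own line formats (a few lines modelled on the
# log above, not the full log): a firewall GloballyOpenPorts block followed by
# driver/service lines.
SAMPLE_LOG = """\
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\GloballyOpenPorts\\List]
"23115:TCP"= 23115:TCP:BitComet 23115 TCP
"23115:UDP"= 23115:UDP:BitComet 23115 UDP
"5353:TCP"= 5353:TCP:Adobe CSI CS4
.
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\\windows\\system32\\drivers\\avgrkx86.sys [11/07/2011 00:13 32592]
R2 ASTRA32;ASTRA32 Kernel Driver 5.2.1.0;c:\\program files\\ASTRA32\\astra32.sys [23/11/2004 19:45 23488]
S2 SSPORT;SSPORT;\\??\\c:\\windows\\system32\\Drivers\\SSPORT.sys --> c:\\windows\\system32\\Drivers\\SSPORT.sys [?]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\\windows\\system32\\DRIVERS\\WPN111.sys --> c:\\windows\\system32\\DRIVERS\\WPN111.sys [?]
S4 WinDefend;Windows Defender;c:\\program files\\Windows Defender\\MsMpEng.exe [03/11/2006 18:19 13592]
"""

# Service Control Manager start types, encoded by ComboFix as the digit after
# R (running) / S (stopped).
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}

SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$"
)
# "path [dd/mm/yyyy hh:mm size]": file located, with timestamp and byte size
FILE_FOUND_RE = re.compile(r"^(?P<path>.+?) \[(?P<stamp>\d{2}/\d{2}/\d{4} \d{2}:\d{2}) (?P<size>\d+)\]$")
# "image --> path [?]": the registered image could not be found on disk
FILE_MISSING_RE = re.compile(r"^(?P<image>.+?) --> (?P<path>.+?) \[\?\]$")
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<desc>.*)$')


@dataclass
class ServiceEntry:
    name: str
    display: str
    running: bool
    start_type: str
    path: str
    size: int          # 0 when the file was not located
    file_found: bool


@dataclass
class OpenPort:
    port: int
    proto: str
    description: str


def parse_services(text: str) -> List[ServiceEntry]:
    """Extract the R*/S* driver and service lines from a ComboFix log."""
    entries = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        missing = FILE_MISSING_RE.match(rest)
        found = None if missing else FILE_FOUND_RE.match(rest)
        if missing:
            path, size, ok = missing.group("path"), 0, False
        elif found:
            path, size, ok = found.group("path"), int(found.group("size")), True
        else:
            path, size, ok = rest, 0, False   # unrecognised tail: treat as unverified
        entries.append(ServiceEntry(
            name=m.group("name"), display=m.group("display"),
            running=m.group("state") == "R", start_type=START_TYPES[m.group("start")],
            path=path, size=size, file_found=ok,
        ))
    return entries


def parse_open_ports(text: str) -> List[OpenPort]:
    """Extract firewall GloballyOpenPorts exceptions (port, protocol, description)."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append(OpenPort(int(m.group("port")), m.group("proto"), m.group("desc").strip()))
    return ports


def missing_file_services(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Registered drivers/services whose image is gone: leftovers of an uninstall
    or a cleanup, and a load failure at boot when the start type is boot/system/auto."""
    return [e for e in entries if not e.file_found]


def triage(text: str) -> Dict[str, List[str]]:
    """One-shot summary a responder can paste into a reply."""
    entries = parse_services(text)
    return {
        "missing_images": [f"{e.name} ({e.start_type}, {'running' if e.running else 'stopped'}): {e.path}"
                           for e in missing_file_services(entries)],
        "open_ports": [f"{p.port}/{p.proto}: {p.description}" for p in parse_open_ports(text)],
    }


if __name__ == "__main__":
    for section, rows in triage(SAMPLE_LOG).items():
        print(section)
        for row in rows:
            print("  " + row)
```

Running it on the full log rather than the sample is a matter of reading the file into `triage()`; the regexes only look at line shape, so extra sections (startup entries, scheduled tasks, locked keys) are skipped untouched. A start type of auto with a missing image, as with SSPORT here, is worth a question to the poster about what installed it, since the Service Control Manager will keep trying to load it at every boot.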
Tags
internet explorer problem, running in background, virus