# I can't shake this virus



## MrDiehl332005

OK, so I had a bad virus a little while back and finally got rid of it. The computer seems to be working OK now, except when I'm on IE8 the page will close without me doing it and then starts playing music. I run the virus scanner and this is what it gives me:

"";"C:\Documents and Settings\user\Cookies\Y8DL38ZC.txt:\pro-market.net.bbf67f2d";"Found Tracking cookie.Pro-market";"Moved to Virus Vault"
"";"C:\Documents and Settings\user\Cookies\Y8DL38ZC.txt";"Found Tracking cookie.Pro-market";"Healed"
"";"C:\Documents and Settings\user\Cookies\Y33JCWOM.txt:\pointroll.com.f2d5a6f6";"Found Tracking cookie.Pointroll";"Moved to Virus Vault"
"";"C:\Documents and Settings\user\Cookies\Y33JCWOM.txt:\pointroll.com.72c0abc9";"Found Tracking cookie.Pointroll";"Moved to Virus Vault"
"";"C:\Documents and Settings\user\Cookies\Y33JCWOM.txt";"Found Tracking cookie.Pointroll";"Healed"
"";"C:\Documents and Settings\user\Cookies\T5HGSH1G.txt:\casalemedia.com.987e6b46";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
"";"C:\Documents and Settings\user\Cookies\T5HGSH1G.txt:\casalemedia.com.80ad4799";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
"";"C:\Documents and Settings\user\Cookies\T5HGSH1G.txt:\casalemedia.com.350339d4";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
"";"C:\Documents and Settings\user\Cookies\T5HGSH1G.txt:\casalemedia.com.2d37ad26";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
"";"C:\Documents and Settings\user\Cookies\T5HGSH1G.txt:\casalemedia.com.1e1e0e23";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
"";"C:\Documents and Settings\user\Cookies\T5HGSH1G.txt:\casalemedia.com.1773afc";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
"";"C:\Documents and Settings\user\Cookies\T5HGSH1G.txt";"Found Tracking cookie.Casalemedia";"Healed"
"";"C:\Documents and Settings\user\Cookies\T23EFTUB.txt:\mediaplex.com.f652b123";"Found Tracking cookie.Mediaplex";"Moved to Virus Vault"
"";"C:\Documents and Settings\user\Cookies\T23EFTUB.txt:\mediaplex.com.dc30fb3c";"Found Tracking cookie.Mediaplex";"Moved to Virus Vault"
"";"C:\Documents and Settings\user\Cookies\T23EFTUB.txt";"Found Tracking cookie.Mediaplex";"Healed"
"";"C:\Documents and Settings\user\Cookies\LCK5GA0L.txt:\revsci.net.2df99d79";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"";"C:\Documents and Settings\user\Cookies\LCK5GA0L.txt";"Found Tracking cookie.Revsci";"Healed"
"";"C:\Documents and Settings\user\Cookies\KL4LXXV8.txt:\adbrite.com.d5e309c2";"Found Tracking cookie.Adbrite";"Moved to Virus Vault"
"";"C:\Documents and Settings\user\Cookies\KL4LXXV8.txt:\adbrite.com.37283d89";"Found Tracking cookie.Adbrite";"Moved to Virus Vault"
"";"C:\Documents and Settings\user\Cookies\KL4LXXV8.txt";"Found Tracking cookie.Adbrite";"Healed"
"";"C:\Documents and Settings\user\Cookies\976L4IUB.txt:\ad.yieldmanager.com.ff92306";"Found Tracking cookie.Yieldmanager";"Object is inaccessible."
"";"C:\Documents and Settings\user\Cookies\976L4IUB.txt:\ad.yieldmanager.com.e626e6be";"Found Tracking cookie.Yieldmanager";"Object is inaccessible."
"";"C:\Documents and Settings\user\Cookies\976L4IUB.txt:\ad.yieldmanager.com.b68f2b7b";"Found Tracking cookie.Yieldmanager";"Object is inaccessible."
"";"C:\Documents and Settings\user\Cookies\976L4IUB.txt:\ad.yieldmanager.com.8a47878";"Found Tracking cookie.Yieldmanager";"Object is inaccessible."
"";"C:\Documents and Settings\user\Cookies\976L4IUB.txt:\ad.yieldmanager.com.830b6f08";"Found Tracking cookie.Yieldmanager";"Object is inaccessible."
"";"C:\Documents and Settings\user\Cookies\976L4IUB.txt:\ad.yieldmanager.com.557bf2b0";"Found Tracking cookie.Yieldmanager";"Object is inaccessible."
"";"C:\Documents and Settings\user\Cookies\976L4IUB.txt:\ad.yieldmanager.com.539b0606";"Found Tracking cookie.Yieldmanager";"Object is inaccessible."
"";"C:\Documents and Settings\user\Cookies\976L4IUB.txt";"Found Tracking cookie.Yieldmanager";"Object is inaccessible."
"";"C:\Documents and Settings\user\Cookies\7Z0LTYPP.txt:\fastclick.net.8a6435e9";"Found Tracking cookie.Fastclick";"Moved to Virus Vault"
"";"C:\Documents and Settings\user\Cookies\7Z0LTYPP.txt";"Found Tracking cookie.Fastclick";"Healed"
"";"C:\Documents and Settings\user\Cookies\6ZD5G75D.txt:\ru4.com.5a5e0633";"Found Tracking cookie.Ru4";"Moved to Virus Vault"
"";"C:\Documents and Settings\user\Cookies\6ZD5G75D.txt:\ru4.com.559e3746";"Found Tracking cookie.Ru4";"Moved to Virus Vault"
"";"C:\Documents and Settings\user\Cookies\6ZD5G75D.txt";"Found Tracking cookie.Ru4";"Healed"
"";"C:\Documents and Settings\user\Cookies\6B4AM42A.txt:\advertising.com.b624fa46";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
"";"C:\Documents and Settings\user\Cookies\6B4AM42A.txt:\advertising.com.82fea56";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
"";"C:\Documents and Settings\user\Cookies\6B4AM42A.txt:\advertising.com.525a5fb9";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
"";"C:\Documents and Settings\user\Cookies\6B4AM42A.txt:\advertising.com.203aa218";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
"";"C:\Documents and Settings\user\Cookies\6B4AM42A.txt";"Found Tracking cookie.Advertising";"Healed"
"";"C:\Documents and Settings\user\Cookies\3C6YQS86.txt:\burstnet.com.c4fe2ebb";"Found Tracking cookie.Burstnet";"Moved to Virus Vault"
"";"C:\Documents and Settings\user\Cookies\3C6YQS86.txt";"Found Tracking cookie.Burstnet";"Healed"
"";"C:\Documents and Settings\user\Cookies\38AO2095.txt:\tribalfusion.com.dcc03271";"Found Tracking cookie.Tribalfusion";"Moved to Virus Vault"
"";"C:\Documents and Settings\user\Cookies\38AO2095.txt";"Found Tracking cookie.Tribalfusion";"Healed"
"";"C:\Documents and Settings\user\Cookies\33RWJ56P.txt:\realmedia.com.ef906bac";"Found Tracking cookie.Realmedia";"Object is inaccessible."
"";"C:\Documents and Settings\user\Cookies\33RWJ56P.txt:\realmedia.com.9f8c11dd";"Found Tracking cookie.Realmedia";"Object is inaccessible."
"";"C:\Documents and Settings\user\Cookies\33RWJ56P.txt:\realmedia.com.855b46d";"Found Tracking cookie.Realmedia";"Object is inaccessible."
"";"C:\Documents and Settings\user\Cookies\33RWJ56P.txt:\realmedia.com.6b2e2a72";"Found Tracking cookie.Realmedia";"Object is inaccessible."
"";"C:\Documents and Settings\user\Cookies\33RWJ56P.txt";"Found Tracking cookie.Realmedia";"Object is inaccessible."
"";"C:\Documents and Settings\user\Cookies\110M62UO.txt:\atdmt.com.b3e33b5f";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
"";"C:\Documents and Settings\user\Cookies\110M62UO.txt:\atdmt.com.7247c262";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
"";"C:\Documents and Settings\user\Cookies\110M62UO.txt";"Found Tracking cookie.Atdmt";"Healed"



So I delete it all and restart my PC, then it all comes back and I don't know why. Any ideas?


----------



## johnb35

I take it you are using SUPERAntiSpyware? That program will always find cookies, and cookies will come back right after you start browsing again; if you go back to the same old sites, that's why they come back. Please do the following to scan for malware.

Please download *Malwarebytes' Anti-Malware* from *here* or *here* and save it to your desktop.

Double-click *mbam-setup.exe* and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
*Update Malwarebytes' Anti-Malware*
and *Launch Malwarebytes' Anti-Malware*
 
then click *Finish*.
If an update is found, it will download and install the latest version.  *Please keep updating until it says you have the latest version.*
Once the program has loaded, select *Perform quick scan*, then click *Scan*.
When the scan is complete, click *OK*, then *Show Results* to view the results.
Be sure that everything is checked, and click *Remove Selected*.
A log will be saved automatically, which you can access by clicking on the *Logs* tab within Malwarebytes' Anti-Malware.

If for some reason Malwarebytes will not install or run please download and run *Rkill.scr*,  *Rkill.exe*, or *Rkill.com*.  If you are still having issues running rkill then try downloading these renamed versions of the same program.

*EXPLORER.EXE*
*IEXPLORE.EXE*
*USERINIT.EXE*
*WINLOGON.EXE*

But *DO NOT* reboot the system, and then try installing or running Malwarebytes. If Rkill (which is a black box) appears and then disappears right away, or you get a message saying Rkill is infected, keep trying to run Rkill until it overpowers the infection and temporarily kills it. Once a log appears on the screen, you can try running Malwarebytes or downloading other programs.



Download the *HijackThis* installer from *here*.  
Run the installer and choose *Install*, indicating that you accept the licence agreement.  The installer will place a shortcut on your desktop and launch HijackThis.

Click *Do a system scan and save a logfile*

_Most of what HijackThis lists will be harmless or even essential, don't fix anything yet._

When the hijackthis log appears in a notepad file, click on the edit menu, click select all, then click on the edit menu again and click on copy.  Come back to your reply and right click on your mouse and click on paste.

Post the logfile that HijackThis produces along with the Malwarebytes Anti-Malware log.
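As an added illustration (not written by anyone in this thread): the scan output pasted in the first post is semicolon-separated, one detection per line, and every detection is a tracking cookie inside the per-user Cookies folder. The script below uses only Python's standard library and parses a constructed sample made of six of those lines copied verbatim. It counts outcomes, lists the ad-network domains behind the cookies, and checks whether anything executable (.exe, .dll, .sys, ...) was detected at all. Detections reported as "Object is inaccessible." are separated out because a file the scanner could not open was not cleaned and is left in place, so it shows up again on the next scan.

```python
"""Triage an AVG-style scan log: ';'-separated, one detection per line.

Added example, not part of the thread.  SAMPLE_LOG is a constructed
excerpt: six lines copied verbatim from the log posted above.
"""
import csv
import io
import os
from collections import Counter

SAMPLE_LOG = r"""
"";"C:\Documents and Settings\user\Cookies\Y8DL38ZC.txt:\pro-market.net.bbf67f2d";"Found Tracking cookie.Pro-market";"Moved to Virus Vault"
"";"C:\Documents and Settings\user\Cookies\Y8DL38ZC.txt";"Found Tracking cookie.Pro-market";"Healed"
"";"C:\Documents and Settings\user\Cookies\976L4IUB.txt:\ad.yieldmanager.com.ff92306";"Found Tracking cookie.Yieldmanager";"Object is inaccessible."
"";"C:\Documents and Settings\user\Cookies\976L4IUB.txt";"Found Tracking cookie.Yieldmanager";"Object is inaccessible."
"";"C:\Documents and Settings\user\Cookies\7Z0LTYPP.txt:\fastclick.net.8a6435e9";"Found Tracking cookie.Fastclick";"Moved to Virus Vault"
"";"C:\Documents and Settings\user\Cookies\7Z0LTYPP.txt";"Found Tracking cookie.Fastclick";"Healed"
"""

# Extensions that would point at code rather than data; none appear in the log.
EXECUTABLE_EXT = {".exe", ".dll", ".sys", ".scr", ".com", ".bat", ".cmd",
                  ".vbs", ".js", ".msi", ".ocx", ".drv", ".pif"}


def parse_entries(text):
    """Yield (file_path, cookie_record, threat, action) for each detection.

    AVG reports a single cookie inside a cookie file as
    '<cookie file>' + colon-backslash + '<domain>.<hex id>', so the second
    colon-backslash after the drive letter separates file from record.
    """
    for row in csv.reader(io.StringIO(text.strip()), delimiter=";", quotechar='"'):
        if len(row) < 4:
            continue
        _, obj, threat, action = row[:4]
        drive, _, rest = obj.partition(":\\")
        path, _, record = rest.partition(":\\")     # record == '' for the file itself
        yield drive + ":\\" + path, record, threat, action


def triage(text):
    """Summarise a log: what was found, what happened to it, what was left behind."""
    entries = list(parse_entries(text))
    return {
        "entries": len(entries),
        "by_action": dict(Counter(action for *_, action in entries)),
        # True when nothing but tracking cookies was detected.
        "cookie_only": all(t.startswith("Found Tracking cookie") for _, _, t, _ in entries),
        "executables": sorted({p for p, *_ in entries
                               if os.path.splitext(p)[1].lower() in EXECUTABLE_EXT}),
        # Files the scanner could not open: left in place, so they reappear next scan.
        "inaccessible_files": sorted({p for p, _, _, a in entries
                                      if a.startswith("Object is inaccessible")}),
        # Ad-network domains that set the cookies (strip the trailing hex id).
        "domains": sorted({r.rsplit(".", 1)[0] for _, r, _, _ in entries if r}),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

Run against the full 50-line log, `cookie_only` stays True and `executables` stays empty, which is the practical point of the reply above: the scanner is reporting browser cookies, not whatever is driving the IE behaviour.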


----------



## MrDiehl332005

Yeah, I ran Malwarebytes' Anti-Malware and it doesn't come up with anything. So, other ideas?


----------



## johnb35

It would help to provide the logs I ask for.  You said you used malwarebytes already but I also asked for a hijackthis log.  



*Download and Run ComboFix*
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*

*Download this file* here :

*Combofix*


When the page loads click on the blue combofix download link next to the BleepingComputer Mirror.
Save the file to your windows desktop.  The combofix icon will look like this when it has downloaded to your desktop.





We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:


Close all open windows, including this one.

Close or disable all running antivirus, antispyware, and firewall programs, as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found *here*.
Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.

Please click on I agree on the disclaimer window.
ComboFix will now install itself on to your computer. When it is done, a blue screen will appear as shown below.





ComboFix is now preparing to run. When it has finished ComboFix will automatically attempt to create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then backup your Windows Registry as shown in the image below.





Once the Windows Registry has finished being backed up, ComboFix will attempt to detect if you have the Windows Recovery Console installed. If you already have it installed, you can skip to this section and continue reading. Otherwise you will see the following message as shown below:





At the above message box, please click on the Yes button in order for ComboFix to continue. Please follow the steps and instructions given by ComboFix in order to finish the installation of the Recovery Console.

Please click on yes in the next window to continue scanning for malware.

ComboFix will now disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.

ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.

While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan. An example of this can be seen below.





When ComboFix has finished running, you will see a screen stating that it is preparing the log report.

This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.

When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically for you.  

Now you just click on the edit menu and click on select all, then click on the edit menu again and click on copy.  Then come to the forum in your reply and right click on your mouse and click on paste.  



In your next reply please post:

The ComboFix log
A fresh HiJackThis log
An update on how your computer is running


----------



## MrDiehl332005

ComboFix

ComboFix 11-11-11.06 - user 11/11/2011  14:14:07.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1014.411 [GMT -8:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\user\Application Data\PriceGong
c:\documents and settings\user\Application Data\PriceGong\Data\1.txt
c:\documents and settings\user\Application Data\PriceGong\Data\1707.txt
c:\documents and settings\user\Application Data\PriceGong\Data\2229.txt
c:\documents and settings\user\Application Data\PriceGong\Data\3911.txt
c:\documents and settings\user\Application Data\PriceGong\Data\4436.txt
c:\documents and settings\user\Application Data\PriceGong\Data\450.txt
c:\documents and settings\user\Application Data\PriceGong\Data\4873.txt
c:\documents and settings\user\Application Data\PriceGong\Data\6784.txt
c:\documents and settings\user\Application Data\PriceGong\Data\a.txt
c:\documents and settings\user\Application Data\PriceGong\Data\b.txt
c:\documents and settings\user\Application Data\PriceGong\Data\c.txt
c:\documents and settings\user\Application Data\PriceGong\Data\d.txt
c:\documents and settings\user\Application Data\PriceGong\Data\e.txt
c:\documents and settings\user\Application Data\PriceGong\Data\f.txt
c:\documents and settings\user\Application Data\PriceGong\Data\g.txt
c:\documents and settings\user\Application Data\PriceGong\Data\h.txt
c:\documents and settings\user\Application Data\PriceGong\Data\i.txt
c:\documents and settings\user\Application Data\PriceGong\Data\j.txt
c:\documents and settings\user\Application Data\PriceGong\Data\k.txt
c:\documents and settings\user\Application Data\PriceGong\Data\l.txt
c:\documents and settings\user\Application Data\PriceGong\Data\m.txt
c:\documents and settings\user\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\user\Application Data\PriceGong\Data\n.txt
c:\documents and settings\user\Application Data\PriceGong\Data\o.txt
c:\documents and settings\user\Application Data\PriceGong\Data\p.txt
c:\documents and settings\user\Application Data\PriceGong\Data\q.txt
c:\documents and settings\user\Application Data\PriceGong\Data\r.txt
c:\documents and settings\user\Application Data\PriceGong\Data\s.txt
c:\documents and settings\user\Application Data\PriceGong\Data\t.txt
c:\documents and settings\user\Application Data\PriceGong\Data\u.txt
c:\documents and settings\user\Application Data\PriceGong\Data\v.txt
c:\documents and settings\user\Application Data\PriceGong\Data\w.txt
c:\documents and settings\user\Application Data\PriceGong\Data\wlu.txt
c:\documents and settings\user\Application Data\PriceGong\Data\x.txt
c:\documents and settings\user\Application Data\PriceGong\Data\y.txt
c:\documents and settings\user\Application Data\PriceGong\Data\z.txt
c:\documents and settings\user\Start Menu\Programs\System Restore
c:\documents and settings\user\Start Menu\Programs\System Restore\System Restore.lnk
c:\documents and settings\user\Start Menu\Programs\System Restore\Uninstall System Restore.lnk
.
.
(((((((((((((((((((((((((   Files Created from 2011-10-11 to 2011-11-11  )))))))))))))))))))))))))))))))
.
.
2011-11-11 21:42 . 2011-11-11 21:42	28752	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0BC04DEE-5DC9-48E1-A182-FD1B8BF10806}\MpKsl57b2b03e.sys
2011-11-11 03:24 . 2011-11-11 03:24	28752	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0BC04DEE-5DC9-48E1-A182-FD1B8BF10806}\MpKsla908f3bc.sys
2011-11-11 03:23 . 2011-11-11 21:42	56200	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0BC04DEE-5DC9-48E1-A182-FD1B8BF10806}\offreg.dll
2011-11-11 03:23 . 2011-10-07 03:48	6668624	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0BC04DEE-5DC9-48E1-A182-FD1B8BF10806}\mpengine.dll
2011-11-06 01:17 . 2011-11-06 01:17	--------	d-----w-	c:\documents and settings\NetworkService\Application Data\Yahoo!
2011-10-28 23:49 . 2011-11-07 19:45	--------	d-----w-	c:\program files\MALWAREBYTES ANTI-MALWARE
2011-10-26 02:00 . 2011-10-26 02:00	--------	d-----w-	C:\$AVG
2011-10-26 01:35 . 2011-10-26 01:35	--------	d-----w-	c:\documents and settings\user\Application Data\AVG2012
2011-10-26 01:28 . 2011-11-11 17:09	--------	d-----w-	c:\windows\system32\drivers\AVG
2011-10-26 01:28 . 2011-11-06 21:08	--------	d-----w-	c:\documents and settings\All Users\Application Data\AVG2012
2011-10-26 01:27 . 2011-10-26 01:27	--------	d-----w-	c:\program files\AVG
2011-10-26 01:21 . 2011-10-26 01:21	--------	d--h--w-	c:\documents and settings\All Users\Application Data\Common Files
2011-10-26 01:20 . 2011-11-11 17:09	--------	d-----w-	c:\documents and settings\All Users\Application Data\MFAData
2011-10-25 10:01 . 2011-10-25 23:26	--------	d-----w-	c:\windows\SxsCaPendDel
2011-10-23 21:28 . 2011-10-23 21:52	--------	d-----w-	c:\documents and settings\user\Application Data\Yahoo!
2011-10-23 21:28 . 2011-10-23 21:46	--------	d-----w-	c:\documents and settings\All Users\Application Data\Yahoo! Companion
2011-10-23 21:27 . 2011-10-23 21:28	--------	d-----w-	c:\documents and settings\All Users\Application Data\Yahoo!
2011-10-23 21:25 . 2011-10-23 21:28	--------	d-----w-	c:\program files\Yahoo!
2011-10-21 20:11 . 2011-10-21 20:11	--------	d-----w-	c:\documents and settings\user\Application Data\Malwarebytes
2011-10-21 20:11 . 2011-10-21 20:11	--------	d-----w-	c:\documents and settings\All Users\Application Data\Malwarebytes
2011-10-21 20:11 . 2011-09-01 00:00	22216	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-10-21 20:11 . 2011-10-21 20:11	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2011-10-21 17:51 . 2011-10-21 18:10	--------	d-----w-	C:\$WIN_NT$.~BT
2011-10-21 17:43 . 2011-10-21 17:44	--------	d-----w-	c:\documents and settings\Administrator
2011-10-21 17:12 . 2011-10-21 17:12	--------	d-----w-	C:\found.000
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-23 21:28 . 2011-08-25 20:27	414368	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2010-09-15 20:00	692736	----a-w-	c:\windows\system32\inetcomm.dll
2011-10-07 14:23 . 2011-07-11 08:13	230608	----a-w-	c:\windows\system32\drivers\avgldx86.sys
2011-10-07 03:48 . 2010-12-16 21:46	6668624	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-10-04 14:21 . 2011-07-11 08:14	16720	----a-w-	c:\windows\system32\drivers\AVGIDSShim.sys
2011-09-28 07:06 . 2008-04-13 23:00	599040	----a-w-	c:\windows\system32\crypt32.dll
2011-09-26 18:41 . 2008-07-29 23:59	611328	----a-w-	c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41 . 2008-04-13 23:00	220160	----a-w-	c:\windows\system32\oleacc.dll
2011-09-26 18:41 . 2008-04-13 23:00	20480	----a-w-	c:\windows\system32\oleaccrc.dll
2011-09-13 13:30 . 2011-09-13 13:30	32592	----a-w-	c:\windows\system32\drivers\avgrkx86.sys
2011-09-06 13:20 . 2008-04-13 23:00	1858944	----a-w-	c:\windows\system32\win32k.sys
2011-08-24 22:04 . 2011-08-24 22:04	15939	----a-w-	c:\windows\system32\drivers\AegisP.sys
2011-08-22 23:48 . 2008-04-13 23:00	916480	----a-w-	c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2008-04-13 23:00	43520	------w-	c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2008-04-13 23:00	1469440	------w-	c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2008-04-13 23:00	385024	------w-	c:\windows\system32\html.iec
2011-08-17 13:49 . 2008-04-13 23:00	138496	----a-w-	c:\windows\system32\drivers\afd.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{88c7f2aa-f93f-432c-8f0e-b7d85967a527}"= "c:\program files\BitTorrentBar\prxtbBitT.dll" [2011-05-09 176936]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\progra~1\Yahoo!\Companion\Installs\cpn0\yt.dll" [2011-10-06 2015544]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
2011-05-09 09:49	176936	----a-w-	c:\program files\BitTorrentBar\prxtbBitT.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{88c7f2aa-f93f-432c-8f0e-b7d85967a527}"= "c:\program files\BitTorrentBar\prxtbBitT.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{88C7F2AA-F93F-432C-8F0E-B7D85967A527}"= "c:\program files\BitTorrentBar\prxtbBitT.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2011-08-22 6276408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"NGTray"="c:\program files\Symantec\Ghost\ngtray.exe" [2008-04-23 218504]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-07-09 570664]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-06 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-09-01 449608]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-10-25 2415456]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]


When I click on the HijackThis link it opened in the IE browser, which shows a shitload of this: ÐÏà¡±á>þÿ þÿÿÿ€ÿ€ÿ€ÿ€ÿ€ÿ€ÿ€ …
à>ÍÇÎ9OÙÌƒ/IÅ”V^Ší¢&çß_Q_íÄœ³4=¤-gvøR¤Ëj]%·Â™ZÅŸF4Ù"ýC¤CúL2~®PíwÙ3Óûg*.ym™í‘ü2ãÔ ê:~%íîåKŠ¹%5yžÚX]8›RÜÕÆzÞ¥pÈ{<_^t:¹Ø"]R¾ äl×+A ?€$0ræê¶k\kD ¦ò/}¯SVx”Æëþò^äVÙ®D z.{qv  ’¢p ržK>$H³«(



And I just ran it, so I will let you know how it is in a bit.
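The "Reg Loading Points" section of the ComboFix log above lists the same BitTorrentBar DLL (prxtbBitT.dll) under four Internet Explorer extension points (URLSearchHooks, Browser Helper Objects, Toolbar, Toolbar\Webbrowser), all with one CLSID, alongside ordinary Run entries. The script below is an added example, not part of the thread and not ComboFix's own code; its input is a constructed excerpt of those posted lines with tabs written as spaces. It parses the REGEDIT4-style dump and groups entries by the module each key loads, so a module registered under several keys is reported once, and it singles out the IE-facing keys because a search hook, BHO or toolbar runs inside iexplore.exe itself.

```python
"""Group the 'Reg Loading Points' of a ComboFix log by the module each key loads.

Added example, not part of the thread or of ComboFix.  SAMPLE is a
constructed excerpt of the section posted above (tabs written as spaces).
"""
import re
from collections import defaultdict

SAMPLE = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{88c7f2aa-f93f-432c-8f0e-b7d85967a527}"= "c:\program files\BitTorrentBar\prxtbBitT.dll" [2011-05-09 176936]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\progra~1\Yahoo!\Companion\Installs\cpn0\yt.dll" [2011-10-06 2015544]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
2011-05-09 09:49    176936    ----a-w-    c:\program files\BitTorrentBar\prxtbBitT.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{88c7f2aa-f93f-432c-8f0e-b7d85967a527}"= "c:\program files\BitTorrentBar\prxtbBitT.dll" [2011-05-09 176936]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{88C7F2AA-F93F-432C-8F0E-B7D85967A527}"= "c:\program files\BitTorrentBar\prxtbBitT.dll" [2011-05-09 176936]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-10-25 2415456]
"""

CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
# "<name>"= "<path>" [<date> <size>]   (the bracketed stamp is optional)
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*"(?P<path>[^"]*)"(?:\s*\[[^\]]*\])?$')
# <date> <time> <size> <attrs> <path>   (ComboFix's form for a BHO entry)
BARE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+\d+\s+\S+\s+(?P<path>\S.*)$")
# Keys whose entries are loaded into iexplore.exe itself.
IE_HOOK_KEYS = ("URLSearchHooks", "Browser Helper Objects", "Internet Explorer\\Toolbar")


def parse_loading_points(text):
    """Return {module path (lower-cased): {"keys": set, "clsids": set, "names": set}}."""
    modules = defaultdict(lambda: {"keys": set(), "clsids": set(), "names": set()})
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue                       # ComboFix separates blocks with a lone '.'
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line) or BARE_RE.match(line)
        if key is None or m is None:
            continue
        name = m.groupdict().get("name", "")
        entry = modules[m.group("path").lower()]
        entry["keys"].add(key)
        entry["clsids"].update(c.lower() for c in CLSID_RE.findall(key + " " + name))
        if name and not CLSID_RE.fullmatch(name):
            entry["names"].add(name)       # plain value names, e.g. Run entries
    return dict(modules)


def ie_extensions(modules):
    """Modules registered under an IE search-hook, BHO or toolbar key, with those keys."""
    return {path: sorted(k for k in info["keys"] if any(h in k for h in IE_HOOK_KEYS))
            for path, info in modules.items()
            if any(h in k for k in info["keys"] for h in IE_HOOK_KEYS)}


if __name__ == "__main__":
    mods = parse_loading_points(SAMPLE)
    for path, keys in ie_extensions(mods).items():
        print(path, "->", len(keys), "IE load point(s)", sorted(mods[path]["clsids"]))
```

On the sample this yields two IE extension modules: prxtbBitT.dll under four keys with a single CLSID, and the Yahoo! Companion yt.dll under one. Grouping by module rather than by key is what makes the log readable at a glance; CLSIDs are lower-cased before comparison because the same GUID appears in both cases in the dump.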


----------



## johnb35

Please repost the full combofix log as you cut out most of it.


----------



## blue957400

Funny... all you need to do is go to Kaspersky's website and download TDSSKiller. I work in tech support and 9 times out of 10 this takes care of it. If not, feel free to post back so we can further assist you. =]


----------



## blue957400

Here is the link:

http://support.kaspersky.com/faq/?qid=208283363


----------



## MrDiehl332005

This is the whole file log right here. My computer still does the same thing: when in IE it closes the window whenever it wants, and then when IE is open it will start playing random music or ads...

ComboFix 11-11-11.06 - user 11/11/2011  14:14:07.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1014.411 [GMT -8:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\user\Application Data\PriceGong
c:\documents and settings\user\Application Data\PriceGong\Data\1.txt
c:\documents and settings\user\Application Data\PriceGong\Data\1707.txt
c:\documents and settings\user\Application Data\PriceGong\Data\2229.txt
c:\documents and settings\user\Application Data\PriceGong\Data\3911.txt
c:\documents and settings\user\Application Data\PriceGong\Data\4436.txt
c:\documents and settings\user\Application Data\PriceGong\Data\450.txt
c:\documents and settings\user\Application Data\PriceGong\Data\4873.txt
c:\documents and settings\user\Application Data\PriceGong\Data\6784.txt
c:\documents and settings\user\Application Data\PriceGong\Data\a.txt
c:\documents and settings\user\Application Data\PriceGong\Data\b.txt
c:\documents and settings\user\Application Data\PriceGong\Data\c.txt
c:\documents and settings\user\Application Data\PriceGong\Data\d.txt
c:\documents and settings\user\Application Data\PriceGong\Data\e.txt
c:\documents and settings\user\Application Data\PriceGong\Data\f.txt
c:\documents and settings\user\Application Data\PriceGong\Data\g.txt
c:\documents and settings\user\Application Data\PriceGong\Data\h.txt
c:\documents and settings\user\Application Data\PriceGong\Data\i.txt
c:\documents and settings\user\Application Data\PriceGong\Data\j.txt
c:\documents and settings\user\Application Data\PriceGong\Data\k.txt
c:\documents and settings\user\Application Data\PriceGong\Data\l.txt
c:\documents and settings\user\Application Data\PriceGong\Data\m.txt
c:\documents and settings\user\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\user\Application Data\PriceGong\Data\n.txt
c:\documents and settings\user\Application Data\PriceGong\Data\o.txt
c:\documents and settings\user\Application Data\PriceGong\Data\p.txt
c:\documents and settings\user\Application Data\PriceGong\Data\q.txt
c:\documents and settings\user\Application Data\PriceGong\Data\r.txt
c:\documents and settings\user\Application Data\PriceGong\Data\s.txt
c:\documents and settings\user\Application Data\PriceGong\Data\t.txt
c:\documents and settings\user\Application Data\PriceGong\Data\u.txt
c:\documents and settings\user\Application Data\PriceGong\Data\v.txt
c:\documents and settings\user\Application Data\PriceGong\Data\w.txt
c:\documents and settings\user\Application Data\PriceGong\Data\wlu.txt
c:\documents and settings\user\Application Data\PriceGong\Data\x.txt
c:\documents and settings\user\Application Data\PriceGong\Data\y.txt
c:\documents and settings\user\Application Data\PriceGong\Data\z.txt
c:\documents and settings\user\Start Menu\Programs\System Restore
c:\documents and settings\user\Start Menu\Programs\System Restore\System Restore.lnk
c:\documents and settings\user\Start Menu\Programs\System Restore\Uninstall System Restore.lnk
.
.
(((((((((((((((((((((((((   Files Created from 2011-10-11 to 2011-11-11  )))))))))))))))))))))))))))))))
.
.
2011-11-11 21:42 . 2011-11-11 21:42	28752	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0BC04DEE-5DC9-48E1-A182-FD1B8BF10806}\MpKsl57b2b03e.sys
2011-11-11 03:24 . 2011-11-11 03:24	28752	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0BC04DEE-5DC9-48E1-A182-FD1B8BF10806}\MpKsla908f3bc.sys
2011-11-11 03:23 . 2011-11-11 21:42	56200	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0BC04DEE-5DC9-48E1-A182-FD1B8BF10806}\offreg.dll
2011-11-11 03:23 . 2011-10-07 03:48	6668624	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0BC04DEE-5DC9-48E1-A182-FD1B8BF10806}\mpengine.dll
2011-11-06 01:17 . 2011-11-06 01:17	--------	d-----w-	c:\documents and settings\NetworkService\Application Data\Yahoo!
2011-10-28 23:49 . 2011-11-07 19:45	--------	d-----w-	c:\program files\MALWAREBYTES ANTI-MALWARE
2011-10-26 02:00 . 2011-10-26 02:00	--------	d-----w-	C:\$AVG
2011-10-26 01:35 . 2011-10-26 01:35	--------	d-----w-	c:\documents and settings\user\Application Data\AVG2012
2011-10-26 01:28 . 2011-11-11 17:09	--------	d-----w-	c:\windows\system32\drivers\AVG
2011-10-26 01:28 . 2011-11-06 21:08	--------	d-----w-	c:\documents and settings\All Users\Application Data\AVG2012
2011-10-26 01:27 . 2011-10-26 01:27	--------	d-----w-	c:\program files\AVG
2011-10-26 01:21 . 2011-10-26 01:21	--------	d--h--w-	c:\documents and settings\All Users\Application Data\Common Files
2011-10-26 01:20 . 2011-11-11 17:09	--------	d-----w-	c:\documents and settings\All Users\Application Data\MFAData
2011-10-25 10:01 . 2011-10-25 23:26	--------	d-----w-	c:\windows\SxsCaPendDel
2011-10-23 21:28 . 2011-10-23 21:52	--------	d-----w-	c:\documents and settings\user\Application Data\Yahoo!
2011-10-23 21:28 . 2011-10-23 21:46	--------	d-----w-	c:\documents and settings\All Users\Application Data\Yahoo! Companion
2011-10-23 21:27 . 2011-10-23 21:28	--------	d-----w-	c:\documents and settings\All Users\Application Data\Yahoo!
2011-10-23 21:25 . 2011-10-23 21:28	--------	d-----w-	c:\program files\Yahoo!
2011-10-21 20:11 . 2011-10-21 20:11	--------	d-----w-	c:\documents and settings\user\Application Data\Malwarebytes
2011-10-21 20:11 . 2011-10-21 20:11	--------	d-----w-	c:\documents and settings\All Users\Application Data\Malwarebytes
2011-10-21 20:11 . 2011-09-01 00:00	22216	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-10-21 20:11 . 2011-10-21 20:11	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2011-10-21 17:51 . 2011-10-21 18:10	--------	d-----w-	C:\$WIN_NT$.~BT
2011-10-21 17:43 . 2011-10-21 17:44	--------	d-----w-	c:\documents and settings\Administrator
2011-10-21 17:12 . 2011-10-21 17:12	--------	d-----w-	C:\found.000
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-23 21:28 . 2011-08-25 20:27	414368	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2010-09-15 20:00	692736	----a-w-	c:\windows\system32\inetcomm.dll
2011-10-07 14:23 . 2011-07-11 08:13	230608	----a-w-	c:\windows\system32\drivers\avgldx86.sys
2011-10-07 03:48 . 2010-12-16 21:46	6668624	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-10-04 14:21 . 2011-07-11 08:14	16720	----a-w-	c:\windows\system32\drivers\AVGIDSShim.sys
2011-09-28 07:06 . 2008-04-13 23:00	599040	----a-w-	c:\windows\system32\crypt32.dll
2011-09-26 18:41 . 2008-07-29 23:59	611328	----a-w-	c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41 . 2008-04-13 23:00	220160	----a-w-	c:\windows\system32\oleacc.dll
2011-09-26 18:41 . 2008-04-13 23:00	20480	----a-w-	c:\windows\system32\oleaccrc.dll
2011-09-13 13:30 . 2011-09-13 13:30	32592	----a-w-	c:\windows\system32\drivers\avgrkx86.sys
2011-09-06 13:20 . 2008-04-13 23:00	1858944	----a-w-	c:\windows\system32\win32k.sys
2011-08-24 22:04 . 2011-08-24 22:04	15939	----a-w-	c:\windows\system32\drivers\AegisP.sys
2011-08-22 23:48 . 2008-04-13 23:00	916480	----a-w-	c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2008-04-13 23:00	43520	------w-	c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2008-04-13 23:00	1469440	------w-	c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2008-04-13 23:00	385024	------w-	c:\windows\system32\html.iec
2011-08-17 13:49 . 2008-04-13 23:00	138496	----a-w-	c:\windows\system32\drivers\afd.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{88c7f2aa-f93f-432c-8f0e-b7d85967a527}"= "c:\program files\BitTorrentBar\prxtbBitT.dll" [2011-05-09 176936]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\progra~1\Yahoo!\Companion\Installs\cpn0\yt.dll" [2011-10-06 2015544]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
2011-05-09 09:49	176936	----a-w-	c:\program files\BitTorrentBar\prxtbBitT.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{88c7f2aa-f93f-432c-8f0e-b7d85967a527}"= "c:\program files\BitTorrentBar\prxtbBitT.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{88C7F2AA-F93F-432C-8F0E-B7D85967A527}"= "c:\program files\BitTorrentBar\prxtbBitT.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2011-08-22 6276408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"NGTray"="c:\program files\Symantec\Ghost\ngtray.exe" [2008-04-23 218504]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-07-09 570664]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-06 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-09-01 449608]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-10-25 2415456]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless USB Utility.lnk - c:\program files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [N/A]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute	REG_MULTI_SZ   	autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\Ghost\\ngctw32.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [7/11/2011 12:14 AM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/13/2011 5:30 AM 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [7/11/2011 12:13 AM 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 12:14 AM 295248]
R1 MpKsl57b2b03e;MpKsl57b2b03e;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0BC04DEE-5DC9-48E1-A182-FD1B8BF10806}\MpKsl57b2b03e.sys [11/11/2011 1:42 PM 28752]
R1 MpKsla908f3bc;MpKsla908f3bc;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0BC04DEE-5DC9-48E1-A182-FD1B8BF10806}\MpKsla908f3bc.sys [11/10/2011 7:24 PM 28752]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 6:25 AM 4433248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 5:09 AM 192776]
R2 Belkin 54g Wireless USB Network Adapter Service;Belkin 54g Wireless USB Network Adapter;c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe [8/24/2011 2:04 PM 49152]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/21/2011 12:11 PM 366152]
R2 NGCLIENT;Symantec Ghost Client Agent;c:\program files\Symantec\Ghost\ngctw32.exe [4/22/2008 5:35 PM 673160]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [7/11/2011 12:14 AM 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [7/11/2011 12:14 AM 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [7/11/2011 12:14 AM 16720]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/21/2011 12:11 PM 22216]
S0 cerc6;cerc6; [x]
S1 MpKsl0475cfc4;MpKsl0475cfc4;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0A1C058A-4D71-4C59-9C63-32CE7A07BB56}\MpKsl0475cfc4.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0A1C058A-4D71-4C59-9C63-32CE7A07BB56}\MpKsl0475cfc4.sys [?]
S1 MpKsl4f28ceb2;MpKsl4f28ceb2;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9CE7845B-DD2C-4B58-B9A3-1CE5E64D6271}\MpKsl4f28ceb2.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9CE7845B-DD2C-4B58-B9A3-1CE5E64D6271}\MpKsl4f28ceb2.sys [?]
S3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;c:\windows\system32\drivers\rt2500usb.sys [8/24/2011 2:04 PM 140416]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL57B2B03E
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
.
2011-11-11 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe" //mailurl:mailto:fortnisqually@tacomaparks.com
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-11 14:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
c:\program files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe [25228] 0x847163B0
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-11-11  15:13:10
ComboFix-quarantined-files.txt  2011-11-11 23:12
.
Pre-Run: 60,029,407,232 bytes free
Post-Run: 60,327,718,912 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[Boot Loader]
Timeout=2
Default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[Operating Systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
c:\$win_nt$.~bt\BOOTSECT.DAT="Microsoft Windows XP Professional Setup"
.
- - End Of File - - 973065597A181753B4367E70DEB0801F


----------



## johnb35

You have a few things to do now.  Please do them in order.

1.

You have AVG and Microsoft Security Essentials installed at the same time.  Please choose which program you want to keep and uninstall the other one.  You can't have 2 antivirus programs installed at the same time; there will be issues.  If you uninstall AVG then please use their removal tool afterwards to finish cleaning it off your system.

http://download.avg.com/filedir/util/avgrem/avg_remover_stf_x86_2012_1796.exe

2. 

Please download and run TDSSkiller

When the program opens, click on the start scan button.

TDSSKiller will now scan your computer for the TDSS infection. When the scan has finished it will display a result screen stating whether or not the infection was found on your computer. If it was found it will display a screen similar to the one below.






To remove the infection simply click on the Continue button and TDSSKiller will attempt to clean the infection.

When it has finished cleaning the infection you will see a report stating whether or not it was successful as shown below.






If the log says "will be cured after reboot", please reboot the system by pressing the reboot now button.

After running there will be a log that will be located at the root of your c:\ drive labeled tdsskiller with a series of numbers after it.  Please open the log and copy and paste it back here.

3.

Download the *HijackThis* installer from *here*.  
Run the installer and choose *Install*, indicating that you accept the licence agreement.  The installer will place a shortcut on your desktop and launch HijackThis.

Click *Do a system scan and save a logfile*

_Most of what HijackThis lists will be harmless or even essential, don't fix anything yet._

When the HijackThis log appears in a Notepad file, click on the Edit menu, click Select All, then click on the Edit menu again and click on Copy.  Come back to your reply, right click with your mouse and click on Paste.

Post the logfile that HijackThis produces

4.

ComboFix automatically created a logfile that I need you to post as well.  Please navigate to C:\Qoobox; in that folder there will be a file named "Add-remove programs.txt".  Please open that file and copy and paste the contents back here.


----------



## MrDiehl332005

So I deleted Microsoft Essentials and tried to run TDSSKiller. I downloaded it to my desktop and tried to run it and nothing happens. I tried to restart and do it, with the same result. I have my AVG disabled so it wouldn't get in the way. Any ideas? I even tried the link blue posted for me.


----------



## johnb35

Have you tried it in safe mode?  It should run with no issues in regular mode.


----------



## blue957400

When you say nothing happens, does that mean that nothing comes up on the screen, or that it does not run and you can see the program? I've seen this at work and usually the Kaspersky Virus Removal Tool will remove some of it so that you can then try and run TDSSKiller. Or you can try and download the older modified version, should you or johnb35 be able to find it. So far here at work the only solution would be ComboFix or a reformat, but you've already tried ComboFix and this doesn't appear to have worked. I'll be looking at this thread to see if you guys find a solution. One other thing: download and run HitmanPro. If you find that it finds a Master Boot Sector infection or a consrv.dll infection then a reformat will be necessary. Removing or replacing either of these two (consrv.dll or the MBR) will result in a blue screen and a system restore will be necessary.


----------



## johnb35

Download *MBRCheck* to your desktop.


Double click MBRCheck.exe to run (on Vista and Win 7, right click and select Run as Administrator) 
It will show a Black screen with some information that will contain either the below line if no problem is found:

Done! Press ENTER to exit... 


Or you will see more information like below if a problem is found:

Found non-standard or infected MBR. 
Enter 'Y' and hit ENTER for more options, or 'N' to exit: 


Either way, just choose to exit the program at this point since we want to see only the scan results to begin with. 
MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time. 
Attach this log to your next message.


----------



## MrDiehl332005

Blue, I double click it and the mouse icon goes to the loading symbol but nothing happens.


John, I ran MBRCheck and this is what I get

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:			
Windows Version:		Windows XP Professional
Windows Information:		Service Pack 3 (build 2600)
Logical Drives Mask:		0x0000000d

Kernel Drivers (total 127):
  0x804D7000 \WINDOWS\system32\ntoskrnl.exe
  0x80700000 \WINDOWS\system32\hal.dll
  0xF7B0C000 \WINDOWS\system32\KDCOM.DLL
  0xF7A1C000 \WINDOWS\system32\BOOTVID.dll
  0xF75BD000 ACPI.sys
  0xF7B0E000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
  0xF75AC000 pci.sys
  0xF760C000 isapnp.sys
  0xF7BD4000 pciide.sys
  0xF788C000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
  0xF761C000 MountMgr.sys
  0xF758D000 ftdisk.sys
  0xF7B10000 dmload.sys
  0xF7567000 dmio.sys
  0xF7894000 PartMgr.sys
  0xF762C000 VolSnap.sys
  0xF754F000 atapi.sys
  0xF763C000 disk.sys
  0xF764C000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
  0xF752F000 fltMgr.sys
  0xF751D000 sr.sys
  0xF7506000 KSecDD.sys
  0xF74F3000 WudfPf.sys
  0xF7466000 Ntfs.sys
  0xF7439000 NDIS.sys
  0xF741F000 Mup.sys
  0xF789C000 avgrkx86.sys
  0xF7A20000 AVGIDSEH.Sys
  0xF782C000 \SystemRoot\system32\DRIVERS\intelppm.sys
  0xF68F2000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
  0xF68DE000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
  0xF68BD000 \SystemRoot\system32\DRIVERS\b57xp32.sys
  0xF7924000 \SystemRoot\system32\DRIVERS\usbuhci.sys
  0xF6899000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
  0xF792C000 \SystemRoot\system32\DRIVERS\usbehci.sys
  0xF6859000 \SystemRoot\system32\drivers\smwdm.sys
  0xF6835000 \SystemRoot\system32\drivers\portcls.sys
  0xF783C000 \SystemRoot\system32\drivers\drmk.sys
  0xF6812000 \SystemRoot\system32\drivers\ks.sys
  0xF675F000 \SystemRoot\system32\drivers\senfilt.sys
  0xF7934000 \SystemRoot\system32\DRIVERS\fdc.sys
  0xF674B000 \SystemRoot\system32\DRIVERS\parport.sys
  0xF784C000 \SystemRoot\system32\DRIVERS\serial.sys
  0xF7B00000 \SystemRoot\system32\DRIVERS\serenum.sys
  0xF785C000 \SystemRoot\system32\DRIVERS\imapi.sys
  0xF786C000 \SystemRoot\system32\DRIVERS\cdrom.sys
  0xF787C000 \SystemRoot\system32\DRIVERS\redbook.sys
  0xF793C000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
  0xF7C51000 \SystemRoot\system32\DRIVERS\audstub.sys
  0xF766C000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
  0xF7B04000 \SystemRoot\system32\DRIVERS\ndistapi.sys
  0xF6734000 \SystemRoot\system32\DRIVERS\ndiswan.sys
  0xF767C000 \SystemRoot\system32\DRIVERS\raspppoe.sys
  0xF768C000 \SystemRoot\system32\DRIVERS\raspptp.sys
  0xF7944000 \SystemRoot\system32\DRIVERS\TDI.SYS
  0xF6723000 \SystemRoot\system32\DRIVERS\psched.sys
  0xF769C000 \SystemRoot\system32\DRIVERS\msgpc.sys
  0xF794C000 \SystemRoot\system32\DRIVERS\ptilink.sys
  0xF7954000 \SystemRoot\system32\DRIVERS\raspti.sys
  0xF66F3000 \SystemRoot\system32\DRIVERS\rdpdr.sys
  0xF76AC000 \SystemRoot\system32\DRIVERS\termdd.sys
  0xF795C000 \SystemRoot\system32\DRIVERS\kbdclass.sys
  0xF7964000 \SystemRoot\system32\DRIVERS\mouclass.sys
  0xF7B3E000 \SystemRoot\system32\DRIVERS\swenum.sys
  0xF6695000 \SystemRoot\system32\DRIVERS\update.sys
  0xF73D6000 \SystemRoot\system32\DRIVERS\mssmbios.sys
  0xF770C000 \SystemRoot\System32\Drivers\NDProxy.SYS
  0xF775C000 \SystemRoot\system32\DRIVERS\usbhub.sys
  0xF7B44000 \SystemRoot\system32\DRIVERS\USBD.SYS
  0xF78DC000 \SystemRoot\system32\DRIVERS\flpydisk.sys
  0xA79B5000 \SystemRoot\system32\DRIVERS\avgmfx86.sys
  0xF7BA2000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
  0xF7D08000 \SystemRoot\System32\Drivers\Null.SYS
  0xF7BA4000 \SystemRoot\System32\Drivers\Beep.SYS
  0xA80B8000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
  0xA80B0000 \SystemRoot\System32\drivers\vga.sys
  0xF7BA6000 \SystemRoot\System32\Drivers\mnmdd.SYS
  0xF7BA8000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
  0xA80A8000 \SystemRoot\System32\Drivers\Msfs.SYS
  0xA80A0000 \SystemRoot\System32\Drivers\Npfs.SYS
  0xA991C000 \SystemRoot\system32\DRIVERS\rasacd.sys
  0xA5EC1000 \SystemRoot\system32\DRIVERS\ipsec.sys
  0xA5E68000 \SystemRoot\system32\DRIVERS\tcpip.sys
  0xA5E21000 \SystemRoot\system32\DRIVERS\avgtdix.sys
  0xA5DFB000 \SystemRoot\system32\DRIVERS\ipnat.sys
  0xA7513000 \SystemRoot\system32\DRIVERS\wanarp.sys
  0xA5DD3000 \SystemRoot\system32\DRIVERS\netbt.sys
  0xA5D9D000 \SystemRoot\System32\drivers\afd.sys
  0xA7503000 \SystemRoot\system32\DRIVERS\netbios.sys
  0xA5D01000 \SystemRoot\system32\DRIVERS\rdbss.sys
  0xA5C91000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
  0xA74F3000 \SystemRoot\System32\Drivers\Fips.SYS
  0xA8070000 \SystemRoot\system32\DRIVERS\usbccgp.sys
  0xA83A1000 \SystemRoot\system32\DRIVERS\hidusb.sys
  0xA6E3D000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
  0xA4095000 \SystemRoot\system32\DRIVERS\avgldx86.sys
  0xF7AD8000 \SystemRoot\system32\DRIVERS\mouhid.sys
  0xAA6D3000 \SystemRoot\system32\DRIVERS\kbdhid.sys
  0xF774C000 \SystemRoot\System32\Drivers\Cdfs.SYS
  0xA0E8A000 \SystemRoot\System32\Drivers\dump_atapi.sys
  0xA5B1D000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
  0xBF800000 \SystemRoot\System32\win32k.sys
  0xA170F000 \SystemRoot\System32\drivers\Dxapi.sys
  0xA8078000 \SystemRoot\System32\watchdog.sys
  0xBF000000 \SystemRoot\System32\drivers\dxg.sys
  0xF7C75000 \SystemRoot\System32\drivers\dxgthk.sys
  0xBF020000 \SystemRoot\System32\ialmdnt5.dll
  0xBF012000 \SystemRoot\System32\ialmrnt5.dll
  0xBF042000 \SystemRoot\System32\ialmdev5.DLL
  0xBF077000 \SystemRoot\System32\ialmdd5.DLL
  0xBF15A000 \SystemRoot\System32\ATMFD.DLL
  0xF7AF0000 \??\C:\WINDOWS\system32\drivers\mbam.sys
  0xA1629000 \SystemRoot\system32\DRIVERS\AegisP.sys
  0xA1625000 \SystemRoot\system32\DRIVERS\ndisuio.sys
  0xA0574000 \SystemRoot\system32\DRIVERS\mrxdav.sys
  0xA05F1000 \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys
  0xA04CC000 \SystemRoot\system32\DRIVERS\srv.sys
  0xF79F4000 \SystemRoot\system32\DRIVERS\AVGIDSFilter.Sys
  0xA03E0000 \SystemRoot\System32\Drivers\Fastfat.SYS
  0xA0398000 \SystemRoot\system32\DRIVERS\AVGIDSDriver.Sys
  0xA008B000 \SystemRoot\system32\drivers\wdmaud.sys
  0xA0128000 \SystemRoot\system32\drivers\sysaudio.sys
  0xA0E66000 \??\C:\WINDOWS\system32\GTNDIS5.SYS
  0x9EFCF000 \SystemRoot\System32\Drivers\HTTP.sys
  0x9EAF4000 \SystemRoot\system32\DRIVERS\ipfltdrv.sys
  0x9CDAD000 \SystemRoot\system32\drivers\kmixer.sys
  0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 47):
       0 System Idle Process
       4 System
     608 C:\WINDOWS\system32\smss.exe
     868 csrss.exe
     892 C:\WINDOWS\system32\winlogon.exe
     940 C:\WINDOWS\system32\services.exe
     952 C:\WINDOWS\system32\lsass.exe
    1128 C:\WINDOWS\system32\svchost.exe
    1200 svchost.exe
    1296 C:\WINDOWS\system32\svchost.exe
    1336 C:\WINDOWS\system32\svchost.exe
    1392 svchost.exe
    1512 svchost.exe
    1744 C:\WINDOWS\system32\spoolsv.exe
    1868 svchost.exe
    1900 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    1932 C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
    1956 C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
    2020 C:\Program Files\Java\jre6\bin\jqs.exe
     176 C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
     312 C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
     328 C:\Program Files\Symantec\Ghost\ngctw32.exe
     392 C:\WINDOWS\system32\IoctlSvc.exe
     452 C:\WINDOWS\system32\svchost.exe
     556 C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    1096 C:\WINDOWS\system32\searchindexer.exe
    2516 alg.exe
    3588 C:\WINDOWS\explorer.exe
    3868 C:\Program Files\Analog Devices\Core\smax4pnp.exe
    3892 C:\WINDOWS\system32\hkcmd.exe
    3900 C:\WINDOWS\system32\igfxpers.exe
    3912 C:\Program Files\Symantec\Ghost\ngtray.exe
    3924 C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    4028 C:\Program Files\iTunes\iTunesHelper.exe
     208 C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
     436 C:\Program Files\Common Files\Java\Java Update\jusched.exe
     484 C:\WINDOWS\system32\ctfmon.exe
    2844 C:\Program Files\iPod\bin\iPodService.exe
    5120 C:\Program Files\AVG\AVG2012\avgwdsvc.exe
    5252 C:\Program Files\AVG\AVG2012\avgnsx.exe
    5904 C:\Program Files\AVG\AVG2012\avgtray.exe
    6008 C:\Program Files\Internet Explorer\iexplore.exe
    3732 C:\Program Files\AVG\AVG2012\avgui.exe
    5380 C:\WINDOWS\system32\searchprotocolhost.exe
    2556 searchfilterhost.exe
    2424 C:\WINDOWS\system32\searchprotocolhost.exe
    2760 C:\Documents and Settings\user\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00  (NTFS)

PhysicalDrive0 Model Number: HDS728080PLA380, Rev: PF2OA63A

      Size  Device Name          MBR Status
  --------------------------------------------
     74 GB  \\.\PhysicalDrive0   MBR Code Faked!
            SHA1: 38BE7869FCCF026F920DA4A541B12E68993C36ED


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit: 

Done!


----------



## MrDiehl332005

Ok, I tried everything, and safe mode, and it still didn't allow me to. I think I'm going to just reformat but I don't remember how to anymore. Someone told me I can't do it because I can't get into a command prompt without loading Windows. So basically I just need to know how to reformat all the way, thanks, unless you guys have more ideas.


----------



## blue957400

Sucks to hear that you do indeed have the infection I have seen on one too many PCs. One last thing you may want to try is running Kaspersky Virus Removal Tool 2011. It is free on Kaspersky's website. If this fails then all you need to do is get your Windows XP install/recovery disc. Put it in the disc drive. Then go into the BIOS and change the boot order so that it boots from the CD first, or tap F10, F11, or F12 (depends on your motherboard) to go into the boot device order and make your disc drive the first boot device. Then run the Windows Setup. MAKE SURE YOU DO A FULL FORMAT. After that everything else should be self explanatory. Here is a good link in case you have problems/questions. Or you can just post here and we can help you.

http://lifehacker.com/157578/geek-t...ard-drive-and-install-windows-xp-from-scratch


----------



## johnb35

We have found the culprit.

Run MBRCheck again
Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit: 
Please push the 'Y' key and then press Enter 
When the program asks you "Enter your choice:", enter 2 and press the Enter key 
Now the program will ask you "Enter the physical disk number to fix (0-99, -1 to cancel)"
Enter 0 and press the Enter key. 
The program will show Available MBR codes:, followed by a list of operating systems. Please enter 1 for Windows XP, and then press Enter. 
The program will prompt for confirmation. Type 'YES' and hit Enter. 
Left click on the title bar (where program name and path is written). 
From the menu choose Edit -> Select All 
Hit the Enter key on your keyboard to copy selected text. 
Paste that text into Notepad, save it to your desktop as "MBRCheck results.txt" 
Important! Restart your PC for the fix to take effect. 
Post the contents of the MBRCheck results log in your next reply
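
What the "MBR Code Faked!" verdict in the log above means, and what the repair step here does, as an added Python example (not MBRCheck's own code): only the first 440 bytes of the sector hold the bootstrap code that a bootkit replaces, so a check hashes that region against known-good code, and a repair rewrites only that region while keeping the disk signature and partition table. The sample sector, the boot-code bytes and the known-good hash list are all constructed placeholders; a real check needs the SHA1 of the genuine Windows XP boot code, which this thread does not provide.

```python
"""Check and repair the boot-code region of a 512-byte MBR sector (added example)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0-439: bootstrap code, the part a bootkit hooks
PART_TABLE_OFF = 446          # bytes 446-509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511

# Constructed stand-ins for boot sector bytes (not real Windows code).
GOOD_CODE = b"CONSTRUCTED-CLEAN-XP-BOOT-CODE"
FAKED_CODE = b"CONSTRUCTED-HOOKED-BOOT-CODE"


def boot_code_sha1(mbr: bytes) -> str:
    """SHA1 over the bootstrap code only, the value MBRCheck prints per drive."""
    return hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()


def parse_partitions(mbr: bytes) -> list:
    """Decode the four partition entries; empty entries (type 0x00) are skipped."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue
        parts.append({
            "active": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
            # byte offset of the volume on the physical disk (LBA 63 -> 0x7E00)
            "offset": lba_start * SECTOR_SIZE,
        })
    return parts


def check_mbr(mbr: bytes, known_good: dict) -> dict:
    """Classify a sector: not an MBR, standard code, or code not on the allow-list."""
    if len(mbr) != SECTOR_SIZE or mbr[510:512] != BOOT_SIGNATURE:
        return {"verdict": "Invalid MBR", "boot_code_sha1": None, "partitions": []}
    digest = boot_code_sha1(mbr)
    verdict = "Standard" if digest in known_good else "MBR Code Faked!"
    return {
        "verdict": verdict,
        "boot_code_sha1": digest,
        "os": known_good.get(digest),
        "partitions": parse_partitions(mbr),
    }


def rebuild_mbr(mbr: bytes, clean_code: bytes) -> bytes:
    """Replace only the bootstrap code; disk signature and partition table survive."""
    if len(clean_code) > BOOT_CODE_LEN:
        raise ValueError("clean boot code longer than 440 bytes")
    return clean_code.ljust(BOOT_CODE_LEN, b"\x00") + mbr[BOOT_CODE_LEN:]


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sector: one active NTFS partition (type 0x07) starting at LBA 63."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = b"\x12\x34\x56\x78"   # constructed NT disk signature
    reserved = b"\x00\x00"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 156_301_425)
    table = entry + b"\x00" * 48      # three empty entries
    return code + disk_sig + reserved + table + BOOT_SIGNATURE


# Placeholder allow-list keyed by boot-code SHA1 (constructed, not real XP hashes).
KNOWN_GOOD = {boot_code_sha1(build_sample_mbr(GOOD_CODE)): "Windows XP (placeholder)"}


if __name__ == "__main__":
    infected = build_sample_mbr(FAKED_CODE)
    before = check_mbr(infected, KNOWN_GOOD)
    print(before["verdict"], before["boot_code_sha1"])
    after = check_mbr(rebuild_mbr(infected, GOOD_CODE), KNOWN_GOOD)
    print(after["verdict"], after["partitions"])
```

Because the repair leaves bytes 440 onward untouched, the partition offsets reported before and after the rewrite are identical, which is why the fix above does not need a reformat.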


----------



## MrDiehl332005

Well guys, I reformatted. I couldn't take the wife and kids crying about bratz.com and Facebook not working... thanks for all the help


----------

