Then I would say the AVG findings are a false positive. AVG is just not a very good anti-virus program. When researching your problem I found no other av program that found this file. I would advise you use a different anti-virus program, it certainly is one that I never recommend.
It rarely ranks among the highest or most reputable. My advice would be use [B][URL=""]Avira Free 2012[/URL][/B] or [B][URL=""]Avast Free[/URL][/B], but not AVG.
Your System Restore is set way too large. You have restore points going back over six months. System Restore should never be used to go back that far, if it is used at all and then it should be only for a very few things.
Your Java is way out of date; you are running version 6 Update 25 and the most recent update is version 6 Update 30.
Uninstall All Java listed in add/remove and then go here to download the latest version. [url][/url]

Anything else? Those trial versions are only temporary and good for a short time I believe, not illegal unless you illegally upgrade to the paid versions without paying for them.
How many other programs are on there that are not paid for but should have been?
Nearly every infected file found by MBA-M was on there because of the use of a keygen, possibly all of them since that is one of the easiest ways to get an infection, illegal use of what are supposed to be paid programs. Obviously those two are not the only ones on the system. There are four different PAID programs listed with infected files from the MBA-M log, with keygen-related infections. All serious trojans.

sony vegas 10
vegas 9
adobe photoshop cs4 v11.0
propellerhead reason 4
Approximate value of all of the above in the U.S. is around $1000.00

I am possibly also questioning the legality of your system based on these notations in the log


Do you have another Windows operating system installed someplace?

At least one of the items found by MBA-M was the Boaxxe Trojan; it installs other malicious programs on your computer that disable key security features and then attempt to steal any passwords you use, such as for your banking website. Another of the real "benefits" of trying to steal paid programs...the people who write these illegal cracks get your money anyway. It just goes to them and not the legal owners of the programs you steal. So ...

Thanks so much for your kind words, they are greatly appreciated.
Happy we could get it all resolved. Good working with you too!

You are assuming a LOT and very wrongly. The Sticky, while dated, 2008, is kept up to date on a regular basis.
[B][I][COLOR="Red"]If your "handle" appendage, 1964, is a hint of your experience, you come from a generation of IT people that were notoriously abusive to "non-techs."[/COLOR][/I][/B]
Again another wrong assumption. I am not a "tech" as you assume, I have never been and never have claimed to be. I am simply an ordinary computer user who has taken up assistance in malware removal as a hobby. The 1964 "appendage" was used in order to not have to go through "umpteen" other numbers to be able to use the name I wanted to use or take on a suggested user name that I didn't want to use.

The Sticky is user friendly if a person will use it as described and if you read other threads here you will see that it is used by all when posting here.

Honestly I don't know what it is that you are expecting or what it is that you want us to do. There is no magic bullet or button to push to remove infections like this one. They all require multiple steps and tools and there is no other way to remove them. We can't give you different steps if they are not available and they are not available. There is no ONE step to remove this infection.

If you don't feel you can follow the steps then I suggest you ...

These are not the customary steps to stop these processes which can be done automatically but if this is the way you want to try it then be my guest.
His AV program shows as running. There are no temp files showing in the running processes or in auto starts. There are standard automated steps used to stop the processes which may be running, though none are seen in the DDS log, remove these infections but you are more than welcome to take over and have him run your steps.

Customary steps are those compiled by Bleepingcomputer.
For Security Shield infection:
According to Bleepingcomputer generally the files will reside in C:\Documents and Settings\ for Windows 2000/XP, C:\Users\ for Windows Vista/7, and c:\winnt\profiles\ for Windows NT.
C:\Documents and Settings\\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\\AppData\Roaming and not in %windir%\WINDOWS or %windir%\WINDOWS\system32 and even temp folder. Poster has stated the running of ATF cleaner and Spybot. There shouldn't be any temp files remaining.

We also need to see the second log created by the DDS scanner which is labeled Attach.txt. Please copy/paste it.

Also do the following:
Run the [B]ESET Online Scanner[/B]


  • You can use Internet Explorer to complete this scan and you will need to allow an ActiveX to be installed or you may use Firefox
    *[B] You will need to temporarily Disable your current Anti-virus program.[/B]
  • Be sure the option to [B]Remove found threats is checked and the option to Scan unwanted applications is Checked.[/B]
  • When you have completed that scan, a scanlog ought to have been created and located at[B] C:\Program Files\EsetOnlineScanner\log.txt. [/B]
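The post above says the rogue program drops its files under each user's profile folder (Application Data on 2000/XP, AppData\Roaming on Vista/7) rather than in the Windows or temp folders. The following triage script, an added example and not code from the thread or from Bleepingcomputer, walks that per-user roaming folder below a profiles root you point it at (a mounted image or the live profiles directory) and lists executables modified within the last few days, newest first. The function names, the sample user names and the file names in build_sample_tree() are all constructed for this illustration.

```python
"""Triage check: recently modified executables in each user's roaming
profile folder, where the post says rogue programs like Security Shield
reside.  Added example; the sample tree is constructed, not a real log."""
import os
import shutil
import tempfile
import time

# Relative path of the roaming data folder below a user's profile folder,
# per Windows version as stated in the thread.
ROAMING_SUBDIR = {
    "2000/xp": "Application Data",
    "vista/7": os.path.join("AppData", "Roaming"),
}

# Suffixes a dropped rogue program is most likely to carry.
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".com")


def find_recent_executables(profiles_root, roaming_rel, days=7, now=None):
    """Return (user, path relative to roaming folder, mtime) for every file
    with an executable suffix modified within `days` days, newest first."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = []
    for user in sorted(os.listdir(profiles_root)):
        roaming = os.path.join(profiles_root, user, roaming_rel)
        if not os.path.isdir(roaming):
            continue  # service accounts etc. may have no roaming folder
        for dirpath, _dirs, files in os.walk(roaming):
            for name in files:
                if not name.lower().endswith(EXEC_SUFFIXES):
                    continue
                full = os.path.join(dirpath, name)
                mtime = os.path.getmtime(full)
                if mtime >= cutoff:
                    hits.append((user, os.path.relpath(full, roaming), mtime))
    hits.sort(key=lambda h: h[2], reverse=True)
    return hits


def build_sample_tree(now):
    """Constructed profiles tree (hypothetical users alice and bob) so the
    check can be run offline; returns the temporary root directory."""
    root = tempfile.mkdtemp(prefix="profiles_")
    roaming = ROAMING_SUBDIR["vista/7"]

    def touch(user, rel, age_days):
        full = os.path.join(root, user, roaming, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"MZ")  # placeholder bytes, not a real program
        stamp = now - age_days * 86400
        os.utime(full, (stamp, stamp))

    touch("alice", os.path.join("Microsoft", "Word", "normal.dotm"), 60)  # not executable, ignored
    touch("alice", "kxh8s2.exe", 1)                                       # random name, dropped yesterday
    touch("bob", os.path.join("Mozilla", "plugin.dll"), 40)               # old, outside a 7-day window
    touch("bob", "defender.exe", 0)                                       # dropped today
    return root


def demo(days=7):
    """Build the sample tree, run the check and return (user, file name)."""
    now = time.time()
    root = build_sample_tree(now)
    try:
        hits = find_recent_executables(root, ROAMING_SUBDIR["vista/7"], days=days, now=now)
        return [(user, os.path.basename(rel)) for user, rel, _ in hits]
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for user, name in demo():
        print(user, name)
```

Run against a real profiles root with the matching ROAMING_SUBDIR entry; a short list of recently dropped executables with random names is what the thread is describing, and anything on it deserves a look before the cleanup tools are run.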

I agree with caperjack. MSE rarely ranks "up there". Avast is excellent. Avira Free is quite good, [B]however,[/B] due to Avira's recent partnering with to add the Avira SearchFree toolbar and Trialpay to help cover the cost of providing the WebGuard extra, which is included in their paid version, many forums have removed it from their lists of recommended free programs. This WebGuard with its provided SearchFree toolbar certainly is not required and this has resulted in many, many complaints posted on their forum.
IF you watch their installs closely you can opt out of these toolbars in Avira but of course many people neglect to watch these installs and end up with these toolbars. They certainly are NOT needed and often are flagged by anti-malware scanners.

Have never been a fan of AVG. On several other forums where I post there are a lot of infection removal threads where AVG was the av program installed so I personally would not recommend it. But "to each his own".

The Rising Antivirus Software Free Edition 2011 on caperjack's link was tested by a fellow at another forum and his results were not good. With scanner settings set at Medium/Default:
Quick Scan produced very high CPU usage which remained extremely high during the entire scan. Scan took 4 minutes to scan 1509 objects. Full scan test resulted in 9 false positives during the first half of the scan. This is his test machine and some of the objects ...

[B][I]the guy who assembled my computer gave me the xp that i have. he even took what would be equivalent to 35 dollars for that.. [/I][/B]

I hate to tell you but in US dollars $35 is not even close to the cost of a legitimate, legal copy of Windows XP. The cost of a new, legal copy of XP generally averages around [B]$200[/B] in US Dollars. Price depends on the version you purchase and also the store where it is purchased. Some will be higher than $200 and some will be a [U]little[/U] lower than $200 but certainly [B]never[/B] only [B]$35[/B].

So I would say, as we say in the US, the guy "ripped you off". He has likely sold you a stolen operating system, also called a "pirated" copy of XP.
This is shown by the files found and removed by MBA-M, notice what they say they were:
[B]xp keygen[/B]\keygen.exe
[B]xp keygen[/B]\update_xp_cd_key.exe
[B]xp keygen[/B]\windowsxp product key viewer.exe

A keygen is a computer program that generates a[B] false product licensing key[/B], serial number, or some other registration information needed to activate a software application. In most countries, the use of keygens to activate software without purchasing a license is fraudulent. When you purchase the software, IN THE BOX, as you said you did with Kaspersky, you are purchasing that license. Each and every copy of the Windows Operating System, no matter what version you have, is issued its own registration or license number, each copy has its ...
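Both this post and the earlier one about four paid programs with keygen-related infections reach their conclusion by reading the MBA-M "Files Infected" list and noticing which folders the detections cluster in. The script below, an added example that is not code from the thread or from Malwarebytes, does that grouping for you. It assumes the MBA-M 1.x log line shape `<path> (<detection name>) -> <action>.`; the log lines embedded in it are constructed to mirror the three file names quoted above, plus one unrelated detection, and the function names are my own.

```python
"""Group the 'Files Infected' entries of a Malwarebytes Anti-Malware
(MBA-M) log by folder so clusters tied to one program stand out.
Added example; SAMPLE_LOG is constructed, not a real log."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample modelled on the file names quoted in the post.
SAMPLE_LOG = """\
Files Infected:
C:\\Documents and Settings\\Owner\\Desktop\\xp keygen\\keygen.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\\Documents and Settings\\Owner\\Desktop\\xp keygen\\update_xp_cd_key.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\\Documents and Settings\\Owner\\Desktop\\xp keygen\\windowsxp product key viewer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\\WINDOWS\\system32\\example_dropper.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# Assumed line shape: drive-letter path, detection name in parentheses,
# then '-> action'.  Header lines such as 'Files Infected:' do not match.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) \((?P<name>[^)]+)\) -> (?P<action>.+?)\.?$"
)


def parse_mbam_line(line):
    """Return (path, detection name, action) for one entry, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("path"), m.group("name"), m.group("action")


def group_by_folder(log_text):
    """Map each parent folder to the (file name, detection) pairs in it."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_mbam_line(line)
        if parsed is None:
            continue
        path, name, _action = parsed
        win_path = PureWindowsPath(path)
        groups[str(win_path.parent)].append((win_path.name, name))
    return dict(groups)


# Words that usually mark a licence-circumvention download.
KEYGEN_HINTS = ("keygen", "crack", "cd key", "product key")


def keygen_related_folders(groups):
    """Folders whose name or file names mention a keygen/crack/key tool."""
    hits = []
    for folder, entries in groups.items():
        text = (folder + " " + " ".join(f for f, _ in entries)).lower()
        if any(hint in text for hint in KEYGEN_HINTS):
            hits.append(folder)
    return sorted(hits)


if __name__ == "__main__":
    grouped = group_by_folder(SAMPLE_LOG)
    for folder, entries in grouped.items():
        print(f"{folder}: {len(entries)} detection(s)")
    print("keygen-related:", keygen_related_folders(grouped))
```

Feed it the pasted log instead of SAMPLE_LOG and the folders with several detections each are the programs to ask the poster about; the keygen check only flags folders by name, so a folder of random-named files still needs a human look.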

Jen, you can go here to get your java update. Much easier page. You evidently chose the 64bit version of the program and you are running a 32bit, that's why you got that message.

You DID do the right thing by updating IE. Even though you don't use it, you always need to keep it updated and there still ARE some websites that require that you use IE.
The KEY thing you need to update is the actual operating system. You do need SP3. Without SP3 your system is no longer supported and IS at great security risk. By updating to SP3 your system can receive critical updates until its lifecycle expires which will be April of 2014. So it is to your advantage to do the update. It will keep you a WHOLE lot safer too!

You need to go to our [B][URL=""]Read Me Before Posting[/URL][/B] sticky and follow all of the instructions and run all the scans requested there.

Once you have completed all the requested scans then post back here with copy/pastes of all the logs produced. Then we can better help determine what the next steps will be.

Hi Jen, Crunchie isn't here at the moment. The TDSSKiller DID remove a rootkit. It is [B]highly likely[/B] that you[B] do[/B] still have infection on the computer.
Your version of MBA-M is a year out of date. Current version is [B][/B] and current database is at least database version 6897. So your database is over 2800 updates behind.

You need to update your MBA-M program to the latest version and latest database and run another Full Scan with it. Have it Remove Everything found and then Reboot the computer>>>this is VERY important as some of the removals may not be completed until the computer is rebooting.
Once you have done this then post back here with that new log and we will give you additional steps.

[QUOTE=Bal;1575388]Poster was looking for info, not help.

I'm sure if they get issues if it's not been cleaned right, they will be back asking for help this time.[/QUOTE]

If the poster was only looking for "info" not help then why didn't you just give information, that this file is a Trojan which can create, delete or modify files on the computer and bring in other infection processes and it likely was brought in by the original Trojan which has not been removed?
You also should have given the information that to remove this infection all the steps given in our Read Me First Sticky should be followed and logs requested should be posted once those steps were complete. That is the information required here.

Please ignore the two useless posts above by sergent and jingda, neither one has the knowledge needed to assist in infection clean up.

Follow all the steps given in our Read Me Sticky and post back here with COPY/PASTES of all requested logs.


[QUOTE=justo0;1552242]i think AVG, Kaspersky and NORTON are all good~~[/QUOTE]
This thread is over 5 years old and dead.

[QUOTE=striker_1;1542030]Firstly, Thanks for reply.

The steps that you told us are "[B]Must need to be taken[/B]" steps. I would personally recommend to all users of XP (Not just XP, But Vista, 7 and Linux users too) to backup their OS, if they don't want to buy a new HDD, so Instead of Buying a new Hard Drive they can clone their Existing OS on a CD or a DVD.. Isn't it useful?, and it will save their money and time both.

Secondly, These kinds of viruses (like system.exe, New Folder.exe, My Music.exe, Pictures.exe, HomeVideo.avi.exe) spread through autorun. That's why disabling autorun will disable all these viruses. And I have also told to Use "Limited Accounts". These Viruses only activate and perform action in an account with "Admin Privileges"; they are disabled or deactivated in a "Limited Account". Because of restrictions of "Limited Account" they can't change the system files. (The main cause of survival of these Viruses). So if you use "Limited Account" the sys-restore will be as powerful as you want.

I am about 99% sure that you have used an account with Admin Privileges (When this virus is activated) and that's why System Restore and Automatic-Updates couldn't help to remove these viruses[/QUOTE]
striker_1 you are 100% wrong about System Restore. System Restore actually operates only on a very few system files and settings. System Restore backs up your registry. System Restore does not backup your data. If you delete or damage a file, System Restore will not recover it.
System Restore will ...

Depends on the web page, if it is a public page then he would not be the only one who could listen. [B]Unless it is a private, and maybe encrypted page, [COLOR="Red"]that only you own[/COLOR], that would require a special password to enter it in the first place, that only you could create and give to him, and nothing can be downloaded FROM that page without following specific multiple steps[/B], then he could still save it on his computer at the same time he listened to it. In fact, depending on his computer configuration, his computer might require download of the file to his computer before he even could listen to it.
I would never chance it myself, especially something that there is no way I want others to see or hear. There is almost always a way to get around things in order to use them or keep them. That doesn't make it legal, it often isn't, but it is done probably millions of times daily on the internet.

As I said, once it is "out there", it is "out there" and [B]you absolutely have no control over where it goes and who has it[/B] and will have [B]NO WAY[/B] to get it back, [B]EVER[/B], it is out there [B]FOREVER[/B].

You could even set something up like that so that only viewing or listening on the computer can be done by doing all the steps above, BUT that does not stop somebody from using a tape recorder, a video camera ...

You can delete the extra IE icon, you would only need one. Here is the Adblock for IE

You might consider Firefox, it is a more secure browser, slightly different from IE but generally faster, easily configured. I have used it for years, rarely use IE anymore unless I have to use it. [url][/url]

You do need to make certain you have proper security settings for IE. You want to be certain that 3rd party cookies are blocked, those are ones that are from ads on a web page and you don't want those, you only want the ones from the site you are visiting.
In IE go to Tools, Internet Options, Privacy, Advanced button. Make sure there is a dot in Allow 1st party cookies and a dot in the Don't Allow 3rd Party cookies and a check mark in allow session cookies.
Ok, your way out.

[QUOTE=royng;1514116]Try installing another anti virus program such as Kaspersky Internet Security 2011, Norton Internet Security or VIPRE Antivirus. The last one was recommended to me by my friend, try it out. Do a full scan and tell me the log. As jholland has said, there might be less disk space. Backup your data on a hard disk then later erase and reinstall your computer. Do a virus scan first[/QUOTE]
There is no need to reformat the computer at this time. The poster is using a Free antivirus program that should be UNINSTALLED. There are several excellent FREE anti virus programs which can be used and have very high reputations.
[B][URL=""]Avira Free[/URL][/B] is one and [B][URL=""]Avast Free[/URL][/B] is the other.

[QUOTE=royng;1513352]If your problem is solved can you please mark the thread as solved. You can do that by going to the bottom. Thanks, i appreciate it.[/QUOTE]
You need to stop making this request in order to boost your own solved thread count. It is not for you to ask this.

Using an expired av program to scan a computer you think is infected is a bad idea. It likely would not be able to find all the infections, if they are there. In order to find the newest infections an av program must be up to date, and I certainly would not recommend backing up something I was not sure was clean.
By all means, follow the instructions found in our Read Me sticky, then save the logs and post them all here I will be happy to take a look, maybe a reformat won't be needed if we can get it all clean. There are several excellent FREE av programs available also once we get the computer clean.
Here is the link for the Read Me sticky:

You mean a paid version of an antivirus program? You should be able to as long as you have the registration code and it is not expired. You probably would have to contact the av company to get it reactivated but that normally isn't a problem as long as you have all the key info and it's not expired. If it's expired then no you couldn't because you do have to re-register it and it wouldn't register if expired.

[QUOTE=Portgas D. Ace;1489824]hahaha good call!

and sorry i didn't emphasize on going to add/remove programs and uninstall, i just assumed that they would have enough knowledge to do that... my apologies for not going into detail on uninstalling.

But.. i was right yea? :)[/QUOTE]
Yes, you were right but you always need to be sure you don't tell somebody to delete a program...because they will and all that does is delete the short cut, the program remains. It was Installed so if you want to get rid of it then you have to Uninstall it.:)

This rootkit, whistler@mbr, has added the TDSS rootkit to its "arsenal" but that cannot be removed with the other tools and requires its own removal tool and that is the TDSSKiller.

Do the following:
Please download [B]ComboFix by sUBs[/B] from


Please note that the download link will expire in 10 minutes after you click it so if you don’t click within ten minutes after reaching the page you will need to refresh the page.

• You must download it to and run it from your Desktop
• Physically disconnect from the internet.
• [B]Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.[/B]
• Double click combofix.exe & follow the prompts.
• When ComboFix has finished running, you will see a screen stating that it is preparing the log report
• This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.
• Re-enable all the programs that were disabled during the running of ComboFix.
• Then post back here with that log and a new scan log from HiJackThis.

Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

[B][COLOR="Red"]Run ...

Well, now we see why you have, as you say, MANY ISSUES!

1a - 108 GiB total, 16.179 GiB free.
1b - [B][COLOR="Red"]No[/COLOR][/B] anti-virus program
1c - [B][COLOR="Red"]No[/COLOR][/B] Firewall
1d - [B][COLOR="Red"]No[/COLOR][/B] security programs on there except what you have downloaded to use in this thread
1d - uTorrent
1e - BitTorrent
2 - Advanced SystemCare 3 - which is absolute junk

The next umpteen? [B][COLOR="Red"]131+[/COLOR][/B] games & gaming sites downloaded software by my rough count and I am sure I missed some. If we gave trophies here for the most games or online games you would certainly be in the running. And as you see, it really isn't a prize you want to win, not with all that is going on with your computer. I guarantee you many of your "issues" and major infections come from both these games and anything else you have shared using uTorrent and BitTorrent including music and video which should have been paid for.

Now I know absolutely nothing about any of these games, I have to assume that at least some of these must be purchased, and all of these online Casinos require the install of ActiveX programs to play. I checked out some of these sites, not all of them, maybe a third of them and at least [B][COLOR="Red"]every 3rd one[/COLOR][/B] is a known site for installing [B][COLOR="Red"]spyware, malware, and or trojans onto a computer[/COLOR][/B]. The [B]others are not necessarily good sites[/B], they are just not well known enough to have any rankings ...

Follow steps given here and post back with all logs. Please copy/paste all logs we do not open attachments.

[QUOTE=stokes1900;1381668]uninstall the security updates or restore your pc to back date[/QUOTE]
A ridiculous suggestion. If you are going to post please be aware of exactly what you are suggesting.

[QUOTE=cwarn23;1303655]That is probably why. Microsoft no longer supports windows Vista and as far as I'm aware Microsoft never did support Windows Vista. So upgrade to Windows 7 or at the very least download linux from your local internet hub. WindowsVista==WindowsME.
For all we know Internet Explorer might not be compatible with Windows Vista.[/QUOTE]
Have no idea WHERE you saw this but Vista always [B]WAS[/B] and [B]STILL[/B] is supported until [B]April 2012[/B] by Microsoft as long as SP 2 is installed. Same goes for XP, as long as SP3 is installed it also has support until [B]April 2014[/B].

You are also [B]wrong[/B] about Internet Explorer. It is FULLY COMPATIBLE with Vista. It is part of the operating system.
You need to check your facts before posting 100% inaccurate information.

Registry Cleaners are never recommended. A good malware cleaner, like MBA-M WILL clean infected registry entries if necessary. Using a registry cleaner as a matter of "general course" can be very dangerous itself. The best way to deal with (possibly) registry-related issues is to thoroughly research the problem and then use regedit to make any necessary changes and/or deletions (having first set a restore point or created a backup). Registry cleaning does not improve performance.

We prefer logs be copy/pasted not attached so you did fine.
I also made an error, for the moment I don't need the DDS log, what I need for you to run is HiJackThis Version 2.0.4 System Scan and post the log here.

Yes the combofix log is huge so it will take me awhile to go through it. Have you tried your internet yet?