Viruses and Me

2012-05-23, 08:24
I'm pretty new to forums, and certainly new to requesting help via forums, so hopefully I'm not too much trouble ^_^.

I ran Spybot and got W3i.IQ5.fraud detected. The fixing failed.

This system was used by four college kids for a while, so it has picked up a number of viruses and probably a rootkit or two over the years, which have for the most part been kept in check with amateur fixes of various types... many virus removal tools and most likely some registry checks/editors have been run by my cousin at some point in the past.

Now I'm the only person who will be using it, and I would love to finally clean this without missing some underlying problem.

I noticed that the DDS log shows AVG enabled and updated... I'm almost positive that was removed, or was intended to be removed, to make room for Malwarebytes. I'm not even sure if those do the same things, but that's what I remember. I can't visually see AVG anywhere except for a broken shortcut in a desktop folder.

Two things to note, perhaps... there's a shortcut labeled iExplorere.exe that has a weird picture and prompts me before it will open (I did not open it), and about two weeks ago my internet stopped working via ethernet cable (cable not detected)... that one's probably hardware, but I read somewhere this W3i thing could mess with hardware.

THANK YOU FOR YOUR TIME, I KNOW THIS ISN'T EASY, and hopefully I didn't miss anything/drone on about things that don't matter.

Here's the short Spybot log.

--- Search result list ---
Hint of the Day: Click the bar at the right of this to see more information! ()

W3i.IQ5.fraud: [SBI $5ADC6E84] Program directory (Directory, fixing failed)

...and here's the not-so-short DDS log.

Sorry about those two links there... not sure why there are links in a log, but I'm pretty sure at least the sushi one is malicious. Not sure what I should do.

2012-05-30, 11:25

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.

When running programs on Vista or Windows 7, you need to right-click on the program and select RUN AS ADMINISTRATOR.

AVG is an antivirus program and Malwarebytes is an anti-malware program; you can keep them both. Does AVG run at all?

Don't fool around with any registry cleaners; if the wrong entries are removed it can make your system unbootable.

Open Malwarebytes, go to the Update tab and update it, then go to the Scan tab, run the quick scan and post the log please.

OTL by OldTimer

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Click the "Scan All Users" checkbox.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.

2012-05-31, 10:34
No, AVG does not run at all from what I can tell. I can't find any trace of it anywhere except at the beginning of that LOP check section of the OTL log. I did find "AVG_remover_stf_x86_2012_1796" in Start Search along with its run log.

Malwarebytes Anti-Malware

Database version: v2012.05.31.01

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
richard :: BILL [administrator]

Protection: Enabled

5/31/2012 12:44:25 AM
mbam-log-2012-05-31 (00-44-25).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 217656
Time elapsed: 1 minute(s), 3 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)



2012-05-31, 10:42
========== HKEY_USERS Uninstall List ==========

"090215de958f1060" = Curse Client

2012-05-31, 11:51

Let's do this, and then I will give you a link to the AVG removal tool; there are a lot of leftover entries for it, along with Dogpile and a few others that are trackware and not recommended.

AVG Remover

Also, you need to install antivirus software. This is a free one from Microsoft; download and install it unless you have plans on purchasing one on your own.


Open OTL.exe

Copy/paste the following text written inside the code box into the Custom Scans/Fixes box located at the bottom of OTL:


IE - HKLM\..\SearchScopes,DefaultScope = {CCC7A320-B3CA-4199-B1A6-9F516DD69829}
IE - HKLM\..\SearchScopes\{031949b3-28b6-43a4-90e2-dde1cfe21390}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?
IE - HKU\.DEFAULT\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = http://search.avg.com/route/?d=4e96e99a&v={searchTerms}&lng={language}&iy=&ychte=us
IE - HKU\S-1-5-18\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = http://search.avg.com/route/?d=4e96e99a&v={searchTerms}&lng={language}&iy=&ychte=us
IE - HKU\S-1-5-21-3916996827-18406454-3383277520-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.dogpile.com/
IE - HKU\S-1-5-21-3916996827-18406454-3383277520-1000\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = http://isearch.avg.com/search?cid={489EA029-A600-4B1B-8194-1C4F0609F588}&mid=13496ef7b34347d1b142d15b5169efac-595041a2fc7a28adbb1649a0d937d056c8ab4d7e&lang=us&ds=AVG&pr=fr&d=2011-12-12 03:26:57&v={searchTerms}
IE - HKU\S-1-5-21-3916996827-18406454-3383277520-1000\..\SearchScopes\{031949b3-28b6-43a4-90e2-dde1cfe21390}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=Y9xdm002YYus&ptb=CF5D092C-BC69-465F-AD4C-3AE7B4321CF4&ind=2011080121&ptnrS=Y9xdm002YYus&si=radiopi&n=77dea5b9&psa=&st=sb&searchfor={searchTerms}
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG10\Firefox4\
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\avg@igeared: C:\Program Files\AVG\AVG10\Toolbar\Firefox\avg@igeared
[2011/12/12 04:27:21 | 000,003,766 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\avg-secure-search.xml
O2 - BHO: (no name) - {399C60D2-38B1-4E25-B9E7-6498C1BC2DCD} - No CLSID value found.
O2 - BHO: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll ()
O3 - HKLM\..\Toolbar: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll ()
O3 - HKLM\..\Toolbar: (no name) - {C53FE659-316A-4F56-A194-A5BE491BE866} - No CLSID value found.
O3 - HKU\S-1-5-21-3916996827-18406454-3383277520-1000\..\Toolbar\WebBrowser: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll ()



ipconfig /flushdns /c

[start explorer]

Then click the Run Fix button at the top (not Run Scan).
Let the program run unhindered, and reboot when it is done.
Then post the results of the log it produces.
Then run a new scan and post a new OTL log (don't check the boxes beside LOP Check or Purity this time).
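The fix list above targets three kinds of browser persistence: search-scope and start-page registry values that point Internet Explorer at third-party search sites, a Firefox extension directory, and COM components (a BHO and a toolbar) registered by CLSID, two of which point at a CLSID with no backing object. The following Python script is an added example, not part of the thread or of OTL itself. It parses a constructed sample of those lines (copied from the list above) and summarizes what the fix would remove, so a reader can see the hijack structure before a fix is run. The regular expressions are an assumption written for this example and cover only the line kinds shown here, not OTL's full log grammar.

```python
import json
import re
from dataclasses import dataclass, asdict
from urllib.parse import urlsplit

# Constructed sample: a subset of the OTL fix lines posted in the thread above.
OTL_FIX_LINES = r"""
IE - HKLM\..\SearchScopes,DefaultScope = {CCC7A320-B3CA-4199-B1A6-9F516DD69829}
IE - HKLM\..\SearchScopes\{031949b3-28b6-43a4-90e2-dde1cfe21390}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?
IE - HKU\.DEFAULT\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = http://search.avg.com/route/?d=4e96e99a&v={searchTerms}&lng={language}&iy=&ychte=us
IE - HKU\S-1-5-21-3916996827-18406454-3383277520-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.dogpile.com/
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\avg@igeared: C:\Program Files\AVG\AVG10\Toolbar\Firefox\avg@igeared
O2 - BHO: (no name) - {399C60D2-38B1-4E25-B9E7-6498C1BC2DCD} - No CLSID value found.
O2 - BHO: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll ()
O3 - HKLM\..\Toolbar: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll ()
O3 - HKLM\..\Toolbar: (no name) - {C53FE659-316A-4F56-A194-A5BE491BE866} - No CLSID value found.
O3 - HKU\S-1-5-21-3916996827-18406454-3383277520-1000\..\Toolbar\WebBrowser: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll ()
"""

GUID = r"\{[0-9A-Fa-f-]{36}\}"
ORPHAN_MARKER = "No CLSID value found."

# Hypothetical patterns for the line kinds in the sample (written for this example).
PATTERNS = [
    ("search_scope", re.compile(r"IE - (.+?)\\\.\.\\SearchScopes\\(" + GUID + r'): "URL" = (.+)')),
    ("default_scope", re.compile(r"IE - (.+?)\\\.\.\\SearchScopes,DefaultScope = (" + GUID + r")")),
    ("start_page", re.compile(r"IE - (.+?)\\SOFTWARE\\Microsoft\\Internet Explorer\\Main,Start Page Restore = (.+)")),
    ("ff_extension", re.compile(r"FF - (.+?)\\Extensions\\\\(.+?): (.+)")),
    ("bho", re.compile(r"O2 - BHO: \((.*?)\) - (" + GUID + r") - (.+)")),
    ("toolbar", re.compile(r"O3 - (.+?)\\\.\.\\Toolbar(?:\\WebBrowser)?: \((.*?)\) - (" + GUID + r") - (.+)")),
]


@dataclass
class Entry:
    kind: str      # which registration the line describes
    scope: str     # registry hive/key prefix (or Firefox key); "" where the line gives none
    clsid: str     # GUID carried by the line, else ""
    target: str    # URL, DLL path, extension directory, or the orphan marker
    orphan: bool   # registration points at a CLSID with no backing COM object


def parse_otl_line(line):
    """Return an Entry for a recognised OTL line, or None for anything else."""
    line = line.strip()
    for kind, pattern in PATTERNS:
        m = pattern.match(line)
        if not m:
            continue
        g = m.groups()
        if kind == "search_scope":
            return Entry(kind, g[0], g[1], g[2], False)
        if kind == "default_scope":
            return Entry(kind, g[0], g[1], "", False)
        if kind == "start_page":
            return Entry(kind, g[0], "", g[1], False)
        if kind == "ff_extension":
            return Entry(kind, g[0], g[1] if g[1].startswith("{") else "", g[2], False)
        if kind == "bho":
            # OTL's O2 line does not spell out the hive, so scope stays empty here.
            target = g[2].rstrip(" ()")
            return Entry(kind, "", g[1], target, target == ORPHAN_MARKER)
        if kind == "toolbar":
            target = g[3].rstrip(" ()")
            return Entry(kind, g[0], g[2], target, target == ORPHAN_MARKER)
    return None


def summarize(lines):
    """Reduce the fix list to the domains, DLLs and CLSIDs it actually touches."""
    entries = [e for e in map(parse_otl_line, lines) if e is not None]
    bho_ids = {e.clsid for e in entries if e.kind == "bho"}
    toolbar_ids = {e.clsid for e in entries if e.kind == "toolbar"}
    return {
        "entries": len(entries),
        # Where searches and the start page were being redirected to.
        "search_domains": sorted({urlsplit(e.target).netloc for e in entries
                                  if e.kind in ("search_scope", "start_page")}),
        # Registrations left behind after the component itself was removed.
        "orphaned_clsids": sorted({e.clsid for e in entries if e.orphan}),
        "dll_paths": sorted({e.target for e in entries if e.target.lower().endswith(".dll")}),
        # One CLSID registered as both a BHO and a toolbar is the same component loaded twice.
        "bho_and_toolbar": sorted(bho_ids & toolbar_ids),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(OTL_FIX_LINES.splitlines()), indent=2))
```

Run as-is it prints the summary for the sample; pointing `summarize` at a file of OTL output gives the same view of an arbitrary fix list.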

2012-05-31, 23:02
========== Standard Registry (SafeList) ==========

2012-05-31, 23:11
I still see a couple of entries for AVG; did you run the removal tool?

2012-06-01, 00:18
Yes, I ran the removal tool, but I took these two links provided in the opposite order, so maybe it was just the PC tune-up stuff that was left? I ran it again to be sure.

AVG Remover

I'm not entirely sure how to disable Security Essentials. My first guess was Security Center, but "the security center service cannot be started".

SecEss detected a few Java exploits after I downloaded it. I updated Java but haven't done anything about the detections.

2012-06-01, 00:30
Never mind, ^_^ found a checkbox for "real time protection".

2012-06-01, 03:47
C:\Program Files\RadioPI_4eEI\Installr\2.bin\4eEIPlug.dll Win32/Toolbar.MyWebSearch application
C:\Program Files\RadioPI_4eEI\Installr\2.bin\NP4eEISb.dll Win32/Toolbar.MyWebSearch application
C:\Program Files\RegServe\SilentRemover.exe a variant of Win32/Adware.RegDefense application
C:\ProgramData\Spybot - Search & Destroy\Recovery\WinAgentws1.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\WinAgentws1.zip Win32/Bagle.gen.zip worm
C:\Users\richard\Desktop\uhhh\softonic-us-silent-2.exe Win32/Toolbar.Zugo application
C:\Users\richard\Downloads\regserve-setup.exe a variant of Win32/Adware.RegDefense application
C:\Users\richard\Downloads\Saya_no_Uta___English.exe Win32/Adware.1ClickDownload application
C:\Users\richard\Downloads\SoftonicDownloader_for_skype.exe a variant of Win32/SoftonicDownloader.A application
C:\Users\richard\Downloads\vlcmediaplayer-setup.exe Win32/DownloadAdmin.A.Gen application
C:\Windows.old\Users\All Users\Spybot - Search & Destroy\Recovery\WinAgentws1.zip Win32/Bagle.gen.zip worm
C:\Windows.old.000\Documents and Settings\All Users\Spybot - Search & Destroy\Recovery\WinAgentws1.zip Win32/Bagle.gen.zip worm
C:\Windows.old.000\Documents and Settings\richard\Desktop\uhhh\softonic-us-silent-2.exe Win32/Toolbar.Zugo application
C:\Windows.old.000\Documents and Settings\richard\Downloads\regserve-setup.exe a variant of Win32/Adware.RegDefense application
C:\Windows.old.000\Documents and Settings\richard\Downloads\Saya_no_Uta___English.exe Win32/Adware.1ClickDownload application
C:\Windows.old.000\Documents and Settings\richard\Downloads\SoftonicDownloader_for_skype.exe a variant of Win32/SoftonicDownloader.A application
C:\Windows.old.000\Documents and Settings\richard\Downloads\vlcmediaplayer-setup.exe Win32/DownloadAdmin.A.Gen application
C:\Windows.old.000\ProgramData\Application Data\Spybot - Search & Destroy\Recovery\WinAgentws1.zip Win32/Bagle.gen.zip worm
C:\Windows.old.000\Users\All Users\Spybot - Search & Destroy\Recovery\WinAgentws1.zip Win32/Bagle.gen.zip worm
C:\_OTL\MovedFiles\05312012_134429\C_Program Files\Search Toolbar\SearchToolbar.dll Win32/Toolbar.Zugo application
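The observation later in the thread that the Windows.old.000 entries are doubles of the live ones can be checked mechanically from the scan output. The following Python script is an added example, not part of the thread or of ESET. It parses a constructed sample of the detection lines above (copied from the posted log), maps each path back to the live Vista layout, and reports how many distinct files the detections really represent and which of them survive only inside the old installation copies. The path mapping is an assumption stated in the code: the Windows.old and Windows.old.000 prefixes are stripped, and the XP-era folder names and Vista compatibility junctions (Documents and Settings, Users\All Users, ProgramData\Application Data) are folded onto Users and ProgramData.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: detection lines copied from the ESET scan output posted above.
ESET_LINES = r"""
C:\Program Files\RadioPI_4eEI\Installr\2.bin\4eEIPlug.dll Win32/Toolbar.MyWebSearch application
C:\ProgramData\Spybot - Search & Destroy\Recovery\WinAgentws1.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\WinAgentws1.zip Win32/Bagle.gen.zip worm
C:\Users\richard\Downloads\regserve-setup.exe a variant of Win32/Adware.RegDefense application
C:\Users\richard\Downloads\vlcmediaplayer-setup.exe Win32/DownloadAdmin.A.Gen application
C:\Windows.old\Users\All Users\Spybot - Search & Destroy\Recovery\WinAgentws1.zip Win32/Bagle.gen.zip worm
C:\Windows.old.000\Documents and Settings\All Users\Spybot - Search & Destroy\Recovery\WinAgentws1.zip Win32/Bagle.gen.zip worm
C:\Windows.old.000\Documents and Settings\richard\Downloads\regserve-setup.exe a variant of Win32/Adware.RegDefense application
C:\Windows.old.000\Documents and Settings\richard\Downloads\vlcmediaplayer-setup.exe Win32/DownloadAdmin.A.Gen application
C:\Windows.old.000\ProgramData\Application Data\Spybot - Search & Destroy\Recovery\WinAgentws1.zip Win32/Bagle.gen.zip worm
C:\_OTL\MovedFiles\05312012_134429\C_Program Files\Search Toolbar\SearchToolbar.dll Win32/Toolbar.Zugo application
"""

# One line is "<path> [a variant of ]<threat> <category>"; the path may contain spaces,
# so it is matched non-greedily up to its file extension.
LINE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?\.\w+) (?:a variant of )?(?P<threat>\S+) (?P<category>\w+)$")

# Copies of a previous installation left behind by an in-place reinstall.
OLD_PREFIX = re.compile(r"^C:\\Windows\.old(?:\.\d{3})?\\", re.IGNORECASE)

# Assumption: standard Vista layout on C:, where these legacy names are junctions
# onto Users and ProgramData, so files under them are the same files.
LEGACY_MAP = [
    (re.compile(r"^Documents and Settings\\All Users\\", re.IGNORECASE), r"ProgramData\\"),
    (re.compile(r"^Users\\All Users\\", re.IGNORECASE), r"ProgramData\\"),
    (re.compile(r"^ProgramData\\Application Data\\", re.IGNORECASE), r"ProgramData\\"),
    (re.compile(r"^Documents and Settings\\", re.IGNORECASE), r"Users\\"),
]


def parse_eset_line(line):
    """Return {'path', 'threat', 'category'} for a detection line, or None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def canonical_path(path):
    """Return (live-layout path, came_from_windows_old) so copies of one file collapse."""
    is_old = OLD_PREFIX.match(path) is not None
    rel = OLD_PREFIX.sub("", path, count=1) if is_old else path[3:]  # both drop "C:\"
    for pattern, repl in LEGACY_MAP:
        rel, n = pattern.subn(repl, rel, count=1)
        if n:
            break
    return "C:\\" + rel, is_old


def group_detections(lines):
    """Group raw detections by (canonical path, threat name)."""
    groups = defaultdict(list)
    for line in lines:
        det = parse_eset_line(line)
        if det:
            canon, is_old = canonical_path(det["path"])
            groups[(canon, det["threat"])].append((det["path"], is_old))
    return groups


def report(lines):
    groups = group_detections(lines)
    return {
        "raw_detections": sum(len(v) for v in groups.values()),
        "distinct_files": len(groups),
        # Files the scanner reported more than once via old copies or junctions.
        "duplicated": {canon: len(paths) for (canon, _), paths in groups.items() if len(paths) > 1},
        # Files with no live copy at all: stale remnants of the previous installation.
        "only_in_windows_old": sorted(canon for (canon, _), paths in groups.items()
                                      if all(old for _, old in paths)),
        "by_family": dict(Counter(threat for _, threat in groups)),
    }


if __name__ == "__main__":
    for key, value in report(ESET_LINES.splitlines()).items():
        print(key, value)
```

For the sample, eleven detections collapse to five distinct files, and the WinAgentws1.zip entry alone accounts for five of them, which matches the doubling seen in the thread.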

2012-06-01, 03:50
"Windows Defender" was still registered as active before the scan...hopefully that didn't affect anything.

2012-06-01, 15:44
Good Morning,
I would uninstall both of these programs

C:\Program Files\RadioPI_4eEI
C:\Program Files\RegServe

Then go into Spybot's Recovery folder and remove it all:

C:\ProgramData\Spybot - Search & Destroy\Recovery

Delete this from your desktop


Go into the downloads folder and delete it all but not the download folder itself


Did you create this?
C:\Windows.old <---

What I would do is rerun ESET, and this time let it remove what it finds.

2012-06-02, 01:46
I personally didn't intentionally create windows.old... it's possible someone else did, but I have no idea.

There are two of them with the same creation date from 2008... windows.old and windows.old.000.

ESET ran and cleaned one issue after all preliminary actions were taken =).

2012-06-02, 03:19
Did it clean everything in the old folder?

2012-06-02, 06:48
After the ESET fix scan I couldn't find a log, maybe because I didn't delete the first log beforehand, but I'm almost positive the entry that was "fixed" was C:\_OTL\MovedFiles\05312012_134429\C_Program Files\Search Toolbar\SearchToolbar.dll Win32/Toolbar.Zugo application. There was definitely only a single entry fixed.

You probably have already seen this, but all the .old.000 entries from the first scan seem to be doubles of all the regular entries... maybe some mirror thing going on. Weird.

Here's System Look =D


2012-06-02, 12:56
Let's go here and do the same thing and delete those files:

C:\Windows.old\Users\All Users\Spybot - Search & Destroy\Recovery\WinAgentws1.zip
C:\Windows.old.000\Users\All Users\Spybot - Search & Destroy\Recovery\WinAgentws1.zip
C:\Windows.old.000\Documents and Settings\All Users\Spybot - Search & Destroy\Recovery\WinAgentws1.zip
C:\Windows.old.000\Documents and Settings\richard\Desktop\uhhh\softonic-us-silent-2.exe
C:\Windows.old.000\Documents and Settings\richard\Downloads\regserve-setup.exe
C:\Windows.old.000\Documents and Settings\richard\Downloads\Saya_no_Uta___English.exe
C:\Windows.old.000\Documents and Settings\richard\Downloads\SoftonicDownloader_for_skype.exe
C:\Windows.old.000\Documents and Settings\richard\Downloads\vlcmediaplayer-setup.exe
C:\Windows.old.000\ProgramData\Application Data\Spybot - Search & Destroy\Recovery\WinAgentws1.zip
C:\_OTL\MovedFiles\05312012_134429\C_Program Files\Search Toolbar

Let me know how it went.

Then run a new scan with ESET and post the log please.

2012-06-02, 20:54
C:\_OTL\MovedFiles\05312012_134429\C_Program Files\Search Toolbar was the only file I could find, and ESET turned up clean.

Things to note... C:\users\richard and C:\windows.old.000\documents and settings\richard are 100% identical... I couldn't get into C:\windows.old.000\documents and settings\richard without using Start Search... the folder didn't exist going through Computer --> Local Disk.

The exact same thing applied to C:\Windows.old.000\Users\All Users and C:\ProgramData... all files contained are identical, and I couldn't find C:\Windows.old.000\Users\All Users without using Start Search.

Inside C:\Windows.old\Users\All Users\Spybot - Search & Destroy\Recovery... WinAgentws1.zip was no longer there, but I did find a bunch of .zip files with names I recognized as malicious. There are about five in there, but two examples are GameVancePlaySushi5.zip and WiIQfraud2.zip (there are multiple copies of all of them)... The GUI for Spybot shows the recovery section as empty.

Here's ESET. I went to sleep when I started the scan, so I wasn't able to get the regular-looking log (as far as I know); hopefully this is the same thing.

2012-06-02, 23:49
It looks like those folders may have been from a previous installation of Windows. Did you buy this computer used?


Let's go a bit further; plug these into System Look:


2012-06-03, 02:01
This system was put together brand new by myself and a couple of other high school kids at the time, so it's very possible we did something weird.

2012-06-03, 02:25
I think that, to be safe, you can copy these to a folder you create on your desktop and then delete them; then in a few days, when things are running OK, you can delete the new folder as well. If you don't feel comfortable doing it, that's fine; there is nothing malicious in there anymore.


2012-06-03, 02:48
I'll just leave it alone for now... but to clarify... I would need to copy C:\Windows.old (and the other one) into a desktop folder... and then I would delete the folders inside C:\? If you don't mind me asking, what does putting them on the desktop do?... is it just like a backup?

2012-06-03, 03:30
Yes, if there was a problem you could always copy and paste them from the desktop folder back to your C:\ drive where they were, but I'm betting they're not needed.

Everything running OK?

2012-06-03, 04:01
Windows.old.000 was deleted without any issues.

When I try to delete windows.old I get a "you need to confirm this operation"... so I click the "continue" button that has the administrator picture next to it. Then I get a second prompt that darkens the screen and says "windows needs your permission to continue"... so I hit continue... but then I get a message that says destination folder access denied "you need permission to perform this action", and the file stays.

2012-06-03, 04:02
But yes, everything seems to be running fine =)

2012-06-03, 04:07
windows.old also took a long time to copy and prompted me with a few "detected duplicate files, what would you like to do" screens.

2012-06-03, 13:19
Good Morning,

Why don't you just hang on for a bit and let me inquire about these; there's no malware inside any longer and they may just be clutter, but let me double check. I will be back as soon as I can.

2012-06-03, 16:54
Sounds good ^_^

2012-06-04, 02:39

I have been part of this wonderful tech community for about 12 years; the cooperation between forums helping one another with issues or passing along information about the latest threats is unbelievable. Whenever I have anyone that posts in the Malware forum for a problem and then we find no malware and decide it's a Windows or hardware problem, I always send them to http://www.whatthetech.com/ for help; the people manning the Windows forums are the best.

Had a Windows guy (one of the best on the internet) look over our posts, and this is what he came up with; basically he is saying that windows.old is not taking up much space and it could be beneficial in the future, so he recommends just keeping it.

Most people who have upgraded their OS don't realize that windows.old even exists on their machine.
In a manner of thinking, windows.old is similar to a "parallel installation of Windows" and includes not just the prior Windows OS, but all the applications previously installed, all the Users, and all the data belonging to those users.

They never notice it, and probably wouldn't know what to do with it if they ever did need it.
Just as a FYI...Here's the MS instructions for restoring from windows.old (again, this is just FYI and I am not suggesting that you use it at this time, and probably never)
Yes, windows.old is "clutter", and can be removed... BUT
If ever this OP needed to restore the machine to the prior OS, at that time windows.old would be "essential".

Whether or not it becomes an important issue to this OP depends upon any future occurrence of catastrophic failure and, more importantly, depends upon what other backup/restore options they have available.

e.g. Does OP have available in their possession:
OEM factory restore CD (related to the prior Windows installation)
Installation media for this current Vista Basic
.iso full drive and partitions backup (i.e. Acronis or Macrium, or similar)
*This machine probably does not have a system recovery partition, the likes of which come standard on OEM computers with pre-installed Windows where there is no accompanying CD/DVD installation media.
**I say this because OP describes throwing this machine together in collaboration with other high school buddies; therefore they would probably not have been Microsoft Partners, and would not have used the Microsoft OPK (OEM Preinstallation Kit) through which they might have included the creation of a recovery partition on the machine's hard drive.

Argument against "using" windows.old:
Using windows.old would result in the machine reverting to XP or whatever prior OS had been installed.

Note: There is a different situation in which windows.old "might" be essential...
That is, if the installation of Vista Basic was an "upgrade".
In that case, if ever the OP needs to reinstall Vista Basic as an Upgrade, they will also be required to provide "proof of prior qualifying OS" to support the upgrade.
Reinstalling Vista Basic (as an upgrade procedure) would benefit from the existence of Windows.old as the qualifying reference.

Therefore, my recommendation:

>> Keep Windows.old. <<

Other considerations:

OP has 102.66 GB free space on C:\, which is about 22% of their 500 GB HD.
That should be sufficient (at least for now)
And any gain from deleting windows.old would be trivial.

Other observations:
We don't know if windows.old is "competent".
IF it is not, then it is wasted space.
IF it is, then it "might" be needed and useful in the future.
and I don't know any method for verifying windows.old, except to actually use it to try to restore to prior Windows OS and configuration.
(** I am "not" suggesting to do that, since OP apparently wants to continue with the current Vista Basic and you don't want to throw OP back to whatever they had before Vista Basic)

Unrelated Observation:

OP initially had 149GB Free Space on C:\
--- then you instructed some procedures
After which OP had 102GB Free Space on C:\

What's up with that?
Do you anticipate that when you do your final cleanup and uninstall the various specialized tools, the free space will then be recovered?

Further Unrelated Observation:

This machine has several Game installations plus Steam installation to make the games run(better).
There are also game related utilities such as Ventrilo and download assists and bearshare

There seem to be a bunch of broken Registry Items.

Even the Registry Reference to Paging File seems to be missing or broken.

You have rightly cautioned OP to avoid using automated Registry Cleaners.
But the damage may already have been done.

If ever there was a machine, OS, configuration, and installed applications that was ripe for a Format and Reinstall... this might be it.

On the other hand, the machine is running.
It would be tedious, time-consuming and possibly costly to go through the process of downloading and reinstalling all of those games and utilities after formatting, reinstalling and updating Windows Vista Basic.

Depending upon OP's intentions (Maybe OP will be using the machine only for school work, office functions, and browsing)...
If OP wishes to continue with the same gaming activity, they might be better off just continuing as is.

But if they are moving away from gaming, a fresh installation may improve the function and avoid residual conflicts.


I don't know how to repair the Registry link for Paging File.
But Paging / Swap File pseudo-ram resources might improve gaming functionality.

What I would do....

Go to Start - Computer - (right-click)Properties - Advanced(tab) - Settings(button)
I would select:
"No Paging file"

Go to Start - Computer - (right-click)Properties - Advanced(tab) - Settings(button)
Then Select: "Automatically manage paging file size for all drives"

Paging File "should" then be addressed and available without errors in the Registry links.

So with that said, unless you feel you have any other issues you think are related to malware, I will close this thread; please reply back and let me know.

Ken :)

2012-06-04, 04:19
I do still have one thing I'd like to ask about... this one is from my first post with Spybot Search and Destroy. Spybot seems to be the only scan that has picked up W3i.IQ5.fraud at C:\Windows\System32\AI_RecycleBin\. Is it possible this is just a faulty detection?

Thanks for the awesome info! =D Your help has been invaluable, and on top of all things I've learned a lot ^_^. You guys really do an amazing job with these forums.

2012-06-04, 11:07
That file appears to be in your Recycle Bin; empty it out, run a new scan with Spybot and see if it goes away.