TechSpot

[Closed] Google and/or site redirection

By Bluecakes
Jul 8, 2011
  1. Hello,

    For a month or so now I've had an issue with redirecting links. If I search Google, the results load like normal until I click one, at which point there is a chance I get redirected elsewhere or a chance the site I clicked actually loads.

    Open in New Window and Open in New Tab have no effect on said chance.

    I also use Mozilla Firefox. Requested logs are below:

    Malwarebytes' Anti-Malware 1.51.0.1200
    www.malwarebytes.org

    Database version: 7045

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    7/8/2011 8:23:09 PM
    mbam-log-2011-07-08 (20-23-09).txt

    Scan type: Quick scan
    Objects scanned: 169385
    Time elapsed: 2 minute(s), 42 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 4

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\Windows\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
    c:\Windows\Tasks\{bbaeaeaf-1275-40e2-bd6c-bc8f88bd114a}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
    c:\Windows\Tasks\{810401e2-dde0-454e-b0e2-aa89c9e5967c}.job (Trojan.FraudPack) -> Quarantined and deleted successfully.
    c:\Users\bluecakes\AppData\Roaming\Adobe\shed\thr1.chm (Malware.Trace) -> Quarantined and deleted successfully.

    GMER 1.0.15.15640 - http://www.gmer.net
    Rootkit scan 2011-07-08 20:41:15
    Windows 6.1.7600
    Running: ryge3bhp.exe


    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x30 0xFD 0xAD 0x17 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xF8 0x5F 0x80 0xA0 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x9A 0x71 0xDD 0xC1 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x30 0xFD 0xAD 0x17 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xF8 0x5F 0x80 0xA0 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x9A 0x71 0xDD 0xC1 ...

    ---- EOF - GMER 1.0.15 ----


    DDS (Ver_2011-06-23.01) - NTFSAMD64
    Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_22
    Run by Bluecakes at 20:28:04 on 2011-07-08
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.4094.2542 [GMT 10:00]
    .
    AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\PROGRA~2\AVG\AVG10\avgchsva.exe
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\atieclxx.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe
    C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe
    C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    C:\Program Files (x86)\Gigabyte\EasySaver\ESSVR.EXE
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe
    C:\Windows\SysWOW64\XSrvSetup.exe
    C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe
    C:\Windows\SysWOW64\PnkBstrA.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
    C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\Program Files (x86)\AVG\AVG10\avgnsa.exe
    C:\Program Files (x86)\AVG\AVG10\avgemca.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
    C:\Program Files (x86)\DisplayFusion\DisplayFusion.exe
    C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
    C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe
    C:\Program Files (x86)\AVG\AVG10\avgtray.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files (x86)\Common Files\PC Tools\sMonitor\SSDMonitor.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe
    C:\Program Files (x86)\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files (x86)\DisplayFusion\DisplayFusionHookx86.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
    C:\PROGRA~2\AVG\AVG10\avgrsa.exe
    C:\Program Files (x86)\AVG\AVG10\avgcsrva.exe
    C:\Windows\system32\AUDIODG.EXE
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
    C:\Windows\SysWOW64\NOTEPAD.EXE
    C:\Users\Bluecakes\Downloads\ryge3bhp.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    mWinlogon: Userinit=userinit.exe,
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
    uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
    uRun: [DisplayFusion] "C:\Program Files (x86)\DisplayFusion\DisplayFusion.exe"
    mRun: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
    mRun: [BCU] "C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe"
    mRun: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe
    mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRun: [SSDMonitor] C:\Program Files (x86)\Common Files\PC Tools\sMonitor\SSDMonitor.exe
    mRun: [LogMeIn Hamachi Ui] "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
    mRun: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    mRunOnce: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    uPolicies-explorer: NoResolveTrack = 1 (0x1)
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: DhcpNameServer = 211.29.152.116 198.142.0.51 211.29.132.12
    TCP: Interfaces\{459C3A97-4160-4E89-966F-3B04FFB88DAA} : DhcpNameServer = 211.29.152.116 198.142.0.51 211.29.132.12
    TCP: Interfaces\{75E0359C-E101-4504-BAEA-53E57F163573} : DhcpNameServer = 8.8.8.8
    TCP: Interfaces\{91377628-7637-4659-BC16-999F381B706E} : DhcpNameServer = 211.29.152.116 198.142.0.51 211.29.132.12
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG10\avgpp.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
    BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll
    BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
    BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO-X64: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
    BHO-X64: Ask Toolbar BHO - No File
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB-X64: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
    mRun-x64: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
    mRun-x64: [BCU] "C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe"
    mRun-x64: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe
    mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRun-x64: [SSDMonitor] C:\Program Files (x86)\Common Files\PC Tools\sMonitor\SSDMonitor.exe
    mRun-x64: [LogMeIn Hamachi Ui] "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
    mRun-x64: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    mRunOnce-x64: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\Bluecakes\AppData\Roaming\Mozilla\Firefox\Profiles\mx3cwfi9.default\
    FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
    FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
    FF - component: C:\Program Files (x86)\AVG\AVG10\Firefox4\components\avgssff4.dll
    FF - component: C:\Program Files (x86)\AVG\AVG10\Firefox4\components\avgssff5.dll
    FF - component: C:\Users\Bluecakes\AppData\Roaming\Mozilla\Firefox\Profiles\mx3cwfi9.default\extensions\cfxHelper@Triton\components\dwmxpcom.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
    FF - plugin: C:\Windows\system32\Wat\npWatWeb.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Chromifox Companion: cfxHelper@Triton - %profile%\extensions\cfxHelper@Triton
    FF - Ext: Chromifox Extreme: cfxe@Triton - %profile%\extensions\cfxe@Triton
    FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - C:\Program Files (x86)\AVG\AVG10\Firefox4
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSEH;AVGIDSEH;C:\Windows\system32\DRIVERS\AVGIDSEH.Sys --> C:\Windows\system32\DRIVERS\AVGIDSEH.Sys [?]
    R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\system32\DRIVERS\avgrkx64.sys --> C:\Windows\system32\DRIVERS\avgrkx64.sys [?]
    R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\system32\DRIVERS\avgldx64.sys --> C:\Windows\system32\DRIVERS\avgldx64.sys [?]
    R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\system32\DRIVERS\avgmfx64.sys --> C:\Windows\system32\DRIVERS\avgmfx64.sys [?]
    R1 Avgtdia;AVG TDI Driver;C:\Windows\system32\DRIVERS\avgtdia.sys --> C:\Windows\system32\DRIVERS\avgtdia.sys [?]
    R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
    R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
    R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-3-9 365568]
    R2 AMD Reservation Manager;AMD Reservation Manager;C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [2010-6-17 194496]
    R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2011-4-18 7398752]
    R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe [2011-2-8 269520]
    R2 BCUService;Browser Configuration Utility Service;C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe [2010-4-30 219360]
    R2 ES lite Service;ES lite Service for program management.;C:\Program Files (x86)\Gigabyte\EasySaver\essvr.exe [2010-4-30 68136]
    R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe [2011-5-25 2275720]
    R2 JMB36X;JMB36X;C:\Windows\SysWOW64\XSrvSetup.exe [2010-4-30 65536]
    R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe [2011-5-3 632792]
    R3 amdiox64;AMD IO Driver;C:\Windows\system32\DRIVERS\amdiox64.sys --> C:\Windows\system32\DRIVERS\amdiox64.sys [?]
    R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
    R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
    R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys --> C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys [?]
    R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys --> C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys [?]
    R3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\nusb3hub.sys --> C:\Windows\system32\DRIVERS\nusb3hub.sys [?]
    R3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\nusb3xhc.sys --> C:\Windows\system32\DRIVERS\nusb3xhc.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S3 Netaapl;Apple Mobile Device Ethernet Service;C:\Windows\system32\DRIVERS\netaapl64.sys --> C:\Windows\system32\DRIVERS\netaapl64.sys [?]
    S3 npggsvc;nProtect GameGuard Service;C:\Windows\system32\GameMon.des -service --> C:\Windows\system32\GameMon.des -service [?]
    S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
    S3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;C:\Windows\system32\DRIVERS\RTL8192su.sys --> C:\Windows\system32\DRIVERS\RTL8192su.sys [?]
    S3 ScreamBAudioSvc;ScreamBee Audio;C:\Windows\system32\drivers\ScreamingBAudio64.sys --> C:\Windows\system32\drivers\ScreamingBAudio64.sys [?]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
    S3 WatAdminSvc;WatAdminSvc;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
    .
    =============== Created Last 30 ================
    .
    2011-07-08 10:19:55 -------- d-----w- C:\Users\Bluecakes\AppData\Roaming\Malwarebytes
    2011-07-08 10:19:48 39984 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
    2011-07-08 10:19:48 -------- d-----w- C:\ProgramData\Malwarebytes
    2011-07-08 10:19:44 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2011-07-08 10:19:44 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2011-07-06 14:15:41 -------- d-----w- C:\sync
    2011-07-06 13:50:10 -------- d-----w- C:\Users\Bluecakes\AppData\Roaming\Microsoft Corporation
    2011-07-06 13:31:33 -------- d-----w- C:\Users\Bluecakes\AppData\Local\Temporary Projects
    2011-07-06 05:57:25 -------- d-----w- C:\Windows\SysWow64\Adobe
    2011-06-25 03:54:33 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-06-22 00:01:13 -------- d-----w- C:\Users\Bluecakes\AppData\Roaming\LolClient
    2011-06-21 23:50:43 467984 ----a-w- C:\Windows\SysWow64\d3dx10_39.dll
    2011-06-21 23:50:43 1493528 ----a-w- C:\Windows\SysWow64\D3DCompiler_39.dll
    2011-06-21 23:50:42 3851784 ----a-w- C:\Windows\SysWow64\D3DX9_39.dll
    2011-06-21 23:48:11 -------- d-----w- C:\Riot Games
    2011-06-21 15:48:15 -------- d-----w- C:\Program Files (x86)\League of Legends
    2011-06-13 12:49:56 -------- d-----w- C:\Users\Bluecakes\AppData\Roaming\ts3overlay
    2011-06-13 12:47:07 -------- d-----w- C:\Users\Bluecakes\AppData\Roaming\TS3Client
    2011-06-13 12:45:31 -------- d-----w- C:\Program Files (x86)\TeamSpeak 3 Client
    2011-06-12 10:50:35 280768 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
    2011-06-12 10:49:50 280768 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
    2011-06-12 10:49:50 215128 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
    2011-06-12 10:49:49 75136 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
    2011-06-12 10:49:48 2434856 ----a-w- C:\Windows\SysWow64\pbsvc_bc2.exe
    2011-06-11 02:36:29 -------- d-----w- C:\ProgramData\Skype Extras
    .
    ==================== Find3M ====================
    .
    2011-07-08 04:21:47 25640 ----a-w- C:\Windows\gdrv.sys
    2011-07-03 03:38:39 419840 ----a-w- C:\Windows\System32\systemcpl.dll
    2011-07-03 03:38:39 14848 ----a-w- C:\Windows\System32\slwga.dll
    2011-07-03 03:38:39 13824 ----a-w- C:\Windows\SysWow64\slwga.dll
    2011-04-14 11:28:24 118864 ----a-w- C:\Windows\System32\drivers\AVGIDSDriver.sys
    .
    ============= FINISH: 20:29:21.82 ===============
     
  2. Bobbye


    Welcome to TechSpot! I'll help with the malware problem.

    Please do not put logs in quote or code box. It cuts down on the available space and also means I have to navigate within the box to see the entire log.
    ====================================================
    You have some entries that indicate you may not be checking download screens for pre-checked boxes. Be sure to do that and uncheck the toolbars and other 'junk' that may be bundled with the download.
    ===================================================
    You will have to temporarily uninstall AVG to run Combofix. They left no way for it to be fully disabled to run security scans. Do as follows:
    Download AppRemover and save to the desktop
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A selection screen will appear
    5. Click on Next after choice has been made
    6. Check the AVG program you want to uninstall
    7. After uninstall shows complete, follow online prompts to Exit the program.

    Temporary AV: Use one:
    Avira-AntiVir-Personal-Free-Antivirus
    Avast Free Version
    =============================
    Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a confirmation message.
    • Click on Yes to continue scanning for malware
    • If Combofix asks you to update the program, allow it
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated and it will open in a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    ====================================
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click the download link for the ESET Smart Installer. Save it to your desktop.
      [o] Double click on it on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ===============================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.
    If I have not replied for 2 days, you can send me a PM reminder. Include the URL of your thread. Please do not send me a PM to tell me your logs are up.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
     
  3. Bluecakes


    Hey Bobbye,

    Thanks for taking the time to help me, here are the logs you requested:

    ComboFix
    ---------------

    ComboFix 11-07-11.02 - Bluecakes 07/11/2011 23:00:16.1.4 - x64
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.4094.2305 [GMT 10:00]
    Running from: c:\users\Bluecakes\Downloads\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Bluecakes\AppData\Roaming\Adobe\plugs
    c:\users\Bluecakes\AppData\Roaming\Adobe\shed
    H:\Autorun.inf
    J:\install.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-06-11 to 2011-07-11 )))))))))))))))))))))))))))))))
    .
    .
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-07-11 13:06 . 2010-04-30 10:04 25640 ----a-w- c:\windows\gdrv.sys
    2011-07-03 03:38 . 2009-07-13 23:36 13824 ----a-w- c:\windows\SysWow64\slwga.dll
    2011-05-23 12:11 . 2011-05-23 12:09 205984 ----a-w- c:\programdata\Microsoft\VBExpress\10.0\1033\ResourceCache.dll
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2010-09-18 . 861C4346F9281DC0380DE72C8D55D6BE . 833024 . . [6.1.7600.16385] .. c:\windows\SysWOW64\user32.dll
    [7] 2009-07-14 . E8B0FFC209E504CB7E79FC24E6C085F0 . 833024 . . [6.1.7600.16385] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_3382083abb6e47d4\user32.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2010-09-28 1400712]
    .
    [HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2010-09-28 12:44 1400712 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2010-09-28 1400712]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
    "DisplayFusion"="c:\program files (x86)\DisplayFusion\DisplayFusion.exe" [2010-03-17 800944]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "NUSB3MON"="c:\program files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2009-11-20 106496]
    "BCU"="c:\program files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe" [2009-08-04 346320]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-03-08 336384]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-04-26 421160]
    "SSDMonitor"="c:\program files (x86)\Common Files\PC Tools\sMonitor\SSDMonitor.exe" [2010-11-15 112600]
    "LogMeIn Hamachi Ui"="c:\program files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" [2011-05-25 1951112]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg&inst=NzctNjMyNDI3NTA0LVZPUCszLVQxLVVDQUxMKzEtVUNBTEwyKzItVEI4KzItRkwrOC1RSVgxKzQtRjEwTTEwQysyLVgyMDEwKzItTElDKzIyLVNQMSsxLVNQMVRCKzEtRkwxMCsxLVNQMVMyKzEtU1VEKzEtUzFJKzEtU1UzKzEtRERUKzA&prod=90&ver=10.0.1388" [?]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"= 1 (0x1)
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 AODDriver4.0;AODDriver4.0;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [x]
    R3 dump_wmimmc;dump_wmimmc;c:\gpotato\Rappelz\GameGuard\dump_wmimmc.sys [x]
    R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl64.sys [x]
    R3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\DRIVERS\RTL8192su.sys [x]
    R3 ScreamBAudioSvc;ScreamBee Audio;c:\windows\system32\drivers\ScreamingBAudio64.sys [x]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
    R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
    R3 WatAdminSvc;WatAdminSvc;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R3 X6va002;X6va002;c:\users\BLUECA~1\AppData\Local\Temp\00283D3.tmp [x]
    R3 X6va003;X6va003;c:\users\BLUECA~1\AppData\Local\Temp\003A9B6.tmp [x]
    S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
    S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-03-08 365568]
    S2 AMD Reservation Manager;AMD Reservation Manager;c:\program files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [2010-06-16 194496]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
    S2 BCUService;Browser Configuration Utility Service;c:\program files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe [2009-08-04 219360]
    S2 ES lite Service;ES lite Service for program management.;c:\program files (x86)\Gigabyte\EasySaver\ESSVR.EXE [2009-08-24 68136]
    S2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files (x86)\LogMeIn Hamachi\hamachi-2.exe [2011-05-25 2275720]
    S2 JMB36X;JMB36X;c:\windows\SysWOW64\XSrvSetup.exe [2009-08-06 65536]
    S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe [2011-01-28 632792]
    S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [x]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
    S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
    S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-07-09 c:\windows\Tasks\RMSchedule.job
    - c:\program files (x86)\Registry Mechanic\RegMech.exe [2011-05-03 03:11]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-07-04 11:43 134384 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-12-08 9642528]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.ask.com?o=15442&l=dis
    uInternet Settings,ProxyOverride = *.local
    TCP: DhcpNameServer = 211.29.152.116 198.142.0.51 211.29.132.12
    FF - ProfilePath - c:\users\Bluecakes\AppData\Roaming\Mozilla\Firefox\Profiles\mx3cwfi9.default\
    FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
    FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:eek:fficial
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Chromifox Companion: cfxHelper@Triton - %profile%\extensions\cfxHelper@Triton
    FF - Ext: Chromifox Extreme: cfxe@Triton - %profile%\extensions\cfxe@Triton
    FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
    AddRemove-PunkBusterSvc - c:\windows\system32\pbsvc_bc2.exe
    .
    .
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\X6va002]
    "ImagePath"="\??\c:\users\BLUECA~1\AppData\Local\Temp\00283D3.tmp"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\X6va003]
    "ImagePath"="\??\c:\users\BLUECA~1\AppData\Local\Temp\003A9B6.tmp"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Bonjour\mDNSResponder.exe
    c:\windows\SysWOW64\PnkBstrA.exe
    .
    **************************************************************************
    .
    Completion time: 2011-07-11 23:13:29 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-07-11 13:13
    .
    Pre-Run: 121,756,422,144 bytes free
    Post-Run: 121,501,880,320 bytes free
    .
    - - End Of File - - 8ECC05472303A01FA180AD388981D995



    ESET
    --------

    C:\Langames\Trackmania United Forever\Trackmania United Forever Full.iso probably a variant of Win32/Agent.JWALVLQ trojan
    C:\Users\Bluecakes\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\23db9a00-2e167d00 multiple threats
    C:\Users\Bluecakes\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\3cc664c-7b707616 Java/TrojanDownloader.OpenStream.NBS trojan
    C:\Users\Bluecakes\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\747d068f-66a10d20 multiple threats
    C:\Users\Bluecakes\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\281e7c9f-346b6250 multiple threats
    C:\Users\Bluecakes\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\6e7a3762-118abb7f multiple threats
    C:\Users\Bluecakes\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\c669a2-43ff6edf multiple threats
    C:\Users\Bluecakes\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\7a7b3066-72686c67 a variant of Java/TrojanDownloader.OpenStream.NCE trojan
    C:\Users\Bluecakes\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\45\7682016d-73032737 multiple threats
    C:\Users\Bluecakes\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\7bf72d70-5ee7aa65 Java/TrojanDownloader.OpenStream.NCA trojan
    C:\Users\Bluecakes\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\73190831-59aa7d22 a variant of Java/Exploit.CVE-2010-4452.A trojan
    C:\Users\Bluecakes\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\7c18d505-3a2ed31f a variant of Java/TrojanDownloader.OpenStream.NCE trojan
    C:\Users\Bluecakes\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\7c18d505-6ebd8738 a variant of Java/TrojanDownloader.OpenStream.NCE trojan
    C:\Users\Bluecakes\Downloads\RegistryMechanic_10.0.0.134.rar probably a variant of Win32/Agent.GMCZCJO trojan
    D:\ggf\Bulletstorm\sr-bustm.iso a variant of Win32/Packed.VMProtect.AAA trojan
    H:\Etc\Tools\MsgPlusLive-481.exe a variant of Win32/Adware.CiDHelp application
    H:\Games\Serious Sam 2\Install\rld-ss2.iso probably a variant of Win32/Agent.NFOIATG trojan
    H:\Games\Splinter Cell - Conviction\Tom.Clancys.Splinter.Cell.Conviction.Multiplayer.Crack-SKIDROW\ubiorbitapi_r2.dll a variant of Win32/Packed.VMProtect.AAA trojan
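A defender's triage pass over the service and driver lines of the ComboFix log above, added here as an example; it is not part of this thread and not ComboFix's own code. It flags entries whose image lives in a user Temp directory or has a .tmp extension, the pattern the X6va002/X6va003 entries show; the sample lines are copied from the log, while the regex, the heuristics and all names are my own assumptions about the format.

```python
"""Triage helper for ComboFix service/driver lines (added example, not ComboFix code).

ComboFix lists services and drivers as:  <R|S><start type> name;display name;image path [info]
where the trailing bracket holds either the file's date and size or 'x' when ComboFix
recorded no file details.  The heuristics below are my own, not ComboFix's.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: a handful of lines copied from the ComboFix log in this thread.
SAMPLE_LOG = r"""
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 dump_wmimmc;dump_wmimmc;c:\gpotato\Rappelz\GameGuard\dump_wmimmc.sys [x]
R3 X6va002;X6va002;c:\users\BLUECA~1\AppData\Local\Temp\00283D3.tmp [x]
R3 X6va003;X6va003;c:\users\BLUECA~1\AppData\Local\Temp\003A9B6.tmp [x]
S1 aswSnx;aswSnx; [x]
S2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files (x86)\LogMeIn Hamachi\hamachi-2.exe [2011-05-25 2275720]
"""

SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"            # R = running, S = stopped; digit = start type
    r"(?P<name>[^;]*);(?P<display>[^;]*);"          # service name and display name
    r"(?P<path>[^\[]*?)\s*\[(?P<info>[^\]]*)\]$"    # image path (may be empty) and [info]
)

# Any path component named Temp or Tmp, e.g. ...\AppData\Local\Temp\...
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


@dataclass
class ServiceEntry:
    state: str
    start_type: int
    name: str
    display: str
    path: str
    info: str


@dataclass
class Finding:
    name: str
    path: str
    reasons: List[str] = field(default_factory=list)


def parse_services(log_text: str) -> List[ServiceEntry]:
    """Parse every ComboFix service/driver line; unrelated lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if m:
            entries.append(ServiceEntry(m["state"], int(m["start"]), m["name"],
                                        m["display"], m["path"].strip(), m["info"]))
    return entries


def triage(log_text: str) -> List[Finding]:
    """Flag services whose image lives in a Temp directory or is a .tmp file.

    A driver started from a user's Temp folder with a random-looking name and no
    recorded file details is the pattern the X6va002/X6va003 entries in this thread show.
    """
    findings = []
    for e in parse_services(log_text):
        reasons = []
        if TEMP_DIR_RE.search(e.path):
            reasons.append("image path is inside a Temp directory")
        if e.path.lower().endswith(".tmp"):
            reasons.append("image has a .tmp extension")
        if not reasons:
            continue
        # Supporting (weaker) signals, only reported on entries already flagged.
        if e.info == "x":
            reasons.append("no file details recorded (shown as [x])")
        if e.name == e.display:
            reasons.append("display name is just the service name")
        findings.append(Finding(e.name, e.path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.name}: {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```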
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome. There is another log from DDS. It's named Attach.txt. Please find it and include it in your next post. Do not zip it.

    Can you tell me please what these drives are?
    H:\Autorun.inf
    J:\install.exe


    If one or both are flash drives, they need to be disinfected. Please use the following:
    • Please download Panda USB Vaccine (you must provide a valid e-mail address and they will send the download link to it) to your desktop.
    • Install and run it.
    • Plug in the USB drive and click on Vaccinate USB and Vaccinate computer.
    ==========================================
    For the Eset entries, first clear the Java cache:
    1. Click Start > Control Panel.
    2. Double-click the Java icon in the Control Panel.
    3. Click Settings under Temporary Internet Files.
      (screenshot: http://www.java.com/en/img/download/5000020303.jpg)
      There are three options on this window to clear the cache (version dependent):
      • Delete Files
      • View Applications
      • View Applets
    4. Click OK on the Delete Temporary Files window.
      Note: This deletes all the downloaded Applications and Applets from the cache.
    5. Click OK on the Temporary Files Settings window.

    The Java is out of date. You have v6u22 and the current is v6u26. This could have contributed to the malware in the Java cache. Please update: Java Updates (http://www.java.com/en/download/manual.jsp). Then uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.

    Note: Uncheck 'Install Yahoo Toolbar' on the download screen before you do the update.
    ======================================
    Then run this: Please download OTMovit by Old Timer (http://oldtimer.geekstogo.com/OTM.exe) and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Files
      C:\Langames\Trackmania United Forever\Trackmania United Forever Full.iso
      C:\Users\Bluecakes\Downloads\RegistryMechanic_10.0.0.134.rar
      D:\ggf\Bulletstorm\sr-bustm.iso
      H:\Etc\Tools\MsgPlusLive-481.exe
      H:\Games\Serious Sam 2\Install\rld-ss2.iso
      H:\Games\Splinter Cell - Conviction\Tom.Clancys.Splinter.Cell.Conviction.Multiplayer.Crack-SKIDROW\ubiorbitapi_r2.dll

      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]

    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ==========================================
    Please run this also: Download CKScanner (http://downloads.malwareremoval.com/CKScanner.exe) and save to your desktop.
    • Double-click CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
    =====================================
      =====================================

    The following drives have malware: C, H, J, D. Please identify the drives.
    I suspect you are downloading from torrent sites. This is a straight road to malware.

      I will finish reviewing Combofix tomorrow and set up script to remove some entries.
     
  5. Bluecakes

    Bluecakes TS Rookie Topic Starter

    Hey Bobbye,

    Not 100% sure on the Autorun.inf, but the J:\install.exe program is the installer for the Seagate software that came with my external hard drive.

    Drive C is my operating system hard drive, so OS, downloads and games.
    Drive D is the spare hard drive inside my tower, so it stores all kinds of things.

    Drives H and J are my external drives, so they store everything from my anime to my TV series etc.

    My apologies for not attaching Attach.log previously; here it is:

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-23.01)
    .
    Microsoft Windows 7 Ultimate
    Boot Device: \Device\HarddiskVolume1
    Install Date: 4/30/2010 7:40:40 PM
    System Uptime: 7/8/2011 2:20:43 PM (6 hours ago)
    .
    Motherboard: Gigabyte Technology Co., Ltd. | | GA-890GPA-UD3H
    Processor: AMD Phenom(tm) II X4 945 Processor | Socket M2 | 3000/200mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 466 GiB total, 119.654 GiB free.
    D: is FIXED (NTFS) - 466 GiB total, 35.034 GiB free.
    E: is CDROM (UDF)
    F: is CDROM (UDF)
    H: is FIXED (NTFS) - 1397 GiB total, 150.239 GiB free.
    I: is CDROM ()
    J: is FIXED (NTFS) - 1862 GiB total, 307.256 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID:
    Description: WD SES Device USB Device
    Device ID: USBSTOR\OTHER&VEN_WD&PROD_SES_DEVICE&REV_1032\574341565931343435353734&2
    Manufacturer:
    Name: WD SES Device USB Device
    PNP Device ID: USBSTOR\OTHER&VEN_WD&PROD_SES_DEVICE&REV_1032\574341565931343435353734&2
    Service:
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Hamachi Network Interface
    Device ID: ROOT\NET\0000
    Manufacturer: LogMeIn, Inc.
    Name: Hamachi Network Interface
    PNP Device ID: ROOT\NET\0000
    Service: hamachi
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Realtek PCIe GBE Family Controller
    Device ID: PCI\VEN_10EC&DEV_8168&SUBSYS_E0001458&REV_03\4&2BE2F00&0&0050
    Manufacturer: Realtek
    Name: Realtek PCIe GBE Family Controller
    PNP Device ID: PCI\VEN_10EC&DEV_8168&SUBSYS_E0001458&REV_03\4&2BE2F00&0&0050
    Service: RTL8167
    .
    ==== System Restore Points ===================
    .
    RP142: 6/22/2011 9:33:42 PM - Made by Registry Mechanic
    RP143: 6/25/2011 7:35:13 PM - Made by Registry Mechanic
    RP144: 7/3/2011 7:00:49 PM - Made by Registry Mechanic
    RP145: 7/4/2011 7:00:51 PM - Made by Registry Mechanic
    RP146: 7/7/2011 7:00:57 PM - Made by Registry Mechanic
    .
    ==== Installed Programs ======================
    .
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Shockwave Player 11.6
    Alien Swarm
    Apple Application Support
    Apple Software Update
    Ask Toolbar
    Assassin's Creed II
    Battlefield: Bad Company 2
    BitTorrent
    Browser Configuration Utility
    Call of Duty: Black Ops - Multiplayer
    Catalyst Control Center
    Catalyst Control Center - Branding
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center InstallProxy
    CCC Help English
    Combined Community Codec Pack 2008-09-21 16:18
    DisplayFusion 3.1.8.0
    EasyBits GO
    EasySaver B9.1214.1
    Garry's Mod
    GhostMouse
    Gigabyte Raid Cinfigurer
    Hero Editor V0.96
    Heroes of Newerth
    HydraVision
    ImTOO DVD Ripper Platinum 5
    iPhone Explorer 2.100
    iPhoneBrowser
    Java Auto Updater
    Java(TM) 6 Update 22
    Killing Floor
    League of Legends
    Left 4 Dead 2
    LiveUpdate 3.2 (Symantec Corporation)
    Logitech Touch Mouse Server 1.0
    LogMeIn Hamachi
    Magicka
    Malwarebytes' Anti-Malware version 1.51.0.1200
    Microsoft .NET Framework 4 Multi-Targeting Pack
    Microsoft Application Error Reporting
    Microsoft SQL Server 2008 R2 Management Objects
    Microsoft SQL Server Compact 3.5 SP2 ENU
    Microsoft SQL Server System CLR Types
    Microsoft Visual Basic 2010 Express - ENU
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974
    Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools
    Microsoft XNA Framework Redistributable 3.1
    Mozilla Firefox (3.6.18)
    NEC Electronics USB 3.0 Host Controller Driver
    NVIDIA PhysX
    Pando Media Booster
    Portal
    Prototype(TM)
    PunkBuster Services
    QuickTime
    Real Alternative 1.9.0
    Realtek Ethernet Controller Driver For Windows Vista and Later
    Realtek HDMI Audio Driver for ATI
    Realtek High Definition Audio Driver
    Registry Mechanic 10.0
    RIFT
    Security Update for CAPICOM (KB931906)
    Skype™ 5.3
    Spiral Knights
    Steam
    Symantec Ghost Standard Tools
    TeamSpeak 3 Client
    TmUnitedForever
    Trillian
    Ubisoft Game Launcher
    Visual C++ 8.0 Runtime Setup Package (x64)
    Visual Studio 2008 x64 Redistributables
    Visual Studio 2010 Tools for SQL Server Compact 3.5 SP2 ENU
    VLC media player 0.9.9
    Windows Live Sign-in Assistant
    WinRAR archiver
    XBMC
    .
    ==== Event Viewer Messages From Past Week ========
    .
    7/8/2011 8:25:13 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk3\DR3.
    7/8/2011 2:21:54 PM, Error: Service Control Manager [7000] - The AODDriver4.0 service failed to start due to the following error: The system cannot find the path specified.
    7/4/2011 8:40:11 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000003b (0x00000000c0000005, 0xfffff8800497165f, 0xfffff88009390c10, 0x0000000000000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 070411-42791-01.
    .
    ==== End Of File ===========================

    ------------------------------------------

    I have run Panda USB Vaccine on Computer and both External hard drives.

    ------------------------------------------

    OTMoveIT actually moved all the files to a folder on my C drive and then, after 30 seconds or so, Windows crashed. I tried a second time running as an administrator but it still crashed a little bit after the program closed. Below is a screenshot of the folders and info made by the program, as there is no log file in sight.

    (screenshot image not preserved)

    ------------------------------------------

    This is the log to CKFiles.txt

    CKScanner - Additional Security Risks - These are not necessarily bad
    c:\langames\demigod\bindata\maps\map05\textures\map05_tile_cracked_d.dds
    c:\langames\demigod\bindata\maps\map05\textures\map05_tile_cracked_n.dds
    c:\langames\demigod\bindata\maps\map05\textures\map05_tile_cracked_s.dds
    c:\langames\demigod\bindata\maps\map05\textures\map05_top_crackmask.dds
    c:\program files (x86)\steam\steamapps\common\call of duty black ops\zone\common\mp_cracked.ff
    c:\program files (x86)\steam\steamapps\common\call of duty black ops\zone\english\en_mp_cracked.ff
    c:\program files (x86)\steam\steamapps\common\magicka\content\levels\textures\surface\nature\ground\dirt01_cracked_0.xnb
    c:\program files (x86)\steam\steamapps\common\magicka\content\levels\textures\surface\nature\ground\dirt01_cracked_nrm_0.xnb
    c:\program files (x86)\steam\steamapps\common\magicka\content\levels\textures\surface\structure\stone\wall_cracked01_0.xnb
    c:\program files (x86)\steam\steamapps\common\magicka\content\levels\textures\surface\structure\stone\wall_cracked_nrm_0.xnb
    c:\users\bluecakes\downloads\adobe_photoshop_cs2_keygen-paradox.rar
    c:\users\bluecakes\downloads\imtoo_dvd_ripper_platinum_5.0.46.1219_incl_keygen.rar
    c:\users\bluecakes\downloads\removewat.2.2.5.hazar.carter67.rar
    c:\users\bluecakes\downloads\1.10_item_vault_version_1.2\1.10 item vault version 1.2\uniques\exceptional\weapons\staves\ribcracker quarterstaff.d2i
    c:\users\bluecakes\downloads\1.10_item_vault_version_1.2\1.10 item vault version 1.2\uniques\exceptional\weapons\swords\cloudcrack gothic sword.d2i
    c:\users\bluecakes\downloads\6203b4beadfec93d0d34a9d3f6b9d9c8ec7\keygen.nfo
    c:\users\bluecakes\downloads\imtoo_dvd_ripper_platinum_5.0.46.1219_incl_keygen\dvd-ripper-platinum5.exe
    c:\users\bluecakes\downloads\imtoo_dvd_ripper_platinum_5.0.46.1219_incl_keygen\file list.txt
    c:\users\bluecakes\downloads\imtoo_dvd_ripper_platinum_5.0.46.1219_incl_keygen\imtoo.dvd.ripper.platinum5.keygen.tlg.[x-ray].exe
    c:\users\bluecakes\downloads\imtoo_dvd_ripper_platinum_5.0.46.1219_incl_keygen\rapidshare links apps, movies, music, tv season.url
    c:\users\bluecakes\downloads\imtoo_dvd_ripper_platinum_5.0.46.1219_incl_keygen\read me first!!!.txt
    c:\users\bluecakes\downloads\imtoo_dvd_ripper_platinum_5.0.46.1219_incl_keygen\readme.htm
    c:\users\bluecakes\downloads\imtoo_dvd_ripper_platinum_5.0.46.1219_incl_keygen\readme.txt
    c:\users\bluecakes\downloads\imtoo_dvd_ripper_platinum_5.0.46.1219_incl_keygen\tlg.nfo
    c:\users\bluecakes\downloads\registrymechanic_10.0.0.134\registrymechanic_10.0.0.134\keygen+serial\serial.txt
    c:\users\bluecakes\downloads\removewat.2.2.5.hazar.carter67\removewat.2.2.5.hazar.carter67\readme.txt
    c:\users\bluecakes\downloads\removewat.2.2.5.hazar.carter67\removewat.2.2.5.hazar.carter67\removewat.exe
    c:\users\bluecakes\downloads\removewat.2.2.5.hazar.carter67\removewat.2.2.5.hazar.carter67\removewat225.jpg
    c:\users\bluecakes\downloads\removewat.2.2.5.hazar.carter67\removewat.2.2.5.hazar.carter67\removewat_2.2.5.txt
    c:\windows\system32\slmgr.vbs.removewat
    c:\windows\syswow64\slmgr.vbs.removewat
    scanner sequence 3.ZZ.11.OVLBOI
    ----- EOF -----
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The image doesn't help me as I don't know what's in those files. I can have you run it again later.

    Keygen/Crack Warning:

    I note that you have visited crack/keygen sites, using illegal software. You have installed some programs that appear on crack/keygen sites to get access to the cracks/keygens. They install the malware on your system.

    If you visit crack sites, use cracks/keygens, you'll ALWAYS get infected.

    The danger is not only from the crack/keygen itself, but because one single click entering that site may already download and install a huge malware bundle.

    These malware bundles may contain a key logger, collecting all your passwords and installing other random malware, compromising your system and even infecting other computers. And all this because you visited some illegal sites.

    The malware can damage a system badly enough that repair may not be an option and the only solution will be to reformat/reinstall. So this "free" software really isn't "free" at all>> it may cost you privacy, your accounts and ultimately your computer system.

    Adobe Photoshop CS2> Pirated
    DVD Ripper Platinum> Pirated
    Registry Mechanic> Pirated

    And downloads to all of the above.

    They will have to be uninstalled if you want to continue support. And this leads me to the question>> Is the operating system legitimate?
     
  7. Bluecakes

    Bluecakes TS Rookie Topic Starter

    The operating system is completely Legit.

    I have removed the programs and the installers in my downloads folder.
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please update and repeat the Eset scan so I can make sure all entries were removed.
     
  9. Bluecakes

    Bluecakes TS Rookie Topic Starter

    I've run ESet again with the same settings; it came up with a few of the same results but without the applications I've removed, and I also cleared the Java cache so that didn't come up this time.

    Not sure whether you want me to just delete these files or use some specific application to do it instead.

    All but MsgPlusLive are games I've got from friends; MsgPlusLive is something I've downloaded from the internet.

    D:\ggf\Bulletstorm\sr-bustm.iso a variant of Win32/Packed.VMProtect.AAA trojan
    H:\Etc\Tools\MsgPlusLive-481.exe a variant of Win32/Adware.CiDHelp application
    H:\Games\Serious Sam 2\Install\rld-ss2.iso probably a variant of Win32/Agent.NFOIATG trojan
    H:\Games\Splinter Cell - Conviction\Tom.Clancys.Splinter.Cell.Conviction.Multiplayer.Crack-SKIDROW\ubiorbitapi_r2.dll a variant of Win32/Packed.VMProtect.AAA trojan
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    This download was pirated:
    Whether you downloaded from the internet or your friends, both had malware:
    This is a copied/burned version from somewhere- file sharing?
    And this is another burned copy from somewhere:
    ===========================================
    A 'packed' file is a file in a compressed format. While this can be done to use less memory for legitimate files, a 'packed' file can only be read by the program that 'packed' it because of special codes included.

    A 'packed' malware file therefore, such as this from the pirated program:
    Win32/Packed.VMProtect.AAA trojan and same from a burned program, may contain file infectors such as Sality or Ramnit or even Virus.
    ============================================
    I'm going to move these files, then withdraw my support due to the amount of piracy:

    ============================================
    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Files 
      D:\ggf\Bulletstorm\sr-bustm.iso 
      H:\Etc\Tools\MsgPlusLive-481.exe 
      H:\Games\Serious Sam 2\Install\rld-ss2.iso 
      H:\Games\Splinter Cell - Conviction\Tom.Clancys.Splinter.Cell.Conviction.Multiplayer.Crack-SKIDROW\ubiorbitapi_r2.dll 
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
     
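    The 'packed file' point in the post above is exactly what scanners lean on: compressed or encrypted section contents look statistically random, so a defender can flag them by measuring byte entropy per PE section. The script below is an added example and not part of this thread or any tool mentioned in it; it parses the PE section table with the standard library only, and the PE image it scans is constructed in the block (not a real program), with the 7.0 bits-per-byte threshold being an assumed heuristic.

```python
import hashlib
import math
import struct

def shannon_entropy(data):
    """Bits per byte, 0..8; compressed or encrypted data sits close to 8."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_sections(pe):
    """Walk the PE section table and return [(name, raw_bytes), ...]."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", pe, e_lfanew + 6)[0]      # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                            # first IMAGE_SECTION_HEADER
    out = []
    for i in range(nsect):
        name, _vsize, _vaddr, rsize, roff = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), pe[roff:roff + rsize]))
    return out

def packed_sections(pe, threshold=7.0):
    """Names of sections whose entropy suggests packing (compressed/encrypted code)."""
    return [name for name, data in parse_sections(pe) if shannon_entropy(data) >= threshold]

def build_sample_pe(sections):
    """Constructed test image: DOS stub, PE signature, COFF header, blank optional header, sections."""
    nsect, opt_size = len(sections), 0xE0
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, nsect, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)          # PE32 magic, rest zero
    headers, body, off = b"", b"", 0x40 + 24 + opt_size + 40 * nsect
    for name, data in sections:
        headers += struct.pack("<8sIIII", name, len(data), off, len(data), off) + b"\0" * 16
        body, off = body + data, off + len(data)
    return dos + b"PE\0\0" + coff + opt + headers + body

# Constructed sample: low-entropy "code" (a repeated prologue/ret pattern) next to a
# section filled with SHA-256 output, which looks as random as packed or encrypted bytes.
SAMPLE_PE = build_sample_pe([
    (b".text", bytes([0x55, 0x8B, 0xEC, 0x90, 0xC3, 0x00, 0x00, 0x00]) * 512),
    (b"PACKED", b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))),
])
```

    High entropy alone is not proof of malware (legitimate installers and media resources are also compressed), so treat the flagged section list as a triage signal to pair with a scanner verdict like the ESET detections above.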
Topic Status:
Not open for further replies.
