TechSpot

[Closed] Random adverts start playing in the background, malware scan shows trojans

By Spax88
Jul 26, 2011
Topic Status:
Not open for further replies.
  1. So I've got some Malware, I downloaded a bad link. My antivirus (ESET NOD32) flagged it up and said it was quarantined but then random adverts started playing in the background (and as much as I want rock hard abs in under three months, I don't want to hear about it). So Malware quick scan performed, 10 objects found, restart done, data log to follow.

    So do I need to do anything else or has Malware done the job?

    Malwarebytes' Anti-Malware 1.51.1.1800
    www.malwarebytes.org

    Database version: 7283

    Windows 6.1.7601 Service Pack 1
    Internet Explorer 8.0.7601.17514

    26/07/2011 19:08:56
    mbam-log-2011-07-26 (19-08-56).txt

    Scan type: Quick scan
    Objects scanned: 181461
    Time elapsed: 12 minute(s), 47 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 0
    Registry Keys Infected: 4
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 4

    Memory Processes Infected:
    c:\Users\Joss\AppData\Local\Temp\Twg.exe (Trojan.FakeAlert.SA) -> 2540 -> Unloaded process successfully.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\8DDYX0ZBPZ (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\NtWqIVLZEWZU (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\XMZH42I4GI (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8DDYX0ZBPZ (Trojan.FakeAlert.SA) -> Value: 8DDYX0ZBPZ -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\Windows\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
    c:\Windows\Tasks\{bbaeaeaf-1275-40e2-bd6c-bc8f88bd114a}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
    c:\Windows\Tasks\{810401e2-dde0-454e-b0e2-aa89c9e5967c}.job (Trojan.FraudPack) -> Quarantined and deleted successfully.
    c:\Users\NAME REMOVED\AppData\Local\Temp\Twg.exe (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.
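
The log above is easier to read once the detections are grouped by the mechanism they represent: three scheduled-task `.job` files, a `Run` value and a marker key under `HKCU\SOFTWARE`, an executable dropped in the user's `Temp` folder (which was also running), and tampering with the Internet Explorer security zones. The following parser is an added example, not code from the original post or from Malwarebytes; the sample log is a constructed excerpt that mirrors the entries above (user name replaced, plus one invented "Delete on reboot" line so the pending-action check has something to find). Function names are mine.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the Malwarebytes 1.51 log in the post above
# (user name replaced; the Twg.dll "Delete on reboot" line is invented to
# exercise the pending-action check). Not the original log.
SAMPLE_LOG = r"""
Memory Processes Infected:
c:\Users\USER\AppData\Local\Temp\Twg.exe (Trojan.FakeAlert.SA) -> 2540 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\8DDYX0ZBPZ (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8DDYX0ZBPZ (Trojan.FakeAlert.SA) -> Value: 8DDYX0ZBPZ -> Quarantined and deleted successfully.

Files Infected:
c:\Windows\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Users\USER\AppData\Local\Temp\Twg.exe (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.
c:\Users\USER\AppData\Local\Temp\Twg.dll (Trojan.FakeAlert.SA) -> Delete on reboot.
"""

# "Registry Keys Infected:" style headers (the summary lines with a count do not match)
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<item> (<threat name>) -> <zero or more fields> -> <action>."
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<tail>.+)$")

# Actions that mean the item is gone; anything else still needs attention.
COMPLETED = ("Quarantined and deleted successfully", "Unloaded process successfully")


def parse_mbam_log(text):
    """Return one dict per detection: section, item, threat, action."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            action = m.group("tail").split(" -> ")[-1].rstrip(".")
            entries.append({"section": section, "item": m.group("item"),
                            "threat": m.group("threat"), "action": action})
    return entries


def classify(entry):
    """Map a detection to the persistence or execution mechanism it represents."""
    item = entry["item"].lower()
    if entry["section"].startswith("Memory Processes"):
        return "running process"
    if item.startswith("hkey_"):
        if "\\currentversion\\run\\" in item:
            return "autostart (Run value)"
        if "\\internet settings\\zones" in item:
            return "IE security zone tampering"
        return "registry marker key"
    if item.endswith(".job") and "\\windows\\tasks\\" in item:
        return "scheduled task (.job)"
    if "\\appdata\\local\\temp\\" in item:
        return "dropped file in user Temp"
    return "other file"


def summarize(text):
    """Group items by mechanism so the chain (task -> Run value -> Temp exe) is visible."""
    groups = defaultdict(list)
    for e in parse_mbam_log(text):
        groups[classify(e)].append(e["item"])
    return dict(groups)


def pending_actions(text):
    """Items whose action is not a completed removal; a reboot or manual
    follow-up is needed before the log can be read as 'job done'."""
    return [e["item"] for e in parse_mbam_log(text) if e["action"] not in COMPLETED]


if __name__ == "__main__":
    for mechanism, items in summarize(SAMPLE_LOG).items():
        print(mechanism)
        for item in items:
            print("   ", item)
    print("pending:", pending_actions(SAMPLE_LOG))
```

The grouping answers the "has it done the job?" question only for what the quick scan saw: every action in the original log is a completed quarantine, but a quick scan does not cover everything, which is why the helper asks for the DDS and GMER logs before calling it clean.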
     
  2. Bobbye

    Bobbye, Helper on the Fringe

    Welcome to TechSpot! I'll help with the malware.

    Trojan.FakeAlert is a trojan which installs via fake codecs or browser exploits. Once installed it delivers popup advertisements for useless products. These symptoms will be accompanied by the installation of a rogue application with no user prompts or action required.

    We should be able to remove it. It's important that you don't act on any 'alerts' or messages you get.
    =============================================
    Please follow the additional steps in the Preliminary Virus and Malware Removal thread HERE.

    You don't need to repeat Malwarebytes at this time.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply .
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
    =======================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in the cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.
    If I have not replied for 2 days, you can send me a PM reminder. Include the URL of your thread. Please do not send me a PM to tell me your logs are up.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
     
  3. Spax88

    Spax88 TS Rookie Topic Starter

    .
    DDS (Ver_2011-06-23.01) - NTFSAMD64
    Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_26
    Run by Joss at 21:05:36 on 2011-07-26
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.44.1033.18.3001.1360 [GMT 1:00]
    .
    AV: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
    SP: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
    C:\Program Files (x86)\O2Micro Flash Memory Card Driver\o2flash.exe
    C:\Program Files (x86)\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\alg.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\taskhost.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Windows\WindowsMobile\wmdcBase.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Windows\system32\svchost.exe -k WindowsMobile
    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\Program Files (x86)\MOTU\Audio\MFWAKeys.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Program Files (x86)\Renoise 2.7.0\Renoise.exe
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Users\Joss\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Joss\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Joss\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Joss\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Joss\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Joss\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Joss\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Joss\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Joss\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Joss\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Joss\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Windows\system32\wuauclt.exe
    C:\Users\Joss\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Windows\SysWOW64\rundll32.exe
    C:\Users\Joss\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Joss\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Joss\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
    C:\Users\Joss\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Joss\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Joss\Downloads\c2fixc5b.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uInternet Settings,ProxyServer = http=;ftp=;https=;
    uURLSearchHooks: H - No File
    mWinlogon: Userinit=userinit.exe,
    BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    TB: {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - No File
    uRun: [<NO NAME>] C:\Users\Joss\AppData\Local\Temp\Crack\RealHideIP.exe
    uRun: [Google Update] "C:\Users\Joss\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MOTUPE~1.LNK - C:\Program Files (x86)\MOTU\Audio\MFWAKeys.exe
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    Trusted Zone: clonewarsadventures.com
    Trusted Zone: freerealms.com
    Trusted Zone: soe.com
    Trusted Zone: sony.com
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
    TCP: Interfaces\{F5C8A099-E88E-48E9-BD36-F5951290968D} : NameServer = 208.67.222.222,208.67.220.220
    TCP: Interfaces\{F5C8A099-E88E-48E9-BD36-F5951290968D} : DhcpNameServer = 194.168.4.100 194.168.8.100
    TCP: Interfaces\{F5C8A099-E88E-48E9-BD36-F5951290968D}\24F6F6D624F6F6D6 : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{F5C8A099-E88E-48E9-BD36-F5951290968D}\4616E6 : NameServer = 208.67.222.222,208.67.220.220
    TCP: Interfaces\{F5C8A099-E88E-48E9-BD36-F5951290968D}\4616E6 : DhcpNameServer = 192.168.2.1 194.168.4.100 194.168.8.100
    TCP: Interfaces\{F5C8A099-E88E-48E9-BD36-F5951290968D}\6796277696E6D65646961693039383437393 : DhcpNameServer = 194.168.4.100 194.168.8.100
    TCP: Interfaces\{F5C8A099-E88E-48E9-BD36-F5951290968D}\7657E69647 : DhcpNameServer = 192.168.1.1
    BHO-X64: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
    BHO-X64: Increase performance and video formats for your HTML5 <video> - No File
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    TB-X64: {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - No File
    mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun-x64: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    .
    ============= SERVICES / DRIVERS ===============
    .
    R2 eamonm;eamonm;C:\Windows\system32\DRIVERS\eamonm.sys --> C:\Windows\system32\DRIVERS\eamonm.sys [?]
    R2 epfwwfpr;epfwwfpr;C:\Windows\system32\DRIVERS\epfwwfpr.sys --> C:\Windows\system32\DRIVERS\epfwwfpr.sys [?]
    R3 motubus;MOTU Audio MIDI Extension;C:\Windows\system32\drivers\MotuBus64.sys --> C:\Windows\system32\drivers\MotuBus64.sys [?]
    R3 O2MDRDR;O2MDRDR;C:\Windows\system32\DRIVERS\o2mdx64.sys --> C:\Windows\system32\DRIVERS\o2mdx64.sys [?]
    R3 O2SDRDR;O2SDRDR;C:\Windows\system32\DRIVERS\o2sdx64.sys --> C:\Windows\system32\DRIVERS\o2sdx64.sys [?]
    R3 seehcri;Sony Ericsson seehcri Device Driver;C:\Windows\system32\DRIVERS\seehcri.sys --> C:\Windows\system32\DRIVERS\seehcri.sys [?]
    S3 MFWAMIDI64;MOTU Audio MIDI for 64 bit;C:\Windows\system32\drivers\MFWAMIDI64.sys --> C:\Windows\system32\drivers\MFWAMIDI64.sys [?]
    S3 MFWAWAVE64;MOTU Audio Wave for 64 bit;C:\Windows\system32\drivers\MFWAWAVE64.sys --> C:\Windows\system32\drivers\MFWAWAVE64.sys [?]
    S3 MotuFWA64;MotuFWA64;C:\Windows\system32\drivers\Motufwa64.sys --> C:\Windows\system32\drivers\Motufwa64.sys [?]
    S3 OSFMount;OSFMount;C:\Program Files\OSFMount\OSFMount.sys [2011-7-25 539712]
    S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
    S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);C:\Windows\system32\DRIVERS\s1018bus.sys --> C:\Windows\system32\DRIVERS\s1018bus.sys [?]
    S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;C:\Windows\system32\DRIVERS\s1018mdfl.sys --> C:\Windows\system32\DRIVERS\s1018mdfl.sys [?]
    S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;C:\Windows\system32\DRIVERS\s1018mdm.sys --> C:\Windows\system32\DRIVERS\s1018mdm.sys [?]
    S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);C:\Windows\system32\DRIVERS\s1018mgmt.sys --> C:\Windows\system32\DRIVERS\s1018mgmt.sys [?]
    S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);C:\Windows\system32\DRIVERS\s1018nd5.sys --> C:\Windows\system32\DRIVERS\s1018nd5.sys [?]
    S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;C:\Windows\system32\DRIVERS\s1018obex.sys --> C:\Windows\system32\DRIVERS\s1018obex.sys [?]
    S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);C:\Windows\system32\DRIVERS\s1018unic.sys --> C:\Windows\system32\DRIVERS\s1018unic.sys [?]
    .
    =============== File Associations ===============
    .
    cmdfile=NOTEPAD.EXE %1
    JSEFile=NOTEPAD.EXE %1
    VBSFile=NOTEPAD.EXE %1
    .
    =============== Created Last 30 ================
    .
    2011-07-26 16:52:13 266752 ----a-w- C:\Windows\Tzigoa.exe
    2011-07-26 16:48:15 -------- d-----w- C:\Program Files (x86)\energyXT
    2011-07-26 15:11:51 765952 ----a-w- C:\Windows\SysWow64\msvcp71d.dll
    2011-07-26 15:11:51 544768 ----a-w- C:\Windows\SysWow64\msvcr71d.dll
    2011-07-26 15:11:48 -------- d-----w- C:\Program Files (x86)\BBE Sound
    2011-07-25 22:22:55 233472 ----a-w- C:\Windows\SysWow64\REX Shared Library.dll
    2011-07-25 15:22:36 -------- d-----w- C:\Program Files (x86)\Common Files\DivX Shared
    2011-07-25 02:38:25 -------- d-----w- C:\Program Files (x86)\Native Instruments
    2011-07-25 02:21:30 -------- d-----w- C:\Program Files\OSFMount
    2011-07-25 01:03:03 -------- d-----w- C:\Users\Joss\TruePianos Settings
    2011-07-25 01:01:59 -------- d-----w- C:\Users\Joss\AppData\Roaming\Cakewalk
    2011-07-25 01:01:28 -------- dc----w- C:\ProgramData\{D69A48BF-7653-4AA8-94BC-5847522A4573}
    2011-07-24 23:32:21 487424 ----a-w- C:\Windows\SysWow64\msvcp70.dll
    2011-07-24 23:32:21 1047552 ----a-w- C:\Windows\SysWow64\mfc71u.dll
    2011-07-24 23:09:44 -------- d-----w- C:\ProgramData\Cakewalk
    2011-07-23 17:28:08 -------- d-----w- C:\Windows\MOTU
    2011-07-23 17:27:59 -------- d-----w- C:\Program Files (x86)\MOTU
    2011-07-23 17:27:57 -------- d-----w- C:\Program Files\MOTU
    2011-07-23 17:25:21 -------- d-----w- C:\Users\Joss\AppData\Local\Applications
    2011-07-22 13:43:16 -------- d-----w- C:\Program Files (x86)\Renoise 2.7.0
    2011-07-22 11:56:11 8578896 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{AD5C8475-6F07-4E5D-8C5C-0092BA804465}\mpengine.dll
    2011-07-15 01:02:43 -------- d-----w- C:\Program Files\ESET
    2011-07-13 14:55:50 -------- d-----w- C:\Windows\System32\SPReview
    2011-07-13 14:48:53 2565632 ----a-w- C:\Windows\System32\esent.dll
    2011-07-13 14:42:10 48976 ----a-w- C:\Windows\System32\netfxperf.dll
    2011-07-13 14:42:10 1942856 ----a-w- C:\Windows\System32\dfshim.dll
    2011-07-13 14:40:59 320352 ----a-w- C:\Windows\System32\PresentationHost.exe
    2011-07-13 14:39:59 1619456 ----a-w- C:\Windows\SysWow64\WMVDECOD.DLL
    2011-07-13 14:38:59 293376 ----a-w- C:\Program Files\Internet Explorer\IEShims.dll
    2011-07-13 14:37:59 287744 ----a-w- C:\Program Files\Internet Explorer\jsprofilerui.dll
    2011-07-13 14:36:59 89600 ----a-w- C:\Windows\SysWow64\wbem\WmiApRpl.dll
    2011-07-13 14:35:59 402944 ----a-w- C:\Windows\SysWow64\drmmgrtn.dll
    2011-07-13 14:34:59 33280 ----a-w- C:\Windows\System32\drivers\kbdhid.sys
    2011-07-13 14:33:57 209920 ----a-w- C:\Windows\SysWow64\PkgMgr.exe
    2011-07-13 14:33:57 189952 ----a-w- C:\Windows\SysWow64\wdscore.dll
    2011-07-13 14:33:23 323072 ----a-w- C:\Windows\SysWow64\drvstore.dll
    2011-07-13 14:33:22 257024 ----a-w- C:\Windows\SysWow64\dpx.dll
    2011-07-13 14:33:13 606208 ----a-w- C:\Windows\SysWow64\wbem\fastprox.dll
    2011-07-13 14:33:13 363008 ----a-w- C:\Windows\SysWow64\wbemcomn.dll
    2011-07-13 14:25:41 529408 ----a-w- C:\Windows\System32\wbemcomn.dll
    2011-07-13 14:25:41 524288 ----a-w- C:\Windows\System32\wmicmiplugin.dll
    2011-07-13 14:25:41 1225216 ----a-w- C:\Windows\System32\wbem\wbemcore.dll
    2011-07-13 14:25:15 933376 ----a-w- C:\Windows\System32\SmiEngine.dll
    2011-07-13 14:25:01 199168 ----a-w- C:\Windows\System32\PkgMgr.exe
    2011-07-13 14:23:22 422912 ----a-w- C:\Windows\System32\drvstore.dll
    2011-07-13 14:23:19 399872 ----a-w- C:\Windows\System32\dpx.dll
    2011-07-11 00:49:34 691551 ----a-w- C:\Program Files (x86)\Uninstall Information\{ABAF1232-6213-4062-9D52-04E04A730CEA}\unins000.exe
    2011-07-11 00:21:59 -------- d-----w- C:\Users\Joss\AppData\Local\ESET
    2011-07-04 06:59:06 1544192 ----a-w- C:\Windows\System32\DWrite.dll
    2011-07-04 06:59:06 1139200 ----a-w- C:\Windows\System32\FntCache.dll
    2011-07-04 06:59:05 902656 ----a-w- C:\Windows\System32\d2d1.dll
    2011-07-04 06:59:05 739840 ----a-w- C:\Windows\SysWow64\d2d1.dll
    2011-07-04 06:59:05 1076736 ----a-w- C:\Windows\SysWow64\DWrite.dll
    2011-07-04 06:59:01 142336 ----a-w- C:\Windows\System32\poqexec.exe
    2011-07-04 06:59:01 123904 ----a-w- C:\Windows\SysWow64\poqexec.exe
    2011-07-04 06:57:40 31232 ----a-w- C:\Windows\SysWow64\prevhost.exe
    2011-07-04 06:57:40 31232 ----a-w- C:\Windows\System32\prevhost.exe
    2011-07-03 08:58:59 778752 ----a-w- C:\Windows\System32\mssvp.dll
    2011-07-03 08:57:58 404480 ----a-w- C:\Windows\System32\umpnpmgr.dll
    2011-07-03 08:49:15 90624 ----a-w- C:\Windows\System32\drivers\bowser.sys
    2011-06-27 11:31:37 -------- d-----w- C:\Users\Joss\AppData\Local\SCE
    .
    ==================== Find3M ====================
    .
    2011-07-13 15:51:59 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
    2011-07-13 15:51:57 175616 ----a-w- C:\Windows\System32\msclmd.dll
    2011-07-06 18:52:42 41272 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
    2011-07-06 18:52:42 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2011-06-27 11:55:43 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-06-11 03:07:25 3137536 ----a-w- C:\Windows\System32\win32k.sys
    2011-06-10 18:20:28 2892 ----a-w- C:\Windows\SysWow64\audcon.sys
    2011-06-03 06:57:45 362496 ----a-w- C:\Windows\System32\wow64win.dll
    2011-06-03 06:57:45 243200 ----a-w- C:\Windows\System32\wow64.dll
    2011-06-03 06:57:45 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
    2011-06-03 06:57:44 214528 ----a-w- C:\Windows\System32\winsrv.dll
    2011-06-03 06:57:38 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
    2011-06-03 06:56:38 421888 ----a-w- C:\Windows\System32\KernelBase.dll
    2011-06-03 06:53:33 338944 ----a-w- C:\Windows\System32\conhost.exe
    2011-06-03 06:00:53 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
    2011-06-03 05:57:52 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
    2011-06-03 05:57:33 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
    2011-06-03 05:56:12 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
    2011-06-03 05:56:11 272384 ----a-w- C:\Windows\SysWow64\KernelBase.dll
    2011-06-03 03:53:31 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
    2011-06-03 03:53:31 2048 ----a-w- C:\Windows\SysWow64\user.exe
    2011-06-03 03:48:32 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
    2011-06-03 03:48:31 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
    2011-06-03 03:48:31 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
    2011-06-03 03:48:31 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
    2011-05-28 03:30:09 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
    2011-05-28 02:53:58 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2011-05-24 18:14:10 270720 ------w- C:\Windows\System32\MpSigStub.exe
    2011-05-24 10:40:05 64512 ----a-w- C:\Windows\SysWow64\devobj.dll
    2011-05-24 10:40:05 44544 ----a-w- C:\Windows\SysWow64\devrtl.dll
    2011-05-24 10:39:38 145920 ----a-w- C:\Windows\SysWow64\cfgmgr32.dll
    2011-05-24 10:37:54 252928 ----a-w- C:\Windows\SysWow64\drvinst.exe
    2011-05-04 05:25:03 2315776 ----a-w- C:\Windows\System32\tquery.dll
    2011-05-04 05:22:25 2223616 ----a-w- C:\Windows\System32\mssrch.dll
    2011-05-04 05:22:24 75264 ----a-w- C:\Windows\System32\msscntrs.dll
    2011-05-04 05:22:24 491520 ----a-w- C:\Windows\System32\mssph.dll
    2011-05-04 05:22:24 288256 ----a-w- C:\Windows\System32\mssphtb.dll
    2011-05-04 05:19:28 591872 ----a-w- C:\Windows\System32\SearchIndexer.exe
    2011-05-04 05:19:28 249856 ----a-w- C:\Windows\System32\SearchProtocolHost.exe
    2011-05-04 05:19:28 113664 ----a-w- C:\Windows\System32\SearchFilterHost.exe
    2011-05-04 04:34:43 1549312 ----a-w- C:\Windows\SysWow64\tquery.dll
    2011-05-04 04:32:02 666624 ----a-w- C:\Windows\SysWow64\mssvp.dll
    2011-05-04 04:32:01 337408 ----a-w- C:\Windows\SysWow64\mssph.dll
    2011-05-04 04:32:01 197120 ----a-w- C:\Windows\SysWow64\mssphtb.dll
    2011-05-04 04:32:01 1401344 ----a-w- C:\Windows\SysWow64\mssrch.dll
    2011-05-04 04:32:00 59392 ----a-w- C:\Windows\SysWow64\msscntrs.dll
    2011-05-04 04:28:31 86528 ----a-w- C:\Windows\SysWow64\SearchFilterHost.exe
    2011-05-04 04:28:31 427520 ----a-w- C:\Windows\SysWow64\SearchIndexer.exe
    2011-05-04 04:28:31 164352 ----a-w- C:\Windows\SysWow64\SearchProtocolHost.exe
    2011-05-04 03:52:22 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
    2011-05-03 05:29:29 976896 ----a-w- C:\Windows\System32\inetcomm.dll
    2011-05-03 04:30:02 741376 ----a-w- C:\Windows\SysWow64\inetcomm.dll
    2011-04-29 03:06:10 467456 ----a-w- C:\Windows\System32\drivers\srv.sys
    2011-04-29 03:05:49 410112 ----a-w- C:\Windows\System32\drivers\srv2.sys
    2011-04-29 03:05:37 168448 ----a-w- C:\Windows\System32\drivers\srvnet.sys
    .
    ============= FINISH: 21:06:57.67 ===============
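
The DDS log above is what the helper reads to find "entries that need to be removed and others that need to be identified". The items that stand out are a nameless `uRun` autostart pointing into `AppData\Local\Temp\Crack\`, three script file associations (`cmdfile`, `JSEFile`, `VBSFile`) redirected to NOTEPAD.EXE, a freshly created `Tzigoa.exe` directly in `C:\Windows`, two orphaned "No File" entries, and four Trusted Zone sites. The triage script below is an added example, not code from the post or from DDS; it applies my own heuristics to a constructed excerpt that mirrors the log (user name replaced). The "expected" handlers for batch and script files are the Windows defaults as I know them (batch files run through `"%1" %*`, scripts through WScript/CScript) and are an assumption; a hit is a lead for the helper, not a verdict.

```python
import re

# Constructed excerpt modelled on the DDS "Pseudo HJT Report", "File
# Associations" and "Created Last 30" sections in the post above (user name
# replaced). Added example data, not the original log.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
uInternet Settings,ProxyServer = http=;ftp=;https=;
uURLSearchHooks: H - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [<NO NAME>] C:\Users\USER\AppData\Local\Temp\Crack\RealHideIP.exe
uRun: [Google Update] "C:\Users\USER\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
Trusted Zone: freerealms.com
Trusted Zone: sony.com
=============== File Associations ===============
cmdfile=NOTEPAD.EXE %1
JSEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
=============== Created Last 30 ================
2011-07-26 16:52:13 266752 ----a-w- C:\Windows\Tzigoa.exe
2011-07-26 16:48:15 -------- d-----w- C:\Program Files (x86)\energyXT
2011-07-13 14:48:53 2565632 ----a-w- C:\Windows\System32\esent.dll
"""

RUN_RE = re.compile(r"^[um]Run(?:-x64)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+ \S+ (?P<path>.+)$")
# An .exe sitting directly in the Windows root (not in a subfolder) is unusual.
WINROOT_EXE_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.IGNORECASE)
PROXY_RE = re.compile(r"ProxyServer = (?P<value>.*)$")
# Batch/script types whose handler we compare against the assumed Windows default.
BATCH_TYPES = {"cmdfile", "batfile"}
SCRIPT_TYPES = {"vbsfile", "vbefile", "jsfile", "jsefile", "wsffile"}


def image_path(cmd):
    """First token of a Run command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def handler_is_default(ext, handler):
    """Assumed defaults: batch files run via the file itself, scripts via WScript/CScript."""
    if ext in BATCH_TYPES:
        return handler.startswith('"%1"')
    return re.search(r"[wc]script\.exe", handler, re.IGNORECASE) is not None


def triage(text):
    """Return a list of findings {severity, category, detail} for a DDS log."""
    findings = []

    def add(severity, category, detail):
        findings.append({"severity": severity, "category": category, "detail": detail})

    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("===="):
            section = line.strip("= ").lower()
            continue
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            path = image_path(m.group("cmd")).lower()
            if ("\\appdata\\local\\temp\\" in path or "\\crack" in path
                    or m.group("name") == "<NO NAME>"):
                add("high", "autostart from user-writable/temp path", line)
            continue
        if line.endswith("- No File"):
            add("low", "orphaned entry (No File)", line)
            continue
        if line.startswith("Trusted Zone: "):
            add("low", "trusted zone", line.split(": ", 1)[1])
            continue
        m = PROXY_RE.search(line)
        if m:
            # "http=;ftp=;https=;" is an empty list; any host in a slot is worth a look
            slots = [p.split("=", 1)[1] for p in m.group("value").split(";") if "=" in p]
            if any(slots):
                add("medium", "proxy configured", m.group("value"))
            continue
        if section == "file associations" and "=" in line:
            ext, handler = line.split("=", 1)
            ext = ext.lower()
            if ext in BATCH_TYPES | SCRIPT_TYPES and not handler_is_default(ext, handler):
                add("medium", "script association redirected", line)
            continue
        m = CREATED_RE.match(line)
        if m and WINROOT_EXE_RE.match(m.group("path")):
            add("high", "executable created in Windows root", m.group("path"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f['severity']:6}] {f['category']}: {f['detail']}")
```

Two caveats on reading the output: the NOTEPAD.EXE associations may have been set deliberately (they stop double-clicked scripts from running, but they also break any batch-based cleanup tool until restored), and a random-looking executable in the Windows root is a candidate for identification (hash lookup, signature check), not an automatic delete.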
     


  4. Spax88

    Spax88 TS Rookie Topic Starter

    The Gmer scan came up with nothing. Is this right or has something gone wrong?
     
  5. Bobbye

    Bobbye, Helper on the Fringe

    GMER can leave a short log. Did the scan seem to run okay?

    Please paste the Attach.txt log in the next reply. You missed this:
    ===================================================
    You have quite a few entries that need to be removed and others that need to be identified.
    If you have any more programs or apps that have been pirated, please remove them. Example:
    Piracy and file sharing are straight roads to malware.
    =======
    Download CKScanner and save to your desktop.
    • Doubleclick CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents
      in your next reply.
    ==================================================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt log in your next reply.
    Re-enable your Antivirus software.

    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.

    Please leave all 3 logs pasted into your next reply.
     
  6. Spax88

    Spax88 TS Rookie Topic Starter

    The Gmer scan ran fine and then a pop up came up saying it had detected no changes. Do you want me to run it again?

    The attach.txt log was attached to my first post.

    DDS (Ver_2011-06-23.01)
    .
    Microsoft Windows 7 Ultimate
    Boot Device: \Device\HarddiskVolume1
    Install Date: 07/05/2010 16:23:48
    System Uptime: 26/07/2011 19:10:21 (2 hours ago)
    .
    Motherboard: Acer | | Homa
    Processor: Intel(R) Pentium(R) Dual CPU T3400 @ 2.16GHz | U2E1 | 996/166mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 143 GiB total, 19.323 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    F: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP225: 25/07/2011 17:03:22 - Scheduled Checkpoint
    .
    ==== Installed Programs ======================
    .
    7-Zip 4.65
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Apple Software Update
    ASIO4ALL
    Atheros Driver Installation Program
    Avanquest update
    Bass Station 1.50
    BBE Sonic Sweet Bundle VST RTAS v1.0
    DivX Setup
    Drumazon
    eLicenser Control
    energyXT 2.5.3
    energyXT 2.5.4
    Foxit Reader
    GEAR driver installer for x86 and x64
    Google Chrome
    Google Update Helper
    Hot Corners 2
    Intel(R) C++ Redistributables for Windows* on IA-64
    Java Auto Updater
    Java(TM) 6 Update 26
    Live 8.2.2
    MagicDisc 2.7.106
    Malwarebytes' Anti-Malware version 1.51.1.1800
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Native Instruments Guitar Rig 3
    Nepheton
    Ohm Force - Ohmicide VST
    OhmForce Predatohm VST2
    OpenOffice.org 3.2
    QuickTime
    Realtek High Definition Audio Driver
    reFX Vanguard 1.7.2
    Sonic Charge Bitspeek VST
    Sonic Charge Bitspeek VST v1.0
    Sony Ericsson PC Suite 6.009.00
    Synapse Junglist VSTi v3.2
    Tunatic
    VC80CRTRedist - 8.0.50727.4053
    VLC media player 1.1.9
    Vuze
    .
    ==== Event Viewer Messages From Past Week ========
    .
    26/07/2011 19:10:46, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\system32\athExt.dll Error Code: 126
    26/07/2011 16:43:34, Error: Service Control Manager [7031] - The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
    25/07/2011 22:40:51, Error: bowser [8003] - The master browser has received a server announcement from the computer STUFF-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{F5C8A099-E88E-48E9-BD36-F5951290968D}. The master browser is stopping or an election is being forced.
    25/07/2011 14:14:30, Error: Microsoft-Windows-SharedAccess_NAT [31004] - The DNS proxy agent was unable to allocate 0 bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.
    25/07/2011 03:31:16, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
    24/07/2011 14:18:18, Error: NetBT [4321] - The name "WORKGROUP :1d" could not be registered on the interface with IP address 192.168.0.6. The computer with the IP address 192.168.0.9 did not allow the name to be claimed by this computer.
    23/07/2011 18:24:38, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR1.
    23/07/2011 12:16:37, Error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{F5C8A099-E88E-48E9-BD36-F5951290968D} because another computer on the network has the same name. The server could not start.
    23/07/2011 12:16:37, Error: NetBT [4321] - The name "BILLYBOLLOCKS :20" could not be registered on the interface with IP address 169.254.255.107. The computer with the IP address 192.168.0.6 did not allow the name to be claimed by this computer.
    23/07/2011 12:16:37, Error: NetBT [4321] - The name "BILLYBOLLOCKS :0" could not be registered on the interface with IP address 169.254.255.107. The computer with the IP address 192.168.0.6 did not allow the name to be claimed by this computer.
    23/07/2011 12:16:26, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
    .
    ==== End Of File ===========================

    The pirated file you highlighted I only used for a day before getting rid of it, that folder was just left over after uninstalling, I've removed it now.

    CKScanner results:
    CKScanner - Additional Security Risks - These are not necessarily bad
    c:\program files (x86)\image-line\sawer\presets\ambient\mc cracked.sawer
    c:\users\joss\documents\ableton\presets\audio effects\vinyl distortion\crack.adv
    c:\users\joss\documents\ableton\presets\instruments\instrument rack\guitars and plucked\synthetic\lead-cracker.adg
    c:\users\joss\music\metal and rock\post metal\mastodon\crack the skye\01 oblivion.m4a
    c:\users\joss\music\metal and rock\post metal\mastodon\crack the skye\02 divinations.m4a
    c:\users\joss\music\metal and rock\post metal\mastodon\crack the skye\03 quintessence.m4a
    c:\users\joss\music\metal and rock\post metal\mastodon\crack the skye\04 the czar_ i. usurper ii. escape i.m4a
    c:\users\joss\music\metal and rock\post metal\mastodon\crack the skye\05 ghost of karelia.m4a
    c:\users\joss\music\metal and rock\post metal\mastodon\crack the skye\06 crack the skye.m4a
    c:\users\joss\music\metal and rock\post metal\mastodon\crack the skye\07 the last baron.m4a
    c:\users\joss\music\metal and rock\sonic youth\nyc ghosts & flowers\04 small flowers crack concrete.m4a
    c:\users\joss\renoise ting\samples\wrong music sample pack vol. 1 - ebola\other noises\crackly.wav.asd
    scanner sequence 3.GE.11.LECANO
    ----- EOF -----

    ComboFix log:
    ComboFix 11-07-29.03 - Joss 30/07/2011 16:00:02.1.2 - x64
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.44.1033.18.3001.1362 [GMT 1:00]
    Running from: c:\users\Joss\Downloads\ComboFix.exe
    AV: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
    SP: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\install.exe
    c:\programdata\hpe6AF2.dll
    c:\users\Joss\AppData\Local\Microsoft\Windows\Temporary Internet Files\Programs7067.Settings_Collection.bin
    c:\windows\SysWow64\msvfd32.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-06-28 to 2011-07-30 )))))))))))))))))))))))))))))))
    .
    .
    2011-07-30 15:06 . 2011-07-30 15:06 -------- d-----w- c:\users\Guest\AppData\Local\temp
    2011-07-30 15:06 . 2011-07-30 15:06 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-07-27 11:58 . 2011-07-13 04:53 8578896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B23ED091-F40A-4745-8642-8E08A4B48088}\mpengine.dll
    2011-07-26 22:59 . 2011-07-26 22:59 -------- d-----w- c:\users\Joss\AppData\Local\Chromium
    2011-07-26 22:59 . 2011-07-26 22:59 -------- d-----w- c:\program files (x86)\SRWare Iron
    2011-07-26 16:48 . 2011-07-26 17:04 -------- d-----w- c:\program files (x86)\energyXT
    2011-07-26 15:11 . 2003-03-18 18:04 765952 ----a-w- c:\windows\SysWow64\msvcp71d.dll
    2011-07-26 15:11 . 2003-03-18 18:03 544768 ----a-w- c:\windows\SysWow64\msvcr71d.dll
    2011-07-26 15:11 . 2011-07-26 15:11 -------- d-----w- c:\program files (x86)\BBE Sound
    2011-07-25 22:22 . 2011-03-29 13:38 233472 ----a-w- c:\windows\SysWow64\REX Shared Library.dll
    2011-07-25 15:22 . 2011-07-25 15:24 -------- d-----w- c:\program files (x86)\Common Files\DivX Shared
    2011-07-25 02:38 . 2011-07-25 02:38 -------- d-----w- c:\program files (x86)\Native Instruments
    2011-07-25 02:21 . 2011-07-25 02:21 -------- d-----w- c:\program files\OSFMount
    2011-07-25 01:03 . 2011-07-25 01:03 -------- d-----w- c:\users\Joss\TruePianos Settings
    2011-07-25 01:01 . 2011-07-25 02:40 -------- d-----w- c:\users\Joss\AppData\Roaming\Cakewalk
    2011-07-25 01:01 . 2011-07-25 01:01 -------- dc----w- c:\programdata\{D69A48BF-7653-4AA8-94BC-5847522A4573}
    2011-07-24 23:32 . 2006-02-24 08:00 487424 ----a-w- c:\windows\SysWow64\msvcp70.dll
    2011-07-24 23:32 . 2006-02-24 08:00 1047552 ----a-w- c:\windows\SysWow64\mfc71u.dll
    2011-07-24 23:09 . 2011-07-25 02:42 -------- d-----w- c:\programdata\Cakewalk
    2011-07-23 17:28 . 2011-07-23 17:28 -------- d-----w- c:\windows\MOTU
    2011-07-23 17:27 . 2011-07-23 17:28 -------- d-----w- c:\program files (x86)\MOTU
    2011-07-23 17:27 . 2011-07-23 17:28 -------- d-----w- c:\program files\MOTU
    2011-07-23 17:25 . 2011-07-23 17:25 -------- d-----w- c:\users\Joss\AppData\Local\Applications
    2011-07-22 13:43 . 2011-07-26 18:47 -------- d-----w- c:\program files (x86)\Renoise 2.7.0
    2011-07-15 01:02 . 2011-07-15 01:02 -------- d-----w- c:\program files\ESET
    2011-07-13 14:55 . 2011-07-13 14:55 -------- d-----w- c:\windows\system32\SPReview
    2011-07-13 14:48 . 2011-03-11 06:41 1659776 ----a-w- c:\windows\system32\drivers\ntfs.sys
    2011-07-13 14:42 . 2010-11-05 01:57 48976 ----a-w- c:\windows\system32\netfxperf.dll
    2011-07-13 14:42 . 2010-11-05 01:57 1942856 ----a-w- c:\windows\system32\dfshim.dll
    2011-07-13 14:40 . 2010-11-05 01:53 320352 ----a-w- c:\windows\system32\PresentationHost.exe
    2011-07-13 14:39 . 2010-11-20 13:34 215936 ----a-w- c:\windows\system32\drivers\vhdmp.sys
    2011-07-13 14:38 . 2010-11-20 13:33 289664 ----a-w- c:\windows\system32\drivers\fltMgr.sys
    2011-07-13 14:37 . 2010-11-20 13:33 152960 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
    2011-07-13 14:36 . 2010-11-20 13:27 446976 ----a-w- c:\windows\system32\sqlcese30.dll
    2011-07-13 14:35 . 2010-11-20 13:27 337920 ----a-w- c:\windows\system32\raschap.dll
    2011-07-13 14:34 . 2010-11-20 13:27 10752 ----a-w- c:\windows\system32\riched32.dll
    2011-07-13 14:33 . 2010-11-20 12:17 209920 ----a-w- c:\windows\SysWow64\PkgMgr.exe
    2011-07-13 14:33 . 2010-11-20 12:18 323072 ----a-w- c:\windows\SysWow64\drvstore.dll
    2011-07-13 14:33 . 2010-11-20 12:18 257024 ----a-w- c:\windows\SysWow64\dpx.dll
    2011-07-13 14:33 . 2010-11-20 12:19 606208 ----a-w- c:\windows\SysWow64\wbem\fastprox.dll
    2011-07-13 14:25 . 2010-11-20 13:27 524288 ----a-w- c:\windows\system32\wmicmiplugin.dll
    2011-07-13 14:25 . 2010-11-20 13:27 529408 ----a-w- c:\windows\system32\wbemcomn.dll
    2011-07-13 14:25 . 2010-11-20 13:27 1225216 ----a-w- c:\windows\system32\wbem\wbemcore.dll
    2011-07-13 14:25 . 2010-11-20 13:27 933376 ----a-w- c:\windows\system32\SmiEngine.dll
    2011-07-13 14:25 . 2010-11-20 13:25 199168 ----a-w- c:\windows\system32\PkgMgr.exe
    2011-07-13 14:23 . 2010-11-20 13:26 422912 ----a-w- c:\windows\system32\drvstore.dll
    2011-07-13 14:23 . 2010-11-20 13:26 399872 ----a-w- c:\windows\system32\dpx.dll
    2011-07-11 11:57 . 2011-07-11 11:57 -------- d-----w- c:\users\Joss\AppData\Roaming\Media Player Classic
    2011-07-11 00:49 . 2011-07-11 10:14 691551 ----a-w- c:\program files (x86)\Uninstall Information\{ABAF1232-6213-4062-9D52-04E04A730CEA}\unins000.exe
    2011-07-11 00:21 . 2011-07-11 00:21 -------- d-----w- c:\users\Joss\AppData\Local\ESET
    2011-07-04 06:59 . 2011-02-19 12:05 1139200 ----a-w- c:\windows\system32\FntCache.dll
    2011-07-04 06:59 . 2011-02-19 12:04 1544192 ----a-w- c:\windows\system32\DWrite.dll
    2011-07-04 06:59 . 2011-02-19 12:04 902656 ----a-w- c:\windows\system32\d2d1.dll
    2011-07-04 06:59 . 2011-02-19 06:30 1076736 ----a-w- c:\windows\SysWow64\DWrite.dll
    2011-07-04 06:59 . 2011-02-19 06:30 739840 ----a-w- c:\windows\SysWow64\d2d1.dll
    2011-07-04 06:59 . 2011-04-09 06:58 142336 ----a-w- c:\windows\system32\poqexec.exe
    2011-07-04 06:59 . 2011-04-09 05:56 123904 ----a-w- c:\windows\SysWow64\poqexec.exe
    2011-07-04 06:57 . 2011-02-18 10:51 31232 ----a-w- c:\windows\system32\prevhost.exe
    2011-07-04 06:57 . 2011-02-18 05:39 31232 ----a-w- c:\windows\SysWow64\prevhost.exe
    2011-07-03 08:58 . 2011-05-04 05:22 778752 ----a-w- c:\windows\system32\mssvp.dll
    2011-07-03 08:57 . 2011-05-24 11:42 404480 ----a-w- c:\windows\system32\umpnpmgr.dll
    2011-07-03 08:49 . 2011-02-23 04:55 90624 ----a-w- c:\windows\system32\drivers\bowser.sys
    2011-07-03 08:23 . 2011-07-03 08:23 -------- d-----w- c:\program files (x86)\Common Files\Java
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-07-13 15:51 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
    2011-07-13 15:51 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
    2011-07-06 18:52 . 2011-04-10 16:51 41272 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
    2011-07-06 18:52 . 2011-04-10 16:51 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-06-27 11:55 . 2011-06-12 20:12 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-06-25 16:22 . 2010-05-09 13:14 2588952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
    2011-06-25 16:22 . 2010-08-09 11:34 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
    2011-06-16 14:30 . 2010-05-16 13:13 2588952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
    2011-06-16 14:20 . 2010-06-13 16:58 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
    2011-06-15 03:59 . 2010-05-09 13:14 710976 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2011-06-10 18:20 . 2011-06-10 18:20 2892 ----a-w- c:\windows\SysWow64\audcon.sys
    2011-06-09 16:50 . 2010-05-16 13:13 710976 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
    2011-06-03 05:57 . 2011-07-13 14:48 44032 ----a-w- c:\windows\apppatch\acwow64.dll
    2011-06-03 05:56 . 2011-07-13 14:48 5120 ----a-w- c:\windows\SysWow64\wow32.dll
    2011-06-03 03:53 . 2011-07-13 14:48 2048 ----a-w- c:\windows\SysWow64\user.exe
    2011-05-24 18:14 . 2010-05-08 12:32 270720 ------w- c:\windows\system32\MpSigStub.exe
    2011-05-04 03:52 . 2010-08-10 19:43 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    "DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    MOTU Pedal Service.lnk - c:\program files (x86)\MOTU\Audio\MFWAKeys.exe [2011-3-14 188784]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" -atboottime
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe"
    .
    R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-29 136176]
    R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [x]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-29 136176]
    R3 MFWAMIDI64;MOTU Audio MIDI for 64 bit;c:\windows\system32\drivers\MFWAMIDI64.sys [x]
    R3 MFWAWAVE64;MOTU Audio Wave for 64 bit;c:\windows\system32\drivers\MFWAWAVE64.sys [x]
    R3 MotuFWA64;MotuFWA64;c:\windows\system32\drivers\Motufwa64.sys [x]
    R3 OSFMount;OSFMount;c:\program files\OSFMount\OSFMount.sys [2011-06-27 539712]
    R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [x]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
    R3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\DRIVERS\s1018bus.sys [x]
    R3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s1018mdfl.sys [x]
    R3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s1018mdm.sys [x]
    R3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s1018mgmt.sys [x]
    R3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\DRIVERS\s1018nd5.sys [x]
    R3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s1018obex.sys [x]
    R3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\DRIVERS\s1018unic.sys [x]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
    R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
    R3 WatAdminSvc;WatAdminSvc;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
    S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [x]
    S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2011-01-12 810144]
    S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [x]
    S2 OMSI download service;Sony Ericsson OMSI download service;c:\program files (x86)\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [2009-04-30 90112]
    S3 motubus;MOTU Audio MIDI Extension;c:\windows\system32\drivers\MotuBus64.sys [x]
    S3 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2mdx64.sys [x]
    S3 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sdx64.sys [x]
    S3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\DRIVERS\seehcri.sys [x]
    S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
    S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
    S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-07-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-29 22:27]
    .
    2011-07-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-29 22:27]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-02-22 1220392]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-02 159232]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-02 380928]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-02 358912]
    "Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdcBase.exe" [2007-05-31 660360]
    "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2010-07-21 2306448]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2010-07-21 2327952]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-12-23 11725928]
    "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2011-01-12 2918656]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x1
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uInternet Settings,ProxyServer = http=;ftp=;https=;
    Trusted Zone: clonewarsadventures.com
    Trusted Zone: freerealms.com
    Trusted Zone: soe.com
    Trusted Zone: sony.com
    TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
    TCP: Interfaces\{F5C8A099-E88E-48E9-BD36-F5951290968D}: NameServer = 208.67.222.222,208.67.220.220
    TCP: Interfaces\{F5C8A099-E88E-48E9-BD36-F5951290968D}\4616E6: NameServer = 208.67.222.222,208.67.220.220
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\shell32.dll
    .
    .
    ------- File Associations -------
    .
    JSEFile=NOTEPAD.EXE %1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-{88c7f2aa-f93f-432c-8f0e-b7d85967a527} - (no file)
    Wow6432Node-HKLM-Run-WinampAgent - c:\program files (x86)\Winamp\winampa.exe
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    WebBrowser-{88C7F2AA-F93F-432C-8F0E-B7D85967A527} - (no file)
    AddRemove-Sonic Charge Bitspeek VST - c:\program files (x86)\VstPlugins\SonicCharge\Uninstall Sonic Charge Bitspeek.exe
    AddRemove-{0B8565BA-BAD5-4732-B122-5FD78EFC50A9} - c:\programdata\{A397AF63-B3A1-40DF-AA85-5C5368304B60}\Service Center Setup.exe
    AddRemove-{491DF203-7B61-4F0E-BDCB-A1218C4DAFE9} - c:\programdata\{C2686527-0D57-4F0B-ADAB-EE203CA30FC6}\Massive Setup.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Windows CE Services]
    "SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\O2Micro Flash Memory Card Driver\o2flash.exe
    .
    **************************************************************************
    .
    Completion time: 2011-07-30 16:16:20 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-07-30 15:16
    .
    Pre-Run: 22,177,566,720 bytes free
    Post-Run: 34,512,289,792 bytes free
    .
    - - End Of File - - 74104FC6B2E5DE674CCC983C49564CF9


    Edit: Please don't put the logs in a quote box. It looks nice, but it takes up a lot of real estate.
    Deleted duplicate Combofix log
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
      [3]. Open Notepad > click on Format > uncheck 'Word Wrap' > and copy/paste the text in the code box below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    Folder::
    c:\users\Guest\AppData\Local\temp
    c:\users\Default\AppData\Local\temp
    DDS::
    uInternet Settings,ProxyServer = http=;ftp=;https=;
    uURLSearchHooks: H - No File
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    TB: {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - No File
    uRun: [<NO NAME>] C:\Users\Joss\AppData\Local\Temp\Crack\RealHideIP.exe
    BHO-X64: Increase performance and video formats for your HTML5 <video> - No File
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    TB-X64: {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - No File
    mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun-x64: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    FileLook::
    C:\Windows\Tzigoa.exe
    C:\Program Files (x86)\Uninstall Information\{ABAF1232-6213-4062-9D52-04E04A730CEA}\unins000.exe
    C:\Windows\SysWow64\setup16.exe
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"=-
    "SunJavaUpdateSched"=-
    "DivXUpdate"=-
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]
    "QuickTime Task"=-
    "SunJavaUpdateSched"=-
    RegLock::
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Windows CE Services]
    "SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it in your next reply.
    ====================
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the download link to get the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the installer icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ===========================================
    Recommend that you remove all of these out of the Trusted Zone:
    Trusted Zone: clonewarsadventures.com
    Trusted Zone: freerealms.com
    Trusted Zone: soe.com
    Trusted Zone: sony.com

    Nothing needs to be in the Trusted Zone. The security is lower in that zone and these sites are a vulnerability.
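    The "Trusted Zone:" lines ComboFix prints come from the Internet Explorer / WinINet security-zone map, which is a per-user (and optionally machine-wide) Windows setting stored in the registry rather than a setting of any one browser profile. The PowerShell below is an added example, not part of the thread and not one of the helper's instructions: it enumerates every host assigned to the Trusted sites (2) or Restricted sites (4) zone so the assignments can be reviewed, and provides a removal function that supports -WhatIf for a dry run. The registry locations and zone numbers are standard Windows values; the four domain names at the end are simply the ones from the log above.

```powershell
# Added example: audit the WinINet security-zone assignments that a ComboFix /
# DDS log reports as "Trusted Zone: <host>" lines.
# Zone numbers: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites.
# Assumes it is run in the profile of the user whose zone map is being examined.

function Get-ZoneMapDomains {
    param(
        # HKCU holds the per-user assignments; HKLM holds machine-wide ones.
        [string[]]$Roots = @(
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
        )
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        # Each domain is a key; subdomains are nested keys (e.g. Domains\soe.com\www).
        Get-ChildItem -Path $root -Recurse | ForEach-Object {
            $key = $_
            # Take the path below "Domains\" and reverse the nesting to rebuild the host name.
            $parts = $key.PSPath.Substring($key.PSPath.IndexOf('Domains\') + 8) -split '\\'
            [array]::Reverse($parts)
            $hostName = $parts -join '.'
            foreach ($valueName in $key.GetValueNames()) {
                # The value name is the scheme ('http', 'https' or '*'); the data is the zone number.
                [pscustomobject]@{
                    Hive   = $root.Split(':')[0]
                    Host   = $hostName
                    Scheme = $valueName
                    Zone   = [int]$key.GetValue($valueName)
                }
            }
        }
    }
}

function Remove-TrustedZoneDomain {
    # Removes a per-user zone assignment; honours -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Domain)
    $path = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$Domain"
    if (Test-Path $path) {
        if ($PSCmdlet.ShouldProcess($path, 'Remove zone assignment')) {
            Remove-Item -Path $path -Recurse
        }
    }
}

# Report everything placed in Trusted sites (2) or Restricted sites (4).
Get-ZoneMapDomains | Where-Object { $_.Zone -in 2, 4 } | Sort-Object Hive, Host | Format-Table -AutoSize

# Dry run of a cleanup of the four domains named in the log above (drop -WhatIf to apply).
foreach ($d in 'clonewarsadventures.com', 'freerealms.com', 'soe.com', 'sony.com') {
    Remove-TrustedZoneDomain -Domain $d -WhatIf
}
```

    Running the report before and after the cleanup gives a verifiable record of what was in the zone, which is more useful for a log-based thread like this one than editing the list through the Internet Options dialog.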
     
  8. Spax88

    Spax88 TS Rookie Topic Starter

    Are you referring to the trusted zone in IE because I don't use IE at all, I use Iron Browser. Or does Iron have a trusted zone as well?

    ComboFix scan log:
    ComboFix 11-08-01.05 - Joss 01/08/2011 21:54:01.2.2 - x64
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.44.1033.18.3001.2025 [GMT 1:00]
    Running from: c:\users\Joss\Desktop\ComboFix.exe
    Command switches used :: c:\users\Joss\Desktop\CFScript.txt
    AV: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
    SP: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Default\AppData\Local\temp
    c:\users\Guest\AppData\Local\temp
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-01 to 2011-08-01 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-01 15:24 . 2011-08-01 15:24 -------- dc-h--w- c:\programdata\{13A9B825-42CB-4973-913D-2194B5A4CF94}
    2011-08-01 15:23 . 2011-08-01 15:23 -------- d-----w- c:\program files\Common Files\Native Instruments
    2011-08-01 13:09 . 2011-07-13 04:53 8578896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{59D780DC-97EB-4223-9682-E3A5DD426E95}\mpengine.dll
    2011-07-26 22:59 . 2011-07-26 22:59 -------- d-----w- c:\users\Joss\AppData\Local\Chromium
    2011-07-26 22:59 . 2011-07-26 22:59 -------- d-----w- c:\program files (x86)\SRWare Iron
    2011-07-26 16:48 . 2011-07-26 17:04 -------- d-----w- c:\program files (x86)\energyXT
    2011-07-26 15:11 . 2003-03-18 18:04 765952 ----a-w- c:\windows\SysWow64\msvcp71d.dll
    2011-07-26 15:11 . 2003-03-18 18:03 544768 ----a-w- c:\windows\SysWow64\msvcr71d.dll
    2011-07-26 15:11 . 2011-07-26 15:11 -------- d-----w- c:\program files (x86)\BBE Sound
    2011-07-25 22:22 . 2011-03-29 13:38 233472 ----a-w- c:\windows\SysWow64\REX Shared Library.dll
    2011-07-25 15:22 . 2011-07-25 15:24 -------- d-----w- c:\program files (x86)\Common Files\DivX Shared
    2011-07-25 02:38 . 2011-07-25 02:38 -------- d-----w- c:\program files (x86)\Native Instruments
    2011-07-25 02:21 . 2011-07-25 02:21 -------- d-----w- c:\program files\OSFMount
    2011-07-25 01:03 . 2011-07-25 01:03 -------- d-----w- c:\users\Joss\TruePianos Settings
    2011-07-25 01:01 . 2011-07-25 02:40 -------- d-----w- c:\users\Joss\AppData\Roaming\Cakewalk
    2011-07-25 01:01 . 2011-07-25 01:01 -------- dc----w- c:\programdata\{D69A48BF-7653-4AA8-94BC-5847522A4573}
    2011-07-24 23:32 . 2006-02-24 08:00 487424 ----a-w- c:\windows\SysWow64\msvcp70.dll
    2011-07-24 23:32 . 2006-02-24 08:00 1047552 ----a-w- c:\windows\SysWow64\mfc71u.dll
    2011-07-24 23:09 . 2011-07-25 02:42 -------- d-----w- c:\programdata\Cakewalk
    2011-07-23 17:28 . 2011-07-23 17:28 -------- d-----w- c:\windows\MOTU
    2011-07-23 17:27 . 2011-07-23 17:28 -------- d-----w- c:\program files (x86)\MOTU
    2011-07-23 17:27 . 2011-07-23 17:28 -------- d-----w- c:\program files\MOTU
    2011-07-23 17:25 . 2011-07-23 17:25 -------- d-----w- c:\users\Joss\AppData\Local\Applications
    2011-07-22 13:43 . 2011-07-26 18:47 -------- d-----w- c:\program files (x86)\Renoise 2.7.0
    2011-07-15 01:02 . 2011-07-15 01:02 -------- d-----w- c:\program files\ESET
    2011-07-13 14:55 . 2011-07-13 14:55 -------- d-----w- c:\windows\system32\SPReview
    2011-07-13 14:48 . 2011-03-11 06:41 1659776 ----a-w- c:\windows\system32\drivers\ntfs.sys
    2011-07-13 14:42 . 2010-11-05 01:57 48976 ----a-w- c:\windows\system32\netfxperf.dll
    2011-07-13 14:42 . 2010-11-05 01:57 1942856 ----a-w- c:\windows\system32\dfshim.dll
    2011-07-13 14:40 . 2010-11-05 01:53 320352 ----a-w- c:\windows\system32\PresentationHost.exe
    2011-07-13 14:39 . 2010-11-20 12:21 1619456 ----a-w- c:\windows\SysWow64\WMVDECOD.DLL
    2011-07-13 14:38 . 2010-11-20 13:33 289664 ----a-w- c:\windows\system32\drivers\fltMgr.sys
    2011-07-13 14:37 . 2010-11-20 13:33 152960 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
    2011-07-13 14:36 . 2010-11-20 13:27 446976 ----a-w- c:\windows\system32\sqlcese30.dll
    2011-07-13 14:35 . 2010-11-20 13:27 337920 ----a-w- c:\windows\system32\raschap.dll
    2011-07-13 14:34 . 2010-11-20 13:27 10752 ----a-w- c:\windows\system32\riched32.dll
    2011-07-13 14:33 . 2010-11-20 12:21 189952 ----a-w- c:\windows\SysWow64\wdscore.dll
    2011-07-13 14:33 . 2010-11-20 12:17 209920 ----a-w- c:\windows\SysWow64\PkgMgr.exe
    2011-07-13 14:33 . 2010-11-20 12:18 323072 ----a-w- c:\windows\SysWow64\drvstore.dll
    2011-07-13 14:33 . 2010-11-20 12:18 257024 ----a-w- c:\windows\SysWow64\dpx.dll
    2011-07-13 14:33 . 2010-11-20 12:21 363008 ----a-w- c:\windows\SysWow64\wbemcomn.dll
    2011-07-13 14:33 . 2010-11-20 12:19 606208 ----a-w- c:\windows\SysWow64\wbem\fastprox.dll
    2011-07-13 14:25 . 2010-11-20 13:27 524288 ----a-w- c:\windows\system32\wmicmiplugin.dll
    2011-07-13 14:25 . 2010-11-20 13:27 529408 ----a-w- c:\windows\system32\wbemcomn.dll
    2011-07-13 14:25 . 2010-11-20 13:27 1225216 ----a-w- c:\windows\system32\wbem\wbemcore.dll
    2011-07-13 14:25 . 2010-11-20 13:27 933376 ----a-w- c:\windows\system32\SmiEngine.dll
    2011-07-13 14:25 . 2010-11-20 13:25 199168 ----a-w- c:\windows\system32\PkgMgr.exe
    2011-07-13 14:23 . 2010-11-20 13:26 422912 ----a-w- c:\windows\system32\drvstore.dll
    2011-07-13 14:23 . 2010-11-20 13:26 399872 ----a-w- c:\windows\system32\dpx.dll
    2011-07-11 11:57 . 2011-07-11 11:57 -------- d-----w- c:\users\Joss\AppData\Roaming\Media Player Classic
    2011-07-11 00:49 . 2011-07-11 10:14 691551 ----a-w- c:\program files (x86)\Uninstall Information\{ABAF1232-6213-4062-9D52-04E04A730CEA}\unins000.exe
    2011-07-11 00:21 . 2011-07-11 00:21 -------- d-----w- c:\users\Joss\AppData\Local\ESET
    2011-07-04 06:59 . 2011-02-19 12:05 1139200 ----a-w- c:\windows\system32\FntCache.dll
    2011-07-04 06:59 . 2011-02-19 12:04 1544192 ----a-w- c:\windows\system32\DWrite.dll
    2011-07-04 06:59 . 2011-02-19 12:04 902656 ----a-w- c:\windows\system32\d2d1.dll
    2011-07-04 06:59 . 2011-02-19 06:30 1076736 ----a-w- c:\windows\SysWow64\DWrite.dll
    2011-07-04 06:59 . 2011-02-19 06:30 739840 ----a-w- c:\windows\SysWow64\d2d1.dll
    2011-07-04 06:59 . 2011-04-09 06:58 142336 ----a-w- c:\windows\system32\poqexec.exe
    2011-07-04 06:59 . 2011-04-09 05:56 123904 ----a-w- c:\windows\SysWow64\poqexec.exe
    2011-07-04 06:57 . 2011-02-18 10:51 31232 ----a-w- c:\windows\system32\prevhost.exe
    2011-07-04 06:57 . 2011-02-18 05:39 31232 ----a-w- c:\windows\SysWow64\prevhost.exe
    2011-07-03 08:58 . 2011-05-04 05:22 778752 ----a-w- c:\windows\system32\mssvp.dll
    2011-07-03 08:57 . 2011-05-24 11:42 404480 ----a-w- c:\windows\system32\umpnpmgr.dll
    2011-07-03 08:49 . 2011-02-23 04:55 90624 ----a-w- c:\windows\system32\drivers\bowser.sys
    2011-07-03 08:23 . 2011-07-03 08:23 -------- d-----w- c:\program files (x86)\Common Files\Java
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-07-13 15:51 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
    2011-07-13 15:51 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
    2011-07-06 18:52 . 2011-04-10 16:51 41272 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
    2011-07-06 18:52 . 2011-04-10 16:51 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-06-27 11:55 . 2011-06-12 20:12 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-06-25 16:22 . 2010-05-09 13:14 2588952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
    2011-06-25 16:22 . 2010-08-09 11:34 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
    2011-06-16 14:30 . 2010-05-16 13:13 2588952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
    2011-06-16 14:20 . 2010-06-13 16:58 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
    2011-06-15 03:59 . 2010-05-09 13:14 710976 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2011-06-10 18:20 . 2011-06-10 18:20 2892 ----a-w- c:\windows\SysWow64\audcon.sys
    2011-06-09 16:50 . 2010-05-16 13:13 710976 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
    2011-06-03 05:57 . 2011-07-13 14:48 44032 ----a-w- c:\windows\apppatch\acwow64.dll
    2011-05-24 18:14 . 2010-05-08 12:32 270720 ------w- c:\windows\system32\MpSigStub.exe
    2011-05-04 03:52 . 2010-08-10 19:43 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    --- c:\program files (x86)\Uninstall Information\{ABAF1232-6213-4062-9D52-04E04A730CEA}\unins000.exe ---
    Company:
    File Description: Setup/Uninstall
    File Version: 51.49.0.0
    Product Name:
    Copyright:
    Original Filename:
    File size: 691551
    Created time: 2011-07-11 00:49
    Modified time: 2011-07-11 10:14
    MD5: FE767632C09A933DA2230B1E83EBB48E
    SHA1: 05F8CE4E2AFA9040B9A8356B4E39C0BB8D8D0AED
    .
    .
    --- c:\windows\SysWow64\setup16.exe ---
    Company: Microsoft Corporation
    File Description: MS-Setup Setup Exe
    File Version: 3.01 (win7_rtm.090713-1255)
    Product Name: Microsoft® Windows® Operating System
    Copyright: Copyright © Microsoft Corp. 1991-1997
    Original Filename: SETUP.EXE.MUI
    File size: 25600
    Created time: 2011-07-13 14:48
    Modified time: 2011-06-03 05:57
    MD5: 026C31765BB3B867818F9C95450226C7
    SHA1: 2FF8D20C964F6A3834A38901126D46940B4BE6D1
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-07-30_15.09.33 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-07-14 05:10 . 2011-08-01 21:24 40774 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2010-05-07 15:26 . 2011-08-01 21:24 18928 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-223097677-2296790081-3549509352-1000_UserData.bin
    - 2010-05-07 14:20 . 2011-07-27 13:31 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2010-05-07 14:20 . 2011-08-01 18:10 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2010-05-07 14:20 . 2011-07-27 13:31 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2010-05-07 14:20 . 2011-08-01 18:10 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-07-14 04:54 . 2011-07-27 13:31 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-07-14 04:54 . 2011-08-01 18:10 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2010-05-08 12:21 . 2011-08-01 21:05 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2010-05-08 12:21 . 2011-07-30 15:10 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-07-14 04:46 . 2011-07-31 06:26 90520 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
    + 2010-05-08 12:21 . 2011-08-01 21:05 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2010-05-08 12:21 . 2011-07-30 15:10 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2010-05-08 12:21 . 2011-07-30 15:10 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2010-05-08 12:21 . 2011-08-01 21:05 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2010-05-07 15:27 . 2011-07-30 15:10 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2010-05-07 15:27 . 2011-08-01 21:06 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2010-05-07 15:27 . 2011-08-01 21:06 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2010-05-07 15:27 . 2011-07-30 15:10 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2011-08-01 13:36 . 2011-08-01 13:36 25088 c:\windows\Installer\1c7979.msi
    + 2011-08-01 21:03 . 2011-08-01 21:03 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2011-07-30 15:08 . 2011-07-30 15:08 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2011-07-30 15:08 . 2011-07-30 15:08 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2011-08-01 21:03 . 2011-08-01 21:03 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2010-05-07 23:45 . 2011-08-01 15:11 182762 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
    + 2009-07-14 05:12 . 2011-08-01 18:10 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
    - 2009-07-14 05:12 . 2011-07-17 10:32 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
    - 2009-07-14 05:01 . 2011-07-30 15:07 283324 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2009-07-14 05:01 . 2011-08-01 21:01 283324 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2011-08-01 15:23 . 2011-08-01 15:23 528384 c:\windows\Installer\7e14bb.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    "DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    MOTU Pedal Service.lnk - c:\program files (x86)\MOTU\Audio\MFWAKeys.exe [2011-3-14 188784]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" -atboottime
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe"
    .
    R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-29 136176]
    R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [x]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-29 136176]
    R3 MFWAMIDI64;MOTU Audio MIDI for 64 bit;c:\windows\system32\drivers\MFWAMIDI64.sys [x]
    R3 MFWAWAVE64;MOTU Audio Wave for 64 bit;c:\windows\system32\drivers\MFWAWAVE64.sys [x]
    R3 MotuFWA64;MotuFWA64;c:\windows\system32\drivers\Motufwa64.sys [x]
    R3 OSFMount;OSFMount;c:\program files\OSFMount\OSFMount.sys [2011-06-27 539712]
    R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [x]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
    R3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\DRIVERS\s1018bus.sys [x]
    R3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s1018mdfl.sys [x]
    R3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s1018mdm.sys [x]
    R3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s1018mgmt.sys [x]
    R3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\DRIVERS\s1018nd5.sys [x]
    R3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s1018obex.sys [x]
    R3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\DRIVERS\s1018unic.sys [x]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
    R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
    R3 WatAdminSvc;WatAdminSvc;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
    S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [x]
    S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2011-01-12 810144]
    S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [x]
    S2 OMSI download service;Sony Ericsson OMSI download service;c:\program files (x86)\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [2009-04-30 90112]
    S3 motubus;MOTU Audio MIDI Extension;c:\windows\system32\drivers\MotuBus64.sys [x]
    S3 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2mdx64.sys [x]
    S3 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sdx64.sys [x]
    S3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\DRIVERS\seehcri.sys [x]
    S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
    S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
    S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-08-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-29 22:27]
    .
    2011-08-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-29 22:27]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-02-22 1220392]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-02 159232]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-02 380928]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-02 358912]
    "Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdcBase.exe" [2007-05-31 660360]
    "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2010-07-21 2306448]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2010-07-21 2327952]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-12-23 11725928]
    "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2011-01-12 2918656]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    Trusted Zone: clonewarsadventures.com
    Trusted Zone: freerealms.com
    Trusted Zone: soe.com
    Trusted Zone: sony.com
    TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
    TCP: Interfaces\{F5C8A099-E88E-48E9-BD36-F5951290968D}: NameServer = 208.67.222.222,208.67.220.220
    TCP: Interfaces\{F5C8A099-E88E-48E9-BD36-F5951290968D}\4616E6: NameServer = 208.67.222.222,208.67.220.220
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\shell32.dll
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Windows CE Services]
    "SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\O2Micro Flash Memory Card Driver\o2flash.exe
    .
    **************************************************************************
    .
    Completion time: 2011-08-01 22:28:24 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-08-01 21:28
    ComboFix2.txt 2011-07-30 15:16
    .
    Pre-Run: 34,536,787,968 bytes free
    Post-Run: 34,482,634,752 bytes free
    .
    - - End Of File - - 43A449F6CD116A45C7EBAFDF54A27E70



    C:\Users\Joss\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\21\43d86215-408da194 multiple threats
    C:\Users\Joss\Documents\Vuze Downloads\Windows 7 Loader eXtreme Edition v3.503-NAPALUM~DiBYA\w7lxe.exe a variant of Win32/HackKMS.A application
    C:\Users\Joss\Renoise Ting\Novation\n.exe a variant of Win32/Keygen.AD application

    Edit: Quote attributes removed again. Please do not put logs in Quotes.
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    The operating system has been pirated:
    Windows 7 Loader Extreme Edition – is a tool that can be used to activate any version of Windows 7/ Vista/ Server 2008 R2/ 2008.

    C:\Users\Joss\Documents\Vuze Downloads\Windows 7 Loader eXtreme Edition v3.503-NAPALUM~DiBYA\w7lxe.exe a variant of Win32/HackKMS.A application

    As has Novation:
    C:\Users\Joss\Renoise Ting\Novation\n.exe a variant of Win32/Keygen.AD application

    And you're going to keep getting malware.

    Support is withdrawn.
     