Windows 7 rootkit/malware problem 888 casino popup on Google Chrome

Solved
By Izdeb
Feb 28, 2012
Topic Status:
Not open for further replies.
  1. Hello, I recently have this popup problem with Google Chrome. I have NOD32 antivirus installed and working non-stop; I've scanned with Malwarebytes' Anti-Malware and it didn't show anything. I've deleted the cookies and still nothing changes. I'm pasting logs from aswMBR and ComboFix below. Please help.


    aswMBR version 0.9.9.1649 Copyright(c) 2011 AVAST Software
    Run date: 2012-02-28 13:14:54
    -----------------------------
    13:14:54.747 OS Version: Windows x64 6.1.7600
    13:14:54.747 Number of processors: 4 586 0x403
    13:14:54.748 ComputerName: IZDEB-PC UserName: Izdeb
    13:14:57.331 Initialize success
    13:15:17.873 AVAST engine defs: 12022801
    13:15:23.959 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
    13:15:23.961 Disk 0 Vendor: ST31000528AS CC38 Size: 953868MB BusType: 3
    13:15:23.969 Disk 0 MBR read successfully
    13:15:23.971 Disk 0 MBR scan
    13:15:23.975 Disk 0 Windows 7 default MBR code
    13:15:23.984 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
    13:15:23.997 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 99899 MB offset 206848
    13:15:24.016 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 400000 MB offset 204800000
    13:15:24.039 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 453867 MB offset 1024000000
    13:15:24.072 Disk 0 scanning C:\Windows\system32\drivers
    13:15:36.281 Service scanning
    13:15:55.735 Modules scanning
    13:15:55.753 Disk 0 trace - called modules:
    13:15:55.778 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80046f32c0]<<spmp.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
    13:15:55.789 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004a70060]
    13:15:55.800 3 CLASSPNP.SYS[fffff8800180143f] -> nt!IofCallDriver -> [0xfffffa800494c9b0]
    13:15:55.811 5 ACPI.sys[fffff880011b3781] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004a5c060]
    13:15:55.816 \Driver\atapi[0xfffffa8004788e70] -> IRP_MJ_CREATE -> 0xfffffa80046f32c0
    13:15:56.645 AVAST engine scan C:\Windows
    13:15:59.108 AVAST engine scan C:\Windows\system32
    13:20:03.638 AVAST engine scan C:\Windows\system32\drivers
    13:20:33.021 AVAST engine scan C:\Users\Izdeb
    13:22:39.598 AVAST engine scan C:\ProgramData
    13:24:37.522 Scan finished successfully
    13:27:48.616 Disk 0 MBR has been saved successfully to "C:\Users\Izdeb\Desktop\MBR.dat"
    13:27:48.621 The log file has been saved successfully to "C:\Users\Izdeb\Desktop\aswMBR.txt"



    ComboFix 12-02-27.02 - Izdeb 2012-02-28 13:39:27.1.4 - x64
    Microsoft Windows 7 Ultimate 6.1.7600.0.1250.48.1033.18.4095.2720 [GMT 1:00]
    Run from: c:\users\Izdeb\Desktop\ComboFix.exe
    AV: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
    SP: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((( Files Created From 2012-01-28 to 2012-02-28 )))))))))))))))))))))))))))))))
    .
    .
    2012-02-28 12:42 . 2012-02-28 12:42 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-02-28 08:24 . 2012-02-28 08:24 -------- d-----w- c:\users\Izdeb\AppData\Roaming\Malwarebytes
    2012-02-25 18:52 . 2012-02-25 18:52 -------- d-----w- c:\windows\Sun
    2012-02-22 19:40 . 2012-02-22 19:40 -------- d-----w- c:\program files (x86)\Common Files\Blizzard Entertainment
    2012-02-15 20:13 . 2012-02-15 20:13 -------- d-----w- c:\users\Izdeb\AppData\Roaming\U3
    2012-02-15 15:14 . 2012-02-19 18:47 -------- d-----w- c:\programdata\EA Logs
    2012-02-15 15:08 . 2012-02-15 15:08 -------- d-----w- c:\program files (x86)\NVIDIA Corporation
    2012-02-15 15:08 . 2012-02-15 15:08 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard
    2012-02-04 16:09 . 2012-02-04 16:09 -------- d-----w- c:\users\Izdeb\AppData\Roaming\BigHugeEngine
    2012-02-03 15:25 . 2012-02-03 15:25 -------- d-----w- c:\windows\system32\appmgmt
    2012-02-02 18:32 . 2012-02-02 18:32 -------- d-----w- c:\users\Izdeb\AppData\Local\ESET
    2012-02-01 16:59 . 2012-02-01 16:59 -------- d-----w- c:\programdata\LightScribe
    2012-02-01 16:59 . 2012-02-01 17:09 -------- d-----w- c:\users\Izdeb\AppData\Roaming\Nero
    2012-02-01 16:58 . 2012-02-01 16:58 -------- d-----w- c:\program files (x86)\Common Files\Nero
    2012-02-01 16:58 . 2012-02-01 16:58 -------- d-----w- c:\program files (x86)\Nero
    2012-02-01 16:58 . 2012-02-01 16:58 -------- d-----w- c:\programdata\Nero
    2012-01-31 18:51 . 2012-01-31 18:51 -------- d-----w- c:\users\Izdeb\AppData\Roaming\LolClient
    2012-01-31 18:37 . 2008-07-12 07:18 467984 ----a-w- c:\windows\SysWow64\d3dx10_39.dll
    2012-01-31 18:37 . 2008-07-12 07:18 1493528 ----a-w- c:\windows\SysWow64\D3DCompiler_39.dll
    2012-01-31 18:37 . 2008-07-12 07:18 3851784 ----a-w- c:\windows\SysWow64\D3DX9_39.dll
    2012-01-31 16:55 . 2012-01-31 16:55 -------- d-----w- c:\program files\7-Zip
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-02-27 19:24 . 2011-12-28 19:40 282864 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
    2012-02-27 19:24 . 2011-12-28 18:57 282864 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
    2012-02-27 19:23 . 2011-12-28 18:57 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
    2012-02-19 16:49 . 2011-12-28 18:57 76888 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
    2012-01-05 15:24 . 2011-12-29 15:59 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-12-29 16:04 . 2011-12-29 16:04 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2011-12-13 20:02 . 2011-12-14 15:37 115216 ----a-w- c:\windows\system32\drivers\AtihdW76.sys
    2011-12-13 20:02 . 2011-12-14 15:37 58880 ----a-w- c:\windows\system32\coinst.dll
    2011-12-13 20:02 . 2011-12-14 15:37 40448 ----a-w- c:\windows\system32\atiuxp64.dll
    2011-12-13 20:02 . 2011-12-14 15:37 3631104 ----a-w- c:\windows\SysWow64\atiumdva.dll
    2011-12-13 20:02 . 2011-12-14 15:37 31232 ----a-w- c:\windows\SysWow64\atiuxpag.dll
    2011-12-13 20:02 . 2011-12-14 15:37 278528 ----a-w- c:\windows\SysWow64\Oemdspif.dll
    2011-12-13 20:02 . 2011-12-14 15:37 1912832 ----a-w- c:\windows\SysWow64\atiumdmv.dll
    2011-12-13 20:02 . 2011-12-14 15:37 4246016 ----a-w- c:\windows\SysWow64\atiumdag.dll
    2011-12-13 20:02 . 2011-12-14 15:37 3420672 ----a-w- c:\windows\system32\atiumd6a.dll
    2011-12-13 20:02 . 2011-12-14 15:37 1208320 ----a-w- c:\windows\system32\atiumd6v.dll
    2011-12-13 20:02 . 2011-12-14 15:37 5395968 ----a-w- c:\windows\system32\atiumd64.dll
    2011-12-13 20:02 . 2011-12-14 15:37 423424 ----a-w- c:\windows\system32\atipdl64.dll
    2011-12-13 20:02 . 2011-12-14 15:37 38912 ----a-w- c:\windows\system32\atiu9p64.dll
    2011-12-13 20:02 . 2011-12-14 15:37 356352 ----a-w- c:\windows\SysWow64\atipdlxx.dll
    2011-12-13 20:02 . 2011-12-14 15:37 29184 ----a-w- c:\windows\SysWow64\atiu9pag.dll
    2011-12-13 20:02 . 2011-12-14 15:37 17469952 ----a-w- c:\windows\SysWow64\atioglxx.dll
    2011-12-13 20:02 . 2011-12-14 15:37 120320 ----a-w- c:\windows\system32\atitmm64.dll
    2011-12-13 20:02 . 2011-12-14 15:37 332800 ----a-w- c:\windows\system32\ATIODE.exe
    2011-12-13 20:02 . 2011-12-14 15:37 51200 ----a-w- c:\windows\system32\ATIODCLI.exe
    2011-12-13 20:02 . 2011-12-14 15:37 22623232 ----a-w- c:\windows\system32\atio6axx.dll
    2011-12-13 20:02 . 2011-12-14 15:37 53760 ----a-w- c:\windows\system32\atimpc64.dll
    2011-12-13 20:02 . 2011-12-14 15:37 53760 ----a-w- c:\windows\system32\amdpcom64.dll
    2011-12-13 20:02 . 2011-12-14 15:37 52736 ----a-w- c:\windows\SysWow64\atimpc32.dll
    2011-12-13 20:02 . 2011-12-14 15:37 52736 ----a-w- c:\windows\SysWow64\amdpcom32.dll
    2011-12-13 20:02 . 2011-12-14 15:37 303616 ----a-w- c:\windows\system32\drivers\atikmpag.sys
    2011-12-13 20:02 . 2011-12-14 15:37 16384 ----a-w- c:\windows\system32\atimuixx.dll
    2011-12-13 20:02 . 2011-12-14 15:37 9319424 ----a-w- c:\windows\system32\drivers\atikmdag.sys
    2011-12-13 20:02 . 2011-12-14 15:37 59392 ----a-w- c:\windows\system32\atiedu64.dll
    2011-12-13 20:02 . 2011-12-14 15:37 5080576 ----a-w- c:\windows\system32\atidxx64.dll
    2011-12-13 20:02 . 2011-12-14 15:37 480256 ----a-w- c:\windows\system32\atieclxx.exe
    2011-12-13 20:02 . 2011-12-14 15:37 39936 ----a-w- c:\windows\system32\atig6txx.dll
    2011-12-13 20:02 . 2011-12-14 15:37 32768 ----a-w- c:\windows\SysWow64\atigktxx.dll
    2011-12-13 20:02 . 2011-12-14 15:37 203776 ----a-w- c:\windows\system32\atiesrxx.exe
    2011-12-13 20:02 . 2011-12-14 15:37 14848 ----a-w- c:\windows\system32\atig6pxx.dll
    2011-12-13 20:02 . 2011-12-14 15:37 12800 ----a-w- c:\windows\SysWow64\atiglpxx.dll
    2011-12-13 20:02 . 2011-12-14 15:37 12800 ----a-w- c:\windows\system32\atiglpxx.dll
    2011-12-13 20:02 . 2011-12-14 15:37 788480 ----a-w- c:\windows\system32\aticfx64.dll
    2011-12-13 20:02 . 2011-12-14 15:37 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll
    2011-12-13 20:02 . 2011-12-14 15:37 4304896 ----a-w- c:\windows\SysWow64\atidxx32.dll
    2011-12-13 20:02 . 2011-12-14 15:37 7467008 ----a-w- c:\windows\system32\aticaldd64.dll
    2011-12-13 20:02 . 2011-12-14 15:37 671744 ----a-w- c:\windows\SysWow64\aticfx32.dll
    2011-12-13 20:02 . 2011-12-14 15:37 51200 ----a-w- c:\windows\system32\aticalrt64.dll
    2011-12-13 20:02 . 2011-12-14 15:37 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll
    2011-12-13 20:02 . 2011-12-14 15:37 6098432 ----a-w- c:\windows\SysWow64\aticaldd.dll
    2011-12-13 20:02 . 2011-12-14 15:37 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
    2011-12-13 20:02 . 2011-12-14 15:37 44544 ----a-w- c:\windows\system32\aticalcl64.dll
    2011-12-13 20:02 . 2011-12-14 15:37 44032 ----a-w- c:\windows\SysWow64\aticalcl.dll
    2011-12-13 20:02 . 2011-12-14 15:37 43520 ----a-w- c:\windows\SysWow64\ati2edxx.dll
    2011-12-13 20:02 . 2011-12-14 15:37 361984 ----a-w- c:\windows\system32\atiadlxx.dll
    2011-12-13 20:02 . 2011-12-14 15:37 258048 ----a-w- c:\windows\SysWow64\atiadlxy.dll
    2011-12-13 20:02 . 2011-12-14 15:37 147456 ----a-w- c:\windows\system32\atiapfxx.exe
    2011-12-13 20:02 . 2011-12-14 15:37 118784 ----a-w- c:\windows\system32\atibtmon.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "uTorrent"="c:\program files (x86)\uTorrent\uTorrent.exe" [2012-02-22 740216]
    "DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-04-27 113288]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-04-27 336384]
    "DeathAdder"="c:\program files (x86)\Razer\DeathAdder\razerhid.exe" [2011-03-21 248320]
    "GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    "Spik"="c:\program files (x86)\Spik\Spik.exe" [2011-06-07 109424]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    R1 EIO64;EIO Driver;c:\windows\system32\DRIVERS\EIO64.sys [x]
    R3 AODDriver4.0;AODDriver4.0;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [x]
    R4 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
    S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
    S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [x]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
    S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-04-27 365568]
    S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [x]
    S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2011-01-12 810144]
    S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [x]
    S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [x]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
    S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
    S3 danewFltr;NewDeathAdder Mouse;c:\windows\system32\drivers\danew.sys [x]
    S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
    S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
    S3 VKbms;Virtual HID Minidriver;c:\windows\system32\DRIVERS\VKbms.sys [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-07-06 11057768]
    "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2011-12-28 2918656]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 10.1.1.1 153.13.250.100
    Handler: wpmsg - {2E0AC5A0-3597-11D6-B3ED-0001021DC1C3} - c:\program files (x86)\Spik\url_wpmsg.dll
    .
    - - - - ORPHANS REMOVED - - - -
    .
    AddRemove-Battlelog Web Plugins - c:\program files (x86)\Battlelog Web Plugins\uninstall.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\ESET\ESET Security\CurrentVersion\Info]
    @Denied: (2) (LocalSystem)
    "AppDataDir"="c:\\ProgramData\\ESET\\ESET NOD32 Antivirus\\"
    "DataDir"="ESET\\ESET NOD32 Antivirus\\"
    "EditionName"=" "
    "InstallDir"="c:\\Program Files\\ESET\\ESET NOD32 Antivirus\\"
    "LanguageId"=dword:00000409
    "PackageTag"=dword:00000000
    "ProductBase"=dword:00000000
    "ProductCode"="{50E9E32F-063A-412A-9627-553D5DA57C17}"
    "ProductName"="ESET NOD32 Antivirus"
    "ProductType"="eav"
    "ProductVersion"="4.2.71.2"
    "UniqueId"="0003BE6E4EFB470D"
    "ScannerBuild"=dword:00001dd3
    "ScannerVersionId"=dword:000015fe
    "ScannerVersion"="ready"
    "ei2"=hex(b):33,fd,47,8e,0f,39,39,ed
    "ei1"=hex(b):20,cf,30,f5,53,cc,00,00
    "ei3"=hex(b):da,48,fb,4e,00,00,00,00
    "ei4"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\ASUS\GPU Boost Driver\GpuBoostServer.exe
    c:\windows\SysWOW64\PnkBstrA.exe
    c:\program files (x86)\Razer\DeathAdder\razertra.exe
    c:\program files (x86)\Razer\DeathAdder\razerofa.exe
    c:\program files (x86)\Razer\DeathAdder\vdDaemon.exe
    .
    **************************************************************************
    .
    Completion time: 2012-02-28 13:47:25 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-02-28 12:47
    .
    Pre-Run: 48,501,235,712 bytes free
    Post-Run: 57,781,932,032 bytes free
    .
    - - End Of File - - 3DCD4AFE05009654E40AB506AFF3BFC6
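One thing in the ComboFix log above that none of the scanners flag is the policies\system block: EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop are all 0, which means UAC is switched off and anything running as this user already runs unrestricted. As an added example (editor's code, not from the poster, the forum helper, or any of the tools), here is a small Python triage script that parses the registry loading-points section of a ComboFix log, reports UAC values that differ from the Windows 7 defaults, and applies a simple path heuristic to Run-key entries. The embedded log lines are a subset copied from the post above; the `CONSTRUCTED_EXTRA` entry and the list of trusted roots are assumptions of this example, not findings about this machine.

```python
import re

# Sample input: a few lines excerpted from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files (x86)\uTorrent\uTorrent.exe" [2012-02-22 740216]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Spik"="c:\program files (x86)\Spik\Spik.exe" [2011-06-07 109424]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
"""

# Constructed entry (not from the thread) to show the path heuristic firing.
CONSTRUCTED_EXTRA = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="c:\users\example\appdata\roaming\updater\updater.exe" [2012-02-27 51200]
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"(?:\s+\[(?P<meta>[^\]]*)\])?$')
POLICY_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<val>\d+)\s*\(0x[0-9a-fA-F]+\)$')

# Windows 7 default UAC settings; a machine reporting anything else is worth a finding.
UAC_EXPECTED = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}

# Assumed roots under which autostart binaries normally live; anything else gets a closer look.
TRUSTED_ROOTS = ("c:\\program files", "c:\\windows")


def parse_combofix(text):
    """Return (run_entries, policies).

    run_entries: list of (registry key, value name, binary path) from every ...\\Run key.
    policies:    {value name: int} from the ...\\policies\\system key.
    """
    run_entries, policies, key = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")          # a new [HKEY_...] header switches context
            continue
        if key is None or line in ("", "."):
            continue                       # ComboFix pads sections with lone dots
        if key.lower().endswith("\\currentversion\\run"):
            m = RUN_RE.match(line)
            if m:
                run_entries.append((key, m.group("name"), m.group("path")))
        elif key.lower().endswith("\\policies\\system"):
            m = POLICY_RE.match(line)
            if m:
                policies[m.group("name")] = int(m.group("val"))
    return run_entries, policies


def triage(text):
    """Return a list of human-readable findings: weakened UAC values first, then
    Run-key binaries that live outside the trusted roots."""
    run_entries, policies = parse_combofix(text)
    findings = []
    for name, expected in UAC_EXPECTED.items():
        actual = policies.get(name)
        if actual is not None and actual != expected:
            findings.append(f"UAC: {name}={actual} (Windows 7 default is {expected})")
    for key, name, path in run_entries:
        if not path.lower().startswith(TRUSTED_ROOTS):
            findings.append(f"Autostart outside trusted roots: {name} -> {path} ({key})")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG + CONSTRUCTED_EXTRA):
        print(finding)
```

Run against the excerpt alone the script produces three UAC findings and no autostart finding (uTorrent, DAEMON Tools Lite and Spik all sit under Program Files); appending the constructed AppData entry adds a fourth line. The path heuristic is deliberately crude: it is a prompt to look closer, not a verdict, and a real triage would also check the entries under Wow6432Node and the x64 Run key separately, as ComboFix lists them.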
  2. Bobbye (Helper on the Fringe)

    Looks like you followed someone else's directions!

    I'm not sure what this is:


    But the ESET entry is in ComboFix. Please uninstall ComboFix and all backups of the files it deleted:
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    ==================================
    If you would like us to check the system for malware, please follow these steps: Preliminary Virus and Malware Removal.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply .
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
    ==================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
      *****************************************************
    • Observe these:
      [o] Don't follow directions given to someone else
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    ****************************************************
    If I haven't replied back to you within 48 hours, you can send a PM with your thread link in it as a reminder. Do not include technical problems from your thread. Support is given only in the forum.
    Threads are closed after 5 days if there is no reply.
  3. Izdeb (Topic Starter)

    Log from instructions

    OK, so I did everything in the instructions. Here are the logs:
    P.S. ESET NOD32 4 is my antivirus software.



    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.02.28.04

    Windows 7 x64 NTFS
    Internet Explorer 8.0.7600.16385
    Izdeb :: IZDEB-PC [administrator]

    2012-02-28 18:39:45
    mbam-log-2012-02-28 (18-39-45).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 191868
    Time elapsed: 3 minute(s), 37 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

    GMER

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-02-28 20:24:37
    Windows 6.1.7600
    Running: c83wzzyj.exe


    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC6 0xC4 0x7E 0xD3 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xDA 0x84 0x0B 0x71 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xB3 0x17 0x3E 0xAF ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC6 0xC4 0x7E 0xD3 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xDA 0x84 0x0B 0x71 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xB3 0x17 0x3E 0xAF ...

    ---- EOF - GMER 1.0.15 ----


    DDS



    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_30
    Run by Izdeb at 20:25:19 on 2012-02-28
    Microsoft Windows 7 Ultimate 6.1.7600.0.1250.48.1033.18.4095.2765 [GMT 1:00]
    .
    AV: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
    SP: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\atieclxx.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
    C:\Windows\system32\taskhost.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\ASUS\GPU Boost Driver\GpuBoostServer.exe
    C:\Windows\Explorer.EXE
    C:\Windows\SysWOW64\PnkBstrA.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
    C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files (x86)\Razer\DeathAdder\razertra.exe
    C:\Program Files (x86)\Razer\DeathAdder\razerofa.exe
    C:\Program Files (x86)\Razer\DeathAdder\vdDaemon.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLL
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    uRun: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe" /MINIMIZED
    uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
    mRun: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
    mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun: [DeathAdder] C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe
    mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [Spik] C:\Program Files (x86)\Spik\Spik.exe -autostart
    mRunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    TCP: DhcpNameServer = 10.1.1.1 153.13.250.100
    TCP: Interfaces\{699F4EE6-2420-43BF-A274-6F0EA38FB4EE} : DhcpNameServer = 10.1.1.1 153.13.250.100
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~2\MICROS~1\Office12\GRA32A~1.DLL
    Handler: wpmsg - {2E0AC5A0-3597-11D6-B3ED-0001021DC1C3} - C:\Program Files (x86)\Spik\url_wpmsg.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLL
    {18DF081C-E8AD-4283-A596-FA578C2EBDC3}
    {72853161-30C5-4D22-B7F9-0BBC1D38A37E}
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
    {9030D464-4C02-4ABF-8ECC-5164760863C6}
    {DBC80044-A445-435b-BC74-9C25C1C588A9}
    mRun-x64: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
    mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun-x64: [DeathAdder] C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe
    mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
    mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun-x64: [Spik] C:\Program Files (x86)\Spik\Spik.exe -autostart
    mRunOnce-x64: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    SEH-X64: {B5A7F190-DDA6-4420-B3BA-52453494E6CD}: Groove GFS Stub Execution Hook
    .
    ============= SERVICES / DRIVERS ===============
    .
    R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
    R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-4-27 365568]
    R2 eamonm;eamonm;C:\Windows\system32\DRIVERS\eamonm.sys --> C:\Windows\system32\DRIVERS\eamonm.sys [?]
    R2 ekrn;ESET Service;C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2011-1-12 810144]
    R2 epfwwfpr;epfwwfpr;C:\Windows\system32\DRIVERS\epfwwfpr.sys --> C:\Windows\system32\DRIVERS\epfwwfpr.sys [?]
    R3 amdiox64;AMD IO Driver;C:\Windows\system32\DRIVERS\amdiox64.sys --> C:\Windows\system32\DRIVERS\amdiox64.sys [?]
    R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
    R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
    R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
    R3 danewFltr;NewDeathAdder Mouse;C:\Windows\system32\drivers\danew.sys --> C:\Windows\system32\drivers\danew.sys [?]
    R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\nusb3hub.sys --> C:\Windows\system32\DRIVERS\nusb3hub.sys [?]
    R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\nusb3xhc.sys --> C:\Windows\system32\DRIVERS\nusb3xhc.sys [?]
    R3 VKbms;Virtual HID Minidriver;C:\Windows\system32\DRIVERS\VKbms.sys --> C:\Windows\system32\DRIVERS\VKbms.sys [?]
    S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
    S4 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-6-6 64952]
    .
    =============== Created Last 30 ================
    .
    2012-02-28 17:38:54 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2012-02-28 17:38:54 -------- d-----w- C:\ProgramData\Malwarebytes
    2012-02-28 17:38:54 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-02-28 17:24:06 -------- d-s---w- C:\ComboFix
    2012-02-28 12:53:02 -------- d-sh--w- C:\$RECYCLE.BIN
    2012-02-28 08:24:10 -------- d-----w- C:\Users\Izdeb\AppData\Roaming\Malwarebytes
    2012-02-22 19:40:04 -------- d-----w- C:\Program Files (x86)\Common Files\Blizzard Entertainment
    2012-02-15 15:14:45 -------- d-----w- C:\ProgramData\EA Logs
    2012-02-15 15:08:37 -------- d-----w- C:\Program Files (x86)\NVIDIA Corporation
    2012-02-15 15:08:32 -------- d-----w- C:\Program Files (x86)\Common Files\Wise Installation Wizard
    2012-02-04 16:09:13 -------- d-----w- C:\Users\Izdeb\AppData\Roaming\BigHugeEngine
    2012-02-03 15:25:55 -------- d-----w- C:\Windows\System32\appmgmt
    2012-02-02 18:32:52 -------- d-----w- C:\Users\Izdeb\AppData\Local\ESET
    2012-02-01 16:59:14 -------- d-----w- C:\ProgramData\LightScribe
    2012-02-01 16:58:19 -------- d-----w- C:\Program Files (x86)\Nero
    2012-02-01 16:58:12 -------- d-----w- C:\ProgramData\Nero
    2012-01-31 18:51:52 -------- d-----w- C:\Users\Izdeb\AppData\Roaming\LolClient
    2012-01-31 18:37:25 467984 ----a-w- C:\Windows\SysWow64\d3dx10_39.dll
    2012-01-31 18:37:25 1493528 ----a-w- C:\Windows\SysWow64\D3DCompiler_39.dll
    2012-01-31 18:37:20 3851784 ----a-w- C:\Windows\SysWow64\D3DX9_39.dll
    .
    ==================== Find3M ====================
    .
    2012-02-28 14:24:31 282864 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
    2012-02-28 14:24:31 282864 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
    2012-02-28 14:24:15 280904 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
    2012-02-19 16:49:57 76888 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
    2012-01-05 15:24:14 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-12-29 16:04:19 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
    2011-12-28 16:39:02 0 ----a-w- C:\Windows\ativpsrm.bin
    .
    ============= FINISH: 20:25:33,51 ===============

    ATTACH.txt

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Ultimate
    Boot Device: \Device\HarddiskVolume1
    Install Date: 2011-12-14 17:31:22
    System Uptime: 2012-02-28 15:06:25 (5 hours ago)
    .
    Motherboard: ASUSTeK Computer INC. | | M4A88TD-V EVO/USB3
    Processor: AMD Phenom(tm) II X4 955 Processor | AM3 | 2080/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 98 GiB total, 57,101 GiB free.
    D: is FIXED (NTFS) - 391 GiB total, 53,417 GiB free.
    E: is FIXED (NTFS) - 443 GiB total, 302,989 GiB free.
    F: is CDROM ()
    G: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Realtek PCIe GBE Family Controller
    Device ID: PCI\VEN_10EC&DEV_8168&SUBSYS_84321043&REV_06\C9000000684CE00000
    Manufacturer: Realtek
    Name: Realtek PCIe GBE Family Controller
    PNP Device ID: PCI\VEN_10EC&DEV_8168&SUBSYS_84321043&REV_06\C9000000684CE00000
    Service: RTL8167
    .
    ==== System Restore Points ===================
    .
    RP37: 2012-02-28 18:24:19 - ComboFix created restore point
    .
    ==== Installed Programs ======================
    .
    .
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Reader X (10.1.1)
    AMD VISION Engine Control Center
    µTorrent
    Battlefield 3™
    Battlelog Web Plugins
    Catalyst Control Center - Branding
    Catalyst Control Center InstallProxy
    Catalyst Control Center Localization All
    Catalyst Control Center Profiles Desktop
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Czech
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Greek
    CCC Help Hungarian
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Norwegian
    CCC Help Polish
    CCC Help Portuguese
    CCC Help Russian
    CCC Help Spanish
    CCC Help Swedish
    CCC Help Thai
    CCC Help Turkish
    ESN Sonar
    Google Chrome
    GPU Boost Driver
    HD Tune Pro 5.00
    HydraVision
    Java Auto Updater
    Java(TM) 6 Update 30
    Kingdoms of Amalur Reckoning
    League of Legends
    Malwarebytes Anti-Malware wersja 1.60.1.1000
    Microsoft Games for Windows - LIVE Redistributable
    Microsoft Games for Windows Marketplace
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2005 Redistributable - KB2467175
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    NapiProjekt 1.0.6.9
    NEC DISPLAY SOLUTIONS: Desktop Monitor Installer
    Nero Burning ROM 10
    Nero Control Center 10
    Nero Core Components 10
    NVIDIA PhysX
    Origin
    PunkBuster Services
    Razer DeathAdder(TM) Mouse
    Realtek Ethernet Controller Driver For Windows 7
    Realtek High Definition Audio Driver
    Renesas Electronics USB 3.0 Host Controller Driver
    Skype™ 5.5
    Spik
    TeamSpeak 3 Client
    VLC media player 1.1.11
    Winamp
    .
    ==== End Of File ===========================
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Sorry for delay- some email feedback for replies didn't get through. I thought I had found them all.

    Can you tell me what this is> Spik.
    There is another language on the system and I can't identify it.

    Malwarebytes was run entirely in another language. Fortunately I see 0 for malware entry sections so it's okay even though I can't read it. But please make the scans in English.
    ===================================
    We need to stop Daemon Tools:
    To disable CD Emulation programs using DeFogger please perform these steps:
    1. Please download DeFogger to your desktop.
    2. Double-click on the DeFogger icon to start the tool.
    3. The application window will appear> click on the Disable button to disable your CD Emulation drivers
    4. At prompt to continue> click on the Yes button to continue
    5. When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
    DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.
    ---------------------------
    The following can be done when we're finished:
    =======================================

    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Before you run the Combofix scan, please disable any security software you have running.

    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      • The Recovery Console was successfully installed.
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close/disable all anti virus and anti malware programs
      (If you need help with this, please see HERE)
    • Close any open browsers.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes, a report will be generated- it will open a text window. Please paste the C:\ComboFix.txt in next reply.
    Re-enable your Antivirus software.
    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2:If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3:CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ====================================
    Download CKScanner and save to your desktop.
    • Doubleclick CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
    =====================================
    Follow with Eset scan:
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    =================================
    Please leave logs for Combofix, CK Scan and Eset scan in your next reply.
  5. Izdeb

    Izdeb Newcomer, in training Topic Starter

    Hello, sorry for the Polish language logs. The combofix doesn't have a choose language option but you can google translate the parts you want or ask me to explain.

    SPIK is my Polish communicator, had it for many years, no problems.

    So the first log from combofix:


    ComboFix 12-03-02.01 - Izdeb 2012-03-03 12:44:51.2.4 - x64
    Microsoft Windows 7 Ultimate 6.1.7600.0.1250.48.1033.18.4095.2918 [GMT 1:00]
    Uruchomiony z: c:\users\Izdeb\Desktop\ComboFix.exe
    AV: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
    SP: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Utworzono nowy punkt przywracania
    .
    .
    ((((((((((((((((((((((((( Pliki utworzone od 2012-02-03 do 2012-03-03 )))))))))))))))))))))))))))))))
    .
    .
    2012-03-03 11:48 . 2012-03-03 11:48 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-02-28 17:38 . 2012-02-28 17:38 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-02-28 17:38 . 2012-02-28 17:38 -------- d-----w- c:\programdata\Malwarebytes
    2012-02-28 17:38 . 2011-12-10 14:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-02-28 08:24 . 2012-02-28 08:24 -------- d-----w- c:\users\Izdeb\AppData\Roaming\Malwarebytes
    2012-02-25 18:52 . 2012-02-25 18:52 -------- d-----w- c:\windows\Sun
    2012-02-22 19:40 . 2012-02-22 19:40 -------- d-----w- c:\program files (x86)\Common Files\Blizzard Entertainment
    2012-02-15 20:13 . 2012-02-15 20:13 -------- d-----w- c:\users\Izdeb\AppData\Roaming\U3
    2012-02-15 15:14 . 2012-02-19 18:47 -------- d-----w- c:\programdata\EA Logs
    2012-02-15 15:08 . 2012-02-15 15:08 -------- d-----w- c:\program files (x86)\NVIDIA Corporation
    2012-02-15 15:08 . 2012-02-15 15:08 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard
    2012-02-04 16:09 . 2012-02-04 16:09 -------- d-----w- c:\users\Izdeb\AppData\Roaming\BigHugeEngine
    2012-02-03 15:25 . 2012-02-03 15:25 -------- d-----w- c:\windows\system32\appmgmt
    2012-02-02 18:32 . 2012-02-02 18:32 -------- d-----w- c:\users\Izdeb\AppData\Local\ESET
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-03-01 20:53 . 2011-12-28 19:40 282864 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
    2012-03-01 20:53 . 2011-12-28 18:57 282864 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
    2012-03-01 20:52 . 2011-12-28 18:57 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
    2012-02-19 16:49 . 2011-12-28 18:57 76888 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
    2012-01-05 15:24 . 2011-12-29 15:59 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-12-29 16:04 . 2011-12-29 16:04 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2011-12-28 16:49 . 2011-12-28 16:49 834544 ----a-w- c:\windows\system32\drivers\sptd.sys
    2011-12-13 20:02 . 2011-12-14 15:37 115216 ----a-w- c:\windows\system32\drivers\AtihdW76.sys
    2011-12-13 20:02 . 2011-12-14 15:37 58880 ----a-w- c:\windows\system32\coinst.dll
    2011-12-13 20:02 . 2011-12-14 15:37 40448 ----a-w- c:\windows\system32\atiuxp64.dll
    2011-12-13 20:02 . 2011-12-14 15:37 3631104 ----a-w- c:\windows\SysWow64\atiumdva.dll
    2011-12-13 20:02 . 2011-12-14 15:37 31232 ----a-w- c:\windows\SysWow64\atiuxpag.dll
    2011-12-13 20:02 . 2011-12-14 15:37 278528 ----a-w- c:\windows\SysWow64\Oemdspif.dll
    2011-12-13 20:02 . 2011-12-14 15:37 1912832 ----a-w- c:\windows\SysWow64\atiumdmv.dll
    2011-12-13 20:02 . 2011-12-14 15:37 4246016 ----a-w- c:\windows\SysWow64\atiumdag.dll
    2011-12-13 20:02 . 2011-12-14 15:37 3420672 ----a-w- c:\windows\system32\atiumd6a.dll
    2011-12-13 20:02 . 2011-12-14 15:37 1208320 ----a-w- c:\windows\system32\atiumd6v.dll
    2011-12-13 20:02 . 2011-12-14 15:37 5395968 ----a-w- c:\windows\system32\atiumd64.dll
    2011-12-13 20:02 . 2011-12-14 15:37 423424 ----a-w- c:\windows\system32\atipdl64.dll
    2011-12-13 20:02 . 2011-12-14 15:37 38912 ----a-w- c:\windows\system32\atiu9p64.dll
    2011-12-13 20:02 . 2011-12-14 15:37 356352 ----a-w- c:\windows\SysWow64\atipdlxx.dll
    2011-12-13 20:02 . 2011-12-14 15:37 29184 ----a-w- c:\windows\SysWow64\atiu9pag.dll
    2011-12-13 20:02 . 2011-12-14 15:37 17469952 ----a-w- c:\windows\SysWow64\atioglxx.dll
    2011-12-13 20:02 . 2011-12-14 15:37 120320 ----a-w- c:\windows\system32\atitmm64.dll
    2011-12-13 20:02 . 2011-12-14 15:37 332800 ----a-w- c:\windows\system32\ATIODE.exe
    2011-12-13 20:02 . 2011-12-14 15:37 51200 ----a-w- c:\windows\system32\ATIODCLI.exe
    2011-12-13 20:02 . 2011-12-14 15:37 22623232 ----a-w- c:\windows\system32\atio6axx.dll
    2011-12-13 20:02 . 2011-12-14 15:37 53760 ----a-w- c:\windows\system32\atimpc64.dll
    2011-12-13 20:02 . 2011-12-14 15:37 53760 ----a-w- c:\windows\system32\amdpcom64.dll
    2011-12-13 20:02 . 2011-12-14 15:37 52736 ----a-w- c:\windows\SysWow64\atimpc32.dll
    2011-12-13 20:02 . 2011-12-14 15:37 52736 ----a-w- c:\windows\SysWow64\amdpcom32.dll
    2011-12-13 20:02 . 2011-12-14 15:37 303616 ----a-w- c:\windows\system32\drivers\atikmpag.sys
    2011-12-13 20:02 . 2011-12-14 15:37 16384 ----a-w- c:\windows\system32\atimuixx.dll
    2011-12-13 20:02 . 2011-12-14 15:37 9319424 ----a-w- c:\windows\system32\drivers\atikmdag.sys
    2011-12-13 20:02 . 2011-12-14 15:37 59392 ----a-w- c:\windows\system32\atiedu64.dll
    2011-12-13 20:02 . 2011-12-14 15:37 5080576 ----a-w- c:\windows\system32\atidxx64.dll
    2011-12-13 20:02 . 2011-12-14 15:37 480256 ----a-w- c:\windows\system32\atieclxx.exe
    2011-12-13 20:02 . 2011-12-14 15:37 39936 ----a-w- c:\windows\system32\atig6txx.dll
    2011-12-13 20:02 . 2011-12-14 15:37 32768 ----a-w- c:\windows\SysWow64\atigktxx.dll
    2011-12-13 20:02 . 2011-12-14 15:37 203776 ----a-w- c:\windows\system32\atiesrxx.exe
    2011-12-13 20:02 . 2011-12-14 15:37 14848 ----a-w- c:\windows\system32\atig6pxx.dll
    2011-12-13 20:02 . 2011-12-14 15:37 12800 ----a-w- c:\windows\SysWow64\atiglpxx.dll
    2011-12-13 20:02 . 2011-12-14 15:37 12800 ----a-w- c:\windows\system32\atiglpxx.dll
    2011-12-13 20:02 . 2011-12-14 15:37 788480 ----a-w- c:\windows\system32\aticfx64.dll
    2011-12-13 20:02 . 2011-12-14 15:37 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll
    2011-12-13 20:02 . 2011-12-14 15:37 4304896 ----a-w- c:\windows\SysWow64\atidxx32.dll
    2011-12-13 20:02 . 2011-12-14 15:37 7467008 ----a-w- c:\windows\system32\aticaldd64.dll
    2011-12-13 20:02 . 2011-12-14 15:37 671744 ----a-w- c:\windows\SysWow64\aticfx32.dll
    2011-12-13 20:02 . 2011-12-14 15:37 51200 ----a-w- c:\windows\system32\aticalrt64.dll
    2011-12-13 20:02 . 2011-12-14 15:37 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll
    2011-12-13 20:02 . 2011-12-14 15:37 6098432 ----a-w- c:\windows\SysWow64\aticaldd.dll
    2011-12-13 20:02 . 2011-12-14 15:37 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
    2011-12-13 20:02 . 2011-12-14 15:37 44544 ----a-w- c:\windows\system32\aticalcl64.dll
    2011-12-13 20:02 . 2011-12-14 15:37 44032 ----a-w- c:\windows\SysWow64\aticalcl.dll
    2011-12-13 20:02 . 2011-12-14 15:37 43520 ----a-w- c:\windows\SysWow64\ati2edxx.dll
    2011-12-13 20:02 . 2011-12-14 15:37 361984 ----a-w- c:\windows\system32\atiadlxx.dll
    2011-12-13 20:02 . 2011-12-14 15:37 258048 ----a-w- c:\windows\SysWow64\atiadlxy.dll
    2011-12-13 20:02 . 2011-12-14 15:37 147456 ----a-w- c:\windows\system32\atiapfxx.exe
    2011-12-13 20:02 . 2011-12-14 15:37 118784 ----a-w- c:\windows\system32\atibtmon.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "uTorrent"="c:\program files (x86)\uTorrent\uTorrent.exe" [2012-02-22 740216]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-04-27 113288]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-04-27 336384]
    "DeathAdder"="c:\program files (x86)\Razer\DeathAdder\razerhid.exe" [2011-03-21 248320]
    "GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    "Spik"="c:\program files (x86)\Spik\Spik.exe" [2011-06-07 109424]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    R1 EIO64;EIO Driver;c:\windows\system32\DRIVERS\EIO64.sys [x]
    R3 AODDriver4.0;AODDriver4.0;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [x]
    R4 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
    R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
    S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [x]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
    S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-04-27 365568]
    S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [x]
    S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2011-01-12 810144]
    S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [x]
    S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [x]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
    S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
    S3 danewFltr;NewDeathAdder Mouse;c:\windows\system32\drivers\danew.sys [x]
    S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
    S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
    S3 VKbms;Virtual HID Minidriver;c:\windows\system32\DRIVERS\VKbms.sys [x]
    .
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-07-06 11057768]
    "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2011-12-28 2918656]
    .
    ------- Skan uzupełniający -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 10.1.1.1 153.13.250.100
    Handler: wpmsg - {2E0AC5A0-3597-11D6-B3ED-0001021DC1C3} - c:\program files (x86)\Spik\url_wpmsg.dll
    .
    - - - - USUNIĘTO PUSTE WPISY - - - -
    .
    AddRemove-Battlelog Web Plugins - c:\program files (x86)\Battlelog Web Plugins\uninstall.exe
    .
    .
    .
    --------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\ESET\ESET Security\CurrentVersion\Info]
    @Denied: (2) (LocalSystem)
    "AppDataDir"="c:\\ProgramData\\ESET\\ESET NOD32 Antivirus\\"
    "DataDir"="ESET\\ESET NOD32 Antivirus\\"
    "EditionName"=" "
    "InstallDir"="c:\\Program Files\\ESET\\ESET NOD32 Antivirus\\"
    "LanguageId"=dword:00000409
    "PackageTag"=dword:00000000
    "ProductBase"=dword:00000000
    "ProductCode"="{50E9E32F-063A-412A-9627-553D5DA57C17}"
    "ProductName"="ESET NOD32 Antivirus"
    "ProductType"="eav"
    "ProductVersion"="4.2.71.2"
    "UniqueId"="0003BE6E4EFB470D"
    "ScannerBuild"=dword:00001dd3
    "ScannerVersionId"=dword:000015fe
    "ScannerVersion"="ready"
    "ei2"=hex(b):33,fd,47,8e,0f,39,39,ed
    "ei1"=hex(b):20,cf,30,f5,53,cc,00,00
    "ei3"=hex(b):da,48,fb,4e,00,00,00,00
    "ei4"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Pozostałe uruchomione procesy ------------------------
    .
    c:\program files\ASUS\GPU Boost Driver\GpuBoostServer.exe
    c:\windows\SysWOW64\PnkBstrA.exe
    c:\program files (x86)\Razer\DeathAdder\razertra.exe
    c:\program files (x86)\Razer\DeathAdder\razerofa.exe
    c:\program files (x86)\Razer\DeathAdder\vdDaemon.exe
    .
    **************************************************************************
    .
    Czas ukończenia: 2012-03-03 12:52:24 - komputer został uruchomiony ponownie
    ComboFix-quarantined-files.txt 2012-03-03 11:52
    .
    Przed: 60*313*587*712 bajtów wolnych
    Po: 60*163*665*920 bajtów wolnych
    .
    - - End Of File - - D78D549E13C53FBE55EAF80505EABA81

    =================================================================

    CK:


    CKScanner - Additional Security Risks - These are not necessarily bad
    scanner sequence 3.MN.11.DWAPUX
    ----- EOF -----


    ===============================

    The ESET scan didn't show any threats.


    I'm using Google Chrome with some extensions, maybe one of them is causing this??...
    Again, to show exactly what is happening:
    Sometimes when I click a new page or link, a new Google Chrome window appears with this address: " Edit: HijackSite URL deleted by Bobbye

    List of extensions:

    AdBlock2.5.20

    Adblock Plus (Beta)1.2

    Auto HD For YouTube2.0

    P.S. I have two ad blockers because one of them didn't block YouTube ads.
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Unfortunately, there is no information from Chrome in these logs. Is this redirect or browser hijack to the site the only problem you're having now? (BTW- Please don't leave any questionable site URL as a hyperlink. Either just leave the domain name or change the http to hxxp- this will stop others from clicking on the site and possibly loading it)

    It is possible that if you ever visited this site and don't have 3rd party Cookies blocked, that it is causing the site to reload.
    ===============================
    1. You need to block a Domain.
    For Internet Explorer: Control Panel (or Tools) > Internet Options> Security tab> Trusted Sites> Sites> highlight and block the following:
    media.888.com
    *.888.com
    888.*


    For Firefox and Chrome: Please see the information to block Domains>
    http://userscripts.org/scripts/show/95205
    ====================================
    2. You will need to delete the temporary internet files and Cookies
    =====================================
    3. You should Reset Cookies
    For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
    (First-party and third-party cookies can be set by the website you're visiting and websites that have items embedded in the website you're visiting. But when you next visit the website, only first-party cookie information is sent to the website. Third-party cookie information isn't sent back to the websites that originally set the third-party cookies.)

    Suggest adding Easy List. It is an additional filter block for ADP.

    I have both AdBlockPlus and Easy List on my Firefox, You should be able to add Easy List to Chrome.
    ------------------------
    For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

    For Firefox: Tools> Options> Privacy> Cookies> CHECK ‘accept Cookies from Sites’> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v33.5, after Privacy click on 'use custom settings for History.')
    =======================================
    4. Find and remove Tracking Cookies
    • Please download SuperAntiSpyware from HERE
    • Launch SuperAntiSpyware and click on 'Check for updates'.
    • Wait for the updates to be installed
    • On the main screen click on 'Scan your computer'.
    • Check 'Perform Complete Scan', then click 'Next' to start the scan.
    • SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
    • Make sure everything found has a checkmark next to it, then press 'Next'.
    • Click on 'Finish' when you're done.
    It's possible that the program will ask you to reboot in order to delete some files.

    Obtain the SuperAntiSpyware log as follows:
    • Click on 'Preferences'.
    • Click on the 'Statistics/Logs' tab.
    • Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
    It will then open in your default text editor, such as Notepad. Paste the Notepad file here in your reply.
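The domain-blocking and cookie advice in the post above, worked through as an added Python example (my own code, not from the thread, from Chrome, or from any tool mentioned here). It applies the three block patterns given above with shell-style wildcard matching, rewrites them into the `[*.]888.com` form that Chrome's own content settings accept, and shows the first-party/third-party distinction from the parenthetical note by comparing the registrable domain of the page being visited with that of the cookie. The registrable-domain rule (last two labels) is a simplification I am assuming for the hosts in this thread; real browsers use the Public Suffix List.

```python
import fnmatch

# The three block patterns exactly as given in the post above.
BLOCK_PATTERNS = ["media.888.com", "*.888.com", "888.*"]


def host_matches_blocklist(host: str, patterns=BLOCK_PATTERNS) -> bool:
    """Shell-style wildcard match, case-insensitive; '*' also spans dots,
    so '*.888.com' covers subdomains at any depth."""
    host = host.lower().strip(".")
    return any(fnmatch.fnmatchcase(host, p.lower()) for p in patterns)


def to_chrome_pattern(pattern: str):
    """Rewrite into the syntax Chrome's content settings (chrome://settings/content)
    accept: '[*.]888.com' matches 888.com and all of its subdomains; a bare
    '*888.com' or '*.888.com' is not in that syntax. A wildcard TLD such as
    '888.*' has no equivalent that I know of, so None is returned for it."""
    if pattern.startswith("*."):
        return "[*.]" + pattern[2:]
    return None if "*" in pattern else pattern


def registrable_domain(host: str) -> str:
    """Assumed simplification: the last two labels. Browsers use the Public
    Suffix List instead (so 'example.co.uk' is one site); fine for the hosts here."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_third_party(page_host: str, cookie_domain: str) -> bool:
    """A cookie is third-party when it belongs to a site other than the one
    in the address bar, i.e. the registrable domains differ."""
    return registrable_domain(page_host) != registrable_domain(cookie_domain)


def classify_cookies(page_host: str, cookie_domains):
    return {d: ("third-party" if is_third_party(page_host, d) else "first-party")
            for d in cookie_domains}


if __name__ == "__main__":
    for h in ["media.888.com", "888.com", "www.example.com"]:
        print(h, "blocked" if host_matches_blocklist(h) else "allowed")
    for p in BLOCK_PATTERNS:
        print(p, "->", to_chrome_pattern(p))
    # Constructed page/cookie pairs using domains that appear in this thread.
    print(classify_cookies("thepiratebay.se",
                           [".doubleclick.net", "thepiratebay.se", "ad.yieldmanager.com"]))
```

Blocking third-party cookies, as the post recommends, only affects the cookies `classify_cookies` labels "third-party"; a cookie set by the site in the address bar is still accepted, which is why the block pattern list is the part that actually keeps the advertising domain from loading.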
  7. Izdeb

    Izdeb Newcomer, in training Topic Starter

    Sorry for the web address. Yes, this popup page is the only problem I have; very strange, the popup pops up once a day, maybe twice. I know it's not a major problem but still...

    This script to block domains didn't work with Chrome, so I found a domain blocker in the chrome://settings/content popups and blocked 888.com and media.888.com. Couldn't use the *888.com, it didn't recognize it.
    It still doesn't block the popup :(.

    Also deleted the cookies and temp again. Blocked third party cookies as you told me.

    Scanned with SuperAntiSpyware, log below:


    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 03/10/2012 at 11:52 AM

    Application Version : 5.0.1146

    Core Rules Database Version : 8324
    Trace Rules Database Version: 6136

    Scan type : Complete Scan
    Total Scan Time : 00:41:21

    Operating System Information
    Windows 7 Ultimate 64-bit (Build 6.01.7600)
    UAC Off - Administrator

    Memory items scanned : 733
    Memory threats detected : 0
    Registry items scanned : 65630
    Registry threats detected : 0
    File items scanned : 72652
    File threats detected : 117

    Adware.Tracking Cookie
    C:\Users\Izdeb\AppData\Roaming\Microsoft\Windows\Cookies\2R22VPMY.txt [ /zanox.com ]
    C:\Users\Izdeb\AppData\Roaming\Microsoft\Windows\Cookies\COYQG14V.txt [ /tradedoubler.com ]
    C:\Users\Izdeb\AppData\Roaming\Microsoft\Windows\Cookies\GAC6J30O.txt [ /tracking.novem.pl ]
    C:\Users\Izdeb\AppData\Roaming\Microsoft\Windows\Cookies\V34FWMNF.txt [ /atdmt.com ]
    C:\Users\Izdeb\AppData\Roaming\Microsoft\Windows\Cookies\IUA89USZ.txt [ /ads.idg.pl ]
    C:\Users\Izdeb\AppData\Roaming\Microsoft\Windows\Cookies\PQPCEWY2.txt [ /c.atdmt.com ]
    C:\Users\Izdeb\AppData\Roaming\Microsoft\Windows\Cookies\5SLOHK50.txt [ /doubleclick.net ]
    C:\Users\Izdeb\AppData\Roaming\Microsoft\Windows\Cookies\VIPDPEF5.txt [ /media6degrees.com ]
    C:\Users\Izdeb\AppData\Roaming\Microsoft\Windows\Cookies\CAEKGU7P.txt [ /adxpose.com ]
    C:\Users\Izdeb\AppData\Roaming\Microsoft\Windows\Cookies\6I0AMNLV.txt [ /advertising.com ]
    C:\Users\Izdeb\AppData\Roaming\Microsoft\Windows\Cookies\2MZSCIJ5.txt [ /at.atwola.com ]
    C:\Users\Izdeb\AppData\Roaming\Microsoft\Windows\Cookies\D215FHE0.txt [ /serving-sys.com ]
    C:\Users\Izdeb\AppData\Roaming\Microsoft\Windows\Cookies\6TNUD427.txt [ /tacoda.at.atwola.com ]
    C:\Users\Izdeb\AppData\Roaming\Microsoft\Windows\Cookies\UF7OO2WN.txt [ /ar.atwola.com ]
    C:\Users\Izdeb\AppData\Roaming\Microsoft\Windows\Cookies\P5IPPO1F.txt [ /ad.zanox.com ]
    C:\Users\Izdeb\AppData\Roaming\Microsoft\Windows\Cookies\WHHBR063.txt [ /invitemedia.com ]
    C:\Users\Izdeb\AppData\Roaming\Microsoft\Windows\Cookies\3MQSJ0UO.txt [ /revsci.net ]
    C:\Users\Izdeb\AppData\Roaming\Microsoft\Windows\Cookies\OT52GJ2D.txt [ /ad.yieldmanager.com ]
    C:\Users\Izdeb\AppData\Roaming\Microsoft\Windows\Cookies\EM4EXQSO.txt [ /yieldmanager.net ]
    C:\Users\Izdeb\AppData\Roaming\Microsoft\Windows\Cookies\FXHB7E2P.txt [ /atwola.com ]
    C:\USERS\IZDEB\AppData\Roaming\Microsoft\Windows\Cookies\C3QQYL0W.txt [ Cookie:izdeb@adsonar.com/adserving ]
    C:\USERS\IZDEB\Cookies\2R22VPMY.txt [ Cookie:izdeb@zanox.com/ ]
    C:\USERS\IZDEB\Cookies\COYQG14V.txt [ Cookie:izdeb@tradedoubler.com/ ]
    C:\USERS\IZDEB\Cookies\GAC6J30O.txt [ Cookie:izdeb@tracking.novem.pl/ ]
    C:\USERS\IZDEB\Cookies\V34FWMNF.txt [ Cookie:izdeb@atdmt.com/ ]
    C:\USERS\IZDEB\Cookies\5SLOHK50.txt [ Cookie:izdeb@doubleclick.net/ ]
    C:\USERS\IZDEB\Cookies\C3QQYL0W.txt [ Cookie:izdeb@adsonar.com/adserving ]
    C:\USERS\IZDEB\Cookies\VIPDPEF5.txt [ Cookie:izdeb@media6degrees.com/ ]
    C:\USERS\IZDEB\Cookies\CAEKGU7P.txt [ Cookie:izdeb@adxpose.com/ ]
    C:\USERS\IZDEB\Cookies\6I0AMNLV.txt [ Cookie:izdeb@advertising.com/ ]
    C:\USERS\IZDEB\Cookies\2MZSCIJ5.txt [ Cookie:izdeb@at.atwola.com/ ]
    C:\USERS\IZDEB\Cookies\D215FHE0.txt [ Cookie:izdeb@serving-sys.com/ ]
    C:\USERS\IZDEB\Cookies\UF7OO2WN.txt [ Cookie:izdeb@ar.atwola.com/ ]
    C:\USERS\IZDEB\Cookies\WHHBR063.txt [ Cookie:izdeb@invitemedia.com/ ]
    C:\USERS\IZDEB\Cookies\3MQSJ0UO.txt [ Cookie:izdeb@revsci.net/ ]
    C:\USERS\IZDEB\Cookies\OT52GJ2D.txt [ Cookie:izdeb@ad.yieldmanager.com/ ]
    C:\USERS\IZDEB\Cookies\EM4EXQSO.txt [ Cookie:izdeb@yieldmanager.net/ ]
    C:\USERS\IZDEB\Cookies\FXHB7E2P.txt [ Cookie:izdeb@atwola.com/ ]
    fr.sitestat.com [ C:\USERS\IZDEB\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\COOKIES ]
    fr.sitestat.com [ C:\USERS\IZDEB\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\COOKIES ]
    .doubleclick.net [ C:\USERS\IZDEB\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\COOKIES ]
    .doubleclick.net [ C:\USERS\IZDEB\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\COOKIES ]
    .imrworldwide.com [ C:\USERS\IZDEB\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\COOKIES ]
    .imrworldwide.com [ C:\USERS\IZDEB\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\COOKIES ]
    ia.media-imdb.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\HQE2M382 ]
    secure-us.imrworldwide.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\HQE2M382 ]
    statse.webtrendslive.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\GXA62RWG.DEFAULT\COOKIES.SQLITE ]
    .doubleclick.net [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\GXA62RWG.DEFAULT\COOKIES.SQLITE ]
    .doubleclick.net [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\GXA62RWG.DEFAULT\COOKIES.SQLITE ]
    .kontera.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\GXA62RWG.DEFAULT\COOKIES.SQLITE ]
    .legolas-media.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\GXA62RWG.DEFAULT\COOKIES.SQLITE ]
    .legolas-media.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\GXA62RWG.DEFAULT\COOKIES.SQLITE ]
    .legolas-media.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\GXA62RWG.DEFAULT\COOKIES.SQLITE ]
    .legolas-media.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\GXA62RWG.DEFAULT\COOKIES.SQLITE ]
    .doubleclick.net [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    .microsoftsto.112.2o7.net [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    .apmebf.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    .apmebf.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    .doubleclick.net [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    .www.burstnet.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    .burstnet.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    .amazon-adsystem.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    .amazon-adsystem.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    .kontera.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    tracking.hostgator.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    .burstnet.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    www.burstnet.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    .tribalfusion.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    .mm.chitika.net [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    www.burstnet.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    .fastclick.net [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    banners.moreniche.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    ad.yieldmanager.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    ad.yieldmanager.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    ad.yieldmanager.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    ad.yieldmanager.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    ad.yieldmanager.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    counter.top.ge [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    counter.top.ge [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    counter.top.ge [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    counter.top.ge [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    .eaeacom.112.2o7.net [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    statse.webtrendslive.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    .statcounter.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    .neccorp.112.2o7.net [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    tracking.metalyzer.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    delivery.way2traffic.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    delivery.way2traffic.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    delivery.way2traffic.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    delivery.way2traffic.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    delivery.way2traffic.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    delivery.way2traffic.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    delivery.way2traffic.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    delivery.way2traffic.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    delivery.way2traffic.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    delivery.way2traffic.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    delivery.way2traffic.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    delivery.way2traffic.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    delivery.way2traffic.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    delivery.way2traffic.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    .liveperson.net [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    .liveperson.net [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    sales.liveperson.net [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    .imrworldwide.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    .imrworldwide.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    accounts.youtube.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    accounts.google.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    accounts.google.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    accounts.google.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    tracking.novem.pl [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    tracking.novem.pl [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    aleseriale.pl [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    .aleseriale.pl [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]
    secure-us.imrworldwide.com [ C:\WINDOWS.OLD\USERS\IZDEB\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\K6ER9HF8 ]
    C:\WINDOWS.OLD\USERS\IZDEB\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\LOW\IZDEB@DOUBLECLICK[1].TXT [ /DOUBLECLICK ]

    Trojan.Agent/Gen-Autorun[Swisyn]
    D:\KOMP\IMPPAN\KONFERENCJE\PRAGA 2002\KATALIZATOR\CON123-2.EXE

    Trojan.Agent/Gen-Frauder
    E:\GRY\KINGDOMS OF AMALUR RECKONING\LAUNCHER.EXE

    ==========================================================


    The Trojans are false positives as far as I know.
    Oh, and these cookies from Mozilla are because I was using Firefox before Chrome. Now only using Chrome.
    And still having popups :(

    I'm thinking of formatting... But will it even help?
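To triage a SUPERAntiSpyware log like the one above without reading 117 lines by hand, here is an added Python parser (my own code, not part of the thread and not from SUPERAntiSpyware): it groups the "Adware.Tracking Cookie" entries by domain and by which cookie store they came from (the IE cookie folder, Chrome, a Firefox profile, Flash shared objects, or the leftover windows.old copy), and lists every non-cookie detection, such as the two Trojan hits, separately for a human decision. The sample lines are a constructed excerpt in the same three line shapes the posted log uses; the store labels and the "stale" assumption (Firefox no longer in use, windows.old a leftover install) are mine.

```python
import re
from collections import defaultdict

# Constructed excerpt in the three line shapes used by the SUPERAntiSpyware log
# posted in this thread (a subset of its entries, not the full log).
SAMPLE_LOG_LINES = [
    "Adware.Tracking Cookie",
    r"C:\Users\Izdeb\AppData\Roaming\Microsoft\Windows\Cookies\5SLOHK50.txt [ /doubleclick.net ]",
    r"C:\USERS\IZDEB\Cookies\5SLOHK50.txt [ Cookie:izdeb@doubleclick.net/ ]",
    r".doubleclick.net [ C:\USERS\IZDEB\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\COOKIES ]",
    r".doubleclick.net [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]",
    r"delivery.way2traffic.com [ C:\USERS\IZDEB\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\XOZ68A2K.DEFAULT\COOKIES.SQLITE ]",
    r"C:\WINDOWS.OLD\USERS\IZDEB\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\LOW\IZDEB@DOUBLECLICK[1].TXT [ /DOUBLECLICK ]",
    "",
    "Trojan.Agent/Gen-Autorun[Swisyn]",
    r"D:\KOMP\IMPPAN\KONFERENCJE\PRAGA 2002\KATALIZATOR\CON123-2.EXE",
    "",
    "Trojan.Agent/Gen-Frauder",
    r"E:\GRY\KINGDOMS OF AMALUR RECKONING\LAUNCHER.EXE",
]

_DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")
# "<left> [ <right> ]" entries; the spaces around the brackets are what the log
# uses, so "Gen-Autorun[Swisyn]" inside a detection name does not match.
_ENTRY = re.compile(r"^(?P<left>.+?) \[ (?P<right>.+?) \]$")


def classify_store(path: str) -> str:
    """Store labels are my own; classification is by well-known path fragments."""
    p = path.upper()
    if "WINDOWS.OLD" in p:
        return "windows.old (stale copy)"
    if "\\GOOGLE\\CHROME\\" in p:
        return "chrome"
    if "\\MOZILLA\\FIREFOX\\" in p:
        return "firefox"
    if "\\MACROMEDIA\\FLASH PLAYER\\" in p:
        return "flash-lso"
    return "ie-cookies"


def cookie_domain_and_store(left: str, right: str):
    """Return (domain, store) for the three cookie line shapes in the log:
    path [ /domain ], path [ Cookie:user@domain/path ], domain [ store path ]."""
    if _DRIVE_PATH.match(left):
        if right.startswith("Cookie:"):
            dom = right[len("Cookie:"):].split("@", 1)[-1]
        else:
            dom = right.lstrip("/")
        return dom.split("/", 1)[0].lower().lstrip("."), classify_store(left)
    return left.lower().lstrip("."), classify_store(right)


def parse_sas_log(lines):
    """Group cookie detections as domain -> set of stores; collect everything
    else as (detection name, path) pairs that need a human decision."""
    cookies = defaultdict(set)
    others = []
    category = None
    for raw in lines:
        line = raw.strip()
        if not line:
            category = None          # a blank line ends a detection group
            continue
        m = _ENTRY.match(line)
        if m and category and "cookie" in category.lower():
            dom, store = cookie_domain_and_store(m["left"], m["right"])
            cookies[dom].add(store)
        elif m or _DRIVE_PATH.match(line):
            others.append((category or "unknown", line))
        else:
            category = line          # a detection name such as "Trojan.Agent/Gen-Frauder"
    return dict(cookies), others


def summarize(cookies, others):
    # Assumption from the thread: Firefox is no longer used and windows.old is a
    # leftover install, so hits seen only there are not evidence of current activity.
    stale_stores = {"firefox", "windows.old (stale copy)"}
    return {
        "tracking_domains": len(cookies),
        "stale_only": sorted(d for d, s in cookies.items() if s <= stale_stores),
        "needs_attention": [path for _, path in others],
    }


if __name__ == "__main__":
    found, rest = parse_sas_log(SAMPLE_LOG_LINES)
    for dom in sorted(found):
        print(f"{dom:30} {', '.join(sorted(found[dom]))}")
    print(summarize(found, rest))
```

Run against the full log posted above, the interesting output is the short `needs_attention` list (executables are not cookies and cannot be cleared by deleting temporary files) and which domains show up in the live Chrome store rather than only in the old Firefox profiles; the `stale_only` group is noise from profiles that are no longer in use.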
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    No, I don't think they are False Positives:

    Trojan.Agent/Gen-Autorun[Swisyn]>>> keygen
    D:\KOMP\IMPPAN\KONFERENCJE\PRAGA 2002\KATALIZATOR\CON123-2.EXE
    D: \ COMP \ IMP PAN \ Conferences \ PRAGUE 2002 \ CATALYST \ CON123-2.exe> Eng.

    Trojan.Agent/Gen-Frauder
    E:\GRY\KINGDOMS OF AMALUR RECKONING\LAUNCHER.EXE

    There is a concern that these Trojans are on Drive D and Drive E. What are those drives?

    Please run the following again:
    Download CKScanner and save to your desktop.
    • Doubleclick CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
    =====================================
    Why did you think an occasional popup like this was a rootkit? You have been on some sites that brought Warnings as having poor reputations per my Site Advisor. The best way to remove the source is to delete all of the temporary internet files and Cookies.

    Additionally, you should use a Site Advisor/WOT.

    You should also use a Popup Blocker. If Chrome has one, please be sure it's activated.
    There is also a popup blocker in the Google Toolbar, but they are removing it in the near future.
  9. Izdeb

    Izdeb Newcomer, in training Topic Starter

    D and E drives are partitions of my HDD for movies and games; the C drive has Windows 7 on it. 100 GB so it's easy to format when needed. Just a habit from the old days, I think.

    The trojan on the D drive I've never clicked on, I'm sure. And it's deleted now.
    The trojan on the E drive is a crack for a game; they usually are false positives (I download from a reliable source). Anyway, deleted also.

    Log from CKScanner

    CKScanner - Additional Security Risks - These are not necessarily bad
    scanner sequence 3.RP.11.UNCPVT
    ----- EOF -----


    I deleted the cookies and temp many times now, as I was saying in previous posts.
    I activated the popup blocker in Chrome but it doesn't work. I have never had any problems with popups and I always use the internet responsibly and very cautiously, as I've been using it for 20 years now, and have managed to resolve every problem I had since. So that's why I'm posting here. I don't know if this is a rootkit, but from what I read in other threads that is usually the case.

    Of course there is a possibility that these popups are only triggered by opening the thepiratebay.se site. But this just came to my mind; I have to check it, because the popups are rare. And I have the site open in my tabs all the time.
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    To clarify: A crack or a keygen is not a False Positive. It means you pirated the program. If you mean a FP in terms of a virus or Trojan, then in that context it isn't. However, we don't support piracy.

    If you are frequenting the piratebay site for the purpose of pirating, leaving it on the tab open always, then expect to get malware- and no support.
  11. Izdeb

    Izdeb Newcomer, in training Topic Starter

    As it seems, this popup only comes from the thepiratebay site. Sorry for all the trouble. I just won't go there anymore.
    Thanks for all the help. I think I'm safe now. I need to find a better popup blocker, or switch browsers in the future.
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Remove all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
      [o] Click START> then RUN
      [o] Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
      [o] Double click OTCleanIt.exe.
      [o] Click the CleanUp! button.
      [o] If you are prompted to Reboot during the cleanup, select Yes.
      [o] The tool will delete itself once it finishes.
      Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
      Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    • Set a new, clean Restore Point
      [o] Click on Start> right click on Computer> Properties
      [o] Select System Protection
      [o] Click on the Create button (near bottom)
      [o] Type a name for the Restore Point
      [o] Click on Create again to save the restore point.
    • Deleting all but the most recent System Protection point in Windows 7
      [o] Click Start> Computer> right click the C Drive and choose Properties> enter.
      [o] Click Disk Cleanup from there.
      [o] Click Clean up system files
      This restarts Disk Cleanup to run in elevated mode.
      [o] Click the More Options tab
      [o] Click the Clean up under System Restore and Shadow Copies.
      [o] Click OK.
      [o] You will get a confirmation screen> Just click Delete.
      [o] Click OK on the Disk Cleanup Screen.
      [o] Click Delete Files on the Confirmation screen.
    This runs the Disk Cleanup utility along with other selections if you have chosen any. (If you had a lot of System Restore points, you will see a significant change in the free space on the C drive.)
    Images courtesy lytebyte.

    Empty the Recycle Bin