
Google Redirect and PING.exe



#1
badlands31
Hi,

I recently clicked a link on reddit.com that led to a website that most likely infected my PC. First my computer randomly restarted, and then my Google searches started redirecting me. I opened my Task Manager and noticed a couple of .exe's that didn't seem right. These include api-ms-win-core-localization-l1-1-032.exe.vir, located in my ProgramData folder; PING.exe, which was active without me pinging anything and whose memory usage was very high; and these other three .exe's that popped up:
c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\zzy1rw1cv.exe
c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\y270mssr.exe
c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\n4f9.exe
but only n4f9.exe was running.

I ran Malwarebytes, which removed some stuff, and then TDSSKiller, which only cured one file.

Thank you for your assistance.

Here is my OTL log:

OTL logfile created on: 8/26/2011 1:16:01 AM - Run 1
OTL by OldTimer - Version 3.2.26.5 Folder = C:\Users\Zack\Desktop
64bit- An unknown product (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.66 Gb Available Physical Memory | 66.61% Memory free
8.00 Gb Paging File | 6.32 Gb Available in Paging File | 79.04% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 465.66 Gb Total Space | 171.90 Gb Free Space | 36.92% Space Free | Partition Type: NTFS
Drive D: | 931.51 Gb Total Space | 172.09 Gb Free Space | 18.47% Space Free | Partition Type: NTFS
Drive N: | 7.46 Gb Total Space | 6.73 Gb Free Space | 90.21% Space Free | Partition Type: FAT32

Computer Name: BADLANDS | User Name: Zack | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/08/26 01:15:43 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Users\Zack\Desktop\OTL.exe
PRC - [2011/08/16 23:37:13 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
PRC - [2011/07/15 20:01:52 | 000,554,496 | ---- | M] (AIDEX Team) -- C:\Windows\SysWOW64\qmgrprxy32.exe
PRC - [2011/07/15 20:01:52 | 000,554,496 | ---- | M] (AIDEX Team) -- C:\ProgramData\api-ms-win-core-localization-l1-1-032.exe
PRC - [2011/05/25 16:07:14 | 024,176,560 | ---- | M] (Dropbox, Inc.) -- C:\Users\Zack\AppData\Roaming\Dropbox\bin\Dropbox.exe
PRC - [2010/12/20 23:10:37 | 000,075,136 | ---- | M] () -- C:\Windows\SysWOW64\PnkBstrA.exe
PRC - [2010/03/10 01:38:18 | 000,086,016 | ---- | M] () -- C:\Program Files\Autodesk\3ds Max 2011\mentalimages\satellite\raysat_3dsmax2011_64server.exe
PRC - [2010/01/06 18:23:32 | 000,142,648 | ---- | M] (FSPro Labs) -- C:\Windows\SysWOW64\fsproflt.exe
PRC - [2009/10/09 09:07:22 | 000,493,248 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
PRC - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
PRC - [2009/01/08 09:44:06 | 000,070,936 | ---- | M] (Octoshape ApS) -- C:\Users\Zack\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe


========== Modules (No Company Name) ==========

MOD - [2011/08/16 23:37:13 | 001,000,920 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\js3250.dll
MOD - [2011/08/10 17:33:21 | 006,277,280 | ---- | M] () -- C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2011/04/19 22:04:18 | 000,203,776 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2010/10/12 23:54:08 | 001,436,424 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe -- (FLEXnet Licensing Service 64)
SRV:64bit: - [2010/03/10 01:38:18 | 000,086,016 | ---- | M] () [Auto | Running] -- C:\Program Files\Autodesk\3ds Max 2011\mentalimages\satellite\raysat_3dsmax2011_64server.exe -- (mi-raysat_3dsmax2011_64)
SRV:64bit: - [2009/07/13 21:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/07/13 21:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV:64bit: - [2008/07/29 13:20:28 | 004,737,024 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x64\msvsmon.exe -- (msvsmon90)
SRV - [2011/08/03 00:35:20 | 003,542,616 | ---- | M] () [Auto | Running] -- c:\Program Files (x86)\Common Files\Akamai\netsession_win_2da1ebd.dll -- (Akamai)
SRV - [2011/07/15 20:01:52 | 000,554,496 | ---- | M] (AIDEX Team) [Auto | Running] -- C:\Windows\SysWOW64\qmgrprxy32.exe -- (ShellHWDetection32)
SRV - [2011/07/12 21:56:48 | 000,411,432 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2010/12/20 23:10:37 | 000,075,136 | ---- | M] () [Auto | Running] -- C:\Windows\SysWOW64\PnkBstrA.exe -- (PnkBstrA)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/01/06 18:23:32 | 000,142,648 | ---- | M] (FSPro Labs) [Auto | Running] -- C:\Windows\SysWOW64\fsproflt.exe -- (fsproflt)
SRV - [2009/10/09 09:07:22 | 000,493,248 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe -- (vpnagent)
SRV - [2009/07/26 06:43:14 | 000,025,832 | ---- | M] (BioWare) [On_Demand | Stopped] -- C:\Program Files (x86)\Dragon Age\bin_ship\daupdatersvc.service.exe -- (DAUpdaterSvc)
SRV - [2009/06/10 17:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto | Running] -- C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2011/04/19 22:44:48 | 009,319,936 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag)
DRV:64bit: - [2011/04/19 21:22:32 | 000,306,176 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
DRV:64bit: - [2010/11/17 08:04:32 | 000,115,216 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtihdW76.sys -- (AtiHDAudioService)
DRV:64bit: - [2010/05/06 05:21:46 | 000,125,456 | ---- | M] (ATI Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\AtiHdmi.sys -- (AtiHdmiService)
DRV:64bit: - [2010/04/19 20:47:42 | 000,050,688 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2009/10/09 08:50:50 | 000,024,248 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\vpnva64.sys -- (vpnva)
DRV:64bit: - [2009/08/21 01:52:10 | 000,079,976 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\xusb21.sys -- (xusb21)
DRV:64bit: - [2009/07/13 21:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2009/07/13 21:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009/07/13 21:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 21:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 21:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/07/13 21:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/13 20:10:47 | 000,011,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\rootmdm.sys -- (ROOTMODEM)
DRV:64bit: - [2009/06/10 16:35:42 | 000,187,392 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2009/06/10 16:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 16:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 16:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 16:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/05/18 13:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2009/01/09 15:02:08 | 000,031,744 | ---- | M] (Research in Motion Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\RimSerial_AMD64.sys -- (RimVSerPort)
DRV:64bit: - [2008/06/06 16:35:46 | 000,055,440 | ---- | M] (FSPro Labs) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\FSPFltd.sys -- (FSProFilter)
DRV:64bit: - [2008/05/20 18:33:36 | 000,028,416 | ---- | M] (Research In Motion Limited) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RimUsb_AMD64.sys -- (RimUsb)
DRV - [2009/07/13 21:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = A3 37 17 93 AA 63 CC 01 [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = FC AE A1 16 7B B3 AC 47 86 EA E7 C0 A6 62 69 6D [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:60182

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.8.20100408.6
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:1.1.10
FF - prefs.js..extensions.enabledItems: {9EB34849-81D3-4841-939D-666D522B889A}:1.4.0.111
FF - prefs.js..extensions.enabledItems: pencil@evolus.vn:1.2.0
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 60182
FF - prefs.js..network.proxy.type: 4

FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@idsoftware.com/QuakeLive: C:\ProgramData\id Software\QuakeLive\npquakezero.dll (id Software Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Oracle)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files (x86)\Microsoft Silverlight\4.0.60310.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nexon.net/NxGame: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll (Nexon)
FF - HKLM\Software\MozillaPlugins\@onlive.com/OlGameDetect,version=1.1.0.70351: C:\Program Files (x86)\OnLive\FirefoxPlugin\npolgdet.dll (OnLive)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKLM\Software\MozillaPlugins\@rayv.com/rayvplugin: C:\Program Files (x86)\RayV\RayV\plugins\nprayvplugin.dll (RayV)
FF - HKLM\Software\MozillaPlugins\@RIM.com/WebSLLauncher,version=1.0: C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@octoshape.com/Octoshape Streaming Services,version=1.0: C:\Users\Zack\AppData\Roaming\Octoshape\Octoshape Streaming Services\sua-1101262-0-npoctoshape.dll (Octoshape ApS)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Zack\AppData\Local\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Zack\AppData\Local\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.20\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2011/08/16 23:37:14 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.20\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2011/08/16 23:37:14 | 000,000,000 | ---D | M]

[2010/07/23 19:29:40 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Zack\AppData\Roaming\Mozilla\Extensions
[2011/08/26 00:35:47 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Zack\AppData\Roaming\Mozilla\Firefox\Profiles\6bjxzua0.default\extensions
[2011/01/12 18:29:26 | 000,000,000 | ---D | M] (WebSlingPlayer) -- C:\Users\Zack\AppData\Roaming\Mozilla\Firefox\Profiles\6bjxzua0.default\extensions\{9EB34849-81D3-4841-939D-666D522B889A}
[2010/09/28 18:37:01 | 000,000,000 | ---D | M] (DownThemAll!) -- C:\Users\Zack\AppData\Roaming\Mozilla\Firefox\Profiles\6bjxzua0.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2010/07/26 02:53:40 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Users\Zack\AppData\Roaming\Mozilla\Firefox\Profiles\6bjxzua0.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2011/05/06 16:35:54 | 000,000,000 | ---D | M] ("Pencil") -- C:\Users\Zack\AppData\Roaming\Mozilla\Firefox\Profiles\6bjxzua0.default\extensions\pencil@evolus.vn
[2011/08/26 00:35:47 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2010/07/23 18:48:46 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/07/23 18:48:43 | 000,423,656 | ---- | M] (Oracle) -- C:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2011/08/26 00:16:41 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O4:64bit: - HKLM..\Run: [XboxStat] C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe (Microsoft Corporation)
O4 - HKLM..\Run: [ATICustomerCare] C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKCU..\Run: [Octoshape Streaming Services] C:\Users\Zack\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe (Octoshape ApS)
O4 - Startup: C:\Users\Zack\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Zack\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 vpnweb.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18:64bit: - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/11/26 19:34:48 | 000,000,000 | ---D | M] - C:\Autodesk -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/08/26 01:15:40 | 000,580,096 | ---- | C] (OldTimer Tools) -- C:\Users\Zack\Desktop\OTL.exe
[2011/08/26 00:56:58 | 001,406,768 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Zack\Desktop\blahhh2.exe
[2011/08/26 00:43:34 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET
[2011/08/26 00:38:03 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Trend Micro
[2011/08/26 00:38:03 | 000,000,000 | ---D | C] -- C:\Users\Zack\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
[2011/08/26 00:31:46 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/08/26 00:30:40 | 000,554,496 | ---- | C] (AIDEX Team) -- C:\ProgramData\api-ms-win-core-localization-l1-1-032.exe
[2011/08/26 00:21:54 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2011/08/26 00:16:50 | 000,055,808 | ---- | C] ( ) -- C:\Users\Zack\AppData\Roaming\n4f9.exe
[2011/08/26 00:03:54 | 000,000,000 | ---D | C] -- C:\ComboFix
[2011/08/22 19:49:06 | 000,000,000 | ---D | C] -- C:\Users\Zack\Documents\KONAMI
[2011/08/22 19:45:19 | 000,000,000 | ---D | C] -- C:\Users\Zack\Desktop\PES2012DEMO
[2011/08/19 23:54:55 | 000,000,000 | ---D | C] -- C:\Users\Zack\Desktop\TheWeeknd_____Thursday
[2011/08/13 21:36:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\id Software
[2011/08/13 21:36:18 | 000,000,000 | ---D | C] -- C:\ProgramData\id Software
[2011/08/12 00:46:48 | 000,000,000 | ---D | C] -- C:\Users\Zack\Desktop\California
[2011/08/11 23:48:26 | 000,000,000 | ---D | C] -- C:\Users\Zack\Desktop\Of Porcelain - A Southern Summer's Breeze
[2011/08/08 19:58:47 | 000,000,000 | ---D | C] -- C:\Users\Zack\AppData\Roaming\IrfanView
[2011/08/08 19:58:47 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\IrfanView
[2011/08/08 19:58:10 | 001,512,448 | ---- | C] (Irfan Skiljan) -- C:\Users\Zack\Desktop\iview430_setup.exe
[2011/08/08 17:06:00 | 000,000,000 | ---D | C] -- C:\Users\Zack\Desktop\Eternal+Life+Vol.+1
[2011/08/06 23:48:41 | 000,000,000 | ---D | C] -- C:\Users\Zack\Desktop\August Music
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/08/26 01:15:43 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Users\Zack\Desktop\OTL.exe
[2011/08/26 01:06:16 | 000,014,752 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/08/26 01:06:16 | 000,014,752 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/08/26 00:58:58 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/08/26 00:58:48 | 3220,037,632 | -HS- | M] () -- C:\hiberfil.sys
[2011/08/26 00:56:29 | 001,390,139 | ---- | M] () -- C:\Users\Zack\Desktop\tdsskiller.zip
[2011/08/26 00:38:03 | 000,002,971 | ---- | M] () -- C:\Users\Zack\Desktop\HiJackThis.lnk
[2011/08/26 00:37:37 | 001,402,880 | ---- | M] () -- C:\Users\Zack\Desktop\HiJackThis.msi
[2011/08/26 00:25:00 | 000,000,904 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2511343510-2362421710-3736614235-1001UA.job
[2011/08/26 00:16:50 | 000,000,180 | ---- | M] () -- C:\Users\Zack\AppData\Roaming\80f82bi6.bat
[2011/08/26 00:16:41 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2011/08/25 23:47:38 | 000,000,004 | -H-- | M] () -- C:\Users\Zack\AppData\Roaming\mlog
[2011/08/25 23:46:43 | 000,000,120 | ---- | M] () -- C:\Users\Zack\AppData\Local\Lziyezakoboxag.dat
[2011/08/25 23:46:43 | 000,000,000 | ---- | M] () -- C:\Users\Zack\AppData\Local\Jyawecavalegac.bin
[2011/08/25 23:46:22 | 000,000,004 | -H-- | M] () -- C:\Users\Zack\AppData\Roaming\ylog
[2011/08/25 23:42:55 | 000,000,144 | ---- | M] () -- C:\Users\Zack\AppData\Roaming\91f92cj7.bat
[2011/08/25 23:42:51 | 000,055,808 | ---- | M] ( ) -- C:\Users\Zack\AppData\Roaming\n4f9.exe
[2011/08/25 23:25:00 | 000,000,852 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2511343510-2362421710-3736614235-1001Core.job
[2011/08/25 22:18:19 | 000,280,736 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.xtr
[2011/08/25 22:18:19 | 000,280,736 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.exe
[2011/08/25 22:07:44 | 000,215,128 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.ex0
[2011/08/22 19:34:33 | 1334,519,140 | ---- | M] () -- C:\Users\Zack\Desktop\PES2012DEMO.zip
[2011/08/22 15:48:36 | 001,406,768 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Zack\Desktop\blahhh2.exe
[2011/08/18 21:08:36 | 384,118,330 | ---- | M] () -- C:\Users\Zack\Desktop\gc11_darksouls_pres_part2.wmv
[2011/08/18 20:55:20 | 611,370,469 | ---- | M] () -- C:\Users\Zack\Desktop\gc11_darksouls_pres_part1.wmv
[2011/08/16 20:32:43 | 116,887,687 | ---- | M] () -- C:\Users\Zack\Desktop\gc11_bf3_ea.wmv
[2011/08/16 18:03:12 | 304,168,240 | ---- | M] () -- C:\Users\Zack\Desktop\bf3_gamescom_caspianborder_pegi_1080p60_20mbps.mov
[2011/08/16 01:32:30 | 005,717,815 | ---- | M] () -- C:\Users\Zack\Desktop\0e54e0b.jpg
[2011/08/15 19:55:47 | 000,686,144 | ---- | M] () -- C:\Users\Zack\Desktop\Nappa-Sterling-Family-Desktop.jpg
[2011/08/10 00:14:37 | 000,471,086 | ---- | M] () -- C:\Users\Zack\Desktop\000339.pdf
[2011/08/09 23:24:58 | 000,380,796 | ---- | M] () -- C:\Users\Zack\Desktop\UTkRc.jpg
[2011/08/08 19:58:47 | 000,001,002 | ---- | M] () -- C:\Users\Zack\Desktop\IrfanView.lnk
[2011/08/08 19:58:12 | 001,512,448 | ---- | M] (Irfan Skiljan) -- C:\Users\Zack\Desktop\iview430_setup.exe
[2011/08/08 00:52:05 | 001,248,324 | ---- | M] () -- C:\Users\Zack\Desktop\imp2.jpg
[2011/08/08 00:52:00 | 001,259,848 | ---- | M] () -- C:\Users\Zack\Desktop\imp3.jpg
[2011/08/08 00:49:03 | 001,606,703 | ---- | M] () -- C:\Users\Zack\Desktop\02048_thecliffs_1920x1080.jpg
[2011/08/06 15:06:54 | 009,712,899 | ---- | M] () -- C:\Users\Zack\Desktop\Bassnectar & Seth Drake -- Above & Beyond.mp3
[2011/08/03 14:23:57 | 000,063,463 | ---- | M] () -- C:\Users\Zack\Desktop\Returned Property Receipt Mailed rev.pdf
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/08/26 00:56:26 | 001,390,139 | ---- | C] () -- C:\Users\Zack\Desktop\tdsskiller.zip
[2011/08/26 00:38:03 | 000,002,971 | ---- | C] () -- C:\Users\Zack\Desktop\HiJackThis.lnk
[2011/08/26 00:37:35 | 001,402,880 | ---- | C] () -- C:\Users\Zack\Desktop\HiJackThis.msi
[2011/08/26 00:16:50 | 000,000,180 | ---- | C] () -- C:\Users\Zack\AppData\Roaming\80f82bi6.bat
[2011/08/25 23:46:43 | 000,000,120 | ---- | C] () -- C:\Users\Zack\AppData\Local\Lziyezakoboxag.dat
[2011/08/25 23:46:43 | 000,000,000 | ---- | C] () -- C:\Users\Zack\AppData\Local\Jyawecavalegac.bin
[2011/08/25 23:46:29 | 000,000,004 | -H-- | C] () -- C:\Users\Zack\AppData\Roaming\mlog
[2011/08/25 23:46:16 | 000,000,004 | -H-- | C] () -- C:\Users\Zack\AppData\Roaming\ylog
[2011/08/25 23:42:55 | 000,000,144 | ---- | C] () -- C:\Users\Zack\AppData\Roaming\91f92cj7.bat
[2011/08/22 19:16:32 | 1334,519,140 | ---- | C] () -- C:\Users\Zack\Desktop\PES2012DEMO.zip
[2011/08/18 21:00:58 | 384,118,330 | ---- | C] () -- C:\Users\Zack\Desktop\gc11_darksouls_pres_part2.wmv
[2011/08/18 20:45:49 | 611,370,469 | ---- | C] () -- C:\Users\Zack\Desktop\gc11_darksouls_pres_part1.wmv
[2011/08/16 20:27:15 | 116,887,687 | ---- | C] () -- C:\Users\Zack\Desktop\gc11_bf3_ea.wmv
[2011/08/16 17:59:08 | 304,168,240 | ---- | C] () -- C:\Users\Zack\Desktop\bf3_gamescom_caspianborder_pegi_1080p60_20mbps.mov
[2011/08/16 01:32:29 | 005,717,815 | ---- | C] () -- C:\Users\Zack\Desktop\0e54e0b.jpg
[2011/08/15 19:55:46 | 000,686,144 | ---- | C] () -- C:\Users\Zack\Desktop\Nappa-Sterling-Family-Desktop.jpg
[2011/08/10 00:14:36 | 000,471,086 | ---- | C] () -- C:\Users\Zack\Desktop\000339.pdf
[2011/08/09 23:24:57 | 000,380,796 | ---- | C] () -- C:\Users\Zack\Desktop\UTkRc.jpg
[2011/08/08 19:58:47 | 000,001,002 | ---- | C] () -- C:\Users\Zack\Desktop\IrfanView.lnk
[2011/08/08 00:52:04 | 001,248,324 | ---- | C] () -- C:\Users\Zack\Desktop\imp2.jpg
[2011/08/08 00:51:59 | 001,259,848 | ---- | C] () -- C:\Users\Zack\Desktop\imp3.jpg
[2011/08/08 00:49:02 | 001,606,703 | ---- | C] () -- C:\Users\Zack\Desktop\02048_thecliffs_1920x1080.jpg
[2011/08/06 15:06:51 | 009,712,899 | ---- | C] () -- C:\Users\Zack\Desktop\Bassnectar & Seth Drake -- Above & Beyond.mp3
[2011/08/03 14:23:56 | 000,063,463 | ---- | C] () -- C:\Users\Zack\Desktop\Returned Property Receipt Mailed rev.pdf
[2011/07/06 22:42:34 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2011/07/06 22:42:34 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2011/07/06 22:42:34 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/07/06 22:42:34 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/07/06 22:42:34 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/05/05 01:28:10 | 000,059,904 | ---- | C] () -- C:\Windows\SysWow64\OVDecode.dll
[2011/03/17 13:51:44 | 000,003,929 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat
[2011/03/02 19:39:39 | 000,000,028 | ---- | C] () -- C:\Windows\UML.INI
[2010/12/20 23:00:30 | 002,434,856 | ---- | C] () -- C:\Windows\SysWow64\pbsvc_bc2.exe
[2010/11/04 16:14:37 | 000,000,600 | ---- | C] () -- C:\Users\Zack\AppData\Local\PUTTY.RND
[2010/10/14 02:36:44 | 000,179,263 | ---- | C] () -- C:\Windows\SysWow64\xlive.dll.cat
[2010/09/09 23:25:05 | 000,256,844 | -H-- | C] () -- C:\Windows\SysWow64\mlfcache.dat
[2010/08/01 12:29:46 | 000,000,056 | -H-- | C] () -- C:\Windows\SysWow64\ezsidmv.dat
[2010/07/27 18:46:21 | 000,000,262 | ---- | C] () -- C:\Windows\{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}_WiseFW.ini
[2010/07/23 20:11:19 | 000,881,086 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2010/07/23 20:10:15 | 000,280,736 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrB.exe
[2010/07/23 20:10:15 | 000,075,136 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrA.exe
[2010/07/23 20:10:14 | 002,373,712 | ---- | C] () -- C:\Windows\SysWow64\pbsvc.exe
[2010/07/23 18:49:17 | 000,790,528 | ---- | C] () -- C:\Windows\SysWow64\xvidcore.dll
[2010/07/23 18:49:17 | 000,165,376 | ---- | C] () -- C:\Windows\SysWow64\unrar.dll
[2010/07/23 18:49:17 | 000,134,144 | ---- | C] () -- C:\Windows\SysWow64\xvidvfw.dll
[2010/07/23 18:49:17 | 000,108,032 | ---- | C] () -- C:\Windows\SysWow64\ff_vfw.dll
[2010/07/23 18:49:17 | 000,000,038 | ---- | C] () -- C:\Windows\avisplitter.ini
[2010/07/23 18:35:57 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2009/07/14 01:38:36 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/13 22:35:51 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2009/07/13 22:34:42 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2009/07/13 20:10:29 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 17:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/07/08 21:03:02 | 000,058,880 | ---- | C] () -- C:\Windows\SysWow64\bdmpegv.dll
[2009/06/10 17:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat
[2003/07/07 12:08:54 | 000,028,672 | ---- | C] () -- C:\Windows\SysWow64\frapsvid.dll

========== LOP Check ==========

[2010/11/28 01:39:53 | 000,000,000 | ---D | M] -- C:\Users\Zack\AppData\Roaming\Autodesk
[2010/08/27 18:06:00 | 000,000,000 | ---D | M] -- C:\Users\Zack\AppData\Roaming\Blackberry Desktop
[2010/12/19 18:47:04 | 000,000,000 | ---D | M] -- C:\Users\Zack\AppData\Roaming\Braid
[2011/08/26 00:59:44 | 000,000,000 | ---D | M] -- C:\Users\Zack\AppData\Roaming\Dropbox
[2010/11/04 21:32:00 | 000,000,000 | ---D | M] -- C:\Users\Zack\AppData\Roaming\FileZilla
[2011/08/08 19:58:47 | 000,000,000 | ---D | M] -- C:\Users\Zack\AppData\Roaming\IrfanView
[2010/07/24 11:32:23 | 000,000,000 | ---D | M] -- C:\Users\Zack\AppData\Roaming\Launchy
[2010/11/07 22:14:01 | 000,000,000 | ---D | M] -- C:\Users\Zack\AppData\Roaming\LolClient
[2010/11/04 17:11:46 | 000,000,000 | ---D | M] -- C:\Users\Zack\AppData\Roaming\Notepad++
[2010/08/27 19:15:38 | 000,000,000 | ---D | M] -- C:\Users\Zack\AppData\Roaming\Octoshape
[2011/01/14 22:04:07 | 000,000,000 | ---D | M] -- C:\Users\Zack\AppData\Roaming\OnLive App
[2010/10/22 20:15:22 | 000,000,000 | ---D | M] -- C:\Users\Zack\AppData\Roaming\RayV
[2010/08/27 18:00:17 | 000,000,000 | ---D | M] -- C:\Users\Zack\AppData\Roaming\Research In Motion
[2011/05/18 17:47:11 | 000,000,000 | ---D | M] -- C:\Users\Zack\AppData\Roaming\RIFT
[2011/01/12 18:29:28 | 000,000,000 | ---D | M] -- C:\Users\Zack\AppData\Roaming\Sling Media
[2011/07/21 22:10:19 | 000,000,000 | ---D | M] -- C:\Users\Zack\AppData\Roaming\Spotify
[2010/12/06 19:19:36 | 000,000,000 | ---D | M] -- C:\Users\Zack\AppData\Roaming\SQL Developer
[2010/07/23 19:34:44 | 000,000,000 | ---D | M] -- C:\Users\Zack\AppData\Roaming\Trillian
[2011/08/16 20:39:42 | 000,000,000 | ---D | M] -- C:\Users\Zack\AppData\Roaming\uTorrent
[2011/07/06 22:27:09 | 000,032,620 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Files - Unicode (All) ==========
[2010/10/28 19:14:34 | 000,000,000 | ---D | M](C:\Users\Zack\Documents\?? ???) -- C:\Users\Zack\Documents\넥슨 플러그
[2010/10/28 19:14:34 | 000,000,000 | ---D | C](C:\Users\Zack\Documents\?? ???) -- C:\Users\Zack\Documents\넥슨 플러그

< End of report >



#2
Gammo

    Trusted Helper

  • Malware Removal
  • 2,299 posts
Hi,

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    SRV - [2011/07/15 20:01:52 | 000,554,496 | ---- | M] (AIDEX Team) [Auto | Running] -- C:\Windows\SysWOW64\qmgrprxy32.exe -- (ShellHWDetection32)
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:60182
    FF - prefs.js..network.proxy.http: "127.0.0.1"
    FF - prefs.js..network.proxy.http_port: 60182
    FF - prefs.js..network.proxy.type: 4
    [2011/08/26 00:30:40 | 000,554,496 | ---- | C] (AIDEX Team) -- C:\ProgramData\api-ms-win-core-localization-l1-1-032.exe
    [2011/08/26 00:16:50 | 000,055,808 | ---- | C] ( ) -- C:\Users\Zack\AppData\Roaming\n4f9.exe
    [2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
    [2011/08/26 00:16:50 | 000,000,180 | ---- | M] () -- C:\Users\Zack\AppData\Roaming\80f82bi6.bat
    [2011/08/25 23:47:38 | 000,000,004 | -H-- | M] () -- C:\Users\Zack\AppData\Roaming\mlog
    [2011/08/25 23:46:43 | 000,000,120 | ---- | M] () -- C:\Users\Zack\AppData\Local\Lziyezakoboxag.dat
    [2011/08/25 23:46:43 | 000,000,000 | ---- | M] () -- C:\Users\Zack\AppData\Local\Jyawecavalegac.bin
    [2011/08/25 23:46:22 | 000,000,004 | -H-- | M] () -- C:\Users\Zack\AppData\Roaming\ylog
    [2011/08/25 23:42:55 | 000,000,144 | ---- | M] () -- C:\Users\Zack\AppData\Roaming\91f92cj7.bat
    [2011/08/25 23:42:51 | 000,055,808 | ---- | M] ( ) -- C:\Users\Zack\AppData\Roaming\n4f9.exe
    
    :Services
    
    :Reg
    
    :Files
    ipconfig /flushdns /c
    C:\ProgramData\*.*              
    C:\Users\Zack\AppData\Roaming\*.*
    C:\Users\Zack\AppData\Local\*.bin
    C:\Users\Zack\AppData\Local\*.dat
    c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\*.*
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [emptyflash]
    [createrestorepoint]
    [reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now
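A note on what the fix above actually targets, with an added example that is not part of the original thread. The service entry runs a binary from SysWOW64 under a name one digit-suffix away from the genuine Shell Hardware Detection service (ShellHWDetection), and both the IE registry value and the Firefox prefs point the browser at a proxy on 127.0.0.1:60182, that is, at a process on the infected machine itself, which then sees and can rewrite every HTTP request. That is one way search results end up redirected. The Python below is triage logic I wrote for this page, not OTL code: it runs over OTL-style log lines (a constructed sample modelled on the quoted lines, with an invented benign SRV entry added for contrast) and flags loopback proxies and look-alike service names. KNOWN_SERVICES is an illustrative subset, not a real baseline.

```python
"""Triage OTL-style log lines for the two hijack mechanisms removed in the fix
above: a browser proxy pinned to the loopback interface and a service whose
name imitates a built-in Windows service.  Added example, not OTL code."""
import ipaddress
import re

# Constructed sample, modelled on the OTL lines quoted in the fix (the second
# SRV line is an invented benign entry for contrast, not from the poster's log).
SAMPLE_OTL = r"""
SRV - [2011/07/15 20:01:52 | 000,554,496 | ---- | M] (AIDEX Team) [Auto | Running] -- C:\Windows\SysWOW64\qmgrprxy32.exe -- (ShellHWDetection32)
SRV - [2009/07/14 01:41:54 | 000,027,136 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\svchost.exe -- (ShellHWDetection)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:60182
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 60182
FF - prefs.js..network.proxy.type: 4
"""

# Illustrative subset of built-in service names; a real baseline would be
# exported from a clean machine of the same Windows build.
KNOWN_SERVICES = {"ShellHWDetection", "BITS", "wuauserv", "Dnscache", "WinDefend"}

SRV_RE = re.compile(r"^SRV - .*? -- (?P<path>.+?) -- \((?P<name>[^)]+)\)\s*$")
IE_PROXY_RE = re.compile(r'^IE - .*"ProxyServer" = (?P<value>.+?)\s*$')
FF_PREF_RE = re.compile(r"^FF - prefs\.js\.\.(?P<key>network\.proxy\.[\w.]+): (?P<value>.+?)\s*$")


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 or 'localhost' (IPv6 brackets tolerated)."""
    host = host.strip("[]")
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def parse_ie_proxy(value):
    """Split an IE ProxyServer value into (scheme, host, port) tuples.
    Accepted forms: 'host:port' (all protocols) or 'http=host:port;https=host:port'."""
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")      # scheme is '' when absent
        host, sep, port = hostport.rpartition(":")
        if not sep:                                     # no port given at all
            host, port = port, ""
        entries.append((scheme or "*", host.strip("[]"), int(port) if port.isdigit() else None))
    return entries


def triage(log_text):
    """Return human-readable findings for the suspicious lines in log_text."""
    findings = []
    ff = {}
    for line in log_text.splitlines():
        m = SRV_RE.match(line)
        if m:
            name, path = m["name"], m["path"]
            stem = re.sub(r"\d+$", "", name)            # ShellHWDetection32 -> ShellHWDetection
            if stem != name and stem in KNOWN_SERVICES:
                findings.append(f"service {name} imitates built-in {stem}; binary {path}")
            continue
        m = IE_PROXY_RE.match(line)
        if m:
            for scheme, host, port in parse_ie_proxy(m["value"]):
                if is_loopback(host):
                    findings.append(f"IE {scheme} proxy routed through loopback {host}:{port}")
            continue
        m = FF_PREF_RE.match(line)
        if m:
            ff[m["key"]] = m["value"].strip('"')
    host = ff.get("network.proxy.http")
    if host and is_loopback(host):
        # Firefox honours network.proxy.http only when network.proxy.type is 1 (manual);
        # 4 is auto-detect (WPAD) and 5 is 'use system settings', so the entry may be dormant.
        ptype = ff.get("network.proxy.type", "unset")
        state = "active" if ptype == "1" else f"dormant (network.proxy.type={ptype})"
        port = ff.get("network.proxy.http_port", "?")
        findings.append(f"Firefox HTTP proxy routed through loopback {host}:{port}, {state}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_OTL):
        print("!", finding)
```

Run against a real OTL log, the script reports the same three classes of finding the helper picked out by hand. Note that the Firefox entry in the quoted log has network.proxy.type 4, so the manual proxy was not what Firefox was using at that moment; the IE value is what Chrome and other system-proxy consumers inherit, and it is the one worth chasing first.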

#3
badlands31

    New Member

  • Member
  • Pip
  • 9 posts
The programs/.exe's I was having issues with are no longer in my task manager and the redirecting seems to have stopped. Here are the logs. Thank you for your assistance so far!


OTL Log:

All processes killed
========== OTL ==========
Error: Unable to stop service ShellHWDetection32!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ShellHWDetection32 deleted successfully.
C:\Windows\SysWOW64\qmgrprxy32.exe moved successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
Prefs.js: "127.0.0.1" removed from network.proxy.http
Prefs.js: 60182 removed from network.proxy.http_port
Prefs.js: 4 removed from network.proxy.type
C:\ProgramData\api-ms-win-core-localization-l1-1-032.exe moved successfully.
C:\Users\Zack\AppData\Roaming\n4f9.exe moved successfully.
C:\Windows\1C4551A64743409391E41477CD655043.TMP\WiseCustomCalla.dll deleted successfully.
C:\Windows\1C4551A64743409391E41477CD655043.TMP folder deleted successfully.
C:\Windows\B83FC356B7C0441F8A4DD71E088E7974.TMP\WiseCustomCalla.dll deleted successfully.
C:\Windows\B83FC356B7C0441F8A4DD71E088E7974.TMP folder deleted successfully.
C:\Users\Zack\AppData\Roaming\80f82bi6.bat moved successfully.
C:\Users\Zack\AppData\Roaming\mlog moved successfully.
C:\Users\Zack\AppData\Local\Lziyezakoboxag.dat moved successfully.
C:\Users\Zack\AppData\Local\Jyawecavalegac.bin moved successfully.
C:\Users\Zack\AppData\Roaming\ylog moved successfully.
C:\Users\Zack\AppData\Roaming\91f92cj7.bat moved successfully.
File C:\Users\Zack\AppData\Roaming\n4f9.exe not found.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Zack\Desktop\cmd.bat deleted successfully.
C:\Users\Zack\Desktop\cmd.txt deleted successfully.
File\Folder C:\ProgramData\*.* not found.
C:\Users\Zack\AppData\Roaming\lrrqu.log moved successfully.
C:\Users\Zack\AppData\Roaming\Rim.Desktop.Exception.log moved successfully.
C:\Users\Zack\AppData\Roaming\Rim.Desktop.HttpServerSetup.log moved successfully.
File\Folder C:\Users\Zack\AppData\Local\*.bin not found.
C:\Users\Zack\AppData\Local\GDIPFONTCACHEV1.DAT moved successfully.
c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\lrrqu.log moved successfully.
c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\MouseDriver.bat moved successfully.
c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\n4f9.exe moved successfully.
c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\y270mssr.exe moved successfully.
c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\zzy1rw1cv.exe moved successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Zack
->Temp folder emptied: 88520643 bytes
->Temporary Internet Files folder emptied: 7982164 bytes
->Java cache emptied: 11762716 bytes
->FireFox cache emptied: 103733438 bytes
->Google Chrome cache emptied: 31863260 bytes
->Flash cache emptied: 1316438 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 67563 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 234.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Public

User: Zack
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.26.5 log created on 08272011_101201

Files\Folders moved on Reboot...
C:\Users\Zack\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...


Combofix Log:

ComboFix 11-08-27.01 - Zack 08/27/2011 10:21:56.4.2 - x64
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.4094.2832 [GMT -4:00]
Running from: c:\users\Zack\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-07-27 to 2011-08-27 )))))))))))))))))))))))))))))))
.
.
2011-08-27 14:30 . 2011-08-27 14:30 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-08-27 14:30 . 2011-08-27 14:30 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-08-27 14:12 . 2011-08-27 14:12 -------- d-----w- C:\_OTL
2011-08-26 04:43 . 2011-08-26 04:43 -------- d-----w- c:\program files (x86)\ESET
2011-08-26 04:38 . 2011-08-26 04:38 388096 ----a-r- c:\users\Zack\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-08-26 04:38 . 2011-08-26 04:38 -------- d-----w- c:\program files (x86)\Trend Micro
2011-08-14 01:36 . 2011-08-14 01:36 -------- d-----w- c:\programdata\id Software
2011-08-08 23:58 . 2011-08-08 23:58 -------- d-----w- c:\users\Zack\AppData\Roaming\IrfanView
2011-08-08 23:58 . 2011-08-08 23:58 -------- d-----w- c:\program files (x86)\IrfanView
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-26 02:18 . 2010-12-21 03:01 280736 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2011-08-26 02:18 . 2010-07-24 00:10 280736 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2011-08-26 02:07 . 2010-07-24 00:10 215128 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2011-08-10 21:33 . 2011-05-18 21:09 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((( SnapShot_2011-08-26_04.16.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-26 04:27 . 2011-08-26 04:31 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2011-08-26 04:29 . 2011-08-26 04:31 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011082620110827\index.dat
+ 2011-08-26 04:27 . 2011-08-26 04:31 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2010-07-24 15:32 . 2011-08-27 14:20 35704 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-07-14 05:10 . 2011-08-26 03:56 36824 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-08-27 14:20 36824 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-07-23 22:37 . 2011-08-27 14:20 13766 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2511343510-2362421710-3736614235-1001_UserData.bin
- 2010-07-23 22:36 . 2011-08-26 04:16 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-07-23 22:36 . 2011-08-27 14:31 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-07-23 22:36 . 2011-08-27 14:31 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-07-23 22:36 . 2011-08-26 04:16 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-07-23 22:36 . 2011-08-26 04:16 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-07-23 22:36 . 2011-08-27 14:31 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-07-23 22:36 . 2011-08-27 14:31 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-07-23 22:36 . 2011-08-26 04:16 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-07-23 22:36 . 2011-08-27 14:31 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-07-23 22:36 . 2011-08-26 04:16 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-08-26 04:16 . 2011-08-26 04:16 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-08-27 14:31 . 2011-08-27 14:31 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-08-26 04:16 . 2011-08-26 04:16 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-08-27 14:31 . 2011-08-27 14:31 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 04:54 . 2011-08-26 04:31 114688 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2011-08-26 04:31 131072 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-08-26 04:31 2916352 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-07-24 07:46 . 2011-08-26 04:14 1808312 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2010-07-24 07:46 . 2011-08-27 14:30 1808312 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2011-08-26 04:37 . 2011-08-26 04:37 1402880 c:\windows\Installer\1493f8.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Zack\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Zack\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Zack\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Zack\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1475072]
"Octoshape Streaming Services"="c:\users\Zack\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" [2009-01-08 70936]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-01-26 336384]
"ATICustomerCare"="c:\program files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-04 311296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
.
c:\users\Zack\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Zack\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-07-26 25832]
R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2010-10-13 1436424]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files (x86)\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2008-07-10 47128]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-07-10 369688]
S0 FSProFilter;FSPro File Filter;c:\windows\System32\Drivers\FSPFltd.sys [x]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 27136]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 fsproflt;FSPro Filter Service;c:\windows\SysWOW64\fsproflt.exe [2010-01-06 142648]
S2 mi-raysat_3dsmax2011_64;mental ray 3.8 Satellite for Autodesk 3ds Max 2011 64-bit 64-bit;c:\program files\Autodesk\3ds Max 2011\mentalimages\satellite\raysat_3dsmax2011_64server.exe [2010-03-10 86016]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2009-10-09 493248]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2511343510-2362421710-3736614235-1001Core.job
- c:\users\Zack\AppData\Local\Google\Update\GoogleUpdate.exe [2010-07-23 23:11]
.
2011-08-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2511343510-2362421710-3736614235-1001UA.job
- c:\users\Zack\AppData\Local\Google\Update\GoogleUpdate.exe [2010-07-23 23:11]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Zack\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Zack\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Zack\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Zack\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2009-09-30 825184]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
FF - ProfilePath - c:\users\Zack\AppData\Roaming\Mozilla\Firefox\Profiles\6bjxzua0.default\
FF - prefs.js: network.proxy.http -
FF - prefs.js: network.proxy.http_port -
FF - prefs.js: network.proxy.type -
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: WebSlingPlayer: {9EB34849-81D3-4841-939D-666D522B889A} - %profile%\extensions\{9EB34849-81D3-4841-939D-666D522B889A}
FF - Ext: Pencil: pencil@evolus.vn - %profile%\extensions\pencil@evolus.vn
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Octoshape add-in for Adobe Flash Player - c:\users\Zack\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2511343510-2362421710-3736614235-1001\Software\SecuROM\License information*]
"datasecu"=hex:8e,80,d5,df,04,35,f4,ff,5d,74,ad,cc,94,de,e3,9b,56,74,8c,5c,4f,
5a,1c,4d,d9,9a,e3,45,0e,43,5e,b6,ed,6c,05,5d,04,9b,1d,7f,79,53,77,3d,3e,e1,\
"rkeysecu"=hex:55,3c,15,51,f5,ef,7d,d5,76,84,bd,57,64,a0,f4,50
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}]
@Denied: (A 2) (Everyone)
@="IFlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\TypeLib]
@="{6EF568F4-D437-4466-AA63-A3645136D93E}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\windows\SysWOW64\PnkBstrA.exe
.
**************************************************************************
.
Completion time: 2011-08-27 10:36:30 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-27 14:36
ComboFix2.txt 2011-08-26 04:21
ComboFix3.txt 2011-07-18 02:33
ComboFix4.txt 2011-07-07 02:57
.
Pre-Run: 184,750,829,568 bytes free
Post-Run: 184,549,629,952 bytes free
.
- - End Of File - - 3C772760F0C92FDA25D20CE1EB058635
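The fix in the previous reply reset the hosts file ([resethosts]) and the OTL log above confirms it ("HOSTS file reset successfully"). Before wiping that file a responder usually wants to see what was in it, because it is the other common redirect mechanism: a line that pins a search engine or an AV vendor's site to an attacker-chosen address, or sinkholes it to 127.0.0.1 so updates fail. The Python below is an added example written for this page, not OTL or ComboFix code. The hosts content is constructed for illustration (203.0.113.7 is a documentation-range address), and WATCHED_SUFFIXES is an illustrative list. It reads the real file if you pass its path, for example C:\Windows\System32\drivers\etc\hosts, and otherwise audits the sample.

```python
"""Audit a Windows hosts file for the redirect/blocking entries that the
[resethosts] step wipes.  Added example, not OTL or ComboFix code; the sample
hosts content and the watched-domain list are constructed for illustration."""
import ipaddress

# Constructed sample.  A clean Windows 7 hosts file contains only comments, so
# every active line deserves a look.  203.0.113.7 is a documentation-range address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#       127.0.0.1       localhost
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org      # blocks the AV vendor's site
0.0.0.0         ads.example.net
203.0.113.7     www.google.com google.com # pins the search engine to a foreign host
"""

# Names that legitimately map to a local address.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

# Domains whose presence in hosts is a strong signal (illustrative, not exhaustive).
WATCHED_SUFFIXES = ("google.com", "bing.com", "microsoft.com", "windowsupdate.com",
                    "malwarebytes.org", "eset.com")


def parse_hosts(text):
    """Yield (ip, [hostnames]) for every active line; '#' comments and blanks are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2:
            yield fields[0], fields[1:]


def is_watched(name):
    """True when name is one of the watched domains or a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text):
    """Return (level, ip, hostname, reason) tuples, highest concern first."""
    findings = []
    for ip_text, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            findings.append(("medium", ip_text, " ".join(names), "unparseable address"))
            continue
        sinkhole = ip.is_loopback or ip.is_unspecified     # 127.x / ::1 / 0.0.0.0
        for name in names:
            if sinkhole and name.lower() in LOCAL_NAMES:
                continue                                    # the one benign pattern
            if sinkhole:
                level = "high" if is_watched(name) else "low"   # low: may be an ad-block list
                reason = "blocked (resolves to sinkhole address)"
            else:
                level = "high" if is_watched(name) else "medium"
                reason = "redirected to a non-local address"
            findings.append((level, ip_text, name, reason))
    order = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: order[f[0]])               # stable sort keeps file order within a level
    return findings


if __name__ == "__main__":
    import sys
    # Pass the real file as an argument to audit a live system; with no
    # argument the constructed sample above is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for level, ip, name, reason in audit_hosts(text):
        print(f"[{level:6}] {ip:15} {name:30} {reason}")
```

Keep a copy of the original file (the OTL fix moves it rather than deleting it) so the flagged addresses can be blocked at the router or reported; they are often the only network indicator a home user will have of where the traffic was going.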

#4
Gammo

    Trusted Helper

  • Malware Removal
  • 2,299 posts
Hi,

Please download Malwarebytes' Anti-Malware

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, click the "Update" tab and click the "Check For updates" button.
  • Once the updates were downloaded, click the "Scanner" tab, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your currently installed Anti-Virus; how to do so can be read here.

Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here then click on: Posted Image

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically. The scan may take several hours.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish; make sure you copy the logfile first!
  • Now click on: Posted Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!
  • 0

#5
badlands31

badlands31

    New Member

  • Member
  • Pip
  • 9 posts
Am I supposed to select delete quarantined files on close for the ESET scanner? I still have it open but here are the logs.

ESET Log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.7600.16385 (win7_rtm.090713-1255)
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=42a5e79fdf36a644849eaca607ea0d98
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-08-26 04:52:28
# local_time=2011-08-26 12:52:28 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7600 NT
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=5893 16776573 100 94 33644234 65877414 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=1315
# found=0
# cleaned=0
# scan_time=384
# version=7
# iexplore.exe=8.00.7600.16385 (win7_rtm.090713-1255)
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=42a5e79fdf36a644849eaca607ea0d98
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-08-27 05:57:21
# local_time=2011-08-27 01:57:21 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7600 NT
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=5893 16776573 100 94 33768450 66001630 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=286696
# found=23
# cleaned=23
# scan_time=9661
C:\Program Files (x86)\Fraps\fraps.exe probably a variant of Win32/TrojanDownloader.Agent.IGPHFIS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files (x86)\Trend Micro\HiJackThis\backups\backup-20110826-003950-943.dll a variant of Win32/Kryptik.QSR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Users\Zack\AppData\Roaming\dwm.exe.vir Win32/Cycbot.AF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Users\Zack\AppData\Roaming\manager.exe.vir probably a variant of Win32/TrojanClicker.VB.NRQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Users\Zack\AppData\Roaming\Microsoft\conhost.exe.vir a variant of Win32/Kryptik.QAD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Users\Zack\AppData\Roaming\Mozilla\Firefox\Profiles\6bjxzua0.default\extensions\{6667b42c-fb8a-49e6-86bc-648fe807ae10}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Users\Zack\AppData\Roaming\Mozilla\Firefox\Profiles\6bjxzua0.default\extensions\{6667b42c-fb8a-49e6-86bc-648fe807ae10}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Windows\SysWOW64\Nwsapagents.dll.vir Win32/Agent.OLC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Zack\AppData\Local\Google\Chrome\User Data\Default\Default\mapeadaemllcbhbgfbhecgbphodapcjo\contentscript.js Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\_OTL\MovedFiles\08272011_101201\C_ProgramData\api-ms-win-core-localization-l1-1-032.exe a variant of Win32/Kryptik.QSR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\_OTL\MovedFiles\08272011_101201\C_Users\Zack\AppData\Roaming\n4f9.exe a variant of Win32/VB.PWQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\_OTL\MovedFiles\08272011_101201\C_Windows\SysWOW64\qmgrprxy32.exe a variant of Win32/Kryptik.QSR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\_OTL\MovedFiles\08272011_101201\C_Windows\SysWOW64\config\systemprofile\AppData\Roaming\n4f9.exe a variant of Win32/VB.PWQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\_OTL\MovedFiles\08272011_101201\C_Windows\SysWOW64\config\systemprofile\AppData\Roaming\y270mssr.exe probably a variant of Win32/TrojanClicker.VB.NRQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\_OTL\MovedFiles\08272011_101201\C_Windows\SysWOW64\config\systemprofile\AppData\Roaming\zzy1rw1cv.exe probably a variant of Win32/TrojanClicker.VB.NRQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\Container\Games\Street Fighter IV Unlocker.exe Win32/HackTool.CheatEngine.AB application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\Container\Games\psp\pspvideo9-408-setup.exe Win32/OpenCandy application (deleted - quarantined) 00000000000000000000000000000000 C
D:\Container\Games\SF4 Backup\Uninstalled\Decapre___Cammy_Mod_for_SFIV_by_IceBreakker.rar Win32/HackTool.CheatEngine.AB application (deleted - quarantined) 00000000000000000000000000000000 C
D:\Container\Other\ObjectDock Plus v1.90.rar a variant of Win32/HackTool.Patcher.J application (deleted - quarantined) 00000000000000000000000000000000 C
D:\Container\Other\Stardock WB & ODPlus.rar a variant of Win32/HackTool.Patcher.J application (deleted - quarantined) 00000000000000000000000000000000 C
D:\Container\Other\ultramon 3.rar a variant of Win32/Keygen.AD application (deleted - quarantined) 00000000000000000000000000000000 C
D:\Container\Other\Installers\Fraps_setup.rar probably a variant of Win32/TrojanDownloader.Agent.IGPHFIS trojan (deleted - quarantined) 00000000000000000000000000000000 C
D:\Container\Other\Installers\unlocker1.8.7.exe a variant of Win32/Adware.ADON application (deleted - quarantined) 00000000000000000000000000000000 C
MBAM Log:

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7587

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

8/27/2011 11:13:12 AM
mbam-log-2011-08-27 (11-13-12).txt

Scan type: Quick scan
Objects scanned: 176070
Time elapsed: 2 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0
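An added triage parser for the ESET log posted above (my example, not a tool from the thread or from ESET): it collects the `# key=value` headers into one dictionary per scan run, parses each detection line, and separates hits still in live locations from those already sitting in the ComboFix, OTL and HijackThis quarantine folders that earlier steps in the thread created. The quarantine-folder markers and the verdict pattern are assumptions inferred from this log's own lines.

```python
import re

# Added example for triaging the ESET Online Scanner log posted above (not a
# tool from the thread). Header lines are "# key=value", one block per scan
# run starting at "# version="; detection lines are
# "<path> <verdict> (<action>) <md5> <flag>". Paths under earlier tools'
# quarantine folders were already neutralised; live-location hits deserve a look.

QUARANTINE_MARKERS = ("\\Qoobox\\", "\\_OTL\\MovedFiles\\", "\\HiJackThis\\backups\\")

# Verdict shape (assumed from this log): "[probably ][a variant of ]Family/Variant trojan|application".
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<verdict>(?:probably )?(?:a variant of )?[A-Za-z0-9]+/\S+ \S+) "
    r"\((?P<action>[^)]+)\) (?P<md5>[0-9a-fA-F]{32}) (?P<flag>\S+)$"
)

def parse_eset_log(text):
    """Return (list of per-run header dicts, list of detection dicts)."""
    runs, detections, current = [], [], {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            if key == "version" and current:  # a new scan run begins here
                runs.append(current)
                current = {}
            current[key] = value  # repeated keys (compatibility_mode) keep the last value
            continue
        m = DETECTION_RE.match(line)
        if m:  # installer chatter and blank lines simply do not match
            d = m.groupdict()
            d["already_quarantined"] = any(q in d["path"] for q in QUARANTINE_MARKERS)
            detections.append(d)
    if current:
        runs.append(current)
    return runs, detections

def triage(detections):
    """Split detection paths into live-location hits and hits already in a tool quarantine."""
    live = [d["path"] for d in detections if not d["already_quarantined"]]
    quarantined = [d["path"] for d in detections if d["already_quarantined"]]
    return {"live": live, "quarantined": quarantined}

# Constructed sample: a trimmed copy of the log in the post above.
SAMPLE_LOG = r"""OnlineScanner64.ocx - registred OK
# version=7
# found=0
# version=7
# found=23
C:\Program Files (x86)\Fraps\fraps.exe probably a variant of Win32/TrojanDownloader.Agent.IGPHFIS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Users\Zack\AppData\Roaming\dwm.exe.vir Win32/Cycbot.AF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\Container\Games\Street Fighter IV Unlocker.exe Win32/HackTool.CheatEngine.AB application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""
```

Run on the full log, `triage()` shows which of the 23 hits ESET found outside the Qoobox and _OTL folders, which is the set worth checking by hand before calling the machine clean.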

#6
Gammo

Gammo

    Trusted Helper

  • Malware Removal
  • 2,299 posts
Hi,

Your logs appear to be clean now. There is only a bit of cleanup that we will deal with in this post, as well as prevention from future infections. ^_^

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • Download OTC to your desktop and run it
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Keep a backup of your important files
Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Make proper use of your anti-virus and firewall
You should keep your anti-virus and firewall guard enabled at all times, don't shut them off unless there's a specific reason to do so.

Also, regularly performing a full system scan with your anti-virus program is a good idea to make sure nothing has slipped through your protection. Once every two weeks works well for many people. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

Keep in mind that anti-virus programs are far from perfect. They don't protect you against every piece of malware that's out there, so don't trust them blindly. If an anti-virus reports a file as 'clean', that doesn't necessarily mean it is.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Keep all your software updated
It is important to keep up on system updates from Microsoft by regularly checking their website at: http://windowsupdate.microsoft.com/, as these patch critical security vulnerabilities and help to keep you safe.

It's also important to keep programs up to date so that malware doesn't exploit any old security flaws. FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. Java and Adobe Reader are two of the main security vulnerabilities. You can find the latest version of Java here, you will want the Java SE Runtime Environment (JRE) one. You can find the latest version of Adobe Reader here.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Use a safer web browser
Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a couple good free alternatives: Firefox and Opera. Both are excellent faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial here which will help you to make IE much safer.

If you decide to use the Firefox browser, the McAfee SiteAdvisor add-on will nicely help to enhance your security. This add-on tells you whether the sites you are about to visit are safe or not. A must if you do a lot of Googling.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Some other security programs

It is wise these days to have a few security programs installed and running on your machine apart from just an anti-virus and a firewall. I will list some of them.
  • A good anti-spyware program installed on your pc is very important to help remove any spyware that may have gotten on your computer. I highly recommend Malwarebytes' Anti-Malware.
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites in the future.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Be careful
Having security programs installed is very helpful to you, but none of them have the gift of human thought. The best way to make sure you don't get infected is to exercise common sense. Be careful of what websites you visit - if a site looks suspicious, trust your instincts and get out of there. Be careful of what attachments you open in emails and files you download from websites - check them over carefully to make sure that you know what you're getting.

Using peer-to-peer programs (e.g. LimeWire, BitTorrent, uTorrent, Kazaa) or downloading cracks and keygens is something else to avoid. These are the most common way to get infected. Malware writers use these programs to spread infections as it is the easiest way for them. The majority of infections we see in the Malware Removal forum are due to people using p2p programs to download cracks/keygens/warez. These are not only illegal, but will always contain some form of malware. You have no way of verifying that the things you download are legitimate or that they don't contain malware. Even with an up-to-date anti-virus and firewall, some of these things will still infect you. It is highly recommended that you uninstall all peer-to-peer programs. It just isn't worth it.

Other common ways of getting infected are disreputable sites forcing you to download and install a codec, or viruses using Instant Messaging programs (Windows Live Messenger, MSN Messenger, AIM) to send a file claiming it to be "photos" from a friend, only for it to turn out to be a virus.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Slow computer?
If your computer begins to slow down in the future for no particular reason, your first step should not be to come to the malware forum. As your computer ages and is used, its parts wear, files and programs accumulate, and its performance can decrease. To restore your computer's performance to its best possible level, follow the steps in this page written by malware expert Miekiemoes.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I'll leave this thread open for a couple days in case you come across any lingering problems that need fixing, then I'll close it up. If you need it reopened for any reason just shoot me a PM. It's been a pleasure working with you, now best of luck!

Cheers,
Gammo :)
  • 0
