Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Deep Spyware Popup Issue

Post by firefreak » November 17th, 2009, 10:14 am

Hi,

My name is Matthew Faust

Ok, I have a deep spyware issue. Every 5-10 minutes a spyware popup ensues. My Trend Toolbar stops it from opening the contents, but Trend Micro or any other program can't remove the pop-up. It is one of the most notorious URL.URTBUK ones.

It is very annoying. I work on a game and I can't afford to have a URL.UTBUK pop-up happen after a few clicks in Firefox.

I suspect the System32 directory, as my Windows folders have MANY random file names in them. Some are suspicious but I'm afraid to touch any. I ALWAYS update Windows and check manually all the time. All software is always up-to-date.

My HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:12:34 PM, on 17/11/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
C:\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\conime.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Users\Matt\AppData\Local\Temp\jre-6u17-windows-i586-iftw-rv.exe
C:\Program Files\Adobe\Adobe Dreamweaver CS4\Dreamweaver.exe
C:\Windows\system32\DllHost.exe
C:\Windows\explorer.exe
C:\Program Files\CoreFTP\coreftp.exe
C:\Trend Micro\Internet Security\UfNavi.exe
C:\Windows\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {007A0AD3-64E9-4621-8C75-91C1FBE782Df} - C:\Windows\System32\cscapi32.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
O4 - HKLM\..\Run: [RunDLLEntry] C:\Windows\system32\RunDLL32.exe C:\Windows\system32\AmbRunE.dll,RunDLLEntry
O4 - HKLM\..\Run: [Dell Webcam Central] "C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [MobileConnect] %programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [TrendSecure Remote File Lock] C:\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Matt\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\StartRegistryBooster.exe
O4 - HKCU\..\Run: [OE] "C:\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'Default user')
O4 - Startup: Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} (WMI Class) - http://supportapj.dell.com/systemprofiler/SysProExe.CAB
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O20 - AppInit_DLLs: C:\Windows\System32\dssenh32.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative ALchemy AL6 Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Sound Blaster X-Fi MB Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\XMBLicensing.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Vodafone Mobile Connect Service (VMCService) - Vodafone - C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)

--
End of file - 11729 bytes
firefreak
Active Member
 
Posts: 8
Joined: November 17th, 2009, 9:54 am
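The entries an analyst looks at first in a HijackThis log like the one above can be picked out mechanically. The script below is an added example written for this page; it is not code from the thread, from HijackThis or from Trend Micro. It parses the R/F/N/O entry lines, flags four kinds of entry that are worth identifying before anything else (a BHO registered with no name, a non-empty AppInit_DLLs value, a Winsock LSP file HJT cannot attribute, and a service whose binary is missing), and collapses identical repeated lines such as the nine O10 entries into one finding with a count. The sample input is a subset of the log above. A finding means "identify this entry", not a verdict that the file is malicious.

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis code).

Parses the numbered entry lines and applies a few review heuristics an analyst
applies by hand. A Finding means "look at this first", not "this is malware".
"""
import re
from collections import OrderedDict
from dataclasses import dataclass

# Entry lines look like "O2 - BHO: ...": a section code, " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")


@dataclass(frozen=True)
class Finding:
    code: str      # HJT section code, e.g. "O20"
    entry: str     # the full entry line as it appeared in the log
    reason: str    # why an analyst would identify this entry first
    count: int     # how many times the identical line appeared


def parse_entries(log_text):
    """Return (code, body) pairs for every HJT entry line; other lines are ignored."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def classify(code, body):
    """Return a review reason for one entry, or None if nothing stands out."""
    if code == "O2" and "(no name)" in body:
        return "BHO registered without a name; identify the DLL before trusting it"
    if code == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        return "AppInit_DLLs is set; the DLL is loaded into every process that loads user32.dll"
    if code == "O10" and "Unknown file in Winsock LSP" in body:
        return "Winsock LSP that HJT cannot attribute to a known product"
    if code == "O23" and "(file missing)" in body:
        return "service points to a binary that no longer exists"
    return None


def triage(log_text):
    """Parse the log and return Findings, collapsing identical repeated lines."""
    counts = OrderedDict()  # entry line -> [reason, occurrences]
    for code, body in parse_entries(log_text):
        reason = classify(code, body)
        if reason is None:
            continue
        entry = f"{code} - {body}"
        if entry in counts:
            counts[entry][1] += 1
        else:
            counts[entry] = [reason, 1]
    return [Finding(entry.split(" - ", 1)[0], entry, reason, n)
            for entry, (reason, n) in counts.items()]


# Sample input: a subset of the HijackThis log posted in the thread above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {007A0AD3-64E9-4621-8C75-91C1FBE782Df} - C:\Windows\System32\cscapi32.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O20 - AppInit_DLLs: C:\Windows\System32\dssenh32.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        times = f" (x{f.count})" if f.count > 1 else ""
        print(f"[{f.code}] {f.reason}{times}\n    {f.entry}")
```

Run against the full log instead of `SAMPLE_LOG` by reading the saved hijackthis.log file into `triage()`; adding a heuristic is a matter of one more branch in `classify()`, and because `triage()` keys on the whole entry line, any rule that fires on repeated lines is reported once with a count rather than once per line.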

Re: Deep Spyware Popup Issue

Post by Wingman » November 20th, 2009, 11:34 am

Hello... Welcome to the forum.

My name is Wingman, and I'll be helping you with any malware problems.
The logs I request can take a while to research, so please be patient.

I am currently under the guidance of the MRU teachers; everything I post to you has been reviewed by them.
This additional review process can add some extra time to my responses... but not too much. ;)

Before we begin...please read and follow these important guidelines, so things will proceed smoothly.
  1. The instructions being given are for YOUR computer and system only!
    Using these instructions on a different computer can cause damage to that computer and possibly render it inoperable!
  2. DO NOT run any other fix or removal tools unless instructed to do so!
  3. DO NOT install any other software (or hardware) during the cleaning process. This adds more items to be researched.
  4. Only- post your problem at (1) one help site. Applying fixes from multiple help sites can cause problems.
  5. Print each set of instructions...if possible...your Internet connection will not be available during some fix processes.
  6. Only- reply to this thread, do not start another ... Please, continue responding, until I give you the "All Clean"

I am currently reviewing your log and will return, as soon as possible, with additional instructions. In the meantime...
Please take time to read the Malware Removal Forum Guidelines and Rules where the conditions for receiving help at this forum are explained.

Please read all instructions carefully before executing and perform the steps, in the order given.
If you have any questions or problems executing these instructions, <<STOP>>, do not proceed; post back with the question or problem.

Step 1.
HJT - Uninstall Manager Log
Using Vista, you must right click (hijackthis.exe) and choose "Run As Administrator".
    Please run HijackThis Located in: C:\Program Files\Trend Micro\hijackthis.exe
      If you are on the "scan & fix stuff" page... Press the "Main Menu"...button.
  1. From the Main Menu...Press the "Open the Misc Tools"...button.
  2. Press the "Open Uninstall Manager..." button.
  3. Press only the Save List...button.
  4. Press the "Save" button. The file "uninstall_list.txt" will be saved in your HJT folder.
  5. Copy and paste the contents of "uninstall_list.txt" in your next reply.

Step 2.
Please include in your next reply:
  1. HJT uninstall_list.txt file contents
Thanks,
Wingman
Wingman
Admin/Teacher
 
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: Deep Spyware Popup Issue

Post by firefreak » November 20th, 2009, 5:33 pm

Uninstall list

Adobe AIR
Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Recommended Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Extra Settings CS4
Adobe Color Video Profiles CS CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Dreamweaver CS4
Adobe Dreamweaver CS4
Adobe Drive CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Linguistics CS4
Adobe Media Player
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Reader 9.2
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Setup
Adobe Shockwave Player 11.5
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Advanced Audio FX Engine
Age of Empires III
Apple Application Support
Apple Software Update
Audacity 1.2.6
Battlefield 1942
Battlefield 1942: Secret Weapons of WWII
Battlefield 1942: The Road To Rome
Battlefield 2142 Deluxe Edition
Canon MP Navigator EX 1.2
Canon MP190 series MP Drivers
Catalyst Control Center - Branding
Cisco EAP-FAST Module
Cisco PEAP Module
Combat Arms
Command & Conquer 3
Compatibility Pack for the 2007 Office system
Connect
Core FTP LE 2.1
Dell Dock
Dell Dock
Dell Edoc Viewer
Dell Support Center (Support Software)
Dell Touchpad
Dell Video Chat
Dell Webcam Central
Dell Wireless WLAN Card Utility
DesertCombat 0.7
GameSpy Comrade
Google Earth
Google Earth Plug-in
Google Update Helper
Google Updater
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Integrated Webcam Driver (1.02.01.0320)
Intel® Matrix Storage Manager
Java(TM) 6 Update 17
kuler
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Age of Empires
Microsoft Choice Guard
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office Live Add-in 1.4
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Suite Activation Assistant
Microsoft Office Word MUI (English) 2007
Microsoft Rise Of Nations
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.5.5)
Mozilla Firefox (3.6b2)
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB954430)
MSXML4 Parser
OGA Notifier 2.0.0048.0
Pando Media Booster
PDF Settings CS4
Photoshop Camera Raw
PowerDVD
PunkBuster for Battlefield 1942
QuickTime
Rise of Nations Thrones and Patriots
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Sid Meier's Civilization 4 - Beyond the Sword
Sid Meier's Civilization 4 Complete
Sid Meier's Railroad Tycoon
Skype web features
Skype™ 4.1
Sound Blaster X-Fi MB
Spelling Dictionaries Support For Adobe Reader 9
Suite Shared Configuration CS4
Trend Micro Internet Security Pro
Trend Micro Internet Security Pro
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 (KB974561)
Update for Microsoft Office Word 2007 Help (KB963665)
Vodafone Mobile Connect Lite
Vodafone Mobile Connect Lite Runtime Components
WIDCOMM Bluetooth Software 6.2.0.6600
WildTangent ORB Game Console
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sync
Windows Live Upload Tool
WinRAR archiver
Yahoo! Messenger
firefreak
Active Member
 
Posts: 8
Joined: November 17th, 2009, 9:54 am

Re: Deep Spyware Popup Issue

Post by Wingman » November 21st, 2009, 5:09 pm

Hi Matthew,

Please do not make any changes to your system by installing new software/hardware, and do not run any "fix" programs and/or remove any files unless instructed to do so by me.
Please read these instructions carefully before executing and then perform the steps in the order given.
If you have any questions or problems executing these instructions, <<STOP>>, do not proceed; post back with the question or problem.

Step 1.
CKScanner
Please download CKScanner ... Save it to your desktop.
Make sure that CKScanner.exe is on your desktop before running the application!
  1. Double-click on the CKScanner.exe icon... then click the Search For Files button.
    Using Vista, you must right click the (CKScanner.exe) icon and choose "Run As Administrator", then click the "Search For Files" button.
  2. When the scan is finished (the cursor hourglass disappears) click the Save List To File button.
    A text file will be created on your desktop named "ckfiles.txt"
  3. Click OK at the file saved message box. Double-click on the ckfiles.txt icon on your desktop.
  4. Please copy/paste the contents of ckfiles.txt in your next reply.

Step 2.
GMER
The downloaded file will have a random name... this prevents malware from detecting and blocking it.
Please download GMER... random file name.exe by GMER. An alternate (zip file) download site.
Note: Do not run any programs while Gmer is running.
**Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
  1. Double click on the random named.exe to execute. If asked, allow the gmer.sys driver load.
    Using Vista, you must right click random named.exe and choose "Run As Administrator".
  2. If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO <--- Important!
  3. On the right side panel, several boxes have been checked. Please UNCHECK the following: (see image below)
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All <-- don't miss this one

    (image of the GMER option panel showing the boxes to uncheck)

  4. If you don't get a warning then... Click the Rootkit/Malware tab at the top of the GMER window.
  5. Click the Scan button.
  6. Once the scan has finished... click Copy.
  7. Open Notepad and paste (Ctrl+V) what you copied.
  8. Select "Save As" in Notepad...saving the file to your desktop as "gmerRK.txt"... then close Notepad.
  9. Copy and paste the contents of the file gmerRK.txt in your next reply.

Step 3.
RSIT (Random's System Information Tool)
Please download RSIT by random/random... save it to your desktop.
  1. Right click on RSIT.exe and select "Run As Administrator" to run it. If Windows UAC prompts you, please allow it.
  2. Please read the disclaimer... click on Continue.
  3. RSIT will start running. When done... 2 log files will be produced.
    The first one, "log.txt", <<will be maximized... the second one, "info.txt", <<will be minimized.
  4. Please post both... "log.txt" and "info.txt", file contents in your next reply.
(These logs can be lengthy, so post 1 log per reply please.)

Step 4.
Please include in your next reply:
  1. Any problem executing the instructions?
  2. CKScanner ckfiles.txt file contents.
  3. GMER gmerRK.txt file contents
  4. RSIT log.txt and info.txt file contents.
  5. How is the computer behaving?
Thanks,
Wingman
Wingman
Admin/Teacher
 
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: Deep Spyware Popup Issue

Post by firefreak » November 22nd, 2009, 4:42 am

Before I continue, two things. One, I had a phase where I had a lot of torrents. Before I began, I uninstalled all p2p programs and basically all my cracked or torrented programs. A lot of the files in the step 1 scan are scraps left over.

Two, I can't go any further than step 2. Every time I run it, when it has been running for about 17 seconds (same problem as the Ad-Aware scan), it shuts down the program, with or without all programs open or closed. On GMER, it seems to end when it hits volumeshadowcopy3 or something like that. This is very suspicious, as it happens with two programs now.

Also, my computer is doing some strange activity recently. My system32 folder is 3.58GB in size, with 20,152 files and 1,571 folders. Something is up here, as my Trend Micro is picking up a threat called TROJ_CODEC.XXX.

Actually, just now as I opened an IE page via Trend Micro for threat info, the pop-up came. It had been silent recently as I cut down on using the internet, but now as I browse again it's back.

Trend Page: http://threatinfo.trendmicro.com/vinfo/ ... _CODEC.XXX
Pop-up page: http://url.urtbk.com/cpv.jsp?p=111211&a ... Id=7562545

Something is different here, as the URTBK pop-up opens after browsing a few pages. Also, both URLs are similar.

So, with that said, I believe I have more malware than I thought. Here is my step 1 log:

CKScanner - Additional Security Risks - These are not necessarily bad
c:\program files\2k games\firaxis games\sid meier's civilization 4 complete\assets\sounds\units\crackneck-000.wav
c:\program files\2k games\firaxis games\sid meier's civilization 4 complete\assets\sounds\units\crackneck-001.wav
c:\program files\2k games\firaxis games\sid meier's civilization 4 complete\assets\sounds\units\crackneck-002.wav
c:\program files\2k games\firaxis games\sid meier's civilization 4 complete\assets\sounds\units\crackneck-003.wav
c:\program files\2k games\firaxis games\sid meier's civilization 4 complete\assets\sounds\units\crackneck-004.wav
c:\program files\2k games\firaxis games\sid meier's civilization 4 complete\beyond the sword\mods\afterworld\assets\art\terrain\features\afterworldwalls\shadow_wall_2_cracked.dds
c:\program files\2k games\firaxis games\sid meier's civilization 4 complete\beyond the sword\mods\afterworld\assets\art\terrain\features\afterworldwalls\wall_2_cracked.nif
c:\program files\2k games\firaxis games\sid meier's civilization 4 complete\beyond the sword\mods\afterworld\assets\art\terrain\features\afterworldwalls\wall_2_cracked_diff.dds
c:\program files\2k games\firaxis games\sid meier's civilization 4 complete\warlords\assets\sounds\units\firecrackerexplode-000.wav
c:\program files\2k games\firaxis games\sid meier's civilization 4 complete\warlords\assets\sounds\units\firecrackerexplode-001.wav
c:\program files\2k games\firaxis games\sid meier's civilization 4 complete\warlords\assets\sounds\units\firecrackerexplode-002.wav
c:\program files\2k games\firaxis games\sid meier's civilization 4 complete\warlords\assets\sounds\units\firecrackerexplode-003.wav
c:\users\matt\appdata\roaming\utorrent\adobe cs4 keygen 1.02.torrent
c:\users\matt\appdata\roaming\utorrent\driver detective 6.4.0.7 keygen.zip.torrent
c:\users\matt\appdata\roaming\utorrent\driver detective 6.4.1.3 + keygen.torrent
c:\users\matt\appdata\roaming\utorrent\driver detective 6.4.1.3 keygen + patch.exe.1.torrent
c:\users\matt\appdata\roaming\utorrent\driver detective 6.4.1.3 keygen + patch.exe.torrent
c:\users\matt\appdata\roaming\utorrent\driver detective 6.4.1.3 keygen.exe.torrent
c:\users\matt\appdata\roaming\utorrent\roller coaster tycoon 2.iso + no-cd crack[english].torrent
c:\users\matt\documents\4.5 engine download\minineab\neab\sm2\effects\stone_crack.mp3
c:\users\matt\documents\fury of fire\sm2\effects\stone_crack.mp3
c:\users\matt\documents\minineab\neab\sm2\effects\stone_crack.mp3
c:\users\matt\documents\new_fof_default\minineab\neab\sm2\effects\stone_crack.mp3
c:\users\matt\downloads\adobe_dreamweaver_cs4___keygen___activation_patch.4678653.tpb.torrent
c:\users\matt\downloads\age_of_empires_ii___expantion_(automatic_crack).5098140.tpb.torrent
c:\users\matt\downloads\driver detective 6.4.0.7 keygen.zip
c:\users\matt\downloads\[isohunt] driver detective 6.4.0.7 keygen.torrent
c:\users\matt\downloads\[isohunt] driver detective 6.4.1.3 keygen.torrent
c:\users\matt\downloads\[isohunt] driver detective 6.4.1.3 keygen.exe.torrent
c:\users\matt\downloads\adobe\keygen\adobe_all_products_keymaker_v1.01_by_chattchitto.4743615.tpb.torrent
c:\users\matt\downloads\adobe\keygen\adobe_cs4_keygen_1.02.5068369.tpb.torrent
c:\users\matt\downloads\adobe\keygen\adobe cs4 all products keymaker v1.02 only [core] [rh]\img_adobe cs4- keymaker v1.02.jpg
c:\users\matt\downloads\adobe\keygen\adobe cs4 all products keymaker v1.02 only [core] [rh]\readme.txt
c:\users\matt\downloads\adobe cs4 keygen 1.02\adobe cs4 keygen 1.02.exe
c:\users\matt\downloads\age of empires ii\[ pc games ] - age of empires ii(full)(2)\crack.zip
c:\users\matt\downloads\chat_error\minineab\neab\sm2\effects\stone_crack.mp3
c:\users\matt\downloads\rollercoaster tycoon\no-cd crack\how to crack (readme).txt
c:\users\matt\downloads\rollercoaster tycoon\no-cd crack\rct.exe
c:\users\matt\music\tycoon moon crack core fixed.zip
c:\xampp\htdocs\neab\sm2\effects\stone_crack.mp3
scanner sequence 3.ZZ.11
----- EOF -----
firefreak
Active Member
 
Posts: 8
Joined: November 17th, 2009, 9:54 am

Re: Deep Spyware Popup Issue

Post by Wingman » November 22nd, 2009, 6:44 pm

Hi Matthew,

You definitely have a lot of cracked software files on your system... in order for me to provide cleaning, we need to get rid of all the cracked software and files you have. This may take several passes to complete.

Please do not make any changes to your system, run any "fix" programs and/or remove any files unless instructed to do so by me.

Please read these instructions carefully before executing and then perform the steps in the order given.
If you have any questions or problems executing these instructions, <<STOP>>, do not proceed; post back with the question or problem.

Please print these instructions, as you will be asked to reboot your computer and will not have access to them.

Step 1.
Uninstall Programs
Some programs are listed more than once... that's because they are listed more than once in the Uninstall list. If only one is found, that's OK.
  1. Click on Start...then... Click the Start Search box on the Start Menu.
  2. Copy and paste the value below, into the open text entry box:
    control appwiz.cpl
      Depending on your current view setting ...
    • Double click on Programs and Features.
    • Under Programs, click on Uninstall a program.
  3. Locate the following program(s):
    Adobe AIR
    Adobe AIR
    Adobe Anchor Service CS4
    Adobe Bridge CS4
    Adobe CMaps CS4
    Adobe Color - Photoshop Specific CS4
    Adobe Color EU Recommended Settings CS4
    Adobe Color JA Extra Settings CS4
    Adobe Color NA Extra Settings CS4
    Adobe Color Video Profiles CS CS4
    Adobe CSI CS4
    Adobe Default Language CS4
    Adobe Device Central CS4
    Adobe Dreamweaver CS4
    Adobe Dreamweaver CS4
    Adobe Drive CS4
    Adobe ExtendScript Toolkit CS4
    Adobe Extension Manager CS4
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Fonts All
    Adobe Linguistics CS4
    Adobe Media Player
    Adobe Media Player
    Adobe Output Module
    Adobe PDF Library Files CS4
    Adobe Photoshop CS4
    Adobe Photoshop CS4
    Adobe Photoshop CS4
    Adobe Photoshop CS4 Support
    Adobe Reader 9.2
    Adobe Search for Help
    Adobe Service Manager Extension
    Adobe Setup
    Adobe Setup
    Adobe Shockwave Player 11.5
    Adobe Type Support CS4
    Adobe Update Manager CS4
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS4
    AdobeColorCommonSetCMYK
    AdobeColorCommonSetRGB


  4. Select the program and click on Uninstall to uninstall it.
  5. Repeat steps 3 - 4 for each program in the list. When finished... Close the Control Panel window.

Step 2.
OTM
  1. Please download OTM.exe...by Old Timer. Save it to your desktop.
  2. Right click on OTM.exe and select Run As Administrator to run it. If Windows UAC prompts, please allow it.
  3. Please copy and paste the text in the Code box below, into OTM (1).
    Please refer to the OTM screen image below, for reference.
    Warning: Do not type it out... errors could damage your machine.
    :Processes
    :Files
    c:\users\matt\appdata\roaming\utorrent\
    c:\users\matt\downloads\adobe_dreamweaver_cs4___keygen___activation_patch.4678653.tpb.torrent
    c:\users\matt\downloads\age_of_empires_ii___expantion_(automatic_crack).5098140.tpb.torrent
    c:\users\matt\downloads\driver detective 6.4.0.7 keygen.zip
    c:\users\matt\downloads\[isohunt] driver detective 6.4.0.7 keygen.torrent
    c:\users\matt\downloads\[isohunt] driver detective 6.4.1.3 keygen.torrent
    c:\users\matt\downloads\[isohunt] driver detective 6.4.1.3 keygen.exe.torrent
    c:\users\matt\downloads\adobe\keygen\
    c:\users\matt\downloads\adobe cs4 keygen 1.02\
    c:\users\matt\downloads\age of empires ii\[ pc games ] - age of empires ii(full)(2)\crack.zip
    c:\users\matt\downloads\rollercoaster tycoon\no-cd crack\
    c:\users\matt\music\tycoon moon crack core fixed.zip
    :Commands
    [EmptyTemp]
    [Start Explorer]
    [Reboot]
    


  4. Click on MoveIt! (2)
  5. The end results of the processing will be in 2 places:
    • The Results window on the right side of the OTM screen.
    • A log (text) file created in "C:\_OTM\MovedFiles\mmddyyyy_hhmmss.log"
  6. Copy all the text from the Results window... Open Notepad, paste the OTM results into the Notepad file, save it on your desktop.
  7. Click Exit (3) when done.
  8. Please paste the entire content from the OTM (Results) window (Notepad file) or the OTM log file, in your next reply.
NOTE: If your computer did not automatically reboot... please reboot it (normally) now!

Step 3.
CKScanner
You should still have this on your desktop, so just ignore the download instructions.
Please download CKScanner ... Save it to your desktop.
Make sure that CKScanner.exe is on your desktop before running the application!
  1. Double-click on the CKScanner.exe icon... then click the Search For Files button.
    Using Vista, you must right click the (CKScanner.exe) icon and choose "Run As Administrator", then click the "Search For Files" button.
  2. When the scan is finished (the cursor hourglass disappears) click the Save List To File button.
    A text file will be created on your desktop named "ckfiles.txt"
  3. Click OK at the file saved message box. Double-click on the ckfiles.txt icon on your desktop.
  4. Please copy/paste the contents of ckfiles.txt in your next reply.

You had a problem the last time trying to run GMER... you should still have it on your desktop, so ignore the download instructions, unless needed.
This time I want you to reboot your system and try running GMER in SAFE MODE.
Boot to SAFE Mode
- Restart your computer.
- When the computer starts you will see your computer's hardware being listed.
- Press the F8 key repeatedly until you are presented with the Windows Vista Advanced Boot Options.
- Select the Safe Mode option using the arrow keys. (Do Not select Safe Mode with Network...)
- Press the enter key, to boot into Vista Safe Mode.

Step 4.
GMER
Make sure you are in SAFE MODE, before executing
The downloaded file will have a random name... this prevents malware from detecting and blocking it.
Please download GMER... random file name.exe by GMER. An alternate (zip file) download site.
Note: Do not run any programs while Gmer is running.
**Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
  1. Double click on the random named.exe to execute. If asked, allow the gmer.sys driver load.
    Using Vista, you must right click random named.exe and choose "Run As Administrator".
  2. If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO <--- Important!
  3. On the right side panel, several boxes have been checked. Please UNCHECK the following: (see image below)
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All <-- don't miss this one


  4. If you don't get a warning then... Click the Rootkit/Malware tab at the top of the GMER window.
  5. Click the Scan button.
  6. Once the scan has finished... click Copy.
  7. Open Notepad and paste (Ctrl+V) what you copied.
  8. Select "Save As" in Notepad...saving the file to your desktop as "gmerRK.txt"... then close Notepad.
  9. Copy and paste the contents of the file gmerRK.txt in your next reply.

Reboot your computer normally now!

Step 5.
RSIT (Random's System Information Tool)
Please download RSIT by random/random... save it to your desktop.
  1. Right click on RSIT.exe and select "Run As Administrator" to run it. If Windows UAC prompts you, please allow it.
  2. Please read the disclaimer... click on Continue.
  3. RSIT will start running. When done... 2 log files... will be produced.
    The first one, "log.txt", will be maximized... the second one, "info.txt", will be minimized.
  4. Please post both... "log.txt" and "info.txt", file contents in your next reply.
(These logs can be lengthy, so post 1 log per reply please.)

Step 6.
Please include in your next reply:
  1. Any problem executing the instructions?
  2. OTM results
  3. CKScanner ckfiles.txt file contents.
  4. GMER gmerRK.txt file contents
  5. RSIT log.txt and info.txt file contents
  6. How is the computer behaving?
Thanks,
Wingman
Wingman
Admin/Teacher
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: Deep Spyware Popup Issue

Unread postby firefreak » November 23rd, 2009, 5:00 am

Ok, I had a few troubles with GMER.

But first, computer behaviour. Since the only browsing I'm doing until the malware is removed is this forum and hotmail, the pop-up hasn't shown. This is probably only because I haven't been full out browsing, leaving it with not enough pages to pop-up. Other than that, everything is normal, except that the trojan thing is constantly detected by Trend Micro and that the System32 folder grows larger.

Step 1: Full Success

I have uninstalled every possible adobe program or component. I finally feel free of the knowledge that I have cracked software on my laptop. Everything went well here.

Step 2: Strange but good.

I have only the commands log. For some reason it froze just before it went onto the commands, so I lost the first half of the log. So I then ran the commands part by itself and it worked, giving me a log of that. And the file moving was successful. So altogether it went well.

Commands Log:

All processes killed
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes

User: Matt
->Temp folder emptied: 364576 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 6440815 bytes
->Google Chrome cache emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 12303 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 32904 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 741 bytes
RecycleBin emptied: 2536346205 bytes

Total Files Cleaned = -1670.62 mb


OTM by OldTimer - Version 3.1.2.0 log created on 11232009_100459

Files moved on Reboot...

Registry entries deleted on Reboot...


Step 3: Full Success

Everything fine here

Log:

CKScanner - Additional Security Risks - These are not necessarily bad
c:\program files\2k games\firaxis games\sid meier's civilization 4 complete\assets\sounds\units\crackneck-000.wav
c:\program files\2k games\firaxis games\sid meier's civilization 4 complete\assets\sounds\units\crackneck-001.wav
c:\program files\2k games\firaxis games\sid meier's civilization 4 complete\assets\sounds\units\crackneck-002.wav
c:\program files\2k games\firaxis games\sid meier's civilization 4 complete\assets\sounds\units\crackneck-003.wav
c:\program files\2k games\firaxis games\sid meier's civilization 4 complete\assets\sounds\units\crackneck-004.wav
c:\program files\2k games\firaxis games\sid meier's civilization 4 complete\beyond the sword\mods\afterworld\assets\art\terrain\features\afterworldwalls\shadow_wall_2_cracked.dds
c:\program files\2k games\firaxis games\sid meier's civilization 4 complete\beyond the sword\mods\afterworld\assets\art\terrain\features\afterworldwalls\wall_2_cracked.nif
c:\program files\2k games\firaxis games\sid meier's civilization 4 complete\beyond the sword\mods\afterworld\assets\art\terrain\features\afterworldwalls\wall_2_cracked_diff.dds
c:\program files\2k games\firaxis games\sid meier's civilization 4 complete\warlords\assets\sounds\units\firecrackerexplode-000.wav
c:\program files\2k games\firaxis games\sid meier's civilization 4 complete\warlords\assets\sounds\units\firecrackerexplode-001.wav
c:\program files\2k games\firaxis games\sid meier's civilization 4 complete\warlords\assets\sounds\units\firecrackerexplode-002.wav
c:\program files\2k games\firaxis games\sid meier's civilization 4 complete\warlords\assets\sounds\units\firecrackerexplode-003.wav
c:\users\matt\documents\4.5 engine download\minineab\neab\sm2\effects\stone_crack.mp3
c:\users\matt\documents\fury of fire\sm2\effects\stone_crack.mp3
c:\users\matt\documents\minineab\neab\sm2\effects\stone_crack.mp3
c:\users\matt\documents\new_fof_default\minineab\neab\sm2\effects\stone_crack.mp3
c:\users\matt\downloads\[isohunt] driver detective 6.4.1.3 keygen.torrent
c:\users\matt\downloads\chat_error\minineab\neab\sm2\effects\stone_crack.mp3
c:\xampp\htdocs\neab\sm2\effects\stone_crack.mp3
c:\_otm\movedfiles\11232009_095924\c_users\matt\appdata\roaming\utorrent\adobe cs4 keygen 1.02.torrent
c:\_otm\movedfiles\11232009_095924\c_users\matt\appdata\roaming\utorrent\driver detective 6.4.0.7 keygen.zip.torrent
c:\_otm\movedfiles\11232009_095924\c_users\matt\appdata\roaming\utorrent\driver detective 6.4.1.3 + keygen.torrent
c:\_otm\movedfiles\11232009_095924\c_users\matt\appdata\roaming\utorrent\driver detective 6.4.1.3 keygen + patch.exe.1.torrent
c:\_otm\movedfiles\11232009_095924\c_users\matt\appdata\roaming\utorrent\driver detective 6.4.1.3 keygen + patch.exe.torrent
c:\_otm\movedfiles\11232009_095924\c_users\matt\appdata\roaming\utorrent\driver detective 6.4.1.3 keygen.exe.torrent
c:\_otm\movedfiles\11232009_095924\c_users\matt\appdata\roaming\utorrent\roller coaster tycoon 2.iso + no-cd crack[english].torrent
c:\_otm\movedfiles\11232009_095924\c_users\matt\downloads\adobe_dreamweaver_cs4___keygen___activation_patch.4678653.tpb.torrent
c:\_otm\movedfiles\11232009_095924\c_users\matt\downloads\age_of_empires_ii___expantion_(automatic_crack).5098140.tpb.torrent
c:\_otm\movedfiles\11232009_095924\c_users\matt\downloads\driver detective 6.4.0.7 keygen.zip
c:\_otm\movedfiles\11232009_095924\c_users\matt\downloads\[isohunt] driver detective 6.4.0.7 keygen.torrent
c:\_otm\movedfiles\11232009_095924\c_users\matt\downloads\[isohunt] driver detective 6.4.1.3 keygen.exe.torrent
c:\_otm\movedfiles\11232009_095924\c_users\matt\downloads\adobe\keygen\adobe_all_products_keymaker_v1.01_by_chattchitto.4743615.tpb.torrent
c:\_otm\movedfiles\11232009_095924\c_users\matt\downloads\adobe\keygen\adobe_cs4_keygen_1.02.5068369.tpb.torrent
c:\_otm\movedfiles\11232009_095924\c_users\matt\downloads\adobe\keygen\adobe cs4 all products keymaker v1.02 only [core] [rh]\img_adobe cs4- keymaker v1.02.jpg
c:\_otm\movedfiles\11232009_095924\c_users\matt\downloads\adobe\keygen\adobe cs4 all products keymaker v1.02 only [core] [rh]\readme.txt
c:\_otm\movedfiles\11232009_095924\c_users\matt\downloads\adobe cs4 keygen 1.02\adobe cs4 keygen 1.02.exe
c:\_otm\movedfiles\11232009_095924\c_users\matt\downloads\age of empires ii\[ pc games ] - age of empires ii(full)(2)\crack.zip
c:\_otm\movedfiles\11232009_095924\c_users\matt\downloads\rollercoaster tycoon\no-cd crack\how to crack (readme).txt
c:\_otm\movedfiles\11232009_095924\c_users\matt\downloads\rollercoaster tycoon\no-cd crack\rct.exe
c:\_otm\movedfiles\11232009_095924\c_users\matt\music\tycoon moon crack core fixed.zip
scanner sequence 3.ZZ.11
----- EOF -----


Step 4: Complete Failure

I started the computer in safe mode, ran GMER in safe mode and it failed gruesomely. I ran it the first time, and it had to shut down GMER the minute it began. So, I ran it again and the second I pressed scan the computer said ERROR in that blue screen and had to reboot. I tried the exact same thing again and got the same results.

So, I'm stuck again at GMER.
firefreak
Active Member
 
Posts: 8
Joined: November 17th, 2009, 9:54 am
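An added example, not part of this thread and not code from the OTM or CKScanner authors, that re-checks the two logs posted above: it sums the [EMPTYTEMP] byte counts, showing that the negative "Total Files Cleaned" is exactly what a signed 32-bit sum produces once the 2.4 GB Recycle Bin is included, and it buckets the CKScanner hits so that the only item left to act on is the keygen .torrent still in Downloads. The keyword list, media-extension list and bucket names are my assumptions; the log excerpts are constructed from the posted lines.

```python
import re

# Constructed excerpt of the OTM [EMPTYTEMP] section posted above (raw string, so
# the Windows paths keep their backslashes); the byte counts are the posted ones.
OTM_LOG = r"""
[EMPTYTEMP]
User: Matt
->Temp folder emptied: 364576 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 6440815 bytes
->Google Chrome cache emptied: 0 bytes
%systemroot%\System32 .tmp files removed: 12303 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 32904 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 741 bytes
RecycleBin emptied: 2536346205 bytes
Total Files Cleaned = -1670.62 mb
"""

# Constructed excerpt of the CKScanner ckfiles.txt posted above (five representative hits).
CK_LOG = r"""
CKScanner - Additional Security Risks - These are not necessarily bad
c:\program files\2k games\firaxis games\sid meier's civilization 4 complete\assets\sounds\units\crackneck-000.wav
c:\users\matt\documents\minineab\neab\sm2\effects\stone_crack.mp3
c:\users\matt\downloads\[isohunt] driver detective 6.4.1.3 keygen.torrent
c:\_otm\movedfiles\11232009_095924\c_users\matt\downloads\rollercoaster tycoon\no-cd crack\rct.exe
c:\_otm\movedfiles\11232009_095924\c_users\matt\downloads\adobe cs4 keygen 1.02\adobe cs4 keygen 1.02.exe
scanner sequence 3.ZZ.11
----- EOF -----
"""

BYTES_RE = re.compile(r":\s*(\d+) bytes\s*$")

def otm_totals(log: str) -> dict:
    """Sum every '<item>: N bytes' line of an [EMPTYTEMP] section.

    Returns the true total next to what a signed 32-bit accumulator reports,
    so a negative 'Total Files Cleaned' can be explained rather than trusted.
    """
    total = sum(int(m.group(1)) for m in map(BYTES_RE.search, log.splitlines()) if m)
    wrapped = ((total + 2**31) % 2**32) - 2**31      # two's-complement int32 wrap
    return {"true_bytes": total, "true_mb": round(total / 2**20, 2),
            "int32_mb": round(wrapped / 2**20, 2), "overflowed": wrapped != total}

PATH_RE = re.compile(r"^[a-z]:\\")
KEYWORDS = ("keygen", "keymaker", "crack", "patch")     # assumed CKScanner-style terms
MEDIA_EXT = {".wav", ".mp3", ".dds", ".nif", ".jpg"}    # game/media assets, not binaries
OTM_QUARANTINE = "c:\\_otm\\movedfiles\\"              # where OTM's MoveIt! put files

def triage_ckscanner(log: str) -> list[dict]:
    """Bucket each path of a CKScanner listing.

    CKScanner flags any path containing a keyword, hence its 'not necessarily
    bad' header.  Buckets (assumed here, not CKScanner's own):
      quarantined  - already under OTM's MovedFiles folder, nothing left to do
      benign_asset - media file, or keyword only inside a longer word
                     (crackneck-000.wav, stone_crack.mp3)
      review       - whole-word keyword in a non-media file still in place
    """
    rows = []
    for line in log.splitlines():
        path = line.strip().lower()
        if not PATH_RE.match(path):
            continue                                   # header, sequence, EOF lines
        ext = "." + path.rsplit(".", 1)[-1] if "." in path.rsplit("\\", 1)[-1] else ""
        hit = next((k for k in KEYWORDS if re.search(rf"\b{k}\b", path)), None)
        if path.startswith(OTM_QUARANTINE):
            bucket = "quarantined"
        elif ext in MEDIA_EXT or hit is None:
            bucket = "benign_asset"
        else:
            bucket = "review"
        rows.append({"path": path, "keyword": hit, "bucket": bucket})
    return rows

if __name__ == "__main__":
    print(otm_totals(OTM_LOG))
    for row in triage_ckscanner(CK_LOG):
        print(f'{row["bucket"]:13} {row["keyword"] or "-":9} {row["path"]}')
```

Run against the full posted ckfiles.txt, the "review" bucket contains only the [isohunt] driver detective keygen .torrent, which is the one path the helper's follow-up OTM script removes.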

Re: Deep Spyware Popup Issue

Unread postby firefreak » November 25th, 2009, 3:46 pm

Anything wrong here? No reply for 2 days, nearly 3
firefreak
Active Member
 
Posts: 8
Joined: November 17th, 2009, 9:54 am

Re: Deep Spyware Popup Issue

Unread postby Wingman » November 26th, 2009, 12:13 pm

Hi Matthew,

Sorry for the delay in replying... with the forum being very busy and the Thanksgiving holiday, responses can take a little extra time. Remember I am under the guidance of MRU teachers, so I must wait until they respond to my suggested post, before I can post it to you, this also adds some additional time.
Know that I am going to stick with you until we have resolved any malware problems you have or have exhausted all possible fixes.

Thanks for hanging in there, these cleanups can be tedious. :)

I would like to try the GMER scan one more time... note the additional item to uncheck in the list. If the GMER step still refuses to run, please continue with the rest of the steps. There is still a crack file/folder that needs to be removed, so we'll run the OTM step again; see the note regarding downloading it again.

Please do not make any changes to your system, run any "fix" programs and/or remove any files unless instructed to do so, by me.

Please read these instructions carefully before executing and then perform the steps, in the order given.
If you have any questions or problems executing these instructions, <<STOP>> do not proceed; post back with the question or problem.

Please print these instructions, as you will be asked to reboot your computer and will not have access to them.


Let's try the GMER scan again... still trying to run it in SAFE MODE.
Boot to SAFE Mode
- Restart your computer.
- When the computer starts you will see your computer's hardware being listed.
- Press the F8 key repeatedly until you are presented with the Windows Vista Advanced Boot Options.
- Select the Safe Mode option using the arrow keys. (Do Not select Safe Mode with Network...)
- Press the enter key, to boot into Vista Safe Mode.

Step 1.
GMER
Make sure you are in SAFE MODE, before executing
Note: Do not run any programs while Gmer is running.
**Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
  1. Double click on the random named.exe to execute. If asked, allow the gmer.sys driver load.
    Using Vista, you must right click random named.exe and choose "Run As Administrator".
  2. If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO <--- Important!
  3. On the right side panel, several boxes have been checked. Please UNCHECK the following: (see image below)
    • Sections
    • IAT/EAT
    • Devices <<--- New item to uncheck!
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All <-- don't miss this one


  4. If you don't get a warning then... Click the Rootkit/Malware tab at the top of the GMER window.
  5. Click the Scan button.
  6. Once the scan has finished... click Copy.
  7. Open Notepad and paste (Ctrl+V) what you copied.
  8. Select "Save As" in Notepad...saving the file to your desktop as "gmerRK.txt"... then close Notepad.
  9. Copy and paste the contents of the file gmerRK.txt in your next reply.

Reboot your computer normally now, before proceeding!

Step 2.
OTM
Please delete the existing OTM.exe file on your desktop and download again. This program has been updated since we began.
  1. Please download OTM.exe...by Old Timer. Save it to your desktop.
  2. Right click on OTM.exe and select Run As Administrator to run it. If Windows UAC prompts, please allow it.
  3. Please copy and paste the text in the Code box below, into OTM (1).
    Please refer to the OTM screen image below, for reference.
    Warning: Do not type it out... errors could damage your machine.
    :Processes
    :Files
    c:\users\matt\downloads\[isohunt] driver detective 6.4.1.3 keygen.torrent
    :Commands
    [EmptyTemp]
    [Start Explorer]
    [Reboot]
    



  4. Click on MoveIt! (2)
  5. The end results of the processing will be in 2 places:
    • The Results window on the right side of the OTM screen.
    • A log (text) file created in "C:\_OTM\MovedFiles\mmddyyyy_hhmmss.log"
  6. Copy all the text from the Results window... Open Notepad, paste the OTM results into the Notepad file, save it on your desktop.
  7. Click Exit (3) when done.
  8. Please paste the entire content from the OTM (Results) window (Notepad file) or the OTM log file, in your next reply.
NOTE: If your computer did not automatically reboot... please reboot it (normally) now!

Step 3.
RSIT (Random's System Information Tool)
Please download RSIT by random/random... save it to your desktop.
  1. Right click on RSIT.exe and select "Run As Administrator" to run it. If Windows UAC prompts you, please allow it.
  2. Please read the disclaimer... click on Continue.
  3. RSIT will start running. When done... 2 log files... will be produced.
    The first one, "log.txt", will be maximized... the second one, "info.txt", will be minimized.
  4. Please post both... "log.txt" and "info.txt", file contents in your next reply.
(These logs can be lengthy, so post 1 log per reply please.)

Step 4.
SysProt AntiRootkit
If you successfully ran the GMER step, bypass this step. Otherwise...
Please download SysProt.zip ... by swatkat. Save it to your desktop.
Alternate download sites include: Softpedia, MajorGeeks, BetaNews and FreewareGeeks
If you have a 3rd party "unzipping" program...use it to open the zipped file...then skip to Step 5. Otherwise...
  1. Right click on SysProt.zip and select "Extract All"...
  2. Click Next on the "Welcome to the Compressed (zipped) Folders Extraction Wizard."
  3. Click on the Browse...button, then click on Desktop, then click OK.
  4. Once done, check (tick) the Show extracted files box and click Finish.
  5. Open the SysProt folder... Double click Sysprot.exe to start the program.
    Using VISTA, you must right-click "Sysprot.exe" and select "Run As Administrator", to start the program.
  6. Click on the Log tab.
  7. In the Write to log box... check ALL items... then check Hidden Objects Only at the bottom of the window.
  8. Click the Create Log button... (After a few seconds a new window should appear.)
  9. Select Scan root drive only... then click the Start button, to begin scanning.
    When completed, a window appears indicating the scan finished & a log file was successfully created.
    The SysProt folder on your desktop, will contain the scan results file named "SysProtLog.txt".
  10. Please copy and paste the contents of SysProtLog.txt into your next reply.

Step 5.
Please include in your next reply:
  1. Any problem executing the instructions?
  2. GMER gmerRK.txt file contents
  3. OTM results
  4. RSIT log.txt and info.txt file contents
  5. SysProt SysProtLog.txt file contents (if applicable).
  6. How is the computer behaving?
Thanks,
Wingman
Wingman
Admin/Teacher
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: Deep Spyware Popup Issue

Unread postby firefreak » November 28th, 2009, 9:28 am

Sorry for the late reply, been very busy. Will post answers tomorrow.
firefreak
Active Member
 
Posts: 8
Joined: November 17th, 2009, 9:54 am

Re: Deep Spyware Popup Issue

Unread postby Wingman » November 28th, 2009, 12:03 pm

Hi Matthew,
No problem... thanks for letting me know. :)
Wingman
Admin/Teacher
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: Deep Spyware Popup Issue

Unread postby firefreak » November 29th, 2009, 1:49 pm

Sorry, I won't be able to reply until Friday or Saturday because I'm moving back to Australia. Talk then, bye!
firefreak
Active Member
 
Posts: 8
Joined: November 17th, 2009, 9:54 am

Re: Deep Spyware Popup Issue

Unread postby Wingman » November 30th, 2009, 12:48 pm

Hi Matthew,

Thanks for keeping me up-to-date.

Because it is going to be almost another week before you will be able to reply, I am going to suggest we close this topic.
Then when you have time to pursue your computer issues, please post a new HJT log in the Malware Removal forum and wait for another helper.
This is being suggested for several reasons:
  • Some malware can morph over time and appear differently or cause different / additional problems. By postponing steps to resolve existing issues, it may present a totally different situation, when next investigated.
  • It takes the pressure off of you to respond within a given time frame, especially when you have a lot going on.
  • It frees me to begin helping others, now, who are looking for assistance.
So, I will request this topic be closed. Please return when you have the time and a volunteer helper will be glad to assist you.

Thanks... hope the move goes well. :)
Wingman
Wingman
Admin/Teacher
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: Deep Spyware Popup Issue

Unread postby chryssi2001 » December 3rd, 2009, 12:51 pm

This topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
chryssi2001
MRU Teacher Emeritus
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away