Malwarebytes won't update, random popups, redirecting me when I click a link

#1 Jnmac


Posted 07 February 2011 - 02:47 AM

Hello, I have had this problem for a while. Malwarebytes would not update; I keep getting the MBAM_Error_Updating (12007,0,WinHttpSendRequest) message. Also, when I try to search for things on Google or any other search engine, it tries to redirect me. This can be worked around by not loading the page most of the time.

Here is the DDS log:

DDS (Ver_10-12-12.02) - NTFSx86
Run by Jorge at 21:21:34.53 on Sun 02/06/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.1656 [GMT -8:00]

AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

G:\WINDOWS\system32\svchost -k DcomLaunch
G:\WINDOWS\System32\svchost.exe -k netsvcs
G:\Program Files\Alwil Software\Avast5\AvastSvc.exe
G:\Program Files\Common Files\Java\Java Update\jusched.exe
G:\Program Files\iTunes\iTunesHelper.exe
G:\Program Files\PowerISO\PWRISOVM.EXE
G:\Program Files\DivX\DivX Update\DivXUpdate.exe
G:\Program Files\AIM\aim.exe
G:\Program Files\Steam\steam.exe
G:\Program Files\uTorrent\uTorrent.exe
G:\Program Files\Windows Live\Messenger\msnmsgr.exe
G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
G:\Program Files\Messenger\msmsgs.exe
G:\Documents and Settings\Jorge\Local Settings\Apps\2.0\L1O9RQ21.RJ2\5D7ECB8X.QLD\curs..tion_eee711038731a406_0004.0000_efb506202a7c3b08\CurseClient.exe
G:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
G:\Program Files\Java\jre6\bin\jqs.exe
G:\WINDOWS\system32\svchost.exe -k imgsvc
G:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
G:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
G:\Program Files\iPod\bin\iPodService.exe
G:\Program Files\Skype\Phone\Skype.exe
G:\Program Files\Skype\Plugin Manager\skypePM.exe
G:\Program Files\Mozilla Firefox\firefox.exe
G:\Program Files\Mozilla Firefox\plugin-container.exe
G:\Program Files\WinRAR\WinRAR.exe
G:\Documents and Settings\Jorge\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://search.live.com
mSearchAssistant = hxxp://search.live.com/sphome.aspx
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - g:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - g:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - g:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - g:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - g:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SMTTB2009 Class: {fcbccb87-9224-4b8d-b117-f56d924beb18} - g:\program files\hypercam toolbar\tbcore3.dll
TB: HyperCam Toolbar: {338b4dfe-2e2c-4338-9e41-e176d497299e} - g:\program files\hypercam toolbar\tbcore3.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [Aim] "g:\program files\aim\aim.exe" /d locale=en-US
uRun: [Steam] "g:\program files\steam\steam.exe" -silent
uRun: [uTorrent] "g:\program files\utorrent\uTorrent.exe"
uRun: [msnmsgr] "g:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SpybotSD TeaTimer] g:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [MSMSGS] "g:\program files\messenger\msmsgs.exe" /background
uRun: [Skype] "g:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SunJavaUpdateSched] "g:\program files\common files\java\java update\jusched.exe"
mRun: [avast5] g:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [QuickTime Task] "g:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "g:\program files\itunes\iTunesHelper.exe"
mRun: [PWRISOVM.EXE] g:\program files\poweriso\PWRISOVM.EXE
mRun: [DivXUpdate] "g:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [NvMediaCenter] RUNDLL32.EXE g:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE g:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] g:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRunOnce: [Malwarebytes' Anti-Malware] g:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: g:\documents and settings\jorge\start menu\programs\startup\CurseClientStartup.ccip
StartupFolder: g:\docume~1\alluse~1\startm~1\programs\startup\satara~1.lnk - g:\program files\silicon image\3114 sataraid5\sam.jar
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - g:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - g:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - g:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
TCP: {44C66100-3596-4962-9E9D-DADE09B6BA67} =,
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - g:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - g:\progra~1\common~1\skype\SKYPE4~1.DLL
Hosts: www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - g:\docume~1\jorge\applic~1\mozilla\firefox\profiles\evtuca25.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - component: g:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: g:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: g:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: g:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: g:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: g:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: g:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: g:\windows\system32\npOGPPlugin.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - g:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - g:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - g:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: HyperCamToolbar: {75656794-AB59-4712-BFBC-5D816D56F3BC} - %profile%\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}
FF - Ext: Java Quick Starter: jqs@sun.com - g:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - g:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;g:\windows\system32\drivers\aswSP.sys [2010-8-21 165584]
R2 aswFsBlk;aswFsBlk;g:\windows\system32\drivers\aswFsBlk.sys [2010-8-21 17744]
R2 avast! Antivirus;avast! Antivirus;g:\program files\alwil software\avast5\AvastSvc.exe [2010-8-21 40384]
R3 avast! Mail Scanner;avast! Mail Scanner;g:\program files\alwil software\avast5\AvastSvc.exe [2010-8-21 40384]
R3 avast! Web Scanner;avast! Web Scanner;g:\program files\alwil software\avast5\AvastSvc.exe [2010-8-21 40384]
S3 XDva296;XDva296;\??\g:\windows\system32\xdva296.sys --> g:\windows\system32\XDva296.sys [?]

=============== Created Last 30 ================

2011-02-07 04:19:36 38224 ----a-w- g:\windows\system32\drivers\mbamswissarmy.sys
2011-02-07 04:19:33 20952 ----a-w- g:\windows\system32\drivers\mbam.sys
2011-02-07 04:19:33 -------- d-----w- g:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2010-12-26 15:30:36 1 ----a-w- g:\windows\system32\nvdrssel.bin
2010-12-26 15:30:35 240592 ----a-w- g:\windows\system32\nvdrsdb0.bin
2010-12-26 15:30:34 240592 ----a-w- g:\windows\system32\nvdrsdb1.bin
2010-11-18 18:12:44 81920 ----a-w- g:\windows\system32\isign32.dll
2010-11-09 14:52:35 249856 ----a-w- g:\windows\system32\odbc32.dll

============= FINISH: 21:22:34.00 ===============

Thank you for your help :)

#2 rigacci



Posted 07 February 2011 - 11:02 AM

Hello and welcome to the forum. :welcome:

I apologize for the delay in responding to your request for help but it is very busy here and we can get overwhelmed at times.

If you have since resolved the original problem you were having, we would appreciate you letting us know.

If you still do need our help, please note the following:
  • While working with us, please refrain from running tools or applying updates other than those we suggest while we are cleaning your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received and do not proceed if you need clarification.
  • Please also include a clear description of the problems you're having.
  • After 5 days if your topic is not replied I will assume it has been abandoned and will close it.

Please be patient while I analyze your logs. All of my fixes are checked by higher level forum members before posting.

Thank you.


#3 Jnmac

Posted 07 February 2011 - 11:39 AM

No worries! Thank you for checking this out. My main problem is Malwarebytes won't update; I get an error message saying "PROGRAM_ERROR_UPDATING(12007, 0, WinHttpSendRequest". And whenever I use a search engine, it tries to redirect me to some random advertisement.

Edited by Jnmac, 07 February 2011 - 11:48 AM.

#4 rigacci



Posted 08 February 2011 - 02:42 PM

OK, Jnmac:

Going over your logs I noticed that you have uTorrent installed.

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.

  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.

  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.

The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, so they should be used with intense care.

Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."
It is pretty much certain that if you continue to use P2P programs, you will get infected again.

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

I would recommend that you uninstall uTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

We need to disable Spybot S&D's "TeaTimer".
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy

This next fix should reset your TCP/IP stack:
Click on Rebuild TCP/IP and download that to your desktop.
Double-click the file and allow it to run.

To resolve your problem with Malwarebytes Anti-Malware not updating, let's try a complete Uninstall of MBAM.

Go to Start>Control Panel>Add or remove Programs and Uninstall MBAM. Reboot after uninstalling.

Next download a new copy of Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

And please tell me how your computer is running at the moment.



#5 Jnmac

Posted 09 February 2011 - 03:14 AM

Thank you for the reply :). I removed uTorrent, disabled Spybot's TeaTimer, downloaded and ran the TCP/IP reset, and uninstalled and reinstalled Malwarebytes, but after it was done installing it tried to update and gave me the same error. At the moment my computer is running fine; it started shutting down random programs all of a sudden, Skype, Curse Client, saying that they were no longer responding.
Also, the "If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install." link does not work, so I was not able to try it.

Edited by Jnmac, 09 February 2011 - 03:16 AM.

#6 rigacci



Posted 09 February 2011 - 07:39 AM

Sorry about the dead link. Try HERE for manual updates.

How about the redirection?


#7 Jnmac

Posted 09 February 2011 - 10:28 AM

Oh my goodness, I had made it a daily thing where I automatically clicked "stop loading this page" that I didn't even notice you had fixed it :) Very nice! Thanks a lot! It no longer tries to redirect me.

The redirect came back. I don't know if it had just happened that once, or what. But it's back.

Edited by Jnmac, 09 February 2011 - 12:17 PM.

#8 Jnmac

Posted 09 February 2011 - 01:39 PM

And that link did not work either.

#9 rigacci



Posted 10 February 2011 - 08:05 AM

Hey Jnmac!

Please Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: How to Disable Security Programs

  • Double-click on ComboFix.exe & follow the prompts.

Posted Image

If running XP, Click on YES and allow the Recovery Console to install. If running Vista or 7, click on NO to continue the scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy/Paste in your next reply.


1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. ComboFix disconnects your machine from the internet. The connection is automatically restored before ComboFix completes its run.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.



#10 Jnmac

Posted 10 February 2011 - 10:18 AM

The computer will go unresponsive from time to time, for maybe 10-15 seconds, then it will jolt back to normal; other than that it's running pretty smooth. I still do have the browser problems with redirecting and sometimes ad pop-ups.

#11 rigacci



Posted 10 February 2011 - 01:47 PM

Ok that's good information. :thumbup2:

Can you do the instructions in the above post, running ComboFix please? :whistle:

Besides cleaning Malware, CF creates a very thorough log and will assist us in determining our next step. :thumbup2:



#12 Jnmac

Posted 10 February 2011 - 02:37 PM

Yeah, sorry, I tried to early this morning but the forums wouldn't let me on, and I had to step out for a bit. Here it is.
ComboFix 11-02-09.05 - Jorge 02/10/2011 11:23:09.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2815.2207 [GMT -8:00]
Running from: g:\documents and settings\Jorge\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

((((((((((((((((((((((((( Files Created from 2011-01-10 to 2011-02-10 )))))))))))))))))))))))))))))))

2011-02-10 19:12 . 2011-02-10 19:12 -------- d-----w- G:\spoolerlogs
2011-02-09 20:18 . 2011-02-09 20:18 -------- d-----w- g:\windows\SxsCaPendDel
2011-02-09 17:32 . 2011-01-08 03:27 941160 ----a-w- g:\windows\system32\nvdispco322090.dll
2011-02-09 17:32 . 2011-01-08 03:27 837736 ----a-w- g:\windows\system32\nvgenco322040.dll
2011-02-09 08:09 . 2010-12-21 02:09 38224 ----a-w- g:\windows\system32\drivers\mbamswissarmy.sys
2011-02-09 08:09 . 2011-02-09 08:09 -------- d-----w- g:\program files\Malwarebytes' Anti-Malware
2011-02-09 08:09 . 2010-12-21 02:08 20952 ----a-w- g:\windows\system32\drivers\mbam.sys
2011-02-07 20:14 . 2011-02-07 20:17 -------- d-----w- g:\documents and settings\Jorge\Application Data\RIFT
2011-02-07 20:14 . 2011-02-09 20:18 -------- d-----w- g:\documents and settings\Jorge\Local Settings\Application Data\RIFT Beta
2011-01-21 14:44 . 2011-01-21 14:44 439296 -c----w- g:\windows\system32\dllcache\shimgvw.dll

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2011-01-21 14:44 . 2005-07-08 12:00 439296 ----a-w- g:\windows\system32\shimgvw.dll
2011-01-13 08:47 . 2010-08-22 05:57 38848 ----a-w- g:\windows\avastSS.scr
2011-01-13 08:47 . 2010-08-22 05:57 188216 ----a-w- g:\windows\system32\aswBoot.exe
2011-01-13 08:41 . 2010-08-22 05:57 294608 ----a-w- g:\windows\system32\drivers\aswSP.sys
2011-01-13 08:40 . 2010-08-22 05:57 47440 ----a-w- g:\windows\system32\drivers\aswTdi.sys
2011-01-13 08:40 . 2010-08-22 05:57 100176 ----a-w- g:\windows\system32\drivers\aswmon2.sys
2011-01-13 08:39 . 2010-08-22 05:57 94544 ----a-w- g:\windows\system32\drivers\aswmon.sys
2011-01-13 08:37 . 2010-08-22 05:57 23632 ----a-w- g:\windows\system32\drivers\aswRdr.sys
2011-01-13 08:37 . 2010-08-22 05:57 29392 ----a-w- g:\windows\system32\drivers\aavmker4.sys
2011-01-13 08:37 . 2010-08-22 05:57 17744 ----a-w- g:\windows\system32\drivers\aswFsBlk.sys
2011-01-08 03:56 . 2011-01-08 03:56 81920 ----a-w- g:\windows\system32\nvwddi.dll
2011-01-08 03:56 . 2011-01-08 03:56 580200 ----a-w- g:\windows\system32\easyUpdatusAPIU.dll
2011-01-08 03:56 . 2011-01-08 03:56 277608 ----a-w- g:\windows\system32\nvmccs.dll
2011-01-08 03:56 . 2011-01-08 03:56 156776 ----a-w- g:\windows\system32\nvsvc32.exe
2011-01-08 03:56 . 2011-01-08 03:56 145000 ----a-w- g:\windows\system32\nvcolor.exe
2011-01-08 03:56 . 2011-01-08 03:56 13880424 ----a-w- g:\windows\system32\nvcpl.dll
2011-01-08 03:56 . 2011-01-08 03:56 111208 ----a-w- g:\windows\system32\nvmctray.dll
2011-01-08 03:27 . 2010-12-26 15:30 4980736 ----a-w- g:\windows\system32\nvcuda.dll
2011-01-08 03:27 . 2010-08-14 23:30 9888672 ----a-w- g:\windows\system32\drivers\nv4_mini.sys
2011-01-08 03:27 . 2010-08-14 23:30 61440 ----a-w- g:\windows\system32\OpenCL.dll
2011-01-08 03:27 . 2010-08-14 23:30 14671872 ----a-w- g:\windows\system32\nvoglnt.dll
2011-01-08 03:27 . 2010-08-14 23:30 2916968 ----a-w- g:\windows\system32\nvcuvid.dll
2011-01-08 03:27 . 2010-08-14 23:30 2251368 ----a-w- g:\windows\system32\nvcuvenc.dll
2011-01-08 03:27 . 2010-08-14 23:30 1958400 ----a-w- g:\windows\system32\nvapi.dll
2011-01-08 03:27 . 2010-08-14 23:30 13004800 ----a-w- g:\windows\system32\nvcompiler.dll
2011-01-08 03:27 . 2010-08-14 23:30 6397824 ----a-w- g:\windows\system32\nv4_disp.dll
2011-01-07 14:09 . 2005-07-08 12:00 290048 ----a-w- g:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2005-07-08 12:00 1854976 ----a-w- g:\windows\system32\win32k.sys
2010-12-22 12:34 . 2005-07-08 12:00 301568 ----a-w- g:\windows\system32\kerberos.dll
2010-12-20 22:15 . 2005-07-08 12:00 667136 ----a-w- g:\windows\system32\wininet.dll
2010-12-20 22:15 . 2005-07-08 12:00 61952 ----a-w- g:\windows\system32\tdc.ocx
2010-12-20 22:15 . 2005-07-08 12:00 81920 ----a-w- g:\windows\system32\ieencode.dll
2010-12-20 17:26 . 2005-07-08 12:00 730112 ----a-w- g:\windows\system32\lsasrv.dll
2010-12-20 15:30 . 2005-07-08 12:00 369664 ----a-w- g:\windows\system32\html.iec
2010-12-09 15:15 . 2005-07-08 12:00 718336 ----a-w- g:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2005-07-08 12:00 33280 ----a-w- g:\windows\system32\csrsrv.dll
2010-12-09 13:38 . 2005-07-08 12:00 2192768 ----a-w- g:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2004-08-03 22:59 2069376 ----a-w- g:\windows\system32\ntkrnlpa.exe
2010-12-06 03:06 . 2009-08-18 19:30 564632 ----a-w- g:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\wlidui.dll
2010-12-06 03:06 . 2009-08-18 19:24 17816 ----a-w- g:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2010-11-18 18:12 . 2010-08-14 22:55 81920 -c--a-w- g:\windows\system32\isign32.dll

((((((((((((((((((((((((((((( SnapShot@2011-02-10_16.34.17 )))))))))))))))))))))))))))))))))))))))))
+ 2011-02-10 19:19 . 2011-02-10 19:19 16384 g:\windows\Temp\Perflib_Perfdata_3a8.dat
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

"Aim"="g:\program files\AIM\aim.exe" [2010-09-16 4425048]
"Steam"="g:\program files\Steam\steam.exe" [2010-11-17 1242448]
"msnmsgr"="g:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
"Skype"="g:\program files\Skype\Phone\Skype.exe" [2010-10-12 14940040]

"SoundMan"="SOUNDMAN.EXE" [2004-11-15 77824]
"SunJavaUpdateSched"="g:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="g:\program files\QuickTime\qttask.exe" [2010-08-10 421888]
"iTunesHelper"="g:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"PWRISOVM.EXE"="g:\program files\PowerISO\PWRISOVM.EXE" [2010-04-12 180224]
"DivXUpdate"="g:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"NvMediaCenter"="g:\windows\system32\NvMcTray.dll" [2011-01-08 111208]
"NvCplDaemon"="g:\windows\system32\NvCpl.dll" [2011-01-08 13880424]
"nwiz"="g:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-11-04 1753192]

g:\documents and settings\Jorge\Start Menu\Programs\Startup\
CurseClientStartup.cc?p [2010-12-31 0]

g:\documents and settings\All Users\Start Menu\Programs\Startup\
SATARAID5.lnk - g:\program files\Silicon Image\3114 SATARAID5\sam.jar [2010-8-14 1510757]

"g:\\Program Files\\AIM\\aim.exe"=
"g:\\Program Files\\Steam\\Steam.exe"=
"g:\\Riot Games\\League of Legends\\air\\LolClient.exe"=
"g:\\Riot Games\\League of Legends\\game\\League of Legends.exe"=
"g:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"g:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"g:\\Program Files\\Steam\\steamapps\\sinslayer_909\\team fortress 2\\hl2.exe"=
"g:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"g:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"g:\\Program Files\\iTunes\\iTunes.exe"=
"g:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"g:\\Program Files\\Steam\\steamapps\\sinslayer_909\\counter-strike source\\hl2.exe"=
"g:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"g:\\World of Warcraft\\Launcher.exe"=
"g:\\Program Files\\World of Warcraft\\Launcher.exe"=
"g:\\World of Warcraft\\Blizzard Downloader.exe"=
"g:\\Program Files\\Steam\\steamapps\\common\\plain sight\\PlainSight.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"g:\\Program Files\\Ignition Entertainment\\Blacklight - Tango Down\\Binaries\\Win32\\BLTD.exe"=
"g:\\Program Files\\Steam\\steamapps\\common\\nation red\\NationRed.exe"=
"g:\\Program Files\\Skype\\Phone\\Skype.exe"=
"g:\\Program Files\\Steam\\steamapps\\common\\killingfloor\\System\\KillingFloor.exe"=
"g:\\Program Files\\Steam\\steamapps\\sinslayer_909\\bloody good time\\bgt.exe"=
"g:\\Program Files\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"=
"g:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"g:\\Program Files\\Steam\\steamapps\\common\\magicka\\Magicka.exe"=
"g:\\Documents and Settings\\Jorge\\Local Settings\\Apps\\2.0\\L1O9RQ21.RJ2\\5D7ECB8X.QLD\\curs..tion_eee711038731a406_0004.0000_efb506202a7c3b08\\CurseClient.exe"=
"g:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"g:\\Riot Games\\League of Legends\\lol.launcher.exe"=

"58610:TCP"= 58610:TCP:Pando Media Booster
"58610:UDP"= 58610:UDP:Pando Media Booster
"8378:TCP"= 8378:TCP:League of Legends Launcher
"8378:UDP"= 8378:UDP:League of Legends Launcher
"8379:TCP"= 8379:TCP:League of Legends Launcher
"8379:UDP"= 8379:UDP:League of Legends Launcher
"8380:TCP"= 8380:TCP:League of Legends Launcher
"8380:UDP"= 8380:UDP:League of Legends Launcher
"25565:TCP"= 25565:TCP:Minecraft
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"8381:TCP"= 8381:TCP:League of Legends Launcher
"8381:UDP"= 8381:UDP:League of Legends Launcher
"1119:TCP"= 1119:TCP:*:Disabled:Real id
"6986:TCP"= 6986:TCP:League of Legends Launcher
"6986:UDP"= 6986:UDP:League of Legends Launcher
"6886:TCP"= 6886:TCP:League of Legends Launcher
"6886:UDP"= 6886:UDP:League of Legends Launcher
"6890:TCP"= 6890:TCP:League of Legends Launcher
"6890:UDP"= 6890:UDP:League of Legends Launcher
"6914:TCP"= 6914:TCP:League of Legends Launcher
"6914:UDP"= 6914:UDP:League of Legends Launcher
"6935:TCP"= 6935:TCP:League of Legends Launcher
"6935:UDP"= 6935:UDP:League of Legends Launcher
"59085:TCP"= 59085:TCP:Pando Media Booster
"59085:UDP"= 59085:UDP:Pando Media Booster
"8393:TCP"= 8393:TCP:League of Legends Lobby
"8393:UDP"= 8393:UDP:League of Legends Lobby
"8390:TCP"= 8390:TCP:League of Legends Game Client
"8390:UDP"= 8390:UDP:League of Legends Game Client
"6884:TCP"= 6884:TCP:League of Legends Launcher
"6884:UDP"= 6884:UDP:League of Legends Launcher

R1 aswSP;aswSP;g:\windows\system32\drivers\aswSP.sys [8/21/2010 9:57 PM 294608]
R2 aswFsBlk;aswFsBlk;g:\windows\system32\drivers\aswFsBlk.sys [8/21/2010 9:57 PM 17744]
S3 XDva296;XDva296;\??\g:\windows\system32\XDva296.sys --> g:\windows\system32\XDva296.sys [?]
Contents of the 'Scheduled Tasks' folder

2011-02-07 g:\windows\Tasks\AppleSoftwareUpdate.job
- g:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]

2011-02-10 g:\windows\Tasks\WGASetup.job
- g:\windows\system32\KB905474\wgasetup.exe [2010-08-24 05:18]
------- Supplementary Scan -------
FF - ProfilePath - g:\documents and settings\Jorge\Application Data\Mozilla\Firefox\Profiles\evtuca25.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - g:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - g:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: HyperCamToolbar: {75656794-AB59-4712-BFBC-5D816D56F3BC} - %profile%\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}
FF - Ext: Java Quick Starter: jqs@sun.com - g:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - g:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false


catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-10 11:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

--------------------- LOCKED REGISTRY KEYS ---------------------

@Denied: (A 2) (Everyone)




@Denied: (A 2) (Everyone)


Completion time: 2011-02-10 11:35:33
ComboFix-quarantined-files.txt 2011-02-10 19:35
ComboFix2.txt 2011-02-10 16:36

Pre-Run: 179,708,125,184 bytes free
Post-Run: 179,710,550,016 bytes free

- - End Of File - - EA85507015299D0DC42744BF4302D7C6

#13 rigacci



Posted 11 February 2011 - 09:09 AM

Hi Jnmac!

I have some questions and directions.

I see you have a LOT of games loaded onto that machine. Are there some that you could uninstall? Each one can open a series of ports and it is always preferred to keep closed as many ports as possible.

If you are finished with them, go to Start>Control Panel>Add or Remove Programs and uninstall as many as possible. (some games have their own "uninstall" file which can be used)

I would like to get some information from your router. Can you also tell me if it is possible to reset your router without screwing up anything? Any special "Port forwarding" or other items?

Please open Notepad and Copy/Paste the following into it:

@echo off
rem Send the output of everything inside the parentheses to Log1.txt
>Log1.txt (
ipconfig /all
nslookup google.com
nslookup yahoo.com
ping -n 2 google.com
ping -n 2 yahoo.com
route print
)
rem Open the log in Notepad, then delete this batch file
start Log1.txt
del %0

This should create a log file that you should include in your next post.

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • This page should check your installed version and determine if you need an update.
  • Look for "JDK 6 Update 23 (JDK or JRE)" (may not be necessary if it does it automatically).
  • Click the "Download JRE".
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Some older programs require older Java. If that is why you still have this version of Java (Java 2 Runtime Environment, SE v1.4.2_04), leave it. Otherwise, I would uninstall it.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u23-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

If the computer is preventing you from updating MBAM, try using the Malwarebytes manual update process:

Using another PC, download the Malwarebytes database installer from http://data.mbamupdates.com/tools/mbam-rules.exe
Save mbam-rules.exe on a USB or flash drive and transfer it to the affected computer
Double-Click mbam-rules.exe to start updating MBAM


If the rogue program or any malicious software on the PC is preventing you from opening mbam-rules.exe, you need to try another method, which is to install the Malwarebytes program on a clean computer. Then update the database for Malwarebytes and copy the database of MBAM (file name is rules.ref) to a USB or flash drive. You can find rules.ref in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware on Windows 2000 and XP, or C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware on Windows 7 and Vista.
Note that the database version from the Malwarebytes database installer is not current. It's a week or a few days old because the vendor is not releasing a daily update for the said manual database update installer. If your copy of MBAM has a newer database version, you need not use the manual database installer. You should be fixing the computer instead by removing the infection.

Please post the router information, the MBAM log (if it updates and runs) and tell me how your computer is running at the moment.
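
The batch file above collects ipconfig /all and nslookup output so the helper can see which resolver the machine is really using. As an added example that is not part of this thread, the following Python script parses such a Log1.txt (a constructed sample is embedded) and lists any resolver outside the private ranges a home router would hand out; the expected ranges and the sample addresses are assumptions.

```python
import ipaddress
import re

# Constructed sample of the ipconfig /all and nslookup parts of Log1.txt
# (not a real log from the thread); 203.0.113.7 is a documentation address.
SAMPLE_LOG = """\
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            203.0.113.7
Server:  UnKnown
Address:  203.0.113.7

Non-authoritative answer:
Name:    google.com
Addresses:  74.125.224.72, 74.125.224.78
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Resolvers a home XP box is expected to use: the router (RFC 1918) or loopback.
EXPECTED_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def configured_dns_servers(log_text):
    """Resolvers under 'DNS Servers' in ipconfig /all; XP puts extra ones on
    following lines that hold nothing but an indented address."""
    servers, collecting = [], False
    for line in log_text.splitlines():
        if "DNS Servers" in line:
            collecting = True
        elif collecting and not IP_RE.fullmatch(line.strip()):
            collecting = False
        if collecting:
            servers.extend(IP_RE.findall(line))
    return servers

def nslookup_resolver(log_text):
    """The resolver nslookup actually queried (its first 'Address:' line)."""
    for line in log_text.splitlines():
        if line.strip().startswith("Address:"):
            match = IP_RE.search(line)
            return match.group(1) if match else None
    return None

def unexpected_resolvers(log_text):
    """Configured or used resolvers outside EXPECTED_NETS: candidates for a hijack."""
    seen = set(configured_dns_servers(log_text))
    used = nslookup_resolver(log_text)
    if used:
        seen.add(used)
    return sorted(ip for ip in seen
                  if not any(ipaddress.ip_address(ip) in net for net in EXPECTED_NETS))
```

A resolver flagged here is only a lead: compare it with the DNS settings on the router itself, since some infections change the router's settings rather than the PC's.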



#14 rigacci



Posted 12 February 2011 - 08:09 AM

Are you still with us? :whistle:


#15 Jnmac

Posted 18 February 2011 - 11:38 PM

I am, I apologize, I had to run out of town unexpectedly. I'm back now, and if you're still willing I would love your help with this <3

I'm going to do what you said in the last post now.

