
Banned from 4chan for being spambot, after saving image as .hta

Discussion in 'Virus & Other Malware Removal' started by Racthoh, Nov 30, 2011.

Thread Status:
Not open for further replies.
  1. Racthoh

    Racthoh Thread Starter

    Joined:
    Nov 30, 2011
    Messages:
    9
    Hello, yesterday as I was browsing 4chan I saw a thread with an image saying "save this image, open in paint, save as 4CHAN.HTA as 24 bit-mapping, then open the file again."

    I did exactly that, then deleted the file afterwards and emptied my recycle bin. Then I read the rest of the thread saying it was actually dangerous to my computer to do this and couldn't receive any help from anybody in the thread on how to undo my mistake. I was hoping just having deleted the image from my computer was enough, but today I was banned from 4chan for being an apparent spambot and posting under a name I'd never use (John Doe). So I've come here seeking help.

    If you were wondering why I've done something so stupid, it's because I thought it was just some form of trolling. For example, the image would be unscrambled, or it'd make my internet browser window bounce around the screen or something stupid to that effect.

    Here is the information you've asked me to post:

    Edit: also, yesterday I scanned my system with both Malwarebytes and AVG scanners and nothing came up at all.
     

    Attached Files:

  2. Racthoh

    Racthoh Thread Starter

    Joined:
    Nov 30, 2011
    Messages:
    9
    I can bump this every two days, right?
     
  3. Racthoh

    Racthoh Thread Starter

    Joined:
    Nov 30, 2011
    Messages:
    9
    2nd bump
     
  4. Racthoh

    Racthoh Thread Starter

    Joined:
    Nov 30, 2011
    Messages:
    9
  5. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Hiya Racthoh,

    Your logs are clean, are you having any specific issues with your system...

    Kevin....
     
  6. Racthoh

    Racthoh Thread Starter

    Joined:
    Nov 30, 2011
    Messages:
    9
    Yes, it looks like my PC was spamming 4chan by itself.

    Nobody but me has access to this computer so I assume it has something to do with what I explained above, saving an image as a .hta file and opening it.
     
  7. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    I do not see anything wrong with those logs you posted. OK, run the following:

    Delete any versions of Combofix that you may have on your Desktop, and download a fresh copy from either of the following links:

    Link 1
    Link 2

    • Ensure that Combofix is saved directly to the Desktop <--- Very important
    • Disable all security programs as they will have a negative effect on Combofix, instructions available Here if required. Be aware the list may not have all programs listed, if you need more help please ask.
    • Close any open browsers and any other programs you might have running
    • Double click the ComboFix icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
    • Instructions for running Combofix available Here if required.
    • If you are using Windows XP it might display a pop up saying "Recovery console is not installed, do you want to install?" Please select yes and let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
    • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

    ****Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall or freeze****

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read Here why disabling autoruns is recommended.

    *EXTRA NOTES*
    • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot; you must allow it to do so.
    • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
    • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

    Post the log in next reply please...

    Kevin
     
  8. Racthoh

    Racthoh Thread Starter

    Joined:
    Nov 30, 2011
    Messages:
    9
    I ran this twice because I had to reboot my pc to open firefox and I hadn't saved the first log. Hadn't realized it saved it for me until it was already overwritten...

     
  9. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    The log from the first run of Combofix will be here: C:\Qoobox\ComboFix2.txt. Let me see that file; I also need to see this file: C:\Qoobox\ComboFix-quarantined-files.txt

    Do not put the logs in code or quote boxes, just copy and paste to your reply...

    Kevin
     
  10. Racthoh

    Racthoh Thread Starter

    Joined:
    Nov 30, 2011
    Messages:
    9
    ComboFix 11-12-06.02 - user 12/07/2011 18:15:29.1.4 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4095.2345 [GMT -5:00]
    Running from: c:\users\user\Desktop\ComboFix.exe
    AV: AVG Anti-Virus *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\SysWow64\system
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-07 to 2011-12-07 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-07 23:20 . 2011-12-07 23:20 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
    2011-12-07 23:20 . 2011-12-07 23:20 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-12-05 11:35 . 2011-12-05 21:59 -------- d-----w- c:\programdata\AVG Secure Search
    2011-12-05 11:35 . 2011-12-05 11:35 -------- d-----w- c:\program files (x86)\Common Files\AVG Secure Search
    2011-12-05 11:35 . 2011-12-05 11:35 -------- d-----w- c:\program files (x86)\AVG Secure Search
    2011-11-22 03:11 . 2011-11-22 03:11 -------- d-----w- c:\users\user\AppData\Local\Skyrim
    2011-11-21 10:11 . 2011-12-06 06:12 -------- d-----w- c:\users\user\AppData\Local\PokerStars.NET
    2011-11-21 10:10 . 2011-12-06 06:12 -------- d-----w- c:\program files (x86)\PokerStars.NET
    2011-11-16 21:42 . 2011-11-16 21:42 -------- d-----w- c:\windows\system32\Macromed
    2011-11-10 08:00 . 2011-11-10 08:02 -------- d-----w- C:\03d1b3bd92ba0379bd1e54df
    2011-11-09 10:15 . 2011-09-29 16:29 1923952 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2011-11-09 09:44 . 2011-09-29 04:03 3144704 ----a-w- c:\windows\system32\win32k.sys
    2011-11-09 09:37 . 2011-10-01 05:45 886784 ----a-w- c:\program files\Common Files\System\wab32.dll
    2011-11-09 09:37 . 2011-10-01 04:37 708608 ----a-w- c:\program files (x86)\Common Files\System\wab32.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-16 21:42 . 2011-05-17 06:41 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-10-15 08:53 . 2011-10-25 01:38 7581504 ----a-w- c:\windows\system32\nvcuda.dll
    2011-10-15 08:53 . 2011-10-25 01:38 7041856 ----a-w- c:\windows\SysWow64\nvwgf2um.dll
    2011-10-15 08:53 . 2011-10-25 01:38 68928 ----a-w- c:\windows\system32\OpenCL.dll
    2011-10-15 08:53 . 2011-10-25 01:38 61248 ----a-w- c:\windows\SysWow64\OpenCL.dll
    2011-10-15 08:53 . 2011-10-25 01:38 5578560 ----a-w- c:\windows\SysWow64\nvcuda.dll
    2011-10-15 08:53 . 2011-10-25 01:38 2542912 ----a-w- c:\windows\system32\nvcuvid.dll
    2011-10-15 08:53 . 2011-10-25 01:38 24796992 ----a-w- c:\windows\system32\nvcompiler.dll
    2011-10-15 08:53 . 2011-10-25 01:38 24742720 ----a-w- c:\windows\system32\nvoglv64.dll
    2011-10-15 08:53 . 2011-10-25 01:38 2458432 ----a-w- c:\windows\SysWow64\nvapi.dll
    2011-10-15 08:53 . 2011-10-25 01:38 2401088 ----a-w- c:\windows\SysWow64\nvcuvid.dll
    2011-10-15 08:53 . 2011-10-25 01:38 2232128 ----a-w- c:\windows\system32\nvcuvenc.dll
    2011-10-15 08:53 . 2011-10-25 01:38 2099520 ----a-w- c:\windows\SysWow64\nvcuvenc.dll
    2011-10-15 08:53 . 2011-10-25 01:38 18871616 ----a-w- c:\windows\SysWow64\nvoglv32.dll
    2011-10-15 08:53 . 2011-10-25 01:38 17248576 ----a-w- c:\windows\SysWow64\nvcompiler.dll
    2011-10-15 08:53 . 2011-10-25 01:38 12971840 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
    2011-10-15 08:53 . 2011-09-20 03:34 15693120 ----a-w- c:\windows\system32\nvd3dumx.dll
    2011-10-15 08:53 . 2011-09-20 03:34 1533248 ----a-w- c:\windows\system32\nvdispco64.dll
    2011-10-15 08:53 . 2011-09-20 03:34 1454400 ----a-w- c:\windows\system32\nvgenco64.dll
    2011-10-15 08:53 . 2011-09-20 03:34 13205312 ----a-w- c:\windows\SysWow64\nvd3dum.dll
    2011-10-15 08:53 . 2011-02-05 15:49 8791360 ----a-w- c:\windows\system32\nvwgf2umx.dll
    2011-10-15 08:53 . 2011-02-05 15:49 2808128 ----a-w- c:\windows\system32\nvapi64.dll
    2011-10-15 08:53 . 2011-01-08 00:49 837952 ----a-w- c:\windows\system32\easyUpdatusAPIU64.dll
    2011-10-15 08:53 . 2011-01-08 00:49 10406208 ----a-w- c:\windows\system32\nvcpl.dll
    2011-10-15 08:53 . 2011-01-08 00:49 5067584 ----a-w- c:\windows\system32\nvsvc64.dll
    2011-10-15 08:53 . 2011-01-08 00:48 222528 ----a-w- c:\windows\system32\nvmctray.dll
    2011-10-15 08:53 . 2011-01-08 00:48 1640768 ----a-w- c:\windows\system32\nvvsvc.exe
    2011-10-15 08:53 . 2011-01-08 00:48 137536 ----a-w- c:\windows\system32\nvshext.dll
    2011-10-15 04:54 . 2011-10-15 04:54 321856 ----a-w- c:\windows\SysWow64\nvStreaming.exe
    2011-10-03 09:06 . 2010-05-16 22:59 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2011-10-01 03:25 . 2011-10-12 04:50 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2011-10-01 02:42 . 2011-10-12 04:50 1638912 ----a-w- c:\windows\SysWow64\mshtml.tlb
    2011-09-13 12:31 . 2010-01-05 00:22 35664 ----a-w- c:\windows\system32\drivers\avgmfx64.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
    2011-12-05 11:35 1547104 ----a-w- c:\program files (x86)\AVG Secure Search\9.0.0.18\AVG Secure Search_toolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files (x86)\AVG Secure Search\9.0.0.18\AVG Secure Search_toolbar.dll" [2011-12-05 1547104]
    .
    [HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "AVG9_TRAY"="c:\progra~2\AVG\AVG9\avgtray.exe" [2011-10-24 2078048]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "vProt"="c:\program files (x86)\AVG Secure Search\vprot.exe" [2011-12-05 827232]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    R2 AVGIDSAgent;AVG9IDSAgent;c:\program files (x86)\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe AVGIDSAgent [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files (x86)\AVG\AVG9\Toolbar\ToolbarBroker.exe [2011-11-10 167264]
    R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-07-26 25832]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    S0 AVGIDSErHrw7a;AVG9IDSErHr;c:\windows\System32\Drivers\AVGIDSwa.sys [x]
    S0 AvgRkx64;avgrkx64.sys;c:\windows\System32\Drivers\avgrkx64.sys [x]
    S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
    S1 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwd6a.sys [x]
    S1 AvgLdx64;AVG AVI Loader Driver x64;c:\windows\System32\Drivers\avgldx64.sys [x]
    S1 AvgMfx64;AVG On-access Scanner Minifilter Driver x64;c:\windows\System32\Drivers\avgmfx64.sys [x]
    S1 AvgTdiA;AVG Network Redirector x64;c:\windows\System32\Drivers\avgtdia.sys [x]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
    S2 avg9wd;AVG WatchDog;c:\program files (x86)\AVG\AVG9\avgwdsvc.exe [2010-06-22 308136]
    S2 avgfws9;AVG Firewall;c:\program files (x86)\AVG\AVG9\avgfws9.exe [2010-11-24 2331544]
    S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-10-15 2253120]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-10-15 381248]
    S2 vToolbarUpdater;vToolbarUpdater;c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe [2011-12-05 855904]
    S3 AVGIDSDriverw7a;AVG9IDSDriver;c:\program files (x86)\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN764\AVGIDSDriver.sys [2010-06-22 132688]
    S3 AVGIDSFilterw7a;AVG9IDSFilter;c:\program files (x86)\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN764\AVGIDSFilter.sys [2010-06-22 35920]
    S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-12-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-928086115-3560712615-946670377-1001Core.job
    - c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-05 00:36]
    .
    2011-12-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-928086115-3560712615-946670377-1001UA.job
    - c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-05 00:36]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-21 7981088]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 165912]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 385560]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 363544]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x1
    "AppInit_DLLs"=c:\windows\System32\avgrssta.dll
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.254
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\9.0.1\ViProtocol.dll
    FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\o4ooixg0.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=DCF4DF&PC=DCF4&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4b42864b&v=6.103.018.001&i=26&tp=ab&iy=&ychte=us&lng=en-US&q=
    .
    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    AddRemove-FINAL FANTASY VIII - c:\users\user\documents\ff viii\Uninst.isu
    AddRemove-World of Logs Client - c:\windows\system32\javaws.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10b.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10b.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker2"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\SysWOW64\PnkBstrA.exe
    c:\program files (x86)\AVG\AVG9\avgam.exe
    .
    **************************************************************************
    .
    Completion time: 2011-12-07 18:27:05 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-12-07 23:27
    .
    Pre-Run: 197,564,334,080 bytes free
    Post-Run: 197,908,160,512 bytes free
    .
    - - End Of File - - 93048585501B89FFFB9872EE0C7A3613


    2011-12-07 23:26:11 . 2011-12-07 23:26:11 1,112 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-World of Logs Client.reg.dat
    2011-12-07 23:26:11 . 2011-12-07 23:26:11 546 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-FINAL FANTASY VIII.reg.dat
    2011-12-07 23:26:03 . 2011-12-07 23:26:03 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829}.reg.dat
    2011-12-07 23:25:50 . 2011-12-07 23:52:33 288 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829}.reg.dat
    2011-12-07 23:25:48 . 2011-12-07 23:25:48 118 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C}.reg.dat
    2011-12-07 23:18:02 . 2011-12-07 23:46:47 4,283 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
    2011-12-07 23:12:45 . 2011-12-07 23:39:58 153 ----a-w- C:\Qoobox\Quarantine\catchme.log
    2010-03-05 18:58:33 . 2010-03-05 18:58:33 20 ----a-w- C:\Qoobox\Quarantine\C\Windows\SysWOW64\system.vir
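    Kevin's review of the ComboFix log above (Run keys, service/driver lines, AppInit_DLLs) can be partly automated. The script below is an added example written for this thread, not code from the thread or from ComboFix: it parses a constructed excerpt laid out in ComboFix's own format (the entries mirror lines from the posted log, except the "Updater" line, which is made up to show what a user-profile autorun looks like) and lists the items a reviewer would check first.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in ComboFix's log layout. Every line except "Updater" is
# modelled on the log posted in this thread; "Updater" is a made-up entry used
# only to show how an autorun launched from a user profile is reported.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~2\AVG\AVG9\avgtray.exe" [2011-10-24 2078048]
"Updater"="c:\users\user\AppData\Roaming\updater.exe" [2011-12-01 12345]
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
"AppInit_DLLs"=c:\windows\System32\avgrssta.dll
"""


@dataclass(frozen=True)
class Autorun:
    source: str     # registry key the value lives under, or the service start type (R2, S0, ...)
    name: str
    path: str
    verified: bool  # False when ComboFix printed "[x]" instead of a date and size


RUN_VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$')
SERVICE_RE = re.compile(r'^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$')
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(?P<dlls>.+)$')
LOADAPPINIT_RE = re.compile(r'^"LoadAppInit_DLLs"=(?P<val>0x[0-9a-fA-F]+|\d+)$')

# Path fragments that place an autorun inside a user profile or temp area,
# which is where a reviewer looks first because system software rarely lives there.
USER_PROFILE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\documents and settings\\")


def parse_autoruns(log_text):
    """Collect Run-key values and service/driver lines from a ComboFix log."""
    autoruns = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "." or not line:      # ComboFix separates blocks with lone dots
            current_key = None
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]     # a registry key header
            continue
        m = SERVICE_RE.match(line)
        if m:
            rest = m.group("rest")
            verified = not rest.endswith("[x]")
            path = re.sub(r"\s*\[[^\]]*\]$", "", rest)   # strip "[date size]" or "[x]"
            autoruns.append(Autorun(m.group("start"), m.group("name"), path, verified))
            continue
        if current_key and current_key.lower().endswith("\\run"):
            m = RUN_VALUE_RE.match(line)
            if m:
                autoruns.append(Autorun(current_key, m.group("name"), m.group("path"), True))
    return autoruns


def triage(log_text):
    """Return (kind, detail) pairs a reviewer would want to look at first."""
    findings = []
    for a in parse_autoruns(log_text):
        p = a.path.lower()
        if any(marker in p for marker in USER_PROFILE_MARKERS):
            findings.append(("autorun-from-user-profile", f"{a.name}: {a.path}"))
        if not a.verified:
            # "[x]" only means ComboFix recorded no file details; many legitimate
            # drivers show it, so this is a checklist item, not an indicator.
            findings.append(("unverified-service-image", f"{a.source} {a.name}: {a.path}"))
    load_on, dlls = False, ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LOADAPPINIT_RE.match(line)
        if m:
            load_on = int(m.group("val"), 0) != 0
        m = APPINIT_RE.match(line)
        if m:
            dlls = m.group("dlls").strip()
    if load_on and dlls:
        # AppInit_DLLs loads the listed DLL into every process that uses user32.dll,
        # so whatever sits there deserves a look regardless of its vendor.
        findings.append(("appinit-dlls-in-use", dlls))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:28} {detail}")
```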
     
  11. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    I still see nothing to indicate the issue you have with 4chan, have you changed passwords for all email accounts?

    Your logs are good my friend, do the following:

    Step 1

    Remove Combofix now that we're done with it
    • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
    • Please follow the prompts to uninstall Combofix.
    • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
    The above procedure will delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\_OtMoveIt folder, if present
    • Reset the clock settings.
    • Hide file extensions, if required.
    • Hide System/Hidden files, if required.
    • Reset System Restore.
    It is very important that you get a successful uninstall because of the extra functions done at the same time, let me know if this does not happen.

    Step 2

    • Download OTC by OldTimer and save it to your desktop. Alternative mirror
    • Double click the OTC icon to start the program.
      If you are using Vista or Windows 7, please right-click and choose run as administrator
    • Then click the big CleanUp! button.
    • You will get a prompt saying "Beginning Cleanup Process". Please select Yes.
    • Restart your computer when prompted.
    • This will remove tools we have used and itself. Any tools/logs remaining on the Desktop can be deleted.

    Step 3

    Download TFC to your desktop, from either of the following links
    Link 1
    Link 2
    • Save any open work. TFC will close all open application windows.
    • Double-click TFC.exe to run the program. Vista or Windows 7 users right click and select "Run as Administrator"
    • If prompted, click "Yes" to reboot.
    Save any open work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. TFC may reboot your system; if not, reboot it yourself to complete the cleaning process <---- Very Important

    Keep TFC; it is an excellent utility to keep your system optimized, it empties all user temp folders, Java cache etc. Always remember to reboot after a run, even if not prompted.

    Step 4

    You will have several programs installed; these may be outdated and vulnerable to exploits also. To be certain, please run the free online scan by Secunia, available Here. Before clicking the Start scan button, please check the box for the option Enable thorough system inspection. Just below the "Scan Options:" section, you'll see the status of what's currently processing....
    ...when the scan completes, the message "Detection completed successfully" will appear in the Programs/Result section. For each problem detected, Secunia will offer a "Solution" option. Please follow those instructions to download updated versions of the programs as recommended by Secunia.

    Let me know if those steps complete OK....

    Kevin
     
  12. Racthoh

    Racthoh Thread Starter

    Joined:
    Nov 30, 2011
    Messages:
    9
    Thanks I was able to complete all those steps successfully.

    About my passwords I have not changed any of them recently, but would that have something to do with my getting banned from 4chan?

    When I saved that image and reopened it as .hta file, I went back to 4chan a couple hours later and got a message saying I was permanently banned (coincidence I think not?) and there was a little appeal box allowing me to leave my email and a short message to appeal my ban. Then the next day I was unbanned.

    While I was banned though I did some research on the prank that was pulled on me and I was led to believe I was put on a botnet that would spam the 4chan message boards.

    I am happy to hear it appears my computer may be safe after all.
     
  13. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Your logs are definitely clean, no issues whatsoever. I change my email passwords every week without fail, as email accounts are web based it is easy for them to be hacked.

    I see you are using AVG as your security; if that is the free version I'd consider changing it, also if you are using Windows' own Firewall I'd change that also. The W7 firewall is improved but still has flaws.

    This is my recommendation for a freebie setup:

    To keep safe when online you need a good Antivirus/Antispyware/Antimalware/Anti-Rootkit combination application. Microsoft Security Essentials covers all of those bases, but better still it is free. Go Here and hit the "Download free" tab, follow the prompts. Once installed it will want to update and carry out a quick scan, allow that to happen.

    Go Here for information that will show you how to install and use MSE.

    You also need a software Firewall, Online Armour Free Firewall is one of the best available, also go Here for an excellent tutorial that will show you how to use it.

    I'd also keep Malwarebytes free version for twice-weekly quick scans and four-weekly full scans, or as-required scans. Always remember to update first. If you have a spare £20 upgrade to the professional version, you get realtime protection and auto updates. It also works well with MSE and Online Armour and is a lifetime license.

    Just remember you can only have one active Firewall and one Anti-virus program with "realtime" protection engaged, any more and you will have serious issues.

    Kevin
     
  14. Racthoh

    Racthoh Thread Starter

    Joined:
    Nov 30, 2011
    Messages:
    9
    Thank you very much, peace of mind as well.

    I will try all this stuff and thanks again.
     
  15. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    My pleasure, if you have no more issues here are some tips to reduce the potential for malware infection in the future:

    Make proper use of your antivirus and firewall

    Antivirus and Firewall programs are integral to your computer security. However, just having them installed isn't enough. The definitions of these programs are frequently updated to detect the latest malware, if you don't keep up with these updates then you'll be vulnerable to infection. Many antivirus and firewall programs have automatic update features, make use of those if you can. If your program doesn't, then get in the habit of routinely performing manual updates, because it's important.

    You should keep your antivirus and firewall guard enabled at all times, NEVER turn them off unless there's a specific reason to do so. Also, regularly performing a full system scan with your antivirus program is a good idea to make sure your system remains clean. Once a week should be adequate. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

    Install and use WinPatrol. This will inform you of any attempted unauthorized changes to your system.

    WinPatrol features explained Here

    You will have several programs installed; these may be outdated and vulnerable to exploits also. To be certain, please run the free online scan by Secunia, available Here. Before clicking the Start scan button, please check the box for the option Enable thorough system inspection. Just below the "Scan Options:" section, you'll see the status of what's currently processing....
    ...when the scan completes, the message "Detection completed successfully" will appear in the Programs/Result section. For each problem detected, Secunia will offer a "Solution" option. Please follow those instructions to download updated versions of the programs as recommended by Secunia.

    Use a safer web browser

    Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a few good free alternatives:

    Firefox,

    Opera, and

    Chrome.

    All of these are excellent faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial HERE which will help you to make IE MUCH safer.

    These browser add-ons will help to make your browser safer:

    Web of Trust warns you about risky websites that try to scam visitors, deliver malware or send spam. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous ones:

    Green to go,
    Yellow for caution, and
    Red to stop.

    Available for Firefox and Internet Explorer.

    NoScript: available for Firefox only. NoScript helps to block malicious scripts and in general gives you much better control over what types of things webpages can do to your computer while you're browsing.

    These are just a couple of the most popular add-ons, if you're interested in more, take a look at THIS article.

    Here are a couple of links by two security experts that will give some excellent tips and advice.

    So how did I get infected in the first place by Tony Klein

    How to prevent Malware by Miekiemoes

    Finally, this link HERE will give a comprehensive up-to-date list of free security programs, including antivirus, antispyware, firewall, antimalware, online scanners and rescue CDs.

    Don't forget, the best form of defense is common sense. If you don't recognize it, don't open it. If something looks too good to be true, then it ain't.

    If there are no remaining issues, hit the "Mark Solved" tab at the top of the thread.

    Take care,

    Kevin
     
Short URL to this thread: https://techguy.org/1029037
