Posts posted by RomanArmstrong
ComboFix 12-06-16.02 - Roman2 06/18/2012 20:20:39.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1283 [GMT -5:00]
Running from: c:\documents and settings\Roman2.RICHARD\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Elizabeth\Application Data\Dealio
c:\documents and settings\Elizabeth\Application Data\Dealio\res\widgets.xml
c:\documents and settings\Elizabeth\Application Data\Dealio\temp\http___www_dealio_com_rss_coupons-deals_dotd_.xml
c:\documents and settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\5vgaz1qy.default\extensions\{a759f96e-0c16-4e31-80a4-5e2c26e77bd0}
c:\documents and settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\5vgaz1qy.default\extensions\{a759f96e-0c16-4e31-80a4-5e2c26e77bd0}\chrome.manifest
c:\documents and settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\5vgaz1qy.default\extensions\{a759f96e-0c16-4e31-80a4-5e2c26e77bd0}\chrome\xulcache.jar
c:\documents and settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\5vgaz1qy.default\extensions\{a759f96e-0c16-4e31-80a4-5e2c26e77bd0}\defaults\preferences\xulcache.js
c:\documents and settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\5vgaz1qy.default\extensions\{a759f96e-0c16-4e31-80a4-5e2c26e77bd0}\install.rdf
c:\documents and settings\Roman2.RICHARD\Application Data\Mozilla\Firefox\Profiles\190cxai2.default\extensions\{a759f96e-0c16-4e31-80a4-5e2c26e77bd0}
c:\documents and settings\Roman2.RICHARD\Application Data\Mozilla\Firefox\Profiles\190cxai2.default\extensions\{a759f96e-0c16-4e31-80a4-5e2c26e77bd0}\chrome.manifest
c:\documents and settings\Roman2.RICHARD\Application Data\Mozilla\Firefox\Profiles\190cxai2.default\extensions\{a759f96e-0c16-4e31-80a4-5e2c26e77bd0}\chrome\xulcache.jar
c:\documents and settings\Roman2.RICHARD\Application Data\Mozilla\Firefox\Profiles\190cxai2.default\extensions\{a759f96e-0c16-4e31-80a4-5e2c26e77bd0}\defaults\preferences\xulcache.js
c:\documents and settings\Roman2.RICHARD\Application Data\Mozilla\Firefox\Profiles\190cxai2.default\extensions\{a759f96e-0c16-4e31-80a4-5e2c26e77bd0}\install.rdf
c:\documents and settings\Roman2\Application Data\Mozilla\Firefox\Profiles\190cxai2.default\extensions\{a759f96e-0c16-4e31-80a4-5e2c26e77bd0}
c:\documents and settings\Roman2\Application Data\Mozilla\Firefox\Profiles\190cxai2.default\extensions\{a759f96e-0c16-4e31-80a4-5e2c26e77bd0}\chrome.manifest
c:\documents and settings\Roman2\Application Data\Mozilla\Firefox\Profiles\190cxai2.default\extensions\{a759f96e-0c16-4e31-80a4-5e2c26e77bd0}\chrome\xulcache.jar
c:\documents and settings\Roman2\Application Data\Mozilla\Firefox\Profiles\190cxai2.default\extensions\{a759f96e-0c16-4e31-80a4-5e2c26e77bd0}\defaults\preferences\xulcache.js
c:\documents and settings\Roman2\Application Data\Mozilla\Firefox\Profiles\190cxai2.default\extensions\{a759f96e-0c16-4e31-80a4-5e2c26e77bd0}\install.rdf
c:\documents and settings\Roman2\llmbjmvywn.tmp
c:\documents and settings\Susan.RICHARD\WINDOWS
c:\documents and settings\Susan\Application Data\Dealio
c:\documents and settings\Susan\Application Data\Dealio\res\widgets.xml
c:\documents and settings\Susan\Application Data\Dealio\temp\http___www_dealio_com_rss_coupons-deals_dotd_.xml
c:\documents and settings\Susan\Application Data\Mozilla\Firefox\Profiles\ugmvoz4s.default\extensions\{a759f96e-0c16-4e31-80a4-5e2c26e77bd0}
c:\documents and settings\Susan\Application Data\Mozilla\Firefox\Profiles\ugmvoz4s.default\extensions\{a759f96e-0c16-4e31-80a4-5e2c26e77bd0}\chrome.manifest
c:\documents and settings\Susan\Application Data\Mozilla\Firefox\Profiles\ugmvoz4s.default\extensions\{a759f96e-0c16-4e31-80a4-5e2c26e77bd0}\chrome\xulcache.jar
c:\documents and settings\Susan\Application Data\Mozilla\Firefox\Profiles\ugmvoz4s.default\extensions\{a759f96e-0c16-4e31-80a4-5e2c26e77bd0}\defaults\preferences\xulcache.js
c:\documents and settings\Susan\Application Data\Mozilla\Firefox\Profiles\ugmvoz4s.default\extensions\{a759f96e-0c16-4e31-80a4-5e2c26e77bd0}\install.rdf
C:\install.exe
c:\program files\filesubmit
c:\program files\filesubmit\wfs\wfs.zip
c:\program files\OApps\bhO_project.dll
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\SET37C.tmp
c:\windows\system32\SET37D.tmp
c:\windows\system32\SET37E.tmp
c:\windows\system32\SET382.tmp
c:\windows\system32\SET383.tmp
c:\windows\system32\SET384.tmp
c:\windows\system32\SET388.tmp
c:\windows\system32\SET38A.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-05-19 to 2012-06-19 )))))))))))))))))))))))))))))))
.
.
2012-06-17 22:21 . 2012-06-17 22:21 388096 ----a-r- c:\documents and settings\Roman2.RICHARD\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-06-17 22:21 . 2012-06-17 22:21 -------- d-----w- c:\program files\Trend Micro
2012-06-16 03:54 . 2012-06-19 01:25 -------- d-----w- c:\program files\OApps
2012-06-16 03:54 . 2012-06-16 03:57 -------- d-----w- c:\program files\TorrentSearch
2012-06-16 03:54 . 2012-06-16 03:56 -------- d-----w- c:\program files\intellidownload
2012-06-16 00:09 . 2012-06-16 00:09 -------- d-----w- c:\documents and settings\All Users\Application Data\GoldWave
2012-06-15 23:54 . 2012-06-17 22:25 -------- d-----w- c:\program files\WAV to MP3 Encoder
2012-06-15 23:54 . 2002-08-23 04:27 348160 ----a-w- c:\windows\system32\FlatBtn6.ocx
2012-06-15 23:54 . 2001-12-12 16:35 348160 ----a-w- c:\windows\system32\MEnc.ocx
2012-06-15 23:07 . 2012-06-15 23:07 -------- d-----w- c:\program files\GoldWave
2012-06-15 05:16 . 2012-06-15 05:20 -------- d-----w- c:\documents and settings\Roman2.RICHARD\Application Data\MinerWars
2012-06-15 04:57 . 2012-06-15 04:57 -------- d-----w- c:\program files\Keen Software House
2012-06-15 04:56 . 2012-06-15 04:56 -------- d-----w- c:\program files\SlimDX SDK (September 2011)
2012-06-15 04:55 . 2012-06-15 04:55 -------- d-----w- c:\program files\Microsoft XNA
2012-06-14 21:31 . 2012-06-14 21:31 -------- d-----w- c:\documents and settings\Roman2.RICHARD\Local Settings\Application Data\ArmA 2 Free
2012-06-14 21:28 . 2012-06-14 21:28 -------- d-----w- c:\program files\Bohemia Interactive
2012-06-13 11:55 . 2012-05-11 14:42 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-06-08 04:58 . 2012-06-14 20:34 -------- d-----w- c:\program files\Hero Editor
2012-06-08 04:57 . 2012-06-08 04:57 249856 ------w- c:\windows\Setup1.exe
2012-06-08 04:57 . 2012-06-08 04:57 73216 ----a-w- c:\windows\ST6UNST.EXE
2012-06-07 03:57 . 2012-06-07 03:57 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-06-07 03:57 . 2012-06-07 03:57 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-06-04 21:13 . 2012-06-04 21:13 -------- d-----w- c:\windows\Diablo II
2012-06-04 21:12 . 2012-06-14 20:33 -------- d-----w- C:\Diablo II
2012-06-04 00:57 . 2012-06-04 00:58 21840 ----atw- c:\windows\system32\SIntfNT.dll
2012-06-04 00:57 . 2012-06-04 00:58 17212 ----atw- c:\windows\system32\SIntf32.dll
2012-06-04 00:57 . 2012-06-04 00:58 12067 ----atw- c:\windows\system32\SIntf16.dll
2012-06-01 07:34 . 2012-06-01 07:34 -------- d-----w- c:\documents and settings\Roman2.RICHARD\Local Settings\Application Data\Unity
2012-05-22 23:12 . 2012-05-22 23:13 -------- d-----w- c:\documents and settings\Elizabeth.RICHARD\Local Settings\Application Data\Skyrim
2012-05-22 18:57 . 2012-05-22 19:01 -------- d-----w- c:\documents and settings\Roman2.RICHARD\Local Settings\Application Data\Skyrim
2012-05-22 18:55 . 2012-05-22 18:55 -------- d-----w- C:\214eddf86e80e1587dc4
2012-05-22 15:18 . 2012-05-22 15:18 -------- d-----w- c:\documents and settings\Rick.RICHARD\Local Settings\Application Data\Temp
2012-05-22 15:18 . 2012-05-22 15:18 -------- d-----w- c:\documents and settings\Rick.RICHARD\Local Settings\Application Data\Adobe
2012-05-22 15:05 . 2012-05-22 15:05 -------- d-----w- c:\documents and settings\Rick.RICHARD\Application Data\vlc
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-18 01:36 . 2012-04-19 03:25 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-18 01:36 . 2011-05-15 20:23 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-02 20:19 . 2008-10-16 19:09 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 20:19 . 2009-08-25 17:52 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 20:19 . 2009-08-25 17:52 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 20:19 . 2009-08-25 17:52 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 20:19 . 2008-10-16 19:07 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 20:19 . 2009-08-25 17:52 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 20:19 . 2009-08-25 17:40 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 20:19 . 2008-10-16 19:09 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 20:19 . 2008-10-16 19:07 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 20:19 . 2001-08-23 12:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 20:19 . 2008-10-16 19:07 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 20:19 . 2009-08-25 17:52 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 20:19 . 2009-08-25 17:40 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 20:18 . 2010-06-18 14:19 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 20:18 . 2010-06-18 14:19 214256 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 20:18 . 2010-06-18 14:19 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-31 13:22 . 2001-08-23 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2001-08-23 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20 . 2001-08-23 12:00 1863168 ------w- c:\windows\system32\win32k.sys
2012-05-11 14:42 . 2001-08-23 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2001-08-23 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2009-08-25 17:52 385024 ------w- c:\windows\system32\html.iec
2012-05-04 13:16 . 2001-08-23 12:00 2148352 ------w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2001-08-17 13:48 2026496 ------w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2009-08-25 17:40 139656 ------w- c:\windows\system32\drivers\rdpwd.sys
2012-04-29 22:28 . 2012-04-29 22:28 335504 ----a-w- c:\windows\system32\drivers\TrufosAlt.sys
2012-04-19 23:39 . 2012-04-02 22:08 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-19 23:39 . 2010-09-02 16:25 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-19 03:30 . 2012-02-20 18:52 242240 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-04-04 20:56 . 2010-05-27 14:34 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-16 21:34 . 2011-09-28 01:32 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Steam\steam.exe" [2012-01-12 1242448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SchedulingAgent"="mstinit.exe" [2008-04-14 12288]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-05-16 213936]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-04 311296]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-03-09 98304]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
.
c:\documents and settings\Roman2\Start Menu\Programs\Startup\
GammaTray.lnk - c:\program files\MagicTune Premium\GammaTray.exe [2009-9-2 36864]
NCProTray.lnk - c:\program files\SEC\Natural Color Pro\NCProTray.exe [2009-9-2 49220]
.
c:\documents and settings\Susan\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
.
c:\documents and settings\Elizabeth\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
.
c:\documents and settings\Elizabeth.RICHARD\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
.
c:\documents and settings\Roman2.RICHARD\Start Menu\Programs\Startup\
GammaTray.lnk - c:\program files\MagicTune Premium\GammaTray.exe [2009-9-2 36864]
NCProTray.lnk - c:\program files\SEC\Natural Color Pro\NCProTray.exe [2009-9-2 49220]
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
GammaTray.lnk - c:\program files\MagicTune Premium\GammaTray.exe [2009-9-2 36864]
NCProTray.lnk - c:\program files\SEC\Natural Color Pro\NCProTray.exe [2009-9-2 49220]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ComicRack\\ComicRack.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Steam\\SteamApps\\nitroximos\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\skyrim\\SkyrimLauncher.exe"=
"c:\\Program Files\\TorrentSearch\\easydownload.exe"=
.
P2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;c:\program files\Hi-Rez Studios\HiPatchService.exe [2/23/2012 5:55 PM 8704]
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [12/10/2011 4:12 PM 14776]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [6/30/2011 10:35 PM 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9/1/2010 5:48 PM 337880]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2/20/2012 1:52 PM 242240]
R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\IObit\Advanced SystemCare 5\ASCService.exe [4/18/2012 11:02 PM 913752]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/1/2010 5:48 PM 20696]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [4/19/2012 1:38 PM 21992]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [4/18/2012 7:09 PM 100368]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/18/2012 10:25 PM 257224]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [4/24/2012 6:10 PM 113120]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 Freemake Improver;Freemake Improver;"c:\documents and settings\All Users\Application Data\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe" --> c:\documents and settings\All Users\Application Data\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe [?]
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-19 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-19 01:36]
.
2012-06-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57]
.
2012-06-18 c:\windows\Tasks\Game_Booster_Startup.job
- c:\program files\IObit\Game Booster\gbtray.exe [2011-03-29 19:51]
.
2012-06-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-1715567821-839522115-1003Core.job
- c:\documents and settings\Rick.RICHARD\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-18 23:47]
.
2012-06-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-1715567821-839522115-1003UA.job
- c:\documents and settings\Rick.RICHARD\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-18 23:47]
.
2012-06-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-1715567821-839522115-1005Core.job
- c:\documents and settings\Susan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-01 18:42]
.
2012-06-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-1715567821-839522115-1005UA.job
- c:\documents and settings\Susan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-01 18:42]
.
2012-06-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-1715567821-839522115-1006Core.job
- c:\documents and settings\Elizabeth\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-02 13:28]
.
2012-06-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-1715567821-839522115-1006UA.job
- c:\documents and settings\Elizabeth\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-02 13:28]
.
2012-06-18 c:\windows\Tasks\SmartDefrag_Startup.job
- c:\program files\IObit\Smart Defrag 2\SmartDefrag.exe [2011-03-29 16:35]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
TCP: DhcpNameServer = 192.168.11.1
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-BitTorrent - c:\program files\BitTorrent\BitTorrent.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-18 20:27
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
C:\avast! sandbox
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f5,06,08,49,32,c1,13,4b,b3,dd,26,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f5,06,08,49,32,c1,13,4b,b3,dd,26,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(960)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
Completion time: 2012-06-18 20:29:30
ComboFix-quarantined-files.txt 2012-06-19 01:29
.
Pre-Run: 44,650,725,376 bytes free
Post-Run: 46,700,744,704 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /usepmtimer /NoExecute=OptIn
.
- - End Of File - - D618B24BE403EFB838EB3CCB078F784D
-
I uninstalled Bittorrent (which, maybe to be a little facetious, I'll say isn't technically illegal), but I did have to manually remove some files before it stopped showing up in the DDS log. Anyway, the MBAM log follows:
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org
Database version: v2012.06.18.09
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Roman2 :: RICHARD [administrator]
6/18/2012 5:42:39 PM
mbam-log-2012-06-18 (17-42-39).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 407047
Time elapsed: 13 minute(s), 19 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
And the DDS log:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Roman2 at 18:07:18 on 2012-06-18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1377 [GMT -5:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hi-Rez Studios\HiPatchService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Steam\steam.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\MagicTune Premium\GammaTray.exe
C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\wscntfy.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: VideoFileDownload: {e78a5c92-6a2b-4369-ab14-0ed3b2b18584} - c:\program files\oapps\bho_project.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [steam] "c:\program files\steam\steam.exe" -silent
uRun: [bitTorrent] "c:\program files\bittorrent\BitTorrent.exe" /MINIMIZED
mRun: [schedulingAgent] mstinit.exe /firstlogon
mRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\isuspm.exe" -scheduler
mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [oxawluwe] c:\documents and settings\networkservice\local settings\application data\xirmigofw\fxiyjhttssd.exe
StartupFolder: c:\docume~1\roman2~1.ric\startm~1\programs\startup\gammat~1.lnk - c:\program files\magictune premium\GammaTray.exe
StartupFolder: c:\docume~1\roman2~1.ric\startm~1\programs\startup\ncprot~1.lnk - c:\program files\sec\natural color pro\NCProTray.exe
StartupFolder: c:\docume~1\roman2~1.ric\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\gammat~1.lnk - c:\program files\magictune premium\GammaTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ncprot~1.lnk - c:\program files\sec\natural color pro\NCProTray.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.11.1
TCP: Interfaces\{3D162B0D-0EB1-438B-845C-1E0A75072117} : DhcpNameServer = 192.168.11.1
Notify: AtiExtEvent - Ati2evxx.dll
.
============= SERVICES / DRIVERS ===============
.
P2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;c:\program files\hi-rez studios\HiPatchService.exe [2012-2-23 8704]
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-12-10 14776]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-6-30 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-9-1 337880]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2012-2-20 242240]
R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\iobit\advanced systemcare 5\ASCService.exe [2012-4-18 913752]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-9-1 20696]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-4-18 44768]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2012-4-19 21992]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [2012-4-18 100368]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-18 257224]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-24 113120]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 Freemake Improver;Freemake Improver;"c:\documents and settings\all users\application data\freemake\freemakeutilsservice\freemakeutilsservice.exe" --> c:\documents and settings\all users\application data\freemake\freemakeutilsservice\FreemakeUtilsService.exe [?]
.
=============== Created Last 30 ================
.
2012-06-17 22:21:01 388096 ----a-r- c:\documents and settings\roman2.richard\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-06-17 22:21:00 -------- d-----w- c:\program files\Trend Micro
2012-06-16 03:54:42 -------- d-----w- c:\program files\OApps
2012-06-16 03:54:37 -------- d-----w- c:\program files\TorrentSearch
2012-06-16 03:54:23 -------- d-----w- c:\program files\intellidownload
2012-06-16 00:09:33 -------- d-----w- c:\documents and settings\all users\application data\GoldWave
2012-06-15 23:54:12 348160 ----a-w- c:\windows\system32\MEnc.ocx
2012-06-15 23:54:12 348160 ----a-w- c:\windows\system32\FlatBtn6.ocx
2012-06-15 23:54:12 -------- d-----w- c:\program files\WAV to MP3 Encoder
2012-06-15 23:07:55 -------- d-----w- c:\program files\GoldWave
2012-06-15 05:16:37 -------- d-----w- c:\documents and settings\roman2.richard\application data\MinerWars
2012-06-15 04:57:25 -------- d-----w- c:\program files\Keen Software House
2012-06-15 04:56:47 -------- d-----w- c:\program files\SlimDX SDK (September 2011)
2012-06-15 04:55:22 -------- d-----w- c:\program files\Microsoft XNA
2012-06-14 21:31:28 -------- d-----w- c:\documents and settings\roman2.richard\local settings\application data\ArmA 2 Free
2012-06-14 21:28:40 -------- d-----w- c:\program files\Bohemia Interactive
2012-06-13 11:55:03 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-06-08 04:58:01 -------- d-----w- c:\program files\Hero Editor
2012-06-08 04:57:54 249856 ------w- c:\windows\Setup1.exe
2012-06-08 04:57:53 73216 ----a-w- c:\windows\ST6UNST.EXE
2012-06-07 03:57:11 770384 ----a-w- c:\program files\mozilla firefox\msvcr100.dll
2012-06-07 03:57:11 421200 ----a-w- c:\program files\mozilla firefox\msvcp100.dll
2012-06-04 21:13:00 -------- d-----w- c:\windows\Diablo II
2012-06-04 21:12:57 -------- d-----w- C:\Diablo II
2012-06-04 00:57:16 21840 ----atw- c:\windows\system32\SIntfNT.dll
2012-06-04 00:57:16 17212 ----atw- c:\windows\system32\SIntf32.dll
2012-06-04 00:57:16 12067 ----atw- c:\windows\system32\SIntf16.dll
2012-06-01 07:34:02 -------- d-----w- c:\documents and settings\roman2.richard\local settings\application data\Unity
2012-05-22 18:57:00 -------- d-----w- c:\documents and settings\roman2.richard\local settings\application data\Skyrim
2012-05-22 18:55:26 -------- d-----w- C:\214eddf86e80e1587dc4
.
==================== Find3M ====================
.
2012-06-18 01:36:42 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-18 01:36:42 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-02 20:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 20:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 20:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 20:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 20:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 20:18:58 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 20:18:58 214256 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 20:18:58 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20:33 1863168 ------w- c:\windows\system32\win32k.sys
2012-05-11 14:42:33 43520 ------w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42:33 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38:02 385024 ------w- c:\windows\system32\html.iec
2012-05-04 13:16:13 2148352 ------w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32:19 2026496 ------w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46:36 139656 ------w- c:\windows\system32\drivers\rdpwd.sys
2012-04-29 22:28:04 335504 ----a-w- c:\windows\system32\drivers\TrufosAlt.sys
2012-04-19 23:39:01 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-19 23:39:00 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-19 03:30:00 242240 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-04-19 00:48:15 0 ----a-w- c:\windows\ativpsrm.bin
2012-04-05 03:11:24 293992 ----a-w- c:\windows\system32\nvdrsdb0.bin
2012-04-05 03:11:24 1 ----a-w- c:\windows\system32\nvdrssel.bin
2012-04-05 03:11:22 293992 ----a-w- c:\windows\system32\nvdrsdb1.bin
2012-04-04 20:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 18:08:45.89 ===============
-
I've attempted multiple times to join the public beta for Tribes: Ascend. It always freezes on the "Checking for Software Updates" stage. Upon running the included diagnostic program, I received the message: "The system is unable to connect to the update server https://patcher.hire...otingServer.rem due to a likely spyware/malware infection on port 5643
Google 'spyware port 5643' or '127.0.0.1:5643 malware' for more information"
Here's the DDS file:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Roman2 at 21:41:50 on 2012-06-17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1504 [GMT -5:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hi-Rez Studios\HiPatchService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Steam\steam.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\MagicTune Premium\GammaTray.exe
C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\IObit\Advanced SystemCare 5\DelayLoad.exe
C:\WINDOWS\system32\wscntfy.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: VideoFileDownload: {e78a5c92-6a2b-4369-ab14-0ed3b2b18584} - c:\program files\oapps\bho_project.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [steam] "c:\program files\steam\steam.exe" -silent
uRun: [bitTorrent] "c:\program files\bittorrent\BitTorrent.exe" /MINIMIZED
mRun: [schedulingAgent] mstinit.exe /firstlogon
mRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\isuspm.exe" -scheduler
mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [oxawluwe] c:\documents and settings\networkservice\local settings\application data\xirmigofw\fxiyjhttssd.exe
StartupFolder: c:\docume~1\roman2~1.ric\startm~1\programs\startup\gammat~1.lnk - c:\program files\magictune premium\GammaTray.exe
StartupFolder: c:\docume~1\roman2~1.ric\startm~1\programs\startup\ncprot~1.lnk - c:\program files\sec\natural color pro\NCProTray.exe
StartupFolder: c:\docume~1\roman2~1.ric\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\gammat~1.lnk - c:\program files\magictune premium\GammaTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ncprot~1.lnk - c:\program files\sec\natural color pro\NCProTray.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.11.1
TCP: Interfaces\{3D162B0D-0EB1-438B-845C-1E0A75072117} : DhcpNameServer = 192.168.11.1
Notify: AtiExtEvent - Ati2evxx.dll
.
============= SERVICES / DRIVERS ===============
.
P2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;c:\program files\hi-rez studios\HiPatchService.exe [2012-2-23 8704]
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-12-10 14776]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-6-30 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-9-1 337880]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2012-2-20 242240]
R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\iobit\advanced systemcare 5\ASCService.exe [2012-4-18 913752]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-9-1 20696]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-4-18 44768]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2012-4-19 21992]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [2012-4-18 100368]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-18 257224]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-24 113120]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 Freemake Improver;Freemake Improver;"c:\documents and settings\all users\application data\freemake\freemakeutilsservice\freemakeutilsservice.exe" --> c:\documents and settings\all users\application data\freemake\freemakeutilsservice\FreemakeUtilsService.exe [?]
.
=============== Created Last 30 ================
.
2012-06-17 22:21:01 388096 ----a-r- c:\documents and settings\roman2.richard\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-06-17 22:21:00 -------- d-----w- c:\program files\Trend Micro
2012-06-16 03:54:42 -------- d-----w- c:\program files\OApps
2012-06-16 03:54:37 -------- d-----w- c:\program files\TorrentSearch
2012-06-16 03:54:23 -------- d-----w- c:\program files\intellidownload
2012-06-16 00:09:33 -------- d-----w- c:\documents and settings\all users\application data\GoldWave
2012-06-15 23:54:12 348160 ----a-w- c:\windows\system32\MEnc.ocx
2012-06-15 23:54:12 348160 ----a-w- c:\windows\system32\FlatBtn6.ocx
2012-06-15 23:54:12 -------- d-----w- c:\program files\WAV to MP3 Encoder
2012-06-15 23:07:55 -------- d-----w- c:\program files\GoldWave
2012-06-15 05:16:37 -------- d-----w- c:\documents and settings\roman2.richard\application data\MinerWars
2012-06-15 04:57:25 -------- d-----w- c:\program files\Keen Software House
2012-06-15 04:56:47 -------- d-----w- c:\program files\SlimDX SDK (September 2011)
2012-06-15 04:55:22 -------- d-----w- c:\program files\Microsoft XNA
2012-06-14 21:31:28 -------- d-----w- c:\documents and settings\roman2.richard\local settings\application data\ArmA 2 Free
2012-06-14 21:28:40 -------- d-----w- c:\program files\Bohemia Interactive
2012-06-13 11:55:03 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-06-08 04:58:01 -------- d-----w- c:\program files\Hero Editor
2012-06-08 04:57:54 249856 ------w- c:\windows\Setup1.exe
2012-06-08 04:57:53 73216 ----a-w- c:\windows\ST6UNST.EXE
2012-06-07 03:57:11 770384 ----a-w- c:\program files\mozilla firefox\msvcr100.dll
2012-06-07 03:57:11 421200 ----a-w- c:\program files\mozilla firefox\msvcp100.dll
2012-06-04 21:13:00 -------- d-----w- c:\windows\Diablo II
2012-06-04 21:12:57 -------- d-----w- C:\Diablo II
2012-06-04 00:57:16 21840 ----atw- c:\windows\system32\SIntfNT.dll
2012-06-04 00:57:16 17212 ----atw- c:\windows\system32\SIntf32.dll
2012-06-04 00:57:16 12067 ----atw- c:\windows\system32\SIntf16.dll
2012-06-01 07:34:02 -------- d-----w- c:\documents and settings\roman2.richard\local settings\application data\Unity
2012-05-22 18:57:00 -------- d-----w- c:\documents and settings\roman2.richard\local settings\application data\Skyrim
2012-05-22 18:55:26 -------- d-----w- C:\214eddf86e80e1587dc4
.
==================== Find3M ====================
.
2012-06-18 01:36:42 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-18 01:36:42 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-02 20:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 20:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 20:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 20:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 20:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 20:18:58 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 20:18:58 214256 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 20:18:58 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20:33 1863168 ------w- c:\windows\system32\win32k.sys
2012-05-11 14:42:33 43520 ------w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42:33 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38:02 385024 ------w- c:\windows\system32\html.iec
2012-05-04 13:16:13 2148352 ------w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32:19 2026496 ------w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46:36 139656 ------w- c:\windows\system32\drivers\rdpwd.sys
2012-04-29 22:28:04 335504 ----a-w- c:\windows\system32\drivers\TrufosAlt.sys
2012-04-19 23:39:01 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-19 23:39:00 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-19 03:30:00 242240 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-04-19 00:48:15 0 ----a-w- c:\windows\ativpsrm.bin
2012-04-05 03:11:24 293992 ----a-w- c:\windows\system32\nvdrsdb0.bin
2012-04-05 03:11:24 1 ----a-w- c:\windows\system32\nvdrssel.bin
2012-04-05 03:11:22 293992 ----a-w- c:\windows\system32\nvdrsdb1.bin
2012-04-04 20:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 21:42:45.81 ===============
Possible Port 5643 Infection?
in Resolved Malware Removal Logs
Posted
I don't know if this affects whatever process you'll suggest--I highly doubt it removed the virus, itself--but, as per the instructions of HiRez Studios' tech support for the problem that originally brought me here, I copied the files from [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections] DefaultConnectionSettings and pasted them in [HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections] DefaultConnectionSettings. For the moment, the patcher is working perfectly, and I'm having no more trouble with search result redirection.