
Possible Port 5643 Infection?



I've attempted multiple times to join the public beta for Tribes: Ascend. It always freezes on the "Checking for Software Updates" stage. Upon running the included diagnostic program, I received the message: "The system is unable to connect to the update server https://patcher.hire...otingServer.rem due to a likely spyware/malware infection on port 5643

Google 'spyware port 5643' or '127.0.0.1:5643 malware' for more information"

Here's the DDS file:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Roman2 at 21:41:50 on 2012-06-17

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1504 [GMT -5:00]

.

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

============== Running Processes ===============

.

C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\AVAST Software\Avast\AvastSvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Hi-Rez Studios\HiPatchService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

C:\Program Files\AVAST Software\Avast\avastUI.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Steam\steam.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\MagicTune Premium\GammaTray.exe

C:\Program Files\SEC\Natural Color Pro\NCProTray.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\IObit\Advanced SystemCare 5\DelayLoad.exe

C:\WINDOWS\system32\wscntfy.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: VideoFileDownload: {e78a5c92-6a2b-4369-ab14-0ed3b2b18584} - c:\program files\oapps\bho_project.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [steam] "c:\program files\steam\steam.exe" -silent

uRun: [bitTorrent] "c:\program files\bittorrent\BitTorrent.exe" /MINIMIZED

mRun: [schedulingAgent] mstinit.exe /firstlogon

mRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\isuspm.exe" -scheduler

mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"

mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

dRun: [oxawluwe] c:\documents and settings\networkservice\local settings\application data\xirmigofw\fxiyjhttssd.exe

StartupFolder: c:\docume~1\roman2~1.ric\startm~1\programs\startup\gammat~1.lnk - c:\program files\magictune premium\GammaTray.exe

StartupFolder: c:\docume~1\roman2~1.ric\startm~1\programs\startup\ncprot~1.lnk - c:\program files\sec\natural color pro\NCProTray.exe

StartupFolder: c:\docume~1\roman2~1.ric\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\gammat~1.lnk - c:\program files\magictune premium\GammaTray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ncprot~1.lnk - c:\program files\sec\natural color pro\NCProTray.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

TCP: DhcpNameServer = 192.168.11.1

TCP: Interfaces\{3D162B0D-0EB1-438B-845C-1E0A75072117} : DhcpNameServer = 192.168.11.1

Notify: AtiExtEvent - Ati2evxx.dll

.

============= SERVICES / DRIVERS ===============

.

P2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;c:\program files\hi-rez studios\HiPatchService.exe [2012-2-23 8704]

R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-12-10 14776]

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-6-30 612184]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-9-1 337880]

R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2012-2-20 242240]

R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\iobit\advanced systemcare 5\ASCService.exe [2012-4-18 913752]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-9-1 20696]

R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-4-18 44768]

R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2012-4-19 21992]

R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [2012-4-18 100368]

R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-18 257224]

S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-24 113120]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S4 Freemake Improver;Freemake Improver;"c:\documents and settings\all users\application data\freemake\freemakeutilsservice\freemakeutilsservice.exe" --> c:\documents and settings\all users\application data\freemake\freemakeutilsservice\FreemakeUtilsService.exe [?]

.

=============== Created Last 30 ================

.

2012-06-17 22:21:01 388096 ----a-r- c:\documents and settings\roman2.richard\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2012-06-17 22:21:00 -------- d-----w- c:\program files\Trend Micro

2012-06-16 03:54:42 -------- d-----w- c:\program files\OApps

2012-06-16 03:54:37 -------- d-----w- c:\program files\TorrentSearch

2012-06-16 03:54:23 -------- d-----w- c:\program files\intellidownload

2012-06-16 00:09:33 -------- d-----w- c:\documents and settings\all users\application data\GoldWave

2012-06-15 23:54:12 348160 ----a-w- c:\windows\system32\MEnc.ocx

2012-06-15 23:54:12 348160 ----a-w- c:\windows\system32\FlatBtn6.ocx

2012-06-15 23:54:12 -------- d-----w- c:\program files\WAV to MP3 Encoder

2012-06-15 23:07:55 -------- d-----w- c:\program files\GoldWave

2012-06-15 05:16:37 -------- d-----w- c:\documents and settings\roman2.richard\application data\MinerWars

2012-06-15 04:57:25 -------- d-----w- c:\program files\Keen Software House

2012-06-15 04:56:47 -------- d-----w- c:\program files\SlimDX SDK (September 2011)

2012-06-15 04:55:22 -------- d-----w- c:\program files\Microsoft XNA

2012-06-14 21:31:28 -------- d-----w- c:\documents and settings\roman2.richard\local settings\application data\ArmA 2 Free

2012-06-14 21:28:40 -------- d-----w- c:\program files\Bohemia Interactive

2012-06-13 11:55:03 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll

2012-06-08 04:58:01 -------- d-----w- c:\program files\Hero Editor

2012-06-08 04:57:54 249856 ------w- c:\windows\Setup1.exe

2012-06-08 04:57:53 73216 ----a-w- c:\windows\ST6UNST.EXE

2012-06-07 03:57:11 770384 ----a-w- c:\program files\mozilla firefox\msvcr100.dll

2012-06-07 03:57:11 421200 ----a-w- c:\program files\mozilla firefox\msvcp100.dll

2012-06-04 21:13:00 -------- d-----w- c:\windows\Diablo II

2012-06-04 21:12:57 -------- d-----w- C:\Diablo II

2012-06-04 00:57:16 21840 ----atw- c:\windows\system32\SIntfNT.dll

2012-06-04 00:57:16 17212 ----atw- c:\windows\system32\SIntf32.dll

2012-06-04 00:57:16 12067 ----atw- c:\windows\system32\SIntf16.dll

2012-06-01 07:34:02 -------- d-----w- c:\documents and settings\roman2.richard\local settings\application data\Unity

2012-05-22 18:57:00 -------- d-----w- c:\documents and settings\roman2.richard\local settings\application data\Skyrim

2012-05-22 18:55:26 -------- d-----w- C:\214eddf86e80e1587dc4

.

==================== Find3M ====================

.

2012-06-18 01:36:42 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-06-18 01:36:42 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-06-02 20:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui

2012-06-02 20:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl

2012-06-02 20:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui

2012-06-02 20:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui

2012-06-02 20:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui

2012-06-02 20:18:58 275696 ----a-w- c:\windows\system32\mucltui.dll

2012-06-02 20:18:58 214256 ----a-w- c:\windows\system32\muweb.dll

2012-06-02 20:18:58 17136 ----a-w- c:\windows\system32\mucltui.dll.mui

2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll

2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll

2012-05-15 13:20:33 1863168 ------w- c:\windows\system32\win32k.sys

2012-05-11 14:42:33 43520 ------w- c:\windows\system32\licmgr10.dll

2012-05-11 14:42:33 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-05-11 11:38:02 385024 ------w- c:\windows\system32\html.iec

2012-05-04 13:16:13 2148352 ------w- c:\windows\system32\ntoskrnl.exe

2012-05-04 12:32:19 2026496 ------w- c:\windows\system32\ntkrnlpa.exe

2012-05-02 13:46:36 139656 ------w- c:\windows\system32\drivers\rdpwd.sys

2012-04-29 22:28:04 335504 ----a-w- c:\windows\system32\drivers\TrufosAlt.sys

2012-04-19 23:39:01 73728 ----a-w- c:\windows\system32\javacpl.cpl

2012-04-19 23:39:00 472808 ----a-w- c:\windows\system32\deployJava1.dll

2012-04-19 03:30:00 242240 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys

2012-04-19 00:48:15 0 ----a-w- c:\windows\ativpsrm.bin

2012-04-05 03:11:24 293992 ----a-w- c:\windows\system32\nvdrsdb0.bin

2012-04-05 03:11:24 1 ----a-w- c:\windows\system32\nvdrssel.bin

2012-04-05 03:11:22 293992 ----a-w- c:\windows\system32\nvdrsdb1.bin

2012-04-04 20:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

.

============= FINISH: 21:42:45.81 ===============



Hello RomanArmstrong, and welcome! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at support@malwarebytes.org or here (http://helpdesk.malwarebytes.org/home). If you choose this option to get help, please let me know.
  • I recommend that you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

That is correct, your system is infected.

Step 1

Please uninstall BitTorrent, because of our rules:

http://forums.malwarebytes.org/index.php?showtopic=97700

Step 2

  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

In your next reply, post the following log files:

  • Malwarebytes' Anti-Malware log
  • a fresh DDS log file


I uninstalled Bittorrent (which, maybe to be a little facetious, I'll say isn't technically illegal), but I did have to manually remove some files before it stopped showing up in the DDS log. Anyway, the MBAM log follows:

Malwarebytes Anti-Malware 1.61.0.1400

www.malwarebytes.org

Database version: v2012.06.18.09

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Roman2 :: RICHARD [administrator]

6/18/2012 5:42:39 PM

mbam-log-2012-06-18 (17-42-39).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 407047

Time elapsed: 13 minute(s), 19 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

And the DDS log:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Roman2 at 18:07:18 on 2012-06-18

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1377 [GMT -5:00]

.

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

============== Running Processes ===============

.

C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\AVAST Software\Avast\AvastSvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Hi-Rez Studios\HiPatchService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

C:\Program Files\AVAST Software\Avast\avastUI.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Steam\steam.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\MagicTune Premium\GammaTray.exe

C:\Program Files\SEC\Natural Color Pro\NCProTray.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\WINDOWS\system32\wscntfy.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: VideoFileDownload: {e78a5c92-6a2b-4369-ab14-0ed3b2b18584} - c:\program files\oapps\bho_project.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [steam] "c:\program files\steam\steam.exe" -silent

uRun: [bitTorrent] "c:\program files\bittorrent\BitTorrent.exe" /MINIMIZED

mRun: [schedulingAgent] mstinit.exe /firstlogon

mRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\isuspm.exe" -scheduler

mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"

mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

dRun: [oxawluwe] c:\documents and settings\networkservice\local settings\application data\xirmigofw\fxiyjhttssd.exe

StartupFolder: c:\docume~1\roman2~1.ric\startm~1\programs\startup\gammat~1.lnk - c:\program files\magictune premium\GammaTray.exe

StartupFolder: c:\docume~1\roman2~1.ric\startm~1\programs\startup\ncprot~1.lnk - c:\program files\sec\natural color pro\NCProTray.exe

StartupFolder: c:\docume~1\roman2~1.ric\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\gammat~1.lnk - c:\program files\magictune premium\GammaTray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ncprot~1.lnk - c:\program files\sec\natural color pro\NCProTray.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

TCP: DhcpNameServer = 192.168.11.1

TCP: Interfaces\{3D162B0D-0EB1-438B-845C-1E0A75072117} : DhcpNameServer = 192.168.11.1

Notify: AtiExtEvent - Ati2evxx.dll

.

============= SERVICES / DRIVERS ===============

.

P2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;c:\program files\hi-rez studios\HiPatchService.exe [2012-2-23 8704]

R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-12-10 14776]

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-6-30 612184]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-9-1 337880]

R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2012-2-20 242240]

R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\iobit\advanced systemcare 5\ASCService.exe [2012-4-18 913752]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-9-1 20696]

R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-4-18 44768]

R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2012-4-19 21992]

R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [2012-4-18 100368]

R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-18 257224]

S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-24 113120]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S4 Freemake Improver;Freemake Improver;"c:\documents and settings\all users\application data\freemake\freemakeutilsservice\freemakeutilsservice.exe" --> c:\documents and settings\all users\application data\freemake\freemakeutilsservice\FreemakeUtilsService.exe [?]

.

=============== Created Last 30 ================

.

2012-06-17 22:21:01 388096 ----a-r- c:\documents and settings\roman2.richard\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2012-06-17 22:21:00 -------- d-----w- c:\program files\Trend Micro

2012-06-16 03:54:42 -------- d-----w- c:\program files\OApps

2012-06-16 03:54:37 -------- d-----w- c:\program files\TorrentSearch

2012-06-16 03:54:23 -------- d-----w- c:\program files\intellidownload

2012-06-16 00:09:33 -------- d-----w- c:\documents and settings\all users\application data\GoldWave

2012-06-15 23:54:12 348160 ----a-w- c:\windows\system32\MEnc.ocx

2012-06-15 23:54:12 348160 ----a-w- c:\windows\system32\FlatBtn6.ocx

2012-06-15 23:54:12 -------- d-----w- c:\program files\WAV to MP3 Encoder

2012-06-15 23:07:55 -------- d-----w- c:\program files\GoldWave

2012-06-15 05:16:37 -------- d-----w- c:\documents and settings\roman2.richard\application data\MinerWars

2012-06-15 04:57:25 -------- d-----w- c:\program files\Keen Software House

2012-06-15 04:56:47 -------- d-----w- c:\program files\SlimDX SDK (September 2011)

2012-06-15 04:55:22 -------- d-----w- c:\program files\Microsoft XNA

2012-06-14 21:31:28 -------- d-----w- c:\documents and settings\roman2.richard\local settings\application data\ArmA 2 Free

2012-06-14 21:28:40 -------- d-----w- c:\program files\Bohemia Interactive

2012-06-13 11:55:03 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll

2012-06-08 04:58:01 -------- d-----w- c:\program files\Hero Editor

2012-06-08 04:57:54 249856 ------w- c:\windows\Setup1.exe

2012-06-08 04:57:53 73216 ----a-w- c:\windows\ST6UNST.EXE

2012-06-07 03:57:11 770384 ----a-w- c:\program files\mozilla firefox\msvcr100.dll

2012-06-07 03:57:11 421200 ----a-w- c:\program files\mozilla firefox\msvcp100.dll

2012-06-04 21:13:00 -------- d-----w- c:\windows\Diablo II

2012-06-04 21:12:57 -------- d-----w- C:\Diablo II

2012-06-04 00:57:16 21840 ----atw- c:\windows\system32\SIntfNT.dll

2012-06-04 00:57:16 17212 ----atw- c:\windows\system32\SIntf32.dll

2012-06-04 00:57:16 12067 ----atw- c:\windows\system32\SIntf16.dll

2012-06-01 07:34:02 -------- d-----w- c:\documents and settings\roman2.richard\local settings\application data\Unity

2012-05-22 18:57:00 -------- d-----w- c:\documents and settings\roman2.richard\local settings\application data\Skyrim

2012-05-22 18:55:26 -------- d-----w- C:\214eddf86e80e1587dc4

.

==================== Find3M ====================

.

2012-06-18 01:36:42 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-06-18 01:36:42 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-06-02 20:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui

2012-06-02 20:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl

2012-06-02 20:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui

2012-06-02 20:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui

2012-06-02 20:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui

2012-06-02 20:18:58 275696 ----a-w- c:\windows\system32\mucltui.dll

2012-06-02 20:18:58 214256 ----a-w- c:\windows\system32\muweb.dll

2012-06-02 20:18:58 17136 ----a-w- c:\windows\system32\mucltui.dll.mui

2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll

2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll

2012-05-15 13:20:33 1863168 ------w- c:\windows\system32\win32k.sys

2012-05-11 14:42:33 43520 ------w- c:\windows\system32\licmgr10.dll

2012-05-11 14:42:33 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-05-11 11:38:02 385024 ------w- c:\windows\system32\html.iec

2012-05-04 13:16:13 2148352 ------w- c:\windows\system32\ntoskrnl.exe

2012-05-04 12:32:19 2026496 ------w- c:\windows\system32\ntkrnlpa.exe

2012-05-02 13:46:36 139656 ------w- c:\windows\system32\drivers\rdpwd.sys

2012-04-29 22:28:04 335504 ----a-w- c:\windows\system32\drivers\TrufosAlt.sys

2012-04-19 23:39:01 73728 ----a-w- c:\windows\system32\javacpl.cpl

2012-04-19 23:39:00 472808 ----a-w- c:\windows\system32\deployJava1.dll

2012-04-19 03:30:00 242240 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys

2012-04-19 00:48:15 0 ----a-w- c:\windows\ativpsrm.bin

2012-04-05 03:11:24 293992 ----a-w- c:\windows\system32\nvdrsdb0.bin

2012-04-05 03:11:24 1 ----a-w- c:\windows\system32\nvdrssel.bin

2012-04-05 03:11:22 293992 ----a-w- c:\windows\system32\nvdrsdb1.bin

2012-04-04 20:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

.

============= FINISH: 18:08:45.89 ===============


Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.


ComboFix 12-06-16.02 - Roman2 06/18/2012 20:20:39.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1283 [GMT -5:00]

Running from: c:\documents and settings\Roman2.RICHARD\My Documents\Downloads\ComboFix.exe

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\TEMP

c:\documents and settings\Elizabeth\Application Data\Dealio

c:\documents and settings\Elizabeth\Application Data\Dealio\res\widgets.xml

c:\documents and settings\Elizabeth\Application Data\Dealio\temp\http___www_dealio_com_rss_coupons-deals_dotd_.xml

c:\documents and settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\5vgaz1qy.default\extensions\{a759f96e-0c16-4e31-80a4-5e2c26e77bd0}

c:\documents and settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\5vgaz1qy.default\extensions\{a759f96e-0c16-4e31-80a4-5e2c26e77bd0}\chrome.manifest

c:\documents and settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\5vgaz1qy.default\extensions\{a759f96e-0c16-4e31-80a4-5e2c26e77bd0}\chrome\xulcache.jar

c:\documents and settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\5vgaz1qy.default\extensions\{a759f96e-0c16-4e31-80a4-5e2c26e77bd0}\defaults\preferences\xulcache.js

c:\documents and settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\5vgaz1qy.default\extensions\{a759f96e-0c16-4e31-80a4-5e2c26e77bd0}\install.rdf

c:\documents and settings\Roman2.RICHARD\Application Data\Mozilla\Firefox\Profiles\190cxai2.default\extensions\{a759f96e-0c16-4e31-80a4-5e2c26e77bd0}

c:\documents and settings\Roman2.RICHARD\Application Data\Mozilla\Firefox\Profiles\190cxai2.default\extensions\{a759f96e-0c16-4e31-80a4-5e2c26e77bd0}\chrome.manifest

c:\documents and settings\Roman2.RICHARD\Application Data\Mozilla\Firefox\Profiles\190cxai2.default\extensions\{a759f96e-0c16-4e31-80a4-5e2c26e77bd0}\chrome\xulcache.jar

c:\documents and settings\Roman2.RICHARD\Application Data\Mozilla\Firefox\Profiles\190cxai2.default\extensions\{a759f96e-0c16-4e31-80a4-5e2c26e77bd0}\defaults\preferences\xulcache.js

c:\documents and settings\Roman2.RICHARD\Application Data\Mozilla\Firefox\Profiles\190cxai2.default\extensions\{a759f96e-0c16-4e31-80a4-5e2c26e77bd0}\install.rdf

c:\documents and settings\Roman2\Application Data\Mozilla\Firefox\Profiles\190cxai2.default\extensions\{a759f96e-0c16-4e31-80a4-5e2c26e77bd0}

c:\documents and settings\Roman2\Application Data\Mozilla\Firefox\Profiles\190cxai2.default\extensions\{a759f96e-0c16-4e31-80a4-5e2c26e77bd0}\chrome.manifest

c:\documents and settings\Roman2\Application Data\Mozilla\Firefox\Profiles\190cxai2.default\extensions\{a759f96e-0c16-4e31-80a4-5e2c26e77bd0}\chrome\xulcache.jar

c:\documents and settings\Roman2\Application Data\Mozilla\Firefox\Profiles\190cxai2.default\extensions\{a759f96e-0c16-4e31-80a4-5e2c26e77bd0}\defaults\preferences\xulcache.js

c:\documents and settings\Roman2\Application Data\Mozilla\Firefox\Profiles\190cxai2.default\extensions\{a759f96e-0c16-4e31-80a4-5e2c26e77bd0}\install.rdf

c:\documents and settings\Roman2\llmbjmvywn.tmp

c:\documents and settings\Susan.RICHARD\WINDOWS

c:\documents and settings\Susan\Application Data\Dealio

c:\documents and settings\Susan\Application Data\Dealio\res\widgets.xml

c:\documents and settings\Susan\Application Data\Dealio\temp\http___www_dealio_com_rss_coupons-deals_dotd_.xml

c:\documents and settings\Susan\Application Data\Mozilla\Firefox\Profiles\ugmvoz4s.default\extensions\{a759f96e-0c16-4e31-80a4-5e2c26e77bd0}

c:\documents and settings\Susan\Application Data\Mozilla\Firefox\Profiles\ugmvoz4s.default\extensions\{a759f96e-0c16-4e31-80a4-5e2c26e77bd0}\chrome.manifest

c:\documents and settings\Susan\Application Data\Mozilla\Firefox\Profiles\ugmvoz4s.default\extensions\{a759f96e-0c16-4e31-80a4-5e2c26e77bd0}\chrome\xulcache.jar

c:\documents and settings\Susan\Application Data\Mozilla\Firefox\Profiles\ugmvoz4s.default\extensions\{a759f96e-0c16-4e31-80a4-5e2c26e77bd0}\defaults\preferences\xulcache.js

c:\documents and settings\Susan\Application Data\Mozilla\Firefox\Profiles\ugmvoz4s.default\extensions\{a759f96e-0c16-4e31-80a4-5e2c26e77bd0}\install.rdf

C:\install.exe

c:\program files\filesubmit

c:\program files\filesubmit\wfs\wfs.zip

c:\program files\OApps\bhO_project.dll

c:\windows\system32\_000005_.tmp.dll

c:\windows\system32\SET37C.tmp

c:\windows\system32\SET37D.tmp

c:\windows\system32\SET37E.tmp

c:\windows\system32\SET382.tmp

c:\windows\system32\SET383.tmp

c:\windows\system32\SET384.tmp

c:\windows\system32\SET388.tmp

c:\windows\system32\SET38A.tmp

.

.

((((((((((((((((((((((((( Files Created from 2012-05-19 to 2012-06-19 )))))))))))))))))))))))))))))))

.

.

2012-06-17 22:21 . 2012-06-17 22:21 388096 ----a-r- c:\documents and settings\Roman2.RICHARD\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2012-06-17 22:21 . 2012-06-17 22:21 -------- d-----w- c:\program files\Trend Micro

2012-06-16 03:54 . 2012-06-19 01:25 -------- d-----w- c:\program files\OApps

2012-06-16 03:54 . 2012-06-16 03:57 -------- d-----w- c:\program files\TorrentSearch

2012-06-16 03:54 . 2012-06-16 03:56 -------- d-----w- c:\program files\intellidownload

2012-06-16 00:09 . 2012-06-16 00:09 -------- d-----w- c:\documents and settings\All Users\Application Data\GoldWave

2012-06-15 23:54 . 2012-06-17 22:25 -------- d-----w- c:\program files\WAV to MP3 Encoder

2012-06-15 23:54 . 2002-08-23 04:27 348160 ----a-w- c:\windows\system32\FlatBtn6.ocx

2012-06-15 23:54 . 2001-12-12 16:35 348160 ----a-w- c:\windows\system32\MEnc.ocx

2012-06-15 23:07 . 2012-06-15 23:07 -------- d-----w- c:\program files\GoldWave

2012-06-15 05:16 . 2012-06-15 05:20 -------- d-----w- c:\documents and settings\Roman2.RICHARD\Application Data\MinerWars

2012-06-15 04:57 . 2012-06-15 04:57 -------- d-----w- c:\program files\Keen Software House

2012-06-15 04:56 . 2012-06-15 04:56 -------- d-----w- c:\program files\SlimDX SDK (September 2011)

2012-06-15 04:55 . 2012-06-15 04:55 -------- d-----w- c:\program files\Microsoft XNA

2012-06-14 21:31 . 2012-06-14 21:31 -------- d-----w- c:\documents and settings\Roman2.RICHARD\Local Settings\Application Data\ArmA 2 Free

2012-06-14 21:28 . 2012-06-14 21:28 -------- d-----w- c:\program files\Bohemia Interactive

2012-06-13 11:55 . 2012-05-11 14:42 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll

2012-06-08 04:58 . 2012-06-14 20:34 -------- d-----w- c:\program files\Hero Editor

2012-06-08 04:57 . 2012-06-08 04:57 249856 ------w- c:\windows\Setup1.exe

2012-06-08 04:57 . 2012-06-08 04:57 73216 ----a-w- c:\windows\ST6UNST.EXE

2012-06-07 03:57 . 2012-06-07 03:57 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll

2012-06-07 03:57 . 2012-06-07 03:57 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll

2012-06-04 21:13 . 2012-06-04 21:13 -------- d-----w- c:\windows\Diablo II

2012-06-04 21:12 . 2012-06-14 20:33 -------- d-----w- C:\Diablo II

2012-06-04 00:57 . 2012-06-04 00:58 21840 ----atw- c:\windows\system32\SIntfNT.dll

2012-06-04 00:57 . 2012-06-04 00:58 17212 ----atw- c:\windows\system32\SIntf32.dll

2012-06-04 00:57 . 2012-06-04 00:58 12067 ----atw- c:\windows\system32\SIntf16.dll

2012-06-01 07:34 . 2012-06-01 07:34 -------- d-----w- c:\documents and settings\Roman2.RICHARD\Local Settings\Application Data\Unity

2012-05-22 23:12 . 2012-05-22 23:13 -------- d-----w- c:\documents and settings\Elizabeth.RICHARD\Local Settings\Application Data\Skyrim

2012-05-22 18:57 . 2012-05-22 19:01 -------- d-----w- c:\documents and settings\Roman2.RICHARD\Local Settings\Application Data\Skyrim

2012-05-22 18:55 . 2012-05-22 18:55 -------- d-----w- C:\214eddf86e80e1587dc4

2012-05-22 15:18 . 2012-05-22 15:18 -------- d-----w- c:\documents and settings\Rick.RICHARD\Local Settings\Application Data\Temp

2012-05-22 15:18 . 2012-05-22 15:18 -------- d-----w- c:\documents and settings\Rick.RICHARD\Local Settings\Application Data\Adobe

2012-05-22 15:05 . 2012-05-22 15:05 -------- d-----w- c:\documents and settings\Rick.RICHARD\Application Data\vlc

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-06-18 01:36 . 2012-04-19 03:25 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-06-18 01:36 . 2011-05-15 20:23 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-06-02 20:19 . 2008-10-16 19:09 22040 ----a-w- c:\windows\system32\wucltui.dll.mui

2012-06-02 20:19 . 2009-08-25 17:52 329240 ----a-w- c:\windows\system32\wucltui.dll

2012-06-02 20:19 . 2009-08-25 17:52 219160 ----a-w- c:\windows\system32\wuaucpl.cpl

2012-06-02 20:19 . 2009-08-25 17:52 210968 ----a-w- c:\windows\system32\wuweb.dll

2012-06-02 20:19 . 2008-10-16 19:07 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui

2012-06-02 20:19 . 2009-08-25 17:52 35864 ----a-w- c:\windows\system32\wups.dll

2012-06-02 20:19 . 2009-08-25 17:40 53784 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-02 20:19 . 2008-10-16 19:09 45080 ----a-w- c:\windows\system32\wups2.dll

2012-06-02 20:19 . 2008-10-16 19:07 15384 ----a-w- c:\windows\system32\wuapi.dll.mui

2012-06-02 20:19 . 2001-08-23 12:00 97304 ----a-w- c:\windows\system32\cdm.dll

2012-06-02 20:19 . 2008-10-16 19:07 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui

2012-06-02 20:19 . 2009-08-25 17:52 577048 ----a-w- c:\windows\system32\wuapi.dll

2012-06-02 20:19 . 2009-08-25 17:40 1933848 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-02 20:18 . 2010-06-18 14:19 275696 ----a-w- c:\windows\system32\mucltui.dll

2012-06-02 20:18 . 2010-06-18 14:19 214256 ----a-w- c:\windows\system32\muweb.dll

2012-06-02 20:18 . 2010-06-18 14:19 17136 ----a-w- c:\windows\system32\mucltui.dll.mui

2012-05-31 13:22 . 2001-08-23 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll

2012-05-16 15:08 . 2001-08-23 12:00 916992 ----a-w- c:\windows\system32\wininet.dll

2012-05-15 13:20 . 2001-08-23 12:00 1863168 ------w- c:\windows\system32\win32k.sys

2012-05-11 14:42 . 2001-08-23 12:00 43520 ------w- c:\windows\system32\licmgr10.dll

2012-05-11 14:42 . 2001-08-23 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-05-11 11:38 . 2009-08-25 17:52 385024 ------w- c:\windows\system32\html.iec

2012-05-04 13:16 . 2001-08-23 12:00 2148352 ------w- c:\windows\system32\ntoskrnl.exe

2012-05-04 12:32 . 2001-08-17 13:48 2026496 ------w- c:\windows\system32\ntkrnlpa.exe

2012-05-02 13:46 . 2009-08-25 17:40 139656 ------w- c:\windows\system32\drivers\rdpwd.sys

2012-04-29 22:28 . 2012-04-29 22:28 335504 ----a-w- c:\windows\system32\drivers\TrufosAlt.sys

2012-04-19 23:39 . 2012-04-02 22:08 73728 ----a-w- c:\windows\system32\javacpl.cpl

2012-04-19 23:39 . 2010-09-02 16:25 472808 ----a-w- c:\windows\system32\deployJava1.dll

2012-04-19 03:30 . 2012-02-20 18:52 242240 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys

2012-04-04 20:56 . 2010-05-27 14:34 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-16 21:34 . 2011-09-28 01:32 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2012-03-06 23:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Steam"="c:\program files\Steam\steam.exe" [2012-01-12 1242448]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SchedulingAgent"="mstinit.exe" [2008-04-14 12288]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-05-16 213936]

"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-04 311296]

"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-03-09 98304]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]

.

c:\documents and settings\Roman2\Start Menu\Programs\Startup\

GammaTray.lnk - c:\program files\MagicTune Premium\GammaTray.exe [2009-9-2 36864]

NCProTray.lnk - c:\program files\SEC\Natural Color Pro\NCProTray.exe [2009-9-2 49220]

.

c:\documents and settings\Susan\Start Menu\Programs\Startup\

OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

.

c:\documents and settings\Elizabeth\Start Menu\Programs\Startup\

OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

.

c:\documents and settings\Elizabeth.RICHARD\Start Menu\Programs\Startup\

OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

.

c:\documents and settings\Roman2.RICHARD\Start Menu\Programs\Startup\

GammaTray.lnk - c:\program files\MagicTune Premium\GammaTray.exe [2009-9-2 36864]

NCProTray.lnk - c:\program files\SEC\Natural Color Pro\NCProTray.exe [2009-9-2 49220]

OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

GammaTray.lnk - c:\program files\MagicTune Premium\GammaTray.exe [2009-9-2 36864]

NCProTray.lnk - c:\program files\SEC\Natural Color Pro\NCProTray.exe [2009-9-2 49220]

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\ComicRack\\ComicRack.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Program Files\\Steam\\SteamApps\\nitroximos\\team fortress 2\\hl2.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Steam\\SteamApps\\common\\skyrim\\SkyrimLauncher.exe"=

"c:\\Program Files\\TorrentSearch\\easydownload.exe"=

.

P2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;c:\program files\Hi-Rez Studios\HiPatchService.exe [2/23/2012 5:55 PM 8704]

R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [12/10/2011 4:12 PM 14776]

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [6/30/2011 10:35 PM 612184]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9/1/2010 5:48 PM 337880]

R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2/20/2012 1:52 PM 242240]

R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\IObit\Advanced SystemCare 5\ASCService.exe [4/18/2012 11:02 PM 913752]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/1/2010 5:48 PM 20696]

R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [4/19/2012 1:38 PM 21992]

R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [4/18/2012 7:09 PM 100368]

R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/18/2012 10:25 PM 257224]

S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [4/24/2012 6:10 PM 113120]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

S4 Freemake Improver;Freemake Improver;"c:\documents and settings\All Users\Application Data\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe" --> c:\documents and settings\All Users\Application Data\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe [?]

.

Contents of the 'Scheduled Tasks' folder

.

2012-06-19 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-19 01:36]

.

2012-06-12 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57]

.

2012-06-18 c:\windows\Tasks\Game_Booster_Startup.job

- c:\program files\IObit\Game Booster\gbtray.exe [2011-03-29 19:51]

.

2012-06-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-1715567821-839522115-1003Core.job

- c:\documents and settings\Rick.RICHARD\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-18 23:47]

.

2012-06-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-1715567821-839522115-1003UA.job

- c:\documents and settings\Rick.RICHARD\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-18 23:47]

.

2012-06-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-1715567821-839522115-1005Core.job

- c:\documents and settings\Susan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-01 18:42]

.

2012-06-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-1715567821-839522115-1005UA.job

- c:\documents and settings\Susan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-01 18:42]

.

2012-06-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-1715567821-839522115-1006Core.job

- c:\documents and settings\Elizabeth\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-02 13:28]

.

2012-06-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-1715567821-839522115-1006UA.job

- c:\documents and settings\Elizabeth\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-02 13:28]

.

2012-06-18 c:\windows\Tasks\SmartDefrag_Startup.job

- c:\program files\IObit\Smart Defrag 2\SmartDefrag.exe [2011-03-29 16:35]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

TCP: DhcpNameServer = 192.168.11.1

.

- - - - ORPHANS REMOVED - - - -

.

HKCU-Run-BitTorrent - c:\program files\BitTorrent\BitTorrent.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-06-18 20:27

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

.

C:\avast! sandbox

.

scan completed successfully

hidden files: 1

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f5,06,08,49,32,c1,13,4b,b3,dd,26,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f5,06,08,49,32,c1,13,4b,b3,dd,26,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(960)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\atiadlxx.dll

.

Completion time: 2012-06-18 20:29:30

ComboFix-quarantined-files.txt 2012-06-19 01:29

.

Pre-Run: 44,650,725,376 bytes free

Post-Run: 46,700,744,704 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /usepmtimer /NoExecute=OptIn

.

- - End Of File - - D618B24BE403EFB838EB3CCB078F784D


I don't know if this affects whatever process you'll suggest--I highly doubt it removed the virus, itself--but, as per the instructions of HiRez Studios' tech support for the problem that originally brought me here, I copied the files from [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections] DefaultConnectionSettings and pasted them in [HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections] DefaultConnectionSettings. For the moment, the patcher is working perfectly, and I'm having no more trouble with search result redirection.

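The registry copy described in the post above moves a single binary value, DefaultConnectionSettings, from the interactive user's hive into HKU\S-1-5-18. That SID is the LocalSystem account, so its hive is what a Windows service (the log lists HiPatchService as a service) sees as HKEY_CURRENT_USER, and a service that uses WinINet takes its proxy configuration from there, not from the logged-on user's key. The value is the place a hijacked proxy such as the 127.0.0.1:5643 named in the opening diagnostic would sit. The Python below is an added example, not part of the thread or of any tool it mentions: it decodes the blob's layout (version, change counter, PROXY_TYPE flags, then three length-prefixed strings for proxy server, bypass list and PAC URL), flags a loopback proxy, and reports where the LocalSystem copy differs from the user's. Both sample blobs are constructed here; the page does not say what the S-1-5-18 value held before the copy, and the 127.0.0.1:5643 entry in the sample only mirrors the port the diagnostic reported.

```python
"""Parse and audit WinINet DefaultConnectionSettings blobs (Python 3.8+)."""
import struct
from typing import Dict, List

# Proxy type bits stored at offset 8 of the blob (WinINet PROXY_TYPE_* values).
PROXY_TYPE_DIRECT = 0x01
PROXY_TYPE_PROXY = 0x02
PROXY_TYPE_AUTO_PROXY_URL = 0x04
PROXY_TYPE_AUTO_DETECT = 0x08

CONNECTIONS_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections"
LOCAL_SYSTEM_SID = "S-1-5-18"


def parse_connection_settings(blob: bytes) -> Dict[str, object]:
    """Decode a DefaultConnectionSettings value.

    Layout (little-endian): DWORD version, DWORD change counter, DWORD flags,
    then three length-prefixed ANSI strings: proxy server, bypass list,
    auto-config (PAC) URL. Whatever follows is reserved padding.
    """
    if len(blob) < 12:
        raise ValueError("blob shorter than the 12-byte header")
    version, counter, flags = struct.unpack_from("<III", blob, 0)
    offset = 12
    strings: List[str] = []
    for _ in range(3):
        if offset + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack_from("<I", blob, offset)
        offset += 4
        if offset + length > len(blob):
            raise ValueError("string runs past end of blob")
        strings.append(blob[offset:offset + length].decode("latin-1"))
        offset += length
    return {
        "version": version,
        "counter": counter,
        "flags": flags,
        "manual_proxy": bool(flags & PROXY_TYPE_PROXY),
        "auto_detect": bool(flags & PROXY_TYPE_AUTO_DETECT),
        "proxy_server": strings[0],
        "bypass_list": strings[1],
        "autoconfig_url": strings[2],
    }


def build_connection_settings(flags: int, proxy_server: str = "", bypass_list: str = "",
                              autoconfig_url: str = "", counter: int = 1) -> bytes:
    """Serialize a blob in the same layout; used here only to construct samples."""
    out = struct.pack("<III", 0x46, counter, flags)
    for text in (proxy_server, bypass_list, autoconfig_url):
        data = text.encode("latin-1")
        out += struct.pack("<I", len(data)) + data
    return out + b"\x00" * 32


def audit_connection_settings(settings: Dict[str, object]) -> List[str]:
    """Return findings for settings that route traffic through a local interceptor."""
    findings: List[str] = []
    proxy = str(settings["proxy_server"])
    if settings["manual_proxy"] and proxy:
        # Either "host:port" or "http=host:port;https=host:port;..." forms.
        for entry in filter(None, proxy.split(";")):
            host = entry.split("=")[-1]
            name = host.rsplit(":", 1)[0].lower()
            if name in ("localhost", "[::1]") or name.startswith("127."):
                findings.append(f"manual proxy points at loopback: {host}")
    if int(settings["flags"]) & PROXY_TYPE_AUTO_PROXY_URL and settings["autoconfig_url"]:
        findings.append(f"auto-config script set: {settings['autoconfig_url']}")
    return findings


def compare_hives(user_blob: bytes, system_blob: bytes) -> List[str]:
    """List fields where the LocalSystem (S-1-5-18) copy differs from the user's."""
    user = parse_connection_settings(user_blob)
    system = parse_connection_settings(system_blob)
    return [f"{key}: user={user[key]!r} system={system[key]!r}"
            for key in ("flags", "proxy_server", "bypass_list", "autoconfig_url")
            if user[key] != system[key]]


def read_blob_from_registry(hive_is_system: bool) -> bytes:
    """Fetch the live value on Windows; not used by the offline samples below."""
    import winreg  # only available on Windows
    if hive_is_system:
        root, path = winreg.HKEY_USERS, LOCAL_SYSTEM_SID + "\\" + CONNECTIONS_SUBKEY
    else:
        root, path = winreg.HKEY_CURRENT_USER, CONNECTIONS_SUBKEY
    with winreg.OpenKey(root, path) as key:
        value, _ = winreg.QueryValueEx(key, "DefaultConnectionSettings")
    return value


# Constructed samples (not taken from the thread): the user's hive carries the
# usual "automatically detect settings" flags; the LocalSystem hive is given a
# manual proxy on 127.0.0.1:5643, the port named by the diagnostic message.
SAMPLE_USER_BLOB = build_connection_settings(PROXY_TYPE_DIRECT | PROXY_TYPE_AUTO_DETECT)
SAMPLE_SYSTEM_BLOB = build_connection_settings(
    PROXY_TYPE_DIRECT | PROXY_TYPE_PROXY, proxy_server="127.0.0.1:5643", bypass_list="<local>")

if __name__ == "__main__":
    for label, blob in (("HKCU", SAMPLE_USER_BLOB), ("HKU\\" + LOCAL_SYSTEM_SID, SAMPLE_SYSTEM_BLOB)):
        parsed = parse_connection_settings(blob)
        print(label, parsed["proxy_server"] or "(no manual proxy)", audit_connection_settings(parsed))
    print("differences:", compare_hives(SAMPLE_USER_BLOB, SAMPLE_SYSTEM_BLOB))
```

Copying the user's value over the LocalSystem one, as the post describes, makes the patcher work because the service stops consulting the loopback proxy; it does not remove whatever listens on that port, which is why the helper's next step is another scan. On a live machine, running `compare_hives` over the two values fetched with `read_blob_from_registry` before the copy preserves the evidence of what the S-1-5-18 hive actually contained.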

No, but we still have some work to do. Please make this additional scan:

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
