Google redirect virus or something simillar? Need assistance
Virusfighter7 said:

Alright, I ran ComboFix after I removed Avira (I will reinstall Avira for additional security again though) and here's the report.

ComboFix 13-12-04.02 - Stipan 04.12.2013 15:07:30.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.385.1033.18.3327.2586 [GMT 1:00]
Running from: d:\documents and settings\Stipan\My Documents\Downloads\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
d:\documents and settings\All Users.WINDOWS.0\Application Data\TEMP
d:\documents and settings\All Users.WINDOWS.0\Application Data\TEMP\RAIDTest
d:\windows.0\system32\28_83260.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_DEFAULTTABSEARCH
.
.
((((((((((((((((((((((((( Files Created from 2013-11-04 to 2013-12-04 )))))))))))))))))))))))))))))))
.
.
2013-12-04 10:54 . 2013-12-04 10:54 -------- d-----w- D:\FRST
2013-12-04 10:41 . 2013-12-04 10:50 -------- d-----w- D:\AdwCleaner
2013-12-02 09:54 . 2013-12-02 09:54 -------- d--h--w- d:\documents and settings\Default User
2013-12-02 09:54 . 2013-12-02 09:54 -------- d-----w- d:\documents and settings\All Users
2013-12-01 17:54 . 2013-12-01 17:56 -------- d-----w- d:\windows.0\system32\MRT
2013-12-01 13:39 . 2013-12-01 13:39 -------- d-----w- c:\program files\ESET
2013-12-01 13:20 . 2013-12-01 13:20 12872 ----a-w- d:\windows.0\system32\bootdelete.exe
2013-12-01 13:15 . 2013-12-01 13:15 -------- d-----w- c:\program files\HitmanPro
2013-12-01 10:55 . 2013-12-01 10:55 -------- d-----w- d:\documents and settings\Stipan\Application Data\Malwarebytes
2013-11-18 17:50 . 2013-12-02 17:50 -------- d-----w- d:\windows.0\system32\NtmsData
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-12-01 19:05 . 2013-01-20 22:49 71048 ----a-w- d:\windows.0\system32\FlashPlayerCPLApp.cpl
2013-12-01 19:05 . 2013-01-20 22:49 692616 ----a-w- d:\windows.0\system32\FlashPlayerApp.exe
2013-10-12 15:56 . 2008-04-14 03:42 278528 ----a-w- d:\windows.0\system32\oakley.dll
2013-10-09 13:12 . 2008-04-14 03:41 287744 ----a-w- d:\windows.0\system32\gdi32.dll
2013-10-07 10:59 . 2008-04-14 03:41 603136 ----a-w- d:\windows.0\system32\crypt32.dll
2013-10-05 01:14 . 2013-01-21 11:04 7168 ----a-w- d:\windows.0\system32\xpsp4res.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-04-28 . 9F42478360E9B053A6703DEF39B4CE33 . 1614848 . . [5.1.2600.5512] . . d:\windows.0\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\progra~1\Yahoo!\Companion\Installs\cpn0\yt.dll" [2013-08-07 1561880]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="d:\program files\uTorrent\uTorrent.exe" [2013-01-21 969104]
"EADM"="d:\program files\Origin\Origin.exe" [2013-11-22 3551576]
"Advanced SystemCare 6"="d:\program files\IObit\Advanced SystemCare 6\ASCTray.exe" [2013-04-18 491840]
"GarenaPlus"="d:\program files\Garena Plus\GarenaMessenger.exe" [2013-09-27 9866032]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2012-05-25 6595928]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2011-12-05 20065384]
"DivXMediaServer"="d:\program files\DivX\DivX Media Server\DivXMediaServer.exe" [2013-05-20 450560]
"Nikon Transfer Monitor"="d:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2009-09-15 479232]
"Adobe ARM"="d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"Nvtmru"="d:\program files\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe" [2013-05-16 1012000]
"NvCplDaemon"="d:\windows.0\system32\NvCpl.dll" [2013-05-12 15677728]
"NvMediaCenter"="d:\windows.0\system32\NvMcTray.dll" [2013-05-12 223008]
"nwiz"="d:\program files\NVIDIA Corporation\nview\nwiz.exe" [2013-05-12 2562848]
"DivXUpdate"="d:\program files\DivX\DivX Update\DivXUpdate.exe" [2013-02-13 1263952]
"SunJavaUpdateSched"="d:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows.0\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2009-03-08 128512]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\uTorrent\\uTorrent.exe"=
"d:\\Documents and Settings\\All Users.WINDOWS.0\\Application Data\\Battle.net\\Agent\\Agent.1544\\Agent.exe"=
"d:\\Documents and Settings\\All Users.WINDOWS.0\\Application Data\\Battle.net\\Agent\\Agent.1737\\Agent.exe"=
"c:\\Games\\Mass Effect 2\\Binaries\\MassEffect2.exe"=
"c:\\Games\\Mass Effect 2\\MassEffect2Launcher.exe"=
"d:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
"d:\\Program Files\\Garena Plus\\Room\\garena_room.exe"=
"d:\\Program Files\\Garena Plus\\ggdllhost.exe"=
"d:\\Program Files\\Garena Plus\\bbtalk\\BBTalk.exe"=
"c:\\Games\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Games\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Games\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Games\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\program files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"d:\\Program Files\\Steam\\Steam.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 SmartDefragDriver;SmartDefragDriver;d:\windows.0\system32\drivers\SmartDefragDriver.sys [2.8.2013 9:43 14776]
R2 AdvancedSystemCareService6;Advanced SystemCare Service 6;d:\program files\IObit\Advanced SystemCare 6\ASCService.exe [17.5.2013 17:50 574272]
S3 Ambfilt;Ambfilt;d:\windows.0\system32\drivers\Ambfilt.sys [20.1.2013 21:11 1691480]
S3 cleanhlp;cleanhlp;c:\eek\Run\cleanhlp32.sys [1.12.2013 15:41 50200]
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
S3 GGSAFERDriver;GGSAFER Driver;\??\d:\program files\Garena Plus\Room\safedrv.sys --> d:\program files\Garena Plus\Room\safedrv.sys [?]
S3 RegFilter;RegFilter;\??\d:\program files\IObit\IObit Malware Fighter\drivers\wxp_x86\regfilter.sys --> d:\program files\IObit\IObit Malware Fighter\drivers\wxp_x86\regfilter.sys [?]
S3 UrlFilter;UrlFilter;\??\d:\program files\IObit\IObit Malware Fighter\drivers\wxp_x86\UrlFilter.sys --> d:\program files\IObit\IObit Malware Fighter\drivers\wxp_x86\UrlFilter.sys [?]
S4 FileMonitor;FileMonitor;\??\d:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys --> d:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2013-12-04 d:\windows.0\Tasks\Adobe Flash Player Updater.job
- d:\windows.0\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-01-20 19:05]
.
2013-12-04 d:\windows.0\Tasks\ASC6_PerformanceMonitor.job
- d:\program files\IObit\Advanced SystemCare 6\Monitor.exe [2013-05-17 17:02]
.
2013-12-04 d:\windows.0\Tasks\GoogleUpdateTaskMachineCore.job
- d:\program files\Google\Update\GoogleUpdate.exe [2013-01-20 18:27]
.
2013-12-04 d:\windows.0\Tasks\GoogleUpdateTaskMachineUA.job
- d:\program files\Google\Update\GoogleUpdate.exe [2013-01-20 18:27]
.
2013-12-04 d:\windows.0\Tasks\JetCleanLoginCheckUpdate.job
- d:\program files\BlueSprig\JetClean\AutoUpdate.exe [2013-05-17 13:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
TCP: DhcpNameServer = 86.122.255.99 8.8.8.8
FF - ProfilePath - d:\documents and settings\Stipan\Application Data\Mozilla\Firefox\Profiles\erdra7p6.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxps://www.google.hr/
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-50724399.sys
SafeBoot-CleanHlp
SafeBoot-CleanHlp.sys
SafeBoot-IMFservice
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-12-04 15:13
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@d:\\WINDOWS.0\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="d:\\WINDOWS.0\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2668)
d:\windows.0\system32\WININET.dll
d:\windows.0\system32\ieframe.dll
d:\windows.0\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre7\bin\jqs.exe
d:\windows.0\system32\nvsvc32.exe
d:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
d:\windows.0\RTHDCPL.EXE
d:\windows.0\system32\RUNDLL32.EXE
d:\program files\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe
d:\windows.0\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2013-12-04 15:14:58 - machine was rebooted
ComboFix-quarantined-files.txt 2013-12-04 14:14
.
Pre-Run: 3.277.803.520 bytes free
Post-Run: 3.514.597.376 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS.0
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS.0="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - F362C703FF04708AE329930BDD774C0B
8F558EB6672622401DA993E1E865C861
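An added example, not part of the post above and not a ComboFix component: a small Python triage script for a ComboFix report of the shape shown here. It pulls out what ComboFix deleted (the "Other Deletions" and "Drivers/Services" sections) and every autostart entry it can recognise (registry Run and URLSearchHooks values under a [key] header, R0/R2/S3/S4 driver and service lines, scheduled-task .job lines), then flags entries whose binary is a bare file name or lives outside Program Files and the Windows directory. The line formats the regexes expect are assumptions taken from this report; the embedded sample log is an excerpt of the report above plus one constructed "Updater" entry so that a flagged item appears in the output.

```python
"""Triage helper for a ComboFix report such as the one pasted above.

Added example, not part of the forum post and not ComboFix's own tooling.
Assumed line shapes (taken from the report above): section banners look like
'((( Name )))', registry values look like "name"="path" [date size] under a
[key] header, service lines start with R0/R2/S3/S4 and use ';' separators,
and a scheduled task is a 'YYYY-MM-DD ...\\x.job' line followed by '- path [stamp]'.
"""
import re
from dataclasses import dataclass

SECTION = re.compile(r"^\(+\s*(?P<name>.+?)\s*\)+\s*$")
KEY_HEADER = re.compile(r"^\[(?P<key>HK[^\]]+)\]\s*$")
REG_ENTRY = re.compile(r'^"(?P<name>[^"]+)"=\s*"(?P<path>[^"]*)"\s*\[(?P<date>\S+)\s+(?P<size>\d+)\]\s*$')
SERVICE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<svc>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s*(?:\[(?P<stamp>[^\]]*)\])?\s*$")
TASK_JOB = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(?P<job>.+\.job)\s*$")
TASK_CMD = re.compile(r"^-\s+(?P<path>.+?)\s*\[(?P<stamp>[^\]]*)\]\s*$")

# Where an XP autostart normally points. "progra~1" is the usual 8.3 alias of
# "Program Files"; confirm that on the machine itself before trusting it.
TRUSTED_DIRS = ("\\program files\\", "\\progra~1\\", "\\windows\\", "\\windows.0\\")


@dataclass
class AutostartItem:
    kind: str   # "reg", "service" or "task"
    name: str
    path: str
    where: str  # registry key, service start type (R0/S3/...) or the .job file

    def needs_review(self) -> bool:
        """Bare file names are resolved through the search path, and binaries
        outside the trusted directories (e.g. under Application Data) deserve a look."""
        p = self.path.lower().split("-->")[-1].strip()   # "\??\x --> x [?]" service form
        if p.startswith("\\??\\"):
            p = p[4:]
        return "\\" not in p or not any(d in p for d in TRUSTED_DIRS)


def parse_combofix(text: str) -> dict:
    """Return {"deleted": [lines ComboFix removed], "items": [AutostartItem, ...]}."""
    deleted, items, section, key, pending_job = [], [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # ComboFix pads sections with lone dots
            continue
        if m := SECTION.match(line):
            section, key = m.group("name"), None
        elif section in ("Other Deletions", "Drivers/Services"):
            deleted.append(line)             # everything ComboFix removed is listed here
        elif m := KEY_HEADER.match(line):
            key = m.group("key")
        elif (m := REG_ENTRY.match(line)) and key:
            items.append(AutostartItem("reg", m.group("name"), m.group("path"), key))
        elif m := SERVICE.match(line):
            items.append(AutostartItem("service", m.group("svc"), m.group("path"), m.group("start")))
        elif m := TASK_JOB.match(line):
            pending_job = m.group("job")
        elif (m := TASK_CMD.match(line)) and pending_job:
            items.append(AutostartItem("task", pending_job.rsplit("\\", 1)[-1], m.group("path"), pending_job))
            pending_job = None
    return {"deleted": deleted, "items": items}


def review_list(report: dict) -> list:
    return [i for i in report["items"] if i.needs_review()]


# Excerpt of the report above; the "Updater" line is constructed to show what a
# flagged entry looks like and does not appear in the original log.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
d:\documents and settings\All Users.WINDOWS.0\Application Data\TEMP
d:\documents and settings\All Users.WINDOWS.0\Application Data\TEMP\RAIDTest
d:\windows.0\system32\28_83260.dll
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\Legacy_DEFAULTTABSEARCH
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\progra~1\Yahoo!\Companion\Installs\cpn0\yt.dll" [2013-08-07 1561880]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="d:\program files\uTorrent\uTorrent.exe" [2013-01-21 969104]
"Updater"="d:\documents and settings\Stipan\Application Data\TEMP\upd.exe" [2013-12-01 40960]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2011-12-05 20065384]
"NvCplDaemon"="d:\windows.0\system32\NvCpl.dll" [2013-05-12 15677728]
R0 SmartDefragDriver;SmartDefragDriver;d:\windows.0\system32\drivers\SmartDefragDriver.sys [2.8.2013 9:43 14776]
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
2013-12-04 d:\windows.0\Tasks\GoogleUpdateTaskMachineCore.job
- d:\program files\Google\Update\GoogleUpdate.exe [2013-01-20 18:27]
"""

if __name__ == "__main__":
    rep = parse_combofix(SAMPLE_LOG)
    print("deleted:", *rep["deleted"], sep="\n  ")
    for item in review_list(rep):
        print(f"review {item.kind} {item.name!r} -> {item.path} ({item.where})")
```

Feed it the real file with `parse_combofix(open("ComboFix.txt", encoding="cp1252", errors="replace").read())`. "Needs review" only means the entry cannot be vouched for offline, not that it is malicious: RTHDCPL.EXE is flagged solely because it is registered by bare name and resolved through the search path, which the script cannot check without the machine.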